locking down network
-
@Kelly said in locking down network:
@Dashrender said in locking down network:
@Kelly said in locking down network:
If your set of sites you're dropping is very low then you could just put in a DNS record on your on-premise DNS server (assuming you have one). For example if you don't want people to be able to get to myshoppingsite.com then you could create a CNAME record on your server that sets myshoppingsite.com to send all traffic company.com.
I would strongly recommend against using this method if you need to handle more than 10 sites.
Just for completeness - a CNAME alone wouldn't work here. You'd need to create a root SOA on your internal DNS for myshoppingsite.com, then under that create a CNAME that points to your other site.
I've been out of hands on work for a little while, but why would you need the SOA for this to work? Unless the workstation has it cached wouldn't the CNAME handle it? Not arguing, trying to understand.
Unless i'm missing something, last I knew you could only create a CNAME for a domain for which you had an SOA already. I don't believe that you can make an arbitrary CNAME in Windows DNS. Because it has to go in a Zone that is managed on the server. Maybe I'm missing something, but I think Dash is correct.
-
@scottalanmiller said in locking down network:
@Kelly said in locking down network:
@Dashrender said in locking down network:
@Kelly said in locking down network:
If your set of sites you're dropping is very low then you could just put in a DNS record on your on-premise DNS server (assuming you have one). For example if you don't want people to be able to get to myshoppingsite.com then you could create a CNAME record on your server that sets myshoppingsite.com to send all traffic company.com.
I would strongly recommend against using this method if you need to handle more than 10 sites.
Just for completeness - a CNAME alone wouldn't work here. You'd need to create a root SOA on your internal DNS for myshoppingsite.com, then under that create a CNAME that points to your other site.
I've been out of hands on work for a little while, but why would you need the SOA for this to work? Unless the workstation has it cached wouldn't the CNAME handle it? Not arguing, trying to understand.
Unless i'm missing something, last I knew you could only create a CNAME for a domain for which you had an SOA already. I don't believe that you can make an arbitrary CNAME in Windows DNS. Because it has to go in a Zone that is managed on the server. Maybe I'm missing something, but I think Dash is correct.
Will, say, Fedora DNS allow you to create a CNAME for a zone it doesn't control?
-
@Dashrender said in locking down network:
@scottalanmiller said in locking down network:
@Kelly said in locking down network:
@Dashrender said in locking down network:
@Kelly said in locking down network:
If your set of sites you're dropping is very low then you could just put in a DNS record on your on-premise DNS server (assuming you have one). For example if you don't want people to be able to get to myshoppingsite.com then you could create a CNAME record on your server that sets myshoppingsite.com to send all traffic company.com.
I would strongly recommend against using this method if you need to handle more than 10 sites.
Just for completeness - a CNAME alone wouldn't work here. You'd need to create a root SOA on your internal DNS for myshoppingsite.com, then under that create a CNAME that points to your other site.
I've been out of hands on work for a little while, but why would you need the SOA for this to work? Unless the workstation has it cached wouldn't the CNAME handle it? Not arguing, trying to understand.
Unless i'm missing something, last I knew you could only create a CNAME for a domain for which you had an SOA already. I don't believe that you can make an arbitrary CNAME in Windows DNS. Because it has to go in a Zone that is managed on the server. Maybe I'm missing something, but I think Dash is correct.
Will, say, Fedora DNS allow you to create a CNAME for a zone it doesn't control?
There is no such thing as "Fedora DNS"
Choose a DNS server type and then ask the question.
The two most common (that I know of) arebind
anddnsmasq
. -
@Dashrender said in locking down network:
@scottalanmiller said in locking down network:
@Kelly said in locking down network:
@Dashrender said in locking down network:
@Kelly said in locking down network:
If your set of sites you're dropping is very low then you could just put in a DNS record on your on-premise DNS server (assuming you have one). For example if you don't want people to be able to get to myshoppingsite.com then you could create a CNAME record on your server that sets myshoppingsite.com to send all traffic company.com.
I would strongly recommend against using this method if you need to handle more than 10 sites.
Just for completeness - a CNAME alone wouldn't work here. You'd need to create a root SOA on your internal DNS for myshoppingsite.com, then under that create a CNAME that points to your other site.
I've been out of hands on work for a little while, but why would you need the SOA for this to work? Unless the workstation has it cached wouldn't the CNAME handle it? Not arguing, trying to understand.
Unless i'm missing something, last I knew you could only create a CNAME for a domain for which you had an SOA already. I don't believe that you can make an arbitrary CNAME in Windows DNS. Because it has to go in a Zone that is managed on the server. Maybe I'm missing something, but I think Dash is correct.
Will, say, Fedora DNS allow you to create a CNAME for a zone it doesn't control?
Do you mean BIND?
-
And the answer is yes. How do you think Cloudflare works.
MS requires all kinds of stupid things because of AD.
-
@scottalanmiller said in locking down network:
@Dashrender said in locking down network:
@scottalanmiller said in locking down network:
@Kelly said in locking down network:
@Dashrender said in locking down network:
@Kelly said in locking down network:
If your set of sites you're dropping is very low then you could just put in a DNS record on your on-premise DNS server (assuming you have one). For example if you don't want people to be able to get to myshoppingsite.com then you could create a CNAME record on your server that sets myshoppingsite.com to send all traffic company.com.
I would strongly recommend against using this method if you need to handle more than 10 sites.
Just for completeness - a CNAME alone wouldn't work here. You'd need to create a root SOA on your internal DNS for myshoppingsite.com, then under that create a CNAME that points to your other site.
I've been out of hands on work for a little while, but why would you need the SOA for this to work? Unless the workstation has it cached wouldn't the CNAME handle it? Not arguing, trying to understand.
Unless i'm missing something, last I knew you could only create a CNAME for a domain for which you had an SOA already. I don't believe that you can make an arbitrary CNAME in Windows DNS. Because it has to go in a Zone that is managed on the server. Maybe I'm missing something, but I think Dash is correct.
Will, say, Fedora DNS allow you to create a CNAME for a zone it doesn't control?
Do you mean BIND?
Well - as JB pointed out - I didn't know the names - BIND or dnsmasq - do either?
-
@JaredBusch said in locking down network:
And the answer is yes. How do you think Cloudflare works.
MS requires all kinds of stupid things because of AD.
I don't understand this - Cloudflare is the DNS host for most of those it's protecting, if not all.... Soooo not sure where you're getting at?
-
so basically I am helping with my church/School , they need to connect to apple/android store. youtube. but social media sites locked down and p2p networks and anything inappropriate for k-12.
So OpenDNS is doing the trick for now., However there is no cherry picking, and certain users need the ability to connect to facebook as well. Posting via webpage what is going on in school etc.
Thats the situation at hand.
They received a letter that someone on the network was downloading from BitTorrent. and it broke digital media anti-piracy law. etc. So they are naturally freaking out.
This is something I want to setup and walk away.. I am just doing this to help them.
-
@mroth911 said in locking down network:
so basically I am helping with my church/School , they need to connect to apple/android store. youtube. but social media sites locked down and p2p networks and anything inappropriate for k-12.
So OpenDNS is doing the trick for now., However there is no cherry picking, and certain users need the ability to connect to facebook as well. Posting via webpage what is going on in school etc.
Thats the situation at hand.
They received a letter that someone on the network was downloading from BitTorrent. and it broke digital media anti-piracy law. etc. So they are naturally freaking out.
This is something I want to setup and walk away.. I am just doing this to help them.
Once you have set up pi-hole, go to this site:
https://github.com/StevenBlack/hosts#list-of-all-hosts-file-variantsHe provides list of social media sites to block.
If you must you either setup squid and squidguard and then use Shalla Blacklist to block whatever sites you preferred.
http://www.shallalist.de/categories.htmlAnd If a web gui is necessary, pfSense makes it pretty easy to configure.
https://www.netgate.com/docs/pfsense/cache-proxy/squidguard-package.html -
@mroth911 said in locking down network:
Thats the situation at hand.
This is something I want to setup and walk away.. I am just doing this to help them.
If only it was possible...
-
@mroth911 said in locking down network:
so basically I am helping with my church/School , they need to connect to apple/android store. youtube. but social media sites locked down and p2p networks and anything inappropriate for k-12.
So OpenDNS is doing the trick for now., However there is no cherry picking, and certain users need the ability to connect to facebook as well. Posting via webpage what is going on in school etc.
Thats the situation at hand.
They received a letter that someone on the network was downloading from BitTorrent. and it broke digital media anti-piracy law. etc. So they are naturally freaking out.
This is something I want to setup and walk away.. I am just doing this to help them.
Blocking Bittorrent without an application level firewall isn't that easy. Talking to the tracker happens via DNS, but talking to the other clients normally is just via IP address.
You could block all non needed outbound ports - but again, I think Bittorrent can work over port 80 and 443, so not really that helpful.