
    locking down network

    IT Discussion
    ubnt edgeos edgerouter ubiquiti networking opendns dns security
    • mroth911
      mroth911 last edited by scottalanmiller

      I am currently using OpenDNS as a net nanny for the network. I was wondering, does the Ubiquiti ER-3 Lite have the capability of locking down the network?

      Or what else can I put in place besides OpenDNS? Because I have to cherry-pick certain sites.

      travisdh1 1 Reply Last reply Reply Quote 1
      • travisdh1
        travisdh1 @mroth911 last edited by

        @mroth911 said in locking down network:

        I am currently using OpenDNS as a net nanny for the network. I was wondering, does the Ubiquiti ER-3 Lite have the capability of locking down the network?

        Or what else can I put in place besides OpenDNS? Because I have to cherry-pick certain sites.

        So you want to block all but a select few sites?

        Using OpenDNS is the first step, and blocking DNS queries from anything other than your router is the second. Any router should be able to do this. You're already halfway there.

        1 Reply Last reply Reply Quote 0
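Added example, not something posted in the thread: the second step travisdh1 describes (let only the router, or a resolver the router forwards to, talk DNS to the outside) written as an EdgeOS firewall ruleset in the EdgeRouter's configuration-tree format, with the router's own forwarder pointed at OpenDNS's published resolver addresses. The interface name eth1 and the internal resolver address 192.168.1.2 (a Pi-hole on another segment) are assumptions; adjust to your layout. Queries sent to the router's own forwarder arrive on the `local` chain, not on this `in` ruleset, so they keep working.

```conf
# Added example, not EdgeOS output from the thread. Assumptions: LAN on eth1,
# an internal resolver such as a Pi-hole at 192.168.1.2 reachable through the
# router; every other LAN host must not reach outside DNS servers directly.
firewall {
    name LAN_IN {
        default-action accept
        description "LAN to anywhere"
        rule 10 {
            action accept
            description "allow DNS to the internal resolver only"
            destination {
                address 192.168.1.2
                port 53
            }
            protocol tcp_udp
        }
        rule 20 {
            action drop
            description "drop DNS to any other server, logged for detection"
            destination {
                port 53
            }
            log enable
            protocol tcp_udp
        }
        rule 30 {
            action drop
            description "drop DNS over TLS so clients cannot sidestep the filter"
            destination {
                port 853
            }
            log enable
            protocol tcp
        }
    }
}
interfaces {
    ethernet eth1 {
        description "LAN"
        firewall {
            in {
                name LAN_IN
            }
        }
    }
}
service {
    dns {
        forwarding {
            # the router answers LAN clients and forwards to OpenDNS
            listen-on eth1
            name-server 208.67.222.222
            name-server 208.67.220.220
        }
    }
}
```

Rules are evaluated in numeric order, so the accept for the internal resolver has to come before the drop; if the Pi-hole sits on the same segment as the clients, traffic to it never crosses the router and rule 10 is simply never hit. The log lines from rules 20 and 30 are the useful signal: a host that keeps tripping them is either misconfigured or trying to bypass the filter. DNS over HTTPS on TCP/443 cannot be separated from ordinary web traffic by port alone, so this is a strong default rather than a complete bypass prevention.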
        • mroth911
          mroth911 last edited by

          So OpenDNS does give you an option like that. For instance, the Apple Store: I want to be able to get to that, but if I select p2p it blocks everyone.

          travisdh1 1 Reply Last reply Reply Quote 0
          • travisdh1
            travisdh1 @mroth911 last edited by

            @mroth911 said in locking down network:

            So OpenDNS does give you an option like that. For instance, the Apple Store: I want to be able to get to that, but if I select p2p it blocks everyone.

            This is where we start talking about why are you using technology to solve a people problem. Clicking that p2p block probably does block p2p things, all of them, which includes legitimate things like the Apple Store.

            I'm not 100% sure about OpenDNS, I think they have other tools besides just blocking by IP now.

            The only other option is to whitelist on a local DNS server. Don't, just, don't. Unless it's like 1 website with 1 possible IP address.

            1 Reply Last reply Reply Quote 0
            • Kelly
              Kelly last edited by

              If your set of sites you're dropping is very low then you could just put in a DNS record on your on-premise DNS server (assuming you have one). For example, if you don't want people to be able to get to myshoppingsite.com then you could create a CNAME record on your server that sets myshoppingsite.com to send all traffic to company.com.

              I would strongly recommend against using this method if you need to handle more than 10 sites.

              Dashrender 1 Reply Last reply Reply Quote 1
              • JaredBusch
                JaredBusch last edited by

                First of all, OpenDNS is not a business service.

                Second, content filtering does not belong on your edge routing device.

                Third, the only good content filtering is one you don’t mess with. I would just go with a Pi-Hole at default settings, add in porn blocking, then blacklist a few sites if required.

                Anything more than that is too much.

                1 Reply Last reply Reply Quote 3
                • mroth911
                  mroth911 last edited by

                  The Pi-hole, is it hard to set up? And does it have a GUI or web interface?

                  travisdh1 dbeato scottalanmiller 3 Replies Last reply Reply Quote 0
                  • travisdh1
                    travisdh1 @mroth911 last edited by

                    @mroth911 said in locking down network:

                    The Pi-hole, is it hard to set up? And does it have a GUI or web interface?

                    It has a web interface, and was simple for me to install. Basically, pick your favorite linux distribution, and run the install script as root. https://github.com/pi-hole/pi-hole/#one-step-automated-install

                    You can take a look at the one running my home lab at https://pihole.travisdh1.net/admin. The admin interface offers a lot of extra features once you log in. I think I've used it once to add @JaredBusch's porn block list.

                    1 Reply Last reply Reply Quote 0
                    • Dashrender
                      Dashrender @Kelly last edited by

                      @Kelly said in locking down network:

                      If your set of sites you're dropping is very low then you could just put in a DNS record on your on-premise DNS server (assuming you have one). For example, if you don't want people to be able to get to myshoppingsite.com then you could create a CNAME record on your server that sets myshoppingsite.com to send all traffic to company.com.

                      I would strongly recommend against using this method if you need to handle more than 10 sites.

                      Just for completeness - a CNAME alone wouldn't work here. You'd need to create a root SOA on your internal DNS for myshoppingsite.com, then under that create a CNAME that points to your other site.

                      Kelly 1 Reply Last reply Reply Quote 0
                      • dbeato
                        dbeato @mroth911 last edited by

                        @mroth911 said in locking down network:

                        The Pi-hole, is it hard to set up? And does it have a GUI or web interface?

                        Very low-key install. @JaredBusch's porn block list is here:

                        https://mangolassi.it/topic/16905/add-porn-blocking-to-your-pi-hole/15
                        Managing through the Web interface is simple as well.

                        1 Reply Last reply Reply Quote 0
                        • scottalanmiller
                          scottalanmiller @mroth911 last edited by

                          @mroth911 said in locking down network:

                          The Pi-hole, is it hard to set up? And does it have a GUI or web interface?

                          It's one of the easiest things to set up ever. It's like one command. Easier than just about anything I know. And yes, it's all super easy GUI.

                          1 Reply Last reply Reply Quote 0
                          • scottalanmiller
                            scottalanmiller last edited by

                            https://mangolassi.it/topic/18590/installing-pi-hole

                            1 Reply Last reply Reply Quote 0
                            • Kelly
                              Kelly @Dashrender last edited by

                              @Dashrender said in locking down network:

                              @Kelly said in locking down network:

                              If your set of sites you're dropping is very low then you could just put in a DNS record on your on-premise DNS server (assuming you have one). For example, if you don't want people to be able to get to myshoppingsite.com then you could create a CNAME record on your server that sets myshoppingsite.com to send all traffic to company.com.

                              I would strongly recommend against using this method if you need to handle more than 10 sites.

                              Just for completeness - a CNAME alone wouldn't work here. You'd need to create a root SOA on your internal DNS for myshoppingsite.com, then under that create a CNAME that points to your other site.

                              I've been out of hands-on work for a little while, but why would you need the SOA for this to work? Unless the workstation has it cached, wouldn't the CNAME handle it? Not arguing, trying to understand.

                              Dashrender scottalanmiller 2 Replies Last reply Reply Quote 0
                              • Dashrender
                                Dashrender @Kelly last edited by

                                @Kelly said in locking down network:

                                @Dashrender said in locking down network:

                                @Kelly said in locking down network:

                                If your set of sites you're dropping is very low then you could just put in a DNS record on your on-premise DNS server (assuming you have one). For example, if you don't want people to be able to get to myshoppingsite.com then you could create a CNAME record on your server that sets myshoppingsite.com to send all traffic to company.com.

                                I would strongly recommend against using this method if you need to handle more than 10 sites.

                                Just for completeness - a CNAME alone wouldn't work here. You'd need to create a root SOA on your internal DNS for myshoppingsite.com, then under that create a CNAME that points to your other site.

                                I've been out of hands-on work for a little while, but why would you need the SOA for this to work? Unless the workstation has it cached, wouldn't the CNAME handle it? Not arguing, trying to understand.

                                DNS won't respond with the CNAME unless the DNS server is the owner of the domain itself. So maybe not an SOA specifically, but a (can't think of the term) secondary DNS to a SOA but still authoritative.

                                Another way to look at it is - if you want to block advertisingsite.com and the hostname is one.advertisingsite.com - where would you put that CNAME to make this work?

                                1 Reply Last reply Reply Quote 2
                                • scottalanmiller
                                  scottalanmiller @Kelly last edited by

                                  @Kelly said in locking down network:

                                  @Dashrender said in locking down network:

                                  @Kelly said in locking down network:

                                  If your set of sites you're dropping is very low then you could just put in a DNS record on your on-premise DNS server (assuming you have one). For example, if you don't want people to be able to get to myshoppingsite.com then you could create a CNAME record on your server that sets myshoppingsite.com to send all traffic to company.com.

                                  I would strongly recommend against using this method if you need to handle more than 10 sites.

                                  Just for completeness - a CNAME alone wouldn't work here. You'd need to create a root SOA on your internal DNS for myshoppingsite.com, then under that create a CNAME that points to your other site.

                                  I've been out of hands-on work for a little while, but why would you need the SOA for this to work? Unless the workstation has it cached, wouldn't the CNAME handle it? Not arguing, trying to understand.

                                  Unless I'm missing something, last I knew you could only create a CNAME for a domain for which you had an SOA already. I don't believe that you can make an arbitrary CNAME in Windows DNS, because it has to go in a zone that is managed on the server. Maybe I'm missing something, but I think Dash is correct.

                                  Dashrender 1 Reply Last reply Reply Quote 1
                                  • Dashrender
                                    Dashrender @scottalanmiller last edited by

                                    @scottalanmiller said in locking down network:

                                    @Kelly said in locking down network:

                                    @Dashrender said in locking down network:

                                    @Kelly said in locking down network:

                                    If your set of sites you're dropping is very low then you could just put in a DNS record on your on-premise DNS server (assuming you have one). For example, if you don't want people to be able to get to myshoppingsite.com then you could create a CNAME record on your server that sets myshoppingsite.com to send all traffic to company.com.

                                    I would strongly recommend against using this method if you need to handle more than 10 sites.

                                    Just for completeness - a CNAME alone wouldn't work here. You'd need to create a root SOA on your internal DNS for myshoppingsite.com, then under that create a CNAME that points to your other site.

                                    I've been out of hands-on work for a little while, but why would you need the SOA for this to work? Unless the workstation has it cached, wouldn't the CNAME handle it? Not arguing, trying to understand.

                                    Unless I'm missing something, last I knew you could only create a CNAME for a domain for which you had an SOA already. I don't believe that you can make an arbitrary CNAME in Windows DNS, because it has to go in a zone that is managed on the server. Maybe I'm missing something, but I think Dash is correct.

                                    Will, say, Fedora DNS allow you to create a CNAME for a zone it doesn't control?

                                    JaredBusch scottalanmiller 2 Replies Last reply Reply Quote 0
                                    • JaredBusch
                                      JaredBusch @Dashrender last edited by

                                      @Dashrender said in locking down network:

                                      @scottalanmiller said in locking down network:

                                      @Kelly said in locking down network:

                                      @Dashrender said in locking down network:

                                      @Kelly said in locking down network:

                                      If your set of sites you're dropping is very low then you could just put in a DNS record on your on-premise DNS server (assuming you have one). For example, if you don't want people to be able to get to myshoppingsite.com then you could create a CNAME record on your server that sets myshoppingsite.com to send all traffic to company.com.

                                      I would strongly recommend against using this method if you need to handle more than 10 sites.

                                      Just for completeness - a CNAME alone wouldn't work here. You'd need to create a root SOA on your internal DNS for myshoppingsite.com, then under that create a CNAME that points to your other site.

                                      I've been out of hands-on work for a little while, but why would you need the SOA for this to work? Unless the workstation has it cached, wouldn't the CNAME handle it? Not arguing, trying to understand.

                                      Unless I'm missing something, last I knew you could only create a CNAME for a domain for which you had an SOA already. I don't believe that you can make an arbitrary CNAME in Windows DNS, because it has to go in a zone that is managed on the server. Maybe I'm missing something, but I think Dash is correct.

                                      Will, say, Fedora DNS allow you to create a CNAME for a zone it doesn't control?

                                      There is no such thing as "Fedora DNS".

                                      Choose a DNS server type and then ask the question.
                                      The two most common (that I know of) are bind and dnsmasq.

                                      1 Reply Last reply Reply Quote 2
                                      • scottalanmiller
                                        scottalanmiller @Dashrender last edited by

                                        @Dashrender said in locking down network:

                                        @scottalanmiller said in locking down network:

                                        @Kelly said in locking down network:

                                        @Dashrender said in locking down network:

                                        @Kelly said in locking down network:

                                        If your set of sites you're dropping is very low then you could just put in a DNS record on your on-premise DNS server (assuming you have one). For example, if you don't want people to be able to get to myshoppingsite.com then you could create a CNAME record on your server that sets myshoppingsite.com to send all traffic to company.com.

                                        I would strongly recommend against using this method if you need to handle more than 10 sites.

                                        Just for completeness - a CNAME alone wouldn't work here. You'd need to create a root SOA on your internal DNS for myshoppingsite.com, then under that create a CNAME that points to your other site.

                                        I've been out of hands-on work for a little while, but why would you need the SOA for this to work? Unless the workstation has it cached, wouldn't the CNAME handle it? Not arguing, trying to understand.

                                        Unless I'm missing something, last I knew you could only create a CNAME for a domain for which you had an SOA already. I don't believe that you can make an arbitrary CNAME in Windows DNS, because it has to go in a zone that is managed on the server. Maybe I'm missing something, but I think Dash is correct.

                                        Will, say, Fedora DNS allow you to create a CNAME for a zone it doesn't control?

                                        Do you mean BIND?

                                        Dashrender 1 Reply Last reply Reply Quote 0
                                        • JaredBusch
                                          JaredBusch last edited by

                                          And the answer is yes. How do you think Cloudflare works?

                                          MS requires all kinds of stupid things because of AD.

                                          Dashrender 1 Reply Last reply Reply Quote 1
                                          • Dashrender
                                            Dashrender @scottalanmiller last edited by

                                            @scottalanmiller said in locking down network:

                                            @Dashrender said in locking down network:

                                            @scottalanmiller said in locking down network:

                                            @Kelly said in locking down network:

                                            @Dashrender said in locking down network:

                                            @Kelly said in locking down network:

                                            If your set of sites you're dropping is very low then you could just put in a DNS record on your on-premise DNS server (assuming you have one). For example, if you don't want people to be able to get to myshoppingsite.com then you could create a CNAME record on your server that sets myshoppingsite.com to send all traffic to company.com.

                                            I would strongly recommend against using this method if you need to handle more than 10 sites.

                                            Just for completeness - a CNAME alone wouldn't work here. You'd need to create a root SOA on your internal DNS for myshoppingsite.com, then under that create a CNAME that points to your other site.

                                            I've been out of hands-on work for a little while, but why would you need the SOA for this to work? Unless the workstation has it cached, wouldn't the CNAME handle it? Not arguing, trying to understand.

                                            Unless I'm missing something, last I knew you could only create a CNAME for a domain for which you had an SOA already. I don't believe that you can make an arbitrary CNAME in Windows DNS, because it has to go in a zone that is managed on the server. Maybe I'm missing something, but I think Dash is correct.

                                            Will, say, Fedora DNS allow you to create a CNAME for a zone it doesn't control?

                                            Do you mean BIND?

                                            Well - as JB pointed out - I didn't know the names - BIND or dnsmasq - do either?

                                            1 Reply Last reply Reply Quote 0
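Added example, not posted by anyone in the thread, answering Dashrender's question for both servers JaredBusch named. Neither needs to own a zone for the site being blocked: dnsmasq (which is also what Pi-hole is built on) overrides a name and all of its subdomains with a one-line `address=` directive, and BIND does it through a response policy zone (RPZ), where the SOA belongs to the policy zone rather than to myshoppingsite.com. A CNAME cannot sit at a zone apex next to the SOA and NS records, which is one more reason the "real zone for myshoppingsite.com" route is awkward. The names company.com and advertisingsite.com come from the thread; 192.0.2.10 (a documentation address used as a sinkhole), rpz.local and the file paths are placeholders.

```conf
# ---- dnsmasq / Pi-hole ----
# /etc/dnsmasq.d/10-block.conf (assumed path)
# Answer the name and every subdomain (so one.advertisingsite.com is covered)
# with the sinkhole address instead of forwarding the query upstream.
address=/myshoppingsite.com/192.0.2.10
address=/advertisingsite.com/192.0.2.10
# Leaving the address empty returns NXDOMAIN instead:
# address=/advertisingsite.com/
# Log every query so hits on blocked names show up in the resolver's log.
log-queries

# ---- BIND 9: response policy zone ----
# /etc/named.conf (assumed path)
options {
    recursion yes;
    # Consult the policy zone before returning any recursive answer.
    response-policy { zone "rpz.local"; };
};
zone "rpz.local" {
    type master;
    file "/var/named/db.rpz.local";
};

; /var/named/db.rpz.local (assumed path)
; The SOA and NS here describe the policy zone itself, not the blocked sites.
$TTL 60
@                       IN SOA  localhost. hostmaster.localhost. (
                                2024010101 ; serial
                                3600       ; refresh
                                900        ; retry
                                604800     ; expire
                                60 )       ; minimum
@                       IN NS   localhost.
; "Local Data" action: hand back company.com's records in place of the real ones
myshoppingsite.com      IN CNAME company.com.
*.myshoppingsite.com    IN CNAME company.com.
; NXDOMAIN action: a CNAME to the root means "this name does not exist"
advertisingsite.com     IN CNAME .
*.advertisingsite.com   IN CNAME .
```

In both cases the rewrite applies to whatever the recursive resolver would otherwise have answered, so it handles the hostname case Dashrender raised without a zone per blocked domain. In the Windows DNS model the thread describes, the closest equivalent is a primary zone for myshoppingsite.com holding an A record at the apex plus a wildcard record for subdomains. Whichever server you use, a client that sends its queries elsewhere sees none of this, which is why travisdh1's router rule belongs alongside it.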