DNS Server as a limited content filter

General support questions
usdan101
Posts: 5
Joined: 2014/08/09 04:20:00

DNS Server as a limited content filter

Post by usdan101 » 2014/08/09 04:28:24

Looking for any existing references to setting up a DNS server that can be queried by PCs and the DNS server will only permit the lookup of a select list of domain names.

Example:
A list of websites such as microsoft.com, google.com, craigslist.com; the lookup for those websites would be permitted. Anything else would fail.

The PCs would be manually configured to use this DNS server (I'm not concerned about users adjusting the network settings).

These PCs are located at various locations in the U.S.

Any suggestions?

Thanks

vonskippy
Posts: 839
Joined: 2006/12/30 03:00:04
Location: Western Slope Colorado

Re: DNS Server as a limited content filter

Post by vonskippy » 2014/08/09 19:35:39

DYN Internet Guide Pro (it's hard to find the pro services, I had to call a sales rep to get set up - their free service doesn't have multiple subnet options nor is it legal for business use).

It's DNS content filtering with around 40 categories plus white/black lists.

10 networks (of any subnet size) runs around $40 per use (and you can add more subnets in stacks of 10).

Then set your workstations to use their DNS servers and block all other outbound DNS traffic at your firewall and it's reasonably bulletproof content filtering.
For the 2.5^15th time :: Better Details = Better Answers

usdan101
Posts: 5
Joined: 2014/08/09 04:20:00

Re: DNS Server as a limited content filter

Post by usdan101 » 2014/08/10 03:00:32

vonskippy wrote: DYN Internet Guide Pro.
Thanks for your reply. Their service looks a lot more reasonable than many of the other vendors I've looked at.

However, I'm looking for configuration ideas to use my own bind server to accomplish the filtering.

Thanks

Dan

vonskippy
Posts: 839
Joined: 2006/12/30 03:00:04
Location: Western Slope Colorado

Re: DNS Server as a limited content filter

Post by vonskippy » 2014/08/10 03:30:05

usdan101 wrote: However, I'm looking for configuration ideas to use my own bind server to accomplish the filtering.
Unless you have a very short whitelist, and plan on banning EVERYTHING else, you can't - it would take more than a full time staff member to keep your filters up to date.

If you have a short whitelist, set up a hosts file on whatever your edge device is, ban all other DNS services and be done with it. BIND is a major overkill if you're only going to allow a handful of sites.

usdan101
Posts: 5
Joined: 2014/08/09 04:20:00

Re: DNS Server as a limited content filter

Post by usdan101 » 2014/08/10 03:55:47

Yep, it's a short list of sites to whitelist.

I considered the hosts file idea, but with 25-50 PCs in this project, adjusting individual hosts files seems like quite a job when a change is needed. The PCs are in various locations in different states.

A DNS server would allow me to make an adjustment with the effects to be system wide immediately.

Note: I did explore a HOSTS file option where I use nightly FTP transfer where each PC downloads the company HOSTS file and puts it into place. This would give me a way to at least receive an updated HOSTS file every 24 hours.

vonskippy
Posts: 839
Joined: 2006/12/30 03:00:04
Location: Western Slope Colorado

Re: DNS Server as a limited content filter

Post by vonskippy » 2014/08/10 04:32:55

No, you put the hosts file on WHATEVER box or boxes that you would have put the BIND server on, or put it on the edge firewall and set the internal workstations to use the edge firewall as their DNS source.

The trick is to enforce that ALL workstations only use the box(es) that have the host file. Then you just have to update that/those box(es).

Greg_E
Posts: 143
Joined: 2014/04/04 18:53:45

Re: DNS Server as a limited content filter

Post by Greg_E » 2014/08/10 21:50:16

What OS are all these remote workstations running? You might need some kind of parental supervisor software to really make this work unless they have dedicated WAN connections back to your central network. If they are using dedicated connections back to your CO, then a filtering proxy like privoxy would work.

usdan101
Posts: 5
Joined: 2014/08/09 04:20:00

Re: DNS Server as a limited content filter

Post by usdan101 » 2014/08/11 02:04:54

The PCs are all Windows-based and used as P.O.S. terminals.

Not all the PCs on the local network need the filtering.

I appreciate the alternative suggestions. The restrictive DNS setup seems like a real option. I can set up the basic CentOS server, just missing the detail config to make it work.
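One way to lay out the restrictive BIND resolver discussed in this thread, as an added example (this is not usdan101's config and not from any of the original posts). It assumes BIND 9.9 as shipped on CentOS at the time of the thread; the allowed domains are the three named in the first post; the address ranges, the resolver's own address and the upstream resolver addresses are constructed placeholders. The approach is the standard "empty root zone plus forward zones" pattern: the server claims authority for "." so every name it has no forward zone for gets NXDOMAIN locally, while names under an allowed domain are forwarded upstream.

```conf
// /etc/named.conf  (added example; all addresses are placeholders, replace with your own)

// Source addresses of the POS terminals that may use this resolver.
acl "pos_terminals" {
    127.0.0.1;
    192.0.2.0/24;        // site A (placeholder range)
    198.51.100.0/24;     // site B (placeholder range)
};

options {
    directory "/var/named";
    listen-on port 53 { 127.0.0.1; 192.0.2.10; };   // this resolver (placeholder)
    recursion yes;                                  // forward zones need recursion
    allow-query     { pos_terminals; };
    allow-recursion { pos_terminals; };
    // No global "forwarders" on purpose: a name that matches none of the forward
    // zones below is answered from the local root zone (NXDOMAIN), never resolved.
    // This server serves its own unsigned root, so it cannot chain DNSSEC
    // validation to the real root trust anchor; leave validation to the upstreams.
    dnssec-validation no;
};

// Catch-all: authoritative for the root. Replace the stock
//   zone "." IN { type hint; file "named.ca"; };
// from the CentOS default named.conf, otherwise named refuses the duplicate zone.
zone "." IN {
    type master;
    file "empty-root.zone";
};

// Allowed domains from the first post. A forward zone is more specific than ".",
// so the domain and everything under it (www.google.com, ...) goes upstream.
zone "microsoft.com"  IN { type forward; forward only; forwarders { 203.0.113.53; 203.0.113.54; }; };
zone "google.com"     IN { type forward; forward only; forwarders { 203.0.113.53; 203.0.113.54; }; };
zone "craigslist.com" IN { type forward; forward only; forwarders { 203.0.113.53; 203.0.113.54; }; };

// ---- /var/named/empty-root.zone (zone-file syntax, ';' comments) ----
// $TTL 3600
// @          IN SOA localhost. hostmaster.localhost. (
//                2014081101 ; serial, bump on every edit
//                3600       ; refresh
//                900        ; retry
//                604800     ; expire
//                300 )      ; negative-cache TTL: how long a blocked name's NXDOMAIN is cached
// @          IN NS  localhost.
// localhost. IN A   127.0.0.1
```

Check the files with named-checkconf /etc/named.conf and named-checkzone . /var/named/empty-root.zone, then rndc reload; adding a site later means adding one forward zone line and reloading, which is the "system wide immediately" behaviour usdan101 was after. Verify from a terminal with dig @192.0.2.10 www.google.com (answer) against dig @192.0.2.10 example.net (NXDOMAIN). Two practical caveats: most web sites pull scripts, images and payment widgets from other domains, so expect to grow the list from whatever the browsers actually request; and the resolver only filters clients that use it, so pair it with the firewall rule vonskippy mentioned (drop outbound port 53 from the terminals to anything but this server).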

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: DNS Server as a limited content filter

Post by gerald_clark » 2014/08/11 02:23:13

And if the users change their DNS server?

usdan101
Posts: 5
Joined: 2014/08/09 04:20:00

Re: DNS Server as a limited content filter

Post by usdan101 » 2014/08/11 02:48:53

gerald_clark wrote: And if the users change their DNS server?
It's not that I haven't thought about that (mentioned it in my initial post). I'm ok with that risk.
