
24 Replies

  • Why not use an HTTP(S) proxy instead? That way, you would still be pointing at your internal DNS (as you should), but you can filter web traffic as you plan to do.

  • spicehead-lf46i wrote:

    I need half my workstations on my domain to use alternative DNS IPs so I can point some of them towards our DNS web filter.

    I have tried to change the DNS via GPO, which works fine, but when a new user comes to use one of the workstations, because the workstation with the modified DNS directs to our DNS web filter, the PC cannot resolve the domain controller so won't let them log in to a profile.

    Is there a way I can make PCs first log in to the domain controller but then use a different DNS for web browsing, whilst leaving some machines able to browse anything using the original domain DNS?

    I have investigated but cannot find an answer.

    Most DNS-based filtering has some sort of appliance you can run locally, so you point your clients to this instead of your DCs, and then these appliances route DNS requests to the right place, so local domain queries go to your DCs, and anything else goes out to the provider's DNS servers.

    This is at least the case with Cisco Umbrella anyway and is the logical way of handling it so I assume other providers offer something similar.

  • Big Green Man wrote:

    Why not use an HTTP(S) proxy instead? That way, you would still be pointing at your internal DNS (as you should), but you can filter web traffic as you plan to do.

    This would be where I'd start.

  • Definitely agree with Big Green Man​ on this.
  • Domain clients must point to the domain controllers for DNS.

    Any solution you implement will need to work with that - but I can't see any enterprise solution that wouldn't have a solution to this scenario.

  • If you do need DNS-based filtering, see if your router/firewall supports this feature. Next Gen firewalls often have DNS and web filter capabilities, which you can configure through firewall policies. You can often craft a policy to only apply to certain IP addresses. Everybody uses the same DNS server, but as soon as a request/website attempt goes out onto the Internet the router/firewall kicks in and will block or pass based on your policies.

    This ties in with Big Green Man's proxy suggestion. A next gen firewall doing this kind of thing is by nature of the beast doing proxying. It's just not only http(s) proxying, it's also proxying DNS and other protocols if supported.

  • Workstations point to AD DNS. On your DNS server in AD, use the DNS forwarder option to point to your DNS-based web filter. Domain machines will not function properly unless they are looking at AD DNS for services published within the domain. I am assuming you are looking at Umbrella or something similar?

  • James R. Howard wrote:

    Workstations point to AD DNS. On your DNS server in AD, use the DNS forwarder option to point to your DNS-based web filter. Domain machines will not function properly unless they are looking at AD DNS for services published within the domain. I am assuming you are looking at Umbrella or something similar?

    Exactly this.

    Anything not specifically listed or cached on your AD DNS server will be resolved by the forwarder you specify.  

  • Do you have 2 DCs? If you do, you can set up one of them to use DNS forwarders and the other to resolve via root hints. Then you could statically set the DNS server on your workstations to one or the other DC depending on the need to filter that PC. Either way, for AD to work correctly, you need the PC to point to an internal AD DNS server.

  • Adding a DNS firewall or DNS security service?

    Use multiple DHCP scopes and segment your network into multiple VLANs with layer 3 routing. Then use the multiple AD/DNS servers as previously stated with root hints or forwarders. Use ACLs to prevent someone from accessing the undesired DNS server. Make sure AD servers replicate with ACLs in place.

    Another option is to move to a zero trust network design which allows greater option control using IAM templates at the cost of redesigning the network and implementing.

  • James R. Howard wrote:

    Workstations point to AD DNS. On your DNS server in AD, use the DNS forwarder option to point to your DNS-based web filter. Domain machines will not function properly unless they are looking at AD DNS for services published within the domain. I am assuming you are looking at Umbrella or something similar?

    James has the nutshell of it here. Simply put, you use your AD DNS server as the master DNS, and all requests not "in your local domains" are forwarded to your external DNS resolver of choice.

    However, you have two scenarios to support here: one for group A, using one specific DNS host for external queries, and one for group B, using a different DNS host for those external queries, which means something needs to provide two different answers. My answer? Create another local DNS server for that "half" of the people.

    The Group B DNS server will "forward" all local/internal queries to your primary AD DNS server, but it will have a different DNS forwarding entry for the external queries.

    That way, if any desktop is associated with either DNS server, all of your login attempts and local domain queries will still arrive at the proper destination, and upon login, the GPO will be applied for all future DNS queries, to point to the Group A external DNS services or the Group B DNS services, until someone else logs in.

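    The two-server design above (AD DNS forwarding everything external to one resolver, a second "Group B" DNS server that conditionally forwards the internal zones back to AD DNS and sends everything else to the filter), as an added PowerShell example that is not any poster's own script. It uses the Windows DnsServer and DnsClient modules; the domain name corp.example, the DC and Group B server addresses, and both resolver addresses are constructed placeholders. It also covers the earlier suggestion of setting the forwarder on the AD DNS server itself, and ends with the check that matters for domain logon: the DC locator SRV record must resolve through both servers.

    ```powershell
    # Added example: two-tier DNS for "Group A" (AD DNS) and "Group B" (second DNS server).
    # All names and addresses below are constructed placeholders, not from the thread.
    #Requires -Modules DnsServer, DnsClient

    $AdDomain         = 'corp.example'                       # hypothetical internal AD zone
    $DcDns            = @('10.0.0.10', '10.0.0.11')          # AD DNS servers (DCs)
    $OpenForwarders   = @('198.51.100.53')                   # placeholder: unfiltered resolver (Group A)
    $FilterForwarders = @('203.0.113.53', '203.0.113.54')    # placeholder: DNS web-filter resolvers (Group B)

    # --- Part 1: run on a DC / AD DNS server (Group A path) ---------------------------
    # Anything the DC is not authoritative for goes to the chosen resolver.
    # -UseRootHint $false stops the server from quietly bypassing the forwarder via
    # root hints when the forwarder is down; clients then fail closed instead.
    function Set-GroupAForwarders {
        Set-DnsServerForwarder -IPAddress $OpenForwarders -UseRootHint $false
        Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint
    }

    # --- Part 2: run on the Group B server (domain-joined Windows DNS, not a DC) ------
    # The AD zone and its _msdcs child (where the DC locator SRV records live) are
    # conditionally forwarded to the DCs; every other query goes to the filter.
    function Set-GroupBForwarders {
        foreach ($zone in @($AdDomain, "_msdcs.$AdDomain")) {
            if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
                Add-DnsServerConditionalForwarderZone -Name $zone -MasterServers $DcDns
            }
        }
        Set-DnsServerForwarder -IPAddress $FilterForwarders -UseRootHint $false
        Get-DnsServerZone | Where-Object ZoneType -eq 'Forwarder' | Select-Object ZoneName, MasterServers
    }

    # --- Verification: run from any workstation --------------------------------------
    # Domain logon starts with this SRV lookup; it must succeed via BOTH servers.
    function Test-DcLocatorVia {
        param([Parameter(Mandatory)][string]$Server)
        $answer = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdDomain" -Type SRV -Server $Server -ErrorAction Stop
        $answer | Where-Object QueryType -eq 'SRV' | Select-Object NameTarget, Port, Priority
    }

    # Test-DcLocatorVia -Server 10.0.0.10   # Group A path (a DC)
    # Test-DcLocatorVia -Server 10.0.0.20   # Group B path: must list the same DCs
    ```

    The two `Test-DcLocatorVia` calls are the acceptance test for either design: a workstation pointed at the Group B server is only safe to log on from if that second call returns the DCs.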
  • It sounds like the OP is trying to filter 'some' workstations this way. The DNS forwarder built into DNS will forward all requests that can't be found in the local DNS to a different service, so it's best used when you're filtering everyone on your network.

    If you have some systems that require filtering, and others that do not, it gets more complicated.  

    That's where a proxy server comes in.  Set up a proxy server (like Squid) and configure browsers on the systems you want to use it (this can even be done using a targeted GPO).  The proxy itself can be configured for filtering but you can actually leave the defaults in this case.  What you want to do is set the DNS on the proxy server to point to the Webfilter DNS.  It might not give you the same clean messages when requests fail, but the idea is that if the filter blocks something, the proxy shouldn't return it to the requesting client.

    There are ways to set up a transparent proxy that doesn't require client configuration, but that gets more complicated hardware wise because you need to pipe filtered traffic through the proxy while having another path for unfiltered traffic before it gets to your gateway.  

  • I think the easiest and quickest answer is a combination of several ideas posted here already, without suggesting technologies OP doesn't have in play (like proxies) or things that would incur additional cost. Let's assume this is a Windows AD domain with Windows clients. Likely, but OP never specifies. We also do not know how big an environment this is, which plays a role in the solution.

    1) Create 2 subnets or VLANs. One for filtered workstations, one for non-filtered.

    2) Build 4 AD DNS servers for redundancy (a redundant pair for each filter group). (Virtual servers are virtually free with Datacenter and Hyper-V, pun intended.)

    3) Set all 4 AD DNS servers to forward all traffic to your DNS web filter and replicate with each other. Because they are domain controllers (you can make them read-only copies if it makes security feel better), and not just DNS servers, they inherently know about the domain AND can authenticate user/computer accounts against their local directory store. When the request comes from a workstation for yourcontoso.local, it's gonna say 'THAT'S ME!'

    4) Use GPO with WMI filtering and create two separate DNS policies based on workstation IP. Group 1 gets DNS servers A/B, Group 2 gets DNS servers C/D.

    5) Create an ACL on the DNS web filter setting all traffic from DNS A/B to Filter 1, and from DNS C/D to bypass direct to the web.

    6) Profit.

    Using this model can get very cumbersome very quickly, and is not without its flaws. Especially since every time you want to create a new filter group you need 2 more DNS servers for your ACL (but hey, they are 'virtual'ly unlimited, right?). For a small environment with 4 'VIPs' that get to browse porn at work and 20-30 employees that get 'just the basics', this works fine. For 1200 users and multiple sites, not so much.

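    Step 4 of the procedure above relies on a GPO WMI filter that matches the workstation's IP. As an added PowerShell example (not the poster's own), here is the WQL such a filter would use and a local pre-check that evaluates it the way the GPO engine would, then applies the DNS pair the matching policy would hand out. One caveat the example is built around: `Win32_NetworkAdapterConfiguration.IPAddress` is an array property, which WQL `LIKE` cannot match, so the filter queries the host routes (mask 255.255.255.255) in `Win32_IP4RouteTable` instead. The subnets, DNS server addresses and group names are constructed placeholders.

    ```powershell
    # Added example: WMI-filter WQL per filter group and a local evaluation of it.
    # Subnets and DNS pairs below are constructed, not taken from the thread.
    #Requires -Modules DnsClient

    $FilterGroups = @(
        @{ Name = 'Filtered';   Subnet = '10.10.20.%'; Dns = @('10.0.0.10', '10.0.0.11') }   # DNS A/B
        @{ Name = 'Unfiltered'; Subnet = '10.10.30.%'; Dns = @('10.0.0.12', '10.0.0.13') }   # DNS C/D
    )

    # The exact query text to paste into the GPO's WMI filter for one group.
    # Host routes (Mask 255.255.255.255) exist for every IP the box holds, one row each,
    # so a string LIKE on Destination works where the IPAddress array would not.
    function Get-WmiFilterQuery {
        param([Parameter(Mandatory)][string]$Subnet)
        "SELECT * FROM Win32_IP4RouteTable WHERE Mask = '255.255.255.255' AND Destination LIKE '$Subnet'"
    }

    # Evaluate each group's filter on this machine; the first match wins, as in GPO.
    function Get-MatchingFilterGroup {
        foreach ($g in $FilterGroups) {
            if (Get-CimInstance -Query (Get-WmiFilterQuery -Subnet $g.Subnet)) { return $g }
        }
        return $null
    }

    # Apply what the matching GPO would apply. The adapter is chosen by the address that
    # matched, so a second IP on another NIC (e.g. a softphone address) is left alone.
    function Set-GroupDnsServers {
        $g = Get-MatchingFilterGroup
        if (-not $g) { throw 'No filter-group subnet matches this host; the GPO would not apply.' }
        $prefix = $g.Subnet.TrimEnd('%')
        $nic = Get-NetIPAddress -AddressFamily IPv4 |
               Where-Object IPAddress -like "$prefix*" | Select-Object -First 1
        Set-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex -ServerAddresses $g.Dns
        '{0}: interface "{1}" now uses {2}' -f $g.Name, $nic.InterfaceAlias, ($g.Dns -join ', ')
    }

    # Get-MatchingFilterGroup | Format-Table Name, Subnet    # dry run, no changes
    # Set-GroupDnsServers                                     # needs an elevated prompt
    ```

    Running `Get-MatchingFilterGroup` on a test workstation before linking the GPOs tells you whether the filter text is right; a host in neither subnet returns nothing, which is also what the GPO engine would do.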
  • Thanks for all of your replies. It's given me some good reading and I now think I have a way forward.

    Much appreciated 

  • What you are trying to do with the filtering is not something that you would be doing on a per-workstation basis; you would be doing this at the edge on either your router or firewall.

    If you change the DNS servers on your workstations you will have the problem you are seeing, in that authentication requests will not be able to reach your domain controllers. This will not just affect new users on workstations; eventually users who have already logged in to the workstations previously will not be able to log in either, because the cached credentials they are currently using will expire.

  • So a bit more background:

    This is a Windows domain with 200 machines; about 30 are admin staff which we want to have full internet access, the other 150 are agents which we only want to be able to access 5 or so websites.

    We tried an on-premise solution (Squid server), BUT we are working in a part of the world where the internet connections are very poor, so we found any options we tried within the on-prem network made the connection unusable at times. We have no options of improving the connection, in all honesty.

    So the plan was to try using off-site DNS filtering, OpenDNS. This option works but, as mentioned, stops the ability to use the PCs on the domain.

    So I tried this as a workaround solution:

    2 scheduled tasks are created via GPO.

    1st) On any user login, a scheduled task runs 1 minute after the login; it changes the workstation DNS to forward to the DNS filtering.

    2nd) A scheduled task is created that on a shutdown/restart event changes the DNS back to the DC, enabling the next user to come along and log in to the domain.

    To add to the complexity, each agent workstation has 2 static IPs assigned: 1 IP is for the internal network, domain and internet browsing, the 2nd IP is for a softphone solution.

    It seems to kind of work but is a bit hit and miss. Ideally I'd like an on-prem solution but I can't see it working with our connection limitations.

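    The two GPO-deployed scheduled tasks the post describes, as an added PowerShell example that is not the poster's own script. Two points are my assumptions rather than the post's: the "reset to DC" task is triggered at startup instead of at shutdown (the ScheduledTasks module has no shutdown trigger, so the reset happens before the next logon screen; a GPO shutdown script would be the other route), and only the NIC holding the internal-network address is changed, so the second, softphone IP mentioned above is never touched. The DC and filter resolver addresses, the subnet and the script path are constructed placeholders.

    ```powershell
    # Added example: switch workstation DNS to the filter after logon, back to the DCs at boot.
    # Deploy this file via GPO, run it once elevated with -Register; the tasks call it with -Mode.
    # Addresses, subnet and path are constructed placeholders, not from the thread.
    #Requires -Modules DnsClient, ScheduledTasks
    param(
        [ValidateSet('Filter', 'DC')][string]$Mode,
        [switch]$Register
    )

    $DcDns       = @('10.0.0.10', '10.0.0.11')         # domain controllers (constructed)
    $FilterDns   = @('203.0.113.53', '203.0.113.54')   # placeholder: off-site DNS filter resolvers
    $InternalNet = '10.0.0.*'                          # the internal/browsing address, NOT the softphone one
    $ScriptDir   = 'C:\ProgramData\DnsSwitch'          # hypothetical location for the persisted copy

    # Select the adapter by the address it carries, so a two-IP workstation changes only one NIC.
    function Get-InternalInterfaceIndex {
        $ip = Get-NetIPAddress -AddressFamily IPv4 |
              Where-Object IPAddress -like $InternalNet | Select-Object -First 1
        if (-not $ip) { throw "No adapter holds an address matching $InternalNet" }
        $ip.InterfaceIndex
    }

    function Set-WorkstationDns {
        param([ValidateSet('Filter', 'DC')][string]$Mode)
        $servers = if ($Mode -eq 'Filter') { $FilterDns } else { $DcDns }
        Set-DnsClientServerAddress -InterfaceIndex (Get-InternalInterfaceIndex) -ServerAddresses $servers
        Clear-DnsClientCache        # drop answers that came from the previous resolver
    }

    # Both tasks run as SYSTEM: changing adapter DNS settings needs administrative rights,
    # and the agent users are not expected to have them.
    function Register-DnsSwitchTasks {
        New-Item -ItemType Directory -Path $ScriptDir -Force | Out-Null
        Copy-Item -Path $PSCommandPath -Destination "$ScriptDir\DnsSwitch.ps1" -Force   # persist this script
        $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
        $common    = "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptDir\DnsSwitch.ps1`""

        $logon = New-ScheduledTaskTrigger -AtLogOn      # any user's interactive logon
        $logon.Delay = 'PT1M'                           # ISO 8601: 1 minute after the logon
        $toFilter = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "$common -Mode Filter"
        Register-ScheduledTask -TaskName 'DNS - switch to filter' -Trigger $logon -Action $toFilter `
            -Principal $principal -Force | Out-Null

        $boot = New-ScheduledTaskTrigger -AtStartup     # runs before anyone can log on
        $toDc = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "$common -Mode DC"
        Register-ScheduledTask -TaskName 'DNS - reset to DC' -Trigger $boot -Action $toDc `
            -Principal $principal -Force | Out-Null
    }

    if ($Register)  { Register-DnsSwitchTasks }
    elseif ($Mode)  { Set-WorkstationDns -Mode $Mode }
    ```

    While the workstation is in `Filter` mode, nothing on it can resolve the domain's internal names, so anything that talks to the DCs after that first minute (Group Policy refresh, Kerberos ticket renewal, mapped drives by name) is running on cached state until the next reboot; `Clear-DnsClientCache` in `Set-WorkstationDns` is there so the two modes do not mix answers.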
  • spicehead-lf46i wrote:

    So a bit more background:

    This is a Windows domain with 200 machines; about 30 are admin staff which we want to have full internet access, the other 150 are agents which we only want to be able to access 5 or so websites.

    We tried an on-premise solution (Squid server), BUT we are working in a part of the world where the internet connections are very poor, so we found any options we tried within the on-prem network made the connection unusable at times. We have no options of improving the connection, in all honesty...

    A next-generation firewall with web filtering can do this much more simply. You'd create a group for the admins (containing their IP addresses) on the firewall with a policy entry allowing them access to everything, then make access to only the allowed sites the default policy.

  • Agreed. Unfortunately the business doesn't want to spend too much money on this (frown and sigh), despite me telling them this.

  • Subnetting or a VLAN with its own router.

  • Already the first reply from Big Green Man was the correct answer.

    There was only one small part missing, that he did not mention.

    When you look at modern NGFW firewalls, they can integrate with AD. Even SingleSignOn is possible to set up with many vendors.

    So whenever a user logs off and another logs in, the firewall will know about this change and handle all filtering as it is defined for the now logged-in user and/or his AD group.

    You can still also do filtering based on IP addresses for everything else, but when it comes to firewall rules that handle HTTP and HTTPS traffic, you would filter it based on different rules for different users / group names.

    I've been using this on WatchGuard firewalls for more than a decade; it's nothing 'out of this world', and most modern firewall solutions should be able to handle this kind of AD-integrated traffic filtering.

    When you are a 200-user shop, you possibly already have a firewall with this kind of capability. Check with the manager of the firewall!

    If your firewall doesn't have these capabilities, then it's time for an upgrade! Too many users to be using a "previous generation" firewall!

  • You can set up Split DNS in your AD. That should achieve the result you're aiming for. As for how to do that, I don't have a lot of time to write a guide, but you can start here: 

    https://www.vcloudnine.de/setting-up-split-dns-using-windows-dns-server/?cn-reloaded=1

  • All these are great suggestions. It sounds like you've already got a partially working solution, so if you want the easiest solution using what you've already implemented, why not just put entries for your DCs in your computers' local hosts file? If the only problem is DCs aren't being resolved, that should solve it. It's not the most elegant solution (you'll need to update all the workstation hosts files, which you can do with a simple login script), but it should allow you to keep the work you've already done and make it work. You didn't mention the OS you're using but I assume it's Windows, so the hosts file can be found in c:\Windows\System32\Drivers\etc\hosts (if for some reason you need to redirect WINS/NetBIOS you can do that in the lmhosts file, in the same directory).

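    The login-script hosts-file update suggested above, as an added PowerShell example that is not the poster's own script. It rewrites only lines carrying its own marker, so reruns replace rather than duplicate the entries, and it finishes with two checks a practitioner would want after deploying it: whether the DC names now resolve on a workstation, and whether the DC locator SRV record, which domain logon looks up in DNS before anything else and which a hosts file cannot supply, still resolves through whatever resolver the NIC currently has. The domain name, DC names and addresses are constructed.

    ```powershell
    # Added example: idempotent hosts-file entries for the DCs plus post-deployment checks.
    # Domain, DC names and addresses are constructed placeholders, not from the thread.
    #Requires -RunAsAdministrator
    #Requires -Modules DnsClient

    $HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"   # the path given in the post
    $AdDomain  = 'corp.example'                                  # hypothetical internal domain
    $DcEntries = @{                                              # constructed DC names and addresses
        'dc01.corp.example' = '10.0.0.10'
        'dc02.corp.example' = '10.0.0.11'
    }
    $Marker = '# managed-by-logon-script'                        # tag for lines this script owns

    function Update-DcHostsEntries {
        # Keep every line that is not ours, then append the current managed set.
        $keep = @()
        if (Test-Path $HostsPath) {
            $keep = @(Get-Content $HostsPath | Where-Object { $_ -notmatch [regex]::Escape($Marker) })
        }
        $managed = @(foreach ($name in ($DcEntries.Keys | Sort-Object)) {
            '{0,-16} {1} {2}' -f $DcEntries[$name], $name, $Marker
        })
        Set-Content -Path $HostsPath -Value ($keep + $managed) -Encoding ASCII
        $managed.Count      # number of DC entries written
    }

    # What the hosts file fixes: the DC names resolve whatever DNS server the NIC points at.
    # Resolve-DnsName consults the hosts file unless -DnsOnly is given.
    function Test-DcNameResolution {
        foreach ($name in $DcEntries.Keys) {
            [pscustomobject]@{
                Name     = $name
                Resolves = [bool](Resolve-DnsName -Name $name -ErrorAction SilentlyContinue)
            }
        }
    }

    # What it cannot fix: the DC locator starts with this SRV query, and SRV records only
    # come from DNS. A $false here means the resolver the NIC currently uses has no AD view.
    function Test-DcLocatorSrv {
        $r = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdDomain" -Type SRV -ErrorAction SilentlyContinue
        [bool]($r | Where-Object QueryType -eq 'SRV')
    }

    # Update-DcHostsEntries
    # Test-DcNameResolution | Format-Table
    # Test-DcLocatorSrv
    ```

    Run the two tests from a workstation in each of its DNS states; the pair of results tells you exactly which part of logon the hosts file covers on that machine.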
  • Why not use a web filter that goes between the user PCs and the Microsoft DNS service? That's what we're using, software called DNS Redirector. Our setup is like this...

    User PCs get the DNS Redirector server IP via DHCP or group policy; that server filters the bad stuff, then it forwards DNS requests on to the MS DNS service, and the MS DNS service forwards out to your ISP or Google DNS, or whoever you like better.

    This lets us have some PCs that are filtered, and others that are not.

  • Big Green Man wrote:

    use an HTTP(S) proxy instead

    This. ^^^
