internet filter and access control

Bill Vermillion fp at wjv.com
Fri Jan 28 06:44:10 PST 2005


Putting quill to paper and scribbling furiously on Thu, Jan 27 21:24  
Kenneth Brody missed achieving immortality when he said: 

> Bill Vermillion wrote:
> [...]
> > The other problem will be that you will have to set up the machines
> > you don't want to access the world to use that internal DNS and
> > for those that need to go elsewhere have those set up with a real
> > DNS.

> > And then you have to keep the users from changing the network
> > settings to use an external DNS.   Since a good many people are
> > computer savvy then you need a very good internal policy as to what
> > will happen to anyone violating the policies.

> Just as many ISPs block SMTP access to anything except their own
> servers, you should be able to block external DNS attempts, or
> even have your router reroute them to your own DNS server.

But if you block access to external DNS servers, then you have the
problem of just who will be able to see the outside DNS
servers.    But you still have to have strict policies to keep
the computer savvy people from changing these items.

As to local DNS it is going to depend on just what/how you are
using DNS.

If you are responsible for your own DNS - e.g. you are the primary
DNS while your ISP is secondary - then you run two DNS servers
on your DNS machine.   This is handy when you have a machine
acting as a web server, mail, router, or ??.     You put
your public IP on one interface.  And your private IP on the other 
interface.

Then you configure one DNS for all the IPs you wish the public to
see, and the other DNS for all your internal addresses.  Then
you add the 'listen-on' statement to each server running on the
same machine so that external queries go to the DNS serving the
public IP and all local machines go to the IP serving the private
address.

If you run DHCP you could perhaps run conditional statements - but
that is going to be outside the realm of the $70 dsl/cable/dhcp
type devices.    


Bill
-- 
Bill Vermillion - bv @ wjv . com
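
The two-instance split DNS layout described above, written out as an added example (this is not configuration from the original post or from the filePro project). Every path, address and zone name is assumed: 203.0.113.10 is the public interface, 192.168.1.1 the private one, 198.51.100.53 stands in for the ISP's secondary/resolver, and example.com for the domain. Each instance gets its own directory and pid file so the two named processes never collide, and the 'listen-on' statement is what keeps outside queries off the private instance and inside queries off the public one:

```bind
// /etc/named-public.conf  (assumed path): authoritative-only instance on the public IP
options {
    directory "/var/named/public";          // assumed layout: separate dirs per instance
    pid-file  "/var/run/named-public.pid";  // separate pid files, or the 2nd instance refuses to start
    listen-on { 203.0.113.10; };            // public interface only (assumed address)
    listen-on-v6 { none; };
    recursion no;                           // never recurse for outsiders: no open resolver
    allow-query { any; };                   // the zone is public, the resolver is not
    allow-transfer { 198.51.100.53; };      // ISP secondary only (assumed address)
    also-notify { 198.51.100.53; };
    version "none";
};

zone "example.com" {
    type master;
    file "example.com.public";              // only what the world should see: www, mx, ns
};

// /etc/named-internal.conf  (assumed path): recursive instance on the private IP
options {
    directory "/var/named/internal";
    pid-file  "/var/run/named-internal.pid";
    listen-on { 192.168.1.1; 127.0.0.1; };  // private interface plus loopback for the box itself
    listen-on-v6 { none; };
    recursion yes;
    allow-query     { 192.168.1.0/24; 127.0.0.1; };   // LAN only
    allow-recursion { 192.168.1.0/24; 127.0.0.1; };
    allow-transfer { none; };               // nobody gets a copy of the internal map
    forwarders { 198.51.100.53; };          // optional: hand recursion to the ISP (assumed)
};

zone "example.com" {
    type master;
    file "example.com.internal";            // every workstation, printer and private address
};
```

Start them as two processes, e.g. `named -c /etc/named-public.conf` and `named -c /etc/named-internal.conf`, and point the box's own /etc/resolv.conf at 127.0.0.1 so it uses the internal instance. The two zone files must live in different directories; if the public instance could read example.com.internal, the whole split is pointless. BIND 9 can also do this inside one process with `view` blocks keyed on `match-clients`, but the two-instance layout above is the one the post describes.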


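The "reroute them to your own DNS server" idea from the quoted reply, and the follow-on problem of deciding who may still reach outside DNS, as an added example for a Linux gateway (not code from the original post). The interface name, addresses and the allow-listed host are assumptions: the gateway is also the DNS box with private address 192.168.1.1 (matching the layout above), and 192.168.1.50 is a hypothetical admin workstation. Rule order is the policy: the exemptions come before the DNAT, and anything that still heads out on port 53 is logged and dropped. Without an argument the script only prints the iptables commands; `apply` pipes them to sh.

```sh
#!/bin/sh
# Added example, not from the original post. Every address, interface
# and host is an assumption made for illustration; adjust to your LAN.
# Policy: LAN hosts resolve only through the gateway's internal named;
# a short allow-list may still query outside DNS servers.
set -eu

LAN_IF=eth1                        # inside interface of the gateway/DNS box (assumed)
LAN_NET=192.168.1.0/24             # private network (assumed)
INTERNAL_DNS=192.168.1.1           # private IP the internal named listens on (assumed)
ALLOW_EXTERNAL_DNS="192.168.1.50"  # hosts permitted to use outside DNS (assumed, space-separated)

# Emit "check, else append" so the script is safe to re-run.
ensure() {      # ensure TABLE CHAIN match...
    t=$1; shift
    echo "iptables -t $t -C $* 2>/dev/null || iptables -t $t -A $*"
}
newchain() {    # newchain TABLE NAME: create, or flush if it already exists
    echo "iptables -t $1 -N $2 2>/dev/null || iptables -t $1 -F $2"
}

dns_egress_rules() {
    newchain nat DNS_REDIRECT
    newchain filter DNS_EGRESS

    # 1. Allow-listed hosts are matched first: rule order is the policy.
    for host in $ALLOW_EXTERNAL_DNS; do
        ensure nat DNS_REDIRECT -s "$host" -j RETURN
        ensure filter DNS_EGRESS -s "$host" -j ACCEPT
    done

    # 2. Everyone else: rewrite port-53 traffic (UDP and TCP; TCP carries large
    #    answers) to the internal resolver. A workstation that "helpfully" sets
    #    an outside resolver still ends up asking our server.
    for proto in udp tcp; do
        ensure nat DNS_REDIRECT -p "$proto" --dport 53 -j DNAT --to-destination "$INTERNAL_DNS:53"
    done

    # 3. Log (evidence for the "strict policy" conversation) and drop anything
    #    that still tries to leave for an outside resolver.
    ensure filter DNS_EGRESS -j LOG --log-prefix DNS-EGRESS-BLOCK:
    ensure filter DNS_EGRESS -j DROP

    # 4. Hook the chains in; the redirected queries are now local, so INPUT must
    #    accept them for named.
    for proto in udp tcp; do
        ensure nat PREROUTING -i "$LAN_IF" -s "$LAN_NET" ! -d "$INTERNAL_DNS" -p "$proto" --dport 53 -j DNS_REDIRECT
        ensure filter FORWARD -i "$LAN_IF" ! -d "$INTERNAL_DNS" -p "$proto" --dport 53 -j DNS_EGRESS
        ensure filter INPUT -i "$LAN_IF" -d "$INTERNAL_DNS" -p "$proto" --dport 53 -j ACCEPT
    done
}

case "${1:-print}" in
    apply) dns_egress_rules | sh -e ;;   # run as root on the gateway
    *)     dns_egress_rules ;;           # dry run: just print the commands
esac
```

The DNAT makes the "change the DNS setting" workaround silently ineffective, which is usually enough; the LOG rule is there so the hosts that keep trying show up in syslog. Note that the gateway's own forwarding queries originate in the OUTPUT chain and are not touched by these rules.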
More information about the Filepro-list mailing list