internet filter and access control

Kenneth Brody kenbrody at bestweb.net
Fri Jan 28 08:14:48 PST 2005


Bill Vermillion wrote:
[...]
> > > And then you have to keep the users from changing the network
> > > settings to use an external DNS.   Since a good many people are
> > > computer savvy then you need a very good internal policy as to what
> > > will happen to anyone violating the policies.
> 
> > Just as many ISPs block SMTP access to anything except their own
> > servers, you should be able to block external DNS attempts, or
> > even have your router reroute them to your own DNS server.
> 
> But if you block access to external DNS servers, then you have the
> problem of blocking just who will be able to see the outside DNS
> servers.    But you still have to have strict policies to keep
> the computer savy people from changing these items.
> 
> As to local DNS it is going to depend on just what/how you are
> using DNS.
> 
> If you are responsible for your own DNS - eg you are the primary
> DNS while your ISP is secondary - then you run two DNS servers
> on your DNS machine.   This is handy when you have a machine
> acting as a web server, mail, router, or ??.     You put
> your public IP on one interface.  And your private IP on the other
> interface.
[...]

I have every system on our LAN configured to use the router for DNS.  While
I don't block external DNS, I could easily configure the router to block
and/or redirect external DNS requests from inside the LAN.  The router also
has its own hosts file, so I can add shortcuts to some of fPTech's systems.
(For example, "bill.fptech" resolves to Bill's system, and "fpchat.fptech"
resolves to the fPChat server, regardless of the "real" names of those
systems.  When the fPChat server was moved from the Sun box in Indy down
to a Windows box in Florida, I simply changed the router's hosts file, and
no changes were needed to the local fPChat clients' configurations.)  If
the name isn't listed in the hosts file, the router goes out to the ISP's
DNS server.  I can also prevent some annoying ads from appearing by adding
things like "ads.x10.com" to the router's hosts file.  If I wanted, I could
also restrict access to the outside world to only those sites I wanted, and
could do that on a system-by-system basis.  For example, I could restrict
which IP addresses Alex's system could access.  (For now, all I need to do
is configure Netscape to not show the address bar, and set his home page to
a local HTML document with only those sites we want him to have access to.)

-- 
+-------------------------+--------------------+-----------------------------+
| Kenneth J. Brody        | www.hvcomputer.com |                             |
| kenbrody/at\spamcop.net | www.fptech.com     | #include <std_disclaimer.h> |
+-------------------------+--------------------+-----------------------------+
Don't e-mail me at: <mailto:ThisIsASpamTrap at gmail.com>
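A worked model of the router-side DNS behaviour Ken describes above, added here as an example; it is not code from the original post or from any fPTech system. The hosts-file contents, the client addresses (192.168.1.77 stands in for the restricted machine), its allow-list and the offline stand-in for the ISP's resolver are all constructed for the example. The lookup order is the one the post describes: the router's own hosts file first (internal shortcuts and sinkholed ad hosts), then a per-client restriction on what may be resolved externally, then forwarding to the ISP.

```python
"""Model of a LAN router's DNS behaviour: local hosts file first, then a
per-client allow-list, then the ISP's resolver. Constructed example only."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

SINKHOLE = "0.0.0.0"  # address handed out for hosts we want to black-hole

# Constructed hosts file (assumed contents, not the actual router file).
# Internal shortcut names get stable addresses; ad hosts point at the sinkhole.
HOSTS_FILE = """
# internal shortcuts: when a service moves, change one line here
192.168.1.10   bill.fptech
192.168.1.20   fpchat.fptech   chat.fptech
# ad servers: answer with 0.0.0.0 so the browser never connects
0.0.0.0        ads.example.com
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts(5) syntax into {name: address}; names are normalised to
    lower case without a trailing dot, comments and blank lines skipped."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        ipaddress.ip_address(addr)  # raises ValueError on a malformed address
        for name in names:
            table[name.lower().rstrip(".")] = addr
    return table


@dataclass
class RouterDns:
    hosts: Dict[str, str]
    upstream: Callable[[str], Optional[str]]
    # client address -> names (or parent domains) it may resolve externally;
    # a client with no entry is unrestricted
    allow: Dict[str, Set[str]] = field(default_factory=dict)

    def resolve(self, name: str, client_ip: str) -> Optional[str]:
        """Return the address to answer with, or None for a refusal/NXDOMAIN."""
        key = name.lower().rstrip(".")
        # 1. the router's own hosts file wins over the outside world, so
        #    internal shortcuts and sinkholed ad hosts are answered locally
        if key in self.hosts:
            return self.hosts[key]
        # 2. a restricted client only gets external names on its list
        allowed = self.allow.get(client_ip)
        if allowed is not None and not any(
            key == a or key.endswith("." + a) for a in allowed
        ):
            return None
        # 3. everything else is forwarded to the ISP's resolver
        return self.upstream(key)


# Constructed stand-in for the ISP's resolver so the example runs offline;
# the addresses come from the RFC 5737 documentation ranges.
FAKE_UPSTREAM = {"www.example.org": "203.0.113.5", "www.example.net": "198.51.100.7"}


def fake_upstream(name: str) -> Optional[str]:
    return FAKE_UPSTREAM.get(name)


def build_router() -> RouterDns:
    """Assemble the policy; 192.168.1.77 is the assumed restricted machine."""
    return RouterDns(
        hosts=parse_hosts(HOSTS_FILE),
        upstream=fake_upstream,
        allow={"192.168.1.77": {"example.org"}},
    )


if __name__ == "__main__":
    router = build_router()
    for client, name in [("192.168.1.50", "fpchat.fptech"),
                         ("192.168.1.50", "ads.example.com"),
                         ("192.168.1.77", "www.example.org"),
                         ("192.168.1.77", "www.example.net")]:
        print(f"{client} asks {name:18} -> {router.resolve(name, client)}")
    # moving a service: edit the table, clients keep their configured name
    router.hosts["fpchat.fptech"] = "192.168.2.20"
    print("after move:", router.resolve("fpchat.fptech", "192.168.1.50"))
```

The hosts-file lookup only helps if clients actually ask the router. On a Linux router the matching egress rule is an iptables rule in the FORWARD chain that rejects LAN traffic to destination port 53 (UDP and TCP) except when addressed to the router itself, or a DNAT rule in the nat table's PREROUTING chain that redirects such traffic to the router. Without one of those, a user who points the stack at an outside resolver bypasses both the shortcuts and the sinkhole.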


