"Block" a specific domain in Windows DNS?

  • Question

  • We just got a phishing attempt and I felt really bad that I could not stop people from accessing a domain. Isn't there a way to override a domain in our DNS just for a while so I can stop people from accessing a domain?

    We have Windows 2008 R2 DNS servers.

    Tuesday, February 21, 2012 7:33 PM

Answers

  • Jorge provided your answer. For example, when I want to block www.youtube.com, I create a zone called youtube.com, and don't create any records.

    Sometimes if I want to play around, I'll create two CNAME records, one called www, and one with no hostname, under it, that both point to the company's website. This way when they type in www.youtube.com or http://youtube.com, it goes to the company website. That confuses them. :-)

    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, February 22, 2012 2:20 AM
  • Yes, you could create a zone for that domain.  No need to create any records, unless you want to point them to a webserver explaining why they are there.  Having a DNS zone will make you authoritative for it.  When people click on the phishing links, their computers will try to resolve the name with your DNS, and of course, will not be able to access the malware site.


    Guides and tutorials, visit ITGeared.com.


    Tuesday, February 21, 2012 7:54 PM
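    The two answers above describe one procedure: make the server authoritative for the phished domain by creating an empty zone, optionally adding records that send the browser to an internal warning page. The script below is an added example, not code from any post in this thread, that carries that procedure out with dnscmd.exe (the tool that ships with Windows Server 2008 R2; the DnsServer PowerShell cmdlets only arrived with Server 2012). The function names are mine, phish-example.test is a placeholder for the phished domain, and 192.0.2.10 is a documentation address standing in for your intranet page. It goes one step past the thread's "www plus blank" pair by publishing a wildcard record, so every label under the domain lands on the warning page, and it adds the two things a practitioner wants around a temporary block: a guard against clobbering a zone that already exists, and a clean rollback.

```powershell
# Added example (not from the thread): sinkhole a domain on a Windows Server 2008 R2
# DNS server with the built-in dnscmd.exe. Function names are mine; the DnsServer
# PowerShell module (Add-DnsServerPrimaryZone etc.) only shipped with Server 2012.

function New-SinkholeZone {
    param(
        [Parameter(Mandatory=$true)][string]$Domain,  # zone to sinkhole, e.g. phish-example.test
        [string]$WarningIP,                           # IPv4 of an internal warning page; omit for an empty zone
        [string]$Server = '.'                         # '.' = the local DNS server
    )
    # Refuse to touch a zone that is already there (dnscmd /ZoneInfo exits non-zero when absent).
    & dnscmd $Server /ZoneInfo $Domain | Out-Null
    if ($LASTEXITCODE -eq 0) { throw "Zone $Domain already exists on $Server; not touching it" }

    # AD-integrated primary zone: replicates to every DC that runs DNS. On a standalone
    # DNS server use instead:  dnscmd $Server /ZoneAdd $Domain /Primary /file "$Domain.dns"
    & dnscmd $Server /ZoneAdd $Domain /DsPrimary | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dnscmd /ZoneAdd $Domain failed (exit code $LASTEXITCODE)" }

    if ($WarningIP) {
        # '@' is the zone apex (http://domain/); '*' is a wildcard that covers www. and any
        # other label, so a link to a random subdomain still reaches the warning page.
        & dnscmd $Server /RecordAdd $Domain '@' A $WarningIP | Out-Null
        & dnscmd $Server /RecordAdd $Domain '*' A $WarningIP | Out-Null
    }
    # Drop any cached answer for the real domain so the new zone takes effect at once.
    & dnscmd $Server /ClearCache | Out-Null
}

function Remove-SinkholeZone {
    param(
        [Parameter(Mandatory=$true)][string]$Domain,
        [string]$Server = '.'
    )
    # /DsDel removes the AD-integrated copy; /f skips the confirmation prompt.
    & dnscmd $Server /ZoneDelete $Domain /DsDel /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dnscmd /ZoneDelete $Domain failed (exit code $LASTEXITCODE)" }
}

function Test-SinkholeZone {
    param(
        [Parameter(Mandatory=$true)][string]$Domain,
        [string]$DnsServerIP = '127.0.0.1'
    )
    # nslookup writes part of its output to stderr, so merge the streams inside cmd.exe.
    $apex = cmd /c "nslookup -type=A $Domain $DnsServerIP 2>&1"
    $www  = cmd /c "nslookup -type=A www.$Domain $DnsServerIP 2>&1"
    return ($apex + $www) -join "`n"
}

# Usage (run as a DNS admin on the server):
#   New-SinkholeZone -Domain phish-example.test -WarningIP 192.0.2.10
#   Test-SinkholeZone -Domain phish-example.test
#   Remove-SinkholeZone -Domain phish-example.test     # once the campaign is over
```

    Two things to check before running it against a real domain: the block only bites for clients that actually use these DNS servers (workstations that resolve through an outside resolver sail past it), and it covers the whole zone, so if the phishing page sits under a shared hosting provider's domain the same sinkhole takes down every legitimate site under that name. Clients that already looked up the real name keep their cached answer until it expires or they run ipconfig /flushdns.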

All replies

  • Also you may want to block all DNS requests from all computers except your DNS servers.

    • Proposed as answer by jimcaror70 Wednesday, September 28, 2016 4:54 PM
    Tuesday, February 21, 2012 8:59 PM
  • Ace, it's actually funner to watch people click on the malware link and have them redirected to an intranet page that contains big security icons and a statement about being logged. Give it a try sometime. :-)

    Guides and tutorials, visit ITGeared.com.


    Wednesday, February 22, 2012 3:38 AM
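    The reply above tells users they are being logged; the DNS server can back that up. With the sinkhole zone in place, every lookup of the phished name now hits your server, so the list of clients that clicked the link is sitting in the server's debug log (DNS Manager, server properties, Debug Logging tab, "Log packets for debugging", incoming queries). The script below is an added example, not part of any post here: the function names are mine, and the four log lines are constructed in the 2008 R2 debug-log packet format to stand in for a real C:\dns.log. It decodes the "(3)www(7)example(3)com(0)" label notation the log uses and groups the queries by client address.

```powershell
# Added example (not from the thread): find which clients asked this server for a
# sinkholed name, from the DNS debug log. Function names and the sample lines are mine;
# the lines follow the Windows Server 2008 R2 debug-log packet format.

function ConvertFrom-DnsLabelName {
    # The log writes names as "(3)www(7)example(3)com(0)"; rebuild "www.example.com".
    param([Parameter(Mandatory=$true)][string]$Encoded)
    $labels = [regex]::Matches($Encoded, '\(\d+\)([^(]*)') |
        ForEach-Object { $_.Groups[1].Value } |
        Where-Object { $_ -ne '' }
    return ($labels -join '.').ToLower()
}

function Get-SinkholeQueries {
    param(
        [Parameter(Mandatory=$true)][string[]]$LogLines,
        [Parameter(Mandatory=$true)][string]$Domain   # the sinkholed zone
    )
    # Received queries only. Field order of a packet line:
    # <date> <time> <AM/PM> <thread> PACKET <id> UDP|TCP Rcv <client> <xid> Q [flags] <qtype> <name>
    # Responses carry "Snd" and an "R" before the "Q", so they never match.
    $pattern = '^(?<when>\S+\s+\S+\s+\S+)\s+\S+\s+PACKET\s+\S+\s+(?:UDP|TCP)\s+Rcv\s+(?<client>\S+)\s+\S+\s+Q\s+\[[^\]]*\]\s+(?<qtype>\S+)\s+(?<name>\(\d+\)\S*\(0\))'
    $zone = $Domain.ToLower()
    $hits = @{}
    foreach ($line in $LogLines) {
        $m = [regex]::Match($line, $pattern)
        if (-not $m.Success) { continue }
        $name = ConvertFrom-DnsLabelName $m.Groups['name'].Value
        # Keep the apex and anything beneath it; ignore unrelated lookups.
        if ($name -ne $zone -and -not $name.EndsWith(".$zone")) { continue }
        $client = $m.Groups['client'].Value
        if (-not $hits.ContainsKey($client)) { $hits[$client] = @() }
        $hits[$client] += ('{0} {1} {2}' -f $m.Groups['when'].Value, $m.Groups['qtype'].Value, $name)
    }
    return $hits
}

# Constructed sample log lines (not real traffic). 10.0.0.23 followed the phishing link
# twice; 10.0.0.40 looked up something unrelated; the second line is a response, not a query.
$sampleLog = @(
    '2/22/2012 10:58:01 AM 0F10 PACKET  000000000285A3B0 UDP Rcv 10.0.0.23       0002   Q [0001   D   NOERROR] A      (3)www(13)phish-example(4)test(0)',
    '2/22/2012 10:58:01 AM 0F10 PACKET  000000000285A3B0 UDP Snd 10.0.0.23       0002 R Q [8085 A DR  NOERROR] A      (3)www(13)phish-example(4)test(0)',
    '2/22/2012 10:58:05 AM 0F10 PACKET  000000000285B1C0 UDP Rcv 10.0.0.40       0003   Q [0001   D   NOERROR] A      (8)intranet(4)corp(5)local(0)',
    '2/22/2012 11:02:17 AM 0F10 PACKET  000000000285C2D0 UDP Rcv 10.0.0.23       0004   Q [0001   D   NOERROR] A      (13)phish-example(4)test(0)'
)

$hits = Get-SinkholeQueries -LogLines $sampleLog -Domain 'phish-example.test'
foreach ($client in ($hits.Keys | Sort-Object)) {
    Write-Output ('{0}: {1} query(ies)' -f $client, $hits[$client].Count)
    $hits[$client] | ForEach-Object { Write-Output "    $_" }
}
# Against the real file:  Get-SinkholeQueries -LogLines (Get-Content C:\dns.log) -Domain phish-example.test
```

    On the sample data the output lists 10.0.0.23 with two queries and nothing for 10.0.0.40. Debug logging records every packet the server handles and grows quickly, so enable it for the duration of the incident, run the script against the file, and turn it back off.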
  • You know, I might try that. I did the youtube thing because people were complaining about slow internet speeds during the day, but would speed up after 5PM. After some testing, they were messing with streaming music and vids. I am using OpenDNS to control the stuff, but I first did what I mentioned above. Next time I'll create an intranet page, as you suggested, and put a big Jolly Roger flashing GIF with some "pirate" laughter. If they don't get a kick out of it, I will! :-)

    Ace Fekay

    Wednesday, February 22, 2012 5:12 AM
  • Just to add, we might also add this domain name into the Global Query Block List on that DNS server:

    Managing the Global Query Block List

    http://technet.microsoft.com/en-us/library/cc794902(WS.10).aspx

    Thanks.

    Tiger Li

    TechNet Community Support

    Wednesday, February 22, 2012 10:58 AM