How To Setup 2 DIFFERENT DNS Servers

detroit (MIS), Sep 13, 2002
I'd like to restrict access to the internet for some users in our different locations. I've tried several things, but found that the easiest was to not set up a DNS entry in the DHCP server or TCP/IP properties.

However, this caused slow logins to the domain.

Another way was to remove the gateway feature, but I don't believe I can do that as I am dealing with several sites, and the gateway would be necessary to route them back to our main location. Please correct me if I am wrong on this part.

The best way for me to do this now is to set up 2 different DNS servers. One that has the forward to the internet, and one that does not. Therefore, I can still add DNS entries for all users, but the one DNS address will not be forwarded to the internet, where the first one will.

I have 2 servers running DNS. They are backing each other up and have the to the internet. They are also storing this in the AD, not in a separate file.

My 3rd server in this location will be the one that does not forward to the internet.

How can I set up this server without it getting its DNS entries from the AD and/or the other 2 DNS servers?

Thanks.

Detroit.
 
Another way would be to block port 80 on the router to ip address ranges you want to stop.

Hewissa

MCSE, CCNA, CIW
 
Matt....

Can you be a little more specific on what needs to be enabled/disabled in the group policies?

Detroit.
 
Why mess with DNS and such? Why don't you just block internet access right at your router or firewall for the hosts you don't want going to internet sites? That's a two-line entry in a Cisco device...then you're done.
 
I have 7 different sites, all users are set with static IP addresses, and only some people need internet access.

I was thinking that 2 DNS lists would be the easiest.

Detroit
 
DNS doesn't control internet access. As long as your hosts aren't blocked at the router/firewall, they can still get there.

If they are static IP addressed, just block all but the few hosts. DNS is for domain name resolution...not blocking people from certain websites.
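
The allowlist approach described in the reply above, written as a Cisco IOS extended ACL (an added example, not part of the original thread; the addresses, ACL name and interface are constructed assumptions). It also permits internal destinations first, so the gateway keeps routing site-to-site traffic back to the main location while everything else is dropped:

```cisco
! Constructed addressing (assumptions, not from the thread):
!   10.0.0.0/8          all internal sites, reached through this gateway
!   10.2.0.0/24         LAN of this site
!   10.2.0.21, .22      static hosts at this site approved for internet access
!   GigabitEthernet0/1  LAN-facing interface of the site router
!
ip access-list extended SITE-LAN-IN
 remark Keep site-to-site traffic working (internal DNS, domain logon, file shares)
 permit ip 10.2.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 remark Static hosts approved for internet access
 permit ip host 10.2.0.21 any
 permit ip host 10.2.0.22 any
 remark All other LAN traffic to non-internal destinations is dropped and logged
 deny ip any any log
!
interface GigabitEthernet0/1
 ip access-group SITE-LAN-IN in
```

Entries are matched top to bottom and the first match wins, so the internal permit has to stay above the final deny. The `log` keyword on the deny gives a record of hosts that try to reach the internet without being on the list.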
 
I would agree with hewissa and bwilliam in this situation. Block the users at the router. Or more specifically filter the ip addresses of the statically configured machine.

Unless, what detroit is saying is that it is to apply to specific users, whereas what Matt had said, using GPOs would be more appropriate.

If you want to get really fancy, configure a proxy server or an ISA server and filter them there too.
 
I'd love to do a proxy server or an ISA server, but the issue with doing that is the dollar value....Not in this year's budget. Unless there is a cheaper way that I am not aware of.

As for the DNS issue, if I had 2 different DNS servers, I could set one of them up to forward to the ISP, and one to not forward to the ISP, therefore, restricting internet access.

I don't want some users having access to the internet at ALL, not just restricted to a few sites....

Detroit
 