DNS – Block malware sites

When we set up our domain controllers, we installed the DNS role. DNS is key to how Active Directory works. It is possible to move DNS onto dedicated servers, but it is commonplace to leave DNS on the domain controllers. Client machines all have to use DNS servers associated with the domain in order to resolve names and to locate services such as Global Catalogs and LDAP servers. By default these DNS servers will also resolve internet addresses and cache the results, using root hints to find whichever domain is requested. One alternative is to use a third-party DNS resolution service.
OpenDNS is one such service, and by default it blocks access to known malware sites. One way to offer some protection to your client devices is therefore to forward your DNS requests to these servers. To do this, open the DNS tool from the management workstation we created. Add your DNS servers and connect to each of them. Right-click the server in the left pane and select Properties. In here you will see a Forwarders tab. Select this tab and add the OpenDNS forwarder addresses 208.67.222.222 & 208.67.220.220. Click Apply, then OK. Repeat this process on all your DNS servers.
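The same forwarder change can be applied to every DNS server in one go from the management workstation with the DnsServer PowerShell module (part of the DNS Server RSAT tools). The script below is an added example, not part of the original post: it sets the two OpenDNS addresses from the post as forwarders on each listed server, reads the list back to confirm it took, and resolves the OpenDNS demo name through each server so you can see the filtered answer. The server names DC01 and DC02 are placeholders for your own domain controllers.

```powershell
# Added example (not from the original post): push the OpenDNS forwarders to every
# AD-integrated DNS server and verify the change.
# Requires the DnsServer module (DNS Server RSAT) and admin rights on each server.
$DnsServers = @('DC01', 'DC02')                       # assumption: replace with your DC names
$Forwarders = @('208.67.222.222', '208.67.220.220')   # OpenDNS resolvers named in the post

foreach ($server in $DnsServers) {
    # Set-DnsServerForwarder replaces the whole forwarder list, so stale entries are dropped.
    Set-DnsServerForwarder -ComputerName $server -IPAddress $Forwarders

    # Read the list back and confirm both expected forwarders are present.
    $configured = (Get-DnsServerForwarder -ComputerName $server).IPAddress |
        ForEach-Object { $_.IPAddressToString }
    $missing = $Forwarders | Where-Object { $_ -notin $configured }
    if ($missing) {
        Write-Warning "$server is missing forwarder(s): $($missing -join ', ')"
    } else {
        Write-Host "$server forwarders OK: $($configured -join ', ')"
    }

    # Resolve the OpenDNS demo site through this server. With forwarding in place
    # the answer comes from OpenDNS's filtered view rather than from root hints.
    Resolve-DnsName -Name 'www.internetbadguys.com' -Type A -Server $server -ErrorAction SilentlyContinue |
        Select-Object Name, Type, IPAddress |
        Format-Table -AutoSize
}
```

Run it once from an elevated PowerShell session; the warning branch tells you which server still needs attention, which is easier than opening the Forwarders tab on each one by hand.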
To test that this is configured correctly, attempt to visit this URL (it is a demo URL and safe):
http://www.internetbadguys.com/
You will get a message saying whether or not it was blocked.
You can pay for a business account that allows further DNS filtering of categories such as adult material, but that is something you would need to evaluate for yourself. Of course this protection can be bypassed by editing the hosts file or by manually configuring DNS servers on the clients. Both are administrative tasks, however, so a normal user should not be able to do either.
