On 7/25/2012 3:26 PM, Emiliano Vazquez wrote:
well on a dns level will be nice to block it but if the user will have
access to some dns anywhere in the world in any way he can just use some
basic browser tricks to make this dns setup stupid.
i think it's better to use a proxy\fw to block these sites.
you can use let say squid and use some nice and good acls to do all your
the tricks you need.
Regards,
Eliezer
My idea was block all DNS except the bind9 who has this filter. blocking
port 53 will we enought?
I'm using squid but in transparent mode.
I'm reading about this. If i find the solution i will post. Have a lot
of work to read!
Best regards.
block udp dst port 53 is good but you must to take in account that maybe
some of your services\servers needs this access for whatever reason
there is.
if you are using squid in transparent mode it's good enough for basic
http blocking.
to block HTTPS you will need to force your users to use the proxy server
using some WPAD + DHCP \ Group policy.
either of them can lead to some problems so you can test it first and
see if it's for you.
there is an option of SSL-BUMP in squid that can take a lot off but you
must install the local root-ca on all the clients computers.
i suggest for you to first implement the basic allow\deny acls in squid
for the intercepted traffic and later see what is the effect.
Regards,
Eliezer
--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
