DNS Redirector
 Return to FAQ List


FAQ 5: Block everything and allow just a few sites

Category: BlockedIP function


Block all websites and/or software that uses DNS to reach login servers/communicate (such as IM, chat, or email clients).

Allow a list of domain names you choose.

Resolution

Create a blocked.txt file and put just a . (period) in it on the first line, this blocks everything.

If you've previously been using updater.exe you should delete it, and the scheduled task, so it doesn't run and replace your blocked.txt file.

Create an allowed.txt file and add domains that clients may visit, one on each line...
allowed.inside.example.com
^(.*\.)?cnn\.com$   ...allows browsers to visit http://cnn.com and http://www.cnn.com and http://money.cnn.com
^(.*\.)?microsoft\.com$
^.*\.msftncsi\.com$
^(.*\.)?msftconnecttest\.com$   ...see FAQ 159
^.*\.in-addr\.arpa$
^update\.nai\.com$   ...allows McAfee Virus Scan Enterprise updates via HTTP
^ftp\.nai\.com$

If client computers are part of a domain you will also want to allow your internal domain name(s) otherwise clients may have trouble reaching internal servers or experience very slow logon after CTRL+ALT+DEL. This domain name is shown under My Computer, right-click Properties, Computer Name tab, where it says Full computer name.
The format is: computer-name.netbios-domain-name.domain.tld
As an example: hp713.hq.contoso.com
So you could add a plain keyword like: .hq.contoso.com
or, a more secure regex keyword like: ^.*\.hq\.contoso\.com$

You'll find some websites/software may need additional domains to function correctly, like their CDN or partner sites.
You can discover these other domains by:
- setting Logging=Full in dnsredir.ini
- restart DNS Redirector
- clear your cache and visit the website, or start the software/update
- look at today's logfile to see what else is required

You may also want to allow other software update domains; virus scan definitions, Adobe, or Microsoft updates.

Both of these files should be in the DNS Redirector working directory (usually C:\DNSREDIR) and specified in dnsredir.ini as:
BlockedKeywordsFile=blocked.txt
AllowedKeywordsFile=allowed.txt

 [ See a sample allowed file here: example-allowed.txt ]
Common/popular services and websites may use many domains, and rely on other CDN domains. Incorporating this list can avoid disruption to services you know your company relies on. Remember that your internal domain suffix should also be included in your allowed file.

All keyword lists need to have at least one non-regex keyword present; at least 1 line not starting with ^
You can make this keyword up and/or make it specific to your network's domain, for example: allowed.inside.example.com



Related articles
FAQ 75  Create 3 tiers of blocking
FAQ 159  Useful AllowedKeywordsFile or AlwaysKeywordsFile additions

 
DNS Redirector | Legal Information | 2003-2017