Setup Instructions
    Windows Server 2008 R2
       Internet Filter
          On a stand-alone server
             Configured to block everything, but allow some sites/domains



Implementation Considerations

Use a standard LAN with a hardware firewall as the default gateway; see the Network Examples.
     Note that proxy/SOCKS, ISA, or ICS configurations are not compatible.

Blocked/allowed functionality works regardless of network placement; this is discussed further in FAQ 37.
     Normally, all clients should get the IP of the DNS Redirector server as their default DNS server, provided by DHCP.
     Alternatively, you can use the IP of the DNS Redirector server as the default DNS server on just a few clients, set statically.

This system must have a static IP address.
     (Do this under TCP/IP properties, do not use a DHCP reservation)


Install prerequisites

Download and install the Microsoft .NET Framework 4.6.1

Revisit Microsoft Update until no .NET Framework 4.x updates remain
     Some .NET updates appear to stall; be patient, they will complete

Restart your computer (really, do restart even if the installer did not prompt you to)


Setup the blocked website

Download a sample blocked page

Right-click the .zip file you just downloaded
     Select properties
     Click the Unblock button (if this button is not present just proceed), then OK
     Extract the contents to a new folder C:\Inetpub\blocked

Verify that "ASP" and "Server Side Includes" are installed with IIS (see screenshot)

In IIS Manager create a site:
     Site name: dnsredir-blocked
     Content Directory, Physical path: C:\Inetpub\blocked
     Binding, Type: http | IP address: pick the static IP address you assigned to this system | Port: 80
     Host name: leave blank
     [checked] Start Web site immediately

Verify the Default Document is: blocked.asp (must be listed first, remove all other default documents)

Under Error Pages, Edit Feature Settings, set: Custom error pages (see screenshot)

Verify the Error Pages are set:
     Status Code: 403.1 | Path: /blocked.asp | Type: Execute URL
     Status Code: 404    | Path: /blocked.asp | Type: Execute URL
     Status Code: 414    | Path: /blocked.asp | Type: Execute URL

Download REG-UrlSegmentMaxLength.zip then open the .reg file
     Necessary for certain blocked content to be replaced correctly, see FAQ 169

Verify the HTTP Response Header is set: (see screenshot)
     Cache-Control: no-store, no-cache, post-check=0, pre-check=0
     META tags that prevent caching (as included in our example pages) are required in addition to this HTTP header (see rfc2616-sec14.9 and msdn)

Under ASP, Enable Parent Paths, set: True (see screenshot)

Check NTFS permissions on the root folder (see screenshot)
     (see kb981949)

If you downloaded the "blocked -suggested.zip" site, open C:\Inetpub\blocked\global.asa with notepad and read the "Required settings" section.


Setup DNS Redirector software

Download the software from http://dnsredirector.com/download and run the file

     -- This software will run as a demo (all features and capabilities) for 25 days --

     If you are upgrading see FAQ 103.

Open dnsredir.ini and set the following
     ListenOnIP= to be the static IP address you assigned to this system
     SimpleDNS=simpledns.txt
     DNSServerIP= to be the IP of your internal DNS server, or a DNS server provided by your ISP
     BlockedIP= to be the static IP address you assigned to this system, same as ListenOnIP
     BlockedKeywordsFile=blocked.txt
     AllowedKeywordsFile=allowed.txt

Create a new file simpledns.txt within C:\DNSREDIR
     Open this file and add just one record on the first line...
192.168.0.2 blocked.inside.example.com
     ...replace "192.168.0.2" with the static IP address you assigned to this system
     ...replace ".inside.example.com" with the DNS suffix of your network

Create a new file allowed.txt within C:\DNSREDIR
     Open this file and add the following lines...
^.*\.msftncsi\.com$
allowed.inside.example.com
     ...replace ".inside.example.com" with the DNS suffix of your network
     This file is where you will add domain names that should never be blocked.

Create a new file blocked.txt within C:\DNSREDIR
     Open this file and put just a . (period) on the first line; this blocks everything.

Run fixNTFS.bat
     This fixes NTFS security on C:\DNSREDIR and files, see FAQ 129.

Run fixFirewall.bat
     This will allow DNS Redirector and IIS connections through Windows firewall, see FAQ 102.

Run dnsrsvc-install.bat
     This will install the service
     Then start the DNS Redirector service


Testing and Implementation

On this DNS Redirector server, verify the blocked website is running by visiting http://192.168.0.2
     Replace "192.168.0.2" with the static IP address you assigned to this system
     With some browsers, you must type the http:// part before the IP address

On a test client (different computer/laptop connected to the same network), verify the blocked website is running by visiting http://192.168.0.2
     Replace "192.168.0.2" with the static IP address you assigned to the DNS Redirector server
     With some browsers, you must type the http:// part before the IP address

On the same test client, under the network adapter properties, under TCP/IP properties,
     select "Use the following DNS server addresses" and put in the static IP address you assigned to the DNS Redirector server.
     Leave the second DNS server field empty

On the same test client, browse the Internet
     When you visit any website you should see the blocked site

You can manually change additional clients to use the DNS Redirector server IP, just as you did for the test client above. However,
     it is recommended that you change your DHCP scope to hand out the DNS Redirector server IP as the default DNS server for every client (including new ones) on the network.
         Your DHCP scope options may be controlled by the firewall/router to the Internet or by a server.
         Specify only the DNS Redirector server IP; remove all others.
         After changing DHCP, all clients will need to be restarted to pick up a new lease with the new DNS server.


General Information

Understand that only domain names can be added to keyword lists, not URLs, see FAQ 79.

You need to add domains to your allowed.txt file; this is discussed further in FAQ 5.
Regex keywords are often better than plain keywords, see FAQ 112.
After saving this file, DNS Redirector loads the changes automatically.
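To make the interaction between simpledns.txt, allowed.txt and blocked.txt (created in the setup steps above) and the keyword-list notes here concrete, the following is an added Python model of the lookup decision. It is not DNS Redirector's own code; it assumes that an entry starting with ^ or ending with $ is a regex keyword, that a plain keyword matches as a substring, that the allowed list takes precedence over the blocked list, and that DNSServerIP is 10.0.0.53.

```python
import re

# Constructed sample file contents, taken from the setup steps above.
SIMPLEDNS_TXT = "192.168.0.2 blocked.inside.example.com\n"
ALLOWED_TXT = "^.*\\.msftncsi\\.com$\nallowed.inside.example.com\n"
BLOCKED_TXT = ".\n"
BLOCKED_IP = "192.168.0.2"    # BlockedIP= in dnsredir.ini (same as ListenOnIP=)
UPSTREAM_DNS = "10.0.0.53"    # DNSServerIP=; assumed internal DNS server address


def parse_simpledns(text):
    """'IP hostname' records -> {hostname: ip}; malformed lines are skipped."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            records[parts[1].lower().rstrip(".")] = parts[0]
    return records


def parse_keywords(text):
    """Assumption for this model: an entry starting with '^' or ending with '$'
    is a regex; any other entry is a plain keyword matched as a substring."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("^") or line.endswith("$"):
            entries.append(re.compile(line, re.IGNORECASE).search)
        else:
            entries.append(lambda name, kw=line.lower(): kw in name)
    return entries


def resolve(qname, simpledns, allowed, blocked):
    """Decide what one A query gets: ('local'|'forward'|'blocked', ip).
    Assumed precedence: simpledns record, then allowed list, then blocked list."""
    name = qname.lower().rstrip(".")
    if name in simpledns:
        return ("local", simpledns[name])
    if any(m(name) for m in allowed):
        return ("forward", UPSTREAM_DNS)
    if any(m(name) for m in blocked):
        return ("blocked", BLOCKED_IP)
    return ("forward", UPSTREAM_DNS)


def load():
    """Parse the three constructed files into the structures resolve() needs."""
    return (parse_simpledns(SIMPLEDNS_TXT), parse_keywords(ALLOWED_TXT),
            parse_keywords(BLOCKED_TXT))
```

With the "." keyword in blocked.txt, every ordinary domain is answered with BlockedIP and lands on the IIS blocked site, while only names on the allowed list (such as the msftncsi.com connectivity check) are forwarded upstream.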

Client devices often maintain a cache of recently blocked or un-blocked sites; how long this persists varies by domain name, but it is usually cleared after the browser is closed. To immediately see the results of a recent blocked or allowed list change, try the following on the client: A) close all browsers, B) flush the DNS cache, or C) reboot the client.


For third-party software that is known to work with or aid in the use of DNS Redirector see FAQ 71.


License

For licensing information, including multi-site use, IT consultants/system integrators, and upgrades, see FAQ 2.

Your concurrent client license should be big enough to support your network, see FAQ 98.

For the complete software license agreement see: dnsredirector.com/license

 
DNS Redirector | Legal Information | 2003-2017