

Implementation Considerations

Use a standard LAN with a hardware firewall as the default gateway...
See the Network Examples. Note that proxy/SOCKS, ISA, and ICS are not compatible.

When used for a public HotSpot...
The guest LAN should be completely isolated from any internal/office LAN as shown in Network Examples 06, 09, 10.
You should mitigate problems as discussed in FAQ 34, FAQ 39, FAQ 113, FAQ 126.

When used for content filtering...
A dedicated server is not required; installation on your existing domain controller(s), small business server, or home server is adequate.

DNS Redirector will try to bind the DNS service to all IPs assigned to the server...
If Microsoft's DNS service (found on some Windows Servers or Active Directory domain controllers) is installed see FAQ 91.
If another DNS server or something using the same ports is installed see FAQ 4.

You will need to change DHCP scope properties (option 6, DNS server)...
The IP address used by DNS Redirector needs to be the only one handed out as the DNS server.
If running multiple instances of DNS Redirector (only for content filtering, see FAQ 28) then add the IP of every DNS Redirector server.

No NAT and no DNS separation...
The DNS Redirector server and all clients cannot be separated by a NAT device, see FAQ 37, FAQ 142.
Every client should use the IP of the DNS Redirector server as their default DNS server (usually provided via DHCP), another DNS server cannot exist in-between.


For third-party software that is known to work with or aid in the use of DNS Redirector see FAQ 71.


Installation

Download the software from http://dnsredirector.com/download and run the file

     -- This software will run as a demo (all features and capabilities) for 25 days --

     If you are upgrading see FAQ 103.


Configure C:\DNSREDIR\dnsredir.ini (see INI Settings section below)

Setup IIS or other web server software (see Hosted Pages section below)

Verify firewall exceptions have been defined, see FAQ 102.

Verify the working directory has adequate permissions, see FAQ 129.

For Captive Portal, whitelist domains you may need, see FAQ 121, FAQ 159.

For Internet filtering, whitelist domains you may need, see FAQ 112.

For Internet filtering, blacklist any domains you don't need, see FAQ 52, FAQ 106.

Start the DNS Redirector service

Change your DHCP scope to hand out the DNS Redirector server IP as the only DNS server.
     (DHCP option 6, DNS server.) This should be the same IP you specified for ListenOnIP= in dnsredir.ini.


INI Settings

Each setting below is shown with either its default value or an example value.

All files referenced in the .ini are assumed to be in the C:\DNSREDIR working directory.
All IP address fields will also accept an IPv6 address.

Logging=Normal
  Sets the log file detail. A new log file is created each day within the DailyLogs folder; the filename is the date.
Valid options are:
Off - No log is created (this is fastest and recommended for large networks)
Normal - Only queries modified/answered by DNS Redirector are logged
Full - Every query, response, and function is logged (useful for diagnostic/troubleshooting, use sparingly as log files become large quickly)

Optimize=Speed
  Sets the string matching algorithm used on keyword lists.
Valid options are:
Speed - this is fastest and recommended for large networks
Memory - this will use less memory (ideal for machines with low resources serving smaller networks)

DNSCase=Insensitive
  Sets the case sensitivity used on keyword lists.
Valid options are:
Insensitive - this is recommended for everyone
Sensitive - for special use/high-security networks

ListenOnIP=192.168.0.2, 192.168.0.3
  Specify the static IP address(es) of this DNS Redirector server (recommended), see FAQ 4, FAQ 91.
Or leave blank to bind on all system IPs (including the IPv4 loopback address 127.0.0.1)

SimpleDNS=simpledns.txt
  File containing DNS A records that you want to resolve locally.
Each line of the file must use the following format:
IP address[tab]Fully qualified domain name
As shown in this example:
192.168.0.1[tab]router.example.com
192.168.0.2[tab]blocked.example.com
192.168.0.3[tab]welcome.example.com
  Or as a catch-all:
192.168.0.8[tab]*
  When using an asterisk, all domain names will resolve to a single IP, whether or not they are real domain names.  This method does not require a real DNS server to be specified under DNSServerIP= but disables all RedirectIP= and BlockedIP= functions.  This method is for specific scenarios where a real DNS server is not available (no Internet connection) and/or you need to make only a few internal sites available.  Use the same steps as if you were setting up a RedirectIP= site at this IP, see the Hosted Pages section.
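The following is an added example (not DNS Redirector's own code) that parses a SimpleDNS= file in the format above and answers a query the way the section describes: exact record first, then the catch-all asterisk, otherwise the query would be forwarded. The sample file contents are constructed; the DNSCase= option is modelled by the case_sensitive flag.

```python
import ipaddress
from typing import Dict, Optional

# Constructed sample file contents; "[tab]" in the documentation is a literal tab.
SIMPLEDNS_SAMPLE = (
    "192.168.0.1\trouter.example.com\n"
    "192.168.0.2\tblocked.example.com\n"
    "192.168.0.3\twelcome.example.com\n"
)
CATCHALL_SAMPLE = "192.168.0.8\t*\n"


def parse_simpledns(text: str, case_sensitive: bool = False) -> Dict[str, str]:
    """Return {fqdn: ip}. The key '*' holds the catch-all IP, if present.
    Blank lines are skipped; a line without a tab or with a bad IP is an error,
    so a typo in the file is caught before the service would serve it."""
    records: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split("\t", 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected IP[tab]FQDN, got {raw!r}")
        ip, name = parts[0].strip(), parts[1].strip().rstrip(".")
        ipaddress.ip_address(ip)            # accepts IPv4 or IPv6, raises if invalid
        if name != "*" and not case_sensitive:
            name = name.lower()             # DNSCase=Insensitive
        records[name] = ip
    return records


def resolve_local(records: Dict[str, str], qname: str,
                  case_sensitive: bool = False) -> Optional[str]:
    """Answer from SimpleDNS records. None means no local record matched and
    the query would be forwarded to DNSServerIP=."""
    name = qname.rstrip(".")
    if not case_sensitive:
        name = name.lower()
    if name in records:
        return records[name]
    return records.get("*")                 # catch-all answers every name, real or not
```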

DNSServerIP=8.8.4.4, 8.8.8.8
  Specify the IP of a real DNS server.
This is the DNS server that all normal queries are forwarded onto.  On a corporate network you will usually declare the IP of your internal DNS or Active Directory integrated DNS server, otherwise declare the DNS server provided by your upstream Internet provider.  This setting is always required, unless using SimpleDNS= with a catch-all asterisk record. 

RedirectIP=192.168.0.3
  Initially redirect clients to this IP, where your welcome page is hosted.
When specified, the first time a client tries to browse the Internet they will be shown the website hosted at this IP address instead.  When specifying RedirectIP= then AuthKeywordsFile= is also required.  If initial redirection is not going to be used leave both settings blank.  See the Hosted Pages section for setting up a page at this IP address.  This must be an IP address, not a URL; for information on redirecting to an existing website or URL see FAQ 30.

AuthKeywordsFile=authorized.txt
  File containing keywords of domain names that, once resolved, authorize the client to surf past the welcome page.
The file needs to include one or several complex/unique domain names to be treated as the "key" that allows users to browse past the RedirectIP= page.  These do not have to be actual domain names registered on the Internet, you can make them up.  Use SimpleDNS= so a made-up domain name resolves to an IP.  When a client does a DNS lookup for a matching domain name the client will be marked as Authorized.
  The system should work like this...  (adapt it to your needs; payment page, password, registration, etc.)
A) user joins the network, B) user gets DHCP lease including DNS Redirector as the DNS server, C) user starts browser and sees your terms and conditions page, D) user clicks a link to accept the agreement, E) user gets forwarded to another page that says "Welcome to the Internet" and includes a clear image referenced at http://surfon.dnsredirctrl.com/clear.gif, F) the browser does a DNS lookup for surfon.dnsredirctrl.com, G) DNS Redirector finds that surfon.dnsredirctrl.com matches the domain name specified in the AuthKeywordsFile, H) user can now browse the Internet freely.

AlwaysKeywordsFile=always.txt
  File containing keywords of domain names that clients are always allowed to visit, even if they have not been authorized.
In a paid HotSpot scenario you would add the domain name(s) of your payment processor to this file so users can visit the site in order to pay for access and then become authorized.  See FAQ 159.  Leave this setting blank if you are not going to use it. 

AuthClientsFile=authclients.txt
  File containing IPs of local network clients that are always allowed to surf, even if they have not been authorized.
Useful for static-IP machines on the same LAN as the hotspot that shouldn't have to pay or become authorized to surf; such as a kiosk, the IT manager, back office, or receptionist's computer.  Leave this setting blank if you are not going to use it.  Note: This function is for special circumstances only; in most cases the public/hotspot network should be completely separate from the internal/office network as shown in Network Examples.

BlockedIP=192.168.0.2
  Domain names matched in the BlockedKeywordsFile= below will resolve to this IP, where your blocked page is hosted.
If content filtering is not going to be used leave this setting blank.  This must be an IP address, not a URL.  When specifying BlockedIP= then BlockedKeywordsFile= is also required.  See the Hosted Pages section for setting up a page at this IP address. 

BlockResponse=Lookup
  Valid options are:
Lookup - resolves to the BlockedIP only if the domain name is real (does a lookup at the DNSServerIP= first)
Fast - resolves to the BlockedIP even if the domain name does not exist

BlockedKeywordsFile=blocked.txt
  File containing keywords of domain names that clients cannot visit.
To automate the updating of keywords see FAQ 52.  To block everything see FAQ 5.  If blocking is not going to be used leave this setting blank.  When specifying BlockedKeywordsFile= you must also specify BlockedIP= and host a website at that IP or web surfing will be slow. 

AllowedKeywordsFile=allowed.txt
  File containing keywords of domain names that clients are allowed to visit.
Sometimes good blocking keywords can prevent clients from reaching legitimate content, this list corrects that.  See FAQ 112.  If blocking is not going to be used leave this setting blank. 

BypassBlockFile=bypassblock.txt
  File containing keywords of domain names that, once resolved, allow the client to view blocked content.
The file needs to include one or several complex/unique domain names to be treated as the "key" that allows users to browse past the BlockedIP= page.  These do not have to be actual domain names registered on the Internet, you can make them up.  Use SimpleDNS= so a made-up domain name resolves to an IP.  Note that after blocking is off you will need to close and reopen any browser windows; this is necessary to clear the browser's DNS cache for websites visited prior, otherwise those sites may still be blocked.  Restarting DNS Redirector will turn blocking back on for all clients.  By implementing ResetClientFile= you can turn blocking back on per-client.  Note that a client who visits a BypassBlockFile= domain name before an AuthKeywordsFile= domain name will be able to browse freely, but will not be authorized.  If blocking is not going to be used leave this setting blank.

NXDForceFile=nxdforce.txt
  File containing IPs that, when found in any DNS reply, will be replaced with an NXDomain response instead.
This is useful to undo NXDomain hijacking (as some ISPs like to do) and for additional protection against badware, malware, scumware.

ResetClientFile=resetclient.txt
  File containing keywords of domain names that, once resolved, cause DNS Redirector to forget the client.  This removes the client from the online clients list; de-authorizes the client, re-enables the block, and executes the LeaveAction if set.
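To show how the keyword files from AuthKeywordsFile= through ResetClientFile= interact per client, here is an added example (this example's own simplified model, not DNS Redirector's code). The keyword lists are constructed stand-ins for the files, matching is the DNSCase=Insensitive substring test, and the order in which the checks are applied is this example's assumption rather than documented product behaviour.

```python
from dataclasses import dataclass, field

# Constructed keyword lists standing in for the files named in the settings.
REDIRECT_IP, BLOCKED_IP = "192.168.0.3", "192.168.0.2"
AUTH_KEYWORDS = ["surfon.dnsredirctrl.com"]     # AuthKeywordsFile=
ALWAYS_KEYWORDS = ["pay.example.net"]           # AlwaysKeywordsFile= (payment site)
AUTH_CLIENTS = {"192.168.0.50"}                 # AuthClientsFile= (e.g. a kiosk)
BLOCKED_KEYWORDS = ["casino", "sex"]            # BlockedKeywordsFile=
ALLOWED_KEYWORDS = ["sussex.ac.uk"]             # AllowedKeywordsFile= rescues "sex"
BYPASS_KEYWORDS = ["unblock.dnsredirctrl.com"]  # BypassBlockFile=
RESET_KEYWORDS = ["logout.dnsredirctrl.com"]    # ResetClientFile=
FORWARD = "forward to DNSServerIP="


def matches(qname: str, keywords: list) -> bool:
    """DNSCase=Insensitive keyword test: substring match on the lowercased name."""
    q = qname.lower().rstrip(".")
    return any(k.lower() in q for k in keywords)


@dataclass
class Clients:
    authorized: set = field(default_factory=set)   # resolved an AuthKeywordsFile= name
    bypass: set = field(default_factory=set)       # resolved a BypassBlockFile= name


def answer(clients: Clients, ip: str, qname: str) -> str:
    """Decide what one query from client `ip` for `qname` receives.
    Check order is an assumption of this example, not product behaviour."""
    if matches(qname, RESET_KEYWORDS):             # forget the client entirely
        clients.authorized.discard(ip)
        clients.bypass.discard(ip)
        return FORWARD
    if matches(qname, AUTH_KEYWORDS):              # the clear.gif "key" lookup
        clients.authorized.add(ip)
        return FORWARD
    if matches(qname, BYPASS_KEYWORDS):
        clients.bypass.add(ip)
        return FORWARD
    if ip in clients.bypass:                       # browses freely but is not authorized
        return FORWARD
    if matches(qname, BLOCKED_KEYWORDS) and not matches(qname, ALLOWED_KEYWORDS):
        return BLOCKED_IP                          # blocked page, AllowedKeywordsFile= wins
    if ip in AUTH_CLIENTS or ip in clients.authorized or matches(qname, ALWAYS_KEYWORDS):
        return FORWARD
    return REDIRECT_IP                             # welcome page until authorized
```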

ActionNumber=0
  Perform the JoinAction specified below; 1 means every time, 2 means for every 2nd client who joins, 3 for every 3rd client who joins, etc.
If actions are not going to be used leave this set to 0.

JoinType=Online
  Valid options are:
Online - executes JoinAction for any client that starts resolving through DNS Redirector
Auth - executes JoinAction only when a client becomes authorized
Both - executes JoinAction when a new client starts resolving through DNS Redirector, and again when that client becomes authorized
Only clients who authorize themselves trigger the action; clients specified in the AuthClientsFile= or clients manually marked as Authorized in the GUI will not trigger the JoinAction.
 
JoinAction=
  File you want to launch or execute when a client joins the network. This could be a .exe, .wav, .bat or other script. If a join action is not desired then leave this blank.  The client's IP is passed as a variable after the command for use with a third-party script or application, see FAQ 62.  Specify the full path to the file, for example C:\DNSREDIR\join.bat

LeaveAction=
  File you want to launch or execute when a client leaves the network, used only when ActionNumber=1.  This could be a .exe, .wav, .bat or other script. If a leave action is not desired then leave this blank.  The client's IP is passed as a variable after the command for use with a third-party script or application.  Specify the full path to the file, for example C:\DNSREDIR\leave.bat

ClientTimeout=20
  Interval in minutes before an active client is considered gone or left the network, based on the last DNS query received.  This removes the client from the online clients list; depending on the features enabled it de-authorizes the client, re-enables the block, and executes the LeaveAction if set.

The following INI settings are deprecated in v7.2.x.x
GetClientName=
MinToTray=
CloseToTray=


Hosted Pages

Using IIS on the same server as DNS Redirector to host the welcome and/or blocked pages is suggested.  Optionally, you can declare the IP of another web server that is internal or external to the DNS Redirector network.  IIS on a non-server OS has restrictions, such configuration is not supported or recommended.  Using SimpleHTTP or Apache HTTP Server may be appropriate in some cases.

Depending on the features enabled in DNS Redirector you may need multiple sites, each requiring its own IP address.  Add multiple IP addresses to the same NIC under the Advanced button in TCP/IP properties.

verify that "ASP" and "Server Side Includes" are installed with IIS  (see screenshot for IIS7 or IIS8)

If RedirectIP=192.168.0.3 complete the following steps...
create a folder for the site root, such as C:\Inetpub\welcome
   in IIS Manager create a site:  (see details for IIS7)
running at 192.168.0.3 | port 80 | no Host header | path set as the folder created above
   for IIS6: leave checked "Allow anonymous access to this Web site" | leave checked "Read" | check "Run scripts (such as ASP)"
extract a sample welcome page to the folder created above

If BlockedIP=192.168.0.2 complete the following steps...
create a folder for the site root, such as C:\Inetpub\blocked
   in IIS Manager create a site:  (see details for IIS7)
running at 192.168.0.2 | port 80 | no Host header | path set as the folder created above
extract a sample blocked page to the folder created above
download: REG-UrlSegmentMaxLength.zip then open the .reg file
     this is necessary so certain blocked content is replaced correctly, or follow these manual instructions:
     open regedit and navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
     edit or create DWORD "UrlSegmentMaxLength" and set to "450"  (see kb820129)

for every site created above...

add the HTTP Header: "Cache-Control: no-store, no-cache, post-check=0, pre-check=0"  (see screenshot for IIS6 or IIS7)
     META tags that prevent caching (as included in our example pages) are required in addition to this HTTP Header (see rfc2616-sec14.9 and msdn)

on IIS6 when ASP.NET is installed ensure the version is set to 2.x or later  (see screenshot)

on IIS7 under Error Pages, Edit Feature Settings, set "Custom error pages"  (see screenshot)

Enable Parent Paths  (see screenshot for IIS6 or IIS7)

check NTFS permissions on the root folder  (see screenshot for IIS6 or IIS7)
     (see kb812614 / kb981949)

verify the site is running, type: http://[IP from above] in a browser on this server and on a client computer


License

For licensing information, including multi-site use, IT consultants/system integrators, and upgrades, see FAQ 2.

Your concurrent client license should be big enough to support your network, see FAQ 98.

For the complete software license agreement see: dnsredirector.com/license

 
DNS Redirector | Legal Information | 2003-2017