

Implementation Considerations

Use a standard LAN with a hardware firewall as the default gateway...
See the Network Examples. Notice that proxy/SOCKS, ISA, or ICS is not compatible.

When used for a public HotSpot...
The guest LAN should be completely isolated from any internal/office LAN as shown in Network Examples 06, 09, 10.
You should mitigate problems as discussed in FAQ 34, FAQ 39, FAQ 113, FAQ 126.

When used for content filtering...
A dedicated server is not required; installation on your existing domain controller(s), small business server, or home server is adequate.

DNS Redirector will try to bind DNS service to all IPs assigned to the server...
If Microsoft's DNS service (found on some Windows Servers or Active Directory domain controllers) is installed see FAQ 91.
If another DNS server or something using the same ports is installed see FAQ 4.

You will need to change DHCP scope properties (option 6, DNS server)...
The IP address used by DNS Redirector needs to be the only one handed out as the DNS server.
If running multiple instances of DNS Redirector (only for content filtering, see FAQ 28) then add the IP of every DNS Redirector server.

No NAT and no DNS separation...
The DNS Redirector server and all clients cannot be separated by a NAT device, see FAQ 37, FAQ 142.
Every client should use the IP of the DNS Redirector server as their default DNS server (usually provided via DHCP); another DNS server cannot exist in between.


For third-party software that is known to work with or aid in the use of DNS Redirector see FAQ 71.


Installation

Download the software from http://dnsredirector.com/download and run the file

     -- This software will run as a demo (all features and capabilities) for 25 days --

     If you are upgrading see FAQ 103.


Configure C:\DNSREDIR\dnsredir.ini (see INI Settings section below)

Set up IIS or other web server software (see Hosted Pages section below)

Verify firewall exceptions have been defined, see FAQ 102.

Verify the working directory has adequate permissions, see FAQ 129.

For Captive Portal, whitelist domains you may need, see FAQ 121, FAQ 159.

For Internet filtering, whitelist domains you may need, see FAQ 112.

For Internet filtering, blacklist any domains you don't need, see FAQ 52, FAQ 106.

Start the DNS Redirector service

Change your DHCP scope to hand out the DNS Redirector server IP as the only DNS server.
     (DHCP option 6, DNS server) This should be the same IP you specified for ListenOnIP= in dnsredir.ini


INI Settings

Default values are in green
Example values are in blue

All files referenced in the .ini are assumed to be in the C:\DNSREDIR working directory.
All IP address fields will also accept an IPv6 address.

Logging=Normal
  Sets the log file detail. A new log file is created each day within the DailyLogs folder, the filename is the date.

Optimize=Speed
  Sets the string matching algorithm used on keyword lists.
Valid options are:
Speed - this is fastest and recommended for large networks
Memory - this will use less memory (ideal for machines with low resources serving smaller networks)

DNSCase=Insensitive
  Sets the case sensitivity used on keyword lists.
Valid options are:
Insensitive - this is recommended for everyone
Sensitive - for special use/high-security networks

ListenOnIP=192.168.0.2, 192.168.0.3
  Specify the static IP address(es) of this DNS Redirector server (recommended), see FAQ 4, FAQ 91.
Or leave blank to bind on all system IPs (including the IPv4 loopback address 127.0.0.1)

SimpleDNS=simpledns.txt
  File containing DNS A records that you want to resolve locally.

DNSServerIP=8.8.4.4, 8.8.8.8
  Specify the IP of a real DNS server.

RedirectIP=192.168.0.3
  Initially redirect clients to this IP, where your welcome page is hosted.

AuthKeywordsFile=authorized.txt
  File containing keywords of domain names that, once resolved, authorize the client to surf past the welcome page.

AlwaysKeywordsFile=always.txt
  File containing keywords of domain names that clients are always allowed to visit, even if they have not been authorized.

AuthClientsFile=authclients.txt
  File containing IPs of local network clients that are always allowed to surf, even if they have not been authorized.

BlockedIP=192.168.0.2
  Domain names matched in the BlockedKeywordsFile= below will resolve to this IP, where your blocked page is hosted.

BlockResponse=Lookup
  Valid options are:
Lookup - resolves to the BlockedIP only if the domain name is real (does a lookup at the DNSServerIP= first)
Fast - resolves to the BlockedIP even if the domain name does not exist

BlockedKeywordsFile=blocked.txt
  File containing keywords of domain names that clients cannot visit.

AllowedKeywordsFile=allowed.txt
  File containing keywords of domain names that clients are allowed to visit.

BypassBlockFile=bypassblock.txt
  File containing keywords of domain names that, once resolved, allow the client to view blocked content.

NXDForceFile=nxdforce.txt
  File containing IPs that, when found in any DNS reply, will be replaced with an NXDomain response instead.
This is useful to undo NXDomain hijacking (as some ISPs like to do) and for additional protection against badware, malware, scumware.

ResetClientFile=resetclient.txt
  File containing keywords of domain names that, once resolved, cause DNS Redirector to forget the client.  This removes the client from the online clients list, de-authorizes the client, re-enables the block, and executes the LeaveAction if set.

ActionNumber=0
  Perform the JoinAction specified below; 1 means every time, 2 means for every 2nd client who joins, 3 for every 3rd client who joins, etc.
If actions are not going to be used leave this set to 0.

JoinType=Online
  Valid options are:
Online - executes JoinAction for any client that starts resolving through DNS Redirector
Auth - executes JoinAction only when a client becomes authorized
Both - executes JoinAction when a new client starts resolving through DNS Redirector, and again when that client becomes authorized
Only clients who authorize themselves trigger the action; clients specified in the AuthClientsFile= or clients manually marked as Authorized in the GUI will not trigger the JoinAction.

JoinAction=
  File you want to launch or execute when a client joins the network. This could be a .exe, .wav, .bat or other script. If a join action is not desired then leave this blank.  The client's IP is passed as a variable after the command for use with a third-party script or application, see FAQ 62.  Specify the full path to the file, for example C:\DNSREDIR\join.bat

LeaveAction=
  File you want to launch or execute when a client leaves the network, used only when ActionNumber=1.  This could be a .exe, .wav, .bat or other script. If a leave action is not desired then leave this blank.  The client's IP is passed as a variable after the command for use with a third-party script or application.  Specify the full path to the file, for example C:\DNSREDIR\leave.bat

ClientTimeout=20
  Interval in minutes before an active client is considered gone or left the network, based on the last DNS query received.  This removes the client from the online clients list; depending on the features enabled it de-authorizes the client, re-enables the block, and executes the LeaveAction if set.

The following INI settings are deprecated in v7.2.x.x
GetClientName=
MinToTray=
CloseToTray=
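
A small pre-start lint for dnsredir.ini that checks the constraints stated in the setting descriptions above. This is an added example, not part of DNS Redirector; the flat key=value file layout, the function names and the sample file contents are assumptions constructed for illustration.

```python
import ipaddress
from pathlib import PureWindowsPath

IP_KEYS = ("ListenOnIP", "DNSServerIP", "RedirectIP", "BlockedIP")
DEPRECATED = ("GetClientName", "MinToTray", "CloseToTray")

def parse_ini(text):
    """Collect key=value pairs; one setting per line is an assumed layout."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key and not key.startswith((";", "#", "[")):
            settings[key.strip()] = value.strip()
    return settings

def lint(text):
    s, findings = parse_ini(text), []
    for key in IP_KEYS:  # these fields take comma-separated IPv4 or IPv6 addresses
        for item in filter(None, (p.strip() for p in s.get(key, "").split(","))):
            try:
                ipaddress.ip_address(item)
            except ValueError:
                findings.append(f"{key}: '{item}' is not a valid IP address")
    if not s.get("ListenOnIP"):
        findings.append("ListenOnIP: blank, binds on all system IPs incl. 127.0.0.1")
    for key in ("JoinAction", "LeaveAction"):  # the readme asks for the full path
        path = s.get(key, "")
        if path and not PureWindowsPath(path).is_absolute():
            findings.append(f"{key}: '{path}' is not a full path")
    number = s.get("ActionNumber", "0")
    if s.get("JoinAction") and number == "0":
        findings.append("JoinAction: set, but ActionNumber=0 means actions are unused")
    if s.get("LeaveAction") and number != "1":
        findings.append("LeaveAction: only used when ActionNumber=1")
    findings += [f"{k}: deprecated in v7.2.x.x" for k in DEPRECATED if k in s]
    return findings

# Constructed sample with deliberate mistakes (not a real deployment).
SAMPLE = r"""ListenOnIP=
DNSServerIP=8.8.4.4, 8.8.8.8
RedirectIP=192.168.0.3
BlockedIP=192.168.0.256
ActionNumber=3
JoinAction=C:\DNSREDIR\join.bat
LeaveAction=leave.bat
MinToTray=
"""
if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```
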


Hosted Pages

Using IIS on the same server as DNS Redirector to host the welcome and/or blocked pages is suggested.  Optionally, you can declare the IP of another web server that is internal or external to the DNS Redirector network.  IIS on a non-server OS has restrictions; such a configuration is not supported or recommended.  Using SimpleHTTP or Apache HTTP Server may be appropriate in some cases.

Depending on the features enabled in DNS Redirector you may need multiple sites, each requiring its own IP address.  Add multiple IP addresses to the same NIC under the Advanced button in TCP/IP properties.

verify that "ASP" and "Server Side Includes" are installed with IIS  (see screenshot for IIS7 or IIS8)

If RedirectIP=192.168.0.3 complete the following steps...
create a folder for the site root, such as C:\Inetpub\welcome
   in IIS Manager create a site:  (see details for IIS7)
running at 192.168.0.3 | port 80 | no Host header | path set as the folder created above
   for IIS6: leave checked "Allow anonymous access to this Web site" | leave checked "Read" | check "Run scripts (such as ASP)"
extract a sample welcome page to the folder created above

If BlockedIP=192.168.0.2 complete the following steps...
create a folder for the site root, such as C:\Inetpub\blocked
   in IIS Manager create a site:  (see details for IIS7)
running at 192.168.0.2 | port 80 | no Host header | path set as the folder created above
extract a sample blocked page to the folder created above
download: REG-UrlSegmentMaxLength.zip then open the .reg file
     this is necessary so certain blocked content is replaced correctly, see FAQ 169

for every site created above...

add the HTTP Header: "Cache-Control: no-store, no-cache, post-check=0, pre-check=0"  (see screenshot for IIS6 or IIS7)
     META tags which prevent caching (as included in our example pages) are required in addition to this HTTP Header (see rfc2616-sec14.9 and msdn)

on IIS6 when ASP.NET is installed ensure the version is set to 2.x or later  (see screenshot)

on IIS7 under Error Pages, Edit Feature Settings, set "Custom error pages"  (see screenshot)

Enable Parent Paths  (see screenshot for IIS6 or IIS7)

check NTFS permissions on the root folder  (see screenshot for IIS6 or IIS7)
     (see kb812614 / kb981949)

verify the site is running, type: http://[IP from above] in a browser on this server and on a client computer


License

For licensing information, including multi-site use, IT consultants/system integrators, and upgrades, see FAQ 2.

Your concurrent client license should be big enough to support your network, see FAQ 98.

For the complete software license agreement see: dnsredirector.com/license

 
DNS Redirector | Legal Information | 2003-2017