WilliamMS asked GloriaGu-MSFT edited

How to block DNS by categories?

Hello everyone,

I have read through this URL: https://docs.microsoft.com/en-us/powershell/module/dnsserver/add-dnsserverqueryresolutionpolicy?view=win10-ps for a DNS PowerShell script to block and filter queries from users.

But I couldn't find my answer anyway,

My local DNS scenarios:

  • I created a local DNS server on Server 2016

  • All domain users have been using that DNS as primary

Now I want:

  • I want to block all users from accessing websites by categories like Social Media, Job Portal

  • I want to allow only the HR computer IP address to be able to access the HR portal

  • I want to allow only the Marketing computer IP address to be able to access Facebook


Please, could anyone help me out or offer some suggestions? Thank you in advance.



windows-dhcp-dns

You need to step back and think about what you're doing. You're describing a fascist workplace, in which there is a huge wall between management and employees, where management does not trust the employees to behave in an ethical manner. That is not a recipe for a happy workforce or a successful company.

0 Votes 0 ·
DSPatrick answered

There are no Windows processes to do this natively. Your local DNS server has no knowledge of public DNS and/or categories like Social Media, Job Portal. You may need to look for a third-party product to accomplish your task.


--please don't forget to Accept as answer if the reply is helpful--




GloriaGu-MSFT answered GloriaGu-MSFT edited

@WilliamMS Hi,

Thank you for posting in Q&A!

According to my research, it seems this can be achieved by configuring DNS policy based on your requirements.

DNS Policies are a new feature in Windows Server 2016 that allow administrators to determine how DNS servers respond to client queries, based on several factors, including the client’s location, the time of day, transport protocol, etc. Currently, DNS Policies can only be configured via PowerShell.

For more details about how to configure DNS policy, please refer to:
https://petri.com/windows-server-2016-apply-filters-dns-queries
http://innovativeii.com/windows-server-2016-dns-policies/
https://docs.microsoft.com/en-us/windows-server/networking/dns/deploy/dns-policies-overview


Hope you have a nice day!
Gloria

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
https://docs.microsoft.com/en-us/answers/articles/67444/email-notifications.html



@GloriaGu-MSFT Thanks, but I have also researched and read the official MS documentation already, and it was no help with my scenario at all.

@Microsoft Hope Microsoft will create server services that are more flexible for modern needs, and faster, in the future.

Thanks for any ideas.

0 Votes 0 ·

@WilliamMS Hi,

According to the first link I provided,

"I want to block all users from accessing website by categories like Social Media, Job Portal"

can be achieved by creating a policy that blocks queries for Social Media websites from clients located in the specific subnet, please try.

So far, Microsoft Server hasn't developed such flexible functions. But we have already fed back your suggestions to Microsoft, and the technical team will work on it to meet your satisfaction.

0 Votes 0 ·

Hi,
Just want to confirm the current situation. Please feel free to let us know if you need further assistance.

0 Votes 0 ·

"can be achieved by creating a policy that blocks queries for Social Media websites from clients located in the specific subnet, please try."

If I block by subnet, it will block all PCs in the /24, but among those PCs are marketing PCs that need to access Facebook or YouTube, so I couldn't achieve my goal.

For now I still need to block sites with the Mikrotik firewall instead.

Maybe MS Server will have a flexible DNS solution that can block sites by category and also by IP ACL.



0 Votes 0 ·
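
The client-subnet DNS policy discussed in this thread, written out as an added example (not code from any poster or from the linked articles). It goes one step beyond the thread by defining client "subnets" as single /32 hosts so that exceptions need not cover a whole /24; all group names, addresses and domain lists are constructed placeholders.

```powershell
# Run elevated on the Windows Server 2016+ DNS server.
# All names, addresses and domains below are constructed placeholders.
Import-Module DnsServer

# Client subnets may be single hosts (/32), so the exempt machines can sit
# inside the same /24 as the machines that stay blocked.
$clientGroups = @{
    'MarketingPCs' = @('192.0.2.21/32', '192.0.2.22/32')
    'HRPCs'        = @('192.0.2.31/32')
}

# Windows DNS has no category feed: each "category" here is a hand-maintained
# list of FQDN patterns, paired with the client group exempt from the block.
$rules = @(
    @{ Name   = 'Block-SocialMedia'
       Exempt = 'MarketingPCs'
       Fqdn   = @('facebook.com', '*.facebook.com', 'youtube.com', '*.youtube.com') }
    @{ Name   = 'Block-HRPortal'
       Exempt = 'HRPCs'
       Fqdn   = @('hrportal.example.com') }
)

# Create the client groups (skipped if they already exist).
foreach ($group in $clientGroups.GetEnumerator()) {
    if (-not (Get-DnsServerClientSubnet -Name $group.Key -ErrorAction SilentlyContinue)) {
        Add-DnsServerClientSubnet -Name $group.Key -IPv4Subnet $group.Value
    }
}

# One policy per category: refuse the query when the name matches the list
# AND the client is NOT in the exempt group.
foreach ($rule in $rules) {
    if (Get-DnsServerQueryResolutionPolicy -Name $rule.Name -ErrorAction SilentlyContinue) {
        continue
    }
    Add-DnsServerQueryResolutionPolicy -Name $rule.Name -Action DENY -Condition AND `
        -FQDN ('EQ,' + ($rule.Fqdn -join ',')) `
        -ClientSubnet ('NE,' + $rule.Exempt)
}

# Review what is now in force and in which order it is evaluated.
Get-DnsServerQueryResolutionPolicy |
    Format-Table Name, ProcessingOrder, Action, IsEnabled
```

These policies only affect clients that actually resolve through this server, and the exempt machines need fixed or reserved addresses for the /32 entries to keep matching.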