Friday, September 27, 2013

DNS-jailed Network


The goal here is to build a network segment that is locked down to a single service (HTTP) and forced into a specific DNS server environment, so that name resolution for undesirable websites such as Facebook, YouTube, OnLineBootyCall.com, etc. can be filtered out. We leverage the free service from OpenDNS.com to do the filtering and a Cisco IOS router to do the forcing. Net result: a cheap (as in FREE) web filter for the kids. The concept can easily be extended to the spouse, the live-in mother-in-law, etc.


Step 1: Establish an account on OpenDNS.com (free) and register your home network's public IP address in the OpenDNS dashboard; the filtering policy is applied to queries arriving from that address, so if your ISP hands you a dynamic address you will also want their IP-updater client running somewhere. Here you can define the 'Web Content Filtering' level you prefer. At "High", I find it filters out all the undesirable sites plus more that you may want to allow in at an "individual domain" level.

Step 2: Define a DNS view and view-list for the “kids”.

ip dns view kids
 domain name-server 208.67.222.222
 domain name-server 208.67.220.220
ip dns view-list kidslist
 view kids 1

Here, I'm forcing all DNS forwarding in this particular view to a pair of OpenDNS.com resolvers (208.67.222.222 and 208.67.220.220), so every name the kids' segment looks up is answered, and filtered, by OpenDNS according to the level chosen in Step 1. A view on its own does nothing: the view-list must be attached to the VLAN interface where your jailbirds will reside, and the router's DNS server function must be enabled so it will answer the kids' queries at all, as described here.

Step 3: If you're going to use DHCP on this network segment, define a dedicated DHCP pool that hands out the default gateway and DNS server for the segment. Here, I'm using a 192.168.5.x VLAN for the 'kids'. They get the router's address (192.168.5.1) as both the default gateway and the DNS server, which is what lands their queries in the view from Step 2.

ip dhcp pool kids
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.1
 dns-server 192.168.5.1

Step 4: Define an ACL for this segment, applied inbound on the kids' VLAN interface, that permits only DHCP and HTTP and restricts DNS to the router address we handed out in Step 3. Even if the 'kids' reach a level of tech sophistication where they know how to hard-code a different DNS server on their interface, it won't work: UDP/53 to anything other than 192.168.5.1 is dropped (and logged) by the router, not by anything on their machine. Two caveats worth knowing before you deploy it: the ACL only permits TCP/80, so HTTPS-only sites will fail until you add a matching permit for port 443 (the DNS filtering still applies either way), and since HTTP is allowed to any destination, a filter that works on names does not stop a browser pointed directly at an IP address or at a web proxy.

ip access-list extended kids_inACL
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit tcp any any eq www
 permit udp any host 192.168.5.1 eq domain
 deny ip any any log
