Windows Vista Tips

Proxy vs DNS to control internet content

 
 
Help me
01-07-2010
I have a company with multiple sites and they would like to be able to control and
monitor where their staff is going due to National Security issues. They
currently are using 2 different firewall products, which is a problem to maintain
and report against.

My feeling was that if we sent all traffic via company controlled DNS and
proxy servers it would resolve the issue. Are there services which offer
this with user control?

Thank you and happy new year
 
Meinolf Weber [MVP-DS]
01-07-2010
Hello Help,

The only control offered by Microsoft is the ISA server with proxy functionality
where you can configure/monitor based on the user accounts.

With DNS servers you can not really control the access.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Ace Fekay [MVP-DS, MCT]
01-07-2010
Actually, there is a way, using OpenDNS.

OpenDNS | Internet Navigation And Security: OpenDNS makes networks in homes,
schools and businesses safer, faster, smarter and more reliable through Web
content filtering and navigation services.
www.opendns.com/

Also, you can use HOSTS files or an additional zone in your DNS server to
stop these locations, blocking inappropriate sites as well as stopping ad
sites from popping up or that load into the browser. Read the following link
for more info.

Adserver blocking (hosts file or DNS):
http://pgl.yoyo.org/adservers/

However, as for OpenDNS, there are caveats associated with it, because they
have set "shared" rate limits that can affect all institutions using it:
OpenDNS considers all incoming forwarded requests as coming from 'one
entity', therefore if the rate limits are reached as a combined total, you
may get non-resolution or an NXDOMAIN response.

The following quote was from an "open" discussion (no pun intended) last
month between myself, ObiWan (whom I consider a DNS expert) and a few
others, on OpenDNS and its drawbacks regarding its functionality and impact
on Exchange. Maybe one way to get around it on Exchange is to have the SMTP
service use a separate outside DNS instead of the internal DNS, which is
forwarding to OpenDNS. Kind of complicated.

My thoughts are to go with your suggestion, Meinolf, that is to use ISA, or
a third party such as Packeteer, with which you have complete control of internet
sites and traffic, instead of relying on OpenDNS and possibly facing its
shortcomings.

==================================================================
==================================================================
OpenDNS issues

> Check what DNS resolvers you are using: If you are using a free "open
> DNS resolver" service such as Google Public DNS or Level3's public DNS
> servers to resolve your DNSBL requests, in most cases you will receive
> a "not listed" (NXDOMAIN) reply from Spamhaus' public DNSBL servers.
> Please use your own DNS servers when doing DNSBL queries to Spamhaus.


Following response from:
From: "ObiWan [MVP]" <>
References: <FF2DDBE2-5935-4213-9AAB->
<>
<#>
Subject: Re: Exchange 2003, Google DNS, and IMF Connection Filtering RBL Failures
Date: Mon, 28 Dec 2009 11:16:29 +0100

Right, see, those DNSBLs allow free use if you keep *under* a given
query rate, otherwise you'll have to "buy" an account with them so that
your DNS IPs will be able to query the blacklists w/o restrictions (or,
optionally, you may set up your own rbldnsd and keep a local copy of the
BL zones); now... using whatever public resolver means that such
resolvers may issue a whole lot of queries toward the DNSBLs, so the
total traffic from those open resolvers' IPs as seen from the DNSBL
servers' point of view will be above the rate limit, and this in turn
will trigger the rate limiting mechanism, resulting in an NXDOMAIN answer
to any query coming from those resolvers' IP addresses.

The bottom line is that, as long as you have your own DNS server, you
should NOT rely on 3rd party (external) resolvers, using them as
forwarders, but instead set up your DNS to carry on the full resolution
process; and this is *especially* true when it comes to DNS resolvers
serving mailservers.

The rule of thumb with forwarders is that you should use them only under
one of the following conditions:

* You have a slow internet connection (i.e. dialup, ISDN)

* The external DNS which you use as forwarders are under your direct
  control

* You have some special needs which force you to only use forwarders

As a bottom note: if you still want to use forwarders for your DNS, even
if you don't need them, you'd better set up some conditional forwarding
rules on your DNS so that queries directed to the DNSBL you are using
will be sent directly to the DNS servers which are authoritative for
such zones.
==================================================================
==================================================================


And more...
==================================================================
==================================================================
More issues with OpenDNS:

>> In summary, the link indicates the service is free unless (quoted):
>>
>> 1. Your use of the Spamhaus DNSBLs is non-commercial*, and
>> 2. Your email traffic is less than 100,000 SMTP connections per day, and
>> 3. Your DNSBL query volume is less than 300,000 queries per day.

>
> exactly, now, since the spamhaus DNS servers only see the IP of
> the querying box, in case your DNS is using the OpenDNS servers
> as forwarders, the spamhaus DNS will see the IPs of the OpenDNS
> servers since the query "chain" will be
>
> exchange IMF <-> your DNS <-> OpenDNS <-> spamhaus DNS
>
> now, the above means that anyone using the same config will be
> seen by the spamhaus DNS with the SAME IP, so even a bunch
> of low traffic email servers may quickly go above the allowed
> spamhaus query rate (as seen above) and this in turn would
> result in NXDOMAIN answers being returned by the spamhaus
> DNS servers and btw the same (rate limit) issue is also true for
> most/all other DNSBLs not just for spamhaus


No kidding. I didn't think of this scenario. So the rate limit could be
quickly reached and everyone is blaming ODNS for it. Well, it is ODNS's fault,
only because all of the queries are emanating from ODNS.

>
> bottom line, if one has a DNS server, better using it and not
> some external forwarder (set aside the exceptions I listed
> into another post in this same thread) since such a setup
> will avoid a lot of troubles ... and since with such a setup
> YOU will be back in control of YOUR DNS resolution


True, eliminating the single point query scenario of ODNS to the DNSBLs.

Ace
==================================================================
==================================================================

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.
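As an added illustration (not code from any poster in this thread): a DNSBL lookup that, before trusting a "not listed" answer, checks the RFC 5782 test points (127.0.0.2 is always listed, 127.0.0.1 never is) through the same resolver path, so the all-NXDOMAIN failure ObiWan describes is reported as "unknown" instead of being mistaken for a clean sender. The zone name dnsbl.example and the two stand-in resolvers are constructed for the example; in practice the real list zone and the system resolver would be used.

```python
import socket
from typing import Callable, Optional

# A resolver maps a query name to an IPv4 answer, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

def system_resolver(name: str) -> Optional[str]:
    """Resolve via the host's configured DNS, including any forwarders it uses."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def dnsbl_name(ip: str, zone: str) -> str:
    """Build a DNSBL query name: the IPv4 octets reversed, under the list zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone

def resolver_path_ok(zone: str, resolve: Resolver) -> bool:
    """Sanity-check the path to the list with the RFC 5782 test points:
    127.0.0.2 must be listed and 127.0.0.1 must not be. A rate-limited or
    blocked resolver path answers NXDOMAIN for everything, so the 'listed'
    test point disappears as well and the path cannot be trusted."""
    listed = resolve(dnsbl_name("127.0.0.2", zone))
    unlisted = resolve(dnsbl_name("127.0.0.1", zone))
    return listed is not None and unlisted is None

def check_sender(ip: str, zone: str, resolve: Resolver = system_resolver) -> str:
    """Return 'listed', 'not-listed', or 'unknown' when the answer cannot be
    trusted; only 'not-listed' should be treated as a clean sender."""
    if not resolver_path_ok(zone, resolve):
        return "unknown"
    return "listed" if resolve(dnsbl_name(ip, zone)) else "not-listed"

# Constructed stand-ins (no network): a placeholder list zone and two paths.
ZONE = "dnsbl.example"   # placeholder; substitute the real list zone in practice
LISTED = {dnsbl_name("127.0.0.2", ZONE), dnsbl_name("192.0.2.10", ZONE)}

def direct_resolver(name: str) -> Optional[str]:
    """Your own recursive server asking the list's authoritative servers."""
    return "127.0.0.2" if name in LISTED else None

def rate_limited_resolver(name: str) -> Optional[str]:
    """A shared public forwarder that has hit the list's rate limit: NXDOMAIN for all."""
    return None

if __name__ == "__main__":
    for label, path in (("direct", direct_resolver), ("shared forwarder", rate_limited_resolver)):
        print(label, check_sender("192.0.2.10", ZONE, path))
```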


 
Help me
01-10-2010
Ace

This is great information. The company has 25,000 desktops, laptops and
portable devices. They want to be able to control internet usage wherever
the device is, so Microsoft ISA server will not work. A solution similar to
OpenDNS or another DNS company or solution which will filter content is more of
what I need.

HM

Ace Fekay [MVP-DS, MCT]
01-10-2010

For a 25,000 seat infrastructure, I don't recommend OpenDNS nor DNS to do
this. It's just waaay tooo much for what you need. ISA will work in an
enterprise configuration. However, many large infrastructures, such as the
one I worked in with 5000 seats, can also use a third party device, such as
Packeteer or Exinda. It's a one stop solution for all internet control. It's
pretty robust and easy to use.

Packeteer
http://www.bluecoat.com/products/overview

Exinda
http://www.exinda.com/products/default.aspx

Ace




 