

How to block top level domains on DNS server

Question

Friday, November 18, 2016 4:18 PM

Hi, 

I have two DCs that have the DNS server role installed. Both servers are running Windows Server 2008 R2. 

I'm looking for a way to block top level domain DNS queries to our DNS servers by any workstation in our network. Specifically, I want to block .tk and .ml domains as these are commonly used for malicious websites. 

Does anybody know how can I block top level domains on my DNS servers?

Any help is greatly appreciated! Thanks!

All replies (4)

Friday, November 18, 2016 6:02 PM

Hi Eightbitsshort,

If you go to the DNS server and open the DNS console > right-click on the server name > Properties,

you will find a check box called "Use root hints...", and if you go to the Root Hints tab you will find the complete list of the root hints, which you can modify or delete completely.

Just note that by doing this you are breaking reachability between your DNS server and the root hints on the internet in case any external query is not resolved by your ISP at the first attempt.

Is that what you are looking for?

Thanks

Mahmoud

Microsoft CTS



Friday, November 18, 2016 6:53 PM

Thanks for your reply but this is not what I'm looking for.

I want to block access to any domains that end in .tk and .ml for all workstations and devices in my network. Let's say a user types http://whateverdomain.tk in their web browser; their workstation is going to query my DNS server to try to resolve whateverdomain.tk, so I want my DNS server to deny that DNS query, or not try to resolve it for the workstation, which would result in the workstation not being able to access that domain name.


Friday, November 18, 2016 7:01 PM

Hi, I got it now. Actually Microsoft DNS won't achieve this. You need to have a 3rd party DNS that has filtering features, or there is some software that can inject kernel filters to achieve the same. Also, regardless of DNS resolving, there are some proxy solutions that can block it, let's say anything ending with a certain suffix will be dropped. Also, going back to your original request, what is the cause you want to block these domains? Maybe after knowing the reason we can think of an alternative?

Thanks

Mahmoud


Monday, November 21, 2016 5:35 AM

Hi Eightbitsshort,

> Let's say a user types http://whateverdomain.tk in their web browser, their workstation is going to query my DNS server to try to resolve whateverdomain.tk, so I want my DNS server to deny that DNS query or not try to resolve for it for the workstation,

Did you mean that you want to deny DNS queries from a specific workstation or from all workstations?

You could try to deploy DNSSEC to achieve the goal.

Please reference the article below to understand it:

Overview of DNSSEC

https://technet.microsoft.com/en-us/library/jj200221%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396

Best Regards

John

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
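Added example, not part of the thread and not code from any of the posters. Windows Server 2008 R2 DNS has no per-TLD query filter, but the effect the question asks for can be obtained by making the DNS server itself authoritative for an empty `tk` zone and an empty `ml` zone: the server then answers NXDOMAIN for every name under those TLDs instead of recursing to the internet, and every workstation that uses these DCs as resolvers is covered. The script below uses `dnscmd.exe`, which ships with the DNS Server role on 2008 R2; the server name is a placeholder. The trade-off is that legitimate sites in those TLDs also stop resolving, so log the NXDOMAIN responses and keep the list short. On Windows Server 2016 and later the same result is available without taking over the zone, via a DNS query resolution policy (shown in the trailing comment).

```powershell
# Added example (not from the thread): "blackhole" the .tk and .ml TLDs on a
# Windows Server 2008 R2 DNS server by creating empty authoritative zones.
# Run from an elevated PowerShell prompt on one of the DCs with the DNS role.
# ASSUMPTION: $DnsServer is a placeholder name for this lab; the TLD list
# comes from the question.

$DnsServer   = "dc01"
$BlockedTlds = @("tk", "ml")

foreach ($tld in $BlockedTlds) {
    # /DsPrimary stores the zone in Active Directory so it replicates to the
    # second DC automatically. For a file-backed zone on a single server use:
    #   dnscmd $DnsServer /ZoneAdd $tld /Primary /file "$tld.dns"
    & dnscmd $DnsServer /ZoneAdd $tld /DsPrimary
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "dnscmd could not create zone '$tld' on $DnsServer"
    }
}

# Verification: because the zone exists but holds no records, any query for a
# name under it is answered authoritatively with NXDOMAIN ("Non-existent
# domain" in nslookup output) and is never forwarded to the ISP or root hints.
& nslookup "whateverdomain.tk" $DnsServer

# To undo the block for one TLD (e.g. after a false positive):
#   dnscmd $DnsServer /ZoneDelete tk /DsDel /f

# Windows Server 2016 and later: a query resolution policy drops the queries
# without creating zones, and logs them under DNS analytical events.
#   Add-DnsServerQueryResolutionPolicy -Name "BlockAbusedTlds" `
#       -Action IGNORE -FQDN "EQ,*.tk,*.ml" -PassThru
```

Because the zones are AD-integrated, run the script once and both DCs from the question will answer NXDOMAIN for the blocked TLDs; deleting the root hints, as discussed earlier in the thread, does not give this per-TLD behaviour.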