
I have a Windows-based, walk-up workstation which I would like to restrict to one specific domain. It is on its own wireless network.

Essentially, I would like to resolve DNS resolution calls to this one specific domain and block all others. I would also like to block those resolution calls from getting past the wireless AP to the firewall router where DNS calls are handled.

I am not looking for an uber-secure solution. The goal is to prevent casual users from browsing to sites inappropriate for the setting. I could install a full-on web filter or DNS filter application but that seems overkill for what I am trying to accomplish.

My AP is running DNSmasq and that looks like it might have promise but I wanted to run this past the experts before spending time learning DNSmasq.

Thoughts?

Not a machine

2 Answers


How many records in the domain need to be resolved? If only a few you could add them to the hosts file on this computer and remove the DNS servers in the TCP/IP properties.

All DNS queries would fail except for those in the hosts file.

joeqwerty
  • Hmmm...less than a dozen. I have done that on unix and changed resolv.conf. It did not occur to me that we could do that on Windows. Would Windows route DNS calls to the gateway? – Not a machine Sep 13 '19 at 17:14
  • If the client has no DNS servers configured in its TCP/IP settings then it will only resolve names that exist in the hosts file. DNS queries won't be routed to the gateway because the client will have no DNS server configured for it to use... so it will not issue any DNS queries. – joeqwerty Sep 13 '19 at 17:19
  • Currently it is using the DNS settings from the DHCP lease but I can easily change that to a static IP address. – Not a machine Sep 13 '19 at 17:19
  • I will give this a shot and report back. Much obliged! – Not a machine Sep 13 '19 at 17:26
  • I had to add 6 entries to the hosts file including a few edge points. But, it is working perfectly. Thanks again! – Not a machine Sep 19 '19 at 04:08
  • Glad to help... – joeqwerty Sep 19 '19 at 11:53
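The hosts-file approach from the answer above, written out as an added example (not code from the answer or its author) so the result can be applied and checked in one go: it appends an allow list to the hosts file, removes every configured resolver from the adapter, and then verifies that a listed name resolves while an unlisted one fails. The adapter name 'Wi-Fi' and the example.com hostnames and 192.0.2.x addresses are assumptions and constructed placeholders; replace them with the real records of the one permitted domain.

```powershell
# Added example, not from the original answer. Assumes the wireless adapter is
# called 'Wi-Fi'; the hostnames and addresses below are constructed placeholders.
#Requires -RunAsAdministrator
$Adapter   = 'Wi-Fi'
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$Marker    = '# walk-up-kiosk allow list'

# Every hostname the permitted site actually needs must be listed: the page
# itself plus any asset/CDN hosts it pulls from (the "edge points" in the thread).
$AllowList = @{
    'www.example.com'    = '192.0.2.10'
    'example.com'        = '192.0.2.10'
    'static.example.com' = '192.0.2.11'
}

# 1. Rewrite the hosts file: keep every line this script did not add, then
#    append the current allow list under a marker so re-runs stay idempotent.
$kept  = Get-Content $HostsPath | Where-Object { $_ -notmatch [regex]::Escape($Marker) }
$block = $AllowList.GetEnumerator() | ForEach-Object { "$($_.Value)`t$($_.Key)`t$Marker" }
Set-Content -Path $HostsPath -Value (@($kept) + @($block)) -Encoding ASCII

# 2. Remove all DNS servers (both address families) from the adapter. With no
#    resolver configured the client answers only from the hosts file, so no
#    query ever leaves the machine for the AP or the router to forward.
#    Only the resolver list becomes static; the adapter keeps its DHCP address.
netsh interface ipv4 set dnsservers name="$Adapter" source=static address=none validate=no | Out-Null
netsh interface ipv6 set dnsservers name="$Adapter" source=static address=none validate=no | Out-Null
Clear-DnsClientCache

# 3. Verify: no resolver on the adapter, a listed name resolves from the hosts
#    file, and an unlisted name fails instead of leaking a query.
$servers = (Get-DnsClientServerAddress -InterfaceAlias $Adapter).ServerAddresses
if ($servers) { throw "DNS servers still configured on ${Adapter}: $($servers -join ', ')" }

$listed = [System.Net.Dns]::GetHostAddresses('www.example.com').IPAddressToString
if ($listed -notcontains '192.0.2.10') { throw 'hosts-file entry is not in effect' }

try {
    [System.Net.Dns]::GetHostAddresses('unlisted.example.org') | Out-Null
    throw 'unlisted name resolved; a DNS server or cached answer is still in use'
} catch [System.Net.Sockets.SocketException] {
    Write-Host 'OK: unlisted names do not resolve; only the allow list works.'
}
```

Run it again whenever the permitted site changes its hostnames or addresses; if the site's address changes and the hosts file is not updated, the site will simply stop loading rather than fall back to a real resolver.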

Another option would be to configure the client to point to a DNS server that is pointing at itself only and not look for any other upstream DNS servers when it cannot resolve a request on its own.

  • I like this idea and it occurred to me as well. However, I am reluctant (lazy?) to set up yet another DNS server. A lightweight solution is my ideal. I have a new network card arriving Monday so I will try Joe QWERTY's idea and see how that goes. – Not a machine Sep 14 '19 at 16:28