Restricting access to sites

Jim Reid jim at mpn.cp.philips.com
Mon Jul 5 16:01:53 UTC 1999


>>>>> "Simon" == Simon Bond <simon.bond at ptr.co.uk> writes:

    Simon> If a user on machine A tries to go to xxx.com, the DNS
    Simon> query goes from machine A to our DNS server, which then
    Simon> raises the ISDN line to the Internet to perform its own
    Simon> DNS query. The reply then comes back and the client machine
    Simon> then tries to go to the site (e.g. via FTP or HTTP), which
    Simon> is then blocked by the firewall.

    Simon> So what I'm saying is... I can block FTP or HTTP access to
    Simon> sites, but I can't block the actual DNS query which goes
    Simon> out before that. Now these all raise the ISDN line and I
    Simon> want to stop that.

You can't really do that. One possibility might be to slave the
xxx.com zone so that local lookups don't need to bring up the ISDN
link. However, that's not scalable. And then you have the cost of the
SOA queries every zone-refresh-interval and the odd zone transfer to
consider. These'll bring up the ISDN link too. This might well create
more traffic than the odd lookup of xxx.com.

You could of course master a fake xxx.com domain on your name server.
That'll stop the off-site DNS lookups for sure, but it will probably
break all traffic from your site to xxx.com. And that "solution" isn't
really scalable either.

Probably the best you can hope for is that all internal lookups get
sent to your local name server, and it builds up a good cache so that
the ISDN line only comes up when the name server is asked for a name
it hasn't already cached. You have to accept that some off-site DNS
traffic is unavoidable, so DNS lookups will bring up your ISDN
link. The trick will be to keep call charges to a minimum: (a) the
Internet doesn't need to query your name server; (b) after a DNS
lookup you keep the link up for 1 PTT-charging-unit-number-of-seconds
in the hope that soon after the lookup some local application sends
data to the external name/address that has just been looked up.
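
The name-server arrangements compared in the reply above, sketched as a BIND named.conf; this is an added illustration, not part of the original thread. The internal network range, the master address for xxx.com and the file paths are assumptions.

```conf
// Added example: BIND named.conf sketching the options discussed in the reply.
// The network 192.0.2.0/24, the address 192.0.2.53 and all file paths are assumed.
options {
    directory "/var/named";
    // Keep a cache: point every internal resolver at this server, so repeated
    // lookups of a name are answered locally without raising the ISDN link.
    recursion yes;
    // (a) Only the internal network may query this server, so hosts on the
    //     Internet cannot bring the link up by sending queries to it.
    allow-query { 192.0.2.0/24; };
};

// Option 1: slave the real xxx.com zone. Lookups of xxx.com are then answered
// locally, but the server still dials out for the SOA check every refresh
// interval (set by the master's SOA record, not here) and for zone transfers.
zone "xxx.com" {
    type slave;
    file "slave/xxx.com";
    masters { 192.0.2.53; };   // assumed address of an xxx.com master
};

// Option 2 (commented out): master a fake xxx.com zone locally. No query for
// xxx.com ever leaves the site, but all traffic from the site to xxx.com breaks.
// Only one zone statement for a given name may be active at a time.
// zone "xxx.com" {
//     type master;
//     file "master/xxx.com";   // assumed: a minimal zone holding only SOA and NS records
// };
```

Point (b), holding the link up for one charging unit after a lookup, is a dial-on-demand idle timer on the ISDN router, not a named setting.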
