DNS Redirect on OS X 10.6

Discussion in 'Mac OS X Server, Xserve, and Networking' started by Les Kern, Dec 9, 2013.

  1. Les Kern macrumors 68040

    Joined:
    Apr 26, 2002
    Location:
    Alabama
    #1
    Was wondering how to set up a redirect of an external domain internally on my DNS server.
    For instance, I need to direct all SSL traffic requests for https://www.google.com to http://www.google.com, same for YouTube.

    Reason: Google owns YouTube, YouTube kills bandwidth and porn is readily available, at least images. (Our motto: Just add that S!).
    Until I set up deep packet inspection using a locally installed cert and my Cymphonix box I need to be able to block the ability for students to bypass. I have 1/2 of a school year to go.
    Thanks for any guidance... from a guy who doesn't believe in filtering but doesn't pay himself.
     
  2. chris.k macrumors member

    Joined:
    May 22, 2013
    Location:
    YSSY
    #2
    That can't be solved by DNS alone. (Unless you "wall garden" everything per se, but that doesn't help here)

    Name servers are oblivious to the HTTP/HTTPS portion of the URL request.

    You'd need to hijack the TCP/443 or TCP/80 request and insert your own "301 Redirect". A squid proxy cache may be able to do this, or yeah, one of the more expensive Router/Firewall/DPI boxes. (Juniper SRX, Cisco ASA etc.)

    DNS overwrite alone won't cut it, I believe.


    Edit: on second thought, if you want to block the sites completely, just set up an Authoritative Zone for google.com or YouTube.com on your local DNS and return unroutable addresses.

    You'd also have to block all outgoing DNS requests from everything but your DNS server. Also be sure to change the DHCP info to have all your students use your local DNS.
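
Added example, not part of chris.k's post or the thread: a shell script that generates the local authoritative override zones suggested in post #2, assuming the DNS service is BIND. It writes one shared zone file plus a named.conf stanza per blocked domain; the sink address 192.0.2.1, the `school.example` names, the serial and the output file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: build BIND override ("sinkhole") zones for blocked domains.
# All values below are constructed placeholders, not taken from the thread.
SINK_IP="192.0.2.1"                 # TEST-NET-1 (RFC 5737), never routed publicly
NS_NAME="ns1.school.example."       # hypothetical name of the local DNS server
RNAME="hostmaster.school.example."  # hypothetical zone contact

# write_sinkhole_zone FILE
# Every record is relative to "@", so one file can back any number of zones.
write_sinkhole_zone() {
    cat > "$1" <<EOF
\$TTL 300
@   IN SOA  ${NS_NAME} ${RNAME} (
            2013120901 ; serial (constructed)
            3600       ; refresh
            600        ; retry
            86400      ; expire
            300 )      ; negative-cache TTL
    IN NS   ${NS_NAME}
    IN A    ${SINK_IP} ; the bare domain
*   IN A    ${SINK_IP} ; www, m, and every other name under it
EOF
}

# write_zone_stanzas ZONEFILE DOMAIN...
# Prints one named.conf zone stanza per blocked domain.
write_zone_stanzas() {
    zonefile=$1; shift
    for domain in "$@"; do
        printf 'zone "%s" IN {\n' "$domain"
        printf '    type master;\n    file "%s";\n' "$zonefile"
        printf '    allow-update { none; };\n};\n'
    done
}

# build_sinkhole OUTDIR DOMAIN...
build_sinkhole() {
    outdir=$1; shift
    mkdir -p "$outdir" || return 1
    write_sinkhole_zone "$outdir/blocked.zone" || return 1
    write_zone_stanzas "blocked.zone" "$@" > "$outdir/blocked-zones.conf"
}

# Example: sh sinkhole.sh ./out google.com youtube.com
if [ "$#" -ge 2 ]; then
    build_sinkhole "$@"
fi
```

Pull `blocked-zones.conf` into `named.conf` with an `include` statement and check the zone with `named-checkzone google.com blocked.zone` before reloading. A replica server needs the same override zones, or it will keep answering with the real addresses.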
     
  3. Les Kern thread starter macrumors 68040

    Joined:
    Apr 26, 2002
    Location:
    Alabama
    #3
    Sounds like a plan. I use two internal DNS servers, one a master crossing to another subnet to a replica. This should be easy. Didn't think DNS alone was possible but I was hoping.
    Thanks so much.
     
  4. chris.k macrumors member

    Joined:
    May 22, 2013
    Location:
    YSSY
    #4
    Glad I could help.

    Let us know if any of these tricks work out for you!
     
