OpenDNS web blocking not working after joining domain

Hozism
Aspirant

The router we have is set up with OpenDNS to block certain websites like Pandora, Facebook etc. It worked like a charm, and we were also able to allow access to a few employees who needed access to Facebook etc. This was when all computers were in WORKGROUP mode. All computers had DHCP set up for IP and DNS settings.

When we moved to a Windows Server 2012 DOMAIN based setup, all these computers were domain-joined. The computers still get their IP via DHCP, but the DNS setting now points to the Windows Server. The Windows Server itself has no restriction on the router.

The issue I am facing is that suddenly the router is bypassing all restrictions set via OpenDNS and everyone is able to access restricted websites. I did some research but couldn't find anything on why it suddenly stopped working. Is it because the DNS setting on each computer points to the Windows Server, and the Windows Server itself has full privileges, which makes the router think the request is originating from the Server and not from the computer?

I understand we need to have a management policy on misuse of resources, but I was wondering why it would stop suddenly after the domain join? We are in the process of getting a firewall in the future, but in the meantime I do want to block. Any help will be appreciated.

Model: R7800|Nighthawk X4S AC2600 WiFi Router
Message 1 of 3

Accepted Solutions
schumaku
Guru

Re: OpenDNS web blocking not working after joining domain

Not a Netgear problem at all...

@Hozism wrote:

When we moved to a Windows Server 2012 DOMAIN based setup, all these computers were domain-joined. The computers still get their IP via DHCP, but the DNS setting now points to the Windows Server. The Windows Server itself has no restriction on the router.


DNS is a strictly hierarchical system - yes, this will reliably allow bypassing any restrictions you had set in place while it was a pure workgroup.

@Hozism wrote:

The issue I am facing is that suddenly the router is bypassing all restrictions set via OpenDNS and everyone is able to access restricted websites. I did some research but couldn't find anything on why it suddenly stopped working. Is it because the DNS setting on each computer points to the Windows Server, and the Windows Server itself has full privileges, which makes the router think the request is originating from the Server and not from the computer?

Noting "suddenly" - it has to be that way.

@Hozism wrote:

I understand we need to have a management policy on misuse of resources, but I was wondering why it would stop suddenly after the domain join?


In an Active Directory Domain, DNS is core, and all domain-integrated systems must run on the Active Directory DNS. Therefore, all DNS requests will - and must - go to the AD DNS, and the AD DNS server will drill up to the Internet DNS.

It's possible to configure the AD DNS by adding the OpenDNS servers to the forwarders so the AD DNS always queries OpenDNS. But to my knowledge, this still won't allow policies for different local workstations and users. I am not aware that OpenDNS has anything like that.

No other way than to migrate to a proper solution; the simplest one might be to look into Microsoft ISA (Internet Security and Acceleration) - this can be enforced on the clients using policies, and allows flexible handling based on workstations, user groups, applications, ...

Message 2 of 3
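The forwarder configuration described in the accepted answer, as an added example that is not part of the thread and not code from either participant. It assumes the DnsServer PowerShell module (installed with the DNS Server role on Windows Server 2012 and later) and that it is run as an administrator on the domain controller hosting AD DNS. The two addresses are OpenDNS's public resolvers; `example.com` is only a placeholder name for the resolution check.

```powershell
# Added example: point the AD DNS server's forwarders at OpenDNS and verify the path.
# Assumes the DnsServer module and administrator rights on the AD DNS server.
# 208.67.222.222 and 208.67.220.220 are OpenDNS's public resolver addresses.
$OpenDnsForwarders = @('208.67.222.222', '208.67.220.220')

# Replace the current forwarder list. Disabling root-hint fallback makes a forwarder
# outage fail closed: otherwise the server would silently resolve names itself via
# the Internet root servers, and every OpenDNS filter would be bypassed.
Set-DnsServerForwarder -IPAddress $OpenDnsForwarders -UseRootHint $false -Timeout 3

# Flush the server-side cache so answers cached before the change do not mask it.
Clear-DnsServerCache -Force

# Verify what the server will actually do, rather than trusting the command succeeded.
$fwd = Get-DnsServerForwarder
$configured = $fwd.IPAddress | ForEach-Object { $_.IPAddressToString }
if (@(Compare-Object $configured $OpenDnsForwarders).Count -ne 0) {
    Write-Warning "Forwarders are [$($configured -join ', ')], expected [$($OpenDnsForwarders -join ', ')]"
}
if ($fwd.UseRootHint) {
    Write-Warning 'Root-hint fallback is still enabled; filtering is bypassed whenever the forwarders fail.'
}

# Resolve a placeholder name through the local server to confirm it answers at all.
Resolve-DnsName -Name example.com -Type A -Server localhost

# OpenDNS publishes a diagnostic TXT record; if the answer comes from OpenDNS it
# names the OpenDNS resolver that served it, which confirms the forwarding path.
Resolve-DnsName -Name debug.opendns.com -Type TXT -Server localhost
```

Two caveats follow from the answer above. OpenDNS applies its policy to the public IP address the queries arrive from, so once every client resolves through the domain controller all of them share the one policy that the DC's egress address maps to; the per-employee exceptions that worked in the workgroup cannot be expressed this way. And a client that sets its own DNS servers still walks around the DC entirely, so the forwarder change is only effective if outbound UDP/TCP port 53 from anything other than the AD DNS servers is blocked at the router or the planned firewall.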

All Replies
Hozism
Aspirant

Re: OpenDNS web blocking not working after joining domain

Thank you schumaku. Unfortunately, I suspected as much but wanted to validate it with someone. We are in the process of implementing a Sophos Firewall, so hopefully some of these issues will be handled as part of the Firewall configuration. Thank you for the input. If others have any more insight, I would love to hear it; until then, thank you again.

Message 3 of 3