Solved

Modem DNS setup that can't be bypassed?

Tags:
  • LAN
  • Modem
  • DNS
  • Networking
August 23, 2012 3:23:54 PM

Is there a way to force the user to use the modem DNS settings? I'm using OpenDNS (set within the modem settings) but think the users are simply entering alternate DNS servers in the browser settings or temporarily re-configuring the network settings.

I know the easy solution is to take away administrative privileges, but due to the work the users are doing, they need admin privileges...


August 23, 2012 3:48:17 PM

Not unless the modem/router has that option. In my case, I'm using DD-WRT/Tomato (third-party firmware) routers that either have this option, or, worst case, I can manually add firewall rules (using iptables) to prevent access to any other DNS servers.

Even so, it's important to realize that, depending on the users' network savvy and determination, almost ANYTHING you attempt to prevent/filter can probably be overcome by simply using a VPN or other proxy. So any measures you take will only be effective against users with limited networking knowledge. A real hacker type will always defeat your efforts in the end (unfortunately).
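The iptables approach mentioned in the reply above, as an added example that is not code from the thread. It assumes a DD-WRT/Tomato-style router with a LAN bridge named br0 and the router's own resolver (forwarding to OpenDNS) at 192.168.1.1; both names are assumptions, not from the posts. The rules rewrite every port-53 request from the LAN to the router's resolver and drop anything on port 53 that would still be forwarded out, and the verify step uses OpenDNS's diagnostic record debug.opendns.com (assumed to still be served as a TXT record) to prove from a client that a query addressed to a foreign server was in fact redirected. Note the caveat the later posts raise: these rules only see port 53, so a resolver on another port, a VPN, or a tunnelled proxy passes straight through them.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed layout (not stated in the
# posts): LAN bridge interface "br0", router's own resolver at 192.168.1.1
# (which forwards upstream to OpenDNS), DD-WRT/Tomato-style iptables on the router.

# Print the rules instead of applying them, so they can be reviewed first.
gen_dns_rules() {
    lan_if="$1"
    router_ip="$2"
    # 1. Rewrite every port-53 request leaving the LAN to the router's resolver,
    #    whatever server the client configured. Replies are un-NATed by conntrack,
    #    so the client still believes it talked to e.g. 8.8.8.8.
    echo "iptables -t nat -A PREROUTING -i $lan_if -p udp --dport 53 -j DNAT --to-destination $router_ip:53"
    echo "iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport 53 -j DNAT --to-destination $router_ip:53"
    # 2. Drop any port-53 traffic that would still be forwarded out of the LAN
    #    (e.g. if the DNAT rule is lost on reboot). Only the router itself may
    #    speak to upstream resolvers.
    echo "iptables -A FORWARD -i $lan_if -p udp --dport 53 -j DROP"
    echo "iptables -A FORWARD -i $lan_if -p tcp --dport 53 -j DROP"
}

# Run on the router as root to apply the rules.
apply_dns_rules() {
    gen_dns_rules "$1" "$2" | sh
}

# Run from a LAN client. debug.opendns.com is OpenDNS's own diagnostic TXT
# record (assumed here); it only answers when the query actually reached
# OpenDNS. Asking a non-OpenDNS server for it while the DNAT is in place
# proves the redirect: the answer comes back although the client addressed
# Google's 8.8.8.8, and the "server ..." line names the OpenDNS node.
verify_from_client() {
    answer=$(dig +short @8.8.8.8 TXT debug.opendns.com 2>/dev/null)
    case "$answer" in
        *server*) echo "DNS is forced through the router (OpenDNS answered): $answer" ;;
        *)        echo "Bypass possible: query to 8.8.8.8 was not redirected"; return 1 ;;
    esac
}

# Usage: ./force-dns.sh            (print the rules)
#        LAN_IF=br0 ROUTER_IP=192.168.1.1 ./force-dns.sh apply   (on the router)
#        ./force-dns.sh verify     (on a LAN client, needs dig)
case "${1:-print}" in
    apply)  apply_dns_rules "${LAN_IF:-br0}" "${ROUTER_IP:-192.168.1.1}" ;;
    verify) verify_from_client ;;
    *)      gen_dns_rules "${LAN_IF:-br0}" "${ROUTER_IP:-192.168.1.1}" ;;
esac
```

Printing the rules first is deliberate: on DD-WRT and Tomato the firewall script is re-run on every boot, so the reviewed output is what goes into the firmware's custom firewall script rather than being typed live.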
August 23, 2012 4:40:14 PM

You can lock down certain areas with group policy, local or network. Network settings is one of them.
August 23, 2012 5:19:10 PM

hang-the-9 said:
You can lock down certain areas with group policy, local or network. Network settings is one of them.


As elibgrad stated, a smart person can easily undo this since all users have admin access.
August 23, 2012 6:34:07 PM

Hawkeye22 said:
As elibgrad stated, a smart person can easily undo this since all users have admin access.


You can block even people in the Administrators group from having access to change group policy; you will need to make sure you set up an account that is able to change the settings later, though. For example, at work we have several levels of users; unless you are in the Level 1 user group, you cannot run regedit and do not have the Run command, restrictions like that. Even if your account is a local admin, you can't run regedit. You can do the same thing for the group policy editor.

A user account may be part of the local admin group, but if that group is removed from the rights to edit group policy, they won't be able to.

This is best done in a domain setting, though. Locally, you'd have to make sure you have an account set up that does have edit rights, or you will be stuck in a loop.

Best solution

August 23, 2012 6:51:47 PM

Sure, lock the machine; it's only a minor inconvenience.

All I do is place a device in between that does a simple IP NAT on the DNS address to whatever I want. If you try to reroute port 53, then I just NAT that to another port and use an external DNS that does not use 53.

The holes in OpenDNS are well known, and nobody that can afford a better solution uses it.

I work in IT security for a large company; even with many millions of dollars of proxies and firewalls, we can find no solution to the SSL VPN running from someone's house. You would have to block HTTPS and ActiveX to prevent it.

August 30, 2012 4:52:14 PM

Best answer selected by burk1959.
August 30, 2012 4:57:29 PM

I like the idea of the device in-between.

Seems like it should be easiest to manage, and I don't think it can be easily defeated. I picked up an Untangle U10, which will go between the modem and the switch. Just got it, so it's not installed yet, but especially since I'm managing a number of computers, it should be a single-point solution for the entire network.

A bit costly, but should easily pay for itself in productivity gains.
