
  Readme for v6.4.7


Requirements:

DNS Redirector is intended to be used on reliable hardware with a server operating system.
It can be installed on individual Windows clients [1] but consider the administrative risks.

Windows 2000 Server/SBS (RTM, SP1-4) [3]
Windows 2000 Professional (RTM, SP1-4) [1]
Windows XP Home/Pro/Tablet/MCE (RTM, SP1-3, x64) [1], [2]
Windows Server 2003/Web/SBS/R2 (RTM, SP1-2, x64) [2]
Windows Vista (RTM, SP1, x64) [1], [3]
Windows Server 2008/Core/Web/SBS (RTM=SP1, x64) [3]

[1] Not supported in production environments due to OS and/or IIS connection limits.
[2] Running as a service (no GUI) is available for this OS by using the method described in FAQ 73.
[3] Running as a service (no GUI) is only available for this OS by using FireDaemon.

We are unable to test on Windows Server "for Itanium-Based Systems" or "Datacenter Edition" but have been told it works.
DNS Redirector will not run under Wine or on Windows NT4 (or earlier).

The OS minimum memory requirement plus 256 MB is suggested.

Any Windows x86 or x64, Apple/Mac, Linux, Unix, etc. OS is supported as a client.

Installation:

Download DNS Redirector

1) Run setup and follow the wizard
2) Configure C:\DNSREDIR\dnsredir.ini as indicated below
3) Setup any hosted pages you require in IIS (or other web server software)
4) Run C:\DNSREDIR\dnsredir.exe
5) Change your DHCP scope to hand out the DNS Redirector server IP as the only DNS server

Implementation:

IMPORTANT: By default, DNS Redirector will try to bind the DNS service to all IPs assigned to the server, so ensure that other DNS software (such as Microsoft's DNS service for Windows 2000/2003 Server) is not also set to listen on the same IP. If two DNS servers are bound to the same IP you will get an error when starting DNS Redirector. In some instances you may need to add another IP address (not another NIC) to the server; in this case set DNS Redirector's ListenOnIP= to the new IP and set Microsoft's DNS service to listen only on the original IP. See FAQ 4.

You will need to change the DHCP scope properties of your LAN so the IP address of the machine running DNS Redirector is the one handed out as the default DNS server. This IP is also shown in the log file on load as [Initialize] DNS listener bound to... If you are running multiple copies of DNS Redirector (for filtering redundancy only) you should add the IP of each DNS Redirector server to your DHCP scope properties. See FAQ 28.

Considerations for no NAT and no DNS separation...
For a wireless HotSpot, the DNS Redirector server and clients must be in the same IP address space and not separated by a NAT device.
For content filtering, blocked/allowed functionality will work regardless of network placement.
Similarly, no other DNS server should exist between clients and the DNS Redirector server. DNS Redirector should always be first in the chain of DNS resolution. See FAQ 37 and Network Examples.

dnsredir.ini Settings:

In the example below Default values are in green, and Example values are in blue.
All files referenced in the .ini are assumed to be in the C:\DNSREDIR working directory.

Logging=Normal
  Sets the log file detail; a new log file is created each day, using the day's date as the filename.
Valid options are:
Off - New Instance Started is the only log item
Normal - Only queries modified/answered by DNS Redirector are logged, all others are not logged
Full - Every query/response and function of DNS Redirector is logged, useful for diagnostic/troubleshooting
        (In a large environment this log file may become very big, use sparingly)

ListenOnIP=192.168.0.2
  Specify the static IP address of this DNS Redirector server, or leave blank to bind on all system IPs.
When specified, DNS Redirector will bind only to this local system IP address to avoid conflicts. See FAQ 4.

DNSServerIP1=
DNSServerIP2=

  Your real DNS servers, as provided by your ISP or your internal/Active Directory integrated DNS servers.
These are the real DNS servers that all normal queries are forwarded to. If one becomes unavailable or times out, DNS Redirector automatically switches to the next; because of this failover process, DNS performance through DNS Redirector can be improved by specifying only one DNS server here. On a corporate network you will usually declare the IP of your internal DNS or Active Directory integrated DNS server(s); otherwise declare the DNS server(s) provided by your upstream Internet provider or ISP. See FAQ 40.

SimpleDNS=simpledns.txt
  File containing DNS A records that you want to resolve locally.
The contents of the file need to be in the following format:
IP Address [tab] Fully Qualified Domain Name
As shown in this example:
192.168.0.1   router.example.com
192.168.0.2   blocked.example.com
192.168.0.3   welcome.example.com
Or as a catch-all:
192.168.0.8   *
When using an asterisk as shown above, all domain names, real or not, will resolve to a single IP. This method does not require any real DNS server to be specified under DNSServerIP1=, but it disables all RedirectIP=, BlockedIP=, and RestrictIP= functions. It is intended for specific scenarios where a real DNS server is not available (no Internet connection) and/or you need to make only a few internal sites available.

RedirectIP=192.168.0.3
  Initially redirect clients to this IP, where your welcome page is hosted.
When specified, the first time a client tries to browse the Internet they will be shown the website hosted at this IP address instead. When specifying RedirectIP= then AuthKeywordsFile= is also required. If initial redirection is not going to be used leave both settings blank. This must be an IP address, not a URL. For more information on setting up a page at an IP address, see the Hosted Pages section below. For information on redirecting to an existing website or URL see FAQ 30.
 
AuthKeywordsFile=authorized.txt
  File containing keywords of domain names that authorize the client to surf past the welcome page.
The contents of the file need to include one or several complex/unique domain names to be treated as the "key" that allows users to browse past the Welcome page. These do not have to be actual domain names registered on the Internet; you can make them up. Use SimpleDNS= if you want a made-up domain name to resolve to an IP. When a client does a DNS lookup for this domain name the client will be marked as Authorized.
  The system might work like this (or you can adapt it to your needs: payment page, password, registration, etc.):
1) User joins the network
2) User gets a DHCP lease that includes DNS Redirector as the DNS server
3) User starts a browser and sees your terms and conditions page
4) User clicks a link to accept the agreement
5) User is forwarded to another page that says Welcome and includes a clear image referenced at http://oktosurfnow123.com/clear.gif
6) DNS Redirector finds that oktosurfnow123.com matches the domain name specified in the AuthKeywordsFile
7) User can now browse the Internet freely

AlwaysKeywordsFile=always.txt
  File containing keywords of domain names that clients are always allowed to visit, even if they have not been authorized.
In a paid HotSpot scenario you would want to add the domain name(s) of your payment processor to the file so that users can visit the site in order to pay for access and then become authorized. Leave this setting blank if you are not going to use it.

AuthClientsFile=authclients.txt
  File containing IPs of local network clients that are always allowed to surf, even if they have not been authorized.
Useful for static-IP machines on the same LAN as the hotspot that shouldn't have to pay or be authorized to surf; such as the IT manager, back office, or receptionist's computer. Leave this setting blank if you are not going to use it.

BlockedIP=192.168.0.2
  Domain names matched in the BlockedKeywordsFile= below will resolve to this IP, where your blocked page is hosted.
If content filtering is not going to be used leave this setting blank. This must be an IP address, not a URL. When specifying BlockedIP= then BlockedKeywordsFile= is also required. For more information on setting up a page at an IP address, see the Hosted Pages section below.
 
BlockedKeywordsFile=blocked.txt
  File containing keywords of domain names that clients should not be able to visit.
Sample keywords to block websites, instant messaging, file-sharing programs, spyware, pornography and other content are available from our website here. Copy and paste the appropriate keywords into your blocked file, then restart DNS Redirector to make them active. If blocking is not going to be used leave this setting blank.

AllowedKeywordsFile=allowed.txt
  File containing keywords of domain names that clients are allowed to visit.
Certain blocking keywords (usually keywords that are too generic) may prevent clients from visiting legitimate content, this list corrects that. If blocking is not going to be used leave this setting blank.

BypassBlockFile=bypassblock.txt
  File containing keywords of domain names that toggle the client so they can view blocked content.
When a client machine does a lookup for a domain name that is matched in this file, that client will then be able to surf websites freely and resolve domain names which are normally blocked. If that same machine does a lookup for a matching domain name again, the blocking is turned back on. Note that after toggling blocking you will usually need to close and reopen the browser, and possibly run the command "ipconfig /flushdns" (Win2K/XP only) on the local client machine. This is necessary to clear any cached records for the websites visited previously; otherwise those sites may still be reachable or unreachable as before. Restarting DNS Redirector will also clear any and all clients that previously requested blocking off. Note that a client who visits a bypass URL before the authorized URL will be able to browse freely, but will not set Authorized=True in the GUI. If blocking is not going to be used leave this setting blank.

RestrictIP=192.168.0.4
  When the server time is between the values for RestrictStart= and RestrictEnd= all DNS queries will instead resolve to this IP, where your time restriction page is hosted.
If restriction is not going to be used leave this setting blank. This must be an IP address, not a URL. For more information on setting up a hosted page at an IP address, see the Hosted Pages section below. The intention is you would host a page saying "Internet restriction in effect during this time" or something that indicates Internet access is not available. Note that a client who was already online up to this timeframe may still be able to browse a few of the previously viewed/cached websites until their browser is closed.
 
RestrictStart=5:00:00 PM
RestrictEnd=8:00:00 AM

  Time format is #:##:## XM, where the #'s are hr:min:sec and XM is either AM or PM.

BypassRestrictFile=bypassrestrict.txt
  File containing keywords of domain names that toggle the client so they can surf even if within the restricted timeframe.
Similar to the BypassBlockFile= setting, every time a client machine does a lookup for a domain name that is matched in this file the bypassing is toggled on or off.
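The decision flow described above, from SimpleDNS= through BypassRestrictFile=, as an added worked example (not DNS Redirector's own code). It assumes keyword files match anywhere inside the queried name and a precedence order (authorization and bypass marking, then local records, time restriction, blocking, initial redirection) that the readme does not state explicitly; the sample settings are constructed.

```python
from datetime import datetime, time

SAMPLE_CFG = {  # constructed sample values for the dnsredir.ini keys above (hypothetical)
    "simple": "192.168.0.1\trouter.example.com\n192.168.0.3\toktosurfnow123.com\n",
    "redirect_ip": "192.168.0.3", "auth": ["oktosurfnow123.com"],
    "always": ["pay.example"], "authclients": {"192.168.0.50"},
    "blocked_ip": "192.168.0.2", "blocked": ["chat"], "allowed": ["chatham"],
    "bypass_block": ["bypass-block-xyz.com"], "bypass_restrict": ["bypass-time-xyz.com"],
    "restrict_ip": "192.168.0.4", "start": "5:00:00 PM", "end": "8:00:00 AM",
}

def parse_simpledns(text):
    """simpledns.txt lines are 'IP<tab>FQDN'; a name of '*' is the catch-all."""
    pairs = [ln.split() for ln in text.splitlines()]
    return {fqdn.lower(): ip for ip, fqdn in (p for p in pairs if len(p) == 2)}

def keyword_hit(name, keywords):
    """Keyword files are assumed to match anywhere inside the queried domain name."""
    return any(k.lower() in name.lower() for k in keywords)

def in_window(now, start, end):  # a 5:00 PM to 8:00 AM window wraps past midnight
    return start <= now < end if start <= end else (now >= start or now < end)

class Redirector:
    def __init__(self, cfg):
        self.cfg, self.simple = cfg, parse_simpledns(cfg["simple"])
        fmt = "%I:%M:%S %p"                              # RestrictStart/End '#:##:## XM'
        self.start, self.end = (datetime.strptime(cfg[k], fmt).time() for k in ("start", "end"))
        self.authorized, self.bypass = set(), {"block": set(), "restrict": set()}  # per-client state

    def resolve(self, client, name, now: time):
        """Return (action, ip) for one query; 'forward' means send to DNSServerIP1."""
        c, key = self.cfg, name.lower()
        if keyword_hit(name, c["auth"]):                 # AuthKeywordsFile marks the client
            self.authorized.add(client)
        for kind in ("block", "restrict"):               # each matching lookup toggles bypass
            if keyword_hit(name, c["bypass_" + kind]):
                self.bypass[kind] ^= {client}
        ip = self.simple.get(key) or self.simple.get("*")   # '*' catch-all disables the rest
        if ip:
            return "local", ip
        if client not in self.bypass["restrict"] and in_window(now, self.start, self.end):
            return "restrict", c["restrict_ip"]
        if client not in self.bypass["block"]:
            if keyword_hit(name, c["blocked"]) and not keyword_hit(name, c["allowed"]):
                return "blocked", c["blocked_ip"]
            if (client not in self.authorized and client not in c["authclients"]
                    and not keyword_hit(name, c["always"])):
                return "redirect", c["redirect_ip"]
        return "forward", None
```

Each call returns the IP the client would receive for the page to host (or "forward" for a normal query), so the same instance can be stepped through a client's session query by query.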

ActionNumber=0
  Perform the JoinAction specified below; 1 means every time, 2 means for every 2nd client who joins, 3 for every 3rd client who joins, etc. If actions are not going to be used leave this set to 0.

JoinType=Detect
  Perform the JoinAction specified below; Detect means for any client that tried to do a DNS lookup, Auth means only for clients that have been authorized.
 
JoinAction=
  File you want to launch or execute when a client joins the network. This could be a .exe, .wav, .bat or other script. If a join action is not desired then leave this blank. For use with a third-party script or application, the client's IP is passed as an argument after the command.

LeaveAction=
  File you want to launch or execute when a client leaves the network. A leave action only happens if ActionNumber= is set to 1, meaning every time. This could be a .exe, .wav, .bat or other script. If a leave action is not desired then leave this blank. For use with a third-party script or application, the client's IP is passed as an argument after the command.

ClientTimeout=20
  Interval in minutes before an active client is considered to have left the network, based on the last DNS query received. This removes the client from the list, de-authorizes it, and executes the LeaveAction if set.

MinToTray=False
  Set this True so when the GUI is minimized it will go to the system tray area instead.

CloseToTray=False
  Set this True so when X is pressed (as if to normally close the GUI) it will stay running and go to the system tray area instead. When set True the GUI is also not displayed on startup but rather loads directly to the system tray.

Hosted Pages:

You can use IIS on the same machine to host your welcome/blocked/restrict pages. Note that IIS on Home/Workstation versions of Windows may only support one site and has other restrictions. Each site in IIS needs its own IP address; this might require you to add additional IP addresses (not more NICs) to the system. Optionally, you can declare the IP of another web server, even one outside your network, as the place where your welcome/blocked/restrict page is hosted.

For information on redirecting to a page that is external to the network, or that is not accessible via IP address directly, see FAQ 30. When redirecting to an external page you usually need to add that domain name in AlwaysKeywordsFile= or AllowedKeywordsFile= depending on your configuration.

In order for clients to successfully see the welcome, blocked, or time restriction pages you need to define custom errors that redirect to the site's default document. This can be set from the IIS Custom Errors tab. Create a separate site in IIS bound to a particular IP for each type of redirection page. For example...

   Blocked Page
       WWW Server at 192.168.0.2   (if BlockedIP=192.168.0.2)
           Default Document: blocked.asp
           HTTP Error: 403;1
             Message Type: URL
             URL: /blocked.asp
           HTTP Error: 404
             Message Type: URL
             URL: /blocked.asp
           HTTP Error: 414
             Message Type: URL
             URL: /blocked.asp

Sample redirect and blocked pages are available from our website. Within the HTML you'll see some special META tags which prevent browsers from caching these pages; if you modify or build your own page be sure to include these tags. To ensure compatibility with clients using IE7 see FAQ 22.

Other things you should know:

Because of the potential for hostile or abusive users on a public hotspot, you should place a firewall (preferably hardware based) between clients and the DNS Redirector server, allowing only UDP 53 and TCP 80 inbound to the server. At the least, you should disable unnecessary Windows services such as File and Printer Sharing (harden the machine) and/or use TCP/IP filtering.

You should create a rule in the firewall/router to the Internet that prevents the range of IP addresses handed out by DHCP from communicating outbound over TCP/UDP port 53. This prevents an extremely clever person, who intentionally changed their default DNS server to something other than DNS Redirector, from bypassing your blocked list or getting out on the Internet. See FAQ 34.

By clicking on an IP in the list (GUI only) you can send a popup message (net send) to most Windows 2000 or later clients. This only works when DNS Redirector and the client machine have the messenger service started.

Running multiple instances of DNS Redirector (on separate physical or virtual servers) for redundancy is only advised when using it as a filter, not when any kind of initial redirection is necessary, such as in a HotSpot environment. As a result, RedirectIP= and its associated functions are not supported when multiple DNS servers are provided to network clients. See FAQ 28.

For third-party software that is known to work with or aid in the use of DNS Redirector, see FAQ 71.

License:

To purchase a commercial license visit: dnsredirector.com/purchase
For the complete software license agreement visit: dnsredirector.com/license

 
DNS Redirector | Copyright © 2003-2008