Just recently I had a consulting appointment with a school that needed to use a proxy server in order to block students from inappropriate websites. Prior to my visit they were using a tangerine iBook with OS 9 and some piece of software that did the proxy work. After some thought we came up with the idea of using OS X Server (since they were also running that) as the proxy server. It was much more up to date and it seemed like it would be pretty easy to transfer the list from the iBook's proxy software to OS X Server. Unfortunately, I have a feeling the list was so huge that it kept crashing the Web service, so it was back to the drawing board.
We finally decided to use OpenDNS, and after some initial testing it all seemed to work fine. We assigned all the student computers static IPs and set up their DNS servers as the OS X Leopard server's IP followed by OpenDNS. We listed the server's IP first because it allowed the clients to find the server for network home directory use, and I assumed they would then use OpenDNS second (for all other queries).
Unfortunately, while we could log in to the network home directories, OpenDNS and the blocking of inappropriate websites failed to work. Puzzled, I searched for a way to let us use the server for initial DNS while anything else had to pass through OpenDNS. A quick search through the knowledge base turned up this article. Basically you just had to add a few lines to one of the DNS configuration files. Really simple. When I restarted the DNS service, nothing worked. I believe that is because the article linked above is for OS X Server Tiger and previous versions. After looking around in the DNS service settings (via the Server Admin tool) I found a box called 'DNS Forwarding'. I simply plugged in the OpenDNS IP addresses and removed all but the server's IP from the clients' DNS server lists.
I restarted the DNS service, rebooted the client machine for good luck and attempted to log in to the network home directory. It worked! Next I tried loading a site on my OpenDNS blacklist, and it too was blocked. It worked just as I had wanted it to.
DNS Forwarding, as I understand it, works like so:
- The client machines use the server's IP as their only DNS server.
- In my case the server contains one DNS entry (well, two if you count the reverse DNS record). That one record is for the server itself, so the clients know how to find it.
- Anything that isn't in the server's own DNS zone gets sent to the entries in your DNS Forwarding list. In this case that was OpenDNS, so pretty much every request except the ones for the server itself was forwarded to OpenDNS.
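For anyone who would rather see what the Server Admin 'DNS Forwarding' box amounts to underneath, here is an added example (not the configuration from my server) of the equivalent BIND `named.conf` settings. It assumes a made-up server address of 192.168.1.2 on a 192.168.1.0/24 LAN, a made-up local zone called `school.example`, and OpenDNS's public resolver addresses as the forwarders.

```conf
// Added example, not the page's own configuration.
// Assumptions: server IP 192.168.1.2, LAN 192.168.1.0/24,
// local zone "school.example" (all made up for illustration);
// forwarders are OpenDNS's public resolvers.
options {
    // Only answer the school's own clients; never be an open resolver.
    listen-on      { 127.0.0.1; 192.168.1.2; };
    allow-query    { 127.0.0.1; 192.168.1.0/24; };
    allow-recursion{ 127.0.0.1; 192.168.1.0/24; };

    // Any name this server is not authoritative for is sent here.
    // This is what the 'DNS Forwarding' box fills in.
    forwarders { 208.67.222.222; 208.67.220.220; };

    // "forward only" is the part that matters for filtering: if the
    // forwarders do not answer, the query fails instead of being
    // resolved directly from the root servers, which would quietly
    // bypass the OpenDNS blacklist. The default ("forward first")
    // falls back to direct resolution.
    forward only;
};

// The single local zone: the server's own name lives here.
zone "school.example" {
    type master;
    file "school.example.zone";
};

// Optional matching reverse zone for the LAN.
zone "1.168.192.in-addr.arpa" {
    type master;
    file "1.168.192.rev";
};
```

From a client, `dig @192.168.1.2 <name>` shows where an answer came from: a name in the local zone comes back with the `aa` (authoritative answer) flag set, while anything else was fetched through the forwarders. Note that this only filters clients whose sole DNS server is 192.168.1.2; a client that can still reach another resolver directly is not covered.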
Hopefully this article can help people who run in-house DNS and are also looking for a way to send all other DNS queries to an outside service such as their ISP's DNS servers or even OpenDNS.