
Requirements:

DNS Redirector is intended to be used on reliable hardware with a server operating system.
Depending on use, a dedicated server is not required; see the Other Things You Should Know section.

Windows 7 [1]
Windows Server 2008/Core/Web/SBS/R2
Windows Vista [1] ...at least SP2 recommended
Windows Server 2003/Web/SBS/R2/WHS
Windows XP [1] Home/Pro/Tablet/MCE
Windows 2000 w/SP4 [2] Professional [1]/Server/SBS

[1] Not supported/recommended in production environments due to OS and IIS connection limits.
[2] Not supported/recommended due to End of Life, post-SP4 updates only through 2010.

The OS minimum memory requirement plus 256 MB is suggested.
Running as a service (no GUI) is discussed in FAQ 73.
DNS Redirector is 32-bit and will run automatically on x64 using WOW64.
It will not run under Wine, Windows NT4 or earlier.

Any Windows x86 or x64, Apple/Mac, Linux, Unix, etc. OS using IPv4 is supported as a client.

Installation:

Download: DNS Redirector v6.4.9 r02/10/09
 
 Mirror: FileForum

1) Run setup and follow the wizard
2) Configure C:\DNSREDIR\dnsredir.ini (see the INI Settings section)
3) Set up IIS or other web server software (see the Hosted Pages section)
4) Run C:\DNSREDIR\dnsredir.exe
5) Change your DHCP scope to hand out the DNS Redirector server IP as the only DNS server

Implementation:

IMPORTANT: By default, DNS Redirector will try to bind its DNS service to all IPs assigned to the server. If another DNS server is bound to the same IP (such as Microsoft's DNS service under Windows Server, see FAQ 91) you will get an error when starting DNS Redirector. In some instances you may need to add another IP address (not another NIC) to the server, then configure DNS Redirector's ListenOnIP= to be the new IP and the other DNS service to use only the original IP.
See FAQ 4.

You will need to change the DHCP scope properties of your LAN so the IP address of the machine running DNS Redirector is the one handed out as the default DNS server. This IP is also shown in the log file on load as [Initialize] DNS listener bound to... If you are running multiple copies of DNS Redirector (for filtering redundancy only) you should add the IP of each DNS Redirector server to your DHCP scope properties. See FAQ 28.

Considerations for no NAT and no DNS separation...
For a wireless HotSpot, the DNS Redirector server and clients must be in the same IP address space and not separated by a NAT device.
For content filtering, blocked/allowed functionality will work regardless of network placement.
Similarly, no other DNS server should exist between clients and the DNS Redirector server. DNS Redirector should always be first in the chain of DNS resolution. See FAQ 37 and Network Examples.

INI Settings:

In the example below Default values are in green, and Example values are in blue.
All files referenced in the .ini are assumed to be in the C:\DNSREDIR working directory.

Logging=Normal
  Sets the log file detail. A new log file is created each day, using the day's date as the filename.
Valid options are:
Off - No log is created (this is fastest and recommended for large networks)
Normal - Only queries modified/answered by DNS Redirector are logged
Full - Every query, response, and function is logged (useful for diagnostics/troubleshooting; use sparingly as log files become large quickly)

ListenOnIP=192.168.0.2
  Specify the static IP address of this DNS Redirector server, or leave blank to bind on all system IPs.
When specified, DNS Redirector will bind only to this local system IP address to avoid conflicts. See FAQ 4.

DNSServerIP=
  Specify the IP of a real DNS server, your internal or Active Directory integrated DNS server.
This is the DNS server that all normal queries are forwarded to. On a corporate network you will usually declare the IP of your internal DNS or Active Directory integrated DNS server; otherwise declare the DNS server provided by your upstream Internet provider or ISP. See FAQ 50.

SimpleDNS=simpledns.txt
  File containing DNS A records that you want to resolve locally.
The contents of the file need to be in the following format:
IP address[tab]Fully qualified domain name
As shown in this example:
192.168.0.1[tab]router.example.com
192.168.0.2[tab]blocked.example.com
192.168.0.3[tab]welcome.example.com
  Or as a catch-all:
192.168.0.8[tab]*
  When using an asterisk all domain names will resolve to a single IP, regardless of being real or not. This method does not require a real DNS server to be specified under DNSServerIP= but will render all RedirectIP=, BlockedIP=, and RestrictIP= functions disabled. This method is for specific scenarios where a real DNS server is not available (no Internet connection) and/or you need to make only a few internal sites available, see sample files.

RedirectIP=192.168.0.3
  Initially redirect clients to this IP, where your welcome page is hosted.
When specified, the first time a client tries to browse the Internet they will be shown the website hosted at this IP address instead. When specifying RedirectIP= then AuthKeywordsFile= is also required. If initial redirection is not going to be used leave both settings blank. This must be an IP address, not a URL. For more information on setting up a page at an IP address, see the Hosted Pages section. For information on redirecting to an existing website or URL see FAQ 30.
 
AuthKeywordsFile=authorized.txt
  File containing keywords of domain names that authorize the client to surf past the welcome page.
The contents of the file need to include one or several complex/unique domain names to be treated as the "key" that allows users to browse past the RedirectIP= page. These do not have to be actual domain names registered on the Internet; you can make them up. Use SimpleDNS= if you want a made-up domain name to resolve to an IP. When a client does a DNS lookup for a matching domain name, the client will be marked as Authorized.
The system should work like this (adapt it to your needs: payment page, password, registration, etc.):
A) user joins the network
B) user gets DHCP lease including DNS Redirector as the DNS server
C) user starts browser and sees your terms and conditions page
D) user clicks a link to accept the agreement
E) user gets forwarded to another page that says "Welcome to the Internet" and includes a clear image referenced at http://oktosurfnow123.com/clear.gif
F) DNS Redirector finds that oktosurfnow123.com matches the domain name specified in the AuthKeywordsFile
G) user can now browse the Internet freely

AlwaysKeywordsFile=always.txt
  File containing keywords of domain names that clients are always allowed to visit, even if they have not been authorized.
In a paid HotSpot scenario you would want to add the domain name(s) of your payment processor to the file so that users can visit the site in order to pay for access and then become authorized. Leave this setting blank if you are not going to use it.

AuthClientsFile=authclients.txt
  File containing IPs of local network clients that are always allowed to surf, even if they have not been authorized.
Useful for static-IP machines on the same LAN as the hotspot that shouldn't have to pay or be authorized to surf; such as the IT manager, back office, or receptionist's computer. Leave this setting blank if you are not going to use it.

BlockedIP=192.168.0.2
  Domain names matched in the BlockedKeywordsFile= below will resolve to this IP, where your blocked page is hosted.
If content filtering is not going to be used leave this setting blank. This must be an IP address, not a URL. When specifying BlockedIP= then BlockedKeywordsFile= is also required. For more information on setting up a page at an IP address, see the Hosted Pages section.
 
BlockedKeywordsFile=blocked.txt
  File containing keywords of domain names that clients should not be able to visit.
Sample keywords to block websites, instant messaging, file-sharing programs, spyware, pornography and other content are available from our website here. Copy and paste the appropriate keywords into your blocked file, then restart DNS Redirector to make them active. To automate the updating of keywords see FAQ 52. If blocking is not going to be used leave this setting blank.

AllowedKeywordsFile=allowed.txt
  File containing keywords of domain names that clients are allowed to visit.
Certain blocking keywords (usually keywords that are too generic) may prevent clients from visiting legitimate content; this list corrects that. If blocking is not going to be used leave this setting blank.

BypassBlockFile=bypassblock.txt
  File containing keywords of domain names that toggle the client so they can view blocked content.
The contents of the file need to include one or several complex/unique domain names to be treated as the "key" that allows users to browse past the BlockedIP= page. These do not have to be actual domain names registered on the Internet; you can make them up. Use SimpleDNS= if you want a made-up domain name to resolve to an IP. When a client does a DNS lookup for a matching domain name, the client will be marked as Authorized. Note that after toggling blocking you will need to close and reopen any browser windows; this is necessary to clear the browser's DNS cache for websites visited prior, otherwise those sites may still be blocked. If the same machine does a lookup for a matching domain name again, the blocking is turned back on. Restarting DNS Redirector will clear all clients that previously requested blocking off. Note that a client who visits a bypass domain name before the authorized domain name will be able to browse freely, but will not set Authorized=True in the GUI. If blocking is not going to be used leave this setting blank.

RestrictIP=192.168.0.4
  When the server time is between the values for RestrictStart= and RestrictEnd= all DNS queries will instead resolve to this IP, where your time restriction page is hosted.
If restriction is not going to be used leave this setting blank. This must be an IP address, not a URL. For more information on setting up a hosted page at an IP address, see the Hosted Pages section. The intention is you would host a page saying "Internet restriction in effect during this time" or something that indicates Internet access is not available. Note that a client who was already online up to this timeframe may still be able to browse a few of the previously viewed/cached websites until their browser is closed.
 
RestrictStart=5:00:00 PM
RestrictEnd=8:00:00 AM

  Time format in #:##:## XM, where #'s are hr:min:sec and XM is either AM or PM.

BypassRestrictFile=bypassrestrict.txt
  File containing keywords of domain names that toggle the client so they can surf even if within the restricted timeframe.
Similar to the BypassBlockFile= setting, every time a client machine does a lookup for a domain name that is matched in this file the bypassing is toggled on or off.

ActionNumber=0
  Perform the JoinAction specified below; 1 means every time, 2 means for every 2nd client who joins, 3 for every 3rd client who joins, etc. If actions are not going to be used leave this set to 0.

JoinType=Detect
  Perform the JoinAction specified below; Detect means for any client that tried to do a DNS lookup, Auth means only for clients that have been authorized.
 
JoinAction=
  File you want to launch or execute when a client joins the network. This could be a .exe, .wav, .bat or other script. If a join action is not desired then leave this blank. For use with a third-party script or application, the client's IP is passed as a variable after the command.

LeaveAction=
  File you want to launch or execute when a client leaves the network. A leave action only happens if ActionNumber= is set to 1, meaning every time. This could be a .exe, .wav, .bat or other script. If a leave action is not desired then leave this blank. For use with a third-party script or application, the client's IP is passed as a variable after the command.

ClientTimeout=20
  Interval in minutes before an active client is considered gone or left the network, based on the last DNS query received. This removes the client from the list, de-authorizes it, and executes the LeaveAction if set.

MinToTray=False
  Set this True so when the GUI is minimized it will go to the system tray area instead.

CloseToTray=False
  Set this True so when X is pressed (as if to normally close the GUI) it will stay running and go to the system tray area instead. When set True the GUI is also not displayed on startup but rather loads directly to the system tray.
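
The cross-setting rules in this section (RedirectIP= needs AuthKeywordsFile=, BlockedIP= and BlockedKeywordsFile= go together, the IP settings take addresses rather than URLs, the SimpleDNS= line format and its catch-all) can be checked before the service is started. This Python linter is an added example, not part of DNS Redirector; it assumes dnsredir.ini is plain Key=Value lines, and the function names and sample values are constructed for illustration.

```python
import ipaddress
import re

IP_KEYS = ("ListenOnIP", "DNSServerIP", "RedirectIP", "BlockedIP", "RestrictIP")
TIME_RE = re.compile(r"^(1[0-2]|[1-9]):[0-5]\d:[0-5]\d [AP]M$")  # "#:##:## XM"

def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False

def lint(ini_text, simpledns_text=""):
    """Findings for dnsredir.ini text (assumed one Key=Value per line) and SimpleDNS text."""
    pairs = (line.strip().partition("=") for line in ini_text.splitlines())
    cfg = {k.strip(): v.strip() for k, sep, v in pairs if sep}
    out = []
    for key in IP_KEYS:
        if cfg.get(key) and not is_ipv4(cfg[key]):
            out.append(f"{key}= must be an IPv4 address, not a URL or name")
    if cfg.get("RedirectIP") and not cfg.get("AuthKeywordsFile"):
        out.append("RedirectIP= is set but AuthKeywordsFile= is blank")
    if bool(cfg.get("BlockedIP")) != bool(cfg.get("BlockedKeywordsFile")):
        out.append("BlockedIP= and BlockedKeywordsFile= must be set together")
    if cfg.get("RestrictIP"):
        for key in ("RestrictStart", "RestrictEnd"):
            if not TIME_RE.match(cfg.get(key, "")):
                out.append(f"{key}= is not in #:##:## XM format")
    if cfg.get("LeaveAction") and cfg.get("ActionNumber", "0") != "1":
        out.append("LeaveAction= only runs when ActionNumber=1")
    catch_all = False
    for n, row in enumerate(simpledns_text.splitlines(), 1):
        ip, tab, name = row.strip().partition("\t")
        if row.strip() and not (tab and is_ipv4(ip) and name):
            out.append(f"SimpleDNS line {n}: expected IP[tab]name")
        catch_all = catch_all or name == "*"
    if catch_all and any(cfg.get(k) for k in IP_KEYS[2:]):
        out.append("SimpleDNS catch-all (*) disables RedirectIP=, BlockedIP=, RestrictIP=")
    return out

# Constructed sample input, not files shipped with DNS Redirector.
SAMPLE_INI = "\n".join([
    "RedirectIP=http://welcome.example.com", "BlockedKeywordsFile=blocked.txt",
    "RestrictIP=192.168.0.4", "RestrictStart=17:00", "RestrictEnd=8:00:00 AM",
    "ActionNumber=3", "LeaveAction=leave.bat"])
SAMPLE_SIMPLEDNS = "192.168.0.1\trouter.example.com\n192.168.0.8 *"  # line 2 lacks the tab
if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_INI, SAMPLE_SIMPLEDNS)))
```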

Hosted Pages:

You can use IIS on the same server to host your welcome/blocked/restrict pages. Optionally, you can declare the IP of another web server, even one outside your network, as the place where your welcome/blocked/restrict page is hosted. Note that IIS on a non-server OS has restrictions; such a configuration is not supported/recommended. Each site needs its own IP address, which might require you to add additional IP addresses (not more NICs) to the system. To redirect to a page that is external to the network and not accessible via IP address directly, see FAQ 30.

In order for clients to successfully see the welcome/blocked/restrict pages you need to define custom errors that redirect to the site's default document. If using IIS, set this under the Documents and Custom Errors tabs. For example...

   Blocked Page
       WWW Server at 192.168.0.2   (if BlockedIP=192.168.0.2)
           Default Document: blocked.asp
           HTTP Error: 403;1
             Message Type: URL
             URL: /blocked.asp
           HTTP Error: 404
             Message Type: URL
             URL: /blocked.asp
           HTTP Error: 414
             Message Type: URL
             URL: /blocked.asp

Sample redirect and blocked pages are available from our website here. Within the HTML you'll see some special META tags which prevent browsers from caching these pages; if you modify or build your own page be sure to include these tags. To ensure compatibility with clients using IE7 see FAQ 22.

When using BlockedKeywordsFile= you must also specify BlockedIP= and host a website at that IP or web surfing will be slow. If you don't want to use IIS try SimpleHTTP, which is sufficient for the local machine or a network with only a few users.

Other Things You Should Know:

A dedicated server is not required; installation on your existing domain controller(s), small business server, or home server is adequate. A separate LAN and server is advised when used for a public hotspot; this prevents malicious users from reaching your internal/office network. See Network Example 6.

Due to the potential for hostile or abusive users on a public hotspot, you should secure the server running DNS Redirector. See FAQ 39.

You should create a rule in the firewall/router to the Internet that prevents the range of IP addresses handed out by DHCP from communicating outbound over TCP/UDP port 53. This prevents an extremely clever person from bypassing your blocked list or getting out on the Internet by pointing their machine at a different DNS server. See FAQ 34.
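
One way to confirm the port 53 rule is in effect is to run a probe from a machine inside the DHCP range. This Python check is an added example, not part of DNS Redirector; the function names are hypothetical and 192.0.2.53 is a documentation placeholder for an outside DNS server of your choosing.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Minimal DNS query for an A record in RFC 1035 wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag, 1 question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def udp53_answers(server, name="example.com", port=53, timeout=3.0):
    """True if `server` answers a UDP DNS query, meaning the rule is not in effect."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, port))
            reply, _ = s.recvfrom(512)
        except OSError:  # timeout or ICMP unreachable: nothing came back
            return False
    # A real answer echoes the transaction ID and has the QR (response) bit set.
    return len(reply) >= 3 and reply[:2] == query[:2] and bool(reply[2] & 0x80)

def tcp53_connects(server, port=53, timeout=3.0):
    """True if a TCP connection to the DNS port completes."""
    try:
        with socket.create_connection((server, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_egress(resolvers, port=53, timeout=3.0):
    """Map each outside resolver to the protocols that got past the firewall."""
    leaks = {}
    for ip in resolvers:
        probes = (("udp", udp53_answers(ip, port=port, timeout=timeout)),
                  ("tcp", tcp53_connects(ip, port, timeout)))
        passed = [proto for proto, ok in probes if ok]
        if passed:
            leaks[ip] = passed
    return leaks

if __name__ == "__main__":
    import sys
    # 192.0.2.53 is a documentation placeholder; pass real outside DNS server IPs.
    print(check_egress(sys.argv[1:] or ["192.0.2.53"]) or "outbound port 53 is blocked")
```

An empty result means neither protocol reached any of the listed servers; the DNS Redirector server itself still needs port 53 access to the server named in DNSServerIP=.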

When running the GUI, clicking on an IP in the list gives you several client options. The 'Send message to a Windows client...' option performs a 'net send' to Windows 2000/XP/2003 clients; this only works when the DNS Redirector server and the client machine have the Messenger service started (disabled by default in XP SP2 and later, not available on Vista).

Running multiple instances of DNS Redirector (on separate physical/virtual servers) for redundancy is supported when used for filtering only, see FAQ 28.

For third-party software that is known to work with or aid in the use of DNS Redirector see FAQ 71.

License:

Some commercial use requires a DNS Redirector license. Since DNS is critical to the operation of any network, and we don't want to aggravate system administrators, there are no activation or renewal techniques built into the full version from this website. License purchases work on the honor system; when a license is necessary, return the favor by honoring us with your purchase.

To purchase a commercial license visit: dnsredirector.com/purchase

For the complete software license agreement visit: dnsredirector.com/license

 
DNS Redirector | Copyright © 2003-2009