
Requirements:

DNS Redirector is intended to be used on reliable hardware with a server operating system.

Windows 7*
Windows Server 2008/Core/Web/SBS/R2
Windows Vista* with SP2
Windows Server 2003/Web/SBS/R2/WHS
Windows XP* Home/Pro/Tablet/MCE
Windows 2000 with SP4 (Not supported, end-of-life on July 13, 2010)

*Not supported/recommended in production environments due to OS and IIS connection limits.

DNS Redirector v7.x requires .NET Framework 2.0 SP2
A minimum of 512MB over the OS minimum memory requirement is suggested.
Running DNS Redirector as a service (no GUI) is discussed in FAQ 73.
Any Windows x86 or x64, Apple/Mac, Linux, Unix, etc. OS is supported as a client.

Implementation Considerations:

Use a standard LAN with a hardware firewall as the default gateway...
See the Network Examples. Notice that proxy/SOCKS, ISA, or ICS is not compatible.

When used for content filtering...
A dedicated server is not required; installation on your existing domain controller(s), small business server, or home server is adequate.

When used for a public HotSpot...
The guest LAN should be completely isolated from any internal/office LAN as shown in Network Examples.
You should mitigate problems as discussed in FAQ 39 and FAQ 34.

DNS Redirector will try to bind the DNS service to all IPs assigned to the server...
If Microsoft's DNS service (found on some Windows Servers or Active Directory domain controllers) is installed see FAQ 91.
If another DNS server or something using the same ports is installed see FAQ 4.

You will need to change DHCP scope properties (option 6, DNS server)...
The IP address used by DNS Redirector needs to be the only one handed out as the DNS server.
If running multiple instances of DNS Redirector (only for content filtering, see FAQ 28) then add the IP of every DNS Redirector server.

No NAT and no DNS separation...
For a wireless HotSpot, the DNS Redirector server and all clients must be in the same IP address space and cannot be separated by a NAT device.
If used only for content filtering, blocked/allowed functionality will work regardless of network placement as discussed in FAQ 37.
Every client should use the IP of the DNS Redirector server as its default DNS server (usually provided via DHCP); no other DNS server may sit in between.

When running the GUI...
Clicking on an IP in the list gives you several client options. "Send message to a Windows client..." performs a 'net send' to Windows 2000/XP/2003 clients; this only works when both the DNS Redirector server and the client machine have the Messenger service started (it is disabled by default in XP SP2 and later, and is not available on Vista).

For third-party software that is known to work with or aid in the use of DNS Redirector see FAQ 71.

Installation:

Download DNS Redirector, extract the .zip to C:\DNSREDIR

Configure C:\DNSREDIR\dnsredir.ini using the INI Settings section below.

Setup IIS or other web server software using the Hosted Pages section below.

Allow access through any firewalls, see FAQ 102.

Run C:\DNSREDIR\dnsredir.exe or as a service.

Change your DHCP scope (option 6, DNS server) to hand out the DNS Redirector server IP as the only DNS server; this should be the same as the IP you specified for ListenOnIP= in dnsredir.ini.

Trouble? Visit the support page to search the FAQ, try the Wizard, or contact support.

INI Settings:

Default values are in green
Example values are in blue
v7 Only values are in purple

All files referenced in the .ini are assumed to be in the C:\DNSREDIR working directory.

Logging=Normal
  Sets the log file detail, a new log file is created each day using the day's date as a filename.
Valid options are:
Off - No log is created (this is fastest and recommended for large networks)
Normal - Only queries modified/answered by DNS Redirector are logged
Full - Every query, response, and function is logged (useful for diagnostic/troubleshooting, use sparingly as log files become large quickly)

Optimize=Speed
  Sets the string matching algorithm used on keyword lists.
Valid options are:
Speed - this is fastest and recommended for large networks
Memory - this will use less memory (ideal for machines with low resources serving smaller networks)

ListenOnIP=192.168.0.2, 192.168.0.3
  Specify the static IP address(es) of this DNS Redirector server, or leave blank to bind on all system IPs (including the loopback address).
DNS Redirector can listen on certain IPs when specified to avoid conflicts. See FAQ 4.

SimpleDNS=simpledns.txt
  File containing DNS A records that you want to resolve locally.
The contents of the file need to be in the following format:
IP address[tab]Fully qualified domain name
As shown in this example:
192.168.0.1[tab]router.example.com
192.168.0.2[tab]blocked.example.com
192.168.0.3[tab]welcome.example.com
  Or as a catch-all:
192.168.0.8[tab]*
  When using an asterisk all domain names will resolve to a single IP, regardless of being real or not. This method does not require a real DNS server to be specified under DNSServerIP= but will render all RedirectIP=, BlockedIP=, and RestrictIP= functions disabled. This method is for specific scenarios where a real DNS server is not available (no Internet connection) and/or you need to make only a few internal sites available. Use the same steps as if you were setting up a RedirectIP= site at this IP, see the Hosted Pages section.

GetClientName=False
  Sets whether the client computer name will be displayed in the GUI.
Valid options are:
False - this is fastest and recommended for HotSpot/public network environments
True - this is useful in Internet filtering environments with Active Directory-integrated DNS

DNSServerIP=4.2.2.1, 4.2.2.2
  Specify the IP of a real DNS server.
This is the DNS server that all normal queries are forwarded onto. On a corporate network you will usually declare the IP of your internal DNS or Active Directory integrated DNS server, otherwise declare the DNS server provided by your upstream Internet provider. This setting is not required when using SimpleDNS= with a catch-all asterisk record. Leave blank to use the DNS server(s) provided by the local DHCP server.

RedirectIP=192.168.0.3, 192.168.8.3
  Initially redirect clients to this IP, where your welcome page is hosted.
When specified, the first time a client tries to browse the Internet they will be shown the website hosted at this IP address instead. When specifying RedirectIP= then AuthKeywordsFile= is also required. If initial redirection is not going to be used leave both settings blank. This must be an IP address, not a URL. For more information on setting up a page at an IP address, see the Hosted Pages section. For information on redirecting to an existing website or URL see FAQ 30.

AuthKeywordsFile=authorized.txt
  File containing keywords of domain names that authorize the client to surf past the welcome page.
The contents of the file need to include one or several complex/unique domain names to be treated as the "key" that allows users to browse past the RedirectIP= page. These do not have to be actual domain names registered on the Internet, you can make them up. Use SimpleDNS= if you want a made up domain name to resolve to an IP. When a client does a DNS lookup for a matching domain name the client will be marked as Authorized.
  The system should work like this...  (adapt it to your needs; payment page, password, registration, etc.)
A) user joins the network, B) user gets DHCP lease including DNS Redirector as the DNS server, C) user starts browser and sees your terms and conditions page, D) user clicks a link to accept the agreement, E) user gets forwarded to another page that says "Welcome to the Internet" and includes a clear image referenced at http://surfon.dnsredirctrl.com/clear.gif, F) the browser does a DNS lookup for surfon.dnsredirctrl.com, G) DNS Redirector finds that surfon.dnsredirctrl.com matches the domain name specified in the AuthKeywordsFile, H) user can now browse the Internet freely.

AlwaysKeywordsFile=always.txt
  File containing keywords of domain names that clients are always allowed to visit, even if they have not been authorized.
In a paid HotSpot scenario you would want to add the domain name(s) of your payment processor to the file so that users can visit the site in order to pay for access and then become authorized. Leave this setting blank if you are not going to use it.

AuthClientsFile=authclients.txt
  File containing IPs of local network clients that are always allowed to surf, even if they have not been authorized.
Useful for static-IP machines on the same LAN as the hotspot that shouldn't have to pay or be authorized to surf; such as the IT manager, back office, or receptionist's computer. Leave this setting blank if you are not going to use it.

BlockedIP=192.168.0.2, 192.168.8.2
  Domain names matched in the BlockedKeywordsFile= below will resolve to this IP, where your blocked page is hosted.
If content filtering is not going to be used leave this setting blank. This must be an IP address, not a URL. When specifying BlockedIP= then BlockedKeywordsFile= is also required. For more information on setting up a page at an IP address, see the Hosted Pages section.

BlockResponse=Lookup
  Sets how domain names matched in the BlockedKeywordsFile= are answered.
Valid options are:
Lookup - resolves to the BlockedIP only if the domain name is real (does a lookup at the DNSServerIP= first)
Fast - resolves to the BlockedIP even if the domain name does not exist

BlockedKeywordsFile=blocked.txt
  File containing keywords of domain names that clients cannot visit.
To automate the updating of keywords see FAQ 52. To block everything see FAQ 5. If blocking is not going to be used leave this setting blank. When specifying BlockedKeywordsFile= you must also specify BlockedIP= and host a website at that IP or web surfing will be slow.

AllowedKeywordsFile=allowed.txt
  File containing keywords of domain names that clients are allowed to visit.
Sometimes good blocking keywords can prevent clients from reaching legitimate content, this list corrects that. See FAQ 112. If blocking is not going to be used leave this setting blank.

BypassBlockFile=bypassblock.txt
  File containing keywords of domain names that toggle the client's ability to view blocked content.
The contents of the file need to include one or several complex/unique domain names to be treated as the "key" that allows users to browse past the BlockedIP= page. These do not have to be actual domain names registered on the Internet, you can make them up. Use SimpleDNS= if you want a made up domain name to resolve to an IP. After a client does a DNS lookup for a matching domain name, that client bypasses the blocked list. Note that after toggling blocking you will need to close and reopen any browser windows; this is necessary to clear the browser's DNS cache for websites visited prior, otherwise those sites may still be blocked. If the same client does a lookup for a matching domain name again, blocking is turned back on. Restarting DNS Redirector will clear all clients that previously toggled blocking off. Note that a client who visits a bypass domain name before the authorized domain name will be able to browse freely, but will not set Authorized=True in the GUI. If blocking is not going to be used leave this setting blank.

RestrictIP=192.168.0.4, 192.168.8.4
  When the server time is between the values for RestrictStart= and RestrictEnd= all DNS queries will instead resolve to this IP, where your time restriction page is hosted.
If restriction is not going to be used leave this setting blank. This must be an IP address, not a URL. For more information on setting up a hosted page at an IP address, see the Hosted Pages section. The intention is you would host a page saying "Internet restriction in effect during this time" or something that indicates Internet access is not available. Note that a client who was already online up to this timeframe may still be able to browse a few of the previously viewed/cached websites until their browser is closed.

RestrictStart=6:00:00 PM
RestrictEnd=11:59:00 PM
  Time format is hr:min:sec followed by AM or PM; both values must fall within the same day.

BypassRestrictFile=bypassrestrict.txt
  File containing keywords of domain names that toggle the client so they can surf even if within the restricted timeframe.
Similar to the BypassBlockFile= setting, every time a client does a lookup for a domain name that is matched in this file the bypassing is toggled on or off.
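Putting the HotSpot, blocked and time-restriction settings above together, here is an added Python model (not DNS Redirector's own code) of how one client's queries are answered. The order in which the lists are consulted, case-insensitive substring keyword matching, and BlockResponse=Fast are assumptions; the keyword lists, client IPs and hosted-page IPs are constructed samples.

```python
from dataclasses import dataclass
from datetime import time

# Constructed sample lists standing in for the keyword files named in the INI.
AUTH_KEYWORDS = {"surfon.dnsredirctrl.com"}                 # AuthKeywordsFile=
ALWAYS_KEYWORDS = {"pay.processor.example"}                  # AlwaysKeywordsFile=
BLOCKED_KEYWORDS = {"casino", "poker"}                       # BlockedKeywordsFile=
ALLOWED_KEYWORDS = {"pokerhistory.example.org"}              # AllowedKeywordsFile=
BYPASS_BLOCK_KEYWORDS = {"unblock.dnsredirctrl.com"}        # BypassBlockFile=
BYPASS_RESTRICT_KEYWORDS = {"latenight.dnsredirctrl.com"}   # BypassRestrictFile=
AUTH_CLIENTS = {"192.168.0.50"}                              # AuthClientsFile=
REDIRECT_IP, BLOCKED_IP, RESTRICT_IP = "192.168.0.3", "192.168.0.2", "192.168.0.4"
RESTRICT_START, RESTRICT_END = time(18, 0, 0), time(23, 59, 0)  # 6:00:00 PM .. 11:59:00 PM
FORWARD = "forward"   # answer comes from DNSServerIP= (or a SimpleDNS= record)

@dataclass
class ClientState:
    authorized: bool = False
    bypass_block: bool = False
    bypass_restrict: bool = False

def matches(qname, keywords):
    # Keyword lists are treated as case-insensitive substring matches (assumption).
    q = qname.lower().rstrip(".")
    return any(k.lower() in q for k in keywords)

def resolve(client_ip, qname, now, state):
    """Decide how one query is answered: FORWARD or the IP of a hosted page."""
    # 1. Marker/toggle lookups are honoured before anything else (assumed order).
    if matches(qname, AUTH_KEYWORDS):
        state.authorized = True
        return FORWARD
    if matches(qname, BYPASS_BLOCK_KEYWORDS):
        state.bypass_block = not state.bypass_block      # toggles on every lookup
        return FORWARD
    if matches(qname, BYPASS_RESTRICT_KEYWORDS):
        state.bypass_restrict = not state.bypass_restrict
        return FORWARD
    # 2. During the restriction window every other query goes to RestrictIP=.
    if RESTRICT_START <= now <= RESTRICT_END and not state.bypass_restrict:
        return RESTRICT_IP
    # 3. Content filter; the allowed list corrects over-broad blocked keywords
    #    (BlockResponse=Fast assumed, so no real lookup is made first).
    if (matches(qname, BLOCKED_KEYWORDS) and not matches(qname, ALLOWED_KEYWORDS)
            and not state.bypass_block):
        return BLOCKED_IP
    # 4. Always-allowed names and AuthClientsFile= hosts never see the welcome page.
    if matches(qname, ALWAYS_KEYWORDS) or client_ip in AUTH_CLIENTS:
        return FORWARD
    # 5. Initial redirection. A bypass toggle also lets the client through without
    #    setting authorized, matching the note under BypassBlockFile=.
    if not (state.authorized or state.bypass_block):
        return REDIRECT_IP
    return FORWARD
```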

ActionNumber=0
  Perform the JoinAction specified below; 1 means every time, 2 means for every 2nd client who joins, 3 for every 3rd client who joins, etc. If actions are not going to be used leave this set to 0.

JoinType=Detect
  Valid options are:
Detect - executes JoinAction for any client
Auth - executes JoinAction when a client becomes authorized

JoinAction=
  File you want to launch or execute when a client joins the network. This could be a .exe, .wav, .bat or other script. If a join action is not desired then leave this blank. For use with a third-party script or application, the client's IP is passed as a variable after the command.

LeaveAction=
  File you want to launch or execute when a client leaves the network. This could be a .exe, .wav, .bat or other script. If a leave action is not desired then leave this blank. For use with a third-party script or application, the client's IP is passed as a variable after the command.

ClientTimeout=20
  Interval in minutes, measured from the last DNS query received, after which an active client is considered to have left the network. This removes the client from the list, de-authorizes it, and executes the LeaveAction if set.

MinToTray=False
  Set this True so when the GUI is minimized it will go to the system tray area instead.

CloseToTray=False
  Set this True so when X is pressed (as if to normally close the GUI) it will stay running and go to the system tray area instead. When set True the GUI is also not displayed on startup but rather loads directly to the system tray.
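An added example, not part of DNS Redirector, that parses dnsredir.ini and simpledns.txt and checks the requirements stated in the descriptions above: IP-only values, RedirectIP= needing AuthKeywordsFile=, BlockedIP= and BlockedKeywordsFile= set together, the catch-all asterisk disabling the hosted-page IPs, and a same-day restriction window. The sample file contents are constructed and deliberately inconsistent; treating ';' lines as comments is an assumption about the INI dialect.

```python
import ipaddress
from datetime import datetime
# Constructed dnsredir.ini and simpledns.txt contents (deliberately inconsistent).
SAMPLE_INI = """\
SimpleDNS=simpledns.txt
RedirectIP=192.168.0.3
AuthKeywordsFile=
BlockedIP=http://192.168.0.2
BlockedKeywordsFile=blocked.txt
"""
SAMPLE_SIMPLEDNS = "192.168.0.1\trouter.example.com\n192.168.0.8\t*\n"

def parse_ini(text):
    # Flat Key=Value lines; ';' comment lines are skipped (assumption about the dialect).
    cfg = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith(";"):
            key, val = line.split("=", 1)
            cfg[key.strip()] = val.strip()
    return cfg

def parse_simpledns(text):
    """Parse 'IP<tab>FQDN' lines into (records, catch_all_ip); '*' is the catch-all."""
    records, catch_all = {}, None
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if "\t" not in line:
            raise ValueError(f"simpledns.txt line {n}: IP and name must be tab separated")
        ip, name = (f.strip() for f in line.split("\t", 1))
        ip = str(ipaddress.ip_address(ip))         # rejects anything that is not an IP
        if name == "*":
            catch_all = ip
        else:
            records[name.lower()] = ip
    return records, catch_all

def check(cfg, simpledns_text=""):
    """Return the requirements from the INI descriptions that cfg violates."""
    problems = []
    for key in ("ListenOnIP", "DNSServerIP", "RedirectIP", "BlockedIP", "RestrictIP"):
        for part in filter(None, (p.strip() for p in cfg.get(key, "").split(","))):
            try:                                   # "must be an IP address, not a URL"
                ipaddress.ip_address(part)
            except ValueError:
                problems.append(f"{key}= contains '{part}', which is not an IP address")
    if cfg.get("RedirectIP") and not cfg.get("AuthKeywordsFile"):
        problems.append("RedirectIP= requires AuthKeywordsFile=")
    if bool(cfg.get("BlockedIP")) != bool(cfg.get("BlockedKeywordsFile")):
        problems.append("BlockedIP= and BlockedKeywordsFile= must be set together")
    if cfg.get("SimpleDNS") and parse_simpledns(simpledns_text)[1]:
        for key in ("RedirectIP", "BlockedIP", "RestrictIP"):
            if cfg.get(key):
                problems.append(f"{key}= is disabled by the SimpleDNS catch-all record")
    if cfg.get("RestrictIP"):                      # hr:min:sec AM/PM, same day
        start, end = (datetime.strptime(cfg.get(k, ""), "%I:%M:%S %p")
                      for k in ("RestrictStart", "RestrictEnd"))
        if start >= end:
            problems.append("RestrictStart= must be earlier than RestrictEnd=")
    return problems
```

Running check(parse_ini(SAMPLE_INI), SAMPLE_SIMPLEDNS) reports four problems for the constructed sample: the URL in BlockedIP=, the missing AuthKeywordsFile=, and the catch-all record disabling both RedirectIP= and BlockedIP=.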

Hosted Pages:

Using IIS on the same server as DNS Redirector to host the welcome/blocked/time restriction pages is suggested. Optionally, you can declare the IP of another web server that is internal or external to the DNS Redirector network.  (IIS on a non-server OS has restrictions, such configuration is not supported or recommended)

When installing IIS also install ASP and SSI components (see screenshot for IIS6 or IIS7)

Depending on the features enabled in DNS Redirector you may need multiple sites in IIS, each site requiring its own IP address. Add multiple IP addresses to the same NIC under the Advanced button in TCP/IP properties.

If RedirectIP=192.168.0.3 complete the following steps...
create a folder for the site root, such as C:\Inetpub\welcome
   in IIS Manager create a site:  (see details for IIS6 or IIS7)
running at 192.168.0.3 | port 80 | no Host header | path set as the folder created above
   for IIS6: leave checked "Allow anonymous access to this Web site" | leave checked "Read" | check "Run scripts (such as ASP)"
extract a sample welcome page to the folder created above
set the Default Document as: welcome.asp  (must be listed first, it is suggested to remove all other default documents)
   set the following custom errors:  (see details for IIS6 or IIS7)
HTTP Error: 403;1 | Message Type: URL | URL: /welcome.asp
HTTP Error: 404    | Message Type: URL | URL: /welcome.asp
HTTP Error: 414    | Message Type: URL | URL: /welcome.asp

If BlockedIP=192.168.0.2 complete the following steps...
create a folder for the site root, such as C:\Inetpub\blocked
   in IIS Manager create a site:  (see details for IIS6 or IIS7)
running at 192.168.0.2 | port 80 | no Host header | path set as the folder created above
   for IIS6: leave checked "Allow anonymous access to this Web site" | leave checked "Read" | check "Run scripts (such as ASP)"
extract a sample blocked page to the folder created above
set the Default Document as: blocked.asp  (must be listed first, it is suggested to remove all other default documents)
   set the following custom errors:  (see details for IIS6 or IIS7)
HTTP Error: 403;1 | Message Type: URL | URL: /blocked.asp
HTTP Error: 404    | Message Type: URL | URL: /blocked.asp
HTTP Error: 414    | Message Type: URL | URL: /blocked.asp
open regedit and navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
     edit or create DWORD "UrlSegmentMaxLength" and set to "450" so certain blocked content is replaced correctly (see kb820129)
     optionally, download: REG-UrlSegmentMaxLength.zip then open the .reg file to make this change

If RestrictIP=192.168.0.4 complete the following steps...
create a folder for the site root, such as C:\Inetpub\timerst
   in IIS Manager create a site:  (see details for IIS6 or IIS7)
running at 192.168.0.4 | port 80 | no Host header | path set as the folder created above
   for IIS6: leave checked "Allow anonymous access to this Web site" | leave checked "Read" | check "Run scripts (such as ASP)"
extract a sample blocked page to the folder created above
set the Default Document as: blocked.asp  (must be listed first, it is suggested to remove all other default documents)
   set the following custom errors:  (see details for IIS6 or IIS7)
HTTP Error: 403;1 | Message Type: URL | URL: /blocked.asp
HTTP Error: 404    | Message Type: URL | URL: /blocked.asp
HTTP Error: 414    | Message Type: URL | URL: /blocked.asp

for every site created above...

add the HTTP Header: "Cache-Control: no-store, no-cache, post-check=0, pre-check=0"  (see screenshot for IIS6 or IIS7)
     optionally, it is safe to remove: "X-Powered-By: ASP.NET"  (this is for display/identification purposes only, and not related to the function of ASP)
     the META tags which prevent caching (as seen in the sample pages) are required in addition to this HTTP header  (see rfc2616-sec14.9 and msdn)

on IIS6 when ASP.NET is installed ensure the version is set to 2.x or later (see screenshot)

on IIS7 under Error Pages Settings pick: "Custom error pages" (see screenshot)

check NTFS permissions on the root folder  (see kb812614, screenshot for IIS6 or IIS7)

ensure the site is running  (visit the site by typing http://[IP_Address] into a browser)
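Added example (not from the product) that checks a hosted page the way the last steps above describe: the Cache-Control header, the anti-caching META tags, the optional X-Powered-By removal, and that a nonexistent path is served the portal page by the custom error mapping. The sample responses are constructed; audit() performs a live probe against http://<IP>/ and is assumed to run from a machine that can reach the site.

```python
import re
import urllib.request
from urllib.error import HTTPError

# Requirements taken from the Hosted Pages steps above.
REQUIRED_CC = {"no-store", "no-cache"}
META_NOCACHE = re.compile(r'<meta\s[^>]*http-equiv\s*=\s*["\']?(cache-control|pragma|expires)', re.I)

def check_headers(headers, body):
    """Check one response (headers dict + HTML body) against the caching requirements."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    directives = {d.strip().lower() for d in h.get("cache-control", "").split(",")}
    if not REQUIRED_CC <= directives:
        problems.append("Cache-Control header lacks no-store and/or no-cache")
    if not META_NOCACHE.search(body):
        problems.append("anti-caching META tags missing from the page body")
    if "x-powered-by" in h:
        problems.append("X-Powered-By header still sent (safe to remove)")
    return problems

def audit_responses(root, missing):
    """root/missing are (status, headers, body) for GET / and GET /<nonexistent path>."""
    problems = check_headers(root[1], root[2])
    if root[0] != 200:
        problems.append(f"GET / returned {root[0]}, site may not be running")
    if missing[2].strip() != root[2].strip():
        problems.append("404 is not mapped to the portal page (custom errors step)")
    return problems

def fetch(url):
    """Live helper (network; not exercised by the test): returns (status, headers, body)."""
    req = urllib.request.Request(url, headers={"Cache-Control": "no-cache"})
    try:
        with urllib.request.urlopen(req, timeout=5) as r:
            return r.status, dict(r.headers), r.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, dict(e.headers), e.read().decode("utf-8", "replace")

def audit(ip):
    """Probe a hosted page at http://<ip>/ as the final step above suggests."""
    base = f"http://{ip}"
    return audit_responses(fetch(base + "/"), fetch(base + "/no-such-page-" + "x" * 16))

# Constructed responses standing in for a correctly and an incorrectly configured site.
GOOD_BODY = ('<html><head><meta http-equiv="Cache-Control" content="no-cache">'
             '<meta http-equiv="Pragma" content="no-cache"></head><body>Welcome</body></html>')
GOOD = (200, {"Cache-Control": "no-store, no-cache, post-check=0, pre-check=0",
              "Content-Type": "text/html"}, GOOD_BODY)
BAD = (200, {"Cache-Control": "private", "X-Powered-By": "ASP.NET"},
       "<html><body>Welcome</body></html>")
IIS_DEFAULT_404 = (404, {"Content-Type": "text/html"},
                   "<html><body>The resource cannot be found.</body></html>")
```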

License:

Each license purchase is for use in one working location (one server). For IT consultants or other systems integrators, the correct way to license the software is to have the end-customer purchase it directly in their name. You may not resell or bundle the software without prior written approval.

Since DNS is critical to the operation of any network, and we don't want to aggravate system administrators, there are no activation or renewal techniques built into the full version. The software does not 'phone home' at any time, with the exception of voluntarily using the updater, whose only function is keyword list retrieval.

For the complete software license agreement visit: dnsredirector.com/license

DNS Redirector | Copyright © 2003-2010