Blocking Modes

DNS Safety is able to function in three different DNS blocking modes.

NXDOMAIN Mode

By default DNS Safety blocks access to prohibited sites using NXDOMAIN mode. This is the safest and most recommended blocking mode. In this case clients wishing to resolve a prohibited domain name will get the Domain does not exist DNS response message and thus will not be able to establish connections to blocked domains.

The downside of this method is that your users may interpret the DNS error as network related error and will tend to call administrator for help all the time.

Redirect to IP Mode

In this case, clients wishing to resolve a prohibited domain name will get the predefined IP address as DNS response. Both IPv4 (A) and IPv6 (AAAA) addresses are supported.

It is recommended to use the IP addresses of the DNS machine to show the predefined Access to this site is prohibited message. If needed you can also indicate IP addresses of another remote server that you manage.

Dns Safety is able to serve the Access to this site is prohibited message on ports 80 and 443 on the machine it runs. Contents of this message are stored in the /opt/dnssafety/etc/blocked_page.html file and can be easily adjusted to your needs manually.

Custom Blocking Mode

This is a combination of previous methods when some site categories are blocked with NXDOMAIN response and others are redirected to a blocked page. Actions for different categories can be specified in Custom Blocking tab.