How to configure DNS server to redirect all web traffic to one external website?

I'd like to use the DNS service on my OS X Server as a way to force all web traffic to one specific, external website. Not quite sure how to go about configuring it, though - any recommendations?


(BTW, this is, obviously, not our primary DNS server; I intend to silently update the preferred DNS server for users who fail to complete their timesheets in order to force the issue)

Posted on Apr 18, 2014 7:41 AM


Apr 18, 2014 10:39 AM in response to Christopher Scott

It may be easier to update the client to use a proxy server that performs URL blocking rather than changing DNS.


The issue is not so much client-side, but server-side. Proxies (such as squid, varnish, or even Apache's proxy) have the ability to provide any kind of redirect/filtering/routing you like.


While, theoretically, you could do the same thing with DNS, you would need to configure a DNS server as authoritative for all domains. You will also have problems with DNS caches - clients cache DNS records, so you'll only be able to affect domain lookups that the user hasn't been to recently (which might be a show-stopper right there, since it won't prevent them from continuing to use sites they're already connected to).


So I'd suggest taking a look at squid or Apache's proxy (varnish is in some ways better, but harder to manage, IMHO).


http://www.squid-cache.org/

http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

Apr 18, 2014 12:16 PM in response to Christopher Scott

Web clients don't generate uniquely-identifiable DNS queries; there's no SRV request or related traffic that you could select on and spoof. So if you do implement this, everything querying the spoofing DNS server will get the spoofed host, or you'll have to spot specific queries that are likely web queries; Facebook, Google, Bing, etc.


If you still want to implement this, then I'd probably replace the DNS server with a runt DNS server (maybe hack dnsmasq or maraDNS, or create yourself a trivial DNS server) and have that always return the specified IP address. This avoids having to hack BIND to be universally authoritative, which is probably on par with hacking a simpler DNS server to always return a fixed IP address, and the latter is probably easier to undo.


A firewall can spot TCP port 80 and port 443 traffic, unlike a DNS server. Firewalling outbound port 80 traffic is more typical of these requests, and you then either trap that traffic to a specific web page, based on the capabilities of the firewall, or use the web proxy approach that Camelot suggests. There are folks that tie access into the web proxies into external authentication and related; that'd be able to do what you want. Web proxies are usually combined with firewall blocks, as most sites want only the web proxy to have external access, too. But this is also rather more pieces than a DNS redirect.
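The proxy approach both replies steer toward, written out as an added example (not configuration from either poster): a Squid access-control fragment that lets the affected clients reach only one assumed timesheet host and answers every other request with an HTTP 302 to it. The listen address, client subnet and hostname are placeholders.

```conf
# Squid listens on the internal interface only (constructed address)
http_port 10.0.0.5:3128

# Clients this policy applies to (constructed subnet)
acl policy_clients src 10.0.0.0/24

# The one site that stays reachable (assumed hostname)
acl timesheet_site dstdomain timesheets.example.com

# Let the policy clients reach the timesheet site...
http_access allow policy_clients timesheet_site

# ...and turn every other request from them into a 302 to it.
# deny_info is keyed on the last ACL of the matching deny line (policy_clients).
deny_info 302:http://timesheets.example.com/ policy_clients
http_access deny policy_clients

# Nothing else is proxied.
http_access deny all
```

HTTPS requests reach the proxy as CONNECT tunnels, so for those the browser shows Squid's error page rather than following a redirect. The proxy setting also only matters if clients are pointed at it, which is why the second reply pairs the proxy with a firewall block on direct port 80/443 egress.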
