Edward Crist asked:
DNS off site

Is it possible to force DNS settings on laptops once they leave our network?

Dell and Lenovo laptops running Windows 7 Enterprise.

We may be using a cloud based internet filter and if we can force the laptops to always forward DNS requests to a specific site, no matter what wifi connection, that would be perfect.

Thoughts?
tolinrome

You can look into having a GPO that would set the DNS settings only, and they would pick up the dynamic IP from wherever they are connected.
http://www.techrepublic.com/blog/datacenter/manage-dns-suffix-configuration-through-group-policy/2665
DrDave242
If you always want the laptops to use the same DNS servers regardless of where they are, you can simply set static DNS server entries in the properties of the laptops' NICs, as shown in the attachment.

Let me know if that's not what you meant.
staticDNS.jpg
Edward Crist (ASKER)

So I'm thinking this...

The cloud service I'm looking into for filtering has me setting a forwarder on my internal DNS so that all internet traffic goes to the filter company's servers. That works great!

But I need our student laptops to also go to that site when they are NOT on my network.

I can force the DNS settings on the laptops using a netsh script or a GPO, but when the laptop comes back to school, they need to hit my internal DNS as well.

Hope I explained that clearly.
OK, I see what you're saying now. Is there a reason why the clients need to use that particular DNS server when they're outside your network? Will they be querying names that can't be resolved by the public DNS hierarchy?
The clients need to hit my internal DNS while here at school (shares, printers, other AD items), but outside they don't need to hit my internal DNS. They DO need to hit the filter's DNS server while outside of my network.
Right - I understand why they need to hit the internal DNS servers while on the school network; I was just wondering why it's necessary for them to hit the filter's DNS server while outside, as opposed to any other public DNS server. One of the core tenets of the public DNS system is that any public hostname should be resolvable by any public server, through forwarders, referrals, delegations, etc. If they need to be on the public network but able to resolve hostnames that aren't resolvable by public DNS servers, that's going to be problematic.
Because the laptops are school property, we must provide filtering on them even off of the school network. So it's the filtering that is necessary offsite... not browsing any school domain items.
OK, that makes more sense. I'm just trying to figure out how DNS fits into this. I'm afraid I don't know of any way to restrict a machine to using a particular set of DNS servers regardless of what network it's connected to, since the DNS servers are typically going to be assigned by DHCP (aside from assigning static DNS servers as mentioned earlier, but that won't work for your situation). Does the provider of the filter have any guidance on how to go about this?
I'm thinking this... if I set up a read-only DNS server and have all of my student laptops forced to use it even off site, that way my DNS keeps forwarding their internet traffic to my cloud filter. Thoughts?
OpenDNS (it's Public) has filters and restrictions, used to be free, I'm not sure what it charges now.
How about the school getting an application that filters traffic? Since it's a school I'm sure they'll either get it for free or at a large discount.
That's what I have now, an appliance, but the cloud option I'm looking into is integrated with our new Google Apps for Education domain.
Besides having a software application that filters traffic on each laptop, I can't think of anything else, because once they connect outside the domain they'll be able to use those external DNS servers, not the school's.
But I can force the DNS settings on the laptops so regardless of the IP address they get from WiFi, they will have to use my DNS... yes?
How can they if they are external and your DNS servers are internal? For example: Say I'm typing this right now from one of your school's laptops and I'm in an internet cafe, how is it going to know about your internal DNS servers at the school? It's not. It will have the IP from the wireless router at the cafe and use their ISP server's DNS server for name resolution.
So I can force the DNS settings to the laptop wireless card to NOT take them from any WiFi...and the student account used to login is from my AD, so my RODC should accept the connection...I'm going to test this out...you may be right though.
It still ain't gonna have the results you want. Even if you restrict the DNS settings on the wireless card somehow, how will they use the wireless card then for internet connectivity? What if they decide to plug in an RJ-45 cable?

What you should do, in my opinion, is look into other ways of monitoring or restricting. Why not have all users force-connect to the VPN upon login? That way they get the company policy GPO that has your internal DNS settings, and their internet traffic goes through your office.

Or, look into software such as Barracuda's web filtering to go through their DNS servers, or something similar.
http://techlib.barracuda.com/display/BWFv60/Barracuda+Web+Security+Agent+-+How+it++Works
I'm thinking that since my internal DNS uses a forwarder to send all internet traffic to the cloud filtering site, even if connected at McDonald's, if they are forced to route internet traffic through my internal DNS, they still should be able to browse. I'm also looking into the VPN option as well.
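The sticking point in the thread is that the laptops need the internal AD DNS at school but cannot reach it from a hotspot, while a fixed static entry breaks one of the two cases. As an added example that is not from the thread or any vendor, this PowerShell 2.0 (Windows 7) script chooses the Wi-Fi adapter's DNS servers at run time: the internal servers when one of them answers on TCP 53, otherwise the filter's public resolvers. The server addresses, the adapter name and the assumption that the filter publishes public resolvers are placeholders.

```powershell
# Added example (not from the thread): pick the DNS servers for the Wi-Fi NIC
# based on whether the school's internal DNS is reachable. All addresses and the
# adapter name are placeholders; replace them with your own values.
$InternalDns = @('10.0.0.10', '10.0.0.11')        # AD DNS servers (placeholder)
$FilterDns   = @('203.0.113.53', '203.0.113.54')   # filter's public resolvers (placeholder)
$AdapterName = 'Wireless Network Connection'       # default Windows 7 name of the Wi-Fi NIC

# TCP connect to port 53 with a timeout. AD DNS servers listen on TCP 53, and this
# avoids relying on ICMP, which hotspots often block.
function Test-DnsTcp {
    param([string]$Server, [int]$TimeoutMs = 1500)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, 53, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Locate the WMI configuration object for the named adapter (works on PowerShell 2.0).
$adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$AdapterName'"
if (-not $adapter) { throw "Adapter '$AdapterName' not found" }
$cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.Index)"

$onSchoolNetwork = $false
foreach ($srv in $InternalDns) {
    if (Test-DnsTcp -Server $srv) { $onSchoolNetwork = $true; break }
}

if ($onSchoolNetwork) {
    # At school: use the internal AD DNS so shares, printers and the domain resolve;
    # the internal servers already forward Internet names to the filter.
    $result = $cfg.SetDNSServerSearchOrder($InternalDns)
    $mode = 'internal DNS (on school network)'
} else {
    # Off site: the internal servers are unreachable, so point straight at the
    # filter's public resolvers instead of whatever the hotspot's DHCP handed out.
    $result = $cfg.SetDNSServerSearchOrder($FilterDns)
    $mode = 'filter DNS (off site)'
}

# SetDNSServerSearchOrder returns 0 on success (standard WMI return code).
if ($result.ReturnValue -ne 0) { throw "Failed to set DNS ($mode): code $($result.ReturnValue)" }
Write-Output "DNS set to $mode"
```

Run it elevated from a scheduled task triggered at logon and on network changes so the choice is re-evaluated whenever the laptop moves. A student with local admin rights can still undo the setting, so treat this as a configuration aid and keep the VPN or agent-based filtering options from the thread in view for actual enforcement.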
ASKER CERTIFIED SOLUTION
tolinrome
(The accepted solution text is available only to Experts Exchange members.)