Trying to add a CNAME

Google broke the SafeSearch feature for our organization when they directed all traffic to https.  Google has the following fix for this...

"To disable SSL search for your network, configure the DNS entry for www.google.com to be a CNAME for nosslsearch.google.com."

So on our DNS server, I created a zone called google.com and put in a CNAME for www.  Now www.google.com points to nosslsearch.google.com and that part works perfectly!  The bad thing is, all other sub domains of google no longer work (like mail.google.com, maps.google.com, etc.).

I think this happens because we have a forward lookup zone for google.com, but only www.google.com is in this zone.  How can I add a CNAME on a Windows DNS server for www.google.com without affecting any other sub domains of google?

I know how to create forward lookup zones and CNAMEs, but I'm not a DNS experts.  I need help from someone who is an experts.  Please, no links!  Thanks in advance!
LVL 5
bpl5000Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Cliff GaliherCommented:
Remove the google.com zone you created. Then create a zone for www.google.com and create a CNAME record in that zone, leaving the primary field blank. That record will now reference the root of the zone so it works the same as what you already have.

Other lookups, like mail or maps will now NOT match the zone you created so a recurisive lookup will work as expected.
Manjunath SulladTechnical ConsultantCommented:
Try creating DNS forwarder for Google.com

Refer below MS links for configuring the DNS forwarder

http://technet.microsoft.com/en-us/library/cc782142(v=ws.10).aspx 

http://technet.microsoft.com/en-us/library/cc754941.aspx
bpl5000Author Commented:
cgaliher, thanks for your reply.  I did try doing that, but I get the following error.  If I put anything in the alias name, then it will let me create it, but of course I need to keep it blank.  Any ideas why I can't do this?
Error adding CNAME
Announcing the Winners!

The results are in for the 15th Annual Expert Awards! Congratulations to the winners, and thank you to everyone who participated in the nominations. We are so grateful for the valuable contributions experts make on a daily basis. Click to read more about this year’s recipients!

Cliff GaliherCommented:
That happens if you have a conflicting record of a different type. A "blank" A record, for exMppe, would conflict.
bpl5000Author Commented:
The only records I have in this zone are the ones shown in the image (the NS and SOA records).
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
It seems that creating a CNAME for the root is not supported:
http://technet.microsoft.com/en-us/library/cc816819(v=ws.10).aspx

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Cyclops3590Sr Software EngineerCommented:
ya, looks like it was broken as of 2008R2.  only thing I can think of is just create an a blank A record instead.  That still works.  Only problem of course is if google changes their IP address for that nosslsearch name.
mikeldCommented:
Unsure if this will help, but almost every school and public library needs a fix for this issue.  That issue being that when the IP address changes the A Record fix will no longer fix the issue.  I believe the following information from Google is new:

https://support.google.com/websearch/answer/186669?hl=en  Below is a paste of that article
Option 3:  
About SafeSearch Virtual IP address (VIP)

SafeSearch VIP will force all users on your network to use SafeSearch on Google Search while still allowing a secure connection via HTTPS. The VIP in SafeSearch VIP refers to a Virtual IP which is an IP address that can be routed internally to multiple Google servers.

When SafeSearch VIP is turned on, teachers and students at your school will see a notification the first time they go to Google; this will let them know that SafeSearch is on.

SafeSearch VIP can be used as part of a comprehensive internet safety policy by schools; this is part of keeping students secure while limiting their access to adult content at school.

Using SafeSearch VIP will not affect other Google services outside of Google Search.
Turn on SafeSearch VIP
To force SafeSearch for your network, you’ll need to update your DNS configuration. Set the DNS entry for www.google.com (and any other Google ccTLD country subdomains your users may use) to be a CNAME for forcesafesearch.google.com.

We will serve SafeSearch Search and Image Search results for requests that we receive on this VIP.

The issue is that in Windows Server 2008R2 you cannot just do as Google Describes above.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
DNS

From novice to tech pro — start learning today.