BCSSupport
asked on
How to enable Google SafeSearch VIP on MS DNS
Id like to use the new Google SafeSearch VIP to force safe search on for my users. It sounds easy; "Set the DNS entry for www.google.com to be a CNAME for forcesafesearch.google.com
Above came from https://support.google.com/websearch/answer/186669?hl=en Option 3
Ok great, how do I do that? I use MS DNS internally and do not have a forward lookup zone for google.com. Do I need to make one? Primary or stub? I tried a primary forward lookup zone google.com and added the CNAME so the end result looked like the graphic here: https://support.opendns.com/entries/57304954-Enforcing-Google-SafeSearch but then nothing worked, I think because google.com would not resolve at all so clearly I need help with MS DNS and the instruction above.
Above came from https://support.google.com/websearch/answer/186669?hl=en Option 3
Ok great, how do I do that? I use MS DNS internally and do not have a forward lookup zone for google.com. Do I need to make one? Primary or stub? I tried a primary forward lookup zone google.com and added the CNAME so the end result looked like the graphic here: https://support.opendns.com/entries/57304954-Enforcing-Google-SafeSearch but then nothing worked, I think because google.com would not resolve at all so clearly I need help with MS DNS and the instruction above.
ASKER
I created a primary zone google.com, by default it had two entries, SOA and NS I think, I created CNAME for only www.google.com <-> forcesafesearch.google.com
When I delete my forward zone and flush my DNS, I can resolve any Google host.
When I delete my forward zone and flush my DNS, I can resolve any Google host.
There are a number of pitfalls here.
As you've discovered, if you create forward lookup zone for google.com, the DNS server thinks it knows about every record in the google.com domain. So unless you have an entry in the zone for forcesafesearch, support, images, etc. (i.e. anything.google.com) it won't know about it and it won't resolve.
Apparently Google's instructions work for Server 2003 and 2008. But not for 2008 R2 or 2012 (not sure about 2012 R2). 2008 R2 more closely follows RFC specs and so doesn't allow you to create a CNAME record at the root of zone.
If you're using Server 2008 R2, about the best solution I can think of would be to create a zone for www.google.com and create an A record in it with a blank name that points at 216.239.38.120. The downfall is it won't work if the IP ever changes. Another solution that might work would be to create the "www.google.com" zone with an A record that has a blank name and points at an internal IP of a webserver, and on that webserver have it do a redirect or URL rewrite to forcesafesearch.google.com
As you've discovered, if you create forward lookup zone for google.com, the DNS server thinks it knows about every record in the google.com domain. So unless you have an entry in the zone for forcesafesearch, support, images, etc. (i.e. anything.google.com) it won't know about it and it won't resolve.
Apparently Google's instructions work for Server 2003 and 2008. But not for 2008 R2 or 2012 (not sure about 2012 R2). 2008 R2 more closely follows RFC specs and so doesn't allow you to create a CNAME record at the root of zone.
If you're using Server 2008 R2, about the best solution I can think of would be to create a zone for www.google.com and create an A record in it with a blank name that points at 216.239.38.120. The downfall is it won't work if the IP ever changes. Another solution that might work would be to create the "www.google.com" zone with an A record that has a blank name and points at an internal IP of a webserver, and on that webserver have it do a redirect or URL rewrite to forcesafesearch.google.com
ASKER
I don't have this resolved yet but I suspect that the problem is that we block port 53 because we use OpenDNS and don't want users specifying their own DNS server. I'll do some testing soon and report back.
Blocking port 53 for clients shouldn't be a problem if they're using your DNS server, and your DNS server then forwards to OpenDNS.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I'll try this, thanks!
ASKER
It took me a while to figure out just how to create the DNAME as I had never done that before but it works. I used the following settings:
Alias name: <null> I left this blank
FQDN: www.google.com
FQDN for target domain: forcesafesearch.google.com
Through my firewall and GPOs, most users would be unable to specify their own DNS and even if they did, the firewall only allows our authorized internal DNS to pass DNS traffic. Well there's always a way but for 99% of users, there's not an easy way.
Alias name: <null> I left this blank
FQDN: www.google.com
FQDN for target domain: forcesafesearch.google.com
Through my firewall and GPOs, most users would be unable to specify their own DNS and even if they did, the firewall only allows our authorized internal DNS to pass DNS traffic. Well there's always a way but for 99% of users, there's not an easy way.
Does one work and not the other?