Solved

How to enable Google SafeSearch VIP on MS DNS

Posted on 2014-12-01
3,172 Views
Last Modified: 2015-10-05
I'd like to use the new Google SafeSearch VIP to force safe search on for my users.  It sounds easy: "Set the DNS entry for www.google.com to be a CNAME for forcesafesearch.google.com."

Above came from https://support.google.com/websearch/answer/186669?hl=en Option 3

Ok great, how do I do that?  I use MS DNS internally and do not have a forward lookup zone for google.com.  Do I need to make one?  Primary or stub?  I tried a primary forward lookup zone google.com and added the CNAME so the end result looked like the graphic here: https://support.opendns.com/entries/57304954-Enforcing-Google-SafeSearch but then nothing worked, I think because google.com would not resolve at all so clearly I need help with MS DNS and the instruction above.
0
Question by:BCSSupport
8 Comments
 

Expert Comment

by:Pawel_Kowalski
ID: 40474447
Did you create the CNAME for both google.com and www.google.com ?

Does one work and not the other?
0
 

Author Comment

by:BCSSupport
ID: 40474479
I created a primary zone google.com; by default it had two entries, SOA and NS I think. I created a CNAME for only www.google.com <-> forcesafesearch.google.com and I had the same as the image in the first post at the opendns link I gave above.  After I did this, I couldn't resolve anything google: www, support.google.com, nothing *.google.com would resolve. I'd just get "Ping request could not find host google.com. Please check the name and try again." and the same response for [anything].google.com.

When I delete my forward zone and flush my DNS, I can resolve any Google host.
0
 
LVL 41

Expert Comment

by:footech
ID: 40474579
There are a number of pitfalls here.
As you've discovered, if you create a forward lookup zone for google.com, the DNS server thinks it knows about every record in the google.com domain.  So unless you have an entry in the zone for forcesafesearch, support, images, etc. (i.e. anything.google.com) it won't know about it and it won't resolve.

Apparently Google's instructions work for Server 2003 and 2008, but not for 2008 R2 or 2012 (not sure about 2012 R2).  2008 R2 more closely follows the RFC specs and so doesn't allow you to create a CNAME record at the root of a zone.

If you're using Server 2008 R2, about the best solution I can think of would be to create a zone for www.google.com and create an A record in it with a blank name that points at 216.239.38.120.  The downfall is it won't work if the IP ever changes.  Another solution that might work would be to create the "www.google.com" zone with an A record that has a blank name and points at an internal IP of a webserver, and on that webserver have it do a redirect or URL rewrite to forcesafesearch.google.com.
0
 

Author Comment

by:BCSSupport
ID: 40503635
I don't have this resolved yet but I suspect that the problem is that we block port 53 because we use OpenDNS and don't want users specifying their own DNS server.  I'll do some testing soon and report back.
0
 
LVL 41

Expert Comment

by:footech
ID: 40503676
Blocking port 53 for clients shouldn't be a problem if they're using your DNS server, and your DNS server then forwards to OpenDNS.
0
 
LVL 1

Accepted Solution

by:
derisman earned 2000 total points
ID: 40772996
Hello, it took me a while to figure this one out as well.  Because Windows 2008-2012 DNS won't allow you to use a CNAME record for www.google.com, you need to use a DNAME record.

Create a new zone for www.google.com, NOT google.com.  Then create a DNAME record pointing to forcesafesearch.google.com.

It works as it should and will force users to use SafeSearch.  Of course they can always bypass it using alternate DNS or the Windows hosts file.

Enjoy,

Dave
0
 

Author Comment

by:BCSSupport
ID: 40820770
I'll try this, thanks!
0
 

Author Closing Comment

by:BCSSupport
ID: 41025678
It took me a while to figure out just how to create the DNAME, as I had never done that before, but it works.  I used the following settings:

Alias name: <null> I left this blank
FQDN: www.google.com
FQDN for target domain: forcesafesearch.google.com.

Through my firewall and GPOs, most users would be unable to specify their own DNS, and even if they did, the firewall only allows our authorized internal DNS to pass DNS traffic.  Well, there's always a way, but for 99% of users there's not an easy way.
0
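The accepted solution and the closing comment above describe the same configuration through the DNS Manager GUI. As an added example (not code from the thread or from Microsoft), the script below applies it with the DnsServer PowerShell module (Windows Server 2012 and later) and then checks the two things the thread cares about: that www.google.com now resolves to the SafeSearch VIP addresses, and that the rest of google.com still resolves, which is the pitfall footech described when a google.com zone is created instead. It assumes it runs elevated on the internal Microsoft DNS server that already forwards to the upstream resolver, and that "@" denotes the zone apex. One caveat worth testing rather than assuming: RFC 6672 DNAME redirects names below the owner, not the owner itself, so the final check confirms whether this server rewrites www.google.com as the thread reports.

```powershell
# Added example, not from the original thread. Assumes: elevated PowerShell on the
# internal Windows DNS server, DnsServer module present, forwarders already set.
Import-Module DnsServer

$zone   = 'www.google.com'              # narrow zone for the single host, NOT google.com
$target = 'forcesafesearch.google.com'  # Google's SafeSearch VIP name from the thread
$server = '127.0.0.1'                   # query this server directly, bypassing client cache

# 1. Create the primary zone only if it does not exist yet.
#    (For an AD-integrated zone use -ReplicationScope 'Domain' instead of -ZoneFile.)
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns"
}

# 2. DNAME at the zone apex. This is the GUI's "Alias name: <blank>,
#    FQDN: www.google.com, FQDN for target domain: forcesafesearch.google.com."
if (-not (Get-DnsServerResourceRecord -ZoneName $zone -RRType DName -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordDName -ZoneName $zone -Name '@' -DomainName $target
}

# 3. Check A: www.google.com must now land on the same addresses as the VIP name.
$vipAddrs = (Resolve-DnsName -Name $target -Type A -Server $server |
             Where-Object { $_.Type -eq 'A' }).IPAddress
$wwwAddrs = (Resolve-DnsName -Name 'www.google.com' -Type A -Server $server |
             Where-Object { $_.Type -eq 'A' }).IPAddress
$redirected = @($wwwAddrs | Where-Object { $vipAddrs -contains $_ }).Count -gt 0

# 4. Check B: other google.com hosts must still resolve (they would not if a
#    google.com zone had been created, as the question's first attempt showed).
$other = Resolve-DnsName -Name 'support.google.com' -Type A -Server $server -ErrorAction SilentlyContinue
$restIntact = @($other | Where-Object { $_.Type -eq 'A' }).Count -gt 0

[pscustomobject]@{
    Zone                     = $zone
    WwwRedirectedToSafeSearch = $redirected   # False means the apex DNAME did not rewrite the owner name
    OtherGoogleHostsResolve  = $restIntact   # False means a zone is shadowing google.com
}
```

If the first flag is False, the server followed RFC 6672 strictly and the apex DNAME did not apply to www.google.com itself; footech's fallback of a www.google.com zone with an apex A record is the alternative the thread offers for that case.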
