Solved

How to enable Google SafeSearch VIP on MS DNS

Posted on 2014-12-01
Last Modified: 2015-10-05
I'd like to use the new Google SafeSearch VIP to force safe search on for my users. It sounds easy: "Set the DNS entry for www.google.com to be a CNAME for forcesafesearch.google.com."

Above came from https://support.google.com/websearch/answer/186669?hl=en Option 3

OK, great, how do I do that? I use MS DNS internally and do not have a forward lookup zone for google.com. Do I need to make one? Primary or stub? I tried a primary forward lookup zone google.com and added the CNAME so the end result looked like the graphic here: https://support.opendns.com/entries/57304954-Enforcing-Google-SafeSearch but then nothing worked, I think because google.com would not resolve at all, so clearly I need help with MS DNS and the instruction above.
Question by:BCSSupport
8 Comments
 

Expert Comment

by:Pawel_Kowalski
ID: 40474447
Did you create the CNAME for both google.com and www.google.com ?

Does one work and not the other?
 

Author Comment

by:BCSSupport
ID: 40474479
I created a primary zone google.com; by default it had two entries, SOA and NS I think. I created a CNAME for only www.google.com <-> forcesafesearch.google.com and I had the same as the image in the first post at the OpenDNS link I gave above. After I did this, I couldn't resolve anything Google: www, support.google.com, nothing *.google.com would resolve. I'd just get "Ping request could not find host google.com. Please check the name and try again." and the same response for [anything].google.com.

When I delete my forward zone and flush my DNS, I can resolve any Google host.

Expert Comment

by:footech
ID: 40474579
There are a number of pitfalls here.
As you've discovered, if you create a forward lookup zone for google.com, the DNS server thinks it knows about every record in the google.com domain. So unless you have an entry in the zone for forcesafesearch, support, images, etc. (i.e. anything.google.com) it won't know about it and it won't resolve.

Apparently Google's instructions work for Server 2003 and 2008, but not for 2008 R2 or 2012 (not sure about 2012 R2). 2008 R2 more closely follows RFC specs and so doesn't allow you to create a CNAME record at the root of a zone.

If you're using Server 2008 R2, about the best solution I can think of would be to create a zone for www.google.com and create an A record in it with a blank name that points at 216.239.38.120.  The downfall is it won't work if the IP ever changes.  Another solution that might work would be to create the "www.google.com" zone with an A record that has a blank name and points at an internal IP of a webserver, and on that webserver have it do a redirect or URL rewrite to forcesafesearch.google.com.

Author Comment

by:BCSSupport
ID: 40503635
I don't have this resolved yet but I suspect that the problem is that we block port 53 because we use OpenDNS and don't want users specifying their own DNS server.  I'll do some testing soon and report back.

Expert Comment

by:footech
ID: 40503676
Blocking port 53 for clients shouldn't be a problem if they're using your DNS server, and your DNS server then forwards to OpenDNS.

Accepted Solution

by:derisman (earned 500 total points)
ID: 40772996
Hello, it took me a while to figure this one out as well. Because Windows 2008-2012 DNS won't allow you to use a CNAME record for www.google.com, you need to use a DNAME record.

Create a new zone for www.google.com, NOT google.com. Then create a DNAME record pointing to forcesafesearch.google.com.

It works as it should and will force users to use SafeSearch. Of course they can always bypass using alternate DNS or the Windows hosts file.

Enjoy,

Dave
 

Author Comment

by:BCSSupport
ID: 40820770
I'll try this, thanks!
 

Author Closing Comment

by:BCSSupport
ID: 41025678
It took me a while to figure out just how to create the DNAME as I had never done that before but it works.  I used the following settings:

Alias name: <null> I left this blank
FQDN: www.google.com
FQDN for target domain: forcesafesearch.google.com.

Through my firewall and GPOs, most users would be unable to specify their own DNS and even if they did, the firewall only allows our authorized internal DNS to pass DNS traffic. Well, there's always a way, but for 99% of users, there's not an easy way.
Question has a verified solution.
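
The zone and DNAME record described in the accepted solution and the closing comment, scripted with the DnsServer PowerShell module and followed by a check that the override took effect without breaking other google.com names. This is an added example, not code from any poster in the thread; the server address 10.0.0.53 and the AD-integrated replication scope are assumptions to adjust for your environment.

```powershell
# Added example: run in an elevated session on the Windows DNS server.
Import-Module DnsServer

$DnsServer = '10.0.0.53'                     # assumption: your internal DNS server
$ZoneName  = 'www.google.com'                # zone for this one host, NOT google.com
$Target    = 'forcesafesearch.google.com.'

# 1. Create the zone only if it is missing (assumption: AD-integrated zone).
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope 'Domain'
}

# 2. Add the DNAME at the zone apex; the blank alias name in the GUI is '@' here.
$dname = Get-DnsServerResourceRecord -ZoneName $ZoneName |
    Where-Object { $_.RecordType -eq 'DNAME' }
if (-not $dname) {
    Add-DnsServerResourceRecord -ZoneName $ZoneName -Name '@' -DName -DomainNameAlias $Target
}

# Helper: sorted A-record addresses for a name, asked of the internal server only.
function Get-ARecord([string]$Name) {
    Resolve-DnsName -Name $Name -Server $DnsServer -Type A -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress |
        Sort-Object
}

# 3. www.google.com must now return the same addresses as the SafeSearch VIP.
$forced = Get-ARecord 'forcesafesearch.google.com'
$www    = Get-ARecord 'www.google.com'
if ($www -and (($www -join ',') -eq ($forced -join ','))) {
    Write-Output "OK: www.google.com -> $($www -join ', ')"
} else {
    Write-Warning "www.google.com resolves to '$($www -join ', ')', expected '$($forced -join ', ')'"
}

# 4. Other google.com names must still resolve through the forwarder; they stop
#    resolving if the zone was created for google.com instead of www.google.com.
foreach ($name in 'google.com', 'support.google.com') {
    if (-not (Resolve-DnsName -Name $name -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue)) {
        Write-Warning "$name no longer resolves; check for a local google.com zone"
    }
}
```

Clients may hold the old answer in their resolver cache until it is flushed or expires, so run the check against the server as shown rather than relying on a client lookup.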
