Solved

How to enable Google SafeSearch VIP on MS DNS

Posted on 2014-12-01
8
2,645 Views
Last Modified: 2015-10-05
I'd like to use the new Google SafeSearch VIP to force safe search on for my users.  It sounds easy: "Set the DNS entry for www.google.com to be a CNAME for forcesafesearch.google.com."

Above came from https://support.google.com/websearch/answer/186669?hl=en Option 3

OK, great, how do I do that?  I use MS DNS internally and do not have a forward lookup zone for google.com.  Do I need to make one?  Primary or stub?  I tried a primary forward lookup zone google.com and added the CNAME so the end result looked like the graphic here: https://support.opendns.com/entries/57304954-Enforcing-Google-SafeSearch but then nothing worked, I think because google.com would not resolve at all.  So clearly I need help with MS DNS and the instruction above.
0
Question by:BCSSupport
8 Comments
 

Expert Comment

by:Pawel_Kowalski
ID: 40474447
Did you create the CNAME for both google.com and www.google.com ?

Does one work and not the other?
0
 

Author Comment

by:BCSSupport
ID: 40474479
I created a primary zone google.com; by default it had two entries, SOA and NS I think. I created a CNAME for only www.google.com <-> forcesafesearch.google.com and I had the same as the image in the first post at the OpenDNS link I gave above.  After I did this, I couldn't resolve anything Google: www, support.google.com, nothing *.google.com would resolve. I'd just get "Ping request could not find host google.com. Please check the name and try again." and the same response for [anything].google.com.

When I delete my forward zone and flush my DNS, I can resolve any Google host.
0
 
LVL 40

Expert Comment

by:footech
ID: 40474579
There are a number of pitfalls here.
As you've discovered, if you create a forward lookup zone for google.com, the DNS server thinks it knows about every record in the google.com domain.  So unless you have an entry in the zone for forcesafesearch, support, images, etc. (i.e. anything.google.com) it won't know about it and it won't resolve.

Apparently Google's instructions work for Server 2003 and 2008, but not for 2008 R2 or 2012 (not sure about 2012 R2).  2008 R2 more closely follows the RFC specs and so doesn't allow you to create a CNAME record at the root of the zone.

If you're using Server 2008 R2, about the best solution I can think of would be to create a zone for www.google.com and create an A record in it with a blank name that points at 216.239.38.120.  The downfall is it won't work if the IP ever changes.  Another solution that might work would be to create the "www.google.com" zone with an A record that has a blank name and points at an internal IP of a webserver, and on that webserver have it do a redirect or URL rewrite to forcesafesearch.google.com.
0

 

Author Comment

by:BCSSupport
ID: 40503635
I don't have this resolved yet but I suspect that the problem is that we block port 53 because we use OpenDNS and don't want users specifying their own DNS server.  I'll do some testing soon and report back.
0
 
LVL 40

Expert Comment

by:footech
ID: 40503676
Blocking port 53 for clients shouldn't be a problem if they're using your DNS server, and your DNS server then forwards to OpenDNS.
0
 
LVL 1

Accepted Solution

by:
derisman earned 500 total points
ID: 40772996
Hello, it took me a while to figure this one out as well.  Because Windows 2008-2012 DNS won't allow you to use a CNAME record for www.google.com, you need to use a DNAME record.

Create a new zone for www.google.com, NOT google.com.  Then create a DNAME record pointing to forcesafesearch.google.com.

It works as it should and will force users to use SafeSearch.  Of course they can always bypass it using an alternate DNS server or the Windows hosts file.

Enjoy,

Dave
0
 

Author Comment

by:BCSSupport
ID: 40820770
I'll try this, thanks!
0
 

Author Closing Comment

by:BCSSupport
ID: 41025678
It took me a while to figure out just how to create the DNAME as I had never done that before but it works.  I used the following settings:

Alias name: <null> I left this blank
FQDN: www.google.com
FQDN for target domain: forcesafesearch.google.com.

Through my firewall and GPOs, most users would be unable to specify their own DNS, and even if they did, the firewall only allows our authorized internal DNS to pass DNS traffic.  Well, there's always a way, but for 99% of users there's not an easy way.
0
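The same www.google.com zone and apex DNAME that derisman's accepted solution and the closing comment describe, written as an added PowerShell example (not code from the thread) using the DnsServer module that ships with Windows Server 2012 and later. It assumes a file-backed primary zone on the DNS server itself and runs from an elevated prompt; the dnscmd lines at the end are the equivalent for a 2008 R2 box without that module.

```powershell
# Added example: enforce Google SafeSearch VIP on Microsoft DNS via a DNAME.
# Assumptions: run as administrator on the DNS server; the DnsServer module
# (Windows Server 2012+) is available. On a domain controller you may prefer
# -ReplicationScope "Domain" instead of -ZoneFile for an AD-integrated zone.

$zone   = "www.google.com"                # the zone is the single host name, NOT google.com
$target = "forcesafesearch.google.com"   # Google's SafeSearch VIP name from the support page

# Pitfall from the thread: a zone named "google.com" makes this server
# authoritative for every *.google.com name, so anything not entered in the
# zone (support, images, even forcesafesearch itself) stops resolving.
if ($zone -eq "google.com") {
    throw "Do not create a zone for google.com; create one for www.google.com only."
}

# 1. Create the primary zone if it does not already exist.
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns"
}

# 2. Add the DNAME at the zone apex ("@" here; the blank "Alias name" in the
#    GUI). 2008 R2 and later refuse a CNAME at the apex per the RFCs, which is
#    why the thread moved from CNAME to DNAME.
Add-DnsServerResourceRecordDName -ZoneName $zone -Name "@" -DomainName $target

# 3. Verify against this server: www.google.com should now answer through the
#    DNAME to forcesafesearch.google.com, and an unrelated Google host must
#    still resolve normally (it would not if a google.com zone had been made).
Resolve-DnsName -Name "www.google.com"     -Server 127.0.0.1 -Type A
Resolve-DnsName -Name "support.google.com" -Server 127.0.0.1 -Type A

# Equivalent for Server 2008 R2 (no DnsServer module), using dnscmd.exe:
#   dnscmd /ZoneAdd www.google.com /Primary /file www.google.com.dns
#   dnscmd /RecordAdd www.google.com @ DNAME forcesafesearch.google.com
```

Clients must actually use this server for the override to apply, so pair it with the firewall rule the closing comment mentions (only the internal DNS servers may pass port 53 outbound) and check a client with `ipconfig /flushdns` followed by `Resolve-DnsName www.google.com`.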
