Solved

How to enable Google SafeSearch VIP on MS DNS

Posted on 2014-12-01
1,600 Views
Last Modified: 2015-10-05
I'd like to use the new Google SafeSearch VIP to force safe search on for my users.  It sounds easy: "Set the DNS entry for www.google.com to be a CNAME for forcesafesearch.google.com."

Above came from https://support.google.com/websearch/answer/186669?hl=en Option 3

OK, great, how do I do that?  I use MS DNS internally and do not have a forward lookup zone for google.com.  Do I need to make one?  Primary or stub?  I tried a primary forward lookup zone google.com and added the CNAME so the end result looked like the graphic here: https://support.opendns.com/entries/57304954-Enforcing-Google-SafeSearch but then nothing worked, I think because google.com would not resolve at all, so clearly I need help with MS DNS and the instruction above.
Question by:BCSSupport
8 Comments
 

Expert Comment

by:Pawel_Kowalski
ID: 40474447
Did you create the CNAME for both google.com and www.google.com ?

Does one work and not the other?
0
 

Author Comment

by:BCSSupport
ID: 40474479
I created a primary zone google.com; by default it had two entries, SOA and NS I think. I created a CNAME for only www.google.com <-> forcesafesearch.google.com and I had the same as the image in the first post at the OpenDNS link I gave above.  After I did this, I couldn't resolve anything Google: www, support.google.com, nothing *.google.com would resolve. I'd just get "Ping request could not find host google.com. Please check the name and try again." and the same response for [anything].google.com.

When I delete my forward zone and flush my DNS, I can resolve any Google host.
0
 
LVL 39

Expert Comment

by:footech
ID: 40474579
There are a number of pitfalls here.
As you've discovered, if you create a forward lookup zone for google.com, the DNS server thinks it knows about every record in the google.com domain.  So unless you have an entry in the zone for forcesafesearch, support, images, etc. (i.e. anything.google.com) it won't know about it and it won't resolve.

Apparently Google's instructions work for Server 2003 and 2008.  But not for 2008 R2 or 2012 (not sure about 2012 R2).  2008 R2 more closely follows RFC specs and so doesn't allow you to create a CNAME record at the root of zone.

If you're using Server 2008 R2, about the best solution I can think of would be to create a zone for www.google.com and create an A record in it with a blank name that points at 216.239.38.120.  The downfall is it won't work if the IP ever changes.  Another solution that might work would be to create the "www.google.com" zone with an A record that has a blank name and points at an internal IP of a webserver, and on that webserver have it do a redirect or URL rewrite to forcesafesearch.google.com.
0
 

Author Comment

by:BCSSupport
ID: 40503635
I don't have this resolved yet but I suspect that the problem is that we block port 53 because we use OpenDNS and don't want users specifying their own DNS server.  I'll do some testing soon and report back.
0
 
LVL 39

Expert Comment

by:footech
ID: 40503676
Blocking port 53 for clients shouldn't be a problem if they're using your DNS server, and your DNS server then forwards to OpenDNS.
0
 
LVL 1

Accepted Solution

by:derisman (earned 500 total points)
ID: 40772996
Hello, it took me a while to figure this one out as well.  Because Windows 2008-2012 DNS won't allow you to use a CNAME record for www.google.com, you need to use a DNAME record.

Create a new zone for www.google.com, NOT google.com.  Then create a DNAME record pointing to forcesafesearch.google.com.

It works as it should and will force users to use SafeSearch.  Of course they can always bypass it using an alternate DNS or the Windows hosts file.

Enjoy,

Dave
0
 

Author Comment

by:BCSSupport
ID: 40820770
I'll try this, thanks!
0
 

Author Closing Comment

by:BCSSupport
ID: 41025678
It took me a while to figure out just how to create the DNAME as I had never done that before but it works.  I used the following settings:

Alias name: <null> I left this blank
FQDN: www.google.com
FQDN for target domain: forcesafesearch.google.com.

Through my firewall and GPOs, most users would be unable to specify their own DNS, and even if they did, the firewall only allows our authorized internal DNS to pass DNS traffic.  Well, there's always a way, but for 99% of users there's not an easy way.
0
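The accepted solution and the closing comment describe the DNAME setup through the GUI; as an added example (not from any poster on this thread), the same zone and record can be created and verified with the DnsServer PowerShell module. It assumes Windows Server 2012 or later (the module is not available on 2008 R2), an AD-integrated zone, and that `$DnsServer` names the DNS server being configured.

```powershell
# Added example: create a dedicated zone for www.google.com (never for google.com,
# which would shadow every other *.google.com name, as footech explained) and put a
# DNAME at its apex so www.google.com is rewritten to forcesafesearch.google.com.
$DnsServer = 'dc01.corp.example'      # assumption: the internal DNS server
$ZoneName  = 'www.google.com'
$Target    = 'forcesafesearch.google.com'

# 1. Zone for exactly www.google.com (equivalent of "FQDN: www.google.com" in the GUI).
if (-not (Get-DnsServerZone -Name $ZoneName -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope 'Domain' -ComputerName $DnsServer
}

# 2. DNAME at the zone apex ("@" is the blank alias name the closing comment left empty).
Add-DnsServerResourceRecordDName -ZoneName $ZoneName -Name '@' `
    -DomainNameAlias $Target -ComputerName $DnsServer

# 3. Verify: www.google.com must now resolve via the DNAME to forcesafesearch.google.com ...
$www = Resolve-DnsName -Name 'www.google.com' -Server $DnsServer -Type A
if (-not ($www | Where-Object { $_.Type -eq 'A' -and $_.Name -eq $Target })) {
    Write-Warning 'www.google.com is not being rewritten to forcesafesearch.google.com'
}

# ... and the rest of google.com must still resolve, proving no google.com zone
# is accidentally shadowing the real domain (the failure mode in the original post).
foreach ($name in 'google.com', 'support.google.com', 'forcesafesearch.google.com') {
    try {
        Resolve-DnsName -Name $name -Server $DnsServer -Type A -ErrorAction Stop | Out-Null
        Write-Output "OK   $name resolves"
    } catch {
        Write-Warning "FAIL $name does not resolve; check for a stray google.com zone"
    }
}
```

As the thread notes, this only enforces SafeSearch for clients that actually use this server, so the firewall rules the author describes (only the internal resolvers may send DNS traffic out) are what keep the rewrite from being bypassed.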