Solved

How to enable Google SafeSearch VIP on MS DNS

Posted on 2014-12-01
Last Modified: 2015-10-05
I'd like to use the new Google SafeSearch VIP to force safe search on for my users. It sounds easy: "Set the DNS entry for www.google.com to be a CNAME for forcesafesearch.google.com."

Above came from https://support.google.com/websearch/answer/186669?hl=en Option 3

Ok great, how do I do that? I use MS DNS internally and do not have a forward lookup zone for google.com. Do I need to make one? Primary or stub? I tried a primary forward lookup zone google.com and added the CNAME so the end result looked like the graphic here: https://support.opendns.com/entries/57304954-Enforcing-Google-SafeSearch, but then nothing worked, I think because google.com would not resolve at all, so clearly I need help with MS DNS and the instruction above.
0
Question by:BCSSupport
8 Comments
 

Expert Comment

by:Pawel_Kowalski
ID: 40474447
Did you create the CNAME for both google.com and www.google.com ?

Does one work and not the other?
0
 

Author Comment

by:BCSSupport
ID: 40474479
I created a primary zone google.com; by default it had two entries, SOA and NS I think. I created a CNAME for only www.google.com <-> forcesafesearch.google.com and I had the same as the image in the first post at the OpenDNS link I gave above. After I did this, I couldn't resolve anything Google: www, support.google.com, nothing *.google.com would resolve. I'd just get "Ping request could not find host google.com. Please check the name and try again." and the same response for [anything].google.com.

When I delete my forward zone and flush my DNS, I can resolve any Google host.
0
 
LVL 39

Expert Comment

by:footech
ID: 40474579
There are a number of pitfalls here.
As you've discovered, if you create a forward lookup zone for google.com, the DNS server thinks it knows about every record in the google.com domain. So unless you have an entry in the zone for forcesafesearch, support, images, etc. (i.e. anything.google.com) it won't know about it and it won't resolve.

Apparently Google's instructions work for Server 2003 and 2008, but not for 2008 R2 or 2012 (not sure about 2012 R2). 2008 R2 more closely follows the RFC specs and so doesn't allow you to create a CNAME record at the root of the zone.

If you're using Server 2008 R2, about the best solution I can think of would be to create a zone for www.google.com and create an A record in it with a blank name that points at 216.239.38.120.  The downfall is it won't work if the IP ever changes.  Another solution that might work would be to create the "www.google.com" zone with an A record that has a blank name and points at an internal IP of a webserver, and on that webserver have it do a redirect or URL rewrite to forcesafesearch.google.com.
0
 

Author Comment

by:BCSSupport
ID: 40503635
I don't have this resolved yet but I suspect that the problem is that we block port 53 because we use OpenDNS and don't want users specifying their own DNS server.  I'll do some testing soon and report back.
0
 
LVL 39

Expert Comment

by:footech
ID: 40503676
Blocking port 53 for clients shouldn't be a problem if they're using your DNS server, and your DNS server then forwards to OpenDNS.
0
 
LVL 1

Accepted Solution

by:derisman (earned 500 total points)
ID: 40772996
Hello, it took me a while to figure this one out as well. Because Windows 2008-2012 DNS won't allow you to use a CNAME record for www.google.com, you need to use a DNAME record.

Create a new zone for www.google.com, NOT google.com. Then create a DNAME record pointing to forcesafesearch.google.com.

It works as it should and will force users to use SafeSearch. Of course they can always bypass it using an alternate DNS or the Windows hosts file.

Enjoy,

Dave
0
 

Author Comment

by:BCSSupport
ID: 40820770
I'll try this, thanks!
0
 

Author Closing Comment

by:BCSSupport
ID: 41025678
It took me a while to figure out just how to create the DNAME as I had never done that before but it works.  I used the following settings:

Alias name: <null> I left this blank
FQDN: www.google.com
FQDN for target domain: forcesafesearch.google.com.

Through my firewall and GPOs, most users would be unable to specify their own DNS, and even if they did, the firewall only allows our authorized internal DNS to pass DNS traffic. Well, there's always a way, but for 99% of users, there's not an easy way.
0
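The procedure from the accepted solution (a zone for www.google.com only, with a DNAME at its apex) and the settings in the closing comment, as an added PowerShell example that is not part of this thread or of Google's documentation. It assumes Windows Server 2012 or later with the DnsServer module, is run on the internal DNS server itself by a DNS administrator, and uses "@" as the blank (apex) alias name; the file-backed zone and the final forwarder check (footech's point that clients blocked from port 53 are fine as long as the server forwards to OpenDNS) are also assumptions. The resolution checks cover footech's pitfall: a zone for google.com would make the server claim authority over every google.com name, so support.google.com must still resolve after the change.

```powershell
# Added example, not from the thread. Assumes Windows Server 2012+ with the
# DnsServer module, run on the internal DNS server as a DNS admin.
Import-Module DnsServer

$zone   = 'www.google.com'               # zone for the single host, NOT google.com
$target = 'forcesafesearch.google.com'   # Google SafeSearch VIP name from the thread
$server = $env:COMPUTERNAME              # query this server directly for the checks

# 1. Create a file-backed primary zone for www.google.com only (assumption:
#    file-backed; use -ReplicationScope instead on an AD-integrated DC).
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns"
}

# 2. DNAME at the zone apex ("@" assumed to mean the blank alias name from the
#    closing comment), so www.google.com maps onto forcesafesearch.google.com.
Add-DnsServerResourceRecordDName -ZoneName $zone -Name '@' -DomainNameTarget $target

# 3. Checks. www.google.com should now answer via the DNAME chain, and an
#    unrelated google.com host must still resolve through the forwarders,
#    which is exactly what broke when a google.com zone was created instead.
$www = Resolve-DnsName -Name $zone -Server $server -Type A -ErrorAction Stop
$www | Format-Table Name, Type, NameHost, IPAddress -AutoSize

$other = Resolve-DnsName -Name 'support.google.com' -Server $server -Type A -ErrorAction Stop
if (-not ($other | Where-Object { $_.Type -eq 'A' })) {
    Write-Warning 'support.google.com did not resolve; check that no google.com zone exists on this server.'
}

# 4. With outbound port 53 blocked for clients, the server itself must forward
#    upstream (the thread uses OpenDNS); list the forwarders to confirm.
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint
```

Run the checks from a client as well (Resolve-DnsName without -Server) to confirm clients are actually using the internal server; if the client query for www.google.com returns an answer without the DNAME/CNAME chain, it is reaching a different resolver.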