I figured it out. It would not take a blank CNAME, so I started looking at other record types and DNAME jumped out at me as a possible solution. Basically a CNAME for a domain name which would work if Google has an A record up for the targeted domain name, which they do.
I put up a primary zone www.google.com. Then I put up a DNAME leaving the first line blank (alias name) so that it would use the parent domain. And the FQDN for the target host as nosslsearch.google.com.

Tested it extensively Sunday from home on the VPN and then again here and everything is working as it should. All the other google servers resolve correctly and when they go to httpS://www.google.com it redirects them to the plain http. :banana:

From: Andrew S. Baker [mailto:[email protected]]
Sent: Monday, February 13, 2012 1:07 AM
To: NT System Admin Issues
Subject: Re: DNS Partial zone CNAMEs?

Yeah, I'm not seeing a good way to do this at the DNS level. At least not with Windows DNS.

Might be time to employ a proxy or application firewall and manage the traffic at that level. This is not strictly a DNS issue.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market...

On Fri, Feb 10, 2012 at 12:47 PM, Brian Desmond <[email protected]> wrote:

I don't know if you can define non glue/NS/SOA records in a stub.

Thanks,
Brian Desmond
[email protected]
w - 312.625.1438 | c - 312.731.3132

From: Andrew S. Baker [mailto:[email protected]]
Sent: Friday, February 10, 2012 11:17 AM
To: NT System Admin Issues
Subject: Re: DNS Partial zone CNAMEs?

What about using a Stub zone?

I agree that it is annoying, though.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market...

On Fri, Feb 10, 2012 at 11:51 AM, Brian Desmond <[email protected]> wrote:

No it won't forward unless you have all the records. I don't see how this is scalable.

Thanks,
Brian Desmond
[email protected]
w - 312.625.1438 | c - 312.731.3132

From: Kennedy, Jim [mailto:[email protected]]
Sent: Friday, February 10, 2012 9:45 AM
To: NT System Admin Issues
Subject: DNS Partial zone CNAMEs?

Long story made somewhat short: We enforce safe search on google images with our filter. If a clever student hits https://www.google.com and searches for Excalibur Films images the safe search enforcement fails and they are going to get more than they should. And since I now know this, I will go to jail and my wife will be sad.

So I need to do the below from Google:

To utilize this solution, your school's network administrator would modify your DNS (Domain Name System) configuration to make Google domains, e.g. www.google.com to be an alias or CNAME (canonical name) of nossl.google.com. When we see search requests arriving over the nossl end point we will redirect these to a non-SSL search session. HTTP traffic and other services will not be affected.

I am a bit puzzled on how to do this. If I toss up a zone for google.com and put up a www.google.com CNAME nossl.google.com, what happens when someone tries to hit mail.google.com? My zone lookup will fail...will my DNS server then hit my forwarders for mail.google.com?

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
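The thread turns on how a DNS server with forwarders treats names inside a zone it hosts. The following is an added example, not code from any participant or from Windows DNS: a simplified Python model of that decision, comparing a zone for all of google.com with a zone named www.google.com. The `find_zone` and `answer` helpers, the forwarder data and the generic "alias" record are constructed assumptions; record-type semantics (CNAME vs. DNAME) are deliberately not modeled.

```python
# Added illustration: simplified model of a DNS server that hosts primary
# zones and forwards everything else. All data below is constructed.

def find_zone(qname, zones):
    """Return the most specific hosted zone that contains qname, or None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def answer(qname, zones, forwarder):
    """Return (source, value). The server is authoritative for every name
    inside a hosted zone, so a missing record there is a local NXDOMAIN and
    the forwarders are never consulted."""
    name = qname.lower().rstrip(".")
    zone = find_zone(name, zones)
    if zone is None:
        return ("forwarded", forwarder.get(name))
    if name in zones[zone]:
        return ("local", zones[zone][name])
    return ("local", "NXDOMAIN")

# Constructed stand-in for upstream answers (RFC 5737 documentation addresses).
FORWARDER = {"mail.google.com": "192.0.2.10", "www.google.com": "192.0.2.20"}
ALIAS = "alias -> nosslsearch.google.com"

# Layout from the original question: one zone covering all of google.com.
BROAD = {"google.com": {"www.google.com": ALIAS}}
# Layout from the final message: a zone named www.google.com, record at its apex.
NARROW = {"www.google.com": {"www.google.com": ALIAS}}

if __name__ == "__main__":
    for label, zones in (("broad", BROAD), ("narrow", NARROW)):
        for q in ("www.google.com", "mail.google.com"):
            print(f"{label:6} {q:16} {answer(q, zones, FORWARDER)}")
```

With the broad zone, mail.google.com falls inside the hosted zone and gets a local NXDOMAIN; with the narrow zone only www.google.com and names beneath it are answered locally, and everything else still goes to the forwarders.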
