I figured it out. It would not take a blank CNAME, so I started looking at 
other record types and DNAME jumped out at me as a possible solution. 
Basically a CNAME for a domain name which would work if Google has an A record 
up for the targeted domain name, which they do.

I put up a primary zone www.google.com. Then I put up 
a DNAME leaving the first line blank (alias name) so that it would use the 
parent domain. And the FQDN for the target host as nosslsearch.google.com. 
Tested it extensively Sunday from home on the VPN and then again here and 
everything is working as it should. All the other Google servers resolve 
correctly and when they go to httpS://www.google.com it redirects them to the 
plain http.

:banana:


From: Andrew S. Baker
Sent: Monday, February 13, 2012 1:07 AM
To: NT System Admin Issues
Subject: Re: DNS Partial zone CNAMEs?

Yeah, I'm not seeing a good way to do this at the DNS level.  At least not with 
Windows DNS.

Might be time to employ a proxy or application firewall and manage the traffic 
at that level.  This is not strictly a DNS issue.

ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...



On Fri, Feb 10, 2012 at 12:47 PM, Brian Desmond wrote:
I don't know if you can define non glue/NS/SOA records in a stub.

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: Andrew S. Baker
Sent: Friday, February 10, 2012 11:17 AM

To: NT System Admin Issues
Subject: Re: DNS Partial zone CNAMEs?

What about using a Stub zone?

I agree that it is annoying, though.
ASB

http://XeeMe.com/AndrewBaker

Harnessing the Advantages of Technology for the SMB market...


On Fri, Feb 10, 2012 at 11:51 AM, Brian Desmond wrote:
No it won't forward unless you have all the records. I don't see how this is 
scalable.

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: Kennedy, Jim
Sent: Friday, February 10, 2012 9:45 AM
To: NT System Admin Issues
Subject: DNS Partial zone CNAMEs?

Long story made somewhat short:  We enforce safe search on google images with 
our filter. If a clever student hits https://www.google.com and searches for 
Excalibur Films images the safe search enforcement fails and they are going to 
get more than they should. And since I now know this, I will go to jail and my 
wife will be sad.

So I need to do the below from Google:


To utilize this solution, your school's network administrator would modify your 
DNS (Domain Name System) configuration to make Google domains, e.g. 
www.google.com to be an alias or CNAME (canonical name) 
of nossl.google.com. When we see search requests 
arriving over the nossl end point we will redirect these to a non-SSL search 
session. HTTP traffic and other services will not be affected.



I am a bit puzzled on how to do this. If I toss up a zone for 
google.com and put up a www.google.com CNAME nossl.google.com, 
what happens when someone tries to hit mail.google.com? My zone lookup 
will fail...will my DNS server then hit my forwarders for mail.google.com?
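
The following is an added example, not part of the thread and not code from any of its participants. It models only how a DNS server chooses between a zone it hosts and its forwarders, which is why a zone named google.com hides mail.google.com while a zone named www.google.com does not. The addresses are constructed values, and the alias is stored as a plain string rather than modelling CNAME or DNAME processing.

```python
# Added example: models zone selection only (hosted zone vs. forwarder).
# Addresses are constructed, taken from the 203.0.113.0/24 documentation range.

FORWARDER = {  # answers the upstream resolver would give (constructed)
    "www.google.com": "A 203.0.113.10",
    "mail.google.com": "A 203.0.113.20",
}

# A zone for the whole domain that holds only the one alias record.
BROAD = {"google.com": {"www.google.com": "ALIAS nossl.google.com"}}
# A zone named after the single host, with the alias at the zone apex.
NARROW = {"www.google.com": {"www.google.com": "ALIAS nosslsearch.google.com"}}


def find_zone(qname, zones):
    """Return the most specific hosted zone containing qname, or None."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolve(qname, zones, forwarder=FORWARDER):
    """Return (source, answer) for qname under the given hosted zones."""
    qname = qname.rstrip(".").lower()
    zone = find_zone(qname, zones)
    if zone is None:
        # No hosted zone covers the name, so the query goes to the forwarder.
        return ("forwarded", forwarder.get(qname, "NXDOMAIN"))
    # The server is authoritative for this zone: a missing record is a
    # final NXDOMAIN and is never passed on to the forwarder.
    return ("local", zones[zone].get(qname, "NXDOMAIN"))


if __name__ == "__main__":
    for label, zones in (("google.com zone", BROAD),
                         ("www.google.com zone", NARROW)):
        for name in ("www.google.com", "mail.google.com"):
            print(f"{label:20} {name:16} -> {resolve(name, zones)}")
```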




