On Mon, Feb 13, 2012 at 8:53 PM, Kennedy, Jim <[email protected]> wrote:
> did anyone have any ideas how to skin this cat

I didn't ask on dns-ops because I suspect their answer would be the same as mine: DNS isn't the place to try and solve this problem.

> Bottom line is I need to CNAME www.google.com to nosslsearch.google.com

No, bottom line is, you need to control web access. Look beyond the technique (DNS) and refocus on your goal (controlling web access).

> I am even open to putting up another DNS server that can CNAME this
> record and fall over to root for the rest of google...then direct my
> AD DNS to that on a conditional forwarder.

You might be able to do this, but I suspect it's going to be easy to get around (bare IP addresses, "hosts" files, etc.). So I'm wary of investing effort into a technique that won't be very effective, and thus just lead back to the same problem again.

> Get search off SSL so the filter can append the request with
> safe search mode.

You keep mentioning your filter. Start there. What can it do? How does it work? What is it, for that matter? :)

You mentioned contacting the filter vendor. I'd say that should be your first strategy. Only if you're sure they can't do it should you start looking elsewhere. You've got one product already, try that first.

Be sure you're giving the vendor the right request. Again, focus on the goal, not the technique. Don't ask, "Can I rewrite DNS answers?" Instead, start with the real problem: "HTTPS to web search engines bypasses the web filter. What can I do to counter that?" If they don't have a good answer for the general case, get slightly more specific: "I want to block HTTPS to <www.google.com.>." Don't go down the DNS; that's not really your goal.

If it's an HTTP proxy and all your web browsing is going through it, it should be very easy to block any CONNECT method to <www.google.com.>. (If not, it's not a very good filter.)

If I had to do this and I didn't have any other product, I'd prolly start with the Squid HTTP proxy. Blocking this particular situation (HTTPS to <www.google.com.>) would be trivial.
-- Ben
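
An illustration of the Squid approach mentioned in the message above, added here and not part of the original post. The ACL names are made up for this example, and it assumes every client's web traffic is forced through the proxy, with direct outbound port 443 blocked at the firewall.

```conf
# squid.conf fragment (added example; ACL names are hypothetical)

# HTTPS through a forward proxy arrives as "CONNECT host:443".
# The proxy sees the hostname in that request line even though
# the tunnelled traffic itself is encrypted.
acl https_tunnel method CONNECT

# The one host the thread wants kept off HTTPS.
# dstdomain without a leading dot matches this exact name only.
acl search_https dstdomain www.google.com

# http_access rules are evaluated top-down and the first match wins,
# so this line must come BEFORE any "http_access allow ..." rule
# that would otherwise admit the client.
# Both ACLs on one line are ANDed: CONNECT *and* www.google.com.
http_access deny https_tunnel search_https

# Plain-HTTP requests to the same host do not use CONNECT, are not
# matched by the rule above, and continue on to the existing
# allow/deny rules and the content filter.
```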
