Wednesday, March 14, 2012

Configuring Google NoSSLSearch for Windows DNS Servers

Create a new Primary DNS Zone on your DNS server for
Add a single CNAME record with a blank alias name and “” for the FQDN of the target host. The trailing dot after “com” is important.
Clear your DNS server cache by right-clicking on your server in DNS manager and selecting Clear Cache.
When your clients request, your DNS server will direct the client to instead of
Sample output from NSLOOKUP after configuring this DNS zone:

Server:  dc02.domain.local

Ace Fekay said...

This works with Windows 2003 and Windows 2008 DNS, but not for Windows 2008 R2. For specifics, please see:

Erik Pitti said...

I have the solution in this article implemented on 16 Windows Server 2008 R2 DNS servers. You may have to configure the zone as a text-file based zone initially, then remove the default A record manually. Once the zone loads successfully, you can make it active directory integrated once again.

B said...

Hi Erik,
Can you provide some more detail about how you have gone about this on 2008r2? I don't seem to be getting very far.

B said...

Hi Erik,
I am not having much luck with this. Could you provide some more details?

Erik Pitti said...

The instructions I give will work if you have (or can stand up) a Windows 2008 (not R2) DNS server. For some reason, Microsoft doesn't let you configure a zone in this way in Windows 2008 R2, but an R2 DNS server will replicate this zone and serve it out all day and night if it was created on a downlevel server. Go figure.

If you're running AD-integrated DNS, and are not on the 2008 R2 functional level, it's as easy as adding a 2008 DC with DNS (still non-trivial). However, if you're already on the 2008 R2 functional levels, your best bet may be to set up a BIND DNS server and set up conditional forwarders on the Windows DNS servers to forward to the BIND DNS servers. I'll amend this post with a BIND DNS zone file and configuration entry for this setup over the weekend.

B said...

Thanks Erik, I think I should be ok from here.

Ronald Nissley said...

Where is the non-RFC-compliant checkbox...? Microsoft, please include a 2 page disclaimer making us responsible if we break our DNS, but let us decide whether to risk breaking it.

Brad Stocks said...

I was on 2008R2 functional level, and here is what worked for me. I added the DNS service role to an existing 2008 server. I did not promote it to DC. I set up the forwarders to public DNS servers. Then I added the zone per the instructions on this blog. Then, on my 2008r2 DCs, I set up a conditional forward for to my newly configured 2008 DNS-enabled server.

Vonster said...

I was able to create a DNAME record on Win2008 R2 SP1 and got it to work. This is my procedure:

- create a new Forward Lookup Zone for
- add a new DNAME (Domain ALIAS) record for zone '' to use FQDN of as target

I repeated the process and created another DNAME record for to point to to get safesearch for youtube.
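The reason Windows 2008 R2 refuses the zone in the post is that RFC 1034 (section 3.6.2) forbids a CNAME from coexisting with any other record at the same name, and the zone apex always owns SOA and NS records; a DNAME at the apex, as in the comment above, has no such restriction. The following checker is an added example, not code from the post or from any of the commenters: it parses a small BIND-style zone text and reports the apex-CNAME conflict, so the same text can be tested before it is loaded on a server. The zone names and targets are placeholders (the post's actual hostnames are not present in this copy of the page); the SOA/NS host reuses the `dc02.domain.local` server name shown in the post's nslookup output.

```python
"""Detect the apex-CNAME conflict (RFC 1034 s.3.6.2) in a zone file.

Added example: a minimal master-file parser plus a co-existence check.
A name that owns a CNAME may own nothing else; the apex owns SOA and NS,
so a CNAME with a "blank alias name" always conflicts. DNAME (RFC 6672)
is not subject to that rule, which is why the DNAME variant loads.
"""
from collections import defaultdict

# Constructed sample zones. Hostnames are placeholders, not the post's values.
CNAME_APEX_ZONE = """
$ORIGIN www.search.example.
$TTL 3600
@   IN SOA   dc02.domain.local. hostmaster.domain.local. (1 3600 900 604800 300)
@   IN NS    dc02.domain.local.
@   IN CNAME nossl.search.example.
"""

DNAME_APEX_ZONE = """
$ORIGIN www.search.example.
$TTL 3600
@   IN SOA   dc02.domain.local. hostmaster.domain.local. (1 3600 900 604800 300)
@   IN NS    dc02.domain.local.
@   IN DNAME nossl.search.example.
"""

# RFC-clean alternative: CNAME below the apex. It is free of conflicts but
# requires the server to be authoritative for the whole parent zone.
SUBDOMAIN_CNAME_ZONE = """
$ORIGIN search.example.
$TTL 3600
@   IN SOA   dc02.domain.local. hostmaster.domain.local. (1 3600 900 604800 300)
@   IN NS    dc02.domain.local.
www IN CNAME nossl.search.example.
"""


def fqdn(name, origin):
    """Expand '@' and relative owner names against $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text):
    """Return ({owner_fqdn: set of RR types}, origin).

    Supported subset: $ORIGIN/$TTL, ';' comments, one record per line with
    optional TTL and class, parenthesised SOA fields on a single line, and
    a leading-whitespace line inheriting the previous owner name.
    """
    origin = None
    owners = defaultdict(set)
    last_owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        fields = line.replace("(", " ").replace(")", " ").split()
        owner = last_owner if raw[0].isspace() else fields.pop(0)
        # Drop optional TTL and class so fields[0] is the RR type.
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)
        owners[fqdn(owner, origin)].add(fields[0].upper())
        last_owner = owner
    return dict(owners), origin


def find_conflicts(text):
    """List every owner name where a CNAME coexists with other record types."""
    owners, origin = parse_zone(text)
    problems = []
    for owner, types in sorted(owners.items()):
        if "CNAME" in types and len(types) > 1:
            others = ", ".join(sorted(types - {"CNAME"}))
            where = "apex" if owner == origin else owner
            problems.append(f"CNAME at {where} coexists with {others}")
    return problems


def zone_loads_cleanly(text):
    """True when the zone has no CNAME co-existence conflict."""
    return not find_conflicts(text)


if __name__ == "__main__":
    for label, zone in (("CNAME at apex", CNAME_APEX_ZONE),
                        ("DNAME at apex", DNAME_APEX_ZONE),
                        ("CNAME below apex", SUBDOMAIN_CNAME_ZONE)):
        print(f"{label}: {find_conflicts(zone) or 'no conflicts'}")
```

Running the script flags only the first zone (`CNAME at apex coexists with NS, SOA`), which is the configuration the post relies on a downlevel server to accept. Note that the check only concerns record co-existence: a DNAME rewrites names below its owner, so whether it produces the redirection a given client needs is a separate question from whether the zone loads.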

