Configuring Google NoSSLSearch for Windows DNS Servers

Wednesday, March 14, 2012


1. Create a new Primary DNS Zone on your DNS server for www.google.com.
2. Add a single CNAME record with a blank alias name and “nosslsearch.google.com.” as the FQDN for the target host. The trailing dot after “com” is important.
3. Clear your DNS server cache by right-clicking your server in DNS Manager and selecting Clear Cache.

When your clients request www.google.com, your DNS server will direct them to nosslsearch.google.com instead of www.l.google.com.
Sample output from NSLOOKUP after configuring this DNS zone:

C:\Windows\system32>nslookup www.google.com
Server:  dc02.domain.local
Address:  10.254.1.2

Name:    nosslsearch.google.com
Address:  216.239.32.20
Aliases:  www.google.com
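
To repeat the NSLOOKUP check above across many clients or resolvers, the following sketch (an added example, not part of the original post) parses nslookup output and reports whether www.google.com resolves through the nosslsearch.google.com CNAME. The function names and the second sample, which uses 192.0.2.x documentation addresses, are constructed for illustration.

```python
import re
# From the post's NSLOOKUP output: the override is in effect.
OVERRIDDEN = """\
Server:  dc02.domain.local
Address:  10.254.1.2

Name:    nosslsearch.google.com
Address:  216.239.32.20
Aliases:  www.google.com
"""
# Constructed sample: a resolver without the zone (192.0.2.x is a documentation range).
NOT_OVERRIDDEN = """\
Server:  dc02.domain.local
Address:  10.254.1.2

Non-authoritative answer:
Name:    www.l.google.com
Addresses:  192.0.2.10
          192.0.2.11
Aliases:  www.google.com
"""

def parse_nslookup(text):
    """Parse the answer section into {'name', 'addresses', 'aliases'}."""
    # The first blank line separates the resolver banner from the answer.
    answer = text.replace("\r", "").strip().partition("\n\n")[2]
    result = {"name": None, "addresses": [], "aliases": []}
    field = None
    for line in answer.splitlines():
        m = re.match(r"(Name|Address(?:es)?|Aliases):\s*(.*)$", line)
        if m:
            field, value = m.group(1), m.group(2).strip()
        elif field and line[:1].isspace():
            value = line.strip()  # continuation line of a multi-value field
        else:
            field = None  # e.g. "Non-authoritative answer:"
            continue
        if field == "Name":
            result["name"] = value.lower().rstrip(".")
        elif field == "Aliases":
            result["aliases"].append(value.lower().rstrip("."))
        elif value:
            result["addresses"].append(value)
    return result

def override_in_effect(text, queried="www.google.com", target="nosslsearch.google.com"):
    """True only if `queried` is an alias whose canonical name is `target`."""
    answer = parse_nslookup(text)
    return answer["name"] == target and queried in answer["aliases"]
```
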

Hope this helps.

9 comments :

Ace Fekay said...

This works with Windows 2003 and Windows 2008 DNS, but not for Windows 2008 R2. For specifics, please see:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/eebd5c3f-8d96-4014-9852-f3028c71d930

erikpt said...

I have the solution in this article implemented on 16 Windows Server 2008 R2 DNS servers. You may have to configure the zone as a text-file based zone initially, then remove the default A record manually. Once the zone loads successfully, you can make it active directory integrated once again.

Unknown said...

Hi Erik,
Can you provide some more detail about how you have gone about this on 2008r2? I don't seem to be getting very far.
Cheers,
Ben

Unknown said...

Hi Erik,
I am not having much luck with this. Could you provide some more details?
Cheers,
Ben

erikpt said...

Ben-

The instructions I give will work if you have (or can stand up) a Windows 2008 (not R2) DNS server. For some reason, Microsoft doesn't let you configure a zone in this way in Windows 2008 R2, but an R2 DNS server will replicate this zone and serve it out all day and night if it was created on a downlevel server. Go figure.

If you're running AD-integrated DNS, and are not on the 2008 R2 functional level, it's as easy as adding a 2008 DC with DNS (still non-trivial). However, if you're already on the 2008 R2 functional levels, your best bet may be to set up a BIND DNS server and set up conditional forwarders on the Windows DNS servers to forward www.google.com to the BIND DNS servers. I'll amend this post with a BIND DNS zone file and configuration entry for this setup over the weekend.

Unknown said...

Thanks Erik, I think I should be ok from here.
Ben

Unknown said...

Where is the non-RFC-compliant checkbox...? Microsoft, please include a 2 page disclaimer making us responsible if we break our DNS, but let us decide whether to risk breaking it.

Unknown said...

I was on 2008R2 functional level, and here is what worked for me. I added the DNS service role to an existing 2008 server. I did not promote it to DC. I set up the forwarders to public DNS servers. Then I added the zone per the instructions on this blog. Then, on my 2008r2 DCs, I set up a conditional forward for www.google.com to my newly configured 2008 DNS-enabled server.

Vonster said...

I was able to create a DNAME record on Win2008 R2 SP1 and got it to work. This is my procedure:

- create a new Forward Lookup Zone for www.google.com
- add a new DNAME (Domain ALIAS) record for zone 'www.google.com' to use FQDN of forcesafesearch.google.com as target

I repeated the process and created another DNAME record for www.youtube.com to point to forcesafesearch.google.com to get safesearch for youtube.