They do have to traverse your network in a manageable way, anyway...
up until the point that some wiseacre fires up a VPN or a
tunnel/proxy, it's not so hard to grab port 53 traffic on its way out
and quietly redirect it.

However, the problem itself is extremely difficult to solve
thoroughly.  How can one possibly stay on top of the IPs that SSL is
or isn't "safe" to, given that you cannot do any other meaningful
inspection of the data (not even the hostname in the HTTPS request)?
I know there are products that attempt to solve it without seriously
impairing the network, but I can't imagine they're robust against a
clever | determined kiddo.

--Steve

On Sun, Feb 12, 2012 at 10:22 PM, James Hill <falc...@gmail.com> wrote:
> This assumes that the students have to use your DNS as well.
>
>
>
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Saturday, 11 February 2012 1:45 AM
>
>
> To: NT System Admin Issues
> Subject: DNS Partial zone CNAMEs?
>
>
>
> Long story made somewhat short:  We enforce safe search on google images
> with our filter. If a clever student hits https://www.google.com and
> searches for Excalibur Films images the safe search enforcement fails and
> they are going to get more than they should. And since I now know this, I
> will go to jail and my wife will be sad.
>
>
>
> So I need to do the below from Google:
>
>
>
> To utilize this solution, your school’s network administrator would modify
> your DNS (Domain Name System) configuration to make Google domains, e.g.
> www.google.com to be an alias or CNAME (canonical name) of nossl.google.com.
> When we see search requests arriving over the nossl end point we will
> redirect these to a non-SSL search session. HTTP traffic and other services
> will not be affected.
>
>
>
> I am a bit puzzled on how to do this. If I toss up a zone for google.com and
> put up a www.google.com CNAME nossl.google.com, what happens when someone
> tries to hit mail.google.com? My zone lookup will fail…will my DNS server
> then hit my forwarders for mail.google.com?
>
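
The scenario asked about in the quoted message, modeled as an added example (not code from the thread): a server that is authoritative for a zone answers from that zone and does not consult its forwarders for names inside it. The zone contents, the `resolve` and `shadowed` helpers and the 192.0.2.x addresses are constructed for illustration.

```python
# Constructed model: a DNS server with local authoritative zones and forwarders.
# UPSTREAM stands in for what the forwarders would answer; the addresses are
# documentation-range placeholders, not real Google addresses.
UPSTREAM = {
    "www.google.com": "192.0.2.10",
    "mail.google.com": "192.0.2.20",
    "nossl.google.com": "192.0.2.30",
}

def find_zone(name, zones):
    """Return the most specific local zone that contains name, or None."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def resolve(name, zones, hops=0):
    """Return (answered_by, result); result is an address or an error code."""
    if hops > 8:                      # guard against CNAME loops
        return ("local", "SERVFAIL")
    zone = find_zone(name, zones)
    if zone is None:                  # not authoritative: ask the forwarders
        return ("forwarder", UPSTREAM.get(name, "NXDOMAIN"))
    record = zones[zone].get(name)
    if record is None:                # authoritative and no record: stop here
        return ("local", "NXDOMAIN")
    rtype, value = record
    if rtype == "CNAME":              # chase the alias under the same rules
        return resolve(value, zones, hops + 1)
    return ("local", value)

def shadowed(zones, names):
    """Names the forwarders could answer but the local zones now hide."""
    return sorted(n for n in names
                  if n in UPSTREAM and resolve(n, zones)[1] == "NXDOMAIN")

# Scenario from the question: a google.com zone holding only the www CNAME.
WIDE = {"google.com": {"www.google.com": ("CNAME", "nossl.google.com")}}

if __name__ == "__main__":
    for n in UPSTREAM:
        print(n, resolve(n, WIDE), "| no local zone:", resolve(n, {}))
    print("shadowed:", shadowed(WIDE, UPSTREAM))
```

In this model the CNAME target nossl.google.com also falls inside the local google.com zone, so www.google.com stops resolving too until that name is given its own record in the zone.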
