Forum Discussion
How to block Bing Chat public for organization users and allowing Bing Chat Enterprise
What we're trying to do: Redirect copilot.microsoft.com to cdp.copilot.microsoft.com to force data protection in copilot.
On your secondary DNS server (the ones the clients know nothing of) create the primary zone microsoft.com. Add a CNAME for copilot.microsoft.com and point it at cdp.copilot.microsoft.com.
Back to the production server. Create TWO conditional forwarders here.
The first is copilot.microsoft.com that sends the requests to your secondary DNS server to get the CNAME.
The second is cdp.copilot.microsoft.com which should send the request out to the internet (I'm using 8.8.8.8 and 8.8.4.4).
The second is required because if it tries to resolve itself, it just uses the first conditional forwarder again which sends the request in an infinite loop between your DNS servers.
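The two-server setup described above, as an added PowerShell example that is not part of the original post, using the Windows DnsServer module cmdlets; the hidden server address, zone file name and production server name are placeholders:

```powershell
# Added example (not from the original post). Placeholders:
#   $Secondary - IP of the hidden secondary DNS server clients never query
#   $Prod      - name/IP of the production DNS server clients do use
$Secondary = '10.0.0.53'
$Prod      = 'dns.corp.example'
$Upstream  = @('8.8.8.8', '8.8.4.4')   # public resolvers from the post

# --- Run on the SECONDARY (hidden) server ------------------------------
# A file-backed primary zone "microsoft.com" that only this server holds.
Add-DnsServerPrimaryZone -Name 'microsoft.com' -ZoneFile 'microsoft.com.dns'
# copilot.microsoft.com -> CNAME cdp.copilot.microsoft.com
Add-DnsServerResourceRecordCName -ZoneName 'microsoft.com' -Name 'copilot' `
    -HostNameAlias 'cdp.copilot.microsoft.com'

# --- Run on the PRODUCTION server --------------------------------------
# 1) Send copilot.microsoft.com lookups to the hidden server for the CNAME.
Add-DnsServerConditionalForwarderZone -Name 'copilot.microsoft.com' `
    -MasterServers $Secondary
# 2) Send the CNAME target straight to the internet. Without this the
#    target name matches forwarder 1 again and the two servers loop.
Add-DnsServerConditionalForwarderZone -Name 'cdp.copilot.microsoft.com' `
    -MasterServers $Upstream

# --- Verify from a client's point of view -------------------------------
$answer = Resolve-DnsName -Name 'copilot.microsoft.com' -Server $Prod -DnsOnly
$cname  = $answer | Where-Object { $_.Type -eq 'CNAME' }
if ($cname.NameHost -ne 'cdp.copilot.microsoft.com') {
    throw 'Redirect not in effect: expected CNAME to cdp.copilot.microsoft.com'
}
# The cdp target must still resolve to real addresses (no loop, no SERVFAIL).
if (-not ($answer | Where-Object { $_.Type -in 'A', 'AAAA' })) {
    throw 'CNAME target did not resolve; check the cdp.copilot.microsoft.com forwarder'
}
```

The verification block is worth keeping as a scheduled check, since a forwarder that is later removed or an upstream change silently turns the redirect back into the unprotected endpoint.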
Bradley Fox, great hack!
I'll mention that anyone using some kind of DNS firewall or Response Policy Zone for DNS can easily create a policy rule to match both names and have the DNS server artificially generate the CNAME response without all the configuration flaming hoops...
As Microsoft DNS Policies do not appear to support a redirect action (see: https://learn.microsoft.com/en-us/powershell/module/dnsserver/add-dnsserverqueryresolutionpolicy?view=windowsserver2022-ps ), one is left to implement the feature at the forwarding/recursion/caching level of your DNS infrastructure with BIND or other non-Microsoft DNS solutions. See https://bind9.readthedocs.io/en/latest/chapter6.html#dns-firewalls-and-response-policy-zones for examples of how to get RPZ to generate a CNAME based on a policy match.
And RPZ is a standard feature on pretty much any Protected DNS service out there.