Sep 12 2023 02:42 AM
Bing Chat Enterprise is made available for enterprise users. However, there is a possibility that users might be using the public Bing Chat. Is there a way to force BCE for organization users and block the public Bing Chat?
Sep 12 2023 09:45 AM
Nov 07 2023 10:02 AM
Nov 15 2023 03:24 PM - edited Nov 15 2023 03:25 PM
@Vimaleshwara Gajanana @Bradley Fox
I followed the above suggestion to block the public version, and it worked great. Users could only get to bing.com/chat when signed into Edge with a corporate profile.
Ignite today announced copilot.microsoft.com. It's basically the same thing, hosted from a different dedicated URL. Unfortunately, this bypasses the previously suggested method to block the public version. Looking for info on how to now force enterprise only version.
Jan 04 2024 04:43 AM
But how do you create a primary zone bing.com and a CNAME for www pointing to nochat.bing.com hosted by bing.com DNS servers? Won't the secondary DNS server also be answering for nochat.bing.com? Since the bing.com zone is on it.
Wouldn't you need to create an A record for nochat.bing.com as well? Thereby losing the whole point of using a CNAME?
Jan 04 2024 05:16 AM
No, because you only have a conditional forwarder set up for www.bing.com, which then forwards to the secondary DNS server that holds the CNAME for www.bing.com, which sends the client to nochat.bing.com, which would be queried on the primary DNS server. Since there is no bing.com domain on the primary and no conditional forwarder, it will use either root hints or your regular forwarders to look up nochat.bing.com.
Jan 04 2024 05:20 AM
Yes, you are right! I just figured it out as well. It only forwards the www.bing.com query to my secondary DNS server. nochat.bing.com it looks up via bing.com DNS servers. Works like a charm.
🙂
Jan 04 2024 05:31 AM - edited Jan 04 2024 05:32 AM
For now, I've just blocked copilot.microsoft.com and informed my users to access Bing chat from Edge or from www.bing.com/chat. Microsoft says this functionality is coming for copilot.microsoft.com but they don't say when...
Feb 16 2024 09:10 AM
Mar 04 2024 01:17 PM
@Vimaleshwara Gajanana I tried this and it does not work in MS DNS. You cannot create a conditional forwarder at the zone root level, so on the production DNS this means that to create a conditional forwarder for www.bing.com you must create the bing.com zone. After doing this, the prod DNS server answers bing.com queries. When I try to create a delegation at the root, the "Next" box is greyed out unless I input a subdomain, so I am unable to create a delegation for www.bing.com in the www.bing.com zone. Likewise, I am unable to create a CNAME at the root of the zone either. As it was described, it does not work. Maybe you could provide the steps that worked or the workaround that made it possible to delegate only www.domain.com without having a zone record for domain.com in MS DNS.
Mar 05 2024 12:53 PM
Mar 05 2024 01:03 PM
Apr 16 2024 11:06 AM - edited Apr 16 2024 11:06 AM
@Bradley Fox , great hack!
I'll mention that anyone using some kind of DNS firewall or Response Policy Zone for DNS can easily create a policy rule to match both names and have the DNS server artificially generate the CNAME response without all the configuration flaming hoops...
As Microsoft DNS Policies do not appear to support a redirect action (see: https://learn.microsoft.com/en-us/powershell/module/dnsserver/add-dnsserverqueryresolutionpolicy?vie... ), one is left to implement the feature at the forwarding/recursion/caching level of your DNS infrastructure with BIND or other non-Microsoft DNS solutions.
See https://bind9.readthedocs.io/en/latest/chapter6.html#dns-firewalls-and-response-policy-zones for examples of how to get RPZ to generate a CNAME based on a policy match.
And RPZ is a standard feature on pretty much any Protected DNS service out there.
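
The RPZ approach described in the post above, as an added example that is not part of the original thread: a BIND response policy zone that answers www.bing.com with a CNAME to nochat.bing.com and returns NXDOMAIN for copilot.microsoft.com, the name blocked earlier in the thread. The zone name `rpz.example.internal`, the file name and the SOA/NS values are assumptions, and the matching named.conf lines are shown as comments.

```dns
; db.rpz.example.internal -- policy zone file (zone and file names are assumed)
;
; Matching named.conf lines on the recursive resolver (BIND 9.16 or later;
; older releases spell "primary" as "master"):
;
;   options {
;       response-policy { zone "rpz.example.internal"; };
;   };
;   zone "rpz.example.internal" {
;       type primary;
;       file "db.rpz.example.internal";
;       allow-query { none; };    // clients never query the policy zone itself
;   };

$TTL 300
@   IN  SOA  localhost. hostmaster.localhost. (
             2024041601  ; serial (constructed)
             3600        ; refresh
             600         ; retry
             86400       ; expire
             300 )       ; negative-cache TTL
    IN  NS   localhost.

; Owner names are written WITHOUT a trailing dot so they stay relative to the
; policy zone; the resolver matches them against the name in the client query.

; Rewrite: any query for www.bing.com is answered with a synthetic CNAME.
; nochat.bing.com has no policy entry, so it is resolved normally through
; forwarders or root hints, as in the conditional-forwarder setup above.
www.bing.com            IN  CNAME  nochat.bing.com.

; Block: a CNAME to the root (".") is the RPZ encoding for NXDOMAIN.
copilot.microsoft.com   IN  CNAME  .
```

After reloading, `dig www.bing.com` against the resolver should show the CNAME to nochat.bing.com in the answer section, and `dig copilot.microsoft.com` should return NXDOMAIN. The policy only covers clients that actually use this resolver.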