Please clarify how to enforce commercial data protection for Copilot using DNS CNAME

Mathias 46 Reputation points
2024-01-26T20:52:51.1933333+00:00

The documentation offered at https://learn.microsoft.com/en-us/copilot/manage#require-commercial-data-protection-in instructs you to create CNAME records in DNS that resolve to particular host names in order to enforce the use of Copilot with commercial data protection only.

"Update your DNS configuration by setting the DNS entry for www.bing.com to be a CNAME for nochat.bing.com" and

"Update your DNS configuration by setting the DNS entry for copilot.microsoft.com to be a CNAME for cdp.copilot.microsoft.com"

I have the same question @kikoplavddd_777 asks at https://answers.microsoft.com/en-us/bing/forum/all/how-to-update-internal-microsoft-dns-to-require/d0509074-ab63-4775-815c-9aeb05e407b9

A CNAME cannot sit at the apex of a DNS zone and surely you do not suggest that I create bing.com and microsoft.com zones in my local DNS. So I must be missing something, perhaps another method exists that I am overlooking? Thanks! Mathias


3 answers

  1. Don Babnew 0 Reputation points
    2024-02-06T17:43:46.7133333+00:00

    A solution can be found in https://techcommunity.microsoft.com/t5/copilot-formerly-bing-chat/how-to-block-bing-chat-public-for-organization-users-and/m-p/3925073: "What I had to do was install DNS on a secondary server that my clients do not use directly with the primary zone bing.com and a CNAME for www pointing to nochat.bing.com. Then I set up a conditional forwarder for www.bing.com on my real DNS servers that forwards the request to the secondary server."


  2. Chris Keown 0 Reputation points
    2024-03-04T21:45:24.1333333+00:00

    There is no good documentation on this at all. We need something from Microsoft badly on this.


  3. Paul Flores 0 Reputation points
    2024-04-22T19:50:11.64+00:00

    If you have some kind of DNS policy system in place, that would be the best place to enact these redirects. BIND has response policy zones, and most commercial DNS security solutions can do a redirect based on a DNS query match.

    The proposed solution from Microsoft requires a hidden authoritative server to allow you to create an authoritative zone for 'bing.com' and 'microsoft.com', that you can then use conditional forwarders on to generate the proper DNS query.

    For more info on this basic DNS server function, see https://www.dnsrpz.info/.

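The response policy zone approach mentioned in the third answer, written out for BIND as an added example that is not part of the original thread or of Microsoft's documentation. The zone name `rpz.copilot.local`, the file name, the SOA values and the serial are assumptions; the two CNAME rewrites are the ones quoted in the question. Because the triggers live in a policy zone, no local `bing.com` or `microsoft.com` zone is needed and the apex restriction on CNAMEs does not come into play.

```bind
; File: db.rpz.copilot.local  (assumed file name)
;
; Matching named.conf stanzas on the recursive resolver the clients use,
; shown as comments because named.conf has a different syntax:
;
;   options {
;       response-policy { zone "rpz.copilot.local"; };
;   };
;   zone "rpz.copilot.local" {
;       type master;
;       file "db.rpz.copilot.local";
;       allow-query    { localhost; };   // policy zone is not meant to be queried by clients
;       allow-transfer { none; };
;   };

$TTL 300
@   IN  SOA localhost. hostmaster.localhost. (
            2024042201  ; serial (constructed value)
            3600        ; refresh
            600         ; retry
            86400       ; expire
            300 )       ; negative-cache TTL
    IN  NS  localhost.

; Owner names are written WITHOUT a trailing dot so they are relative to the
; policy zone (www.bing.com.rpz.copilot.local.). The resolver strips the zone
; suffix and matches the remainder against the client's query name.
; Targets are written WITH a trailing dot so they stay absolute.

; Rewrite 1: answer www.bing.com with a CNAME to nochat.bing.com,
; which the resolver then resolves normally.
www.bing.com            IN  CNAME   nochat.bing.com.

; Rewrite 2: answer copilot.microsoft.com with a CNAME to
; cdp.copilot.microsoft.com.
copilot.microsoft.com   IN  CNAME   cdp.copilot.microsoft.com.
```

After reloading the resolver, a query for `www.bing.com` from a client should return a CNAME to `nochat.bing.com` followed by the real address records. The rewrite only applies to clients that actually use this resolver, so endpoints configured for an external or DNS-over-HTTPS resolver will not receive it.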