I think I can answer your problem but first I think it will help to explain some of the basics of how DNS servers work.
A DNS server is responsible for mapping a human readable name, to a computer readable numeric address. As it is not really relevant here we will ignore the differences between IPv4 and IPv6 numeric addresses. Less widely known is that DNS servers also do the reverse process they can take a computer friendly numeric address and look up the matching human friendly name. (So called reverse DNS lookups.)
Now while all DNS servers do the above, they normally can only define records for domain names which they are responsible for i.e. own. So you are responsible for your internal private .pvt domain and if you had bought a domain like for example mydomain.com then you could also define records for that. However you don't own the google.com domain so strictly speaking you should not be creating records for this domain on your DNS server. In fact based on their instructions you would also need to create records for all the other google countries as well, e.g. google.co.uk, google.ie etc.
To do this using Apple's DNS server in Server.app you would first have to create each domain name as a zone i.e. creating google.com, google.co.uk, google.ie and so on. Then you would be able to create records in these domains including in this case an alias i.e. CNAME record.
However there is a big problem here, if you create for example the domain google.com this way then your client computers assume your DNS server will be responsible for looking up all hosts/records for that domain whatever they might be so not only www but mail, and any others that google use. If you don't also create these as well then they will fail when your clients try to look them up and as a result you will not be able to access them. Obviously it is impossible for you to know all the hosts/records they use in their domain names.
To summarise in order to create an alias in/for the google.com domain i.e. aliasing www.google.com and forcesafesearch.google.com you need to create the domain google.com (and the others) and this will to put it mildly break all other google records for those domains.
It appears that Google are assuming you can create a CNAME without having to create the entire google.com domain, something as I explained that Apple's Server.app software does not let you do. Apple actually use the standard BIND aka. named DNS server software the same software used by the majority of Linux servers and Unix servers. It is possible to manually edit the configuration files for this software and this is how Linux system administrators usually do it in any case. Apple store the configuration files in /Library/Server/named/
What I cannot tell you is how you could manually create or edit one of these files to accomplish this. I did find this article https://productforums.google.com/d/msg/websearch/srXRvrF1ERg/qtvZfsaWsIQJ which does appear to describe how to do this on a standard BIND server. You would need to create the suggested db.rpz file and what is not mentioned you would also have to modify the named.conf file produced by Apple to add instructions to load this additional db file. Whether this will work with Apple's software is something that you would have to try to find out.
The second approach which on the face of it is far simpler is to edit the /etc/hosts file on each client computer. One can then put records in which say that for example www.google.com is IP address 216.239.38.120 i.e. the current IP address of forcesafesearch.google.com then this will override a DNS lookup of www.google.com and redirect it to the IP address specified causing the search to go to the forcesafesearch.google.com server.
The problem with this /etc/hosts approach is that it needs to be done on each client computer rather than on a single server. Also it is not possible to do this on iPhones and iPads.
The third approach is to use a proxy server. With this approach you do not make any changes to your DNS server, you also do not make any changes to the /etc/hosts file on each computer. Instead all web traffic including for example http://www.google.com is sent via the proxy server. The proxy server would then be configured to send any traffic intended to go to www.google.com or www.google.co.uk or others to be sent instead to forcesafesearch.google.com.
This sounds like it may be the best solution for you. To do this will require the following.
- Setup a proxy server, e.g. the free Squid software
- Set the proxy server to redirect the desired addresses to forcesafesearch.google.com
- Set all your client devices to send web-traffic via the proxy server
Note: I have previously setup and used Squid on a Mac server but you can also use a Linux server just as well. (Some would argue better 🙂)
There is a way to automatically advertise a proxy server to client devices called WPAD (Web Proxy Auto Discovery), this can be done using Apple's DHCP and/or DNS servers by adding the appropriate records and turning on an option on client devices including Macs. You also need to create a proxy.pac configuration file also known as a wpad.dat file and have this made available via an internal web server e.g. http://www.pvt/wpad.dat
A fourth approach is to use a dnsmasq server. This is a special type of DNS server which is solely used to 'spoof' DNS records and would in this case automatically and invisibly to users redirect www.google.com etc. to forcesafesearch.com. This is not available or at least not 'off the shelf' for a Mac server but is easily available for a Linux server. Some routers might have this built-in for example some Cisco boxes can do this.
As should by now be very clear what you are trying to do is very much an 'advanced' level issue. If you do not feel confident you should perhaps get someone in to assist you.
Finally, if the goal is merely to prevent displaying inappropriate images you could use a different approach which is to block access to websites holding those images. There are lots of solutions to 'filter' web activity and prevent accessing adult and other inappropriate categories. So in they they could try searching but should not be able to see such results. I would also remind you that there are other search engines besides Google such as Bing, DuckDuckGo and so on. I can also tell you that any appropriately knowledgable person will be able to get past any measures you put in place no matter how hard you try. All you can do is your best efforts and show to people that you have made such best and reasonable efforts.