Sunday, 13 October 2024 15:18

Force restricted content and SafeSearch on different platforms

If you have a family, filtering content on all the major platforms, such as YouTube, Bing, Google, DuckDuckGo and more, is an important thing to do nowadays. In this article I will outline the different methods to restrict content and show you how to apply them.

There are a few different ways to restrict content on the internet:

  • Use a DNS provider that implements the restricted content for you.
    • OpenDNS, CleanBrowsing, etc.
    • Some are paid and some are free.
  • Install control apps on your device.
    • This requires an installation on each device.
  • Override key domains for each of the platforms you want restricted content on.
    • This is done on your router or in the hosts file on your PC.
  • Each platform can usually apply its content filters per account. This does require you to log in to get the filtered results.
  • When using the DNS options, it is important to do full DNS hijacking on your local network so that all DNS requests are sent through your router.
  • You should always make the changes at the router/network level, so you do not have to visit each device. On some devices, such as a Firestick, you cannot change the DNS settings as required.

YouTube

  • To test the restriction level, visit:
  • Tutorials
    • Control YouTube content available to users - Google Workspace Admin Help
      • As an administrator, you can set up your network or managed devices to restrict which YouTube videos are available to employees and students in your organization.
      • Not every router can override CNAMEs; pfSense, for example, cannot. There is a workaround, see below.
    • How To Enable YouTube Restrict / Moderate Modes | cleanbrowsing.org
      • This article shows what options YouTube offers with restrict and moderate modes for content on the YouTube platform.
      • YouTube Offers 2 modes:
        • restrict.youtube.com: More strict mode. It blocks access to videos with violence, language, sexuality or adult content. It is the closest to the YouTube Kids mode. Blocks comments. Recommended for kids under 12.
        • restrictmoderate.youtube.com: Less strict mode. It blocks access to videos with possible violence, sexuality or adult content. It also blocks comments.
    • Your YouTube content & Restricted Mode - YouTube Help
      • Restricted Mode is an optional setting that has been available since 2010. A small subset of users, such as libraries, schools, and public institutions, who choose to have a more limited viewing experience on YouTube use Restricted Mode.
      • Restricted Mode is turned off for viewers by default.

General Notes

  • Filters from different companies
    • Web Content Filtering and Security – OpenDNS - Introduction to Web Content Filtering and Security
    • Free DNS Filtering | Block Online Porn with CleanBrowsing - Free DNS Filters by CleanBrowsing allow you to filter adult, pornography, obscene and other similar content from your internet.
    • CleanBrowsing - Wikipedia
      • CleanBrowsing is a free public DNS resolver with content filtering, founded by Daniel B. Cid and Tony Perez. It supports DNS over TLS on port 853 and DNS over HTTPS on port 443 in addition to standard DNS on port 53. CleanBrowsing filters can be used by parents to protect their children from adult and inappropriate content online.
      • There are several filter levels with their settings outlined here.
  • Tutorials
    • How to: Enforcing Google SafeSearch, YouTube, and Bing – OpenDNS
      • Currently, enforcing Google SafeSearch, YouTube, or Bing on your network without an HTTP proxy requires the ability to create a local Canonical Name (CNAME) record on your local DNS server or editing your Hosts file on your local computer.
      • The Global enforcement of Google SafeSearch previously was only possible with a local agent or firewall rules; however, Google has introduced a new way of enforcing SafeSearch with Google SafeSearch VIP.

Handling CNAMEs on pfSense

Instructions

  • Here we ping the CNAME, get the IP and use that instead of the CNAME.
  • The basic procedure below can be used for all of the platforms that use a SafeSearch VIP system (i.e. like below)
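
The procedure above as an added Python example (not code from this article or from the linked guides): it builds Unbound `local-zone`/`local-data` lines that pin YouTube hostnames to the addresses of the VIP, and reports hostnames whose answers stray from the VIP. The list of YouTube hostnames, the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import socket

VIP = "restrict.youtube.com"  # strict VIP named on the page
# Assumption: the hostnames to pin are not listed on the page.
YOUTUBE_HOSTS = ["www.youtube.com", "m.youtube.com", "youtubei.googleapis.com",
                 "youtube.googleapis.com", "www.youtube-nocookie.com"]
# Constructed sample answers (documentation address ranges), for offline runs.
SAMPLE = {VIP: {"192.0.2.10", "2001:db8::10"},
          "www.youtube.com": {"192.0.2.10"},
          "m.youtube.com": {"198.51.100.7"}}  # this one bypasses the override


def system_resolve(name):
    """Resolve a name through the OS resolver (use this on a LAN client)."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def unbound_overrides(vip_addrs, hosts=YOUTUBE_HOSTS):
    """Emit Unbound custom options pinning each host to the VIP's addresses."""
    addrs = sorted((ipaddress.ip_address(a) for a in vip_addrs),
                   key=lambda ip: (ip.version, int(ip)))
    lines = ["server:"]
    for host in hosts:
        # redirect: answer every query for this name from local-data only
        lines.append(f'local-zone: "{host}" redirect')
        for ip in addrs:
            rtype = "A" if ip.version == 4 else "AAAA"
            lines.append(f'local-data: "{host} {rtype} {ip}"')
    return "\n".join(lines)


def unenforced_hosts(resolve, hosts=YOUTUBE_HOSTS, vip=VIP):
    """Hosts whose answer is empty or strays outside the VIP's current addresses."""
    vip_addrs = resolve(vip)
    bad = []
    for host in hosts:
        answer = resolve(host)
        if not answer or not answer <= vip_addrs:
            bad.append(host)
    return bad


if __name__ == "__main__":
    lookup = lambda name: SAMPLE.get(name, set())
    print(unbound_overrides(lookup(VIP), hosts=["www.youtube.com"]))
    print("not enforced:", unenforced_hosts(lookup, hosts=list(SAMPLE)[1:]))
```

Because the override stores an IP rather than the CNAME, it goes stale if the VIP's addresses change; running `unenforced_hosts(system_resolve)` from a LAN client on a schedule catches that.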

Notes

  • pfSense is configured as a forwarder and not a full authoritative resolver, so it cannot expand the CNAME records.
  • pfSense Force Safe Search Configuration - Virtualization Howto - pfSense Force Safe Search Configuration. A look at pfSense, pfBlockerNG, Unbound DNS, and other plugins that allow you to enable safesearch
    • Has safe search instructions for Google, Bing, YouTube
    • You can edit the Local Unbound Configuration Files (not recommended)
  • DNS CNAME records posible with unbound? | Netgate Forum
    • No, it's not going to work with Unbound because it's not an authoritative name server and can not expand the CNAMEs. You would need BIND or equivalent for that. Use the host overrides if that solves your problem as noted by dok above.
    • You can override MX, PTR, SRV and even SOA records with Unbound, no problem (not exposed through the GUI in pfSense but you can use custom options).
    • What I wrote above is a bit incorrect. The reason the CNAME records won't work as host overrides is because they have to be resolved with an additional query either to the upstream forwarder or the authoritative server. A resolver like Unbound won't look at its own host overrides to resolve a CNAME, they have to be set in the authoritative server.
  • Guide to force your clients to use Youtube in Restricted mode | Netgate Forum - The below example will show how to configure Unbound to force LAN clients to use Youtube in Restricted mode. This same process will work with safesearch for Google/Bing/etc.
Last modified on Sunday, 13 October 2024 16:25