Menu
What's new
By:
Filters Better Search

Force SafeSearch in DuckDuckGo

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

macster2075

macster2075

Very Senior Member
Hi,
I currently have a few scripts that force SafeSearch in Google and Bing wich work great...
For Google I am using this

echo address=/www.google.com/216.239.38.120 > /jffs/configs/dnsmasq.conf.add
service restart_dnsmasq

DuckduckGo does not have an IP address for safe.duckduckgo.com -
I have tried the jffs below, but it doesn't work...

echo address=/www.duckduckgo.com/safe.duckduckgo.com > /jffs/configs/dnsmasq.conf.add
service restart_dnsmasq

Any help on this?
Thanks.
 
macster2075 said:
Hi,
I currently have a few scripts that force SafeSearch in Google and Bing wich work great...
For Google I am using this

echo address=/www.google.com/216.239.38.120 > /jffs/configs/dnsmasq.conf.add
service restart_dnsmasq

DuckduckGo does not have an IP address for safe.duckduckgo.com -
I have tried the jffs below, but it doesn't work...

echo address=/www.duckduckgo.com/safe.duckduckgo.com > /jffs/configs/dnsmasq.conf.add
service restart_dnsmasq

Any help on this?
Thanks.
Click to expand...
try
echo address=/duckduckgo.com/safe.duckduckgo.com > /jffs/configs/dnsmasq.conf.add
service restart_dnsmasq
 
here is a better block for duckduckgo.com
Code: 
{
    echo 'address=/duckduckgo.com/safe.duckduckgo.com'
    echo 'address=/www.duckduckgo.com/safe.duckduckgo.com'
    echo 'address=/start.duckduckgo.com/safe.duckduckgo.com'
    echo 'address=/duck.com/safe.duckduckgo.com'
    echo 'address=/www.duck.com/safe.duckduckgo.com'
} >> /jffs/configs/dnsmasq.conf.add
 
Last edited:
SomeWhereOverTheRainBow said:
here is a better block for duckduckgo.com
Code: 
{
    echo 'address=/duckduckgo.com/safe.duckduckgo.com'
    echo 'address=/www.duckduckgo.com/safe.duckduckgo.com'
    echo 'address=/start.duckduckgo.com/safe.duckduckgo.com'
    echo 'address=/duck.com/safe.duckduckgo.com'
    echo 'address=/www.duck.com/safe.duckduckgo.com'
} >> /jffs/configs/dnsmasq.conf.add
Click to expand...

Hi @SomeWhereOverTheRainBow, when I added these lines to dnsmasq.conf.add I get an error after I run the service restart_dnsmasq command:

Code: 
Mar  4 12:45:31 dnsmasq[20586]: bad address at line 51 of /etc/dnsmasq.conf
Mar  4 12:45:31 dnsmasq[20586]: FAILED to start up

Line 51 is where the "address" lines start...
 
lordtech said:
Hi @SomeWhereOverTheRainBow, when I added these lines to dnsmasq.conf.add I get an error after I run the service restart_dnsmasq command:

Code: 
Mar  4 12:45:31 dnsmasq[20586]: bad address at line 51 of /etc/dnsmasq.conf
Mar  4 12:45:31 dnsmasq[20586]: FAILED to start up

Line 51 is where the "address" lines start...
Click to expand...
you have to copy and paste those lines into the terminal.. don't add them directly to dnsmasq.conf.add


For best results, use the script 1 from this link
www.snbforums.com

Tutorial - Forcing SafeSearch Tutorial

There are many approaches to this topic and RMerlin's Wiki https://github.com/RMerl/asuswrt-merlin.ng/wiki/Enforce-Safesearch -briefly delves on the concept using dnsmasq. Instead of reinventing the wheel over and over again with this topic, below is a small script and instructions for users...
www.snbforums.com www.snbforums.com


Code: 
touch enforcesafe.sh && cat > "enforcesafe.sh" <<'EOF'
#!/bin/sh
URL="https://www.google.com/supported_domains"
FILE="/jffs/configs/dnsmasq.conf.add"

[ ! -f "$FILE" ] && touch $FILE
echo -e "\n# Enforced Safe Search:\n" >> "${FILE}"
DOMAINS="$(curl $URL 2>/dev/null)"
for DOMAIN in $DOMAINS; do
    DOMAIN=$(echo $DOMAIN | cut -c 2-)
    printf 'cname=www.%s,forcesafesearch.google.com \n' $DOMAIN >> "${FILE}"
done
#this version uses restrictmoderate.youtube.com
for DOMAIN in youtube; do
    printf 'cname=www.%s.com,restrictmoderate.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=m.%s.com,restrictmoderate.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=%si.googleapis.com,restrictmoderate.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=%s.googleapis.com,restrictmoderate.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=www.%s-nocookie.com,restrictmoderate.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
done
for DOMAIN in bing.com; do
    printf 'cname=%s,www.%s,strict.%s \n' $DOMAIN $DOMAIN $DOMAIN >> "${FILE}"
done
for DOMAIN in pixabay.com; do
    printf 'cname=%s,safesearch.%s \n' $DOMAIN $DOMAIN >> "${FILE}"
done
for DOMAIN in duckduckgo.com; do
    printf 'cname=%s,www.%s,start.%s,safe.%s \n' $DOMAIN $DOMAIN $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=duck.com,www.duck.com,safe.%s \n' $DOMAIN >> "${FILE}"
done
for DOMAIN in qwant.com; do
    printf 'cname=api.%s,safeapi.%s \n' $DOMAIN $DOMAIN >> "${FILE}"
done
YANDEX="com ru ua by kz"
for DOMAIN in $YANDEX; do
    printf 'cname=yandex.%s,www.yandex.%s,familysearch.yandex.ru \n' $DOMAIN $DOMAIN >> "${FILE}"
done
for DOMAIN in forcesafesearch.google.com safe.duckduckgo.com restrictmoderate.youtube.com strict.bing.com safesearch.pixabay.com safeapi.qwant.com familysearch.yandex.ru; do
IPS="$(nslookup $DOMAIN | grep "Address" | grep -oE "\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b" | sed -n 2p)"
    if [ "$DOMAIN" = "forcesafesearch.google.com" ]; then
        printf 'host-record=%s,restrict.youtube.com,%s,::ffff:%s \n' $DOMAIN $IPS $IPS >> "${FILE}"
    else
        printf 'host-record=%s,%s,::ffff:%s \n' $DOMAIN $IPS $IPS >> "${FILE}"
    fi
done
echo -e "\n# End of Enforced Safe Search #\n" >> "${FILE}"
service restart_dnsmasq >/dev/null 2>&1
EOF
sh enforcesafe.sh && rm -rf enforcesafe.sh


Copy and paste this script directly into the ssh terminal and press enter.

all of your safesearch needs will be covered.
 
Last edited:
SomeWhereOverTheRainBow said:
you have to copy and paste those lines into the terminal.. don't add them directly to dnsmasq.conf.add


For best results, use the script 1 from this link
www.snbforums.com

Tutorial - Forcing SafeSearch Tutorial

There are many approaches to this topic and RMerlin's Wiki https://github.com/RMerl/asuswrt-merlin.ng/wiki/Enforce-Safesearch -briefly delves on the concept using dnsmasq. Instead of reinventing the wheel over and over again with this topic, below is a small script and instructions for users...
www.snbforums.com www.snbforums.com


Code: 
touch enforcesafe.sh && cat > "enforcesafe.sh" <<'EOF'
#!/bin/sh
URL="https://www.google.com/supported_domains"
FILE="/jffs/configs/dnsmasq.conf.add"

[ ! -f "$FILE" ] && touch $FILE
echo -e "\n# Enforced Safe Search:\n" >> "${FILE}"
DOMAINS="$(curl $URL 2>/dev/null)"
for DOMAIN in $DOMAINS; do
    DOMAIN=$(echo $DOMAIN | cut -c 2-)
    printf 'cname=www.%s,forcesafesearch.google.com \n' $DOMAIN >> "${FILE}"
done
#this version uses restrictmoderate.youtube.com
for DOMAIN in youtube; do
    printf 'cname=www.%s.com,restrictmoderate.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=m.%s.com,restrictmoderate.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=%si.googleapis.com,restrictmoderate.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=%s.googleapis.com,restrictmoderate.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=www.%s-nocookie.com,restrictmoderate.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
done
for DOMAIN in bing.com; do
    printf 'cname=%s,www.%s,strict.%s \n' $DOMAIN $DOMAIN $DOMAIN >> "${FILE}"
done
for DOMAIN in pixabay.com; do
    printf 'cname=%s,safesearch.%s \n' $DOMAIN $DOMAIN >> "${FILE}"
done
for DOMAIN in duckduckgo.com; do
    printf 'cname=%s,www.%s,start.%s,safe.%s \n' $DOMAIN $DOMAIN $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=duck.com,www.duck.com,safe.%s \n' $DOMAIN >> "${FILE}"
done
for DOMAIN in qwant.com; do
    printf 'cname=api.%s,safeapi.%s \n' $DOMAIN $DOMAIN >> "${FILE}"
done
YANDEX="com ru ua by kz"
for DOMAIN in $YANDEX; do
    printf 'cname=yandex.%s,www.yandex.%s,familysearch.yandex.ru \n' $DOMAIN $DOMAIN >> "${FILE}"
done
for DOMAIN in forcesafesearch.google.com safe.duckduckgo.com restrictmoderate.youtube.com strict.bing.com safesearch.pixabay.com safeapi.qwant.com familysearch.yandex.ru; do
IPS="$(nslookup $DOMAIN | grep "Address" | grep -oE "\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b" | sed -n 2p)"
    if [ "$DOMAIN" = "forcesafesearch.google.com" ]; then
        printf 'host-record=%s,restrict.youtube.com,%s,::ffff:%s \n' $DOMAIN $IPS $IPS >> "${FILE}"
    else
        printf 'host-record=%s,%s,::ffff:%s \n' $DOMAIN $IPS $IPS >> "${FILE}"
    fi
done
echo -e "\n# End of Enforced Safe Search #\n" >> "${FILE}"
service restart_dnsmasq >/dev/null 2>&1
EOF
sh enforcesafe.sh && rm -rf enforcesafe.sh


Copy and paste this script directly into the ssh terminal and press enter.

all of your safesearch needs will be covered.
Click to expand...
Hi guys.. sorry to awake this thread again.
So, SafeSearch has been working great, no issues. However, I started using FireFox and I enabled DNS over HTTPS for more security. I noticed that if that's enabled, the dnsmasq configuration I have is bypassed. Is there a way to still enforce that rule over HTTPS?

I am using this..

address=/www.bing.com/204.79.197.220
address=/duckduckgo.com/ 52.149.247.1
address=/www.google.com/216.239.38.120

@SomeWhereOverTheRainBow
If I add your script, will that still work over HTTPS?
 
macster2075 said:
However, I started using FireFox and I enabled DNS over HTTPS for more security. I noticed that if that's enabled, the dnsmasq configuration I have is bypassed. Is there a way to still enforce that rule over HTTPS?
Click to expand...
No. DoH bypasses the router DNS completely. Ironic that you believe you are using DoH for “security” but it prevents you from enforcing safer searches. Those kiddies being protected from adult searches can use the same DoH tricks to bypass your safeguards once a classmate shows them how.
 
dave14305 said:
No. DoH bypasses the router DNS completely. Ironic that you believe you are using DoH for “security” but it prevents you from enforcing safer searches. Those kiddies being protected from adult searches can use the same DoH tricks to bypass your safeguards once a classmate shows them how.
Click to expand...
"safer" meaning filtering adult sites...and I meant "security" as in my connection to the Internet being safer than using http. - So you're saying there's really nothing I can do at the router level with firewall to do this? - I've found a few sites that mention enforcing SafeSearch over HTTPS, but I don't know how to implement that on my router.
 
macster2075 said:
but I don't know how to implement that on my router.
Click to expand...
You can't, if you're enabling DoH in the browser. That's the whole point of enabling DoH in the browser! If you want to encrypt the DNS requests of all of your clients you need to disable DoH on the clients and either use DoT on the router or setup another local DNS server (e.g. Pihole) that runs DoH.
 
ColinTaylor said:
You can't, if you're enabling DoH in the browser. That's the whole point of enabling DoH in the browser! If you want to encrypt the DNS requests of all of your clients you need to disable DoH on the clients and either use DoT on the router or setup another local DNS server (e.g. Pihole) that runs DoH.
Click to expand...
I actually have a pihole machine running, but for some reason safesearch doesn't work. I had created another post regarding that issue, and it seems it's an issue with pihole.
So, to understand what you're saying... if I set pihole as the ONLY dns server and point all devices to it, even if they enable doh in the browser, they won't be able to bypass it?
 
macster2075 said:
...even if they enable doh in the browser, they won't be able to bypass it?
Click to expand...
No, I'm saying the opposite. Enabling DoH in the browser will bypass whatever you else you do***. This is the main point of DoH. It takes control away from the network administrator and puts it in the hands of the user.

*** An exception is if you set "Prevent client auto DoH" to Yes in the router's WAN settings and the browser is configured to honour that setting.
 
oh ok.. I asked because you said this..."......If you want to encrypt the DNS requests of all of your clients...... or setup another local DNS server (e.g. Pihole) that runs DoH."
That made me think you meant if there's a Pihole DNS server, it could help with that.
 
But.. thank you Colin, enabling that setting in the router helped...for now. haha... now even if I enable doh in firefox, SafeSearch is still implemented.
 
HA!! - Spoke too soon.. that setting in the browser didn't actually block doh haha... I cleared cache and safesearch is no longer enabled :(
 
macster2075 said:
I actually have a pihole machine running, but for some reason safesearch doesn't work. I had created another post regarding that issue, and it seems it's an issue with pihole.
So, to understand what you're saying... if I set pihole as the ONLY dns server and point all devices to it, even if they enable doh in the browser, they won't be able to bypass it?
Click to expand...
Sounds like you have your pihole configured in such away that it Bypasses using DNS from the router.

If you want to use safe-search from the router script, your pihole point must back to the router for dns thus not bypassing it. -i.e. the routers WAN-DNS1 and DNS2 is configured to some outbound dns such as 1.1.1.1 and 1.0.0.1, or you are using the routers DoT. Pihole custom DNS options points back to using the Router for DNS.

If you insist on using some alternative DNS for Pi-hole setup other than the router, You must configure a safe search option on the pihole itself and not rely on the router script. -i.e. where you have some odd configuration where Wan DNS 1 points to some outbound DNS and Wan DNS 2 points to pihole, and some weird configuration where Lan DNS points at your pihole and also points at the router itself.
 
Last edited:
SomeWhereOverTheRainBow said:
Sounds like you have your pihole configured in such away that it Bypasses using DNS from the router.

If you want to use safe-search from the router script, your pihole point must back to the router for dns thus not bypassing it.

If you insist on using some alternative DNS for Pi-hole setup other than the router, You must configure a safe search option on the pihole itself and not rely on the router script.
Click to expand...
Right.. I'm just looking for a way to prevent bypassing content filtering using DOH. I've been reading and watching videos on how to setup the pihole using dns over HTTPS, like Cloudfare, but I can't really rap my head around it.

Not entirely sure if doing this will prevent a user from bypassing filtering simply by enabling doh in Firefox even though the dns will be over doh...can you clarify?
 
macster2075 said:
Right.. I'm just looking for a way to prevent bypassing content filtering using DOH. I've been reading and watching videos on how to setup the pihole using dns over HTTPS, like Cloudfare, but I can't really rap my head around it.

Not entirely sure if doing this will prevent a user from bypassing filtering simply by enabling doh in Firefox even though the dns will be over doh...can you clarify?
Click to expand...
Use your firewall to block out bound connections on port 443 to certain IP addresses know for DoH traffic. Another classic method is to block the DoH addresses similar to how you block advertisements on pihole. DoH connections before it starts out as a DoH connection ,has to be able to send a query to the server it is trying to connect. If you block this, then it has no way of ever establishing the connection.

Here is a good nobypass list

 
Last edited:
SomeWhereOverTheRainBow said:
Use your firewall to block out bound connections on port 443 to certain IP addresses know for DoH traffic. Another classic method is to block the DoH addresses similar to how you block advertisements on pihole. DoH connections before it starts out as a DoH connection ,has to be able to send a query to the server it is trying to connect. If you block this, then it has no way of ever establishing the connection.

Here is a good nobypass list

Click to expand...
So I would have to know which IP address are using outbound doh connection on port 443?
Based on the answers I got previously on this post, I thought doh would bypass all filtering at the router level, no matter what.. that's the impression I got from it.
But you're saying there's a way block that?
 
You must log in or register to reply here.

Similar threads

XxUnkn0wnxX
Proper dnsmasq config for local resolver?
Replies
3
Views
882
XxUnkn0wnxX
XxUnkn0wnxX
alan6854321
Missing entries in syslog?
Replies
3
Views
545
ColinTaylor
C
macster2075
Solved Need help Enforcing SafeSearch on duckduckgo.com
2 3
Replies
40
Views
10K
macster2075
macster2075
icanfly
DNS fails for local devices when there is no WAN!
Replies
2
Views
1K
icanfly
icanfly
cyruz
Simple script for DNS fallback
Replies
9
Views
2K
Drinking_Dragon
Drinking_Dragon
Similar threads
Thread starter Title Forum Replies Date
C force to flush flowcache entries Asuswrt-Merlin 1
K Is there anyway to force AiMesh to use eth8 as backhaul? Asuswrt-Merlin 4
C How to set upstream DNS but force clients to use the router for DNS? Asuswrt-Merlin 2

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 766 (members: 17, guests: 749)
Top