Tutorial Forcing SafeSearch Tutorial

[SomeWhereOverTheRainBow]

It appears you are right. As I said your script seems to work fine after the modifications you've made, so this was in no way an attack on your effort, so please don't feel offended.

Nevertheless I still think it's strange that safe.duckduckgo, shows 'Moderate' Safe Search settings, instead of Strict (at least, that's the option shown at their settings page), regardless of what the search results are showing, but that now seems to be completely beyond the scope of this thread. That's odd, or is am I the only one thinking that they're completely missing the point they're trying to achieve with safe.duckduckgo. When visiting Google it clearly shows 'Safesearch on' and there's no (obvious) way around it. If and when I'll receive a reply from Duckduckgo, I'll share it.

it is due to the fact that once upon a time duckduckgo was only able to safe search via the settings page. the addition of CNAME controlled Safe search is relatively new to Duckduckgo. They have only been CNAME compatible for a few years now and the methods the settings page use and the method the CNAME methods use are completely different and separate.

 

[SomeWhereOverTheRainBow]

@MvW One good thing that comes out of it is no matter if I try to downgrade the type of search, the CNAME method appears to be doing its job despite what the settings page says. It will not let me get around the search restrictions. This means the CNAME method is enforced.

 

[MvW]

@SomeWhereOverTheRainBow: it seems that youtube.com and youtu.be are both still getting away with it, they're not redirected tot restrictmoderate.youtube.com but to some other (Google-owned) IP-address 172.217.17.110, which in my case opens google.com. Could you add them to the script or explain to me how to add them manually?

/tmp/home/root# dig www.youtube.com @10.0.12.1

; <<>> DiG 9.16.8 <<>> www.youtube.com @10.0.12.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59551
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;www.youtube.com.               IN      A

;; ANSWER SECTION:
www.youtube.com.        0       IN      CNAME   restrictmoderate.youtube.com.
restrictmoderate.youtube.com. 0 IN      A       216.239.38.119

;; Query time: 20 msec
;; SERVER: 10.0.12.1#53(10.0.12.1)
;; WHEN: Sun Jan 31 22:49:16 CET 2021
;; MSG SIZE  rcvd: 102

/tmp/home/root# dig youtu.be @10.0.12.1

; <<>> DiG 9.16.8 <<>> youtu.be @10.0.12.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26862
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;youtu.be.                      IN      A

;; ANSWER SECTION:
youtu.be.               300     IN      A       172.217.17.110

;; Query time: 70 msec
;; SERVER: 10.0.12.1#53(10.0.12.1)
;; WHEN: Sun Jan 31 22:52:33 CET 2021
;; MSG SIZE  rcvd: 53

/tmp/home/root# dig youtube.com @10.0.12.1

; <<>> DiG 9.16.8 <<>> youtube.com @10.0.12.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63029
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;youtube.com.                   IN      A

;; ANSWER SECTION:
youtube.com.            34      IN      A       172.217.17.110

;; Query time: 0 msec
;; SERVER: 10.0.12.1#53(10.0.12.1)
;; WHEN: Sun Jan 31 22:53:23 CET 2021
;; MSG SIZE  rcvd: 56

Thanks in advance.

 

[SomeWhereOverTheRainBow]

@SomeWhereOverTheRainBow: it seems that youtube.com and youtu.be are both still getting away with it, they're not redirected tot restrictmoderate.youtube.com but to some other (Google-owned) IP-address 172.217.17.110, which in my case opens google.com. Could you add them to the script or explain to me how to add them manually?

/tmp/home/root# dig www.youtube.com @10.0.12.1

; <<>> DiG 9.16.8 <<>> www.youtube.com @10.0.12.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59551
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;www.youtube.com.               IN      A

;; ANSWER SECTION:
www.youtube.com.        0       IN      CNAME   restrictmoderate.youtube.com.
restrictmoderate.youtube.com. 0 IN      A       216.239.38.119

;; Query time: 20 msec
;; SERVER: 10.0.12.1#53(10.0.12.1)
;; WHEN: Sun Jan 31 22:49:16 CET 2021
;; MSG SIZE  rcvd: 102

/tmp/home/root# dig youtu.be @10.0.12.1

; <<>> DiG 9.16.8 <<>> youtu.be @10.0.12.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26862
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;youtu.be.                      IN      A

;; ANSWER SECTION:
youtu.be.               300     IN      A       172.217.17.110

;; Query time: 70 msec
;; SERVER: 10.0.12.1#53(10.0.12.1)
;; WHEN: Sun Jan 31 22:52:33 CET 2021
;; MSG SIZE  rcvd: 53

/tmp/home/root# dig youtube.com @10.0.12.1

; <<>> DiG 9.16.8 <<>> youtube.com @10.0.12.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63029
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;youtube.com.                   IN      A

;; ANSWER SECTION:
youtube.com.            34      IN      A       172.217.17.110

;; Query time: 0 msec
;; SERVER: 10.0.12.1#53(10.0.12.1)
;; WHEN: Sun Jan 31 22:53:23 CET 2021
;; MSG SIZE  rcvd: 56

Thanks in advance.

have you tested to see if the videos are unrestricted on the search? because once you use the search it appears to divert back to www.youtube.com which gets enforced to restrictmoderate.youtube.com. So from what I can tell from my personal use, it always reverts back to www.youtube.com which is controlled by restrictmoderate.youtube.com. so there is no point to direct the domain as it always leads to www.youtube.com. This is what they call a domain the directs to www.youtube.com. it doesn't act exclusively separate.

I also tested the IP address that leads to www.google.com and it is still restricted when you use the search. Youtube and google are interconnected as they share domains as long as both are still restricted there is no issues.

I wont be changing anything on the main script because from what I can tell everything is working as intended. You are welcome to modify or add any additional lines that you may be required to your own personal dnsmasq.conf.add using nano inside your SSH terminal.

You could also try rerunning the script and clearing cache one more time. I had to do that one time earlier.

 

[MvW]

Thanks for your reply, @SomeWhereOverTheRainBow.

How can I check that both addresses end up using restrictmoderate.youtube.com? How do I recognise a restricted video from the others. Sorry, might sound silly, but I really don't know and I've got mental issues which prevent me from thinking straight, so please help me.

I noticed you changed the first post, but I don't know the difference. English is not my native language. Is restrict.youtube.com even more strict than restrictmoderate.youtube.com?

Yesterday morning I discovered I couldn't watch the streaming service of our church, getting an error about 'our Google platform manager having put restrictions in place'. I assume this is because of the re-directions we've made? I've now setup DNSFilter for everything to use router settings, except for the Smart TV, to bypass router settings. Is that the best way to solve it? I can only test it Sunday next week and was hoping to get it solved by than.

For what it's worth: I wasn't asking you to change the script, I just noticed that youtube.com and youtu.be pointed at a different address than www.youtube.com. Just trying to help here, as far as I'm able to.

Best regards,
Marco

 

[SomeWhereOverTheRainBow]

Thanks for your reply, @SomeWhereOverTheRainBow.

How can I check that both addresses end up using restrictmoderate.youtube.com? How do I recognise a restricted video from the others. Sorry, might sound silly, but I really don't know and I've got mental issues which prevent me from thinking straight, so please help me.

I noticed you changed the first post, but I don't know the difference. English is not my native language. Is restrict.youtube.com even more strict than restrictmoderate.youtube.com?

Yesterday morning I discovered I couldn't watch the streaming service of our church, getting an error about 'our Google platform manager having put restrictions in place'. I assume this is because of the re-directions we've made? I've now setup DNSFilter for everything to use router settings, except for the Smart TV, to bypass router settings. Is that the best way to solve it? I can only test it Sunday next week and was hoping to get it solved by than.

For what it's worth: I wasn't asking you to change the script, I just noticed that youtube.com and youtu.be pointed at a different address than www.youtube.com. Just trying to help here, as far a I'm able to.

Best regards,
Marco

My point is that the addresses you mentioned lead back to www.youtube.com once placed in a browser, so there is no need for concern, even though the dig test do not show that. The www.youtube.com is covered by restrictmoderate.youtube.com.

 

[MvW]

Thanks for your explanation. Would anyone be so kind to answer my remaining questions from my previous post?

 

[SomeWhereOverTheRainBow]

Thanks for your explanation. Would anyone be so kind to answer my remaining questions from my previous post?

restrict.youtube.com is strict, while restrctmoderate.youtube.com is less strict than strict. The restriction flag is not prompted unless the visitor attempts to access a video that is rated inappropriate for the chosen restriction level. Restrict moderate is more relaxed on what gets blocked compared to plain restrict. In contrast plain restrict sometimes blocks too much.

 

[MamaLbh]

I tried copying and pasting this and I got "nonexistent directory" error for each line. How do I create the directory? Something like: mkdir /jffs/configs/ ?
I am still very new to 'talking' to the router this way.
Thanks - I am running a LBR20 (Orbi)

 

[ColinTaylor]

Thanks - I am running a LBR20 (Orbi)

These scripts are specific to Merlin's firmware running on Asus routers. They will not work on Netgear.

 

[SomeWhereOverTheRainBow]

I tried copying and pasting this and I got "nonexistent directory" error for each line. How do I create the directory? Something like: mkdir /jffs/configs/ ?
I am still very new to 'talking' to the router this way.
Thanks - I am running a LBR20 (Orbi)

This is for RMerlin Based firmware, where the directory should already exist. I am not even sure if this will work with your router. It is not even tested for it.

 

[macster2075]

@SomeWhereOverTheRainBow Is this the script you mentioned on my other post?

If it is, how would apply this to Pihole?
I am running Pihole in Ubuntu.

There is a section in Pihole for CNAME Records, but I don't know how to use it.

I have tried this, but it doesn't seem to work.. it's probably wrong!

 

[SomeWhereOverTheRainBow]

@SomeWhereOverTheRainBow Is this the script you mentioned on my other post?

If it is, how would apply this to Pihole?
I am running Pihole in Ubuntu.

There is a section in Pihole for CNAME Records, but I don't know how to use it.

I have tried this, but it doesn't seem to work.. it's probably wrong!

View attachment 46188

Yea my script only applies if you are talking about enforcing safe search with the router. Nothing to do with pihole. Same as the thread you posted in. The OP issue on that thread was originally about enforcing safe search on the router itself. How it evolved to pihole is a mystery. You will have to bring this type up question up with the pihole developers.

 

[macster2075]

Oh ok, thanks for that. Just curious, which search engines is it being implemented on?

 

[SomeWhereOverTheRainBow]

Oh ok, thanks for that. Just curious, which search engines is it being implemented on?

All the ones you describe and a couple of more.


If you happen to run unbound instance with your pihole as upstream for pihole you could consider using my unbound list for enforcing safe search with unbound cname feature.

https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/safesearch.conf

Both my methods cover youtube,Google, Bing, duckduckgo and a couple of others.

 

[macster2075]

Nice! - I would definitely give it try. I have tried Unbound before, but it I got scared when Merlin said something about security risk when running a recursive DNS, so I took it off haha.

 

[SomeWhereOverTheRainBow]

Nice! - I would definitely give it try. I have tried Unbound before, but it I got scared when Merlin said something about security risk when running a recursive DNS, so I took it off haha.

There are risks with anything especially if your network is unsecure including open firewall and such. He was just bring it up to indicate nothing is ever truly secure absent of good network practices.

 

[macster2075]

Is there a script available I can run after I install Unbound to make sure my network is properly secured?

 

[L&LD]

No.

There is no script I would trust that would give a 'safe network' approval stamp.

 

[macster2075]

What I meant by a script is....
Since I have been told that running a recursive DNS server opens the door for security risks...

So the script I am referring to, is one that closes any ports it opened or whatever it is Unbound did....I am saying "opened ports" as an example.
If there is no script, what do I need to do, to make it as secure as it was before I installed Unbound?