Option to force Google Safe Search

Comments

65 comments

  • Avatar
    rotblitz

    This is problematic.  OpenDNS could create an option to configure for step 1 (CNAME www.google.com to nosslsearch.google.com) and step 3 (Block access to encrypted.google.com), but step 2 (append &safe=active directly to all search URLs) is totally out of scope for a DNS service like OpenDNS.  This can be done by a HTTP proxy service only.

    On the other hand, OpenDNS occasionally operated a Google proxy (http://blog.opendns.com/2007/05/22/google-turns-the-page/).  This could be used as such a proxy where &safe=active is appended to the URL.

    No matter, you got my vote!  Let's see what comes out.

  • Avatar
    scott_st

    If you get Google locked into SafeSearch, what about Bing.com, Ask.com, Yahoo.com, AOl.com, etc? Check out buctools.com, they have a router that protects them all.

  • Avatar
    robingeek

    How about this taken from this page

    https://support.google.com/websearch/answer/186669?hl=en-GB

    This option requires extensive technical expertise. Options 1 and 2 are recommended for those who don’t have a technical background.

    About SafeSearch Virtual IP address (VIP)

    SafeSearch VIP will force all users on your network to use SafeSearch on Google Search while still allowing a secure connection via HTTPS. The VIP in SafeSearch VIP refers to a Virtual IP which is an IP address that can be routed internally to multiple Google servers.

    When SafeSearch VIP is turned on, teachers and students at your school will see a notification the first time they go to Google; this will let them know that SafeSearch is on.

    SafeSearch VIP can be used as part of a comprehensive internet safety policy by schools; this is part of keeping students secure while limiting their access to adult content at school.

    Using SafeSearch VIP will not affect other Google services outside of Google Search.

    Turn on SafeSearch VIP

    To force SafeSearch for your network, you’ll need to update your DNS configuration. Set the DNS entry for www.google.com (and any other Google ccTLD country subdomains your users may use) to be a CNAME for forcesafesearch.google.com.

    We will serve SafeSearch Search and Image Search results for requests that we receive on this VIP.

    Could OpenDNS setup the DNS entry for all google domains to be a CNAME for forcesafesearch.google.com.

     

    Cheers

    Robin

  • Avatar
    Patrick Colford

    Hi Robin!

    We actually have some information on this since Google released this feature. You can find our support article on it here: https://support.opendns.com/entries/57304954-Enforcing-Google-SafeSearch

  • Avatar
    doafr

    Patrick - the advice on that page is too complex.  If OpenDNS is a respectable DNS it would just solve this as requested above

    OpenDNS should set the DNS entry for all google domains to be a CNAME for forcesafesearch.google.com

  • Avatar
    doafr

    Turns out I can't get the google forcesafesearch domain doesn't work.

     

  • Avatar
    mattwilson9090

    What is too complicated about it? They are clear instructions on how to enable this, including that you need a local DNS server in order to make it work.

    What do you mean by a respectable DNS? Have you read in the several threads that address this exact same topic that OpenDNS is a recursive DNS service, not an authoritative DNS service, and thus cannot modify the DNS information or create CNAME's for you, that you need to do it yourself on your own DNS server?

    Also, assuming this were even technically possible to do, why should OpenDNS force this setting upon all of it's users, whether they use a free or paid service, when Google itself offers this as an option for it's own users?

    If you are this concerned about this I suggest that you block the Search Engines category and then whitelist only the search engines that provide the degree of censorship that you are looking for. After all, even if OpenDNS were to implement this on Google, you'd still have all the other search engines, such as bing, ask, yahoo, etc to worry about.

  • Avatar
    doafr
    Apologies for being a naive paying customer of opendns and wanting "to protect my family from inappropriate websites" as the sales pitch promises". I don't think there are many people who know how to set up a home DNS with cname mapping as described.
  • Avatar
    doafr
    And BTW Google's fix doesn't work
  • Avatar
    mattwilson9090

    So in other words you have completely ignored all of the statements that say that OpenDNS *cannot* do this because it is a recursive DNS service, not an authoritative DNS service. Instead you prefer to stamp your foot like a petulant child and keeping screaming "I want it. Do it."

    OpenDNS is doing what they say they are doing in providing protection. They are blocking the domains or categories of domains that you want blocked. For those who pay for additional services they are also blocking those domains that are in some manner deemed "malicious". OpenDNS does not block specific content from individual domains that you are not blocking. They cannot be held responsible for protecting you from content that websites return to you if you choose to allow those websites through.

    How exactly does Google's fix not work?

    Like I suggested, if you don't like the results that Google returns, and either can't or won't follow their instructions for forcing safesearch just block the entire Search Engines category and then whitelist whatever search engine that provides the level of censorship that you desire. The tools, including OpenDNS are available to you. It's up to you to use them appropriately they providing the level of censorship that you want.

  • Avatar
    scott_st

    doafr - to provide the level of content filtering you desire you need DNS + URL filtering, check out buctools.

  • Avatar
    rotblitz

    @doafr 
    You'll want to read https://support.opendns.com/entries/57304954-Enforcing-Google-SafeSearch#view-post-23392360 to solve it with what you have already.

  • Avatar
    mattwilson9090

    What is buctools?

  • Avatar
    rotblitz

    http://www.buctools.com/

    As scott_st said above, "they have a router that protects them all".

  • Avatar
    mattwilson9090

    Thanks. Looks interesting.

    As good as OpenDNS is, there are some things that can only be done with a local device.

  • Avatar
    jonathanhg

    This is possible, translating any Google domain (www.google.com/supported_domains) to the following IP 216.239.38.120

  • Avatar
    mattwilson9090

    How is this possible? What do you mean by "translating"? In all of the years I've worked in IT and with DNS I have never come across the term "translating".

    I think what you are referring to are the instructions posted here and at Google multiple times that state you need to set up your own DNS server (I believe even DNSMasq will work as well) on your own network or networks. The reason you need your own DNS server is that an *authoritative* DNS server is needed to do this. However OpenDNS is essentially a *recursive* DNS service so they cannot do this without completely redesigning their entire service for the sake of a feature supported on someone else's service.

    If you know of a different way to do this please let us know how to do it.

  • Avatar
    rotblitz

    I believe that @jonathanhg meant that it is possible with an own DNS server only as explicitly documented even by Google.

    From https://support.google.com/websearch/answer/186669?hl=en :

    To force SafeSearch for your network, you’ll need to update your DNS configuration.

    This is all pretty clear, isn't it?  They definitely didn't think about recursive DNS services like OpenDNS, else they would offer this for their own recursive Google DNS service, but - they don't!  (This would be the minimum to combine their SafeSearch with their own recursive DNS service, isn't it?)  Also, all other filtering recursive DNS services don't offer an option to force Google SafeSearch either.  They know why not!  (Or do you know one offering this option?)

  • Avatar
    thetrush

    Great thread, very helpful.  Would like to know if anyone has bought , setup , using and found effective the buctools device mentioned.  I also saw mentioned DD-WRT device

    https://support.opendns.com/entries/57304954-Enforcing-Google-SafeSearch#view-post-23392360

    We are also trying to setup Safe Search from all devices .  Currently all available openDNS web content filtering categories are turned on (including 'search engines') .  I tried putting forcesafesearch.google.com into the whitelist of allowed sites but errors out pointing to the fact that I blocked 'search engines'.  I'm familiar with the openDNS product in general using it for quite some time with great success overall.  Something probably simple I am missing here regarding blocking google.com but trying to access forcesafesearch.google.com I am still researching using many links above.

    Wanted to also mention I found a great local DNS solution, DNS redirector.  Its founder was very helpful and available for questions.  Its my next step. 

    I also saw mentioned that the founder of openDNS was involved in a local DNS product installed at system level , is that available or can openDNS with a purchased extension or variation provide a "Total internet block , then build whitelist"

    DNS redirector although very good at this, requires quite a bit of hands on to determine all URL's and sub URL's for some sites to work effectively.  Loved how I could block ad's/other sites showing up inside sites.

    Thank you !

     

  • Avatar
    rotblitz

    "I tried putting forcesafesearch.google.com into the whitelist of allowed sites but errors out pointing to the fact that I blocked 'search engines'."

    Yes, sure, also forcesafesearch.google.com belongs to this category, of course. And if you visit forcesafesearch.google.com, you will be immediately redirected to www.google.com (or other Google TLD) with the SafeSearch Option set (unless you blocked forcesafesearch.google.com or Search Engines with OpenDNS).  So what's your problem, and what do you want to achieve?  If you want to allow Google (no matter if with or without SafeSearch), you must not block the Search Engines category, or you must add google.com to your "never block" list, not forcesafesearch.google.com.

    "I found a great local DNS solution, DNS redirector."

    Which is a totally different product and service, because it's local software, not a service "in the cloud", so not comparable and not worth to be discussed here.  You can use it as an additional layer of your concept if you like.

    "I also saw mentioned that the founder of openDNS was involved in a local DNS product installed at system level"

    Never heard about this.  I only know about DNS services, recursive and authoritative.  The authoritative one has been sold out.

    "can openDNS with a purchased extension or variation provide a "Total internet block , then build whitelist""

    Not internet block, but DNS block.  OpenDNS is a DNS service with no influence on your internet connection where only your ISP is in charge for.
    And yes, this "white-list only" mode is available in OpenDNS Home VIP and also in the Enterprise versions.

    "Loved how I could block ad's/other sites showing up inside sites."

    You don't do this with an online service, because you want to get rid of related traffic.  You don't want to produce traffic for stuff you don't want to see anyway.  Instead you use local browser extensions like Adblock Plus or Ghostery.

    But your message tended to become off-topic with this.  This thread is about enforcing Google SafeSearch only.

  • Avatar
    thetrush

    Hey thanks rotblitz .  I am moving toward a total internet block and whitelist allowed sites, especially safe search google, since users of our network were basically google searching for music and game sites that openDNS hasn't filtered yet. or are being reviewed even with those categories selected in the openDNS config I setup.

    Understood re: DNS redirector, i realize its different than openDNS.  Just mentioning it in the event someone had experience with it or could recommend a better local software solution.

    Yes the authoritative one, that's it, oh it sold out, ok

    Yes I meant DNS block, I'll check into Home VIP and Enterprise .

    We have Adblock in place, I'll check Ghostery

    Thanks for the feedback .

  • Avatar
    rotblitz

    "especially safe search google, since users of our network were basically google searching for music and game sites"

    Well, Google's SafeSearch will not prevent users from searching for music and games. SafeSearch concentrates on filtering "adult" content of any (mostly with sexuality associated) kind.

    "Just mentioning it in the event someone had experience with it or could recommend a better local software solution."

    No experience with Redirector.  Maybe Fiddler?  This can be operated as internal proxy where all web traffic has to go through and can be filtered as you want.  And it's free!

  • Avatar
    f0409404

    i think K9 can force all search engine 

  • Avatar
    mattwilson9090

    What do you mean that "K9 can force all search engine"?

  • Avatar
    cornernote

    > OpenDNS should set the DNS entry for all google domains to be a CNAME for forcesafesearch.google.com

    +1 to that... seems a very simple problem.

    It should be optional in the Web Content Filtering page.

  • Avatar
    mattwilson9090

    @cornernote Have you even bothered to read any of the discussion in this and related threads? Why do you think this is a very simple "problem" for OpenDNS to "resolve"?

    Quite simply, OpenDNS is at it's heart a recursive DNS provider, not an authoritative DNS provider. It can only lookup and provide DNS entries that a domain owner defines on their authoritative DNS server. There is no way for them to modify that information.

    To force the forcesafesearch option on google requires setting an A record that can only be done on an authoritative DNS server, which is why all of the directions and discussion surrounding this say that you need to set up a DNS server on your own network. That is why OpenDNS cannot offer this as an option and why you must do it for yourself on your network (or have someone who is knowledgeable for such things do it on your network).

  • Avatar
    rotblitz

    "It can only lookup and provide DNS entries that a domain owner defines on their authoritative DNS server."

    In case of OpenDNS (and some others) this is not entirely true.  They return their own IP address in case of category blocking, individual domain and phish and malware blocking, earlier even instead of NXDOMAIN and SERVFAIL responses.  The same way they could theoretically return the IP address of forcesafesearch.google.com for the listed Google domains if such an option existed at the dashboard.  I know, this may be an expensive system change though.

    Therefore I voted for this idea already a longer while ago.

  • Avatar
    jawboned

    How does Rawstream do it?

  • Avatar
    mattwilson9090

    Who or what is rawstream, and how do they do what?

Please sign in to leave a comment.