Option to force Google Safe Search
I think it is possible for OpenDNS to offer an option to force Google Safe Search using option 3 at the DNS level from these instructions https://support.google.com/websearch/answer/186669?hl=en The requirements are creating a specific DNS entry that tells Google not to apply https and secondly to apply a proxy service to append search names to include &safe=active. I don't mind blocking the other search engines to avoid the same issue but blocking Google is not optional.
-
This is problematic. OpenDNS could create an option to configure for step 1 (CNAME www.google.com to nosslsearch.google.com) and step 3 (Block access to encrypted.google.com), but step 2 (append &safe=active directly to all search URLs) is totally out of scope for a DNS service like OpenDNS. This can be done by a HTTP proxy service only.
On the other hand, OpenDNS occasionally operated a Google proxy (http://blog.opendns.com/2007/05/22/google-turns-the-page/). This could be used as such a proxy where &safe=active is appended to the URL.
No matter, you got my vote! Let's see what comes out.
-
How about this taken from this page
https://support.google.com/websearch/answer/186669?hl=en-GB
This option requires extensive technical expertise. Options 1 and 2 are recommended for those who don’t have a technical background.
About SafeSearch Virtual IP address (VIP)
SafeSearch VIP will force all users on your network to use SafeSearch on Google Search while still allowing a secure connection via HTTPS. The VIP in SafeSearch VIP refers to a Virtual IP which is an IP address that can be routed internally to multiple Google servers.
When SafeSearch VIP is turned on, teachers and students at your school will see a notification the first time they go to Google; this will let them know that SafeSearch is on.
SafeSearch VIP can be used as part of a comprehensive internet safety policy by schools; this is part of keeping students secure while limiting their access to adult content at school.
Using SafeSearch VIP will not affect other Google services outside of Google Search.
Turn on SafeSearch VIP
To force SafeSearch for your network, you’ll need to update your DNS configuration. Set the DNS entry for www.google.com (and any other Google ccTLD country subdomains your users may use) to be a CNAME for forcesafesearch.google.com.
We will serve SafeSearch Search and Image Search results for requests that we receive on this VIP.
Could OpenDNS setup the DNS entry for all google domains to be a CNAME for forcesafesearch.google.com.
Cheers
Robin
-
Hi Robin!
We actually have some information on this since Google released this feature. You can find our support article on it here: https://support.opendns.com/entries/57304954-Enforcing-Google-SafeSearch -
What is too complicated about it? They are clear instructions on how to enable this, including that you need a local DNS server in order to make it work.
What do you mean by a respectable DNS? Have you read in the several threads that address this exact same topic that OpenDNS is a recursive DNS service, not an authoritative DNS service, and thus cannot modify the DNS information or create CNAME's for you, that you need to do it yourself on your own DNS server?
Also, assuming this were even technically possible to do, why should OpenDNS force this setting upon all of it's users, whether they use a free or paid service, when Google itself offers this as an option for it's own users?
If you are this concerned about this I suggest that you block the Search Engines category and then whitelist only the search engines that provide the degree of censorship that you are looking for. After all, even if OpenDNS were to implement this on Google, you'd still have all the other search engines, such as bing, ask, yahoo, etc to worry about.
-
So in other words you have completely ignored all of the statements that say that OpenDNS *cannot* do this because it is a recursive DNS service, not an authoritative DNS service. Instead you prefer to stamp your foot like a petulant child and keeping screaming "I want it. Do it."
OpenDNS is doing what they say they are doing in providing protection. They are blocking the domains or categories of domains that you want blocked. For those who pay for additional services they are also blocking those domains that are in some manner deemed "malicious". OpenDNS does not block specific content from individual domains that you are not blocking. They cannot be held responsible for protecting you from content that websites return to you if you choose to allow those websites through.
How exactly does Google's fix not work?
Like I suggested, if you don't like the results that Google returns, and either can't or won't follow their instructions for forcing safesearch just block the entire Search Engines category and then whitelist whatever search engine that provides the level of censorship that you desire. The tools, including OpenDNS are available to you. It's up to you to use them appropriately they providing the level of censorship that you want.
-
@doafr
You'll want to read https://support.opendns.com/entries/57304954-Enforcing-Google-SafeSearch#view-post-23392360 to solve it with what you have already. -
As scott_st said above, "they have a router that protects them all".
-
This is possible, translating any Google domain (www.google.com/supported_domains) to the following IP 216.239.38.120
-
How is this possible? What do you mean by "translating"? In all of the years I've worked in IT and with DNS I have never come across the term "translating".
I think what you are referring to are the instructions posted here and at Google multiple times that state you need to set up your own DNS server (I believe even DNSMasq will work as well) on your own network or networks. The reason you need your own DNS server is that an *authoritative* DNS server is needed to do this. However OpenDNS is essentially a *recursive* DNS service so they cannot do this without completely redesigning their entire service for the sake of a feature supported on someone else's service.
If you know of a different way to do this please let us know how to do it.
-
I believe that @jonathanhg meant that it is possible with an own DNS server only as explicitly documented even by Google.
From https://support.google.com/websearch/answer/186669?hl=en :
To force SafeSearch for your network, you’ll need to update your DNS configuration.
This is all pretty clear, isn't it? They definitely didn't think about recursive DNS services like OpenDNS, else they would offer this for their own recursive Google DNS service, but - they don't! (This would be the minimum to combine their SafeSearch with their own recursive DNS service, isn't it?) Also, all other filtering recursive DNS services don't offer an option to force Google SafeSearch either. They know why not! (Or do you know one offering this option?)
-
See reply at https://support.opendns.com/entries/22120005-Block-images-in-search-engine-that-are-taken-from-porn-sites-?page=1#post_23944900 where he also posted this same statement.
-
Great thread, very helpful. Would like to know if anyone has bought , setup , using and found effective the buctools device mentioned. I also saw mentioned DD-WRT device
https://support.opendns.com/entries/57304954-Enforcing-Google-SafeSearch#view-post-23392360
We are also trying to setup Safe Search from all devices . Currently all available openDNS web content filtering categories are turned on (including 'search engines') . I tried putting forcesafesearch.google.com into the whitelist of allowed sites but errors out pointing to the fact that I blocked 'search engines'. I'm familiar with the openDNS product in general using it for quite some time with great success overall. Something probably simple I am missing here regarding blocking google.com but trying to access forcesafesearch.google.com I am still researching using many links above.
Wanted to also mention I found a great local DNS solution, DNS redirector. Its founder was very helpful and available for questions. Its my next step.
I also saw mentioned that the founder of openDNS was involved in a local DNS product installed at system level , is that available or can openDNS with a purchased extension or variation provide a "Total internet block , then build whitelist"
DNS redirector although very good at this, requires quite a bit of hands on to determine all URL's and sub URL's for some sites to work effectively. Loved how I could block ad's/other sites showing up inside sites.
Thank you !
-
"I tried putting forcesafesearch.google.com into the whitelist of allowed sites but errors out pointing to the fact that I blocked 'search engines'."
Yes, sure, also forcesafesearch.google.com belongs to this category, of course. And if you visit forcesafesearch.google.com, you will be immediately redirected to www.google.com (or other Google TLD) with the SafeSearch Option set (unless you blocked forcesafesearch.google.com or Search Engines with OpenDNS). So what's your problem, and what do you want to achieve? If you want to allow Google (no matter if with or without SafeSearch), you must not block the Search Engines category, or you must add google.com to your "never block" list, not forcesafesearch.google.com.
"I found a great local DNS solution, DNS redirector."
Which is a totally different product and service, because it's local software, not a service "in the cloud", so not comparable and not worth to be discussed here. You can use it as an additional layer of your concept if you like.
"I also saw mentioned that the founder of openDNS was involved in a local DNS product installed at system level"
Never heard about this. I only know about DNS services, recursive and authoritative. The authoritative one has been sold out.
"can openDNS with a purchased extension or variation provide a "Total internet block , then build whitelist""
Not internet block, but DNS block. OpenDNS is a DNS service with no influence on your internet connection where only your ISP is in charge for.
And yes, this "white-list only" mode is available in OpenDNS Home VIP and also in the Enterprise versions."Loved how I could block ad's/other sites showing up inside sites."
You don't do this with an online service, because you want to get rid of related traffic. You don't want to produce traffic for stuff you don't want to see anyway. Instead you use local browser extensions like Adblock Plus or Ghostery.
But your message tended to become off-topic with this. This thread is about enforcing Google SafeSearch only.
-
Hey thanks rotblitz . I am moving toward a total internet block and whitelist allowed sites, especially safe search google, since users of our network were basically google searching for music and game sites that openDNS hasn't filtered yet. or are being reviewed even with those categories selected in the openDNS config I setup.
Understood re: DNS redirector, i realize its different than openDNS. Just mentioning it in the event someone had experience with it or could recommend a better local software solution.
Yes the authoritative one, that's it, oh it sold out, ok
Yes I meant DNS block, I'll check into Home VIP and Enterprise .
We have Adblock in place, I'll check Ghostery
Thanks for the feedback .
-
"especially safe search google, since users of our network were basically google searching for music and game sites"
Well, Google's SafeSearch will not prevent users from searching for music and games. SafeSearch concentrates on filtering "adult" content of any (mostly with sexuality associated) kind.
"Just mentioning it in the event someone had experience with it or could recommend a better local software solution."
No experience with Redirector. Maybe Fiddler? This can be operated as internal proxy where all web traffic has to go through and can be filtered as you want. And it's free!
-
@cornernote Have you even bothered to read any of the discussion in this and related threads? Why do you think this is a very simple "problem" for OpenDNS to "resolve"?
Quite simply, OpenDNS is at it's heart a recursive DNS provider, not an authoritative DNS provider. It can only lookup and provide DNS entries that a domain owner defines on their authoritative DNS server. There is no way for them to modify that information.
To force the forcesafesearch option on google requires setting an A record that can only be done on an authoritative DNS server, which is why all of the directions and discussion surrounding this say that you need to set up a DNS server on your own network. That is why OpenDNS cannot offer this as an option and why you must do it for yourself on your network (or have someone who is knowledgeable for such things do it on your network).
-
"It can only lookup and provide DNS entries that a domain owner defines on their authoritative DNS server."
In case of OpenDNS (and some others) this is not entirely true. They return their own IP address in case of category blocking, individual domain and phish and malware blocking, earlier even instead of NXDOMAIN and SERVFAIL responses. The same way they could theoretically return the IP address of forcesafesearch.google.com for the listed Google domains if such an option existed at the dashboard. I know, this may be an expensive system change though.
Therefore I voted for this idea already a longer while ago.
Please sign in to leave a comment.
Comments
65 comments