Option to force Google Safe Search



  • Avatar

    Patrick - the advice on that page is too complex.  If OpenDNS is a respectable DNS it would just solve this as requested above

    OpenDNS should set the DNS entry for all google domains to be a CNAME for forcesafesearch.google.com

  • Avatar
    Apologies for being a naive paying customer of opendns and wanting "to protect my family from inappropriate websites" as the sales pitch promises. I don't think there are many people who know how to set up a home DNS with cname mapping as described.
  • Avatar

    > OpenDNS should set the DNS entry for all google domains to be a CNAME for forcesafesearch.google.com

    +1 to that... seems a very simple problem.

    It should be optional in the Web Content Filtering page.

  • Avatar

    "It can only lookup and provide DNS entries that a domain owner defines on their authoritative DNS server."

    In case of OpenDNS (and some others) this is not entirely true.  They return their own IP address in case of category blocking, individual domain and phish and malware blocking, earlier even instead of NXDOMAIN and SERVFAIL responses.  The same way they could theoretically return the IP address of forcesafesearch.google.com for the listed Google domains if such an option existed at the dashboard.  I know, this may be an expensive system change though.

    Therefore I voted for this idea already a longer while ago.

  • Avatar

    I would also love to see OpenDNS add an option to resolve all of the published Google TLDs to the safesearch VIP.  This would be a very useful feature that would be most helpful to non-technical users.  Pornographic search results are a real problem for parents & schools.  Blocking the CDNs for these images is only somewhat effective and can interfere dramatically with legitimate search.  Now that search engines are moving to SSL exclusively, previous fixes to force safe search by manipulating the URI by proxy are no longer effective. From a technical perspective, this would be straightforward to do.

    Bing also offers an ad free, forced safe search that's currently only available to schools...it would be really nice if Bing were to open that up like Google has and/or for OpenDNS to work out a deal with Microsoft to allow OpenDNS subscribers to opt into that somehow.  It would take a bit of engineering and collaboration between both parties, but entirely doable.

    I would also like to see more robust handling of search engine category.  I tried to block Search Engines and white-list Google; however, I experienced frequent mis-categorizations of unrelated sites as search engines and had to turn it off.

    In my utopia - OpenDNS would have their own 'Safe Search' option in web filtering that allows subscribers to block all Search Engines that do not have a forced safe search capability and to correctly direct or proxy the opted-in subscribers to each supported search provider.

    Since OpenDNS does not have this feature at this time, the instructions outlined for configuring an internal DNS server are effective.  I was able to do it on my Ubiquiti EdgeMax via the built-in DNSmasq feature as follows; however, it was a bit time consuming since there are very many TLDs:

    set service dns forwarding options 'address=/.google.com/'
    set service dns forwarding options 'address=/.google.co.uk/'
    set service dns forwarding options 'address=/.google.com.af/'
    etc etc...
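
Added example, not part of the original post and not OpenDNS, Ubiquiti or Google code: because the list of Google TLDs is long, this Python sketch generates the EdgeOS commands from a list in the www.google.com/supported_domains format and checks a resolver's answers against the VIP. It pins only the www. hostnames, following Google's instruction quoted later in this thread; the address 192.0.2.10 is a placeholder (resolve forcesafesearch.google.com when deploying), and the sample list and all function names are constructed for illustration.

```python
import ipaddress
import re
import socket

# Constructed sample in the format of www.google.com/supported_domains
# (one domain per line, each with a leading dot).
SAMPLE_SUPPORTED_DOMAINS = ".google.com\n.google.co.uk\n.google.com.af\n.google.de\n"
PLACEHOLDER_VIP = "192.0.2.10"  # placeholder, not the real VIP

# Accept only google.<tld> or google.<sld>.<tld>; anything else is rejected
# so a tampered list cannot inject quotes or extra options into the config.
_DOMAIN_RE = re.compile(r"google(\.[a-z]{2,3}){1,2}")


def parse_supported_domains(text):
    """Return validated, de-duplicated domains from the list, in order."""
    seen, out = set(), []
    for raw in text.splitlines():
        name = raw.strip().lstrip(".").lower()
        if not name:
            continue
        if not _DOMAIN_RE.fullmatch(name):
            raise ValueError(f"unexpected entry: {raw!r}")
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out


def edgeos_commands(domains, vip):
    """Build EdgeOS dnsmasq commands pinning www.<domain> to the VIP."""
    ip = ipaddress.ip_address(vip)  # raises ValueError unless an IP literal
    return [
        f"set service dns forwarding options 'address=/www.{d}/{ip}'"
        for d in domains
    ]


def system_resolve(host):
    """A records as seen through the OS resolver (IPv4 only)."""
    try:
        infos = socket.getaddrinfo(host, 443, family=socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def unenforced(domains, vip, resolve=system_resolve):
    """Return www hostnames whose answers are not exactly the VIP."""
    want = {str(ipaddress.ip_address(vip))}
    return [f"www.{d}" for d in domains if set(resolve(f"www.{d}")) != want]


if __name__ == "__main__":
    doms = parse_supported_domains(SAMPLE_SUPPORTED_DOMAINS)
    print("\n".join(edgeos_commands(doms, PLACEHOLDER_VIP)))
```

Running `unenforced` from a client after the change lists any hostname that still resolves somewhere other than the VIP, which is the quickest way to spot a TLD that was missed.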


  • Avatar

    > OpenDNS has made it clear that they cannot or will not provide this "feature"

    I don't believe they have.  They have simply referenced a support article which makes it clear that it's not a current feature.  I have not seen where they stated they cannot or will not provide this feature.

    > Currently, enforcing Google SafeSearch on your network requires the ability to create a local Canonical Name (CNAME) record on your local DNS server or editing your Hosts file on your local computer.

    source: https://support.opendns.com/entries/57304954-Enforcing-Google-SafeSearch

    If enough people want it, they may implement it.  If you keep discouraging people from asking for it then it is counter-productive to getting this feature implemented at some point in the future.

  • Avatar

    Yeah, it seems to me that if you can block a category and be redirected to an OpenDNS block page, you could just as easily check "Force Safe Search" and have Open DNS do some kind of forced redirect to the virtual IP at forcesafesearch.google.com. 

    Every topic I'm interested in seems to have mattwilson9090 and rotblitz telling people that OpenDNS will not and should not do what they're asking for, but they seem unaware of all that OpenDNS offers through their Umbrella platform, which in many cases mirrors or comes very close to the features people are asking for. In fact, when the intelligent proxy was first introduced, I had an OpenDNS employee tell me point blank that the intelligent proxy would filter google search results based on category settings. The technology could do this, they have just opted not to enable it to do this for some reason, probably because it appeals to a minority of their subscribers, people who are looking for a level of control and filtering that most large companies (their target subscribers) aren't comfortable wielding with their employees' devices. I know this is why we haven't gotten an Android client yet for Umbrella, even though many people do want to provide that level of supervision and MDM for their Android devices.

    The fact of the matter is, the intelligent proxy could probably force safesearch, and possibly even filter the search results themselves, but it would require making the intelligent proxy a little less "intelligent" and allowing people to customize their proxy settings. OpenDNS already offers a proxy, so I would hope they'd allow us to customize some "gray" domains that we want proxied and filtered at the URL level, like google or reddit or craigslist.

  • Avatar

    Yandex DNS offers Google Safe Search and more.



  • Avatar

    I don't use Rawstream, but from what I read it can be deployed using DNS and works as a web service, not as software you install at home.  I could be wrong, but that's the impression I got from here - http://www.fiercecio.com/techwatch/story/rawstream-ceo-our-cloud-based-web-filtering-wont-slow-down-browsing/2014-01-17

    mattwilson9090, you seem very firm on the idea that OpenDNS cannot tamper with the DNS response that is given, because they are not an authoritative DNS service.  I clearly don't know enough about DNS to understand what this means at a technical level.  Do you know how OpenDNS is able to re-route filtered domains to its blocked page?  When I ping a blocked domain it seems to give me back an IP owned by OpenDNS.

  • Avatar

    Hi all. Brian from Rawstream here. Rawstream is a cloud based web security vendor. We provide DNS-based filtering, like OpenDNS, as well as on-premise DNS-based filtering. In addition to that, we have native agents for Windows and Chromebooks.

    Rawstream is not an appliance - hardware or virtual. To use our Cloud DNS servers just create an account and point your network to use the DNS servers indicated to you in the console. The on-premise deployment: Rawstream Network Server runs as a Windows service, or a Linux process. It is self contained with no need for a VM.

    We enforce Google SafeSearch across all our different deployments: Cloud DNS, on-prem DNS, and agents. You can read more here: http://rawstream.com/dns-web-security/

    Hope that helps. Any questions just email us at hello@rawstream.com



  • Avatar

    @mattwilson9090 I completely disagree.  

    Rawstream was discussed here before Brian posted his comment.  You even said you didn't know how they worked and something about not being bothered to find out.  Brian has posted his comment to clarify their services.

    OpenDNS is not willing to provide a solution to this much-demanded feature, and if Rawstream can then it will solve the issue for those who want this feature.

    If anyone is "hijacking" the thread it seems to be you.  People are asking for this feature, and you are telling them it cannot be done.  This is counter-productive to getting the feature implemented.  If you don't want this feature, fine, but why don't you want anyone else to have it?


  • Avatar

    Spam: irrelevant or inappropriate messages sent on the Internet to a large number of recipients.

    Their message was both relevant and appropriate.  The only reason you are calling it spam is because the poster works for the company in question.  If any other user posted exactly the same comment would you still call it spam?

    Nobody said OpenDNS were obligated to provide anything.  Do you frequently visit Burger King's forums and find people who are asking for Big Macs and then tell them they can't have it without understanding the reason why?  I assume not, and it makes me wonder why you invest so much effort here telling people they cannot have what they are asking for.  Why not leave it to OpenDNS or Burger King to explain it to their customers?

    If I'm asking for bacon on my burger at BK, and they don't want to give it, that's up to them.  If someone next to me says McD can do that, great, my problem is solved.  However if that person works at McD then you would consider them hijacking the discussion?  If another BK customer jumps in and starts telling me that I can't have it then I would consider that counter-productive to my request.

    I don't think we will see eye-to-eye on this, so I guess we will have to agree to disagree.

  • Avatar

    FYI: There's a new breed of routers that deal with the incognito loophole! They appear to implement something like option 3 described in this link: (https://support.google.com/websearch/answer/186669?hl=en) or perhaps append &safe=active at the router, and make it real easy. I found three: 1) Kibosh (www.kibosh.net) 2) Blocksi Router (http://www.blocksi.net/parental-control.php) and 3) pcWRT (http://www.pcwrt.com/).

    Please, please, please consider distributing this information. It is appalling that 90% of parents are so completely unaware of what access kids have through incognito browsing.

    Likewise, it's disturbing how unaware the general adult population is about 3g/4g smartphone access to porn by minors. An outstanding solution for 3g/4g smartphones is 'comvigo'. It filters and blocks incognito without restricting many other features unnecessarily like funamo and other apps do.

  • Avatar

    @jedashford - SafeDNS is great.. offers pretty much the same features as OpenDns, except it offers Enforced SafeSearch for google and bing... Hopefully this is something OpenDns will have available in the near future as this is something lots of parents are looking for.

  • Avatar
    dummy.bin (Edited)


    I've been enforcing SafeSearch on my home network for months by following this article from Google with no such issue. Forcing SafeSearch works perfectly for all of the other Google ccTLD country subdomains. Or are you saying that DNSFilter.com is not enforcing SafeSearch for all of the other subdomains?


    My biggest concern is that OpenDNS claims that it "is unable to support this solution directly as it does not involve any OpenDNS software".

    How can this be true if competitors are able to offer this feature such as SafeDNS and DNSFilter.com? I thought OpenDNS existed to help make the internet safer?

    Especially now that they offer the Family Shield product shouldn't this product enforce SafeSearch and YouTube Restricted Mode right out of the box?

    How is OpenDNS "shielding" anyone's family if all Google/Bing searches (including image/video searches) come back with adult content?

  • Avatar

    This is problematic.  OpenDNS could create an option to configure for step 1 (CNAME www.google.com to nosslsearch.google.com) and step 3 (Block access to encrypted.google.com), but step 2 (append &safe=active directly to all search URLs) is totally out of scope for a DNS service like OpenDNS.  This can be done by a HTTP proxy service only.

    On the other hand, OpenDNS occasionally operated a Google proxy (http://blog.opendns.com/2007/05/22/google-turns-the-page/).  This could be used as such a proxy where &safe=active is appended to the URL.

    No matter, you got my vote!  Let's see what comes out.

  • Avatar

    If you get Google locked into SafeSearch, what about Bing.com, Ask.com, Yahoo.com, AOL.com, etc? Check out buctools.com, they have a router that protects them all.

  • Avatar

    How about this taken from this page


    This option requires extensive technical expertise. Options 1 and 2 are recommended for those who don’t have a technical background.

    About SafeSearch Virtual IP address (VIP)

    SafeSearch VIP will force all users on your network to use SafeSearch on Google Search while still allowing a secure connection via HTTPS. The VIP in SafeSearch VIP refers to a Virtual IP which is an IP address that can be routed internally to multiple Google servers.

    When SafeSearch VIP is turned on, teachers and students at your school will see a notification the first time they go to Google; this will let them know that SafeSearch is on.

    SafeSearch VIP can be used as part of a comprehensive internet safety policy by schools; this is part of keeping students secure while limiting their access to adult content at school.

    Using SafeSearch VIP will not affect other Google services outside of Google Search.

    Turn on SafeSearch VIP

    To force SafeSearch for your network, you’ll need to update your DNS configuration. Set the DNS entry for www.google.com (and any other Google ccTLD country subdomains your users may use) to be a CNAME for forcesafesearch.google.com.

    We will serve SafeSearch Search and Image Search results for requests that we receive on this VIP.

    Could OpenDNS set up the DNS entry for all google domains to be a CNAME for forcesafesearch.google.com?




  • Avatar
    Patrick Colford

    Hi Robin!

    We actually have some information on this since Google released this feature. You can find our support article on it here: https://support.opendns.com/entries/57304954-Enforcing-Google-SafeSearch

  • Avatar

    Turns out I can't get the google forcesafesearch domain to work.


  • Avatar
    And BTW Google's fix doesn't work
  • Avatar

    You'll want to read https://support.opendns.com/entries/57304954-Enforcing-Google-SafeSearch#view-post-23392360 to solve it with what you have already.

  • Avatar

    What is buctools?

  • Avatar


    As scott_st said above, "they have a router that protects them all".

  • Avatar

    Thanks. Looks interesting.

    As good as OpenDNS is, there are some things that can only be done with a local device.

  • Avatar

    This is possible, translating any Google domain (www.google.com/supported_domains) to the following IP

  • Avatar

    I believe that @jonathanhg meant that it is possible with an own DNS server only as explicitly documented even by Google.

    From https://support.google.com/websearch/answer/186669?hl=en :

    To force SafeSearch for your network, you’ll need to update your DNS configuration.

    This is all pretty clear, isn't it?  They definitely didn't think about recursive DNS services like OpenDNS, else they would offer this for their own recursive Google DNS service, but - they don't!  (This would be the minimum to combine their SafeSearch with their own recursive DNS service, isn't it?)  Also, all other filtering recursive DNS services don't offer an option to force Google SafeSearch either.  They know why not!  (Or do you know one offering this option?)

  • Avatar

    Great thread, very helpful.  Would like to know if anyone has bought, set up, is using and has found effective the buctools device mentioned.  I also saw a DD-WRT device mentioned.

    We are also trying to set up Safe Search from all devices.  Currently all available openDNS web content filtering categories are turned on (including 'search engines').  I tried putting forcesafesearch.google.com into the whitelist of allowed sites but it errors out, pointing to the fact that I blocked 'search engines'.  I'm familiar with the openDNS product in general, having used it for quite some time with great success overall.  Something probably simple I am missing here regarding blocking google.com but trying to access forcesafesearch.google.com. I am still researching using many links above.

    Wanted to also mention I found a great local DNS solution, DNS redirector.  Its founder was very helpful and available for questions.  It's my next step.

    I also saw mentioned that the founder of openDNS was involved in a local DNS product installed at system level. Is that available, or can openDNS with a purchased extension or variation provide a "Total internet block, then build whitelist"?

    DNS redirector, although very good at this, requires quite a bit of hands-on work to determine all URLs and sub-URLs for some sites to work effectively.  Loved how I could block ads/other sites showing up inside sites.

    Thank you !


  • Avatar

    "I tried putting forcesafesearch.google.com into the whitelist of allowed sites but errors out pointing to the fact that I blocked 'search engines'."

    Yes, sure, also forcesafesearch.google.com belongs to this category, of course. And if you visit forcesafesearch.google.com, you will be immediately redirected to www.google.com (or other Google TLD) with the SafeSearch Option set (unless you blocked forcesafesearch.google.com or Search Engines with OpenDNS).  So what's your problem, and what do you want to achieve?  If you want to allow Google (no matter if with or without SafeSearch), you must not block the Search Engines category, or you must add google.com to your "never block" list, not forcesafesearch.google.com.

    "I found a great local DNS solution, DNS redirector."

    Which is a totally different product and service, because it's local software, not a service "in the cloud", so not comparable and not worth to be discussed here.  You can use it as an additional layer of your concept if you like.

    "I also saw mentioned that the founder of openDNS was involved in a local DNS product installed at system level"

    Never heard about this.  I only know about DNS services, recursive and authoritative.  The authoritative one has been sold out.

    "can openDNS with a purchased extension or variation provide a "Total internet block , then build whitelist""

    Not internet block, but DNS block.  OpenDNS is a DNS service with no influence on your internet connection where only your ISP is in charge for.
    And yes, this "white-list only" mode is available in OpenDNS Home VIP and also in the Enterprise versions.

    "Loved how I could block ad's/other sites showing up inside sites."

    You don't do this with an online service, because you want to get rid of related traffic.  You don't want to produce traffic for stuff you don't want to see anyway.  Instead you use local browser extensions like Adblock Plus or Ghostery.

    But your message tended to become off-topic with this.  This thread is about enforcing Google SafeSearch only.
