Option to force Google Safe Search

Comments

65 comments

  • Avatar
    jawboned
    Rawstream is a Program like openDNS. They provide a checkbox to activate forced safe search mode on Google searches. It works well through the router.
    0
    Comment actions Permalink
  • Avatar
    mattwilson9090

    OpenDNS is not a program, it is an internet based service that leverages recursive DNS to provide their service. Any software that OpenDNS writes facilitates providing that service, but does not actually provide the features and services of OpenDNS. Whatever this rawstream is it sounds like either a hardware router with options in the firmware to do this, or some sort of module that can be added to some routers. There are many things that can be done in local hardware that cannot be done with an internet service, such as directly intercepting and rerouting internet traffic.

    If you want to know how another technology works, especially one that may be a competitor you should check that website, not ask here.

    -1
    Comment actions Permalink
  • Avatar
    jawboned

    My point is that Rawstream which runs similar to opendns provides a means in the settings to force safe search in Google.

    I am NOT asking how to use Rawstream here, I am asking why OpenDNS can't do what Rawstream does. There is a lot of call for this ability in the Forums. So I am asking why a competitor can do it and OPenDNS can't. Fair question I believe.

    0
    Comment actions Permalink
  • Avatar
    mattwilson9090

    From your description of rawstream as a program, and it working through the router, it sounds like software that runs on local hardware. That is not at all similar to how OpenDNS works since OpenDNS is *not* a program that runs on any local hardware, including the router. Like I said already OpenDNS is an internet based service, a completely different thing.

    If you want to know why OpenDNS does not redirect Google traffic from one domain to another you should read this and the related threads, as well as the webpage from Google itself that describes what you need to do to redirect the traffic. Google specifically says that you need to create a CNAME record on your own DNS server. OpenDNS has made it clear that they will provide links to Google's officially supported method for doing this, but they will not do it for you. That is both a technical and a business decision that they do not appear likely to change.

    -1
    Comment actions Permalink
  • Avatar
    cornernote

    I don't use rawsteam, but from what I read it can be deployed using DNS and works as a web service not as software you install at home.  I could be wrong, but thats the impression I got from here - http://www.fiercecio.com/techwatch/story/rawstream-ceo-our-cloud-based-web-filtering-wont-slow-down-browsing/2014-01-17

    mattwilson9090, you seem very firm on the idea that OpenDNS cannot tamper with the dns response that is given, because they are not an authoritive dns service.  I clearly don't know enough about dns to understand what this means at a technical level.  Do you know how OpenDNS is able to re-route filtered domains to its blocked page?  When I ping a blocked domain it seems to give me back an IP owned by OpenDNS.

    1
    Comment actions Permalink
  • Avatar
    mattwilson9090

    Well, an internet service is completely different from local software as this was first described. I don't really know how rawstream works and am not interested enough to dig into it, but even in their own description they seem to be saying they are offering things in a completely different way from OpenDNS, which they mentioned specifically.

    I don't know enough about how OpenDNS provides their service, but they consistently refer to themselves as a recursive service, not a dynamic DNS or authoritative service. To provide the solution that Google tells people to use would require creating CNAME records, which would firmly put them in the position of providing authoritative DNS service. All I know for certain is that if a domain is configured to be blocked then it is, but I have no idea how they do it. All I know for certain is that OpenDNS has made it clear that their users need to follow the official answer from Google on this. Whatever went into the decision leading up to that guidance is probably a mix of technical, business, and legal considerations. And yes, at this point we are probably discussing semantics, but if business and legal considerations are a part of their decisions then semantics are going to be extremely important to any decision.

    You could write OpenDNS directly and ask for a detailed explanation of their decision making process, but like most businesses I doubt they will provide that. They'll only restate their final answer and point you to how you can accomplish what you want.

    -1
    Comment actions Permalink
  • Avatar
    rgrdave

    I would also love to see OpenDNS add an option to resolve all of the published Google TLD's to the safesearch VIP.  This would be a very useful feature that would be most helpful to non-technical users.  Pornographic search results are a real problem for parents & schools.  Blocking the CND's for these images is only somewhat effective and can interfere dramatically with legitimate search.  Now that search engines  are moving to SSL exclusively, previous fixes to force safe search by manipulating the uri by proxy are no longer effective. From a technical perspective, this would be straight forward to do.

    Bing also offers an ad free, forced safe search that's currently only available to schools...it would be really nice if Bing were to open that up like Google has and/or for OpenDNS to work out a deal with Microsoft to allow OpenDNS subscribers to opt into that somehow.  It would take a bit of engineering and collaboration between both parties, but entirely doable.

    I would also like to see more robust handling of search engine category.  I tried to block Search Engines and white-list Google; however, I experienced frequent mis-categorizations of unrelated sites as search engines and had to turn it off.

    In my utopia - OpenDNS would have their own 'Safe Search' option in web filtering that allows subscribers to block all Search Engines that do not have a forced safe search capability and to correctly direct or proxy the opted-in subscribers to each supported search provider.

    Since OpenDNS does not have this feature at this time, the instructions outlined for configuring an internal DNS server are effective.  I was able to do it on my Ubiquiti EdgeMax via the built in DNSmasq feature as follows; however, it's was a bit time consuming since there are very many TLD's:

    set service dns forwarding options ‘address=/.google.com/216.239.38.120’
    set service dns forwarding options 'address=/.google.co.uk/216.239.38.120'
    set service dns forwarding options ‘address=/.google.com.af/216.239.38.120’
    etc etc...

    David

    2
    Comment actions Permalink
  • Avatar
    brian.azzopardi

    Hi all. Brian from Rawstream here. Rawstream is a cloud based web security vendor. We provide DNS-based filtering, like OpenDNS, as well as on-premise DNS-based filtering. In addition to that, we have native agents for Windows and Chromebooks.

    Rawstream is not an appliance - hardware or virtual. To use our Cloud DNS servers just create an account and point your network to use the DNS servers indicated to you in the console. The on-premise deployment: Rawstream Network Server runs as a Windows service, or a Linux process. It is self contained with no need for a VM.

    We enforce Google SafeSearch across all our different deployments: Cloud DNS, on-prem DNS, and agents. You can read more here: http://rawstream.com/dns-web-security/

    Hope that helps. Any questions just email us at hello@rawstream.com

     

    Brian

    1
    Comment actions Permalink
  • Avatar
    mattwilson9090

    Obviously a company with pretty low standards if they will hijack a competitors support forum to advertise their product. Be wary of them.

    -1
    Comment actions Permalink
  • Avatar
    cornernote

    @mattwilson9090 I completely disagree.  

    Rawstream was discussed here before Brian posted his comment.  You even said you didn't know how they worked and something about not being bothered to find out.  Brian has posted his comment to clarify their services.

    OpenDNS is not willing to provide a solution to this much-demanded feature, and if Rawstream can then it will solve the issue for those who want this feature.

    If anyone is "hijacking" the thread it seems to be you.  People are asking for this feature, and you are telling them it cannot be done.  This is counter-productive to getting the feature implemented.  If you don't want this feature, fine, but why don't you want anyone else to have it?

     

    1
    Comment actions Permalink
  • Avatar
    mattwilson9090

    Yes, rawstream was discussed here before, by a user, not a representative of the company. I discussed it with the person to the extent that they actually wanted to discuss the subject.

    What "brian" posted was not a clarification, it was an advertisement using a competitors forum to do so. That is generally what is called spam since the purpose of this forum is to support OpenDNS and it's users, not to provide advertising for a competitor.

    Like all the other commenters in this thread, other than "brian", I am participating in the ongoing and evolving discussion, centered around OpenDNS. Just because you don't like the answers or explanations that some of the people in the thread have posted does not make it hijacking. An employee of another company directing users to their own products *is* hijacking. It's also a violation of all commonly accepted business ethics.

    As far as it goes, just because you want a business to provide something marginally related to their business does not mean they are obligated to provide it to you, and someone explaining the situation, how things work, and how they can accomplish with they want to do is not counterproductive. A Big Mac is technically a hamburger, but just because Burger Kind also sells hamburgers does not mean that they can, or will, sell you a Big Mac, regardless of how much you tell them that its easy to do, or that they should do it because others are demanding it. OpenDNS has made it clear that they cannot or will not provide this "feature", but do provide the information that officially comes from Google on how you can do this on your own. I have no idea of everything that lead to this stance, but I'm sure it's a mix of technical, business, and legal considerations.

    -1
    Comment actions Permalink
  • Avatar
    cornernote

    Spam: irrelevant or inappropriate messages sent on the Internet to a large number of recipients.

    Their message was both relevant and appropriate.  The only reason you are calling it spam is because the poster works for the company in question.  If any other user posted exactly the same comment would you still call it spam?

    Nobody said OpenDNS were obligated to provide anything.  Do you frequently visit Burger King's forums and find people who are asking for Big Macs and then tell them they cant have it without understanding the reason why?  I assume not, and it makes me wonder why you invest so much effort here telling people they cannot have what they are asking for.  Why not leave it to OpenDNS or Burger King to explain it to their customers?

    If I'm asking for bacon on my burger at BK, and they don't want to give it, that's up to them.  If someone next to me says McD can do that, great, my problem is solved.  However if that person works at McD then you would consider them hijacking the discussion?  If another BK customer jumps in and starts telling me that I cant have it then I would consider that counter-productive to my request.

    I don't think we will see eye-to-eye on this, so I guess we will have to agree to disagree.

    1
    Comment actions Permalink
  • Avatar
    cornernote

    > OpenDNS has made it clear that they cannot or will not provide this "feature"

    I don't believe they have.  They have simply referenced a support article which makes it clear that it's not a current feature.  I have not seen where they stated they cannot or will not provide this feature.

    > Currently, enforcing Google SafeSearch on your network requires the ability to create a local Canonical Name (CNAME) record on your local DNS server or editing your Hosts file on your local computer.

    source: https://support.opendns.com/entries/57304954-Enforcing-Google-SafeSearch

    If enough people want it, they may implement it.  If you keep discouraging people from asking for it then it is counter-productive to getting this feature implemented at some point in the future.

    2
    Comment actions Permalink
  • Avatar
    bwna911

    Hello everybody, yandex dns offers this feature for free (I don't know if they enable it on every search engine but in google it works) no more porn pictures, no more porn sites in results, the only problem is that yandex dns is slower than openDNS and sometimes it bugs (sites don't start you need to disable dns and enable it again).

    0
    Comment actions Permalink
  • Avatar
    laynerd

    Yeah, it seems to me that if you can block a category and be redirected to an OpenDNS block page, you could just as easily check "Force Safe Search" and have Open DNS do some kind of forced redirect to the virtual IP at forcesafesearch.google.com. 

    Every topic I'm interested in seems to have mattwilson9090 and rotblitz telling people that OpenDNS will not and should not do what they're asking for, but they seem unaware of all that OpenDNS offers through their Umbrella platform, which in many cases mirrors or comes very close to the features people are asking for. In fact, when the intelligent proxy was first introduced, I had an OpenDNS employee tell me point blank that the intelligent proxy would filter google search results based on category settings. The technology could do this, they have just opted not to enable it to do this for some reason, probably because it appeals to a minority of their subscribers, people who are looking for a level of control and filtering that most large companies (their target subscribers) aren't comfortable wielding with their employees' devices. I know this is why we haven't gotten an Android client yet for Umbrella, even though many people do want to provide that level of supervision and MDM for their Android devices.

    The fact of the matter is, the intelligent proxy could probably force safesearch, and possibly even filter the search results themselves, but it would require making the intelligent proxy a little less "intelligent" and allowing people to customize their proxy settings. OpenDNS already offers a proxy, so I would hope they'd allow us to customize some "gray" domains that we want proxied and filtered at the URL level, like google or reddit or craigslist.

    2
    Comment actions Permalink
  • Avatar
    rotblitz

    You're wrong.

    "OpenDNS will not and should not do"

    Should not do - no.  I support the idea offering it as an option at the dashboard and have voted for the idea above, as said above.  At least one other competitor already does it already...

    Will not - yes, this is what OpenDNS said.  But times may change...

    0
    Comment actions Permalink
  • Avatar
    johank96

    FYI: There's a new breed of of router that deal with the incognito loophole! They appear to implement something like option 3 described in this link: (https://support.google.com/websearch/answer/186669?hl=en) or perhaps append &safe=active at the router, and make it real easy. I found three: 1) Kibosh (www.kibosh.net) 2) Blocksi Router (http://www.blocksi.net/parental-control.php) and 3) pcWRT (http://www.pcwrt.com/).

    Please, please, please consider distributing this information. It is appalling that 90% of parents are so completely unaware of what access kids have through incognito browsing.

    Likewise, it's disturbing how unaware the general adult population is about 3g/4g smartphone access to porn is by minors. An outstanding solution for 3g/4g smartphones is 'comvigo'. It filters and blocks incognito without restricting many other features unnecessarily like funamo and other apps do.

    1
    Comment actions Permalink
  • Avatar
    samsyst

    I wholeheartedly agree with @johank96! I recently bought a pcWRT router because it works with OpenDNS and is a standalone router. The latter is important to me because I don't want to be like the Skydog users - if and when the router vendor drops support, what you bought becomes nothing more than a brick!

    Enforcing SafeSearch on the pcWRT is as simple as ticking a checkbox, and you can leave the checkbox unchecked for your own devices so that you are not bound by SafeSearch.

    0
    Comment actions Permalink
  • Avatar
    charisc

    I saw this with a similar product - cisco meraki. So it will be very good if you do this.

    0
    Comment actions Permalink
  • Avatar
    rotblitz

    But this is a hardware solution, not a solution like OpenDNS in the cloud.  It is in no way "similar".

    No matter, OpenDNS belongs to Cisco now, so this may be integrated in the future, but you still had to buy such hardware.

    Or did you mean pcWRT with "similar product"?

    -1
    Comment actions Permalink
  • Avatar
    charisc

    Yes meraki and pcWRT involve a hardware solution but there are still other cloud solutions that do this such as McAfee webwasher (this can be an appliance or cloud).

    Maybe this implementation will also involve the installation of software in a VM machine rather than in a router or appliance. 

    0
    Comment actions Permalink
  • Avatar
    jedashford

    Thanks for the tip on raw stream. Although I need to pay, far better option IMO.

    0
    Comment actions Permalink
  • Avatar
    scott_st

    I'll second www.kibosh.net, they sell a router that enforces Google safesearch and more.

    0
    Comment actions Permalink
  • Avatar
    gcbourque

    I don't think there is a way to force Google SafeSearch at the home router level, with most routers anyway. However, it is really easy to change the hosts file on each home computer to force Google to use SafeSearch on that computer.   Change C:\Windows\System32\drivers\etc\hosts by adding one line to force Google SafeSearch.  (Need to have admin rights on Windows to do this. The easiest way is to make a copy of hosts with another name, change the copy, delete the original, and rename the copy to "hosts". Just a Windows idiosyncrasy.) Add the following to hosts:

    #
    # This forces Google to use SafeSearch
    #
    216.239.38.120       www.google.com

    216.239.38.120       www.google.com

    Close and reopen the browser. This will redirect to forcesafeseach.google.com. And you won't have to mess with the unreliable step of "locking" SafeSearch with a Google account. Just change hosts. Easy. Kids will not know about this in almost all cases. Plus hosts is a little difficult to edit.  All good for the cause. 

    But that's not all. You can also redirect any other search engine to forcesafesearch.google.com! This will prevent users from going to bing or altavista or duckduckgo or any other search engine you can think of. Here is pretty exhaustive list of lines to add.  Works great. 

    #
    # These redirect search engines to forcesafesearch.google.com
    #
    216.239.38.120  aol.com
    216.239.38.120 search.aol.com
    216.239.38.120 www.aol.com
    216.239.38.120 ask.com
    216.239.38.120 www.ask.com
    216.239.38.120 altavista.com
    216.239.38.120 www.altavista.com
    216.239.38.120 baidu.com
    216.239.38.120 www.baidu.com
    216.239.38.120 bing.com
    216.239.38.120 www.bing.com
    216.239.38.120 dogpile.com
    216.239.38.120 www.dogpile.com
    216.239.38.120 duckduckgo.com
    216.239.38.120 www.duckduckgo.com
    216.239.38.120 entireweb.com
    216.239.38.120 www.entireweb.com
    216.239.38.120 exalead.com
    216.239.38.120 www.exalead.com
    216.239.38.120 excite.com
    216.239.38.120 www.excite.com
    216.239.38.120 galaxy.com
    216.239.38.120 www.galaxy.com
    216.239.38.120 gigablast.com
    216.239.38.120 www.gigablast.com
    216.239.38.120 hotbot.com
    216.239.38.120 www.hotbot.com
    216.239.38.120 lycos.com
    216.239.38.120 www.lycos.com
    216.239.38.120 search.lycos.com
    216.239.38.120 qwant.com
    216.239.38.120 www.qwant.com
    216.239.38.120 yahoo.com
    216.239.38.120 search.yahoo.com
    216.239.38.120 www.yahoo.com
    216.239.38.120 yandex.com
    216.239.38.120 www.yandex.com
    216.239.38.120 yippy.com
    216.239.38.120 www.yippy.com

     

     

    0
    Comment actions Permalink
  • Avatar
    scott_st

    Hi gcbourque - check out kibosh dot net, they have a dns like service that enforces safesearch that hooks into your router.

    0
    Comment actions Permalink
  • Avatar
    jedashford

    I went with SafeDNS, they are 19.95 a year and works like a charm.

    0
    Comment actions Permalink
  • Avatar
    magdiel1975

    @jedashford - SafeDNS is great.. offers pretty much the same features as OpenDns, except it offers Enforced SafeSearch for google and bing... Hopefully this is something OpenDns will have available in the near future as this is something lots of parents are looking for.

    1
    Comment actions Permalink
  • Avatar
    logicx

    We support this functionality at DNSFilter.com and have metered-based usage for networks. Works great for BYOD networks!

    0
    Comment actions Permalink
  • Avatar
    rotblitz

    @logicx  
    Forcing SafeSearch actually works for www.google.com only yet, not for any other of the dozens of Google country TLDs...

    0
    Comment actions Permalink
  • Avatar
    dummy.bin (Edited )

    @rotblitz

    I've been enforcing SafeSearch on my home network for months by following this article from Google with no such issue. Forcing SafeSearch works perfectly for all of the other Google ccTLD country subdomains. Or are you saying that DNSFilter.com is not enforcing SafeSearch for all of the other subdomains?

    @OpenDNS

    My biggest concern is that OpenDNS claims that it "is unable to support this solution directly as it does not involve any OpenDNS software".

    How can this be true if competitors are able to offer this feature such as SafeDNS and DNSFilter.com? I thought OpenDNS existed to help make the internet safer?

    Especially now that they offer the Family Shield product shouldn't this product enforce SafeSearch and YouTube Restricted Mode right out of the box?

    How is OpenDNS "shielding" anyone's family if all Google/Bing searches (including image/video searches) come back with adult content?

    1
    Comment actions Permalink

Please sign in to leave a comment.