Use Wildcard to Limit TLD (and block Google search images)

Comments

62 comments

  • rotblitz

    The preferred method for selective Google content filtering is Google's SafeSearch feature.

    You catch most Google domains by blocking the Search Engines category.  Then you have to whitelist the few you want to allow.

  • jmerichards
    Hi Rotblitz, Appreciating the feedback, thanks. Client based solutions aren't much use I'm afraid, as there are browsers built into other devices that also need blocking. I've used your suggestion to block the search engine category, and it seems to do the trick. "Safe" image queries on Bing yield pictures, "unsafe" ones yield placeholders only; that's great. I've added maps.google.com to the "never block" list, but it is still being blocked. I've tested this on numerous devices and computers - I cleared the cache and flushed DNS but still no go. Any suggestions on that? TIA
  • Kristy Patullo

    It looks like the following domains are also accessed when querying maps.google.com: google.com, apis.google.com, maps.google.com, plus.google.com

    Since you want google.com to remain blocked, you may want to try unblocking apis.google.com to see if that allows you to access maps.google.com.  

  • rotblitz

    "Client based solutions aren't much use I'm afraid"

    Hey, Google SafeSearch is not only a client based solution, but also a server based one:

    https://support.google.com/websearch/answer/144686?hl=en
    If you deploy a proxy on your web traffic, it may be possible to configure your proxy to append &safe=strict to all search requests sent to Google. This parameter enables strict SafeSearch for all searches, regardless of the setting on the Google Preferences page.

    https://support.google.com/websearch/answer/186669?hl=en
    To enable SafeSearch throughout a school network, you can use a proxy server to append &safe=active directly to all search URLs. This will enable strict SafeSearch.

    "I've added maps.google.com to the "never block" list, but it is still being blocked."

    Not everything is hosted on maps.google.com; other (Google) domains are involved as well.  Check with a tool like http://www.nirsoft.net/utils/dns_query_sniffer.html or with your OpenDNS domain stats to see what domains still need to be whitelisted.

  • jmerichards
    @Kristy - many thanks. I did manage to get maps to load (actually I did nothing, it just started to work), but the map background did not load. I'd been trying to find out what other domains served map data, so I'll try your suggestion and post back. @rotblitz - again, thanks for the detailed help. I don't use a proxy as this is a home network and a proxy always seemed like added hassle and maybe expense. It also seemed to be taking a sledge hammer to a peanut. However, I may have to consider this option again if it will help to keep my kids safe. A general question relating to the various domains with maps; I'd noticed that the sub domain l.google.com is used with maps and many other Google sites. What is the general rule with OpenDNS when it comes to blocking - use the actual sub domain name, or is it sufficient to block alias names? Thanks again.
  • rotblitz

    Normally both methods will work, domain name and/or aliases (CNAMEs).  There may be exceptions.
    Also, example.com covers this and all its subdomains and almost all possible aliases.

  • jmerichards
    First off, Kristy: tried adding apis.google.com to the whitelist - no joy. Map page loads but actual map background (the important bit) does not. @rotblitz Since I blocked the search engine category I have also not been able to get youtube to load, despite whitelisting that and a variety of sub domains. I'm no longer getting the OpenDNS block logo for YouTube, but it only partially loads the page. Interestingly, whitelisting only youtube.com still resulted in the OpenDNS block message. I am only seeing this behaviour with Google maps and youtube. I was able to whitelist yahoo.com and it started working straight away. Anyone else have similar issues with Google domains? Perhaps I should start a new thread?
  • jmerichards
    I think I have the solution to my problem. Just to recap - I wanted to block the google search engine because of porn. Rotblitz suggested (quite rightly) blocking the entire search engine category. I did so, which had the effect of breaking my access to youtube and google maps, which I wanted to keep. The answer is to add, believe it or not, google.com to the whitelist, but still leave the search engine category blocked. Doing this, plus whitelisting Bing means I have all search engines other than Bing blocked, but still have access to other desirable Google services. Thank you both all for your help.
  • rotblitz

    Excellent!  You're welcome.

  • jmerichards
    Actually, it didn't fix it. :( Ok, the problem I'm having is that I've blocked the search engine category, which also blocks YouTube and Google Maps - I don't want YouTube and Google Maps to be blocked. So, I whitelist youtube.com, s.ytimg.com, ytimg.com, maps.google.com and maps.google.com.au (as I'm in Australia). I've also white listed bing.com and yahoo.com. Here's the rub - bing and yahoo load, as you'd expect as they're white listed. Google Maps and YouTube do not load, despite being white listed. Do we have an idea why this is and what the best way to approach it is? It doesn't seem to be a problem with OpenDNS, it must be Google trickery?
  • cervezafria

    Couple of things to do... 1) look through your stats over the past day and see what is getting blocked... not everything is obvious but trial/error whitelisting can help. or... 2) run Fiddler in the background and see what comes up when you try to load maps, for example. You'll see immediately which connections are being blocked. Again... whitelist trial & error (as some of the blocks may be legitimate, for example for adware).

    For youtube... I also would whitelist gstatic.com (loads with both maps and youtube). You can delete s.ytimg.com, since that is already available through your whitelisted ytimg.com

  • cervezafria
    Cheers Cervezafria. I'll try all those things tonight (my time) and report back.
  • jmerichards

    I think I need some help interpreting Fiddler (looks awesome though).

    Several other domains listed in Fiddler results that I have not whitelisted - I have to go out now so can't elaborate until tomorrow.

     

    Interestingly (to me) there is a sub-domain called "safesearch.google.com".  Could this be a key to helping resolve this issue?

     

    More tomorrow...

  • cervezafria

    Did whitelisting gstatic.com help? For youtube, I also had to whitelist "youtube.be" and "youtube-nocookie.com". Good luck!

  • jmerichards

    Back again. Whitelisting gstatic did not help.  Seems that the whole site loads properly, with the exception of the image header.  I can even see all the video tiles, but when I click on one (any one) I get the "An error occurred, please try again later." message.

    I also had this issue reported by Fiddler:

    ----

    Session #94: The remote server (apis.google.com) presented a certificate that did not validate, due to RemoteCertificateNameMismatch.

    SUBJECT: CN=*.opendns.com, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)12, OU=GT55236522, SERIALNUMBER=UoFmxu6ta5ecJiIs4su2w-q-u8rxJ/d3

    ISSUER: CN=RapidSSL CA, O="GeoTrust, Inc.", C=US

    EXPIRES: 25/09/2014 8:42:00 PM

    ----

    It's the only hint I've seen of anything to do with OpenDNS.  Mean anything to anyone?

  • rotblitz

    This browser-generated certificate warning generally appears if you try to access an HTTPS site, but the related domain is either blocked by your OpenDNS settings or cannot be resolved to an IPv4 address by OpenDNS.

    Also, apis.google.com is an alias for the real name plus.l.google.com.  Have you blocked this?

  • jmerichards

    Hi Rotblitz - Thanks for that info.  I do have apis whitelisted.

    I now have YouTube working, but I'm just going to spend a few more minutes testing some settings then I'll post what I ended up needing on the whitelist.

  • jmerichards

    After much frustration I can finally report that I have used OpenDNS to enable the following behaviour on my home network:

    • Permit only the Bing search engine, which supports blocking adult images (with a caveat; see below)
    • Completely block access to all other search engines (in the OpenDNS Search Category)
    • Maintain access to Google Maps and YouTube

    Things I learned:

    • Bing will still allow "non-porn" search terms (e.g. vagina) to return what I consider "adult" images
    • In order to ensure "safe" images are returned on Bing it is necessary to whitelist mm.bing.net (not bing.net, as that will let porn in)
    • To get Google Maps going required whitelisting maps.google.com, maps.google.com.au (I'm in Australia), mts0.google.com and mts1.google.com (in order to display map background) and gstatic.com
    • YouTube worked after whitelisting googlesyndication.com, googletagservices.com, googlevideo.com, gstatic.com, youtube.no-cookie.com and ytimg.com
    • It seemed Google's 1e100.net was required in my case for some services
    • Whitelisting accounts.google.com and accounts.google.com.au did nothing as they both redirect to google.com during a login event (some gurus needed to solve that one!)

    The categories that I am blocking are:

    • Drugs
    • Gambling
    • Lingerie/Bikini
    • Sexuality
    • Hate/Discrimination
    • Proxy/Anonymizer
    • Tasteless
    • Adware
    • Dating
    • Nudity
    • Pornography
    • Search Engines
    • Weapons

    The complete whitelist I am using is:

    • 1e100.net
    • accounts.google.com
    • accounts.google.com.au
    • bing.com
    • googlesyndication.com
    • googletagservices.com
    • googlevideo.com
    • gstatic.com
    • maps.google.com
    • maps.google.com.au
    • mm.bing.net
    • mts0.google.com
    • mts1.google.com
    • safebrowsing.google.com
    • search.live.com
    • translate.google.com
    • youtube.com
    • youtube.no-cookie.com
    • ytimg.com   

    I hope this helps somebody else. You may need to change some things to suit your location.

    Thank you very much to those who offered their advice (rotblitz and cervezafria in particular). I definitely recommend grabbing the Fiddler2 app, that was a great tip.

    Merry Christmas to all.
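
Added example, not part of the thread and not OpenDNS code: a small Python checker for the trial-and-error whitelisting described above. It assumes, as rotblitz notes, that an entry covers the domain and all its subdomains; the function names are hypothetical, and the observed hostnames are constructed (other.bing.net and notytimg.com are made-up names).

```python
# Added example: whitelist coverage check. Not OpenDNS code; data is constructed.

def normalize(name):
    """Lower-case a hostname and drop any trailing root dot."""
    return name.strip().lower().rstrip(".")

def covering_entry(host, whitelist):
    """Return the whitelist entry that covers host, or None.

    Assumption: an entry covers itself and all its subdomains, matched on
    label boundaries (ytimg.com covers s.ytimg.com but not notytimg.com).
    """
    entries = {normalize(e) for e in whitelist}
    labels = normalize(host).split(".")
    # Try the full name first, then each parent domain in turn.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in entries:
            return candidate
    return None

def uncovered(observed, whitelist):
    """Observed hostnames that no entry covers, de-duplicated, first-seen order."""
    result = []
    for host in map(normalize, observed):
        if host not in result and covering_entry(host, whitelist) is None:
            result.append(host)
    return result

def redundant(whitelist):
    """Map each entry that a shorter entry already covers to that entry."""
    found = {}
    for entry in map(normalize, whitelist):
        _, _, parent = entry.partition(".")
        cover = covering_entry(parent, whitelist) if parent else None
        if cover:
            found[entry] = cover
    return found

# Entries mentioned in the thread (a subset, for brevity).
WHITELIST = ["youtube.com", "ytimg.com", "s.ytimg.com", "gstatic.com",
             "maps.google.com", "mts0.google.com", "mm.bing.net", "bing.com"]
# Constructed names a DNS query sniffer might list; not a real capture.
OBSERVED = ["www.youtube.com", "s.ytimg.com", "maps.google.com.",
            "apis.google.com", "plus.l.google.com", "MTS1.google.com",
            "mm.bing.net", "other.bing.net", "notytimg.com"]

if __name__ == "__main__":
    print("not covered:", uncovered(OBSERVED, WHITELIST))
    print("redundant:", redundant(WHITELIST))
```

Feed it the hostnames from your own DNS stats or sniffer output; anything it reports as not covered is a candidate to review before whitelisting, since some blocks are intended.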

  • jmerichards

    Sorry for spamming the thread - Add to the whitelist I posted above apis.google.com.

  • cervezafria

    Glad to hear that you've resolved this issue. Thank you for thoroughly detailing your solution here.

  • jmerichards

    No problem cervezafria, I hope someone benefits from it.

    NB: I'd had apis.google.com whitelisted the other day, then must've removed it.  I added it back when I posted the "December 06, 2013 07:14" comment and it then blocked access to youtube again.  I have removed apis.google.com from the whitelist and I now have access back.

    Go figure...

  • karenam

    jmerichards, yes, this kind of detail is just what us non-techy types need. I don't even understand most of the stuff you said but can easily see from your list what I need to do to make OpenDNS work for our family. I was really frustrated with the images that can be seen on google images search even though visual search engines are blocked. What exactly is a visual search engine if not google images? Oh well. Will try what you have done and hope it works, with teenage boys this is a must. I am sure others will benefit from this so thanks again,

    kam

  • karenam

    by jmerichards "After much frustration I can finally report that I have used OpenDNS to enable the following behaviour on my home network:

    • Permit only the Bing search engine, which supports blocking adult images (with a caveat; see below)
    • Completely block access to all other search engines (in the OpenDNS Search Category)
    • Maintain access to Google Maps and YouTube"

    I am hoping that I can continue this thread as I have tried doing everything as you put in your post but Bing is being blocked now even though on my white list. I put in all the whitelist domains and have the same categories blocked except I also blocked visual search engines (though not sure it's doing anything). Please let me know what I can do, if anything.

  • jmerichards
    Hi Karenam, I'm by no means an expert on this stuff, but I would suggest that you flush the DNS and browser caches on every device in your network. I found that this was the only way to ensure that the OpenDNS settings worked. If you have more than one browser on each device, flush the cache of each one. I'd also check that your router is set to use the OpenDNS IP addresses. I hope that helps. I'll be interested to hear how you get on.
  • jmerichards
    Oh sorry; I see Bing is being blocked, so your router must be pointed at OpenDNS IP addresses. Also, I am not blocking the Visual Search engine category, so maybe try unblocking that.
  • schnabeljs

    Rotblitz, I respectfully disagree that using SafeSearch is an adequate solution for the home user.  Unless you have a solution to the contrary, all one needs to do is sign out of your Google account and SafeSearch no longer functions.  My kids figured this out pretty quickly.  Home users are very unlikely to have a server, and much more likely to just have a router to use to point to OpenDNS DNS servers.  Google Images cannot be stopped in this scenario, if one simply signs out of their Google account.  Do you have a solution to this problem that I need to be educated about?

  • rotblitz

    "I respectfully disagree that using SafeSearch is an adequate solution for the home user."

    You may want to let Google know your opinion.  This is unrelated to OpenDNS, because OpenDNS can't do it either due to technical reasons.

    "Unless you have a solution to the contrary, all one needs to do is sign out of your Google account and SafeSearch no longer functions."

    This is not true.  If you follow Google's KB articles, you can make SafeSearch permanent per browser and user, independent of being logged on to Google.

     

  • cindelicato

    = "Unless you have a solution to the contrary, all one needs to do is sign out of your Google account and SafeSearch no longer functions."

    = This is not true.  If you follow Google's KB articles, you can make SafeSearch permanent per browser and user, independent of being logged on to Google.

     

    In addition to what Rotblitz correctly pointed out, removing ADMIN privileges from users will extend by leaps and bounds the ability to prevent users from circumventing content filtering solutions as have been discussed.  

  • jmerichards
    Hi Rotblitz and Cindelicato, To make a bit of a case for us new guys, I have to say that I opted for a domain service simply because of the variety of devices that use my network. I am not the administrator of them all, as often my friends' children come to my house with their laptops or tablets, or mobile phones. My hope in using OpenDNS was that I could easily block domains containing undesirable content. This is only partially true, as the service has its difficulties, not the least of which is dynamic IP's. Yes, if you run desktop units that you control then the problem can be further controlled on the client side, but that is not really a realistic proposition these days. I think that fact deserves some recognition. Having said that, I depend on OpenDNS as a "back-up" to help to prevent as much undesirable material as possible. It does have its limitations, but the marketing of the product seems to imply otherwise to people like myself. My 2 cents worth...
  • cervezafria

    @jmerichards... you said: " the service has its difficulties, not the least of which is dynamic IP's"

    Could you clarify? Dynamic IPs haven't been an issue here. 

Post is closed for comments.