Use Wildcard to Limit TLD (and block Google search images)
Hi Folks,
I'm new, so please take it easy.
I know this has been canvassed to death over the years on OpenDNS forums, but I have found no recent discussion on the subject.
I want to be able to block all Google search sites, without having to list and maintain every TLD they prefix "google" to. For example, I'd like to be able to enter "google.*" into my always block list, then allow certain Google domains (e.g. translate.google.com). I've already got explicit blocking on google.com, google.ca, etc., but the list is too extensive to reasonably maintain. I'm allowing translate.google.com through and it all seems to work and I have not noticed any performance issues.
For those people that are wondering why, it's because Google do not support blocking porn from their search results, but Bing do (via explicit.bing.com). I am blocking access to all Google search sites in favour of Bing for this reason.
If you'd like to suggest installing other software on computers, that is not feasible because of the number of devices accessing the Internet through my network (tablets, computers, TVs, etc.).
Any help or suggestions welcome, thanks in advance.
EDIT: Please see the document attached to this original post (below) for a summary solution from this thread.
Use Wildcard to Limit TLD (and block Google search images).pdf
-
Hi Rotblitz,
Appreciating the feedback, thanks. Client based solutions aren't much use I'm afraid, as there are browsers built into other devices that also need blocking. I've used your suggestion to block the search engine category, and it seems to do the trick. "Safe" image queries on Bing yield pictures, "unsafe" ones yield placeholders only; that's great.
I've added maps.google.com to the "never block" list, but it is still being blocked. I've tested this on numerous devices and computers - I cleared the cache and flushed DNS but still no go. Any suggestions on that? TIA
-
It looks like the following domains are also accessed when querying maps.google.com: google.com, apis.google.com, maps.google.com, plus.google.com
Since you want google.com to remain blocked, you may want to try unblocking apis.google.com to see if that allows you to access maps.google.com.
-
"Client based solutions aren't much use I'm afraid"
Hey, Google SafeSearch is not only a client based solution, but also a server based one:
https://support.google.com/websearch/answer/144686?hl=en
If you deploy a proxy on your web traffic, it may be possible to configure your proxy to append &safe=strict to all search requests sent to Google. This parameter enables strict SafeSearch for all searches, regardless of the setting on the Google Preferences page.
https://support.google.com/websearch/answer/186669?hl=en
To enable SafeSearch throughout a school network, you can use a proxy server to append &safe=active directly to all search URLs. This will enable strict SafeSearch.
"I've added maps.google.com to the "never block" list, but it is still being blocked."
Not everything is hosted on maps.google.com, but also other (Google) domains are involved. Check with a tool like http://www.nirsoft.net/utils/dns_query_sniffer.html or with your OpenDNS domain stats to see what domains still need to be whitelisted.
-
@Kristy - many thanks. I did manage to get maps to load (actually I did nothing, it just started to work), but the map background did not load. I'd been trying to find out what other domains served map data, so I'll try your suggestion and post back.
@rotblitz - again, thanks for the detailed help. I don't use a proxy as this is a home network and a proxy always seemed like added hassle and maybe expense. It also seemed to be taking a sledge hammer to a peanut. However, I may have to consider this option again if it will help to keep my kids safe.
A general question relating to the various domains with maps; I'd noticed that the sub domain l.google.com is used with maps and many other Google sites. What is the general rule with OpenDNS when it comes to blocking - use the actual sub domain name, or is it sufficient to block alias names? Thanks again.
-
First off, Kristy: tried adding apis.google.com to the whitelist - no joy. Map page loads but actual map background (the important bit) does not.
@rotblitz Since I blocked the search engine category I have also not been able to get youtube to load, despite whitelisting that and a variety of sub domains. I'm no longer getting the OpenDNS block logo for YouTube, but it only partially loads the page. Interestingly, whitelisting only youtube.com still resulted in the OpenDNS block message.
I am only seeing this behaviour with Google maps and youtube. I was able to whitelist yahoo.com and it started working straight away. Anyone else have similar issues with Google domains? Perhaps I should start a new thread?
-
I think I have the solution to my problem. Just to recap - I wanted to block the google search engine because of porn. Rotblitz suggested (quite rightly) blocking the entire search engine category. I did so, which had the effect of breaking my access to youtube and google maps, which I wanted to keep. The answer is to add, believe it or not, google.com to the whitelist, but still leave the search engine category blocked. Doing this, plus whitelisting Bing means I have all search engines other than Bing blocked, but still have access to other desirable Google services. Thank you both all for your help.
-
Actually, it didn't fix it. :(
Ok, the problem I'm having is that I've blocked the search engine category, which also blocks YouTube and Google Maps - I don't want YouTube and Google Maps to be blocked. So, I whitelist youtube.com, s.ytimg.com, ytimg.com, maps.google.com and maps.google.com.au (as I'm in Australia). I've also white listed bing.com and yahoo.com.
Here's the rub - bing and yahoo load, as you'd expect as they're white listed. Google Maps and YouTube do not load, despite being white listed. Do we have an idea why this is and what the best way to approach it is? It doesn't seem to be a problem with OpenDNS, it must be Google trickery?
-
Couple of things to do...
1) look through your stats over the past day and see what is getting blocked... not everything is obvious but trial/error whitelisting can help.
or...
2) run Fiddler in the background and see what comes up when you try to load maps, for example. You'll see immediately which connections are being blocked. Again... whitelist trial & error (as some of the blocks may be legitimate, for example for adware).
For youtube... I also would whitelist gstatic.com (loads with both maps and youtube). You can delete s.ytimg.com, since that is already available through your whitelisted ytimg.com
-
I think I need some help interpreting Fiddler (looks awesome though).
Several other domains listed in Fiddler results that I have not whitelisted - I have to go out now so can't elaborate until tomorrow.
Interestingly (to me) there is a sub-domain called "safesearch.google.com". Could this be a key to helping resolve this issue?
More tomorrow...
-
Back again. Whitelisting gstatic did not help. Seems that the whole site loads properly, with the exception of the image header. I can even see all the video tiles, but when I click on one (any one) I get the "An error occurred, please try again later." message.
I also had this issue reported by Fiddler:
----
Session #94: The remote server (apis.google.com) presented a certificate that did not validate, due to RemoteCertificateNameMismatch.
SUBJECT: CN=*.opendns.com, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)12, OU=GT55236522, SERIALNUMBER=UoFmxu6ta5ecJiIs4su2w-q-u8rxJ/d3
ISSUER: CN=RapidSSL CA, O="GeoTrust, Inc.", C=US
EXPIRES: 25/09/2014 8:42:00 PM
----
It's the only hint I've seen of anything to do with OpenDNS. Mean anything to anyone?
-
This browser generated certificate warning appears generally if you try to access an HTTPS site, but the related domain is either blocked by your OpenDNS settings or cannot be resolved to an IPv4 address by OpenDNS.
Also, apis.google.com is an alias for the real name plus.l.google.com. Have you blocked this?
-
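The diagnosis in the reply above, as an added example that is not part of the original thread: it reads a Fiddler certificate error like the one posted and reports whether the certificate belongs to the DNS filter's block page rather than to the requested host. The `FILTER_SUFFIXES` value is taken from the certificate subject shown in the thread; the function names are hypothetical.

```python
import re

# Assumption: the filter's block page presents a certificate for this domain,
# as in the Fiddler output quoted in the thread (CN=*.opendns.com).
FILTER_SUFFIXES = ("opendns.com",)

def cn_matches(pattern, host):
    """Match a certificate name; '*' is only valid as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def parse_fiddler_mismatch(text):
    """Return (requested host, subject CN) from a Fiddler certificate error."""
    host = re.search(r"remote server \(([^)]+)\)", text)
    cn = re.search(r"SUBJECT:\s*CN=([^,\s]+)", text)
    if not host or not cn:
        raise ValueError("not a certificate error report")
    return host.group(1), cn.group(1)

def classify(text):
    """Return (host, verdict): 'match', 'filter-block' or 'other-mismatch'."""
    host, cn = parse_fiddler_mismatch(text)
    if cn_matches(cn, host):
        return host, "match"
    bare = cn[2:].lower() if cn.startswith("*.") else cn.lower()
    if any(bare == s or bare.endswith("." + s) for s in FILTER_SUFFIXES):
        # The name resolved to the filter, so the host is blocked (or did not
        # resolve); the fix is in the block/allow lists, not in the browser.
        return host, "filter-block"
    return host, "other-mismatch"

# First two lines of the Fiddler report quoted in the thread (subject trimmed).
REPORT = (
    "Session #94: The remote server (apis.google.com) presented a certificate "
    "that did not validate, due to RemoteCertificateNameMismatch.\n"
    "SUBJECT: CN=*.opendns.com, OU=Domain Control Validated - RapidSSL(R)\n"
)

if __name__ == "__main__":
    print(classify(REPORT))
```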
After much frustration I can finally report that I have used OpenDNS to enable the following behaviour on my home network:
- Permit only the Bing search engine, which supports blocking adult images (with a caveat; see below)
- Completely block access to all other search engines (in the OpenDNS Search Category)
- Maintain access to Google Maps and YouTube
Things I learned:
- Bing will still allow "non-porn" search terms (e.g. vagina) to return what I consider "adult" images
- In order to ensure "safe" images are returned on Bing it is necessary to whitelist mm.bing.net (not bing.net, as that will let porn in)
- To get Google Maps going required whitelisting maps.google.com, maps.google.com.au (I'm in Australia), mts0.google.com and mts1.google.com (in order to display map background) and gstatic.com
- YouTube worked after whitelisting googlesyndication.com, googletagservices.com, googlevideo.com, gstatic.com, youtube.no-cookie.com and ytimg.com
- It seemed Google's 1e100.net was required in my case for some services
- Whitelisting accounts.google.com and accounts.google.com.au did nothing as they both redirect to google.com during a login event (some gurus needed to solve that one!)
The categories that I am blocking are:
- Drugs
- Gambling
- Lingerie/Bikini
- Sexuality
- Hate/Discrimination
- Proxy/Anonymizer
- Tasteless
- Adware
- Dating
- Nudity
- Pornography
- Search Engines
- Weapons
The complete whitelist I am using is:
- 1e100.net
- accounts.google.com
- accounts.google.com.au
- bing.com
- googlesyndication.com
- googletagservices.com
- googlevideo.com
- gstatic.com
- maps.google.com
- maps.google.com.au
- mm.bing.net
- mts0.google.com
- mts1.google.com
- safebrowsing.google.com
- search.live.com
- translate.google.com
- youtube.com
- youtube.no-cookie.com
- ytimg.com
I hope this helps somebody else. You may need to change some things to suit your location.
Thank you very much to those who offered their advice (rotblitz and cervezafria in particular). I definitely recommend grabbing the Fiddler2 app, that was a great tip.
Merry Christmas to all.
-
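The trial-and-error whitelisting described in this thread can be checked mechanically. The following is an added example, not part of the original posts: it compares hostnames seen while a page loads (from Fiddler or a DNS query sniffer) against the whitelist. It assumes an entry allows the domain and all its subdomains, as the thread's ytimg.com / s.ytimg.com remark implies; the function names and the observed hostnames are constructed.

```python
def normalize(name):
    """Lower-case a hostname and drop any trailing dot."""
    return name.strip().rstrip(".").lower()

def covers(entry, host):
    # Assumption: an entry matches itself and every subdomain beneath it.
    entry, host = normalize(entry), normalize(host)
    return host == entry or host.endswith("." + entry)

def redundant_entries(whitelist):
    """Map each entry that a shorter entry already covers to that entry."""
    found = {}
    for entry in whitelist:
        for other in whitelist:
            if normalize(entry) != normalize(other) and covers(other, entry):
                found[normalize(entry)] = normalize(other)
    return found

def uncovered(whitelist, observed):
    """Observed hostnames that no entry allows, in first-seen order."""
    seen, missing = set(), []
    for host in map(normalize, observed):
        if host in seen:
            continue
        seen.add(host)
        if not any(covers(e, host) for e in whitelist):
            missing.append(host)
    return missing

def too_broad(whitelist, keep_blocked):
    """Entries that would also unblock a domain meant to stay blocked."""
    return [normalize(e) for e in whitelist
            if any(covers(e, b) for b in keep_blocked)]

# Whitelist as posted earlier in the thread, before the final version.
WHITELIST = ["youtube.com", "s.ytimg.com", "ytimg.com", "maps.google.com",
             "maps.google.com.au", "bing.com", "yahoo.com"]

# Constructed sample of hostnames seen while loading Maps and YouTube.
OBSERVED = ["www.youtube.com", "i.ytimg.com", "maps.google.com",
            "mts0.google.com", "mts1.google.com", "www.gstatic.com",
            "apis.google.com", "MTS0.google.com."]

if __name__ == "__main__":
    print("still blocked:", uncovered(WHITELIST, OBSERVED))
    print("redundant:", redundant_entries(WHITELIST))
    print("too broad:", too_broad(WHITELIST + ["google.com"], ["google.com"]))
```

The `too_broad` check covers the case raised in the thread where whitelisting google.com itself would undo the block on Google search.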
No problem cervezafria, I hope someone benefits from it.
NB: I'd had apis.google.com whitelisted the other day, then must've removed it. I added it back when I posted the "December 06, 2013 07:14" comment and it then blocked access to youtube again. I have removed apis.google.com from the whitelist and I now have access back.
Go figure...
-
jmerichards, yes, this kind of detail is just what us non techy types need. I don't even understand most of the stuff you said but can easily see from your list what I need to do to make OpenDNS work for our family. I was really frustrated with the images that can be seen on google images search even though visual search engines are blocked. What exactly is a visual search engine if not google images? Oh well. Will try what you have done and hope it works, with teenage boys this is a must. I am sure others will benefit from this so thanks again,
kam
-
by jmerichards "After much frustration I can finally report that I have used OpenDNS to enable the following behaviour on my home network:
- Permit only the Bing search engine, which supports blocking adult images (with a caveat; see below)
- Completely block access to all other search engines (in the OpenDNS Search Category)
- Maintain access to Google Maps and YouTube"
I am hoping that I can continue this thread as I have tried doing everything as you put in your post but Bing is being blocked now even though on my white list. I put in all the whitelist domains and have the same categories blocked except I also blocked visual search engines (though not sure it's doing anything). Please let me know what I can do, if anything.
-
Hi Karenam,
I'm by no means an expert on this stuff, but I would suggest that you flush the DNS and browser caches on every device in your network. I found that this was the only way to ensure that the OpenDNS settings worked. If you have more than one browser on each device, flush the cache of each one. I'd also check that your router is set to use the OpenDNS IP addresses. I hope that helps. I'll be interested to hear how you get on.
-
Rotblitz, I respectfully disagree that using SafeSearch is an adequate solution for the home user. Unless you have a solution to the contrary, all one needs to do is sign out of your Google account and SafeSearch no longer functions. My kids figured this out pretty quickly. Home users are very unlikely to have a server, and much more likely to just have a router to use to point to OpenDNS DNS servers. Google Images cannot be stopped in this scenario, if one simply signs out of their Google account. Do you have a solution to this problem that I need to be educated about?
-
"I respectfully disagree that using SafeSearch is an adequate solution for the home user."
You may want to let Google know your opinion. This is unrelated to OpenDNS, because OpenDNS can't do it either due to technical reasons.
"Unless you have a solution to the contrary, all one needs to do is sign out of your Google account and SafeSearch no longer functions."
This is not true. If you follow Google's KB articles, you can make SafeSearch permanent per browser and user, independent of being logged on to Google.
-
= "Unless you have a solution to the contrary, all one needs to do is sign out of your Google account and SafeSearch no longer functions."
= This is not true. If you follow Google's KB articles, you can make SafeSearch permanent per browser and user, independent of being logged on to Google.
In addition to what Rotblitz correctly pointed out, removing ADMIN privileges from users will extend by leaps and bounds the ability to prevent users from circumventing content filtering solutions as have been discussed.
-
Hi Rotblitz and Cindelicato,
To make a bit of a case for us new guys, I have to say that I opted for a domain service simply because of the variety of devices that use my network. I am not the administrator of them all, as often my friends' children come to my house with their laptops or tablets, or mobile phones. My hope in using OpenDNS was that I could easily block domains containing undesirable content. This is only partially true, as the service has its difficulties, not the least of which is dynamic IPs. Yes, if you run desktop units that you control then the problem can be further controlled on the client side, but that is not really a realistic proposition these days. I think that fact deserves some recognition. Having said that, I depend on OpenDNS as a "back-up" to help to prevent as much undesirable material as possible. It does have its limitations, but the marketing of the product seems to imply otherwise to people like myself. My 2 cents worth...