Thank you for your contribution.
I'm afraid that your approach will not work reliably.
Regarding the custom Local DNS Records for Yandex, you may verify this by running e.g.:
~$ nslookup yandex.com
Server: 192.168.1.20
Address: 192.168.1.20#53
Name: yandex.com
Address: 213.180.193.56
Name: yandex.com
Address: 2a02:6b8:a::a
IPv6-capable clients may bypass your redirection attempts by simply using Yandex's IPv6 addresses.
All of your remaining redirection attempts rely on CNAME records.
Local CNAME Records prominently disclaims:
"The target of a CNAME must be a domain that the Pi-hole already has in its cache or is authoritative for. This is a universal limitation of CNAME records."
Resolution requests for your CNAME redirections would result in Pi-hole returning the CNAME target, e.g.
~$ nslookup pixabay.com
Server: 192.168.1.20
Address: 192.168.1.20#53
pixabay.com canonical name = safesearch.pixabay.com.
;; Got SERVFAIL reply from 192.168.1.20, trying next server
** server can't find safesearch.pixabay.com: SERVFAIL
Client software expecting an IP address, like browsers, will acknowledge this with an error message.
To make CNAMEs work, you'd have to define the respective local DNS records (A and AAAA) for resolution targets as well.
If you consider this, you should be aware that when acquiring the IP addresses to add, the IPs you would receive for resolving a given domain may differ from those that someone requesting it from another geographical location may see.
Also, this approach may break as soon as public DNS resolution of such a target domain would change to a different IP.
To temporarily mitigate this, you could do manual lookups for the CNAME target domains:
nslookup safe.duckduckgo.com <your.pihole.host.ip>
nslookup strict.bing.com <your.pihole.host.ip>
nslookup forcesafesearch.google.com <your.pihole.host.ip>
nslookup restrictmoderate.youtube.com <your.pihole.host.ip>
nslookup safesearch.pixabay.com <your.pihole.host.ip>
Substitute <your.pihole.host.ip> with your respective IP address.
This will make the CNAME target records known to Pi-hole by injecting them into Pi-hole's cache. Until the TTL of those records expires, your CNAME redirects will then work.
You could probably run a cron job executing those nslookups every 5 minutes or so (currently, 300 seconds seems to be the lowest TTL for the above safe search domains).
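
The cache-priming lookups described above, wrapped in a script that also flags any target still failing with SERVFAIL; this is an added example, not part of the original post. The function names, the `PIHOLE_IP` variable and the script path in the cron comment are assumptions.

```sh
#!/bin/sh
# Added example: prime Pi-hole's cache with the CNAME targets from the post
# and report every target that did not come back with an address.
# Assumed cron entry (hypothetical script path):
#   */5 * * * * PIHOLE_IP=<your.pihole.host.ip> /usr/local/bin/prime-safesearch.sh >/dev/null

# CNAME targets listed in the post.
TARGETS="safe.duckduckgo.com strict.bing.com forcesafesearch.google.com restrictmoderate.youtube.com safesearch.pixabay.com"

# Thin wrapper around nslookup so the parsing below can be exercised offline.
lookup() { nslookup "$1" "$2" 2>&1; }

# classify_answer: read nslookup output on stdin and print one of
#   resolved  - at least one answer address followed a "Name:" line
#   servfail  - no address, and the resolver replied SERVFAIL
#   noaddress - no address and no SERVFAIL
# The "Address:" line under "Server:" precedes any "Name:" line, so it is not counted.
classify_answer() {
    awk '
        /^Name:/               { seen_name = 1; next }
        seen_name && /^Address/ { addrs++ }
        /SERVFAIL/             { servfail = 1 }
        END {
            if (addrs > 0)     print "resolved"
            else if (servfail) print "servfail"
            else               print "noaddress"
        }'
}

# prime_targets SERVER: look up every target through SERVER (which caches the
# answer), print "target status" per line, and return the number of failures.
prime_targets() {
    server=$1
    failures=0
    for target in $TARGETS; do
        status=$(lookup "$target" "$server" | classify_answer)
        printf '%s %s\n' "$target" "$status"
        [ "$status" = "resolved" ] || failures=$((failures + 1))
    done
    return "$failures"
}

# Run only when a resolver address is supplied through the environment.
if [ -n "${PIHOLE_IP:-}" ]; then
    prime_targets "$PIHOLE_IP"
fi
```

A non-zero exit status is the count of targets that did not resolve, so the cron job can alert on it.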