Force Safesearch using CNAME breaks sites

When using CNAME for safesearch for Google, Bing, it breaks the sites.

I am using www.google.com as the domain and forcesafesearch.google.com as the target domain, and it breaks the site.

The same with Bing: I use www.bing.com and strict.bing.com.

Why does it break the sites?

Note the text which appears in the CNAME section:

The target of a CNAME must be a domain that the Pi-hole already has in its cache or is authoritative for. This is a universal limitation of CNAME records.
...
Additionally, you can't CNAME external domains (bing.com to google.com) successfully as this could result in invalid SSL certificate errors when the target server does not serve content for the requested domain.

Yeah I saw that.. but that just says I can't do bing.com to google.com... which is not what I am trying to do.

That's just an example of trying to direct one external site to another.

Edit - try using only an upstream server that doesn't have DNSSEC, for example Level 3 and Comodo appear to not have it based on the list in Settings > DNS. If Google promotes that CNAME redirection it stands to reason that they are supporting it with the correct SSL, and it might just be the DNSSEC element which is making it fail.

I understand, but that is not what I am trying to do.

I'm using Unbound with Quad9 as the upstream DNS server.

Try Quad9 (unfiltered, no DNSSEC), third one up on the DNS page, as the single upstream, to test if DNSSEC has any bearing on what you're seeing.

Thing is that I set the upstream DNS server as part of the Unbound config.. using

[image]

That's okay, you can return to that later, but for now untick it and tick the one I mentioned and try that, it's just to test.

Doing that makes things weird.. the wifi device has no internet... even after refreshing the connection. LAN PC seems ok.

See this post for why it fails in your browser and a possible script-based workaround.

Regarding the general idea, the CNAME disclaimers are correct but I'd expect Google to have sorted the SSL aspect if they're promoting this as a way to force safe search. When I try it with Unbound it returns BOGUS results, meaning the domain info doesn't match what I requested, which I'd imagine is correct. I suggested using a non-DNSSEC upstream and disabling DNSSEC in Pi-hole as a possible way to avoid that, but I don't know if it's relevant.

Wow.. that sucks haha.. The way I am forcing safe search now is using DNS records, but hopefully the IPs never change.

I just wanted to try the CNAME option, but I guess that's not working. I did notice DuckDuckGo works fine using the CNAME.. it's only Bing and Google that have the issue.
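
The DNS-record approach in the last post only holds while the safe-search IPs stay the same. As an added example (not part of the thread and not Pi-hole code), this Python script re-resolves the two safe-search hostnames named above, builds hosts-format records for www.google.com and www.bing.com, and reports any record whose IP has changed. The function names and the `safesearch.hosts` output file are assumptions; point the file at wherever your local DNS records are kept.

```python
import socket

# Search hostname -> vendor safe-search hostname, the pairs named in the thread.
SAFESEARCH = {
    "www.google.com": "forcesafesearch.google.com",
    "www.bing.com": "strict.bing.com",
}

def resolve_ipv4(name):
    """Return the sorted IPv4 addresses the system resolver gives for name."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def build_records(mapping=SAFESEARCH, resolver=resolve_ipv4):
    """Build hosts-format lines ("IP name") pinning each search host to a safe-search IP."""
    lines = []
    for search_host, safe_host in sorted(mapping.items()):
        addrs = resolver(safe_host)
        if not addrs:
            # Fail closed: never write a record set that leaves a host unpinned.
            raise RuntimeError(f"no A record for {safe_host}")
        lines.append(f"{addrs[0]} {search_host}")
    return lines

def changed_records(current_lines, new_lines):
    """Return (name, old_ip, new_ip) for each name whose pinned IP differs or is missing."""
    def parse(lines):
        out = {}
        for line in lines:
            parts = line.split("#", 1)[0].split()  # drop comments, split "IP name..."
            for name in parts[1:]:
                out[name] = parts[0]
        return out
    old, new = parse(current_lines), parse(new_lines)
    return [(n, old.get(n), ip) for n, ip in sorted(new.items()) if old.get(n) != ip]

if __name__ == "__main__":
    HOSTS_FILE = "safesearch.hosts"  # assumed output path, not a Pi-hole default
    try:
        with open(HOSTS_FILE) as fh:
            current = fh.read().splitlines()
    except FileNotFoundError:
        current = []
    fresh = build_records()
    for name, old_ip, new_ip in changed_records(current, fresh):
        print(f"{name}: {old_ip} -> {new_ip}")
    with open(HOSTS_FILE, "w") as fh:
        fh.write("\n".join(fresh) + "\n")
```

Run it on a schedule so a changed address shows up as a reported difference rather than as a silently stale record.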
