I'm really new to pi-hole, I was trying to keep up with what you guys were doing but I'm having a hard time.
Could you possibly make a step be step on how you did this?
And also if you figured out the Google Safe Search thing.
Thanks in advance. 
1 Like
Reference for domain names here and here
Create a file /etc/dnsmasq.d/05-restrict.conf, us a higher number if you already have a 05 entry. Don't use 01 (pihole core) 02 (pihole dhcp) or 03 (pihole wildcards):
# reference: https://support.opendns.com/hc/en-us/articles/227986807-How-to-Enforcing-Google-SafeSearch-YouTube-and-Bing
# YouTube
# you can also implement a moderate setting
# replace restrict.youtube.com with restrictmoderate.youtube.com
cname=www.youtube.com,restrict.youtube.com
cname=m.youtube.com,restrict.youtube.com
cname=youtubei.googleapis.com,restrict.youtube.com
cname=youtube.googleapis.com,restrict.youtube.com
cname=www.youtube-nocookie.com,restrict.youtube.com
# SafeSearch
cname=www.google.com,forcesafesearch.google.com
# Bing Family Filter
cname=www.bing.com,strict.bing.com
test (for typo's) - should report dnsmasq: syntax check OK.
dnsmasq --test
edit your hosts file
sudo nano /etc/hosts
enter the following entries (leave the original content, just add the following)
216.239.38.120 restrict.youtube.com
216.239.38.119 restrictmoderate.youtube.com
216.239.38.120 forcesafesearch.google.com
204.79.197.220 strict.bing.com
restart the dns service
sudo service dnsmasq restart
I don't think it's really necessary to update the addresses regularly, since it would brake protection for a lot of people worldwide, if they changed, but you can run (from time to time) the script that's listed above. The script has changed to allow for the additional entries to be processed correctly!
haven't tried safe search or youtube (kingmoocow seems to have had good results) but bing produces this:
8 Likes
This is well done, thanks for getting to this first.
The added 05 file is also probably a much better practice than what I'm currently doing - putting the cname entries in the dnsmasq.conf file (however it doesn't appear that this file gets overwritten by pihole updates - though it's possible that it gets muddled by other updates in the future (I also haven't yet noticed that 02 and 03 are reserved, guess I haven't added anything that created them).
The addition of bing is also a nice touch. I still haven't tested google safe search though - I'll do that today.
Wish there was a more comprehensive place to find all of these types of settings - the palo alto is good; maybe there really just are not many engines that do this kind of thing.
Thank you so much for your answer and how quickly you got back to me.
I just had one more question.
What is the command to create a /etc/dnsmasq.d/05-restrict.conf? And add in the links.
I'm running it on the Raspberry Pi 3 running Dietpi.
Also I'm just curious, how long have you guys been at this stuff?
When I read people's discussions I'm shocked at how many geniuses are out there and how little I know. There are so many pi projects that are really cool.
So far my favorites are Retropie and Pi-hole
You can find a detailed basic installation manual here. This manual assumes raspbian jessie lite, version march 2017, but most things will be identical. Among other things, it explains how to setup putty and winscp, witch will allow you to create/edit files easier.
you might want to append the solution w/ duckduckgo settings?
= DUCKDUCKGO =
duckduck settings
something like
cname=www.duckduckgo.com,safe.duckduckgo.com and then, of coarse, update the host file w/ IP
= YAHOO =
Not sure if this helps or not; to my knowledge you need a proxy to append, is that true?
"Appending vm=r to a Yahoo search query URL also enables the strictest safe search settings."
Old thread, sorry. Would love to see this as a built-in feature that can be enabled/disabled within the UI. Just a thought...
1 Like
Hi,
I just set up pi-hole today so I'm still learning a lot. I'm trying to force Google and youtube to safe search. Attached is an image of my 05-restrict.conf file and my /etc/hosts file. I've also set up Bing safe search.
Bing safe search works. Google and Youtube do not block anything. Searching for 'Porn', 'Nude', etc bring up what you would expect from Google and Youtube while Bing tells me I"m under protected search.
For testing whether it's working I've flushed the cache of pi-hole and tried using Firefox and Chrome in incognito mode to make sure nothing was cached.
Any ideas why this configuration is not working for Google and Youtube?
I made it with chmod +x ip.sh executable
But when I enter sudo bash ip.sh
It gives the following error:
sed: -e expression #1, char 41: unterminated `s' command
What does this mean?
I've never tested the script with duckduckgo, this was added later by @picante here. The script can't handle the output from dig, hence, the error message.
I've modified the script (I'm NOT a script guru, there might be a better way). Here is the summary of things you need to have, in order for this to work.
- Modify /etc/hosts, it should contain:
# restricted youtube, bing, google and duckduckgo search
216.239.38.120 restrict.youtube.com
216.239.38.119 restrictmoderate.youtube.com
216.239.38.120 forcesafesearch.google.com
204.79.197.220 strict.bing.com
46.51.179.90 safe.duckduckgo.com
- Create an aditional dnsmasq configuration file, for example /etc/dnsmasq.d/98-restrict.conf.
Use any number you haven't used yet, apart from 01, 02 and 03 (see earlier for an explanation). This new file should contain the following:
# YouTube
# you can also implement a moderate setting
# replace restrict.youtube.com with restrictmoderate.youtube.com
cname=www.youtube.com,restrict.youtube.com
cname=m.youtube.com,restrict.youtube.com
cname=youtubei.googleapis.com,restrict.youtube.com
cname=youtube.googleapis.com,restrict.youtube.com
cname=www.youtube-nocookie.com,restrict.youtube.com
# SafeSearch
cname=www.google.com,forcesafesearch.google.com
# Bing Family Filter
cname=www.bing.com,strict.bing.com
# duckduckgo
cname=www.duckduckgo.com,safe.duckduckgo.com
You can test the new configuration file by running:
dnsmasq --test
- restart dnsmasq, if you're still using the current production version:
sudo service dnsmasq restart
if you're already using FTLDNS, restart FTLDNS (I'm not running FTLDNS, I found the restart command here):
sudo systemctl start pihole-FTL.service
- You might want to update the IP addresses, using a script, but I don't think this is necessary. I wrote the original guidelines over a year ago, the addresses have not changed. Here is the updated script:
#!/bin/bash
update_ip_address() {
file=/etc/hosts
if [[ $(grep $1 $file) ]]; then
IP=$(nslookup -query=A $1 8.8.8.8 | grep 'Address:' | tail -1 | \
grep -oE '((1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])\.){3}((1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5]))')
sed -i "/$1/ s/.*/$IP\t$1/g" $file
fi
}
update_ip_address restrict.youtube.com
update_ip_address restrictmoderate.youtube.com
update_ip_address strict.bing.com
update_ip_address forcesafesearch.google.com
update_ip_address safe.duckduckgo.com
Hope this helps...
@DL6ER: as suggested somewhere in this topic, this might be a nice feature to add to the web interface, so users can activate / deactivate safe search with a single click.
2 Likes
I didn't get duck to work. My post had a link to duck settings, which states you have to append to the URL to force safe searches, not sure if the approach discussed here can do that.
According to this, using safe.duckduckgo.com is a solution, among others.
I use edge, just typed 'nude' in the address bar, this is the result:
I have no idea how to remove the possibility to turn off the option to disable the safe search. Anybody?
any step by step tuto or full install script by any chance ?
1 Like
Unfortunately, this doesn't help. pihole handles DNS entries and isn't capable of adding/modifying stuff to URL's, at least not that I know of.
The idea is to provide safe search without any local user interaction, local installation on the target machine(s), or possibility to tamper with the result.
Hey folks, I have made a script to make this much easier!
https://raw.githubusercontent.com/jaykepeters/Scripts/Deployment/Pi-hole_SafeSearch.sh
4 Likes
Thanks for the feedback, @anon55913113! I will work to implement this into the next version within an hour or so. I am not 100% sure if DuckDuckGo can be forced into SafeSearch all the time, but for now we will just add it to the CNAME's in "/etc/dnsmasq.d/05-restrict.conf" and safe.duckduckgo.com will be added to the hosts file, per your request. You are more than welcome to collaborate with me on this on GitHub as well.
I think your idea works!
And when I try to turn safesearch off, it stays on! DuckDuckGo must have recently added this functionality as it did not work earlier this year (May/June)
You will never see it using forcesafesearch.google.com or safe.duckduckgo.com in the web browser, DNS does that behind the scenes. That is because it is a CNAME record. I may have mislead you, I attempted to to it in May/June but it did not work. Now it does work. This has been an open feature request with duckduckgo for some time now.
As you can see below, it is working for me:
How do the last lines of /etc/dnsmasq.d/05-restrict.conf and /etc/hosts look?
I have tried this with two pi-holes and I can confirm it is working. Is your devices' DNS cache cleared and is it using Pi-hole as it's ONLY dns server? This would cause conflict.
Try my main Public Pi-hole at 35.188.83.81, and only use 35.239.60.156 if that does not respond.... They should have Safesearch enabled...
Thanks for checking it out! I will work on that tomorrow... So can you really eliminate the hosts entries now? How about google since there are 300+ domains...
And where would this be added?