Use DNS to force YouTube into restricted mode - and Pi-Hole


That looks nice. I have not tested it, but I was browsing through the code and you could replace: silently service pihole-FTL restart with pihole restartdns reload so you don’t have to use service/systemctl.

This replacement does the same thing, but it is done by Pi-hole itself.

There is a safesearch version of DuckDuckGo:

Something like this?



Thanks for the feedback, @msatter! I will work to implement this into the next version within an hour or so. I am not 100% sure if DuckDuckGo can be forced into SafeSearch all the time, but for now we will just add it to the CNAMEs in “/etc/dnsmasq.d/05-restrict.conf” and it will be added to the hosts file, per your request. You are more than welcome to collaborate with me on this on GitHub as well.



I think your idea works!
And when I try to turn safesearch off, it stays on! DuckDuckGo must have recently added this functionality, as it did not work earlier this year (May/June).



I tried it myself and I don’t see it using and when I am searching, it searches not safe.

I tried above the earlier cname implementation but never got a working solution like you in May/June.

If it is working for the other search engines then it is great then leave the duckduckgo exclusion enforced.



You will never see it using or in the web browser, DNS does that behind the scenes. That is because it is a CNAME record. I may have misled you: I attempted to do it in May/June but it did not work. Now it does work. This has been an open feature request with DuckDuckGo for some time now.

As you can see below, it is working for me:

How do the last lines of /etc/dnsmasq.d/05-restrict.conf and /etc/hosts look?

I have tried this with two Pi-holes and I can confirm it is working. Is your device’s DNS cache cleared and is it using Pi-hole as its ONLY DNS server? This would cause conflict.

Try my main Public Pi-hole at, and only use if that does not respond… They should have Safesearch enabled…



My bad. I didn’t implement the entries in the host file so I had only a half of the needed implementation.

I will have a new go at it.



It works great and I have found a way to not have to edit the /etc/hosts file and compact the lines even more:

So you only have to edit the 05-restrict.conf file to make CNAME working for safesearch.

Also the regex part could be more efficient if those are TLD.


They are anchored at the end with “$” so that makes it more easy.



Thanks for checking it out! I will work on that tomorrow… So can you really eliminate the hosts entries now? How about google since there are 300+ domains…



I did only test the duckduckgo part and if it works there then it should also work on other domains you want to CNAME.

I did not see a long list +300 of Google domains. In regex I have the following lines for Google:

### Google ####################################################################

\.[a-z]{2,7}$ matches any TLD between 2 and 7 characters long.



And where would this be added?



This goes in the /etc/pihole/regex.list file.

If you have for me the +300 Google list then I can check it against this regex filter.

I got also one for Facebook complete blocker, because that is spying as bad as Google does. The Google regex only blocks spying stuff and I am going far in that.



Use this:
Do you see how Google has 300+ top level domains? Each of them needs a CNAME DNS record to enforce SafeSearch. The question I was asking was: Would I just need 1 host record for Google SafeSearch so I don’t have to put it in the hosts file? I don’t understand what your regex is for either. Is it to block other websites that may expose adult content?



Pi-hole has an name local.list and in the same way host-record works in DNSmasq so no need to use the hosts file.
You only need one entry as long the +300 cnames point to that.

Looking at the list, it is covering the TLDs that Google is using. That is why I do not use a specific TLD in the regex.
So you still need all +300 entries, but you condense them to a few lines. As long the is on the end of each line.

You can’t use regex for that and my rules protects your own privacy.



So the list can be contracted a bit by putting each TLD on one line:

# /tmp/safesearch.txt generated on 12/30/2018 01:54 by pi-hole
# Google SafeSearch Implementation,,2001:4860:4802:32::78

Or the Google part even more condensed, but I think the top one is preferred:

# Google SafeSearch Implementation


Ok, I see. You have IPv4 and IPv6 records. Could I put multiple IPv4 addresses to point to a host and dnsmasq would do it round robin? Or should I randomly select an IP?

Happy New Year!



I am working on making a Python command line tool to accomplish this very task. This is turning into more of a project and I don’t think bash will do the trick anymore. I will have it done by the end of the week.



Thanks, and a happy new year to you.

You can only enter one IPv4 and one IPv6 address so no round robin possible.

    Add A, AAAA and PTR records to the DNS. This adds one or more names to the DNS with associated IPv4 (A) and IPv6 (AAAA) records. A name may appear in more than one --host-record and therefore be assigned more than one address. Only the first address creates a PTR record linking the address to the name. This is the same rule as is used reading hosts-files. --host-record options are considered to be read before host-files, so a name appearing there inhibits PTR-record creation if it appears in hosts-file also. Unlike hosts-files, names are not expanded, even when --expand-hosts is in effect. Short and long names may appear in the same --host-record, eg. --host-record=laptop,,,1234::100

    If the time-to-live is given, it overrides the default, which is zero or the value of --local-ttl. The value is a positive integer and gives the time-to-live in seconds.

Take your time and I had the impression that host-record made things easier. You are staying in the Pi-hole/DNSmasq environment.

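The layout discussed above (one host-record for the SafeSearch target, with the country domains pointed at it by compact cname lines) can be generated from a domain list. This is an added example, not part of the thread or of the poster's script. The target name `forcesafesearch.google.com`, the placeholder IPv4 address, the sample domain list and the function names are assumptions; only the IPv6 address appears in the thread.

```python
import re

# Assumed values for illustration; only IPV6 appears in the thread.
TARGET = "forcesafesearch.google.com"  # Google's SafeSearch host (not on the page)
IPV4 = "192.0.2.10"                    # placeholder (TEST-NET-1): substitute the real A record
IPV6 = "2001:4860:4802:32::78"

# Constructed sample input; the real list has 300+ Google country domains.
SAMPLE_DOMAINS = """
google.com
www.google.de
Google.co.uk
google.com.au
# comment line
google.de
not a domain
forcesafesearch.google.com
"""

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile(rf"^(?:{_LABEL}\.)+[a-z]{{2,63}}$")

def parse_domains(text, target=TARGET):
    """Return sorted unique apex domains, skipping junk and the target itself."""
    seen = set()
    for raw in text.splitlines():
        name = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if name.startswith("www."):
            name = name[4:]
        # Strict hostname check: a comma or space in a list entry would
        # otherwise inject extra fields into the dnsmasq option.
        if not _HOSTNAME.match(name) or name == target:
            continue
        seen.add(name)
    return sorted(seen)

def build_config(domains, per_line=4):
    """One host-record (one IPv4, one IPv6), then cname lines with several aliases each."""
    lines = [f"host-record={TARGET},{IPV4},{IPV6}"]
    aliases = [n for d in domains for n in (d, f"www.{d}")]
    # dnsmasq accepts several aliases before the target on one cname= line
    for i in range(0, len(aliases), per_line):
        lines.append("cname=" + ",".join(aliases[i:i + per_line]) + f",{TARGET}")
    return lines

if __name__ == "__main__":
    print("\n".join(build_config(parse_domains(SAMPLE_DOMAINS))))
```

The output belongs in /etc/dnsmasq.d/05-restrict.conf, followed by the pihole restartdns reload suggested earlier in the thread.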


Hi, could you make a script to revert this function? Or a button to activate or deactivate it? Thanks



Let’s hope development picks this up when ready and implements it as an extra feature in Pi-hole.



Yes, this is a very useful and important feature
