Use DNS to force youtube into restricted mode - and Pi-Hole

Use this: http://35.188.83.81/UniPi.php?q=ss
Do you see how Google has 300+ top-level domains? Each of them needs a CNAME DNS record to enforce SafeSearch. The question I was asking was: Would I just need 1 host record for Google SafeSearch forcesafesearch.google.com so I don't have to put it in the hosts file? I don't understand what your regex is for either. Is it to block other websites that may expose adult content?

Ok, I see. You have IPv4 and IPv6 records. Could I put multiple IPv4 addresses to point to a host and dnsmasq would do it round robin? Or should I randomly select an IP?

Happy New Year!

I am working on making a Python command line tool to accomplish this very task. This is turning into more of a project and I don't think bash will do the trick anymore. I will have it done by the end of the week.

1 Like

Hi, could you make a script to revert this function, or a button to activate or deactivate it? Thanks

1 Like

Yes, this is a very useful and important feature

1 Like

Sure thing! I was initially planning that, just wouldn't get to it until this week. Do you want the controls to be granular, for say enable and disable Youtube, Duckduckgo, Google SafeSearch, etc? Or do you just want all of those together in the script?

Please let me know,

Thanks,

Jayke

Thanks, I see. You can add multiple host-records and when you use the dig command, multiple IP addresses will be returned.

host-record=www.example.com,1.1.1.1
host-record=www.example.com,1.1.1.2
host-record=www.example.com,1.1.1.3

1 Like

I think it should be a feature included from the installation, and the best would be if you could choose which domains to activate this function for (YouTube, Duckduckgo, Google SafeSearch, etc). Thank you for your time and consideration on the subject... but it is certainly helpful for families who have small children.

3 Likes

Yes, I agree. As of now, the Enable and Disable functions have been added.

1 Like

As you can read here, it's a feature in AdGuard Home.

1 Like

Perfect! Need development for web interface feature! 🙂

If this is a desired feature, please submit a feature request.

Ok ok, I'll do it now

For those having trouble getting DuckDuckGo into restricted mode, I may have found a solution to the problem. It seems only some IP addresses work, and when I tried using the script listed above it would not force restricted mode. I tried a few different IP addresses for the safe.duckduckgo.com domain, and I found an IP that works. I am also going to list the safe search DNS option for Pixabay; if you don't want to restrict this, simply copy the lines related to DuckDuckGo.

In your /etc/hosts file put the following (separate the IP and domain by a tab character):
54.241.17.246 safe.duckduckgo.com
176.9.158.70 safesearch.pixabay.com

Create a new file, unless you already have one, here: /etc/dnsmasq.d/98-restrict.conf and copy the following:
cname=www.duckduckgo.com,safe.duckduckgo.com
cname=duckduckgo.com,safe.duckduckgo.com
cname=pixabay.com,safesearch.pixabay.com

For me this has enabled safe search and removed the option to disable it. Hope this helps someone! I know I spent a while trying to figure this out, and thought I should let others know.

2 Likes
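The two configuration posts above (multiple host-record lines, and /etc/hosts entries plus cname lines) can be checked before restarting dnsmasq. This is an added example, not code from any poster or from Pi-hole: dnsmasq documents that a cname target must be a record dnsmasq itself knows, not one that comes from an upstream server, so the sketch flags cname lines whose target has no local record. It assumes /etc/hosts and host-record are the only local sources (DHCP names are ignored); the function names and the example.net line are constructed for illustration.

```python
import ipaddress

# Constructed sample input: lines quoted in this thread plus one constructed
# cname (example.net) whose target has no local record.
HOSTS = "54.241.17.246\tsafe.duckduckgo.com\n176.9.158.70\tsafesearch.pixabay.com\n"
DNSMASQ = """\
host-record=www.example.com,1.1.1.1
host-record=www.example.com,1.1.1.2
cname=www.duckduckgo.com,safe.duckduckgo.com
cname=duckduckgo.com,safe.duckduckgo.com
cname=pixabay.com,safesearch.pixabay.com
cname=search.example.net,safe.example.net
"""

def directives(text, wanted):
    """Yield the fields of each `wanted=` line, minus the optional numeric TTL."""
    for line in text.splitlines():
        key, _, value = line.split("#", 1)[0].partition("=")
        if key.strip() == wanted:
            fields = [f.strip().lower() for f in value.split(",")]
            yield [f for f in fields if f and not f.isdigit()]

def local_records(hosts_text, dnsmasq_text):
    """Map each name dnsmasq can answer locally to its list of addresses."""
    records = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:  # ip_address() raises on a malformed address
            records.setdefault(name.lower(), []).append(str(ipaddress.ip_address(fields[0])))
    for fields in directives(dnsmasq_text, "host-record"):
        names, addrs = [], []
        for field in fields:
            try:
                addrs.append(str(ipaddress.ip_address(field)))
            except ValueError:
                names.append(field)  # not an address, so it is a host name
        for name in names:
            records.setdefault(name, []).extend(addrs)
    return records

def check_cnames(dnsmasq_text, records):
    """Report duplicate cname names and targets with no local record."""
    problems, seen = [], set()
    for *aliases, target in directives(dnsmasq_text, "cname"):
        problems += [f"duplicate cname: {a}" for a in aliases if a in seen]
        seen.update(aliases)
        if target not in records:
            problems.append(f"{','.join(aliases)} -> {target}: target has no local record")
    return problems
```

To use it on a real system, read /etc/hosts and the files under /etc/dnsmasq.d/ into the two text arguments; an empty result from `check_cnames` means every alias has a locally defined target.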

Thanks to jaykepeters, msatter, and jpgpi250 for their contributions to this thread... the information you provided has been very helpful to me!

I am hopeful that your work on this issue will help the devs to consider implementing "Safe Search" as an option in Pi-Hole!

Mark

@BluePuffin I have made an update to the script with your suggestions. You may have to remove /etc/dnsmasq.d/05-restrict.conf first for it to work... Next I'll integrate some update function...

1 Like

@jaykepeters awesome job on the script! After I figured out I had to issue the command sudo ./Pi-hole_SafeSearch.sh -e to enable safesearch, I was up and running with the safe search and YouTube restricted mode enabled. I am having a problem, though, with every other Google domain that is not listed in the script, i.e. mail.google.com and time.google.com, when I have DNSSEC enabled in the Pi-hole settings. When I disable DNSSEC the domains resolve with no problem. I have tried many different upstream DNS servers, all with the same response. Here is an example of my nslookup from my Windows 10 box. I get the same response directly on the Pi-hole box with dig. Let me know if you have any ideas.

DNSSEC Enabled:
C:\Windows\system32>nslookup mail.google.com
Server: raspberrypi
Address: 192.168.10.53

*** raspberrypi can't find mail.google.com: Server failed

C:\Windows\system32>ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

DNSSEC Disabled:
C:\Windows\system32>nslookup mail.google.com
Server: raspberrypi
Address: 192.168.10.53

Non-authoritative answer:
Name: googlemail.l.google.com
Addresses: 2607:f8b0:4004:804::2005
172.217.7.133
Aliases: mail.google.com

1 Like

Thanks! I put that together in a weekend! That is an interesting issue. I haven't tested this out with DNSSEC. Maybe there is something else I have to add to the script to make it work... I will let you know if I find a solution.

I was going to say

I think this is because DNSSEC does not allow tampering with the response at the internal resolver level.

Thanks a lot @anon55913113! I am new to this myself.

@jaykepeters and @anon55913113 Thanks for your quick and helpful response. You two are doing great work, keep it up. I am going to leave my DNSSEC disabled.

1 Like