Use DNS to force youtube into restricted mode - and Pi-Hole

I made it with chmod +x executable

But when I enter sudo bash

It gives the following error:
sed: -e expression #1, char 41: unterminated `s' command

What does this mean?

I've never tested the script with duckduckgo, this was added later by @picante here. The script can't handle the output from dig, hence, the error message.

I've modified the script (I'm NOT a script guru, there might be a better way). Here is the summary of things you need to have, in order for this to work.

  1. Modify /etc/hosts, it should contain:
# restricted youtube, bing, google and duckduckgo search
  1. Create an aditional dnsmasq configuration file, for example /etc/dnsmasq.d/98-restrict.conf.
    Use any number you haven't used yet, apart from 01, 02 and 03 (see earlier for an explanation). This new file should contain the following:
# YouTube
# you can also implement a moderate setting
# replace with,,,,,

# SafeSearch,

# Bing Family Filter,

# duckduckgo,

You can test the new configuration file by running:

dnsmasq --test
  1. restart dnsmasq, if you're still using the current production version:
sudo service dnsmasq restart

if you're already using FTLDNS, restart FTLDNS (I'm not running FTLDNS, I found the restart command here):

sudo systemctl start pihole-FTL.service
  1. You might want to update the IP addresses, using a script, but I don't think this is necessary. I wrote the original guidelines over a year ago, the addresses have not changed. Here is the updated script:

update_ip_address() {
if [[ $(grep $1 $file) ]]; then
	IP=$(nslookup -query=A $1 | grep 'Address:' | tail -1 | \
		grep -oE '((1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])\.){3}((1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5]))')
	sed -i "/$1/ s/.*/$IP\t$1/g" $file


Hope this helps...

@DL6ER: as suggested somewhere in this topic, this might be a nice feature to add to the web interface, so users can activate / deactivate safe search with a single click.


I didn't get duck to work. My post had a link to duck settings, which states you have to append to the URL to force safe searches, not sure if the approach discussed here can do that.

According to this, using is a solution, among others.

I use edge, just typed 'nude' in the address bar, this is the result:

I have no idea how to remove the possibility to turn off the option to disable the safe search. Anybody?

any step by step tuto or full install script by any chance ?

1 Like

Unfortunately, this doesn't help. pihole handles DNS entries and isn't capable of adding/modifying stuff to URL's, at least not that I know of.

The idea is to provide safe search without any local user interaction, local installation on the target machine(s), or possibility to tamper with the result.

Hey folks, I have made a script to make this much easier!


Thanks for the feedback, @anon55913113! I will work to implement this into the next version within an hour or so. I am not 100% sure if DuckDuckGo can be forced into SafeSearch all the time, but for now we will just add it to the CNAME's in "/etc/dnsmasq.d/05-restrict.conf" and will be added to the hosts file, per your request. You are more than welcome to collaborate with me on this on GitHub as well.

I think your idea works!
And when I try to turn safesearch off, it stays on! DuckDuckGo must have recently added this functionality as it did not work earlier this year (May/June)

You will never see it using or in the web browser, DNS does that behind the scenes. That is because it is a CNAME record. I may have mislead you, I attempted to to it in May/June but it did not work. Now it does work. This has been an open feature request with duckduckgo for some time now.

As you can see below, it is working for me:

How do the last lines of /etc/dnsmasq.d/05-restrict.conf and /etc/hosts look?

I have tried this with two pi-holes and I can confirm it is working. Is your devices' DNS cache cleared and is it using Pi-hole as it's ONLY dns server? This would cause conflict.

Try my main Public Pi-hole at, and only use if that does not respond.... They should have Safesearch enabled...

Thanks for checking it out! I will work on that tomorrow... So can you really eliminate the hosts entries now? How about google since there are 300+ domains...

And where would this be added?

Use this:
Do you see how google has 300+ top level domains. Each of them needs a CNAME DNS record to enforce SafeSearch. The question I was asking was: Would I just need 1 host record for Google SafeSearch so I don't have to put it in the hosts file? I don't understand what your regex is for either. Is it to block other websites that may expose adult content?

Ok, I see. You have IPV4 and IPv6 records. Could I put multiple IPV4 addresses to point to a host and dnsmasq would do it round robin? Or should I radnomly select an IP?

Happy New Year!

I am working on making a python command line tool to acomplish this very task. This is turning into more of a project and I don't think bash will do the trick anymore. I will have it done by the end of the week.

1 Like

Hi, you could do a script to go back this function? or a button to activate o deactivate? Thanks

1 Like

Yes, this is a very useful and important feature

1 Like

Sure thing! I was initially planning that, just wouldn't get to it until this week. Do you want the controls to be granular, for say enable and disable Youtube, Duckduckgo, Google SafeSearch, etc? Or do you just want all of those together in the script?

Please let me know,



Thanks, I see. You can add multiple host-records and when you use the dig command, multiple IP addresses will be returned.,,,
1 Like

I think it should be a feature included from the installation and the best would be if you could choose which domains to activate this function (YouTube, Duckduckgo, Google SafeSearch, etc), thank you for your time and consideration on the subject .. but it is certainly helpful for families who have small children