Use DNS to force youtube into restricted mode - and Pi-Hole


#22

I made it executable with chmod +x ip.sh

But when I enter sudo bash ip.sh

It gives the following error:
sed: -e expression #1, char 41: unterminated `s’ command

What does this mean?


#23

I’ve never tested the script with duckduckgo, this was added later by @picante here. The script can’t handle the output from dig, hence, the error message.

I’ve modified the script (I’m NOT a script guru, there might be a better way). Here is the summary of things you need to have, in order for this to work.

  1. Modify /etc/hosts, it should contain:

# restricted youtube, bing, google and duckduckgo search
216.239.38.120	restrict.youtube.com
216.239.38.119	restrictmoderate.youtube.com
216.239.38.120	forcesafesearch.google.com
204.79.197.220	strict.bing.com
46.51.179.90	safe.duckduckgo.com

  2. Create an additional dnsmasq configuration file, for example /etc/dnsmasq.d/98-restrict.conf.
    Use any number you haven’t used yet, apart from 01, 02 and 03 (see earlier for an explanation). This new file should contain the following:

# YouTube
# you can also implement a moderate setting
# replace restrict.youtube.com with restrictmoderate.youtube.com
cname=www.youtube.com,restrict.youtube.com
cname=m.youtube.com,restrict.youtube.com
cname=youtubei.googleapis.com,restrict.youtube.com
cname=youtube.googleapis.com,restrict.youtube.com
cname=www.youtube-nocookie.com,restrict.youtube.com

# SafeSearch
cname=www.google.com,forcesafesearch.google.com

# Bing Family Filter
cname=www.bing.com,strict.bing.com

# duckduckgo
cname=www.duckduckgo.com,safe.duckduckgo.com

You can test the new configuration file by running:

dnsmasq --test

  3. Restart dnsmasq, if you’re still using the current production version:

sudo service dnsmasq restart

If you’re already using FTLDNS, restart FTLDNS (I’m not running FTLDNS, I found the restart command here):

sudo systemctl restart pihole-FTL.service

  4. You might want to update the IP addresses, using a script, but I don’t think this is necessary. I wrote the original guidelines over a year ago, the addresses have not changed. Here is the updated script:

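#!/bin/bash

update_ip_address() {
	local file=/etc/hosts
	local IP
	# only update host names that already have an entry in the hosts file
	if grep -qF -- "$1" "$file"; then
		# read from the 'Name:' line onwards so the resolver's own 'Address:' line is skipped
		IP=$(nslookup -query=A "$1" 8.8.8.8 | sed -n '/^Name:/,$p' | grep 'Address:' | tail -1 | \
			grep -oE '((1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])\.){3}((1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5]))')
		# keep the existing entry when the lookup returned no address
		if [[ -n $IP ]]; then
			sed -i "/$1/ s/.*/$IP\t$1/g" "$file"
		fi
	fi
}

update_ip_address restrict.youtube.com
update_ip_address restrictmoderate.youtube.com
update_ip_address strict.bing.com
update_ip_address forcesafesearch.google.com
update_ip_address safe.duckduckgo.com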

Hope this helps…

@DL6ER: as suggested somewhere in this topic, this might be a nice feature to add to the web interface, so users can activate / deactivate safe search with a single click.


#24

I didn’t get duck to work. My post had a link to duck settings, which states you have to append to the URL to force safe searches, not sure if the approach discussed here can do that.


#25

According to this, using safe.duckduckgo.com is a solution, among others.

I use edge, just typed ‘nude’ in the address bar, this is the result:

I have no idea how to remove the possibility to turn off the option to disable the safe search. Anybody?


#26

Any step-by-step tutorial or full install script, by any chance?


#27

https://safe.duckduckgo.com/?q=nude&t=ffsb&ia=web&kp=0

&kp=0 does the trick.

You can put in front but then cname won’t work.

I hope it works.

:sunglasses:

Update: it won’t help you much but there is also a page by duckduckgo that has no javascript and seems to run default in safe.

https://duckduckgo.com/html/

The HTML version is also available as a search plug-in for browsers. In Firefox it works great.


#28

Unfortunately, this doesn’t help. Pi-hole handles DNS entries and isn’t capable of adding/modifying stuff to URLs, at least not that I know of.

The idea is to provide safe search without any local user interaction, local installation on the target machine(s), or possibility to tamper with the result.


#29

Pi-hole can’t do this but dnsmasq can still set a cname. DuckDuckGo blocked this by also using a cname for the safe. subdomain. I tested with safe.pi-hole.net and the cname was used and I had the IP of duckduckgo.com.

.com/lite/, .com/html/ and .com/?kp=0: all three will not show the ability to switch to another, non-safe search level.


#30

Hey folks, I have made a script to make this much easier!
https://raw.githubusercontent.com/jaykepeters/Scripts/Deployment/Pi-hole_SafeSearch.sh


#31

That looks nice and I have not tested it and was browsing through the code and you could replace: silently service pihole-FTL restart by pihole restartdns reload so you don’t have to use service/systemctl.

This replacement will do the same, but then done by Pi-hole itself.

There is a safesearch version of DuckDuckGo: https://duck.co/help/features/safe-search

Something like this?

duckduckgoSS=(
    cname=duckduckgo.com,safe.duckduckgo.com
    cname=www.duckduckgo.com,safe.duckduckgo.com
    cname=duck.com,safe.duckduckgo.com
    cname=www.duck.com,safe.duckduckgo.com
)

#32

Thanks for the feedback, @msatter! I will work to implement this into the next version within an hour or so. I am not 100% sure if DuckDuckGo can be forced into SafeSearch all the time, but for now we will just add it to the CNAMEs in “/etc/dnsmasq.d/05-restrict.conf” and safe.duckduckgo.com will be added to the hosts file, per your request. You are more than welcome to collaborate with me on this on GitHub as well.


#33

I think your idea works!
And when I try to turn safesearch off, it stays on! DuckDuckGo must have recently added this functionality as it did not work earlier this year (May/June)


#34

I tried it myself and I don’t see it using safe.duckduckgo.com and when I am searching, it searches not safe.

I tried above the earlier cname implementation but never got a working solution like you in May/June.

If it is working for the other search engines then it is great then leave the duckduckgo exclusion enforced.


#35

You will never see it using forcesafesearch.google.com or safe.duckduckgo.com in the web browser, DNS does that behind the scenes. That is because it is a CNAME record. I may have misled you, I attempted to do it in May/June but it did not work. Now it does work. This has been an open feature request with duckduckgo for some time now.

As you can see below, it is working for me:
image

How do the last lines of /etc/dnsmasq.d/05-restrict.conf and /etc/hosts look?

I have tried this with two pi-holes and I can confirm it is working. Is your devices’ DNS cache cleared and is it using Pi-hole as its ONLY DNS server? This would cause conflict.

Try my main Public Pi-hole at 35.188.83.81, and only use 35.239.60.156 if that does not respond… They should have Safesearch enabled…


#36

My bad. I didn’t implement the entries in the host file so I had only a half of the needed implementation.

I will have a new go at it.


#37

It works great and I have found a way to not have to edit the /etc/hosts file and compact the lines even more:

host-record=safe.duckduckgo.com,50.16.250.179
cname=duckduckgo.com,www.duckduckgo.com,safe.duckduckgo.com
cname=duck.com,www.duck.com,safe.duckduckgo.com

So you only have to edit the 05-restrict.conf file to make CNAME working for safesearch.

Also the regex part could be more efficient if those are TLD.

REGEX=(
    "\.xxx$"
    "\.sexy$"
    "\.webcam$"
    "\.sex$"
    "\.porn$"
    "\.tube$"
    "\.cam$"
    "\.adult$"
)

They are anchored at the end with “$” so that makes it more easy.
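
Post #36 shows the usual failure with this setup: the cname= lines are in place but the target has no local address. As an added example (not from any poster's script), the function below lists every cname target in a dnsmasq file that has neither a hosts entry nor a host-record= line; the function name and the sample files are constructed here from values quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: list cname= targets that dnsmasq has no
# local address for (no hosts-file entry and no host-record= line).

# missing_cname_targets CONF HOSTS  -> one unresolved target per line
missing_cname_targets() {
    awk -v conf="$1" '
        FILENAME != conf {                      # hosts file: IP, then names
            sub(/#.*/, "")
            for (i = 2; i <= NF; i++) known[tolower($i)] = 1
            next
        }
        { sub(/#.*/, ""); gsub(/[ \t]/, "") }   # config: strip comments, blanks
        /^host-record=/ {                       # host-record=name[,name],address
            n = split(substr($0, 13), f, ",")
            for (i = 1; i <= n; i++)
                if (f[i] !~ /^[0-9.]+$/ && f[i] !~ /:/) known[tolower(f[i])] = 1
        }
        /^cname=/ {                             # cname=alias[,alias],target[,ttl]
            n = split(substr($0, 7), f, ",")
            if (f[n] ~ /^[0-9]+$/) n--          # trailing field is a TTL
            target[tolower(f[n])] = 1
        }
        END { for (t in target) if (!(t in known)) print t }
    ' "$2" "$1" | sort
}

# Constructed sample files that mirror the configuration in the thread.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/hosts" <<'EOF'
127.0.0.1	localhost
216.239.38.120	restrict.youtube.com   # only YouTube was added here
EOF
cat > "$demo_dir/98-restrict.conf" <<'EOF'
# YouTube
cname=www.youtube.com,restrict.youtube.com
cname=m.youtube.com,restrict.youtube.com
cname=www.google.com,forcesafesearch.google.com
cname=www.bing.com,strict.bing.com
host-record=safe.duckduckgo.com,50.16.250.179
cname=duckduckgo.com,www.duckduckgo.com,safe.duckduckgo.com
EOF

missing_cname_targets "$demo_dir/98-restrict.conf" "$demo_dir/hosts"
```

On a Pi-hole the two arguments would be the restrict file under /etc/dnsmasq.d/ and /etc/hosts; empty output means every cname target has a local address.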


#38

Thanks for checking it out! I will work on that tomorrow… So can you really eliminate the hosts entries now? How about google since there are 300+ domains…


#39

I did only test the duckduckgo part and if it works there then it should also work on other domains you want to CNAME.

I did not see a long list +300 of Google domains. In regex I have the following lines for Google:

### Google ####################################################################
(cast|mtalk|nosslsearch|safebrowsing|x)\.google(apis)?\.[a-z]{2,7}$
googlepages.?\.[a-z]{2,7}$
(visualwebsiteoptimizer|spiffymachine)\.[a-z]{2,7}$
1e1[0-9]{2,2}\.[a-z]{2,7}$
google-{0,}(analytic|syndication|(ad|tag)[a-z0-9]*-?(service|manager))[s]?\.[a-z]{2,7}$
double-{0,1}clic(k|k[\.]?by-{0,1}google)\.[a-z]{2,7}$
(google|partner|pub)-{0,}ads{0,}-{0,}(apis{0,})\.[a-z]{2,7}$ 

\.[a-z]{2,7}$ matches any TLD between 2 and 7 characters long.


#40

And where would this be added?


#41

This goes in the /etc/pihole/regex.list file.

If you have for me the +300 Google list then I can check it against this regex filter.

I got also one for Facebook complete blocker, because that is spying as bad as Google does. The Google regex only blocks spying stuff and I am going far in that.
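
Post #41 offers to check a domain list against the regex filter. As an added example (not from the thread), the function below dry-runs a regex.list against a list of names and prints the first pattern that would block each one; the function name and the domain names are constructed, and grep -E is assumed to treat these patterns the way Pi-hole's matcher does.

```shell
#!/bin/sh
# Added example, not from the thread: dry-run a regex.list against a list of
# domain names. Assumption: grep -E treats these patterns like Pi-hole does.

# regex_hits REGEX_FILE DOMAIN_FILE -> "domain<TAB>first matching pattern"
regex_hits() {
    while IFS= read -r domain; do
        [ -n "$domain" ] || continue
        while IFS= read -r pattern; do
            case $pattern in ''|'#'*) continue ;; esac   # skip blanks, comments
            if printf '%s\n' "$domain" | grep -Eq -- "$pattern"; then
                printf '%s\t%s\n' "$domain" "$pattern"
                break
            fi
        done < "$1"
    done < "$2"
}

rx_dir=$(mktemp -d)
trap 'rm -rf "$rx_dir"' EXIT
# Patterns copied from posts #37 and #39.
cat > "$rx_dir/regex.list" <<'EOF'
### Google ###
(cast|mtalk|nosslsearch|safebrowsing|x)\.google(apis)?\.[a-z]{2,7}$
1e1[0-9]{2,2}\.[a-z]{2,7}$
google-{0,}(analytic|syndication|(ad|tag)[a-z0-9]*-?(service|manager))[s]?\.[a-z]{2,7}$
\.xxx$
EOF
# Constructed test names, not a real query log.
cat > "$rx_dir/domains.txt" <<'EOF'
www.google.com
safebrowsing.googleapis.com
inbox.google.com
1e100.net
www.google-analytics.com
example.xxx
EOF

regex_hits "$rx_dir/regex.list" "$rx_dir/domains.txt"
```

inbox.google.com is reported because the first pattern is not anchored on the left, so its alternative x also matches the end of a longer label.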