Use DNS to force youtube into restricted mode - and Pi-Hole


Use this:
Do you see how google has 300+ top level domains. Each of them needs a CNAME DNS record to enforce SafeSearch. The question I was asking was: Would I just need 1 host record for Google SafeSearch so I don’t have to put it in the hosts file? I don’t understand what your regex is for either. Is it to block other websites that may expose adult content?


Pi-hole has an name local.list and in the same way host-record works in DNSmasq so no need to use the hosts file.
You only need one entry as long the +300 cnames point to that.

Looking at the list it is covering TLD that Google is using. That is way use not a specific TLD in regex.
So you still need all +300 entries but you condence then to a few lines lines. As long the is on the end of each line.

You can’t use regex for that and my rules protects your own privacy.


So the list can be contracted a bit by putting each TLD on one line:

# /tmp/safesearch.txt generated on 12/30/2018 01:54 by pi-hole
# Google SafeSearch Implementation,,2001:4860:4802:32::78,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Or the Google part even more condensed but I think the top one is prefered:

# Google SafeSearch Implementation,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,


Ok, I see. You have IPV4 and IPv6 records. Could I put multiple IPV4 addresses to point to a host and dnsmasq would do it round robin? Or should I radnomly select an IP?

Happy New Year!


I am working on making a python command line tool to acomplish this very task. This is turning into more of a project and I don’t think bash will do the trick anymore. I will have it done by the end of the week.


Thanks, and a happy new year to you.

You can only enter one IPv4 and one IPv6 address so no round robin possible.

    Add A, AAAA and PTR records to the DNS. This adds one or more names to the DNS with associated IPv4 (A) and IPv6 (AAAA) records. A name may appear in more than one --host-record and therefore be assigned more than one address. Only the first address creates a PTR record linking the address to the name. This is the same rule as is used reading hosts-files. --host-record options are considered to be read before host-files, so a name appearing there inhibits PTR-record creation if it appears in hosts-file also. Unlike hosts-files, names are not expanded, even when --expand-hosts is in effect. Short and long names may appear in the same --host-record, eg. --host-record=laptop,,,1234::100

    If the time-to-live is given, it overrides the default, which is zero or the value of --local-ttl. The value is a positive integer and gives the time-to-live in seconds.

Take your time and I had the impression that host-record made things easier. You are staying in the Pi-hole/DNSmasq environment.


Hi, you could do a script to go back this function? or a button to activate o deactivate? Thanks


Lets hope development picks this up when ready and implement it as extra feature in Pi-hole.


Yes, this is a very useful and important feature


Sure thing! I was initially planning that, just wouldn’t get to it until this week. Do you want the controls to be granular, for say enable and disable Youtube, Duckduckgo, Google SafeSearch, etc? Or do you just want all of those together in the script?

Please let me know,



Blacklist : is it possible to redirect to a specific address?

Thanks, I see. You can add multiple host-records and when you use the dig command, multiple IP addresses will be returned.,,,


I think it should be a feature included from the installation and the best would be if you could choose which domains to activate this function (YouTube, Duckduckgo, Google SafeSearch, etc), thank you for your time and consideration on the subject … but it is certainly helpful for families who have small children


Yes, I agree. As of now, the Enable and Disable functions have been added.


As you can read here, It’s a feature in AdGuard Home.


Perfect! need development for web interface feature! :slight_smile:


If this is a desired feature, please submit a feature request.

Use DNS to force youtube into restricted mode - and Pi-Hole

okok a do it now


For those having trouble getting DuckDuckGo into restricted mode, I may have found a solution to the problem. It seems only some IP addresses work, and when I tried using the script listed above it would not force restricted mode. I tried a few different IP addresses for the domain, and I found an IP that works. I am also going to list the safe search DNS option for Pixabay, if you don’t want to restrict this simply copy the lines related to DuckDuckGo.

In your /etc/hosts file put the following (separate the IP and domain by a tab character):

Create a new file, unless you already have one, here: /etc/dnsmasq.d/98-restrict.conf and copy the following:,,,

For me this has enabled safe search and removed the option to disable it. Hope this helps someone! I know I spent a while trying to figure this out, and thought I should let others know.


I don’t like to use the /etc/hosts file for this.


Thanks to jaykepeters, msatter, and jpgpi250 for their contributions to this thread… the information you provided has been very helpful to me!

I am hopeful that your work on this issue will help the devs to consider implementing “Safe Search” as an option in Pi-Hole!