Use DNS to force YouTube into restricted mode - and Pi-Hole

Yes, I agree. As of now, the Enable and Disable functions have been added.


As you can read here, it's a feature in AdGuard Home.


Perfect! Need development for web interface feature! :slight_smile:

If this is a desired feature, please submit a feature request.

OK, OK, I'll do it now.

For those having trouble getting DuckDuckGo into restricted mode, I may have found a solution to the problem. It seems only some IP addresses work, and when I tried using the script listed above it would not force restricted mode. I tried a few different IP addresses for the domain, and I found an IP that works. I am also going to list the safe search DNS option for Pixabay; if you don't want to restrict this, simply copy the lines related to DuckDuckGo.

In your /etc/hosts file put the following (separate the IP and domain by a tab character):

Create a new file, unless you already have one, here: /etc/dnsmasq.d/98-restrict.conf and copy the following:

For me this has enabled safe search and removed the option to disable it. Hope this helps someone! I know I spent a while trying to figure this out, and thought I should let others know.
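
The two-file setup in the post above only works when every name the dnsmasq file points at is also defined in the hosts file. The following check is an added example, not part of the original post or the thread's script: it assumes the conf file uses dnsmasq `cname=` lines whose targets are listed in the hosts file, and the sample file contents and 192.0.2.x addresses are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Assumes the conf file uses dnsmasq
# cname= lines whose targets are defined in the hosts file.

# Print each cname target in conf file $2 that has no entry in hosts file $1.
# Returns 0 when every target is covered, 1 otherwise.
missing_targets() {
    local missing
    missing=$(awk '
        FILENAME == ARGV[1] {            # hosts: IP<tab>name [alias ...]
            sub(/#.*/, "")
            for (i = 2; i <= NF; i++) known[tolower($i)] = 1
            next
        }
        /^[ \t]*cname=/ {                # cname=<alias>[,<alias>...],<target>[,<TTL>]
            line = $0
            sub(/^[ \t]*cname=/, "", line)
            gsub(/[ \t\r]/, "", line)
            n = split(line, part, ",")
            if (part[n] ~ /^[0-9]+$/) n--    # drop optional TTL
            target = tolower(part[n])
            if (!(target in known) && !(target in seen)) {
                seen[target] = 1
                print target
            }
        }
    ' "$1" "$2")
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample: 192.0.2.x are documentation placeholders, not the real
# addresses of these hosts. The DuckDuckGo hosts line is left out on purpose.
demo() {
    local dir rc=0
    dir=$(mktemp -d)
    printf '%s\t%s\n' 192.0.2.10 forcesafesearch.google.com \
                      192.0.2.20 restrict.youtube.com > "$dir/hosts"
    printf '%s\n' 'cname=www.google.com,forcesafesearch.google.com' \
                  'cname=www.youtube.com,m.youtube.com,restrict.youtube.com' \
                  'cname=duckduckgo.com,safe.duckduckgo.com' > "$dir/98-restrict.conf"
    missing_targets "$dir/hosts" "$dir/98-restrict.conf" || rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo || echo "^ cname targets with no hosts entry"
```

Against a live setup, call `missing_targets /etc/hosts /etc/dnsmasq.d/98-restrict.conf`; any name it prints is a domain that is not being forced into safe search.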


Thanks to jaykepeters, msatter, and jpgpi250 for their contributions to this thread... the information you provided has been very helpful to me!

I am hopeful that your work on this issue will help the devs to consider implementing "Safe Search" as an option in Pi-Hole!


@BluePuffin I have made an update to the script with your suggestions. You may have to remove /etc/dnsmasq.d/05-restrict.conf first for it to work.... Next I'll integrate some update function...


@jaykepeters awesome job on the script! After I figured out I had to issue the command sudo ./ -e to enable safesearch, I was up and running with the safe search and YouTube restricted mode enabled. I am having a problem, though, with every other Google domain that is not listed in the script, ie when I have DNSSEC enabled in the Pi-hole settings. When I disable DNSSEC the domains resolve with no problem. I have tried many different upstream DNS servers, all with the same response. Here is an example of my nslookup from my Windows 10 box. I get the same response directly on the Pi-hole box with dig. Let me know if you have any ideas.
DNSSEC Enabled:
Server: raspberrypi

*** raspberrypi can't find Server failed

C:\Windows\system32>ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

DNSSEC Disabled
Server: raspberrypi

Non-authoritative answer:
Addresses: 2607:f8b0:4004:804::2005


Thanks! I put that together in a weekend! That is an interesting issue. I haven't tested this out with DNSSEC. Maybe there is something else I have to add to the script to make it work... I will let you know if I find a solution.

I was going to say

I think this is because DNSSEC does not allow tampering with the response at the internal resolver level.

Thanks a lot @anon55913113! I am new to this myself.

@jaykepeters and @anon55913113 Thanks for your quick and helpful response. You two are doing great work, keep it up. I am going to leave my DNSSEC disabled.


I'm sorry - I'm trying to follow the instructions, but got stuck in the beginning. I've successfully set up Pi-hole on a Raspberry Pi 3 B+ with Stretch Lite. I've added the 05-restrict.conf-file in /etc/dnsmasq.d. However, when testing it out I get:

$ sudo dnsmasq --test
sudo: dnsmasq: command not found

I'm not sure how dnsmasq and pi-hole relate to each other. Should I install dnsmasq using

sudo apt-get install dnsmasq

? Or did I miss any other step? Not sure why dnsmasq is missing.

Not sure why it's not working for me. Any idea?

I got a suggestion to rename 05-restrict.conf to 02-restrict.conf, but that didn't help (except for restrict.conf I only have a 01-pihole.conf in the directory).

As previously noted, dnsmasq does not run as a separate process with Pi-Hole V4 and later, as the code is embedded in process pihole-FTL, which runs in place of dnsmasq.

What are the contents of your configuration file?

I see. I actually didn't test anything before commenting. I restarted Pi-hole (not sure if needed) and now everything seems to be working :tada:

Good observation. I had clicked the solution in error, now corrected.


Asking for a little help please...

Where do I run the script above? Should it be in the /root folder or should it be in the /opt/pihole folder?
In case I run the script, will the file /etc/dnsmasq.d/05-restrict.conf and the /tmp/safesearch.txt be created automatically?

Do I have to copy and paste something into the /etc/pihole/regex.list and the /etc/pihole/local.list?

Do I have to change permissions on any of the files after running the script?

Thank you for this wonderful guide


Thanks for reaching out! You can move the script into /usr/local/bin if you are on Debian/Ubuntu/Raspbian. Make sure that it has execute permissions chmod a+x <path to script>. It will create the file /tmp/safesearch.txt as well as /etc/dnsmasq.d/05-restrict.conf. To enable SafeSearch, use the command -e to enable, or whatever you renamed the file to. Hope that helps. If you have any further questions or need one on one help, please message me directly.



Thank you very much Jayke, it's working.

You helped make browsing safe for kids again for one more home.
