Use DNS to force youtube into restricted mode - and Pi-Hole

#65

@BluePuffin I have made an update to the script with your suggestions. You may have to remove /etc/dnsmasq.d/05-restrict.conf first for it to work… Next I’ll integrate some update function…

1 Like

#66

@jaykepeters awesome job on the script! After I figured out I had to issue the command sudo ./Pi-hole_SafeSearch.sh -e to enable safesearch, I was up and running with the safe search and youtube restricted mode enabled. I am having a problem though with every other google domain that is not listed in the script, i.e. mail.google.com and time.google.com, when I have DNSSEC enabled in the Pi-hole settings. When I disable DNSSEC the domains resolve with no problem. I have tried many different upstream DNS servers, all with the same response. Here is an example of my nslookup from my Windows 10 box. I get the same response directly on the Pi-hole box with dig. Let me know if you have any ideas.
DNSSEC Enabled:
C:\Windows\system32>nslookup mail.google.com
Server: raspberrypi
Address: 192.168.10.53

*** raspberrypi can’t find mail.google.com: Server failed

C:\Windows\system32>ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

DNSSEC Disabled
C:\Windows\system32>nslookup mail.google.com
Server: raspberrypi
Address: 192.168.10.53

Non-authoritative answer:
Name: googlemail.l.google.com
Addresses: 2607:f8b0:4004:804::2005
172.217.7.133
Aliases: mail.google.com

1 Like

#67

Thanks! I put that together in a weekend! That is an interesting issue. I haven’t tested this out with DNSSEC. Maybe there is something else I have to add to the script to make it work… I will let you know if I find a solution.

0 Likes

#68

I don’t think that you can bypass DNSSEC if that is active. The restricted setup is exactly doing what DNSSEC is made for.

Maybe Unbound can provide information for the secured domains and so Pi-hole won’t know that that domain is DNSSEC protected.

I use Unbound and that is sitting between Pi-hole and upstream. Unbound does the DNSSEC, so anything happening in Pi-hole and not going upstream is DNSSEC unaware.

1 Like

#69

I was going to say

I think this is because DNSSEC does not allow tampering with the response at the internal resolver level.

Thanks a lot @msatter! I am new to this myself.

0 Likes

#70

@jaykepeters and @msatter Thanks for your quick and helpful response. You two are doing great work, keep it up. I am going to leave my DNSSEC disabled.

1 Like

#71

I’m sorry - I’m trying to follow the instructions, but got stuck in the beginning. I’ve successfully set up Pi-hole on a Raspberry Pi 3 B+ with Stretch Lite. I’ve added the 05-restrict.conf-file in /etc/dnsmasq.d. However, when testing it out I get:

$ sudo dnsmasq --test
sudo: dnsmasq: command not found

I’m not sure how dnsmasq and pi-hole relate to each other. Should I install dnsmasq using

sudo apt-get install dnsmasq

? Or did I miss any other step? Not sure why dnsmasq is missing.

0 Likes

#72

Don’t install dnsmasq because it is already integrated in Pihole.

0 Likes

#73

Not sure why it’s not working for me. Any idea?

I got a suggestion to rename 05-restrict.conf to 02-restrict.conf, but that didn’t help (except for restrict.conf I only have a 01-pihole.conf in the directory)

0 Likes

#74

As previously noted, dnsmasq does not run as a separate process with Pi-Hole V4 and later, as the code is embedded in process pihole-FTL, which runs in place of dnsmasq.

What are the contents of your configuration file?

0 Likes

#75

I see. I actually didn’t test anything before commenting. I restarted Pi-hole (not sure if needed) and now everything seems to be working :tada:

0 Likes

#76

Special to see the solution tag on a thread running for a few years with many different writers.

Secondly, there was not a problem that had to be resolved. It is an implementation of controlling access to safe versions of sites if available.

Thirdly, the implementation is still ongoing, not all is resolved, and it is awaiting new ideas.

0 Likes

#77

Good observation. I had clicked the solution in error, now corrected.

1 Like