Force SafeSearch in DuckDuckGo


macster2075

Senior Member
Hi,
I currently have a few scripts that force SafeSearch in Google and Bing which work great...
For Google I am using this

echo address=/www.google.com/216.239.38.120 > /jffs/configs/dnsmasq.conf.add
service restart_dnsmasq

DuckDuckGo does not have an IP address for safe.duckduckgo.com -
I have tried the jffs below, but it doesn't work...

echo address=/www.duckduckgo.com/safe.duckduckgo.com > /jffs/configs/dnsmasq.conf.add
service restart_dnsmasq

Any help on this?
Thanks.
 

intr0

Regular Contributor
try
echo address=/duckduckgo.com/safe.duckduckgo.com > /jffs/configs/dnsmasq.conf.add
service restart_dnsmasq
 

SomeWhereOverTheRainBow

Part of the Furniture
here is a better block for duckduckgo.com
Code:
{
    echo 'address=/duckduckgo.com/safe.duckduckgo.com'
    echo 'address=/www.duckduckgo.com/safe.duckduckgo.com'
    echo 'address=/start.duckduckgo.com/safe.duckduckgo.com'
    echo 'address=/duck.com/safe.duckduckgo.com'
    echo 'address=/www.duck.com/safe.duckduckgo.com'
} >> /jffs/configs/dnsmasq.conf.add
 

lordtech

Occasional Visitor
Hi @SomeWhereOverTheRainBow, when I added these lines to dnsmasq.conf.add I get an error after I run the service restart_dnsmasq command:

Code:
Mar  4 12:45:31 dnsmasq[20586]: bad address at line 51 of /etc/dnsmasq.conf
Mar  4 12:45:31 dnsmasq[20586]: FAILED to start up

Line 51 is where the "address" lines start...
 

SomeWhereOverTheRainBow

Part of the Furniture
you have to copy and paste those lines into the terminal.. don't add them directly to dnsmasq.conf.add


For best results, use the script 1 from this link


Code:
touch enforcesafe.sh && cat > "enforcesafe.sh" <<'EOF'
#!/bin/sh
URL="https://www.google.com/supported_domains"
FILE="/jffs/configs/dnsmasq.conf.add"

[ ! -f "$FILE" ] && touch $FILE
echo -e "\n# Enforced Safe Search:\n" >> "${FILE}"
DOMAINS="$(curl $URL 2>/dev/null)"
for DOMAIN in $DOMAINS; do
    DOMAIN=$(echo $DOMAIN | cut -c 2-)
    printf 'cname=www.%s,forcesafesearch.google.com \n' $DOMAIN >> "${FILE}"
done
#this version uses restrictmoderate.youtube.com
for DOMAIN in youtube; do
    printf 'cname=www.%s.com,restrictmoderate.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=m.%s.com,restrictmoderate.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=%si.googleapis.com,restrictmoderate.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=%s.googleapis.com,restrictmoderate.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=www.%s-nocookie.com,restrictmoderate.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
done
for DOMAIN in bing.com; do
    printf 'cname=%s,www.%s,strict.%s \n' $DOMAIN $DOMAIN $DOMAIN >> "${FILE}"
done
for DOMAIN in pixabay.com; do
    printf 'cname=%s,safesearch.%s \n' $DOMAIN $DOMAIN >> "${FILE}"
done
for DOMAIN in duckduckgo.com; do
    printf 'cname=%s,www.%s,start.%s,safe.%s \n' $DOMAIN $DOMAIN $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=duck.com,www.duck.com,safe.%s \n' $DOMAIN >> "${FILE}"
done
for DOMAIN in qwant.com; do
    printf 'cname=api.%s,safeapi.%s \n' $DOMAIN $DOMAIN >> "${FILE}"
done
YANDEX="com ru ua by kz"
for DOMAIN in $YANDEX; do
    printf 'cname=yandex.%s,www.yandex.%s,familysearch.yandex.ru \n' $DOMAIN $DOMAIN >> "${FILE}"
done
for DOMAIN in forcesafesearch.google.com safe.duckduckgo.com restrictmoderate.youtube.com strict.bing.com safesearch.pixabay.com safeapi.qwant.com familysearch.yandex.ru; do
    # Keep the second IPv4 address nslookup prints (the first is normally the resolver's own)
    IPS="$(nslookup $DOMAIN | grep "Address" | grep -oE "\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b" | sed -n 2p)"
    # Skip a failed lookup: an empty result would write a host-record line with no address
    [ -z "$IPS" ] && continue
    if [ "$DOMAIN" = "forcesafesearch.google.com" ]; then
        printf 'host-record=%s,restrict.youtube.com,%s,::ffff:%s \n' $DOMAIN $IPS $IPS >> "${FILE}"
    else
        printf 'host-record=%s,%s,::ffff:%s \n' $DOMAIN $IPS $IPS >> "${FILE}"
    fi
done
echo -e "\n# End of Enforced Safe Search #\n" >> "${FILE}"
service restart_dnsmasq >/dev/null 2>&1
EOF
sh enforcesafe.sh && rm -rf enforcesafe.sh


Copy and paste this script directly into the ssh terminal and press enter.

all of your safesearch needs will be covered.
 
Last edited:
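
The "bad address" startup failure reported above comes from `address=` lines whose target is a hostname, and the script avoids it by pairing each `cname=` with a `host-record=` for its target. The following is an added example, not part of the original posts: a pre-flight lint for those three line types, run here on a constructed sample file; the function names and the sample lines are assumptions.

```sh
#!/bin/sh
# Added example: pre-flight lint for a dnsmasq.conf.add candidate.

# Constructed sample in the shapes quoted in this thread.
sample_conf() {
    cat <<'EOF'
address=/www.google.com/216.239.38.120
address=/duckduckgo.com/safe.duckduckgo.com
cname=www.bing.com,strict.bing.com
cname=duckduckgo.com,www.duckduckgo.com,safe.duckduckgo.com
host-record=safe.duckduckgo.com,,::ffff:
host-record=forcesafesearch.google.com,216.239.38.120,::ffff:216.239.38.120
EOF
}

# lint_dnsmasq FILE: prints "LINE: problem" per finding; returns 1 if any.
lint_dnsmasq() {
    awk '
    # Loose literal check: dotted quad, or hex/colon text not ending in a lone colon.
    function is_ip(s) {
        if (s ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return 1
        return (s ~ /^[0-9A-Fa-f:.]+$/ && s ~ /:/ && s !~ /[^:]:$/)
    }
    { sub(/[ \t\r]+$/, "") }             # the script writes a trailing space
    /^address=\// {                       # target must be empty, "#" or an IP
        n = split($0, p, "/"); t = p[n]
        if (t != "" && t != "#" && !is_ip(t)) {
            printf "%d: address= target \"%s\" is not an IP\n", NR, t; bad++
        }
    }
    /^host-record=/ {                     # needs at least one address
        n = split(substr($0, 13), f, ","); ok = 0
        for (i = 1; i <= n; i++) {
            if (is_ip(f[i])) { ok = 1 } else if (f[i] != "") { known[f[i]] = 1 }
        }
        if (!ok) { printf "%d: host-record has no usable IP\n", NR; bad++ }
    }
    /^cname=/ {                           # last field is the target (or a TTL)
        n = split(substr($0, 7), f, ","); if (f[n] ~ /^[0-9]+$/) n--
        tgt[NR] = f[n]
    }
    END {                                 # cname targets must be local records
        for (l in tgt) if (!(tgt[l] in known)) {
            printf "%d: cname target \"%s\" has no host-record\n", l, tgt[l]; bad++
        }
        exit (bad > 0)
    }' "$1"
}
```

Run `lint_dnsmasq /jffs/configs/dnsmasq.conf.add` before `service restart_dnsmasq`; a dnsmasq that fails to start leaves the LAN without DNS.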

macster2075

Senior Member
Hi guys.. sorry to awake this thread again.
So, SafeSearch has been working great, no issues. However, I started using Firefox and I enabled DNS over HTTPS for more security. I noticed that if that's enabled, the dnsmasq configuration I have is bypassed. Is there a way to still enforce that rule over HTTPS?

I am using this..

address=/www.bing.com/204.79.197.220
address=/duckduckgo.com/ 52.149.247.1

address=/www.google.com/216.239.38.120

@SomeWhereOverTheRainBow If I add your script, will that still work over HTTPS?
 

dave14305

Part of the Furniture
However, I started using Firefox and I enabled DNS over HTTPS for more security. I noticed that if that's enabled, the dnsmasq configuration I have is bypassed. Is there a way to still enforce that rule over HTTPS?
No. DoH bypasses the router DNS completely. Ironic that you believe you are using DoH for “security” but it prevents you from enforcing safer searches. Those kiddies being protected from adult searches can use the same DoH tricks to bypass your safeguards once a classmate shows them how.
 

macster2075

Senior Member
No. DoH bypasses the router DNS completely. Ironic that you believe you are using DoH for “security” but it prevents you from enforcing safer searches. Those kiddies being protected from adult searches can use the same DoH tricks to bypass your safeguards once a classmate shows them how.
"safer" meaning filtering adult sites...and I meant "security" as in my connection to the Internet being safer than using http. - So you're saying there's really nothing I can do at the router level with firewall to do this? - I've found a few sites that mention enforcing SafeSearch over HTTPS, but I don't know how to implement that on my router.
 

ColinTaylor

Part of the Furniture
but I don't know how to implement that on my router.
You can't, if you're enabling DoH in the browser. That's the whole point of enabling DoH in the browser! If you want to encrypt the DNS requests of all of your clients you need to disable DoH on the clients and either use DoT on the router or set up another local DNS server (e.g. Pihole) that runs DoH.
 

macster2075

Senior Member
You can't, if you're enabling DoH in the browser. That's the whole point of enabling DoH in the browser! If you want to encrypt the DNS requests of all of your clients you need to disable DoH on the clients and either use DoT on the router or set up another local DNS server (e.g. Pihole) that runs DoH.
I actually have a pihole machine running, but for some reason safesearch doesn't work. I had created another post regarding that issue, and it seems it's an issue with pihole.
So, to understand what you're saying... if I set pihole as the ONLY dns server and point all devices to it, even if they enable doh in the browser, they won't be able to bypass it?
 

ColinTaylor

Part of the Furniture
...even if they enable doh in the browser, they won't be able to bypass it?
No, I'm saying the opposite. Enabling DoH in the browser will bypass whatever else you do***. This is the main point of DoH. It takes control away from the network administrator and puts it in the hands of the user.

*** An exception is if you set "Prevent client auto DoH" to Yes in the router's WAN settings and the browser is configured to honour that setting.
 

macster2075

Senior Member
oh ok.. I asked because you said this..."......If you want to encrypt the DNS requests of all of your clients...... or setup another local DNS server (e.g. Pihole) that runs DoH."
That made me think you meant if there's a Pihole DNS server, it could help with that.
 

macster2075

Senior Member
But.. thank you Colin, enabling that setting in the router helped...for now. haha... now even if I enable doh in firefox, SafeSearch is still implemented.
 

macster2075

Senior Member
HA!! - Spoke too soon.. that setting in the browser didn't actually block doh haha... I cleared cache and safesearch is no longer enabled :(
 

SomeWhereOverTheRainBow

Part of the Furniture
I actually have a pihole machine running, but for some reason safesearch doesn't work. I had created another post regarding that issue, and it seems it's an issue with pihole.
So, to understand what you're saying... if I set pihole as the ONLY dns server and point all devices to it, even if they enable doh in the browser, they won't be able to bypass it?
Sounds like you have your pihole configured in such a way that it bypasses using DNS from the router.

If you want to use safe-search from the router script, your pihole must point back to the router for DNS, thus not bypassing it, i.e. the router's WAN DNS1 and DNS2 are configured to some outbound DNS such as 1.1.1.1 and 1.0.0.1, or you are using the router's DoT. Pihole's custom DNS option points back to using the router for DNS.

If you insist on using some alternative DNS for Pi-hole setup other than the router, you must configure a safe search option on the pihole itself and not rely on the router script, i.e. where you have some odd configuration where WAN DNS 1 points to some outbound DNS and WAN DNS 2 points to pihole, and some weird configuration where LAN DNS points at your pihole and also points at the router itself.
 

macster2075

Senior Member
Sounds like you have your pihole configured in such a way that it bypasses using DNS from the router.

If you want to use safe-search from the router script, your pihole must point back to the router for DNS, thus not bypassing it.

If you insist on using some alternative DNS for Pi-hole setup other than the router, you must configure a safe search option on the pihole itself and not rely on the router script.
Right.. I'm just looking for a way to prevent bypassing content filtering using DoH. I've been reading and watching videos on how to set up the pihole using DNS over HTTPS, like Cloudflare, but I can't really wrap my head around it.

Not entirely sure if doing this will prevent a user from bypassing filtering simply by enabling doh in Firefox even though the dns will be over doh...can you clarify?
 

SomeWhereOverTheRainBow

Part of the Furniture
Right.. I'm just looking for a way to prevent bypassing content filtering using DoH. I've been reading and watching videos on how to set up the pihole using DNS over HTTPS, like Cloudflare, but I can't really wrap my head around it.

Not entirely sure if doing this will prevent a user from bypassing filtering simply by enabling doh in Firefox even though the dns will be over doh...can you clarify?
Use your firewall to block outbound connections on port 443 to certain IP addresses known for DoH traffic. Another classic method is to block the DoH addresses similar to how you block advertisements on pihole. A DoH connection, before it starts out as a DoH connection, has to be able to send a query to the server it is trying to connect to. If you block this, then it has no way of ever establishing the connection.

Here is a good nobypass list

 

macster2075

Senior Member
Use your firewall to block outbound connections on port 443 to certain IP addresses known for DoH traffic. Another classic method is to block the DoH addresses similar to how you block advertisements on pihole. A DoH connection, before it starts out as a DoH connection, has to be able to send a query to the server it is trying to connect to. If you block this, then it has no way of ever establishing the connection.

Here is a good nobypass list

So I would have to know which IP addresses are using outbound DoH connections on port 443?
Based on the answers I got previously on this post, I thought DoH would bypass all filtering at the router level, no matter what.. that's the impression I got from it.
But you're saying there's a way to block that?
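
The DNS-level approach described in the reply quoted above (refuse to resolve the DoH server's hostname, the way Pi-hole refuses ad domains), as an added example that is not part of the original thread: it emits the dnsmasq block lines and reports which LAN clients are looking up DoH endpoints. `DOH_HOSTS` is a short constructed sample rather than the linked list, and the log lines are constructed in dnsmasq's `log-queries` format.

```sh
#!/bin/sh
# Added example. Short constructed sample of public DoH hostnames; a real
# deployment would load a maintained list instead.
DOH_HOSTS="mozilla.cloudflare-dns.com cloudflare-dns.com dns.google dns.quad9.net doh.opendns.com"

# doh_block_lines: dnsmasq lines answering NXDOMAIN for each name and its
# subdomains. use-application-dns.net is the Firefox canary domain: NXDOMAIN
# there turns off DoH that Firefox enabled by default, not DoH a user enabled.
doh_block_lines() {
    for h in use-application-dns.net $DOH_HOSTS; do
        printf 'address=/%s/\n' "$h"
    done
}

# Constructed dnsmasq log-queries sample.
sample_log() {
    cat <<'EOF'
Mar  4 13:00:01 dnsmasq[1234]: query[A] mozilla.cloudflare-dns.com from 192.168.1.23
Mar  4 13:00:01 dnsmasq[1234]: forwarded mozilla.cloudflare-dns.com to 1.1.1.1
Mar  4 13:00:02 dnsmasq[1234]: query[AAAA] dns.google from 192.168.1.23
Mar  4 13:00:10 dnsmasq[1234]: query[A] www.google.com from 192.168.1.40
Mar  4 13:00:11 dnsmasq[1234]: query[A] use-application-dns.net from 192.168.1.40
Mar  4 13:00:20 dnsmasq[1234]: query[A] notdns.google from 192.168.1.40
EOF
}

# doh_lookups LOGFILE: prints "CLIENT COUNT" for clients that queried a listed
# DoH hostname or a subdomain of one. Canary lookups are not counted.
doh_lookups() {
    awk -v hosts="$DOH_HOSTS" '
    BEGIN { n = split(hosts, h, " ") }
    $0 ~ /query\[/ {
        # Fields after the syslog prefix: query[TYPE] NAME from CLIENT
        for (i = 1; i <= NF; i++) if ($i ~ /^query\[/) {
            name = tolower($(i + 1)); client = $(i + 3)
        }
        for (j = 1; j <= n; j++) {
            len = length(name) - length(h[j])
            if (name == h[j] || (len > 0 && substr(name, len) == "." h[j])) {
                c[client]++; break
            }
        }
    }
    END { for (k in c) print k, c[k] }' "$1" | sort
}
```

Append the output of `doh_block_lines` to the dnsmasq configuration and run `doh_lookups` over the query log. A client that reaches a resolver by IP address performs no lookup, which is the case the port 443 firewall block in the same reply covers.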
 
