Force SafeSearch in DuckDuckGo

macster2075

Hi,
I currently have a few scripts that force SafeSearch in Google and Bing which work great...
For Google I am using this

echo address=/www.google.com/216.239.38.120 > /jffs/configs/dnsmasq.conf.add
service restart_dnsmasq

DuckDuckGo does not have an IP address for safe.duckduckgo.com -
I have tried the jffs below, but it doesn't work...

echo address=/www.duckduckgo.com/safe.duckduckgo.com > /jffs/configs/dnsmasq.conf.add
service restart_dnsmasq

Any help on this?
Thanks.
 
try
echo address=/duckduckgo.com/safe.duckduckgo.com > /jffs/configs/dnsmasq.conf.add
service restart_dnsmasq
 
here is a better block for duckduckgo.com
Code:
{
    echo 'address=/duckduckgo.com/safe.duckduckgo.com'
    echo 'address=/www.duckduckgo.com/safe.duckduckgo.com'
    echo 'address=/start.duckduckgo.com/safe.duckduckgo.com'
    echo 'address=/duck.com/safe.duckduckgo.com'
    echo 'address=/www.duck.com/safe.duckduckgo.com'
} >> /jffs/configs/dnsmasq.conf.add
 

Hi @SomeWhereOverTheRainBow, when I added these lines to dnsmasq.conf.add I get an error after I run the service restart_dnsmasq command:

Code:
Mar  4 12:45:31 dnsmasq[20586]: bad address at line 51 of /etc/dnsmasq.conf
Mar  4 12:45:31 dnsmasq[20586]: FAILED to start up

Line 51 is where the "address" lines start...
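
dnsmasq logs `bad address` when the last field of an `address=` line does not parse as an IP address; a hostname such as safe.duckduckgo.com is not accepted there. The check below is an added example, not part of the original posts: it flags such lines before dnsmasq is restarted. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads dnsmasq config lines on stdin and
# prints "LINE: message" for every address= line whose target is not an IP.
# Exit status is 1 if any such line was found, 0 otherwise.
lint_address_lines() {
    awk '
        function is_ipv4(s,   p, n, i) {
            n = split(s, p, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
            return 1
        }
        /^address=/ {
            n = split($0, f, "/")          # address=/name[/name...]/target
            target = f[n]
            sub(/[ \t\r]+$/, "", target)
            # Accepted targets: empty (NXDOMAIN), "#" (null address), IPv4, IPv6.
            if (target == "" || target == "#" || is_ipv4(target)) next
            if (target ~ /^[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*$/) next
            printf "%d: address= target \"%s\" is not an IP address\n", NR, target
            bad = 1
        }
        END { exit bad }
    '
}

# Constructed sample input mirroring the lines discussed in this thread.
sample_conf() {
cat <<'EOF'
address=/www.google.com/216.239.38.120
address=/duckduckgo.com/safe.duckduckgo.com
address=/www.duckduckgo.com/safe.duckduckgo.com
address=/blocked.example/#
EOF
}

sample_conf | lint_address_lines || echo "fix the lines above before restarting dnsmasq"
```

On the router the same function can be fed the real file: `lint_address_lines < /jffs/configs/dnsmasq.conf.add`.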
 
you have to copy and paste those lines into the terminal.. don't add them directly to dnsmasq.conf.add


For best results, use the script 1 from this link


Code:
touch enforcesafe.sh && cat > "enforcesafe.sh" <<'EOF'
#!/bin/sh
URL="https://www.google.com/supported_domains"
FILE="/jffs/configs/dnsmasq.conf.add"

[ ! -f "$FILE" ] && touch $FILE
echo -e "\n# Enforced Safe Search:\n" >> "${FILE}"
DOMAINS="$(curl $URL 2>/dev/null)"
for DOMAIN in $DOMAINS; do
    DOMAIN=$(echo $DOMAIN | cut -c 2-)
    printf 'cname=www.%s,forcesafesearch.google.com \n' $DOMAIN >> "${FILE}"
done
#this version uses restrictmoderate.youtube.com
for DOMAIN in youtube; do
    printf 'cname=www.%s.com,restrictmoderate.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=m.%s.com,restrictmoderate.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=%si.googleapis.com,restrictmoderate.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=%s.googleapis.com,restrictmoderate.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=www.%s-nocookie.com,restrictmoderate.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
done
for DOMAIN in bing.com; do
    printf 'cname=%s,www.%s,strict.%s \n' $DOMAIN $DOMAIN $DOMAIN >> "${FILE}"
done
for DOMAIN in pixabay.com; do
    printf 'cname=%s,safesearch.%s \n' $DOMAIN $DOMAIN >> "${FILE}"
done
for DOMAIN in duckduckgo.com; do
    printf 'cname=%s,www.%s,start.%s,safe.%s \n' $DOMAIN $DOMAIN $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=duck.com,www.duck.com,safe.%s \n' $DOMAIN >> "${FILE}"
done
for DOMAIN in qwant.com; do
    printf 'cname=api.%s,safeapi.%s \n' $DOMAIN $DOMAIN >> "${FILE}"
done
YANDEX="com ru ua by kz"
for DOMAIN in $YANDEX; do
    printf 'cname=yandex.%s,www.yandex.%s,familysearch.yandex.ru \n' $DOMAIN $DOMAIN >> "${FILE}"
done
for DOMAIN in forcesafesearch.google.com safe.duckduckgo.com restrictmoderate.youtube.com strict.bing.com safesearch.pixabay.com safeapi.qwant.com familysearch.yandex.ru; do
    # Take the second IPv4 match: the first is normally the resolver's own address.
    IPS="$(nslookup "$DOMAIN" | grep "Address" | grep -oE "\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b" | sed -n 2p)"
    # Skip the record if the lookup failed; an empty address would stop dnsmasq from starting.
    [ -z "$IPS" ] && continue
    if [ "$DOMAIN" = "forcesafesearch.google.com" ]; then
        printf 'host-record=%s,restrict.youtube.com,%s,::ffff:%s \n' "$DOMAIN" "$IPS" "$IPS" >> "${FILE}"
    else
        printf 'host-record=%s,%s,::ffff:%s \n' "$DOMAIN" "$IPS" "$IPS" >> "${FILE}"
    fi
done
echo -e "\n# End of Enforced Safe Search #\n" >> "${FILE}"
service restart_dnsmasq >/dev/null 2>&1
EOF
sh enforcesafe.sh && rm -rf enforcesafe.sh


Copy and paste this script directly into the ssh terminal and press enter.

all of your safesearch needs will be covered.
 
Hi guys.. sorry to awake this thread again.
So, SafeSearch has been working great, no issues. However, I started using Firefox and I enabled DNS over HTTPS for more security. I noticed that if that's enabled, the dnsmasq configuration I have is bypassed. Is there a way to still enforce that rule over HTTPS?

I am using this..

address=/www.bing.com/204.79.197.220
address=/duckduckgo.com/52.149.247.1
address=/www.google.com/216.239.38.120

@SomeWhereOverTheRainBow If I add your script, will that still work over HTTPS?
 
However, I started using FireFox and I enabled DNS over HTTPS for more security. I noticed that if that's enabled, the dnsmasq configuration I have is bypassed. Is there a way to still enforce that rule over HTTPS?
No. DoH bypasses the router DNS completely. Ironic that you believe you are using DoH for “security” but it prevents you from enforcing safer searches. Those kiddies being protected from adult searches can use the same DoH tricks to bypass your safeguards once a classmate shows them how.
 
"safer" meaning filtering adult sites...and I meant "security" as in my connection to the Internet being safer than using http. - So you're saying there's really nothing I can do at the router level with firewall to do this? - I've found a few sites that mention enforcing SafeSearch over HTTPS, but I don't know how to implement that on my router.
 
but I don't know how to implement that on my router.
You can't, if you're enabling DoH in the browser. That's the whole point of enabling DoH in the browser! If you want to encrypt the DNS requests of all of your clients you need to disable DoH on the clients and either use DoT on the router or set up another local DNS server (e.g. Pihole) that runs DoH.
 
I actually have a pihole machine running, but for some reason safesearch doesn't work. I had created another post regarding that issue, and it seems it's an issue with pihole.
So, to understand what you're saying... if I set pihole as the ONLY dns server and point all devices to it, even if they enable doh in the browser, they won't be able to bypass it?
 
...even if they enable doh in the browser, they won't be able to bypass it?
No, I'm saying the opposite. Enabling DoH in the browser will bypass whatever else you do***. This is the main point of DoH. It takes control away from the network administrator and puts it in the hands of the user.

*** An exception is if you set "Prevent client auto DoH" to Yes in the router's WAN settings and the browser is configured to honour that setting.
 
oh ok.. I asked because you said this..."......If you want to encrypt the DNS requests of all of your clients...... or setup another local DNS server (e.g. Pihole) that runs DoH."
That made me think you meant if there's a Pihole DNS server, it could help with that.
 
But.. thank you Colin, enabling that setting in the router helped...for now. haha... now even if I enable doh in firefox, SafeSearch is still implemented.
 
HA!! - Spoke too soon.. that setting in the browser didn't actually block doh haha... I cleared cache and safesearch is no longer enabled :(
 
Sounds like you have your pihole configured in such a way that it bypasses using DNS from the router.

If you want to use safe-search from the router script, your pihole must point back to the router for DNS, thus not bypassing it, i.e. the router's WAN DNS1 and DNS2 are configured to some outbound DNS such as 1.1.1.1 and 1.0.0.1, or you are using the router's DoT, and the Pihole custom DNS option points back to using the router for DNS.

If you insist on using some alternative DNS for the Pi-hole setup other than the router, you must configure a safe search option on the pihole itself and not rely on the router script, i.e. where you have some odd configuration where WAN DNS 1 points to some outbound DNS and WAN DNS 2 points to pihole, and some weird configuration where LAN DNS points at your pihole and also points at the router itself.
 
Right.. I'm just looking for a way to prevent bypassing content filtering using DoH. I've been reading and watching videos on how to set up the pihole using DNS over HTTPS, like Cloudflare, but I can't really wrap my head around it.

Not entirely sure if doing this will prevent a user from bypassing filtering simply by enabling doh in Firefox even though the dns will be over doh...can you clarify?
 
Use your firewall to block outbound connections on port 443 to certain IP addresses known for DoH traffic. Another classic method is to block the DoH addresses similar to how you block advertisements on pihole. A DoH connection, before it starts out as a DoH connection, has to be able to send a query to the server it is trying to connect to. If you block this, then it has no way of ever establishing the connection.

Here is a good nobypass list
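
The approach described in the post above (block the ordinary DNS lookup a browser makes for its DoH server's hostname, and see which clients attempt it), as an added example that is not part of the original post. It assumes dnsmasq query logging (`log-queries`) is enabled; the hostname list is a small constructed sample, the log lines are constructed, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread). Small constructed sample of DoH
# hostnames; in practice feed in a maintained list. use-application-dns.net
# is Firefox's canary domain: NXDOMAIN for it turns off DoH that Firefox
# enabled by default (not DoH the user switched on manually).
DOH_HOSTS="dns.google cloudflare-dns.com mozilla.cloudflare-dns.com dns.quad9.net use-application-dns.net"

# Emit one dnsmasq rule per hostname. An address= rule with no IP makes
# dnsmasq answer NXDOMAIN for the name and its subdomains.
doh_block_rules() {
    for h in $DOH_HOSTS; do
        printf 'address=/%s/\n' "$h"
    done
}

# Read dnsmasq query-log lines on stdin ("query[TYPE] NAME from CLIENT") and
# print "CLIENT NAME COUNT" for every lookup of a listed DoH hostname.
doh_lookups() {
    awk -v hosts="$DOH_HOSTS" '
        BEGIN { n = split(hosts, a, " "); for (i = 1; i <= n; i++) doh[a[i]] = 1 }
        {
            for (i = 1; i <= NF - 3; i++)
                if ($i ~ /^query\[/ && $(i + 2) == "from") {
                    name = tolower($(i + 1)); sub(/\.$/, "", name)
                    if (name in doh) seen[$(i + 3) " " name]++
                }
        }
        END { for (k in seen) print k, seen[k] }
    ' | sort
}

# Constructed sample log lines in dnsmasq's query-log format.
sample_log() {
cat <<'EOF'
Mar  4 12:50:01 dnsmasq[20586]: query[A] www.google.com from 192.168.1.23
Mar  4 12:50:02 dnsmasq[20586]: query[A] mozilla.cloudflare-dns.com from 192.168.1.23
Mar  4 12:50:02 dnsmasq[20586]: query[AAAA] mozilla.cloudflare-dns.com from 192.168.1.23
Mar  4 12:50:07 dnsmasq[20586]: query[A] dns.google from 192.168.1.40
Mar  4 12:50:09 dnsmasq[20586]: query[A] use-application-dns.net from 192.168.1.23
EOF
}

sample_log | doh_lookups
```

Hostname blocking does not stop a client that reaches a DoH server by a hard-coded IP address; that case needs the firewall rule on port 443 mentioned in the post.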

 
So I would have to know which IP addresses are using outbound DoH connections on port 443?
Based on the answers I got previously on this post, I thought doh would bypass all filtering at the router level, no matter what.. that's the impression I got from it.
But you're saying there's a way block that?
 
