Tutorial Forcing SafeSearch Tutorial


SomeWhereOverTheRainBow

Very Senior Member
There are many approaches to this topic, and RMerlin's Wiki (https://github.com/RMerl/asuswrt-merlin.ng/wiki/Enforce-Safesearch) briefly delves into the concept using dnsmasq. Instead of reinventing the wheel over and over again with this topic, below is a small script and instructions for users who wish to explore it.
Simply copy and paste the script below into an SSH terminal and press Enter, and everything is taken care of. Before testing, it is important to clear/refresh any browsers and/or caches on test devices.

To reduce the risk of IP changes, this script is adapted to use fresh IP addresses:
Code:
touch enforcesafe.sh && cat > "enforcesafe.sh" <<'EOF'
#!/bin/sh
URL="https://www.google.com/supported_domains"
FILE="/jffs/configs/dnsmasq.conf.add"

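# Create the add-on config if it does not exist yet
[ ! -f "$FILE" ] && touch "$FILE"
echo -e "\n# Enforced Safe Search:\n" >> "${FILE}"
# The list holds one Google search domain per entry, each with a leading dot
DOMAINS="$(curl "$URL" 2>/dev/null)"
for DOMAIN in $DOMAINS; do
    DOMAIN=$(echo "$DOMAIN" | cut -c 2-)   # strip the leading dot
    printf 'cname=www.%s,forcesafesearch.google.com \n' "$DOMAIN" >> "${FILE}"
done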
#this version uses restrictmoderate.youtube.com
for DOMAIN in youtube; do
    printf 'cname=www.%s.com,restrictmoderate.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=m.%s.com,restrictmoderate.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=%si.googleapis.com,restrictmoderate.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=%s.googleapis.com,restrictmoderate.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=www.%s-nocookie.com,restrictmoderate.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
done
for DOMAIN in bing.com; do
    printf 'cname=%s,www.%s,strict.%s \n' $DOMAIN $DOMAIN $DOMAIN >> "${FILE}"
done
for DOMAIN in pixabay.com; do
    printf 'cname=%s,safesearch.%s \n' $DOMAIN $DOMAIN >> "${FILE}"
done
for DOMAIN in duckduckgo.com; do
    printf 'cname=%s,www.%s,start.%s,safe.%s \n' $DOMAIN $DOMAIN $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=duck.com,www.duck.com,safe.%s \n' $DOMAIN >> "${FILE}"
done
for DOMAIN in qwant.com; do
    printf 'cname=api.%s,safeapi.%s \n' $DOMAIN $DOMAIN >> "${FILE}"
done
YANDEX="com ru ua by kz"
for DOMAIN in $YANDEX; do
    printf 'cname=yandex.%s,www.yandex.%s,familysearch.yandex.ru \n' $DOMAIN $DOMAIN >> "${FILE}"
done
for DOMAIN in forcesafesearch.google.com safe.duckduckgo.com restrictmoderate.youtube.com strict.bing.com safesearch.pixabay.com safeapi.qwant.com familysearch.yandex.ru; do
    # nslookup prints the resolver's own address first, so keep the second IPv4 match
    IPS="$(nslookup "$DOMAIN" | grep "Address" | grep -oE "\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b" | sed -n 2p)"
    # Skip the record when the lookup fails, so no host-record with an empty address is written
    [ -z "$IPS" ] && continue
    if [ "$DOMAIN" = "forcesafesearch.google.com" ]; then
        printf 'host-record=%s,restrict.youtube.com,%s,::ffff:%s \n' "$DOMAIN" "$IPS" "$IPS" >> "${FILE}"
    else
        printf 'host-record=%s,%s,::ffff:%s \n' "$DOMAIN" "$IPS" "$IPS" >> "${FILE}"
    fi
done
echo -e "\n# End of Enforced Safe Search #\n" >> "${FILE}"
service restart_dnsmasq >/dev/null 2>&1
EOF
sh enforcesafe.sh && rm -rf enforcesafe.sh
On a side note, for users who want restrict.youtube.com instead of the lower-level restrictmoderate.youtube.com:
Code:
touch enforcesafe.sh && cat > "enforcesafe.sh" <<'EOF'
#!/bin/sh
URL="https://www.google.com/supported_domains"
FILE="/jffs/configs/dnsmasq.conf.add"

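# Create the add-on config if it does not exist yet
[ ! -f "$FILE" ] && touch "$FILE"
echo -e "\n# Enforced Safe Search:\n" >> "${FILE}"
# The list holds one Google search domain per entry, each with a leading dot
DOMAINS="$(curl "$URL" 2>/dev/null)"
for DOMAIN in $DOMAINS; do
    DOMAIN=$(echo "$DOMAIN" | cut -c 2-)   # strip the leading dot
    printf 'cname=www.%s,forcesafesearch.google.com \n' "$DOMAIN" >> "${FILE}"
done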
#this version uses restrict.youtube.com
for DOMAIN in youtube; do
    printf 'cname=www.%s.com,restrict.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=m.%s.com,restrict.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=%si.googleapis.com,restrict.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=%s.googleapis.com,restrict.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=www.%s-nocookie.com,restrict.%s.com \n' $DOMAIN $DOMAIN >> "${FILE}"
done
for DOMAIN in bing.com; do
    printf 'cname=%s,www.%s,strict.%s \n' $DOMAIN $DOMAIN $DOMAIN >> "${FILE}"
done
for DOMAIN in pixabay.com; do
    printf 'cname=%s,safesearch.%s \n' $DOMAIN $DOMAIN >> "${FILE}"
done
for DOMAIN in duckduckgo.com; do
    printf 'cname=%s,www.%s,start.%s,safe.%s \n' $DOMAIN $DOMAIN $DOMAIN $DOMAIN >> "${FILE}"
    printf 'cname=duck.com,www.duck.com,safe.%s \n' $DOMAIN >> "${FILE}"
done
for DOMAIN in qwant.com; do
    printf 'cname=api.%s,safeapi.%s \n' $DOMAIN $DOMAIN >> "${FILE}"
done
YANDEX="com ru ua by kz"
for DOMAIN in $YANDEX; do
    printf 'cname=yandex.%s,www.yandex.%s,familysearch.yandex.ru \n' $DOMAIN $DOMAIN >> "${FILE}"
done
for DOMAIN in forcesafesearch.google.com safe.duckduckgo.com restrictmoderate.youtube.com strict.bing.com safesearch.pixabay.com safeapi.qwant.com familysearch.yandex.ru; do
    # nslookup prints the resolver's own address first, so keep the second IPv4 match
    IPS="$(nslookup "$DOMAIN" | grep "Address" | grep -oE "\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b" | sed -n 2p)"
    # Skip the record when the lookup fails, so no host-record with an empty address is written
    [ -z "$IPS" ] && continue
    if [ "$DOMAIN" = "forcesafesearch.google.com" ]; then
        printf 'host-record=%s,restrict.youtube.com,%s,::ffff:%s \n' "$DOMAIN" "$IPS" "$IPS" >> "${FILE}"
    else
        printf 'host-record=%s,%s,::ffff:%s \n' "$DOMAIN" "$IPS" "$IPS" >> "${FILE}"
    fi
done
echo -e "\n# End of Enforced Safe Search #\n" >> "${FILE}"
service restart_dnsmasq >/dev/null 2>&1
EOF
sh enforcesafe.sh && rm -rf enforcesafe.sh
Results:
Code:
#########################################################
/tmp/home/root# dig www.google.com @192.168.1.1

; <<>> DiG 9.16.8 <<>> www.google.com @192.168.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26812
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         0       IN      CNAME   forcesafesearch.google.com.
forcesafesearch.google.com. 0   IN      A       216.239.38.120

;; Query time: 1 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Jan 31 21:32:53 EST 2021
;; MSG SIZE  rcvd: 99
#########################################################
/tmp/home/root# dig www.youtube.com @192.168.1.1

; <<>> DiG 9.16.8 <<>> www.youtube.com @192.168.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1420
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;www.youtube.com.               IN      A

;; ANSWER SECTION:
www.youtube.com.        0       IN      CNAME   restrictmoderate.youtube.com.
restrictmoderate.youtube.com. 0 IN      A       216.239.38.119

;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Jan 31 21:33:42 EST 2021
;; MSG SIZE  rcvd: 102
#########################################################
/tmp/home/root# dig youtube.com @192.168.1.1

; <<>> DiG 9.16.8 <<>> youtube.com @192.168.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16207
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;youtube.com.                   IN      A

;; ANSWER SECTION:
youtube.com.            0       IN      CNAME   restrictmoderate.youtube.com.
restrictmoderate.youtube.com. 0 IN      A       216.239.38.119

;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Jan 31 21:34:25 EST 2021
;; MSG SIZE  rcvd: 98
#########################################################
/tmp/home/root# dig duckduckgo.com @192.168.1.1

; <<>> DiG 9.16.8 <<>> duckduckgo.com @192.168.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4671
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;duckduckgo.com.                        IN      A

;; ANSWER SECTION:
duckduckgo.com.         0       IN      CNAME   safe.duckduckgo.com.
safe.duckduckgo.com.    0       IN      A       52.149.247.1

;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Jan 31 21:34:57 EST 2021
;; MSG SIZE  rcvd: 92
#########################################################
 

MvW

Senior Member
There are many approaches to this topic, and RMerlin's Wiki (https://github.com/RMerl/asuswrt-merlin.ng/wiki/Enforce-Safesearch) briefly delves into the concept using dnsmasq. Instead of reinventing the wheel over and over again with this topic, below is a small script and instructions for users who wish to explore it.
Simply copy and paste the script below into an SSH terminal and press Enter, and everything is taken care of.

Thanks, that seems to work flawlessly. Will this survive a reboot or even an upgrade, without factory reset, or does it need to be applied again after any of these events?
 

MvW

Senior Member
Actually, something is wrong. DNS doesn't work anymore after I executed your script, dnsmasq seems to fail so there's no resolving being done anymore.

From the logs:

Code:
Jan 29 19:20:51 RT-AC86U dnsmasq[10753]: bad address at line 266 of /etc/dnsmasq.conf
Jan 29 19:20:51 RT-AC86U dnsmasq[10753]: FAILED to start up

line 266 of /etc/dnsmasq.conf shows
Code:
address=/duckduckgo.com/safe.duckduckgo.com

Seems like your script has broken dnsmasq's config and I don't have the knowledge to see how.

I made a backup of settings and of jffs prior to running your script.

What should I do to fix this?
 
Last edited:
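
Added example, not part of any post in this thread: a small lint for the Safe Search lines in a dnsmasq fragment, covering the failure logged above (`address=` given a hostname instead of an IP) plus empty `host-record` addresses and repeated `cname` aliases from re-running an appending script. The function name, the sample lines and the 192.0.2.10 address are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint the Safe Search lines of a dnsmasq config fragment.
# Prints one finding per line; exit status is 1 if anything was found.
lint_safesearch() {
    awk '
    function report(ln, msg) { printf "line %d: %s\n", ln, msg; bad++ }
    function is_ipv4(s,   p, n, i) {
        n = split(s, p, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
        return 1
    }
    function is_ip(s) {   # IPv6 test is rough: hex/colon/dot only, no lone trailing colon
        return is_ipv4(s) || (s ~ /:/ && s ~ /^[0-9A-Fa-f:.]+$/ && s !~ /[^:]:$/)
    }
    { sub(/[ \t\r]+$/, "") }          # the posted script leaves a trailing space
    /^address=/ {                     # address=/domain/<ip>: last field must be an IP
        n = split($0, f, "/")
        if (f[n] != "" && f[n] != "#" && !is_ip(f[n]))
            report(NR, "address= target \"" f[n] "\" is a hostname, not an IP")
        next
    }
    /^host-record=/ {                 # host-record=name[,name...],ipv4[,ipv6][,ttl]
        n = split(substr($0, 13), f, ","); ips = 0
        for (i = 1; i <= n; i++) {
            if (f[i] == "") report(NR, "host-record has an empty field (failed lookup?)")
            else if (is_ip(f[i])) ips++
            else if (f[i] ~ /:/) report(NR, "host-record address \"" f[i] "\" is malformed")
            else if (f[i] !~ /^[0-9]+$/) known[f[i]] = 1   # a name; bare numbers are TTLs
        }
        if (ips == 0) report(NR, "host-record has no usable address")
        next
    }
    /^cname=/ {                       # cname=alias[,alias...],target[,ttl]
        n = split(substr($0, 7), f, ",")
        if (f[n] ~ /^[0-9]+$/) n--    # drop an optional trailing TTL
        for (i = 1; i < n; i++)
            if (seen[f[i]]++) report(NR, "cname \"" f[i] "\" is defined more than once")
        target[NR] = f[n]
    }
    END {
        for (ln in target)            # a cname target must be a name dnsmasq itself knows
            if (!(target[ln] in known))
                report(ln, "cname target \"" target[ln] "\" has no host-record in this file")
        exit (bad > 0)
    }' "$1"
}

# Constructed sample: the line from the log above, a failed-lookup record, a re-run duplicate.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
address=/duckduckgo.com/safe.duckduckgo.com
cname=duckduckgo.com,www.duckduckgo.com,safe.duckduckgo.com
host-record=safe.duckduckgo.com,,::ffff:
cname=www.google.com,forcesafesearch.google.com
host-record=forcesafesearch.google.com,restrict.youtube.com,192.0.2.10,::ffff:192.0.2.10
cname=www.google.com,forcesafesearch.google.com
EOF
lint_safesearch "$SAMPLE" || echo "fix the findings above before restarting dnsmasq"
rm -f "$SAMPLE"
```

dnsmasq's own `--test` option syntax-checks a complete configuration file; this lint only looks at the three directive types the script in this thread writes.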

MvW

Senior Member
I restored settings and jffs after I connected to the router's IP and gained access to the WebUI. I think your script might need some more tinkering...
 

MvW

Senior Member
Thanks for the confirmation. However, as mentioned above I had to overwrite your modifications by restoring my backups which I made prior to running your script, as dnsmasq fails to start after the modifications. See details above. If you need more info let me know, I'd love to get this working, but in its current state it breaks dnsmasq. Thanks for the effort though!
 

SomeWhereOverTheRainBow

Very Senior Member
Actually, something is wrong. DNS doesn't work anymore after I executed your script, dnsmasq seems to fail so there's no resolving being done anymore.

From the logs:

Jan 29 19:20:51 RT-AC86U dnsmasq[10753]: bad address at line 266 of /etc/dnsmasq.conf
Jan 29 19:20:51 RT-AC86U dnsmasq[10753]: FAILED to start up


line 266 of /etc/dnsmasq.conf shows
address=/duckduckgo.com/safe.duckduckgo.com

Seems like your script has broken dnsmasq's config and I don't have the knowledge to see how.

I made a backup of settings and of jffs prior to running your script.

What should I do to fix this?
Well, without knowing what address was at line 266 of your dnsmasq.conf, idk what was causing the issue. I removed the mock ipv4 to ipv6 addresses thinking it might have been that; you can give the script a try again if you like. Nvm, it is the duckduckgo. I got a fix.
 

MvW

Senior Member
Well, without knowing what address was at line 266 of your dnsmasq.conf, idk what was causing the issue. I removed the mock ipv4 to ipv6 addresses thinking it might have been that; you can give the script a try again if you like. Nvm, it is the duckduckgo. I got a fix.

From my post above:

From the logs:

Code:
Jan 29 19:20:51 RT-AC86U dnsmasq[10753]: bad address at line 266 of /etc/dnsmasq.conf
Jan 29 19:20:51 RT-AC86U dnsmasq[10753]: FAILED to start up

line 266 of /etc/dnsmasq.conf shows
Code:
address=/duckduckgo.com/safe.duckduckgo.com
 

MvW

Senior Member
it is fixed
should work now.

I switched DuckDuckgo to the cname method; just keep in mind that the IP address for safe.duckduckgo has been subject to change over time.
Just reran the edited script, now google.com and google.nl etc. can't be found anymore. Any suggestions before I restore the freshly made backup again?

dnsmasq.log shows
Code:
Jan 29 21:29:10 dnsmasq[1434]: query[A] google.com from 10.0.12.21
21:29:10 dnsmasq[1434]: query[A] google.com from 10.0.12.21
Jan 29 21:29:10 dnsmasq[1434]: config google.com is <CNAME>
21:29:10 dnsmasq[1434]: config google.com is <CNAME>
Jan 29 21:29:11 dnsmasq[1434]: query[A] google.com from 10.0.12.21
21:29:11 dnsmasq[1434]: query[A] google.com from 10.0.12.21
Jan 29 21:29:11 dnsmasq[1434]: config google.com is <CNAME>
21:29:11 dnsmasq[1434]: config google.com is <CNAME>
Jan 29 21:29:11 dnsmasq[1434]: query[A] google.com from 10.0.12.21
21:29:11 dnsmasq[1434]: query[A] google.com from 10.0.12.21
Jan 29 21:29:11 dnsmasq[1434]: config google.com is <CNAME>
21:29:11 dnsmasq[1434]: config google.com is <CNAME>
 

MvW

Senior Member
If you can use your browsers I wouldn't worry about it.

Just reran the edited script, now google.com and google.nl etc. can't be found anymore.

As mentioned above, after your last modifications, none of the google domains are being resolved anymore. So, basically google can't be reached, but times out with a DNS error in any browser. I just restored the last backup and google can be reached again, so I fear you broke something while fixing the duckduckgo issue (which is perfectly reachable now).
 

MvW

Senior Member
I hate to say it, but when I ran your script again just this morning, before the rest of the house woke up, suddenly duckduckgo isn't reachable anymore. Which is my default search engine on all computers, phones and tablets in the house. Google works fine now, everything runs through safesearch, but apparently duckduckgo is broken now. Could you please have another look at the script? Something else has broken, because after restoring my backup duckduckgo is available again, so it must be in the modifications your script makes in the dnsmasq config. Thanks again for your effort.
 

SomeWhereOverTheRainBow

Very Senior Member
I hate to say it, but when I ran your script again just this morning, before the rest of the house woke up, suddenly duckduckgo isn't reachable anymore. Which is my default search engine on all computers, phones and tablets in the house. Google works fine now, everything runs through safesearch, but apparently duckduckgo is broken now. Could you please have another look at the script? Something else has broken, because after restoring my backup duckduckgo is available again, so it must be in the modifications your script makes in the dnsmasq config. Thanks again for your effort.
I just ran the current script I have posted; every line comes out perfectly.
No issues with dnsmasq either.
 

MvW

Senior Member
Strange. I'll have another look tonight when the rest sleeps and run the same commands you posted above.

It's not like I have to reboot the router or anything like that after installing your script? Nothing in your first post pointed at that, so I have just pasted the script, executed the generated command at the end of the script and tested its functionality.
 

SomeWhereOverTheRainBow

Very Senior Member
Strange. I'll have another look tonight when the rest sleeps and run the same commands you posted above.

It's not like I have to reboot the router or anything like that after installing your script? Nothing in your first post pointed at that, so I have just pasted the script, executed the generated command at the end of the script and tested its functionality.
Just copy and paste the coded section into your SSH terminal. It appends the lines to /jffs/configs/dnsmasq.conf.add, then restarts dnsmasq. Keep in mind you may want to refresh your web browsers or clear any cache on your testing devices.
 

MvW

Senior Member
I re-applied your script and now everything is reachable. I cleared all history and caches to be sure, but even before that duckduckgo.com was reachable, so I'm not sure whether you changed something in the meantime. There's one thing I noticed though: safesearch settings on duckduckgo show 'Moderate' instead of 'Strict'. I noticed the IP address in my dig output below differs from yours. This could just be regional or load balancing, but could you check on duckduckgo.com > settings > whether safe search is set to Moderate or Strict? Moderate still shows some pretty graphic results which I'd like to block.

Your help is muchly appreciated.

Code:
dig www.duckduckgo.com @10.0.12.1

; <<>> DiG 9.16.8 <<>> www.duckduckgo.com @10.0.12.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8917
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;www.duckduckgo.com.            IN      A

;; ANSWER SECTION:
www.duckduckgo.com.     0       IN      CNAME   safe.duckduckgo.com.
safe.duckduckgo.com.    0       IN      A       52.142.126.100

;; Query time: 10 msec
;; SERVER: 10.0.12.1#53(10.0.12.1)
;; WHEN: Sat Jan 30 18:59:58 CET 2021
;; MSG SIZE  rcvd: 96

One last thing: in a previous post you warned that the IP address for safe.duckduckgo is known to change frequently. How to keep up with the changes? Can I just edit the IP in your script and re-run it, or should I do something else?
 

MvW

Senior Member
I just discovered that when going to Settings on safe.duckduckgo.com Safe Search is set to Moderate. So I've sent them a message asking to clarify. Redirecting towards safe.duckduckgo.com is pretty useless this way, as Moderate is the default setting...
 

SomeWhereOverTheRainBow

Very Senior Member
I just discovered that when going to Settings on safe.duckduckgo.com Safe Search is set to Moderate. So I've sent them a message asking to clarify. Redirecting towards safe.duckduckgo.com is pretty useless this way, as Moderate is the default setting...
Your settings won't get changed; your search results are directed at the DNS level.
 

MvW

Senior Member
Your settings won't get changed your search results are directed at the dns lev

Thanks for your reply, but I think you're missing my point. I understand how the redirection at DNS level works, but safe.duckduckgo.com isn't working as it is supposed to. From their support pages:

By using safe.duckduckgo.com instead. Searches from safe.duckduckgo.com always have safe search set to "strict".
Source: https://help.duckduckgo.com/duckduckgo-help-pages/features/safe-search/

According to the settings at safe.duckduckgo it's set to Moderate search results and when testing I do get explicit search results, which I would like to protect my kid from seeing.

So your script is working fine now, but apparently safe.duckduckgo.com isn't.
 

SomeWhereOverTheRainBow

Very Senior Member
Thanks for your reply, but I think you're missing my point. I understand how the redirection at DNS level works, but safe.duckduckgo.com isn't working as it is supposed to. From their support pages:


Source: https://help.duckduckgo.com/duckduckgo-help-pages/features/safe-search/

According to the settings at safe.duckduckgo it's set to Moderate search results and when testing I do get explicit search results, which I would like to protect my kid from seeing.

So your script is working fine now, but apparently safe.duckduckgo.com isn't.
It appears the issue was not coming from the router but from the actual devices' built-in cache. And the answer to your issue is that some domains refresh quicker than others; duckduckgo seems to take a bit long to refresh within the cache, while other domains did not. This required you to purge the cache on the devices, as it was not getting new information from the router's DNS.
 

MvW

Senior Member
It appears the issue was not coming from the router but from the actual devices' built-in cache. And the answer to your issue is that some domains refresh quicker than others; duckduckgo seems to take a bit long to refresh within the cache, while other domains did not. This required you to purge the cache on the devices, as it was not getting new information from the router's DNS.
It appears you are right. As I said your script seems to work fine after the modifications you've made, so this was in no way an attack on your effort, so please don't feel offended.

Nevertheless, I still think it's strange that safe.duckduckgo shows 'Moderate' Safe Search settings instead of Strict (at least, that's the option shown at their settings page), regardless of what the search results are showing, but that now seems to be completely beyond the scope of this thread. That's odd, or am I the only one thinking that they're completely missing the point they're trying to achieve with safe.duckduckgo? When visiting Google it clearly shows 'Safesearch on' and there's no (obvious) way around it. If and when I receive a reply from Duckduckgo, I'll share it.
 
