Using DNSMasq to force google safe search returns 404 error

[jadog]

I configured my DNSMasq file to divert yahoo.com to google safe search. I used the instructions as outlined here:

https://www.snbforums.com/threads/f...-youtube-and-google-search.38497/#post-317638

An example of what is present in the dnsmasq.conf.add file is below:

address=/www.google.com/216.239.38.120
address=/www.yahoo.com/216.239.38.120

Google works great and forces safe search. However, I was expecting when going to yahoo.com to land on google's search, but instead I get a 404 error webpage. Any ideas what I'm doing wrong?

 

[SomeWhereOverTheRainBow]

I configured my DNSMasq file to divert yahoo.com to google safe search. I used the instructions as outlined here:

https://www.snbforums.com/threads/f...-youtube-and-google-search.38497/#post-317638

An example of what is present in the dnsmasq.conf.add file is below:

address=/www.google.com/216.239.38.120
address=/www.yahoo.com/216.239.38.120

Google works great and forces safe search. However, I was expecting when going to yahoo.com to land on google's search, but instead I get a 404 error webpage. Any ideas what I'm doing wrong?

Though it is possible with dnsmasq, I have had better luck doing this with rules using the dnscypt proxy 2. I recommend you take a look at that if you haven't already, or forwarding clients you want to use safe search using dns filter and cleanbrowsing family forcing devices on a client basis or using a global filter set to that, where the dns service takes care of the rest.

 

[jadog]

I should have clarified that I'm using Diversion for ad-blocking. If I use Cleanbrowsing or a dns filter, then Diversion fails to work. Have you found a way to get your method to work while retaining the benefits of Diversion?

 

[ColinTaylor]

If you direct your clients to use the router as their DNS server, and then specify Cleanbrowsing at the router's upstream DNS you will get the benefits of both.

 

[jadog]

If you direct your clients to use the router as their DNS server, and then specify Cleanbrowsing at the router's upstream DNS you will get the benefits of both.

I presume that is not a setting I can change on the router to force clients to use the router as the DNS server? I was hoping not to have to change settings at a device level if possible.

 

[ColinTaylor]

I presume that is not a setting I can change on the router to force clients to use the router as the DNS server?

DNSFilter with Global Filter Mode set to Router (as per the description on that page).

 

[jadog]

You mean like this?

I have tried this and any devices assigned to CleanBrowsing's DNS will not use Diversion. Are you getting results a different way?

 

[SomeWhereOverTheRainBow]

You mean like this?

I have tried this and any devices assigned to CleanBrowsing's DNS will not use Diversion. Are you getting results a different way?

Per the Wisdom of Colin Talor

• Change your Wan DNS1 and 2 to match Cleanbrowsing familys or Set your DoT servers to be Cleanbrowsing familys (alternatively you can use adguard family as well but adguard blocks ads you cant crontrol without adguard home).
• Set Global Filter Mode to Router

This will allow for all clients to use cleanbrowsing family(or adguard family w/e you choose).

 

[SomeWhereOverTheRainBow]

Here is some alternative DNSMASQ options for forcing safesearch.

# force google safesearch
host-record=forcesafesearch.google.com,216.239.38.120
cname=www.google.com,forcesafesearch.google.com

# force bing family filter
host-record=strict.bing.com,204.79.197.220
cname=www.bing.com,strict.bing.com

# force youtube restricted mode
host-record=restrictmoderate.youtube.com,216.239.38.119
cname=www.youtube.com,restrictmoderate.youtube.com
cname=m.youtube.com,restrictmoderate.youtube.com
cname=youtubei.googleapis.com,restrictmoderate.youtube.com
cname=youtube.googleapis.com,restrictmoderate.youtube.com
cname=www.youtube-nocookie.com,restrictmoderate.youtube.com

 

[SomeWhereOverTheRainBow]

google has the most CNAMES but you can find an adequate list here
https://www.leowkahman.com/2017/09/11/enforce-safe-search-on-google-youtube-bing/
by the way the website also list info for IPV6 alternatives as well.

you can do duck duck go as well

host-record=safe.duckduckgo.com,46.137.218.113
cname=duckduckgo.com,safe.duckduckgo.com
cname=www.duckduckgo.com,safe.duckduckgo.com

 

[dave14305]

However, I was expecting when going to yahoo.com to land on google's search, but instead I get a 404 error webpage. Any ideas what I'm doing wrong?

Redirecting yahoo.com to google.com won’t pass https verification in the browser (request to yahoo.com will return cert from google.com).

 

[SomeWhereOverTheRainBow]

why not just enforce yahoo safe search

 

[ColinTaylor]

I have tried this and any devices assigned to CleanBrowsing's DNS will not use Diversion. Are you getting results a different way?

By specifying "CleanBrowsing" there as the DNS server you are still bypassing the router. You need to specify "Router" as the DNS server, either globally or per device.

Then as @SomeWhereOverTheRainBow said you need to also set CleanBrowsing as the WAN DNS server.

Make sure you don't have any DNS servers specified under LAN - DHCP Server as that will only confuse matters.

 

[SomeWhereOverTheRainBow]

Redirecting yahoo.com to google.com won’t pass https verification in the browser (request to yahoo.com will return cert from google.com).

would it be valid to also include the ipv6 alternative in this line as well

host-record=safe.duckduckgo.com,46.137.218.113,::ffff:46.137.218.113

or would a second host-record need to be defined for it?

 

[jadog]

Per the Wisdom of Colin Talor

• Change your Wan DNS1 and 2 to match Cleanbrowsing familys or Set your DoT servers to be Cleanbrowsing familys (alternatively you can use adguard family as well but adguard blocks ads you cant crontrol without adguard home).
• Set Global Filter Mode to Router

This will allow for all clients to use cleanbrowsing family(or adguard family w/e you choose).

Ok, I think I'm getting closer, but with the settings you stated by setting the Global Filter mode to router and not specifying any clients, I then set the WAN DNS 1 and 2 as you said. When I visit an ad site, Diversion does not filter the ads. Can you check my below settings to confirm?

There are no DNS servers specified under LAN - DHCP Server.

 

[SomeWhereOverTheRainBow]

Ok, I think I'm getting closer, but with the settings you stated by setting the Global Filter mode to router and not specifying any clients, I then set the WAN DNS 1 and 2 as you said. When I visit an ad site, Diversion does not filter the ads. Can you check my below settings to confirm?

There are no DNS servers specified under LAN - DHCP Server.

what do you dnsfilter settings look like? the wan settings look correct.

 

[ColinTaylor]

"Forward local domain queries..." should also be set to No. (Although that's not the cause of your problem.)

The secondary DNS address is 185.228.169.168.

EDIT: Make sure you've flushed the DNS cache on your client (or reboot it) and check the Diversion log file to see if you're getting any hits.

 

[jadog]

I updated the router settings per your advice. I also rebooted my router and PC. Still the same and when I test an ad site, they are present and the Diversion log is quiet. Also, when I visit https://dnsleaktest.com, it shows Cleanbrowsing.org as my DNS. You must have a setting somewhere else that I'm missing...

Maybe I need to enable the DNS Privacy Protocol and set the profile to Cleanbrowsing?

 

[ColinTaylor]

Maybe I need to enable the DNS Privacy Protocol and set the profile to Cleanbrowsing?

No. That's just going to add a whole new level of complexity for no reason.

I suspect this is a Diversion issue. With your current setup you could actually turn off DNS Filter and "well behaved" DHCP clients should still go to Diversion (and then onto Cleanbrowsing).

 

[SomeWhereOverTheRainBow]

I updated the router settings per your advice. I also rebooted my router and PC. Still the same and when I test an ad site, they are present and the Diversion log is quiet. Also, when I visit https://dnsleaktest.com, it shows Cleanbrowsing.org as my DNS. You must have a setting somewhere else that I'm missing...

Maybe I need to enable the DNS Privacy Protocol and set the profile to Cleanbrowsing?

Please make sure dns filter.has no other specified options listed for clients and router selected for global mode if specifying clients make sure they are set to router mode as well