How to enforce SafeSearch using Pi-Hole

If you have deployed Pi-Hole on your network, then you can enforce safe search using your Local DNS server.
This article explains how to do just that for Google, Bing, DuckDuckGo and YouTube.

This will affect all the devices connected to your network and using your P-Hole as DNS server. (Changing the DNS servers on your router)
This will not impact devices which have had the DNS servers manually set to an external provider.

There will be other ways of achieving the below, but I like knowing exactly what my setup is and manage it as required.

Getting the IP Addresses of the safe endpoints (safe_sites)

The first steps will be to gather the IP Addresses for the safe endpoints, to do that you run a “nslookup” for each of the “safe_sites”, use either CMD or PowerShell as shown below;

nslookup

The above “nslookup” results in an IP Address, keep note of that, then do the same for the other “safe_sites” you may use.
Below is a list of those covered in this article (these were correct at the time of writing):

google:
  safe_site: forcesafesearch.google.com
  ip: 216.239.38.120

youtube:
  safe_site: restrictmoderate.youtube.com
  ip: 216.239.38.119
  - OR
  safe_site: restrict.youtube.com
  ip: 216.239.38.120

bing:
  safe_site: strict.bing.com
  ip: 204.79.197.220

duckduckgo:
  safe_site: safe.duckduckgo.com
  ip: 52.142.126.100

Adding the above as DNS records in Pi-Hole

In Pi-Hole go to the dropdown “Local DNS” and click on “DNS Records”, then add the respective “Domain” (safe_site) and “IP Address” pairs as below;

Local DNS Records

Force the Search engines to resolve to the safer/strict endpoints

Now you can redirect any domains to the safer endpoint configured above by configuring “CNAMES”.

For each search engine you want to force Safe Search on, you create a “CNAME” record pointing to the respective “DNS Record”.

The example below redirects “google.com” to “forcesafesearch.google.com”.
You need to configure “CNAMES” for all other Google domains used, such as “google.co.uk“, “google.de“.

Local CNAME Records

The same as above would go for “Bing” and “DuckDuckGo”, as below;

While “Bing” only needs one “CNAME” record, “DuckDuckGo” has a couple more, as for “YouTube”, there is a larger list of “CNAMES” required.

google:
  safe_site: forcesafesearch.google.com
  ip: 216.239.38.120
  cnames:
    - google.com
    - google.co.uk
    - google.de
(or any others you require)

youtube:
  safe_site: restrictmoderate.youtube.com
  ip: 216.239.38.119
  - OR
  safe_site: restrict.youtube.com
  ip: 216.239.38.120
  cnames:
    - www.youtube.com
    - m.youtube.com
    - youtubeei.google.com
    - youtube.googleapis.com
    - www.youtube-nocookie.com

bing:
  safe_site: strict.bing.com
  ip: 204.79.197.220
  cnames:
    - bing.com

duckduckgo:
  safe_site: safe.duckduckgo.com
  ip: 52.142.126.100
  cnames:
    - duckduckgo.com
    - duck.com
    - start.duckduckgo.com

But does it work?

Assuming all was done as above, a search using Google should result on the below;

Search Google

And if you click on “SafeSearch on” to try and disable it, you should see the below;

Try to Disable Safe Search

As for YouTube;

Check Youtube Settings

And you should also be unable to disable it, I can confirm this to work with the mobile apps as well.

Try disable Restrcited Mode in Youtube

To achieve the described above, you need to have completed the below (or similar setup);

Installing Pi-Hole on Ubuntu 22.04
Changing the DNS servers on your router
Using Pi-Hole on the go with OpenVPN

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *