How to enforce SafeSearch using Pi-Hole
If you have deployed Pi-Hole on your network, then you can enforce safe search using your Local DNS server.
This article explains how to do just that for Google, Bing, DuckDuckGo and YouTube.
This will affect all the devices connected to your network and using your P-Hole as DNS server. (Changing the DNS servers on your router)
This will not impact devices which have had the DNS servers manually set to an external provider.
There will be other ways of achieving the below, but I like knowing exactly what my setup is and manage it as required.
Getting the IP Addresses of the safe endpoints (safe_sites)
The first steps will be to gather the IP Addresses for the safe endpoints, to do that you run a “nslookup” for each of the “safe_sites”, use either CMD or PowerShell as shown below;

The above “nslookup” results in an IP Address, keep note of that, then do the same for the other “safe_sites” you may use.
Below is a list of those covered in this article (these were correct at the time of writing):
google:
safe_site: forcesafesearch.google.com
ip: 216.239.38.120
youtube:
safe_site: restrictmoderate.youtube.com
ip: 216.239.38.119
- OR
safe_site: restrict.youtube.com
ip: 216.239.38.120
bing:
safe_site: strict.bing.com
ip: 204.79.197.220
duckduckgo:
safe_site: safe.duckduckgo.com
ip: 52.142.126.100
Adding the above as DNS records in Pi-Hole
In Pi-Hole go to the dropdown “Local DNS” and click on “DNS Records”, then add the respective “Domain” (safe_site) and “IP Address” pairs as below;

Force the Search engines to resolve to the safer/strict endpoints
Now you can redirect any domains to the safer endpoint configured above by configuring “CNAMES”.
For each search engine you want to force Safe Search on, you create a “CNAME” record pointing to the respective “DNS Record”.
The example below redirects “google.com” to “forcesafesearch.google.com”.
You need to configure “CNAMES” for all other Google domains used, such as “google.co.uk“, “google.de“.

The same as above would go for “Bing” and “DuckDuckGo”, as below;
While “Bing” only needs one “CNAME” record, “DuckDuckGo” has a couple more, as for “YouTube”, there is a larger list of “CNAMES” required.
google:
safe_site: forcesafesearch.google.com
ip: 216.239.38.120
cnames:
- google.com
- google.co.uk
- google.de
(or any others you require)
youtube:
safe_site: restrictmoderate.youtube.com
ip: 216.239.38.119
- OR
safe_site: restrict.youtube.com
ip: 216.239.38.120
cnames:
- www.youtube.com
- m.youtube.com
- youtubeei.google.com
- youtube.googleapis.com
- www.youtube-nocookie.com
bing:
safe_site: strict.bing.com
ip: 204.79.197.220
cnames:
- bing.com
duckduckgo:
safe_site: safe.duckduckgo.com
ip: 52.142.126.100
cnames:
- duckduckgo.com
- duck.com
- start.duckduckgo.com
But does it work?
Assuming all was done as above, a search using Google should result on the below;

And if you click on “SafeSearch on” to try and disable it, you should see the below;

As for YouTube;

And you should also be unable to disable it, I can confirm this to work with the mobile apps as well.

To achieve the described above, you need to have completed the below (or similar setup);
Installing Pi-Hole on Ubuntu 22.04
Changing the DNS servers on your router
Using Pi-Hole on the go with OpenVPN
Hello,
I followed the above steps, but only Bing and Google work. Duckduckgo does not. It forces the SafeSearch to Moderate, but even if I change it to off or strict it will keep at Moderate, but the issue is that it still pulls adult sites like porn.com
Any ideas?
Thanks.
Hi,
I have just tested, and can confirm that “DuckDuckGo” settings show as moderate, but, when I do a search, the results are in fact restricted, with no results shown.
Mind testing again? I seem to get the expected results!
When searching, I get “No results found for xxxx.”
But when you browse using ipv6 this doesn’t work
Hi Rob,
Thank you for reaching out.
All the articles published are tested on my own network, have not had any issues with IPV6, neither have I realized that it didn’t work when using it. This is, however, due to having disabled IPv6 on my home network, which I don’t yet take seriously due to the many issues I’d have with other configuration (i.e Cloudflare).
Maybe not an option for you, but perhaps you could disable IPV6 as well, depending on your router?
A TP-Link, as my own, would allow you to do that fairly easily.
Step 1 – Navigate to the IPv6 Support tab menu -> IPv6 Setup
Step 2 – De-Select the Enable IPv6 checkbox
Step 3 – Save Settings
Step 4 – Reboot Router
If you want to disable IPv6 on a specific machine, assuming it to be on Windows here, I would use PowerShell as below:
$adapters = Get-NetAdapter
foreach ($adapter in $adapters) {
$adapterName = $adapter.Name
Disable-NetAdapterBinding -Name $adapterName -ComponentID ms_tcpip6
Write-Host "IPv6 disabled for adapter: $adapterName"
}
Save the script with a .ps1 extension (e.g., disable-ipv6.ps1). Then, open PowerShell with administrative privileges and navigate to the directory where the script is saved using the
cd
command.Execute the script by typing
.\disable-ipv6.ps1
and pressing Enter. It will loop through all network adapters and disable IPv6 bindings on each one. The script will display a message for each adapter where IPv6 has been disabled.Hope that helps