How to enforce SafeSearch using Pi-Hole
If you have deployed Pi-Hole on your network, then you can enforce safe search using your Local DNS server.
This article explains how to do just that for Google, Bing, DuckDuckGo and YouTube.
This will affect all the devices connected to your network and using your P-Hole as DNS server. (Changing the DNS servers on your router)
This will not impact devices which have had the DNS servers manually set to an external provider.
There will be other ways of achieving the below, but I like knowing exactly what my setup is and manage it as required.
Getting the IP Addresses of the safe endpoints (safe_sites)
The first steps will be to gather the IP Addresses for the safe endpoints, to do that you run a “nslookup” for each of the “safe_sites”, use either CMD or PowerShell as shown below;
The above “nslookup” results in an IP Address, keep note of that, then do the same for the other “safe_sites” you may use.
Below is a list of those covered in this article (these were correct at the time of writing):
google: safe_site: forcesafesearch.google.com ip: 184.108.40.206 youtube: safe_site: restrictmoderate.youtube.com ip: 220.127.116.11 - OR safe_site: restrict.youtube.com ip: 18.104.22.168 bing: safe_site: strict.bing.com ip: 22.214.171.124 duckduckgo: safe_site: safe.duckduckgo.com ip: 126.96.36.199
Adding the above as DNS records in Pi-Hole
In Pi-Hole go to the dropdown “Local DNS” and click on “DNS Records”, then add the respective “Domain” (safe_site) and “IP Address” pairs as below;
Force the Search engines to resolve to the safer/strict endpoints
Now you can redirect any domains to the safer endpoint configured above by configuring “CNAMES”.
For each search engine you want to force Safe Search on, you create a “CNAME” record pointing to the respective “DNS Record”.
The example below redirects “google.com” to “forcesafesearch.google.com”.
You need to configure “CNAMES” for all other Google domains used, such as “google.co.uk“, “google.de“.
The same as above would go for “Bing” and “DuckDuckGo”, as below;
While “Bing” only needs one “CNAME” record, “DuckDuckGo” has a couple more, as for “YouTube”, there is a larger list of “CNAMES” required.
google: safe_site: forcesafesearch.google.com ip: 188.8.131.52 cnames: - google.com - google.co.uk - google.de (or any others you require) youtube: safe_site: restrictmoderate.youtube.com ip: 184.108.40.206 - OR safe_site: restrict.youtube.com ip: 220.127.116.11 cnames: - www.youtube.com - m.youtube.com - youtubeei.google.com - youtube.googleapis.com - www.youtube-nocookie.com bing: safe_site: strict.bing.com ip: 18.104.22.168 cnames: - bing.com duckduckgo: safe_site: safe.duckduckgo.com ip: 22.214.171.124 cnames: - duckduckgo.com - duck.com - start.duckduckgo.com
But does it work?
Assuming all was done as above, a search using Google should result on the below;
And if you click on “SafeSearch on” to try and disable it, you should see the below;
As for YouTube;
And you should also be unable to disable it, I can confirm this to work with the mobile apps as well.
To achieve the described above, you need to have completed the below (or similar setup);