Google Images Safe Search for Squid

Part 2: implementing SafeSearch at the DNS level

Redirects the specified domains to the IP addresses that the search engines have set up to serve filtered content (to block NSFW content). It is applied network-wide (not per profile). This makes some of the rewrite rules unnecessary.

1) Create a custom template fragment for dnsmasq.conf

mkdir -p /etc/e-smith/templates-custom/etc/dnsmasq.conf/
vi /etc/e-smith/templates-custom/etc/dnsmasq.conf/42safesearch

Contents of 42safesearch file:

#
# 42safesearch fragment for dnsmasq.conf
#

# Bing (strict.bing.com.)
address=/www.bing.com/204.79.197.220


# Google (forcesafesearch.google.com.)
address=/google.com/216.239.38.120
address=/google.ad/216.239.38.120
address=/google.ae/216.239.38.120
address=/google.com.af/216.239.38.120
address=/google.com.ag/216.239.38.120
address=/google.com.ai/216.239.38.120
address=/google.al/216.239.38.120
address=/google.am/216.239.38.120
address=/google.co.ao/216.239.38.120
address=/google.com.ar/216.239.38.120
address=/google.as/216.239.38.120
address=/google.at/216.239.38.120
address=/google.com.au/216.239.38.120
address=/google.az/216.239.38.120
address=/google.ba/216.239.38.120
address=/google.com.bd/216.239.38.120
address=/google.be/216.239.38.120
address=/google.bf/216.239.38.120
address=/google.bg/216.239.38.120
address=/google.com.bh/216.239.38.120
address=/google.bi/216.239.38.120
address=/google.bj/216.239.38.120
address=/google.com.bn/216.239.38.120
address=/google.com.bo/216.239.38.120
address=/google.com.br/216.239.38.120
address=/google.bs/216.239.38.120
address=/google.bt/216.239.38.120
address=/google.co.bw/216.239.38.120
address=/google.by/216.239.38.120
address=/google.com.bz/216.239.38.120
address=/google.ca/216.239.38.120
address=/google.cd/216.239.38.120
address=/google.cf/216.239.38.120
address=/google.cg/216.239.38.120
address=/google.ch/216.239.38.120
address=/google.ci/216.239.38.120
address=/google.co.ck/216.239.38.120
address=/google.cl/216.239.38.120
address=/google.cm/216.239.38.120
address=/google.cn/216.239.38.120
address=/google.com.co/216.239.38.120
address=/google.co.cr/216.239.38.120
address=/google.com.cu/216.239.38.120
address=/google.cv/216.239.38.120
address=/google.com.cy/216.239.38.120
address=/google.cz/216.239.38.120
address=/google.de/216.239.38.120
address=/google.dj/216.239.38.120
address=/google.dk/216.239.38.120
address=/google.dm/216.239.38.120
address=/google.com.do/216.239.38.120
address=/google.dz/216.239.38.120
address=/google.com.ec/216.239.38.120
address=/google.ee/216.239.38.120
address=/google.com.eg/216.239.38.120
address=/google.es/216.239.38.120
address=/google.com.et/216.239.38.120
address=/google.fi/216.239.38.120
address=/google.com.fj/216.239.38.120
address=/google.fm/216.239.38.120
address=/google.fr/216.239.38.120
address=/google.ga/216.239.38.120
address=/google.ge/216.239.38.120
address=/google.gg/216.239.38.120
address=/google.com.gh/216.239.38.120
address=/google.com.gi/216.239.38.120
address=/google.gl/216.239.38.120
address=/google.gm/216.239.38.120
address=/google.gp/216.239.38.120
address=/google.gr/216.239.38.120
address=/google.com.gt/216.239.38.120
address=/google.gy/216.239.38.120
address=/google.com.hk/216.239.38.120
address=/google.hn/216.239.38.120
address=/google.hr/216.239.38.120
address=/google.ht/216.239.38.120
address=/google.hu/216.239.38.120
address=/google.co.id/216.239.38.120
address=/google.ie/216.239.38.120
address=/google.co.il/216.239.38.120
address=/google.im/216.239.38.120
address=/google.co.in/216.239.38.120
address=/google.iq/216.239.38.120
address=/google.is/216.239.38.120
address=/google.it/216.239.38.120
address=/google.je/216.239.38.120
address=/google.com.jm/216.239.38.120
address=/google.jo/216.239.38.120
address=/google.co.jp/216.239.38.120
address=/google.co.ke/216.239.38.120
address=/google.com.kh/216.239.38.120
address=/google.ki/216.239.38.120
address=/google.kg/216.239.38.120
address=/google.co.kr/216.239.38.120
address=/google.com.kw/216.239.38.120
address=/google.kz/216.239.38.120
address=/google.la/216.239.38.120
address=/google.com.lb/216.239.38.120
address=/google.li/216.239.38.120
address=/google.lk/216.239.38.120
address=/google.co.ls/216.239.38.120
address=/google.lt/216.239.38.120
address=/google.lu/216.239.38.120
address=/google.lv/216.239.38.120
address=/google.com.ly/216.239.38.120
address=/google.co.ma/216.239.38.120
address=/google.md/216.239.38.120
address=/google.me/216.239.38.120
address=/google.mg/216.239.38.120
address=/google.mk/216.239.38.120
address=/google.ml/216.239.38.120
address=/google.com.mm/216.239.38.120
address=/google.mn/216.239.38.120
address=/google.ms/216.239.38.120
address=/google.com.mt/216.239.38.120
address=/google.mu/216.239.38.120
address=/google.mv/216.239.38.120
address=/google.mw/216.239.38.120
address=/google.com.mx/216.239.38.120
address=/google.com.my/216.239.38.120
address=/google.co.mz/216.239.38.120
address=/google.com.na/216.239.38.120
address=/google.com.nf/216.239.38.120
address=/google.com.ng/216.239.38.120
address=/google.com.ni/216.239.38.120
address=/google.ne/216.239.38.120
address=/google.nl/216.239.38.120
address=/google.no/216.239.38.120
address=/google.com.np/216.239.38.120
address=/google.nr/216.239.38.120
address=/google.nu/216.239.38.120
address=/google.co.nz/216.239.38.120
address=/google.com.om/216.239.38.120
address=/google.com.pa/216.239.38.120
address=/google.com.pe/216.239.38.120
address=/google.com.pg/216.239.38.120
address=/google.com.ph/216.239.38.120
address=/google.com.pk/216.239.38.120
address=/google.pl/216.239.38.120
address=/google.pn/216.239.38.120
address=/google.com.pr/216.239.38.120
address=/google.ps/216.239.38.120
address=/google.pt/216.239.38.120
address=/google.com.py/216.239.38.120
address=/google.com.qa/216.239.38.120
address=/google.ro/216.239.38.120
address=/google.ru/216.239.38.120
address=/google.rw/216.239.38.120
address=/google.com.sa/216.239.38.120
address=/google.com.sb/216.239.38.120
address=/google.sc/216.239.38.120
address=/google.se/216.239.38.120
address=/google.com.sg/216.239.38.120
address=/google.sh/216.239.38.120
address=/google.si/216.239.38.120
address=/google.sk/216.239.38.120
address=/google.com.sl/216.239.38.120
address=/google.sn/216.239.38.120
address=/google.so/216.239.38.120
address=/google.sm/216.239.38.120
address=/google.sr/216.239.38.120
address=/google.st/216.239.38.120
address=/google.com.sv/216.239.38.120
address=/google.td/216.239.38.120
address=/google.tg/216.239.38.120
address=/google.co.th/216.239.38.120
address=/google.com.tj/216.239.38.120
address=/google.tk/216.239.38.120
address=/google.tl/216.239.38.120
address=/google.tm/216.239.38.120
address=/google.tn/216.239.38.120
address=/google.to/216.239.38.120
address=/google.com.tr/216.239.38.120
address=/google.tt/216.239.38.120
address=/google.com.tw/216.239.38.120
address=/google.co.tz/216.239.38.120
address=/google.com.ua/216.239.38.120
address=/google.co.ug/216.239.38.120
address=/google.co.uk/216.239.38.120
address=/google.com.uy/216.239.38.120
address=/google.co.uz/216.239.38.120
address=/google.com.vc/216.239.38.120
address=/google.co.ve/216.239.38.120
address=/google.vg/216.239.38.120
address=/google.co.vi/216.239.38.120
address=/google.com.vn/216.239.38.120
address=/google.vu/216.239.38.120
address=/google.ws/216.239.38.120
address=/google.rs/216.239.38.120
address=/google.co.za/216.239.38.120
address=/google.co.zm/216.239.38.120
address=/google.co.zw/216.239.38.120
address=/google.cat/216.239.38.120

# Youtube (restrictmoderate.youtube.com.)
#address=/www.youtube.com/216.239.38.119
#address=/m.youtube.com/216.239.38.119
#address=/youtubei.googleapis.com/216.239.38.119
#address=/youtube.googleapis.com/216.239.38.119
#address=/www.youtube-nocookie.com/216.239.38.119

# Youtube (restrict.youtube.com.)
address=/www.youtube.com/216.239.38.120
address=/m.youtube.com/216.239.38.120
address=/youtubei.googleapis.com/216.239.38.120
address=/youtube.googleapis.com/216.239.38.120
address=/www.youtube-nocookie.com/216.239.38.120

Note 1: Instead of embedding the IPs, the creation of this file can be scripted so that the template is always built from current content.

Note 2: The recommended way is to create CNAME records rather than pointing to an IP, but dnsmasq cannot resolve domains by itself and I didn't look much further into the unbound settings.

2) Apply the changes:

signal-event nethserver-dnsmasq-save

3) Optional: some external DNS services can be used to filter additional content.
They can be configured in the DNS Servers section of the administration panel.
For instance, the OpenDNS FamilyShield nameservers are:
208.67.222.123
208.67.220.123

Additional information:

4 Likes

Great news, I'll test it later today and provide feedback. Now if only the devs could turn this into a checkbox :sunglasses:

Wow! This looks like a great contribution, you're making a real effort here.
:stuck_out_tongue_winking_eye::stuck_out_tongue_winking_eye::stuck_out_tongue_winking_eye::stuck_out_tongue_winking_eye: @GG_jr @Freddy_Brignardello @Renan_Azedo_de_Olive @acsel10 @cswain @Mario_Spang are you interested in playing with it?

Apologies for only coming back now. However, the above is working. Could the devs please consider a GUI enable/disable function? Thanks in advance.

3 Likes

It looks like a great additional feature for our proxy. What do you think @dev_team @davide_marini?

We should decide which implementation we would like to add: squidGuard or the DNS-based one?

If we don't permit editing the SafeSearch options, a simple checkbox to enable the filter shouldn't take more than a couple of hours of work.

Well, I wouldn't mind the squidGuard-based one. But I'm just a single voice…

1 Like

Hello!
Dear developers, in my opinion the topic of this discussion is very popular: in schools such a module would be very necessary, or even both of them. In my personal case, inspectors sometimes come to do the impossible … and a mode in which a large number of computers can quickly be switched to secure search would simply be superb.

3 Likes

Are you telling us that it would be a great addon for our content filter? I’m curious to know your feelings.

1 Like

There should be no doubt, this is a MUST HAVE feature. There is no better way to break into the education field than having a secure proxy with LDAP authentication, especially one that blocks social media and porn.

3 Likes

Yes, I agree, a vital function.
Forced secure search + Squid with blacklists is a good solution; it is not always possible to switch to an alternative DNS.

For my part I would ask (since we use a modular system) to be able to install a DansGuardian module as well. Judging by the forum requests, I think such an option is urgently needed for schools. Yes, porn and social networks can be disabled in the current configuration, but there is always local-language content that is meaningful, and DansGuardian says it can block those points. Then in schools you either plug in a whitelist of what is allowed, but then you are restricted in access to information at school, or Squid, but then the lists are the only option …

1 Like

Thanks to dnutan Marc for the configuration tips.
I could apply the dnsmasq part on NethServer 7.3,
but not the squidGuard part, since the squidGuard templates to customize are no longer there.

I could only find /etc/e-smith/templates/etc/squid/squid.conf/50squidguard, which makes use of rewriting rules:

more /etc/e-smith/templates/etc/squid/squid.conf/50squidguard
{
    my $status = $ufdb{'status'} || 'disabled';
    my $schildren = $squidguard{'StartupChildren'} || '5';
    my $ichildren = $squidguard{'IdleChildren'} || '5';
    my $mchildren = $squidguard{'MaxChildren'} || '20';
    if ($status eq 'enabled') {
        $OUT.="\n# Enable squidGuard \n";
        $OUT.="url_rewrite_program /usr/sbin/ufdbgclient -l /var/log/squid\n";
        $OUT.="url_rewrite_children $mchildren startup=$schildren idle=$ichildren concurrency=0\n";
        $OUT.='url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""'
    }
}

Can anyone explain to me where I'm wrong?
Thanks

In 7.3 squidGuard has been replaced by ufdbGuard.
You could add a line to /etc/ufdbguard/ufdbGuard.conf:

safe-search on

It may not work well because of HTTPS.
I followed the Google FAQ to set up SafeSearch through the SafeSearch VIP (see @dnutan's link above: https://support.google.com/websearch/answer/186669?hl=en ).

1 Like

OK, thanks: then I will rely only on the DNS trick, which can of course be bypassed by specifying the IP address directly, but this is enough for the targeted users' current skills :wink:.

To avoid usage of ip addresses, check Block access to sites accessed using IP address in the web filter.
http://docs.nethserver.org/en/latest/content_filter.html#filters

1 Like

Hi,
I tried to enable SafeSearch on NethServer 7.4.1708: I added a line to /etc/ufdbguard/ufdbGuard.conf
safe-search on
I chose transparent proxy mode with SSL.
Unfortunately, the safe search doesn't work :confused:

I also tried it in the past, but it never worked.

Maybe you can search/ask on the ufdbGuard forum or mailing list :confused:

Hi,
yes, I read the Reference Manual: I only found, on page 40,
"option 3: possible by configuring DNS to have a CNAME record entry for www.google.com pointing to forcesafesearch.google.com"
but I don't know which file I need to edit :confused:

dnsmasq doesn't support arbitrary CNAMEs; you'd need to redirect all DNS queries to unbound, then define the CNAME inside unbound itself.

In the end, it requires a complex configuration and you need a little bit of sysadmin skill to put it in place.

EDIT

@filippo_carletti suggested me a solution shared with a customer some time ago.

  1. Create an host from server-manager: forcesafesearch.google.com = 216.239.38.120
  2. Execute these commands:
mkdir -p /etc/e-smith/templates-custom/etc/dnsmasq.conf
for i in $(curl -s https://www.google.com/supported_domains ); do echo cname=www$i,forcesafesearch.google.com; done >/etc/e-smith/templates-custom/etc/dnsmasq.conf/60safesearch
expand-template /etc/dnsmasq.conf
service dnsmasq restart

Check if it works:

# host www.google.it
www.google.it is an alias for forcesafesearch.google.com.
forcesafesearch.google.com has address 216.239.38.120

Do not forget to create a firewall block rule from green/blue to red on port 53 UDP, to avoid filter bypass from clients.

Note: I never tested it, it’s just a translate cut&paste :slight_smile:

5 Likes
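An added example, not from any post in this thread, covering both Note 1 of the first post (scripting the fragment instead of embedding the IPs) and the cname= recipe just above: a POSIX shell script that builds the dnsmasq fragment from a supported_domains-style list in either form, validates the result, and checks that every cname= target is present in the hosts file, since dnsmasq only answers a cname= whose target it can resolve itself (that is what creating the host in server-manager in step 1 provides). The domain list and hosts content are constructed sample data, not a live download or a real /etc/hosts; the forcesafesearch.google.com name and the 216.239.38.120 address are the thread's.

```shell
#!/bin/sh
# Added example (not from the thread): generate the dnsmasq SafeSearch fragment
# from a Google supported_domains-style list, in either the address= form used
# at the top of the thread or the cname= form from the last post, and check that
# every cname= target is known to dnsmasq from the hosts file.
# Assumption: the list has the format of https://www.google.com/supported_domains
# (one ".google.tld" per line). SAMPLE_DOMAINS and SAMPLE_HOSTS are constructed
# test data, not a live download or a real system file.

SAMPLE_DOMAINS='.google.com
.google.co.uk
.google.de
.google.com.au'

# What /etc/hosts looks like after creating the host in server-manager (step 1)
SAMPLE_HOSTS='127.0.0.1 localhost
216.239.38.120 forcesafesearch.google.com'

# gen_fragment MODE TARGET < domain-list
#   MODE=cname   -> cname=www.google.tld,TARGET   (TARGET is a host name)
#   MODE=address -> address=/google.tld/TARGET    (TARGET is an IP; matches
#                   google.tld AND every subdomain, with the IP frozen in the file)
gen_fragment() {
    mode=$1; target=$2
    while IFS= read -r d || [ -n "$d" ]; do
        d=$(printf '%s' "$d" | tr -d ' \t\r')   # trim whitespace / CRLF
        d=${d#.}                                # ".google.de" -> "google.de"
        [ -z "$d" ] && continue
        case $d in '#'*) continue ;; esac       # tolerate comment lines
        case $mode in
            cname)   printf 'cname=www.%s,%s\n' "$d" "$target" ;;
            address) printf 'address=/%s/%s\n' "$d" "$target" ;;
            *)       echo "gen_fragment: unknown mode '$mode'" >&2; return 2 ;;
        esac
    done
}

# validate_fragment < fragment : 0 if every non-blank, non-comment line is a
# well-formed address=/name/IPv4 or cname=name,target directive, 1 otherwise
validate_fragment() {
    ! grep -Evq '^(#.*|[[:space:]]*|address=/[A-Za-z0-9.-]+/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|cname=[A-Za-z0-9.-]+,[A-Za-z0-9.-]+)$'
}

# cname_targets_known FRAGMENT HOSTS : 0 if every cname= target in FRAGMENT
# (a string) appears as a name in HOSTS (a string in /etc/hosts format), else 1
cname_targets_known() {
    frag=$1; hosts=$2
    printf '%s\n' "$frag" | sed -n 's/^cname=[^,]*,//p' | sort -u |
    while IFS= read -r t; do
        [ -z "$t" ] && continue
        esc=$(printf '%s' "$t" | sed 's/\./\\./g')   # make dots literal for grep -E
        printf '%s\n' "$hosts" | sed 's/#.*//' |
            grep -Eq "(^|[[:space:]])$esc([[:space:]]|$)" \
            || { echo "cname target not in hosts file: $t" >&2; exit 1; }
    done
}

# Build the cname= fragment, check it, and print it. Writing it to
# /etc/e-smith/templates-custom/etc/dnsmasq.conf/60safesearch, then
# expand-template /etc/dnsmasq.conf and service dnsmasq restart, is the
# thread's procedure and is deliberately not done here.
demo() {
    frag=$(printf '%s\n' "$SAMPLE_DOMAINS" | gen_fragment cname forcesafesearch.google.com)
    printf '%s\n' "$frag" | validate_fragment || return 1
    cname_targets_known "$frag" "$SAMPLE_HOSTS" || return 1
    printf '%s\n' "$frag"
}

demo
```

Two points worth keeping in mind when choosing between the forms: `address=/google.com/216.239.38.120` matches google.com and every name under it, so other Google services on that domain resolve to the SafeSearch VIP as well, whereas `cname=www.google.com,...` touches only www; and a UDP/53 block from green/blue to red stops plain resolver bypass, but TCP/53 and DNS-over-HTTPS/TLS resolvers built into browsers are separate paths that this rule alone does not cover.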

OMG it works !!!
Thank you so much for the reply !!
@filippo_carletti :muscle: