Google Images Safe Search for Squid

Part 2: implementing SafeSearch at the DNS level

Redirects the specified domains to DNS IP addresses that the search engines had setup to serve filtered content (to block NSFW content), and will be applied network wide (not per profile). This will make some of the rewrite rules unnecessary.

1) Create custom template fragment for dnsmasq.conf

mkdir -p /etc/e-smith/templates-custom/etc/dnsmasq.conf/
vi /etc/e-smith/templates-custom/etc/dnsmasq.conf/42safesearch

Contents of 42safesearch file:

#
# 42safesearch fragment for dnsmasq.conf
#

# Bing (strict.bing.com.)
address=/www.bing.com/204.79.197.220


# Google (forcesafesearch.google.com.)
address=/google.com/216.239.38.120
address=/google.ad/216.239.38.120
address=/google.ae/216.239.38.120
address=/google.com.af/216.239.38.120
address=/google.com.ag/216.239.38.120
address=/google.com.ai/216.239.38.120
address=/google.al/216.239.38.120
address=/google.am/216.239.38.120
address=/google.co.ao/216.239.38.120
address=/google.com.ar/216.239.38.120
address=/google.as/216.239.38.120
address=/google.at/216.239.38.120
address=/google.com.au/216.239.38.120
address=/google.az/216.239.38.120
address=/google.ba/216.239.38.120
address=/google.com.bd/216.239.38.120
address=/google.be/216.239.38.120
address=/google.bf/216.239.38.120
address=/google.bg/216.239.38.120
address=/google.com.bh/216.239.38.120
address=/google.bi/216.239.38.120
address=/google.bj/216.239.38.120
address=/google.com.bn/216.239.38.120
address=/google.com.bo/216.239.38.120
address=/google.com.br/216.239.38.120
address=/google.bs/216.239.38.120
address=/google.bt/216.239.38.120
address=/google.co.bw/216.239.38.120
address=/google.by/216.239.38.120
address=/google.com.bz/216.239.38.120
address=/google.ca/216.239.38.120
address=/google.cd/216.239.38.120
address=/google.cf/216.239.38.120
address=/google.cg/216.239.38.120
address=/google.ch/216.239.38.120
address=/google.ci/216.239.38.120
address=/google.co.ck/216.239.38.120
address=/google.cl/216.239.38.120
address=/google.cm/216.239.38.120
address=/google.cn/216.239.38.120
address=/google.com.co/216.239.38.120
address=/google.co.cr/216.239.38.120
address=/google.com.cu/216.239.38.120
address=/google.cv/216.239.38.120
address=/google.com.cy/216.239.38.120
address=/google.cz/216.239.38.120
address=/google.de/216.239.38.120
address=/google.dj/216.239.38.120
address=/google.dk/216.239.38.120
address=/google.dm/216.239.38.120
address=/google.com.do/216.239.38.120
address=/google.dz/216.239.38.120
address=/google.com.ec/216.239.38.120
address=/google.ee/216.239.38.120
address=/google.com.eg/216.239.38.120
address=/google.es/216.239.38.120
address=/google.com.et/216.239.38.120
address=/google.fi/216.239.38.120
address=/google.com.fj/216.239.38.120
address=/google.fm/216.239.38.120
address=/google.fr/216.239.38.120
address=/google.ga/216.239.38.120
address=/google.ge/216.239.38.120
address=/google.gg/216.239.38.120
address=/google.com.gh/216.239.38.120
address=/google.com.gi/216.239.38.120
address=/google.gl/216.239.38.120
address=/google.gm/216.239.38.120
address=/google.gp/216.239.38.120
address=/google.gr/216.239.38.120
address=/google.com.gt/216.239.38.120
address=/google.gy/216.239.38.120
address=/google.com.hk/216.239.38.120
address=/google.hn/216.239.38.120
address=/google.hr/216.239.38.120
address=/google.ht/216.239.38.120
address=/google.hu/216.239.38.120
address=/google.co.id/216.239.38.120
address=/google.ie/216.239.38.120
address=/google.co.il/216.239.38.120
address=/google.im/216.239.38.120
address=/google.co.in/216.239.38.120
address=/google.iq/216.239.38.120
address=/google.is/216.239.38.120
address=/google.it/216.239.38.120
address=/google.je/216.239.38.120
address=/google.com.jm/216.239.38.120
address=/google.jo/216.239.38.120
address=/google.co.jp/216.239.38.120
address=/google.co.ke/216.239.38.120
address=/google.com.kh/216.239.38.120
address=/google.ki/216.239.38.120
address=/google.kg/216.239.38.120
address=/google.co.kr/216.239.38.120
address=/google.com.kw/216.239.38.120
address=/google.kz/216.239.38.120
address=/google.la/216.239.38.120
address=/google.com.lb/216.239.38.120
address=/google.li/216.239.38.120
address=/google.lk/216.239.38.120
address=/google.co.ls/216.239.38.120
address=/google.lt/216.239.38.120
address=/google.lu/216.239.38.120
address=/google.lv/216.239.38.120
address=/google.com.ly/216.239.38.120
address=/google.co.ma/216.239.38.120
address=/google.md/216.239.38.120
address=/google.me/216.239.38.120
address=/google.mg/216.239.38.120
address=/google.mk/216.239.38.120
address=/google.ml/216.239.38.120
address=/google.com.mm/216.239.38.120
address=/google.mn/216.239.38.120
address=/google.ms/216.239.38.120
address=/google.com.mt/216.239.38.120
address=/google.mu/216.239.38.120
address=/google.mv/216.239.38.120
address=/google.mw/216.239.38.120
address=/google.com.mx/216.239.38.120
address=/google.com.my/216.239.38.120
address=/google.co.mz/216.239.38.120
address=/google.com.na/216.239.38.120
address=/google.com.nf/216.239.38.120
address=/google.com.ng/216.239.38.120
address=/google.com.ni/216.239.38.120
address=/google.ne/216.239.38.120
address=/google.nl/216.239.38.120
address=/google.no/216.239.38.120
address=/google.com.np/216.239.38.120
address=/google.nr/216.239.38.120
address=/google.nu/216.239.38.120
address=/google.co.nz/216.239.38.120
address=/google.com.om/216.239.38.120
address=/google.com.pa/216.239.38.120
address=/google.com.pe/216.239.38.120
address=/google.com.pg/216.239.38.120
address=/google.com.ph/216.239.38.120
address=/google.com.pk/216.239.38.120
address=/google.pl/216.239.38.120
address=/google.pn/216.239.38.120
address=/google.com.pr/216.239.38.120
address=/google.ps/216.239.38.120
address=/google.pt/216.239.38.120
address=/google.com.py/216.239.38.120
address=/google.com.qa/216.239.38.120
address=/google.ro/216.239.38.120
address=/google.ru/216.239.38.120
address=/google.rw/216.239.38.120
address=/google.com.sa/216.239.38.120
address=/google.com.sb/216.239.38.120
address=/google.sc/216.239.38.120
address=/google.se/216.239.38.120
address=/google.com.sg/216.239.38.120
address=/google.sh/216.239.38.120
address=/google.si/216.239.38.120
address=/google.sk/216.239.38.120
address=/google.com.sl/216.239.38.120
address=/google.sn/216.239.38.120
address=/google.so/216.239.38.120
address=/google.sm/216.239.38.120
address=/google.sr/216.239.38.120
address=/google.st/216.239.38.120
address=/google.com.sv/216.239.38.120
address=/google.td/216.239.38.120
address=/google.tg/216.239.38.120
address=/google.co.th/216.239.38.120
address=/google.com.tj/216.239.38.120
address=/google.tk/216.239.38.120
address=/google.tl/216.239.38.120
address=/google.tm/216.239.38.120
address=/google.tn/216.239.38.120
address=/google.to/216.239.38.120
address=/google.com.tr/216.239.38.120
address=/google.tt/216.239.38.120
address=/google.com.tw/216.239.38.120
address=/google.co.tz/216.239.38.120
address=/google.com.ua/216.239.38.120
address=/google.co.ug/216.239.38.120
address=/google.co.uk/216.239.38.120
address=/google.com.uy/216.239.38.120
address=/google.co.uz/216.239.38.120
address=/google.com.vc/216.239.38.120
address=/google.co.ve/216.239.38.120
address=/google.vg/216.239.38.120
address=/google.co.vi/216.239.38.120
address=/google.com.vn/216.239.38.120
address=/google.vu/216.239.38.120
address=/google.ws/216.239.38.120
address=/google.rs/216.239.38.120
address=/google.co.za/216.239.38.120
address=/google.co.zm/216.239.38.120
address=/google.co.zw/216.239.38.120
address=/google.cat/216.239.38.120

# Youtube (restrictmoderate.youtube.com.)
#address=/www.youtube.com/216.239.38.119
#address=/m.youtube.com/216.239.38.119
#address=/youtubei.googleapis.com/216.239.38.119
#address=/youtube.googleapis.com/216.239.38.119
#address=/www.youtube-nocookie.com/216.239.38.119

# Youtube (restrict.youtube.com.)
address=/www.youtube.com/216.239.38.120
address=/m.youtube.com/216.239.38.120
address=/youtubei.googleapis.com/216.239.38.120
address=/youtube.googleapis.com/216.239.38.120
address=/www.youtube-nocookie.com/216.239.38.120

Note 1: Instead of embedding the IPs, the creation of this file can be scripted to get the template always build from current content.

Note 2: The recommended way is to create cname records, not pointing to an IP, but dnsmasq cannot resolve domains by itself and I didn’t look much further in the unbound settings.

2) Applied the changes:

signal-event nethserver-dnsmasq-save

3) Optional: some external DNS services can be used to filter additional content:
They can be configured in the DNS Servers section of the administration panel.
For instance, OpenDNS FamilyShield nameservers are:
208.67.222.123
208.67.220.123

Additional information:

• Bing - Block adult content with SafeSearch
• DuckDuckGo - Safe search + URL parameters
• Google - Block adult content at your school
• Tips for locking SafeSearch for network administrators
• Restrict YouTube content on your network or managed devices
• Google Apps - Block access to consumer accounts (not implemented in the example)