December 3, 2014
Derek del Barrio

Bing, Google, and YouTube Safe Search

Solid Border has many K-12 customers who depend on SafeSearch features in search engines. These features are constantly updated, usually without warning. This can cause issues when web filters that have worked for years are suddenly unable to filter adult content from image searches. Now with the move to SSL-everywhere, safe search is tougher than ever to enforce at the network level. In late 2014, we're starting to see the major search & content providers finally provide network-wide options for enabling safe search.

Bing has a network-wide option for schools. They can sign up their public IPs to enforce safe search and disable ads for Bing. bing.com/classroom/registration

Google & YouTube recently released a hostname called forcesafesearch.google.com. All Google and YouTube traffic destined to this hostname will be forced to enable Safe Search, with no options to disable it.

Google's documentation suggests that a CNAME be created in DNS to redirect traffic to this host. There are some complications with this, which we will not get into here. These instructions will guide you through creating A record entries for www.google.com and www.youtube.com with Windows DNS, though BIND and other servers will work similarly. Warning: DO NOT add zones for .com or google.com , this will only bring you heartache. You want your zone names to be www.google.com and www.youtube.com.

Currently, forcesafesearch.google.com resolves to 216.239.38.120. You can verify this at any command line by entering nslookup forcesafesearch.google.com

Once verified, create a new zone for www.youtube.com (and again for www.google.com)

zone

Once the zone is created, you'll need to add an A record for the domain name that points to 216.239.38.120.

new-host

When you are finished, your zone should look like this:

dns-manager

Once this is in place you can test by performing an nslookup on www.google.com, it should resolve only to this IP address. Now test by browsing to www.google.com and www.youtube.com. All search requests, including images.google.com are redirected to www.google.com, so there is no need to worry about Google's other hostnames (at the time of this writing).

CAVEATS:

Derek del Barrio is President and Systems Engineer at Solid Border, Inc. Derek has been working in the IT Security field since 2000. CNSE (Palo Alto Networks) certified since 2012.