Derek del Barrio
Bing, Google, and YouTube Safe Search
Solid Border has many K-12 customers who depend on SafeSearch features in search engines. These features are constantly updated, usually without warning. This can cause issues when web filters that have worked for years are suddenly unable to filter adult content from image searches. Now with the move to SSL-everywhere, safe search is tougher than ever to enforce at the network level. In late 2014, we're starting to see the major search & content providers finally provide network-wide options for enabling safe search.
Bing has a network-wide option for schools. They can sign up their public IPs to enforce safe search and disable ads for Bing. bing.com/classroom/registration
Google & YouTube recently released a hostname called forcesafesearch.google.com. All Google and YouTube traffic destined to this hostname will be forced to enable Safe Search, with no options to disable it.
Google's documentation suggests that a CNAME be created in DNS to redirect traffic to this host. There are some complications with this, which we will not get into here. These instructions will guide you through creating A record entries for www.google.com and www.youtube.com with Windows DNS, though BIND and other servers will work similarly. Warning: DO NOT add zones for .com or google.com , this will only bring you heartache. You want your zone names to be www.google.com and www.youtube.com.
Currently, forcesafesearch.google.com resolves to 184.108.40.206. You can verify this at any command line by entering nslookup forcesafesearch.google.com
Once verified, create a new zone for www.youtube.com (and again for www.google.com)
Once the zone is created, you'll need to add an A record for the domain name that points to 220.127.116.11.
When you are finished, your zone should look like this:
Once this is in place you can test by performing an nslookup on www.google.com, it should resolve only to this IP address. Now test by browsing to www.google.com and www.youtube.com. All search requests, including images.google.com are redirected to www.google.com, so there is no need to worry about Google's other hostnames (at the time of this writing).
This is an all-or-nothing approach for the entire network that uses your DNS servers. If anyone uses a DNS server other than your DNS servers, they can bypass Google Safe Search. Your firewall should be locked down to only allow DNS requests from your approved DNS servers.
In YouTube Safety mode, live streams are blocked (yes, including reindeer cams). Videos that are uncategorized or in certain categories are invisible/blocked. Once implemented, videos will need to be categorized as education, training, or something innocuous to be allowed.
Google owns many domain names in other countries. We have a list can be downloaded here which can be imported directly to a Palo Alto Networks firewall as a Custom URL Category for blocking. If access to other countries are needed (such as for foreign language programs), they can be added to DNS in a similar way -- Ex: www.google.es can point to the same forcesafesearch.google.com address.
- What happens if Google gets rid of this hostname or IP? -- If some day this stops working, you'll want to first do an nslookup on forcesafesearch.google.com to a public DNS server to see if the IP has been changed. If that fails to resolve, we recommend removing these entries.
Derek del Barrio is President and Systems Engineer at Solid Border, Inc. Derek has been working in the IT Security field since 2000. CNSE (Palo Alto Networks) certified since 2012.