Netgate Discussion Forum
    Using BIND to enforce Google SafeSearch…

    DHCP and DNS
    5 Posts 3 Posters 6.3k Views
    • sgoldtho

      Does anybody know how to configure BIND on pfSense to enforce Google SafeSearch?

      From Google support page https://support.google.com/websearch/answer/186669?hl=en:
      "Set the DNS entry for www.google.com (and any other Google ccTLD country subdomains your users may use) to be a CNAME for forcesafesearch.google.com".

      Thanks,
      Steve

      • sgoldtho

        Got something to work, by…

        1. Creating a View with Recursion=Yes, match-clients=any, allow-recursion=any

        2. Created a Zone for google.com with:
                Zone Type      = Master
                View           = the name given to the view above.
                Name Server    = the name of the pfSense host
                Base Domain IP = 127.0.0.1
                allow-query    = any
                Domain Record  = www - CNAME - forcesafesearch.google.com

        This seems to work for www.google.com: if I ping www.google.com it returns the address of forcesafesearch.google.com (216.239.38.120)...

        Does this mean I have to add a Zone entry for all of the possible Google domains or is there a more efficient way to configure it?

        • sgoldtho

          Got it working for all 193 Google domains; you can find them all here: https://www.google.com/supported_domains …

          Also this Google Support page: https://support.google.com/websearch/answer/186669?hl=en.

          What I did:

          1. Delete the previously created View and Zone.

          2. In the Custom Options section of the Settings tab add the line -
                response-policy { zone "rpz-google"; };

          3. In the Global Settings section of the Settings tab add the lines -
                zone "rpz-google" {
                    type master;
                    file "master/rpz-google.DB";
                    allow-query {none;};
                };

          4. ssh to pfSense, open a shell, 'cd /cf/named/etc/namedb/master', then create a zone file rpz-google.DB

          The zone file looks a bit like this:

          $TTL 128
          ;
          $ORIGIN rpz-google.

          ; Database file rpz-google.DB for rpz-google zone.

          rpz-google.      IN  SOA  localhost.  root.localhost. (
                          2474766874 ; serial
                          1d         ; refresh
                          2h         ; retry
                          4w         ; expire
                          1h         ; minimum (negative-cache TTL)
                          )

          ;
          ; Zone Records
          ; Google SafeSearch
          @                   IN  NS     localhost.
          google.com              CNAME  forcesafesearch.google.com.
          www.google.com          CNAME  forcesafesearch.google.com.
          google.co.uk            CNAME  forcesafesearch.google.com.
          www.google.co.uk        CNAME  forcesafesearch.google.com.

          ; pattern repeats for the other 191 domains...


          Things to do: make it work with Views and other Zones...

          Any feedback appreciated,
          Steve

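          Typing 193 domains into rpz-google.DB by hand is error-prone, so here is an added example (not code from the thread) that generates the zone file from the supported_domains list, emitting the bare and www names used in this post plus the *.domain wildcard miken32 suggests below. It assumes the list has one domain per line with a leading dot, and it adds an exact-name rpz-passthru. rule for forcesafesearch.google.com so the wildcard can never rewrite the CNAME target itself.

```python
"""Build the rpz-google zone file for BIND from Google's supported_domains list."""
from typing import Iterable, List

SAFE_TARGET = "forcesafesearch.google.com."

# Constructed sample in the format of https://www.google.com/supported_domains
# (one domain per line with a leading dot); the real file has ~190 entries.
SAMPLE_DOMAINS = ".google.com\n.google.co.uk\n.google.de\n"


def parse_supported_domains(text: str) -> List[str]:
    """Strip whitespace, blank lines and the leading dot from each entry."""
    return [ln.strip().lstrip(".") for ln in text.splitlines() if ln.strip()]


def rpz_records(domains: Iterable[str], wildcard: bool = True) -> List[str]:
    """RPZ rules for the bare and www name of every domain, plus the
    *.domain wildcard when wildcard=True.
    The first rule is an exact-name passthru for the CNAME target: an exact
    owner beats *.google.com, so the resolver's own lookup of
    forcesafesearch.google.com is never rewritten by the policy."""
    lines = [f"{SAFE_TARGET.rstrip('.')} CNAME rpz-passthru."]
    for d in domains:
        lines.append(f"{d} CNAME {SAFE_TARGET}")
        lines.append(f"www.{d} CNAME {SAFE_TARGET}")
        if wildcard:
            lines.append(f"*.{d} CNAME {SAFE_TARGET}")
    return lines


def rpz_zone(domains: Iterable[str], serial: int, wildcard: bool = True) -> str:
    """Complete zone text in the layout of the thread's rpz-google.DB."""
    head = [
        "$TTL 128",
        "$ORIGIN rpz-google.",
        "@ IN SOA localhost. root.localhost. (",
        f"    {serial} ; serial",
        "    1d ; refresh",
        "    2h ; retry",
        "    4w ; expire",
        "    1h ; minimum (negative-cache TTL)",
        "    )",
        "@ IN NS localhost.",
        "; Google SafeSearch",
    ]
    return "\n".join(head + rpz_records(domains, wildcard)) + "\n"
```

          Feed it the downloaded list, e.g. rpz_zone(parse_supported_domains(open("supported_domains").read()), serial=1), and write the result to /cf/named/etc/namedb/master/rpz-google.DB; bump the serial on every regeneration so BIND reloads the zone.
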
          • miken32

            @sgoldtho:

            If you're working with a response policy zone, you can use an asterisk for wildcard. *.google.com, etc.

            • mrtumnus

              I tried this approach for duckduckgo.com => safe.duckduckgo.com (which has a dynamic IP, or at least has been observed to change). However, this does not seem to result in a proper DNS response. Normally, you'd get a CNAME response along with the A record for the target of the CNAME. However, this only returns the CNAME by itself, which results in failure to resolve for all the clients I tried (browser, ping, nslookup, dig, curl). I wonder if there's a way to force bind to resolve the CNAME target and serve it up as an A record.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.