Using BIND to enforce Google SafeSearch…
Does anybody know how to configure BIND on pfSense to enforce Google SafeSearch? From the Google support page <https://support.google.com/websearch/answer/186669?hl=en>:
"Set the DNS entry for www.google.com (and any other Google ccTLD country subdomains your users may use) to be a CNAME for forcesafesearch.google.com".
Thanks,
Steve
Got something to work, by…
- Creating a View with Recursion=Yes, match-clients=any, allow-recursion=any
- Creating a Zone for google.com with:
  Zone Type = Master
  View = the name given to the view above.
  Name Server = the name of the pfSense host
  Base Domain IP = 127.0.0.1
  allow-query = any
  Domain Record = www - CNAME - forcesafesearch.google.com
This seems to work for www.google.com: if I ping www.google.com it returns the address of forcesafesearch.google.com (216.239.38.120)... Does this mean I have to add a Zone entry for all of the possible Google domains, or is there a more efficient way to configure it?
Got it working for all 193 Google domains; you can find them all here <https://www.google.com/supported_domains>… Also see this Google Support page <https://support.google.com/websearch/answer/186669?hl=en>. What I did:
- Delete the previously created View and Zone.
- In the Custom Options section of the Settings tab add the line
    response-policy { zone "rpz-google"; };
- In the Global Settings section of the Settings tab add the lines
    zone "rpz-google" {
        type master;
        file "master/rpz-google.DB";
        allow-query {none;};
    };
- ssh to pfSense, open a shell and 'cd /cf/named/etc/namedb/master', then create a zone file rpz-google.DB.
  The zone file looks a bit like this:
    $TTL 128
    ;
    $ORIGIN rpz-google.
    ; Database file rpz-google.DB for rpz-google zone.
    rpz-google. IN SOA localhost. root.localhost. (
        2474766874 ; serial
        1d         ; refresh
        2h         ; retry
        4w         ; expire
        1h         ; default_ttl
    );
    ; Zone Records
    ; Google SafeSearch
    @ IN NS localhost.
    google.com CNAME forcesafesearch.google.com.
    www.google.com CNAME forcesafesearch.google.com.
    google.co.uk CNAME forcesafesearch.google.com.
    www.google.co.uk CNAME forcesafesearch.google.com.
    ; pattern repeats for the other 191 domains...
Things to do: make it work with Views and other Zones... Any feedback appreciated,
Steve
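Writing the apex and www (or wildcard) record for each of the 193 domains by hand is error-prone, so here is an added example, not from the thread or from the pfSense BIND package, that generates the rpz-google.DB file from a supported_domains-style list. It keeps the thread's zone name and target; the four-domain list below is a constructed sample standing in for the real file, and the serial is passed in by the caller.

```python
"""Generate a BIND response-policy zone (RPZ) that CNAMEs Google search
domains to forcesafesearch.google.com.

Added example, not from the forum thread.  Zone name and target match the
thread; SAMPLE_DOMAINS is a constructed stand-in for the 193-line list at
https://www.google.com/supported_domains (one ".google.tld" per line).
"""
import re

SAFESEARCH_TARGET = "forcesafesearch.google.com."
ZONE_NAME = "rpz-google."

# Constructed sample; the real list has 193 entries.
SAMPLE_DOMAINS = """
.google.com
.google.co.uk
.google.de
.google.com.au
"""

# One DNS label: 1-63 chars of letters, digits or '-', not starting/ending with '-'.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_supported_domains(text):
    """Return a de-duplicated list of domains from the supported_domains
    format (leading dot stripped, lower-cased).  Lines that are not valid
    hostnames raise, so a stray line cannot produce a zone BIND rejects."""
    domains = []
    for line in text.splitlines():
        name = line.strip().lstrip(".").rstrip(".").lower()
        if not name:
            continue
        if not all(_LABEL.match(label) for label in name.split(".")):
            raise ValueError(f"invalid domain in list: {line!r}")
        if name not in domains:
            domains.append(name)
    return domains


def rpz_records(domains, wildcard=True):
    """RPZ trigger records, relative to the zone origin.  The apex name is
    always listed; an RPZ wildcard (*.example) matches subdomains but not
    the apex itself, so both lines are needed.  wildcard=False reproduces
    the thread's hand-written zone, which covers only www."""
    lines = []
    for d in domains:
        lines.append(f"{d} CNAME {SAFESEARCH_TARGET}")
        if wildcard:
            lines.append(f"*.{d} CNAME {SAFESEARCH_TARGET}")
        else:
            lines.append(f"www.{d} CNAME {SAFESEARCH_TARGET}")
    return lines


def build_zone(domains, serial, wildcard=True):
    """Return the full zone file text, SOA/NS header included."""
    header = f"""$TTL 128
$ORIGIN {ZONE_NAME}
; RPZ zone {ZONE_NAME} - generated file, regenerate instead of editing
@ IN SOA localhost. root.localhost. (
    {serial} ; serial
    1d       ; refresh
    2h       ; retry
    4w       ; expire
    1h       ; negative-cache TTL
)
@ IN NS localhost.
; Google SafeSearch triggers
"""
    return header + "\n".join(rpz_records(domains, wildcard)) + "\n"


if __name__ == "__main__":
    # Writes the constructed sample zone to stdout; redirect to rpz-google.DB.
    print(build_zone(parse_supported_domains(SAMPLE_DOMAINS), serial=2024010101))
```

After writing the file, bump the serial on every regeneration and reload BIND; running `named-checkzone rpz-google /cf/named/etc/namedb/master/rpz-google.DB` before the reload catches syntax errors without taking the resolver down.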
> The zone file looks a bit like this: $TTL 128 ; $ORIGIN rpz-google. […] ; pattern repeats for the other 191 domains…
If you're working with a response policy zone, you can use an asterisk for wildcard. *.google.com, etc.
- 
 I tried this approach for duckduckgo.com => safe.duckduckgo.com (which has a dynamic IP, or at least has been observed to change). However, this does not seem to result in a proper DNS response. Normally, you'd get a CNAME response along with the A record for the target of the CNAME. However, this only returns the CNAME by itself, which results in failure to resolve for all the clients I tried (browser, ping, nslookup, dig, curl). I wonder if there's a way to force bind to resolve the CNAME target and serve it up as an A record. 
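To make the symptom in the post above measurable rather than a matter of "the client failed", here is an added checker, not from the thread, that takes the answer section of a `dig +noall +answer` run and follows the CNAME chain, reporting whether it ends in an address record. The two answer sections below are constructed to look like dig output; they are not captured from the poster's resolver.

```python
"""Check whether a DNS answer section resolves a CNAME chain to an address.

Added example, not from the forum thread.  Input lines are constructed in
the shape of `dig +noall +answer` output (name ttl class type rdata).
"""

# Constructed sample: the healthy case, a CNAME followed by the target's A record.
COMPLETE_ANSWER = """\
www.google.com.             128  IN  CNAME  forcesafesearch.google.com.
forcesafesearch.google.com. 300  IN  A      216.239.38.120
"""

# Constructed sample: the failure mode described above, a bare CNAME with
# no address record for its target in the same answer.
DANGLING_ANSWER = """\
duckduckgo.com.             128  IN  CNAME  safe.duckduckgo.com.
"""


def parse_answer(text):
    """Parse answer lines into (owner, rrtype, rdata) tuples, skipping
    blank lines and ';' comments that dig prints."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"unexpected answer line: {line!r}")
        owner, rtype, rdata = fields[0], fields[3], " ".join(fields[4:])
        records.append((owner.lower(), rtype.upper(), rdata))
    return records


def follow_cname_chain(text, qname, max_hops=8):
    """Follow CNAMEs from qname through the answer section.

    Returns (final_name, addresses, complete): complete is True only when
    the chain ends in at least one A or AAAA record.  A chain that stops at
    a CNAME whose target has no address record here is the dangling case;
    max_hops guards against a looping chain."""
    records = parse_answer(text)
    name = qname.lower().rstrip(".") + "."
    for _ in range(max_hops):
        addrs = [r[2] for r in records if r[0] == name and r[1] in ("A", "AAAA")]
        if addrs:
            return name, addrs, True
        cnames = [r[2].lower() for r in records if r[0] == name and r[1] == "CNAME"]
        if not cnames:
            return name, [], False
        name = cnames[0]
    return name, [], False


if __name__ == "__main__":
    for label, answer, qname in (("google", COMPLETE_ANSWER, "www.google.com"),
                                 ("duckduckgo", DANGLING_ANSWER, "duckduckgo.com")):
        final, addrs, ok = follow_cname_chain(answer, qname)
        print(f"{label}: ends at {final} addrs={addrs} complete={ok}")
```

Feed it the real output of `dig @127.0.0.1 duckduckgo.com +noall +answer` to confirm whether the resolver is returning only the rewritten CNAME; comparing that against `dig @127.0.0.1 safe.duckduckgo.com +noall +answer` shows whether the target itself resolves through the same server.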
