Using BIND to enforce Google SafeSearch…
-
Does anybody know how to configure BIND on pfSense to enforce Google SafeSearch?
From Google support page <https://support.google.com/websearch/answer/186669?hl=en>:
"Set the DNS entry for www.google.com (and any other Google ccTLD country subdomains your users may use) to be a CNAME for forcesafesearch.google.com".
Thanks,
Steve
Got something to work, by…
- Creating a View with Recursion=Yes, match-clients=any, allow-recursion=any
- Created a Zone for google.com with:
  Zone Type = Master
  View = the name given to the view above.
  Name Server = the name of the pfSense host
  Base Domain IP = 127.0.0.1
  allow-query = any
  Domain Record = www - CNAME - forcesafesearch.google.com
This seems to work for www.google.com, if I ping www.google.com it returns the address of forcesafesearch.google.com (216.239.38.120)...
Does this mean I have to add a Zone entry for all of the possible Google domains or is there a more efficient way to configure it?
-
Got it working for all 193 Google domains, you can find them all here <https://www.google.com/supported_domains>…
Also this Google Support page <https://support.google.com/websearch/answer/186669?hl=en>.
What I did:
- Delete the previously created View and Zone.
- In the Custom Options section of the Settings tab add the line
  response-policy { zone "rpz-google"; };
- In the Global Settings section of the Settings tab add the lines
  zone "rpz-google" {
    type master;
    file "master/rpz-google.DB";
    allow-query {none;};
  };
- ssh to pfSense, open a shell and 'cd /cf/named/etc/namedb/master', then create a zone file rpz-google.DB
The zone file looks a bit like this:
$TTL 128
;
$ORIGIN rpz-google.; Database file rpz-google.DB for rpz-google zone.
rpz-google. IN SOA localhost. root.localhost. (
2474766874 ; serial
1d ; refresh
2h ; retry
4w ; expire
1h ; default_ttl
);
; Zone Records
; Google SafeSearch
@ IN NS localhost.
google.com CNAME forcesafesearch.google.com.
www.google.com CNAME forcesafesearch.google.com.
google.co.uk CNAME forcesafesearch.google.com.
www.google.co.uk CNAME forcesafesearch.google.com.; pattern repeats for the other 191 domains...
Things to do, make it work with Views and other Zones...
Any feedback appreciated,
Steve
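A small generator for the zone file above, added here as an example and not code from the original post: it reads Google's supported_domains list on stdin (one domain per line, with the leading dot that list uses) and writes the RPZ records for both the bare domain and its www host, so the 193 domains do not have to be typed by hand. The zone name rpz-google and the localhost name server come from the post; the serial argument, the gen_rpz_zone/count_rpz_records names and the three sample domains are assumptions of mine.

```shell
#!/bin/sh
# Generate a BIND response-policy zone (RPZ) that maps every listed Google
# domain, and its www host, to forcesafesearch.google.com.
# Input: one domain per line as in Google's supported_domains list, which
# uses a leading dot (".google.co.uk"); bare domains are accepted as well.
# Assumption: the zone is named rpz-google and served from localhost.

gen_rpz_zone() {
    # $1 = serial number written into the SOA record (default 1)
    serial="${1:-1}"
    printf '$TTL 128\n'
    printf '$ORIGIN rpz-google.\n'
    printf '@ IN SOA localhost. root.localhost. ( %s 1d 2h 4w 1h )\n' "$serial"
    printf '@ IN NS localhost.\n'
    printf '; Google SafeSearch\n'
    while IFS= read -r dom; do
        dom="${dom#.}"                          # strip the leading dot
        dom="${dom%.}"                          # and any trailing dot
        [ -n "$dom" ] || continue               # skip blank lines
        case "$dom" in '#'*|';'*) continue ;; esac   # skip comment lines
        # Owner names are relative to $ORIGIN, so "google.com" becomes
        # google.com.rpz-google. in the zone and matches queries for google.com.
        printf '%s CNAME forcesafesearch.google.com.\n' "$dom"
        printf 'www.%s CNAME forcesafesearch.google.com.\n' "$dom"
    done
}

# Constructed sample input (three entries in supported_domains format).
SAMPLE_DOMAINS='.google.com
.google.co.uk
.google.de'

count_rpz_records() {
    # Number of CNAME records produced for the sample: 2 per domain, so 6.
    printf '%s\n' "$SAMPLE_DOMAINS" | gen_rpz_zone 2019010101 | grep -c ' CNAME '
}

# On the pfSense host the real list would be piped in instead of the sample:
#   gen_rpz_zone 2019010101 < supported_domains.txt > /cf/named/etc/namedb/master/rpz-google.DB
```

After reloading BIND, `dig @127.0.0.1 www.google.co.uk` should show the CNAME to forcesafesearch.google.com.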
-
If you're working with a response policy zone, you can use an asterisk for wildcard. *.google.com, etc.
-
I tried this approach for duckduckgo.com => safe.duckduckgo.com (which has a dynamic IP, or at least has been observed to change). However, this does not seem to result in a proper DNS response. Normally, you'd get a CNAME response along with the A record for the target of the CNAME. However, this only returns the CNAME by itself, which results in failure to resolve for all the clients I tried (browser, ping, nslookup, dig, curl). I wonder if there's a way to force bind to resolve the CNAME target and serve it up as an A record.