Google has recently adjusted the default search behaviour to return results via HTTPS only. Whilst this offers the user greater 'security' it also includes the images and video searches... and means that it can no longer be scanned by the content filter. The content filter when setup in transparent mode for gateway filters only HTTP traffic - this makes it particularly difficult to prevent obscene material from appearing in the image searches.
To see a bit more information on transparent proxying see Dave Lopers posts here
http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,27/func,view/id,57437/#57514
Google offers a work around to this problem with 'safe search' but this requires you to have a Google login, and is set on each browser...not particularly useful.
They do however offer some steps to force Safe Search through your gateway device, see
https://support.google.com/websearch/answer/186669?hl=en
What we are trying to do is create a local DNS filter similar to services such as OpenDNS. This assumes you are in transparent mode, ClearOS is your gateway device, the web proxy and content filter are running and your clients use ClearOS as the DNS server
1 - prevent outgoing DNS requests to external DNS servers from your network so that only your gateway can resolve DNS
2 - force web traffic directed to google.com to be directed to nosslsearch.google.com - a specific host that returns non-SSL results. This in itself gets us half way there as the content filter will be able to scan the results, but may let some images through
3 - to go one step further we want to dynamically amend the URL requested so that safe mode is always activated
4 - optionally block other HTTPS sites which would have bypassed the content filter with a simple change to the DNS server
NOTE! as always these sorts of things can be circumvented if you are determined enough, and DNS blocks can be worked around by using direct IP address URL requests. However this is intended to be difficult enough to prevent inadvertent browsing of objectionable material by children.
Step 1 - create an iptables entry to block all forward DNS traffic (affects only traffic originating from your LAN). DNS traffic will have to go via your ClearOS gateway and be forwarded by Dnsmasq. Add this rule to /etc/clearos/firewall.d/dnsblock
Restart the firewall with 'service firewall restart'
Step 2 - create a file at /etc/dnsmasq.d/nosslsearch.conf which redirects traffic to the nosslsearch.google.com IP address. Ideally you would add all used google subdomains so that users can't just skip to an international version of google, or better still just block all other domains
Restart the service 'service dnsmasq restart'
Step 3 - Assuming you have only one default filter group edit /etc/dansguardian-av/lists/urlregexplist and add the following lines which append "safe=vss" (undocumented 'very safe search') you can also use "safe=active"
Then restart the service 'service dansguardian-av restart'
You should now find that if you navigate to https://www.google.com it will redirect to http://www.google.com, and you will get a small warning when searching on the right hand side to confirm the SSL has been disabled.
You should also find that all URLs are now appended with "&safe=vss" (undocumented 'very safe mode') and with Safe Search forced on.
Step 4 - optional blocking of other HTTPS websites
One of the nice 'side effects' of forcing DNS through your gateway is that you can now easily control which HTTPS sites can be accessed. Previously the content filter would not have been able to block them and setting up specific iptables rules required many addresses and subnets. But now all it takes is an entry in /etc/dnsmasq.d/blockdomains.conf. The beauty of using dnsmasq for this purpose rather than editing the hosts file directly is that it accepts wildcards. Blocking social networking sites becomes a simple one line...
Note you could also redirect the request to an internal site explaining why said site is blocked... for another day
To see a bit more information on transparent proxying see Dave Lopers posts here
http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,27/func,view/id,57437/#57514
Google offers a work around to this problem with 'safe search' but this requires you to have a Google login, and is set on each browser...not particularly useful.
They do however offer some steps to force Safe Search through your gateway device, see
https://support.google.com/websearch/answer/186669?hl=en
What we are trying to do is create a local DNS filter similar to services such as OpenDNS. This assumes you are in transparent mode, ClearOS is your gateway device, the web proxy and content filter are running and your clients use ClearOS as the DNS server
1 - prevent outgoing DNS requests to external DNS servers from your network so that only your gateway can resolve DNS
2 - force web traffic directed to google.com to be directed to nosslsearch.google.com - a specific host that returns non-SSL results. This in itself gets us half way there as the content filter will be able to scan the results, but may let some images through
3 - to go one step further we want to dynamically amend the URL requested so that safe mode is always activated
4 - optionally block other HTTPS sites which would have bypassed the content filter with a simple change to the DNS server
NOTE! as always these sorts of things can be circumvented if you are determined enough, and DNS blocks can be worked around by using direct IP address URL requests. However this is intended to be difficult enough to prevent inadvertent browsing of objectionable material by children.
Step 1 - create an iptables entry to block all forward DNS traffic (affects only traffic originating from your LAN). DNS traffic will have to go via your ClearOS gateway and be forwarded by Dnsmasq. Add this rule to /etc/clearos/firewall.d/dnsblock
iptables -I FORWARD -p udp --dport 53 -j DROP
Restart the firewall with 'service firewall restart'
Step 2 - create a file at /etc/dnsmasq.d/nosslsearch.conf which redirects traffic to the nosslsearch.google.com IP address. Ideally you would add all used google subdomains so that users can't just skip to an international version of google, or better still just block all other domains
address=/http://www.google.com/216.239.32.20" target="_blank">www.google.com/216.239.32.20
address=/www.google.co.uk/216.239.32.20
Restart the service 'service dnsmasq restart'
Step 3 - Assuming you have only one default filter group edit /etc/dansguardian-av/lists/urlregexplist and add the following lines which append "safe=vss" (undocumented 'very safe search') you can also use "safe=active"
"(^http://[0-9a-z]+\.google\.[a-z]+[-/%.0-9a-z]*/images\?)"->"\1safe=vss&"
"(^http://[0-9a-z]+\.google\.[a-z]+[-/%.0-9a-z]*/search\?)"->"\1safe=vss&"
"(^http://[0-9a-z]+\.google\.[a-z]+[-/%.0-9a-z]*/s\?)"->"\1safe=vss&"
Then restart the service 'service dansguardian-av restart'
You should now find that if you navigate to https://www.google.com it will redirect to http://www.google.com, and you will get a small warning when searching on the right hand side to confirm the SSL has been disabled.
You should also find that all URLs are now appended with "&safe=vss" (undocumented 'very safe mode') and with Safe Search forced on.
Step 4 - optional blocking of other HTTPS websites
One of the nice 'side effects' of forcing DNS through your gateway is that you can now easily control which HTTPS sites can be accessed. Previously the content filter would not have been able to block them and setting up specific iptables rules required many addresses and subnets. But now all it takes is an entry in /etc/dnsmasq.d/blockdomains.conf. The beauty of using dnsmasq for this purpose rather than editing the hosts file directly is that it accepts wildcards. Blocking social networking sites becomes a simple one line...
address=/encrypted.google.com/127.0.0.1
address=/facebook.com/127.0.0.1
address=/twitter.com/127.0.0.1
address=/plus.google.com/127.0.0.1
address=/youtube.com/127.0.0.1
Note you could also redirect the request to an internal site explaining why said site is blocked... for another day
Share this post:
Responses (29)
-
Accepted Answer
Remember my trick to force DNS lookups through the server:
Change 172.17.2.1 to your ClearOS LAN IP.iptables -t nat -I PREROUTING -p tcp --dport 53 -d ! 172.17.2.1 -i eth1 -j DNAT --to-destination 172.17.2.1
iptables -t nat -I PREROUTING -p udp --dport 53 -d ! 172.17.2.1 -i eth1 -j DNAT --to-destination 172.17.2.1 -
Accepted Answer
-
Accepted Answer
-
Accepted Answer
-
Accepted Answer
Thanks for this Tim.
Working here, but had to add the last line to:
/etc/dansguardian-av/lists/urlregexplist
#Tim's VSS setting
"(^http://[0-9a-z]+\.google\.[a-z]+[-/%.0-9a-z]*/images\?)"->"\1safe=vss&"
"(^http://[0-9a-z]+\.google\.[a-z]+[-/%.0-9a-z]*/search\?)"->"\1safe=vss&"
"(^http://[0-9a-z]+\.google\.[a-z]+[-/%.0-9a-z]*/s\?)"->"\1safe=vss&"
"(^http://[0-9a-z]+\.google\.[a-z]+[-/%.0-9a-z]*/q\?)"->"\1safe=vss&"
If, for example, I search for snakes, the url becomes:
http://www.google.com/#q=snakes
Adding that last line, in my case, changed the url to:
http://www.google.com/#q=snakes&safe=vss
Thanks again!
This is wonderful! -
Accepted Answer
-
Accepted Answer
Thanks Bryan I was following the Google technical post and hadn't noticed the additional search query format. Because the search results are returned unencrypted the content filter should remove anything obscene based on the word categories, but enabling safe search for this is a nice touch
Hi Shauib, you can enable / disable internet access on a time basis using the web access control app
http://www.clearcenter.com/support/documentation/user_guide/web_access_control
or the principles in the following post to create and modify scripts with cron.
http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,27/func,view/id,44245/ -
Accepted Answer
-
Accepted Answer
That would be great Peter.
I have a related, but unrelated question someone may be able to answer for me.
And, this may just be specific to my set-up for some reason.
It seems the weighted phrase limits don't apply to google search result listings (even when using non-ssl search.)
For example, if I search for 'sex' in google, with very aggressive weighted phrase limits enabled, and the vss string added, non-ssl search, I still get some results listed in the google search results I'm not too interested in the kids seeing (ever in their lives!)
However, the same search on bing.com DOES trigger the weighted phrase limit right away and no search results display.
For example, after gooing sex, the list of books that appear at the top of the results look very interesting... for myself.
And once you click through, the pages are blocked, but the actual google search result listing never seems to get blocked.
I'm just wondering if this is the how google works or possibly something on my end.
Maybe I'm being too overprotective
I had noticed this behavior in the past, and have switched the kids over to bing because weighted phrases seem to work better.
Just wonder if anyone has any insight on this.
Thanks... -
Accepted Answer
Watching network traffic when doing a Google Search is interesting. First, every new letter typed into the search bar generates a web request. That's how the Google "instant predictions" feature works of course. When you hit enter, it's all Ajax/Javascript in the background and about a dozen individual web requests are made to Google. The search results are not sent back as plain HTML, but a mostly unreadable payload. I'm guessing Google is compressing stuff and doing other tricks to be efficient. Since most of the payload is unreadable, the usual phrase list filtering used by the content filter is not effective. Nor is the deep URL analysis. -
Accepted Answer
-
Accepted Answer
Peter,
Interesting ... that probably explains why even after making the dnsmasq changes (mentioned in a prevoius post in another thread) that I'm still seeing some unwanted stuff getting through.
It may be fighting a losing battle to try and use some box in the middle for web filtering? With various type of things driving more and more connections to be encrypted a significant portion of the usefulness of Dansguardian is being eliminated.
I don't understand the reason behind Google enforcing encryption on all connections (or at least all connections of a certain type). It makes things difficult for the home user, or a school, to setup proper boundaries. But if a nation wanted to control the population it would still have the ability to force everything through a proxy (I believe) and thus the potential for the nation to continue monitoring the activity of its citizens? Sure, your web browser will complain that the far end of the connection cannot be verified. But the citizen won't be able to do anything about that. So how does what Google has done do any real good?
Peter Baldwin wrote:
Watching network traffic when doing a Google Search is interesting. First, every new letter typed into the search bar generates a web request. That's how the Google "instant predictions" feature works of course. When you hit enter, it's all Ajax/Javascript in the background and about a dozen individual web requests are made to Google. The search results are not sent back as plain HTML, but a mostly unreadable payload. I'm guessing Google is compressing stuff and doing other tricks to be efficient. Since most of the payload is unreadable, the usual phrase list filtering used by the content filter is not effective. Nor is the deep URL analysis.
-
Accepted Answer
Also consider adding the following in file urlregexplist
"^https://www(.google.com.*$)"->"https://nosslsearch\1"
-
Accepted Answer
That doesn't work for me - you have to implement the redirect to host nosslsearch via the DNS record advised in my post?
You can't access https://nosslsearch directly... -
Accepted Answer
-
Accepted Answer
Hi,
The school where I installed Clearos 5.2 called me because the filtering was not working anymore and I found this post.
I have been trying to adapt this solution to cc5.2 but this does not work.
Came back home , just used this on my Clearos 6.2 and it works straight.
on 5.2 , I have put some entries in the local DNS to force the nossl trick.
But playing with the urlregexp is apparently not chnaging anything on 5.2
Any known differences between the 2 dansguardian-av version ?
I would like to avoid installing 6.2 at school because they love Tim's plugin to allow grey/white list on the fly for which I have never had time to try to adapt for 6.2 -
Accepted Answer
-
Accepted Answer
It works now. I had a second look and just realised I did trap myself like a rookie hmy:
The idea was 1st to filter all searchengine and allow only google in safe mode.
So I enabled the 'websearch' option in the fitler list which blocked all search website.
So I added google in white list which bypassed the filtering and url rewriting
Lesson learned... Now works fine ! -
Accepted Answer
Sorry to drag up an old post, but I'm having some difficulty getting this to work 100% of the time. :huh:
I have 6.5.0 (final) setup and running here at home. Content filter and transparent proxy are running fine, but wanted to block inappropriate google search results...which led me to this thread. I followed the steps, but have one odd behavior going on.
If I open up a Chrome window and do a search from the address bar (just type in what I'm searching for in the address bar) it behaves as what I believe is "normal"...meaning if I search for porn it will tell me that safe search is active and did not search for my terms...even though I have safe search turned off in the browser's settings. Yes! This is what I want to have happen.
However, if I browse first to www.google.com (no http or https, just the www) and then enter the same search phrase on the web page's form it will return all kinds of nasty stuff. Here is where things get interesting...the URL displayed in the browser's address bar at this point does in fact show "&safe=vss" along with all of the trash terms I put into my search. If I simply refresh the page it acts like it should and gives me the google results page saying it could not find anything because it did not search for the nasty terms I entered.
Of course, if I do try to follow one of the links or if I click on "images" or "videos" at this point the content filter does block me, which is great, but I really don't want to get all those bad search results in the first place when someone searches from www.google.com itself.
Any ideas what to check? I have gone through the steps several times that Tim laid out. The only doubt I had during the whole process was in Step one. I did not have a file called /etc/clearos/firewall.d/dnsblock so I created it as root then added the iptables line Tim mentions. -
Accepted Answer
hmm if you ping www.google.com from a client PC does it return the nosslsearch IP address? if not then Step 2 (DNS) isn't configured quite right, and the Safe Search rewrite rules will not work with SSL queries
It's likely that Chrome is initiating a SSL search query first before you refresh the page - I'll try and replicate it here -
Accepted Answer
The ping test from a client returns the nossl ip address from the nosslsearch.conf (216.239.32.20), so that portion is working as expected.
I did the following next...not sure why, but it seems to have made the difference.
First, I opened up Chrome and browsed to "www.google.com" and noticed in the top right hand corner that I was "signed in" to my Google account. I signed out of the account and then opened a new tab in Chrome to try the scenario again where I browse to "www.google.com" and then enter the search containing the bad terms. Same result as before; I get the results that should be blocked because the URL in the browser has "&safe=vss". I then closed Chrome completely and tried Firefox and IE...both were already installed. Browsing to the search page on those browsers and entering in the bad search term acted properly...saying that it did not search for all of the terms because safe search was enabled. Hmm...opened up Chrome again (previously closed it), and now I am not getting the bad search results when searching from the "www.google.com" web form!
So, I must have needed to sign out of Google and then close/open Chrome for everything to work right. I will try the same on another client once I mosey back upstairs. -
Accepted Answer
Just to update on this post. Google has changed their approach...again. You can now force SafeSearch by just redirecting DNS requests to a special virtual IP address at forcesafesearch.google.com (216.239.38.120). If enabled properly your browser will give a little warning to say that SafeSearch has been enabled on the network
Note that this still uses an HTTPS connection so you can no longer refine your filtering using the ClearOS content filter... for now nosslsearch.google.com still works which prevents HTTPS
So instead at Step 2 - create a file at /etc/dnsmasq.d/nosslsearch.conf with the new IP address
address=/www.google.com/216.239.38.120
address=/www.google.co.uk/216.239.38.120
And then you no longer need Step 3 - Dansguardian-AV to rewrite the URL request to force SafeSearch.
If you want to block all Google domains (http://en.wikipedia.org/wiki/List_of_Google_domains) then you'll need something like:-
address=/www.google.com/216.239.38.120
address=/www.google.ac/216.239.38.120
address=/www.google.ad/216.239.38.120
address=/www.google.ae/216.239.38.120
address=/www.google.com.af/216.239.38.120
address=/www.google.com.ag/216.239.38.120
address=/www.google.com.ai/216.239.38.120
address=/www.google.al/216.239.38.120
address=/www.google.am/216.239.38.120
address=/www.google.co.ao/216.239.38.120
address=/www.google.com.ar/216.239.38.120
address=/www.google.as/216.239.38.120
address=/www.google.at/216.239.38.120
address=/www.google.com.au/216.239.38.120
address=/www.google.az/216.239.38.120
address=/www.google.ba/216.239.38.120
address=/www.google.com.bd/216.239.38.120
address=/www.google.be/216.239.38.120
address=/www.google.bf/216.239.38.120
address=/www.google.bg/216.239.38.120
address=/www.google.com.bh/216.239.38.120
address=/www.google.bi/216.239.38.120
address=/www.google.bj/216.239.38.120
address=/www.google.com.bn/216.239.38.120
address=/www.google.com.bo/216.239.38.120
address=/www.google.com.br/216.239.38.120
address=/www.google.bs/216.239.38.120
address=/www.google.bt/216.239.38.120
address=/www.google.co.bw/216.239.38.120
address=/www.google.by/216.239.38.120
address=/www.google.com.bz/216.239.38.120
address=/www.google.ca/216.239.38.120
address=/www.google.com.kh/216.239.38.120
address=/www.google.cc/216.239.38.120
address=/www.google.cd/216.239.38.120
address=/www.google.cf/216.239.38.120
address=/www.google.cat/216.239.38.120
address=/www.google.cg/216.239.38.120
address=/www.google.ch/216.239.38.120
address=/www.google.ci/216.239.38.120
address=/www.google.co.ck/216.239.38.120
address=/www.google.cl/216.239.38.120
address=/www.google.cm/216.239.38.120
address=/www.google.cn/216.239.38.120
address=/www.g.cn/216.239.38.120
address=/www.google.com.co/216.239.38.120
address=/www.google.co.cr/216.239.38.120
address=/www.google.com.cu/216.239.38.120
address=/www.google.cv/216.239.38.120
address=/www.google.com.cy/216.239.38.120
address=/www.google.cz/216.239.38.120
address=/www.google.de/216.239.38.120
address=/www.google.dj/216.239.38.120
address=/www.google.dk/216.239.38.120
address=/www.google.dm/216.239.38.120
address=/www.google.com.do/216.239.38.120
address=/www.google.dz/216.239.38.120
address=/www.google.com.ec/216.239.38.120
address=/www.google.ee/216.239.38.120
address=/www.google.com.eg/216.239.38.120
address=/www.google.es/216.239.38.120
address=/www.google.com.et/216.239.38.120
address=/www.google.fi/216.239.38.120
address=/www.google.com.fj/216.239.38.120
address=/www.google.fm/216.239.38.120
address=/www.google.fr/216.239.38.120
address=/www.google.ga/216.239.38.120
address=/www.google.ge/216.239.38.120
address=/www.google.gf/216.239.38.120
address=/www.google.gg/216.239.38.120
address=/www.google.com.gh/216.239.38.120
address=/www.google.com.gi/216.239.38.120
address=/www.google.gl/216.239.38.120
address=/www.google.gm/216.239.38.120
address=/www.google.gp/216.239.38.120
address=/www.google.gr/216.239.38.120
address=/www.google.com.gt/216.239.38.120
address=/www.google.gy/216.239.38.120
address=/www.google.com.hk/216.239.38.120
address=/www.google.hn/216.239.38.120
address=/www.google.hr/216.239.38.120
address=/www.google.ht/216.239.38.120
address=/www.google.hu/216.239.38.120
address=/www.google.co.id/216.239.38.120
address=/www.google.ir/216.239.38.120
address=/www.google.iq/216.239.38.120
address=/www.google.ie/216.239.38.120
address=/www.google.co.il/216.239.38.120
address=/www.google.im/216.239.38.120
address=/www.google.co.in/216.239.38.120
address=/www.google.io/216.239.38.120
address=/www.google.is/216.239.38.120
address=/www.google.it/216.239.38.120
address=/www.google.je/216.239.38.120
address=/www.google.com.jm/216.239.38.120
address=/www.google.jo/216.239.38.120
address=/www.google.co.jp/216.239.38.120
address=/www.google.co.ke/216.239.38.120
address=/www.google.ki/216.239.38.120
address=/www.google.kg/216.239.38.120
address=/www.google.co.kr/216.239.38.120
address=/www.google.com.kw/216.239.38.120
address=/www.google.kz/216.239.38.120
address=/www.google.la/216.239.38.120
address=/www.google.com.lb/216.239.38.120
address=/www.google.com.lc/216.239.38.120
address=/www.google.li/216.239.38.120
address=/www.google.lk/216.239.38.120
address=/www.google.co.ls/216.239.38.120
address=/www.google.lt/216.239.38.120
address=/www.google.lu/216.239.38.120
address=/www.google.lv/216.239.38.120
address=/www.google.com.ly/216.239.38.120
address=/www.google.co.ma/216.239.38.120
address=/www.google.md/216.239.38.120
address=/www.google.me/216.239.38.120
address=/www.google.mg/216.239.38.120
address=/www.google.mk/216.239.38.120
address=/www.google.ml/216.239.38.120
address=/www.google.com.mm/216.239.38.120
address=/www.google.mn/216.239.38.120
address=/www.google.ms/216.239.38.120
address=/www.google.com.mt/216.239.38.120
address=/www.google.mu/216.239.38.120
address=/www.google.mv/216.239.38.120
address=/www.google.mw/216.239.38.120
address=/www.google.com.mx/216.239.38.120
address=/www.google.com.my/216.239.38.120
address=/www.google.co.mz/216.239.38.120
address=/www.google.com.na/216.239.38.120
address=/www.google.ne/216.239.38.120
address=/www.google.com.nf/216.239.38.120
address=/www.google.com.ng/216.239.38.120
address=/www.google.com.ni/216.239.38.120
address=/www.google.nl/216.239.38.120
address=/www.google.no/216.239.38.120
address=/www.google.com.np/216.239.38.120
address=/www.google.nr/216.239.38.120
address=/www.google.nu/216.239.38.120
address=/www.google.co.nz/216.239.38.120
address=/www.google.com.om/216.239.38.120
address=/www.google.com.pa/216.239.38.120
address=/www.google.com.pe/216.239.38.120
address=/www.google.com.ph/216.239.38.120
address=/www.google.com.pk/216.239.38.120
address=/www.google.pl/216.239.38.120
address=/www.google.com.pg/216.239.38.120
address=/www.google.pn/216.239.38.120
address=/www.google.com.pr/216.239.38.120
address=/www.google.ps/216.239.38.120
address=/www.google.pt/216.239.38.120
address=/www.google.com.py/216.239.38.120
address=/www.google.com.qa/216.239.38.120
address=/www.google.ro/216.239.38.120
address=/www.google.rs/216.239.38.120
address=/www.google.ru/216.239.38.120
address=/www.google.rw/216.239.38.120
address=/www.google.com.sa/216.239.38.120
address=/www.google.com.sb/216.239.38.120
address=/www.google.sc/216.239.38.120
address=/www.google.se/216.239.38.120
address=/www.google.com.sg/216.239.38.120
address=/www.google.sh/216.239.38.120
address=/www.google.si/216.239.38.120
address=/www.google.sk/216.239.38.120
address=/www.google.com.sl/216.239.38.120
address=/www.google.sn/216.239.38.120
address=/www.google.sm/216.239.38.120
address=/www.google.so/216.239.38.120
address=/www.google.st/216.239.38.120
address=/www.google.com.sv/216.239.38.120
address=/www.google.td/216.239.38.120
address=/www.google.tg/216.239.38.120
address=/www.google.co.th/216.239.38.120
address=/www.google.com.tj/216.239.38.120
address=/www.google.tk/216.239.38.120
address=/www.google.tl/216.239.38.120
address=/www.google.tm/216.239.38.120
address=/www.google.to/216.239.38.120
address=/www.google.tn/216.239.38.120
address=/www.google.com.tn/216.239.38.120
address=/www.google.com.tr/216.239.38.120
address=/www.google.tt/216.239.38.120
address=/www.google.com.tw/216.239.38.120
address=/www.google.co.tz/216.239.38.120
address=/www.google.com.ua/216.239.38.120
address=/www.google.co.ug/216.239.38.120
address=/www.google.co.uk/216.239.38.120
address=/www.google.us/216.239.38.120
address=/www.google.com.uy/216.239.38.120
address=/www.google.co.uz/216.239.38.120
address=/www.google.com.vc/216.239.38.120
address=/www.google.co.ve/216.239.38.120
address=/www.google.vg/216.239.38.120
address=/www.google.co.vi/216.239.38.120
address=/www.google.com.vn/216.239.38.120
address=/www.google.vu/216.239.38.120
address=/www.google.ws/216.239.38.120
address=/www.google.co.za/216.239.38.120
address=/www.google.co.zm/216.239.38.120
address=/www.google.co.zw/216.239.38.120 -
Accepted Answer
That's much cleaner to implement and it allows SSL too! The feature is queued up to be done in ClearOS 7.0 (tracker) -
Accepted Answer
-
Accepted Answer
Tim Burgess wrote:
Just to update on this post. Google has changed their approach...again. You can now force SafeSearch by just redirecting DNS requests to a special virtual IP address at forcesafesearch.google.com (216.239.38.120). If enabled properly your browser will give a little warning to say that SafeSearch has been enabled on the network
Note that this still uses an HTTPS connection so you can no longer refine your filtering using the ClearOS content filter... for now nosslsearch.google.com still works which prevents HTTPS
So instead at Step 2 - create a file at /etc/dnsmasq.d/nosslsearch.conf with the new IP address
address=/www.google.com/216.239.38.120
address=/www.google.co.uk/216.239.38.120
And then you no longer need Step 3 - Dansguardian-AV to rewrite the URL request to force SafeSearch.
If you want to block all Google domains (http://en.wikipedia.org/wiki/List_of_Google_domains) then you'll need something like:-
address=/www.google.com/216.239.38.120
address=/www.google.ac/216.239.38.120
address=/www.google.ad/216.239.38.120
address=/www.google.ae/216.239.38.120
address=/www.google.com.af/216.239.38.120
address=/www.google.com.ag/216.239.38.120
address=/www.google.com.ai/216.239.38.120
address=/www.google.al/216.239.38.120
address=/www.google.am/216.239.38.120
address=/www.google.co.ao/216.239.38.120
address=/www.google.com.ar/216.239.38.120
address=/www.google.as/216.239.38.120
address=/www.google.at/216.239.38.120
address=/www.google.com.au/216.239.38.120
address=/www.google.az/216.239.38.120
address=/www.google.ba/216.239.38.120
address=/www.google.com.bd/216.239.38.120
address=/www.google.be/216.239.38.120
address=/www.google.bf/216.239.38.120
address=/www.google.bg/216.239.38.120
address=/www.google.com.bh/216.239.38.120
address=/www.google.bi/216.239.38.120
address=/www.google.bj/216.239.38.120
address=/www.google.com.bn/216.239.38.120
address=/www.google.com.bo/216.239.38.120
address=/www.google.com.br/216.239.38.120
address=/www.google.bs/216.239.38.120
address=/www.google.bt/216.239.38.120
address=/www.google.co.bw/216.239.38.120
address=/www.google.by/216.239.38.120
address=/www.google.com.bz/216.239.38.120
address=/www.google.ca/216.239.38.120
address=/www.google.com.kh/216.239.38.120
address=/www.google.cc/216.239.38.120
address=/www.google.cd/216.239.38.120
address=/www.google.cf/216.239.38.120
address=/www.google.cat/216.239.38.120
address=/www.google.cg/216.239.38.120
address=/www.google.ch/216.239.38.120
address=/www.google.ci/216.239.38.120
address=/www.google.co.ck/216.239.38.120
address=/www.google.cl/216.239.38.120
address=/www.google.cm/216.239.38.120
address=/www.google.cn/216.239.38.120
address=/www.g.cn/216.239.38.120
address=/www.google.com.co/216.239.38.120
address=/www.google.co.cr/216.239.38.120
address=/www.google.com.cu/216.239.38.120
address=/www.google.cv/216.239.38.120
address=/www.google.com.cy/216.239.38.120
address=/www.google.cz/216.239.38.120
address=/www.google.de/216.239.38.120
address=/www.google.dj/216.239.38.120
address=/www.google.dk/216.239.38.120
address=/www.google.dm/216.239.38.120
address=/www.google.com.do/216.239.38.120
address=/www.google.dz/216.239.38.120
address=/www.google.com.ec/216.239.38.120
address=/www.google.ee/216.239.38.120
address=/www.google.com.eg/216.239.38.120
address=/www.google.es/216.239.38.120
address=/www.google.com.et/216.239.38.120
address=/www.google.fi/216.239.38.120
address=/www.google.com.fj/216.239.38.120
address=/www.google.fm/216.239.38.120
address=/www.google.fr/216.239.38.120
address=/www.google.ga/216.239.38.120
address=/www.google.ge/216.239.38.120
address=/www.google.gf/216.239.38.120
address=/www.google.gg/216.239.38.120
address=/www.google.com.gh/216.239.38.120
address=/www.google.com.gi/216.239.38.120
address=/www.google.gl/216.239.38.120
address=/www.google.gm/216.239.38.120
address=/www.google.gp/216.239.38.120
address=/www.google.gr/216.239.38.120
address=/www.google.com.gt/216.239.38.120
address=/www.google.gy/216.239.38.120
address=/www.google.com.hk/216.239.38.120
address=/www.google.hn/216.239.38.120
address=/www.google.hr/216.239.38.120
address=/www.google.ht/216.239.38.120
address=/www.google.hu/216.239.38.120
address=/www.google.co.id/216.239.38.120
address=/www.google.ir/216.239.38.120
address=/www.google.iq/216.239.38.120
address=/www.google.ie/216.239.38.120
address=/www.google.co.il/216.239.38.120
address=/www.google.im/216.239.38.120
address=/www.google.co.in/216.239.38.120
address=/www.google.io/216.239.38.120
address=/www.google.is/216.239.38.120
address=/www.google.it/216.239.38.120
address=/www.google.je/216.239.38.120
address=/www.google.com.jm/216.239.38.120
address=/www.google.jo/216.239.38.120
address=/www.google.co.jp/216.239.38.120
address=/www.google.co.ke/216.239.38.120
address=/www.google.ki/216.239.38.120
address=/www.google.kg/216.239.38.120
address=/www.google.co.kr/216.239.38.120
address=/www.google.com.kw/216.239.38.120
address=/www.google.kz/216.239.38.120
address=/www.google.la/216.239.38.120
address=/www.google.com.lb/216.239.38.120
address=/www.google.com.lc/216.239.38.120
address=/www.google.li/216.239.38.120
address=/www.google.lk/216.239.38.120
address=/www.google.co.ls/216.239.38.120
address=/www.google.lt/216.239.38.120
address=/www.google.lu/216.239.38.120
address=/www.google.lv/216.239.38.120
address=/www.google.com.ly/216.239.38.120
address=/www.google.co.ma/216.239.38.120
address=/www.google.md/216.239.38.120
address=/www.google.me/216.239.38.120
address=/www.google.mg/216.239.38.120
address=/www.google.mk/216.239.38.120
address=/www.google.ml/216.239.38.120
address=/www.google.com.mm/216.239.38.120
address=/www.google.mn/216.239.38.120
address=/www.google.ms/216.239.38.120
address=/www.google.com.mt/216.239.38.120
address=/www.google.mu/216.239.38.120
address=/www.google.mv/216.239.38.120
address=/www.google.mw/216.239.38.120
address=/www.google.com.mx/216.239.38.120
address=/www.google.com.my/216.239.38.120
address=/www.google.co.mz/216.239.38.120
address=/www.google.com.na/216.239.38.120
address=/www.google.ne/216.239.38.120
address=/www.google.com.nf/216.239.38.120
address=/www.google.com.ng/216.239.38.120
address=/www.google.com.ni/216.239.38.120
address=/www.google.nl/216.239.38.120
address=/www.google.no/216.239.38.120
address=/www.google.com.np/216.239.38.120
address=/www.google.nr/216.239.38.120
address=/www.google.nu/216.239.38.120
address=/www.google.co.nz/216.239.38.120
address=/www.google.com.om/216.239.38.120
address=/www.google.com.pa/216.239.38.120
address=/www.google.com.pe/216.239.38.120
address=/www.google.com.ph/216.239.38.120
address=/www.google.com.pk/216.239.38.120
address=/www.google.pl/216.239.38.120
address=/www.google.com.pg/216.239.38.120
address=/www.google.pn/216.239.38.120
address=/www.google.com.pr/216.239.38.120
address=/www.google.ps/216.239.38.120
address=/www.google.pt/216.239.38.120
address=/www.google.com.py/216.239.38.120
address=/www.google.com.qa/216.239.38.120
address=/www.google.ro/216.239.38.120
address=/www.google.rs/216.239.38.120
address=/www.google.ru/216.239.38.120
address=/www.google.rw/216.239.38.120
address=/www.google.com.sa/216.239.38.120
address=/www.google.com.sb/216.239.38.120
address=/www.google.sc/216.239.38.120
address=/www.google.se/216.239.38.120
address=/www.google.com.sg/216.239.38.120
address=/www.google.sh/216.239.38.120
address=/www.google.si/216.239.38.120
address=/www.google.sk/216.239.38.120
address=/www.google.com.sl/216.239.38.120
address=/www.google.sn/216.239.38.120
address=/www.google.sm/216.239.38.120
address=/www.google.so/216.239.38.120
address=/www.google.st/216.239.38.120
address=/www.google.com.sv/216.239.38.120
address=/www.google.td/216.239.38.120
address=/www.google.tg/216.239.38.120
address=/www.google.co.th/216.239.38.120
address=/www.google.com.tj/216.239.38.120
address=/www.google.tk/216.239.38.120
address=/www.google.tl/216.239.38.120
address=/www.google.tm/216.239.38.120
address=/www.google.to/216.239.38.120
address=/www.google.tn/216.239.38.120
address=/www.google.com.tn/216.239.38.120
address=/www.google.com.tr/216.239.38.120
address=/www.google.tt/216.239.38.120
address=/www.google.com.tw/216.239.38.120
address=/www.google.co.tz/216.239.38.120
address=/www.google.com.ua/216.239.38.120
address=/www.google.co.ug/216.239.38.120
address=/www.google.co.uk/216.239.38.120
address=/www.google.us/216.239.38.120
address=/www.google.com.uy/216.239.38.120
address=/www.google.co.uz/216.239.38.120
address=/www.google.com.vc/216.239.38.120
address=/www.google.co.ve/216.239.38.120
address=/www.google.vg/216.239.38.120
address=/www.google.co.vi/216.239.38.120
address=/www.google.com.vn/216.239.38.120
address=/www.google.vu/216.239.38.120
address=/www.google.ws/216.239.38.120
address=/www.google.co.za/216.239.38.120
address=/www.google.co.zm/216.239.38.120
address=/www.google.co.zw/216.239.38.120
I use Tomato firmware on my Linksys E2000 router.
Thanks for the code..this is what I have been looking for.. but, right now I have been putting some of this code in my dnsmasq text section, but I can only input so many..if I try to input all of them, I get an error saying It needs to be under 2058.. I guess I don't have enough memory in my router
But where do I input this code?
is there a script or iptable I can use so I don't run out of memory? -
Accepted Answer
I just need to add: for youtube safe search you could create a file named something like safeyotube.conf at at /etc/dnsmasq.d/ ("touch /etc/dnsmasq.d/safeyotube.conf") with this IP address:
address=/www.youtube.com/216.239.38.120
address=/m.youtube.com/216.239.38.120
address=/youtubei.googleapis.com/216.239.38.120
address=/youtube.googleapis.com/216.239.38.120
address=/www.youtube-nocookie.com/216.239.38.120
and then "service dnsmasq restart"
so now youtube just show appropiated content.
Please login to post a reply
You will need to be logged in to be able to post a reply. Login using the form on the right or register an account if you are new here.
Register Here »