SafeSearch is an automated filter of pornography and other offensive content that’s built into search engines. If anyone enters an inappropriate or suggestive phrase, no results will be returned that could be considered unsafe or problematic.
In the past, enforcing SafeSearch for internet search engines required that traffic to those domains be proxied so that the URL parameters sent to them could be modified to enforce the filtering level. The major search engines have recently begun providing DNS-based methods for enforcing SafeSearch. This is done by allowing the use of CNAMEs for their primary domains that point to dedicated SafeSearch domains instead.
This method of enforcing SafeSearch is supported for Google, YouTube, and Bing.
- Navigate to Policies > Management > DNS and Web Policies, then expand a policy.
- From the Summary screen, expand Advanced Settings and select Enforce SafeSearch.
- Click Save.
Verification for the SafeSearch feature works slightly differently than for other category blocks. The simplest and most reliable way to ensure it is working is to visit the site that SafeSearch is enforced for and check that the SafeSearch settings are enabled. Alternatively, you can run a lookup from the command line to see if the redirection is working.
Both tests must be done on a computer whose policy has SafeSearch enabled. The two methods are outlined below.
After searching in Google, you should see this in the top right corner.
Under Settings, you can select “Turn off SafeSearch”, but it will not have any effect.
Searching YouTube should show that “Restricted Mode” is on at the bottom of the results page. Expanding that will show that “Restricted Mode is enabled by your network administrator.”
Under the menu icon in the top right corner, Bing will show that SafeSearch is set to “Strict”.
Clicking SafeSearch takes you to a page describing SafeSearch, but the page will not give you an option to disable it.
Looking up each domain through an nslookup should return the following results:
    nslookup www.google.com
    Non-authoritative answer:
    Name:    forcesafesearch.google.com
    Address:  184.108.40.206
    Aliases:  www.google.com

    nslookup www.youtube.com
    Non-authoritative answer:
    Name:    restrictmoderate.youtube.com
    Addresses:  2001:4860:4802:32::78
              220.127.116.11
    Aliases:  www.youtube.com

    nslookup www.bing.com
    Non-authoritative answer:
    Name:    a-0017.a-msedge.net
    Address:  18.104.22.168
    Aliases:  www.bing.com
              strict.bing.com
              strict-bing-com.a-0001.a-msedge.net
Note: The last alias for www.bing.com may change based on geo-location. The important part is that it says "strict" in the domain.
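The command-line check above can be scripted when many machines or policies need to be verified. The following is an added example, not part of the original page or of Umbrella's tooling: it parses Windows-style nslookup output and applies the expected targets listed above. The function names and the second sample are constructed for illustration.

```python
import re

# Targets taken from the lookups shown on this page. Bing's last alias varies
# by location, so the rule only requires "strict" somewhere in the chain.
RULES = {
    "www.google.com": lambda names: "forcesafesearch.google.com" in names,
    "www.youtube.com": lambda names: "restrictmoderate.youtube.com" in names,
    "www.bing.com": lambda names: any("strict" in n for n in names),
}
FIELD = re.compile(r"^([^\s:][^:]*):\s*(.*)$")

def parse_nslookup(output):
    """Collect the Name and Aliases fields from Windows-style nslookup output."""
    fields, current = {}, None
    for line in output.splitlines():
        if not line.strip():
            current = None                        # blank line ends a field
        elif line[0].isspace() and current:
            fields[current].append(line.strip())  # continuation (extra alias/address)
        elif (m := FIELD.match(line)):
            current = m.group(1).strip().lower()
            fields[current] = [m.group(2).strip()] if m.group(2).strip() else []
    return fields.get("name", []) + fields.get("aliases", [])

def safesearch_enforced(domain, output):
    """True when the answer for `domain` resolves through its SafeSearch CNAME."""
    names = [n.lower().rstrip(".") for n in parse_nslookup(output)]
    return domain in names and RULES[domain](names)

# Sample 1: the www.bing.com answer shown on this page.
BING_ENFORCED = """Non-authoritative answer:
Name:    a-0017.a-msedge.net
Address:  18.104.22.168
Aliases:  www.bing.com
          strict.bing.com
          strict-bing-com.a-0001.a-msedge.net
"""
# Sample 2: constructed answer for a machine whose policy lacks SafeSearch.
GOOGLE_PLAIN = """Non-authoritative answer:
Name:    www.google.com
Address:  192.0.2.10
"""

if __name__ == "__main__":
    for domain, out in (("www.bing.com", BING_ENFORCED), ("www.google.com", GOOGLE_PLAIN)):
        print(domain, "enforced" if safesearch_enforced(domain, out) else "NOT enforced")
```

A "NOT enforced" result on a machine that should be covered usually means the lookup did not go through the resolver that applies the policy, so check which DNS server the client is actually using.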
Typically, when a site is blocked for inappropriate content, Umbrella’s DNS service returns the address of the block page to a user instead of the address of the website. The SafeSearch functionality is enforced by using a CNAME to point to the SafeSearch domain, so there’s no actual blocking taking place. Instead, requests are effectively redirected to domains which will restrict the results returned by the search engine. The only request is to the search engine’s site, not to a restricted site, and it is not possible to determine the intent to bypass SafeSearch. It’s also not possible to see the redirect in our reporting.