The Umbrella Deployment Documentation Developer Hub

Welcome to the Umbrella Deployment Documentation developer hub. You'll find comprehensive guides and documentation to help you start working with Umbrella Deployment Documentation as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    

What is SafeSearch

SafeSearch is an automated filter of pornography and other offensive content that’s built into search engines. If anyone enters an inappropriate or suggestive phrase, no results will be returned that could be considered unsafe or problematic.

In the past, enforcing SafeSearch for internet search engines required that traffic to those domains be proxied, and URL parameters sent to them would then be modified to enforce the filtering level. The major search engines have recently begun providing DNS based methods for enforcing SafeSearch. This is done by by allowing the use of CNAMEs for their primary domains pointing to dedicated SafeSearch domains instead.

This method of enforcing SafeSearch is supported for Google, YouTube, and Bing.

Enable SafeSearch for a Policy

  1. Navigate to Policies > Management > DNS and Web Policies, then expand a policy.
  2. From the Summary screen, expand Advanced Settings and select Enforce SafeSearch.
  3. Click Save.

How to verify SafeSearch was Enforced for a Given Query

Verification for the SafeSearch feature works slightly differently than other category blocks. The simplest and most reliable way to ensure it is working is to either visit the site that SafeSearch is enforced for and checking the SafeSearch settings are enabled. Alternatively, you can run a lookup from the command line to see if the redirection is working.

Both tests must be done on a computer whose policy has SafeSearch enabled. The two methods are outlined below.

Testing for Google, Youtube and Bing

Google
After searching in Google, you should see this in the top right corner.

Under Settings, you can select “Turn off SafeSearch”, but it will not have any effect.

YouTube

Searching YouTube should show that “Restricted Mode” is on at the bottom of the results page. Expanding that will show that “Restricted Mode is enabled by your network administrator.

Microsoft Bing

Under the menu icon in the top right corner, Bing will show that SafeSearch is set to “Strict”.

Clicking SafeSearch takes you to page describing SafeSearch, but the page will not give you an option to disable it.

Testing Through a Lookup from Command Line

Looking up each domain through an nslookup should return the following results:

nslookup www.google.com

Non-authoritative answer:
Name:    forcesafesearch.google.com
Address:  216.239.38.120
Aliases:  www.google.com
nslookup www.youtube.com

Non-authoritative answer:
Name:     restrictmoderate.youtube.com
Addresses:  2001:4860:4802:32::78
          216.239.38.120
Aliases:  www.youtube.com
nslookup www.bing.com

Non-authoritative answer:
Name:    a-0017.a-msedge.net
Address:  204.79.197.220
Aliases:  www.bing.com
          strict.bing.com
          strict-bing-com.a-0001.a-msedge.net

Note: The last alias for www.bing.com may change based on geo-location. The important part is that it says "strict" in the domain.

How the Service Works for Reports and Blocks

Typically, when a site is blocked for inappropriate content, Umbrella’s DNS service returns the address of the block page to a user instead of the address of the website. The SafeSearch functionality is enforced by using a CNAME to point to the SafeSearch domain, so there’s no actual blocking taking place. Instead, requests are effectively redirected to domains which will restrict the results returned by the search engine. The only request is to the search engine’s site and not to a restricted site and it is not possible to determine the intent to bypass SafeSearch. It’s also not possible to see the redirect in our reporting.


Understanding Content Categories < What is SafeSearch > Group Roaming Computers with Tags