Enable SafeSearch
SafeSearch is an automated filter of pornography and other offensive content that’s built into search engines. If anyone enters an inappropriate or suggestive phrase, no results will be returned that could be considered unsafe or problematic.
In the past, enforcing SafeSearch for internet search engines required that traffic to those domains be proxied, and URL parameters sent to them would then be modified to enforce the filtering level. The major search engines have recently begun providing DNS-based methods for enforcing SafeSearch. This task is done by allowing the use of CNAMEs for their primary domains pointing to dedicated SafeSearch domains instead.
Typically, when a site is blocked for inappropriate content, Umbrella’s DNS service returns the address of the block page to a user instead of the address of the website. The SafeSearch functionality is enforced by using a CNAME to point to the SafeSearch domain, so there’s no actual blocking taking place. Instead, requests are effectively redirected to domains which will restrict the results returned by the search engine. The only request is to the search engine’s site and not to a restricted site, and it is not possible to determine the intent to bypass SafeSearch. It’s also not possible to see the redirect in Umbrella reporting.
This method of enforcing SafeSearch is supported for Google, YouTube, and Bing.
If you enabled App Control for Google apps, SafeSearch no longer functions. For more information, see SafeSearch and Application Control.
Table of Contents
Prerequisites
- Full admin access to the Umbrella dashboard. See Manage User Roles.
Procedure
- Navigate to Policies > Management > All Policies and expand a policy.
- From the Summary screen, expand Advanced Settings and select Enforce SafeSearch.
- Click Save.
Confirm that SafeSearch is Enabled
Verification for the SafeSearch feature works slightly differently than other category blocks. The simplest and most reliable way to ensure it is working is to visit the site that SafeSearch is enforced for and checking the SafeSearch settings are enabled. Alternatively, you can run a lookup from the command line to see if the redirection is working.
Both tests must be done on a computer whose policy has SafeSearch enabled. The two methods are outlined below.
Test for Google, Youtube, and Bing
Google
After searching in Google, you should see the phrase "SafeSearch on" in the top right corner.
Under Settings, you can select “Turn off SafeSearch,” but it will not have any effect.
YouTube
Searching YouTube should show that “Restricted Mode” is on at the bottom of the results page. Expanding the section will display the message “Restricted Mode is enabled by your network administrator."
Microsoft Bing
Under the menu icon in the top right corner, Bing will show that SafeSearch is set to “Strict.”
Clicking SafeSearch will take you to a page describing SafeSearch, but the page will not give you an option to disable it.
Test Through a Lookup From the Command Line
Looking up each domain through an nslookup should return the following results:
nslookup www.google.com
Non-authoritative answer:
Name: forcesafesearch.google.com
Address: 216.239.38.120
Aliases: www.google.com
nslookup www.youtube.com
Non-authoritative answer:
Name: restrictmoderate.youtube.com
Addresses: 2001:4860:4802:32::78
216.239.38.120
Aliases: www.youtube.com
nslookup www.bing.com
Non-authoritative answer:
Name: a-0017.a-msedge.net
Address: 204.79.197.220
Aliases: www.bing.com
strict.bing.com
strict-bing-com.a-0001.a-msedge.net
Note: The last alias for www.bing.com may change based on geo-location. The important part is that it says "strict" in the domain.
Umbrella Policy Tester < Enable SafeSearch > Group Roaming Computers with Tags
Updated 12 months ago