The Umbrella User Guide Developer Hub

Welcome to the Umbrella User Guide developer hub. You'll find comprehensive guides and documentation to help you start working with Umbrella User Guide as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    

Enable SafeSearch for DNS Policies

DNS policies can be configured to enforce SafeSearch for Google, YouTube, and Bing.

SafeSearch is an automated filter of pornography and other offensive content that’s built into search engines. If anyone enters an inappropriate or suggestive phrase into a search engine, it returns no unsafe or problematic results. In the past, enforcing SafeSearch for internet search engines required the proxying of traffic to those domains with URL parameters sent to them modified to enforce the filtering level. The major search engines have recently begun providing DNS based methods for enforcing SafeSearch. This is done by allowing the use of CNAMEs for their primary domains pointing to dedicated SafeSearch domains instead.

Typically, when a site is blocked for inappropriate content, Umbrella’s DNS service returns the address of the block page instead of the address of the website. SafeSearch functionality is enforced by using a CNAME to point to the SafeSearch domain, so there’s no Umbrella destination blocking that occurs. Instead, requests are redirected to domains that restrict search engine results. The only request is to the search engine and not to a restricted site. It is therefore not possible to determine the intent to bypass SafeSearch. It’s also not possible to see the redirect in Umbrella reporting.

If you enabled App Control for Google apps, Safesearch no longer functions. For more information see SafeSearch and Application Control.

Table of Contents

Prerequisites

Procedure

  1. Navigate to Policies > Management > DNS Policies and expand a policy.
  1. From the Summary page, expand Advanced Settings, and then check Enforce SafeSearch.
  2. Click Save.

Confirm that SafeSearch is Enabled

The most reliable way to confirm that SafeSearch is enabled through a DNS policy is to visit a site that SafeSearch is enforced for and confirm that SafeSearch settings are enabled. Alternatively, you can run a lookup from the command line to confirm redirection.

Tests must be done through an identity that is part of a DNS policy where SafeSearch enabled. For example, a computer that is accessing the internet by way of network identity.

Test Google, Youtube, and Bing

Google
After searching in Google, you should see a SafeSearch on indicator in the top right corner.

In the browser, under Settings, if you select Turn off SafeSearch, it has no effect and sites are remain blocked.

YouTube

Searching YouTube should show that “Restricted Mode” is on at the bottom of the results page. Expanding this shows that “Restricted Mode is enabled by your network administrator.

Microsoft Bing

Under the menu icon, Bing shows that SafeSearch is set to “Strict”.

Clicking SafeSearch takes you to a page describing SafeSearch, but there is no disable option.

Test Through a Lookup From the Command Line

Looking up each domain through an nslookup should return the following results:

nslookup www.google.com

Non-authoritative answer:
Name:    forcesafesearch.google.com
Address:  216.239.38.120
Aliases:  www.google.com
nslookup www.youtube.com

Non-authoritative answer:
Name:     restrictmoderate.youtube.com
Addresses:  2001:4860:4802:32::78
          216.239.38.120
Aliases:  www.youtube.com
nslookup www.bing.com

Non-authoritative answer:
Name:    a-0017.a-msedge.net
Address:  204.79.197.220
Aliases:  www.bing.com
          strict.bing.com
          strict-bing-com.a-0001.a-msedge.net

Note: The last alias for www.bing.com may change based on geo-location. The important part is that it says "strict" in the domain.


Best Practices for DNS Policies < Enable SafeSearch for DNS Policies > Group Roaming Computers with Tags

Updated about a month ago

Enable SafeSearch for DNS Policies


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.