Enable SafeSearch for DNS Policies
DNS policies can be configured to enforce SafeSearch for Google, YouTube, and Bing.
SafeSearch is an automated filter, built into search engines, for pornography and other offensive adult content. If someone enters an inappropriate or suggestive phrase into a search engine, the search engine returns only safe, "family-friendly" results. In the past, enforcing SafeSearch required proxying traffic to the search engine domains and modifying the URL parameters sent to them to enforce the filtering level. The major search engines have recently begun providing DNS-based methods for enforcing SafeSearch: a CNAME for the primary domain points to a dedicated SafeSearch domain instead.
Typically, when a site is blocked for inappropriate content, Umbrella’s DNS service returns the address of the block page instead of the address of the website. SafeSearch is enforced by using a CNAME to point to the SafeSearch domain, so no Umbrella destination blocking occurs. Instead, requests are redirected to domains that restrict search engine results. The only request is to the search engine and not to a restricted site. It is therefore not possible to determine the intent to bypass SafeSearch. It’s also not possible to see the redirect in Umbrella reporting.
If you enabled App Control for Google apps, SafeSearch no longer functions. For more information, see SafeSearch and Application Control.
- Full Admin access to the Umbrella dashboard. See Manage User Roles.
- Navigate to Policies > Management > DNS Policies and expand a policy.
- From the Summary page, expand Advanced Settings, and then check Enforce SafeSearch.
- Click Save.
## Confirm that SafeSearch is Enabled
The most reliable way to confirm that SafeSearch is enabled through a DNS policy is to visit a site that SafeSearch is enforced for and confirm that SafeSearch settings are enabled. Alternatively, you can run a lookup from the command line to confirm redirection.
Tests must be done through an identity that is part of a DNS policy where SafeSearch is enabled. For example, a computer that is accessing the internet by way of a network identity.
Test Google, YouTube, and Bing
Google
After searching in Google, you should see a SafeSearch on indicator in the top right corner.
In the browser, under Settings, if you select Turn off SafeSearch, it has no effect and sites remain blocked.
YouTube
Searching YouTube should show that “Restricted Mode” is on at the bottom of the results page. Expanding this shows that “Restricted Mode is enabled by your network administrator.”
Microsoft Bing
Under the menu icon, Bing shows that SafeSearch is set to “Strict”.
Clicking SafeSearch takes you to a page describing SafeSearch, but there is no disable option.
Test Through a Lookup From the Command Line
Looking up each domain with nslookup should return the following results:
```
nslookup www.google.com
Non-authoritative answer:
Name:    forcesafesearch.google.com
Address:  216.239.38.120
Aliases:  www.google.com
```

```
nslookup www.youtube.com
Non-authoritative answer:
Name:    restrictmoderate.youtube.com
Addresses:  2001:4860:4802:32::78
          216.239.38.120
Aliases:  www.youtube.com
```

```
nslookup www.bing.com
Non-authoritative answer:
Name:    a-0017.a-msedge.net
Address:  204.79.197.220
Aliases:  www.bing.com
          strict.bing.com
          strict-bing-com.a-0001.a-msedge.net
```
Note: The last alias for www.bing.com may change based on geo-location. The important part is that it says "strict" in the domain.
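To repeat this check across several identities, the lookup results can be evaluated by a script. The following is an added example, not part of the original page or of Umbrella: a Python helper that parses nslookup output in the format shown above and reports whether each answer points at the SafeSearch name. It also accepts Unix-style `canonical name =` lines, which goes beyond the page's samples; the function names and sample strings are constructed for illustration.

```python
import re
import subprocess

# SafeSearch names as shown in the lookup results on this page.
SAFE_NAMES = {"www.google.com": "forcesafesearch.google.com",
              "www.youtube.com": "restrictmoderate.youtube.com"}
FIELD = re.compile(r"^(Server|Name|Address(?:es)?|Aliases):\s*(.*)$")
CNAME = re.compile(r"canonical name = (\S+)")  # Unix-style nslookup line

# Constructed samples (indentation restored; 192.0.2.10 is a documentation IP).
YOUTUBE_SAMPLE = """Non-authoritative answer:
Name:    restrictmoderate.youtube.com
Addresses:  2001:4860:4802:32::78
          216.239.38.120
Aliases:  www.youtube.com
"""
UNFILTERED_SAMPLE = "Non-authoritative answer:\nName:    www.google.com\nAddress:  192.0.2.10\n"

def answer_names(output):
    """Collect hostnames from Name, Aliases and CNAME lines, skipping addresses."""
    names, field = set(), None
    for raw in output.splitlines():
        line = raw.strip()
        cname, match = CNAME.search(line), FIELD.match(line)
        if cname:
            names.add(cname.group(1).rstrip(".").lower())
            field = None
        elif match:
            field, line = match.group(1), match.group(2)
        elif not line:
            field = None  # a blank line ends a multi-line field
        if field in ("Name", "Aliases") and line:
            names.add(line.rstrip(".").lower())
    return names

def safesearch_enforced(domain, output):
    """True when the answer for `domain` points at its SafeSearch name."""
    names = answer_names(output)
    if domain == "www.bing.com":
        # The last Bing alias varies by location; require a "strict" label.
        return any(n.split(".")[0].startswith("strict") for n in names)
    return SAFE_NAMES[domain] in names

if __name__ == "__main__":
    for domain in ("www.google.com", "www.youtube.com", "www.bing.com"):
        out = subprocess.run(["nslookup", domain], capture_output=True, text=True).stdout
        print(domain, "enforced" if safesearch_enforced(domain, out) else "NOT enforced")
```

Run it from a machine whose identity is covered by the DNS policy; a "NOT enforced" result for a domain means the resolver returned the search engine's normal records.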