DNS policies can be configured to enforce SafeSearch for Google, YouTube, and Bing.
SafeSearch is an automated filter of pornography and other offensive content that’s built into search engines. If anyone enters an inappropriate or suggestive phrase into a search engine, it returns no unsafe or problematic results. In the past, enforcing SafeSearch for internet search engines required the proxying of traffic to those domains with URL parameters sent to them modified to enforce the filtering level. The major search engines have recently begun providing DNS based methods for enforcing SafeSearch. This is done by allowing the use of CNAMEs for their primary domains pointing to dedicated SafeSearch domains instead.
Typically, when a site is blocked for inappropriate content, Umbrella’s DNS service returns the address of the block page instead of the address of the website. SafeSearch functionality is enforced by using a CNAME to point to the SafeSearch domain, so there’s no Umbrella destination blocking that occurs. Instead, requests are redirected to domains that restrict search engine results. The only request is to the search engine and not to a restricted site. It is therefore not possible to determine the intent to bypass SafeSearch. It’s also not possible to see the redirect in Umbrella reporting.
If you enabled App Control for Google apps, Safesearch no longer functions. For more information see SafeSearch and Application Control.
- Full Admin access to the Umbrella dashboard. See Manage User Roles.
- Navigate to Policies > Management > DNS Policies and expand a policy.
- From the Summary page, expand Advanced Settings, and then check Enforce SafeSearch.
- Click Save.
The most reliable way to confirm that SafeSearch is enabled through a DNS policy is to visit a site that SafeSearch is enforced for and confirm that SafeSearch settings are enabled. Alternatively, you can run a lookup from the command line to confirm redirection.
Tests must be done through an identity that is part of a DNS policy where SafeSearch enabled. For example, a computer that is accessing the internet by way of network identity.
After searching in Google, you should see a SafeSearch on indicator in the top right corner.
In the browser, under Settings, if you select Turn off SafeSearch, it has no effect and sites are remain blocked.
Searching YouTube should show that “Restricted Mode” is on at the bottom of the results page. Expanding this shows that “Restricted Mode is enabled by your network administrator.
Under the menu icon, Bing shows that SafeSearch is set to “Strict”.
Clicking SafeSearch takes you to a page describing SafeSearch, but there is no disable option.
Looking up each domain through an nslookup should return the following results:
nslookup www.google.com Non-authoritative answer: Name: forcesafesearch.google.com Address: 188.8.131.52 Aliases: www.google.com
nslookup www.youtube.com Non-authoritative answer: Name: restrictmoderate.youtube.com Addresses: 2001:4860:4802:32::78 184.108.40.206 Aliases: www.youtube.com
nslookup www.bing.com Non-authoritative answer: Name: a-0017.a-msedge.net Address: 220.127.116.11 Aliases: www.bing.com strict.bing.com strict-bing-com.a-0001.a-msedge.net
Updated about a month ago