16 June 2022
Google SafeSearch and OPNsense

1. What is SafeSearch?

The SafeSearch mode offered by Google makes it possible to filter the search engine’s results by removing links to pornographic or violent content.

This feature may be helpful if children are to use your computer, smartphone or tablet.

The Bing and DuckDuckGo search engines or even YouTube offer something similar.

2. Goal

Today, many devices allow your children to go on the Internet (smartphone, game console, computer, tablet, etc.).

Some devices do not include a filtering feature or require an arduous configuration.

The purpose of this article is to filter sexual or violent search results using your OPNsense router.

3. Configuration

a. Enable a DNS service.

Nowadays, the Unbound DNS server is enabled by default instead of Dnsmasq. That said, adding a "Host override" is done in the same way.

  1. Go to Services / Unbound DNS / General and make sure the "Enable Unbound" box is checked.
  2. Save

b. Create a rule to force the interception of DNS queries.

Note: Most Web browsers and operating systems can now use DNS over HTTPS (DoH).
Using DoH defeats the interception of DNS queries and, with it, the default filtering of search engine results.


  1. Go to Firewall / NAT / Port forward and click on add to create a new rule.
  2. Apply the following settings:
    Interface = LAN
    Protocol = TCP/UDP
    Destination = any
    Destination port range / from = DNS
    Destination port range / to = DNS
    Redirect target IP = Single host or network = 127.0.0.1
    Redirect target port = DNS
    Description = DNS redirection
  3. Save
  4. Go to Firewall / Rules / LAN and make sure the rule you just created is above the last rule which allows all connections.

    To move one or more rules, mark them and click on one of the arrows in the rightmost column.

    [Screenshot: firewall rules in the right order]

  5. Save.

c. Setting up domain names overrides

  1. Go to Services / Unbound DNS / Overrides and create "Host overrides" to enforce the filtering through OPNsense.
  2. Create a Host override for Google.
    1. Click Add then apply the following settings:
      Host = www
      Domain = google.com
      IP = 216.239.38.120
      Description = forcesafesearch.google.com
      Alias: Host = www / Domain = google.co.uk
      Alias: Host = www / Domain = google.ca
      Alias: Host = www / Domain = google.com.au
      Alias: Host = www / Domain = google.ie
      Alias: Host = www / Domain = google.co.nz
    2. Save

Note: Ideally, all of the many Google access domain names, such as google.com.hk or google.hu, should be added as aliases. A list can be found at https://gist.github.com/danielpunkass/2029185.

  3. Create a Host override for DuckDuckGo.
    1. Click Add then apply the following settings:
      Host = duckduckgo
      Domain = com
      IP = 52.142.126.100
      Description = safe.duckduckgo.com
    2. Save
  4. Create a Host override for Bing.
    1. Click Add then apply the following settings:
      Host = www
      Domain = bing.com
      IP = 204.79.197.220
      Description = strict.bing.com
    2. Save
  5. Create a Host override for YouTube.
    1. Click Add then apply the following settings:
      Host = www
      Domain = youtube.com
      IP = 216.239.38.120
      Description = restrict.youtube.com
      Alias: Host = m / Domain = youtube.com
      Alias: Host = youtube / Domain = googleapis.com
      Alias: Host = youtubei / Domain = googleapis.com
      Alias: Host = www / Domain = youtube-nocookie.com
      
    2. Save and click "Apply changes"

Note: Safe Search for YouTube: some safe content may be filtered or blocked.

4. Check

Once the configuration of OPNsense is complete, you must clear the operating system DNS cache as well as the Web browser DNS cache.


On Windows:

  • Command prompt:
    ipconfig /flushdns

On macOS:

  • from OS X Yosemite (10.10.4) to macOS Sierra (10.12), type in a terminal:
    sudo killall -HUP mDNSResponder
  • with a later version, type in a terminal:
    sudo killall -HUP mDNSResponder; sudo killall mDNSResponderHelper; sudo dscacheutil -flushcache

On Linux:

  • If using nscd as a DNS cache, type in a terminal:
    sudo nscd --invalidate=hosts
  • If using the systemd-resolved service, use:
    sudo systemd-resolve --flush-caches
  • If using the dnsmasq software, use:
    sudo systemctl restart dnsmasq
  • If using the BIND software / the named service, use:
    sudo rndc flush

 

To flush the Web browser DNS cache, you should:

 

Finally, try searching for some adult content websites you may have heard of.

You can also try searching for scenes depicting violence on YouTube.
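
Before testing in a browser, the overrides can be checked from a client with the script below. It is an added example, not part of the original tutorial: it resolves each overridden name through the operating system resolver and compares the answers with the IPs configured in section 3.c. The function names, the status labels and the injectable `resolve` parameter are choices of this example.

```python
import socket

# Names and IPs copied from the host overrides in section 3.c.
EXPECTED = {
    "www.google.com": "216.239.38.120",
    "www.google.co.uk": "216.239.38.120",
    "duckduckgo.com": "52.142.126.100",
    "www.bing.com": "204.79.197.220",
    "www.youtube.com": "216.239.38.120",
    "m.youtube.com": "216.239.38.120",
    "youtubei.googleapis.com": "216.239.38.120",
    "www.youtube-nocookie.com": "216.239.38.120",
}


def system_resolve(name):
    """Return every address (IPv4 and IPv6) the OS resolver gives for name."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def check_overrides(expected=EXPECTED, resolve=system_resolve):
    """Map each name to (status, addresses).

    OK        - the only answer is the configured SafeSearch IP
    BYPASS    - another address came back (stale cache, a resolver path
                that avoids the router, or an IPv6 answer)
    NO_ANSWER - the name did not resolve at all
    """
    report = {}
    for name, ip in expected.items():
        addrs = resolve(name)
        if not addrs:
            status = "NO_ANSWER"
        elif addrs == {ip}:
            status = "OK"
        else:
            status = "BYPASS"
        report[name] = (status, sorted(addrs))
    return report


if __name__ == "__main__":
    for name, (status, addrs) in check_overrides().items():
        print(f"{status:9} {name:28} {', '.join(addrs) or '-'}")
```

A browser with DoH enabled performs its own lookups, so an all-OK report covers the operating system resolver only.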