Posted: Wed Jul 31, 2013 22:00 Post subject: Enforcing Google SafeSearch with dd-wrt
I am looking for a way to enforce SafeSearch on Google. I would want it to be implemented directly into the dd-wrt router so that all the devices can be protected. I need to perform two tasks.
The first is to redirect all Google queries to the non-SSL version of Google. This is because no filtering can be achieved on SSL connections. Google says this can be done this way:
Quote:
To utilize the no SSL option for your network, configure the DNS entry for www.google.com to be a CNAME for nosslsearch.google.com.
We will not serve SSL search results for requests that we receive on this VIP. If we receive a search request over port 443, the certificate handshake will complete successfully, but we will then redirect the user to a non-SSL search experience.
Can this operation be achieved through dd-wrt?
The second task is to enforce strict safesearch.
Quote:
To enable SafeSearch throughout a school network, you can use a proxy server to append &safe=active directly to all search URLs. This will enable strict SafeSearch.
Google sends search queries along URL paths like google.com/search?..., google.com/images?..., google.com/s?... Schools that activate SafeSearch with a proxy should keep their filters updated to include /search, /s, and /images URLs.
Again, can this be done in dd-wrt? Assuming, of course, that the first task is completed.
Thank you for any suggestion that could help me solve this issue.
1. Use OpenDNS server for DNS
2. Setup the network with the right level of OpenDNS filtering
3. Configure the router via firewall rules to prevent a smart kid from bypassing the router-established DNS server. If they do try to bypass, their request will be denied/rejected.
This will NOT prevent a restricted (adult) item from showing up in the 'search results', but will definitely prevent access to the restricted site.
This is a temporary solution. I agree, it is not the most efficient since filtered content can and will show up on the search results, specifically 'Images'. _________________ ===================================
1 * DIR-866L - 29193 Mega (Main Gateway)
1 * EA4200 - 29193 Mega (Main Gateway)
1 * EA6500 - 29193 Mega (Repeater Bridge)
1 * EA6500v2 - 29193 Mega (Repeater Bridge)
1 * WRT610N - 29193 Mega (Repeater Bridge)
===================================
Thanks for the quick reply. I already use Open DNS and it's great. But I want to do what I originally requested. Surely there is a way in DD-WRT to point all www.google.com requests to their no ssl URL as outlined in the link above? I just need someone to spell it out to me step by step as I don't understand the router command line syntax. But I can copy and paste.
Couple options come to mind. I am sure there is brighter grey matter that can comment and come up with a better suggestion.
1. Use DNSMasq - Wondering if you can use the --server option to redirect all things google.com to nosslsearch.google.com
2. Use an iptables (firewall) rule to have a URL redirection. It 'could' be as simple as redirecting everything destined for www.google.com to 216.239.32.20
These are just a couple shots in the dark. You could experiment or wait for an expert to stop by.
Posted: Sat Oct 26, 2013 14:00 Post subject: Thank you
ndewan - thank you for your quick responses. Could you give me a bit more detail or point me to a tutorial on syntax for the suggestions you have made? When you say "Use DNSMasq - Wondering if you can use the --server option to redirect all things google.com to nosslsearch.google.com" What would I type in and where?
Take a look at the DNSMasq section on the 'Services' page. I am thinking, and don't know for sure if you could 'enable local DNS' and setup some 'additional DNSMasq Options' to do what you are trying to do.
Follow the following link to get more information on DNSMasq.
I might not be able to help you further, but would like to hear where you land up.
Can you use a DNS name in a firewall rule? I could be wrong, but I thought iptables rules worked with IP addresses only.
Using the DNSMasq option, could the OP use DNS names for both sides ..
address=/google.com/nosslsearch.google.com
@OP's
Do post your results as you try these options.
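What the DNSMasq and firewall suggestions in this thread could look like on the router, as an added example that is not from any poster: the script prints one line for the 'Additional DNSMasq Options' box and two iptables commands that send all LAN DNS queries to the router's own resolver (a redirect rather than the reject mentioned earlier). The function names and the `br0` / `192.168.1.1` defaults are assumptions, and the IP is the one quoted in the thread, which should be checked against a current lookup of nosslsearch.google.com.

```sh
#!/bin/sh
# Added example: names and defaults below are assumptions, not from the thread.
NOSSL_IP="216.239.32.20"        # IP quoted in the thread; verify before use
LAN_IF="${LAN_IF:-br0}"         # assumed LAN bridge (nvram get lan_ifname)
LAN_IP="${LAN_IP:-192.168.1.1}" # assumed router address (nvram get lan_ipaddr)

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Line for Services -> DNSMasq -> "Additional DNSMasq Options".
# address= accepts an IP address only, so the no-SSL host name has to be
# resolved first; the pinned answer goes stale if Google moves that VIP.
dnsmasq_options() {
    is_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
    echo "address=/www.google.com/$1"
}

# Commands for Administration -> Commands -> "Save Firewall": rewrite every
# LAN DNS query (UDP and TCP port 53) to the router's own dnsmasq, so a client
# configured with another resolver still receives the overridden answer.
dns_lock_rules() {
    is_ipv4 "$2" || { echo "not an IPv4 address: $2" >&2; return 1; }
    for proto in udp tcp; do
        echo "iptables -t nat -I PREROUTING -i $1 -p $proto --dport 53" \
             "-j DNAT --to-destination $2"
    done
}

dnsmasq_options "$NOSSL_IP"
dns_lock_rules "$LAN_IF" "$LAN_IP"
```

Paste the first printed line into the DNSMasq options box and the two iptables lines into the firewall script, then confirm from a LAN client that www.google.com resolves to the pinned address even when the client is pointed at an outside resolver.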
Those who are hell bent on getting to it will .. by hook or by crook. They would just use another search engine ...
But there are times where objectionable content may be presented without explicitly being asked for. You can see it in certain environments (schools and workplaces), organizations have to make a good faith effort to restrict/prevent certain content. Not even making an effort will drag the organization through mud in this litigious environment.
The OP already has OpenDNS installed, so is protected to a large extent. I think the concern is limiting negative content in the search results, specifically if one were to use the 'Images' or 'video' option.