Ubuntu – How do you satisfy Google’s requirement to enforce SafeSearch at the network level


I have kids that are old enough to start getting curious, and, while I don't think it's an active problem, I'd rather avoid the usual garbage that comes along with the average Google search. Google's SafeSearch is a good filter, but forcing it to be used at the network level has been a difficult proposition. This is (at least) their 3rd iteration of the process.

Per Google's current suggestion to force network users into SafeSearch:


To force SafeSearch for your network, you’ll need to update your DNS configuration. Set the DNS entry for www.google.com (and any other Google ccTLD country subdomains your users may use) to be a CNAME for forcesafesearch.google.com.

I've seen a couple of articles about configuring dnsmasq to do this, but I'm running a local instance of bind as a forwarding caching server (using OpenDNS), but also hosting my internal domain. How would I configure bind with just this one CNAME for all of Google? I can't fathom how I would even start to make my server act as canonical for google.com, but pass through everything but the host "www".

(In the past, I've tried Dansguardian rewrites. Now, I've just gone through the effort of trying SquidGuard redirects. I can't seem to get this accomplished without ruining Google altogether. If there's an answer in proxy-land, or even iptables, I could do that as well. Just sayin'.)

Best Answer

  • The ISC docs about response policy (ftp://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt) show some sample BIND9 configuration, which I have modified and posted below:

    options {
      // other stuff
      response-policy {
        // each zone named here must also be declared with its own zone statement
        zone "www.google.com" policy CNAME forcesafesearch.google.com;
        zone "www.google.ca" policy CNAME forcesafesearch.google.com;
      };
    };
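A check that the rewrite is actually in effect, as an added example (not part of the original answer or of BIND): it parses the answer section printed by `dig +noall +answer <host> @<resolver>` and confirms the CNAME chain passes through forcesafesearch.google.com. The function names and the sample answers are constructed for illustration.

```python
"""Check that a resolver's answer for a Google host is rewritten to SafeSearch."""

SAFE_TARGET = "forcesafesearch.google.com"  # CNAME target named in Google's instructions

# Constructed sample answers (addresses are from the 192.0.2.0/24 documentation range).
REWRITTEN = """\
www.google.com.             300 IN CNAME forcesafesearch.google.com.
forcesafesearch.google.com. 300 IN A     192.0.2.10
"""
NOT_REWRITTEN = "www.google.ca. 300 IN A 192.0.2.20\n"


def _norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def parse_answer(text):
    """Parse dig answer lines into {owner: [(rtype, rdata), ...]} for CNAME/A/AAAA."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # blank line, comment, or malformed row
        owner, rtype, rdata = fields[0], fields[3].upper(), fields[4]
        if rtype in ("CNAME", "A", "AAAA"):
            records.setdefault(_norm(owner), []).append((rtype, rdata))
    return records


def safesearch_enforced(qname, answer_text, max_hops=8):
    """True only if the CNAME chain starting at qname passes through SAFE_TARGET."""
    records = parse_answer(answer_text)
    name = _norm(qname)
    for _ in range(max_hops):  # bound the walk so a CNAME loop cannot hang the check
        if name == SAFE_TARGET:
            return True
        cnames = [rdata for rtype, rdata in records.get(name, []) if rtype == "CNAME"]
        if not cnames:
            return False  # chain ended at an address record or at no data
        name = _norm(cnames[0])
    return False


if __name__ == "__main__":
    for host, answer in (("www.google.com", REWRITTEN), ("www.google.ca", NOT_REWRITTEN)):
        print(host, "enforced" if safesearch_enforced(host, answer) else "NOT enforced")
```

Run it against every Google ccTLD host your users may reach; a host that resolves straight to an address record is not covered by the policy.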