Google safe search enforce

Hi team,

I have enabled web filtering for porn but users can view images of blocked websites when they click on images in Google search results.

I have seen that I have to enforce Google safe search. Is it possible with a Peplink Balance?

Thanks
Rudy,

No it doesn’t support it. I have a B20x and the only way for me to enforce across all devices on my network was to set up an internal NextDNS DNS resolver. I used a Raspberry Pi.

There are ways users could circumvent this by changing their DNS config on their device unless you enforce DNS proxy and forwarding on the Peplink Balance. But this won’t work with an internal DNS resolver as the Peplink Balance will proxy and forward all DNS traffic from your DNS resolver back to itself creating an endless loop. I don’t have forwarding and proxy enabled because of this.

Not sure if there is a way for Peplink to address this in the firmware.

The other way users could circumvent is to use a VPN. I block VPN use on my home network by using IPSEC application control block in the Balance20x.

1 Like

Sorry @Rudy – I kind of believe stego – he seems to know what he is talking about. Personally, I haven’t needed to tackle this particular issue - so, I will be of no help to you. I do wish you luck in your adventure though.

@stego
Yikes, that is quite the predicament. Other than Peplink adding an option to “exclude” an IP from the proxy and forwarding (which is probably the cleanest way and most likely shouldn’t be that difficult to implement), there are probably some other ways that they could implement it under the covers (unbeknownst to the users).

Here are a few “out of the box” kind of ideas. Forewarning - none of them are “good” or practical. You seem extremely knowledgeable and have most likely already considered them - but, just in case…

Would it be possible to create a point to point VPN tunnel (or any other tunnel) between the Raspberry Pi and somewhere else on the internet? If so, you could configure the Pi to be the resolver for the B20X and point the Pi at the DNS resolver you want on the internet (ISP, Google, etc). You would then need to configure your clients to use the B20X as its DNS source (and the B20X always points to your Pi). Then you could proxy and forward again. The DNS requests from your Pi wouldn’t be “intercepted” due to it going through a tunnel. You would get your local resolver (which is where you are “blocking” access) and you would “catch” devices that change their DNS resolver (and enforce your “blocking”).

Another option would be to use the firewall to block all outbound UDP port 123 traffic except from your Pi device. This is a bit “brute-ish” in my opinion but it probably would keep folks from changing their assigned DNS server settings. Name resolution would simply not work if they changed it to something other than your local resolver. Forcing unknown application failures may or may not be the “right” approach - but, it is definitely effective.

That’s what I was thinking. Wonder if this should be a feature request.

@stego
I could see others using this option for similar reasons, submit it and see what they say. I have seen them implement some other features upon request. Good luck buddy!

@rudy
What kind of environment are you working inside of? There are lots of non-network based ways to configure browsers and other software depending on what kind of infrastructure/standards you have in place. i.e. Windows machines use domain controllers, Macs have a product called Jamf, etc. Maybe we can help come up with something for ya.

2 Likes

Hi @jmjones

I am in a school with Windows domain controllers. I think I will use the force Google safe search engine through the Windows hosts file method.

Personally, I would avoid that method. Most virus scanners will block access to this host file remotely. You could potentially do the same thing with your Balance router’s DNS service. Basically, you are wanting “something” that translates google.com to forcesafesearch.google.com. I don’t know of a clever way to do that, but if you are already going to set static IP lookup information in the host files across your Windows network – you can set up “Local DNS Records” in the Balance LAN settings to do this in a centrally managed way.

I am sure that someone around here will have a crafty mechanism to do this with strictly DNS trickery. Seems like you could create a local alias/cname for google.com to map to safesearch.google.com (or something like that). Kind of nice of Google to offer a network based solution to an application level parameter by offering VIPs specific to safesearch – I wasn’t aware that they were doing that.

Good luck in your adventures.

1 Like

Hi @jmjones,

Thanks for your alert.
I have tried to use LAN → DNS Proxy Settings → Local DNS Records of the Peplink. It works in my lab. I will try it in the production environment and schedule the reboot of users’ PCs at midnight. I will let you know the result.

Kind regards,
Rudy
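
Added example, not part of any post in this thread: a small Python check that can be run on a client PC after the Local DNS Records rollout to confirm that Google search hostnames resolve only to the addresses of forcesafesearch.google.com. The host list, the function names and the sample answers (RFC 5737 documentation addresses, not real Google IPs) are assumptions made for the example.

```python
import socket

SAFE_HOST = "forcesafesearch.google.com"  # hostname named in the thread

def system_resolve(name):
    """Ask the OS resolver (whatever DNS this PC was given); empty set on failure."""
    try:
        infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def check_safesearch(hosts, resolve=system_resolve, safe_host=SAFE_HOST):
    """Return {host: (status, unexpected_addresses)} for each search hostname."""
    safe = resolve(safe_host)
    report = {}
    for host in hosts:
        got = resolve(host)
        if not safe:
            status = "unknown"        # reference name did not resolve; cannot judge
        elif not got:
            status = "unresolved"
        elif got <= safe:
            status = "enforced"       # every answer is a SafeSearch address
        else:
            status = "not enforced"   # at least one answer is a normal address
        report[host] = (status, sorted(got - safe))
    return report

# Constructed answers for an offline run (hypothetical, documentation ranges).
SAMPLE_ANSWERS = {
    "forcesafesearch.google.com": {"192.0.2.120"},
    "www.google.com": {"192.0.2.120"},              # local record in place
    "google.com": {"192.0.2.120", "198.51.100.7"},  # mixed answer
    "www.google.co.uk": {"198.51.100.9"},           # record forgotten
}

def sample_resolve(name):
    return SAMPLE_ANSWERS.get(name, set())

if __name__ == "__main__":
    hosts = [h for h in SAMPLE_ANSWERS if h != SAFE_HOST] + ["images.google.com"]
    # Pass system_resolve instead of sample_resolve to test a live client.
    for host, (status, extra) in check_safesearch(hosts, sample_resolve).items():
        print(f"{host:22} {status:13} {', '.join(extra)}")
```

A "not enforced" result on a mixed answer usually means a stale cached record or a hostname that was left out of the local records.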