Use DNS to force youtube into restricted mode - and Pi-Hole

While this doesn't relate directly to pi-hole (I'm not trying to block YouTube ads), I figured this community may be able to offer insight on layering uses of dnsmasq on top of a pihole device.

I've found here: Control YouTube content available to users - Google Workspace Admin Help, that youtube offers an alternate URL that can be used as a cname for their primary domains that will force youtube into restricted/semi restricted modes.

Essentially, it's this:

Configure Domain Name System (DNS) on your network to add a Canonical Name (CNAME) for the following hostnames:

www.youtube.com
m.youtube.com
youtubei.googleapis.com
youtube.googleapis.com
www.youtube-nocookie.com

For Strict Restricted YouTube access, add restrict.youtube.com as a CNAME for these domains. For Moderate Restricted YouTube access, add restrictmoderate.youtube.com as a CNAME for these domains.

I've been trying to figure out how to/if I can leverage my pihole machine to achieve this, or if I'll have to get another device/server to do it.

I've tried adding cnames to the dnsmasq.conf file, and adding records to a hosts file, but I always get dnsmasq errors and it won't restart, or it restarts and doesn't perform the redirect via the cname - so I'm sure I'm doing something wrong.

This seems close to what I'm trying to do, but even these steps don't yield any fruit.

Wondering if anyone with more dnsmasq/pihole experience can lend any advice.

If it makes a difference, I'm running pihole on Ubuntu 16.04 server.
Thanks

Edit: @jpgpi250 solved this problem in post #4 - changed the answer to post 15 where @jpgpi250 graciously spells out the steps to achieve all of this step by step

I don't understand what it is, you're trying to achieve (interested), the problem however is a duplicate cname
I've created the file from the link you referred to and ran dnsmasq --test
dnsmasq says:

dnsmasq --test
dnsmasq: duplicate CNAME at line 5 of /etc/dnsmasq.d/restrict.conf

remove the fifth line and dnsmasq will start.

What this 'should' do, is essentially filter out mature content from YouTube. For example, on my tablet when I let my kids use it, I can go into YouTube preferences and flip on the Restricted tab, and if they try to access a flagged video, it blocks them. What I want is for this function to just always work on my devices, without needing to turn on settings in each user's browser.

Ah, --test helped. I should have noticed the duplicated line, thanks.

So - now I have dnsmasq successfully restarting, but it's still not returning the right stuff.

root@pihole:~# dig @localhost www.youtube.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @localhost www.youtube.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5781
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;www.youtube.com. IN A

;; ANSWER SECTION:
www.youtube.com. 300 IN A 64.233.177.190

What I've done:
added this to dnsmasq.conf:

cname=www.youtube.com,restrict.youtube.com
cname=youtube-ui.l.google.com,restrict.youtube.com
cname=m.youtube.com,restrict.youtube.com
cname=googleapis.l.google.com,restrict.youtube.com
cname=youtube.googleapis.com,restrict.youtube.com

added this to /etc/hosts:

173.194.219.190 www.youtube.com
173.194.219.100 m.youtube.com
74.125.196.95 googleapis.l.google.com
74.125.138.95 youtube.googleapis.com
173.194.219.136 youtube-ui.l.google.com

I've also created a file (/etc/hosts.mydomain) with the same records as in /etc/hosts, and added:
/etc/dnsmasq.d/02-mydns.conf:

addn-hosts=/etc/hosts.mydomain

to read in the hosts entries from hosts.mydomain

But - I still don't see restricted.youtube.com show when I dig. I feel like I'm close, but missing something small.

The dnsmasq help from the man page
<quote>
--cname=<cname>,<target>
Return a CNAME record which indicates that <cname> is really <target>. There are significant limitations on the target; it must be a DNS name which is known to dnsmasq from /etc/hosts (or additional hosts files), from DHCP, from --interface-name or from another --cname. If the target does not satisfy this criteria, the whole cname is ignored. The cname must be unique, but it is permissable to have more than one cname pointing to the same target.
</quote>
It seems (that is how I read the man entry) you have to make an entry in /etc/hosts file for the target e.g. for restrict.youtube.com (and remove the other entries)

I don't think that is necessary, even counter productive, dnsmasq handles /etc/hosts automatically.

Keep us informed, this may be an option for many users

Gah, that was it! I was putting the wrong stuff in the hosts file, I misinterpreted the definition of target. Thanks!

root@pihole:~# dig @localhost www.youtube.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @localhost www.youtube.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18667
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;www.youtube.com. IN A

;; ANSWER SECTION:
www.youtube.com. 300 IN CNAME restrict.youtube.com.
restrict.youtube.com. 300 IN A 216.239.38.120

So - now - yes, YouTube loads in Restricted Mode:

Awesome!

So - all that really needs to be done is to add the requisite domains to dnsmasq.conf as per the Google website, and then add 'restrict.youtube.com' with its current IP address to the /etc/hosts file, and restart dnsmasq.

Now -- I guess the next thing would be write a script that checks to see if that IP address has changed, and if so - update the hosts file. That's beyond me, but I guess if one day youtube doesn't work, it's easy enough to check to see if it's changed and update the hosts file.

Thanks!

Additionally, though I haven't tested it, this same method can be used to force Google Safe Search. Though it obviously doesn't help with any other search engines.

  1. Add a new CNAME record on your local DNS server for your local Google domain(s) pointing to forcesafesearch.google.com. For this example, we will be using www.google.com. Create a CNAME record for www.google.com that points to forcesafesearch.google.com.

<edit> update the script to allow correct processing for strict.bing.com entry</edit>

Possible solution:
Create update_hosts.sh, make the script executable

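#!/bin/bash

# Refresh the /etc/hosts line for hostname $1 with its current IPv4 address.
update_ip_address() {
	file=/etc/hosts
	# only touch names that already have an entry in the hosts file
	if grep -q "$1" "$file"; then
		# take the first IPv4 address only; dig may return several lines
		IP=$(dig +noall +answer +short @8.8.8.8 "$1" | \
			grep -oE '((1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])\.){3}((1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5]))' | \
			head -n 1)
		# keep the existing entry if the lookup failed and returned nothing
		if [[ -n "$IP" ]]; then
			sed -i "/$1/ s/.*/$IP\t$1/g" "$file"
		fi
	fi
}

update_ip_address restrict.youtube.com
update_ip_address restrictmoderate.youtube.com
update_ip_address strict.bing.com
update_ip_address forcesafesearch.google.com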

Run sudo ./update_hosts.sh to update the hosts file or create a cron file to do it for you.

That works like a champ. Thanks!

I'll throw that in the crontab, and let it run once a week or something, and it'll keep the pi in-line whenever it restarts dnsmasq naturally.

Thanks for all your help here.

In case anyone was keeping score, I realized I have the wrong URLs in this post/in my .conf file.
Here's what SHOULD be in dnsmasq.conf:

cname=www.youtube.com,restrict.youtube.com
cname=m.youtube.com,restrict.youtube.com
cname=youtube.googleapis.com,restrict.youtube.com
cname=youtubei.googleapis.com,restrict.youtube.com
cname=www.youtube-nocookie.com,restrict.youtube.com

with this in /etc/hosts

216.239.38.120 restrict.youtube.com

Then run the script from above periodically to keep the IP address correct in hosts.

The IP of restrict.youtube.com is to be mapped to www.youtube.com, m.youtube.com, etc. So in the host file

216.239.38.120 www.youtube.com
216.239.38.120 m.youtube.com
216.239.38.120 youtube.googleapis.com
216.239.38.120 youtubei.googleapis.com
216.239.38.120 www.youtube-nocookie.com

Personally, I'd use the host record as a backup/alternative if the CNAME method isn't working by itself.

I initially thought this too, but it's not the case. This is what jpgpi250 pointed out earlier. What needs to be in the hosts file is the 'restrict' entry.

And - dnsmasq requires this entry in the hosts in order for the cname record to work -- it didn't work at all until I had restrict in the hosts file (not all the other youtube URLs -- it didn't work at all that way).

This is what I get with the records I posted a couple of posts ago:

dig @localhost www.youtube.com

; <<>> DiG 9.9.5-3ubuntu0.11-Ubuntu <<>> @localhost www.youtube.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18203
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.youtube.com. IN A

;; ANSWER SECTION:
www.youtube.com. 300 IN CNAME restrict.youtube.com.
restrict.youtube.com. 300 IN A 216.239.38.120

I can also confirm a notable reduction in youtube content after making this change.

Last new observation:

There are 2 levels of restriction available 'restrict' and 'restrictmoderate'

'restrict' is their STRICT mode. This is definitely highly restrictive.
'restrictmoderate' is, as it says, MODERATE. This is (apparently) what you get when you turn on the restriction switch inside of the Youtube app. So - in my case, this is actually the level that I want in place in my house for now.

I'm really new to pi-hole, I was trying to keep up with what you guys were doing but I'm having a hard time.
Could you possibly make a step by step on how you did this?
And also if you figured out the Google Safe Search thing.
Thanks in advance. :grinning_face_with_smiling_eyes:

1 Like

Reference for domain names here and here

Create a file /etc/dnsmasq.d/05-restrict.conf, use a higher number if you already have a 05 entry. Don't use 01 (pihole core), 02 (pihole dhcp) or 03 (pihole wildcards):

# reference: https://support.opendns.com/hc/en-us/articles/227986807-How-to-Enforcing-Google-SafeSearch-YouTube-and-Bing

# YouTube
# you can also implement a moderate setting
# replace restrict.youtube.com with restrictmoderate.youtube.com
cname=www.youtube.com,restrict.youtube.com
cname=m.youtube.com,restrict.youtube.com
cname=youtubei.googleapis.com,restrict.youtube.com
cname=youtube.googleapis.com,restrict.youtube.com
cname=www.youtube-nocookie.com,restrict.youtube.com

# SafeSearch
cname=www.google.com,forcesafesearch.google.com

# Bing Family Filter
cname=www.bing.com,strict.bing.com

test (for typos) - should report dnsmasq: syntax check OK.

dnsmasq --test

edit your hosts file

sudo nano /etc/hosts

enter the following entries (leave the original content, just add the following)

216.239.38.120	restrict.youtube.com
216.239.38.119	restrictmoderate.youtube.com
216.239.38.120	forcesafesearch.google.com
204.79.197.220	strict.bing.com

restart the dns service

sudo service dnsmasq restart

I don't think it's really necessary to update the addresses regularly, since it would break protection for a lot of people worldwide, if they changed, but you can run (from time to time) the script that's listed above. The script has changed to allow for the additional entries to be processed correctly!

haven't tried safe search or youtube (kingmoocow seems to have had good results) but bing produces this:

8 Likes
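
Added example, not part of the original thread: a lint to run before restarting dnsmasq, covering the two man-page rules that came up above (a cname must be unique, and its target must already be known from a hosts file or another cname). The function name check_cnames, the temporary files and the sample lines are constructed for illustration, and it assumes the one-alias-per-line cname=<alias>,<target> form used in this thread.

```shell
#!/bin/sh
# Added example: lint "cname=<alias>,<target>" lines against a hosts file.
# check_cnames <conf-file> <hosts-file>; prints findings, returns 1 if any.
check_cnames() {
    awk -F'[=,]' -v hosts="$2" '
    BEGIN {
        # Names dnsmasq learns from the hosts file (every field after the IP).
        while ((getline line < hosts) > 0) {
            sub(/#.*/, "", line)
            n = split(line, f, " ")
            for (i = 2; i <= n; i++) known[tolower(f[i])] = 1
        }
    }
    /^cname=/ {
        alias = tolower($2); target = tolower($3)
        gsub(/[ \t\r]/, "", alias); gsub(/[ \t\r]/, "", target)
        if (alias in first) {
            # dnsmasq refuses to start on this ("duplicate CNAME").
            printf "line %d: duplicate CNAME %s (first at line %d)\n", FNR, alias, first[alias]
            bad = 1; next
        }
        first[alias] = FNR; order[++count] = alias; tgt[alias] = target
    }
    END {
        # A target is fine if it is in the hosts file or is itself a cname
        # alias; otherwise the whole cname line is ignored by dnsmasq.
        for (k = 1; k <= count; k++) {
            a = order[k]; t = tgt[a]
            if (!(t in known) && !(t in first)) {
                printf "line %d: target %s of %s not in %s, cname will be ignored\n", first[a], t, a, hosts
                bad = 1
            }
        }
        exit bad + 0
    }' "$1"
}

# Constructed sample: hosts lists the alias instead of the target, and the
# conf repeats one cname, as in the first attempts earlier in the thread.
tmp=$(mktemp -d)
printf '%s\n' 'cname=www.youtube.com,restrict.youtube.com' \
    'cname=m.youtube.com,restrict.youtube.com' \
    'cname=www.youtube.com,restrict.youtube.com' > "$tmp/restrict.conf"
printf '173.194.219.190 www.youtube.com\n' > "$tmp/hosts"
check_cnames "$tmp/restrict.conf" "$tmp/hosts" || echo "fix the findings above first"
rm -rf "$tmp"
```

The thread's first attempt restarted cleanly and still returned a plain A record; that is the unknown-target case this reports.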

This is well done, thanks for getting to this first.

The added 05 file is also probably a much better practice than what I'm currently doing - putting the cname entries in the dnsmasq.conf file (however it doesn't appear that this file gets overwritten by pihole updates - though it's possible that it gets muddled by other updates in the future (I also haven't yet noticed that 02 and 03 are reserved, guess I haven't added anything that created them).

The addition of bing is also a nice touch. I still haven't tested google safe search though - I'll do that today.

Wish there was a more comprehensive place to find all of these types of settings - the palo alto is good; maybe there really just are not many engines that do this kind of thing.

Thank you so much for your answer and how quickly you got back to me.
I just had one more question.


What is the command to create a /etc/dnsmasq.d/05-restrict.conf? And add in the links.
I'm running it on the Raspberry Pi 3 running Dietpi.
Also I'm just curious, how long have you guys been at this stuff?
When I read people's discussions I'm shocked at how many geniuses are out there and how little I know. There are so many pi projects that are really cool.
So far my favorites are Retropie and Pi-hole

You can find a detailed basic installation manual here. This manual assumes raspbian jessie lite, version march 2017, but most things will be identical. Among other things, it explains how to set up putty and winscp, which will allow you to create/edit files easier.

you might want to append the solution w/ duckduckgo settings?

= DUCKDUCKGO =
duckduck settings

something like
cname=www.duckduckgo.com,safe.duckduckgo.com and then, of course, update the host file w/ IP

= YAHOO =
Not sure if this helps or not; to my knowledge you need a proxy to append, is that true?

"Appending vm=r to a Yahoo search query URL also enables the strictest safe search settings."

Old thread, sorry. Would love to see this as a built-in feature that can be enabled/disabled within the UI. Just a thought...

1 Like

Hi,
I just set up pi-hole today so I'm still learning a lot. I'm trying to force Google and youtube to safe search. Attached is an image of my 05-restrict.conf file and my /etc/hosts file. I've also set up Bing safe search.

Bing safe search works. Google and Youtube do not block anything. Searching for 'Porn', 'Nude', etc. brings up what you would expect from Google and Youtube while Bing tells me I'm under protected search.

For testing whether it's working I've flushed the cache of pi-hole and tried using Firefox and Chrome in incognito mode to make sure nothing was cached.

Any ideas why this configuration is not working for Google and Youtube?