Unbound Force SafeSearch option blocks YouTube Live Streams?

Started by ibrewster, October 25, 2023, 08:20:55 PM

I'm new to OPNsense, just setting up a test router to replace my current router that doesn't do enough for me, so please forgive me if I am missing something obvious.

I turned on the filtering options of the Unbound server, including the Force SafeSearch option, and testing looked good at first - everything worked as expected.

Then I went to YouTube and tried to pull up a live stream that I watch all the time (NASASpaceflight Starbase Live), only to find that *none* of their live streams were listed, and trying to go directly to the one in question gave a "video is not available" error. Much (very frustrating, due to caching I assume) testing later, I discovered that this appears to be due to the Force SafeSearch option. With it enabled, I can't see the live streams, with it disabled I can.

Is this a known issue? If so, is there any way to work around it? I honestly can't understand why forcing SafeSearch would have any effect on YouTube Live streams...

Thanks for any help!

EDIT: Running OPNsense version 23.7.7

So as an alternative to checking the "Force SafeSearch" box, I thought I might just manually set up forcing SafeSearch as per the directions here: https://support.google.com/websearch/answer/186669?hl=en, which for a network instruct you to set www.google.com as a CNAME for forcesafesearch.google.com.

So how would I do this in OPNsense? I am aware of the overrides section of unbound, but that only allows me to create an A record that points www.google.com to a different *IP address*, not refer it to a different hostname. This works, but if the IP address of forcesafesearch.google.com ever changes, it will break and need to be updated, so it's not an ideal solution.

How can I create a CNAME record in OPNsense unbound? Thanks.

So after much digging, it appears that the IP returned for forcesafesearch.google.com is a "virtual" IP address that should be safe to put into the overrides section of unbound. So then I moved on to bing.com, which has something similar with strict.bing.com - only the user can easily go in and turn off safe search there. Apparently going to strict.bing.com simply sets it on initially, and I can't find any way to disable the ability to turn it off. Sigh.

Oh well, at least things will be somewhat safer for my son... unless someone has ideas for how I can improve things more?
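
The concern raised above, that an A-record override pinning www.google.com to the address of forcesafesearch.google.com goes stale if that address changes, can be checked on a schedule. This is an added example, not part of the original posts and not OPNsense's own code: it parses Unbound `local-data` lines and compares each pinned address with what the enforcement hostname currently resolves to. The sample configuration, the addresses (documentation range) and the `www.bing.com` name are constructed assumptions.

```python
import re
import socket

# Unbound syntax, e.g.  local-data: "www.google.com. A 192.0.2.10"
LOCAL_DATA = re.compile(
    r'^\s*local-data:\s*"(\S+?)\.?\s+(?:\d+\s+)?(?:IN\s+)?(?:A|AAAA)\s+([^"\s]+)"',
    re.IGNORECASE)

# Constructed sample; 192.0.2.0/24 is a documentation range, not real addresses.
SAMPLE_CONF = '''
server:
local-data: "www.google.com. A 192.0.2.10"
local-data: "www.bing.com. 300 IN A 192.0.2.20"
'''

# Overridden name -> enforcement name whose address it should mirror.
TARGETS = {"www.google.com": "forcesafesearch.google.com",
           "www.bing.com": "strict.bing.com"}

def parse_overrides(conf_text):
    """Return {hostname: {ip, ...}} for every A/AAAA local-data line."""
    pinned = {}
    for line in conf_text.splitlines():
        m = LOCAL_DATA.match(line)
        if m:
            pinned.setdefault(m.group(1).lower(), set()).add(m.group(2))
    return pinned

def resolve(name):
    """Current addresses for name, as seen by the system resolver."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}

def find_drift(pinned, targets, resolver=resolve):
    """Report hosts whose override is missing or pins an address the target no longer has."""
    drift = {}
    for host, safe_host in targets.items():
        have, current = pinned.get(host, set()), resolver(safe_host)
        if not have or have - current:
            drift[host] = {"pinned": sorted(have), "current": sorted(current)}
    return drift

if __name__ == "__main__":
    # Constructed resolver answers so the demo runs offline.
    fake = {"forcesafesearch.google.com": {"192.0.2.10"},
            "strict.bing.com": {"192.0.2.99"}}
    drift = find_drift(parse_overrides(SAMPLE_CONF), TARGETS, fake.__getitem__)
    for host, d in drift.items():
        print(f"{host}: override {d['pinned']} but target now {d['current']}")
```

For real use, pass the actual override text and leave `resolver` at its default so the enforcement names are looked up live.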

Someone asked a similar question recently, how to enable safesearch.
My suggestion is to use AdGuardHome, there's a plugin from mimugmail that allows you to run it directly and easily on OPN. There you can enable safesearch for the whole network and apply exclusions/inclusions per client too.

Well, the built in unbound has a checkbox to do the same thing (thus leading to this thread), but perhaps AdGuardHome's version works without also blocking YouTube live streams?

Maybe. Both block domain queries based on predefined lists. Unbound defaults in the docs
https://docs.opnsense.org/manual/unbound.html#blocklists
Read the documentation for AdG and see what lists can be used with it.
Once you start using domain blocking you'll need to start tweaking to your needs. In other words you'll find there are exceptions you'd want. This is where AdG makes it easier in my opinion to do those tweaks.
As to that particular exception you want for your streams, I don't know if it is difficult to do or not.
YouTube is notoriously difficult to block within it. Blocking ads for instance is not possible with normal network adblockers. As to whether it is the same with particular "shows" I don't know.