Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
network enforced safe search with IP exclusions
« previous
next »
Print
Pages: [
1
]
Author
Topic: network enforced safe search with IP exclusions (Read 1210 times)
bmilton
Newbie
Posts: 3
Karma: 0
network enforced safe search with IP exclusions
«
on:
October 20, 2023, 11:42:57 pm »
Does anyone know if there is a way to force safe search on the whole network while being able to exclude specific IPs from enforcing it?
I've used the Unbound DNS Blocklist safesearch implementation which seems to be all or nothing.
Was looking at Zen Armor free edition which doesn't support Safe Search. The paid edition does, but then I don't see any indication that it's not also an all or nothing setup.
Logged
cookiemonster
Hero Member
Posts: 1823
Karma: 95
Re: network enforced safe search with IP exclusions
«
Reply #1 on:
October 20, 2023, 11:47:41 pm »
can you define safe search?
Logged
bmilton
Newbie
Posts: 3
Karma: 0
Re: network enforced safe search with IP exclusions
«
Reply #2 on:
October 21, 2023, 03:52:11 pm »
I'm talking about this...
https://docs.opnsense.org/manual/unbound.html
"Enable SafeSearch: Force the usage of SafeSearch on Google, DuckDuckGo, Bing, Qwant, PixaBay and YouTube."
https://www.zenarmor.com/docs/network-security-tutorials/what-is-safe-search
"The Safe Search option is typically enabled for each user or endpoint. However, Zenarmor lets you turn on Safe Search Enforcement for each policy for every network user. This functionality is perfect for school networks where Safe Search is off by default for faculty and staff members but enabled by default for students. With the help of this capability, IT departments may effectively and globally manage Safe Search on the network"
Logged
cookiemonster
Hero Member
Posts: 1823
Karma: 95
Re: network enforced safe search with IP exclusions
«
Reply #3 on:
October 21, 2023, 09:15:32 pm »
Right I see.
I suggest have a look at AdGuardHome plugin for opnsense. Light in resources, can use safesearch and can have per-device settings. Seems to tick all boxes.
Logged
bmilton
Newbie
Posts: 3
Karma: 0
Re: network enforced safe search with IP exclusions
«
Reply #4 on:
October 23, 2023, 11:19:41 pm »
I installed AdGuard and set it up for an alternate port 65535 since I was already running Unbound DNS.
Added a Query Forwarding rule in Unbound to forward to that port.
I can see traffic is flowing through AdGuard and I'm getting lots of cool details on the Adguard dashboard.
Thing is all of the traffic that hits adguard is coming from the same internal IP 192.168.1.1 (My LAN interface).
I see where I can add persistent clients in adguard with custom safesearch rules, but if I add a specific device IP here it gets ignored because all of the traffic is associated with the single IP 192.168.1.1
The runtime clients list shows individual device IPs but requests are all associated with the LAN interface.
Not sure how to get Adguard to see the requests as coming from individual devices. I even tried putting one device on a separate interface with a different IP range. That device is listed as 192.168.200.10 shows up in the adguard runtime list but the traffic requests are still associated with my LAN interface 192.168.1.1.
Logged
cookiemonster
Hero Member
Posts: 1823
Karma: 95
Re: network enforced safe search with IP exclusions
«
Reply #5 on:
October 23, 2023, 11:32:22 pm »
The best thing to do (I think) is to swap listening ports. Have unbound on a custom port, say 65535, and AdguardHome on standard 53. You need to do it on the config file /usr/local/AdGuardHome/AdGuardHome.yaml
Then you have your devices given AdGuard's address (lan:53) as the DNS server to use when requesting the dhcp lease, instead of unbound and should hit AdG directly.
I have it like that and I see the clients nicely.
Then after that is OK, you can have a redirect rule for any stray non-encrypted query that ignores the lease information.
As to why the query forwarding rule doesn't keep the original IP, I couldn't tell.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
network enforced safe search with IP exclusions