DNS Filter: Enable Safe search for Google, but don't restrict YouTube

Author
aley
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/11/03 01:41:05
  • Status: offline
2017/11/03 01:44:35 (permalink)
0

DNS Filter: Enable Safe search for Google, but don't restrict YouTube

We're using a few FortiGate 50E with FortiOS 5.6.2 and DNS filtering, which works great (properly enforces SafeSearch over SSL/TLS without requiring a local certificate to be installed).
 
However, when Safe search is enforced, YouTube restrictions must be set to "strict" or "moderate". Even moderate YouTube restriction blocks LOTS of videos that aren't in any way problematic for a school.
 
Is there a way to have Safe search enabled for search engines (Google, Bing, etc.) but not restrict YouTube?
post edited by aley - 2018/07/20 07:18:01
#1
sub7even
New Member
  • Total Posts : 15
  • Scores: 0
  • Reward points: 0
  • Joined: 2012/01/05 23:39:41
  • Status: offline
Re: DNS Filter: Enable Safe search for Google, but don't restrict YouTube 2017/11/06 16:22:35 (permalink)
0
Looking forward to getting an updated reply on this as well.
#2
gabriel
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/10/02 10:13:41
  • Status: offline
Re: DNS Filter: Enable Safe search for Google, but don't restrict YouTube 2018/10/02 10:14:19 (permalink)
0
Hi, has anyone solved this?
#3
blackhole_route
New Member
  • Total Posts : 17
  • Scores: 0
  • Reward points: 0
  • Status: offline
Re: DNS Filter: Enable Safe search for Google, but don't restrict YouTube 2018/10/13 16:31:56 (permalink)
0
It looks like this is possible at the CLI, at least on FortiOS 6.0.2. You can set safe-search enable on the dnsfilter profile, but not set youtube restricted.
config dnsfilter profile
    edit profilename
        set safe-search enable
        unset youtube-restrict
end
 
 
Another option, which requires a bit of work, is to set up an internal recursive DNS server to do this. Rewrite the documented google.com domains (using something like BIND RPZs) to forcesafesearch.google.com (https://support.google.com/websearch/answer/186669?hl=en), and depending on internal client address, rewrite www.youtube.com (and other associated domains) to restrict.youtube.com or restrictmoderate.youtube.com. Google used to publish the list of domains to rewrite publicly but now apparently has restricted access to that information to GSuite Admin accounts only. If you need it, I can dig it up from config files I'm running currently....
#4
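
The RPZ approach described in the post above, as an added example that is not part of the original post: a Python generator for the policy zone and a per-group BIND view. The group names, subnets, zone names and file names are assumptions, and the Google list holds only the names mentioned in this thread.

```python
# Added example (not from the thread): emit BIND RPZ zone text and view stanzas.
SAFESEARCH = "forcesafesearch.google.com"
# Only names that appear in this thread; Google's full domain list is longer.
GOOGLE_NAMES = ["google.com", "www.google.com", "google.ca", "www.google.ca"]
YOUTUBE_NAMES = ["www.youtube.com"]
YOUTUBE_TARGETS = {
    "strict": "restrict.youtube.com",
    "moderate": "restrictmoderate.youtube.com",
    "off": None,  # leave YouTube answers untouched
}
# Constructed client groups (hypothetical subnets and modes).
GROUPS = {"students": ("192.168.93.0/24", "moderate"),
          "staff": ("192.168.94.0/24", "off")}


def rpz_zone(youtube_mode, serial=1):
    """Return RPZ zone file text: Google always rewritten, YouTube per mode."""
    if youtube_mode not in YOUTUBE_TARGETS:
        raise ValueError(f"unknown YouTube mode: {youtube_mode!r}")
    lines = ["$TTL 300",
             f"@ IN SOA localhost. root.localhost. ( {serial} 3600 900 604800 300 )",
             "@ IN NS localhost."]
    # Owner names are relative to the policy zone; targets are absolute.
    lines += [f"{name} IN CNAME {SAFESEARCH}." for name in GOOGLE_NAMES]
    target = YOUTUBE_TARGETS[youtube_mode]
    if target:
        lines += [f"{name} IN CNAME {target}." for name in YOUTUBE_NAMES]
    return "\n".join(lines) + "\n"


def named_view(group, cidr):
    """Return a named.conf view that applies the group's policy zone by client address."""
    zone = f"rpz.{group}"
    return (f'view "{group}" {{\n'
            f'    match-clients {{ {cidr}; }};\n'
            f'    recursion yes;\n'
            f'    response-policy {{ zone "{zone}"; }};\n'
            f'    zone "{zone}" {{ type master; file "db.{zone}"; }};\n'
            f'}};\n')


def build_all(groups=GROUPS):
    """Return {group: (view stanza, zone file text)} for every client group."""
    return {g: (named_view(g, cidr), rpz_zone(mode))
            for g, (cidr, mode) in groups.items()}


if __name__ == "__main__":
    for group, (view, zone) in build_all().items():
        print(f"# --- {group} ---\n{view}\n{zone}")
```
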
golemb
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/10/15 08:52:37
  • Status: offline
Re: DNS Filter: Enable Safe search for Google, but don't restrict YouTube 2018/10/15 09:08:51 (permalink)
0
I would love an easy built-in solution for this, educational environment. The Enforce Safe Search works great for Google / Bing search engines, users can't turn it off via the browser. Works on every device. My users hate it so I know it's working.

The YouTube filter is way too restrictive even on moderate, this is where the problem is for my users. I tried the above CLI commands on one of my FortiGate firewalls as we're running FortiOS 6.02. They do execute without error in the CLI, but when browsing to YouTube after making the changes via the CLI, YouTube is still in restricted mode. I don't know if someone else can confirm this.

If there was an option via DNS filtering to leave YouTube unfiltered that would be super. Three options for YouTube: Strict, Moderate, Unfiltered. Could this be a feature request?

I have looked at the cookbook for the internal recursive DNS setup, don't really want to go down that path if I don't have to.
post edited by golemb - 2018/10/15 09:48:28
#5
Silver
Gold Member
  • Total Posts : 269
  • Scores: -1
  • Reward points: 0
  • Joined: 2013/02/25 00:43:47
  • Status: offline
Re: DNS Filter: Enable Safe search for Google, but don't restrict YouTube 2019/05/24 00:53:32 (permalink)
0
Dear All,
Can anyone help to block safe search without SSL deep inspection? But users should not be able to have the option to turn off safe search in their browsers.
 
Thanks
silver
#6
jonathanaxford
New Member
  • Total Posts : 7
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/08/24 00:27:00
  • Status: offline
Re: DNS Filter: Enable Safe search for Google, but don't restrict YouTube 2019/08/28 06:10:12 (permalink)
0
Hi all,
 
Resurrecting this thread in the vain hope that a solution was found...
 
We are relying on the DNS Filter to force google safesearch but the youtube restrictions are killing us. We currently have no option of implementing SSL Inspection so would like to try and keep the DNS filter in place, but remove any filtering for youtube...
 
Cheers
 
Jon
#7
lcstn
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/09/04 05:52:19
  • Status: offline
Re: DNS Filter: Enable Safe search for Google, but don't restrict YouTube 2019/09/04 06:28:49 (permalink)
0
Ditto here. Our school is running a 100E on 6.0.3. I'm hoping to keep this thread alive for any resolution to this issue.
#8
jonathanaxford
New Member
  • Total Posts : 7
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/08/24 00:27:00
  • Status: offline
Re: DNS Filter: Enable Safe search for Google, but don't restrict YouTube 2019/09/04 07:08:43 (permalink) Helpful by lcstn 2019/09/04 07:36:31
0
Hi all,
 
I've had confirmation from Fortinet that the DNS filter is an 'all or nothing' setting, it's not possible to remove the YouTube restrictions and keep the Google restrictions on. The only way to cover this is to use SSL inspection and apply the requirements via a webfilter.
 
Cheers

Jon
#9
lcstn
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/09/04 05:52:19
  • Status: offline
Re: DNS Filter: Enable Safe search for Google, but don't restrict YouTube 2019/09/04 07:39:20 (permalink)
0
jonathanaxford
> Hi all,
>
> I've had confirmation from Fortinet that the DNS filter is an 'all or nothing' setting, it's not possible to remove the YouTube restrictions and keep the Google restrictions on. The only way to cover this is to use SSL inspection and apply the requirements via a webfilter.
>
> Cheers
>
> Jon

Jon, thanks for that info. At least I now have some sort of confirmation on the issue. We hope to be implementing SSL inspection in the coming months, so hopefully that'll alleviate some of my users' woes.
#10
Dave Hall
Expert Member
  • Total Posts : 1477
  • Scores: 163
  • Reward points: 0
  • Joined: 2012/05/11 07:55:58
  • Location: Canada
  • Status: offline
Re: DNS Filter: Enable Safe search for Google, but don't restrict YouTube 2019/09/04 08:59:37 (permalink)
0
An alternate solution from the old Cookbook recipe (pre-dating the DNS filter) is to set up a local DNS database and/or create a hairpin "loopback" DNS server to "enforce" or redirect DNS queries to itself, for Google safe search.

The original source link was https://cookbook.fortinet.com/blocking-adultmature-content-google-safesearch/ but the site has since been moved "in-house" to docs.fortinet.com, so not sure where the document is now or if it's been revised or needs to be.

My original scripting notes for the setup are as follows, though I do recall adding/adjusting something to get it to fully work (I think it was adding another DNS record).
 
=================================

config system interface
    edit "dns-loop"
        set vdom "root"
        set ip 10.10.10.10 255.255.255.255
        set type loopback
    next
end

=================================

config system settings
    set gui-dns-database enable
end

=================================

config system dns-database
    edit "Google"
        set domain "google.com"
        set authoritative disable
        config dns-entry
            edit 1
                set hostname "www"
                set ip 216.239.38.120
            next
            edit 2
                set hostname "google.com"
                set ip 216.239.38.120
            next
        end
    next
    edit "Google Canada"
        set domain "google.ca"
        set authoritative disable
        config dns-entry
            edit 1
                set hostname "www"
                set ip 216.239.38.120
            next
        end
    next
end

=================================

config system dns-server
    edit "internal_net"
    next
    edit "dns-loop"
    next
end

=================================

config firewall vip
    edit "dns-vip"
        set type load-balance
        set src-filter "192.168.93.1-192.168.93.250"
        set extip 0.0.0.0-239.255.255.255
        set extintf "internal_net"
        set arp-reply disable
        set portforward enable
        set mappedip "10.10.10.10"
        set protocol udp
        set extport 53
        set mappedport 53
    next
end

=================================

config firewall policy
    edit 0
        set name "Map-to-DNS-Internal"
        set srcintf "internal_net"
        set dstintf "dns-loop"
        set srcaddr "all"
        set dstaddr "dns-vip"
        set action accept
        set schedule "always"
        set service "DNS"
    next
end

=================================

NSE4/FMG-VM64/FortiAnalyzer-VM/5.4/6.0 (FWF40C/FW92D/FGT200D/FGT101E)/ FAP220B/221C
#11
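
A way to verify from a client which rewrites the resolver actually applies, whichever of the approaches in this thread is deployed (added example, not code from any poster or from Fortinet). It compares the answers for www.google.com and www.youtube.com with those for the enforcement hostnames named in the thread; the function names are assumptions and only IPv4 answers are checked.

```python
"""Added example: report which SafeSearch / YouTube rewrites a resolver applies."""
import socket

# Enforcement hostnames as named earlier in this thread.
GOOGLE_FORCED = "forcesafesearch.google.com"
YOUTUBE_MODES = {
    "strict": "restrict.youtube.com",
    "moderate": "restrictmoderate.youtube.com",
}


def system_resolve(name):
    """Return the set of IPv4 addresses the configured resolver gives for name."""
    try:
        infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def audit(resolve=system_resolve):
    """Classify the resolver's behaviour; `resolve` maps a hostname to a set of IPs."""
    google = resolve("www.google.com")
    forced = resolve(GOOGLE_FORCED)
    youtube = resolve("www.youtube.com")

    # SafeSearch is enforced when every answer for www.google.com is one of
    # the addresses of the forced-SafeSearch host.
    result = {"google_safesearch": bool(google) and google <= forced}

    if not youtube:
        result["youtube_mode"] = "unresolved"
        return result
    result["youtube_mode"] = "unrestricted"
    for mode, host in YOUTUBE_MODES.items():
        # YouTube is pinned to a mode when all of its answers belong to that
        # mode's enforcement host.
        if youtube <= resolve(host):
            result["youtube_mode"] = mode
    return result


if __name__ == "__main__":
    # Run on a client behind the filter; uses the system resolver.
    print(audit())
```

The target state asked for in the thread is `google_safesearch` true with `youtube_mode` reported as `unrestricted`.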