DNS Safe Search

Zyxel_Richard
Zyxel_Richard Posts: 254  Zyxel Employee
edited May 17 in Security Service

Introduction

DNS Safe Search is a feature designed to enhance content filtering on firewalls by automatically enforcing safe search mode on popular search engines. This feature ensures that inappropriate or adult-oriented content is filtered out when users perform web searches. DNS Safe Search is currently available on firewalls and not yet supported on security routers.

How DNS Safe Search Works

DNS Safe Search works by intercepting DNS queries from client devices and redirecting them to safe search versions of search engine websites. This process ensures that the safe search feature cannot be disabled by the client browser.

Types of Safe Search

There are two primary types of safe search implementations:

  • DNS Safe Search:
    • Mechanism: Intercepts and spoofs DNS queries of search engines to redirect users to safe search domains.
    • Supported Engines: Google, YouTube, and Bing.
  • SSL Inspection Safe Search:
    • Mechanism: Uses SSL inspection to modify HTTPS responses from search engines, adding safe search parameters to the URL.
    • Implementation: Found on on-premise firewalls.

Advantages and Disadvantages

DNS Safe Search

Advantages:
  • Minimal Performance Impact: Enabling DNS Safe Search does not significantly affect network performance.
  • Ease of Implementation: Requires no additional setup on end devices.
  • Automatic Redirection: Users are automatically redirected to safe search domains.
Disadvantages:
  • Requires Unencrypted DNS Queries: Cannot intercept encrypted DNS queries (DNS over TLS or HTTPS).
  • Limited Search Engines: Currently supports only Google, YouTube, and Bing.

SSL Inspection Safe Search

Advantages:
  • Intercepts Encrypted DNS Queries: Can intercept and modify encrypted DNS queries.
  • Comprehensive Filtering: Can apply safe search settings more broadly.
Disadvantages:
  • Performance Impact: SSL inspection can reduce network performance.
  • Complex Setup: Requires importing valid certificates on end devices to avoid browser warnings.

Enabling DNS Safe Search

To enable DNS Safe Search, follow these steps:

  • Navigate to Content Filtering: Go to the content filtering section in your firewall's configuration interface.
  • Create a Profile: Click on the "Add" button to create a new content filter profile.
  • Enable DNS Safe Search: In the profile settings, enable the DNS Safe Search option. Optionally, enable "Restrict YouTube Access" to set YouTube to strict or moderate safe search.
  • Select Categories: At least one content filtering category must be selected for the profile to be active. Avoid selecting "Streaming Media" if testing YouTube safe search to prevent blocking YouTube.
  • Bind Profile to Security Policy: Apply the content filter profile to a security policy to enforce DNS Safe Search on specified traffic.

Additional Information

Handling Advanced Users

  • Static DNS Configuration: Even if a user manually sets a static DNS server, the firewall intercepts all DNS queries that pass through it, ensuring safe search enforcement.

Verification

  • Testing Safe Search: Perform a search using terms like "porn" to verify that explicit content is filtered out. The search engine should display a message indicating that safe search settings are controlled by an administrator.

Conclusion

DNS Safe Search is a powerful feature that enhances content filtering by ensuring safe search settings are enforced across supported search engines. This feature is easy to implement, has minimal performance impact, and significantly improves network safety by filtering inappropriate content.
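
A DNS-level complement to the Verification step above, as an added example that is not part of the original post or Zyxel's own tooling: run it on a client behind the firewall to compare what each search engine name resolves to against the provider's safe-search hostname. It assumes the firewall redirects to the safe-search hostnames Google and Microsoft publish (the post does not name them); `check_safe_search`, `system_resolve` and the sample addresses are constructed for illustration.

```python
import socket

# Assumption: the firewall redirects to the safe-search hostnames that Google
# and Microsoft publish; the post itself does not name the redirect targets.
SAFE_TARGETS = {
    "www.google.com": ["forcesafesearch.google.com"],
    "www.youtube.com": ["restrict.youtube.com", "restrictmoderate.youtube.com"],
    "www.bing.com": ["strict.bing.com"],
}

# Constructed answers (documentation address ranges) for an offline dry run.
SAMPLE_ANSWERS = {
    "www.google.com": {"192.0.2.10"},
    "forcesafesearch.google.com": {"192.0.2.10"},
    "www.youtube.com": {"198.51.100.7"},
    "restrict.youtube.com": {"192.0.2.10"},
    "restrictmoderate.youtube.com": {"192.0.2.11"},
    "strict.bing.com": {"192.0.2.20"},
}

def system_resolve(host):
    """IPv4 addresses from the OS resolver (IPv6 answers are not checked)."""
    try:
        infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def check_safe_search(resolve=system_resolve, targets=SAFE_TARGETS):
    """Map each search host to 'enforced', 'not enforced' or 'unresolved'."""
    report = {}
    for host, safe_hosts in targets.items():
        got = resolve(host)
        safe = set().union(*(resolve(s) for s in safe_hosts))
        if not got or not safe:
            report[host] = "unresolved"
        elif got <= safe:
            report[host] = "enforced"      # every answer is a safe-search address
        else:
            report[host] = "not enforced"  # an ordinary address came back
    return report

if __name__ == "__main__":
    sample = check_safe_search(lambda h: SAMPLE_ANSWERS.get(h, set()))
    print("constructed sample:", sample)
    for host, status in check_safe_search().items():
        print(f"{host:18} {status}")
```

A "not enforced" result on a client whose policy has the profile bound is worth checking against the disadvantage listed above: a resolver configured for DNS over TLS or HTTPS sends queries the firewall cannot intercept.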