Sophos Firewall: SafeSearch - Enforcement when using the DPI Engine

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


During the webcast on November 14, 2019 there was the following question and answer:

Q: Web filtering using TLS interception, not Web Proxy - will safesearch be possible using the TLS interception feature in the future?

A: SafeSearch, depending on the content provider, still requires the proxy. We’re looking to add specific hosts in the Sophos Firewall to simplify defining proxy policies for those sites. In that way, you can rely on DPI and TLS for everything else and use the proxy for the specific safe search sites. For Google, at least, there are safe search enforcement alternatives that don’t require the firewall e.g. inserting a DNS record into your DNS server.


I wanted to give instructions on how to enforce SafeSearch in Google and Bing, as well as YouTube restrictions when using DPI mode web filtering.

Google, Bing, and Yahoo provide a mechanism for proxies to enforce SafeSearch using header manipulation.
Google and Bing provide a mechanism for proxies to enforce SafeSearch using DNS manipulation. YouTube provides a mechanism for restricted mode.

In Sophos Firewall, if you use the web proxy, you can enforce SafeSearch by editing the Web Policy and selecting the "Enforce SafeSearch" checkbox. This will enable DNS manipulation (which works with or without HTTPS decryption) and header manipulation when HTTPS is being decrypted.

In Sophos Firewall, SafeSearch cannot be enforced if you use the DPI mode web filtering. The DPI engine can't change IP Address the client is connecting to, nor can it manipulate headers.

However, an administrator can still enforce SafeSearch by changing the resolution on the DNS server clients on your network use.  This might be your network's Sophos Firewall, AD server, router, or other DNS server. Using a DNS CNAME means that clients trying to resolve DomainA will always get the answer to DomainB, which is good if the IP address for DomainB ever changes. However, we have noticed that these domains have existed for years, and the IPs have never changed. Therefore, if a CNAME is not possible, you can use just resolve to the SafeSearch IPs directly.


Google
Change the DNS entry for the following domains to be a CNAME for forcesafesearch.google.com.
www.google.com
Country specific Google domains (www.google.com/supported_domains)
More Information: support.google.com/.../186669

Bing
Change the DNS entry for the following domains to be a CNAME for strict.bing.com.
www.bing.com
More Information: help.bing.microsoft.com/

YouTube
Change the DNS entry for the following domains to be a CNAME for restrict.youtube.com or restrictmoderate.youtube.com
www.youtube.com
m.youtube.com
youtubei.googleapis.com
youtube.googleapis.com
www.youtube-nocookie.com
More Information: support.google.com/.../6214622

 

Steps if you are using the Sophos Firewall as the DNS resolver on your clients:
Go to Network, DNS, and Add DNS host entry.
For the domain name put in the domain to be overridden (eg www.google.com).
For the IP address, put the IP of the CNAME domain (eg 216.239.38.120)




Horizontal line, grammar, substituted XG for Sophos Firewall
[edited by: emmosophos at 1:18 AM (GMT -8) on 15 Nov 2023]
  • Will the adding specific hosts be ready for when v18 reaches a GA stage or will this come in a later release. We have different safe search policies for users, depending on their age and the time of day they are accessing so changing the DNS globally is not an option for us.

  • BenjaminMiller said:

    Will the adding specific hosts be ready for when v18 reaches a GA stage or will this come in a later release. We have different safe search policies for users, depending on their age and the time of day they are accessing so changing the DNS globally is not an option for us.

    It will be added in EAP3.  There is a new FQDN Host Group containing hosts of all the search engines.  You can then create a firewall rule that only applies to those hosts, and which uses the web proxy that supports configuring as part of the Web Policy that is in 17.5.  The later firewall rules that apply to other traffic can still use the DPI Engine.

     

  • Duckduckgo is a proxy based service not a straight internet connection which more than likely will mess with your DNS settings.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • We have discovered that there can be an issue with YouTube Restricted Mode in the Chrome browser sometimes showing search results that are not restricted. Videos themselves are correctly blocked.

    Scope:
    Web Proxy mode only
    HTTPS Decryption Off only
    Transparent mode only
    Chrome browser only (issue not reproduced in other browsers, but could occur)

    In this configuration, the proxy will do the CNAME override and replace the YouTube IPs with restricted YouTube IPs, the client/browser is unaware that this is happening. Chrome will occasionally make a connection to a domain that is not part of he restricted mode to do a Google search and then reuse that connection to do a YouTube search. This causes the search to occur on an IP where YouTube restrictions are not enforced.

    The symptom is that on occasion, searches will contain links to restricted video, but on refresh those videos disappear from the search results. Attempting the view any of the videos and restrictions are enforced.

    The solution is to have the clients access YouTube using the restricted IPs directly, rather than the proxy secretly changing to he restricted IPs. Anyone who is experiencing the problem and would like a solution should use the method described in this post regarding DPI mode.