Knowledge Base  >   Firewall  > 

Force LAN Clients to use Google Safesearch

SafeSearch is a feature offered by major search engines—such as YouTube, Google, Bing, and DuckDuckGo. It helps filter out inappropriate or explicit content from search results. By using the LAN DNS feature, network administrators can enforce SafeSearch for all LAN clients, ensuring that searches across these platforms automatically apply content filtering. Compared to DrayOS 4, where users had to manually map IP addresses or CNAMEs through the LAN DNS function, DrayOS 5 offers a dedicated SafeSearch option. Administrators can now apply SafeSearch to LAN clients with just a few simple selections and checkmarks.

1. Check the IP address SafeSearch in your area: For Windows users, run Command Prompt and enter command “nslookup forcesafesearch.google.com”, record the answer
a screenshot of command prompt window

2. On Vigor Router, set up LAN DNS for Google Search: Go to Applications >> LAN DNS/DNS Forwarding, and click on an index number to edit a profile.

  1. Enable this profile.
  2. Enter Profile name.
  3. Enter Google Search's URL for Domain Name
  4. In IP Address List, click Add. In the pop-up window, enter the IP address of SafeSearch in Host's IP Address, and click OK.
  5. Click OK to apply the settings

a screenshot of DrayOS LAN DNS settings

    
3. With the LAN DNS configuration, when LAN client open Google Search, they will be redirected to Google SafeSearch, and will see a message says that SafeSearch has turned on.
a screenshot of a browser opening Google it shows SafeSearch has turned on

Troubleshooting

If SafeSearch is not turned on as expected. please try the following

  1. Clear DNS cache on the LAN hosts for the LAN DNS to work. For Windows users, this may be done by entering ipconfig/flushdns in command prompt.
  2. Clear the browser's history and cookies.
Router Setup
  1. Enable Force DNS Redirection. Go to Configuration > LAN, click More Settings to view the Force DNS Redirection setting. Toggle the Enabled button to enable Force DNS Redirection.
  2. Create a Keyword Object. Go to Configurations > Objects > Keyword Object, click +Add to include the public DoH DNS server domain names below:
    • Google: dns.google
    • Cloudflare: cloudflare-dns.com
    • OpenDNS: doh.opendns.com
    • NextDNS: dns.nextdns.io
    • Quad9: dns.quad9.net
    • CleanBrowsing: doh.cleanbrowsing.org
  3. Create a Content Filter rule to block the connections that match the keyword objects via Security > Content Filters.
  4. Create Service Objects for UDP Port 443 (used by some DNSCrypt servers) and TCP Port 853 (DNS over TLS) via Configurations > Objects > Service Object.
  5. Create an IP Filter rule to block UDP Port 443 and TCP Port 853 via Security > IP Filters.
  6. Set up LAN DNS SafeSearch profile for Google Search on Vigor Router: Go to Configuration >> DNS >> LAN DNS / Forwarding, and click + Add to add a new profile.
Verification

With the LAN DNS SafeSearch configurations, when a LAN client opens Google Search, they will be redirected to Google SafeSearch. If a LAN user searches for improper content, the search results will be filtered and the page may display a warning message.

Troubleshooting

If SafeSearch is not turned on as expected, please try the following:

  1. Use ping to verify if the ping to www.google.com is redirected to forcesafesearch.google.com successfully. If not, try using ipconfig /flushdns to clear the DNS cache and check if the DNS query goes through the Vigor Router.
  2. If the ping redirection works but SafeSearch is still not enabled, the client may have enabled DoH or DoT secure DNS servers. Clear the browser cache and check the syslog to verify whether the firewall settings have blocked the secure DNS servers.

1. Enable DNS Redirection at LAN >> General Setup.

a screenshot of Vigor3900 LAN General setup  

2. Create a LAN DNS profile, go to LAN >> LAN DNS, click Add to add a new profile, input profile name, and enable this profile.

a screenshot of Vigor3900 LAN DNS profile  

3. There are two methods to set up the Domain Name, by IP and by CNAME, you may use either one of them.

By IP
  1. Input www.google.* as Domain Name
  2. Select “IP” as Type
  3. Input the 216.239.38.120 in IP address, which is the virtual IP for Google SafeSearch (Note that the IP address may change, you may confirm the IP address by typing "nslookup forcesafesearch.google.com” in command prompt.)
    4. a screenshot of Vigor3900 LAN DNS profile of type IP By CNAME
    1. Input www.google.com or www.google.com.tw in Domain name. (Wildcard * is not supported in CNAME mode yet.)
    2. Select "CNAME" as Type
    3. Input forcesafesearch.google.com as CNAME. By using CNAME, the router will resolve forcesafesearch.google.com automatically
    a screenshot of Vigor3900 LAN DNS profile with type CNAME 

    4. Verifying the settings: Go to www.google.com, we should see the message “SafeSearch has turned on”. (If it's not, try clearing the browser's cookies first)

    a screenshot of a browser opening Google and it shows SafeSearch has turned on

Published On:2025-12-16 

Share

Was this helpful?   

book icon

Knowledge Base