For parental control, I tested building a cheap solution that can protect a small network.
I tested with a D-Link DIR-505 and OpenWRT BB v14.7 r42625.

https://support.google.com/youtube/answer/6214622?hl=de

With DNSMasq, it is not possible to configure "Response Policy Zones" that create the CNAME records needed to force the protected mode on YouTube and Google searches. BUT we can create simple A records that do the job.

It is a good idea to block the whole category "search engines" in the OpenDNS dashboard. After that, add an exception for Google, which is safe enough to protect growing children at home.

Here are my notes on how to build this protection with a simple OpenWRT router.

Setup OpenWRT and configure IP Range as needed.

  • Configure DNSMasq (DNS and DHCP) to use the OpenDNS name servers in /etc/config/dhcp
config dnsmasq
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option rebind_protection '0'
list server '208.67.222.222'
list server '208.67.220.220'
option local '/lan/'
option domain 'lan'
option authoritative '1'
option logqueries '0'

config dhcp 'lan'
option interface 'lan'
option leasetime '12h'
option start '20'
option limit '50'
option force '1'
#option dhcp_option '3,192.168.1.254' #default route
  • Register an account on www.opendns.com and configure your network according to your needs
  • Install DDNS scripts on OpenWRT
opkg update
opkg install wget ca-certificates
  • Configure the DDNS script to update your home WAN IP
    /etc/config/opendns_updater.sh
#!/bin/sh
# DESC: script to change dyn IP at opendns.com
# $Revision: 1.1 $
# $RCSfile: opendns_updater.sh,v $
# $Author: chris $
# Copyright (c) Chris Ruettimann <chris@bitbull.ch>

# This software is licensed to you under the GNU General Public License.
# There is NO WARRANTY for this software, express or
# implied, including the implied warranties of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
# along with this software; if not, see
# http://www.gnu.org/licenses/gpl.txt

# OpenWRT: opkg update ; opkg install wget
#           vi /etc/config/opendns_updater.sh #put script here
#           chmod 700 /etc/config/opendns_updater.sh
#           crontab -e  #put: */10 * * * * /etc/config/opendns_updater.sh
#           /etc/init.d/cron enable ; /etc/init.d/cron restart

PATH=/sbin:/bin:/usr/sbin:/usr/bin
#------------------ MyVariables -------------------------------------
USR=user@domain.com
PW=secret123
NETW=MyNetworkName
#------------------------------------------------------------------
URL="https://updates.opendns.com/nic/update?hostname=$NETW"

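test -f /tmp/odns.ip || touch /tmp/odns.ip
LASTIP=$(cat /tmp/odns.ip)
# keep only the line that starts with a digit (the address);
# the pattern is quoted so the shell cannot glob-expand it
CURRENTIP=$(wget -q -O - ip.changeip.com | grep '^[0-9]')

# lookup failed: leave the saved state alone and try again on the next run
if [ -z "$CURRENTIP" ]
then
   logger -t "$(basename "$0")" "could not determine current IP, skipping"
   exit 1
fi

# compare
if [ "$CURRENTIP" != "$LASTIP" ]
then
   logger -t "$(basename "$0")" "LASTIP=$LASTIP CURRENTIP=$CURRENTIP, update it now"
   if wget -nv --http-user="$USR" --http-password="$PW" -O - "$URL" 2>&1 | grep -q good
   then
      logger -t "$(basename "$0")" "update successful"
      echo "$CURRENTIP" > /tmp/odns.ip
   else
      # the password is masked so it does not end up in syslog
      logger -t "$(basename "$0")" "update failed, try exec: wget -nv --http-user=\"$USR\" --http-password=*** -O - \"$URL\""
   fi
else
   logger -t "$(basename "$0")" "LASTIP=$LASTIP CURRENTIP=$CURRENTIP, do nothing"
fi
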
################################################################################
  • Change the VARS according to your needs and enable the script
chmod 700 /etc/config/opendns_updater.sh

crontab -e  
---------------------
*/10 * * * * /etc/config/opendns_updater.sh
---------------------

/etc/init.d/cron enable 
/etc/init.d/cron restart

Configure DNS Masq to force Google and Youtube safe search in /etc/dnsmasq.conf

# youtube restricted search
address=/youtubei.googleapis.com/216.239.38.120
address=/m.youtube.com/216.239.38.120
address=/www.youtube.com/216.239.38.120

# youtube mobile clients
address=/android.googleapis.com/216.239.38.120
address=/android.clients.google.com/216.239.38.120
address=/www.youtube-nocookie.com/216.239.38.120
address=/www.googleapis.com/216.239.38.120

# google safe search
address=/www.google.com/216.239.38.120
address=/www.google.ac/216.239.38.120
address=/www.google.ad/216.239.38.120
address=/www.google.ae/216.239.38.120
address=/www.google.af/216.239.38.120
address=/www.google.ag/216.239.38.120
address=/www.google.al/216.239.38.120
address=/www.google.am/216.239.38.120
address=/www.google.as/216.239.38.120
address=/www.google.at/216.239.38.120
address=/www.google.az/216.239.38.120
address=/www.google.ba/216.239.38.120
address=/www.google.be/216.239.38.120
address=/www.google.bf/216.239.38.120
address=/www.google.bg/216.239.38.120
address=/www.google.bi/216.239.38.120
address=/www.google.bj/216.239.38.120
address=/www.google.bs/216.239.38.120
address=/www.google.bt/216.239.38.120
address=/www.google.by/216.239.38.120
address=/www.google.ca/216.239.38.120
address=/www.google.cat/216.239.38.120
address=/www.google.cc/216.239.38.120
address=/www.google.cd/216.239.38.120
address=/www.google.cf/216.239.38.120
address=/www.google.cg/216.239.38.120
address=/www.google.ch/216.239.38.120
address=/www.google.ci/216.239.38.120
address=/www.google.cl/216.239.38.120
address=/www.google.cm/216.239.38.120
address=/www.google.cn/216.239.38.120
address=/www.google.co.ao/216.239.38.120
address=/www.google.co.bw/216.239.38.120
address=/www.google.co.ck/216.239.38.120
address=/www.google.co.cr/216.239.38.120
address=/www.google.co.hu/216.239.38.120
address=/www.google.co.id/216.239.38.120
address=/www.google.co.il/216.239.38.120
address=/www.google.co.im/216.239.38.120
address=/www.google.co.in/216.239.38.120
address=/www.google.co.je/216.239.38.120
address=/www.google.co.jp/216.239.38.120
address=/www.google.co.ke/216.239.38.120
address=/www.google.co.kr/216.239.38.120
address=/www.google.co.ls/216.239.38.120
address=/www.google.co.ma/216.239.38.120
address=/www.google.co.mz/216.239.38.120
address=/www.google.co.nz/216.239.38.120
address=/www.google.co.th/216.239.38.120
address=/www.google.co.tz/216.239.38.120
address=/www.google.co.ug/216.239.38.120
address=/www.google.co.uk/216.239.38.120
address=/www.google.co.uz/216.239.38.120
address=/www.google.co.ve/216.239.38.120
address=/www.google.co.vi/216.239.38.120
address=/www.google.co.za/216.239.38.120
address=/www.google.co.zm/216.239.38.120
address=/www.google.co.zw/216.239.38.120
address=/www.google.com.af/216.239.38.120
address=/www.google.com.ag/216.239.38.120
address=/www.google.com.ai/216.239.38.120
address=/www.google.com.ar/216.239.38.120
address=/www.google.com.au/216.239.38.120
address=/www.google.com.bd/216.239.38.120
address=/www.google.com.bh/216.239.38.120
address=/www.google.com.bn/216.239.38.120
address=/www.google.com.bo/216.239.38.120
address=/www.google.com.br/216.239.38.120
address=/www.google.com.by/216.239.38.120
address=/www.google.com.bz/216.239.38.120
address=/www.google.com.cn/216.239.38.120
address=/www.google.com.co/216.239.38.120
address=/www.google.com.cu/216.239.38.120
address=/www.google.com.cy/216.239.38.120
address=/www.google.com.do/216.239.38.120
address=/www.google.com.ec/216.239.38.120
address=/www.google.com.eg/216.239.38.120
address=/www.google.com.et/216.239.38.120
address=/www.google.com.fj/216.239.38.120
address=/www.google.com.ge/216.239.38.120
address=/www.google.com.gh/216.239.38.120
address=/www.google.com.gi/216.239.38.120
address=/www.google.com.gr/216.239.38.120
address=/www.google.com.gt/216.239.38.120
address=/www.google.com.hk/216.239.38.120
address=/www.google.com.iq/216.239.38.120
address=/www.google.com.jm/216.239.38.120
address=/www.google.com.jo/216.239.38.120
address=/www.google.com.kh/216.239.38.120
address=/www.google.com.kw/216.239.38.120
address=/www.google.com.lb/216.239.38.120
address=/www.google.com.ly/216.239.38.120
address=/www.google.com.mm/216.239.38.120
address=/www.google.com.mt/216.239.38.120
address=/www.google.com.mx/216.239.38.120
address=/www.google.com.my/216.239.38.120
address=/www.google.com.na/216.239.38.120
address=/www.google.com.nf/216.239.38.120
address=/www.google.com.ng/216.239.38.120
address=/www.google.com.ni/216.239.38.120
address=/www.google.com.np/216.239.38.120
address=/www.google.com.nr/216.239.38.120
address=/www.google.com.om/216.239.38.120
address=/www.google.com.pa/216.239.38.120
address=/www.google.com.pe/216.239.38.120
address=/www.google.com.pg/216.239.38.120
address=/www.google.com.ph/216.239.38.120
address=/www.google.com.pk/216.239.38.120
address=/www.google.com.pl/216.239.38.120
address=/www.google.com.pr/216.239.38.120
address=/www.google.com.py/216.239.38.120
address=/www.google.com.qa/216.239.38.120
address=/www.google.com.ru/216.239.38.120
address=/www.google.com.sa/216.239.38.120
address=/www.google.com.sb/216.239.38.120
address=/www.google.com.sg/216.239.38.120
address=/www.google.com.sl/216.239.38.120
address=/www.google.com.sv/216.239.38.120
address=/www.google.com.tj/216.239.38.120
address=/www.google.com.tn/216.239.38.120
address=/www.google.com.tr/216.239.38.120
address=/www.google.com.tw/216.239.38.120
address=/www.google.com.ua/216.239.38.120
address=/www.google.com.uy/216.239.38.120
address=/www.google.com.vc/216.239.38.120
address=/www.google.com.ve/216.239.38.120
address=/www.google.com.vn/216.239.38.120
address=/www.google.cv/216.239.38.120
address=/www.google.cz/216.239.38.120
address=/www.google.de/216.239.38.120
address=/www.google.dj/216.239.38.120
address=/www.google.dk/216.239.38.120
address=/www.google.dm/216.239.38.120
address=/www.google.dz/216.239.38.120
address=/www.google.ee/216.239.38.120
address=/www.google.es/216.239.38.120
address=/www.google.eus/216.239.38.120
address=/www.google.fi/216.239.38.120
address=/www.google.fm/216.239.38.120
address=/www.google.fr/216.239.38.120
address=/www.google.frl/216.239.38.120
address=/www.google.ga/216.239.38.120
address=/www.google.gal/216.239.38.120
address=/www.google.ge/216.239.38.120
address=/www.google.gg/216.239.38.120
address=/www.google.gl/216.239.38.120
address=/www.google.gm/216.239.38.120
address=/www.google.gp/216.239.38.120
address=/www.google.gr/216.239.38.120
address=/www.google.gy/216.239.38.120
address=/www.google.hk/216.239.38.120
address=/www.google.hn/216.239.38.120
address=/www.google.hr/216.239.38.120
address=/www.google.ht/216.239.38.120
address=/www.google.hu/216.239.38.120
address=/www.google.ie/216.239.38.120
address=/www.google.im/216.239.38.120
address=/www.google.in/216.239.38.120
address=/www.google.info/216.239.38.120
address=/www.google.iq/216.239.38.120
address=/www.google.ir/216.239.38.120
address=/www.google.is/216.239.38.120
address=/www.google.it/216.239.38.120
address=/www.google.it.ao/216.239.38.120
address=/www.google.je/216.239.38.120
address=/www.google.jo/216.239.38.120
address=/www.google.jobs/216.239.38.120
address=/www.google.jp/216.239.38.120
address=/www.google.kg/216.239.38.120
address=/www.google.ki/216.239.38.120
address=/www.google.kz/216.239.38.120
address=/www.google.la/216.239.38.120
address=/www.google.li/216.239.38.120
address=/www.google.lk/216.239.38.120
address=/www.google.lt/216.239.38.120
address=/www.google.lu/216.239.38.120
address=/www.google.lv/216.239.38.120
address=/www.google.md/216.239.38.120
address=/www.google.me/216.239.38.120
address=/www.google.mg/216.239.38.120
address=/www.google.mk/216.239.38.120
address=/www.google.ml/216.239.38.120
address=/www.google.mn/216.239.38.120
address=/www.google.ms/216.239.38.120
address=/www.google.mu/216.239.38.120
address=/www.google.mv/216.239.38.120
address=/www.google.mw/216.239.38.120
address=/www.google.ne/216.239.38.120
address=/www.google.ne.jp/216.239.38.120
address=/www.google.net/216.239.38.120
address=/www.google.ng/216.239.38.120
address=/www.google.nl/216.239.38.120
address=/www.google.no/216.239.38.120
address=/www.google.nr/216.239.38.120
address=/www.google.nu/216.239.38.120
address=/www.google.off.ai/216.239.38.120
address=/www.google.pk/216.239.38.120
address=/www.google.pl/216.239.38.120
address=/www.google.pn/216.239.38.120
address=/www.google.ps/216.239.38.120
address=/www.google.pt/216.239.38.120
address=/www.google.ro/216.239.38.120
address=/www.google.rs/216.239.38.120
address=/www.google.ru/216.239.38.120
address=/www.google.rw/216.239.38.120
address=/www.google.sc/216.239.38.120
address=/www.google.se/216.239.38.120
address=/www.google.sh/216.239.38.120
address=/www.google.si/216.239.38.120
address=/www.google.sk/216.239.38.120
address=/www.google.sm/216.239.38.120
address=/www.google.sn/216.239.38.120
address=/www.google.so/216.239.38.120
address=/www.google.sr/216.239.38.120
address=/www.google.st/216.239.38.120
address=/www.google.td/216.239.38.120
address=/www.google.tel/216.239.38.120
address=/www.google.tg/216.239.38.120
address=/www.google.tk/216.239.38.120
address=/www.google.tl/216.239.38.120
address=/www.google.tm/216.239.38.120
address=/www.google.tn/216.239.38.120
address=/www.google.to/216.239.38.120
address=/www.google.tt/216.239.38.120
address=/www.google.ua/216.239.38.120
address=/www.google.us/216.239.38.120
address=/www.google.uz/216.239.38.120
address=/www.google.vg/216.239.38.120
address=/www.google.vu/216.239.38.120
address=/www.google.ws/216.239.38.120
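
A check for the override list above, as an added example that is not part of the original post: it flags names pinned twice, names pinned to an address other than the expected one, and address= lines it cannot parse. The function names and the sample config are constructed for illustration; only the one-name-per-line form used on this page is handled.

```shell
#!/bin/sh
# Added example (not from the original post).
# usage: audit_overrides EXPECTED_IP      (dnsmasq config on stdin)
# Prints one finding per line:
#   DUP NAME            name pinned more than once
#   MISMATCH NAME IP    name pinned to an address other than EXPECTED_IP
#   UNPARSED LINENO     address= line that is not address=/name/ip
audit_overrides() {
    awk -F/ -v want="$1" '
    { sub(/[ \t\r]+$/, "") }                 # drop trailing whitespace
    !/^address=/ { next }                    # comments and other options
    NF != 3 || $2 == "" || $3 == "" { print "UNPARSED " NR; next }
    {
        name = tolower($2)                   # DNS names are case-insensitive
        if (seen[name]++ == 1) print "DUP " name
        if ($3 != want) print "MISMATCH " name " " $3
    }'
}

# Constructed sample config with one duplicate, one mistyped address
# and one truncated line.
sample_conf() {
    cat <<'EOF'
# youtube restricted search
address=/www.youtube.com/216.239.38.120
address=/android.googleapis.com/216.239.38.120
address=/android.googleapis.com/216.239.38.120
address=/www.google.ch/216.239.38.12
address=/www.google.de
server=208.67.222.222
EOF
}

sample_conf | audit_overrides 216.239.38.120
```

On the router, run it against the real file with `audit_overrides 216.239.38.120 < /etc/dnsmasq.conf`; no output means every override is unique and points at the expected address.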

Move DNS Masq config file into config folder

mv /etc/dnsmasq.conf /etc/config/
ln -s /etc/config/dnsmasq.conf /etc/dnsmasq.conf
ls -l /etc/dnsmasq.conf
  • Enable all the services (make sure :)
for d in /etc/init.d/cron /etc/init.d/dnsmasq /etc/init.d/uhttpd
do
   $d enable
   $d restart
done

That's all, not bad for 25 CHF :-)

 

A small note at the end:

Android YouTube clients drove me crazy: safe search did not work with them and I got no hint on the internet ... not even with Google :-)
Enable DNS query logging: option logqueries '1' in /etc/config/dhcp
/etc/init.d/dnsmasq restart
logread -f
Fire a pron query on the mobile client :-)
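
The query-log technique from the note above, as an added example that is not part of the original post: it reads dnsmasq query-log lines and lists the names a given client asked for that were forwarded upstream rather than answered from an address= entry. The function names, client addresses and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# Lists the names one client looked up that dnsmasq forwarded upstream,
# i.e. names that no address= override answered.

# usage: uncovered_names CLIENT_IP [NAME_REGEX]   (query log on stdin)
uncovered_names() {
    awk -v client="$1" -v pat="${2:-.}" '
    {
        for (i = 1; i < NF; i++) {
            name = $(i + 1)
            # query[A] NAME from CLIENT
            if ($i ~ /^query\[/ && $(i + 3) == client) { asked[name] = 1; break }
            # forwarded NAME to UPSTREAM
            if ($i == "forwarded" && (name in asked)) { fwd[name] = 1; break }
            # config NAME is ADDRESS  (answered from an address= line)
            if ($i == "config" && $(i + 2) == "is") { pinned[name] = 1; break }
        }
    }
    END {
        for (n in fwd)
            if (!(n in pinned) && n ~ pat) print n
    }' | sort
}

# Constructed log lines: the state before the mobile-client names were pinned.
sample_log() {
    cat <<'EOF'
Jan  3 10:00:01 dnsmasq[1234]: query[A] www.youtube.com from 192.168.1.23
Jan  3 10:00:01 dnsmasq[1234]: config www.youtube.com is 216.239.38.120
Jan  3 10:00:02 dnsmasq[1234]: query[A] youtubei.googleapis.com from 192.168.1.23
Jan  3 10:00:02 dnsmasq[1234]: forwarded youtubei.googleapis.com to 208.67.222.222
Jan  3 10:00:02 dnsmasq[1234]: reply youtubei.googleapis.com is 203.0.113.10
Jan  3 10:00:03 dnsmasq[1234]: query[A] android.clients.google.com from 192.168.1.23
Jan  3 10:00:03 dnsmasq[1234]: forwarded android.clients.google.com to 208.67.220.220
Jan  3 10:00:04 dnsmasq[1234]: query[A] example.org from 192.168.1.50
Jan  3 10:00:04 dnsmasq[1234]: forwarded example.org to 208.67.222.222
EOF
}

sample_log | uncovered_names 192.168.1.23
```

On the router, feed it the live log with `logread | uncovered_names <client-ip>`. Names already held in the dnsmasq cache are not logged as forwarded, which is why the restart comes before the test query.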