Open source (or plain old free) web content filtering for children
January 9, 2020 2:56 AM

Our daughter is now nine and we've given in and set her up with an account on the laptop using Apple's really rather good parental controls. We can set up when she is and isn't able to login, we can set which applications she can and can't open, and I've set it up so that her default search engine is Swiggle. I've even changed the URL bar behaviour in Chrome (which is the only allowed browser app on that account) so that if she uses the URL bar to search it doesn't just take her to Google. HOWEVER

As we all probably know from fiddling with computers since we were small, it won't be long before she finds out she can simply search on Swiggle for Google, and from there get to Google, and from Google get to wherever she wants to be.

I didn't mention Apple's attempts at web content filtering in my above post because they are WOEFUL. I suppose they are a best attempt but they are SHOCKINGLY bad. If you do a web search for 'porn' using Google, all the usual links on the first page are clickable, instantly revealing some non-unseeable thumbnail images. It's only when you get to page three that one or two of the links when clicked result in a 'You cannot view this page'. To say my wife was shocked at what was possible when supposedly under the control of web content filtering is an understatement!!

So....that got me thinking. How can I do web content filtering like organisations and institutions do it: upstream of the device itself.

We already run PiHole to provide adblocking for the network...so I had a few ideas, but not sure if anyone has any tips?

- Can I set DNS to PiHole on my router but then manually send a parentally managed child's account to use custom DNS, i.e. NOT use PiHole and instead use something like CleanBrowsing?
- Can I set up PiHole to block unsuitable content for just one device and allow the other devices access as normal? It looks like there is some flexibility but it doesn't look easy. And there are lots of posts on the PiHole forum saying this isn't currently possible!
- Can I use software such as E2 Guardian to help? I'm not really sure where I would install E2 Guardian but at least it's peer reviewed and current, unlike GateSentry which is just available as a binary! Massively sketchy if you ask me...

What I'd really like is to use a Pi Zero I have kicking around as a man in the middle filter **for just that account** on that laptop on our network. Any ideas?!

THANK YOU!!
posted by dance to Technology (9 answers total) 12 users marked this as a favorite

 
Honestly the answer to this is to only permit use of the laptop in communal family spaces & keep half an eye on what she’s looking at.

That said, if you want separate DNS / proxy settings for your daughter’s account that she can’t evade, then the simplest way to do that is to make the main house WiFi only available to your account on the laptop & have her account connect to a different WiFi network which you control. Then you can feed all the traffic from this second network through whatever filtering you decide to use.

There are various ways to do this: You could use the WiFi on a Pi (although the signal won’t be great), or some commercial routers will let you set up multiple networks with different network settings. E.g. set the DNS on the second network to point to a second PiHole.
posted by pharm at 3:43 AM on January 9, 2020 [5 favorites]


When my kids were younger, I used to have a filtering proxy called Diladele. It's based on Squid - you can install it on a Pi, and point the DNS on your daughter's laptop to it (so: it doesn't affect any other device that continues to use a standard DNS server). One of the things it does is to force Google searches into "safe mode", which may or may not help the search preview behaviour that you're seeing. If you want to filter HTTPS, you also have to install a new root cert on the laptop so you can decrypt/re-encrypt traffic on the Pi.

The reason I stopped using it is because now we have multiple devices in the house (phones, friend's phones, etc) and it becomes a pain to visit each one and set the DNS / install the root cert manually - all the time knowing that they can work around anyway via their mobile data. Also, it breaks certain built-in Apple features such as the App Store, and whilst it was always possible to fix that with exceptions on a white-list, it was hard to keep up with the rate of change after iOS updates etc. But Diladele was a great product that I was really happy to use & recommend. The developer is also helpful & responsive over email if you have issues. It's a paid-for product, not open-source - although obviously it's built over a bunch of open-source components.

Now, I use OpenDNS. Anyone who connects to my wireless network gets an OpenDNS server as their DNS - and I can whitelist or blacklist categories or specific domains using their web interface. It's free for home/personal use, it works pretty well, and it could possibly even solve the issue that you mention with regard to search previews - you could blacklist google.com as a domain, or (prob better) you could block search engines as a whole category & then whitelist Swiggle as an exception. To work around the restrictions on other devices, I guess you'd only need to manually set a different DNS like 8.8.8.8.

Regardless of any/all of that, pharm is 100% correct that the real answer is to keep the laptop in a communal space, at least until your daughter is a few years older. Also: talk about it as a family & get her used to the idea that a lot of easily accessible content is Horrid & that she really doesn't want to see it, but that you're on her side & you'll help her to navigate.
posted by rd45 at 4:15 AM on January 9, 2020 [2 favorites]


We started off with parental controls, but they broke Scratch, one of the programming languages my son was using. So we agreed to turn them off and build trust instead. This is not a problem that can really be fixed well with technology. Public browsing, history audits, and talking about what's out there and why it's not all appropriate for children will teach kids a lot more than trying to lock down the network and setting up a you-vs-the-kid mindset.
posted by rikschell at 4:56 AM on January 9, 2020 [5 favorites]


Try Open DNS:

https://www.opendns.com/setupguide/#familyshield

It's simple and fairly hassle free.

Basically, it's changing the device's DNS servers for the account in question to:

208.67.222.123
208.67.220.123

There's a walkthrough on the site. If you decide to just do it for every account, it's fairly benign. It won't block 100%, but will catch most of the bad stuff, porn, etc.
posted by signal at 5:31 AM on January 9, 2020 [2 favorites]


I had not heard of Swiggle but I played with it just now. "Porn" may be locked down, but "pron" gets you a Thai dating site and some art on Flickr. "Jeffrey Epstein autopsy" gets you photos of that from tabloids. An image search on "semen" leads to "https://theadonisalpha.com/how-to-ejaculate-further/". I wouldn't be comfortable with Swiggle for my kid, personally.
posted by xo at 5:48 AM on January 9, 2020 [1 favorite]


Hi,

I'm right in the middle of this with a 7 and 10 year old. I'm struggling with two iOS devices - it is a nightmare.
I agree with all the comments above, and supervision/education/trust is a big part of things.

However, I'm not concerned about the trust and education. I expect my kids to be smart enough to defeat any of my network security in 2-4 years. I want to avoid inadvertent or default searches to porn or hate speech. I'm working to filter DNS content to avoid that.

I use DNS filtering from CleanBrowsing.org – DNS that supposedly offers control over image searches, mixed content sites (Imgur, Reddit), locking YouTube Restricted Mode, locking safe search on popular search engines, and more.

The OpenDNS Family Shield DNS IP Addresses are:
• 208.67.222.123
• 208.67.220.123

In the Mac OS System Preferences you can set these DNS addresses and then click the lock button to make the changes require a password. That will bypass the PiHole as DNS for that computer, though. You could install a local adblocking plugin on the child's Mac to block ads and trackers.

You could also set your router or PiHole to use the clean browsing DNS servers as the outbound DNS post-filtering, and then use Network Settings on the Mac to send DNS to the PiHole - but then anyone on the network will be banned from reddit, etc.

You could get two PiHoles - one for kid use that sends outbound DNS to Cleanbrowsing or other filtered DNS, and another for grown-ups that sends to outbound DNS of your choice. Two separate internal IP addresses for the PiHoles will allow you to go device by device.
posted by sol at 6:17 AM on January 9, 2020
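
An added example, not part of any post in this thread: a check that the resolvers a Mac is actually using are only the FamilyShield addresses quoted above, so a fallback to an unfiltered resolver gets noticed. It parses text in the layout of macOS `scutil --dns`; both sample outputs, the LAN address 192.168.1.2 and the function names are constructed for illustration.

```python
import ipaddress
import re

# OpenDNS FamilyShield resolvers as quoted in the thread.
FAMILYSHIELD = {"208.67.222.123", "208.67.220.123"}

# Constructed sample: only the filtered resolvers, plus an mDNS resolver
# entry that carries no nameserver lines.
SAMPLE_FILTERED = """\
DNS configuration

resolver #1
  nameserver[0] : 208.67.222.123
  nameserver[1] : 208.67.220.123
  if_index : 6 (en0)

resolver #2
  domain   : local
  options  : mdns
"""

# Constructed sample: a LAN resolver and a link-local IPv6 resolver have
# appeared next to one filtered address, so lookups can go unfiltered.
SAMPLE_DRIFTED = """\
DNS configuration

resolver #1
  nameserver[0] : 208.67.222.123
  nameserver[1] : 192.168.1.2
  nameserver[2] : fe80::1%en0
  if_index : 6 (en0)
"""

NAMESERVER = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)\s*$")

def nameservers(scutil_text):
    """Return the set of normalised nameserver addresses in the text."""
    found = set()
    for line in scutil_text.splitlines():
        match = NAMESERVER.match(line)
        if match:
            # Drop an IPv6 zone suffix such as %en0 before normalising.
            address = match.group(1).split("%", 1)[0]
            found.add(str(ipaddress.ip_address(address)))
    return found

def unfiltered(scutil_text, allowed=FAMILYSHIELD):
    """Return, sorted, every resolver in use that is not in the allowed set."""
    return sorted(nameservers(scutil_text) - set(allowed))

def filter_in_effect(scutil_text, allowed=FAMILYSHIELD):
    """True only if at least one resolver is set and all are allowed."""
    found = nameservers(scutil_text)
    return bool(found) and found <= set(allowed)
```

On the laptop, the real text comes from `subprocess.run(["scutil", "--dns"], capture_output=True, text=True).stdout`.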


I used to be responsible for this kind of network-level filtering as a sysadmin at a primary school. I retired a couple of years after the whole world decided to follow Google's lead and HTTPS everything by default for what I still consider to be inadequately thought-through reasons. Be that as it may, most of the Web is on HTTPS now, and that means there's now no way to do MITM content filtering without fatally compromising SSL security for everything and that's just not a price I'd be willing to pay.

As for DNS-based filtering: it's utterly trivial to work around. Anybody who wants to do it has an entire Internet full of helpful folks telling them how. It doesn't work for Australia and it won't work for you.

My carefully considered and I believe well-informed opinion, both as an ex IT professional with direct experience in the relevant area and as a parent, is that parental controls on Internet content are so completely useless in the face of even a modest level of will to defy them that putting them in place is counterproductive purely because the act of doing so creates that very will to defy.

You're way way better off with yourself and your kids on the same team from the outset, a team that has had frank discussions about there being all kinds of putrid crap available for the asking out there online, about the impossibility of unseeing certain things once seen, and about the best and most effective content filter being the one they carry around with them inside their own heads, the one that controls what it is they choose to go looking for.

What you want is buy-in from your kids about a deliberate stepping away from potentially nightmare-inducing content as standard policy. And when it comes right down to it, it's easier to get that than it is to get genuine buy-in on not circumventing technological filters. Kids are smart. One or two analogies about the Internet being like a dog park: a fun place to visit, but you need to stay aware of where the dog crap is so you don't end up with it stuck to you and stinking up every place you walk, will make the point quite effectively.

What you also want is to be able to be there to counsel them when they have run headlong into something utterly foul and are having trouble dealing with it. If everybody acknowledges up-front that this is indeed something that will happen from time to time, and that you are not going to be shitty at them for having it happen, they're way more likely to keep you in the loop about what they're doing online than if they feel a need to hide those parts of it that involve a deliberate breaching of your parental control walls.
posted by flabdablet at 6:53 AM on January 9, 2020 [9 favorites]


By the way: people suck at taking advice. The better the advice, the worse we suck at taking it. And the advice we hand out to other people is quite often the advice we really should have taken ourselves.

We did attempt to restrict little ms. flabdablet's total screen time by technological means. I set up a dedicated SSID that was the only one her devices ever got a WPA2 passphrase for, on a time scheduler that restricted the hours during which she got Internet connectivity. As a working netadmin, I set this up unbreakably; there was simply no way for any of her devices, or any of those belonging to her friends and visitors, to get Internet access through our house's connection outside the designated hours.

That's how come she found out at such an early age how to set up a personal hotspot off her phone's mobile data connection. And because we rely on that phone to keep us up to date with blood glucose level monitoring data (she has Type 1 diabetes), we had no choice but to keep topping up the data allowance every time it "mysteriously" ran out again.

Didn't take her long to find out how to force a factory reset on any phone that wasn't performing to her liking, either.
posted by flabdablet at 11:36 AM on January 9, 2020 [3 favorites]


flabdablet: "Didn't take her long to find out how to force a factory reset on any phone that wasn't performing to her liking, either."

Yeah, I'm raising my son to know how to break systems, as well. I still think there's value in avoiding him coming across stuff accidentally.
posted by signal at 12:45 PM on January 9, 2020

