Using a DNS Sinkhole to Enforce Content Restriction

Typically, a DNS sinkhole directs traffic away from a particular target. This procedure describes how to configure a DNS sinkhole to redirect traffic to the Google SafeSearch Virtual IP Address (VIP), which imposes content filters on Google and YouTube search results.

Because Google SafeSearch uses a single IPv4 address for the VIP, hosts must use IPv4 addressing.

Caution

If your network includes proxy servers, this content restriction method is not effective unless you position your threat defense devices between the proxy servers and the Internet.

This procedure describes enforcing content restriction for Google searches only. To enforce content restriction for other search engines, see Using Access Control Rules to Enforce Content Restriction.

Before you begin

This procedure applies to threat defense only, and requires the IPS license.

Procedure


Step 1

Obtain a list of supported Google domains via the following URL: https://www.google.com/supported_domains.

Step 2

Create a custom DNS list on your local computer, and add the following entries:

  • To enforce Google SafeSearch, add an entry for each supported Google domain.
  • To enforce YouTube Restricted Mode, add a "youtube.com" entry.

The custom DNS list must be in text file (.txt) format. Each line of the text file must specify an individual domain name, stripped of any leading periods. For example, the supported domain ".google.com" must appear as "google.com".
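The following script, added here as an example and not part of Cisco's documentation, builds the Step 2 list from the supported_domains text: it strips the leading period from each Google domain, rejects anything that is not a bare domain name, removes duplicates, appends youtube.com for YouTube Restricted Mode, and writes the result as a .txt file. The supported_domains content embedded below is a constructed sample, not a download.

```python
"""Build the custom DNS list for the SafeSearch sinkhole from Google's
supported_domains text (constructed sample embedded below)."""
import re
from pathlib import Path

# Constructed sample of the one-domain-per-line format served at
# https://www.google.com/supported_domains (includes a blank and a duplicate).
SAMPLE_SUPPORTED_DOMAINS = """\
.google.com
.google.ad
.google.co.uk
.google.com.au

.google.com
"""

# A bare hostname: dot-separated labels of letters, digits and hyphens,
# no leading or trailing hyphen in a label, and no leading period.
DOMAIN_RE = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)


def build_dns_list(supported_domains_text: str, restrict_youtube: bool = True) -> list[str]:
    """Return the list entries: each supported Google domain with its leading
    period removed, deduplicated in order, plus youtube.com when requested."""
    entries: list[str] = []
    for raw in supported_domains_text.splitlines():
        domain = raw.strip().lstrip(".").lower()
        if not domain:
            continue  # skip blank lines
        if not DOMAIN_RE.fullmatch(domain):
            raise ValueError(f"not a valid bare domain name: {raw!r}")
        if domain not in entries:
            entries.append(domain)
    if restrict_youtube and "youtube.com" not in entries:
        entries.append("youtube.com")
    return entries


def write_dns_list(entries: list[str], path: Path) -> Path:
    """Write one domain per line as a .txt file ready to upload to the management center."""
    path = path.with_suffix(".txt")
    path.write_text("\n".join(entries) + "\n", encoding="ascii")
    return path


if __name__ == "__main__":
    out = write_dns_list(build_dns_list(SAMPLE_SUPPORTED_DOMAINS), Path("safesearch_sinkhole_list"))
    print(f"wrote {out}")
```

Replace the embedded sample with the real supported_domains download before uploading the file in Step 3.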

Step 3

Upload the custom DNS list to the management center; see Uploading New Security Intelligence Lists to the Secure Firewall Management Center.

Step 4

Determine the IPv4 address for the Google SafeSearch VIP. For example, run nslookup on forcesafesearch.google.com.

Step 5

Create a sinkhole object for the SafeSearch VIP; see Creating Sinkhole Objects.

Use the following values for this object:

  • IPv4 Address—Enter the SafeSearch VIP address.

  • IPv6 Address—Enter the IPv6 loopback address (::1).

  • Log Connections to Sinkhole—Click Log Connections.

  • Type—Choose None.

Step 6

Create a basic DNS policy; see Creating Basic DNS Policies.

Step 7

Add a DNS rule for the sinkhole; see Creating and Editing DNS Rules.

For this rule:

  • Check the Enabled check box.

  • Choose Sinkhole from the Action drop-down list.

  • Choose the sinkhole object you created from the Sinkhole drop-down list.

  • On the DNS tab, add the custom DNS list you created to the Selected Items list.

  • (Optional) Choose a network in Networks to limit content restriction to specific users. For example, if you want to limit content restriction to student users, assign students to a different subnet than faculty, and specify that subnet in this rule.

Step 8

Associate the DNS policy with an access control policy; see Associating Other Policies with Access Control.

Step 9

Deploy configuration changes.