Skip to main content
AravindhN
AravindhN
New Member
September 2, 2025
Question

SafeSearch Enforcement Issue on Mobile Devices

  • September 2, 2025
  • 1 reply
  • 686 views

Requirement
The enforcement is working correctly on laptops with both the web filter and DNS filter enabled. However, on mobile devices, the Chrome browser loads the homepage initially, but subsequent pages are blocked. The expected behavior is that SafeSearch should be enforced right from the homepage, ensuring that even the homepage loads through the enforced SafeSearch..

Use case: College, School

Step-1
Create the loopback interface for enforcing DNS.
Note: The IP address should not be configured anywhere else.

AravindhN_12-1756818760838.png

Step 2: Enable the DNS Database under Feature Visibility.

AravindhN_13-1756818760843.png

Step 3: Block the P**ography category in the Web Filter and enable SafeSearch.

AravindhN_14-1756818760846.png

AravindhN_15-1756818760847.png

Step 4: Block the P**ography category in the DNS Filter as well, and enable Enforce SafeSearch.

AravindhN_16-1756818760850.png

Step 5: For the DNS-Loopback interface, enable the DNS Filter and set the mode to Recursive.
AravindhN_17-1756818760852.png

Step 6: Create the DNS entry for SafeSearch-Google.
I.AravindhN_18-1756818760854.pngII.

AravindhN_19-1756818760858.png


CLI commands for creating the DNS entry to enforce SafeSearch

config system dns-database

    edit "SafeSearch-Google"

        set domain "google.com"

        set authoritative disable

        config dns-entry

            edit 1

                set type CNAME

                set hostname "www"

                set canonical-name "forcesafesearch.google.com"

            next

        end

    next

    edit "google.com"

        set domain "google.cat"

        set authoritative disable

        config dns-entry

            edit 1

                set hostname "www"

                set ip 216.239.38.120

            next

        end

    next

end



Step 7: Policy Creation

You need to assign the DNS server IP as the Loopback interface IP to the devices. Then, create a DNS allow policy above the internet policy. Make sure that NAT is disabled for the DNS service.

 
 

Screenshot 2025-09-02 185310.png


Results:

The Result will be enabled the Enforce search by default to all browsers as mentioned below Screenshot.

AravindhN_21-1756818760866.jpeg

 



DNS filter Logs:

AravindhN_22-1756818760869.png

 







 

 

1 reply

mamatka6
mamatka6
New Member
September 2, 2025

It sounds like what you really want is some kind of content blocking at the network level. What you're talking about sounds like deploying an agent of some kind to individual hosts. IMO the network based solution is going to be easier to administrate than an agent master/slave type application.

Sivaramakrishna
Sivaramakrishna
New Member
September 3, 2025

Here, no agent is required. He tried to block a category (for example, the Adult category), which is successfully blocked on systems but not on mobile devices. To address this, he enforced Safe Search by creating a DNS loopback interface in the firewall, which is mapped to the DNS filter and applied in the policy. This way, users receive the DNS server IP as the loopback interface IP configured in the firewall. Whenever a user tries to access adult content, the DNS server enforces Safe Search.

Terms & ConditionsAccessibility statement