I have been running a pi-hole to block ads on my home network for a while. It’s great! Not only are ads blocked, but it speeds up internet browsing because… the ads do not load. I wondered if it would be possible to use a pi-hole to make a child-safe internet experience to protect the little people in the house.
Sure, there are ways to do this in most routers but they are not ideal. I have an Orbi mesh from Netgear and this has two parental control options: “Live Parenting Control” which is seemingly being deprecated as they push “Circle” by Disney. If the words “by Disney” alone were not enough to trouble anybody, 1) it works by doing an ARP poisoning attack on the router, 2) Disney (or whoever) would be logging all requests from the network, and 3) the free version is limited and you have to pay for full protection. So, can a pi-hole be used to make a (free) child-safe internet experience? Yes! The trick is how to do that while maintaining a full-bodied internet for everyone else (and maintain ad-blocking for everyone).
Existing set-up
I have the Orbi router doing DHCP assignment (static IPs for some stuff and a range for dynamic assignment). DNS points to the ad-blocking pi-hole which is wired to the router. Yes, I know I can have the pi-hole doing DHCP and I have run it this way with a different router but this configuration is how I have it right now. The router doesn’t allow DNS settings to be assigned to each device. I’ll describe how I made the second pi-hole and then how I integrated it into this set up.
Making a blockhole
I bought a RPi Zero W, with pibow case, power supply and 8 GB SD card. My ad-blocker pi-hole runs on a RPi 3B+ and has a bigger card, but there was no need for something that would not handle much traffic.
I installed Raspbian Stretch Lite (I wasn’t sure if pi-hole is supported under Buster). Legacy downloads of Stretch are available from the Raspberry Pi website. The RPi zero has miniHDMI out to connect to a monitor for the setup. I customised it a bit, enabled ssh and VNC so that I could control it headlessly. Next I gave it the name blockhole to distinguish it from the other RPis on the network. I assigned a fixed IP via the router and then ran the pi-hole installation as described on the pi-hole site. I could see the dashboard and log in OK, so all was good.
At this point, I simply had a second ad-blocking pi-hole on my LAN with no device(s) on the network using it. Firstly, let’s turn it into a parental control device. I wanted three things:
1. Force safe search on Google, Bing, Duckduckgo and YouTube
There is a great thread on how to do this on the pi-hole discourse site. The relevant link is here. Jayke Peters made a really simple bash script to modify the appropriate files on a pi-hole to do this (other people in the thread worked out how to force safe search). In case that link disappears:
wget https://raw.githubusercontent.com/jaykepeters/Scripts/Deployment/Pi-hole_SafeSearch.sh
mv ./Pi-hole_SafeSearch.sh /usr/local/bin/
chmod a+x /usr/local/bin/Pi-hole_SafeSearch.sh
Pi-hole_SafeSearch.sh --enable
This can all be done via ssh to the blockhole. The last line needs to be run as sudo. You can check that it has generated the appropriate file by:
cd /etc/dnsmasq.d/
ls
You should see a file called 05-restrict.conf in there if everything went OK.
Enforcing safe search is such a great idea. Kids can type in a rude word into a search engine and get all kinds of inappropriate content. This change forces the search to be done via the “safe search” settings. It really works. The same rude word search with enforced safe search brings down harmless results on Google for example.
2. Block inappropriate sites outright
The script adds wildcard blocks for common terms found in adult site URLs. This means that these sites are just blocked outright. This is a good method. The alternative is to add blocklists to the pi-hole. There are some available on GitHub. Even those that have 1 million URLs will not block the sites that will spring up tomorrow or next week. So just blocking based on common terms like xxx should work better.
3. Add some more blocks
YouTube is forced into safe search, but what if you just want to block it outright? Or any other site? You can blacklist any site using the pi-hole admin page. Log in and select blacklist. The wildcard function will deal with URL variants. The script mentioned above also blacklists other search engines that have no safe search capacity, e.g. ecosia. I added a bunch of other sites here that I wasn’t happy about, e.g. Facebook, to round off the blockhole.
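The regex filters quoted in the comments on this page, (^|\.).+xxx$ and (^|\.).+sexy$, are anchored to the end of the domain name, so it is worth checking what they do and do not cover before relying on them. The following is an added example, not part of the original post or of the script it describes; it assumes grep -E is a fair offline stand-in for pi-hole's POSIX extended regex matching, and the test domains and the unanchored xxx pattern are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which domains a set of pi-hole style regex filters blocks.

# Patterns exactly as quoted in the comments on this page.
PAT_XXX='(^|\.).+xxx$'
PAT_SEXY='(^|\.).+sexy$'
# Hypothetical unanchored variant, shown for contrast only.
PAT_ANYWHERE='xxx'

# is_blocked DOMAIN PATTERN...
# Exit status 0 if any pattern matches the domain, 1 otherwise.
is_blocked() {
    domain=$1
    shift
    for pat in "$@"; do
        if printf '%s\n' "$domain" | grep -Eq -e "$pat"; then
            return 0
        fi
    done
    return 1
}

# audit PATTERN...
# Print a BLOCK/ALLOW verdict for each constructed test domain.
audit() {
    for d in example.xxx www.example.xxx xxx.example.com \
             examplexxx.com example.sexy sexy-example.net; do
        if is_blocked "$d" "$@"; then
            printf 'BLOCK  %s\n' "$d"
        else
            printf 'ALLOW  %s\n' "$d"
        fi
    done
}

echo "== patterns quoted on this page =="
audit "$PAT_XXX" "$PAT_SEXY"

echo "== with the unanchored variant added =="
audit "$PAT_XXX" "$PAT_SEXY" "$PAT_ANYWHERE"
```

The end-anchored patterns only catch names that finish with the term, such as the .xxx and .sexy top-level domains, while a name that merely contains the term is allowed. An unanchored pattern closes that gap at the cost of blocking every domain containing those letters, so check it against the query log before keeping it.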
Upstream DNS
On the ad-block pi-hole I use Cloudflare 1.1.1.1 as the upstream DNS. It is possible to use a service which has family filtering instead. OpenDNS has an option for doing this (which may be pay-for-service – I’m not sure). Neustar or other services will give filtering of inappropriate content. Note that they will be logging requests, but only from the kids’ devices, so it’s different to the Disney scenario mentioned above.
Integration into the network
The next step was to get it working with the existing network. As described above, we want to maintain a full-bodied but ad-blocked experience for everyone else.
The simplest method was to alter the DNS settings on the devices that the kids use. The DNS address is the blockhole and so they get child-safe internet. Depending on the device, the setting is quite obscure and can be locked in the case of a kid’s account on a Mac. If they figure out how to change the DNS, it is possible to hand out the blockhole address from the router and manually assign the ad-blocker pi-hole DNS to devices used by adults. It’s not perfect but it will do.

Finally, what about time-limiting the internet? Well, the router has options to pause the internet per device and it is possible to run the blockhole on a scheduler to only allow internet at certain times. This is not as sophisticated as the Circle system where there is an option to have x minutes of internet per day and the possibility to reward more minutes for good behaviour etc.
The point of this post was to share how to set up this system and integrate it with an existing pi-hole. None of the work is mine, it was all done with a bit of searching, but I thought it was worth posting my solution in case it helps other parents or carers out there.
If you use pi-hole to block ads or to make a blockhole, consider donating to this useful project.
—
The post title comes from the track “Child’s Play” from African Head Charge’s Akwaaba LP.
FYI, 8.8.8.8 is Google’s DNS. Cloudflare’s is 1.1.1.1
Thank you, yes you are correct and that is what I’m using. I’ll edit the post.
Could you write a follow-up about Circle’s more recent version, and how it compares with competitors like CleanRouter?
Thanks, but I am getting the errors below when executing sudo Pi-hole_SafeSearch.sh --enable
/usr/local/bin/Pi-hole_SafeSearch.sh: line 48: syntax error near unexpected token `^’
/usr/local/bin/Pi-hole_SafeSearch.sh: line 48: ` “(^|\.).+xxx$”‘
Hi Harry, not sure… a possibility is that there are smart inverted commas in the sh file that are causing the error. If you downloaded the script from https://raw.githubusercontent.com/jaykepeters/PSS/master/Pi-hole_SafeSearch.sh it should be fine, but if you did copy-paste, the ” can get changed.
I had the same error. I think there is a format error in the file; there is an easy command in Unix to fix formatting issues.
Install dos2unix
sudo apt install dos2unix
then, simply type below
dos2unix /usr/local/bin/Pi-hole_SafeSearch.sh
I get the same error. I opened a bug report on it at https://github.com/jaykepeters/PSS/issues
If you comment out line 192 it will run but not catch the regex. After messing with it, it started to work.
This was the last thing I was trying thinking it was a shell issue:
sudo bash /usr/local/bin/Pi-hole_SafeSearch.sh -e
after that it started working fine. No idea why.
Even after enabling, it looks like my regex blocklist is not working as expected. I see tags of the type “(^|\.).+sexy$” in Blacklist management, but when I try to open websites with those words, it is still working. Any ideas?
That’s strange, when I add new regex to the blacklist it blocks them straight away.
If you check the logs in the block hole, can you verify that your test requests a) go via the block hole and b) were approved. If you login to the block hole via the web interface and click query logs, you should see forwarded domains as OK in green, blocked domains in red.
The people on the pi-hole sub-reddit can sort out most problems with configuration.
Clever and simple. Works exactly as advertised. And since I know how it works, I’m much more comfortable trusting this for the household as opposed to ARP poisoning and monitoring crap that is commercially available. Thanks for taking the time to write it up and put the scripts together!
Check into nxfilter as well as pihole. I found pihole didn’t have everything I needed. Nxfilter seems to fit my needs for the rest of it