Although it is one of the oldest protocols that is still used on the Internet, DNS is far from "old". It has been changed and updated many times and many applications are now relying on it that didn't in the first place. Without DNS we would not find the servers that serve us the websites that we want, emails won't reach the right server and we now even use it to distribute key material with DANE.
Those applications have all not been foreseen by the designers of the Internet, but additions like DNSSEC allow us to use DNS in a more flexible way. What hasn't been foreseen in those times was that the whole Internet will be using HTTPS.
How does it work?
Safe Search used to work as follows. When a HTTP request was being sent to the search engine, the IPFire proxy would have added a flag that tells the search engine to filter adult and violent content. Since everyone is using HTTPS now, we no longer can intercept that HTTP request and change it without breaking the encryption.
That is why DNS has now a new responsibility: Divert those DNS requests to servers that only serve the filtered content. For Google that would be
forcesafesearch.google.com instead of
google.com. So when a request is being sent to google.com, it would instead be sent to a different server that already knows that it is responsible for Safe Search. That way, the request itself no longer has to be modified.
Currently this is supported for:
At the time of writing, those websites are the only ones that I am aware of that support it.
Who is it for?
If you are running IPFire in a school, you can now filter adult content, violent, criminal and other websites that are not suitable for children or teenagers from the search results. Videos just won't play either. Because it is being implement using DNS, there are no additional settings needed on the devices. That means even when you are running BYOD in your school, your network won't allow to view such content.
A large downside is that it cannot be controlled what is being blocked. That is all up to the operators of those websites. If you have a class about sex education, some results that you might want may be filtered. However, you can still browse those websites directly, because Safe Search only changes the search results.
For better protection, you will still have to deploy the URL filter and force your devices to use the proxy in order to filter direct access to unsuitable websites.
This feature has been developed and tested in close partnership with Brecht-Schule Hamburg, Germany for who it is very important to protect their students, but who are also very interested in trying new things and improving IPFire for their own use.