Filtering YouTube with Bind9 Using a Response Policy Zone


In the educational world, YouTube has been considered a ‘bad’ word.  This is a bit troubling considering the wealth of information available on YouTube that could be used for educational purposes.  Many school districts are unaware of the tools they have to filter YouTube, which may reduce the likelihood of a student stumbling across objectionable content.  One of the best tools currently available is the ability to force filtering of YouTube by using a Response Policy Zone, or RPZ.  By using an RPZ you can force filtering for all devices on your network, provided they are using your DNS server.  In this article, we’ll focus on the configuration of an existing Bind9 server running on *nix.  The setup is pretty simple and should take about 10 minutes to complete if you are already using Bind as your name server and are familiar with *nix.

The first thing we need to do is add a response-policy statement to the global options area.  Some Linux distributions put the global options in their own file (e.g. /etc/bind/named.conf.options).  Your options should look like this…

options {
 // All your existing settings should be here...
 response-policy { zone "rpz"; };
};

Next we need to define the zone for the RPZ.  It is typically best to place the zone definition in your *.local file (e.g. /etc/bind/named.conf.local).

zone "rpz" IN {
 type master;
 file "/etc/bind/rpdb.zone";
 allow-query {none;};
};

Lastly we need to create and define the /etc/bind/rpdb.zone file.  This file should look something like this…

$ORIGIN rpz.
$TTL 1H
@       IN       SOA       dns1.yourdomain.com. root.yourdomain.com. (
                           7
                           1H
                           15m
                           30d
                           2h )
                           NS LOCALHOST.

www.youtube.com           IN CNAME restrict.youtube.com.
m.youtube.com             IN CNAME restrict.youtube.com.
youtubei.googleapis.com   IN CNAME restrict.youtube.com.
youtube.googleapis.com    IN CNAME restrict.youtube.com.
www.youtube-nocookie.com  IN CNAME restrict.youtube.com.
; These are for safe search and have nothing to do with YouTube, but
; you might be interested in implementing these as well.
google.com                IN CNAME forcesafesearch.google.com.
www.google.com            IN CNAME forcesafesearch.google.com.

A few things to note:

  1. You will need to change the SOA names; in this case, we used the placeholders dns1.yourdomain.com. and root.yourdomain.com.
  2. Do not add periods after www.youtube.com, m.youtube.com, and youtubei.googleapis.com like you normally would for FQDNs.  You don’t use them in an RPZ file, because these names are relative to the zone origin (rpz.).  The CNAME targets on the right-hand side do keep their trailing period.
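
A small pre-flight check for the zone file, as an added example that is not part of the original article: it reads RPZ zone text, lists the rewrites it defines, and flags owner names written with a trailing dot (note 2), CNAME targets missing one, and `//` lines, which the zone-file format does not accept as comments (it uses `;`). The function name lint_rpz and the sample zone text are assumptions made for this illustration.

```python
import re

# Constructed sample: records from the article plus two deliberate mistakes
# (a trailing dot on an owner name, and a '//' comment line).
SAMPLE_ZONE = """\
$ORIGIN rpz.
$TTL 1H
@  IN SOA dns1.yourdomain.com. root.yourdomain.com. ( 7 1H 15m 30d 2h )
   NS LOCALHOST.
www.youtube.com           IN CNAME restrict.youtube.com.
m.youtube.com.            IN CNAME restrict.youtube.com.
// safe search
www.google.com            IN CNAME forcesafesearch.google.com.
"""

# owner [ttl] [IN] CNAME target [; comment]
CNAME_RE = re.compile(
    r"^(\S+)\s+(?:\d\w*\s+)?(?:IN\s+)?CNAME\s+(\S+)\s*(?:;.*)?$", re.I)

def lint_rpz(text, origin="rpz."):
    """Return (rewrites, problems) for the text of an RPZ zone file."""
    rewrites, problems = {}, []
    suffix = "." + origin
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if stripped.startswith("//"):
            problems.append((lineno, "'//' is not a zone-file comment, use ';'"))
            continue
        m = CNAME_RE.match(raw.rstrip())
        if not m or stripped.startswith(";"):
            continue  # directives, SOA/NS records, blanks, ';' comments
        owner, target = m.group(1).lower(), m.group(2).lower()
        if owner.endswith(".") and not owner.endswith(suffix):
            problems.append((lineno, f"{owner} has a trailing dot, so it is outside {origin}"))
            continue
        if not target.endswith("."):
            problems.append((lineno, f"target {target} needs a trailing dot"))
            continue
        # Accept both relative owners and ones fully qualified under the origin.
        trigger = owner[:-len(suffix)] if owner.endswith(suffix) else owner
        rewrites[trigger] = target
    return rewrites, problems

if __name__ == "__main__":
    rewrites, problems = lint_rpz(SAMPLE_ZONE)
    for name, target in rewrites.items():
        print(f"{name} -> {target}")
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
```
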

Once the zone file is in place, restart Bind and let’s test it out!

nslookup www.youtube.com

You should get a non-authoritative answer of restrict.youtube.com.

If so, you should be all set.  Head over to www.youtube.com and type in your favorite naughty search word, and you should get a message like…

[Screenshot: Blocked YouTube]

If your results aren’t filtered, don’t panic.  This is where the named-checkconf utility comes to the rescue.

 sudo named-checkconf -z /etc/bind/named.conf

You should not see any errors when running this command.  If you do see errors, correct them and try again.

YouTube also provides the following page to help troubleshoot any issues you may encounter.

https://www.youtube.com/check_content_restrictions

It should be stated that YouTube filtering isn’t perfect by any means.  It relies on self-reporting of the content uploaded as well as end-user reporting, so don’t be surprised if something does get through.