Brave has now broken this feature. Fire those groomers now. The whole point of safesearch.brave.com was to have a search url that could lock kids phones into safe search without the option to be toggled on.
But then some fool added a toggle off function DIRECTLY IN THE IMAGE SEARCH . What are you smoking?
@Mattches , perhaps this could be a good opportunity for the Search team to reconsider the priority of this issue? The current state of Search is unfortunately not safe for minors. Providing CNAME DNS filter support would also help protect Search users from potential exposure to child sexual abuse material (CSAM).
As per the above post, the “bypass_safesearch_strict” boolean in the Brave Search API should not be applicable for any SafeSearch users who are intentionally enforcing it (that is, either visiting the safesearch.brave.com domain or through the requested CNAME DNS record filter support, like how Google, Bing, and DuckDuckGo all support).
@brendan@Mattches Thanks so much for working on this change, as this will help make a positive difference for online safety worldwide. There are just a couple of important issues outstanding—there might be a bit of tech jargon here for the Brave Search team:
We suspect that the new system isn’t working correctly. We’ve successfully installed the CNAME system into our cloud database (setting search․brave․com to forcesafe․search․brave․com), but when a user opens search․brave․com and is automatically redirected to the safe․search․brave․com domain, they get a certificate error blocking them from doing anything, because a certificate for the forcesafe․search․brave․com domain is expected. In a nutshell, Brave Search stops working when we put the CNAME system in place, with regard to how Brave has implemented the CNAME system in its infrastructure. What we’ve usually seen for other search providers, such as Google, is that when a user browses Google (for example, through the www․google․com domain), the visitor isn’t redirected to another domain—they continue to browse as normal on www․google․com, but the DNS address networking in the background resolves to forcesafesearch․google․com, triggering the SafeSearch system with no actual domain redirects inside the browser required. I’m pretty sure that search engines with CNAME systems are meant to behave this way.
When browsing inside the enforced SafeSearch experience, the Images menu has a button called “Show this time”, which shouldn’t be available as an option. This is tied to the “bypass_safesearch_strict” feature in the Brave Search API, which also shouldn’t be available for users inside the enforced SafeSearch experience.
@brendan@Mattches our organization is considering backing “brave engine” to the blocked list if there’s no update on this. Is there something working in progress on your side?
My name is Kamil and I’m search platform engineer here in Brave.
@kirwan_safesurfer the issue you described with bypassing safesearch by using bypass_safesearch_strict query string has been solved this week. Thank you for reporting the issue.
I can confirm that the issue with the invalid certificate exists and is reproducible. The problem arises when a CNAME record is configured not just for search.brave.com, but also for all subdomains - *.search.brave.com We are actively addressing this issue. We expect to have it resolved by Q2 or Q3 of this year.
I’m from Control D, and our users requested we add Brave to the “safe search” feature we enable via DNS.
Your current implementation works, but could use an improvement to remove the following ambiguity, that requires extra rules.
Currently, we’re spoofing *.search.brave.com to forcesafe.search.brave.com CNAME, this works, however causes collateral damage for the following subdomains, as we treat * as a suffix match.
Since these are subdomains of search.brave.com, they inherit the CNAME spoof, which causes broken TLS as the certificate no longer matches for those 2 subdomains when spoofed. Extra rules for handling subdomains are required to make it work.
Ideally, the following should work without any extra rules, as is the case for all other search engines that support DNS based safe search enablement.
yegor@Office-Box:~$ ./doggo @https://dns.controld.dev/REDACTED search.brave.com
NAME TYPE CLASS TTL ADDRESS NAMESERVER
search.brave.com. CNAME IN 20s forcesafe.search.brave.com. https://dns.controld.dev/REDACTED
forcesafe.search.brave.com. A IN 300s 15.197.160.66 https://dns.controld.dev/REDACTED
forcesafe.search.brave.com. A IN 300s 3.33.205.124 https://dns.controld.dev/REDACTED
yegor@Office-Box:~$ ./doggo @https://dns.controld.dev/REDACTED safe.search.brave.com
NAME TYPE CLASS TTL ADDRESS NAMESERVER
safe.search.brave.com. CNAME IN 20s forcesafe.search.brave.com. https://dns.controld.dev/REDACTED
forcesafe.search.brave.com. A IN 291s 15.197.160.66 https://dns.controld.dev/REDACTED
forcesafe.search.brave.com. A IN 291s 3.33.205.124 https://dns.controld.dev/REDACTED
yegor@Office-Box:~$ ./doggo @https://dns.controld.dev/REDACTED cdn.search.brave.com
NAME TYPE CLASS TTL ADDRESS NAMESERVER
cdn.search.brave.com. CNAME IN 20s forcesafe.search.brave.com. https://dns.controld.dev/REDACTED
forcesafe.search.brave.com. A IN 287s 15.197.160.66 https://dns.controld.dev/REDACTED
forcesafe.search.brave.com. A IN 287s 3.33.205.124 https://dns.controld.dev/REDACTED
@steeven and @Mattches or even @y3ti . Just wanted to tag in as seems we haven’t had any updates since May. Not sure where things stand or what help, if any, can be given.
Sorry for the delay, Safesearch remains on our roadmap. It has been a busy few months for the team, but we will provide you with an update soon on this.
Can you guys please speed this up? This feature is really essential. On top of it, it would be even better to be able to lock the DNS provider in Security settings to clean browsing and make it impossible to unlock. Even if you delete brave and re-install it.
Awesome! What would be even better is not just enforcing safe search, but the DNS provider option within security settings. For example, I choose the Clean Browsing DNS, and then I can lock it by a password or time delay so nobody on the computer can turn it off. Also, this setting will still be applied if someone deletes the Brave app on their computer and re-installs it, because this would also be an easy way to disable/bypass it. For example, in Macbook, you can’t delete an app if it’s running, so if there was an option to keep Brave running and not be able to force quit it, it wouldn’t be able to be deleted.
The best way to do this is to have the DNS provider enable the CNAME system, and then lock the DNS servers onto your own device. For example, we get our users to download and install our app (which installs DNS over HTTPS for all applicable network adapters, which always redirects search requests through to the SafeSearch filtering), and then we get the user to change their Windows or Mac user account settings so that the DNS servers cannot be changed. This means that the filtering always works regardless of the web browser app being installed or not. We also make the secure DNS feature unavailable by setting a policy when our filtering is in place.
For anyone else looking to implement this, it seems to be working well with the following Adblock-style syntax rule: |search.brave.com^$dnsrewrite=NOERROR;CNAME;forcesafe.search.brave.com
The single pipe ensures it does not match subdomains of search.brave.com and cause certificate warnings.
I’m a big fan of Brave’s commitment to privacy and security, and I appreciate all the work that has gone into creating a browser that puts users first. However, I’d like to request an additional feature that I believe would make Brave even better, especially for families and those looking to enforce safer browsing experiences.
Currently, Google offers DNS-level SafeSearch enforcement (e.g., via 1.1.1.3 DNS) that automatically forces SafeSearch to be enabled on all devices connected to the network. This is a great feature for controlling and filtering explicit content at the network level, and it works across all browsers, including Google Chrome.
It would be incredibly helpful if Brave could implement a similar DNS-based SafeSearch enforcement for Brave Search. This feature would allow network administrators, parents, and educators to ensure that Brave Search results are always safe by default, without needing to manually configure SafeSearch in every browser session or device.
Why this feature is important:
It ensures that users of all ages are protected from explicit content when using Brave Search.
It provides a simple, network-wide solution for families, schools, and other environments where content filtering is needed.
It enhances the already robust privacy and security features of Brave, allowing it to compete with other browsers that provide similar DNS-based filtering options.
I hope the Brave team can consider adding this feature, as it would further solidify Brave as a safer and more secure option for users who want better control over their browsing experience.
Thank you for your hard work and dedication to improving internet privacy!
My dear friend,
This feature has been requested for 2 years now.
We are developers of the Open Source project Artica and we develop secure DNS and Proxy servers.
In schools, institutions and companies, the use of SafeSearch via DNS is mandatory and this is one of the reasons why Brave is not integrated in these entities.
Apparently, Brave’s developers don’t understand this.
First off, love what you’re doing with Brave! Been using it for a while now and it’s made browsing so much better.
Recently, I noticed my kids accidentally came across some inappropriate content while using Brave. I set up forcesafe.search.brave.com as the default search engine on my PC to enforce safe search, and it’s worked great for keeping things safe. However, I couldn’t find a way to do the same thing on mobile. With so many kids getting smartphones at younger ages, I think it’d be really helpful to have that option on mobile too.
Also, any chance of letting us add custom search engines on mobile like we can on desktop? That would be a nice touch.
Just think this would be a really useful feature, especially for families.
