Andrew Jorgensen

Bypass Google "Family WiFi" Site Blocking

One advertised feature of Google WiFi is that it can "block access to millions of explicit websites." You'd hope that Google would be a good source for content categorization and that may well be true, but the Family WiFi site blocking feature is trivial to bypass and kids are smart!

How It Works

Family WiFi site blocking works by overriding DNS responses. This is one of the most common ways to filter the Internet and it has the potential of being very effective. To contact a website your browser must first ask the Domain Name System which host on the Internet to contact. In your home that query normally goes to a caching DNS service running on your router. That service in turn queries a DNS service hosted by your ISP or some public DNS service. Ultimately these queries are answered by some authoritative source controlled by the owner of the domain.

Site blocking on Google WiFi happens at the caching DNS service running on your Primary WiFi point. When a query comes in it's checked against Google's content categorization database. If the website is in the explicit category a false response is returned instead of the actual response. This is why when a secure website is blocked you get a security warning instead of a friendly page telling you you've been blocked. In that case your browser is trying to talk to the site it asked for but it's getting a response from some other host.

How to Bypass It

There are a few easy ways to bypass Family WiFi site blocking. Ironically the most effective means to get explicit content while "protected" by site blocking are provided by Google.

Change Your DNS Configuration

Most devices allow you to choose which DNS servers you use, instead of using the ones provided by the network. Changing your DNS to Google Public DNS at 8.8.8.8 and 8.8.4.4 will completely bypass site blocking. It will also get you around OpenDNS and other similar systems you might be using unless other steps are taken.

On recent Android devices you can also use Google Private DNS at dns.google. More on that later.

Search Explicit Content on Google and YouTube

Family WiFi site blocking does nothing to prevent you searching for explicit content on Google or YouTube. Even when a site you might go to is blocked you can usually see images and sometimes video right there in the search results.

What If Google Cared About Our Kids?

To be fair, Google is made of people and many of those people probably do care about our kids. But good business decisions aren't about what employees care about. In a publicly held company most business decisions must be made based on the impact to shareholder value. My hope is that in some small way this post will change the equation so that the good googlers who do care about our kids will be empowered to do something about it. Enough fairness. Here are my suggestions.

Enforce SafeSearch

Google allows organizations to enforce SafeSearch at the network level. I have a Circle device that does exactly this. It's done the same way the rest of this stuff is, by overriding a DNS response so that all your searches go to Google's SafeSearch servers instead. That Google WiFi doesn't already do this is completely mind blowing. This should have been the bare minimum they would do.

Enforce YouTube Restricted Mode

YouTube also has a way to enforce Restricted Mode, again by overriding some DNS responses. Again, it's mind blowing that Google WiFi doesn't already do this. Unfortunately YouTube has a hard time categorizing its content. They haven't even been able to keep videos with suicide instructions off of YouTube Kids. And there are a lot of perfectly safe videos that have been incorrectly flagged as explicit.
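To make the DNS override behind SafeSearch and Restricted Mode enforcement concrete, here is an added example (not code from Google WiFi or Circle) of a resolver answering selected names with a CNAME to the enforcement host. The override table, the 300-second TTL and the helper names are assumptions; forcesafesearch.google.com and restrict.youtube.com are the hostnames Google publishes for this purpose.

```python
import struct

# Assumed override table: query name -> enforcement host to answer with.
OVERRIDES = {
    "www.google.com": "forcesafesearch.google.com",
    "www.youtube.com": "restrict.youtube.com",
    "m.youtube.com": "restrict.youtube.com",
}

def encode_name(name):
    """Encode a hostname as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, txid=0x1234):
    """Constructed sample input: a standard A/IN query with recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)

def parse_question(msg):
    """Return (lowercased qname, offset just past the first question)."""
    pos, labels = 12, []              # the DNS header is always 12 bytes
    while msg[pos]:
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii"))
        pos += 1 + msg[pos]
    return ".".join(labels).lower(), pos + 1 + 4  # zero byte, QTYPE, QCLASS

def override_response(query):
    """Build a CNAME answer for an overridden name, or None to forward upstream."""
    qname, qend = parse_question(query)
    target = OVERRIDES.get(qname)
    if target is None:
        return None
    # Flags 0x8180: response, recursion desired and available, no error.
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)
    rdata = encode_name(target)
    # 0xC00C is a compression pointer to the question name at offset 12;
    # the record is type 5 (CNAME), class 1 (IN), TTL 300 seconds.
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 5, 1, 300, len(rdata)) + rdata
    # A production resolver would also resolve the target and append its
    # address records so clients do not need a second lookup.
    return header + query[12:qend] + answer

if __name__ == "__main__":
    print(override_response(build_query("www.google.com")).hex())
```

DNS names are case-insensitive, so the lookup is done on the lowercased name; a filter that matches case-sensitively would miss a query for `WWW.Google.com`.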

Block DNS Traversal

The ASUS router I used to use let me block DNS so that only queries destined for the router's own caching service, and queries originating at the router, could reach the Internet. When my kids configured their Chromebooks to use Google Public DNS instead of the router, DNS just stopped working. You can't do that yet with Google WiFi.

Block Private DNS

There are some newer ways to do DNS and they can be tricky to block. DNS-over-TLS and DNS-over-HTTPS both provide end-to-end encryption from the client device to the DNS service.

Google has its own DNS-over-TLS service and it's easy to configure an Android phone or tablet to use it. DNS-over-TLS runs over port 853 so blocking just that port would mostly plug that hole.

Google and Cloudflare both also offer DNS-over-HTTPS. This one is harder to block because it runs on port 443 where most of the web lives, but Cloudflare's is at 1.1.1.1 so it's easy to block that address and Google knows where theirs is. Keeping up with others is a cat and mouse game, but that's exactly what content categorization is about.
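The forwarding policy described under "Block DNS Traversal" and "Block Private DNS" can be modelled and checked against sample traffic. This is an added example, not a Google WiFi or ASUS feature: the router address, the blocklist contents and the flows are constructed, and it assumes Google's DNS-over-HTTPS service is reached at the Google Public DNS addresses.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

ROUTER = ipaddress.ip_address("192.168.86.1")  # assumed LAN address of the router
# DoH resolvers to drop on 443: 1.1.1.1 is from the text; the Google Public DNS
# addresses are assumed here to also front Google's DNS-over-HTTPS service.
DOH_RESOLVERS = {ipaddress.ip_address(a) for a in ("1.1.1.1", "8.8.8.8", "8.8.4.4")}

def verdict(flow):
    """First-match evaluation of the policy; returns (action, reason)."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if flow.dport == 53:
        # Only the router's caching service may be queried, and only the
        # router itself may send DNS queries out to the Internet.
        if dst == ROUTER or src == ROUTER:
            return "accept", "DNS via the router's caching service"
        return "drop", "plain DNS traversal"
    if flow.proto == "tcp" and flow.dport == 853:
        return "drop", "DNS-over-TLS"
    if flow.dport == 443 and dst in DOH_RESOLVERS:
        return "drop", "known DNS-over-HTTPS resolver"
    return "accept", "default"

# Constructed sample flows; 192.168.86.42 stands in for a child's device and
# 203.0.113.7 (a documentation address) for a DoH resolver not on the list.
SAMPLE_FLOWS = [
    Flow("192.168.86.42", "192.168.86.1", "udp", 53),
    Flow("192.168.86.42", "8.8.8.8", "udp", 53),
    Flow("192.168.86.1", "8.8.8.8", "udp", 53),
    Flow("192.168.86.42", "8.8.8.8", "tcp", 853),
    Flow("192.168.86.42", "1.1.1.1", "tcp", 443),
    Flow("192.168.86.42", "203.0.113.7", "tcp", 443),
]

def audit(flows):
    """Return (flow, action, reason) for every flow, in order."""
    return [(f, *verdict(f)) for f in flows]

if __name__ == "__main__":
    for flow, action, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {action} ({reason})")
```

The last flow is accepted: port rules close 53 and 853, but DNS-over-HTTPS is only stopped for addresses already on the list, which is the maintenance burden the paragraph above describes.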

Do Something About Data Saver

As if Google hasn't already done enough to make it easy to bypass their own Family WiFi site blocking, they've also got a Data Saver feature in Chrome that should let you waltz around site blocking. It's been only marginally useful up to now because it only supported insecure HTTP websites, but they recently added HTTPS support. Most Internet filtering devices will block proxy and VPN services like Data Saver if configured to do so.

Deny by Default

Finally they could deny access to anything that hasn't been successfully categorized as not explicit. There's a lot of content out there and even Google can't categorize it all. But most of what people actually use is well known and Google could assume that if it's unknown it's not safe for kids.