unbound: Add Safe Search
authorMichael Tremer <michael.tremer@ipfire.org>
Sat, 11 May 2019 03:19:37 +0000 (04:19 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Sat, 11 May 2019 03:19:37 +0000 (04:19 +0100)
This is a feature that will filter adult content from search
engine's results.

The old method of rewriting the HTTP request no longer works.

This method changes the DNS response for supported search engines
which violates our belief in DNSSEC and won't allow these search
engines to ever enable DNSSEC.

However, there is no better solution available for this, and this
is an optional feature, too.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
config/unbound/unbound.conf
src/initscripts/system/unbound

index e20c333..4d492a5 100644 (file)
@@ -81,6 +81,9 @@ server:
        # Include any forward zones
        include: "/etc/unbound/forward.conf"
 
+       # Include safe search settings
+       include: "/etc/unbound/safe-search.conf"
+
 remote-control:
        control-enable: yes
        control-use-cert: no
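Review bot: The added `include: "/etc/unbound/safe-search.conf"` is unconditional, yet the file it names is only generated at runtime by the initscript, so the main configuration now depends on that script having run first. As far as I know, unbound rejects a configuration whose non-wildcard include cannot be opened, so a missing file (fresh install, restored backup, a manual `unbound-checkconf`) would stop the resolver from starting rather than just disabling the filter. I would ship an empty safe-search.conf with the package and document the dependency next to the include, e.g. `# Generated by the unbound initscript on every start; empty when Safe Search is off`.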
index fbb096e..3e372ff 100644 (file)
@@ -14,6 +14,7 @@ TEST_DOMAIN_FAIL="dnssec-failed.org"
 
 INSECURE_ZONES=
 USE_FORWARDERS=1
+ENABLE_SAFE_SEARCH=off
 
 # Cache any local zones for 60 seconds
 LOCAL_TTL=60
@@ -481,6 +482,234 @@ fix_time_if_dns_fail() {
        fi
 }
 
+# Sets up Safe Search for various search engines
+write_safe_search_conf() {
+       local google_tlds=(
+               google.ad
+               google.ae
+               google.al
+               google.am
+               google.as
+               google.at
+               google.az
+               google.ba
+               google.be
+               google.bf
+               google.bg
+               google.bi
+               google.bj
+               google.bs
+               google.bt
+               google.by
+               google.ca
+               google.cat
+               google.cd
+               google.cf
+               google.cg
+               google.ch
+               google.ci
+               google.cl
+               google.cm
+               google.cn
+               google.co.ao
+               google.co.bw
+               google.co.ck
+               google.co.cr
+               google.co.id
+               google.co.il
+               google.co.in
+               google.co.jp
+               google.co.ke
+               google.co.kr
+               google.co.ls
+               google.com
+               google.co.ma
+               google.com.af
+               google.com.ag
+               google.com.ai
+               google.com.ar
+               google.com.au
+               google.com.bd
+               google.com.bh
+               google.com.bn
+               google.com.bo
+               google.com.br
+               google.com.bz
+               google.com.co
+               google.com.cu
+               google.com.cy
+               google.com.do
+               google.com.ec
+               google.com.eg
+               google.com.et
+               google.com.fj
+               google.com.gh
+               google.com.gi
+               google.com.gt
+               google.com.hk
+               google.com.jm
+               google.com.kh
+               google.com.kw
+               google.com.lb
+               google.com.ly
+               google.com.mm
+               google.com.mt
+               google.com.mx
+               google.com.my
+               google.com.na
+               google.com.nf
+               google.com.ng
+               google.com.ni
+               google.com.np
+               google.com.om
+               google.com.pa
+               google.com.pe
+               google.com.pg
+               google.com.ph
+               google.com.pk
+               google.com.pr
+               google.com.py
+               google.com.qa
+               google.com.sa
+               google.com.sb
+               google.com.sg
+               google.com.sl
+               google.com.sv
+               google.com.tj
+               google.com.tr
+               google.com.tw
+               google.com.ua
+               google.com.uy
+               google.com.vc
+               google.com.vn
+               google.co.mz
+               google.co.nz
+               google.co.th
+               google.co.tz
+               google.co.ug
+               google.co.uk
+               google.co.uz
+               google.co.ve
+               google.co.vi
+               google.co.za
+               google.co.zm
+               google.co.zw
+               google.cv
+               google.cz
+               google.de
+               google.dj
+               google.dk
+               google.dm
+               google.dz
+               google.ee
+               google.es
+               google.fi
+               google.fm
+               google.fr
+               google.ga
+               google.ge
+               google.gg
+               google.gl
+               google.gm
+               google.gp
+               google.gr
+               google.gy
+               google.hn
+               google.hr
+               google.ht
+               google.hu
+               google.ie
+               google.im
+               google.iq
+               google.is
+               google.it
+               google.je
+               google.jo
+               google.kg
+               google.ki
+               google.kz
+               google.la
+               google.li
+               google.lk
+               google.lt
+               google.lu
+               google.lv
+               google.md
+               google.me
+               google.mg
+               google.mk
+               google.ml
+               google.mn
+               google.ms
+               google.mu
+               google.mv
+               google.mw
+               google.ne
+               google.nl
+               google.no
+               google.nr
+               google.nu
+               google.pl
+               google.pn
+               google.ps
+               google.pt
+               google.ro
+               google.rs
+               google.ru
+               google.rw
+               google.sc
+               google.se
+               google.sh
+               google.si
+               google.sk
+               google.sm
+               google.sn
+               google.so
+               google.sr
+               google.st
+               google.td
+               google.tg
+               google.tk
+               google.tl
+               google.tm
+               google.tn
+               google.to
+               google.tt
+               google.vg
+               google.vu
+               google.ws
+       )
+
+       (
+               # Nothing to do if safe search is not enabled
+               if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
+                       exit 0
+               fi
+
+               # This all belongs into the server: section
+               echo "server:"
+
+               # Bing
+               echo "  local-zone: bing.com transparent"
+               echo "  local-data: \"www.bing.com CNAME strict.bing.com.\""
+
+               # DuckDuckGo
+               echo "  local-zone: duckduckgo.com transparent"
+               echo "  local-data: \"duckduckgo.com CNAME safe.duckduckgo.com.\""
+
+               # Google
+               local domain
+               for domain in ${google_tlds[@]}; do
+                       echo "  local-zone: ${domain} transparent"
+                       echo "  local-data: \"www.${domain} CNAME forcesafesearch.google.com.\""
+               done
+
+               # Yandex
+               echo "  local-zone: yandex.ru transparent"
+               echo "  local-data: \"yandex.ru A 213.180.193.56\""
+       ) > /etc/unbound/safe-search.conf
+}
+
 case "$1" in
        start)
                # Print a nicer messagen when unbound is already running
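Review bot: The Yandex entry in write_safe_search_conf pins a literal address, `yandex.ru A 213.180.193.56`, with no comment on where it comes from or how it is kept current, while every other engine is redirected by CNAME to a provider-operated name. If that address is ever reassigned, every client lookup of yandex.ru keeps being sent to it until someone edits this script. A comment such as `# Address of Yandex's family-search endpoint, taken from <source of address>; re-verify on each update` would make that maintainable. The same function overrides exactly one name per engine (www.bing.com, the bare duckduckgo.com, `www.${domain}`, the bare yandex.ru) inside transparent zones, so it is worth stating in the header comment that other names in those zones resolve unmodified. Separately, the loop should quote the expansion: `for domain in "${google_tlds[@]}"; do`.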
@@ -494,6 +723,7 @@ case "$1" in
                # Update configuration files
                write_tuning_conf
                write_forward_conf
+               write_safe_search_conf
 
                boot_mesg "Starting Unbound DNS Proxy..."
                loadproc /usr/sbin/unbound || exit $?
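Review bot: The new `write_safe_search_conf` call in `start)` ignores the function's exit status, so a failed or partial write to /etc/unbound/safe-search.conf (full or read-only filesystem) goes unnoticed. Because the redirection truncates the file before anything is written, the likely outcome is an empty or cut-off file and a resolver that starts with filtering silently off while `ENABLE_SAFE_SEARCH` is still on. I would at least report it, e.g. `write_safe_search_conf || echo "unbound: could not write safe-search.conf" >&2`. Writing to a temporary file and renaming it into place inside the function would keep the previous configuration on failure. The neighbouring `write_tuning_conf` and `write_forward_conf` calls are unchecked in the same way, and the `case` block continues outside this hunk.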