unbound: Add Safe Search
authorMichael Tremer <michael.tremer@ipfire.org>
Sat, 11 May 2019 03:19:37 +0000 (04:19 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Sat, 11 May 2019 03:19:37 +0000 (04:19 +0100)
This is a feature that will filter adult content from search
engine's results.

The old method of rewriting the HTTP request no longer works.

This method changes the DNS response for supported search engines
which violates our belief in DNSSEC and won't allow these search
engines to ever enable DNSSEC.

However, there is no better solution available for this, and this is
an optional feature, too.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
config/unbound/unbound.conf
src/initscripts/system/unbound

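--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -81,6 +81,9 @@ server:
        # Include any forward zones
        include: "/etc/unbound/forward.conf"
 
+       # Include safe search settings
+       include: "/etc/unbound/safe-search.conf"
+
 remote-control:
        control-enable: yes
        control-use-cert: no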
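Review bot: The new `include: "/etc/unbound/safe-search.conf"` is unconditional, and as far as I know Unbound refuses to load a configuration when a non-wildcard include cannot be opened, so this line depends on the initscript having generated the file first. In this commit the file is only produced by write_safe_search_conf in src/initscripts/system/unbound, which leaves an empty file when ENABLE_SAFE_SEARCH is off as a side effect of the redirection around its subshell, and the visible hunk wires that function into `start` only. I would record the dependency next to the include, e.g. `# Generated by the unbound initscript on start; present but empty when safe search is off`, so that a config check or reload is not run against a tree where the file is missing. The server: section this line belongs to starts outside the hunk.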
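--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -14,6 +14,7 @@ TEST_DOMAIN_FAIL="dnssec-failed.org"
 
 INSECURE_ZONES=
 USE_FORWARDERS=1
+ENABLE_SAFE_SEARCH=off
 
 # Cache any local zones for 60 seconds
 LOCAL_TTL=60
@@ -481,6 +482,234 @@ fix_time_if_dns_fail() {
        fi
 }
 
+# Sets up Safe Search for various search engines
+write_safe_search_conf() {
+       local google_tlds=(
+               google.ad
+               google.ae
+               google.al
+               google.am
+               google.as
+               google.at
+               google.az
+               google.ba
+               google.be
+               google.bf
+               google.bg
+               google.bi
+               google.bj
+               google.bs
+               google.bt
+               google.by
+               google.ca
+               google.cat
+               google.cd
+               google.cf
+               google.cg
+               google.ch
+               google.ci
+               google.cl
+               google.cm
+               google.cn
+               google.co.ao
+               google.co.bw
+               google.co.ck
+               google.co.cr
+               google.co.id
+               google.co.il
+               google.co.in
+               google.co.jp
+               google.co.ke
+               google.co.kr
+               google.co.ls
+               google.com
+               google.co.ma
+               google.com.af
+               google.com.ag
+               google.com.ai
+               google.com.ar
+               google.com.au
+               google.com.bd
+               google.com.bh
+               google.com.bn
+               google.com.bo
+               google.com.br
+               google.com.bz
+               google.com.co
+               google.com.cu
+               google.com.cy
+               google.com.do
+               google.com.ec
+               google.com.eg
+               google.com.et
+               google.com.fj
+               google.com.gh
+               google.com.gi
+               google.com.gt
+               google.com.hk
+               google.com.jm
+               google.com.kh
+               google.com.kw
+               google.com.lb
+               google.com.ly
+               google.com.mm
+               google.com.mt
+               google.com.mx
+               google.com.my
+               google.com.na
+               google.com.nf
+               google.com.ng
+               google.com.ni
+               google.com.np
+               google.com.om
+               google.com.pa
+               google.com.pe
+               google.com.pg
+               google.com.ph
+               google.com.pk
+               google.com.pr
+               google.com.py
+               google.com.qa
+               google.com.sa
+               google.com.sb
+               google.com.sg
+               google.com.sl
+               google.com.sv
+               google.com.tj
+               google.com.tr
+               google.com.tw
+               google.com.ua
+               google.com.uy
+               google.com.vc
+               google.com.vn
+               google.co.mz
+               google.co.nz
+               google.co.th
+               google.co.tz
+               google.co.ug
+               google.co.uk
+               google.co.uz
+               google.co.ve
+               google.co.vi
+               google.co.za
+               google.co.zm
+               google.co.zw
+               google.cv
+               google.cz
+               google.de
+               google.dj
+               google.dk
+               google.dm
+               google.dz
+               google.ee
+               google.es
+               google.fi
+               google.fm
+               google.fr
+               google.ga
+               google.ge
+               google.gg
+               google.gl
+               google.gm
+               google.gp
+               google.gr
+               google.gy
+               google.hn
+               google.hr
+               google.ht
+               google.hu
+               google.ie
+               google.im
+               google.iq
+               google.is
+               google.it
+               google.je
+               google.jo
+               google.kg
+               google.ki
+               google.kz
+               google.la
+               google.li
+               google.lk
+               google.lt
+               google.lu
+               google.lv
+               google.md
+               google.me
+               google.mg
+               google.mk
+               google.ml
+               google.mn
+               google.ms
+               google.mu
+               google.mv
+               google.mw
+               google.ne
+               google.nl
+               google.no
+               google.nr
+               google.nu
+               google.pl
+               google.pn
+               google.ps
+               google.pt
+               google.ro
+               google.rs
+               google.ru
+               google.rw
+               google.sc
+               google.se
+               google.sh
+               google.si
+               google.sk
+               google.sm
+               google.sn
+               google.so
+               google.sr
+               google.st
+               google.td
+               google.tg
+               google.tk
+               google.tl
+               google.tm
+               google.tn
+               google.to
+               google.tt
+               google.vg
+               google.vu
+               google.ws
+       )
+
+       (
+               # Nothing to do if safe search is not enabled
+               if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
+                       exit 0
+               fi
+
+               # This all belongs into the server: section
+               echo "server:"
+
+               # Bing
+               echo "  local-zone: bing.com transparent"
+               echo "  local-data: \"www.bing.com CNAME strict.bing.com.\""
+
+               # DuckDuckGo
+               echo "  local-zone: duckduckgo.com transparent"
+               echo "  local-data: \"duckduckgo.com CNAME safe.duckduckgo.com.\""
+
+               # Google
+               local domain
+               for domain in ${google_tlds[@]}; do
+                       echo "  local-zone: ${domain} transparent"
+                       echo "  local-data: \"www.${domain} CNAME forcesafesearch.google.com.\""
+               done
+
+               # Yandex
+               echo "  local-zone: yandex.ru transparent"
+               echo "  local-data: \"yandex.ru A 213.180.193.56\""
+       ) > /etc/unbound/safe-search.conf
+}
+
 case "$1" in
        start)
                # Print a nicer messagen when unbound is already running
@@ -494,6 +723,7 @@ case "$1" in
                # Update configuration files
                write_tuning_conf
                write_forward_conf
+               write_safe_search_conf
 
                boot_mesg "Starting Unbound DNS Proxy..."
                loadproc /usr/sbin/unbound || exit $?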
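Review bot: The Yandex entry in write_safe_search_conf pins a literal address (`yandex.ru A 213.180.193.56`) while the other engines are redirected with a CNAME to a provider-maintained name, so a renumbering on the provider side would leave clients pointed at a stale or reassigned host until this script is updated. A comment recording where the address comes from and that it must be re-checked on updates, e.g. `# Fixed address of Yandex family search; verify when touching this list`, would make that maintenance duty visible. Because every zone is declared `transparent`, only the exact names written here are rewritten and all other names in those zones resolve normally, and the rewrite only reaches clients that actually use this resolver; the function comment should say the feature is best-effort filtering and not an enforcement control. As a style point the loop should quote the array expansion, `for domain in "${google_tlds[@]}"; do`.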