From: Michael Tremer Date: Sat, 11 May 2019 03:19:37 +0000 (+0100) Subject: unbound: Add Safe Search X-Git-Tag: v2.23-core133~130 X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff_plain;h=661ab1538964bf3b114689b7d173c4f372785b8b;hp=76630c43368bb52095873e90836000f9f44952e9 unbound: Add Safe Search This is a feature that will filter adult content from search engine's results. The old method of rewriting the HTTP request no longer works. This method changes the DNS response for supported search engines which violates our belief in DNSSEC and won't allow these search engines to ever enable DNSSEC. However, there is no better solution available to this and this an optional feature, too. Signed-off-by: Michael Tremer Reviewed-by: Peter Müller
---
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index e20c3330d7..4d492a5bc1 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -81,6 +81,9 @@ server:
 # Include any forward zones
 include: "/etc/unbound/forward.conf"
+ # Include safe search settings
+ include: "/etc/unbound/safe-search.conf"
+
 remote-control:
 control-enable: yes
 control-use-cert: no
diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
index fbb096e0d7..3e372ff65f 100644
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -14,6 +14,7 @@ TEST_DOMAIN_FAIL="dnssec-failed.org"
 INSECURE_ZONES=
 USE_FORWARDERS=1
+ENABLE_SAFE_SEARCH=off
 # Cache any local zones for 60 seconds
 LOCAL_TTL=60
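Review bot: The `include: "/etc/unbound/safe-search.conf"` line added to config/unbound/unbound.conf is unconditional, so the resolver's configuration now depends on a file that only the initscript generates (write_safe_search_conf, called from the `start)` branch in the last hunk of src/initscripts/system/unbound). If unbound is started or its configuration is checked before that function has run, or the write fails, the include target is missing and unbound will most likely reject the configuration, which takes DNS resolution down for every client behind it. Shipping an empty /etc/unbound/safe-search.conf with the package would remove that ordering dependency, and the comment could record it: `# Include safe search settings (generated at start; empty when Safe Search is off)`.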
@@ -481,6 +482,234 @@ fix_time_if_dns_fail() {
 fi
 }
+# Sets up Safe Search for various search engines
+write_safe_search_conf() {
+ local google_tlds=(
+ google.ad
+ google.ae
+ google.al
+ google.am
+ google.as
+ google.at
+ google.az
+ google.ba
+ google.be
+ google.bf
+ google.bg
+ google.bi
+ google.bj
+ google.bs
+ google.bt
+ google.by
+ google.ca
+ google.cat
+ google.cd
+ google.cf
+ google.cg
+ google.ch
+ google.ci
+ google.cl
+ google.cm
+ google.cn
+ google.co.ao
+ google.co.bw
+ google.co.ck
+ google.co.cr
+ google.co.id
+ google.co.il
+ google.co.in
+ google.co.jp
+ google.co.ke
+ google.co.kr
+ google.co.ls
+ google.com
+ google.co.ma
+ google.com.af
+ google.com.ag
+ google.com.ai
+ google.com.ar
+ google.com.au
+ google.com.bd
+ google.com.bh
+ google.com.bn
+ google.com.bo
+ google.com.br
+ google.com.bz
+ google.com.co
+ google.com.cu
+ google.com.cy
+ google.com.do
+ google.com.ec
+ google.com.eg
+ google.com.et
+ google.com.fj
+ google.com.gh
+ google.com.gi
+ google.com.gt
+ google.com.hk
+ google.com.jm
+ google.com.kh
+ google.com.kw
+ google.com.lb
+ google.com.ly
+ google.com.mm
+ google.com.mt
+ google.com.mx
+ google.com.my
+ google.com.na
+ google.com.nf
+ google.com.ng
+ google.com.ni
+ google.com.np
+ google.com.om
+ google.com.pa
+ google.com.pe
+ google.com.pg
+ google.com.ph
+ google.com.pk
+ google.com.pr
+ google.com.py
+ google.com.qa
+ google.com.sa
+ google.com.sb
+ google.com.sg
+ google.com.sl
+ google.com.sv
+ google.com.tj
+ google.com.tr
+ google.com.tw
+ google.com.ua
+ google.com.uy
+ google.com.vc
+ google.com.vn
+ google.co.mz
+ google.co.nz
+ google.co.th
+ google.co.tz
+ google.co.ug
+ google.co.uk
+ google.co.uz
+ google.co.ve
+ google.co.vi
+ google.co.za
+ google.co.zm
+ google.co.zw
+ google.cv
+ google.cz
+ google.de
+ google.dj
+ google.dk
+ google.dm
+ google.dz
+ google.ee
+ google.es
+ google.fi
+ google.fm
+ google.fr
+ google.ga
+ google.ge
+ google.gg
+ google.gl
+ google.gm
+ google.gp
+ google.gr
+ google.gy
+ google.hn
+ google.hr
+ google.ht
+ google.hu
+ google.ie
+ google.im
+ google.iq
+ google.is
+ google.it
+ google.je
+ google.jo
+ google.kg
+ google.ki
+ google.kz
+ google.la
+ google.li
+ google.lk
+ google.lt
+ google.lu
+ google.lv
+ google.md
+ google.me
+ google.mg
+ google.mk
+ google.ml
+ google.mn
+ google.ms
+ google.mu
+ google.mv
+ google.mw
+ google.ne
+ google.nl
+ google.no
+ google.nr
+ google.nu
+ google.pl
+ google.pn
+ google.ps
+ google.pt
+ google.ro
+ google.rs
+ google.ru
+ google.rw
+ google.sc
+ google.se
+ google.sh
+ google.si
+ google.sk
+ google.sm
+ google.sn
+ google.so
+ google.sr
+ google.st
+ google.td
+ google.tg
+ google.tk
+ google.tl
+ google.tm
+ google.tn
+ google.to
+ google.tt
+ google.vg
+ google.vu
+ google.ws
+ )
+
+ (
+ # Nothing to do if safe search is not enabled
+ if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
+ exit 0
+ fi
+
+ # This all belongs into the server: section
+ echo "server:"
+
+ # Bing
+ echo " local-zone: bing.com transparent"
+ echo " local-data: \"www.bing.com CNAME strict.bing.com.\""
+
+ # DuckDuckGo
+ echo " local-zone: duckduckgo.com transparent"
+ echo " local-data: \"duckduckgo.com CNAME safe.duckduckgo.com.\""
+
+ # Google
+ local domain
+ for domain in ${google_tlds[@]}; do
+ echo " local-zone: ${domain} transparent"
+ echo " local-data: \"www.${domain} CNAME forcesafesearch.google.com.\""
+ done
+
+ # Yandex
+ echo " local-zone: yandex.ru transparent"
+ echo " local-data: \"yandex.ru A 213.180.193.56\""
+ ) > /etc/unbound/safe-search.conf
+}
+
 case "$1" in
 start)
 # Print a nicer messagen when unbound is already running
@@ -494,6 +723,7 @@ case "$1" in
 # Update configuration files
 write_tuning_conf
 write_forward_conf
+ write_safe_search_conf
 boot_mesg "Starting Unbound DNS Proxy..."
 loadproc /usr/sbin/unbound || exit $?
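Review bot: In write_safe_search_conf the Yandex entry pins a literal address, `yandex.ru A 213.180.193.56`, while every other engine is redirected with a CNAME to a name its operator maintains. If that address is ever reassigned, clients receive a locally forged answer pointing at whatever host then holds it, and DNSSEC validation cannot catch this because the record is local data. A comment such as `# Static address: re-verify against Yandex's published Safe Search endpoint on each update` would make that maintenance duty explicit. Separately, the loop should quote the array expansion, `for domain in "${google_tlds[@]}"; do`, so the entries are never subject to word splitting or globbing. These rewrites only affect clients that resolve through this unbound instance, so the feature is a filter for cooperating clients rather than an enforcement boundary.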