From 661ab1538964bf3b114689b7d173c4f372785b8b Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Sat, 11 May 2019 04:19:37 +0100 Subject: [PATCH] unbound: Add Safe Search MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit This is a feature that will filter adult content from search engine's results. The old method of rewriting the HTTP request no longer works. This method changes the DNS response for supported search engines which violates our belief in DNSSEC and won't allow these search engines to ever enable DNSSEC. However, there is no better solution available to this and this an optional feature, too. Signed-off-by: Michael Tremer Reviewed-by: Peter Müller --- config/unbound/unbound.conf | 3 + src/initscripts/system/unbound | 230 +++++++++++++++++++++++++++++++++ 2 files changed, 233 insertions(+) diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index e20c3330d7..4d492a5bc1 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -81,6 +81,9 @@ server: # Include any forward zones include: "/etc/unbound/forward.conf" + # Include safe search settings + include: "/etc/unbound/safe-search.conf" + remote-control: control-enable: yes control-use-cert: no diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound index fbb096e0d7..3e372ff65f 100644 --- a/src/initscripts/system/unbound +++ b/src/initscripts/system/unbound @@ -14,6 +14,7 @@ TEST_DOMAIN_FAIL="dnssec-failed.org" INSECURE_ZONES= USE_FORWARDERS=1 +ENABLE_SAFE_SEARCH=off # Cache any local zones for 60 seconds LOCAL_TTL=60 
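Review bot: The new `include: "/etc/unbound/safe-search.conf"` in the unbound.conf hunk is unconditional, while the file it names is only created by `write_safe_search_conf` in the `start)` branch of the initscript (the second file of this patch). As far as I recall unbound refuses to load a configuration whose include file is missing, so any path that parses unbound.conf before that function has run on an upgraded system — a config check, or a reload if the script has one outside this view — would presumably fail until the first `start`. Either ship an empty `/etc/unbound/safe-search.conf` alongside the config or document the dependency above the include, e.g. `# Generated by write_safe_search_conf in the unbound initscript on start; unbound will not load if it is missing`.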
@@ -481,6 +482,234 @@ fix_time_if_dns_fail() {
 fi
 }
 
+# Sets up Safe Search for various search engines
+write_safe_search_conf() {
+ local google_tlds=(
+ google.ad
+ google.ae
+ google.al
+ google.am
+ google.as
+ google.at
+ google.az
+ google.ba
+ google.be
+ google.bf
+ google.bg
+ google.bi
+ google.bj
+ google.bs
+ google.bt
+ google.by
+ google.ca
+ google.cat
+ google.cd
+ google.cf
+ google.cg
+ google.ch
+ google.ci
+ google.cl
+ google.cm
+ google.cn
+ google.co.ao
+ google.co.bw
+ google.co.ck
+ google.co.cr
+ google.co.id
+ google.co.il
+ google.co.in
+ google.co.jp
+ google.co.ke
+ google.co.kr
+ google.co.ls
+ google.com
+ google.co.ma
+ google.com.af
+ google.com.ag
+ google.com.ai
+ google.com.ar
+ google.com.au
+ google.com.bd
+ google.com.bh
+ google.com.bn
+ google.com.bo
+ google.com.br
+ google.com.bz
+ google.com.co
+ google.com.cu
+ google.com.cy
+ google.com.do
+ google.com.ec
+ google.com.eg
+ google.com.et
+ google.com.fj
+ google.com.gh
+ google.com.gi
+ google.com.gt
+ google.com.hk
+ google.com.jm
+ google.com.kh
+ google.com.kw
+ google.com.lb
+ google.com.ly
+ google.com.mm
+ google.com.mt
+ google.com.mx
+ google.com.my
+ google.com.na
+ google.com.nf
+ google.com.ng
+ google.com.ni
+ google.com.np
+ google.com.om
+ google.com.pa
+ google.com.pe
+ google.com.pg
+ google.com.ph
+ google.com.pk
+ google.com.pr
+ google.com.py
+ google.com.qa
+ google.com.sa
+ google.com.sb
+ google.com.sg
+ google.com.sl
+ google.com.sv
+ google.com.tj
+ google.com.tr
+ google.com.tw
+ google.com.ua
+ google.com.uy
+ google.com.vc
+ google.com.vn
+ google.co.mz
+ google.co.nz
+ google.co.th
+ google.co.tz
+ google.co.ug
+ google.co.uk
+ google.co.uz
+ google.co.ve
+ google.co.vi
+ google.co.za
+ google.co.zm
+ google.co.zw
+ google.cv
+ google.cz
+ google.de
+ google.dj
+ google.dk
+ google.dm
+ google.dz
+ google.ee
+ google.es
+ google.fi
+ google.fm
+ google.fr
+ google.ga
+ google.ge
+ google.gg
+ google.gl
+ google.gm
+ google.gp
+ google.gr
+ google.gy
+ google.hn
+ google.hr
+ google.ht
+ google.hu
+ google.ie
+ google.im
+ google.iq
+ google.is
+ google.it
+ google.je
+ google.jo
+ google.kg
+ google.ki
+ google.kz
+ google.la
+ google.li
+ google.lk
+ google.lt
+ google.lu
+ google.lv
+ google.md
+ google.me
+ google.mg
+ google.mk
+ google.ml
+ google.mn
+ google.ms
+ google.mu
+ google.mv
+ google.mw
+ google.ne
+ google.nl
+ google.no
+ google.nr
+ google.nu
+ google.pl
+ google.pn
+ google.ps
+ google.pt
+ google.ro
+ google.rs
+ google.ru
+ google.rw
+ google.sc
+ google.se
+ google.sh
+ google.si
+ google.sk
+ google.sm
+ google.sn
+ google.so
+ google.sr
+ google.st
+ google.td
+ google.tg
+ google.tk
+ google.tl
+ google.tm
+ google.tn
+ google.to
+ google.tt
+ google.vg
+ google.vu
+ google.ws
+ )
+
+ (
+ # Nothing to do if safe search is not enabled
+ if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
+ exit 0
+ fi
+
+ # This all belongs into the server: section
+ echo "server:"
+
+ # Bing
+ echo " local-zone: bing.com transparent"
+ echo " local-data: \"www.bing.com CNAME strict.bing.com.\""
+
+ # DuckDuckGo
+ echo " local-zone: duckduckgo.com transparent"
+ echo " local-data: \"duckduckgo.com CNAME safe.duckduckgo.com.\""
+
+ # Google
+ local domain
+ for domain in ${google_tlds[@]}; do
+ echo " local-zone: ${domain} transparent"
+ echo " local-data: \"www.${domain} CNAME forcesafesearch.google.com.\""
+ done
+
+ # Yandex
+ echo " local-zone: yandex.ru transparent"
+ echo " local-data: \"yandex.ru A 213.180.193.56\""
+ ) > /etc/unbound/safe-search.conf
+}
+
 case "$1" in
 start)
 # Print a nicer messagen when unbound is already running
@@ -494,6 +723,7 @@ case "$1" in
 # Update configuration files
 write_tuning_conf
 write_forward_conf
+ write_safe_search_conf
 
 boot_mesg "Starting Unbound DNS Proxy..."
 loadproc /usr/sbin/unbound || exit $?
-- 
2.39.2
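Review bot: The Yandex entry `echo " local-data: \"yandex.ru A 213.180.193.56\""` pins a bare IPv4 literal with nothing recording why that address is trusted or that it has to be revisited by hand, and unlike the Bing and Google entries it rewrites only the apex and only the A type, so `www.yandex.ru` and AAAA lookups are presumably left untouched (whether a `transparent` zone also suppresses the AAAA answer for a name that has local A data is worth confirming against unbound's documentation). A comment above it such as `# Pinned IPv4 address: only A lookups for the apex are rewritten; re-verify it whenever this list is updated` would make the maintenance burden visible. As a point of style, `for domain in ${google_tlds[@]}; do` expands the array unquoted; `for domain in "${google_tlds[@]}"; do` is the conventional form and matches the quoting used for `${ENABLE_SAFE_SEARCH}` a few lines earlier. Note also that the last hunk calls `write_safe_search_conf` only from the `start)` branch, so toggling `ENABLE_SAFE_SEARCH` presumably requires a full restart rather than a reload if the script has a reload branch outside this view.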