From: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed, 13 May 2026 16:56:17 +0000 (+0100)
Subject: knot-resolver: Implement Safe Search for the other search engines
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b07d54091d2e986fe8b5430b208ef5aa92eb1612;p=ipfire-2.x.git

knot-resolver: Implement Safe Search for the other search engines

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/config/knot-resolver/kresd.conf b/config/knot-resolver/kresd.conf
index 89db09938..1c8853a21 100644
--- a/config/knot-resolver/kresd.conf
+++ b/config/knot-resolver/kresd.conf
@@ -172,24 +172,21 @@ local GOOGLE_TLDS = {
 }
 
 -- Implements Google Safe Search
-local function safesearch_google(state, query)
-	local qname = kres.dname2str(query.sname)
+local function safesearch_google(response)
+	return function(state, query)
+		local qname = kres.dname2str(query.sname)
 
-	-- Check if we need to handle this
-	if not qname:match("^google%.") and not qname:match("^www%.google%.") then
-		return policy.PASS
-	end
+		-- Check if we need to handle this
+		if not qname:match("^google%.") and not qname:match("^www%.google%.") then
+			return policy.PASS
+		end
 
-	-- Check if the TLD is any of the valid Google TLDs
-	for i, tld in ipairs(GOOGLE_TLDS) do
-		if qname == string.format("google.%s.", tld)
-				or qname == string.format("www.google.%s.", tld) then
-			return policy.ANSWER({
-				[kres.type.CNAME] = {
-					rdata = kres.str2dname("forcesafesearch.google.com."),
-					ttl   = 60
-				}
-			})
+		-- Check if the TLD is any of the valid Google TLDs
+		for i, tld in ipairs(GOOGLE_TLDS) do
+			if qname == string.format("google.%s.", tld)
+					or qname == string.format("www.google.%s.", tld) then
+				return response
+			end
 		end
 	end
 end
@@ -204,8 +201,48 @@ local function load_safesearch()
 		return
 	end
 
+	-- Helper to respond with a CNAME
+	local function response(name)
+		return policy.ANSWER({
+			[kres.type.CNAME] = {
+				rdata = kres.str2dname(name),
+				ttl   = 60,
+			}
+		})
+	end
+
 	-- Enable Googe Safe Search
-	policy.add(safesearch_google)
+	policy.add(safesearch_google(response("forcesafesearch.google.com")))
+
+	-- Enable Bing Strict Search
+	policy.add(
+		policy.domains(
+			response("strict.bing.com"),
+			{ "bing.com", "www.bing.com" }
+		)
+	)
+
+	-- Enable DuckDuckGo Safe Search
+	policy.add(
+		policy.domains(
+			response("safe.duckduckgo.com"),
+			{ "duckduckgo.com", "www.duckduckgo.com" }
+		)
+	)
+
+	-- Enable Yandex Family Search
+	policy.add(
+		policy.domains(
+			response("familysearch.yandex.com"),
+			{ "yandex.com", "www.yandex.com" }
+		)
+	)
+	policy.add(
+		policy.domains(
+			response("familysearch.yandex.ru"),
+			{ "yandex.ru", "www.yandex.ru" }
+		)
+	)
 end
 
 -- Loads the Forwarding Rules