From a7df22c44b1b07cb10c69ec7e4b2ed841b6a1163 Mon Sep 17 00:00:00 2001
From: bert hubert
Date: Sat, 4 Jun 2016 12:19:41 +0200
Subject: [PATCH] add example google/bing safesearch or strict mode network wide DNS script for PowerDNS Recursor
---
pdns/recursordist/examples/safesearch.lua | 55 +++++++++++++++++++++++
1 file changed, 55 insertions(+)
create mode 100644 pdns/recursordist/examples/safesearch.lua
diff --git a/pdns/recursordist/examples/safesearch.lua b/pdns/recursordist/examples/safesearch.lua
new file mode 100644
index 0000000000..dd7c5b39fc
--- /dev/null
+++ b/pdns/recursordist/examples/safesearch.lua
@@ -0,0 +1,55 @@
+--[[
+ Both Google and Bing offer ways to enforce the use of their 'safesearch' or 'strict' functionality
+ for some or all of your users. This script provides a 'handleSafeSearch' function that
+ implements enforced safe search for Google and Bing.
+
+ First, get the google supported domain lists, and format it for Lua:
+
+ $ (echo 'return{' ; for a in $(curl https://www.google.com/supported_domains) ; do echo \"$a\",; done ; echo '}') > googledomains.lua
+
+ and then load this script with 'pdns-lua-script=safesearch.lua' in recursor.conf
+
+ For Bing, only 'www.bing.com' is relevant.
+
+ There is a comment below in preresolve where you could insert code to determine if a particular user should be filtered or not
+]]--
+
+googledomains={}
+for k,v in pairs(dofile("googledomains.lua"))
+do
+ googledomains["www"..v]=1
+ googledomains["encrypted"..v]=2 -- this will allow you to search unfiltered
+ googledomains["ipv6"..v]=2 -- this too
+end
+
+
+function handleSafeSearch(dq)
+ local name = dq.qname:toStringNoDot():lower();
+ local status = googledomains[name]
+ if( status == 1) then
+ dq:addAnswer(pdns.CNAME, "forcesafesearch.google.com")
+ dq.rcode=0
+ dq.followupFunction="followCNAMERecords"
+ return true
+ elseif( status == 2) then
+ dq.rcode=pdns.NXDOMAIN
+ -- inserting actual SOA record is a nice touch but requires figuring out country code
+ return true
+ elseif(name=="www.bing.com") then
+ dq:addAnswer(pdns.CNAME, "strict.bing.com")
+ dq.rcode=0
+ dq.followupFunction="followCNAMERecords"
+ return true
+ end
+
+ return false
+end
+
+function preresolve(dq)
+ -- this is where you would test if the requesting IP address should be filtered or not
+ -- if you do that, add: dq.variable=true to prevent packetcaching
+ if(handleSafeSearch(dq)) then
+ return true;
+ end
+ return false;
+end
-- 
2.47.2
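Review bot: The one-liner in the header comment writes each line of the downloaded list straight into `googledomains.lua`, and the script then runs that file with `dofile`, so whatever the download returns is executed as Lua inside the recursor; nothing checks that a line is actually a domain suffix. Reading the list as data and accepting only lines shaped like `.google.tld` avoids executing fetched content, as sketched below (the `googledomains.txt` name is a placeholder, the header's curl command would then simply redirect into that file, and this assumes the `io` library is available in the recursor's Lua state). The same rewrite makes `googledomains` a local instead of a global and drops the unused `k`. Separately, the relative path makes the load depend on the recursor's working directory, and if the load fails the recursor presumably keeps resolving without the filter, which is worth stating in the header comment.

```lua
-- googledomains.txt (placeholder name): the raw download, one ".google.tld" suffix per line
local googledomains = {}
for line in io.lines("googledomains.txt") do
  -- accept only a leading dot followed by hostname characters; skip anything else
  local suffix = line:lower():match("^(%.[%w%-%.]+)$")
  if suffix then
    googledomains["www" .. suffix] = 1
    googledomains["encrypted" .. suffix] = 2 -- this will allow you to search unfiltered
    googledomains["ipv6" .. suffix] = 2 -- this too
  end
end
-- … unchanged: handleSafeSearch and preresolve …
```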