public inbox for development@lists.ipfire.org
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [RFC PATCH 1/8] unbound: Add switch to enable Google Safe Search
Date: Mon, 13 May 2019 16:47:54 +0100
Message-ID: <14FC89AA-5679-4DF9-A091-7E6CB643AA93@ipfire.org>
In-Reply-To: <f1a1c35f-48e1-f726-26a2-c49aef953035@ipfire.org>

Hi,

There is no rewrite happening on google.com, only www.google.com.

The output looks fine.

I have decided to merge this patchset and we will ship it, but there is no way for users to activate it yet apart from manually editing the configuration file.

There must be some UI element later. That gives us some extra time to test it.

Can you apply the latest configuration and initscript from next and run tests again?

-Michael

> On 3 May 2019, at 12:21, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
> 
> On 03.05.2019 10:54, Michael Tremer wrote:
>> Hi,
> 
> Hi,
> 
>> What happens when you run “dig google.com” on the console?
> 
> In browser, https://www.google.de/ gives me:
> 
> "Hmm. We’re having trouble finding that site."
> 
> 'dig' results:
> 
> ***SNIP***
> root(a)ipfire: /etc/init.d # dig google.com
> 
> ; <<>> DiG 9.11.6-P1 <<>> google.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25720
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;google.com.                    IN      A
> 
> ;; ANSWER SECTION:
> google.com.             108     IN      A       216.58.205.238
> 
> ;; Query time: 418 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri May 03 13:09:28 CEST 2019
> ;; MSG SIZE  rcvd: 55
> ***SNAP***
> 
> ***SNIP***
> root(a)ipfire: /etc/unbound # dig bing.com
> 
> ; <<>> DiG 9.11.6-P1 <<>> bing.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45651
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;bing.com.                      IN      A
> 
> ;; ANSWER SECTION:
> bing.com.               191     IN      A       13.107.21.200
> bing.com.               191     IN      A       204.79.197.200
> 
> ;; Query time: 158 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri May 03 13:12:11 CEST 2019
> ;; MSG SIZE  rcvd: 69
> ***SNAP***
> 
> ***SNIP***
> root(a)ipfire: /etc/unbound # dig duckduckgo.com
> 
> ; <<>> DiG 9.11.6-P1 <<>> duckduckgo.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2573
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;duckduckgo.com.                        IN      A
> 
> ;; ANSWER SECTION:
> duckduckgo.com.         3600    IN      CNAME   safe.duckduckgo.com.
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri May 03 13:13:15 CEST 2019
> ;; MSG SIZE  rcvd: 62
> ***SNAP***
> 
> ***SNIP***
> root(a)ipfire: /etc/unbound # dig yandex.ru
> 
> ; <<>> DiG 9.11.6-P1 <<>> yandex.ru
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43047
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;yandex.ru.                     IN      A
> 
> ;; ANSWER SECTION:
> yandex.ru.              3600    IN      A       213.180.193.56
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri May 03 13:14:02 CEST 2019
> ;; MSG SIZE  rcvd: 54
> ***SNAP***
> 
> The only site I can open in browser after restarting 'unbound' with
> "ENABLE_SAFE_SEARCH=on" is 'yandex.ru'. All others respond with "Server
> not found".
> 
> HTH,
> Matthias
> 
>> The zones should be transparent and resolve any names that are not overlaid by the user-data.
>> 
>> -Michael
>> 
>>> On 1 May 2019, at 15:11, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>> 
>>> Hi,
>>> 
>>> Hm. Did I miss something?
>>> 
>>> Testing the Safesearch-Feature gives me:
>>> 
>>> "Hmm. We’re having trouble finding that site.
>>> 
>>> We can’t connect to the server at www.google.de."
>>> 
>>> => I can't connect to ANY of the now "safe searching" search engines.
>>> 
>>> Only https://yandex.ru/ works...
>>> 
>>> Best,
>>> Matthias
>>> 
>>> On 30.04.2019 18:16, Michael Tremer wrote:
>>>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
>>>> ---
>>>> src/initscripts/system/unbound | 215 +++++++++++++++++++++++++++++++++++++++++
>>>> 1 file changed, 215 insertions(+)
>>>> 
>>>> diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
>>>> index fbb096e0d..4ac8331dc 100644
>>>> --- a/src/initscripts/system/unbound
>>>> +++ b/src/initscripts/system/unbound
>>>> @@ -14,6 +14,7 @@ TEST_DOMAIN_FAIL="dnssec-failed.org"
>>>> 
>>>> INSECURE_ZONES=
>>>> USE_FORWARDERS=1
>>>> +ENABLE_SAFE_SEARCH=off
>>>> 
>>>> # Cache any local zones for 60 seconds
>>>> LOCAL_TTL=60
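Review bot: ENABLE_SAFE_SEARCH=off uses an on/off string while the adjacent USE_FORWARDERS=1 uses a numeric flag, and nothing next to the new default says which values are accepted. The check added further down in this patch enables the feature only for the exact string "on", so a value such as 1, yes or ON set in /etc/sysconfig/unbound leaves Safe Search off without any message. Add a comment stating the accepted values, or follow the 0/1 convention of USE_FORWARDERS.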
>>>> @@ -21,6 +22,202 @@ LOCAL_TTL=60
>>>> # EDNS buffer size
>>>> EDNS_DEFAULT_BUFFER_SIZE=4096
>>>> 
>>>> +GOOGLE_TLDS=(
>>>> +	google.ad
>>>> +	google.ae
>>>> +	google.al
>>>> +	google.am
>>>> +	google.as
>>>> +	google.at
>>>> +	google.az
>>>> +	google.ba
>>>> +	google.be
>>>> +	google.bf
>>>> +	google.bg
>>>> +	google.bi
>>>> +	google.bj
>>>> +	google.bs
>>>> +	google.bt
>>>> +	google.by
>>>> +	google.ca
>>>> +	google.cat
>>>> +	google.cd
>>>> +	google.cf
>>>> +	google.cg
>>>> +	google.ch
>>>> +	google.ci
>>>> +	google.cl
>>>> +	google.cm
>>>> +	google.cn
>>>> +	google.co.ao
>>>> +	google.co.bw
>>>> +	google.co.ck
>>>> +	google.co.cr
>>>> +	google.co.id
>>>> +	google.co.il
>>>> +	google.co.in
>>>> +	google.co.jp
>>>> +	google.co.ke
>>>> +	google.co.kr
>>>> +	google.co.ls
>>>> +	google.com
>>>> +	google.co.ma
>>>> +	google.com.af
>>>> +	google.com.ag
>>>> +	google.com.ai
>>>> +	google.com.ar
>>>> +	google.com.au
>>>> +	google.com.bd
>>>> +	google.com.bh
>>>> +	google.com.bn
>>>> +	google.com.bo
>>>> +	google.com.br
>>>> +	google.com.bz
>>>> +	google.com.co
>>>> +	google.com.cu
>>>> +	google.com.cy
>>>> +	google.com.do
>>>> +	google.com.ec
>>>> +	google.com.eg
>>>> +	google.com.et
>>>> +	google.com.fj
>>>> +	google.com.gh
>>>> +	google.com.gi
>>>> +	google.com.gt
>>>> +	google.com.hk
>>>> +	google.com.jm
>>>> +	google.com.kh
>>>> +	google.com.kw
>>>> +	google.com.lb
>>>> +	google.com.ly
>>>> +	google.com.mm
>>>> +	google.com.mt
>>>> +	google.com.mx
>>>> +	google.com.my
>>>> +	google.com.na
>>>> +	google.com.nf
>>>> +	google.com.ng
>>>> +	google.com.ni
>>>> +	google.com.np
>>>> +	google.com.om
>>>> +	google.com.pa
>>>> +	google.com.pe
>>>> +	google.com.pg
>>>> +	google.com.ph
>>>> +	google.com.pk
>>>> +	google.com.pr
>>>> +	google.com.py
>>>> +	google.com.qa
>>>> +	google.com.sa
>>>> +	google.com.sb
>>>> +	google.com.sg
>>>> +	google.com.sl
>>>> +	google.com.sv
>>>> +	google.com.tj
>>>> +	google.com.tr
>>>> +	google.com.tw
>>>> +	google.com.ua
>>>> +	google.com.uy
>>>> +	google.com.vc
>>>> +	google.com.vn
>>>> +	google.co.mz
>>>> +	google.co.nz
>>>> +	google.co.th
>>>> +	google.co.tz
>>>> +	google.co.ug
>>>> +	google.co.uk
>>>> +	google.co.uz
>>>> +	google.co.ve
>>>> +	google.co.vi
>>>> +	google.co.za
>>>> +	google.co.zm
>>>> +	google.co.zw
>>>> +	google.cv
>>>> +	google.cz
>>>> +	google.de
>>>> +	google.dj
>>>> +	google.dk
>>>> +	google.dm
>>>> +	google.dz
>>>> +	google.ee
>>>> +	google.es
>>>> +	google.fi
>>>> +	google.fm
>>>> +	google.fr
>>>> +	google.ga
>>>> +	google.ge
>>>> +	google.gg
>>>> +	google.gl
>>>> +	google.gm
>>>> +	google.gp
>>>> +	google.gr
>>>> +	google.gy
>>>> +	google.hn
>>>> +	google.hr
>>>> +	google.ht
>>>> +	google.hu
>>>> +	google.ie
>>>> +	google.im
>>>> +	google.iq
>>>> +	google.is
>>>> +	google.it
>>>> +	google.je
>>>> +	google.jo
>>>> +	google.kg
>>>> +	google.ki
>>>> +	google.kz
>>>> +	google.la
>>>> +	google.li
>>>> +	google.lk
>>>> +	google.lt
>>>> +	google.lu
>>>> +	google.lv
>>>> +	google.md
>>>> +	google.me
>>>> +	google.mg
>>>> +	google.mk
>>>> +	google.ml
>>>> +	google.mn
>>>> +	google.ms
>>>> +	google.mu
>>>> +	google.mv
>>>> +	google.mw
>>>> +	google.ne
>>>> +	google.nl
>>>> +	google.no
>>>> +	google.nr
>>>> +	google.nu
>>>> +	google.pl
>>>> +	google.pn
>>>> +	google.ps
>>>> +	google.pt
>>>> +	google.ro
>>>> +	google.rs
>>>> +	google.ru
>>>> +	google.rw
>>>> +	google.sc
>>>> +	google.se
>>>> +	google.sh
>>>> +	google.si
>>>> +	google.sk
>>>> +	google.sm
>>>> +	google.sn
>>>> +	google.so
>>>> +	google.sr
>>>> +	google.st
>>>> +	google.td
>>>> +	google.tg
>>>> +	google.tk
>>>> +	google.tl
>>>> +	google.tm
>>>> +	google.tn
>>>> +	google.to
>>>> +	google.tt
>>>> +	google.vg
>>>> +	google.vu
>>>> +	google.ws
>>>> +)
>>>> +
>>>> # Load optional configuration
>>>> [ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound
>>>> 
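Review bot: GOOGLE_TLDS holds full Google domains (from google.ad to google.ws), not TLDs, and about 190 of them are hard-coded in the initscript itself, so every change to Google's set of domains needs a new initscript. A name such as GOOGLE_DOMAINS and a separate data file read at start would be easier to maintain and to review. Because the array is assigned before /etc/sysconfig/unbound is sourced, that file can replace the whole list; if that is intended, say so in a comment. The ( ... ) array syntax also requires the script to run under bash rather than plain sh.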
>>>> @@ -481,6 +678,21 @@ fix_time_if_dns_fail() {
>>>> 	fi
>>>> }
>>>> 
>>>> +# Sets up Safe Search for various search engines
>>>> +setup_safe_search() {
>>>> +	# Nothing to do if safe search is not enabled
>>>> +	if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
>>>> +		return 0
>>>> +	fi
>>>> +
>>>> +	local domain
>>>> +
>>>> +	# Google
>>>> +	for domain in ${GOOGLE_TLDS[@]}; do
>>>> +		unbound-control local_data "${domain} CNAME forcesafesearch.google.com."
>>>> +	done
>>>> +}
>>>> +
>>>> case "$1" in
>>>> 	start)
>>>> 		# Print a nicer messagen when unbound is already running
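Review bot: in the loop of setup_safe_search(), the exit status of each unbound-control local_data call is discarded and ${GOOGLE_TLDS[@]} is expanded unquoted, so a failed insert in the middle of the list goes unnoticed and Safe Search ends up only partially applied. Quote the expansion as "${GOOGLE_TLDS[@]}" and log or return an error when unbound-control fails. The record is also created for ${domain} itself and not for a www. name, while the reply at the top of this thread states that the rewrite applies to www.google.com only; the owner name here should match what is intended.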
>>>> @@ -501,6 +713,9 @@ case "$1" in
>>>> 		# Make own hostname resolveable
>>>> 		own_hostname
>>>> 
>>>> +		# Setup Safe Search
>>>> +		setup_safe_search
>>>> +
>>>> 		# Update any known forwarding name servers
>>>> 		update_forwarders
>>>> 
>>>> 
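Review bot: setup_safe_search is called only from the start) branch and its return value is ignored. Records added with unbound-control local_data live in the running daemon, so changing ENABLE_SAFE_SEARCH in /etc/sysconfig/unbound has no effect until the next start, and the visible code has no counterpart that removes the records when the switch is turned off. Consider calling it from any reload path as well, and removing the names when the value is not "on".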
>>> 
>> 
>> 
> 

