public inbox for development@lists.ipfire.org
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] unbound: Configure Safe Search dynamically
Date: Mon, 09 Dec 2019 23:36:59 +0000	[thread overview]
Message-ID: <20191209233659.3767-1-michael.tremer@ipfire.org> (raw)


The safe search code relied on working DNS resolution, but
was executed before unbound was even started and no network
was brought up.

That resulted in no records being created and nothing being
filtered.

This will now set/reset safe search when the system connects
to the Internet.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 config/rootfiles/common/aarch64/initscripts      |   1 +
 config/rootfiles/common/armv5tel/initscripts     |   1 +
 config/rootfiles/common/i586/initscripts         |   1 +
 config/rootfiles/common/x86_64/initscripts       |   1 +
 src/initscripts/networking/red.up/06-safe-search |   3 +
 src/initscripts/system/unbound                   | 100 +++++++++++++----------
 6 files changed, 65 insertions(+), 42 deletions(-)
 create mode 100644 src/initscripts/networking/red.up/06-safe-search

diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
index 202da7372..6b08fcac6 100644
--- a/config/rootfiles/common/aarch64/initscripts
+++ b/config/rootfiles/common/aarch64/initscripts
@@ -51,6 +51,7 @@ etc/rc.d/init.d/networking/red.down/99-beep
 #etc/rc.d/init.d/networking/red.up
 etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
 etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
+etc/rc.d/init.d/networking/red.up/06-safe-search
 etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/10-static-routes
diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
index 202da7372..6b08fcac6 100644
--- a/config/rootfiles/common/armv5tel/initscripts
+++ b/config/rootfiles/common/armv5tel/initscripts
@@ -51,6 +51,7 @@ etc/rc.d/init.d/networking/red.down/99-beep
 #etc/rc.d/init.d/networking/red.up
 etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
 etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
+etc/rc.d/init.d/networking/red.up/06-safe-search
 etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/10-static-routes
diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
index 9d4f7e5f3..23b1938f4 100644
--- a/config/rootfiles/common/i586/initscripts
+++ b/config/rootfiles/common/i586/initscripts
@@ -51,6 +51,7 @@ etc/rc.d/init.d/networking/red.down/99-beep
 #etc/rc.d/init.d/networking/red.up
 etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
 etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
+etc/rc.d/init.d/networking/red.up/06-safe-search
 etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/10-static-routes
diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
index 9d4f7e5f3..23b1938f4 100644
--- a/config/rootfiles/common/x86_64/initscripts
+++ b/config/rootfiles/common/x86_64/initscripts
@@ -51,6 +51,7 @@ etc/rc.d/init.d/networking/red.down/99-beep
 #etc/rc.d/init.d/networking/red.up
 etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
 etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
+etc/rc.d/init.d/networking/red.up/06-safe-search
 etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/10-static-routes
diff --git a/src/initscripts/networking/red.up/06-safe-search b/src/initscripts/networking/red.up/06-safe-search
new file mode 100644
index 000000000..14ff93b45
--- /dev/null
+++ b/src/initscripts/networking/red.up/06-safe-search
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+exec /etc/init.d/unbound update-safe-search
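Review bot: the new hook is added with mode 100644; if the red.up scripts are executed directly by the networking init rather than sourced, this file needs to be 100755 (or the call in this hunk never runs). Also worth confirming that the 06 ordering is intentional: it runs after 05-update-dns-forwarders, which is the right order since update_safe_search depends on resolve() working against the freshly configured forwarders.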
diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
index 8eaf3734a..61d62beb1 100644
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -549,7 +549,7 @@ resolve() {
 }
 
 # Sets up Safe Search for various search engines
-write_safe_search_conf() {
+update_safe_search() {
 	local google_tlds=(
 		google.ad
 		google.ae
@@ -746,51 +746,59 @@ write_safe_search_conf() {
 		google.ws
 	)
 
-	(
-		# Nothing to do if safe search is not enabled
-		if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
-			exit 0
-		fi
+	# Cleanup previous settings
+	unbound-control local_zone_remove "bing.com" >/dev/null
+	unbound-control local_zone_remove "duckduckgo.com" >/dev/null
+	unbound-control local_zone_remove "yandex.com" >/dev/null
+	unbound-control local_zone_remove "yandex.ru" >/dev/null
+	unbound-control local_zone_remove "youtube.com" >/dev/null
 
-		# This all belongs into the server: section
-		echo "server:"
+	local domain
+	for domain in ${google_tlds[@]}; do
+		unbound-control local_zone_remove "${domain}"
+	done >/dev/null
 
-		# Bing
-		echo "	local-zone: bing.com transparent"
-		for address in $(resolve "strict.bing.com"); do
-			echo "	local-data: \"www.bing.com ${LOCAL_TTL} IN A ${address}\""
-		done
+	# Nothing to do if safe search is not enabled
+	if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
+		return 0
+	fi
 
-		# DuckDuckGo
-		echo "	local-zone: duckduckgo.com typetransparent"
-		for address in $(resolve "safe.duckduckgo.com"); do
-			echo "	local-data: \"duckduckgo.com ${LOCAL_TTL} IN A ${address}\""
-		done
+	# Bing
+	unbound-control bing.com transparent >/dev/null
+	for address in $(resolve "strict.bing.com"); do
+		unbound-control local_data "www.bing.com ${LOCAL_TTL} IN A ${address}"
+	done >/dev/null
+
+	# DuckDuckGo
+	unbound-control local_zone duckduckgo.com typetransparent >/dev/null
+	for address in $(resolve "safe.duckduckgo.com"); do
+		unbound-control local_data "duckduckgo.com ${LOCAL_TTL} IN A ${address}"
+	done >/dev/null
+
+	# Google
+	local addresses="$(resolve "forcesafesearch.google.com")"
+	for domain in ${google_tlds[@]}; do
+		unbound-control local_zone "${domain}" transparent >/dev/null
+		for address in ${addresses}; do
+			unbound-control local_data: "www.${domain} ${LOCAL_TTL} IN A ${address}"
+		done >/dev/null
+	done
 
-		# Google
-		addresses="$(resolve "forcesafesearch.google.com")"
-		local domain
-		for domain in ${google_tlds[@]}; do
-			echo "	local-zone: ${domain} transparent"
-			for address in ${addresses}; do
-				echo "	local-data: \"www.${domain} ${LOCAL_TTL} IN A ${address}\""
-			done
-		done
+	# Yandex
+	for domain in yandex.com yandex.ru; do
+		unbound-control local_zone "${domain}" typetransparent >/dev/null
+		for address in $(resolve "familysearch.${domain}"); do
+			unbound-control local_data "${domain} ${LOCAL_TTL} IN A ${address}"
+		done >/dev/null
+	done
 
-		# Yandex
-		for domain in yandex.com yandex.ru; do
-			echo "	local-zone: ${domain} typetransparent"
-			for address in $(resolve "familysearch.${domain}"); do
-				echo "	local-data: \"${domain} ${LOCAL_TTL} IN A ${address}\""
-			done
-		done
+	# YouTube
+	unbound-control local_zone youtube.com transparent >/dev/null
+	for address in $(resolve "restrictmoderate.youtube.com"); do
+		unbound-control local_data "www.youtube.com ${LOCAL_TTL} IN A ${address}"
+	done >/dev/null
 
-		# YouTube
-		echo "	local-zone: youtube.com transparent"
-		for address in $(resolve "restrictmoderate.youtube.com"); do
-			echo "	local-data: \"www.youtube.com ${LOCAL_TTL} IN A ${address}\""
-		done
-	) > /etc/unbound/safe-search.conf
+	return 0
 }
 
 case "$1" in
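Review bot: two unbound-control invocations in this hunk are malformed. In the Bing section `unbound-control bing.com transparent >/dev/null` is missing the `local_zone` subcommand, so unbound-control rejects it and the bing.com transparent zone is never created as intended; it should read `unbound-control local_zone bing.com transparent >/dev/null`. In the Google loop `unbound-control local_data: "www.${domain} ${LOCAL_TTL} IN A ${address}"` carries a stray colon (`local_data:` is not a command), so none of the Google records are installed; it should be `unbound-control local_data "www.${domain} ${LOCAL_TTL} IN A ${address}"`. Both slipped in from the old `local-zone:`/`local-data:` config syntax this hunk replaces, so a quick `unbound-control update-safe-search` on a test box would have shown the errors on stderr (only stdout is redirected). Two smaller points: the function always returns 0 even when every resolve() call returns nothing, so callers cannot tell whether any filtering is actually in place, and since every unbound-control call fails when the control socket is unreachable, consider checking the exit status of the first call and returning early instead of issuing a few hundred failing calls. Style: `${google_tlds[@]}` should be quoted as `"${google_tlds[@]}"`.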
@@ -806,7 +814,6 @@ case "$1" in
 		# Update configuration files
 		write_tuning_conf
 		write_forward_conf
-		write_safe_search_conf
 
 		boot_mesg "Starting Unbound DNS Proxy..."
 		loadproc /usr/sbin/unbound || exit $?
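Review bot: dropping the write_safe_search_conf call leaves any /etc/unbound/safe-search.conf written by the previous version in place on upgraded systems. If unbound.conf still includes that file, its stale static local-zone/local-data entries are loaded at start and then mixed with the dynamic ones added by update_safe_search (the local_zone_remove cleanup would drop them again on the first update, but only once the system is online). Suggest removing the stale file here (e.g. `rm -f /etc/unbound/safe-search.conf`) and dropping the include together with this change.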
@@ -817,6 +824,11 @@ case "$1" in
 		# Update any known forwarding name servers
 		update_forwarders
 
+		# Install Safe Search rules when the system is already online
+		if [ -e "/var/ipfire/red/active" ]; then
+			update_safe_search
+		fi
+
 		# Update hosts
 		update_hosts
 
@@ -905,8 +917,12 @@ case "$1" in
 		resolve "${2}"
 		;;
 
+	update-safe-search)
+		update_safe_search
+		;;
+
 	*)
-		echo "Usage: $0 {start|stop|restart|status|update-forwarders|remove-forwarders|test-name-server|resolve}"
+		echo "Usage: $0 {start|stop|restart|status|update-forwarders|remove-forwarders|test-name-server|resolve|update-safe-search}"
 		exit 1
 		;;
 esac
-- 
2.12.2

