From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [RFC PATCH 1/8] unbound: Add switch to enable Google Safe Search
Date: Wed, 15 May 2019 18:57:09 +0100
Message-ID: <6862D800-8DB2-4F87-8C9B-0465C356D400@ipfire.org>
In-Reply-To: <1557912652436.817208.60bbab54bd8108d5aee46bfdab1b18772ea02224@spica.telekom.de>

Cool. Have a nice one!
> On 15 May 2019, at 10:30, fischerm42(a)t-online.de wrote:
>
> Hi,
>
> will take a look when we're back from vacation.
>
> Best,
> Matthias
>
>
> -----Original Message-----
> Subject: Re: [RFC PATCH 1/8] unbound: Add switch to enable Google Safe Search
> Date: 2019-05-13T17:47:58+0200
> From: "Michael Tremer" <michael.tremer(a)ipfire.org>
> To: "Matthias Fischer" <matthias.fischer(a)ipfire.org>
>
> Hi,
>
> There is no rewrite happening on google.com, only www.google.com.
>
> The output looks fine.
>
> I have decided to merge this patchset and we will ship it, but there is no way for users to activate it yet apart from manually editing the configuration file.
>
> There must be some UI element later. That gives us some extra time to test it.
>
> Can you apply the latest configuration and initscript from next and run tests again?
>
> -Michael
>
>> On 3 May 2019, at 12:21, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>
>> On 03.05.2019 10:54, Michael Tremer wrote:
>>> Hi,
>>
>> Hi,
>>
>>> What happens when you run “dig google.com” on the console?
>>
>> In browser, https://www.google.de/ gives me:
>>
>> "Hmm. We’re having trouble finding that site."
>>
>> 'dig' results:
>>
>> ***SNIP***
>> root(a)ipfire: /etc/init.d # dig google.com
>>
>> ; <<>> DiG 9.11.6-P1 <<>> google.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25720
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;google.com. IN A
>>
>> ;; ANSWER SECTION:
>> google.com. 108 IN A 216.58.205.238
>>
>> ;; Query time: 418 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Fri May 03 13:09:28 CEST 2019
>> ;; MSG SIZE rcvd: 55
>> ***SNAP***
>>
>> ***SNIP***
>> root(a)ipfire: /etc/unbound # dig bing.com
>>
>> ; <<>> DiG 9.11.6-P1 <<>> bing.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45651
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;bing.com. IN A
>>
>> ;; ANSWER SECTION:
>> bing.com. 191 IN A 13.107.21.200
>> bing.com. 191 IN A 204.79.197.200
>>
>> ;; Query time: 158 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Fri May 03 13:12:11 CEST 2019
>> ;; MSG SIZE rcvd: 69
>> ***SNAP***
>>
>> ***SNIP***
>> root(a)ipfire: /etc/unbound # dig duckduckgo.com
>>
>> ; <<>> DiG 9.11.6-P1 <<>> duckduckgo.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2573
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;duckduckgo.com. IN A
>>
>> ;; ANSWER SECTION:
>> duckduckgo.com. 3600 IN CNAME safe.duckduckgo.com.
>>
>> ;; Query time: 0 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Fri May 03 13:13:15 CEST 2019
>> ;; MSG SIZE rcvd: 62
>> ***SNAP***
>>
>> ***SNIP***
>> root(a)ipfire: /etc/unbound # dig yandex.ru
>>
>> ; <<>> DiG 9.11.6-P1 <<>> yandex.ru
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43047
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;yandex.ru. IN A
>>
>> ;; ANSWER SECTION:
>> yandex.ru. 3600 IN A 213.180.193.56
>>
>> ;; Query time: 0 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Fri May 03 13:14:02 CEST 2019
>> ;; MSG SIZE rcvd: 54
>> ***SNAP***
>>
>> The only site I can open in browser after restarting 'unbound' with
>> "ENABLE_SAFE_SEARCH=on" is 'yandex.ru'. All others respond with "Server
>> not found".
>>
>> HTH,
>> Matthias
>>
>>> The zones should be transparent and resolve any names that are not overlaid by the user-data.
>>>
>>> -Michael
>>>
>>>> On 1 May 2019, at 15:11, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>>>
>>>> Hi,
>>>>
>>>> Hm. Did I miss something?
>>>>
>>>> Testing the Safesearch-Feature gives me:
>>>>
>>>> "Hmm. We’re having trouble finding that site.
>>>>
>>>> We can’t connect to the server at www.google.de."
>>>>
>>>> => I can't connect to ANY of the now "safe searching" search engines.
>>>>
>>>> Only https://yandex.ru/ works...
>>>>
>>>> Best,
>>>> Matthias
>>>>
>>>> On 30.04.2019 18:16, Michael Tremer wrote:
>>>>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
>>>>> ---
>>>>> src/initscripts/system/unbound | 215 +++++++++++++++++++++++++++++++++++++++++
>>>>> 1 file changed, 215 insertions(+)
>>>>>
>>>>> diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
>>>>> index fbb096e0d..4ac8331dc 100644
>>>>> --- a/src/initscripts/system/unbound
>>>>> +++ b/src/initscripts/system/unbound
>>>>> @@ -14,6 +14,7 @@ TEST_DOMAIN_FAIL="dnssec-failed.org"
>>>>>
>>>>> INSECURE_ZONES=
>>>>> USE_FORWARDERS=1
>>>>> +ENABLE_SAFE_SEARCH=off
>>>>>
>>>>> # Cache any local zones for 60 seconds
>>>>> LOCAL_TTL=60
>>>>> @@ -21,6 +22,202 @@ LOCAL_TTL=60
>>>>> # EDNS buffer size
>>>>> EDNS_DEFAULT_BUFFER_SIZE=4096
>>>>>
>>>>> +GOOGLE_TLDS=(
>>>>> + google.ad
>>>>> + google.ae
>>>>> + google.al
>>>>> + google.am
>>>>> + google.as
>>>>> + google.at
>>>>> + google.az
>>>>> + google.ba
>>>>> + google.be
>>>>> + google.bf
>>>>> + google.bg
>>>>> + google.bi
>>>>> + google.bj
>>>>> + google.bs
>>>>> + google.bt
>>>>> + google.by
>>>>> + google.ca
>>>>> + google.cat
>>>>> + google.cd
>>>>> + google.cf
>>>>> + google.cg
>>>>> + google.ch
>>>>> + google.ci
>>>>> + google.cl
>>>>> + google.cm
>>>>> + google.cn
>>>>> + google.co.ao
>>>>> + google.co.bw
>>>>> + google.co.ck
>>>>> + google.co.cr
>>>>> + google.co.id
>>>>> + google.co.il
>>>>> + google.co.in
>>>>> + google.co.jp
>>>>> + google.co.ke
>>>>> + google.co.kr
>>>>> + google.co.ls
>>>>> + google.com
>>>>> + google.co.ma
>>>>> + google.com.af
>>>>> + google.com.ag
>>>>> + google.com.ai
>>>>> + google.com.ar
>>>>> + google.com.au
>>>>> + google.com.bd
>>>>> + google.com.bh
>>>>> + google.com.bn
>>>>> + google.com.bo
>>>>> + google.com.br
>>>>> + google.com.bz
>>>>> + google.com.co
>>>>> + google.com.cu
>>>>> + google.com.cy
>>>>> + google.com.do
>>>>> + google.com.ec
>>>>> + google.com.eg
>>>>> + google.com.et
>>>>> + google.com.fj
>>>>> + google.com.gh
>>>>> + google.com.gi
>>>>> + google.com.gt
>>>>> + google.com.hk
>>>>> + google.com.jm
>>>>> + google.com.kh
>>>>> + google.com.kw
>>>>> + google.com.lb
>>>>> + google.com.ly
>>>>> + google.com.mm
>>>>> + google.com.mt
>>>>> + google.com.mx
>>>>> + google.com.my
>>>>> + google.com.na
>>>>> + google.com.nf
>>>>> + google.com.ng
>>>>> + google.com.ni
>>>>> + google.com.np
>>>>> + google.com.om
>>>>> + google.com.pa
>>>>> + google.com.pe
>>>>> + google.com.pg
>>>>> + google.com.ph
>>>>> + google.com.pk
>>>>> + google.com.pr
>>>>> + google.com.py
>>>>> + google.com.qa
>>>>> + google.com.sa
>>>>> + google.com.sb
>>>>> + google.com.sg
>>>>> + google.com.sl
>>>>> + google.com.sv
>>>>> + google.com.tj
>>>>> + google.com.tr
>>>>> + google.com.tw
>>>>> + google.com.ua
>>>>> + google.com.uy
>>>>> + google.com.vc
>>>>> + google.com.vn
>>>>> + google.co.mz
>>>>> + google.co.nz
>>>>> + google.co.th
>>>>> + google.co.tz
>>>>> + google.co.ug
>>>>> + google.co.uk
>>>>> + google.co.uz
>>>>> + google.co.ve
>>>>> + google.co.vi
>>>>> + google.co.za
>>>>> + google.co.zm
>>>>> + google.co.zw
>>>>> + google.cv
>>>>> + google.cz
>>>>> + google.de
>>>>> + google.dj
>>>>> + google.dk
>>>>> + google.dm
>>>>> + google.dz
>>>>> + google.ee
>>>>> + google.es
>>>>> + google.fi
>>>>> + google.fm
>>>>> + google.fr
>>>>> + google.ga
>>>>> + google.ge
>>>>> + google.gg
>>>>> + google.gl
>>>>> + google.gm
>>>>> + google.gp
>>>>> + google.gr
>>>>> + google.gy
>>>>> + google.hn
>>>>> + google.hr
>>>>> + google.ht
>>>>> + google.hu
>>>>> + google.ie
>>>>> + google.im
>>>>> + google.iq
>>>>> + google.is
>>>>> + google.it
>>>>> + google.je
>>>>> + google.jo
>>>>> + google.kg
>>>>> + google.ki
>>>>> + google.kz
>>>>> + google.la
>>>>> + google.li
>>>>> + google.lk
>>>>> + google.lt
>>>>> + google.lu
>>>>> + google.lv
>>>>> + google.md
>>>>> + google.me
>>>>> + google.mg
>>>>> + google.mk
>>>>> + google.ml
>>>>> + google.mn
>>>>> + google.ms
>>>>> + google.mu
>>>>> + google.mv
>>>>> + google.mw
>>>>> + google.ne
>>>>> + google.nl
>>>>> + google.no
>>>>> + google.nr
>>>>> + google.nu
>>>>> + google.pl
>>>>> + google.pn
>>>>> + google.ps
>>>>> + google.pt
>>>>> + google.ro
>>>>> + google.rs
>>>>> + google.ru
>>>>> + google.rw
>>>>> + google.sc
>>>>> + google.se
>>>>> + google.sh
>>>>> + google.si
>>>>> + google.sk
>>>>> + google.sm
>>>>> + google.sn
>>>>> + google.so
>>>>> + google.sr
>>>>> + google.st
>>>>> + google.td
>>>>> + google.tg
>>>>> + google.tk
>>>>> + google.tl
>>>>> + google.tm
>>>>> + google.tn
>>>>> + google.to
>>>>> + google.tt
>>>>> + google.vg
>>>>> + google.vu
>>>>> + google.ws
>>>>> +)
>>>>> +
>>>>> # Load optional configuration
>>>>> [ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound
>>>>>
>>>>> @@ -481,6 +678,21 @@ fix_time_if_dns_fail() {
>>>>> fi
>>>>> }
>>>>>
>>>>> +# Sets up Safe Search for various search engines
>>>>> +setup_safe_search() {
>>>>> + # Nothing to do if safe search is not enabled
>>>>> + if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
>>>>> + return 0
>>>>> + fi
>>>>> +
>>>>> + local domain
>>>>> +
>>>>> + # Google
>>>>> + for domain in ${GOOGLE_TLDS[@]}; do
>>>>> + unbound-control local_data "${domain} CNAME forcesafesearch.google.com."
>>>>> + done
>>>>> +}
>>>>> +
>>>>> case "$1" in
>>>>> start)
>>>>> # Print a nicer messagen when unbound is already running
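Review bot: In the "for domain in ${GOOGLE_TLDS[@]}" loop of setup_safe_search, the CNAME is installed on the bare name (google.de) rather than on the host that was actually tested in a browser in this thread (www.google.de), and nothing confirms that clients receive an address along with the CNAME; the duckduckgo.com dig output quoted earlier in this thread shows a CNAME-only answer with no A record. Consider adding the record for www.${domain}, verifying with dig that the answer contains an address, and quoting the expansion as "${GOOGLE_TLDS[@]}".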
>>>>> @@ -501,6 +713,9 @@ case "$1" in
>>>>> # Make own hostname resolveable
>>>>> own_hostname
>>>>>
>>>>> + # Setup Safe Search
>>>>> + setup_safe_search
>>>>> +
>>>>> # Update any known forwarding name servers
>>>>> update_forwarders
>>>>>
>>>>>
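Review bot: At the new call in the start branch, the result of setup_safe_search is ignored, so with ENABLE_SAFE_SEARCH=on a failed unbound-control call leaves the resolver running without the overrides and without any message. Since this is a filtering control, log a warning (or fail the start) when the function returns non-zero, which also requires the function to propagate the exit status of its unbound-control calls.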
>>>>
>>>
>>>
>>
>
>
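A check for the failure discussed in this thread, as an added example that is not part of the original messages or of the IPFire initscript: it classifies a dig answer section so that a CNAME-only answer (as in the quoted duckduckgo.com output) is told apart from a complete rewrite. The function name classify_answer, the sample helpers and the 192.0.2.10 address are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: classify what a resolver returned for a safe-search name.
# On a live system (dig's +noall +answer prints only the answer section):
#   dig +noall +answer www.google.de @127.0.0.1 | classify_answer forcesafesearch.google.com

# classify_answer TARGET: reads answer-section lines on stdin, prints one of
#   rewritten      CNAME to TARGET plus an address record for TARGET
#   cname-only     CNAME to TARGET, but no address for a client to connect to
#   unexpected     CNAME to some other name
#   not-rewritten  plain address records, no CNAME
#   no-answer      nothing usable
classify_answer() {
    awk -v target="${1%.}." '
        BEGIN { t = tolower(target) }
        /^;/ || NF < 5 { next }            # skip dig comments and blank lines
        $4 == "CNAME" { if (tolower($5) == t) cname = 1; else other = 1; next }
        $4 == "A" || $4 == "AAAA" { if (tolower($1) == t) taddr = 1; else addr = 1 }
        END {
            if (cname && taddr)      print "rewritten"
            else if (cname)          print "cname-only"
            else if (other)          print "unexpected"
            else if (addr || taddr)  print "not-rewritten"
            else                     print "no-answer"
        }'
}

# Answer sections quoted in the thread above
answer_duckduckgo() { printf '%s\n' 'duckduckgo.com. 3600 IN CNAME safe.duckduckgo.com.'; }
answer_google()     { printf '%s\n' 'google.com. 108 IN A 216.58.205.238'; }
# Constructed sample of a complete rewrite (192.0.2.10 is a documentation address)
answer_complete() {
    printf '%s\n' 'www.google.de. 60 IN CNAME forcesafesearch.google.com.' \
                  'forcesafesearch.google.com. 300 IN A 192.0.2.10'
}

echo "duckduckgo.com: $(answer_duckduckgo | classify_answer safe.duckduckgo.com)"
echo "google.com:     $(answer_google | classify_answer forcesafesearch.google.com)"
echo "constructed:    $(answer_complete | classify_answer forcesafesearch.google.com)"
```

Run against each configured search domain after restarting unbound, any result other than "rewritten" means the override is not effective for clients.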