Cool. Have a nice one!

> On 15 May 2019, at 10:30, fischerm42(a)t-online.de wrote:
>
> Hi,
>
> will take a look when we're back from vacation.
>
> Best,
> Matthias
>
>
> -----Original Message-----
> Subject: Re: [RFC PATCH 1/8] unbound: Add switch to enable Google Safe Search
> Date: 2019-05-13T17:47:58+0200
> From: "Michael Tremer"
> To: "Matthias Fischer"
>
> Hi,
>
> There is no rewrite happening on google.com, only www.google.com.
>
> The output looks fine.
>
> I have decided to merge this patchset and we will ship it, but there is no way for users to activate it yet apart from manually editing the configuration file.
>
> There must be some UI element later. That gives us some extra time to test it.
>
> Can you apply the latest configuration and initscript from next and run tests again?
>
> -Michael
>
>> On 3 May 2019, at 12:21, Matthias Fischer wrote:
>>
>> On 03.05.2019 10:54, Michael Tremer wrote:
>>> Hi,
>>
>> Hi,
>>
>>> What happens when you run “dig google.com” on the console?
>>
>> In browser, https://www.google.de/ gives me:
>>
>> "Hmm. We’re having trouble finding that site."
>>
>> 'dig' results:
>>
>> ***SNIP***
>> root(a)ipfire: /etc/init.d # dig google.com
>>
>> ; <<>> DiG 9.11.6-P1 <<>> google.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25720
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;google.com. IN A
>>
>> ;; ANSWER SECTION:
>> google.com. 108 IN A 216.58.205.238
>>
>> ;; Query time: 418 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Fri May 03 13:09:28 CEST 2019
>> ;; MSG SIZE rcvd: 55
>> ***SNAP***
>>
>> ***SNIP***
>> root(a)ipfire: /etc/unbound # dig bing.com
>>
>> ; <<>> DiG 9.11.6-P1 <<>> bing.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45651
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;bing.com. IN A
>>
>> ;; ANSWER SECTION:
>> bing.com. 191 IN A 13.107.21.200
>> bing.com. 191 IN A 204.79.197.200
>>
>> ;; Query time: 158 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Fri May 03 13:12:11 CEST 2019
>> ;; MSG SIZE rcvd: 69
>> ***SNAP***
>>
>> ***SNIP***
>> root(a)ipfire: /etc/unbound # dig duckduckgo.com
>>
>> ; <<>> DiG 9.11.6-P1 <<>> duckduckgo.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2573
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;duckduckgo.com. IN A
>>
>> ;; ANSWER SECTION:
>> duckduckgo.com. 3600 IN CNAME safe.duckduckgo.com.
>>
>> ;; Query time: 0 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Fri May 03 13:13:15 CEST 2019
>> ;; MSG SIZE rcvd: 62
>> ***SNAP***
>>
>> ***SNIP***
>> root(a)ipfire: /etc/unbound # dig yandex.ru
>>
>> ; <<>> DiG 9.11.6-P1 <<>> yandex.ru
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43047
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;yandex.ru. IN A
>>
>> ;; ANSWER SECTION:
>> yandex.ru. 3600 IN A 213.180.193.56
>>
>> ;; Query time: 0 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Fri May 03 13:14:02 CEST 2019
>> ;; MSG SIZE rcvd: 54
>> ***SNAP***
>>
>> The only site I can open in browser after restarting 'unbound' with
>> "ENABLE_SAFE_SEARCH=on" is 'yandex.ru'. All others respond with "Server
>> not found".
>>
>> HTH,
>> Matthias
>>
>>> The zones should be transparent and resolve any names that are not overlaid by the user-data.
>>>
>>> -Michael
>>>
>>>> On 1 May 2019, at 15:11, Matthias Fischer wrote:
>>>>
>>>> Hi,
>>>>
>>>> Hm. Did I miss something?
>>>>
>>>> Testing the Safesearch-Feature gives me:
>>>>
>>>> "Hmm. We’re having trouble finding that site.
>>>>
>>>> We can’t connect to the server at www.google.de."
>>>>
>>>> => I can't connect to ANY of the now "safe searching" search engines.
>>>>
>>>> Only https://yandex.ru/ works...
>>>>
>>>> Best,
>>>> Matthias
>>>>
>>>> On 30.04.2019 18:16, Michael Tremer wrote:
>>>>> Signed-off-by: Michael Tremer >>>>> --- >>>>> src/initscripts/system/unbound | 215 +++++++++++++++++++++++++++++++++++++++++ >>>>> 1 file changed, 215 insertions(+) >>>>> >>>>> diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound >>>>> index fbb096e0d..4ac8331dc 100644 >>>>> --- a/src/initscripts/system/unbound >>>>> +++ b/src/initscripts/system/unbound >>>>> @@ -14,6 +14,7 @@ TEST_DOMAIN_FAIL="dnssec-failed.org" >>>>> >>>>> INSECURE_ZONES= >>>>> USE_FORWARDERS=1 >>>>> +ENABLE_SAFE_SEARCH=off >>>>> >>>>> # Cache any local zones for 60 seconds >>>>> LOCAL_TTL=60 
>>>>> @@ -21,6 +22,202 @@ LOCAL_TTL=60 >>>>> # EDNS buffer size >>>>> EDNS_DEFAULT_BUFFER_SIZE=4096 >>>>> >>>>> +GOOGLE_TLDS=( >>>>> + google.ad >>>>> + google.ae >>>>> + google.al >>>>> + google.am >>>>> + google.as >>>>> + google.at >>>>> + google.az >>>>> + google.ba >>>>> + google.be >>>>> + google.bf >>>>> + google.bg >>>>> + google.bi >>>>> + google.bj >>>>> + google.bs >>>>> + google.bt >>>>> + google.by >>>>> + google.ca >>>>> + google.cat >>>>> + google.cd >>>>> + google.cf >>>>> + google.cg >>>>> + google.ch >>>>> + google.ci >>>>> + google.cl >>>>> + google.cm >>>>> + google.cn >>>>> + google.co.ao >>>>> + google.co.bw >>>>> + google.co.ck >>>>> + google.co.cr >>>>> + google.co.id >>>>> + google.co.il >>>>> + google.co.in >>>>> + google.co.jp >>>>> + google.co.ke >>>>> + google.co.kr >>>>> + google.co.ls >>>>> + google.com >>>>> + google.co.ma >>>>> + google.com.af >>>>> + google.com.ag >>>>> + google.com.ai >>>>> + google.com.ar >>>>> + google.com.au >>>>> + google.com.bd >>>>> + google.com.bh >>>>> + google.com.bn >>>>> + google.com.bo >>>>> + google.com.br >>>>> + google.com.bz >>>>> + google.com.co >>>>> + google.com.cu >>>>> + google.com.cy >>>>> + google.com.do >>>>> + google.com.ec >>>>> + google.com.eg >>>>> + google.com.et >>>>> + google.com.fj >>>>> + google.com.gh >>>>> + google.com.gi >>>>> + google.com.gt >>>>> + google.com.hk >>>>> + google.com.jm >>>>> + google.com.kh >>>>> + google.com.kw >>>>> + google.com.lb >>>>> + google.com.ly >>>>> + google.com.mm >>>>> + google.com.mt >>>>> + google.com.mx >>>>> + google.com.my >>>>> + google.com.na >>>>> + google.com.nf >>>>> + google.com.ng >>>>> + google.com.ni >>>>> + google.com.np >>>>> + google.com.om >>>>> + google.com.pa >>>>> + google.com.pe >>>>> + google.com.pg >>>>> + google.com.ph >>>>> + google.com.pk >>>>> + google.com.pr >>>>> + google.com.py >>>>> + google.com.qa >>>>> + google.com.sa >>>>> + google.com.sb >>>>> + google.com.sg >>>>> + google.com.sl >>>>> + google.com.sv >>>>> + 
google.com.tj >>>>> + google.com.tr >>>>> + google.com.tw >>>>> + google.com.ua >>>>> + google.com.uy >>>>> + google.com.vc >>>>> + google.com.vn >>>>> + google.co.mz >>>>> + google.co.nz >>>>> + google.co.th >>>>> + google.co.tz >>>>> + google.co.ug >>>>> + google.co.uk >>>>> + google.co.uz >>>>> + google.co.ve >>>>> + google.co.vi >>>>> + google.co.za >>>>> + google.co.zm >>>>> + google.co.zw >>>>> + google.cv >>>>> + google.cz >>>>> + google.de >>>>> + google.dj >>>>> + google.dk >>>>> + google.dm >>>>> + google.dz >>>>> + google.ee >>>>> + google.es >>>>> + google.fi >>>>> + google.fm >>>>> + google.fr >>>>> + google.ga >>>>> + google.ge >>>>> + google.gg >>>>> + google.gl >>>>> + google.gm >>>>> + google.gp >>>>> + google.gr >>>>> + google.gy >>>>> + google.hn >>>>> + google.hr >>>>> + google.ht >>>>> + google.hu >>>>> + google.ie >>>>> + google.im >>>>> + google.iq >>>>> + google.is >>>>> + google.it >>>>> + google.je >>>>> + google.jo >>>>> + google.kg >>>>> + google.ki >>>>> + google.kz >>>>> + google.la >>>>> + google.li >>>>> + google.lk >>>>> + google.lt >>>>> + google.lu >>>>> + google.lv >>>>> + google.md >>>>> + google.me >>>>> + google.mg >>>>> + google.mk >>>>> + google.ml >>>>> + google.mn >>>>> + google.ms >>>>> + google.mu >>>>> + google.mv >>>>> + google.mw >>>>> + google.ne >>>>> + google.nl >>>>> + google.no >>>>> + google.nr >>>>> + google.nu >>>>> + google.pl >>>>> + google.pn >>>>> + google.ps >>>>> + google.pt >>>>> + google.ro >>>>> + google.rs >>>>> + google.ru >>>>> + google.rw >>>>> + google.sc >>>>> + google.se >>>>> + google.sh >>>>> + google.si >>>>> + google.sk >>>>> + google.sm >>>>> + google.sn >>>>> + google.so >>>>> + google.sr >>>>> + google.st >>>>> + google.td >>>>> + google.tg >>>>> + google.tk >>>>> + google.tl >>>>> + google.tm >>>>> + google.tn >>>>> + google.to >>>>> + google.tt >>>>> + google.vg >>>>> + google.vu >>>>> + google.ws >>>>> +) >>>>> + >>>>> # Load optional configuration >>>>> [ -e "/etc/sysconfig/unbound" 
] && . /etc/sysconfig/unbound >>>>> >>>>> @@ -481,6 +678,21 @@ fix_time_if_dns_fail() { >>>>> fi >>>>> } >>>>> >>>>> +# Sets up Safe Search for various search engines >>>>> +setup_safe_search() { >>>>> + # Nothing to do if safe search is not enabled >>>>> + if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then >>>>> + return 0 >>>>> + fi >>>>> + >>>>> + local domain >>>>> + >>>>> + # Google >>>>> + for domain in ${GOOGLE_TLDS[@]}; do >>>>> + unbound-control local_data "${domain} CNAME forcesafesearch.google.com." >>>>> + done >>>>> +} >>>>> + >>>>> case "$1" in >>>>> start) >>>>> # Print a nicer messagen when unbound is already running >>>>> @@ -501,6 +713,9 @@ case "$1" in >>>>> # Make own hostname resolveable >>>>> own_hostname >>>>> >>>>> + # Setup Safe Search >>>>> + setup_safe_search >>>>> + >>>>> # Update any known forwarding name servers >>>>> update_forwarders >>>>> >>>>> >>>> >>> >>> >> > >
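
Review bot: `ENABLE_SAFE_SEARCH=off` in the first hunk (@@ -14,6 +14,7 @@) uses an on/off value directly under `USE_FORWARDERS=1`, which uses 1/0, and setup_safe_search() later matches only the literal string "on". A user who writes `1`, `yes` or `On` in /etc/sysconfig/unbound silently gets no safe search. Either follow the existing 1/0 convention or add a comment next to the default that states the accepted values.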
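
Review bot: The GOOGLE_TLDS array in the second hunk (@@ -21,6 +22,202 @@) hard-codes the whole list of Google country domains in the initscript, so every change to that list means shipping a new initscript; consider reading it from a separate data file. The name is also misleading, since the entries are domains such as google.de and google.co.uk rather than TLDs, and a comment naming the source of the list would help whoever has to refresh it. Because the array is defined before /etc/sysconfig/unbound is sourced it can be overridden there, which is worth documenting if it is intended.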
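
Review bot: In setup_safe_search() (@@ -481,6 +678,21 @@) the CNAME is added for the bare `${domain}` only, through one `unbound-control local_data` call per entry whose exit status is never checked. The test reports in this thread show browsers failing on www.google.de and a CNAME-only answer for duckduckgo.com, so please state which names are meant to be rewritten (apex, www, or both) and confirm that the resolver returns an address for the CNAME target. The expansion in `for domain in ${GOOGLE_TLDS[@]}` should be quoted as `"${GOOGLE_TLDS[@]}"`, and a failing unbound-control call should at least be logged rather than ignored.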
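
A check for the symptom visible in the dig output quoted in this thread (a rewritten name answered with a CNAME but no address record), as an added example that is not part of the original thread or of the IPFire initscript. The function names are hypothetical, and the two sample inputs are the ANSWER sections from the thread's dig output, trimmed.

```shell
#!/bin/sh
# classify_answer: read `dig` output on stdin and report what the ANSWER
# section contains: "address", "cname-only" or "empty".
classify_answer() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        # A blank line or the next ";;" header ends the section
        in_answer && (/^$/ || /^;;/) { in_answer = 0 }
        in_answer && $4 == "CNAME" { cname++ }
        in_answer && ($4 == "A" || $4 == "AAAA") { addr++ }
        END {
            if (addr > 0)       print "address"
            else if (cname > 0) print "cname-only"
            else                print "empty"
        }
    '
}

# check_name NAME [SERVER]: live variant, queries the local resolver.
# Not called below so that the example runs offline.
check_name() {
    dig @"${2:-127.0.0.1}" "$1" A | classify_answer
}

# Sample input: duckduckgo.com answer from the thread (trimmed).
sample_duckduckgo() {
    cat <<'EOF'
;; ANSWER SECTION:
duckduckgo.com. 3600 IN CNAME safe.duckduckgo.com.

;; Query time: 0 msec
EOF
}

# Sample input: bing.com answer from the thread (trimmed).
sample_bing() {
    cat <<'EOF'
;; ANSWER SECTION:
bing.com. 191 IN A 13.107.21.200
bing.com. 191 IN A 204.79.197.200

;; Query time: 158 msec
EOF
}

for s in sample_duckduckgo sample_bing; do
    printf '%s: %s\n' "$s" "$("$s" | classify_answer)"
done
```

A "cname-only" result for a rewritten name means the client receives no address to connect to, which matches the "Server not found" reports above.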