From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [RFC PATCH 1/8] unbound: Add switch to enable Google Safe Search
Date: Wed, 15 May 2019 18:57:09 +0100
Message-ID: <6862D800-8DB2-4F87-8C9B-0465C356D400@ipfire.org>
In-Reply-To: =?utf-8?q?=3C1557912652436=2E817208=2E60bbab54bd8108d5aee46bfda?=
 =?utf-8?q?b1b18772ea02224=40spica=2Etelekom=2Ede=3E?=
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5451381123379190091=="
List-Id:

--===============5451381123379190091==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Cool. Have a nice one!

> On 15 May 2019, at 10:30, fischerm42(a)t-online.de wrote:
>
> Hi,
>
> will take a look when we're back from vacation.
>
> Best,
> Matthias
>
>
> -----Original Message-----
> Subject: Re: [RFC PATCH 1/8] unbound: Add switch to enable Google Safe Search
> Date: 2019-05-13T17:47:58+0200
> From: "Michael Tremer"
> To: "Matthias Fischer"
>
> Hi,
>
> There is no rewrite happening on google.com, only www.google.com.
>
> The output looks fine.
>
> I have decided to merge this patchset and we will ship it, but there is no way for users to activate it yet apart from manually editing the configuration file.
>
> There must be some UI element later. That gives us some extra time to test it.
>
> Can you apply the latest configuration and initscript from next and run tests again?
>
> -Michael
>
>> On 3 May 2019, at 12:21, Matthias Fischer wrote:
>>
>> On 03.05.2019 10:54, Michael Tremer wrote:
>>> Hi,
>>
>> Hi,
>>
>>> What happens when you run “dig google.com” on the console?
>>
>> In browser, https://www.google.de/ gives me:
>>
>> "Hmm. We’re having trouble finding that site."
>>
>> 'dig' results:
>>
>> ***SNIP***
>> root(a)ipfire: /etc/init.d # dig google.com
>>
>> ; <<>> DiG 9.11.6-P1 <<>> google.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25720
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;google.com. IN A
>>
>> ;; ANSWER SECTION:
>> google.com. 108 IN A 216.58.205.238
>>
>> ;; Query time: 418 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Fri May 03 13:09:28 CEST 2019
>> ;; MSG SIZE rcvd: 55
>> ***SNAP***
>>
>> ***SNIP***
>> root(a)ipfire: /etc/unbound # dig bing.com
>>
>> ; <<>> DiG 9.11.6-P1 <<>> bing.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45651
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;bing.com. IN A
>>
>> ;; ANSWER SECTION:
>> bing.com. 191 IN A 13.107.21.200
>> bing.com. 191 IN A 204.79.197.200
>>
>> ;; Query time: 158 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Fri May 03 13:12:11 CEST 2019
>> ;; MSG SIZE rcvd: 69
>> ***SNAP***
>>
>> ***SNIP***
>> root(a)ipfire: /etc/unbound # dig duckduckgo.com
>>
>> ; <<>> DiG 9.11.6-P1 <<>> duckduckgo.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2573
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;duckduckgo.com. IN A
>>
>> ;; ANSWER SECTION:
>> duckduckgo.com. 3600 IN CNAME safe.duckduckgo.com.
>>
>> ;; Query time: 0 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Fri May 03 13:13:15 CEST 2019
>> ;; MSG SIZE rcvd: 62
>> ***SNAP***
>>
>> ***SNIP***
>> root(a)ipfire: /etc/unbound # dig yandex.ru
>>
>> ; <<>> DiG 9.11.6-P1 <<>> yandex.ru
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43047
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;yandex.ru. IN A
>>
>> ;; ANSWER SECTION:
>> yandex.ru. 3600 IN A 213.180.193.56
>>
>> ;; Query time: 0 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Fri May 03 13:14:02 CEST 2019
>> ;; MSG SIZE rcvd: 54
>> ***SNAP***
>>
>> The only site I can open in browser after restarting 'unbound' with
>> "ENABLE_SAFE_SEARCH=on" is 'yandex.ru'. All others respond with "Server
>> not found".
>>
>> HTH,
>> Matthias
>>
>>> The zones should be transparent and resolve any names that are not overlaid by the user-data.
>>>
>>> -Michael
>>>
>>>> On 1 May 2019, at 15:11, Matthias Fischer wrote:
>>>>
>>>> Hi,
>>>>
>>>> Hm. Did I miss something?
>>>>
>>>> Testing the Safesearch-Feature gives me:
>>>>
>>>> "Hmm. We’re having trouble finding that site.
>>>>
>>>> We can’t connect to the server at www.google.de."
>>>>
>>>> => I can't connect to ANY of the now "safe searching" search engines.
>>>>
>>>> Only https://yandex.ru/ works...
>>>>
>>>> Best,
>>>> Matthias
>>>>
>>>> On 30.04.2019 18:16, Michael Tremer wrote:
>>>>> Signed-off-by: Michael Tremer >>>>> --- >>>>> src/initscripts/system/unbound | 215 ++++++++++++++++++++++++++++++++++= +++++++ >>>>> 1 file changed, 215 insertions(+) >>>>>=20 >>>>> diff --git a/src/initscripts/system/unbound b/src/initscripts/system/un= bound >>>>> index fbb096e0d..4ac8331dc 100644 >>>>> --- a/src/initscripts/system/unbound 
>>>>> +++ b/src/initscripts/system/unbound >>>>> @@ -14,6 +14,7 @@ TEST_DOMAIN_FAIL=3D"dnssec-failed.org" >>>>>=20 >>>>> INSECURE_ZONES=3D >>>>> USE_FORWARDERS=3D1 >>>>> +ENABLE_SAFE_SEARCH=3Doff >>>>>=20 >>>>> # Cache any local zones for 60 seconds >>>>> LOCAL_TTL=3D60 
>>>>> @@ -21,6 +22,202 @@ LOCAL_TTL=3D60 >>>>> # EDNS buffer size >>>>> EDNS_DEFAULT_BUFFER_SIZE=3D4096 >>>>>=20 >>>>> +GOOGLE_TLDS=3D( >>>>> + google.ad >>>>> + google.ae >>>>> + google.al >>>>> + google.am >>>>> + google.as >>>>> + google.at >>>>> + google.az >>>>> + google.ba >>>>> + google.be >>>>> + google.bf >>>>> + google.bg >>>>> + google.bi >>>>> + google.bj >>>>> + google.bs >>>>> + google.bt >>>>> + google.by >>>>> + google.ca >>>>> + google.cat >>>>> + google.cd >>>>> + google.cf >>>>> + google.cg >>>>> + google.ch >>>>> + google.ci >>>>> + google.cl >>>>> + google.cm >>>>> + google.cn >>>>> + google.co.ao >>>>> + google.co.bw >>>>> + google.co.ck >>>>> + google.co.cr >>>>> + google.co.id >>>>> + google.co.il >>>>> + google.co.in >>>>> + google.co.jp >>>>> + google.co.ke >>>>> + google.co.kr >>>>> + google.co.ls >>>>> + google.com >>>>> + google.co.ma >>>>> + google.com.af >>>>> + google.com.ag >>>>> + google.com.ai >>>>> + google.com.ar >>>>> + google.com.au >>>>> + google.com.bd >>>>> + google.com.bh >>>>> + google.com.bn >>>>> + google.com.bo >>>>> + google.com.br >>>>> + google.com.bz >>>>> + google.com.co >>>>> + google.com.cu >>>>> + google.com.cy >>>>> + google.com.do >>>>> + google.com.ec >>>>> + google.com.eg >>>>> + google.com.et >>>>> + google.com.fj >>>>> + google.com.gh >>>>> + google.com.gi >>>>> + google.com.gt >>>>> + google.com.hk >>>>> + google.com.jm >>>>> + google.com.kh >>>>> + google.com.kw >>>>> + google.com.lb >>>>> + google.com.ly >>>>> + google.com.mm >>>>> + google.com.mt >>>>> + google.com.mx >>>>> + google.com.my >>>>> + google.com.na >>>>> + google.com.nf >>>>> + google.com.ng >>>>> + google.com.ni >>>>> + google.com.np >>>>> + google.com.om >>>>> + google.com.pa >>>>> + google.com.pe >>>>> + google.com.pg >>>>> + google.com.ph >>>>> + google.com.pk >>>>> + google.com.pr >>>>> + google.com.py >>>>> + google.com.qa >>>>> + google.com.sa >>>>> + google.com.sb >>>>> + google.com.sg >>>>> + google.com.sl >>>>> + google.com.sv 
>>>>> + google.com.tj >>>>> + google.com.tr >>>>> + google.com.tw >>>>> + google.com.ua >>>>> + google.com.uy >>>>> + google.com.vc >>>>> + google.com.vn >>>>> + google.co.mz >>>>> + google.co.nz >>>>> + google.co.th >>>>> + google.co.tz >>>>> + google.co.ug >>>>> + google.co.uk >>>>> + google.co.uz >>>>> + google.co.ve >>>>> + google.co.vi >>>>> + google.co.za >>>>> + google.co.zm >>>>> + google.co.zw >>>>> + google.cv >>>>> + google.cz >>>>> + google.de >>>>> + google.dj >>>>> + google.dk >>>>> + google.dm >>>>> + google.dz >>>>> + google.ee >>>>> + google.es >>>>> + google.fi >>>>> + google.fm >>>>> + google.fr >>>>> + google.ga >>>>> + google.ge >>>>> + google.gg >>>>> + google.gl >>>>> + google.gm >>>>> + google.gp >>>>> + google.gr >>>>> + google.gy >>>>> + google.hn >>>>> + google.hr >>>>> + google.ht >>>>> + google.hu >>>>> + google.ie >>>>> + google.im >>>>> + google.iq >>>>> + google.is >>>>> + google.it >>>>> + google.je >>>>> + google.jo >>>>> + google.kg >>>>> + google.ki >>>>> + google.kz >>>>> + google.la >>>>> + google.li >>>>> + google.lk >>>>> + google.lt >>>>> + google.lu >>>>> + google.lv >>>>> + google.md >>>>> + google.me >>>>> + google.mg >>>>> + google.mk >>>>> + google.ml >>>>> + google.mn >>>>> + google.ms >>>>> + google.mu >>>>> + google.mv >>>>> + google.mw >>>>> + google.ne >>>>> + google.nl >>>>> + google.no >>>>> + google.nr >>>>> + google.nu >>>>> + google.pl >>>>> + google.pn >>>>> + google.ps >>>>> + google.pt >>>>> + google.ro >>>>> + google.rs >>>>> + google.ru >>>>> + google.rw >>>>> + google.sc >>>>> + google.se >>>>> + google.sh >>>>> + google.si >>>>> + google.sk >>>>> + google.sm >>>>> + google.sn >>>>> + google.so >>>>> + google.sr >>>>> + google.st >>>>> + google.td >>>>> + google.tg >>>>> + google.tk >>>>> + google.tl >>>>> + google.tm >>>>> + google.tn >>>>> + google.to >>>>> + google.tt >>>>> + google.vg >>>>> + google.vu >>>>> + google.ws >>>>> +) >>>>> + >>>>> # Load optional configuration >>>>> [ -e 
"/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound >>>>>=20 >>>>> @@ -481,6 +678,21 @@ fix_time_if_dns_fail() { >>>>> fi >>>>> } >>>>>=20 >>>>> +# Sets up Safe Search for various search engines >>>>> +setup_safe_search() { >>>>> + # Nothing to do if safe search is not enabled >>>>> + if [ "${ENABLE_SAFE_SEARCH}" !=3D "on" ]; then >>>>> + return 0 >>>>> + fi >>>>> + >>>>> + local domain >>>>> + >>>>> + # Google >>>>> + for domain in ${GOOGLE_TLDS[@]}; do >>>>> + unbound-control local_data "${domain} CNAME forcesafesearch.google.c= om." >>>>> + done >>>>> +} >>>>> + >>>>> case "$1" in >>>>> start) >>>>> # Print a nicer messagen when unbound is already running >>>>> @@ -501,6 +713,9 @@ case "$1" in >>>>> # Make own hostname resolveable >>>>> own_hostname >>>>>=20 >>>>> + # Setup Safe Search >>>>> + setup_safe_search >>>>> + >>>>> # Update any known forwarding name servers >>>>> update_forwarders >>>>>=20 >>>>>=20 >>>>=20 >>>=20 >>>=20 >>=20 >=20 > =EF=BB=BF --===============5451381123379190091==--