Re: [RFC PATCH 0/8] Provide an easy way to use Safe Search

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 4956 bytes --]

Hello,

Thanks for writing. I think this is a very important opinion to have on the record.

I share your view.

> On 30 Apr 2019, at 18:52, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Hello Michael, hello *,
> 
> just a few comments from my point of view:
> 
> For a couple of reasons, I have always been against DNS-based
> filtering of malware, C&C traffic (including the oh-my-god-its-so-dangerous
> DNS tunneling) and other possible unwanted content.
> 
> As more and more web traffic uses HTTPS today, I agree the
> proxy based Safe Search option does not make sense any more.
> 
> However, manipulating DNS queries - or, worse, replies - makes
> network debugging and troubleshooting more harder, since the
> presence of such techniques might not be obvious.

It is transparent for the client in that sense that the client sees the CNAME (for those who use it) and therefore would see “safe” or so in the name.

But if you are on the web browser level then you don’t really see this at all. Agreed.

> Talking about DNS replies, such manipulations look like an attack
> to DNSSEC-validating resolvers. If they are created "on purpose",
> detection of real attacks becomes harder. At this point, best
> regards to DNS based ad/tracker filters such as Pi-hole.

The search engines are all not using DNSSEC and presumably never will because they are employing this sort of techniques. However, I have no better idea how to force Safe Search on a network level.

> DNS based Safe Search can be bypassed by using a different DNS
> server (of course, there have to be firewall rules in place to
> prohibit this, which I highly recommend in any given scenario).
> In case internet access is granted via local Squid proxy with an
> upstream one, administrators need to ensure _this_ machine will
> also force the Safe Search domains for resolving.

The idea to work on this came from a customer which is running a school network. Access to the internet is prohibited for most devices and no access is possible without going through the web proxy - at least for students.

Of course this needs some good documentation and a button on the web UI.

> Besides of that, I have no objection against this patchset.

Although I also disagree with this approach in that sense that it will break DNSSEC, this works according to the “old” DNS protocol.

This is also better than the HTTP request rewrite approach as it protects the privacy of the search queries.

All in all, Safe Search is a necessity for schools. There is no other way to do this and for this is not too ugly.

Please don’t forget to use Git tags.

Best,
-Michael

> Thanks, and best regards,
> Peter Müller
> 
>> For some users of IPFire, it makes a lot of sense to use Safe Search.
>> 
>> Safe Search is a feature that some search engines provide to filter out
>> pornography and other "adult" content from the search results. It makes
>> sense to use this in schools or at home with smaller children.
>> 
>> We used to have a checkbox in URL Filter which allowed to modify the
>> search URL which no longer works because all search engines are using
>> HTTPS.
>> 
>> Some search engines provide a different way to enable Safe Search
>> network wide by having special servers that can be contacted which
>> always have Safe Search on. Those servers can be reached by changing
>> the DNS response from the usual servers to those special ones.
>> 
>> This patchset enables this for Google, Bing, DuckDuckGo and Yandex.
>> 
>> These are all search engines I could find this support this.
>> 
>> This patchset also removes the old URL Filter option.
>> 
>> Please review and test. You can enable this by simply adding
>> ENABLE_SAFE_SEARCH=on to /etc/sysconfig/unbound.
>> 
>> Michael Tremer (8):
>>  unbound: Add switch to enable Google Safe Search
>>  unbound: Enable Bing SafeSearch
>>  unbound: Enbale DuckDuckGo safe search
>>  unbound: Move Safe Search zone setup to configuration file
>>  unbound: Add Yandex Safe Search
>>  unbound: Fix Bing domain name for SafeSearch
>>  unbound: Fix domain name for Google Safe Search
>>  URL Filter: Drop Safe Search feature
>> 
>> config/unbound/unbound.conf    |   3 +
>> doc/language_issues.de         |   1 +
>> doc/language_issues.en         |   1 -
>> doc/language_issues.es         |   1 +
>> doc/language_issues.fr         |   1 +
>> doc/language_issues.it         |   1 +
>> doc/language_issues.nl         |   1 +
>> doc/language_issues.pl         |   1 +
>> doc/language_issues.ru         |   1 +
>> doc/language_issues.tr         |   1 +
>> html/cgi-bin/urlfilter.cgi     |  62 ++---------
>> src/initscripts/system/unbound | 230 +++++++++++++++++++++++++++++++++++++++++
>> 12 files changed, 250 insertions(+), 54 deletions(-)
>> 
> 
> -- 
> The road to Hades is easy to travel.
> 	-- Bion of Borysthenes