Hello Michael, hello *,
just a few comments from my point of view:
For a couple of reasons, I have always been against DNS-based filtering of malware, C&C traffic (including the oh-my-god-its-so-dangerous DNS tunneling) and other possible unwanted content.
As more and more web traffic uses HTTPS today, I agree the proxy based Safe Search option does not make sense any more.
However, manipulating DNS queries - or, worse, replies - makes network debugging and troubleshooting more harder, since the presence of such techniques might not be obvious.
Talking about DNS replies, such manipulations look like an attack to DNSSEC-validating resolvers. If they are created "on purpose", detection of real attacks becomes harder. At this point, best regards to DNS based ad/tracker filters such as Pi-hole.
DNS based Safe Search can be bypassed by using a different DNS server (of course, there have to be firewall rules in place to prohibit this, which I highly recommend in any given scenario). In case internet access is granted via local Squid proxy with an upstream one, administrators need to ensure _this_ machine will also force the Safe Search domains for resolving.
Besides of that, I have no objection against this patchset.
Thanks, and best regards, Peter Müller
For some users of IPFire, it makes a lot of sense to use Safe Search.
Safe Search is a feature that some search engines provide to filter out pornography and other "adult" content from the search results. It makes sense to use this in schools or at home with smaller children.
We used to have a checkbox in URL Filter which allowed to modify the search URL which no longer works because all search engines are using HTTPS.
Some search engines provide a different way to enable Safe Search network wide by having special servers that can be contacted which always have Safe Search on. Those servers can be reached by changing the DNS response from the usual servers to those special ones.
This patchset enables this for Google, Bing, DuckDuckGo and Yandex.
These are all search engines I could find this support this.
This patchset also removes the old URL Filter option.
Please review and test. You can enable this by simply adding ENABLE_SAFE_SEARCH=on to /etc/sysconfig/unbound.
Michael Tremer (8): unbound: Add switch to enable Google Safe Search unbound: Enable Bing SafeSearch unbound: Enbale DuckDuckGo safe search unbound: Move Safe Search zone setup to configuration file unbound: Add Yandex Safe Search unbound: Fix Bing domain name for SafeSearch unbound: Fix domain name for Google Safe Search URL Filter: Drop Safe Search feature
config/unbound/unbound.conf | 3 + doc/language_issues.de | 1 + doc/language_issues.en | 1 - doc/language_issues.es | 1 + doc/language_issues.fr | 1 + doc/language_issues.it | 1 + doc/language_issues.nl | 1 + doc/language_issues.pl | 1 + doc/language_issues.ru | 1 + doc/language_issues.tr | 1 + html/cgi-bin/urlfilter.cgi | 62 ++--------- src/initscripts/system/unbound | 230 +++++++++++++++++++++++++++++++++++++++++ 12 files changed, 250 insertions(+), 54 deletions(-)