Hi,
There is no rewrite happening on google.com, only www.google.com.
The output looks fine.
I have decided to merge this patchset and we will ship it, but there is no way for users to activate it yet apart from manually editing the configuration file.
There must be some UI element later. That gives us some extra time to test it.
Can you apply the latest configuration and initscript from next and run tests again?
-Michael
On 3 May 2019, at 12:21, Matthias Fischer <matthias.fischer@ipfire.org> wrote:
On 03.05.2019 10:54, Michael Tremer wrote:
Hi,
Hi,
What happens when you run “dig google.com” on the console?
In browser, https://www.google.de/ gives me:
"Hmm. We’re having trouble finding that site."
'dig' results:
***SNIP***
root@ipfire: /etc/init.d # dig google.com
; <<>> DiG 9.11.6-P1 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25720
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 108 IN A 216.58.205.238
;; Query time: 418 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May 03 13:09:28 CEST 2019
;; MSG SIZE rcvd: 55
***SNAP***
***SNIP***
root@ipfire: /etc/unbound # dig bing.com
; <<>> DiG 9.11.6-P1 <<>> bing.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45651
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bing.com. IN A
;; ANSWER SECTION:
bing.com. 191 IN A 13.107.21.200
bing.com. 191 IN A 204.79.197.200
;; Query time: 158 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May 03 13:12:11 CEST 2019
;; MSG SIZE rcvd: 69
***SNAP***
***SNIP***
root@ipfire: /etc/unbound # dig duckduckgo.com
; <<>> DiG 9.11.6-P1 <<>> duckduckgo.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2573
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;duckduckgo.com. IN A
;; ANSWER SECTION:
duckduckgo.com. 3600 IN CNAME safe.duckduckgo.com.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May 03 13:13:15 CEST 2019
;; MSG SIZE rcvd: 62
***SNAP***
***SNIP***
root@ipfire: /etc/unbound # dig yandex.ru
; <<>> DiG 9.11.6-P1 <<>> yandex.ru
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43047
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;yandex.ru. IN A
;; ANSWER SECTION:
yandex.ru. 3600 IN A 213.180.193.56
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May 03 13:14:02 CEST 2019
;; MSG SIZE rcvd: 54
***SNAP***
The only site I can open in browser after restarting 'unbound' with "ENABLE_SAFE_SEARCH=on" is 'yandex.ru'. All others respond with "Server not found".
HTH, Matthias
The zones should be transparent and resolve any names that are not overlaid by the user-data.
-Michael
On 1 May 2019, at 15:11, Matthias Fischer <matthias.fischer@ipfire.org> wrote:
Hi,
Hm. Did I miss something?
Testing the Safesearch-Feature gives me:
"Hmm. We’re having trouble finding that site.
We can’t connect to the server at www.google.de."
=> I can't connect to ANY of the now "safe searching" search engines.
Only https://yandex.ru/ works...
Best, Matthias
On 30.04.2019 18:16, Michael Tremer wrote:
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
src/initscripts/system/unbound | 215 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 215 insertions(+)
diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound index fbb096e0d..4ac8331dc 100644 --- a/src/initscripts/system/unbound +++ b/src/initscripts/system/unbound @@ -14,6 +14,7 @@ TEST_DOMAIN_FAIL="dnssec-failed.org"
INSECURE_ZONES= USE_FORWARDERS=1 +ENABLE_SAFE_SEARCH=off
# Cache any local zones for 60 seconds LOCAL_TTL=60 @@ -21,6 +22,202 @@ LOCAL_TTL=60 # EDNS buffer size EDNS_DEFAULT_BUFFER_SIZE=4096
+GOOGLE_TLDS=(
- google.ad
- google.ae
- google.al
- google.am
- google.as
- google.at
- google.az
- google.ba
- google.be
- google.bf
- google.bg
- google.bi
- google.bj
- google.bs
- google.bt
- google.by
- google.ca
- google.cat
- google.cd
- google.cf
- google.cg
- google.ch
- google.ci
- google.cl
- google.cm
- google.cn
- google.co.ao
- google.co.bw
- google.co.ck
- google.co.cr
- google.co.id
- google.co.il
- google.co.in
- google.co.jp
- google.co.ke
- google.co.kr
- google.co.ls
- google.com
- google.co.ma
- google.com.af
- google.com.ag
- google.com.ai
- google.com.ar
- google.com.au
- google.com.bd
- google.com.bh
- google.com.bn
- google.com.bo
- google.com.br
- google.com.bz
- google.com.co
- google.com.cu
- google.com.cy
- google.com.do
- google.com.ec
- google.com.eg
- google.com.et
- google.com.fj
- google.com.gh
- google.com.gi
- google.com.gt
- google.com.hk
- google.com.jm
- google.com.kh
- google.com.kw
- google.com.lb
- google.com.ly
- google.com.mm
- google.com.mt
- google.com.mx
- google.com.my
- google.com.na
- google.com.nf
- google.com.ng
- google.com.ni
- google.com.np
- google.com.om
- google.com.pa
- google.com.pe
- google.com.pg
- google.com.ph
- google.com.pk
- google.com.pr
- google.com.py
- google.com.qa
- google.com.sa
- google.com.sb
- google.com.sg
- google.com.sl
- google.com.sv
- google.com.tj
- google.com.tr
- google.com.tw
- google.com.ua
- google.com.uy
- google.com.vc
- google.com.vn
- google.co.mz
- google.co.nz
- google.co.th
- google.co.tz
- google.co.ug
- google.co.uk
- google.co.uz
- google.co.ve
- google.co.vi
- google.co.za
- google.co.zm
- google.co.zw
- google.cv
- google.cz
- google.de
- google.dj
- google.dk
- google.dm
- google.dz
- google.ee
- google.es
- google.fi
- google.fm
- google.fr
- google.ga
- google.ge
- google.gg
- google.gl
- google.gm
- google.gp
- google.gr
- google.gy
- google.hn
- google.hr
- google.ht
- google.hu
- google.ie
- google.im
- google.iq
- google.is
- google.it
- google.je
- google.jo
- google.kg
- google.ki
- google.kz
- google.la
- google.li
- google.lk
- google.lt
- google.lu
- google.lv
- google.md
- google.me
- google.mg
- google.mk
- google.ml
- google.mn
- google.ms
- google.mu
- google.mv
- google.mw
- google.ne
- google.nl
- google.no
- google.nr
- google.nu
- google.pl
- google.pn
- google.ps
- google.pt
- google.ro
- google.rs
- google.ru
- google.rw
- google.sc
- google.se
- google.sh
- google.si
- google.sk
- google.sm
- google.sn
- google.so
- google.sr
- google.st
- google.td
- google.tg
- google.tk
- google.tl
- google.tm
- google.tn
- google.to
- google.tt
- google.vg
- google.vu
- google.ws
+)
# Load optional configuration [ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound
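Review bot: GOOGLE_TLDS is a long hard-coded array with no comment saying where the list came from or how to refresh it, which makes it hard to audit when a country domain is added or dropped. Please add a short source comment above `GOOGLE_TLDS=(`, or move the list into a separate data file that the initscript reads. Because the array is defined before `/etc/sysconfig/unbound` is sourced, that file can replace it wholesale; if that is intended, say so in the comment.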
@@ -481,6 +678,21 @@ fix_time_if_dns_fail() { fi }
+# Sets up Safe Search for various search engines +setup_safe_search() {
- # Nothing to do if safe search is not enabled
- if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
return 0
- fi
- local domain
- for domain in ${GOOGLE_TLDS[@]}; do
unbound-control local_data "${domain} CNAME forcesafesearch.google.com."
- done
+}
case "$1" in start) # Print a nicer messagen when unbound is already running @@ -501,6 +713,9 @@ case "$1" in # Make own hostname resolveable own_hostname
# Setup Safe Search
setup_safe_search
- # Update any known forwarding name servers update_forwarders
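Review bot: in setup_safe_search(), the loop adds the CNAME only for the bare `${domain}` and nothing for `www.${domain}`, so the name a browser actually requests may not be covered by the record; please decide which names are meant to be rewritten and add each of them explicitly. The expansion in `for domain in ${GOOGLE_TLDS[@]}` should be quoted as `"${GOOGLE_TLDS[@]}"`. The result of each `unbound-control local_data` call is also ignored, so a failed insert goes unnoticed; check the exit status and log a warning when it fails.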