For some users of IPFire, it makes a lot of sense to use Safe Search.
Safe Search is a feature that some search engines provide to filter out pornography and other "adult" content from the search results. It makes sense to use this in schools or at home with smaller children.
We used to have a checkbox in URL Filter which allowed modifying the search URL, which no longer works because all search engines are using HTTPS.
Some search engines provide a different way to enable Safe Search network wide by having special servers that can be contacted which always have Safe Search on. Those servers can be reached by changing the DNS response from the usual servers to those special ones.
This patchset enables this for Google, Bing, DuckDuckGo and Yandex.
These are all search engines I could find that support this.
This patchset also removes the old URL Filter option.
Please review and test. You can enable this by simply adding ENABLE_SAFE_SEARCH=on to /etc/sysconfig/unbound.
Michael Tremer (8):
  unbound: Add switch to enable Google Safe Search
  unbound: Enable Bing SafeSearch
  unbound: Enbale DuckDuckGo safe search
  unbound: Move Safe Search zone setup to configuration file
  unbound: Add Yandex Safe Search
  unbound: Fix Bing domain name for SafeSearch
  unbound: Fix domain name for Google Safe Search
  URL Filter: Drop Safe Search feature

 config/unbound/unbound.conf    |   3 +
 doc/language_issues.de         |   1 +
 doc/language_issues.en         |   1 -
 doc/language_issues.es         |   1 +
 doc/language_issues.fr         |   1 +
 doc/language_issues.it         |   1 +
 doc/language_issues.nl         |   1 +
 doc/language_issues.pl         |   1 +
 doc/language_issues.ru         |   1 +
 doc/language_issues.tr         |   1 +
 html/cgi-bin/urlfilter.cgi     |  62 ++--------
 src/initscripts/system/unbound | 230 +++++++++++++++++++++++++++++++++++++++++
 12 files changed, 250 insertions(+), 54 deletions(-)
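The mechanism described above (answering queries for the search engines' hostnames with the engines' own "always safe" hosts) as a small, self-contained bash example. This is an added example, not code from the patch series or from IPFire's unbound initscript: it generates an unbound `server:` overlay of transparent local zones with properly quoted `local-data:` values, lints the result for the quoting mistake that an unescaped echo produces, and checks a `dig +noall +answer` style answer section the way a tester would after enabling the feature. The Google TLD list is shortened to three entries, `SAMPLE_ANSWER` is a constructed answer section (the A record address is from the TEST-NET range, not Google's), and `emit_zone`, `lint_conf` and `check_cname` are hypothetical helper names chosen for this example. The Yandex address is the one used by the patch in this thread.

```bash
#!/bin/bash
# Added example (not IPFire's initscript): build an unbound safe-search
# overlay, lint it, and verify a resolver answer against it.

# Constructed, shortened list; the real script carries ~190 Google ccTLDs.
GOOGLE_TLDS=(google.com google.de google.co.uk)

# Emit one transparent local zone followed by its override record(s).
# The value of local-data: must be double-quoted for unbound to parse it,
# so the quotes are part of the printf format, not of the shell string.
emit_zone() {
    local zone="$1"; shift
    printf '  local-zone: %s transparent\n' "$zone"
    local rr
    for rr in "$@"; do
        printf '  local-data: "%s"\n' "$rr"
    done
}

# Print the complete safe-search overlay to stdout (redirect it into the
# file that unbound.conf includes). Prints nothing when disabled, so an
# unconditional "include:" still points at a valid, empty file.
write_safe_search_conf() {
    local enabled="${1:-off}"
    [ "$enabled" = "on" ] || return 0
    echo "server:"
    # The overrides go on the www host users actually connect to.
    emit_zone bing.com       "www.bing.com CNAME strict.bing.com."
    emit_zone duckduckgo.com "duckduckgo.com CNAME safe.duckduckgo.com."
    local domain
    for domain in "${GOOGLE_TLDS[@]}"; do
        emit_zone "$domain" "www.${domain} CNAME forcesafesearch.google.com."
    done
    # Yandex publishes a fixed address instead of a CNAME target.
    emit_zone yandex.ru "yandex.ru A 213.180.193.56"
}

# Lint a generated overlay read from stdin: fail if any local-data line
# lacks the quoted value (the symptom of echo "... "inner" ..." quoting).
lint_conf() {
    if grep -E '^[[:space:]]*local-data:' \
        | grep -vqE '^[[:space:]]*local-data: "[^"]+"$'; then
        return 1
    fi
    return 0
}

# Constructed answer section in the shape `dig +noall +answer www.google.de`
# prints through a resolver carrying the overlay above.
SAMPLE_ANSWER='www.google.de.	0	IN	CNAME	forcesafesearch.google.com.
forcesafesearch.google.com.	300	IN	A	203.0.113.10'

# Check an answer section read from stdin: succeed only if NAME is
# answered with a CNAME to TARGET (the post-deployment test for the feature).
# Usage: check_cname NAME TARGET < answer.txt
check_cname() {
    local name="$1" target="$2" line
    while read -r line; do
        # dig fields: owner, ttl, class, type, rdata
        set -- $line
        [ "$1" = "${name}." ] && [ "$4" = "CNAME" ] && [ "$5" = "$target" ] && return 0
    done
    return 1
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    # Typical use: write_safe_search_conf "$ENABLE_SAFE_SEARCH" > /etc/unbound/safe-search.conf
    write_safe_search_conf on
fi
```

After writing the file, `unbound-checkconf` is the authoritative check that the overlay parses; `lint_conf` only catches the quoting slip without needing unbound installed, and `check_cname` gives the same "is the redirection in place" answer that `dig www.google.de` gives on the console.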
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/unbound | 215 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 215 insertions(+)
diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound index fbb096e0d..4ac8331dc 100644 --- a/src/initscripts/system/unbound +++ b/src/initscripts/system/unbound @@ -14,6 +14,7 @@ TEST_DOMAIN_FAIL="dnssec-failed.org"
INSECURE_ZONES= USE_FORWARDERS=1 +ENABLE_SAFE_SEARCH=off
# Cache any local zones for 60 seconds LOCAL_TTL=60 @@ -21,6 +22,202 @@ LOCAL_TTL=60 # EDNS buffer size EDNS_DEFAULT_BUFFER_SIZE=4096
+GOOGLE_TLDS=( + google.ad + google.ae + google.al + google.am + google.as + google.at + google.az + google.ba + google.be + google.bf + google.bg + google.bi + google.bj + google.bs + google.bt + google.by + google.ca + google.cat + google.cd + google.cf + google.cg + google.ch + google.ci + google.cl + google.cm + google.cn + google.co.ao + google.co.bw + google.co.ck + google.co.cr + google.co.id + google.co.il + google.co.in + google.co.jp + google.co.ke + google.co.kr + google.co.ls + google.com + google.co.ma + google.com.af + google.com.ag + google.com.ai + google.com.ar + google.com.au + google.com.bd + google.com.bh + google.com.bn + google.com.bo + google.com.br + google.com.bz + google.com.co + google.com.cu + google.com.cy + google.com.do + google.com.ec + google.com.eg + google.com.et + google.com.fj + google.com.gh + google.com.gi + google.com.gt + google.com.hk + google.com.jm + google.com.kh + google.com.kw + google.com.lb + google.com.ly + google.com.mm + google.com.mt + google.com.mx + google.com.my + google.com.na + google.com.nf + google.com.ng + google.com.ni + google.com.np + google.com.om + google.com.pa + google.com.pe + google.com.pg + google.com.ph + google.com.pk + google.com.pr + google.com.py + google.com.qa + google.com.sa + google.com.sb + google.com.sg + google.com.sl + google.com.sv + google.com.tj + google.com.tr + google.com.tw + google.com.ua + google.com.uy + google.com.vc + google.com.vn + google.co.mz + google.co.nz + google.co.th + google.co.tz + google.co.ug + google.co.uk + google.co.uz + google.co.ve + google.co.vi + google.co.za + google.co.zm + google.co.zw + google.cv + google.cz + google.de + google.dj + google.dk + google.dm + google.dz + google.ee + google.es + google.fi + google.fm + google.fr + google.ga + google.ge + google.gg + google.gl + google.gm + google.gp + google.gr + google.gy + google.hn + google.hr + google.ht + google.hu + google.ie + google.im + google.iq + google.is + google.it + google.je + 
google.jo + google.kg + google.ki + google.kz + google.la + google.li + google.lk + google.lt + google.lu + google.lv + google.md + google.me + google.mg + google.mk + google.ml + google.mn + google.ms + google.mu + google.mv + google.mw + google.ne + google.nl + google.no + google.nr + google.nu + google.pl + google.pn + google.ps + google.pt + google.ro + google.rs + google.ru + google.rw + google.sc + google.se + google.sh + google.si + google.sk + google.sm + google.sn + google.so + google.sr + google.st + google.td + google.tg + google.tk + google.tl + google.tm + google.tn + google.to + google.tt + google.vg + google.vu + google.ws +) + # Load optional configuration [ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound
@@ -481,6 +678,21 @@ fix_time_if_dns_fail() { fi }
+# Sets up Safe Search for various search engines +setup_safe_search() { + # Nothing to do if safe search is not enabled + if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then + return 0 + fi + + local domain + + # Google + for domain in ${GOOGLE_TLDS[@]}; do + unbound-control local_data "${domain} CNAME forcesafesearch.google.com." + done +} + case "$1" in start) # Print a nicer messagen when unbound is already running @@ -501,6 +713,9 @@ case "$1" in # Make own hostname resolveable own_hostname
+ # Setup Safe Search + setup_safe_search + # Update any known forwarding name servers update_forwarders
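Review bot: In the `setup_safe_search` hunk the CNAME is placed on the bare `${domain}` (`google.de CNAME forcesafesearch.google.com.`), but the host a browser connects to is `www.google.de`, which gets no local data in this transparent zone and is resolved unchanged; the documented forcesafesearch setup maps the www host, so the record should be `www.${domain} CNAME forcesafesearch.google.com.`. While there, quote the expansion as `"${GOOGLE_TLDS[@]}"` in the loop.

Review bot: In the `start)` hunk the records are injected with `unbound-control local_data` after unbound is up, so they live only in the running process: they disappear on `unbound-control reload` or any restart that does not go through this script, and nothing withdraws them if ENABLE_SAFE_SEARCH is later switched off while unbound keeps running. Writing the zones into a configuration file that unbound.conf includes, as is already done for the forward zones, would make the state reproducible and checkable with `unbound-checkconf`.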
Hi,
Hm. Did I miss something?
Testing the Safesearch-Feature gives me:
"Hmm. We’re having trouble finding that site.
We can’t connect to the server at www.google.de."
=> I can't connect to ANY of the now "safe searching" search engines.
Only https://yandex.ru/ works...
Best, Matthias
On 30.04.2019 18:16, Michael Tremer wrote:
Hi,
What happens when you run “dig google.com” on the console?
The zones should be transparent and resolve any names that are not overlaid by the user-data.
-Michael
On 1 May 2019, at 15:11, Matthias Fischer matthias.fischer@ipfire.org wrote:
Hi,
Hm. Did I miss something?
Testing the Safesearch-Feature gives me:
"Hmm. We’re having trouble finding that site.
We can’t connect to the server at www.google.de."
=> I can't connect to ANY of the now "safe searching" search engines.
Only https://yandex.ru/ works...
Best, Matthias
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/unbound | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound index 4ac8331dc..3b4da1dff 100644 --- a/src/initscripts/system/unbound +++ b/src/initscripts/system/unbound @@ -687,6 +687,9 @@ setup_safe_search() {
local domain
+ # Bing + unbound-control local_data "bind.com CNAME strict.bing.com." + # Google for domain in ${GOOGLE_TLDS[@]}; do unbound-control local_data "${domain} CNAME forcesafesearch.google.com."
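Review bot: `bind.com` is a typo for `bing.com`; as written the override is attached to an unrelated domain and Bing itself is left unfiltered. The same apex-versus-www point applies as for Google: the host clients reach is `www.bing.com`, so the record should read `www.bing.com CNAME strict.bing.com.`.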
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/unbound | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound index 3b4da1dff..41117904f 100644 --- a/src/initscripts/system/unbound +++ b/src/initscripts/system/unbound @@ -690,6 +690,9 @@ setup_safe_search() { # Bing unbound-control local_data "bind.com CNAME strict.bing.com."
+ # DuckDuckGo + unbound-control local_data "duckduckgo.com CNAME safe.duckduckgo.com." + # Google for domain in ${GOOGLE_TLDS[@]}; do unbound-control local_data "${domain} CNAME forcesafesearch.google.com."
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/unbound/unbound.conf | 3 + src/initscripts/system/unbound | 431 +++++++++++++++++++++-------------------- 2 files changed, 221 insertions(+), 213 deletions(-)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index e20c3330d..4d492a5bc 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -81,6 +81,9 @@ server: # Include any forward zones include: "/etc/unbound/forward.conf"
+ # Include safe search settings + include: "/etc/unbound/safe-search.conf" + remote-control: control-enable: yes control-use-cert: no diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound index 41117904f..951fda7ab 100644 --- a/src/initscripts/system/unbound +++ b/src/initscripts/system/unbound @@ -22,202 +22,6 @@ LOCAL_TTL=60 # EDNS buffer size EDNS_DEFAULT_BUFFER_SIZE=4096
-GOOGLE_TLDS=( - google.ad - google.ae - google.al - google.am - google.as - google.at - google.az - google.ba - google.be - google.bf - google.bg - google.bi - google.bj - google.bs - google.bt - google.by - google.ca - google.cat - google.cd - google.cf - google.cg - google.ch - google.ci - google.cl - google.cm - google.cn - google.co.ao - google.co.bw - google.co.ck - google.co.cr - google.co.id - google.co.il - google.co.in - google.co.jp - google.co.ke - google.co.kr - google.co.ls - google.com - google.co.ma - google.com.af - google.com.ag - google.com.ai - google.com.ar - google.com.au - google.com.bd - google.com.bh - google.com.bn - google.com.bo - google.com.br - google.com.bz - google.com.co - google.com.cu - google.com.cy - google.com.do - google.com.ec - google.com.eg - google.com.et - google.com.fj - google.com.gh - google.com.gi - google.com.gt - google.com.hk - google.com.jm - google.com.kh - google.com.kw - google.com.lb - google.com.ly - google.com.mm - google.com.mt - google.com.mx - google.com.my - google.com.na - google.com.nf - google.com.ng - google.com.ni - google.com.np - google.com.om - google.com.pa - google.com.pe - google.com.pg - google.com.ph - google.com.pk - google.com.pr - google.com.py - google.com.qa - google.com.sa - google.com.sb - google.com.sg - google.com.sl - google.com.sv - google.com.tj - google.com.tr - google.com.tw - google.com.ua - google.com.uy - google.com.vc - google.com.vn - google.co.mz - google.co.nz - google.co.th - google.co.tz - google.co.ug - google.co.uk - google.co.uz - google.co.ve - google.co.vi - google.co.za - google.co.zm - google.co.zw - google.cv - google.cz - google.de - google.dj - google.dk - google.dm - google.dz - google.ee - google.es - google.fi - google.fm - google.fr - google.ga - google.ge - google.gg - google.gl - google.gm - google.gp - google.gr - google.gy - google.hn - google.hr - google.ht - google.hu - google.ie - google.im - google.iq - google.is - google.it - google.je - 
google.jo - google.kg - google.ki - google.kz - google.la - google.li - google.lk - google.lt - google.lu - google.lv - google.md - google.me - google.mg - google.mk - google.ml - google.mn - google.ms - google.mu - google.mv - google.mw - google.ne - google.nl - google.no - google.nr - google.nu - google.pl - google.pn - google.ps - google.pt - google.ro - google.rs - google.ru - google.rw - google.sc - google.se - google.sh - google.si - google.sk - google.sm - google.sn - google.so - google.sr - google.st - google.td - google.tg - google.tk - google.tl - google.tm - google.tn - google.to - google.tt - google.vg - google.vu - google.ws -) - # Load optional configuration [ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound
@@ -679,24 +483,227 @@ fix_time_if_dns_fail() { }
# Sets up Safe Search for various search engines -setup_safe_search() { - # Nothing to do if safe search is not enabled - if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then - return 0 - fi +write_safe_search_conf() { + local google_tlds=( + google.ad + google.ae + google.al + google.am + google.as + google.at + google.az + google.ba + google.be + google.bf + google.bg + google.bi + google.bj + google.bs + google.bt + google.by + google.ca + google.cat + google.cd + google.cf + google.cg + google.ch + google.ci + google.cl + google.cm + google.cn + google.co.ao + google.co.bw + google.co.ck + google.co.cr + google.co.id + google.co.il + google.co.in + google.co.jp + google.co.ke + google.co.kr + google.co.ls + google.com + google.co.ma + google.com.af + google.com.ag + google.com.ai + google.com.ar + google.com.au + google.com.bd + google.com.bh + google.com.bn + google.com.bo + google.com.br + google.com.bz + google.com.co + google.com.cu + google.com.cy + google.com.do + google.com.ec + google.com.eg + google.com.et + google.com.fj + google.com.gh + google.com.gi + google.com.gt + google.com.hk + google.com.jm + google.com.kh + google.com.kw + google.com.lb + google.com.ly + google.com.mm + google.com.mt + google.com.mx + google.com.my + google.com.na + google.com.nf + google.com.ng + google.com.ni + google.com.np + google.com.om + google.com.pa + google.com.pe + google.com.pg + google.com.ph + google.com.pk + google.com.pr + google.com.py + google.com.qa + google.com.sa + google.com.sb + google.com.sg + google.com.sl + google.com.sv + google.com.tj + google.com.tr + google.com.tw + google.com.ua + google.com.uy + google.com.vc + google.com.vn + google.co.mz + google.co.nz + google.co.th + google.co.tz + google.co.ug + google.co.uk + google.co.uz + google.co.ve + google.co.vi + google.co.za + google.co.zm + google.co.zw + google.cv + google.cz + google.de + google.dj + google.dk + google.dm + google.dz + google.ee + google.es + google.fi + google.fm + google.fr + 
google.ga + google.ge + google.gg + google.gl + google.gm + google.gp + google.gr + google.gy + google.hn + google.hr + google.ht + google.hu + google.ie + google.im + google.iq + google.is + google.it + google.je + google.jo + google.kg + google.ki + google.kz + google.la + google.li + google.lk + google.lt + google.lu + google.lv + google.md + google.me + google.mg + google.mk + google.ml + google.mn + google.ms + google.mu + google.mv + google.mw + google.ne + google.nl + google.no + google.nr + google.nu + google.pl + google.pn + google.ps + google.pt + google.ro + google.rs + google.ru + google.rw + google.sc + google.se + google.sh + google.si + google.sk + google.sm + google.sn + google.so + google.sr + google.st + google.td + google.tg + google.tk + google.tl + google.tm + google.tn + google.to + google.tt + google.vg + google.vu + google.ws + ) + + ( + # Nothing to do if safe search is not enabled + if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then + exit 0 + fi
- local domain + # This all belongs into the server: section + echo "server:"
- # Bing - unbound-control local_data "bind.com CNAME strict.bing.com." + # Bing + echo " local-zone: bing.com transparent" + echo " local-data: "bing.com CNAME strict.bing.com.""
- # DuckDuckGo - unbound-control local_data "duckduckgo.com CNAME safe.duckduckgo.com." + # DuckDuckGo + echo " local-zone: duckduckgo.com transparent" + echo " local-data: "duckduckgo.com CNAME safe.duckduckgo.com.""
- # Google - for domain in ${GOOGLE_TLDS[@]}; do - unbound-control local_data "${domain} CNAME forcesafesearch.google.com." - done + # Google + local domain + for domain in ${google_tlds[@]}; do + echo " local-zone: ${domain} transparent" + echo " local-data: "${domain} CNAME forcesafesearch.google.com."" + done + ) > /etc/unbound/safe-search.conf }
case "$1" in @@ -712,6 +719,7 @@ case "$1" in # Update configuration files write_tuning_conf write_forward_conf + write_safe_search_conf
boot_mesg "Starting Unbound DNS Proxy..." loadproc /usr/sbin/unbound || exit $? @@ -719,9 +727,6 @@ case "$1" in # Make own hostname resolveable own_hostname
- # Setup Safe Search - setup_safe_search - # Update any known forwarding name servers update_forwarders
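Review bot: In the unbound.conf hunk the new `include: "/etc/unbound/safe-search.conf"` is unconditional, and unbound treats a missing include file as a configuration error. `write_safe_search_conf` creates the file on every `start`, which covers the normal path, but the update that ships this unbound.conf should create the file (empty is fine) before unbound is restarted or `unbound-checkconf` is run, otherwise the first check after the upgrade fails.

Review bot: In the `write_safe_search_conf` hunk the lines of the form `echo " local-data: "bing.com CNAME strict.bing.com.""` carry unescaped inner double quotes as displayed here. Unless the backslashes were lost in the mail archive, the shell concatenates the pieces and the file receives `local-data: bing.com CNAME strict.bing.com.` without the quotes that unbound's `local-data:` syntax requires, so the generated file is rejected. Write them as `echo "  local-data: \"bing.com CNAME strict.bing.com.\""` (or use printf), and consider running `unbound-checkconf` on the result before `loadproc`. The `exit 0` inside the subshell correctly leaves an empty file when the feature is off; quoting `"${google_tlds[@]}"` in the loop would also be safer.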
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/unbound | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound index 951fda7ab..388b65c03 100644 --- a/src/initscripts/system/unbound +++ b/src/initscripts/system/unbound @@ -703,6 +703,10 @@ write_safe_search_conf() { echo " local-zone: ${domain} transparent" echo " local-data: "${domain} CNAME forcesafesearch.google.com."" done + + # Yandex + echo " local-zone: yandex.ru transparent" + echo " local-data: "yandex.ru A 213.180.193.56"" ) > /etc/unbound/safe-search.conf }
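Review bot: This hunk pins `yandex.ru` to a single hard-coded IPv4 address rather than a CNAME like the other engines, so if that address ever changes the override silently breaks the site instead of degrading to an unfiltered one, and there is no IPv6 counterpart. A comment giving the source of the address and the reason a CNAME is not used would help whoever maintains this later.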
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/unbound | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound index 388b65c03..318656b80 100644 --- a/src/initscripts/system/unbound +++ b/src/initscripts/system/unbound @@ -691,7 +691,7 @@ write_safe_search_conf() {
# Bing echo " local-zone: bing.com transparent" - echo " local-data: "bing.com CNAME strict.bing.com."" + echo " local-data: "www.bing.com CNAME strict.bing.com.""
# DuckDuckGo echo " local-zone: duckduckgo.com transparent"
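Review bot: This hunk fixes two things at once, the `bind.com` typo and the move from the apex to `www.bing.com`, but the subject line only mentions the domain name; the commit message should say both. The unchanged `local-zone: bing.com transparent` line above it is still right, since `www.bing.com` lies inside that zone; note that the bare `bing.com` now resolves normally and only `www.bing.com` is redirected.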
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/unbound | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound index 318656b80..3e372ff65 100644 --- a/src/initscripts/system/unbound +++ b/src/initscripts/system/unbound @@ -701,7 +701,7 @@ write_safe_search_conf() { local domain for domain in ${google_tlds[@]}; do echo " local-zone: ${domain} transparent" - echo " local-data: "${domain} CNAME forcesafesearch.google.com."" + echo " local-data: "www.${domain} CNAME forcesafesearch.google.com."" done
# Yandex
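Review bot: Moving the Google record to `www.${domain}` matches the test report earlier in the thread that `www.google.de` failed with the apex CNAME; the zone is still declared at `${domain}`, so the bare name keeps resolving normally and only the www host is redirected. The change has the same shape as the Bing fix one patch earlier and could be squashed with it; with about 190 zones generated it is worth adding `unbound-checkconf` to the test notes.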
This has not been working for quite some time now because all search engines have moved over to HTTPS. Therefore we can no longer manipulate the URL query string.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- doc/language_issues.de | 1 + doc/language_issues.en | 1 - doc/language_issues.es | 1 + doc/language_issues.fr | 1 + doc/language_issues.it | 1 + doc/language_issues.nl | 1 + doc/language_issues.pl | 1 + doc/language_issues.ru | 1 + doc/language_issues.tr | 1 + html/cgi-bin/urlfilter.cgi | 62 +++++++--------------------------------------- 10 files changed, 17 insertions(+), 54 deletions(-)
diff --git a/doc/language_issues.de b/doc/language_issues.de index 5f7bf7b5f..05be63aa9 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -706,6 +706,7 @@ WARNING: translation string unused: uptime and users WARNING: translation string unused: urlfilter background image WARNING: translation string unused: urlfilter background text WARNING: translation string unused: urlfilter enable jpeg +WARNING: translation string unused: urlfilter safesearch WARNING: translation string unused: urlfilter update information WARNING: translation string unused: urlfilter update notification WARNING: translation string unused: urlfilter update results diff --git a/doc/language_issues.en b/doc/language_issues.en index 498bf4078..7ba4d1d24 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -1995,7 +1995,6 @@ WARNING: untranslated string: urlfilter restore results = Restore results WARNING: untranslated string: urlfilter restore settings = Restore URL filter settings WARNING: untranslated string: urlfilter restore success = URL filter configuration has been restored. The URL filter must be restarted to activate the new settings. WARNING: untranslated string: urlfilter restore text = To restore a previously saved configuration upload the .tar.gz backup file below -WARNING: untranslated string: urlfilter safesearch = Enable SafeSearch WARNING: untranslated string: urlfilter sat = S WARNING: untranslated string: urlfilter saturday = Sat WARNING: untranslated string: urlfilter save and restart = Save and Restart diff --git a/doc/language_issues.es b/doc/language_issues.es index f3b695f24..220211cf8 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es 
@@ -631,6 +631,7 @@ WARNING: translation string unused: uptime and users WARNING: translation string unused: urlfilter background image WARNING: translation string unused: urlfilter background text WARNING: translation string unused: urlfilter enable jpeg +WARNING: translation string unused: urlfilter safesearch WARNING: translation string unused: urlfilter update information WARNING: translation string unused: urlfilter update notification WARNING: translation string unused: urlfilter update results diff --git a/doc/language_issues.fr b/doc/language_issues.fr index af1f15ab7..d1386349a 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -747,6 +747,7 @@ WARNING: translation string unused: uptime and users WARNING: translation string unused: urlfilter background image WARNING: translation string unused: urlfilter background text WARNING: translation string unused: urlfilter enable jpeg +WARNING: translation string unused: urlfilter safesearch WARNING: translation string unused: urlfilter update information WARNING: translation string unused: urlfilter update notification WARNING: translation string unused: urlfilter update results diff --git a/doc/language_issues.it b/doc/language_issues.it index 5da8a8dd7..10633c2ec 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -720,6 +720,7 @@ WARNING: translation string unused: uptime and users WARNING: translation string unused: urlfilter background image WARNING: translation string unused: urlfilter background text WARNING: translation string unused: urlfilter enable jpeg +WARNING: translation string unused: urlfilter safesearch WARNING: translation string unused: urlfilter update information WARNING: translation string unused: urlfilter update notification WARNING: translation string unused: urlfilter update results diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 6be2cb6b2..c4654c4af 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl 
@@ -715,6 +715,7 @@ WARNING: translation string unused: uptime and users WARNING: translation string unused: urlfilter background image WARNING: translation string unused: urlfilter background text WARNING: translation string unused: urlfilter enable jpeg +WARNING: translation string unused: urlfilter safesearch WARNING: translation string unused: urlfilter update information WARNING: translation string unused: urlfilter update notification WARNING: translation string unused: urlfilter update results diff --git a/doc/language_issues.pl b/doc/language_issues.pl index f3b695f24..220211cf8 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -631,6 +631,7 @@ WARNING: translation string unused: uptime and users WARNING: translation string unused: urlfilter background image WARNING: translation string unused: urlfilter background text WARNING: translation string unused: urlfilter enable jpeg +WARNING: translation string unused: urlfilter safesearch WARNING: translation string unused: urlfilter update information WARNING: translation string unused: urlfilter update notification WARNING: translation string unused: urlfilter update results diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 53a655c99..6820bca75 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -634,6 +634,7 @@ WARNING: translation string unused: uptime and users WARNING: translation string unused: urlfilter background image WARNING: translation string unused: urlfilter background text WARNING: translation string unused: urlfilter enable jpeg +WARNING: translation string unused: urlfilter safesearch WARNING: translation string unused: urlfilter update information WARNING: translation string unused: urlfilter update notification WARNING: translation string unused: urlfilter update results diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 88baad746..d2d9b9c82 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -748,6 +748,7 @@ WARNING: translation string unused: uptime and users WARNING: translation string unused: urlfilter background image WARNING: translation string unused: urlfilter background text WARNING: translation string unused: urlfilter enable jpeg +WARNING: translation string unused: urlfilter safesearch WARNING: translation string unused: urlfilter update information WARNING: translation string unused: urlfilter update notification WARNING: translation string unused: urlfilter update results diff --git a/html/cgi-bin/urlfilter.cgi b/html/cgi-bin/urlfilter.cgi index c3c327eec..28ffc8114 100644 --- a/html/cgi-bin/urlfilter.cgi +++ b/html/cgi-bin/urlfilter.cgi @@ -138,7 +138,6 @@ $filtersettings{'BLOCK_IP_ADDR'} = 'off'; $filtersettings{'BLOCK_ALL'} = 'off'; $filtersettings{'ENABLE_EMPTY_ADS'} = 'off'; $filtersettings{'ENABLE_GLOBAL_WHITELIST'} = 'off'; -$filtersettings{'ENABLE_SAFESEARCH'} = 'off'; $filtersettings{'ENABLE_LOG'} = 'off'; $filtersettings{'ENABLE_USERNAME_LOG'} = 'off'; $filtersettings{'ENABLE_CATEGORY_LOG'} = 'off'; @@ -1057,9 +1056,6 @@ $checked{'ENABLE_EMPTY_ADS'}{$filtersettings{'ENABLE_EMPTY_ADS'}} = "checked='ch $checked{'ENABLE_GLOBAL_WHITELIST'}{'off'} = ''; $checked{'ENABLE_GLOBAL_WHITELIST'}{'on'} = ''; $checked{'ENABLE_GLOBAL_WHITELIST'}{$filtersettings{'ENABLE_GLOBAL_WHITELIST'}} = "checked='checked'"; -$checked{'ENABLE_SAFESEARCH'}{'off'} = ''; -$checked{'ENABLE_SAFESEARCH'}{'on'} = ''; -$checked{'ENABLE_SAFESEARCH'}{$filtersettings{'ENABLE_SAFESEARCH'}} = "checked='checked'"; $checked{'ENABLE_LOG'}{'off'} = ''; $checked{'ENABLE_LOG'}{'on'} = ''; $checked{'ENABLE_LOG'}{$filtersettings{'ENABLE_LOG'}} = "checked='checked'"; 
@@ -1474,20 +1470,16 @@ print <<END <td><input type='checkbox' name='ENABLE_LOG' $checked{'ENABLE_LOG'}{'on'} /></td> </tr> <tr> - <td class='base'>$Lang::tr{'urlfilter safesearch'}:</td> - <td><input type='checkbox' name='ENABLE_SAFESEARCH' $checked{'ENABLE_SAFESEARCH'}{'on'} /></td> - <td class='base'>$Lang::tr{'urlfilter username log'}:</td> - <td><input type='checkbox' name='ENABLE_USERNAME_LOG' $checked{'ENABLE_USERNAME_LOG'}{'on'} /></td> -</tr> -<tr> <td class='base'>$Lang::tr{'urlfilter empty ads'}:</td> <td><input type='checkbox' name='ENABLE_EMPTY_ADS' $checked{'ENABLE_EMPTY_ADS'}{'on'} /></td> - <td class='base'>$Lang::tr{'urlfilter category log'}:</td> - <td><input type='checkbox' name='ENABLE_CATEGORY_LOG' $checked{'ENABLE_CATEGORY_LOG'}{'on'} /></td> + <td class='base'>$Lang::tr{'urlfilter username log'}:</td> + <td><input type='checkbox' name='ENABLE_USERNAME_LOG' $checked{'ENABLE_USERNAME_LOG'}{'on'} /></td> </tr> <tr> <td class='base'>$Lang::tr{'urlfilter block ip'}:</td> <td><input type='checkbox' name='BLOCK_IP_ADDR' $checked{'BLOCK_IP_ADDR'}{'on'} /></td> + <td class='base'>$Lang::tr{'urlfilter category log'}:</td> + <td><input type='checkbox' name='ENABLE_CATEGORY_LOG' $checked{'ENABLE_CATEGORY_LOG'}{'on'} /></td> </tr> <tr> <td class='base'>$Lang::tr{'urlfilter block all'}:</td> @@ -2834,47 +2826,15 @@ sub writeconfigfile } }
- if ((($filtersettings{'ENABLE_REWRITE'} eq 'on') && (@repositoryfiles)) || ($filtersettings{'ENABLE_SAFESEARCH'} eq 'on')) - { + if (($filtersettings{'ENABLE_REWRITE'} eq 'on') && (@repositoryfiles)) { print FILE "rewrite rew-rule-1 {\n";
- if (($filtersettings{'ENABLE_REWRITE'} eq 'on') && (@repositoryfiles)) - { - print FILE " # rewrite localfiles\n"; - foreach (@repositoryfiles) - { - print FILE " s@.*/$_$@http://$netsettings%7B%27GREEN_ADDRESS%27%7D:$http_port/repository/$_%5C@i%5..."; - } - } - - if ($filtersettings{'ENABLE_SAFESEARCH'} eq 'on') + print FILE " # rewrite localfiles\n"; + foreach (@repositoryfiles) { - print FILE " # rewrite safesearch\n"; - print FILE " s@(.*\Wgoogle\.\w+/(webhp|search|imghp|images|grphp|groups|nwshp|frghp|froogle)\?)(.*)(\bsafe=\w+)(.*)@\1\3safe=strict\5@i\n"; - print FILE " s@(.*\Wgoogle\.\w+/(webhp|search|imghp|images|grphp|groups|nwshp|frghp|froogle)\?)(.*)@\1safe=strict\&\3@i\n"; - print FILE " s@(.*\Wsearch\.yahoo\.\w+/search\W)(.*)(\bvm=\w+)(.*)@\1\2vm=r\4@i\n"; - print FILE " s@(.*\Wsearch\.yahoo\.\w+/search\W.*)@\1\&vm=r@i\n"; - print FILE " s@(.*\Walltheweb\.com/customize\?)(.*)(\bcopt_offensive=\w+)(.*)@\1\2copt_offensive=on\4@i\n"; - print FILE " s@(.*\Wbing\.\w+/)(.*)(\badlt=\w+)(.*)@\1\2adlt=strict\4@i\n"; - print FILE " s@(.*\Wbing\.\w+/.*)@\1\&adlt=strict@i\n"; + print FILE " s@.*/$_$@http://$netsettings%7B%27GREEN_ADDRESS%27%7D:$http_port/repository/$_%5C@i%5..."; } - print FILE "}\n\n"; - - if ((!($filtersettings{'UNFILTERED_CLIENTS'} eq '')) && ($filtersettings{'ENABLE_SAFESEARCH'} eq 'on')) { - print FILE "rewrite rew-rule-2 {\n"; - if (($filtersettings{'ENABLE_REWRITE'} eq 'on') && (@repositoryfiles)) - { - print FILE " # rewrite localfiles\n"; - foreach (@repositoryfiles) - { - print FILE " s@.*/$_$@http://$netsettings%7B%27GREEN_ADDRESS%27%7D:$http_port/repository/$_%5C@i%5..."; - } - } else { - print FILE " # rewrite nothing\n"; - } - print FILE "}\n\n"; - } }
if (!($filtersettings{'UNFILTERED_CLIENTS'} eq '')) { @@ -3083,10 +3043,6 @@ sub writeconfigfile if (!($filtersettings{'UNFILTERED_CLIENTS'} eq '')) { print FILE " unfiltered {\n"; print FILE " pass all\n"; - if ($filtersettings{'ENABLE_SAFESEARCH'} eq 'on') - { - print FILE " rewrite rew-rule-2\n"; - } print FILE " }\n\n"; } if (!($filtersettings{'BANNED_CLIENTS'} eq '')) { @@ -3215,7 +3171,7 @@ sub writeconfigfile print FILE " logfile".$ident." urlfilter.log\n"; } } - if ((($filtersettings{'ENABLE_REWRITE'} eq 'on') && (@repositoryfiles)) || ($filtersettings{'ENABLE_SAFESEARCH'} eq 'on')) + if (($filtersettings{'ENABLE_REWRITE'} eq 'on') && (@repositoryfiles)) { print FILE " rewrite rew-rule-1\n"; }
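Review bot: the doc/language_issues.* hunks only record `urlfilter safesearch` as an unused translation string in every language; nothing in the series removes the string from the language files themselves, even though the key is gone from urlfilter.cgi in this same patch. Deleting the key from the language files would avoid shipping a dead string and the "translation string unused" warning in all ten files.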
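Review bot: removing the `$filtersettings{'ENABLE_SAFESEARCH'} = 'off';` default and the checkbox leaves installations that had Safe Search switched on with no Safe Search at all after the update, and nothing in this hunk or the cover letter carries the old URL Filter value over to the new `ENABLE_SAFE_SEARCH=on` switch in /etc/sysconfig/unbound. Consider a one-time migration in the update step (read the saved URL Filter value, write the unbound switch, drop the stale key) and a line in the release notes, so school deployments do not lose filtering silently.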
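Review bot: the deleted rewrite block in writeconfigfile also enforced Safe Search for Yahoo (`vm=r`) and AllTheWeb (`copt_offensive=on`), while the DNS replacement described in the cover letter covers only Google, Bing, DuckDuckGo and Yandex, so Yahoo enforcement is dropped without being mentioned anywhere. Since the cover letter says these were the only engines found to offer a DNS-based mode, the loss is presumably accepted; say so explicitly in the commit message of "URL Filter: Drop Safe Search feature" so the behaviour change is traceable.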
Hello Michael, hello *,
just a few comments from my point of view:
For a couple of reasons, I have always been against DNS-based filtering of malware, C&C traffic (including the oh-my-god-it's-so-dangerous DNS tunneling) and other possibly unwanted content.
As more and more web traffic uses HTTPS today, I agree the proxy based Safe Search option does not make sense any more.
However, manipulating DNS queries - or, worse, replies - makes network debugging and troubleshooting harder, since the presence of such techniques might not be obvious.
Talking about DNS replies, such manipulations look like an attack to DNSSEC-validating resolvers. If they are created "on purpose", detection of real attacks becomes harder. At this point, best regards to DNS based ad/tracker filters such as Pi-hole.
DNS based Safe Search can be bypassed by using a different DNS server (of course, there have to be firewall rules in place to prohibit this, which I highly recommend in any given scenario). In case internet access is granted via local Squid proxy with an upstream one, administrators need to ensure _this_ machine will also force the Safe Search domains for resolving.
Besides that, I have no objection to this patchset.
Thanks, and best regards, Peter Müller
Hello,
Thanks for writing. I think this is a very important opinion to have on the record.
I share your view.
On 30 Apr 2019, at 18:52, Peter Müller peter.mueller@ipfire.org wrote:
Hello Michael, hello *,
just a few comments from my point of view:
For a couple of reasons, I have always been against DNS-based filtering of malware, C&C traffic (including the oh-my-god-it's-so-dangerous DNS tunneling) and other possibly unwanted content.
As more and more web traffic uses HTTPS today, I agree the proxy based Safe Search option does not make sense any more.
However, manipulating DNS queries - or, worse, replies - makes network debugging and troubleshooting harder, since the presence of such techniques might not be obvious.
It is transparent for the client in the sense that the client sees the CNAME (for those who use it) and therefore would see "safe" or so in the name.
But if you are on the web browser level then you don’t really see this at all. Agreed.
Talking about DNS replies, such manipulations look like an attack to DNSSEC-validating resolvers. If they are created "on purpose", detection of real attacks becomes harder. At this point, best regards to DNS based ad/tracker filters such as Pi-hole.
None of the search engines are using DNSSEC, and presumably never will, because they are employing this sort of technique. However, I have no better idea how to force Safe Search on a network level.
DNS based Safe Search can be bypassed by using a different DNS server (of course, there have to be firewall rules in place to prohibit this, which I highly recommend in any given scenario). In case internet access is granted via local Squid proxy with an upstream one, administrators need to ensure _this_ machine will also force the Safe Search domains for resolving.
The idea to work on this came from a customer which is running a school network. Access to the internet is prohibited for most devices and no access is possible without going through the web proxy - at least for students.
Of course this needs some good documentation and a button on the web UI.
Besides that, I have no objection to this patchset.
Although I also disagree with this approach in the sense that it will break DNSSEC, this works according to the "old" DNS protocol.
This is also better than the HTTP request rewrite approach as it protects the privacy of the search queries.
All in all, Safe Search is a necessity for schools. There is no other way to do this, and for this it is not too ugly.
Please don’t forget to use Git tags.
Best, -Michael
Thanks, and best regards, Peter Müller
-- The road to Hades is easy to travel. -- Bion of Borysthenes
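Both points made in the exchange above, that the client sees a CNAME to the forced alias and that a rewritten answer can never carry DNSSEC validation, can be checked on the wire from any client. The following is an added example, not code from the patchset or from IPFire: it builds a DNS query with the EDNS0 DO bit set, parses the reply, and reports whether the queried name was redirected via CNAME to the expected Safe Search alias and whether the resolver set the AD (authenticated data) flag. The alias forcesafesearch.google.com, the 192.0.2.x addresses and the sample replies are assumptions constructed for the offline demo and are not taken from the page; against a real IPFire box, feed the bytes returned by query_resolver() into safe_search_status() instead.

```python
"""Inspect what a client receives from a resolver that rewrites answers to enforce
Safe Search: is the name answered via a CNAME to the forced-safe alias, and is the
AD flag set? A rewritten answer can never be DNSSEC-authenticated."""
import random
import socket
import struct

TYPE_A, TYPE_CNAME, TYPE_OPT = 1, 5, 41
FLAG_AD = 0x0020  # "authenticated data" bit in the DNS header flags

def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg: bytes, offset: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            if not jumped:
                end = offset + 2
            jumped, offset = True, struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)

def build_query(qname: str, qtype: int = TYPE_A) -> bytes:
    """Query with EDNS0 and DO=1, so a validating resolver would set AD on a genuine answer."""
    header = struct.pack(">HHHHHH", random.randrange(0x10000), 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack(">HH", qtype, 1)
    return header + question + b"\x00" + struct.pack(">HHIH", TYPE_OPT, 4096, 0x8000, 0)

def parse_response(msg: bytes) -> dict:
    """Parse header flags and the answer section into (owner, type, value) tuples."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_CNAME:
            value = decode_name(msg, off)[0]
        elif rtype == TYPE_A and rdlen == 4:
            value = socket.inet_ntoa(msg[off:off + 4])
        else:
            value = msg[off:off + rdlen].hex()
        off += rdlen
        answers.append((owner, rtype, value))
    return {"id": txid, "ad": bool(flags & FLAG_AD), "rcode": flags & 0xF, "answers": answers}

def safe_search_status(qname: str, response: bytes, expected_alias: str) -> tuple:
    """(forced, ad): forced if qname is answered with a CNAME to expected_alias;
    ad is whether the resolver claimed DNSSEC validation for this answer."""
    parsed = parse_response(response)
    cnames = {o.lower(): v.lower() for o, t, v in parsed["answers"] if t == TYPE_CNAME}
    forced = cnames.get(qname.lower().rstrip(".")) == expected_alias.lower().rstrip(".")
    return forced, parsed["ad"]

def query_resolver(resolver_ip: str, qname: str, timeout: float = 3.0) -> bytes:
    """Send build_query() over UDP to a live resolver; the offline demo below does not call this."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        data = sock.recv(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return data

def constructed_response(query: bytes, address: str, cname_target: str = "") -> bytes:
    """Constructed reply in the shape a rewriting resolver sends (not captured from
    IPFire): an optional CNAME to cname_target, then an A record for the final owner."""
    question = query[12:decode_name(query, 12)[1] + 4]
    owner, records = b"\xc0\x0c", b""  # owner starts as a pointer to the question name
    if cname_target:
        rdata = encode_name(cname_target)
        records += owner + struct.pack(">HHIH", TYPE_CNAME, 1, 300, len(rdata)) + rdata
        owner = encode_name(cname_target)
    records += owner + struct.pack(">HHIH", TYPE_A, 1, 300, 4) + socket.inet_aton(address)
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, 2 if cname_target else 1, 0, 0)
    return header + question + records

if __name__ == "__main__":
    q = build_query("www.google.com")
    # Assumed alias, not taken from the patchset; 192.0.2.0/24 is documentation address space.
    forced = constructed_response(q, "192.0.2.10", "forcesafesearch.google.com")
    plain = constructed_response(q, "192.0.2.20")
    print(safe_search_status("www.google.com", forced, "forcesafesearch.google.com"))  # (True, False)
    print(safe_search_status("www.google.com", plain, "forcesafesearch.google.com"))  # (False, False)
```

Against a live resolver, `(True, False)` is the expected signature of the enforced mode: the redirect is visible as a CNAME, and AD is never set because the rewritten records cannot validate. A client that does its own DNSSEC validation will see the same answer fail, which is exactly the trade-off the thread accepts; the same parser also makes it easy to compare the answer from the firewall's resolver with the answer from an external one, which is how a bypass via a different DNS server would show up.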