[RFC,0/8] Provide an easy way to use Safe Search

Message ID 20190430161645.24261-1-michael.tremer@ipfire.org
Series: Provide an easy way to use Safe Search

Message

Michael Tremer May 1, 2019, 2:16 a.m. UTC
  For some users of IPFire, it makes a lot of sense to use Safe Search.

Safe Search is a feature that some search engines provide to filter out
pornography and other "adult" content from the search results. It makes
sense to use this in schools or at home with smaller children.

We used to have a checkbox in URL Filter which allowed modifying the
search URL, which no longer works because all search engines are using
HTTPS.

Some search engines provide a different way to enable Safe Search
network wide by having special servers that can be contacted which
always have Safe Search on. Those servers can be reached by changing
the DNS response from the usual servers to those special ones.

This patchset enables this for Google, Bing, DuckDuckGo and Yandex.

These are all the search engines I could find that support this.

This patchset also removes the old URL Filter option.

Please review and test. You can enable this by simply adding
ENABLE_SAFE_SEARCH=on to /etc/sysconfig/unbound.

Michael Tremer (8):
  unbound: Add switch to enable Google Safe Search
  unbound: Enable Bing SafeSearch
  unbound: Enbale DuckDuckGo safe search
  unbound: Move Safe Search zone setup to configuration file
  unbound: Add Yandex Safe Search
  unbound: Fix Bing domain name for SafeSearch
  unbound: Fix domain name for Google Safe Search
  URL Filter: Drop Safe Search feature

 config/unbound/unbound.conf    |   3 +
 doc/language_issues.de         |   1 +
 doc/language_issues.en         |   1 -
 doc/language_issues.es         |   1 +
 doc/language_issues.fr         |   1 +
 doc/language_issues.it         |   1 +
 doc/language_issues.nl         |   1 +
 doc/language_issues.pl         |   1 +
 doc/language_issues.ru         |   1 +
 doc/language_issues.tr         |   1 +
 html/cgi-bin/urlfilter.cgi     |  62 ++---------
 src/initscripts/system/unbound | 230 +++++++++++++++++++++++++++++++++++++++++
 12 files changed, 250 insertions(+), 54 deletions(-)
  

Comments

Peter Müller May 1, 2019, 3:52 a.m. UTC | #1
Hello Michael, hello *,

just a few comments from my point of view:

For a couple of reasons, I have always been against DNS-based
filtering of malware, C&C traffic (including the oh-my-god-its-so-dangerous
DNS tunneling) and other possible unwanted content.

As more and more web traffic uses HTTPS today, I agree the
proxy based Safe Search option does not make sense any more.

However, manipulating DNS queries - or, worse, replies - makes
network debugging and troubleshooting harder, since the
presence of such techniques might not be obvious.

Talking about DNS replies, such manipulations look like an attack
to DNSSEC-validating resolvers. If they are created "on purpose",
detection of real attacks becomes harder. At this point, best
regards to DNS based ad/tracker filters such as Pi-hole.

DNS based Safe Search can be bypassed by using a different DNS
server (of course, there have to be firewall rules in place to
prohibit this, which I highly recommend in any given scenario).
In case internet access is granted via local Squid proxy with an
upstream one, administrators need to ensure _this_ machine will
also force the Safe Search domains for resolving.

Besides that, I have no objection against this patchset.

Thanks, and best regards,
Peter Müller

Michael Tremer May 1, 2019, 7:51 p.m. UTC | #2
Hello,

Thanks for writing. I think this is a very important opinion to have on the record.

I share your view.

> On 30 Apr 2019, at 18:52, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> Hello Michael, hello *,
> 
> just a few comments from my point of view:
> 
> For a couple of reasons, I have always been against DNS-based
> filtering of malware, C&C traffic (including the oh-my-god-its-so-dangerous
> DNS tunneling) and other possible unwanted content.
> 
> As more and more web traffic uses HTTPS today, I agree the
> proxy based Safe Search option does not make sense any more.
> 
> However, manipulating DNS queries - or, worse, replies - makes
> network debugging and troubleshooting harder, since the
> presence of such techniques might not be obvious.

It is transparent for the client in the sense that the client sees the CNAME (for those who use it) and therefore would see “safe” or so in the name.

But if you are on the web browser level then you don’t really see this at all. Agreed.

> Talking about DNS replies, such manipulations look like an attack
> to DNSSEC-validating resolvers. If they are created "on purpose",
> detection of real attacks becomes harder. At this point, best
> regards to DNS based ad/tracker filters such as Pi-hole.

The search engines are all not using DNSSEC and presumably never will because they are employing this sort of technique. However, I have no better idea how to force Safe Search on a network level.

> DNS based Safe Search can be bypassed by using a different DNS
> server (of course, there have to be firewall rules in place to
> prohibit this, which I highly recommend in any given scenario).
> In case internet access is granted via local Squid proxy with an
> upstream one, administrators need to ensure _this_ machine will
> also force the Safe Search domains for resolving.

The idea to work on this came from a customer who is running a school network. Access to the internet is prohibited for most devices and no access is possible without going through the web proxy - at least for students.

Of course this needs some good documentation and a button on the web UI.

> Besides that, I have no objection against this patchset.

Although I also disagree with this approach in the sense that it will break DNSSEC, this works according to the “old” DNS protocol.

This is also better than the HTTP request rewrite approach as it protects the privacy of the search queries.

All in all, Safe Search is a necessity for schools. There is no other way to do this and for this is not too ugly.

Please don’t forget to use Git tags.

Best,
-Michael

> Thanks, and best regards,
> Peter Müller
> 
> 
> -- 
> The road to Hades is easy to travel.
> 	-- Bion of Borysthenes
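
Added example, not part of the thread or of the IPFire patchset: a Python check, run over `dig +noall +answer` output, for the CNAME that a client sees when Safe Search is enforced through DNS, as discussed in the replies above. The Safe Search hostnames are the ones the search engines publish, not values from this page, and the sample replies are constructed.

```python
# Added example: detect DNS-enforced Safe Search from the CNAME in a reply.
# Assumption: targets are the hostnames the search engines document for this.
SAFE_TARGETS = {
    "www.google.com.": "forcesafesearch.google.com.",
    "www.bing.com.": "strict.bing.com.",
    "duckduckgo.com.": "safe.duckduckgo.com.",
    "yandex.ru.": "familysearch.yandex.ru.",
}

def parse_answers(dig_output):
    """Return {owner: [(rtype, rdata), ...]} from dig answer-section lines."""
    records = {}
    for line in dig_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or line.startswith(";"):
            continue  # blank line, comment, or truncated record
        owner, _ttl, _class, rtype = fields[:4]
        records.setdefault(owner.lower(), []).append(
            (rtype.upper(), fields[4].lower()))
    return records

def cname_chain(records, name):
    """Follow CNAMEs starting at name; stop on a loop or a non-CNAME answer."""
    chain, seen = [], set()
    while name not in seen:
        seen.add(name)
        targets = [data for rtype, data in records.get(name, [])
                   if rtype == "CNAME"]
        if not targets:
            break
        name = targets[0]
        chain.append(name)
    return chain

def safe_search_enforced(dig_output, qname):
    """True if the reply for qname passes through its Safe Search target."""
    qname = qname.lower()
    return SAFE_TARGETS[qname] in cname_chain(parse_answers(dig_output), qname)

# Constructed sample replies; addresses come from documentation ranges.
ENFORCED = """\
www.google.com.  300 IN CNAME forcesafesearch.google.com.
forcesafesearch.google.com. 300 IN A 192.0.2.10
"""
BYPASSED = """\
www.google.com.  300 IN A 198.51.100.20
"""
```

A resolver that rewrites the answer straight to the Safe Search host's addresses shows no CNAME, so that case needs an address comparison instead of this check.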