From: Michael Tremer
To: development@lists.ipfire.org
Cc: Michael Tremer
Subject: [RFC PATCH 1/8] unbound: Add switch to enable Google Safe Search
Date: Tue, 30 Apr 2019 17:16:38 +0100
Message-Id: <20190430161645.24261-2-michael.tremer@ipfire.org>

Signed-off-by: Michael Tremer --- src/initscripts/system/unbound | 215 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 215 insertions(+) diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound index fbb096e0d..4ac8331dc 100644 --- a/src/initscripts/system/unbound +++ b/src/initscripts/system/unbound @@ -14,6 +14,7 @@ TEST_DOMAIN_FAIL="dnssec-failed.org" INSECURE_ZONES= USE_FORWARDERS=1 +ENABLE_SAFE_SEARCH=off # Cache any local zones for 60 seconds LOCAL_TTL=60 
@@ -21,6 +22,202 @@ LOCAL_TTL=60 # EDNS buffer size EDNS_DEFAULT_BUFFER_SIZE=4096 +GOOGLE_TLDS=( + google.ad + google.ae + google.al + google.am + google.as + google.at + google.az + google.ba + google.be + google.bf + google.bg + google.bi + google.bj + google.bs + google.bt + google.by + google.ca + google.cat + google.cd + google.cf + google.cg + google.ch + google.ci + google.cl + google.cm + google.cn + google.co.ao + google.co.bw + google.co.ck + google.co.cr + google.co.id + google.co.il + google.co.in + google.co.jp + google.co.ke + google.co.kr + google.co.ls + google.com + google.co.ma + google.com.af + google.com.ag + google.com.ai + google.com.ar + google.com.au + google.com.bd + google.com.bh + google.com.bn + google.com.bo + google.com.br + google.com.bz + google.com.co + google.com.cu + google.com.cy + google.com.do + google.com.ec + google.com.eg + google.com.et + google.com.fj + google.com.gh + google.com.gi + google.com.gt + google.com.hk + google.com.jm + google.com.kh + google.com.kw + google.com.lb + google.com.ly + google.com.mm + google.com.mt + google.com.mx + google.com.my + google.com.na + google.com.nf + google.com.ng + google.com.ni + google.com.np + google.com.om + google.com.pa + google.com.pe + google.com.pg + google.com.ph + google.com.pk + google.com.pr + google.com.py + google.com.qa + google.com.sa + google.com.sb + google.com.sg + google.com.sl + google.com.sv + google.com.tj + google.com.tr + google.com.tw + google.com.ua + google.com.uy + google.com.vc + google.com.vn + google.co.mz + google.co.nz + google.co.th + google.co.tz + google.co.ug + google.co.uk + google.co.uz + google.co.ve + google.co.vi + google.co.za + google.co.zm + google.co.zw + google.cv + google.cz + google.de + google.dj + google.dk + google.dm + google.dz + google.ee + google.es + google.fi + google.fm + google.fr + google.ga + google.ge + google.gg + google.gl + google.gm + google.gp + google.gr + google.gy + google.hn + google.hr + google.ht + google.hu 
+ google.ie + google.im + google.iq + google.is + google.it + google.je + google.jo + google.kg + google.ki + google.kz + google.la + google.li + google.lk + google.lt + google.lu + google.lv + google.md + google.me + google.mg + google.mk + google.ml + google.mn + google.ms + google.mu + google.mv + google.mw + google.ne + google.nl + google.no + google.nr + google.nu + google.pl + google.pn + google.ps + google.pt + google.ro + google.rs + google.ru + google.rw + google.sc + google.se + google.sh + google.si + google.sk + google.sm + google.sn + google.so + google.sr + google.st + google.td + google.tg + google.tk + google.tl + google.tm + google.tn + google.to + google.tt + google.vg + google.vu + google.ws +) + # Load optional configuration [ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound @@ -481,6 +678,21 @@ fix_time_if_dns_fail() { fi } +# Sets up Safe Search for various search engines +setup_safe_search() { + # Nothing to do if safe search is not enabled + if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then + return 0 + fi + + local domain + + # Google + for domain in ${GOOGLE_TLDS[@]}; do + unbound-control local_data "${domain} CNAME forcesafesearch.google.com." + done +} + case "$1" in start) # Print a nicer messagen when unbound is already running @@ -501,6 +713,9 @@ case "$1" in # Make own hostname resolveable own_hostname + # Setup Safe Search + setup_safe_search + # Update any known forwarding name servers update_forwarders
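Review bot: In the first hunk (@@ -14,6 +14,7), ENABLE_SAFE_SEARCH=off is added without a comment saying which values are accepted, and it uses on/off while USE_FORWARDERS=1 directly above it uses a numeric flag. setup_safe_search() only tests for the exact string "on", so a value such as 1, yes or On set in /etc/sysconfig/unbound leaves Safe Search disabled without any message. Suggest a one-line comment above the variable documenting the accepted values, or accepting the same convention as the neighbouring switch.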
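Review bot: In the second hunk (@@ -21,6 +22,202), the array is named GOOGLE_TLDS but its entries (google.ad, google.co.uk, google.com, ...) are Google's registered domains, not TLDs; a name such as GOOGLE_DOMAINS would describe it correctly. Embedding nearly 200 names in the initscript also means every change to that set needs a patch to this file, and nothing here says where the list came from. Consider reading the names from a separate data file with a comment naming its source. The array is defined before /etc/sysconfig/unbound is sourced, so a local override is possible; that is worth a comment too.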
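Review bot: In the third hunk (@@ -481,6 +678,21), the loop in setup_safe_search() adds a CNAME only for each name exactly as listed, and the list holds bare domains such as google.com with no www. entries, so nothing visible here redirects www.google.com or any other host below those names. If clients are meant to be forced to forcesafesearch.google.com for those hosts as well, the function needs to cover them explicitly, for example by declaring a redirect zone with unbound-control local_zone "${domain}" redirect before adding the record; please state in a comment which names are intended to be covered. Separately, the expansion in for domain in ${GOOGLE_TLDS[@]} is unquoted and should be "${GOOGLE_TLDS[@]}", and the exit status of each unbound-control call is discarded.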
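Review bot: In the last hunk (@@ -501,6 +713,9), setup_safe_search is called in the start) branch with its result ignored, so when ENABLE_SAFE_SEARCH is on and unbound-control fails, the resolver comes up without the Safe Search records and nothing is reported. Since this is a filtering control, suggest having the function return non-zero on failure and logging a warning at this call site. The call also runs one unbound-control invocation per domain on every start, which is worth mentioning in the commit message, which currently has no description beyond the subject.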