From patchwork Wed May 1 02:16:41 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 2228 Return-Path: Received: from mail01.ipfire.org (unknown [172.28.1.200]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail01.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web07.i.ipfire.org (Postfix) with ESMTPS id 8D6C485BD81 for ; Tue, 30 Apr 2019 17:17:30 +0100 (BST) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 44tmrp0vlqz57JhQ; Tue, 30 Apr 2019 17:17:30 +0100 (BST) Received: from ipfire.tremer.co.uk (unknown [88.215.19.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 44tmrV59s5z55Jp2; Tue, 30 Apr 2019 17:17:14 +0100 (BST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201904rsa; t=1556641035; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:in-reply-to: references:references:openpgp:autocrypt; bh=aCN32L5GnAPgP/oDrOqVtvh6ZolmXMut+cF37uxg2pw=; b=fmIUqHx0Be5sfs0HrInHFVbDFac7QkRtd5y6Vpa9KYaTqZCifYkX7oerEd20aXrtr21JDH WIhWdxJhFq42bHJu2vhCUdDD4IwCNFq10uIryTJIoyjl1PMhuW6vXtuYw17CXlattupM6u GSjfWXBAqwisIQrH0wYhFgX7KY0onPu3GDbhJ9VK6Fa2jwNIuLSbcg4Wo4wcLBNXlP9hBj +6qY8HbkcncwnhrOfDFGOW//iAR7DF9BMhRZR2rvht3I0nWB0l0DP9/02FFPQu5aIkpfrg LPq0wvT7Jjv9UKunOUYwXTc9DSLk/lC4qKhDJp7ykOfnD5Nfc0l1q0pCCSoR/Q== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=201904ed25519; t=1556641035; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:in-reply-to: references:references:openpgp:autocrypt; 
bh=aCN32L5GnAPgP/oDrOqVtvh6ZolmXMut+cF37uxg2pw=; b=k5BGlkOpqPcZlAecY6Pebl6jJjBjpX3oT6x8Is5TWBKKzDO/k78+57tBOsWlne627cViiF 9e0zj4r2rh69UJDA== From: Michael Tremer To: development@lists.ipfire.org Subject: [RFC PATCH 4/8] unbound: Move Safe Search zone setup to configuration file Date: Tue, 30 Apr 2019 17:16:41 +0100 Message-Id: <20190430161645.24261-5-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.12.2 In-Reply-To: <20190430161645.24261-1-michael.tremer@ipfire.org> References: <20190430161645.24261-1-michael.tremer@ipfire.org> Authentication-Results: mail01.ipfire.org; auth=pass smtp.auth=ms smtp.mailfrom=michael.tremer@ipfire.org Cc: Michael Tremer X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Michael Tremer --- config/unbound/unbound.conf | 3 + src/initscripts/system/unbound | 431 +++++++++++++++++++++-------------------- 2 files changed, 221 insertions(+), 213 deletions(-) diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index e20c3330d..4d492a5bc 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -81,6 +81,9 @@ server: # Include any forward zones include: "/etc/unbound/forward.conf" + # Include safe search settings + include: "/etc/unbound/safe-search.conf" + remote-control: control-enable: yes control-use-cert: no diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound index 41117904f..951fda7ab 100644 --- a/src/initscripts/system/unbound +++ b/src/initscripts/system/unbound 
@@ -22,202 +22,6 @@ LOCAL_TTL=60 # EDNS buffer size EDNS_DEFAULT_BUFFER_SIZE=4096 -GOOGLE_TLDS=( - google.ad - google.ae - google.al - google.am - google.as - google.at - google.az - google.ba - google.be - google.bf - google.bg - google.bi - google.bj - google.bs - google.bt - google.by - google.ca - google.cat - google.cd - google.cf - google.cg - google.ch - google.ci - google.cl - google.cm - google.cn - google.co.ao - google.co.bw - google.co.ck - google.co.cr - google.co.id - google.co.il - google.co.in - google.co.jp - google.co.ke - google.co.kr - google.co.ls - google.com - google.co.ma - google.com.af - google.com.ag - google.com.ai - google.com.ar - google.com.au - google.com.bd - google.com.bh - google.com.bn - google.com.bo - google.com.br - google.com.bz - google.com.co - google.com.cu - google.com.cy - google.com.do - google.com.ec - google.com.eg - google.com.et - google.com.fj - google.com.gh - google.com.gi - google.com.gt - google.com.hk - google.com.jm - google.com.kh - google.com.kw - google.com.lb - google.com.ly - google.com.mm - google.com.mt - google.com.mx - google.com.my - google.com.na - google.com.nf - google.com.ng - google.com.ni - google.com.np - google.com.om - google.com.pa - google.com.pe - google.com.pg - google.com.ph - google.com.pk - google.com.pr - google.com.py - google.com.qa - google.com.sa - google.com.sb - google.com.sg - google.com.sl - google.com.sv - google.com.tj - google.com.tr - google.com.tw - google.com.ua - google.com.uy - google.com.vc - google.com.vn - google.co.mz - google.co.nz - google.co.th - google.co.tz - google.co.ug - google.co.uk - google.co.uz - google.co.ve - google.co.vi - google.co.za - google.co.zm - google.co.zw - google.cv - google.cz - google.de - google.dj - google.dk - google.dm - google.dz - google.ee - google.es - google.fi - google.fm - google.fr - google.ga - google.ge - google.gg - google.gl - google.gm - google.gp - google.gr - google.gy - google.hn - google.hr - google.ht - google.hu 
- google.ie - google.im - google.iq - google.is - google.it - google.je - google.jo - google.kg - google.ki - google.kz - google.la - google.li - google.lk - google.lt - google.lu - google.lv - google.md - google.me - google.mg - google.mk - google.ml - google.mn - google.ms - google.mu - google.mv - google.mw - google.ne - google.nl - google.no - google.nr - google.nu - google.pl - google.pn - google.ps - google.pt - google.ro - google.rs - google.ru - google.rw - google.sc - google.se - google.sh - google.si - google.sk - google.sm - google.sn - google.so - google.sr - google.st - google.td - google.tg - google.tk - google.tl - google.tm - google.tn - google.to - google.tt - google.vg - google.vu - google.ws -) - # Load optional configuration [ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound 
@@ -679,24 +483,227 @@ fix_time_if_dns_fail() { } # Sets up Safe Search for various search engines -setup_safe_search() { - # Nothing to do if safe search is not enabled - if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then - return 0 - fi +write_safe_search_conf() { + local google_tlds=( + google.ad + google.ae + google.al + google.am + google.as + google.at + google.az + google.ba + google.be + google.bf + google.bg + google.bi + google.bj + google.bs + google.bt + google.by + google.ca + google.cat + google.cd + google.cf + google.cg + google.ch + google.ci + google.cl + google.cm + google.cn + google.co.ao + google.co.bw + google.co.ck + google.co.cr + google.co.id + google.co.il + google.co.in + google.co.jp + google.co.ke + google.co.kr + google.co.ls + google.com + google.co.ma + google.com.af + google.com.ag + google.com.ai + google.com.ar + google.com.au + google.com.bd + google.com.bh + google.com.bn + google.com.bo + google.com.br + google.com.bz + google.com.co + google.com.cu + google.com.cy + google.com.do + google.com.ec + google.com.eg + google.com.et + google.com.fj + google.com.gh + google.com.gi + google.com.gt + google.com.hk + google.com.jm + google.com.kh + google.com.kw + google.com.lb + google.com.ly + google.com.mm + google.com.mt + google.com.mx + google.com.my + google.com.na + google.com.nf + google.com.ng + google.com.ni + google.com.np + google.com.om + google.com.pa + google.com.pe + google.com.pg + google.com.ph + google.com.pk + google.com.pr + google.com.py + google.com.qa + google.com.sa + google.com.sb + google.com.sg + google.com.sl + google.com.sv + google.com.tj + google.com.tr + google.com.tw + google.com.ua + google.com.uy + google.com.vc + google.com.vn + google.co.mz + google.co.nz + google.co.th + google.co.tz + google.co.ug + google.co.uk + google.co.uz + google.co.ve + google.co.vi + google.co.za + google.co.zm + google.co.zw + google.cv + google.cz + google.de + google.dj + google.dk + google.dm + google.dz + google.ee + 
google.es + google.fi + google.fm + google.fr + google.ga + google.ge + google.gg + google.gl + google.gm + google.gp + google.gr + google.gy + google.hn + google.hr + google.ht + google.hu + google.ie + google.im + google.iq + google.is + google.it + google.je + google.jo + google.kg + google.ki + google.kz + google.la + google.li + google.lk + google.lt + google.lu + google.lv + google.md + google.me + google.mg + google.mk + google.ml + google.mn + google.ms + google.mu + google.mv + google.mw + google.ne + google.nl + google.no + google.nr + google.nu + google.pl + google.pn + google.ps + google.pt + google.ro + google.rs + google.ru + google.rw + google.sc + google.se + google.sh + google.si + google.sk + google.sm + google.sn + google.so + google.sr + google.st + google.td + google.tg + google.tk + google.tl + google.tm + google.tn + google.to + google.tt + google.vg + google.vu + google.ws + ) + + ( + # Nothing to do if safe search is not enabled + if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then + exit 0 + fi - local domain + # This all belongs into the server: section + echo "server:" - # Bing - unbound-control local_data "bind.com CNAME strict.bing.com." + # Bing + echo " local-zone: bing.com transparent" + echo " local-data: \"bing.com CNAME strict.bing.com.\"" - # DuckDuckGo - unbound-control local_data "duckduckgo.com CNAME safe.duckduckgo.com." + # DuckDuckGo + echo " local-zone: duckduckgo.com transparent" + echo " local-data: \"duckduckgo.com CNAME safe.duckduckgo.com.\"" - # Google - for domain in ${GOOGLE_TLDS[@]}; do - unbound-control local_data "${domain} CNAME forcesafesearch.google.com." - done + # Google + local domain + for domain in ${google_tlds[@]}; do + echo " local-zone: ${domain} transparent" + echo " local-data: \"${domain} CNAME forcesafesearch.google.com.\"" + done + ) > /etc/unbound/safe-search.conf } case "$1" in 
@@ -712,6 +719,7 @@ case "$1" in # Update configuration files write_tuning_conf write_forward_conf + write_safe_search_conf boot_mesg "Starting Unbound DNS Proxy..." loadproc /usr/sbin/unbound || exit $? @@ -719,9 +727,6 @@ case "$1" in # Make own hostname resolveable own_hostname - # Setup Safe Search - setup_safe_search - # Update any known forwarding name servers update_forwarders
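Review bot: the new `include: "/etc/unbound/safe-search.conf"` in the unbound.conf hunk is unconditional, so unbound refuses to parse its configuration whenever that file is absent, and the patch only creates it from write_safe_search_conf in the initscript's start path. An unbound-checkconf run or a daemon start on a system where the updated initscript has not yet executed (first boot after the update, or a manually launched unbound) therefore hits a missing include. Either ship an empty /etc/unbound/safe-search.conf with the package and update scripts, or create it before the include is relied on, in the same way the existing forward.conf include depends on write_forward_conf having run first.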
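Review bot: removing the global GOOGLE_TLDS array in the first initscript hunk changes what /etc/sysconfig/unbound can influence: the array was defined immediately before that file is sourced (`[ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound`), so a local override or extension of GOOGLE_TLDS used to be possible, while the replacement `local google_tlds=(...)` inside write_safe_search_conf is not reachable from there. If that was never a supported knob this is fine; otherwise keep a global that the function reads, or at least record the behaviour change in the commit message, which currently carries nothing beyond the Signed-off-by.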
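Review bot: the zones generated in the write_safe_search_conf hunk are all `transparent` with local-data only at the bare domain (`local-data: "bing.com CNAME strict.bing.com."`, `duckduckgo.com`, `google.<tld>`), so a query for `www.bing.com`, `www.duckduckgo.com` or `www.google.com` has no matching local-data and falls through to normal resolution, and those `www.` names are what browsers actually query. This mirrors the old unbound-control local_data calls, but since the file is generated anyway, emitting an extra `www.` entry per domain (or whichever hostnames the search engines document for forced safe search) would close the gap without switching to a `redirect` zone, which would also capture unrelated hosts under those domains. Two smaller points in the same hunk: quote the expansion as `"${google_tlds[@]}"` to follow the usual bash idiom, and add a comment that `exit 0` inside the `( ... ) > /etc/unbound/safe-search.conf` subshell intentionally leaves a truncated, empty file when ENABLE_SAFE_SEARCH is off; that is the correct behaviour, but without a comment someone will eventually "fix" it into a return.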
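Review bot: dropping `setup_safe_search` from the start case in the last hunk, combined with the file-based approach, means Safe Search data is now applied only when unbound parses its configuration: the old unbound-control local_data calls could be re-run against a live daemon, whereas the new /etc/unbound/safe-search.conf is read at start or reload. Any reload or restart path in this initscript that does not also call write_safe_search_conf will keep serving the previous setting after ENABLE_SAFE_SEARCH is toggled in /etc/sysconfig/unbound; only the start path is shown calling it, so please check the other cases or move the call into a helper shared by start and reload.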