unbound: Add Safe Search

This is a feature that will filter adult content from search
engine's results.

The old method of rewriting the HTTP request no longer works.

This method changes the DNS response for supported search engines
which violates our belief in DNSSEC and won't allow these search
engines to ever enable DNSSEC.

However, there is no better solution available to this and this
an optional feature, too.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>

src/initscripts/system/unbound

@@ -14,6 +14,7 @@ TEST_DOMAIN_FAIL="dnssec-failed.org"
 
 INSECURE_ZONES=
 USE_FORWARDERS=1
+ENABLE_SAFE_SEARCH=off
 
 # Cache any local zones for 60 seconds
 LOCAL_TTL=60
@@ -481,6 +482,234 @@ fix_time_if_dns_fail() {
 	fi
 }
 
+# Sets up Safe Search for various search engines
+write_safe_search_conf() {
+	local google_tlds=(
+		google.ad
+		google.ae
+		google.al
+		google.am
+		google.as
+		google.at
+		google.az
+		google.ba
+		google.be
+		google.bf
+		google.bg
+		google.bi
+		google.bj
+		google.bs
+		google.bt
+		google.by
+		google.ca
+		google.cat
+		google.cd
+		google.cf
+		google.cg
+		google.ch
+		google.ci
+		google.cl
+		google.cm
+		google.cn
+		google.co.ao
+		google.co.bw
+		google.co.ck
+		google.co.cr
+		google.co.id
+		google.co.il
+		google.co.in
+		google.co.jp
+		google.co.ke
+		google.co.kr
+		google.co.ls
+		google.com
+		google.co.ma
+		google.com.af
+		google.com.ag
+		google.com.ai
+		google.com.ar
+		google.com.au
+		google.com.bd
+		google.com.bh
+		google.com.bn
+		google.com.bo
+		google.com.br
+		google.com.bz
+		google.com.co
+		google.com.cu
+		google.com.cy
+		google.com.do
+		google.com.ec
+		google.com.eg
+		google.com.et
+		google.com.fj
+		google.com.gh
+		google.com.gi
+		google.com.gt
+		google.com.hk
+		google.com.jm
+		google.com.kh
+		google.com.kw
+		google.com.lb
+		google.com.ly
+		google.com.mm
+		google.com.mt
+		google.com.mx
+		google.com.my
+		google.com.na
+		google.com.nf
+		google.com.ng
+		google.com.ni
+		google.com.np
+		google.com.om
+		google.com.pa
+		google.com.pe
+		google.com.pg
+		google.com.ph
+		google.com.pk
+		google.com.pr
+		google.com.py
+		google.com.qa
+		google.com.sa
+		google.com.sb
+		google.com.sg
+		google.com.sl
+		google.com.sv
+		google.com.tj
+		google.com.tr
+		google.com.tw
+		google.com.ua
+		google.com.uy
+		google.com.vc
+		google.com.vn
+		google.co.mz
+		google.co.nz
+		google.co.th
+		google.co.tz
+		google.co.ug
+		google.co.uk
+		google.co.uz
+		google.co.ve
+		google.co.vi
+		google.co.za
+		google.co.zm
+		google.co.zw
+		google.cv
+		google.cz
+		google.de
+		google.dj
+		google.dk
+		google.dm
+		google.dz
+		google.ee
+		google.es
+		google.fi
+		google.fm
+		google.fr
+		google.ga
+		google.ge
+		google.gg
+		google.gl
+		google.gm
+		google.gp
+		google.gr
+		google.gy
+		google.hn
+		google.hr
+		google.ht
+		google.hu
+		google.ie
+		google.im
+		google.iq
+		google.is
+		google.it
+		google.je
+		google.jo
+		google.kg
+		google.ki
+		google.kz
+		google.la
+		google.li
+		google.lk
+		google.lt
+		google.lu
+		google.lv
+		google.md
+		google.me
+		google.mg
+		google.mk
+		google.ml
+		google.mn
+		google.ms
+		google.mu
+		google.mv
+		google.mw
+		google.ne
+		google.nl
+		google.no
+		google.nr
+		google.nu
+		google.pl
+		google.pn
+		google.ps
+		google.pt
+		google.ro
+		google.rs
+		google.ru
+		google.rw
+		google.sc
+		google.se
+		google.sh
+		google.si
+		google.sk
+		google.sm
+		google.sn
+		google.so
+		google.sr
+		google.st
+		google.td
+		google.tg
+		google.tk
+		google.tl
+		google.tm
+		google.tn
+		google.to
+		google.tt
+		google.vg
+		google.vu
+		google.ws
+	)
+
+	(
+		# Nothing to do if safe search is not enabled
+		if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
+			exit 0
+		fi
+
+		# This all belongs into the server: section
+		echo "server:"
+
+		# Bing
+		echo "	local-zone: bing.com transparent"
+		echo "	local-data: \"www.bing.com CNAME strict.bing.com.\""
+
+		# DuckDuckGo
+		echo "	local-zone: duckduckgo.com transparent"
+		echo "	local-data: \"duckduckgo.com CNAME safe.duckduckgo.com.\""
+
+		# Google
+		local domain
+		for domain in ${google_tlds[@]}; do
+			echo "	local-zone: ${domain} transparent"
+			echo "	local-data: \"www.${domain} CNAME forcesafesearch.google.com.\""
+		done
+
+		# Yandex
+		echo "	local-zone: yandex.ru transparent"
+		echo "	local-data: \"yandex.ru A 213.180.193.56\""
+	) > /etc/unbound/safe-search.conf
+}
+
 case "$1" in
 	start)
 		# Print a nicer messagen when unbound is already running
@@ -494,6 +723,7 @@ case "$1" in
 		# Update configuration files
 		write_tuning_conf
 		write_forward_conf
+		write_safe_search_conf
 
 		boot_mesg "Starting Unbound DNS Proxy..."
 		loadproc /usr/sbin/unbound || exit $?