unbound: Configure Safe Search dynamically

The safe search code relied on working DNS resolution, but was executed before unbound was even started and no network was brought up. That resulted in no records being created and nothing being filtered. This will now set/reset safe search when the system connects to the Internet. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2026-04-09 18:45:54 +02:00 · 2019-12-09 23:36:59 +00:00
parent 1ec1e499d0
commit d7190078ce
6 changed files with 65 additions and 42 deletions
--- a/config/rootfiles/common/aarch64/initscripts
+++ b/config/rootfiles/common/aarch64/initscripts
@@ -51,6 +51,7 @@ etc/rc.d/init.d/networking/red.down/99-beep
 #etc/rc.d/init.d/networking/red.up
 etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
 etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
+etc/rc.d/init.d/networking/red.up/06-safe-search
 etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/10-static-routes
--- a/config/rootfiles/common/armv5tel/initscripts
+++ b/config/rootfiles/common/armv5tel/initscripts
@@ -51,6 +51,7 @@ etc/rc.d/init.d/networking/red.down/99-beep
 #etc/rc.d/init.d/networking/red.up
 etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
 etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
+etc/rc.d/init.d/networking/red.up/06-safe-search
 etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/10-static-routes
--- a/config/rootfiles/common/i586/initscripts
+++ b/config/rootfiles/common/i586/initscripts
@@ -51,6 +51,7 @@ etc/rc.d/init.d/networking/red.down/99-beep
 #etc/rc.d/init.d/networking/red.up
 etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
 etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
+etc/rc.d/init.d/networking/red.up/06-safe-search
 etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/10-static-routes
--- a/config/rootfiles/common/x86_64/initscripts
+++ b/config/rootfiles/common/x86_64/initscripts
@@ -51,6 +51,7 @@ etc/rc.d/init.d/networking/red.down/99-beep
 #etc/rc.d/init.d/networking/red.up
 etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
 etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
+etc/rc.d/init.d/networking/red.up/06-safe-search
 etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/10-static-routes
--- a/src/initscripts/networking/red.up/06-safe-search
+++ b/src/initscripts/networking/red.up/06-safe-search
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+exec /etc/init.d/unbound update-safe-search
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -549,7 +549,7 @@ resolve() {
 }

 # Sets up Safe Search for various search engines
-write_safe_search_conf() {
+update_safe_search() {
 	local google_tlds=(
 		google.ad
 		google.ae
@@ -746,51 +746,59 @@ write_safe_search_conf() {
 		google.ws
 	)

-	(
-		# Nothing to do if safe search is not enabled
-		if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
-			exit 0
-		fi
+	# Cleanup previous settings
+	unbound-control local_zone_remove "bing.com" >/dev/null
+	unbound-control local_zone_remove "duckduckgo.com" >/dev/null
+	unbound-control local_zone_remove "yandex.com" >/dev/null
+	unbound-control local_zone_remove "yandex.ru" >/dev/null
+	unbound-control local_zone_remove "youtube.com" >/dev/null

-		# This all belongs into the server: section
-		echo "server:"
+	local domain
+	for domain in ${google_tlds[@]}; do
+		unbound-control local_zone_remove "${domain}"
+	done >/dev/null

-		# Bing
-		echo "	local-zone: bing.com transparent"
-		for address in $(resolve "strict.bing.com"); do
-			echo "	local-data: \"www.bing.com ${LOCAL_TTL} IN A ${address}\""
-		done
+	# Nothing to do if safe search is not enabled
+	if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
+		return 0
+	fi

-		# DuckDuckGo
-		echo "	local-zone: duckduckgo.com typetransparent"
-		for address in $(resolve "safe.duckduckgo.com"); do
-			echo "	local-data: \"duckduckgo.com ${LOCAL_TTL} IN A ${address}\""
-		done
+	# Bing
+	unbound-control bing.com transparent >/dev/null
+	for address in $(resolve "strict.bing.com"); do
+		unbound-control local_data "www.bing.com ${LOCAL_TTL} IN A ${address}"
+	done >/dev/null

-		# Google
-		addresses="$(resolve "forcesafesearch.google.com")"
-		local domain
-		for domain in ${google_tlds[@]}; do
-			echo "	local-zone: ${domain} transparent"
-			for address in ${addresses}; do
-				echo "	local-data: \"www.${domain} ${LOCAL_TTL} IN A ${address}\""
-			done
-		done
+	# DuckDuckGo
+	unbound-control local_zone duckduckgo.com typetransparent >/dev/null
+	for address in $(resolve "safe.duckduckgo.com"); do
+		unbound-control local_data "duckduckgo.com ${LOCAL_TTL} IN A ${address}"
+	done >/dev/null

-		# Yandex
-		for domain in yandex.com yandex.ru; do
-			echo "	local-zone: ${domain} typetransparent"
-			for address in $(resolve "familysearch.${domain}"); do
-				echo "	local-data: \"${domain} ${LOCAL_TTL} IN A ${address}\""
-			done
-		done
+	# Google
+	local addresses="$(resolve "forcesafesearch.google.com")"
+	for domain in ${google_tlds[@]}; do
+		unbound-control local_zone "${domain}" transparent >/dev/null
+		for address in ${addresses}; do
+			unbound-control local_data: "www.${domain} ${LOCAL_TTL} IN A ${address}"
+		done >/dev/null
+	done

-		# YouTube
-		echo "	local-zone: youtube.com transparent"
-		for address in $(resolve "restrictmoderate.youtube.com"); do
-			echo "	local-data: \"www.youtube.com ${LOCAL_TTL} IN A ${address}\""
-		done
-	) > /etc/unbound/safe-search.conf
+	# Yandex
+	for domain in yandex.com yandex.ru; do
+		unbound-control local_zone "${domain}" typetransparent >/dev/null
+		for address in $(resolve "familysearch.${domain}"); do
+			unbound-control local_data "${domain} ${LOCAL_TTL} IN A ${address}"
+		done >/dev/null
+	done
+
+	# YouTube
+	unbound-control local_zone youtube.com transparent >/dev/null
+	for address in $(resolve "restrictmoderate.youtube.com"); do
+		unbound-control local_data "www.youtube.com ${LOCAL_TTL} IN A ${address}"
+	done >/dev/null
+
+	return 0
 }

 case "$1" in
@@ -806,7 +814,6 @@ case "$1" in
 		# Update configuration files
 		write_tuning_conf
 		write_forward_conf
-		write_safe_search_conf

 		boot_mesg "Starting Unbound DNS Proxy..."
 		loadproc /usr/sbin/unbound || exit $?
@@ -817,6 +824,11 @@ case "$1" in
 		# Update any known forwarding name servers
 		update_forwarders

+		# Install Safe Search rules when the system is already online
+		if [ -e "/var/ipfire/red/active" ]; then
+			update_safe_search
+		fi
+
 		# Update hosts
 		update_hosts

@@ -905,8 +917,12 @@ case "$1" in
 		resolve "${2}"
 		;;

+	update-safe-search)
+		update_safe_search
+		;;
+
 	*)
-		echo "Usage: $0 {start|stop|restart|status|update-forwarders|remove-forwarders|test-name-server|resolve}"
+		echo "Usage: $0 {start|stop|restart|status|update-forwarders|remove-forwarders|test-name-server|resolve|update-safe-search}"
 		exit 1
 		;;
 esac