unbound: Configure Safe Search dynamically

The safe search code relied on working DNS resolution, but
was executed before unbound was even started and no network
was brought up.

That resulted in no records being created and nothing being
filtered.

This will now set/reset safe search when the system connects
to the Internet.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

config/rootfiles/common/aarch64/initscripts

@@ -51,6 +51,7 @@ etc/rc.d/init.d/networking/red.down/99-beep
 #etc/rc.d/init.d/networking/red.up
 etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
 etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
+etc/rc.d/init.d/networking/red.up/06-safe-search
 etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/10-static-routes

config/rootfiles/common/armv5tel/initscripts

@@ -51,6 +51,7 @@ etc/rc.d/init.d/networking/red.down/99-beep
 #etc/rc.d/init.d/networking/red.up
 etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
 etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
+etc/rc.d/init.d/networking/red.up/06-safe-search
 etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/10-static-routes

config/rootfiles/common/i586/initscripts

@@ -51,6 +51,7 @@ etc/rc.d/init.d/networking/red.down/99-beep
 #etc/rc.d/init.d/networking/red.up
 etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
 etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
+etc/rc.d/init.d/networking/red.up/06-safe-search
 etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/10-static-routes

config/rootfiles/common/x86_64/initscripts

@@ -51,6 +51,7 @@ etc/rc.d/init.d/networking/red.down/99-beep
 #etc/rc.d/init.d/networking/red.up
 etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
 etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
+etc/rc.d/init.d/networking/red.up/06-safe-search
 etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/10-static-routes

src/initscripts/networking/red.up/06-safe-search

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+exec /etc/init.d/unbound update-safe-search

src/initscripts/system/unbound

@@ -549,7 +549,7 @@ resolve() {
 }
 
 # Sets up Safe Search for various search engines
-write_safe_search_conf() {
+update_safe_search() {
 	local google_tlds=(
 		google.ad
 		google.ae
@@ -746,51 +746,59 @@ write_safe_search_conf() {
 		google.ws
 	)
 
-	(
+	# Cleanup previous settings
-		# Nothing to do if safe search is not enabled
+	unbound-control local_zone_remove "bing.com" >/dev/null
-		if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
+	unbound-control local_zone_remove "duckduckgo.com" >/dev/null
-			exit 0
+	unbound-control local_zone_remove "yandex.com" >/dev/null
-		fi
+	unbound-control local_zone_remove "yandex.ru" >/dev/null
+	unbound-control local_zone_remove "youtube.com" >/dev/null
 
-		# This all belongs into the server: section
+	local domain
-		echo "server:"
+	for domain in ${google_tlds[@]}; do
+		unbound-control local_zone_remove "${domain}"
+	done >/dev/null
 
-		# Bing
+	# Nothing to do if safe search is not enabled
-		echo "	local-zone: bing.com transparent"
+	if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
-		for address in $(resolve "strict.bing.com"); do
+		return 0
-			echo "	local-data: \"www.bing.com ${LOCAL_TTL} IN A ${address}\""
+	fi
-		done
 
-		# DuckDuckGo
+	# Bing
-		echo "	local-zone: duckduckgo.com typetransparent"
+	unbound-control bing.com transparent >/dev/null
-		for address in $(resolve "safe.duckduckgo.com"); do
+	for address in $(resolve "strict.bing.com"); do
-			echo "	local-data: \"duckduckgo.com ${LOCAL_TTL} IN A ${address}\""
+		unbound-control local_data "www.bing.com ${LOCAL_TTL} IN A ${address}"
-		done
+	done >/dev/null
 
-		# Google
+	# DuckDuckGo
-		addresses="$(resolve "forcesafesearch.google.com")"
+	unbound-control local_zone duckduckgo.com typetransparent >/dev/null
-		local domain
+	for address in $(resolve "safe.duckduckgo.com"); do
-		for domain in ${google_tlds[@]}; do
+		unbound-control local_data "duckduckgo.com ${LOCAL_TTL} IN A ${address}"
-			echo "	local-zone: ${domain} transparent"
+	done >/dev/null
-			for address in ${addresses}; do
-				echo "	local-data: \"www.${domain} ${LOCAL_TTL} IN A ${address}\""
-			done
-		done
 
-		# Yandex
+	# Google
-		for domain in yandex.com yandex.ru; do
+	local addresses="$(resolve "forcesafesearch.google.com")"
-			echo "	local-zone: ${domain} typetransparent"
+	for domain in ${google_tlds[@]}; do
-			for address in $(resolve "familysearch.${domain}"); do
+		unbound-control local_zone "${domain}" transparent >/dev/null
-				echo "	local-data: \"${domain} ${LOCAL_TTL} IN A ${address}\""
+		for address in ${addresses}; do
-			done
+			unbound-control local_data: "www.${domain} ${LOCAL_TTL} IN A ${address}"
-		done
+		done >/dev/null
+	done
 
-		# YouTube
+	# Yandex
-		echo "	local-zone: youtube.com transparent"
+	for domain in yandex.com yandex.ru; do
-		for address in $(resolve "restrictmoderate.youtube.com"); do
+		unbound-control local_zone "${domain}" typetransparent >/dev/null
-			echo "	local-data: \"www.youtube.com ${LOCAL_TTL} IN A ${address}\""
+		for address in $(resolve "familysearch.${domain}"); do
-		done
+			unbound-control local_data "${domain} ${LOCAL_TTL} IN A ${address}"
-	) > /etc/unbound/safe-search.conf
+		done >/dev/null
+	done
+
+	# YouTube
+	unbound-control local_zone youtube.com transparent >/dev/null
+	for address in $(resolve "restrictmoderate.youtube.com"); do
+		unbound-control local_data "www.youtube.com ${LOCAL_TTL} IN A ${address}"
+	done >/dev/null
+
+	return 0
 }
 
 case "$1" in
@@ -806,7 +814,6 @@ case "$1" in
 		# Update configuration files
 		write_tuning_conf
 		write_forward_conf
-		write_safe_search_conf
 
 		boot_mesg "Starting Unbound DNS Proxy..."
 		loadproc /usr/sbin/unbound || exit $?
@@ -817,6 +824,11 @@ case "$1" in
 		# Update any known forwarding name servers
 		update_forwarders
 
+		# Install Safe Search rules when the system is already online
+		if [ -e "/var/ipfire/red/active" ]; then
+			update_safe_search
+		fi
+
 		# Update hosts
 		update_hosts
 
@@ -905,8 +917,12 @@ case "$1" in
 		resolve "${2}"
 		;;
 
+	update-safe-search)
+		update_safe_search
+		;;
+
 	*)
-		echo "Usage: $0 {start|stop|restart|status|update-forwarders|remove-forwarders|test-name-server|resolve}"
+		echo "Usage: $0 {start|stop|restart|status|update-forwarders|remove-forwarders|test-name-server|resolve|update-safe-search}"
 		exit 1
 		;;
 esac