Unbound SafeSearchEnforcement with unbound.

[L&LD]

Unbound - SafeSearchEnforcement with unbound.

For those who want to enforce safe search with unbound..... #!/bin/sh URL="https://www.google.com/supported_domains" FILE="/etc/unbound/unbound.conf.d/safesearch.conf" #this can be where-ever your unbound config storage is. You will have to use include: option inside the main unbound.conf...

www.snbforums.com

 

[SomeWhereOverTheRainBow]

Alternatively use pi hole https://github.com/jaykepeters/PSS

Or if someone can make this into an easy addon, I would be very interested. Imagine the glory you coders

the problem with the pihole route is that it relies on persistent IP addresses and not ones that change or are different per geo-location such as the ones bing.com or duckduckgo use. The benefit of using the unbound route is that it relies strictly on redirecting the CNAME and unbound does the work of determining the IP. The draw back of relying on unbound to do this is this method is mainly only compatible if using unbound as a recursive resolver and not a forwarder to like google or cloudflare. Once unbound acts as a forwarder it sends the look ups to be handled else where.

 

[BreakingDad]

the problem with the pihole route is that it relies on persistent IP addresses and not ones that change or are different per geo-location such as the ones bing.com or duckduckgo use. The benefit of using the unbound route is that it relies strictly on redirecting the CNAME and unbound does the work of determining the IP. The draw back of relying on unbound to do this is this method is mainly only compatible if using unbound as a recursive resolver and not a forwarder to like google or cloudflare. Once unbound acts as a forwarder it sends the look ups to be handled else where.

Another option is https://github.com/AdguardTeam/AdGuardHome , which is personally what I am using now on a pi3, very easy for noobies as you just tick a box to enforce safe search, you can also block many services by means of a tick, malicious and adult sites and add as many advert lists as you desire. The code is public and the privacy policy is open.

 

[sturmstar]

Another option is https://github.com/AdguardTeam/AdGuardHome , which is personally what I am using now on a pi3

I used AdGuardHome - and I like it - but I had it on a separat device because I didn't knew how to combine it on asuswrt-merlin WITH unbound. I would like to use it directly on the router like:

DNS Query (Port 53) -> Asuswwrt-Merlin (dnsmasq) -> forward to AdguardHome (different port) -> forward to Unbound (to resolve)

Because if i advertise the router-ip to the clients - i can't specify a port - so dnsmasq should forward it to adguardhome instead to unbound and inside from adguardhome i can specify any port for unbound resolving (like 5353...)

Can you help me with that?

 

[BreakingDad]

I used AdGuardHome - and I like it - but I had it on a separat device because I didn't knew how to combine it on asuswrt-merlin WITH unbound. I would like to use it directly on the router like:

DNS Query (Port 53) -> Asuswwrt-Merlin (dnsmasq) -> forward to AdguardHome (different port) -> forward to Unbound (to resolve)

Because if i advertise the router-ip to the clients - i can't specify a port - so dnsmasq should forward it to adguardhome instead to unbound and inside from adguardhome i can specify any port for unbound resolving (like 5353...)

Can you help me with that?

As far as I am aware you cannot add Adguardhome easily to the router easily, sure it can probably be done, but I am not sure about space and cpu utilisation for it to run with everything else crammed on the router. I am aware diversion/unbound is another option but I don't want to cram more onto my already over loaded router (+ i like messing about with pi's)

The adblocking and safesearch that the clever people here seem to use is diversion and unbound with extras. I formerly used pi hole running off a raspberry pi, currently i use adguard on the same pi, as for me it is easier to configure the safe search than adding additonal scripts and code to pi hole, believe me I tried but I could not get safe search to work properly on pi-hole, wheras adblock it is so easy.

With adguard I point it to my ISP dns (so i get their family protection as well), in the router I have static ips, kid devices go to isp dns through adguard, everything else goes through quad 9.

Sorry this does not really answer your question but I am not that smart without doing a lot of research. I would assume theoretically being linux based it is possible however.

 

[SomeWhereOverTheRainBow]

As far as I am aware you cannot add Adguardhome easily to the router easily, sure it can probably be done, but I am not sure about space and cpu utilisation for it to run with everything else crammed on the router. I am aware diversion/unbound is another option but I don't want to cram more onto my already over loaded router (+ i like messing about with pi's)

The adblocking and safesearch that the clever people here seem to use is diversion and unbound with extras. I formerly used pi hole running off a raspberry pi, currently i use adguard on the same pi, as for me it is easier to configure the safe search than adding additonal scripts and code to pi hole, believe me I tried but I could not get safe search to work properly on pi-hole, wheras adblock it is so easy.

With adguard I point it to my ISP dns (so i get their family protection as well), in the router I have static ips, kid devices go to isp dns through adguard, everything else goes through quad 9.

Sorry this does not really answer your question but I am not that smart without doing a lot of research. I would assume theoretically being linux based it is possible however.

I run this script with my Pihole+Unbound configuration. I am also testing out the new Unbound Manager Beta.

 

[ugandy]

not sure if off topic, but are there other changes in beta 3.22 vs v3.21 ?

 

[SomeWhereOverTheRainBow]

not sure if off topic, but are there other changes in beta 3.22 vs v3.21 ?

completely off topic, but also a completely valid question.....

you can follow the beta commits here

Commits · MartineauUK/Unbound-Asuswrt-Merlin

Install and manage unbound (Recursive DNS) on Asus routers - Commits · MartineauUK/Unbound-Asuswrt-Merlin

github.com

but there is no change-log listing as of yet.

 

[SomeWhereOverTheRainBow]

For those who want to enforce safe search with unbound.....

#!/bin/sh

URL="https://www.google.com/supported_domains"
FILE="/etc/unbound/unbound.conf.d/safesearch.conf" #this can be where-ever your unbound config storage is. You will have to use include: option inside the main unbound.conf though.

f_nslookup() {
    local DOMAIN="$1"
    nslookup ${DOMAIN} 1.1.1.1 2>/dev/null | awk '/^Address[[:space:]][0-9]*\:[[:space:]]/{if($3 ~ /((((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\.){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)|(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:{2}(\/(1?[0-2][0-8]|[0-9][0-9]))?))/ && !/1\.1\.1\.1/)print $3}' | while read -r line; do { if [ "${line%%.*}" = "0" ] || [ -z "${line%%::*}" ]; then continue; elif [ "${line##*:}" = "${line}" ]; then printf "%s " "$line"; else printf "%s " "$line"; fi; }; done
}

printf "server:\n" > "${FILE}"
{
DOMAINS="$(curl $URL 2>/dev/null)"
for DOMAIN in $DOMAINS; do
    DOMAIN=$(printf "%s\n" "$DOMAIN" | cut -c 2-)
    printf 'local-zone: "www.%s." transparent\n' "$DOMAIN"
    printf 'local-data: "www.%s. CNAME forcesafesearch.google.com."\n' "$DOMAIN"
done
for DOMAIN in duckduckgo.com; do
    printf 'local-zone: "%s." transparent\n' "$DOMAIN"
    printf 'local-data: "%s. CNAME safe.%s."\n' "$DOMAIN" "$DOMAIN"
    printf 'local-zone: "www.%s." transparent\n' "$DOMAIN"
    printf 'local-data: "www.%s. CNAME safe.%s."\n' "$DOMAIN" "$DOMAIN"
    printf 'local-zone: "start.%s." transparent\n' "$DOMAIN"
    printf 'local-data: "start.%s. CNAME safe.%s."\n' "$DOMAIN" "$DOMAIN"
    printf 'local-zone: "duck.com." transparent\n'
    printf 'local-data: "duck.com. CNAME safe.%s." \n' "$DOMAIN"
    printf 'local-zone: "www.duck.com." transparent\n'
    printf 'local-data: "www.duck.com. CNAME safe.%s."\n' "$DOMAIN"
done
for DOMAIN in bing.com; do
    printf 'local-zone: "%s." transparent\n' "$DOMAIN"
    printf 'local-data: "%s. CNAME strict.%s."\n' "$DOMAIN" "$DOMAIN"
    printf 'local-zone: "www.%s." transparent\n' "$DOMAIN"
    printf 'local-data: "www.%s. CNAME strict.%s."\n' "$DOMAIN" "$DOMAIN"
done
for DOMAIN in qwant.com; do
    printf 'local-zone: "api.%s." transparent\n' "$DOMAIN"
    printf 'local-data: "api.%s. CNAME safeapi.%s."\n' "$DOMAIN" "$DOMAIN"
    printf 'local-zone: "www.%s." transparent\n' "$DOMAIN"
    printf 'local-data: "www.%s. CNAME safeapi.%s."\n' "$DOMAIN" "$DOMAIN"
    printf 'local-zone: "%s." transparent\n' "$DOMAIN"
    printf 'local-data: "%s. CNAME safeapi.%s."\n' "$DOMAIN" "$DOMAIN"
    printf 'local-zone: "s1.%s." transparent\n' "$DOMAIN"
    printf 'local-data: "s1.%s. CNAME safeapi.%s."\n' "$DOMAIN" "$DOMAIN"
    printf 'local-zone: "s2.%s." transparent\n' "$DOMAIN"
    printf 'local-data: "s2.%s. CNAME safeapi.%s."\n' "$DOMAIN" "$DOMAIN"
done
for DOMAIN in pixabay.com; do
    printf 'local-zone: "%s." transparent\n' "$DOMAIN"
    printf 'local-data: "%s. CNAME safesearch.%s."\n' "$DOMAIN" "$DOMAIN"
done
for DOMAIN in youtube; do
    printf 'local-zone: "www.%s.com." transparent\n' "$DOMAIN"
    printf 'local-data: "www.%s.com. CNAME restrictmoderate.%s.com."\n' "$DOMAIN" "$DOMAIN"
    printf 'local-zone: "m.%s.com." transparent\n' "$DOMAIN"
    printf 'local-data: "m.%s.com. CNAME restrictmoderate.%s.com."\n' "$DOMAIN" "$DOMAIN"
    printf 'local-zone: "%si.googleapis.com." transparent\n' "$DOMAIN"
    printf 'local-data: "%si.googleapis.com. CNAME restrictmoderate.%s.com."\n' "$DOMAIN" "$DOMAIN"
    printf 'local-zone: "%s.googleapis.com." transparent\n' "$DOMAIN"
    printf 'local-data: "%s.googleapis.com. CNAME restrictmoderate.%s.com."\n' "$DOMAIN" "$DOMAIN"
    printf 'local-zone: "www.%s-nocookie.com." transparent\n' "$DOMAIN"
    printf 'local-data: "www.%s-nocookie.com. CNAME restrictmoderate.%s.com."\n' "$DOMAIN" "$DOMAIN"
done
for YANDEX in com ru ua by kz; do
    printf 'local-zone: "yandex.%s." transparent\n' "$YANDEX"
    printf 'local-data: "yandex.%s. CNAME familysearch.yandex.ru."\n' "$YANDEX"
    printf 'local-zone: "www.yandex.%s." transparent\n' "$YANDEX"
    printf 'local-data: "www.yandex.%s. CNAME familysearch.yandex.ru."\n' "$YANDEX"
done
for DOMAIN in forcesafesearch.google.com safe.duckduckgo.com restrictmoderate.youtube.com strict.bing.com safesearch.pixabay.com safeapi.qwant.com familysearch.yandex.ru; do
    for IPS in $(f_nslookup $DOMAIN); do
        if [ "$DOMAIN" = "forcesafesearch.google.com" ]; then
            if [ "${IPS##*:}" = "${IPS}" ]; then
                printf "%s\n" 'local-data: "'${DOMAIN}'. A '${IPS}'"'
                printf "%s\n" 'local-data: "'${DOMAIN}'. AAAA ::ffff:'${IPS}'"'
                printf "%s\n" 'local-data: "restrict.youtube.com. A '${IPS}'"'
                printf "%s\n" 'local-data: "restrict.youtube.com. AAAA ::ffff:'${IPS}'"'
            else
                printf "%s\n" 'local-data: "'${DOMAIN}'. AAAA '${IPS}'"'
                printf "%s\n" 'local-data: "restrict.youtube.com. AAAA '${IPS}'"'
            fi
        else
            if [ "${IPS##*:}" = "${IPS}" ]; then
                printf "%s\n" 'local-data: "'${DOMAIN}'. A '${IPS}'"'
                printf "%s\n" 'local-data: "'${DOMAIN}'. AAAA ::ffff:'${IPS}'"'
            else
                printf "%s\n" 'local-data: "'${DOMAIN}'. AAAA '${IPS}'"'
            fi
        fi
    done
done
} >> "${FILE}"

Not that this is a very popular mini-script on the market, but I just wanted to notify unbound_manager users that might use this script that I submitted changes to the original post, and submitted a pull request to @Martineau with the necessary changes. These changes ensures the script follows proper unbound syntax and logic which will allow safe-search to be optimal. The current changes should improve the overall desired outcome.

Update unbound_SafeSearch.sh by jumpsmm7 · Pull Request #26 · MartineauUK/Unbound-Asuswrt-Merlin

make that safe search script 100 percent compliant with unbound guide. overall this improvement fixes syntax, and makes safe-search script more robust.

github.com