8000 Services: Unbound DNS: Blocklist - CNAME and A record on query fix by thojo0 · Pull Request #7815 · opnsense/core · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Services: Unbound DNS: Blocklist - CNAME and A record on query fix #7815

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Services: Unbound DNS: Blocklist - CNAME and A record on query fix #7815

wants to merge 3 commits into from

Conversation

thojo0
Copy link
@thojo0 thojo0 commented Aug 26, 2024
edited
Loading

With the current zone settings, Unbound returns both, the A and CNAME (to it self) record on different safe search subdomains.

Affected subdomains:

  • safe.duckduckgo.com
  • strict.bing.com
  • safesearch.pixabay.com
  • safeapi.qwant.com

This commit fixes this issue.
I also checked this on official documentations to be as ac 8000 curate as possible, so nothing else breaks again.

@AdSchellevis AdSchellevis force-pushed the master branch 5 times, most recently from 6586a65 to 607e32a Compare December 3, 2024 15:53
@AdSchellevis
Copy link
Member

I don't mind merging, but can you share the documentation that you are referring to?

@thojo0
Copy link
Author
thojo0 commented Feb 12, 2025

DuckDuckGo

https://duckduckgo.com/duckduckgo-help-pages/features/safe-search/

For network administrators, you can force strict safe search for everyone on your network by mapping duckduckgo.com to safe.duckduckgo.com. Mapping to safe.duckduckgo.com will guarantee that safe search is enabled for all DuckDuckGo queries on the network, and that client safe search controls are disabled.

Bing

https://support.microsoft.com/en-us/topic/blocking-adult-content-with-safesearch-or-blocking-chat-946059ed-992b-46a0-944a-28e8fb8f1814

At a network level, map www.bing.com to strict.bing.com.

Pixabay

https://pixabay.com/blog/posts/block-adult-content-on-pixabay-at-your-school-or-w-140/

Set the DNS entry for pixabay.com to be a CNAME for safesearch.pixabay.com.

Qwant

I didn't find an official docs/blog but because the same problem was there I used the same way like on the other ones.

@AdSchellevis
Copy link
Member

but this doesn't explain why we are changing the redirect to transparent in

local-zone: "duckduckgo.com" transparent

@thojo0
Copy link
Author
thojo0 commented Feb 12, 2025
edited
Loading

Ah sorry, I meant I checked the exact domains again.
the transparent zone I put there because of the CNAME+A record problem.

With the current zone settings, Unbound returns both, the A and CNAME (to it self) record on different safe search subdomains.

After some tests, this was the best solution to fix it and also the problem mentioned in #7301 without an explicit "whitelisting".

@AdSchellevis AdSchellevis force-pushed the master branch 2 times, most recently from bfdf0d3 to 968e5f9 Compare March 3, 2025 20:25
wetono
wetono suggested changes Apr 11, 2025
View reviewed changes
Copy link
@wetono wetono left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since I can't access duckduckgo with safesearch enabled because of the problem you described (I'm using a Windows DNS server because of AD and have the OPNsense as the upstreams DNS, when the Windows DNS server caches the duckduckgo.com entry it only gives the client the safe.duckduckgo.com CNAME safe.duckduckgo.com and not the A-Record, so the client can't access duckduckgo), I'm glad to see there's a pull request that fixes this! I did some testing and have two small suggestions for improvement, but otherwise it works as intended!

@thojo0 @wetono
remove duck.com
6dcf10d 
Co-authored-by: wetono <info@janosch-weber.de>
@thojo0 @wetono
remove qwant -> not working
63368d4 
Co-authored-by: wetono <info@janosch-weber.de>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wetono wetono wetono requested changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@thojo0 @AdSchellevis @wetono
0