@thojo0 thojo0 commented Aug 26, 2024

With the current zone settings, Unbound returns both the A and the CNAME (to itself) records on different safe search subdomains.

Affected subdomains:

  • safe.duckduckgo.com
  • strict.bing.com
  • safesearch.pixabay.com
  • safeapi.qwant.com

This commit fixes this issue.
I also checked this against the official documentation to be as accurate as possible, so nothing else breaks again.

@AdSchellevis
Member

I don't mind merging, but can you share the documentation that you are referring to?

@thojo0
Author

thojo0 commented Feb 12, 2025

DuckDuckGo

https://duckduckgo.com/duckduckgo-help-pages/features/safe-search/

For network administrators, you can force strict safe search for everyone on your network by mapping duckduckgo.com to safe.duckduckgo.com. Mapping to safe.duckduckgo.com will guarantee that safe search is enabled for all DuckDuckGo queries on the network, and that client safe search controls are disabled.

Bing

https://support.microsoft.com/en-us/topic/blocking-adult-content-with-safesearch-or-blocking-chat-946059ed-992b-46a0-944a-28e8fb8f1814

At a network level, map www.bing.com to strict.bing.com.

Pixabay

https://pixabay.com/blog/posts/block-adult-content-on-pixabay-at-your-school-or-w-140/

Set the DNS entry for pixabay.com to be a CNAME for safesearch.pixabay.com.

Qwant

I didn't find official docs or a blog post, but because the same problem was there, I used the same approach as for the other ones.

@AdSchellevis
Member

but this doesn't explain why we are changing the redirect to transparent in

local-zone: "duckduckgo.com" transparent

@thojo0
Author

thojo0 commented Feb 12, 2025

Ah sorry, I meant I checked the exact domains again.
I put the transparent zone there because of the CNAME+A record problem.

With the current zone settings, Unbound returns both the A and the CNAME (to itself) records on different safe search subdomains.

After some tests, this was the best solution to fix it and also the problem mentioned in #7301 without an explicit "whitelisting".

@AdSchellevis AdSchellevis force-pushed the master branch 2 times, most recently from bfdf0d3 to 968e5f9 Compare March 3, 2025 20:25

@wetono wetono left a comment


Since I can't access duckduckgo with safesearch enabled because of the problem you described (I'm using a Windows DNS server because of AD and have the OPNsense as the upstream DNS; when the Windows DNS server caches the duckduckgo.com entry, it only gives the client the safe.duckduckgo.com CNAME safe.duckduckgo.com and not the A record, so the client can't access duckduckgo), I'm glad to see there's a pull request that fixes this! I did some testing and have two small suggestions for improvement, but otherwise it works as intended!

Co-authored-by: wetono <[email protected]>
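
The CNAME+A conflict discussed in this thread can be checked from resolver output. The following is an added example, not part of the pull request or of OPNsense: it audits `dig +noall +answer`-style lines for a CNAME that points to itself or shares an owner name with other records, and models a cache that follows the stored CNAME first. The sample answers, the 192.0.2.10 address and all function names are constructed for illustration.

```python
# Added example; sample answers are constructed (192.0.2.10 is a documentation address).
BROKEN = (  # what the thread describes: CNAME to itself plus an A record
    "safe.duckduckgo.com. 3600 IN CNAME safe.duckduckgo.com.\n"
    "safe.duckduckgo.com. 3600 IN A 192.0.2.10\n"
)
CACHED = "safe.duckduckgo.com. 3600 IN CNAME safe.duckduckgo.com.\n"  # CNAME only
FIXED = (   # assumed healthy answer: apex mapped to the safe host, A only at the target
    "duckduckgo.com. 3600 IN CNAME safe.duckduckgo.com.\n"
    "safe.duckduckgo.com. 3600 IN A 192.0.2.10\n"
)


def parse_answer(text):
    """Return (owner, type, rdata) tuples from dig-style answer lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # skip blank lines, comments and truncated lines
        owner, rtype, rdata = fields[0], fields[3], fields[4]
        records.append((owner.lower().rstrip("."), rtype.upper(), rdata.lower().rstrip(".")))
    return records


def audit(text):
    """List CNAME problems: self-reference, or a CNAME sharing its owner with other data."""
    cnames, others, findings = {}, {}, []
    for owner, rtype, rdata in parse_answer(text):
        if rtype == "CNAME":
            cnames[owner] = rdata
        else:
            others.setdefault(owner, set()).add(rtype)
    for owner, target in cnames.items():
        if target == owner:
            findings.append(f"{owner}: CNAME points to itself")
        if owner in others:
            findings.append(f"{owner}: CNAME coexists with {','.join(sorted(others[owner]))}")
    return findings


def resolve(text, qname):
    """Follow CNAMEs first, as a cache holding the CNAME would; None means loop or no address."""
    records = parse_answer(text)
    cnames = {o: d for o, t, d in records if t == "CNAME"}
    name, seen = qname.lower().rstrip("."), set()
    while name in cnames:
        if name in seen:
            return None  # CNAME loop: the address is never reached
        seen.add(name)
        name = cnames[name]
    return [d for o, t, d in records if o == name and t == "A"] or None
```

Feeding it the answer section captured from the resolver under test shows whether a downstream cache that keeps only the CNAME can still reach an address.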