Services: Unbound DNS: Blocklist - CNAME and A record on query fix #7815

Open
wants to merge 1 commit into
base: master

@thojo0 thojo0 commented Aug 26, 2024

With the current zone settings, Unbound returns both the A and the CNAME (to itself) record on different safe search subdomains.

Affected subdomains:

  • safe.duckduckgo.com
  • strict.bing.com
  • safesearch.pixabay.com
  • safeapi.qwant.com

This commit fixes this issue.
I also checked this against the official documentation to be as accurate as possible, so nothing else breaks again.

@AdSchellevis
Member

I don't mind merging, but can you share the documentation that you are referring to?

@thojo0
Author

thojo0 commented Feb 12, 2025

DuckDuckGo

https://duckduckgo.com/duckduckgo-help-pages/features/safe-search/

For network administrators, you can force strict safe search for everyone on your network by mapping duckduckgo.com to safe.duckduckgo.com. Mapping to safe.duckduckgo.com will guarantee that safe search is enabled for all DuckDuckGo queries on the network, and that client safe search controls are disabled.

Bing

https://support.microsoft.com/en-us/topic/blocking-adult-content-with-safesearch-or-blocking-chat-946059ed-992b-46a0-944a-28e8fb8f1814

At a network level, map www.bing.com to strict.bing.com.

Pixabay

https://pixabay.com/blog/posts/block-adult-content-on-pixabay-at-your-school-or-w-140/

Set the DNS entry for pixabay.com to be a CNAME for safesearch.pixabay.com.

Qwant

I didn't find official docs or a blog post, but because the same problem was there I used the same approach as for the other ones.

@AdSchellevis
Member

But this doesn't explain why we are changing the redirect to transparent in

local-zone: "duckduckgo.com" transparent

@thojo0
Author

thojo0 commented Feb 12, 2025

Ah sorry, I meant I checked the exact domains again.
I put the transparent zone there because of the CNAME+A record problem.

With the current zone settings, Unbound returns both the A and the CNAME (to itself) record on different safe search subdomains.

After some tests, this was the best solution to fix it and also the problem mentioned in #7301 without an explicit "whitelisting".
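
One way to check resolver answers for the symptom discussed in this thread (an owner name that carries a CNAME together with an A record, or a CNAME that points to itself), as an added example that is not part of the pull request or the project's code. The answer lines are constructed in dig's answer-section layout, the addresses are documentation-range placeholders, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample in dig "+noall +answer" layout (not captured from a real resolver).
SAMPLE = """\
safe.duckduckgo.com.   3600 IN CNAME safe.duckduckgo.com.
safe.duckduckgo.com.   3600 IN A     192.0.2.10
www.bing.com.          3600 IN CNAME strict.bing.com.
strict.bing.com.       3600 IN A     192.0.2.20
"""

# DNSSEC records are allowed next to a CNAME, so they are not counted as conflicts.
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}


def parse_answers(text):
    """Yield (owner, rtype, rdata) tuples from dig-style answer lines."""
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments and anything that is not "name ttl IN type rdata".
        if len(fields) < 5 or fields[0].startswith(";") or fields[2].upper() != "IN":
            continue
        owner = fields[0].lower().rstrip(".")
        rtype = fields[3].upper()
        rdata = " ".join(fields[4:])
        if rtype == "CNAME":
            rdata = rdata.lower().rstrip(".")
        yield owner, rtype, rdata


def find_cname_conflicts(text):
    """Return {owner: [problems]} for names whose CNAME is self-referential
    or coexists with other record types at the same owner name."""
    types = defaultdict(set)
    self_ref = set()
    for owner, rtype, rdata in parse_answers(text):
        types[owner].add(rtype)
        if rtype == "CNAME" and rdata == owner:
            self_ref.add(owner)
    findings = {}
    for owner, seen in types.items():
        problems = []
        extra = sorted(seen - ALLOWED_WITH_CNAME)
        if "CNAME" in seen and extra:
            problems.append("CNAME coexists with " + ",".join(extra))
        if owner in self_ref:
            problems.append("CNAME points to itself")
        if problems:
            findings[owner] = problems
    return findings
```

Feeding it the answer sections collected for each safe search subdomain before and after a zone change shows whether the change removed the conflicting records.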
