Unbound: blocklists: add SafeSearch option

plist

@@ -1126,6 +1126,7 @@
 /usr/local/opnsense/service/templates/OPNsense/Unbound/core/dot.conf
 /usr/local/opnsense/service/templates/OPNsense/Unbound/core/private_domains.conf
 /usr/local/opnsense/service/templates/OPNsense/Unbound/core/root.min.hints
+/usr/local/opnsense/service/templates/OPNsense/Unbound/core/safesearch.conf
 /usr/local/opnsense/service/templates/OPNsense/Unbound/core/unbound_dhcpd.conf
 /usr/local/opnsense/service/templates/OPNsense/WebGui/+TARGETS
 /usr/local/opnsense/service/templates/OPNsense/WebGui/etc.php.ini

src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dnsbl.xml

@@ -5,6 +5,13 @@
         <type>checkbox</type>
         <help>Enable the usage of DNS blocklists.</help>
     </field>
+    <field>
+        <id>unbound.dnsbl.safesearch</id>
+        <label>Enable SafeSearch</label>
+        <type>checkbox</type>
+        <style>safesearch</style>
+        <help>Enable the usage of SafeSearch on Google, DuckDuckGo, Bing, Qwant, PixaBay and YouTube</help>
+    </field>
     <field>
         <id>unbound.dnsbl.type</id>
         <label>Type of DNSBL</label>

src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml

@@ -108,6 +108,10 @@
                 <default>0</default>
                 <Required>Y</Required>
             </enabled>
+            <safesearch type="BooleanField">
+                <default>0</default>
+                <Required>N</Required>
+            </safesearch>
             <type type="OptionField">
                 <Required>N</Required>
                 <Multiple>Y</Multiple>

src/opnsense/mvc/app/views/OPNsense/Unbound/dnsbl.volt

@@ -28,16 +28,27 @@
 <script>
    $(document).ready(function() {
        var data_get_map = {'frm_dnsbl_settings':"/api/unbound/settings/get"};
+       let init_state = null;
        mapDataToFormUI(data_get_map).done(function(data){
            formatTokenizersUI();
            $('.selectpicker').selectpicker('refresh');
+           init_state = $('.safesearch').is(':checked');
        });
 
        $("#saveAct").SimpleActionButton({
           onPreAction: function() {
               const dfObj = new $.Deferred();
+              let safesearch_changed = !($('.safesearch').is(':checked') == init_state);
+              init_state = $('.safesearch').is(':checked');
               saveFormToEndpoint("/api/unbound/settings/set", 'frm_dnsbl_settings', function(){
-                  dfObj.resolve();
+                  if (safesearch_changed) {
+                      /* Restart Unbound and apply the DNSBL after it has finished */
+                      ajaxCall('/api/unbound/service/reconfigure', {}, function(data,status) {
+                          dfObj.resolve();
+                      });
+                  } else {
+                      dfObj.resolve();
+                  }
               });
               return dfObj;
           }

src/opnsense/service/templates/OPNsense/Unbound/core/+TARGETS

@@ -1,5 +1,6 @@
 advanced.conf:/var/unbound/advanced.conf
 blocklists.conf:/tmp/unbound-blocklists.conf
+safesearch.conf:/usr/local/etc/unbound.opnsense.d/safesearch.conf
 dot.conf:/usr/local/etc/unbound.opnsense.d/dot.conf
 private_domains.conf:/var/unbound/private_domains.conf
 domainoverrides.conf:/usr/local/etc/unbound.opnsense.d/domainoverrides.conf

src/opnsense/service/templates/OPNsense/Unbound/core/safesearch.conf

@@ -0,0 +1,90 @@
+{%
+    set google_domains = [
+        "google.com","google.ad","google.ae","google.com.af","google.com.ag",
+        "google.com.ai","google.al","google.am","google.co.ao",
+        "google.com.ar","google.as","google.at","google.com.au",
+        "google.az","google.ba","google.com.bd","google.be",
+        "google.bf","google.bg","google.com.bh","google.bi",
+        "google.bj","google.com.bn","google.com.bo","google.com.br",
+        "google.bs","google.bt","google.co.bw","google.by",
+        "google.com.bz","google.ca","google.cd","google.cf",
+        "google.cg","google.ch","google.ci","google.co.ck",
+        "google.cl","google.cm","google.cn","google.com.co",
+        "google.co.cr","google.com.cu","google.cv","google.com.cy",
+        "google.cz","google.de","google.dj","google.dk",
+        "google.dm","google.com.do","google.dz","google.com.ec",
+        "google.ee","google.com.eg","google.es","google.com.et",
+        "google.fi","google.com.fj","google.fm","google.fr",
+        "google.ga","google.ge","google.gg","google.com.gh",
+        "google.com.gi","google.gl","google.gm","google.gr",
+        "google.com.gt","google.gy","google.com.hk","google.hn",
+        "google.hr","google.ht","google.hu","google.co.id",
+        "google.ie","google.co.il","google.im","google.co.in",
+        "google.iq","google.is","google.it","google.je",
+        "google.com.jm","google.jo","google.co.jp","google.co.ke",
+        "google.com.kh","google.ki","google.kg","google.co.kr",
+        "google.com.kw","google.kz","google.la","google.com.lb",
+        "google.li","google.lk","google.co.ls","google.lt",
+        "google.lu","google.lv","google.com.ly","google.co.ma",
+        "google.md","google.me","google.mg","google.mk",
+        "google.ml","google.com.mm","google.mn","google.ms",
+        "google.com.mt","google.mu","google.mv","google.mw",
+        "google.com.mx","google.com.my","google.co.mz","google.com.na",
+        "google.com.ng","google.com.ni","google.ne","google.nl",
+        "google.no","google.com.np","google.nr","google.nu",
+        "google.co.nz","google.com.om","google.com.pa","google.com.pe",
+        "google.com.pg","google.com.ph","google.com.pk","google.pl",
+        "google.pn","google.com.pr","google.ps","google.pt",
+        "google.com.py","google.com.qa","google.ro","google.ru",
+        "google.rw","google.com.sa","google.com.sb","google.sc",
+        "google.se","google.com.sg","google.sh","google.si",
+        "google.sk","google.com.sl","google.sn","google.so",
+        "google.sm","google.sr","google.st","google.com.sv",
+        "google.td","google.tg","google.co.th","google.com.tj",
+        "google.tl","google.tm","google.tn","google.to",
+        "google.com.tr","google.tt","google.com.tw","google.co.tz",
+        "google.com.ua","google.co.ug","google.co.uk","google.com.uy",
+        "google.co.uz","google.com.vc","google.co.ve","google.vg",
+        "google.co.vi","google.com.vn","google.vu","google.ws",
+        "google.rs","google.co.za","google.co.zm","google.co.zw",
+        "google.cat"
+    ]
+%}
+{% if not helpers.empty('OPNsense.unboundplus.dnsbl.safesearch') %}
+server:
+# Google. TLDs are fetched from https://www.google.com/supported_domains.
+{%   for domain in google_domains %}
+local-zone: "www.{{ domain }}" redirect
+local-data: "www.{{ domain }} CNAME forcesafesearch.google.com"
+{%   endfor%}
+
+# DuckDuckGo
+local-zone: "duckduckgo.com" redirect
+local-data: "duckduckgo.com CNAME safe.duckduckgo.com"
+local-zone: "duck.com" redirect
+local-data: "duck.com CNAME safe.duckduckgo.com"
+
+# Bing
+local-zone: "bing.com" redirect
+local-data: "bing.com CNAME strict.bing.com"
+
+# YouTube
+local-zone: "www.youtube.com" redirect
+local-data: "www.youtube.com CNAME restrictmoderate.youtube.com"
+local-zone: "m.youtube.com" redirect
+local-data: "m.youtube.com CNAME restrictmoderate.youtube.com"
+local-zone: "youtubei.googleapis.com" redirect
+local-data: "youtubei.googleapis.com CNAME restrictmoderate.youtube.com"
+local-zone: "youtube.googleapis.com" redirect
+local-data: "youtube.googleapis.com CNAME restrictmoderate.youtube.com"
+local-zone: "www.youtube-nocookie.com" redirect
+local-data: "www.youtube-nocookie.com CNAME restrictmoderate.youtube.com"
+
+# Pixabay
+local-zone: "pixabay.com" redirect
+local-data: "pixabay.com CNAME safesearch.pixabay.com"
+
+# Qwant
+local-zone: "qwant.com" redirect
+local-data: "qwant.com CNAME safeapi.qwant.com"
+{% endif %}