opnsense
Services: Unbound DNS: Blocklist - CNAME and A record on query fix
With the current zone settings, Unbound returns both, the A and CNAME (to it self) record on different safe search subdomains.
Affected subdomains:
safe.duckduckgo.comstrict.bing.comsafesearch.pixabay.comsafeapi.qwant.com
This commit fixes this issue. I also checked this on official documentations to be as accurate as possible, so nothing else breaks again.
I don't mind merging, but can you share the documentation that you are referring to?
DuckDuckGo
https://duckduckgo.com/duckduckgo-help-pages/features/safe-search/
For network administrators, you can force strict safe search for everyone on your network by mapping duckduckgo.com to safe.duckduckgo.com. Mapping to safe.duckduckgo.com will guarantee that safe search is enabled for all DuckDuckGo queries on the network, and that client safe search controls are disabled.
Bing
https://support.microsoft.com/en-us/topic/blocking-adult-content-with-safesearch-or-blocking-chat-946059ed-992b-46a0-944a-28e8fb8f1814
At a network level, map www.bing.com to strict.bing.com.
Pixabay
https://pixabay.com/blog/posts/block-adult-content-on-pixabay-at-your-school-or-w-140/
Set the DNS entry for pixabay.com to be a CNAME for safesearch.pixabay.com.
Qwant
I didn't find an official docs/blog but because the same problem was there I used the same way like on the other ones.
but this doesn't explain why we are changing the redirect to transparent in
local-zone: "duckduckgo.com" transparent
Ah sorry, I meant I checked the exact domains again. the transparent zone I put there because of the CNAME+A record problem.
With the current zone settings, Unbound returns both, the A and CNAME (to it self) record on different safe search subdomains.
After some tests, this was the best solution to fix it and also the problem mentioned in #7301 without an explicit "whitelisting".