author | Gregory L. Dietsche <gregory.dietsche@cuw.edu> | 2020-04-06 12:09:08 -0500 |
committer | Gregory L. Dietsche <gregory.dietsche@cuw.edu> | 2020-04-11 23:20:47 -0500 |
commit | ee6400c9528116768491702a1b6e32b91a198890 (patch) | |
tree | 0c513bf99871e2123c8ffc8841f06491a53c8fbd /net/family-dns/files | |
parent | cd79e9288576d5cf46455171d9b1b3374e90cd6d (diff) |
family-dns: add new package
Signed-off-by: Gregory L. Dietsche <gregory.dietsche@cuw.edu>
Diffstat (limited to 'net/family-dns/files')
-rw-r--r-- | net/family-dns/files/family-dns-update | 95 | ||||
-rw-r--r-- | net/family-dns/files/family-dns.conf | 14 | ||||
-rw-r--r-- | net/family-dns/files/family-dns.uci-defaults | 9 | ||||
-rwxr-xr-x | net/family-dns/files/test-family-dns | 124 |
4 files changed, 242 insertions, 0 deletions
diff --git a/net/family-dns/files/family-dns-update b/net/family-dns/files/family-dns-update
new file mode 100644
index 000000000..6771a0a7e
--- /dev/null
+++ b/net/family-dns/files/family-dns-update
@@ -0,0 +1,95 @@
+#!/bin/sh
+#
+# Copyright (c) 2020 Gregory L. Dietsche <Gregory.Dietsche@cuw.edu>
+# This is free software, licensed under the MIT License
+#
+. /lib/functions.sh
+
+config_load 'family-dns'
+config_get_bool enabled default enabled 0
+config_get_bool redirect_dns default redirect_dns 0
+config_get dns default dns default
+
+#uninstall and disable are designed to be equivalent.
+if [ "$1" = "uninstall" ] ; then
+ enabled=0
+fi
+
+# Set OpenWrt Defaults
+uci -q batch <<-EOT
+ set network.wan.peerdns='1'
+ set network.wan6.peerdns='1'
+ delete network.wan.dns
+ delete network.wan6.dns
+ delete firewall.family_dns_lan
+EOT
+
+if [ "$enabled" -ne 1 ] ; then
+ echo 'Activating Default ISP DNS server(s)'
+else
+ # We don't want to use ISP DNS servers because they don't filter queries
+ uci set network.wan.peerdns='0'
+ uci set network.wan6.peerdns='0'
+
+ # Configure the DNS server(s) that will handle filtering.
+ echo "Activating $dns"
+ case $dns in
+ cleanbrowsing-adult-filter)
+ uci add_list network.wan.dns=185.228.168.10
+ uci add_list network.wan.dns=185.228.169.11
+ uci add_list network.wan6.dns=2a0d:2a00:1::1
+ uci add_list network.wan6.dns=2a0d:2a00:2::1
+ ;;
+ cleanbrowsing-family-filter)
+ uci add_list network.wan.dns=185.228.168.168
+ uci add_list network.wan.dns=185.228.169.168
+ uci add_list network.wan6.dns=2a0d:2a00:1::
+ uci add_list network.wan6.dns=2a0d:2a00:2::
+ ;;
+ cloudflare-malware-and-adult-content)
+ uci add_list network.wan.dns=1.1.1.3
+ uci add_list network.wan.dns=1.0.0.3
+ uci add_list network.wan6.dns=2606:4700:4700::1113
+ uci add_list network.wan6.dns=2606:4700:4700::1003
+ ;;
+ cisco-family-shield)
+ uci add_list network.wan.dns=208.67.222.123
+ uci add_list network.wan.dns=208.67.220.123
+ uci add_list network.wan6.dns=::ffff:d043:de7b
+ uci add_list network.wan6.dns=::ffff:d043:dc7b
+ ;;
+ *)
+ echo "$dns" is not supported.
+ uci revert network
+ redirect_dns=0
+ ;;
+ esac
+
+ if [ "$redirect_dns" -eq 1 ] ; then
+ echo Activating DNS redirect
+ zone=lan
+ ip=$(uci get network.$zone.ipaddr)
+
+ uci -q batch <<-EOT
+ set firewall.family_dns_lan=redirect
+ add_list firewall.family_dns_lan.proto='tcp'
+ add_list firewall.family_dns_lan.proto='udp'
+ set firewall.family_dns_lan.src_dport='53'
+ set firewall.family_dns_lan.dest_ip='$ip'
+ set firewall.family_dns_lan.target='DNAT'
+ set firewall.family_dns_lan.src='$zone'
+ set firewall.family_dns_lan.dest='$zone'
+ set firewall.family_dns_lan.name='family-dns redirect for $zone zone'
+EOT
+ fi
+fi
+
+uci -q batch <<-EOT
+ commit network
+ commit firewall
+EOT
+
+/etc/init.d/network reload
+/etc/init.d/dnsmasq reload
+/etc/init.d/firewall reload 2>/dev/null
+
diff --git a/net/family-dns/files/family-dns.conf b/net/family-dns/files/family-dns.conf
new file mode 100644
index 000000000..bfe950f51
--- /dev/null
+++ b/net/family-dns/files/family-dns.conf
@@ -0,0 +1,14 @@
+# Copyright (c) 2020 Gregory L. Dietsche
+# This is free software, licensed under the MIT License
+#
+# run family-dns-update after making configuration changes.
+#
+
+config family-dns default
+ option enabled 1
+ option redirect_dns 1
+ option dns 'cleanbrowsing-adult-filter'
+ #option dns 'cleanbrowsing-family-filter'
+ #option dns 'cloudflare-malware-and-adult-content'
+ #option dns 'cisco-family-shield'
+
diff --git a/net/family-dns/files/family-dns.uci-defaults b/net/family-dns/files/family-dns.uci-defaults
new file mode 100644
index 000000000..9eaaa0b66
--- /dev/null
+++ b/net/family-dns/files/family-dns.uci-defaults
@@ -0,0 +1,9 @@
+#!/bin/sh
+#
+# Copyright (c) 2020 Gregory L. Dietsche <Gregory.Dietsche@cuw.edu>
+# This is free software, licensed under the MIT License
+#
+
+/usr/sbin/family-dns-update
+
+exit 0
diff --git a/net/family-dns/files/test-family-dns b/net/family-dns/files/test-family-dns
new file mode 100755
index 000000000..ff017fb67
--- /dev/null
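Review bot: In the `*)` arm of `case $dns in`, `uci revert network` appears to discard not only the two `peerdns='0'` lines but also the "Set OpenWrt Defaults" batch issued earlier in the same uncommitted transaction, so a misspelled `dns` option leaves whatever resolvers were committed by a previous run in place while the script still commits, reloads and exits 0 with the error printed to stdout. Re-issuing the default `set`/`delete` lines in that arm instead of reverting, and reporting with `echo "$dns is not supported" >&2` followed by a non-zero exit, would preserve the documented fallback to the ISP resolvers. The redirect section also trusts `ip=$(uci get network.$zone.ipaddr)` without a check; if the lan interface has no static `ipaddr`, the DNAT rule is committed with an empty `dest_ip`, so guarding the firewall batch with `[ -n "$ip" ]` and logging to stderr when it is empty is worth adding.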
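Review bot: `/usr/sbin/family-dns-update` is run unconditionally from this uci-defaults script, and with the shipped `family-dns.conf` (`enabled 1`, `redirect_dns 1`) that means merely installing the package replaces the WAN resolvers and installs a port-53 DNAT rule before the administrator has touched the configuration; that deserves a line in the header, e.g. `# Applies family-dns.conf on first boot; with the shipped defaults this switches WAN DNS to the filtering resolver and enables the lan redirect.` The trailing `exit 0` follows the uci-defaults convention as I understand it, but it also hides a failed run; `/usr/sbin/family-dns-update || logger -t family-dns "update failed ($?)"` keeps the script removable while leaving a trace in the system log.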
+++ b/net/family-dns/files/test-family-dns 
@@ -0,0 +1,124 @@
+#!/bin/sh
+#
+# Copyright (c) 2020 Gregory L. Dietsche <Gregory.Dietsche@cuw.edu>
+# This is free software, licensed under the MIT License
+#
+
+########################
+#Yucky global variables#
+########################
+global_result=0
+
+# A list of adult websites that support both IPv4 and IPv6
+IPv4andIPv6EnabledSiteList="https://xhamster.com https://www.watchmyexgf.net https://gaymaletube.com"
+
+expect_not_safe(){
+ title=$1
+ size=$2
+ web=$3
+
+ actual=$(wget -4 -O - "$web" | wc -l) 2> /dev/null
+ if [ "$actual" -gt "$size" ] ; then
+ echo "$title: IPv4: $size/$actual. NOT SAFE"
+ else
+ echo "$title: IPv4: SAFE. $actual (expected not safe!) ***************"
+ global_result=1
+ fi
+
+ actual=$(wget -6 -O - "$web" | wc -l) 2> /dev/null
+ if [ "$actual" -gt "$size" ] ; then
+ echo "$title: IPv6: $size/$actual. NOT SAFE"
+ else
+ echo "$title: IPv6: SAFE. $actual (expected not safe!) ***************"
+ global_result=1
+ fi
+ return $global_result
+}
+
+expect_safe(){
+ title=$1
+ size=$2
+ web=$3
+
+ actual=$(wget -4 -O - "$web" | wc -l) 2> /dev/null
+ if [ "$actual" -gt "$size" ] ; then
+ echo "$title: IPv4: $size/$actual. NOT SAFE ******************"
+ global_result=1
+ else
+ echo "$title: IPv4: SAFE. $actual"
+ fi
+
+ actual=$(wget -6 -O - "$web" | wc -l) 2> /dev/null
+ if [ "$actual" -gt "$size" ] ; then
+ echo "$title: IPv6: $size/$actual. NOT SAFE ******************"
+ global_result=1
+ else
+ echo "$title: IPv6: SAFE. $actual"
+ fi
+}
+
+
+test_not_safe(){
+ uci set family-dns.default.enabled=0
+ uci commit family-dns
+ family-dns-update
+
+ echo "******************************"
+ echo "Testing Without Protection ***"
+ echo "******************************"
+ c=0
+ for site in ${IPv4andIPv6EnabledSiteList}; do
+ expect_not_safe "Site $c" 500 "$site"
+ c=$((c+1))
+ done
+
+ uci set family-dns.default.enabled=1
+ uci commit family-dns
+ family-dns-update
+
+ echo
+}
+
+test_filter(){
+ echo "******************************"
+ echo "Testing With Protection ***"
+ echo "******************************"
+ echo testing "$1"
+
+ uci set family-dns.default.dns="$1"
+ uci commit family-dns
+ family-dns-update
+
+ c=0
+ for site in ${IPv4andIPv6EnabledSiteList}; do
+ expect_safe "Testing Site $c" 500 "$site"
+ c=$((c+1))
+ done
+
+ echo
+}
+
+#############################################
+## Main Tests ##
+#############################################
+test_not_safe
+test_filter cisco-family-shield
+test_filter cloudflare-malware-and-adult-content
+test_filter cleanbrowsing-family-filter
+test_filter cleanbrowsing-adult-filter
+
+# with cleanbrowsing-adult-filter on, run this test on a different device (not the router)
+# the result should be 0 when redirect_dns=1 and the result should be 1 when redirect_dns=0
+#count=$(nslookup -query=A www.sex.com 8.8.8.8 | grep NXDOMAIN | wc -l)
+#if [ $count -eq 1 ]; then
+# echo Clean Browsing returned NXDOMAIN. This is expected.
+#else
+# echo Clean Browsing did not return NXDOMAIN. This is NOT expected.
+#fi
+
+
+
+if [ $global_result -ne 0 ]; then
+ echo '************ Test(s) failed! ********************************************************'
+fi
+exit $global_result |
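Review bot: `test_not_safe` and `test_filter` rewrite the live router configuration (`uci set family-dns.default.enabled`, `uci set family-dns.default.dns`, `uci commit family-dns`, `family-dns-update`) and nothing restores the original values, so after a run the router is left on the last profile exercised (`cleanbrowsing-adult-filter`) and with `enabled=1` regardless of what the administrator had configured; reading `enabled` and `dns` with `uci get` at the top and re-applying them before the final `exit` would make the suite non-destructive, and the header should state that the script reconfigures DNS on the device it runs on. `expect_not_safe` ends with `return $global_result` while `expect_safe` falls through with the status of its last `echo`; callers ignore both, but the asymmetry reads like an oversight and `return $global_result` should either be added to `expect_safe` or dropped from both. The threshold `500` passed on every call is a bare magic number; a named variable with a one-line comment on what a "blocked" page is expected to look like would make the pass/fail criterion reviewable.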