CNAMES in Unbound

Started by Mr_Cus, April 29, 2024, 08:16:00 PM

Hello,

Is there a plan to bring the ability to use CNAMES as overrides in unbound to the WebUI?

Ticking "Safe Search" in the UI includes an extra bit of unbound config which uses CNAMES in the config, but I'm in the position where I need(*) to disable CoPilot/Bing Chat, and Microsoft's recommendation is to do it at the DNS level with a handful of CNAMES.

Side question: how hard would it be for someone half not-smart like myself to add another tickbox under "enforce safesearch" to "disable copilot" and include an extra config file?

*: "I" am a high school; putting an LLM right into the OS was not what the teachers wanted!

April 29, 2024, 08:21:39 PM #1 Last Edit: April 29, 2024, 08:26:18 PM by Patrick M. Hausen
Unbound on OPNsense does support aliases in the overrides section.

EDIT: sorry that does not create a CNAME but just an A or AAAA while skipping the PTR that a regular host override creates.

But it seems like they don't work like most people would expect them to, see:
https://www.bentasker.co.uk/posts/documentation/linux/279-unbound-adding-custom-dns-records.html
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Correct, we only get A/AAAA by default, no CNAME option.

But CNAMEs do work: OPNsense is already using them to do what I want, but for different services.

I did some investigation at work today.

The file /var/unbound/etc/safesearch.conf will be populated with "things" when you tick "Enable SafeSearch" on the "Blocklist" page (maybe this should be moved somewhere more reasonable, like "advanced" - it's not really a blocklist feature, it's a safety feature if your network has children on it.)

The aforementioned safesearch.conf is generated every time you start/restart the service, so it can't be edited directly; the changes are lost at service restart. But it does enable Safe Search for Google, YouTube, Bing, Qwant, and some others, and uses CNAMEs to do it.

The file appears to be generated by /usr/local/opnsense/service/templates/OPNsense/Unbound/core/safesearch.conf

Which has stanzas for all sorts of things. I added and changed the following:

# Bing
local-zone: "bing.com" redirect
local-data: "bing.com CNAME nochat.bing.com"

#CoPilot
local-zone: "copilot.microsoft.com" redirect
local-data: "copilot.microsoft.com CNAME cdp.copilot.microsoft.com"

# YouTube
local-zone: "www.youtube.com" redirect
local-data: "www.youtube.com CNAME restrict.youtube.com"
local-zone: "m.youtube.com" redirect
local-data: "m.youtube.com CNAME restrict.youtube.com"
local-zone: "youtubei.googleapis.com" redirect
local-data: "youtubei.googleapis.com CNAME restrict.youtube.com"
local-zone: "youtube.googleapis.com" redirect
local-data: "youtube.googleapis.com CNAME restrict.youtube.com"
local-zone: "www.youtube-nocookie.com" redirect
local-data: "www.youtube-nocookie.com CNAME restrict.youtube.com"


The bing entry was already there, but I changed it from "restrict.bing" to "nochat.bing" which disabled CoPilot nearly everywhere in Windows 11. The Microsoft stanza directly below it ensures you can't use CoPilot without having ADP enabled on your account.

Essentially, CoPilot will remember everything it ever learns about you, unless you pay Microsoft extra money, or know that it can be disabled with random DNS CNAMEs. Unless you're under 18, in which case you're not eligible for privacy protection at all.

And finally, I've changed restrictmoderate.youtube to just restrict.youtube because that better aligns with our school policy.

So, I know what needs to change; how do I get this into the official OPNsense Unbound plugin? Probably as two options, "safe search" and "disable copilot", because there are probably people on the planet who do want to use CoPilot.

Keep in mind CNAME support in Unbound is fragile:

https://github.com/NLnetLabs/unbound/issues/747#issuecomment-1271102835

As for the safe search it might make sense to add all of them as a list of option. Feature requests welcome on GitHub.


Cheers,
Franco
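The two practical points in this thread are the local-zone "redirect" plus local-data CNAME pattern from the safesearch template, and the warning that Unbound's CNAME handling is fragile. The following is an added example (not code from OPNsense, from the template, or from anyone in the thread). It renders the stanzas from a hostname-to-target table, one table per toggle, so a "safe search" and a "disable Copilot" option could each contribute their own set, lints the combined tables for conflicts and for CNAME targets that sit inside a redirect zone (the case a resolver has to chase outside its own local data), and parses a dig-style answer section to tell whether the resolver only returned the CNAME or also followed it to an address. The grouping into two toggles, the function names, and the sample answers (which use 192.0.2.x documentation addresses) are this example's own assumptions.

```python
"""Render, lint and verify Unbound 'local-zone redirect + local-data CNAME' stanzas.

Added example; not OPNsense code.  Hostname -> CNAME target tables below use the
targets posted in the thread; splitting them into two toggles is an assumption.
"""
import re

SAFESEARCH = {
    "www.youtube.com": "restrict.youtube.com",
    "m.youtube.com": "restrict.youtube.com",
    "youtubei.googleapis.com": "restrict.youtube.com",
}
NO_COPILOT = {
    "bing.com": "nochat.bing.com",
    "copilot.microsoft.com": "cdp.copilot.microsoft.com",
}


def render_stanzas(mapping, comment=None):
    """Emit one 'local-zone ... redirect' / 'local-data ... CNAME' pair per name."""
    lines = [f"# {comment}"] if comment else []
    for name, target in sorted(mapping.items()):
        lines.append(f'local-zone: "{name}" redirect')
        lines.append(f'local-data: "{name} CNAME {target}"')
    return "\n".join(lines) + "\n"


def _under(name, zone):
    """True if name is zone itself or a subdomain of it (zone names are unqualified)."""
    return name == zone or name.endswith("." + zone)


def lint(toggles):
    """Return human-readable warnings for the combined set of toggle tables.

    - the same name configured twice with different targets (Unbound will not
      accept two local-zone lines for one name, and the intent is ambiguous);
    - a CNAME target that is covered by one of the redirect zones, since every
      name under a redirect zone is answered from that zone's own local data;
      that is the situation to verify with check_answer() before trusting it.
    """
    warnings, seen = [], {}
    for toggle, mapping in toggles.items():
        for name, target in mapping.items():
            if name in seen and seen[name][1] != target:
                warnings.append(
                    f"{name}: {toggle} -> {target} conflicts with "
                    f"{seen[name][0]} -> {seen[name][1]}"
                )
            seen.setdefault(name, (toggle, target))
    for name, (toggle, target) in seen.items():
        for zone in seen:
            if _under(target, zone):
                warnings.append(
                    f"{name} -> {target}: target is covered by redirect zone "
                    f"{zone}; verify with check_answer() that the resolver chases it"
                )
    return warnings


# One resource record per line, as printed by 'dig +noall +answer'.
_RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|A|AAAA)\s+(\S+)\s*$")


def check_answer(answer_section, qname):
    """Follow the CNAME chain for qname through a dig-style answer section.

    Returns (final_cname_target_or_None, [addresses for the final name]).
    An empty address list with a non-None target means the resolver handed
    back the CNAME without chasing it, which is what to look for after adding
    these stanzas.
    """
    cname, addrs = {}, {}
    for line in answer_section.splitlines():
        m = _RR.match(line.strip())
        if not m:
            continue
        owner, rtype, rdata = m.group(1).rstrip("."), m.group(2), m.group(3).rstrip(".")
        if rtype == "CNAME":
            cname[owner] = rdata
        else:
            addrs.setdefault(owner, []).append(rdata)
    name, target, hops = qname.rstrip("."), None, 0
    while name in cname and hops < 10:          # hop cap guards against CNAME loops
        name = target = cname[name]
        hops += 1
    return target, addrs.get(name, [])


# Constructed answer sections (documentation addresses, not real Bing records).
SAMPLE_CHASED = (
    "bing.com.\t\t300\tIN\tCNAME\tnochat.bing.com.\n"
    "nochat.bing.com.\t300\tIN\tA\t192.0.2.10\n"
)
SAMPLE_CNAME_ONLY = "bing.com.\t\t300\tIN\tCNAME\tnochat.bing.com.\n"

if __name__ == "__main__":
    print(render_stanzas(NO_COPILOT, "CoPilot"), end="")
    for w in lint({"safesearch": SAFESEARCH, "copilot": NO_COPILOT}):
        print("warning:", w)
    print(check_answer(SAMPLE_CHASED, "bing.com"))
    print(check_answer(SAMPLE_CNAME_ONLY, "bing.com"))
```

Against a live resolver the check is `dig @<resolver> bing.com +noall +answer` fed into check_answer(); an empty address list for a name you redirected is the symptom to chase before rolling the stanzas out to a whole school network.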