2 ##############################################################################
4 # This program is free software; you can redistribute it and/or modify
5 # it under the terms of the GNU General Public License version 2 as
6 # published by the Free Software Foundation.
8 # This program is distributed in the hope that it will be useful,
9 # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 # GNU General Public License for more details.
13 # Copyright (C) 2016 Eric Luehrsen
15 ##############################################################################
17 # Unbound is a full featured recursive server with many options. The UCI
18 # provided tries to simplify and bundle options. This should make Unbound
19 # easier to deploy. Even light duty routers may resolve recursively instead of
20 # depending on a stub with the ISP. The UCI also attempts to replicate dnsmasq
21 # features as used in base LEDE/OpenWrt. If there is a desire for more
22 # detailed tuning, then manual conf file overrides are also made available.
24 ##############################################################################
41 UB_D_DOMAIN_TYPE
=static
48 UB_D_RECURSION
=passive
52 UB_IP_DNS64
="64:ff9b::/96"
60 UB_TXT_HOSTNAME
=thisrouter
62 ##############################################################################
64 # reset as a combo with UB_B_NTP_BOOT and some time stamp files
67 # keep track of assignments during inserted resource records
72 UB_LIST_ZONE_SERVERS
=""
75 ##############################################################################
78 .
/lib
/functions
/network.sh
80 .
/usr
/lib
/unbound
/defaults.sh
81 .
/usr
/lib
/unbound
/dnsmasq.sh
82 .
/usr
/lib
/unbound
/iptools.sh
84 ##############################################################################
86 bundle_all_networks
() {
88 local ifname ifdashname validip
89 local subnet subnets subnets4 subnets6
91 network_get_subnets subnets4
"$cfg"
92 network_get_subnets6 subnets6
"$cfg"
93 network_get_device ifname
"$cfg"
95 ifdashname
="${ifname//./-}"
96 subnets
="$subnets4 $subnets6"
99 if [ -n "$subnets" ] ; then
100 for subnet
in $subnets ; do
101 validip
=$
( valid_subnet_any
$subnet )
104 if [ "$validip" = "ok" ] ; then
105 UB_LIST_NETW_ALL
="$UB_LIST_NETW_ALL $ifdashname@$subnet"
111 ##############################################################################
113 bundle_lan_networks
() {
115 local interface ifsubnet ifname ifdashname ignore
117 config_get_bool ignore
"$cfg" ignore
0
118 config_get interface
"$cfg" interface
""
119 network_get_device ifname
"$interface"
120 ifdashname
="${ifname//./-}"
123 if [ "$ignore" -eq 0 -a -n "$ifdashname" -a -n "$UB_LIST_NETW_ALL" ] ; then
124 for ifsubnet
in $UB_LIST_NETW_ALL ; do
127 # Special GLA protection for local block; ULA protected as a catagory
128 UB_LIST_NETW_LAN
="$UB_LIST_NETW_LAN $ifsubnet"
135 ##############################################################################
137 bundle_wan_networks
() {
141 if [ -n "$UB_LIST_NETW_ALL" ] ; then
142 for ifsubnet
in $UB_LIST_NETW_ALL ; do
143 case $UB_LIST_NETW_LAN in
145 # If LAN, then not WAN ...
149 UB_LIST_NETW_WAN
="$UB_LIST_NETW_WAN $ifsubnet"
156 ##############################################################################
158 bundle_resolv_conf_servers
() {
159 local resolvers
=$
( awk '/nameserver/ { print $2 }' /tmp
/resolv.conf.auto
)
160 UB_LIST_ZONE_SERVERS
="$UB_LIST_ZONE_SERVERS $resolvers"
163 ##############################################################################
165 bundle_zone_names
() {
166 UB_LIST_ZONE_NAMES
="$UB_LIST_ZONE_NAMES $1"
169 ##############################################################################
171 bundle_zone_servers
() {
172 UB_LIST_ZONE_SERVERS
="$UB_LIST_ZONE_SERVERS $1"
175 ##############################################################################
177 bundle_domain_insecure
() {
178 UB_LIST_INSECURE
="$UB_LIST_INSECURE $1"
181 ##############################################################################
187 if [ "$UB_D_DHCP_LINK" = "odhcpd" ] ; then
188 local dhcp_origin
=$
( uci_get dhcp.@odhcpd
[0].leasefile
)
189 local dhcp_dir
=$
( dirname $dhcp_origin )
192 if [ ! -d "$dhcp_dir" ] ; then
193 # make sure odhcpd has a directory to write (not done itself, yet)
199 if [ -f $UB_RKEY_FILE ] ; then
200 filestuff
=$
( cat $UB_RKEY_FILE )
204 *"state=2 [ VALID ]"*)
205 # Lets not lose RFC 5011 tracking if we don't have to
206 cp -p $UB_RKEY_FILE $UB_RKEY_FILE.keep
212 # Blind copy /etc/unbound to /var/lib/unbound
214 rm -f $UB_VARDIR/dhcp_
*
216 cp -p /etc
/unbound
/* $UB_VARDIR/
219 if [ ! -f $UB_RHINT_FILE ] ; then
220 if [ -f /usr
/share
/dns
/root.hints
] ; then
221 # Debian-like package dns-root-data
222 cp -p /usr
/share
/dns
/root.hints
$UB_RHINT_FILE
224 elif [ "$UB_B_READY" -eq 0 ] ; then
225 logger
-t unbound
-s "default root hints (built in root-servers.net)"
230 if [ ! -f $UB_RKEY_FILE ] ; then
231 if [ -f /usr
/share
/dns
/root.key
] ; then
232 # Debian-like package dns-root-data
233 cp -p /usr
/share
/dns
/root.key
$UB_RKEY_FILE
235 elif [ -x $UB_ANCHOR ] ; then
236 $UB_ANCHOR -a $UB_RKEY_FILE
238 elif [ "$UB_B_READY" -eq 0 ] ; then
239 logger
-t unbound
-s "default trust anchor (built in root DS record)"
244 if [ -f $UB_RKEY_FILE.keep
] ; then
245 # root.key.keep is reused if newest
246 cp -u $UB_RKEY_FILE.keep
$UB_RKEY_FILE
247 rm -f $UB_RKEY_FILE.keep
251 if [ -f $UB_TLS_ETC_FILE ] ; then
252 # copy the cert bundle into jail
253 cp -p $UB_TLS_ETC_FILE $UB_TLS_FWD_FILE
257 # Ensure access and prepare to jail
258 chown
-R unbound
:unbound
$UB_VARDIR
260 chmod 644 $UB_VARDIR/*
263 if [ -f $UB_CTLKEY_FILE -o -f $UB_CTLPEM_FILE \
264 -o -f $UB_SRVKEY_FILE -o -f $UB_SRVPEM_FILE ] ; then
265 # Keys (some) exist already; do not create new ones
266 chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
267 $UB_SRVKEY_FILE $UB_SRVPEM_FILE
269 elif [ -x /usr
/sbin
/unbound-control-setup
] ; then
270 case "$UB_D_CONTROL" in
272 # unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static"
273 /usr
/sbin
/unbound-control-setup
-d $UB_VARDIR
275 chown
-R unbound
:unbound
$UB_CTLKEY_FILE $UB_CTLPEM_FILE \
276 $UB_SRVKEY_FILE $UB_SRVPEM_FILE
278 chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
279 $UB_SRVKEY_FILE $UB_SRVPEM_FILE
281 cp -p $UB_CTLKEY_FILE /etc
/unbound
/unbound_control.key
282 cp -p $UB_CTLPEM_FILE /etc
/unbound
/unbound_control.pem
283 cp -p $UB_SRVKEY_FILE /etc
/unbound
/unbound_server.key
284 cp -p $UB_SRVPEM_FILE /etc
/unbound
/unbound_server.pem
290 if [ -f "$UB_TIME_FILE" ] ; then
291 # NTP is done so its like you actually had an RTC
295 elif [ "$UB_B_NTP_BOOT" -eq 0 ] ; then
296 # time is considered okay on this device (ignore /etc/hotplug/ntpd/unbound)
297 date -Is > $UB_TIME_FILE
302 # DNSSEC-TIME will not reconcile
308 ##############################################################################
311 echo "# $UB_CTRL_CONF generated by UCI $( date -Is )" > $UB_CTRL_CONF
314 if [ "$UB_D_CONTROL" -gt 1 ] ; then
315 if [ ! -f $UB_CTLKEY_FILE -o ! -f $UB_CTLPEM_FILE \
316 -o ! -f $UB_SRVKEY_FILE -o ! -f $UB_SRVPEM_FILE ] ; then
317 # Key files need to be present; if unbound-control-setup was found, then
318 # they might have been made during unbound_makedir() above.
324 case "$UB_D_CONTROL" in
327 # Local Host Only Unencrypted Remote Control
328 echo "remote-control:"
329 echo " control-enable: yes"
330 echo " control-use-cert: no"
331 echo " control-interface: 127.0.0.1"
332 echo " control-interface: ::1"
339 # Local Host Only Encrypted Remote Control
340 echo "remote-control:"
341 echo " control-enable: yes"
342 echo " control-use-cert: yes"
343 echo " control-interface: 127.0.0.1"
344 echo " control-interface: ::1"
345 echo " server-key-file: $UB_SRVKEY_FILE"
346 echo " server-cert-file: $UB_SRVPEM_FILE"
347 echo " control-key-file: $UB_CTLKEY_FILE"
348 echo " control-cert-file: $UB_CTLPEM_FILE"
355 # Network Encrypted Remote Control
356 # (3) may auto setup and (4) must have static key/pem files
357 # TODO: add UCI list for interfaces to bind
358 echo "remote-control:"
359 echo " control-enable: yes"
360 echo " control-use-cert: yes"
361 echo " control-interface: 0.0.0.0"
362 echo " control-interface: ::0"
363 echo " server-key-file: $UB_SRVKEY_FILE"
364 echo " server-cert-file: $UB_SRVPEM_FILE"
365 echo " control-key-file: $UB_CTLKEY_FILE"
366 echo " control-cert-file: $UB_CTLPEM_FILE"
373 ##############################################################################
378 local servers_host
=""
379 local zone_sym zone_name zone_type zone_enabled zone_file
380 local tls_upstream fallback
381 local server port tls_port tls_index tls_suffix url_dir
383 if [ ! -f "$UB_ZONE_CONF" ] ; then
384 echo "# $UB_ZONE_CONF generated by UCI $( date -Is )" > $UB_ZONE_CONF
388 config_get_bool zone_enabled
"$cfg" enabled
0
391 if [ "$zone_enabled" -eq 1 ] ; then
392 # these lists are built for each zone; empty to start
393 UB_LIST_ZONE_NAMES
=""
394 UB_LIST_ZONE_SERVERS
=""
396 config_get zone_type
"$cfg" zone_type
""
397 config_get port
"$cfg" port
""
398 config_get tls_index
"$cfg" tls_index
""
399 config_get tls_port
"$cfg" tls_port
853
400 config_get url_dir
"$cfg" url_dir
""
402 config_get_bool resolv_conf
"$cfg" resolv_conf
0
403 config_get_bool fallback
"$cfg" fallback
1
404 config_get_bool tls_upstream
"$cfg" tls_upstream
0
406 config_list_foreach
"$cfg" zone_name bundle_zone_names
407 config_list_foreach
"$cfg" server bundle_zone_servers
409 # string formating for Unbound syntax
410 tls_suffix
="${tls_port:+@${tls_port}${tls_index:+#${tls_index}}}"
411 [ "$fallback" -eq 0 ] && fallback
=no || fallback
=yes
412 [ "$tls_upstream" -eq 0 ] && tls_upstream
=no || tls_upstream
=yes
415 if [ $resolv_conf -eq 1 ] ; then
416 bundle_resolv_conf_servers
426 if [ "$UB_B_NTP_BOOT" -eq 0 -a -n "$UB_LIST_ZONE_NAMES" \
427 -a \
( -n "$url_dir" -o -n "$UB_LIST_ZONE_SERVERS" \
) ] ; then
428 # Note AXFR may have large downloads. If NTP restart is configured,
429 # then this can cause procd to force a process kill.
430 for zone_name
in $UB_LIST_ZONE_NAMES ; do
431 if [ "$zone_name" = "." ] ; then
437 zone_file
=$zone_name.zone
438 zone_file
=${zone_file//../.}
443 # generate an auth-zone: with switches for prefetch cache
445 echo " name: $zone_sym"
446 for server
in $UB_LIST_ZONE_SERVERS ; do
447 echo " master: $server${port:+@${port}}"
449 if [ -n "$url_dir" ] ; then
450 echo " url: $url_dir$zone_file"
452 echo " fallback-enabled: $fallback"
453 echo " for-downstream: no"
454 echo " for-upstream: yes"
455 echo " zonefile: $zone_file"
463 if [ ! -f $UB_TLS_FWD_FILE -a "$tls_upstream" = "yes" ] ; then
464 logger
-p 4 -t unbound
-s \
465 "Forward-zone TLS benefits from authentication in package 'ca-bundle'"
469 if [ -n "$UB_LIST_ZONE_NAMES" -a -n "$UB_LIST_ZONE_SERVERS" ] ; then
470 for server
in $UB_LIST_ZONE_SERVERS ; do
471 if [ "$( valid_subnet_any $server )" = "not" ] ; then
474 # unique Unbound option for server host name
475 servers_host
="$servers_host $server"
479 if [ "$tls_upstream" = "yes" ] ; then
480 servers_host
="$servers_host $server${tls_port:+@${tls_port}}"
482 servers_host
="$servers_host $server${port:+@${port}}"
489 # unique Unbound option for server address
490 servers_ip
="$servers_ip $server"
494 if [ "$tls_upstream" = "yes" ] ; then
495 servers_ip
="$servers_ip $server$tls_suffix"
497 servers_ip
="$servers_ip $server${port:+@${port}}"
504 for zonename
in $UB_LIST_ZONE_NAMES ; do
506 # generate a forward-zone with or without tls
508 echo " name: $zonename"
509 for server
in $servers_host ; do
510 echo " forward-host: $server"
512 for server
in $servers_ip ; do
513 echo " forward-addr: $server"
515 echo " forward-first: $fallback"
516 echo " forward-tls-upstream: $tls_upstream"
524 if [ -n "$UB_LIST_ZONE_NAMES" -a -n "$UB_LIST_ZONE_SERVERS" ] ; then
525 for zonename
in $UB_LIST_ZONE_NAMES ; do
527 # generate a stub-zone: or ensure short cut to authority NS
529 echo " name: $zonename"
530 for server
in $UB_LIST_ZONE_SERVERS ; do
531 echo " stub-addr: $server${port:+@${port}}"
533 echo " stub-first: $fallback"
542 ##############################################################################
545 local rt_mem rt_conn rt_buff modulestring domain ifsubnet nsubnet
548 # server: for this whole function
549 echo "# $UB_CORE_CONF generated by UCI $( date -Is )"
551 echo " username: unbound"
552 echo " chroot: $UB_VARDIR"
553 echo " directory: $UB_VARDIR"
554 echo " pidfile: $UB_PIDFILE"
558 if [ -f "$UB_TLS_FWD_FILE" ] ; then
559 # TLS cert bundle for upstream forwarder and https zone files
560 # This is loaded before drop to root, so pull from /etc/ssl
561 echo " tls-cert-bundle: $UB_TLS_FWD_FILE" >> $UB_CORE_CONF
565 if [ -f "$UB_RHINT_FILE" ] ; then
566 # Optional hints if found
567 echo " root-hints: $UB_RHINT_FILE" >> $UB_CORE_CONF
571 if [ "$UB_B_DNSSEC" -gt 0 -a -f "$UB_RKEY_FILE" ] ; then
573 echo " auto-trust-anchor-file: $UB_RKEY_FILE"
578 echo >> $UB_CORE_CONF
584 echo " num-threads: 1"
585 echo " msg-cache-slabs: 1"
586 echo " rrset-cache-slabs: 1"
587 echo " infra-cache-slabs: 1"
588 echo " key-cache-slabs: 1"
591 echo " use-syslog: yes"
592 echo " statistics-interval: 0"
593 echo " statistics-cumulative: no"
597 if [ "$UB_D_VERBOSE" -ge 0 -a "$UB_D_VERBOSE" -le 5 ] ; then
598 echo " verbosity: $UB_D_VERBOSE" >> $UB_CORE_CONF
602 if [ "$UB_B_EXT_STATS" -gt 0 ] ; then
605 echo " extended-statistics: yes"
612 echo " extended-statistics: no"
618 case "$UB_D_PROTOCOL" in
621 echo " edns-buffer-size: $UB_N_EDNS_SIZE"
622 echo " port: $UB_N_RX_PORT"
623 echo " outgoing-port-permit: 10240-65535"
624 echo " interface: 0.0.0.0"
625 echo " outgoing-interface: 0.0.0.0"
634 echo " edns-buffer-size: $UB_N_EDNS_SIZE"
635 echo " port: $UB_N_RX_PORT"
636 echo " outgoing-port-permit: 10240-65535"
637 echo " interface: ::0"
638 echo " outgoing-interface: ::0"
647 echo " edns-buffer-size: $UB_N_EDNS_SIZE"
648 echo " port: $UB_N_RX_PORT"
649 echo " outgoing-port-permit: 10240-65535"
650 echo " interface: 0.0.0.0"
651 echo " interface: ::0"
652 echo " outgoing-interface: 0.0.0.0"
661 echo " edns-buffer-size: $UB_N_EDNS_SIZE"
662 echo " port: $UB_N_RX_PORT"
663 echo " outgoing-port-permit: 10240-65535"
664 echo " interface: 0.0.0.0"
665 echo " interface: ::0"
666 echo " outgoing-interface: 0.0.0.0"
667 echo " outgoing-interface: ::0"
670 echo " prefer-ip6: yes"
677 # Interface Wildcard (access contol handled by "option local_service")
678 echo " edns-buffer-size: $UB_N_EDNS_SIZE"
679 echo " port: $UB_N_RX_PORT"
680 echo " outgoing-port-permit: 10240-65535"
681 echo " interface: 0.0.0.0"
682 echo " interface: ::0"
683 echo " outgoing-interface: 0.0.0.0"
684 echo " outgoing-interface: ::0"
692 if [ "$UB_B_READY" -eq 0 ] ; then
693 logger
-t unbound
-s "default protocol configuration"
698 # outgoing-interface has useful defaults; incoming is localhost though
699 echo " edns-buffer-size: $UB_N_EDNS_SIZE"
700 echo " port: $UB_N_RX_PORT"
701 echo " outgoing-port-permit: 10240-65535"
702 echo " interface: 0.0.0.0"
703 echo " interface: ::0"
710 case "$UB_D_RESOURCE" in
711 # Tiny - Unbound's recommended cheap hardware config
712 tiny
) rt_mem
=1 ; rt_conn
=2 ; rt_buff
=1 ;;
713 # Small - Half RRCACHE and open ports
714 small
) rt_mem
=8 ; rt_conn
=10 ; rt_buff
=2 ;;
715 # Medium - Nearly default but with some added balancintg
716 medium
) rt_mem
=16 ; rt_conn
=15 ; rt_buff
=4 ;;
717 # Large - Double medium
718 large
) rt_mem
=32 ; rt_conn
=20 ; rt_buff
=4 ;;
719 # Whatever unbound does
720 *) rt_mem
=0 ; rt_conn
=0 ;;
724 if [ "$rt_mem" -gt 0 ] ; then
726 # Other harding and options for an embedded router
727 echo " harden-short-bufsize: yes"
728 echo " harden-large-queries: yes"
729 echo " harden-glue: yes"
730 echo " use-caps-for-id: no"
732 # Set memory sizing parameters
733 echo " msg-buffer-size: $(($rt_buff*8192))"
734 echo " outgoing-range: $(($rt_conn*32))"
735 echo " num-queries-per-thread: $(($rt_conn*16))"
736 echo " outgoing-num-tcp: $(($rt_conn))"
737 echo " incoming-num-tcp: $(($rt_conn))"
738 echo " rrset-cache-size: $(($rt_mem*256))k"
739 echo " msg-cache-size: $(($rt_mem*128))k"
740 echo " key-cache-size: $(($rt_mem*128))k"
741 echo " neg-cache-size: $(($rt_mem*64))k"
742 echo " infra-cache-numhosts: $(($rt_mem*256))"
746 elif [ "$UB_B_READY" -eq 0 ] ; then
747 logger
-t unbound
-s "default memory configuration"
751 # Assembly of module-config: options is tricky; order matters
752 modulestring
="iterator"
755 if [ "$UB_B_DNSSEC" -gt 0 ] ; then
756 if [ "$UB_B_NTP_BOOT" -gt 0 ] ; then
757 # DNSSEC chicken and egg with getting NTP time
758 echo " val-override-date: -1" >> $UB_CORE_CONF
763 echo " harden-dnssec-stripped: yes"
764 echo " val-clean-additional: yes"
765 echo " ignore-cd-flag: yes"
769 modulestring
="validator $modulestring"
773 if [ "$UB_B_DNS64" -gt 0 ] ; then
774 echo " dns64-prefix: $UB_IP_DNS64" >> $UB_CORE_CONF
776 modulestring
="dns64 $modulestring"
781 # Print final module string
782 echo " module-config: \"$modulestring\""
787 case "$UB_D_RECURSION" in
790 # Some query privacy but "strict" will break some servers
791 if [ "$UB_B_QRY_MINST" -gt 0 \
792 -a "$UB_B_QUERY_MIN" -gt 0 ] ; then
793 echo " qname-minimisation: yes"
794 echo " qname-minimisation-strict: yes"
795 elif [ "$UB_B_QUERY_MIN" -gt 0 ] ; then
796 echo " qname-minimisation: yes"
798 echo " qname-minimisation: no"
800 # Use DNSSEC to quickly understand NXDOMAIN ranges
801 if [ "$UB_B_DNSSEC" -gt 0 ] ; then
802 echo " aggressive-nsec: yes"
803 echo " prefetch-key: no"
807 echo " target-fetch-policy: \"0 0 0 0 0\""
814 # Some query privacy but "strict" will break some servers
815 if [ "$UB_B_QRY_MINST" -gt 0 \
816 -a "$UB_B_QUERY_MIN" -gt 0 ] ; then
817 echo " qname-minimisation: yes"
818 echo " qname-minimisation-strict: yes"
819 elif [ "$UB_B_QUERY_MIN" -gt 0 ] ; then
820 echo " qname-minimisation: yes"
822 echo " qname-minimisation: no"
824 # Use DNSSEC to quickly understand NXDOMAIN ranges
825 if [ "$UB_B_DNSSEC" -gt 0 ] ; then
826 echo " aggressive-nsec: yes"
827 echo " prefetch-key: yes"
829 # Prefetch what can be
830 echo " prefetch: yes"
831 echo " target-fetch-policy: \"3 2 1 0 0\""
837 if [ "$UB_B_READY" -eq 0 ] ; then
838 logger
-t unbound
-s "default recursion configuration"
845 # Reload records more than 20 hours old
846 # DNSSEC 5 minute bogus cool down before retry
847 # Adaptive infrastructure info kept for 15 minutes
848 echo " cache-min-ttl: $UB_TTL_MIN"
849 echo " cache-max-ttl: 72000"
850 echo " val-bogus-ttl: 300"
851 echo " infra-host-ttl: 900"
856 if [ "$UB_B_HIDE_BIND" -gt 0 ] ; then
858 # Block server id and version DNS TXT records
859 echo " hide-identity: yes"
860 echo " hide-version: yes"
866 if [ "$UB_D_PRIV_BLCK" -gt 0 ] ; then
868 # Remove _upstream_ or global reponses with private addresses.
869 # Unbounds own "local zone" and "forward zone" may still use these.
870 # RFC1918, RFC3927, RFC4291, RFC6598, RFC6890
871 echo " private-address: 10.0.0.0/8"
872 echo " private-address: 100.64.0.0/10"
873 echo " private-address: 169.254.0.0/16"
874 echo " private-address: 172.16.0.0/12"
875 echo " private-address: 192.168.0.0/16"
876 echo " private-address: fc00::/7"
877 echo " private-address: fe80::/10"
883 if [ -n "$UB_LIST_NETW_LAN" -a "$UB_D_PRIV_BLCK" -gt 1 ] ; then
885 for ifsubnet
in $UB_LIST_NETW_LAN ; do
887 *@
[1-9][0-9a-f][0-9a-f][0-9a-f]:*:[0-9a-f]*)
888 # Remove global DNS responses with your local network IP6 GLA
889 echo " private-address: ${ifsubnet#*@}"
898 if [ "$UB_B_LOCL_BLCK" -gt 0 ] ; then
900 # Remove DNS reponses from upstream with loopback IP
901 # Black hole DNS method for ad blocking, so consider...
902 echo " private-address: 127.0.0.0/8"
903 echo " private-address: ::1/128"
909 if [ -n "$UB_LIST_INSECURE" ] ; then
911 for domain
in $UB_LIST_INSECURE ; do
912 # Except and accept domains without (DNSSEC); work around broken domains
913 echo " domain-insecure: $domain"
920 if [ "$UB_B_LOCL_SERV" -gt 0 -a -n "$UB_LIST_NETW_ALL" ] ; then
922 for ifsubnet
in $UB_LIST_NETW_ALL ; do
923 # Only respond to queries from subnets which have an interface.
924 # Prevent DNS amplification attacks by not responding to the universe.
925 echo " access-control: ${ifsubnet#*@} allow"
927 echo " access-control: 127.0.0.0/8 allow"
928 echo " access-control: ::1/128 allow"
929 echo " access-control: fe80::/10 allow"
935 echo " access-control: 0.0.0.0/0 allow"
936 echo " access-control: ::0/0 allow"
942 ##############################################################################
945 local ifsubnet ifarpa ifaddr ifname iffqdn
946 local ulaprefix hostfqdn name names namerec ptrrec
949 echo "# $UB_HOST_CONF generated by UCI $( date -Is )" > $UB_HOST_CONF
952 if [ "$UB_D_DHCP_LINK" = "dnsmasq" ] ; then
954 echo "# Local zone is handled by dnsmasq"
958 elif [ -n "$UB_TXT_DOMAIN" \
959 -a \
( "$UB_D_WAN_FQDN" -gt 0 -o "$UB_D_LAN_FQDN" -gt 0 \
) ] ; then
960 case "$UB_D_DOMAIN_TYPE" in
961 deny|inform_deny|refuse|static
)
963 # type static means only this router has your domain
964 echo " domain-insecure: $UB_TXT_DOMAIN"
965 echo " private-domain: $UB_TXT_DOMAIN"
966 echo " local-zone: $UB_TXT_DOMAIN $UB_D_DOMAIN_TYPE"
967 echo " local-data: \"$UB_TXT_DOMAIN. $UB_XSOA\""
968 echo " local-data: \"$UB_TXT_DOMAIN. $UB_XNS\""
969 echo " local-data: '$UB_TXT_DOMAIN. $UB_XTXT'"
971 # avoid upstream involvement in RFC6762
972 echo " domain-insecure: local"
973 echo " private-domain: local"
974 echo " local-zone: local $UB_D_DOMAIN_TYPE"
975 echo " local-data: \"local. $UB_XSOA\""
976 echo " local-data: \"local. $UB_XNS\""
977 echo " local-data: 'local. $UB_LTXT'"
983 transparent|typetransparent
)
985 # transparent will permit forward-zone: or stub-zone: clauses
986 echo " private-domain: $UB_TXT_DOMAIN"
987 echo " local-zone: $UB_TXT_DOMAIN $UB_D_DOMAIN_TYPE"
996 # Hostname as TLD works, but not transparent through recursion (singular)
997 echo " domain-insecure: $UB_TXT_HOSTNAME"
998 echo " private-domain: $UB_TXT_HOSTNAME"
999 echo " local-zone: $UB_TXT_HOSTNAME static"
1000 echo " local-data: \"$UB_TXT_HOSTNAME. $UB_XSOA\""
1001 echo " local-data: \"$UB_TXT_HOSTNAME. $UB_XNS\""
1002 echo " local-data: '$UB_TXT_HOSTNAME. $UB_XTXT'"
1007 if [ -n "$UB_LIST_NETW_WAN" ] ; then
1008 for ifsubnet
in $UB_LIST_NETW_WAN ; do
1009 ifaddr
=${ifsubnet#*@}
1011 ifarpa
=$
( host_ptr_any
"$ifaddr" )
1014 if [ -n "$ifarpa" ] ; then
1015 if [ "$UB_D_WAN_FQDN" -gt 0 ] ; then
1017 # Create a static zone for WAN host record only (singular)
1018 echo " domain-insecure: $ifarpa"
1019 echo " private-address: $ifaddr"
1020 echo " local-zone: $ifarpa static"
1021 echo " local-data: \"$ifarpa. $UB_XSOA\""
1022 echo " local-data: \"$ifarpa. $UB_XNS\""
1023 echo " local-data: '$ifarpa. $UB_MTXT'"
1027 elif [ "$zonetype" -gt 0 ] ; then
1029 echo " local-zone: $ifarpa transparent"
1038 if [ -n "$UB_LIST_NETW_LAN" ] ; then
1039 for ifsubnet
in $UB_LIST_NETW_LAN ; do
1040 ifarpa
=$
( domain_ptr_any
"${ifsubnet#*@}" )
1043 if [ -n "$ifarpa" ] ; then
1044 if [ "$zonetype" -eq 2 ] ; then
1046 # Do NOT forward queries with your ip6.arpa or in-addr.arpa
1047 echo " domain-insecure: $ifarpa"
1048 echo " local-zone: $ifarpa static"
1049 echo " local-data: \"$ifarpa. $UB_XSOA\""
1050 echo " local-data: \"$ifarpa. $UB_XNS\""
1051 echo " local-data: '$ifarpa. $UB_XTXT'"
1055 elif [ "$zonetype" -eq 1 -a "$UB_D_PRIV_BLCK" -eq 0 ] ; then
1057 echo " local-zone: $ifarpa transparent"
1066 ulaprefix
=$
( uci_get network.@globals
[0].ula_prefix
)
1067 ulaprefix
=${ulaprefix%%:/*}
1068 hostfqdn
="$UB_TXT_HOSTNAME.$UB_TXT_DOMAIN"
1071 if [ -z "$ulaprefix" ] ; then
1072 # Nonsense so this option isn't globbed below
1073 ulaprefix
="fdno:such:addr::"
1077 if [ "$UB_LIST_NETW_LAN" -a "$UB_D_LAN_FQDN" -gt 0 ] ; then
1078 for ifsubnet
in $UB_LIST_NETW_LAN ; do
1079 ifaddr
=${ifsubnet#*@}
1081 ifname
=${ifsubnet%@*}
1082 iffqdn
="$ifname.$hostfqdn"
1085 if [ "$UB_D_LAN_FQDN" -eq 4 ] ; then
1086 names
="$iffqdn $hostfqdn $UB_TXT_HOSTNAME"
1087 ptrrec
=" local-data-ptr: \"$ifaddr 300 $iffqdn\""
1088 echo "$ptrrec" >> $UB_HOST_CONF
1090 elif [ "$UB_D_LAN_FQDN" -eq 3 ] ; then
1091 names
="$hostfqdn $UB_TXT_HOSTNAME"
1092 ptrrec
=" local-data-ptr: \"$ifaddr 300 $hostfqdn\""
1093 echo "$ptrrec" >> $UB_HOST_CONF
1096 names
="$UB_TXT_HOSTNAME"
1097 ptrrec
=" local-data-ptr: \"$ifaddr 300 $UB_TXT_HOSTNAME\""
1098 echo "$ptrrec" >> $UB_HOST_CONF
1102 for name
in $names ; do
1105 # IP6 ULA only is assigned for OPTION 1
1106 namerec
=" local-data: \"$name. 300 IN AAAA $ifaddr\""
1107 echo "$namerec" >> $UB_HOST_CONF
1111 namerec
=" local-data: \"$name. 300 IN A $ifaddr\""
1112 echo "$namerec" >> $UB_HOST_CONF
1116 if [ "$UB_D_LAN_FQDN" -gt 1 ] ; then
1117 # IP6 GLA is assigned for higher options
1118 namerec
=" local-data: \"$name. 300 IN AAAA $ifaddr\""
1119 echo "$namerec" >> $UB_HOST_CONF
1124 echo >> $UB_HOST_CONF
1129 if [ -n "$UB_LIST_NETW_WAN" -a "$UB_D_WAN_FQDN" -gt 0 ] ; then
1130 for ifsubnet
in $UB_LIST_NETW_WAN ; do
1131 ifaddr
=${ifsubnet#*@}
1133 ifname
=${ifsubnet%@*}
1134 iffqdn
="$ifname.$hostfqdn"
1137 if [ "$UB_D_WAN_FQDN" -eq 4 ] ; then
1138 names
="$iffqdn $hostfqdn $UB_TXT_HOSTNAME"
1139 ptrrec
=" local-data-ptr: \"$ifaddr 300 $iffqdn\""
1140 echo "$ptrrec" >> $UB_HOST_CONF
1142 elif [ "$UB_D_WAN_FQDN" -eq 3 ] ; then
1143 names
="$hostfqdn $UB_TXT_HOSTNAME"
1144 ptrrec
=" local-data-ptr: \"$ifaddr 300 $hostfqdn\""
1145 echo "$ptrrec" >> $UB_HOST_CONF
1148 names
="$UB_TXT_HOSTNAME"
1149 ptrrec
=" local-data-ptr: \"$ifaddr 300 $UB_TXT_HOSTNAME\""
1150 echo "$ptrrec" >> $UB_HOST_CONF
1154 for name
in $names ; do
1157 # IP6 ULA only is assigned for OPTION 1
1158 namerec
=" local-data: \"$name. 300 IN AAAA $ifaddr\""
1159 echo "$namerec" >> $UB_HOST_CONF
1163 namerec
=" local-data: \"$name. 300 IN A $ifaddr\""
1164 echo "$namerec" >> $UB_HOST_CONF
1168 if [ "$UB_D_WAN_FQDN" -gt 1 ] ; then
1169 # IP6 GLA is assigned for higher options
1170 namerec
=" local-data: \"$name. 300 IN AAAA $ifaddr\""
1171 echo "$namerec" >> $UB_HOST_CONF
1176 echo >> $UB_HOST_CONF
1179 fi # end if uci valid
1182 ##############################################################################
1186 local dnsmasqpath hostnm
1188 hostnm
=$
( uci_get system.@system
[0].hostname |
awk '{print tolower($0)}' )
1189 UB_TXT_HOSTNAME
=${hostnm:-thisrouter}
1191 config_get_bool UB_B_SLAAC6_MAC
"$cfg" dhcp4_slaac6
0
1192 config_get_bool UB_B_DNS64
"$cfg" dns64
0
1193 config_get_bool UB_B_EXT_STATS
"$cfg" extended_stats
0
1194 config_get_bool UB_B_HIDE_BIND
"$cfg" hide_binddata
1
1195 config_get_bool UB_B_LOCL_SERV
"$cfg" localservice
1
1196 config_get_bool UB_B_MAN_CONF
"$cfg" manual_conf
0
1197 config_get_bool UB_B_QUERY_MIN
"$cfg" query_minimize
0
1198 config_get_bool UB_B_QRY_MINST
"$cfg" query_min_strict
0
1199 config_get_bool UB_B_AUTH_ROOT
"$cfg" prefetch_root
0
1200 config_get_bool UB_B_LOCL_BLCK
"$cfg" rebind_localhost
0
1201 config_get_bool UB_B_DNSSEC
"$cfg" validator
0
1202 config_get_bool UB_B_NTP_BOOT
"$cfg" validator_ntp
1
1204 config_get UB_IP_DNS64
"$cfg" dns64_prefix
"64:ff9b::/96"
1206 config_get UB_N_EDNS_SIZE
"$cfg" edns_size
1280
1207 config_get UB_N_RX_PORT
"$cfg" listen_port
53
1208 config_get UB_N_ROOT_AGE
"$cfg" root_age
9
1210 config_get UB_D_CONTROL
"$cfg" unbound_control
0
1211 config_get UB_D_DOMAIN_TYPE
"$cfg" domain_type static
1212 config_get UB_D_DHCP_LINK
"$cfg" dhcp_link none
1213 config_get UB_D_EXTRA_DNS
"$cfg" add_extra_dns
0
1214 config_get UB_D_LAN_FQDN
"$cfg" add_local_fqdn
0
1215 config_get UB_D_PRIV_BLCK
"$cfg" rebind_protection
1
1216 config_get UB_D_PROTOCOL
"$cfg" protocol mixed
1217 config_get UB_D_RECURSION
"$cfg" recursion passive
1218 config_get UB_D_RESOURCE
"$cfg" resource small
1219 config_get UB_D_VERBOSE
"$cfg" verbosity
1
1220 config_get UB_D_WAN_FQDN
"$cfg" add_wan_fqdn
0
1222 config_get UB_TTL_MIN
"$cfg" ttl_min
120
1223 config_get UB_TXT_DOMAIN
"$cfg" domain lan
1225 config_list_foreach
"$cfg" domain_insecure bundle_domain_insecure
1228 if [ "$UB_D_DHCP_LINK" = "none" ] ; then
1229 config_get_bool UB_B_DNSMASQ
"$cfg" dnsmasq_link_dns
0
1232 if [ "$UB_B_DNSMASQ" -gt 0 ] ; then
1233 UB_D_DHCP_LINK
=dnsmasq
1236 if [ "$UB_B_READY" -eq 0 ] ; then
1237 logger
-t unbound
-s "Please use 'dhcp_link' selector instead"
1243 if [ "$UB_D_DHCP_LINK" = "dnsmasq" ] ; then
1244 if [ ! -x /usr
/sbin
/dnsmasq
-o ! -x /etc
/init.d
/dnsmasq
] ; then
1247 /etc
/init.d
/dnsmasq enabled || UB_D_DHCP_LINK
=none
1251 if [ "$UB_B_READY" -eq 0 -a "$UB_D_DHCP_LINK" = "none" ] ; then
1252 logger
-t unbound
-s "cannot forward to dnsmasq"
1257 if [ "$UB_D_DHCP_LINK" = "odhcpd" ] ; then
1258 if [ ! -x /usr
/sbin
/odhcpd
-o ! -x /etc
/init.d
/odhcpd
] ; then
1261 /etc
/init.d
/odhcpd enabled || UB_D_DHCP_LINK
=none
1265 if [ "$UB_B_READY" -eq 0 -a "$UB_D_DHCP_LINK" = "none" ] ; then
1266 logger
-t unbound
-s "cannot receive records from odhcpd"
1271 if [ "$UB_N_EDNS_SIZE" -lt 512 \
1272 -o 4096 -lt "$UB_N_EDNS_SIZE" ] ; then
1273 logger
-t unbound
-s "edns_size exceeds range, using default"
1278 if [ "$UB_N_RX_PORT" -ne 53 \
1279 -a \
( "$UB_N_RX_PORT" -lt 1024 -o 10240 -lt "$UB_N_RX_PORT" \
) ] ; then
1280 logger
-t unbound
-s "privileged port or in 5 digits, using default"
1285 if [ "$UB_TTL_MIN" -gt 1800 ] ; then
1286 logger
-t unbound
-s "ttl_min could have had awful side effects, using 300"
1291 ##############################################################################
1295 local adb_files
=$
( ls $UB_VARDIR/adb_list.
* 2>/dev
/null
)
1297 echo "# $UB_TOTAL_CONF generated by UCI $( date -Is )" > $UB_TOTAL_CONF
1300 if [ -f "$UB_CORE_CONF" ] ; then
1301 # Yes this all looks busy, but it is in TMPFS. Working on separate files
1302 # and piecing together is easier. UCI order is less constrained.
1303 cat $UB_CORE_CONF >> $UB_TOTAL_CONF
1308 if [ -f "$UB_HOST_CONF" ] ; then
1309 # UCI definitions of local host or local subnet
1310 cat $UB_HOST_CONF >> $UB_TOTAL_CONF
1315 if [ -f $UB_SRVMASQ_CONF ] ; then
1316 # UCI found link to dnsmasq
1317 cat $UB_SRVMASQ_CONF >> $UB_TOTAL_CONF
1322 if [ -f "$UB_DHCP_CONF" ] ; then
1324 # Seed DHCP records because dhcp scripts trigger externally
1325 # Incremental Unbound restarts may drop unbound-control records
1326 echo "include: $UB_DHCP_CONF"
1332 if [ -z "$adb_files" \
1333 -o ! -x /usr
/bin
/adblock.sh
-o ! -x /etc
/init.d
/adblock
] ; then
1336 elif /etc
/init.d
/adblock enabled
; then
1339 # Pull in your selected openwrt/pacakges/net/adblock generated lists
1340 echo "include: $UB_VARDIR/adb_list.*"
1349 if [ -f $UB_SRV_CONF ] ; then
1351 # Pull your own "server:" options here
1352 echo "include: $UB_SRV_CONF"
1358 if [ -f "$UB_ZONE_CONF" ] ; then
1359 # UCI defined forward, stub, and auth zones
1360 cat $UB_ZONE_CONF >> $UB_TOTAL_CONF
1365 if [ -f "$UB_CTRL_CONF" ] ; then
1366 # UCI defined control application connection
1367 cat $UB_CTRL_CONF >> $UB_TOTAL_CONF
1372 if [ -f "$UB_EXTMASQ_CONF" ] ; then
1373 # UCI found link to dnsmasq
1374 cat $UB_EXTMASQ_CONF >> $UB_TOTAL_CONF
1379 if [ -f "$UB_EXT_CONF" ] ; then
1381 # Pull your own extend feature clauses here
1382 echo "include: $UB_EXT_CONF"
1388 ##############################################################################
1391 if [ "$UB_N_RX_PORT" != "53" ] ; then
1394 elif [ -x /etc
/init.d
/dnsmasq
] \
1395 && /etc
/init.d
/dnsmasq enabled \
1396 && nslookup localhost
127.0.0.1#53 >/dev/null 2>&1 ; then
1397 # unbound is configured for port 53, but dnsmasq is enabled and a resolver
1398 # listens on localhost:53, lets assume dnsmasq manages the resolver file.
1400 # really check if dnsmasq runs a local (main) resolver in stead of using
1401 # nslookup that times out when no resolver listens on localhost:53.
1406 # unbound is designated to listen on 127.0.0.1#53,
1407 # set resolver file to local.
1408 rm -f /tmp
/resolv.conf
1411 echo "# /tmp/resolv.conf generated by Unbound UCI $( date -Is )"
1412 echo "nameserver 127.0.0.1"
1413 echo "nameserver ::1"
1414 echo "search $UB_TXT_DOMAIN."
1415 } > /tmp
/resolv.conf
1418 ##############################################################################
1422 config_foreach unbound_uci unbound
1426 if [ "$UB_B_MAN_CONF" -eq 0 ] ; then
1427 # iterate zones before we load other UCI
1428 # forward-zone: auth-zone: and stub-zone:
1429 config_foreach unbound_zone zone
1430 # associate potential DNS RR with interfaces
1432 config_foreach bundle_all_networks interface
1434 config_foreach bundle_lan_networks dhcp
1451 ##############################################################################