1 #!/bin/sh
2 ##############################################################################
3 #
4 # This program is free software; you can redistribute it and/or modify
5 # it under the terms of the GNU General Public License version 2 as
6 # published by the Free Software Foundation.
7 #
8 # This program is distributed in the hope that it will be useful,
9 # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 # GNU General Public License for more details.
12 #
13 # Copyright (C) 2016 Eric Luehrsen
14 #
15 ##############################################################################
16 #
17 # Unbound is a full featured recursive server with many options. The UCI
18 # provided tries to simplify and bundle options. This should make Unbound
19 # easier to deploy. Even light duty routers may resolve recursively instead of
20 # depending on a stub with the ISP. The UCI also attempts to replicate dnsmasq
21 # features as used in base LEDE/OpenWrt. If there is a desire for more
22 # detailed tuning, then manual conf file overrides are also made available.
23 #
24 ##############################################################################
25
# Defaults for the UCI driven switches.  UCI (via defaults.sh and the
# sourced helpers) may override any of these before the generators run.

# Boolean switches (0/1) that are on by default
UB_B_HIDE_BIND=1     # emit hide-identity / hide-version
UB_B_IF_AUTO=1       # emit interface-automatic
UB_B_LOCL_SERV=1     # restrict access-control to interface subnets
UB_B_NTP_BOOT=1      # DNSSEC time is not trusted until NTP has synced

# Boolean switches (0/1) that are off by default
UB_B_AUTH_ROOT=0     # not referenced in this file
UB_B_DNS64=0         # add the dns64 module and prefix
UB_B_DNSSEC=0        # add the validator module and trust anchor
UB_B_DNS_ASSIST=0    # set by unbound_zone() when a local helper DNS is used
UB_B_EXT_STATS=0     # extended-statistics
UB_B_GATE_NAME=0     # not referenced in this file
UB_B_LOCL_BLCK=0     # treat loopback answers from upstream as private
UB_B_MAN_CONF=0      # not referenced in this file
UB_B_QRY_MINST=0     # qname-minimisation-strict
UB_B_QUERY_MIN=0     # qname-minimisation
UB_B_SLAAC6_MAC=0    # not referenced in this file

# Discrete choices (enumerations or small integers)
UB_D_CONTROL=0           # remote-control level 0..4 (see unbound_control)
UB_D_DHCP_LINK=none      # none | odhcpd | dnsmasq
UB_D_DOMAIN_TYPE=static  # local-zone: type for UB_TXT_DOMAIN
UB_D_EXTRA_DNS=0         # not referenced in this file
UB_D_LAN_FQDN=0          # how many names a LAN address gets (0..4)
UB_D_PRIV_BLCK=1         # private-address filtering level
UB_D_PROTOCOL=mixed      # ip4_only | ip6_only | ip6_local | ip6_prefer | mixed
UB_D_RECURSION=passive   # passive | aggressive
UB_D_RESOURCE=small      # tiny | small | medium | large
UB_D_VERBOSE=1           # verbosity: 0..5
UB_D_WAN_FQDN=0          # how many names a WAN address gets (0..4)

# Numeric tunables
UB_N_EDNS_SIZE=1280      # edns-buffer-size
UB_N_RATE_LMT=0          # ratelimit; only emitted strictly between 10 and 100000
UB_N_ROOT_AGE=9          # not referenced in this file
UB_N_RX_PORT=53          # listening port
UB_N_THREADS=1           # >1 and libevent build selects num-threads: 2

# Addresses and names
UB_IP_DNS64="64:ff9b::/96"
UB_TTL_MIN=120
UB_TXT_DOMAIN=lan
UB_TXT_HOSTNAME=thisrouter

##############################################################################

# Cleared/set again by unbound_mkdir() together with UB_B_NTP_BOOT and the
# NTP time stamp file
UB_B_READY=1

# Accumulators filled by the bundle_*() callbacks while records are inserted
UB_LIST_INSECURE=""
UB_LIST_NETW_ALL=""
UB_LIST_NETW_LAN=""
UB_LIST_NETW_WAN=""
UB_LIST_ZONE_NAMES=""
UB_LIST_ZONE_SERVERS=""
78
79 ##############################################################################
80
81 . /lib/functions.sh
82 . /lib/functions/network.sh
83
84 . /usr/lib/unbound/defaults.sh
85 . /usr/lib/unbound/dnsmasq.sh
86 . /usr/lib/unbound/iptools.sh
87
88 ##############################################################################
89
#######################################
# Collect every valid IPv4/IPv6 subnet of one netifd interface as
# "<device-with-dashes>@<subnet>" entries in UB_LIST_NETW_ALL.
# Arguments: $1 - netifd interface name
# Globals:   UB_LIST_NETW_ALL (appended, space separated)
#######################################
bundle_all_networks() {
	local cfg="$1"
	local dev devdash probe
	local net nets4 nets6

	network_get_subnets nets4 "$cfg"
	network_get_subnets6 nets6 "$cfg"
	network_get_device dev "$cfg"
	# dots are not welcome in the tag, so "eth0.1" becomes "eth0-1"
	devdash="${dev//./-}"

	# word-split on purpose: both lists are space separated
	for net in $nets4 $nets6 ; do
		probe=$( valid_subnet_any "$net" )

		if [ "$probe" = "ok" ] ; then
			UB_LIST_NETW_ALL="$UB_LIST_NETW_ALL $devdash@$net"
		fi
	done
}
114
115 ##############################################################################
116
#######################################
# Copy the UB_LIST_NETW_ALL entries that belong to one dhcp UCI section's
# interface into UB_LIST_NETW_LAN (unless the section says ignore=1).
# Arguments: $1 - UCI dhcp section name
# Globals:   UB_LIST_NETW_ALL (read), UB_LIST_NETW_LAN (appended)
#######################################
bundle_lan_networks() {
	local cfg="$1"
	local skip net dev devdash entry

	config_get_bool skip "$cfg" ignore 0
	config_get net "$cfg" interface ""
	network_get_device dev "$net"
	devdash="${dev//./-}"

	[ "$skip" -eq 0 ] || return 0
	[ -n "$devdash" ] || return 0
	[ -n "$UB_LIST_NETW_ALL" ] || return 0

	for entry in $UB_LIST_NETW_ALL ; do
		case "$entry" in
			"${devdash}"@*)
				# Special GLA protection for local block; ULA protected default
				UB_LIST_NETW_LAN="$UB_LIST_NETW_LAN $entry"
				;;
		esac
	done
}
139
140 ##############################################################################
141
#######################################
# Everything in UB_LIST_NETW_ALL that was not claimed as LAN is WAN.
# Globals:   UB_LIST_NETW_ALL, UB_LIST_NETW_LAN (read)
#            UB_LIST_NETW_WAN (appended)
#######################################
bundle_wan_networks() {
	local entry

	[ -n "$UB_LIST_NETW_ALL" ] || return 0

	for entry in $UB_LIST_NETW_ALL ; do
		case "$UB_LIST_NETW_LAN" in
			*"${entry}"*)
				# already a LAN entry, nothing to do
				;;
			*)
				UB_LIST_NETW_WAN="$UB_LIST_NETW_WAN $entry"
				;;
		esac
	done
}
160
161 ##############################################################################
162
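#######################################
# Append the nameserver entries of the auto generated resolv file to the
# per-zone server list.  A missing or unreadable file adds nothing (the
# old code appended a lone space, which made the list test non-empty).
# Globals:   UB_RESOLV_AUTO (read), UB_LIST_ZONE_SERVERS (appended)
# Returns:   0 always
#######################################
bundle_resolv_conf_servers() {
	local resolvers

	[ -r "$UB_RESOLV_AUTO" ] || return 0

	# declaration split from assignment so awk's status is not masked
	resolvers=$( awk '/nameserver/ { print $2 }' "$UB_RESOLV_AUTO" ) || return 0
	[ -n "$resolvers" ] || return 0

	UB_LIST_ZONE_SERVERS="$UB_LIST_ZONE_SERVERS $resolvers"
}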
167
168 ##############################################################################
169
# Callback for config_list_foreach: append one zone_name list item to the
# per-zone accumulator UB_LIST_ZONE_NAMES (space separated).
bundle_zone_names() {
	local name="$1"
	UB_LIST_ZONE_NAMES="${UB_LIST_ZONE_NAMES} ${name}"
}
173
174 ##############################################################################
175
# Callback for config_list_foreach: append one server list item to the
# per-zone accumulator UB_LIST_ZONE_SERVERS (space separated).
bundle_zone_servers() {
	local server="$1"
	UB_LIST_ZONE_SERVERS="${UB_LIST_ZONE_SERVERS} ${server}"
}
179
180 ##############################################################################
181
# Callback for config_list_foreach: append one domain that must be exempt
# from DNSSEC validation (domain-insecure:) to UB_LIST_INSECURE.
bundle_domain_insecure() {
	local domain="$1"
	UB_LIST_INSECURE="${UB_LIST_INSECURE} ${domain}"
}
185
186 ##############################################################################
187
#######################################
# Prepare the Unbound working directory / chroot before the daemon starts:
# seed it from /etc/unbound, make sure root hints, trust anchor, TLS bundle
# and (optionally) remote-control keys exist, fix ownership and modes, and
# decide whether the clock can be trusted for DNSSEC.
# Globals (read): UB_D_DHCP_LINK UB_RKEY_FILE UB_VARDIR UB_TOTAL_CONF
#   UB_RHINT_FILE UB_ANCHOR UB_TLS_ETC_FILE UB_TLS_FWD_FILE UB_D_CONTROL
#   UB_CTLKEY_FILE UB_CTLPEM_FILE UB_SRVKEY_FILE UB_SRVPEM_FILE UB_TIME_FILE
# Globals (written): UB_B_READY UB_B_NTP_BOOT
# Side effects: mkdir/cp/rm/chown/chmod in $UB_VARDIR and /etc/unbound,
#   may run unbound-control-setup, writes $UB_TIME_FILE
#######################################
unbound_mkdir() {
	local filestuff


	if [ "$UB_D_DHCP_LINK" = "odhcpd" ] ; then
		# lease file location comes from the odhcpd UCI section
		local dhcp_origin=$( uci_get dhcp.@odhcpd[0].leasefile )
		local dhcp_dir=$( dirname $dhcp_origin )


		if [ ! -d "$dhcp_dir" ] ; then
			# make sure odhcpd has a directory to write (not done itself, yet)
			mkdir -p "$dhcp_dir"
		fi
	fi


	if [ -f $UB_RKEY_FILE ] ; then
		# Unbound rewrites the anchor file with its RFC 5011 state; keep a
		# copy only when it says the key is VALID so a bad state is not reused
		filestuff=$( cat $UB_RKEY_FILE )


		case "$filestuff" in
			*"state=2 [ VALID ]"*)
				# Lets not lose RFC 5011 tracking if we don't have to
				cp -p $UB_RKEY_FILE $UB_RKEY_FILE.keep
				;;
		esac
	fi


	# Blind copy /etc/unbound to /var/lib/unbound
	# (stale dhcp_* generated files are dropped first; -p keeps modes)
	mkdir -p $UB_VARDIR
	rm -f $UB_VARDIR/dhcp_*
	touch $UB_TOTAL_CONF
	cp -p /etc/unbound/* $UB_VARDIR/


	if [ ! -f $UB_RHINT_FILE ] ; then
		if [ -f /usr/share/dns/root.hints ] ; then
			# Debian-like package dns-root-data
			cp -p /usr/share/dns/root.hints $UB_RHINT_FILE

		elif [ $UB_B_READY -eq 0 ] ; then
			# no hints file anywhere; Unbound falls back to its compiled in list
			logger -t unbound -s "default root hints (built in root-servers.net)"
		fi
	fi


	if [ ! -f $UB_RKEY_FILE ] ; then
		if [ -f /usr/share/dns/root.key ] ; then
			# Debian-like package dns-root-data
			cp -p /usr/share/dns/root.key $UB_RKEY_FILE

		elif [ -x $UB_ANCHOR ] ; then
			# $UB_ANCHOR is defined elsewhere; presumably unbound-anchor, which
			# writes a fresh anchor file with -a -- confirm in defaults.sh
			$UB_ANCHOR -a $UB_RKEY_FILE

		elif [ $UB_B_READY -eq 0 ] ; then
			logger -t unbound -s "default trust anchor (built in root DS record)"
		fi
	fi


	if [ -f $UB_RKEY_FILE.keep ] ; then
		# root.key.keep is reused if newest (cp -u copies only when newer)
		cp -u $UB_RKEY_FILE.keep $UB_RKEY_FILE
		rm -f $UB_RKEY_FILE.keep
	fi


	if [ -f $UB_TLS_ETC_FILE ] ; then
		# copy the cert bundle into jail
		cp -p $UB_TLS_ETC_FILE $UB_TLS_FWD_FILE
	fi


	# Ensure access and prepare to jail
	# NOTE(review): the blanket 644 also covers any remote-control key files
	# that were just copied in from /etc/unbound; they are tightened back to
	# 640 only in the branch below, so there is a short world-readable window.
	chown -R unbound:unbound $UB_VARDIR
	chmod 755 $UB_VARDIR
	chmod 644 $UB_VARDIR/*


	if [ -f $UB_CTLKEY_FILE ] || [ -f $UB_CTLPEM_FILE ] \
	|| [ -f $UB_SRVKEY_FILE ] || [ -f $UB_SRVPEM_FILE ] ; then
		# Keys (some) exist already; do not create new ones
		chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
			$UB_SRVKEY_FILE $UB_SRVPEM_FILE

	elif [ -x /usr/sbin/unbound-control-setup ] ; then
		case "$UB_D_CONTROL" in
			[2-3])
				# unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static"
				/usr/sbin/unbound-control-setup -d $UB_VARDIR

				# private keys: owner unbound, group readable, nothing for others
				chown -R unbound:unbound $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
					$UB_SRVKEY_FILE $UB_SRVPEM_FILE

				chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
					$UB_SRVKEY_FILE $UB_SRVPEM_FILE

				# persist the generated pair outside the volatile jail so the
				# "exist already" branch above is taken on the next start
				cp -p $UB_CTLKEY_FILE /etc/unbound/unbound_control.key
				cp -p $UB_CTLPEM_FILE /etc/unbound/unbound_control.pem
				cp -p $UB_SRVKEY_FILE /etc/unbound/unbound_server.key
				cp -p $UB_SRVPEM_FILE /etc/unbound/unbound_server.pem
				;;
		esac
	fi


	if [ -f "$UB_TIME_FILE" ] ; then
		# NTP is done so its like you actually had an RTC
		UB_B_READY=1
		UB_B_NTP_BOOT=0

	elif [ $UB_B_NTP_BOOT -eq 0 ] ; then
		# time is considered okay on this device (ignore /etc/hotplug/ntpd/unbound)
		date -Is > $UB_TIME_FILE
		UB_B_READY=0
		UB_B_NTP_BOOT=0

	else
		# DNSSEC-TIME will not reconcile
		# (unbound_conf() then emits val-override-date: -1 until NTP restarts us)
		UB_B_READY=0
		UB_B_NTP_BOOT=1
	fi
}
312
313 ##############################################################################
314
#######################################
# Write the remote-control: clause to $UB_CTRL_CONF (file is recreated).
# Globals (read): UB_CTRL_CONF UB_CTLKEY_FILE UB_CTLPEM_FILE UB_SRVKEY_FILE
#   UB_SRVPEM_FILE
# Globals (written): UB_D_CONTROL is reset to 0 when a level above 1 is
#   requested but any of the four key/cert files is missing
# Outputs: $UB_CTRL_CONF; only the header line for level 0
#######################################
unbound_control() {
	local use_cert listen4 listen6

	echo "# $UB_CTRL_CONF generated by UCI $( date -Is )" > "$UB_CTRL_CONF"


	if [ "$UB_D_CONTROL" -gt 1 ] ; then
		if [ ! -f "$UB_CTLKEY_FILE" ] || [ ! -f "$UB_CTLPEM_FILE" ] \
		|| [ ! -f "$UB_SRVKEY_FILE" ] || [ ! -f "$UB_SRVPEM_FILE" ] ; then
			# Certificate modes need all four files; unbound_mkdir() may have
			# generated them via unbound-control-setup, otherwise fall back to off.
			UB_D_CONTROL=0
		fi
	fi


	case "$UB_D_CONTROL" in
		1)
			# loopback only, no certificates
			use_cert=no ; listen4=127.0.0.1 ; listen6=::1
			;;

		2)
			# loopback only, client/server certificates
			use_cert=yes ; listen4=127.0.0.1 ; listen6=::1
			;;

		[3-4])
			# every address; (3) may auto setup and (4) must have static key/pem
			# files.  Only the certificate pair protects this socket.
			# TODO: add UCI list for interfaces to bind
			use_cert=yes ; listen4=0.0.0.0 ; listen6=::0
			;;

		*)
			return 0
			;;
	esac


	{
		echo "remote-control:"
		echo " control-enable: yes"
		echo " control-use-cert: $use_cert"
		echo " control-interface: $listen4"
		echo " control-interface: $listen6"
		if [ "$use_cert" = "yes" ] ; then
			echo " server-key-file: $UB_SRVKEY_FILE"
			echo " server-cert-file: $UB_SRVPEM_FILE"
			echo " control-key-file: $UB_CTLKEY_FILE"
			echo " control-cert-file: $UB_CTLPEM_FILE"
		fi
		echo
	} >> "$UB_CTRL_CONF"
}
377
378 ##############################################################################
379
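#######################################
# Tell whether the assistant resolver named in $1 is installed AND enabled
# by procd.  Used so a forward to a local helper (bind, dnsmasq, ipset-dns,
# nsd) is only configured when that helper will actually be running, which
# avoids a forwarding loop / soft-brick.
# Arguments: $1 - program name (also its init script name)
# Returns:   0 when /usr/sbin/$1 and /etc/init.d/$1 exist and are enabled
#######################################
_ub_assist_enabled() {
	local prog="$1"

	[ -x "/usr/sbin/$prog" ] && [ -x "/etc/init.d/$prog" ] \
		&& "/etc/init.d/$prog" enabled
}

#######################################
# Emit the auth-zone:, forward-zone: or stub-zone: clause for one UCI
# "zone" section into $UB_ZONE_CONF (appending after the first zone).
# Arguments: $1 - UCI section name
# Globals (read): UB_ZONE_CONF UB_B_NTP_BOOT UB_TLS_FWD_FILE
# Globals (written): UB_LIST_ZONE_NAMES UB_LIST_ZONE_SERVERS (rebuilt per
#   zone by the bundle_zone_* callbacks), UB_B_DNS_ASSIST (set to 1 when an
#   enabled assistant is used)
# Outputs: config text appended to $UB_ZONE_CONF; warnings via logger
#######################################
unbound_zone() {
	local cfg=$1
	local servers_ip=""
	local servers_host=""
	local zone_sym zone_name zone_type zone_enabled zone_file zonename
	local tls_upstream fallback resolv_conf
	local server port tls_port tls_index tls_suffix url_dir dns_ast

	if [ ! -f "$UB_ZONE_CONF" ] ; then
		echo "# $UB_ZONE_CONF generated by UCI $( date -Is )" > "$UB_ZONE_CONF"
	fi


	config_get_bool zone_enabled "$cfg" enabled 0


	if [ "$zone_enabled" -eq 1 ] ; then
		# these lists are built for each zone; empty to start
		UB_LIST_ZONE_NAMES=""
		UB_LIST_ZONE_SERVERS=""

		config_get zone_type "$cfg" zone_type ""
		config_get port "$cfg" port ""
		config_get tls_index "$cfg" tls_index ""
		config_get tls_port "$cfg" tls_port 853
		config_get url_dir "$cfg" url_dir ""
		config_get dns_ast "$cfg" dns_assist none

		config_get_bool resolv_conf "$cfg" resolv_conf 0
		config_get_bool fallback "$cfg" fallback 1
		config_get_bool tls_upstream "$cfg" tls_upstream 0

		config_list_foreach "$cfg" zone_name bundle_zone_names
		config_list_foreach "$cfg" server bundle_zone_servers

		# string formatting for Unbound syntax: address@port#name
		tls_suffix="${tls_port:+@${tls_port}${tls_index:+#${tls_index}}}"
		[ "$fallback" -eq 0 ] && fallback=no || fallback=yes
		[ "$tls_upstream" -eq 0 ] && tls_upstream=no || tls_upstream=yes


		if [ "$resolv_conf" -eq 1 ] ; then
			# add the nameservers of the auto resolv file as zone servers
			bundle_resolv_conf_servers
		fi

	else
		zone_type=skip
	fi


	case "$dns_ast" in
		bind|dnsmasq|ipset-dns|nsd)
			# only a declared, installed and enabled assistant counts
			if _ub_assist_enabled "$dns_ast" ; then
				dns_ast=1
			else
				dns_ast=0
			fi
			;;

		*)
			# Prevent a soft-brick event through local forwarding loops. Declare your
			# assistant program and this will check to be sure it is there.
			dns_ast=0
			;;
	esac


	if [ "$dns_ast" -gt 0 ] ; then
		# unbound_conf() then emits do-not-query-localhost: no
		UB_B_DNS_ASSIST=1
	fi


	case $zone_type in
		auth_zone)
			if [ "$UB_B_NTP_BOOT" -eq 0 ] && [ -n "$UB_LIST_ZONE_NAMES" ] \
			&& { [ -n "$url_dir" ] || [ -n "$UB_LIST_ZONE_SERVERS" ] ; } ; then
				# Note AXFR may have large downloads. If NTP restart is configured,
				# then this can cause procd to force a process kill.
				for zone_name in $UB_LIST_ZONE_NAMES ; do
					if [ "$zone_name" = "." ] ; then
						zone_sym=.
						zone_name=root
						zone_file=root.zone
					else
						zone_sym=$zone_name
						zone_file=$zone_name.zone
						# a trailing-dot zone name would otherwise give "name..zone"
						zone_file=${zone_file//../.}
					fi


					{
						# generate an auth-zone: with switches for prefetch cache
						echo "auth-zone:"
						echo " name: $zone_sym"
						for server in $UB_LIST_ZONE_SERVERS ; do
							echo " master: $server${port:+@${port}}"
						done
						if [ -n "$url_dir" ] ; then
							echo " url: $url_dir$zone_file"
						fi
						echo " fallback-enabled: $fallback"
						echo " for-downstream: no"
						echo " for-upstream: yes"
						echo " zonefile: $zone_file"
						echo
					} >> "$UB_ZONE_CONF"
				done
			fi
			;;

		forward_zone)
			if [ ! -f "$UB_TLS_FWD_FILE" ] && [ "$tls_upstream" = "yes" ] ; then
				# TLS without a CA bundle still encrypts but cannot authenticate
				logger -p 4 -t unbound -s \
					"Forward-zone TLS benefits from authentication in package 'ca-bundle'"
			fi


			if [ -n "$UB_LIST_ZONE_NAMES" ] && [ -n "$UB_LIST_ZONE_SERVERS" ] ; then
				for server in $UB_LIST_ZONE_SERVERS ; do
					# literal addresses become forward-addr:, names forward-host:;
					# a local (loopback) address is accepted only with an assistant
					if [ "$( valid_subnet_any "$server" )" = "ok" ] \
					|| { [ "$( local_subnet "$server" )" = "ok" ] \
					&& [ "$dns_ast" -gt 0 ] ; } ; then
						case $server in
							*@[0-9]*|*#[A-Za-z0-9]*)
								# unique Unbound option for server address
								servers_ip="$servers_ip $server"
								;;

							*)
								if [ "$tls_upstream" = "yes" ] ; then
									servers_ip="$servers_ip $server$tls_suffix"
								else
									servers_ip="$servers_ip $server${port:+@${port}}"
								fi
								;;
						esac

					else
						case $server in
							*@[0-9]*|*#[A-Za-z0-9]*)
								# unique Unbound option for server host name
								servers_host="$servers_host $server"
								;;

							*)
								if [ "$tls_upstream" = "yes" ] ; then
									servers_host="$servers_host $server${tls_port:+@${tls_port}}"
								else
									servers_host="$servers_host $server${port:+@${port}}"
								fi
								;;
						esac
					fi
				done


				for zonename in $UB_LIST_ZONE_NAMES ; do
					{
						# generate a forward-zone with or without tls
						echo "forward-zone:"
						echo " name: $zonename"
						for server in $servers_host ; do
							echo " forward-host: $server"
						done
						for server in $servers_ip ; do
							echo " forward-addr: $server"
						done
						echo " forward-first: $fallback"
						echo " forward-tls-upstream: $tls_upstream"
						echo
					} >> "$UB_ZONE_CONF"
				done
			fi
			;;

		stub_zone)
			if [ -n "$UB_LIST_ZONE_NAMES" ] && [ -n "$UB_LIST_ZONE_SERVERS" ] ; then
				for zonename in $UB_LIST_ZONE_NAMES ; do
					{
						# generate a stub-zone: or ensure short cut to authority NS
						echo "stub-zone:"
						echo " name: $zonename"
						for server in $UB_LIST_ZONE_SERVERS ; do
							echo " stub-addr: $server${port:+@${port}}"
						done
						echo " stub-first: $fallback"
						echo
					} >> "$UB_ZONE_CONF"
				done
			fi
			;;

		*)
			{
				# Name the UCI section: zonename is only assigned inside the loops
				# above, so here it used to print empty or a previous zone's name.
				echo " # Special zone $cfg was not enabled or had UCI conflicts."
				echo
			} >> "$UB_ZONE_CONF"
			;;
	esac
}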
619
620 ##############################################################################
621
#######################################
# Write the server: section of the Unbound config ($UB_CORE_CONF) from the
# UB_* globals.  The first block truncates the file, everything after it
# appends, so the emitted order below is the order in the file.
# Globals (read): the UB_B_* / UB_D_* / UB_N_* switches referenced below,
#   UB_VARDIR UB_PIDFILE UB_TLS_FWD_FILE UB_RHINT_FILE UB_RKEY_FILE
#   UB_IP_DNS64 UB_TTL_MIN UB_LIST_NETW_LAN UB_LIST_NETW_ALL UB_LIST_INSECURE,
#   PROG (not set in this file; presumably the unbound binary -- confirm)
# Outputs: $UB_CORE_CONF rewritten; "default ..." notices via logger while
#   UB_B_READY is 0
#######################################
unbound_conf() {
	local rt_mem rt_conn rt_buff modulestring domain ifsubnet moduleopts

	{
		# server: for this whole function
		echo "# $UB_CORE_CONF generated by UCI $( date -Is )"
		echo "server:"
		echo " username: unbound"
		echo " chroot: $UB_VARDIR"
		echo " directory: $UB_VARDIR"
		echo " pidfile: $UB_PIDFILE"
	} > $UB_CORE_CONF


	if [ -f "$UB_TLS_FWD_FILE" ] ; then
		# TLS cert bundle for upstream forwarder and https zone files
		# This is loaded before drop to root, so pull from /etc/ssl
		echo " tls-cert-bundle: $UB_TLS_FWD_FILE" >> $UB_CORE_CONF
	fi


	if [ -f "$UB_RHINT_FILE" ] ; then
		# Optional hints if found
		echo " root-hints: $UB_RHINT_FILE" >> $UB_CORE_CONF
	fi


	if [ $UB_B_DNSSEC -gt 0 ] && [ -f "$UB_RKEY_FILE" ] ; then
		# RFC 5011 managed anchor; Unbound updates the file itself, which is
		# why unbound_mkdir() preserves a VALID copy across restarts
		{
			echo " auto-trust-anchor-file: $UB_RKEY_FILE"
			echo
		} >> $UB_CORE_CONF

	else
		echo >> $UB_CORE_CONF
	fi


	if [ $UB_N_THREADS -gt 1 ] \
	&& $PROG -V | grep -q "Linked libs:.*libevent" ; then
		# heavy variant using "threads" may need substantial resources
		# (any UB_N_THREADS above 1 is capped at 2 here)
		# NOTE(review): $PROG is not defined in this file, while the module
		# probe further down hard codes /usr/sbin/unbound -- same binary?
		echo " num-threads: 2" >> $UB_CORE_CONF
	else
		# light variant with one "process" is much more efficient with light traffic
		echo " num-threads: 1" >> $UB_CORE_CONF
	fi


	{
		# Limited threading (2) with one shared slab
		echo " msg-cache-slabs: 1"
		echo " rrset-cache-slabs: 1"
		echo " infra-cache-slabs: 1"
		echo " key-cache-slabs: 1"
		echo " ratelimit-slabs: 1"
		echo " ip-ratelimit-slabs: 1"
		echo
		# Logging
		echo " use-syslog: yes"
		echo " statistics-interval: 0"
		echo " statistics-cumulative: no"
	} >> $UB_CORE_CONF


	if [ $UB_D_VERBOSE -ge 0 ] && [ $UB_D_VERBOSE -le 5 ] ; then
		# out of range values are silently dropped (Unbound default applies)
		echo " verbosity: $UB_D_VERBOSE" >> $UB_CORE_CONF
	fi


	if [ $UB_B_EXT_STATS -gt 0 ] ; then
		{
			# Log More
			echo " extended-statistics: yes"
			echo
		} >> $UB_CORE_CONF

	else
		{
			# Log Less
			echo " extended-statistics: no"
			echo
		} >> $UB_CORE_CONF
	fi


	if [ $UB_B_IF_AUTO -gt 0 ] ; then
		# answer from the address the query arrived on (multi-homed router)
		echo " interface-automatic: yes" >> $UB_CORE_CONF
	fi


	if [ $UB_B_DNS_ASSIST -gt 0 ] ; then
		# set by unbound_zone() when a forward to a local assistant resolver
		# was accepted; otherwise Unbound refuses loopback upstreams
		echo " do-not-query-localhost: no" >> $UB_CORE_CONF
	fi


	case "$UB_D_PROTOCOL" in
		ip4_only)
			{
				echo " edns-buffer-size: $UB_N_EDNS_SIZE"
				echo " port: $UB_N_RX_PORT"
				echo " outgoing-port-permit: 10240-65535"
				echo " interface: 0.0.0.0"
				echo " outgoing-interface: 0.0.0.0"
				echo " do-ip4: yes"
				echo " do-ip6: no"
				echo
			} >> $UB_CORE_CONF
			;;

		ip6_only)
			{
				echo " edns-buffer-size: $UB_N_EDNS_SIZE"
				echo " port: $UB_N_RX_PORT"
				echo " outgoing-port-permit: 10240-65535"
				echo " interface: ::0"
				echo " outgoing-interface: ::0"
				echo " do-ip4: no"
				echo " do-ip6: yes"
				echo
			} >> $UB_CORE_CONF
			;;

		ip6_local)
			{
				# listen on both families but only recurse upstream over IP4
				echo " edns-buffer-size: $UB_N_EDNS_SIZE"
				echo " port: $UB_N_RX_PORT"
				echo " outgoing-port-permit: 10240-65535"
				echo " interface: 0.0.0.0"
				echo " interface: ::0"
				echo " outgoing-interface: 0.0.0.0"
				echo " do-ip4: yes"
				echo " do-ip6: yes"
				echo
			} >> $UB_CORE_CONF
			;;

		ip6_prefer)
			{
				echo " edns-buffer-size: $UB_N_EDNS_SIZE"
				echo " port: $UB_N_RX_PORT"
				echo " outgoing-port-permit: 10240-65535"
				echo " interface: 0.0.0.0"
				echo " interface: ::0"
				echo " outgoing-interface: 0.0.0.0"
				echo " outgoing-interface: ::0"
				echo " do-ip4: yes"
				echo " do-ip6: yes"
				echo " prefer-ip6: yes"
				echo
			} >> $UB_CORE_CONF
			;;

		mixed)
			{
				# Interface Wildcard (access contol handled by "option local_service")
				echo " edns-buffer-size: $UB_N_EDNS_SIZE"
				echo " port: $UB_N_RX_PORT"
				echo " outgoing-port-permit: 10240-65535"
				echo " interface: 0.0.0.0"
				echo " interface: ::0"
				echo " outgoing-interface: 0.0.0.0"
				echo " outgoing-interface: ::0"
				echo " do-ip4: yes"
				echo " do-ip6: yes"
				echo
			} >> $UB_CORE_CONF
			;;

		*)
			if [ $UB_B_READY -eq 0 ] ; then
				logger -t unbound -s "default protocol configuration"
			fi


			{
				# outgoing-interface has useful defaults; incoming is localhost though
				echo " edns-buffer-size: $UB_N_EDNS_SIZE"
				echo " port: $UB_N_RX_PORT"
				echo " outgoing-port-permit: 10240-65535"
				echo " interface: 0.0.0.0"
				echo " interface: ::0"
				echo
			} >> $UB_CORE_CONF
			;;
	esac


	# rt_buff is left unset by the default arm; it is only read when rt_mem > 0
	case "$UB_D_RESOURCE" in
		# Tiny - Unbound's recommended cheap hardware config
		tiny) rt_mem=1 ; rt_conn=5 ; rt_buff=1 ;;
		# Small - Half RRCACHE and open ports
		small) rt_mem=8 ; rt_conn=10 ; rt_buff=2 ;;
		# Medium - Nearly default but with some added balancintg
		medium) rt_mem=16 ; rt_conn=20 ; rt_buff=4 ;;
		# Large - Double medium
		large) rt_mem=32 ; rt_conn=50 ; rt_buff=4 ;;
		# Whatever unbound does
		*) rt_mem=0 ; rt_conn=0 ;;
	esac


	if [ $rt_mem -gt 0 ] ; then
		{
			# Other harding and options for an embedded router
			echo " harden-short-bufsize: yes"
			echo " harden-large-queries: yes"
			echo " harden-glue: yes"
			echo " use-caps-for-id: no"
			echo
			# Set memory sizing parameters
			echo " msg-buffer-size: $(($rt_buff*8192))"
			echo " outgoing-range: $(($rt_conn*32))"
			echo " num-queries-per-thread: $(($rt_conn*16))"
			echo " outgoing-num-tcp: $(($rt_conn))"
			echo " incoming-num-tcp: $(($rt_conn))"
			echo " rrset-cache-size: $(($rt_mem*256))k"
			echo " msg-cache-size: $(($rt_mem*128))k"
			echo " stream-wait-size: $(($rt_mem*128))k"
			echo " key-cache-size: $(($rt_mem*128))k"
			echo " neg-cache-size: $(($rt_mem*32))k"
			echo " ratelimit-size: $(($rt_mem*32))k"
			echo " ip-ratelimit-size: $(($rt_mem*32))k"
			echo " infra-cache-numhosts: $(($rt_mem*256))"
			echo
		} >> $UB_CORE_CONF

	elif [ $UB_B_READY -eq 0 ] ; then
		logger -t unbound -s "default memory configuration"
	fi


	# Assembly of module-config: options is tricky; order matters
	# (modules are prepended, so the final string reads dns64 subnetcache
	# validator python iterator when everything is enabled)
	moduleopts="$( /usr/sbin/unbound -V )"
	modulestring="iterator"


	case $moduleopts in
		*with-python*)
			modulestring="python $modulestring"
			;;
	esac


	if [ $UB_B_DNSSEC -gt 0 ] ; then
		if [ $UB_B_NTP_BOOT -gt 0 ] ; then
			# DNSSEC chicken and egg with getting NTP time
			# (signature dates are ignored until unbound_mkdir() sees the time file)
			echo " val-override-date: -1" >> $UB_CORE_CONF
		fi


		{
			echo " harden-dnssec-stripped: yes"
			echo " val-clean-additional: yes"
			echo " ignore-cd-flag: yes"
		} >> $UB_CORE_CONF


		modulestring="validator $modulestring"
	fi


	case $moduleopts in
		*enable-subnet*)
			modulestring="subnetcache $modulestring"
			;;
	esac


	if [ $UB_B_DNS64 -gt 0 ] ; then
		echo " dns64-prefix: $UB_IP_DNS64" >> $UB_CORE_CONF

		modulestring="dns64 $modulestring"
	fi


	{
		# Print final module string
		echo " module-config: \"$modulestring\""
		echo
	} >> $UB_CORE_CONF


	case "$UB_D_RECURSION" in
		passive)
			{
				# Some query privacy but "strict" will break some servers
				if [ $UB_B_QRY_MINST -gt 0 ] && [ "$UB_B_QUERY_MIN" -gt 0 ] ; then
					echo " qname-minimisation: yes"
					echo " qname-minimisation-strict: yes"
				elif [ $UB_B_QUERY_MIN -gt 0 ] ; then
					echo " qname-minimisation: yes"
				else
					echo " qname-minimisation: no"
				fi
				# Use DNSSEC to quickly understand NXDOMAIN ranges
				if [ $UB_B_DNSSEC -gt 0 ] ; then
					echo " aggressive-nsec: yes"
					echo " prefetch-key: no"
				fi
				# On demand fetching
				echo " prefetch: no"
				echo " target-fetch-policy: \"0 0 0 0 0\""
				echo
			} >> $UB_CORE_CONF
			;;

		aggressive)
			{
				# Some query privacy but "strict" will break some servers
				if [ $UB_B_QRY_MINST -gt 0 ] && [ $UB_B_QUERY_MIN -gt 0 ] ; then
					echo " qname-minimisation: yes"
					echo " qname-minimisation-strict: yes"
				elif [ $UB_B_QUERY_MIN -gt 0 ] ; then
					echo " qname-minimisation: yes"
				else
					echo " qname-minimisation: no"
				fi
				# Use DNSSEC to quickly understand NXDOMAIN ranges
				if [ $UB_B_DNSSEC -gt 0 ] ; then
					echo " aggressive-nsec: yes"
					echo " prefetch-key: yes"
				fi
				# Prefetch what can be
				echo " prefetch: yes"
				echo " target-fetch-policy: \"3 2 1 0 0\""
				echo
			} >> $UB_CORE_CONF
			;;

		*)
			if [ $UB_B_READY -eq 0 ] ; then
				logger -t unbound -s "default recursion configuration"
			fi
			;;
	esac


	# only values strictly between 10 and 100000 enable rate limiting
	if [ 10 -lt $UB_N_RATE_LMT ] && [ $UB_N_RATE_LMT -lt 100000 ] ; then
		{
			# Protect the server from query floods which is helpful on weaker CPU
			# Per client rate limit is half the maximum to leave head room open
			echo " ratelimit: $UB_N_RATE_LMT"
			echo " ip-ratelimit: $(($UB_N_RATE_LMT/2))"
			echo
		} >> $UB_CORE_CONF
	fi


	{
		# Reload records more than 20 hours old
		# DNSSEC 5 minute bogus cool down before retry
		# Adaptive infrastructure info kept for 15 minutes
		echo " cache-min-ttl: $UB_TTL_MIN"
		echo " cache-max-ttl: 72000"
		echo " val-bogus-ttl: 300"
		echo " infra-host-ttl: 900"
		echo
	} >> $UB_CORE_CONF


	if [ $UB_B_HIDE_BIND -gt 0 ] ; then
		{
			# Block server id and version DNS TXT records
			echo " hide-identity: yes"
			echo " hide-version: yes"
			echo
		} >> $UB_CORE_CONF
	fi


	if [ $UB_D_PRIV_BLCK -gt 0 ] ; then
		{
			# Remove _upstream_ or global reponses with private addresses.
			# Unbounds own "local zone" and "forward zone" may still use these.
			# RFC1918, RFC3927, RFC4291, RFC6598, RFC6890
			echo " private-address: 10.0.0.0/8"
			echo " private-address: 100.64.0.0/10"
			echo " private-address: 169.254.0.0/16"
			echo " private-address: 172.16.0.0/12"
			echo " private-address: 192.168.0.0/16"
			echo " private-address: fc00::/7"
			echo " private-address: fe80::/10"
			echo
		} >> $UB_CORE_CONF
	fi


	if [ -n "$UB_LIST_NETW_LAN" ] && [ $UB_D_PRIV_BLCK -gt 1 ] ; then
		{
			for ifsubnet in $UB_LIST_NETW_LAN ; do
				case $ifsubnet in
					*@[1-9][0-9a-f][0-9a-f][0-9a-f]:*:[0-9a-f]*)
						# Remove global DNS responses with your local network IP6 GLA
						# (pattern picks the IP6 entries whose first hextet is not 0)
						echo " private-address: ${ifsubnet#*@}"
						;;
				esac
			done
			echo
		} >> $UB_CORE_CONF
	fi


	if [ $UB_B_LOCL_BLCK -gt 0 ] ; then
		{
			# Remove DNS reponses from upstream with loopback IP
			# Black hole DNS method for ad blocking, so consider...
			echo " private-address: 127.0.0.0/8"
			echo " private-address: ::1/128"
			echo
		} >> $UB_CORE_CONF
	fi


	if [ -n "$UB_LIST_INSECURE" ] ; then
		{
			for domain in $UB_LIST_INSECURE ; do
				# Except and accept domains without (DNSSEC); work around broken domains
				echo " domain-insecure: $domain"
			done
			echo
		} >> $UB_CORE_CONF
	fi


	if [ $UB_B_LOCL_SERV -gt 0 ] && [ -n "$UB_LIST_NETW_ALL" ] ; then
		{
			for ifsubnet in $UB_LIST_NETW_ALL ; do
				# Only respond to queries from subnets which have an interface.
				# Prevent DNS amplification attacks by not responding to the universe.
				echo " access-control: ${ifsubnet#*@} allow"
			done
			echo " access-control: 127.0.0.0/8 allow"
			echo " access-control: ::1/128 allow"
			echo " access-control: fe80::/10 allow"
			echo
		} >> $UB_CORE_CONF

	else
		{
			# NOTE(review): reached when local_service is off OR no interface
			# subnets were collected; every source address is then allowed on
			# every interface: above, i.e. an open resolver unless the firewall
			# limits port $UB_N_RX_PORT.
			echo " access-control: 0.0.0.0/0 allow"
			echo " access-control: ::0/0 allow"
			echo
		} >> $UB_CORE_CONF
	fi
}
1067
1068 ##############################################################################
1069
1070 unbound_hostname() {
1071 local ifsubnet ifarpa ifaddr ifname iffqdn
1072 local ulaprefix hostfqdn name names namerec ptrrec
1073 local zonetype=0
1074
1075 echo "# $UB_HOST_CONF generated by UCI $( date -Is )" > $UB_HOST_CONF
1076
1077
1078 if [ "$UB_D_DHCP_LINK" = "dnsmasq" ] ; then
1079 {
1080 echo "# Local zone is handled by dnsmasq"
1081 echo
1082 } >> $UB_HOST_CONF
1083
1084 elif [ -n "$UB_TXT_DOMAIN" ] \
1085 && { [ $UB_D_WAN_FQDN -gt 0 ] || [ $UB_D_LAN_FQDN -gt 0 ] ; } ; then
1086 case "$UB_D_DOMAIN_TYPE" in
1087 deny|inform_deny|refuse|static)
1088 {
1089 # type static means only this router has your domain
1090 echo " domain-insecure: $UB_TXT_DOMAIN"
1091 echo " private-domain: $UB_TXT_DOMAIN"
1092 echo " local-zone: $UB_TXT_DOMAIN $UB_D_DOMAIN_TYPE"
1093 echo " local-data: \"$UB_TXT_DOMAIN. $UB_XSOA\""
1094 echo " local-data: \"$UB_TXT_DOMAIN. $UB_XNS\""
1095 echo " local-data: '$UB_TXT_DOMAIN. $UB_XTXT'"
1096 echo
1097 if [ "$UB_TXT_DOMAIN" != "local" ] ; then
1098 # avoid involvement in RFC6762, unless it is the local zone name
1099 echo " local-zone: local always_nxdomain"
1100 echo
1101 fi
1102 } >> $UB_HOST_CONF
1103 zonetype=2
1104 ;;
1105
1106 inform|transparent|typetransparent)
1107 {
1108 # transparent will permit forward-zone: or stub-zone: clauses
1109 echo " private-domain: $UB_TXT_DOMAIN"
1110 echo " local-zone: $UB_TXT_DOMAIN $UB_D_DOMAIN_TYPE"
1111 echo
1112 } >> $UB_HOST_CONF
1113 zonetype=1
1114 ;;
1115 esac
1116
1117
1118 {
1119 # Hostname as TLD works, but not transparent through recursion (singular)
1120 echo " domain-insecure: $UB_TXT_HOSTNAME"
1121 echo " private-domain: $UB_TXT_HOSTNAME"
1122 echo " local-zone: $UB_TXT_HOSTNAME static"
1123 echo " local-data: \"$UB_TXT_HOSTNAME. $UB_XSOA\""
1124 echo " local-data: \"$UB_TXT_HOSTNAME. $UB_XNS\""
1125 echo " local-data: '$UB_TXT_HOSTNAME. $UB_XTXT'"
1126 echo
1127 } >> $UB_HOST_CONF
1128
1129
1130 if [ -n "$UB_LIST_NETW_WAN" ] ; then
1131 for ifsubnet in $UB_LIST_NETW_WAN ; do
1132 ifaddr=${ifsubnet#*@}
1133 ifaddr=${ifaddr%/*}
1134 ifarpa=$( host_ptr_any "$ifaddr" )
1135
1136
1137 if [ -n "$ifarpa" ] ; then
1138 if [ $UB_D_WAN_FQDN -gt 0 ] ; then
1139 {
1140 # Create a static zone for WAN host record only (singular)
1141 echo " domain-insecure: $ifarpa"
1142 echo " private-address: $ifaddr"
1143 echo " local-zone: $ifarpa static"
1144 echo " local-data: \"$ifarpa. $UB_XSOA\""
1145 echo " local-data: \"$ifarpa. $UB_XNS\""
1146 echo " local-data: '$ifarpa. $UB_MTXT'"
1147 echo
1148 } >> $UB_HOST_CONF
1149
1150 elif [ $zonetype -gt 0 ] ; then
1151 {
1152 echo " local-zone: $ifarpa transparent"
1153 echo
1154 } >> $UB_HOST_CONF
1155 fi
1156 fi
1157 done
1158 fi
1159
1160
1161 if [ -n "$UB_LIST_NETW_LAN" ] ; then
1162 for ifsubnet in $UB_LIST_NETW_LAN ; do
1163 ifarpa=$( domain_ptr_any "${ifsubnet#*@}" )
1164
1165
1166 if [ -n "$ifarpa" ] ; then
1167 if [ $zonetype -eq 2 ] ; then
1168 {
1169 # Do NOT forward queries with your ip6.arpa or in-addr.arpa
1170 echo " domain-insecure: $ifarpa"
1171 echo " local-zone: $ifarpa static"
1172 echo " local-data: \"$ifarpa. $UB_XSOA\""
1173 echo " local-data: \"$ifarpa. $UB_XNS\""
1174 echo " local-data: '$ifarpa. $UB_XTXT'"
1175 echo
1176 } >> $UB_HOST_CONF
1177
1178 elif [ $zonetype -eq 1 ] && [ $UB_D_PRIV_BLCK -eq 0 ] ; then
1179 {
1180 echo " local-zone: $ifarpa transparent"
1181 echo
1182 } >> $UB_HOST_CONF
1183 fi
1184 fi
1185 done
1186 fi
1187
1188
1189 ulaprefix=$( uci_get network.@globals[0].ula_prefix )
1190 ulaprefix=${ulaprefix%%:/*}
1191 hostfqdn="$UB_TXT_HOSTNAME.$UB_TXT_DOMAIN"
1192
1193
1194 if [ -z "$ulaprefix" ] ; then
1195 # Nonsense so this option isn't globbed below
1196 ulaprefix="fdno:such:addr::"
1197 fi
1198
1199
1200 if [ "$UB_LIST_NETW_LAN" ] && [ $UB_D_LAN_FQDN -gt 0 ] ; then
1201 for ifsubnet in $UB_LIST_NETW_LAN ; do
1202 ifaddr=${ifsubnet#*@}
1203 ifaddr=${ifaddr%/*}
1204 ifname=${ifsubnet%@*}
1205 iffqdn="$ifname.$hostfqdn"
1206
1207
1208 if [ $UB_D_LAN_FQDN -eq 4 ] ; then
1209 names="$iffqdn $hostfqdn $UB_TXT_HOSTNAME"
1210 ptrrec=" local-data-ptr: \"$ifaddr 300 $iffqdn\""
1211 echo "$ptrrec" >> $UB_HOST_CONF
1212
1213 elif [ $UB_D_LAN_FQDN -eq 3 ] ; then
1214 names="$hostfqdn $UB_TXT_HOSTNAME"
1215 ptrrec=" local-data-ptr: \"$ifaddr 300 $hostfqdn\""
1216 echo "$ptrrec" >> $UB_HOST_CONF
1217
1218 else
1219 names="$UB_TXT_HOSTNAME"
1220 ptrrec=" local-data-ptr: \"$ifaddr 300 $UB_TXT_HOSTNAME\""
1221 echo "$ptrrec" >> $UB_HOST_CONF
1222 fi
1223
1224
1225 for name in $names ; do
1226 case $ifaddr in
1227 "${ulaprefix}"*)
1228 # IP6 ULA only is assigned for OPTION 1
1229 namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
1230 echo "$namerec" >> $UB_HOST_CONF
1231 ;;
1232
1233 [1-9]*.*[0-9])
1234 namerec=" local-data: \"$name. 300 IN A $ifaddr\""
1235 echo "$namerec" >> $UB_HOST_CONF
1236 ;;
1237
1238 *)
1239 if [ $UB_D_LAN_FQDN -gt 1 ] ; then
1240 # IP6 GLA is assigned for higher options
1241 namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
1242 echo "$namerec" >> $UB_HOST_CONF
1243 fi
1244 ;;
1245 esac
1246 done
1247 echo >> $UB_HOST_CONF
1248 done
1249 fi
1250
1251
1252 if [ -n "$UB_LIST_NETW_WAN" ] && [ $UB_D_WAN_FQDN -gt 0 ] ; then
1253 for ifsubnet in $UB_LIST_NETW_WAN ; do
1254 ifaddr=${ifsubnet#*@}
1255 ifaddr=${ifaddr%/*}
1256 ifname=${ifsubnet%@*}
1257 iffqdn="$ifname.$hostfqdn"
1258
1259
1260 if [ $UB_D_WAN_FQDN -eq 4 ] ; then
1261 names="$iffqdn $hostfqdn $UB_TXT_HOSTNAME"
1262 ptrrec=" local-data-ptr: \"$ifaddr 300 $iffqdn\""
1263 echo "$ptrrec" >> $UB_HOST_CONF
1264
1265 elif [ $UB_D_WAN_FQDN -eq 3 ] ; then
1266 names="$hostfqdn $UB_TXT_HOSTNAME"
1267 ptrrec=" local-data-ptr: \"$ifaddr 300 $hostfqdn\""
1268 echo "$ptrrec" >> $UB_HOST_CONF
1269
1270 else
1271 names="$UB_TXT_HOSTNAME"
1272 ptrrec=" local-data-ptr: \"$ifaddr 300 $UB_TXT_HOSTNAME\""
1273 echo "$ptrrec" >> $UB_HOST_CONF
1274 fi
1275
1276
1277 for name in $names ; do
1278 case $ifaddr in
1279 "${ulaprefix}"*)
1280 # IP6 ULA only is assigned for OPTION 1
1281 namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
1282 echo "$namerec" >> $UB_HOST_CONF
1283 ;;
1284
1285 [1-9]*.*[0-9])
1286 namerec=" local-data: \"$name. 300 IN A $ifaddr\""
1287 echo "$namerec" >> $UB_HOST_CONF
1288 ;;
1289
1290 *)
1291 if [ $UB_D_WAN_FQDN -gt 1 ] ; then
1292 # IP6 GLA is assigned for higher options
1293 namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
1294 echo "$namerec" >> $UB_HOST_CONF
1295 fi
1296 ;;
1297 esac
1298 done
1299 echo >> $UB_HOST_CONF
1300 done
1301 fi
1302 fi # end if uci valid
1303 }
1304
1305 ##############################################################################
1306
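##############################################################################
# Return 0 when $1 is a non-empty string of decimal digits, else 1.
# Used before every "[ ... -lt/-gt ... ]" below: a malformed UCI value such
# as "abc" would otherwise make test print an error, evaluate false, and let
# the bad value pass through to unbound.conf unchanged.
ub_is_uint() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

##############################################################################
# Read the "unbound" UCI section named by $1 into the UB_* globals, resolve
# the dhcp_link selection against what is actually installed and enabled,
# and clamp numeric options that would otherwise misconfigure the server.
# Arguments: $1 - UCI section name (supplied by config_foreach)
# Globals:   writes UB_B_*, UB_N_*, UB_D_*, UB_IP_DNS64, UB_TTL_MIN,
#            UB_TXT_HOSTNAME, UB_TXT_DOMAIN; reads UB_B_READY
##############################################################################
unbound_uci() {
  local cfg="$1"
  local hostnm

  # Lower-case the system hostname; fall back to a fixed name when unset.
  # NOTE(review): the value is later written unquoted-safe but unvalidated
  # into local-data lines of the host conf; a hostname containing a double
  # quote would break that syntax - confirm whether uci already rejects it.
  hostnm=$( uci_get system.@system[0].hostname | awk '{print tolower($0)}' )
  UB_TXT_HOSTNAME=${hostnm:-thisrouter}

  config_get_bool UB_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0
  config_get_bool UB_B_DNS64 "$cfg" dns64 0
  config_get_bool UB_B_EXT_STATS "$cfg" extended_stats 0
  config_get_bool UB_B_HIDE_BIND "$cfg" hide_binddata 1
  config_get_bool UB_B_LOCL_SERV "$cfg" localservice 1
  config_get_bool UB_B_MAN_CONF "$cfg" manual_conf 0
  config_get_bool UB_B_QUERY_MIN "$cfg" query_minimize 0
  config_get_bool UB_B_QRY_MINST "$cfg" query_min_strict 0
  config_get_bool UB_B_AUTH_ROOT "$cfg" prefetch_root 0
  config_get_bool UB_B_LOCL_BLCK "$cfg" rebind_localhost 0
  config_get_bool UB_B_DNSSEC "$cfg" validator 0
  config_get_bool UB_B_NTP_BOOT "$cfg" validator_ntp 1
  config_get_bool UB_B_IF_AUTO "$cfg" interface_auto 1

  config_get UB_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96"

  config_get UB_N_EDNS_SIZE "$cfg" edns_size 1280
  config_get UB_N_RX_PORT "$cfg" listen_port 53
  config_get UB_N_ROOT_AGE "$cfg" root_age 9
  config_get UB_N_THREADS "$cfg" num_threads 1
  config_get UB_N_RATE_LMT "$cfg" rate_limit 0

  config_get UB_D_CONTROL "$cfg" unbound_control 0
  config_get UB_D_DOMAIN_TYPE "$cfg" domain_type static
  config_get UB_D_DHCP_LINK "$cfg" dhcp_link none
  config_get UB_D_EXTRA_DNS "$cfg" add_extra_dns 0
  config_get UB_D_LAN_FQDN "$cfg" add_local_fqdn 0
  config_get UB_D_PRIV_BLCK "$cfg" rebind_protection 1
  config_get UB_D_PROTOCOL "$cfg" protocol mixed
  config_get UB_D_RECURSION "$cfg" recursion passive
  config_get UB_D_RESOURCE "$cfg" resource small
  config_get UB_D_VERBOSE "$cfg" verbosity 1
  config_get UB_D_WAN_FQDN "$cfg" add_wan_fqdn 0

  config_get UB_TTL_MIN "$cfg" ttl_min 120
  config_get UB_TXT_DOMAIN "$cfg" domain lan

  config_list_foreach "$cfg" domain_insecure bundle_domain_insecure


  if [ "$UB_D_DHCP_LINK" = "none" ] ; then
    # Legacy boolean kept for old configs; the dhcp_link selector wins.
    config_get_bool UB_B_DNSMASQ "$cfg" dnsmasq_link_dns 0


    if [ "$UB_B_DNSMASQ" -gt 0 ] ; then
      UB_D_DHCP_LINK=dnsmasq


      if [ "$UB_B_READY" -eq 0 ] ; then
        logger -t unbound -s "Please use 'dhcp_link' selector instead"
      fi
    fi
  fi


  if [ "$UB_D_DHCP_LINK" = "dnsmasq" ] ; then
    # Only link when the binary, its init script and its enable flag agree.
    if [ ! -x /usr/sbin/dnsmasq ] || [ ! -x /etc/init.d/dnsmasq ] ; then
      UB_D_DHCP_LINK=none
    else
      /etc/init.d/dnsmasq enabled || UB_D_DHCP_LINK=none
    fi


    if [ "$UB_B_READY" -eq 0 ] && [ "$UB_D_DHCP_LINK" = "none" ] ; then
      logger -t unbound -s "cannot forward to dnsmasq"
    fi
  fi


  if [ "$UB_D_DHCP_LINK" = "odhcpd" ] ; then
    if [ ! -x /usr/sbin/odhcpd ] || [ ! -x /etc/init.d/odhcpd ] ; then
      UB_D_DHCP_LINK=none
    else
      /etc/init.d/odhcpd enabled || UB_D_DHCP_LINK=none
    fi


    if [ "$UB_B_READY" -eq 0 ] && [ "$UB_D_DHCP_LINK" = "none" ] ; then
      logger -t unbound -s "cannot receive records from odhcpd"
    fi
  fi


  # Non-numeric values take the "|| ! ub_is_uint" short-circuit and are
  # reset exactly like out-of-range ones, so they never reach the conf.
  if ! ub_is_uint "$UB_N_EDNS_SIZE" \
    || [ "$UB_N_EDNS_SIZE" -lt 512 ] || [ 4096 -lt "$UB_N_EDNS_SIZE" ] ; then
    logger -t unbound -s "edns_size exceeds range, using default"
    UB_N_EDNS_SIZE=1280
  fi


  # 53 is always allowed; otherwise only unprivileged 4-digit ports.
  if ! ub_is_uint "$UB_N_RX_PORT" \
    || { [ "$UB_N_RX_PORT" -ne 53 ] \
      && { [ "$UB_N_RX_PORT" -lt 1024 ] || [ 10240 -lt "$UB_N_RX_PORT" ] ; } ; } ; then
    logger -t unbound -s "privileged port or in 5 digits, using default"
    UB_N_RX_PORT=53
  fi


  if ! ub_is_uint "$UB_TTL_MIN" || [ "$UB_TTL_MIN" -gt 1800 ] ; then
    logger -t unbound -s "ttl_min could have had awful side effects, using 300"
    UB_TTL_MIN=300
  fi
}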
1415
1416 ##############################################################################
1417
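##############################################################################
# Append generated fragment $1 to $UB_TOTAL_CONF and delete it. Skips when
# $1 is empty or not a regular file; the quoted test matters because an
# unset path would otherwise degenerate into "[ -f ]", which is true, and
# "cat" with no file argument would then block on stdin.
##############################################################################
ub_merge_fragment() {
  if [ -f "$1" ] ; then
    cat "$1" >> "$UB_TOTAL_CONF"
    rm "$1"
  fi
}

##############################################################################
# Write an "include:" clause for user-owned file $1 into $UB_TOTAL_CONF when
# it exists. The file itself is left in place for its owner to manage.
##############################################################################
ub_include_fragment() {
  if [ -f "$1" ] ; then
    {
      echo "include: $1"
      echo
    } >> "$UB_TOTAL_CONF"
  fi
}

##############################################################################
# Assemble $UB_TOTAL_CONF from the per-feature fragments written earlier.
# Fragments generated by this script are copied in and removed; files that
# belong to the user or to other packages (UB_SRV_CONF, UB_EXT_CONF,
# UB_DHCP_CONF, adblock lists) are referenced with "include:" instead.
# Order of the fragments is preserved from the previous implementation.
# Globals:  reads UB_VARDIR and the UB_*_CONF paths; rewrites $UB_TOTAL_CONF
##############################################################################
unbound_include() {
  local adb_file
  local adb_found=0

  # Detect at least one adblock list with the glob itself instead of
  # parsing "ls" output (an unmatched glob stays literal and fails -f).
  for adb_file in "$UB_VARDIR"/adb_list.* ; do
    if [ -f "$adb_file" ] ; then
      adb_found=1
      break
    fi
  done

  echo "# $UB_TOTAL_CONF generated by UCI $( date -Is )" > "$UB_TOTAL_CONF"

  # Yes this all looks busy, but it is in TMPFS. Working on separate files
  # and piecing together is easier. UCI order is less constrained.
  ub_merge_fragment "$UB_CORE_CONF"
  # UCI definitions of local host or local subnet
  ub_merge_fragment "$UB_HOST_CONF"
  # UCI found link to dnsmasq
  ub_merge_fragment "$UB_SRVMASQ_CONF"
  # Seed DHCP records because dhcp scripts trigger externally
  # Incremental Unbound restarts may drop unbound-control records
  ub_include_fragment "$UB_DHCP_CONF"


  if [ "$adb_found" -eq 1 ] && [ -x /usr/bin/adblock.sh ] \
    && [ -x /etc/init.d/adblock ] && /etc/init.d/adblock enabled ; then
    {
      # Pull in your selected openwrt/packages/net/adblock generated lists
      echo "include: $UB_VARDIR/adb_list.*"
      echo
    } >> "$UB_TOTAL_CONF"
  fi


  # Pull your own "server:" options here
  ub_include_fragment "$UB_SRV_CONF"
  # UCI defined forward, stub, and auth zones
  ub_merge_fragment "$UB_ZONE_CONF"
  # UCI defined control application connection
  ub_merge_fragment "$UB_CTRL_CONF"
  # UCI found link to dnsmasq
  ub_merge_fragment "$UB_EXTMASQ_CONF"
  # Pull your own extend feature clauses here
  ub_include_fragment "$UB_EXT_CONF"
}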
1512
1513 ##############################################################################
1514
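##############################################################################
# Decide who owns $UB_RESOLV_CONF. Only when Unbound serves port 53 and no
# enabled dnsmasq is already answering there is the system resolver file
# rewritten to point at 127.0.0.1 / ::1.
# Globals:  reads UB_N_RX_PORT, UB_RESOLV_CONF, UB_TXT_DOMAIN
# Outputs:  may replace $UB_RESOLV_CONF
##############################################################################
resolv_setup() {
  if [ "$UB_N_RX_PORT" != "53" ] ; then
    # unbound is not the default on target resolver; leave the file alone.
    :

  elif [ -x /etc/init.d/dnsmasq ] \
    && /etc/init.d/dnsmasq enabled \
    && nslookup localhost 127.0.0.1#53 >/dev/null 2>&1 ; then
    # unbound is configured for port 53, but dnsmasq is enabled, and a resolver
    # is already listening on port 53. Let dnsmasq manage resolve.conf.
    # This also works to prevent clobbering while changing UCI.
    :

  else
    # unbound listens on 127.0.0.1#53 so set resolver file to local.
    # Remove first so a symlink is replaced by a regular file, not followed.
    rm -f "$UB_RESOLV_CONF"

    {
      echo "# $UB_RESOLV_CONF generated by Unbound UCI $( date -Is )"
      echo "nameserver 127.0.0.1"
      echo "nameserver ::1"
      echo "search $UB_TXT_DOMAIN."
    } > "$UB_RESOLV_CONF"
  fi
}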
1540
1541 ##############################################################################
1542
##############################################################################
# Entry point for a (re)start: load UCI, generate every configuration
# fragment, merge them, and hand the system resolver to Unbound when that is
# appropriate. With manual_conf set only the directory setup and the
# resolver decision run; the generated conf is left untouched.
# Globals:  reads UB_B_MAN_CONF; all other state is handled by the callees
##############################################################################
unbound_start() {
  config_load unbound
  config_foreach unbound_uci unbound
  unbound_mkdir


  if [ "$UB_B_MAN_CONF" -eq 0 ] ; then
    # forward-zone:, auth-zone: and stub-zone: are collected before any
    # other UCI section is read.
    config_foreach unbound_zone zone
    # Gather the interfaces and subnets that may carry local DNS RR:
    # network, then dhcp, then whatever is left as WAN.
    config_load network
    config_foreach bundle_all_networks interface
    config_load dhcp
    config_foreach bundle_lan_networks dhcp
    bundle_wan_networks
    # Fragment generators, in the order their output is later merged.
    unbound_conf      # server:
    unbound_hostname  # server: local host records
    unbound_control   # control:
    dnsmasq_link      # dnsmasq hand-off, both directions
    unbound_include   # stitch the fragments into the final conf
  fi


  resolv_setup
}
1573
1574 ##############################################################################
1575