2 ##############################################################################
4 # This program is free software; you can redistribute it and/or modify
5 # it under the terms of the GNU General Public License version 2 as
6 # published by the Free Software Foundation.
8 # This program is distributed in the hope that it will be useful,
9 # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 # GNU General Public License for more details.
13 # Copyright (C) 2016 Eric Luehrsen
15 ##############################################################################
17 # Unbound is a full featured recursive server with many options. The UCI
18 # provided tries to simplify and bundle options. This should make Unbound
19 # easier to deploy. Even light duty routers may resolve recursively instead of
20 # depending on a stub with the ISP. The UCI also attempts to replicate dnsmasq
21 # features as used in base LEDE/OpenWrt. If there is a desire for more
22 # detailed tuning, then manual conf file overrides are also made available.
24 ##############################################################################
43 UB_D_DOMAIN_TYPE
=static
50 UB_D_RECURSION
=passive
54 UB_IP_DNS64
="64:ff9b::/96"
64 UB_TXT_HOSTNAME
=thisrouter
66 ##############################################################################
68 # reset as a combo with UB_B_NTP_BOOT and some time stamp files
71 # keep track of assignments during inserted resource records
76 UB_LIST_ZONE_SERVERS
=""
79 ##############################################################################
82 .
/lib
/functions
/network.sh
84 .
/usr
/lib
/unbound
/defaults.sh
85 .
/usr
/lib
/unbound
/dnsmasq.sh
86 .
/usr
/lib
/unbound
/iptools.sh
88 ##############################################################################
90 bundle_all_networks
() {
92 local ifname ifdashname validip
93 local subnet subnets subnets4 subnets6
95 network_get_subnets subnets4
"$cfg"
96 network_get_subnets6 subnets6
"$cfg"
97 network_get_device ifname
"$cfg"
99 ifdashname
="${ifname//./-}"
100 subnets
="$subnets4 $subnets6"
103 if [ -n "$subnets" ] ; then
104 for subnet
in $subnets ; do
105 validip
=$
( valid_subnet_any
$subnet )
108 if [ "$validip" = "ok" ] ; then
109 UB_LIST_NETW_ALL
="$UB_LIST_NETW_ALL $ifdashname@$subnet"
115 ##############################################################################
117 bundle_lan_networks
() {
119 local interface ifsubnet ifname ifdashname ignore
121 config_get_bool ignore
"$cfg" ignore
0
122 config_get interface
"$cfg" interface
""
123 network_get_device ifname
"$interface"
124 ifdashname
="${ifname//./-}"
127 if [ $ignore -eq 0 ] && [ -n "$ifdashname" ] \
128 && [ -n "$UB_LIST_NETW_ALL" ] ; then
129 for ifsubnet
in $UB_LIST_NETW_ALL ; do
132 # Special GLA protection for local block; ULA protected default
133 UB_LIST_NETW_LAN
="$UB_LIST_NETW_LAN $ifsubnet"
140 ##############################################################################
142 bundle_wan_networks
() {
146 if [ -n "$UB_LIST_NETW_ALL" ] ; then
147 for ifsubnet
in $UB_LIST_NETW_ALL ; do
148 case $UB_LIST_NETW_LAN in
150 # If LAN, then not WAN ...
154 UB_LIST_NETW_WAN
="$UB_LIST_NETW_WAN $ifsubnet"
161 ##############################################################################
163 bundle_resolv_conf_servers
() {
164 local resolvers
=$
( awk '/nameserver/ { print $2 }' $UB_RESOLV_AUTO )
165 UB_LIST_ZONE_SERVERS
="$UB_LIST_ZONE_SERVERS $resolvers"
168 ##############################################################################
170 bundle_zone_names
() {
171 UB_LIST_ZONE_NAMES
="$UB_LIST_ZONE_NAMES $1"
174 ##############################################################################
176 bundle_zone_servers
() {
177 UB_LIST_ZONE_SERVERS
="$UB_LIST_ZONE_SERVERS $1"
180 ##############################################################################
182 bundle_domain_insecure
() {
183 UB_LIST_INSECURE
="$UB_LIST_INSECURE $1"
186 ##############################################################################
192 if [ "$UB_D_DHCP_LINK" = "odhcpd" ] ; then
193 local dhcp_origin
=$
( uci_get dhcp.@odhcpd
[0].leasefile
)
194 local dhcp_dir
=$
( dirname $dhcp_origin )
197 if [ ! -d "$dhcp_dir" ] ; then
198 # make sure odhcpd has a directory to write (not done itself, yet)
204 if [ -f $UB_RKEY_FILE ] ; then
205 filestuff
=$
( cat $UB_RKEY_FILE )
209 *"state=2 [ VALID ]"*)
210 # Lets not lose RFC 5011 tracking if we don't have to
211 cp -p $UB_RKEY_FILE $UB_RKEY_FILE.keep
217 # Blind copy /etc/unbound to /var/lib/unbound
219 rm -f $UB_VARDIR/dhcp_
*
221 cp -p /etc
/unbound
/* $UB_VARDIR/
224 if [ ! -f $UB_RHINT_FILE ] ; then
225 if [ -f /usr
/share
/dns
/root.hints
] ; then
226 # Debian-like package dns-root-data
227 cp -p /usr
/share
/dns
/root.hints
$UB_RHINT_FILE
229 elif [ $UB_B_READY -eq 0 ] ; then
230 logger
-t unbound
-s "default root hints (built in root-servers.net)"
235 if [ ! -f $UB_RKEY_FILE ] ; then
236 if [ -f /usr
/share
/dns
/root.key
] ; then
237 # Debian-like package dns-root-data
238 cp -p /usr
/share
/dns
/root.key
$UB_RKEY_FILE
240 elif [ -x $UB_ANCHOR ] ; then
241 $UB_ANCHOR -a $UB_RKEY_FILE
243 elif [ $UB_B_READY -eq 0 ] ; then
244 logger
-t unbound
-s "default trust anchor (built in root DS record)"
249 if [ -f $UB_RKEY_FILE.keep
] ; then
250 # root.key.keep is reused if newest
251 cp -u $UB_RKEY_FILE.keep
$UB_RKEY_FILE
252 rm -f $UB_RKEY_FILE.keep
256 if [ -f $UB_TLS_ETC_FILE ] ; then
257 # copy the cert bundle into jail
258 cp -p $UB_TLS_ETC_FILE $UB_TLS_FWD_FILE
262 # Ensure access and prepare to jail
263 chown
-R unbound
:unbound
$UB_VARDIR
265 chmod 644 $UB_VARDIR/*
268 if [ -f $UB_CTLKEY_FILE ] ||
[ -f $UB_CTLPEM_FILE ] \
269 ||
[ -f $UB_SRVKEY_FILE ] ||
[ -f $UB_SRVPEM_FILE ] ; then
270 # Keys (some) exist already; do not create new ones
271 chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
272 $UB_SRVKEY_FILE $UB_SRVPEM_FILE
274 elif [ -x /usr
/sbin
/unbound-control-setup
] ; then
275 case "$UB_D_CONTROL" in
277 # unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static"
278 /usr
/sbin
/unbound-control-setup
-d $UB_VARDIR
280 chown
-R unbound
:unbound
$UB_CTLKEY_FILE $UB_CTLPEM_FILE \
281 $UB_SRVKEY_FILE $UB_SRVPEM_FILE
283 chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
284 $UB_SRVKEY_FILE $UB_SRVPEM_FILE
286 cp -p $UB_CTLKEY_FILE /etc
/unbound
/unbound_control.key
287 cp -p $UB_CTLPEM_FILE /etc
/unbound
/unbound_control.pem
288 cp -p $UB_SRVKEY_FILE /etc
/unbound
/unbound_server.key
289 cp -p $UB_SRVPEM_FILE /etc
/unbound
/unbound_server.pem
295 if [ -f "$UB_TIME_FILE" ] ; then
296 # NTP is done so its like you actually had an RTC
300 elif [ $UB_B_NTP_BOOT -eq 0 ] ; then
301 # time is considered okay on this device (ignore /etc/hotplug/ntpd/unbound)
302 date -Is > $UB_TIME_FILE
307 # DNSSEC-TIME will not reconcile
313 ##############################################################################
316 echo "# $UB_CTRL_CONF generated by UCI $( date -Is )" > $UB_CTRL_CONF
319 if [ $UB_D_CONTROL -gt 1 ] ; then
320 if [ ! -f $UB_CTLKEY_FILE ] ||
[ ! -f $UB_CTLPEM_FILE ] \
321 ||
[ ! -f $UB_SRVKEY_FILE ] ||
[ ! -f $UB_SRVPEM_FILE ] ; then
322 # Key files need to be present; if unbound-control-setup was found, then
323 # they might have been made during unbound_makedir() above.
329 case "$UB_D_CONTROL" in
332 # Local Host Only Unencrypted Remote Control
333 echo "remote-control:"
334 echo " control-enable: yes"
335 echo " control-use-cert: no"
336 echo " control-interface: 127.0.0.1"
337 echo " control-interface: ::1"
344 # Local Host Only Encrypted Remote Control
345 echo "remote-control:"
346 echo " control-enable: yes"
347 echo " control-use-cert: yes"
348 echo " control-interface: 127.0.0.1"
349 echo " control-interface: ::1"
350 echo " server-key-file: $UB_SRVKEY_FILE"
351 echo " server-cert-file: $UB_SRVPEM_FILE"
352 echo " control-key-file: $UB_CTLKEY_FILE"
353 echo " control-cert-file: $UB_CTLPEM_FILE"
360 # Network Encrypted Remote Control
361 # (3) may auto setup and (4) must have static key/pem files
362 # TODO: add UCI list for interfaces to bind
363 echo "remote-control:"
364 echo " control-enable: yes"
365 echo " control-use-cert: yes"
366 echo " control-interface: 0.0.0.0"
367 echo " control-interface: ::0"
368 echo " server-key-file: $UB_SRVKEY_FILE"
369 echo " server-cert-file: $UB_SRVPEM_FILE"
370 echo " control-key-file: $UB_CTLKEY_FILE"
371 echo " control-cert-file: $UB_CTLPEM_FILE"
378 ##############################################################################
383 local servers_host
=""
384 local zone_sym zone_name zone_type zone_enabled zone_file
385 local tls_upstream fallback
386 local server port tls_port tls_index tls_suffix url_dir dns_ast
388 if [ ! -f "$UB_ZONE_CONF" ] ; then
389 echo "# $UB_ZONE_CONF generated by UCI $( date -Is )" > $UB_ZONE_CONF
393 config_get_bool zone_enabled
"$cfg" enabled
0
396 if [ $zone_enabled -eq 1 ] ; then
397 # these lists are built for each zone; empty to start
398 UB_LIST_ZONE_NAMES
=""
399 UB_LIST_ZONE_SERVERS
=""
401 config_get zone_type
"$cfg" zone_type
""
402 config_get port
"$cfg" port
""
403 config_get tls_index
"$cfg" tls_index
""
404 config_get tls_port
"$cfg" tls_port
853
405 config_get url_dir
"$cfg" url_dir
""
406 config_get dns_ast
"$cfg" dns_assist none
408 config_get_bool resolv_conf
"$cfg" resolv_conf
0
409 config_get_bool fallback
"$cfg" fallback
1
410 config_get_bool tls_upstream
"$cfg" tls_upstream
0
412 config_list_foreach
"$cfg" zone_name bundle_zone_names
413 config_list_foreach
"$cfg" server bundle_zone_servers
415 # string formating for Unbound syntax
416 tls_suffix
="${tls_port:+@${tls_port}${tls_index:+#${tls_index}}}"
417 [ $fallback -eq 0 ] && fallback
=no || fallback
=yes
418 [ $tls_upstream -eq 0 ] && tls_upstream
=no || tls_upstream
=yes
421 if [ $resolv_conf -eq 1 ] ; then
422 bundle_resolv_conf_servers
432 if [ -x /usr
/sbin
/bind ] && [ -x /etc
/init.d
/bind ] ; then
433 if /etc
/init.d
/bind enabled
; then
444 if [ -x /usr
/sbin
/dnsmasq
] && [ -x /etc
/init.d
/dnsmasq
] ; then
445 if /etc
/init.d
/dnsmasq enabled
; then
456 if [ -x /usr
/sbin
/ipset-dns
] && [ -x /etc
/init.d
/ipset-dns
] ; then
457 if /etc
/init.d
/ipset-dns enabled
; then
468 if [ -x /usr
/sbin
/nsd
] && [ -x /etc
/init.d
/nsd
] ; then
469 if /etc
/init.d
/nsd enabled
; then
480 # Prevent a soft-brick event through local forwarding loops. Declare your
481 # assistant program and this will check to be sure it is there.
486 if [ $dns_ast -gt 0 ] ; then
493 if [ $UB_B_NTP_BOOT -eq 0 ] && [ -n "$UB_LIST_ZONE_NAMES" ] \
494 && { [ -n "$url_dir" ] ||
[ -n "$UB_LIST_ZONE_SERVERS" ] ; } ; then
495 # Note AXFR may have large downloads. If NTP restart is configured,
496 # then this can cause procd to force a process kill.
497 for zone_name
in $UB_LIST_ZONE_NAMES ; do
498 if [ "$zone_name" = "." ] ; then
504 zone_file
=$zone_name.zone
505 zone_file
=${zone_file//../.}
510 # generate an auth-zone: with switches for prefetch cache
512 echo " name: $zone_sym"
513 for server
in $UB_LIST_ZONE_SERVERS ; do
514 echo " master: $server${port:+@${port}}"
516 if [ -n "$url_dir" ] ; then
517 echo " url: $url_dir$zone_file"
519 echo " fallback-enabled: $fallback"
520 echo " for-downstream: no"
521 echo " for-upstream: yes"
522 echo " zonefile: $zone_file"
530 if [ ! -f $UB_TLS_FWD_FILE ] && [ "$tls_upstream" = "yes" ] ; then
531 logger
-p 4 -t unbound
-s \
532 "Forward-zone TLS benefits from authentication in package 'ca-bundle'"
536 if [ -n "$UB_LIST_ZONE_NAMES" ] && [ -n "$UB_LIST_ZONE_SERVERS" ] ; then
537 for server
in $UB_LIST_ZONE_SERVERS ; do
538 if [ "$( valid_subnet_any $server )" = "ok" ] \
539 ||
{ [ "$( local_subnet $server )" = "ok" ] \
540 && [ $dns_ast -gt 0 ] ; } ; then
542 *@
[0-9]*|
*#[A-Za-z0-9]*)
543 # unique Unbound option for server address
544 servers_ip
="$servers_ip $server"
548 if [ "$tls_upstream" = "yes" ] ; then
549 servers_ip
="$servers_ip $server$tls_suffix"
551 servers_ip
="$servers_ip $server${port:+@${port}}"
558 *@
[0-9]*|
*#[A-Za-z0-9]*)
559 # unique Unbound option for server host name
560 servers_host
="$servers_host $server"
564 if [ "$tls_upstream" = "yes" ] ; then
565 servers_host
="$servers_host $server${tls_port:+@${tls_port}}"
567 servers_host
="$servers_host $server${port:+@${port}}"
575 for zonename
in $UB_LIST_ZONE_NAMES ; do
577 # generate a forward-zone with or without tls
579 echo " name: $zonename"
580 for server
in $servers_host ; do
581 echo " forward-host: $server"
583 for server
in $servers_ip ; do
584 echo " forward-addr: $server"
586 echo " forward-first: $fallback"
587 echo " forward-tls-upstream: $tls_upstream"
595 if [ -n "$UB_LIST_ZONE_NAMES" ] && [ -n "$UB_LIST_ZONE_SERVERS" ] ; then
596 for zonename
in $UB_LIST_ZONE_NAMES ; do
598 # generate a stub-zone: or ensure short cut to authority NS
600 echo " name: $zonename"
601 for server
in $UB_LIST_ZONE_SERVERS ; do
602 echo " stub-addr: $server${port:+@${port}}"
604 echo " stub-first: $fallback"
613 echo " # Special zone $zonename was not enabled or had UCI conflicts."
620 ##############################################################################
623 local rt_mem rt_conn rt_buff modulestring domain ifsubnet moduleopts
626 # server: for this whole function
627 echo "# $UB_CORE_CONF generated by UCI $( date -Is )"
629 echo " username: unbound"
630 echo " chroot: $UB_VARDIR"
631 echo " directory: $UB_VARDIR"
632 echo " pidfile: $UB_PIDFILE"
636 if [ -f "$UB_TLS_FWD_FILE" ] ; then
637 # TLS cert bundle for upstream forwarder and https zone files
638 # This is loaded before drop to root, so pull from /etc/ssl
639 echo " tls-cert-bundle: $UB_TLS_FWD_FILE" >> $UB_CORE_CONF
643 if [ -f "$UB_RHINT_FILE" ] ; then
644 # Optional hints if found
645 echo " root-hints: $UB_RHINT_FILE" >> $UB_CORE_CONF
649 if [ $UB_B_DNSSEC -gt 0 ] && [ -f "$UB_RKEY_FILE" ] ; then
651 echo " auto-trust-anchor-file: $UB_RKEY_FILE"
656 echo >> $UB_CORE_CONF
660 if [ $UB_N_THREADS -gt 1 ] \
661 && $PROG -V |
grep -q "Linked libs:.*libevent" ; then
662 # heavy variant using "threads" may need substantial resources
663 echo " num-threads: 2" >> $UB_CORE_CONF
665 # light variant with one "process" is much more efficient with light traffic
666 echo " num-threads: 1" >> $UB_CORE_CONF
671 # Limited threading (2) with one shared slab
672 echo " msg-cache-slabs: 1"
673 echo " rrset-cache-slabs: 1"
674 echo " infra-cache-slabs: 1"
675 echo " key-cache-slabs: 1"
676 echo " ratelimit-slabs: 1"
677 echo " ip-ratelimit-slabs: 1"
680 echo " use-syslog: yes"
681 echo " statistics-interval: 0"
682 echo " statistics-cumulative: no"
686 if [ $UB_D_VERBOSE -ge 0 ] && [ $UB_D_VERBOSE -le 5 ] ; then
687 echo " verbosity: $UB_D_VERBOSE" >> $UB_CORE_CONF
691 if [ $UB_B_EXT_STATS -gt 0 ] ; then
694 echo " extended-statistics: yes"
701 echo " extended-statistics: no"
707 if [ $UB_B_IF_AUTO -gt 0 ] ; then
708 echo " interface-automatic: yes" >> $UB_CORE_CONF
712 if [ $UB_B_DNS_ASSIST -gt 0 ] ; then
713 echo " do-not-query-localhost: no" >> $UB_CORE_CONF
717 case "$UB_D_PROTOCOL" in
720 echo " edns-buffer-size: $UB_N_EDNS_SIZE"
721 echo " port: $UB_N_RX_PORT"
722 echo " outgoing-port-permit: 10240-65535"
723 echo " interface: 0.0.0.0"
724 echo " outgoing-interface: 0.0.0.0"
733 echo " edns-buffer-size: $UB_N_EDNS_SIZE"
734 echo " port: $UB_N_RX_PORT"
735 echo " outgoing-port-permit: 10240-65535"
736 echo " interface: ::0"
737 echo " outgoing-interface: ::0"
746 echo " edns-buffer-size: $UB_N_EDNS_SIZE"
747 echo " port: $UB_N_RX_PORT"
748 echo " outgoing-port-permit: 10240-65535"
749 echo " interface: 0.0.0.0"
750 echo " interface: ::0"
751 echo " outgoing-interface: 0.0.0.0"
760 echo " edns-buffer-size: $UB_N_EDNS_SIZE"
761 echo " port: $UB_N_RX_PORT"
762 echo " outgoing-port-permit: 10240-65535"
763 echo " interface: 0.0.0.0"
764 echo " interface: ::0"
765 echo " outgoing-interface: 0.0.0.0"
766 echo " outgoing-interface: ::0"
769 echo " prefer-ip6: yes"
776 # Interface Wildcard (access contol handled by "option local_service")
777 echo " edns-buffer-size: $UB_N_EDNS_SIZE"
778 echo " port: $UB_N_RX_PORT"
779 echo " outgoing-port-permit: 10240-65535"
780 echo " interface: 0.0.0.0"
781 echo " interface: ::0"
782 echo " outgoing-interface: 0.0.0.0"
783 echo " outgoing-interface: ::0"
791 if [ $UB_B_READY -eq 0 ] ; then
792 logger
-t unbound
-s "default protocol configuration"
797 # outgoing-interface has useful defaults; incoming is localhost though
798 echo " edns-buffer-size: $UB_N_EDNS_SIZE"
799 echo " port: $UB_N_RX_PORT"
800 echo " outgoing-port-permit: 10240-65535"
801 echo " interface: 0.0.0.0"
802 echo " interface: ::0"
809 case "$UB_D_RESOURCE" in
810 # Tiny - Unbound's recommended cheap hardware config
811 tiny
) rt_mem
=1 ; rt_conn
=5 ; rt_buff
=1 ;;
812 # Small - Half RRCACHE and open ports
813 small
) rt_mem
=8 ; rt_conn
=10 ; rt_buff
=2 ;;
814 # Medium - Nearly default but with some added balancintg
815 medium
) rt_mem
=16 ; rt_conn
=20 ; rt_buff
=4 ;;
816 # Large - Double medium
817 large
) rt_mem
=32 ; rt_conn
=50 ; rt_buff
=4 ;;
818 # Whatever unbound does
819 *) rt_mem
=0 ; rt_conn
=0 ;;
823 if [ $rt_mem -gt 0 ] ; then
825 # Other harding and options for an embedded router
826 echo " harden-short-bufsize: yes"
827 echo " harden-large-queries: yes"
828 echo " harden-glue: yes"
829 echo " use-caps-for-id: no"
831 # Set memory sizing parameters
832 echo " msg-buffer-size: $(($rt_buff*8192))"
833 echo " outgoing-range: $(($rt_conn*32))"
834 echo " num-queries-per-thread: $(($rt_conn*16))"
835 echo " outgoing-num-tcp: $(($rt_conn))"
836 echo " incoming-num-tcp: $(($rt_conn))"
837 echo " rrset-cache-size: $(($rt_mem*256))k"
838 echo " msg-cache-size: $(($rt_mem*128))k"
839 echo " stream-wait-size: $(($rt_mem*128))k"
840 echo " key-cache-size: $(($rt_mem*128))k"
841 echo " neg-cache-size: $(($rt_mem*32))k"
842 echo " ratelimit-size: $(($rt_mem*32))k"
843 echo " ip-ratelimit-size: $(($rt_mem*32))k"
844 echo " infra-cache-numhosts: $(($rt_mem*256))"
848 elif [ $UB_B_READY -eq 0 ] ; then
849 logger
-t unbound
-s "default memory configuration"
853 # Assembly of module-config: options is tricky; order matters
854 moduleopts
="$( /usr/sbin/unbound -V )"
855 modulestring
="iterator"
860 modulestring
="python $modulestring"
865 if [ $UB_B_DNSSEC -gt 0 ] ; then
866 if [ $UB_B_NTP_BOOT -gt 0 ] ; then
867 # DNSSEC chicken and egg with getting NTP time
868 echo " val-override-date: -1" >> $UB_CORE_CONF
873 echo " harden-dnssec-stripped: yes"
874 echo " val-clean-additional: yes"
875 echo " ignore-cd-flag: yes"
879 modulestring
="validator $modulestring"
885 modulestring
="subnetcache $modulestring"
890 if [ $UB_B_DNS64 -gt 0 ] ; then
891 echo " dns64-prefix: $UB_IP_DNS64" >> $UB_CORE_CONF
893 modulestring
="dns64 $modulestring"
898 # Print final module string
899 echo " module-config: \"$modulestring\""
904 case "$UB_D_RECURSION" in
907 # Some query privacy but "strict" will break some servers
908 if [ $UB_B_QRY_MINST -gt 0 ] && [ "$UB_B_QUERY_MIN" -gt 0 ] ; then
909 echo " qname-minimisation: yes"
910 echo " qname-minimisation-strict: yes"
911 elif [ $UB_B_QUERY_MIN -gt 0 ] ; then
912 echo " qname-minimisation: yes"
914 echo " qname-minimisation: no"
916 # Use DNSSEC to quickly understand NXDOMAIN ranges
917 if [ $UB_B_DNSSEC -gt 0 ] ; then
918 echo " aggressive-nsec: yes"
919 echo " prefetch-key: no"
923 echo " target-fetch-policy: \"0 0 0 0 0\""
930 # Some query privacy but "strict" will break some servers
931 if [ $UB_B_QRY_MINST -gt 0 ] && [ $UB_B_QUERY_MIN -gt 0 ] ; then
932 echo " qname-minimisation: yes"
933 echo " qname-minimisation-strict: yes"
934 elif [ $UB_B_QUERY_MIN -gt 0 ] ; then
935 echo " qname-minimisation: yes"
937 echo " qname-minimisation: no"
939 # Use DNSSEC to quickly understand NXDOMAIN ranges
940 if [ $UB_B_DNSSEC -gt 0 ] ; then
941 echo " aggressive-nsec: yes"
942 echo " prefetch-key: yes"
944 # Prefetch what can be
945 echo " prefetch: yes"
946 echo " target-fetch-policy: \"3 2 1 0 0\""
952 if [ $UB_B_READY -eq 0 ] ; then
953 logger
-t unbound
-s "default recursion configuration"
959 if [ 10 -lt $UB_N_RATE_LMT ] && [ $UB_N_RATE_LMT -lt 100000 ] ; then
961 # Protect the server from query floods which is helpful on weaker CPU
962 # Per client rate limit is half the maximum to leave head room open
963 echo " ratelimit: $UB_N_RATE_LMT"
964 echo " ip-ratelimit: $(($UB_N_RATE_LMT/2))"
971 # Reload records more than 20 hours old
972 # DNSSEC 5 minute bogus cool down before retry
973 # Adaptive infrastructure info kept for 15 minutes
974 echo " cache-min-ttl: $UB_TTL_MIN"
975 echo " cache-max-ttl: 72000"
976 echo " val-bogus-ttl: 300"
977 echo " infra-host-ttl: 900"
982 if [ $UB_B_HIDE_BIND -gt 0 ] ; then
984 # Block server id and version DNS TXT records
985 echo " hide-identity: yes"
986 echo " hide-version: yes"
992 if [ $UB_D_PRIV_BLCK -gt 0 ] ; then
994 # Remove _upstream_ or global reponses with private addresses.
995 # Unbounds own "local zone" and "forward zone" may still use these.
996 # RFC1918, RFC3927, RFC4291, RFC6598, RFC6890
997 echo " private-address: 10.0.0.0/8"
998 echo " private-address: 100.64.0.0/10"
999 echo " private-address: 169.254.0.0/16"
1000 echo " private-address: 172.16.0.0/12"
1001 echo " private-address: 192.168.0.0/16"
1002 echo " private-address: fc00::/7"
1003 echo " private-address: fe80::/10"
1009 if [ -n "$UB_LIST_NETW_LAN" ] && [ $UB_D_PRIV_BLCK -gt 1 ] ; then
1011 for ifsubnet
in $UB_LIST_NETW_LAN ; do
1013 *@
[1-9][0-9a-f][0-9a-f][0-9a-f]:*:[0-9a-f]*)
1014 # Remove global DNS responses with your local network IP6 GLA
1015 echo " private-address: ${ifsubnet#*@}"
1024 if [ $UB_B_LOCL_BLCK -gt 0 ] ; then
1026 # Remove DNS reponses from upstream with loopback IP
1027 # Black hole DNS method for ad blocking, so consider...
1028 echo " private-address: 127.0.0.0/8"
1029 echo " private-address: ::1/128"
1035 if [ -n "$UB_LIST_INSECURE" ] ; then
1037 for domain
in $UB_LIST_INSECURE ; do
1038 # Except and accept domains without (DNSSEC); work around broken domains
1039 echo " domain-insecure: $domain"
1046 if [ $UB_B_LOCL_SERV -gt 0 ] && [ -n "$UB_LIST_NETW_ALL" ] ; then
1048 for ifsubnet
in $UB_LIST_NETW_ALL ; do
1049 # Only respond to queries from subnets which have an interface.
1050 # Prevent DNS amplification attacks by not responding to the universe.
1051 echo " access-control: ${ifsubnet#*@} allow"
1053 echo " access-control: 127.0.0.0/8 allow"
1054 echo " access-control: ::1/128 allow"
1055 echo " access-control: fe80::/10 allow"
1061 echo " access-control: 0.0.0.0/0 allow"
1062 echo " access-control: ::0/0 allow"
1068 ##############################################################################
1070 unbound_hostname
() {
1071 local ifsubnet ifarpa ifaddr ifname iffqdn
1072 local ulaprefix hostfqdn name names namerec ptrrec
1075 echo "# $UB_HOST_CONF generated by UCI $( date -Is )" > $UB_HOST_CONF
1078 if [ "$UB_D_DHCP_LINK" = "dnsmasq" ] ; then
1080 echo "# Local zone is handled by dnsmasq"
1084 elif [ -n "$UB_TXT_DOMAIN" ] \
1085 && { [ $UB_D_WAN_FQDN -gt 0 ] ||
[ $UB_D_LAN_FQDN -gt 0 ] ; } ; then
1086 case "$UB_D_DOMAIN_TYPE" in
1087 deny|inform_deny|refuse|static
)
1089 # type static means only this router has your domain
1090 echo " domain-insecure: $UB_TXT_DOMAIN"
1091 echo " private-domain: $UB_TXT_DOMAIN"
1092 echo " local-zone: $UB_TXT_DOMAIN $UB_D_DOMAIN_TYPE"
1093 echo " local-data: \"$UB_TXT_DOMAIN. $UB_XSOA\""
1094 echo " local-data: \"$UB_TXT_DOMAIN. $UB_XNS\""
1095 echo " local-data: '$UB_TXT_DOMAIN. $UB_XTXT'"
1097 if [ "$UB_TXT_DOMAIN" != "local" ] ; then
1098 # avoid involvement in RFC6762, unless it is the local zone name
1099 echo " local-zone: local always_nxdomain"
1106 inform|transparent|typetransparent
)
1108 # transparent will permit forward-zone: or stub-zone: clauses
1109 echo " private-domain: $UB_TXT_DOMAIN"
1110 echo " local-zone: $UB_TXT_DOMAIN $UB_D_DOMAIN_TYPE"
1119 # Hostname as TLD works, but not transparent through recursion (singular)
1120 echo " domain-insecure: $UB_TXT_HOSTNAME"
1121 echo " private-domain: $UB_TXT_HOSTNAME"
1122 echo " local-zone: $UB_TXT_HOSTNAME static"
1123 echo " local-data: \"$UB_TXT_HOSTNAME. $UB_XSOA\""
1124 echo " local-data: \"$UB_TXT_HOSTNAME. $UB_XNS\""
1125 echo " local-data: '$UB_TXT_HOSTNAME. $UB_XTXT'"
1130 if [ -n "$UB_LIST_NETW_WAN" ] ; then
1131 for ifsubnet
in $UB_LIST_NETW_WAN ; do
1132 ifaddr
=${ifsubnet#*@}
1134 ifarpa
=$
( host_ptr_any
"$ifaddr" )
1137 if [ -n "$ifarpa" ] ; then
1138 if [ $UB_D_WAN_FQDN -gt 0 ] ; then
1140 # Create a static zone for WAN host record only (singular)
1141 echo " domain-insecure: $ifarpa"
1142 echo " private-address: $ifaddr"
1143 echo " local-zone: $ifarpa static"
1144 echo " local-data: \"$ifarpa. $UB_XSOA\""
1145 echo " local-data: \"$ifarpa. $UB_XNS\""
1146 echo " local-data: '$ifarpa. $UB_MTXT'"
1150 elif [ $zonetype -gt 0 ] ; then
1152 echo " local-zone: $ifarpa transparent"
1161 if [ -n "$UB_LIST_NETW_LAN" ] ; then
1162 for ifsubnet
in $UB_LIST_NETW_LAN ; do
1163 ifarpa
=$
( domain_ptr_any
"${ifsubnet#*@}" )
1166 if [ -n "$ifarpa" ] ; then
1167 if [ $zonetype -eq 2 ] ; then
1169 # Do NOT forward queries with your ip6.arpa or in-addr.arpa
1170 echo " domain-insecure: $ifarpa"
1171 echo " local-zone: $ifarpa static"
1172 echo " local-data: \"$ifarpa. $UB_XSOA\""
1173 echo " local-data: \"$ifarpa. $UB_XNS\""
1174 echo " local-data: '$ifarpa. $UB_XTXT'"
1178 elif [ $zonetype -eq 1 ] && [ $UB_D_PRIV_BLCK -eq 0 ] ; then
1180 echo " local-zone: $ifarpa transparent"
1189 ulaprefix
=$
( uci_get network.@globals
[0].ula_prefix
)
1190 ulaprefix
=${ulaprefix%%:/*}
1191 hostfqdn
="$UB_TXT_HOSTNAME.$UB_TXT_DOMAIN"
1194 if [ -z "$ulaprefix" ] ; then
1195 # Nonsense so this option isn't globbed below
1196 ulaprefix
="fdno:such:addr::"
1200 if [ "$UB_LIST_NETW_LAN" ] && [ $UB_D_LAN_FQDN -gt 0 ] ; then
1201 for ifsubnet
in $UB_LIST_NETW_LAN ; do
1202 ifaddr
=${ifsubnet#*@}
1204 ifname
=${ifsubnet%@*}
1205 iffqdn
="$ifname.$hostfqdn"
1208 if [ $UB_D_LAN_FQDN -eq 4 ] ; then
1209 names
="$iffqdn $hostfqdn $UB_TXT_HOSTNAME"
1210 ptrrec
=" local-data-ptr: \"$ifaddr 300 $iffqdn\""
1211 echo "$ptrrec" >> $UB_HOST_CONF
1213 elif [ $UB_D_LAN_FQDN -eq 3 ] ; then
1214 names
="$hostfqdn $UB_TXT_HOSTNAME"
1215 ptrrec
=" local-data-ptr: \"$ifaddr 300 $hostfqdn\""
1216 echo "$ptrrec" >> $UB_HOST_CONF
1219 names
="$UB_TXT_HOSTNAME"
1220 ptrrec
=" local-data-ptr: \"$ifaddr 300 $UB_TXT_HOSTNAME\""
1221 echo "$ptrrec" >> $UB_HOST_CONF
1225 for name
in $names ; do
1228 # IP6 ULA only is assigned for OPTION 1
1229 namerec
=" local-data: \"$name. 300 IN AAAA $ifaddr\""
1230 echo "$namerec" >> $UB_HOST_CONF
1234 namerec
=" local-data: \"$name. 300 IN A $ifaddr\""
1235 echo "$namerec" >> $UB_HOST_CONF
1239 if [ $UB_D_LAN_FQDN -gt 1 ] ; then
1240 # IP6 GLA is assigned for higher options
1241 namerec
=" local-data: \"$name. 300 IN AAAA $ifaddr\""
1242 echo "$namerec" >> $UB_HOST_CONF
1247 echo >> $UB_HOST_CONF
1252 if [ -n "$UB_LIST_NETW_WAN" ] && [ $UB_D_WAN_FQDN -gt 0 ] ; then
1253 for ifsubnet
in $UB_LIST_NETW_WAN ; do
1254 ifaddr
=${ifsubnet#*@}
1256 ifname
=${ifsubnet%@*}
1257 iffqdn
="$ifname.$hostfqdn"
1260 if [ $UB_D_WAN_FQDN -eq 4 ] ; then
1261 names
="$iffqdn $hostfqdn $UB_TXT_HOSTNAME"
1262 ptrrec
=" local-data-ptr: \"$ifaddr 300 $iffqdn\""
1263 echo "$ptrrec" >> $UB_HOST_CONF
1265 elif [ $UB_D_WAN_FQDN -eq 3 ] ; then
1266 names
="$hostfqdn $UB_TXT_HOSTNAME"
1267 ptrrec
=" local-data-ptr: \"$ifaddr 300 $hostfqdn\""
1268 echo "$ptrrec" >> $UB_HOST_CONF
1271 names
="$UB_TXT_HOSTNAME"
1272 ptrrec
=" local-data-ptr: \"$ifaddr 300 $UB_TXT_HOSTNAME\""
1273 echo "$ptrrec" >> $UB_HOST_CONF
1277 for name
in $names ; do
1280 # IP6 ULA only is assigned for OPTION 1
1281 namerec
=" local-data: \"$name. 300 IN AAAA $ifaddr\""
1282 echo "$namerec" >> $UB_HOST_CONF
1286 namerec
=" local-data: \"$name. 300 IN A $ifaddr\""
1287 echo "$namerec" >> $UB_HOST_CONF
1291 if [ $UB_D_WAN_FQDN -gt 1 ] ; then
1292 # IP6 GLA is assigned for higher options
1293 namerec
=" local-data: \"$name. 300 IN AAAA $ifaddr\""
1294 echo "$namerec" >> $UB_HOST_CONF
1299 echo >> $UB_HOST_CONF
1302 fi # end if uci valid
1305 ##############################################################################
1311 hostnm
=$
( uci_get system.@system
[0].hostname |
awk '{print tolower($0)}' )
1312 UB_TXT_HOSTNAME
=${hostnm:-thisrouter}
1314 config_get_bool UB_B_SLAAC6_MAC
"$cfg" dhcp4_slaac6
0
1315 config_get_bool UB_B_DNS64
"$cfg" dns64
0
1316 config_get_bool UB_B_EXT_STATS
"$cfg" extended_stats
0
1317 config_get_bool UB_B_HIDE_BIND
"$cfg" hide_binddata
1
1318 config_get_bool UB_B_LOCL_SERV
"$cfg" localservice
1
1319 config_get_bool UB_B_MAN_CONF
"$cfg" manual_conf
0
1320 config_get_bool UB_B_QUERY_MIN
"$cfg" query_minimize
0
1321 config_get_bool UB_B_QRY_MINST
"$cfg" query_min_strict
0
1322 config_get_bool UB_B_AUTH_ROOT
"$cfg" prefetch_root
0
1323 config_get_bool UB_B_LOCL_BLCK
"$cfg" rebind_localhost
0
1324 config_get_bool UB_B_DNSSEC
"$cfg" validator
0
1325 config_get_bool UB_B_NTP_BOOT
"$cfg" validator_ntp
1
1326 config_get_bool UB_B_IF_AUTO
"$cfg" interface_auto
1
1328 config_get UB_IP_DNS64
"$cfg" dns64_prefix
"64:ff9b::/96"
1330 config_get UB_N_EDNS_SIZE
"$cfg" edns_size
1280
1331 config_get UB_N_RX_PORT
"$cfg" listen_port
53
1332 config_get UB_N_ROOT_AGE
"$cfg" root_age
9
1333 config_get UB_N_THREADS
"$cfg" num_threads
1
1334 config_get UB_N_RATE_LMT
"$cfg" rate_limit
0
1336 config_get UB_D_CONTROL
"$cfg" unbound_control
0
1337 config_get UB_D_DOMAIN_TYPE
"$cfg" domain_type static
1338 config_get UB_D_DHCP_LINK
"$cfg" dhcp_link none
1339 config_get UB_D_EXTRA_DNS
"$cfg" add_extra_dns
0
1340 config_get UB_D_LAN_FQDN
"$cfg" add_local_fqdn
0
1341 config_get UB_D_PRIV_BLCK
"$cfg" rebind_protection
1
1342 config_get UB_D_PROTOCOL
"$cfg" protocol mixed
1343 config_get UB_D_RECURSION
"$cfg" recursion passive
1344 config_get UB_D_RESOURCE
"$cfg" resource small
1345 config_get UB_D_VERBOSE
"$cfg" verbosity
1
1346 config_get UB_D_WAN_FQDN
"$cfg" add_wan_fqdn
0
1348 config_get UB_TTL_MIN
"$cfg" ttl_min
120
1349 config_get UB_TXT_DOMAIN
"$cfg" domain lan
1351 config_list_foreach
"$cfg" domain_insecure bundle_domain_insecure
1354 if [ "$UB_D_DHCP_LINK" = "none" ] ; then
1355 config_get_bool UB_B_DNSMASQ
"$cfg" dnsmasq_link_dns
0
1358 if [ $UB_B_DNSMASQ -gt 0 ] ; then
1359 UB_D_DHCP_LINK
=dnsmasq
1362 if [ $UB_B_READY -eq 0 ] ; then
1363 logger
-t unbound
-s "Please use 'dhcp_link' selector instead"
1369 if [ "$UB_D_DHCP_LINK" = "dnsmasq" ] ; then
1370 if [ ! -x /usr
/sbin
/dnsmasq
] ||
[ ! -x /etc
/init.d
/dnsmasq
] ; then
1373 /etc
/init.d
/dnsmasq enabled || UB_D_DHCP_LINK
=none
1377 if [ $UB_B_READY -eq 0 ] && [ "$UB_D_DHCP_LINK" = "none" ] ; then
1378 logger
-t unbound
-s "cannot forward to dnsmasq"
1383 if [ "$UB_D_DHCP_LINK" = "odhcpd" ] ; then
1384 if [ ! -x /usr
/sbin
/odhcpd
] ||
[ ! -x /etc
/init.d
/odhcpd
] ; then
1387 /etc
/init.d
/odhcpd enabled || UB_D_DHCP_LINK
=none
1391 if [ $UB_B_READY -eq 0 ] && [ "$UB_D_DHCP_LINK" = "none" ] ; then
1392 logger
-t unbound
-s "cannot receive records from odhcpd"
1397 if [ $UB_N_EDNS_SIZE -lt 512 ] ||
[ 4096 -lt $UB_N_EDNS_SIZE ] ; then
1398 logger
-t unbound
-s "edns_size exceeds range, using default"
1403 if [ $UB_N_RX_PORT -ne 53 ] \
1404 && { [ $UB_N_RX_PORT -lt 1024 ] ||
[ 10240 -lt $UB_N_RX_PORT ] ; } ; then
1405 logger
-t unbound
-s "privileged port or in 5 digits, using default"
1410 if [ $UB_TTL_MIN -gt 1800 ] ; then
1411 logger
-t unbound
-s "ttl_min could have had awful side effects, using 300"
1416 ##############################################################################
1420 local adb_files
=$
( ls $UB_VARDIR/adb_list.
* 2>/dev
/null
)
1422 echo "# $UB_TOTAL_CONF generated by UCI $( date -Is )" > $UB_TOTAL_CONF
1425 if [ -f "$UB_CORE_CONF" ] ; then
1426 # Yes this all looks busy, but it is in TMPFS. Working on separate files
1427 # and piecing together is easier. UCI order is less constrained.
1428 cat $UB_CORE_CONF >> $UB_TOTAL_CONF
1433 if [ -f "$UB_HOST_CONF" ] ; then
1434 # UCI definitions of local host or local subnet
1435 cat $UB_HOST_CONF >> $UB_TOTAL_CONF
1440 if [ -f $UB_SRVMASQ_CONF ] ; then
1441 # UCI found link to dnsmasq
1442 cat $UB_SRVMASQ_CONF >> $UB_TOTAL_CONF
1447 if [ -f "$UB_DHCP_CONF" ] ; then
1449 # Seed DHCP records because dhcp scripts trigger externally
1450 # Incremental Unbound restarts may drop unbound-control records
1451 echo "include: $UB_DHCP_CONF"
1457 if [ -z "$adb_files" ] ||
[ ! -x /usr
/bin
/adblock.sh
] \
1458 ||
[ ! -x /etc
/init.d
/adblock
] ; then
1461 elif /etc
/init.d
/adblock enabled
; then
1464 # Pull in your selected openwrt/pacakges/net/adblock generated lists
1465 echo "include: $UB_VARDIR/adb_list.*"
1474 if [ -f $UB_SRV_CONF ] ; then
1476 # Pull your own "server:" options here
1477 echo "include: $UB_SRV_CONF"
1483 if [ -f "$UB_ZONE_CONF" ] ; then
1484 # UCI defined forward, stub, and auth zones
1485 cat $UB_ZONE_CONF >> $UB_TOTAL_CONF
1490 if [ -f "$UB_CTRL_CONF" ] ; then
1491 # UCI defined control application connection
1492 cat $UB_CTRL_CONF >> $UB_TOTAL_CONF
1497 if [ -f "$UB_EXTMASQ_CONF" ] ; then
1498 # UCI found link to dnsmasq
1499 cat $UB_EXTMASQ_CONF >> $UB_TOTAL_CONF
1504 if [ -f "$UB_EXT_CONF" ] ; then
1506 # Pull your own extend feature clauses here
1507 echo "include: $UB_EXT_CONF"
1513 ##############################################################################
1516 if [ "$UB_N_RX_PORT" != "53" ] ; then
1517 # unbound is not the default on target resolver
1518 echo "do nothing" >/dev
/null
1520 elif [ -x /etc
/init.d
/dnsmasq
] \
1521 && /etc
/init.d
/dnsmasq enabled \
1522 && nslookup localhost
127.0.0.1#53 >/dev/null 2>&1 ; then
1523 # unbound is configured for port 53, but dnsmasq is enabled, and a resolver
1524 # is already listening on port 53. Let dnsmasq manage resolve.conf.
1525 # This also works to prevent clobbering while changing UCI.
1526 echo "do nothing" >/dev
/null
1529 # unbound listens on 127.0.0.1#53 so set resolver file to local.
1530 rm -f $UB_RESOLV_CONF
1533 echo "# $UB_RESOLV_CONF generated by Unbound UCI $( date -Is )"
1534 echo "nameserver 127.0.0.1"
1535 echo "nameserver ::1"
1536 echo "search $UB_TXT_DOMAIN."
1541 ##############################################################################
1545 config_foreach unbound_uci unbound
1549 if [ $UB_B_MAN_CONF -eq 0 ] ; then
1550 # iterate zones before we load other UCI
1551 # forward-zone: auth-zone: and stub-zone:
1552 config_foreach unbound_zone zone
1553 # associate potential DNS RR with interfaces
1555 config_foreach bundle_all_networks interface
1557 config_foreach bundle_lan_networks dhcp
1574 ##############################################################################