net/unbound/files/unbound.sh

   1 #!/bin/sh
   2 ##############################################################################
   3 #
   4 # This program is free software; you can redistribute it and/or modify
   5 # it under the terms of the GNU General Public License version 2 as
   6 # published by the Free Software Foundation.
   7 #
   8 # This program is distributed in the hope that it will be useful,
   9 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  10 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  11 # GNU General Public License for more details.
  12 #
  13 # Copyright (C) 2016 Eric Luehrsen
  14 #
  15 ##############################################################################
  16 #
  17 # This builds the basic UCI components currently supported for Unbound. It is
  18 # intentionally NOT comprehensive and bundles a lot of options. The UCI is to
  19 # be a simpler presentation of the total Unbound conf set.
  20 #
  21 ##############################################################################
  22
  23 UNBOUND_B_CONTROL=0
  24 UNBOUND_B_DNSMASQ=0
  25 UNBOUND_B_DNSSEC=0
  26 UNBOUND_B_GATE_NAME=0
  27 UNBOUND_B_LOCL_BLCK=0
  28 UNBOUND_B_LOCL_NAME=0
  29 UNBOUND_B_LOCL_SERV=1
  30 UNBOUND_B_MAN_CONF=0
  31 UNBOUND_B_NTP_BOOT=1
  32 UNBOUND_B_PRIV_BLCK=1
  33 UNBOUND_B_QUERY_MIN=0
  34
  35 UNBOUND_D_RESOURCE=small
  36 UNBOUND_D_RECURSION=passive
  37
  38 UNBOUND_TXT_FWD_ZONE=""
  39 UNBOUND_TTL_MIN=120
  40
  41 UNBOUND_N_EDNS_SIZE=1280
  42 UNBOUND_N_FWD_PORTS=""
  43 UNBOUND_N_RX_PORT=53
  44 UNBOUND_N_ROOT_AGE=28
  45
  46 ##############################################################################
  47
  48 UNBOUND_ANCHOR=/usr/bin/unbound-anchor
  49 UNBOUND_CONTROL=/usr/bin/unbound-control
  50
  51 UNBOUND_LIBDIR=/usr/lib/unbound
  52
  53 UNBOUND_PIDFILE=/var/run/unbound.pid
  54
  55 UNBOUND_VARDIR=/var/lib/unbound
  56 UNBOUND_CONFFILE=$UNBOUND_VARDIR/unbound.conf
  57 UNBOUND_KEYFILE=$UNBOUND_VARDIR/root.key
  58 UNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hints
  59 UNBOUND_TIMEFILE=$UNBOUND_VARDIR/unbound.time
  60 UNBOUND_CHECKFILE=$UNBOUND_VARDIR/unbound.check
  61
  62 ##############################################################################
  63
  64 . /lib/functions.sh
  65 . /lib/functions/network.sh
  66
  67 . $UNBOUND_LIBDIR/dnsmasq.sh
  68 . $UNBOUND_LIBDIR/iptools.sh
  69 . $UNBOUND_LIBDIR/rootzone.sh
  70
  71 ##############################################################################
  72
  73 create_access_control() {
  74   local cfg="$1"
  75   local subnets subnets4 subnets6
  76   local validip4 validip6
  77
  78   network_get_subnets  subnets4 "$cfg"
  79   network_get_subnets6 subnets6 "$cfg"
  80   subnets="$subnets4 $subnets6"
  81
  82
  83   if [ -n "$subnets" ] ; then
  84     for subnet in $subnets ; do
  85       validip4=$( valid_subnet4 $subnet )
  86       validip6=$( valid_subnet6 $subnet )
  87
  88
  89       if [ "$validip4" = "ok" -o "$validip6" = "ok" ] ; then
  90         # For each "network" UCI add "access-control:" white list for queries
  91         echo "  access-control: $subnet allow" >> $UNBOUND_CONFFILE
  92       fi
  93     done
  94   fi
  95 }
  96
  97 ##############################################################################
  98
  99 create_domain_insecure() {
 100   echo "  domain-insecure: \"$1\"" >> $UNBOUND_CONFFILE
 101 }
 102
 103 ##############################################################################
 104
 105 unbound_mkdir() {
 106   mkdir -p $UNBOUND_VARDIR
 107   touch $UNBOUND_CONFFILE
 108
 109
 110   if [ -f /etc/unbound/root.hints ] ; then
 111     # Your own local copy of root.hints
 112     cp -p /etc/unbound/root.hints $UNBOUND_HINTFILE
 113
 114   elif [ -f /usr/share/dns/root.hints ] ; then
 115     # Debian-like package dns-root-data
 116     cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
 117
 118   else
 119     logger -t unbound -s "iterator will use built-in root hints"
 120   fi
 121
 122
 123   if [ -f /etc/unbound/root.key ] ; then
 124     # Your own local copy of a root.key
 125     cp -p /etc/unbound/root.key $UNBOUND_KEYFILE
 126
 127   elif [ -f /usr/share/dns/root.key ] ; then
 128     # Debian-like package dns-root-data
 129     cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE
 130
 131   elif [ -x "$UNBOUND_ANCHOR" ] ; then
 132     $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
 133
 134   else
 135     logger -t unbound -s "validator will use built-in trust anchor"
 136   fi
 137 }
 138
 139 ##############################################################################
 140
 141 unbound_conf() {
 142   local cfg=$1
 143   local rt_mem rt_conn
 144
 145   {
 146     # Make fresh conf file
 147     echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
 148     echo
 149   } > $UNBOUND_CONFFILE
 150
 151
 152   if [ "$UNBOUND_B_CONTROL" -gt 0 ] ; then
 153     {
 154       # Enable remote control tool, but only at local host for security
 155       echo "remote-control:"
 156       echo "  control-enable: yes"
 157       echo "  control-use-cert: no"
 158       echo "  control-interface: 127.0.0.1"
 159       echo "  control-interface: ::1"
 160       echo
 161     } >> $UNBOUND_CONFFILE
 162
 163   else
 164     {
 165       # "control:" clause is seperate before "server:" so we can append
 166       # dnsmasq "server:" parts and "forward:" cluases towards the end.
 167       echo "remote-control:"
 168       echo "  control-enable: no"
 169       echo
 170     } >> $UNBOUND_CONFFILE
 171   fi
 172
 173
 174   {
 175     # No threading
 176     echo "server:"
 177     echo "  username: unbound"
 178     echo "  num-threads: 1"
 179     echo "  msg-cache-slabs: 1"
 180     echo "  rrset-cache-slabs: 1"
 181     echo "  infra-cache-slabs: 1"
 182     echo "  key-cache-slabs: 1"
 183     echo
 184   } >> $UNBOUND_CONFFILE
 185
 186
 187   {
 188     # Logging
 189     echo "  verbosity: 1"
 190     echo "  statistics-interval: 0"
 191     echo "  statistics-cumulative: no"
 192     echo "  extended-statistics: no"
 193     echo
 194   } >> $UNBOUND_CONFFILE
 195
 196
 197   {
 198     # Interfaces (access contol "option local_service")
 199     echo "  interface: 0.0.0.0"
 200     echo "  interface: ::0"
 201     echo "  outgoing-interface: 0.0.0.0"
 202     echo "  outgoing-interface: ::0"
 203     echo
 204   } >> $UNBOUND_CONFFILE
 205
 206
 207   {
 208     # protocol level tuning
 209     echo "  edns-buffer-size: $UNBOUND_N_EDNS_SIZE"
 210     echo "  msg-buffer-size: 8192"
 211     echo "  port: $UNBOUND_N_RX_PORT"
 212     echo "  outgoing-port-permit: 10240-65535"
 213     echo
 214   } >> $UNBOUND_CONFFILE
 215
 216
 217   {
 218     # Other harding and options for an embedded router
 219     echo "  harden-short-bufsize: yes"
 220     echo "  harden-large-queries: yes"
 221     echo "  harden-glue: yes"
 222     echo "  harden-below-nxdomain: no"
 223     echo "  harden-referral-path: no"
 224     echo "  use-caps-for-id: no"
 225     echo
 226   } >> $UNBOUND_CONFFILE
 227
 228
 229   {
 230     # Default Files
 231     echo "  use-syslog: yes"
 232     echo "  chroot: \"$UNBOUND_VARDIR\""
 233     echo "  directory: \"$UNBOUND_VARDIR\""
 234     echo "  pidfile: \"$UNBOUND_PIDFILE\""
 235   } >> $UNBOUND_CONFFILE
 236
 237
 238   if [ -f "$UNBOUND_HINTFILE" ] ; then
 239     # Optional hints if found
 240     echo "  root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE
 241   fi
 242
 243
 244   if [ "$UNBOUND_B_DNSSEC" -gt 0 -a -f "$UNBOUND_KEYFILE" ] ; then
 245     {
 246       echo "  auto-trust-anchor-file: \"$UNBOUND_KEYFILE\""
 247       echo
 248     } >> $UNBOUND_CONFFILE
 249
 250   else
 251     echo >> $UNBOUND_CONFFILE
 252   fi
 253
 254
 255   case "$UNBOUND_D_RESOURCE" in
 256     # Tiny - Unbound's recommended cheap hardware config
 257     tiny)   rt_mem=1  ; rt_conn=1 ;;
 258     # Small - Half RRCACHE and open ports
 259     small)  rt_mem=8  ; rt_conn=5 ;;
 260     # Medium - Nearly default but with some added balancintg
 261     medium) rt_mem=16 ; rt_conn=10 ;;
 262     # Large - Double medium
 263     large)  rt_mem=32 ; rt_conn=10 ;;
 264     # Whatever unbound does
 265     *) rt_mem=0 ; rt_conn=0 ;;
 266   esac
 267
 268
 269   if [ "$rt_mem" -gt 0 ] ; then
 270     {
 271       # Set memory sizing parameters
 272       echo "  outgoing-range: $(($rt_conn*64))"
 273       echo "  num-queries-per-thread: $(($rt_conn*32))"
 274       echo "  outgoing-num-tcp: $(($rt_conn))"
 275       echo "  incoming-num-tcp: $(($rt_conn))"
 276       echo "  rrset-cache-size: $(($rt_mem*256))k"
 277       echo "  msg-cache-size: $(($rt_mem*128))k"
 278       echo "  key-cache-size: $(($rt_mem*128))k"
 279       echo "  neg-cache-size: $(($rt_mem*64))k"
 280       echo "  infra-cache-numhosts: $(($rt_mem*256))"
 281       echo
 282     } >> $UNBOUND_CONFFILE
 283
 284   else
 285     logger -t unbound -s "default memory resource consumption"
 286   fi
 287
 288
 289   if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
 290     if [ ! -f "$UNBOUND_TIMEFILE" -a "$UNBOUND_B_NTP_BOOT" -gt 0 ] ; then
 291       # DNSSEC chicken and egg with getting NTP time
 292       echo "  val-override-date: -1" >> $UNBOUND_CONFFILE
 293     fi
 294
 295
 296     {
 297       # Validation of DNSSEC
 298       echo "  module-config: \"validator iterator\""
 299       echo "  harden-dnssec-stripped: yes"
 300       echo "  val-clean-additional: yes"
 301       echo "  ignore-cd-flag: yes"
 302       echo
 303     } >> $UNBOUND_CONFFILE
 304
 305   else
 306     {
 307       # Just iteration without DNSSEC
 308       echo "  module-config: \"iterator\""
 309       echo
 310     } >> $UNBOUND_CONFFILE
 311   fi
 312
 313
 314   if [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
 315     # Minor improvement on query privacy
 316     echo "  qname-minimisation: yes" >> $UNBOUND_CONFFILE
 317
 318   else
 319     echo "  qname-minimisation: no" >> $UNBOUND_CONFFILE
 320   fi
 321
 322
 323   case "$UNBOUND_D_RECURSION" in
 324     passive)
 325       {
 326         echo "  prefetch: no"
 327         echo "  prefetch-key: no"
 328         echo "  target-fetch-policy: \"0 0 0 0 0\""
 329         echo
 330       } >> $UNBOUND_CONFFILE
 331       ;;
 332
 333     aggressive)
 334       {
 335         echo "  prefetch: yes"
 336         echo "  prefetch-key: yes"
 337         echo "  target-fetch-policy: \"3 2 1 0 0\""
 338         echo
 339       } >> $UNBOUND_CONFFILE
 340       ;;
 341
 342     *)
 343       logger -t unbound -s "default recursion configuration"
 344       ;;
 345   esac
 346
 347
 348   {
 349     # Reload records more than 10 hours old
 350     # DNSSEC 5 minute bogus cool down before retry
 351     # Adaptive infrastructure info kept for 15 minutes
 352     echo "  cache-min-ttl: $UNBOUND_TTL_MIN"
 353     echo "  cache-max-ttl: 36000"
 354     echo "  val-bogus-ttl: 300"
 355     echo "  infra-host-ttl: 900"
 356     echo
 357   } >> $UNBOUND_CONFFILE
 358
 359
 360   if [ "$UNBOUND_B_PRIV_BLCK" -gt 0 ] ; then
 361     {
 362       # Remove DNS reponses from upstream with private IP
 363       echo "  private-address: 10.0.0.0/8"
 364       echo "  private-address: 169.254.0.0/16"
 365       echo "  private-address: 172.16.0.0/12"
 366       echo "  private-address: 192.168.0.0/16"
 367       echo "  private-address: fc00::/8"
 368       echo "  private-address: fd00::/8"
 369       echo "  private-address: fe80::/10"
 370     } >> $UNBOUND_CONFFILE
 371   fi
 372
 373
 374   if [ "$UNBOUND_B_LOCL_BLCK" -gt 0 ] ; then
 375     {
 376       # Remove DNS reponses from upstream with loopback IP
 377       # Black hole DNS method for ad blocking, so consider...
 378       echo "  private-address: 127.0.0.0/8"
 379       echo "  private-address: ::1/128"
 380       echo
 381     } >> $UNBOUND_CONFFILE
 382
 383   else
 384     echo >> $UNBOUND_CONFFILE
 385   fi
 386
 387
 388   # Domain Exceptions
 389   config_list_foreach "$cfg" "domain_insecure" create_domain_insecure
 390   echo >> $UNBOUND_CONFFILE
 391
 392
 393   ####################
 394   # UCI @ network    #
 395   ####################
 396
 397
 398   if [ "$UNBOUND_B_LOCL_SERV" -gt 0 ] ; then
 399     # Only respond to queries from which this device has an interface.
 400     # Prevent DNS amplification attacks by not responding to the universe.
 401     config_load network
 402     config_foreach create_access_control interface
 403
 404     {
 405       echo "  access-control: 127.0.0.0/8 allow"
 406       echo "  access-control: ::1/128 allow"
 407       echo "  access-control: fe80::/10 allow"
 408       echo
 409     } >> $UNBOUND_CONFFILE
 410
 411   else
 412     {
 413       echo "  access-control: 0.0.0.0/0 allow"
 414       echo "  access-control: ::0/0 allow"
 415       echo
 416     } >> $UNBOUND_CONFFILE
 417   fi
 418 }
 419
 420 ##############################################################################
 421
 422 unbound_uci() {
 423   local cfg=$1
 424   local dnsmasqpath
 425
 426   ####################
 427   # UCI @ unbound    #
 428   ####################
 429
 430   config_get_bool UNBOUND_B_GATE_NAME "$cfg" dnsmsaq_gate_name 0
 431   config_get_bool UNBOUND_B_DNSMASQ   "$cfg" dnsmasq_link_dns 0
 432   config_get_bool UNBOUND_B_LOCL_NAME "$cfg" dnsmasq_only_local 0
 433   config_get_bool UNBOUND_B_LOCL_SERV "$cfg" localservice 1
 434   config_get_bool UNBOUND_B_MAN_CONF  "$cfg" manual_conf 0
 435   config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0
 436   config_get_bool UNBOUND_B_PRIV_BLCK "$cfg" rebind_protection 1
 437   config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
 438   config_get_bool UNBOUND_B_CONTROL   "$cfg" unbound_control 0
 439   config_get_bool UNBOUND_B_DNSSEC    "$cfg" validator  0
 440   config_get_bool UNBOUND_B_NTP_BOOT  "$cfg" validator_ntp 1
 441
 442   config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280
 443   config_get UNBOUND_N_RX_PORT   "$cfg" listen_port 53
 444   config_get UNBOUND_D_RECURSION "$cfg" recursion passive
 445   config_get UNBOUND_D_RESOURCE  "$cfg" resource small
 446   config_get UNBOUND_N_ROOT_AGE  "$cfg" root_age 7
 447   config_get UNBOUND_TTL_MIN     "$cfg" ttl_min 120
 448
 449
 450   if [ "$UNBOUND_B_DNSMASQ" -gt 0 ] ; then
 451     dnsmasqpath=$( which dnsmasq )
 452
 453
 454     if [ ! -x "$dnsmasqpath" ] ; then
 455       logger -t unbound -s "cannot forward to dnsmasq"
 456       UNBOUND_B_DNSMASQ=0
 457     fi
 458   fi
 459
 460
 461   if [ "$UNBOUND_N_EDNS_SIZE" -lt 512 \
 462     -o 4096 -lt "$UNBOUND_N_EDNS_SIZE" ] ; then
 463     # exceeds range, back to default
 464     UNBOUND_N_EDNS_SIZE=1280
 465   fi
 466
 467
 468   if [ "$UNBOUND_N_RX_PORT" -lt 1024 \
 469     -o 10240 -lt "$UNBOUND_N_RX_PORT" ] ; then
 470     # special port or in 5 digits, back to default
 471     UNBOUND_N_RX_PORT=53
 472   fi
 473
 474
 475   if [ "$UNBOUND_TTL_MIN" -gt 1800 ] ; then
 476     # that could have had awful side effects
 477     UNBOUND_TTL_MIN=300
 478   fi
 479
 480
 481   if [ "$UNBOUND_B_MAN_CONF" -gt 0 ] ; then
 482     # Don't want this being triggered. Maybe we could, but then the
 483     # base conf you provide would need to be just right.
 484     UNBOUND_B_DNSMASQ=0
 485
 486   else
 487     unbound_conf $cfg
 488   fi
 489 }
 490
 491 ##############################################################################
 492
 493 unbound_own () {
 494   # Debug UCI
 495   {
 496     echo "# $UNBOUND_CHECKFILE generated by UCI $( date )"
 497     echo
 498     set | grep ^UNBOUND_
 499   } > $UNBOUND_CHECKFILE
 500
 501
 502   if [ "$UNBOUND_B_MAN_CONF" -gt 0 ] ; then
 503     # You are doing your own thing, so just copy /etc/ to /var/
 504     cp -p /etc/unbound/* $UNBOUND_VARDIR/
 505   fi
 506
 507
 508   # Ensure access and prepare to jail
 509   chown -R unbound:unbound $UNBOUND_VARDIR
 510   chmod 775 $UNBOUND_VARDIR
 511   chmod 664 $UNBOUND_VARDIR/*
 512 }
 513
 514 ##############################################################################
 515
 516 unbound_prepare() {
 517   # Make a home for Unbound in /var/lib/unbound
 518   unbound_mkdir
 519
 520   # Load up the chunks of UCI
 521   config_load unbound
 522   config_foreach unbound_uci unbound
 523
 524   # Unbound primary DNS, and dnsmasq side service DHCP-DNS (dnsmasq.sh)
 525   dnsmasq_link
 526
 527   # Unbound needs chroot ownership
 528   unbound_own
 529 }
 530
 531 ##############################################################################
 532