projects / feed / packages.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge pull request #4118 from dibdot/travelmate
[feed/packages.git] / net / unbound / files / unbound.sh
1 #!/bin/sh
2 ##############################################################################
3 #
4 # This program is free software; you can redistribute it and/or modify
5 # it under the terms of the GNU General Public License version 2 as
6 # published by the Free Software Foundation.
7 #
8 # This program is distributed in the hope that it will be useful,
9 # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 # GNU General Public License for more details.
12 #
13 # Copyright (C) 2016 Eric Luehrsen
14 #
15 ##############################################################################
16 #
17 # This builds the basic UCI components currently supported for Unbound. It is
18 # intentionally NOT comprehensive and bundles a lot of options. The UCI is to
19 # be a simpler presentation of the total Unbound conf set.
20 #
21 ##############################################################################
22
23 UNBOUND_B_CONTROL=0
24 UNBOUND_B_SLAAC6_MAC=0
25 UNBOUND_B_DNSSEC=0
26 UNBOUND_B_DNS64=0
27 UNBOUND_B_GATE_NAME=0
28 UNBOUND_B_HIDE_BIND=1
29 UNBOUND_B_LOCL_BLCK=0
30 UNBOUND_B_LOCL_SERV=1
31 UNBOUND_B_MAN_CONF=0
32 UNBOUND_B_NTP_BOOT=1
33 UNBOUND_B_PRIV_BLCK=1
34 UNBOUND_B_QUERY_MIN=0
35 UNBOUND_B_QRY_MINST=0
36
37 UNBOUND_D_DOMAIN_TYPE=static
38 UNBOUND_D_DHCP_LINK=none
39 UNBOUND_D_LAN_FQDN=0
40 UNBOUND_D_PROTOCOL=mixed
41 UNBOUND_D_RESOURCE=small
42 UNBOUND_D_RECURSION=passive
43 UNBOUND_D_WAN_FQDN=0
44
45 UNBOUND_IP_DNS64="64:ff9b::/96"
46
47 UNBOUND_N_EDNS_SIZE=1280
48 UNBOUND_N_FWD_PORTS=""
49 UNBOUND_N_RX_PORT=53
50 UNBOUND_N_ROOT_AGE=9
51
52 UNBOUND_TTL_MIN=120
53
54 UNBOUND_TXT_DOMAIN=lan
55 UNBOUND_TXT_FWD_ZONE=""
56 UNBOUND_TXT_HOSTNAME=thisrouter
57
58 ##############################################################################
59
60 UNBOUND_LIBDIR=/usr/lib/unbound
61 UNBOUND_VARDIR=/var/lib/unbound
62
63 UNBOUND_PIDFILE=/var/run/unbound.pid
64
65 UNBOUND_SRV_CONF=$UNBOUND_VARDIR/unbound_srv.conf
66 UNBOUND_EXT_CONF=$UNBOUND_VARDIR/unbound_ext.conf
67 UNBOUND_DHCP_CONF=$UNBOUND_VARDIR/unbound_dhcp.conf
68 UNBOUND_CONFFILE=$UNBOUND_VARDIR/unbound.conf
69
70 UNBOUND_KEYFILE=$UNBOUND_VARDIR/root.key
71 UNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hints
72 UNBOUND_TIMEFILE=$UNBOUND_VARDIR/unbound.time
73
74 ##############################################################################
75
76 UNBOUND_ANCHOR=/usr/sbin/unbound-anchor
77 UNBOUND_CONTROL=/usr/sbin/unbound-control
78 UNBOUND_CONTROL_CFG="$UNBOUND_CONTROL -c $UNBOUND_CONFFILE"
79
80 ##############################################################################
81
82 . /lib/functions.sh
83 . /lib/functions/network.sh
84
85 . $UNBOUND_LIBDIR/dnsmasq.sh
86 . $UNBOUND_LIBDIR/iptools.sh
87 . $UNBOUND_LIBDIR/rootzone.sh
88
89 ##############################################################################
90
91 create_interface_dns() {
92 local cfg="$1"
93 local ipcommand logint ignore ifname ifdashname
94 local name names address addresses
95 local ulaprefix if_fqdn host_fqdn mode mode_ptr
96
97 # Create local-data: references for this hosts interfaces (router).
98 config_get logint "$cfg" interface
99 config_get_bool ignore "$cfg" ignore 0
100 network_get_device ifname "$cfg"
101
102 ifdashname="${ifname//./-}"
103 ipcommand="ip -o address show $ifname"
104 addresses="$($ipcommand | awk '/inet/{sub(/\/.*/,"",$4); print $4}')"
105 ulaprefix="$(uci_get network @globals[0] ula_prefix)"
106 host_fqdn="$UNBOUND_TXT_HOSTNAME.$UNBOUND_TXT_DOMAIN"
107 if_fqdn="$ifdashname.$host_fqdn"
108
109
110 if [ -z "${ulaprefix%%:/*}" ] ; then
111 # Nonsense so this option isn't globbed below
112 ulaprefix="fdno:such:addr::/48"
113 fi
114
115
116 if [ "$ignore" -gt 0 ] ; then
117 mode="$UNBOUND_D_WAN_FQDN"
118
119 else
120 mode="$UNBOUND_D_LAN_FQDN"
121 fi
122
123
124 case "$mode" in
125 3)
126 mode_ptr="$host_fqdn"
127 names="$host_fqdn $UNBOUND_TXT_HOSTNAME"
128 ;;
129
130 4)
131 mode_ptr="$if_fqdn"
132 names="$if_fqdn $host_fqdn $UNBOUND_TXT_HOSTNAME"
133 ;;
134
135 *)
136 mode_ptr="$UNBOUND_TXT_HOSTNAME"
137 names="$UNBOUND_TXT_HOSTNAME"
138 ;;
139 esac
140
141
142 if [ "$mode" -gt 1 ] ; then
143 {
144 for address in $addresses ; do
145 case $address in
146 fe80:*|169.254.*)
147 echo " # note link address $address"
148 ;;
149
150 [1-9a-f]*:*[0-9a-f])
151 # GA and ULA IP6 for HOST IN AAA records (ip command is robust)
152 for name in $names ; do
153 echo " local-data: \"$name. 120 IN AAAA $address\""
154 done
155 echo " local-data-ptr: \"$address 120 $mode_ptr\""
156 ;;
157
158 [1-9]*.*[0-9])
159 # Old fashioned HOST IN A records
160 for name in $names ; do
161 echo " local-data: \"$name. 120 IN A $address\""
162 done
163 echo " local-data-ptr: \"$address 120 $mode_ptr\""
164 ;;
165 esac
166 done
167 echo
168 } >> $UNBOUND_CONFFILE
169
170 elif [ "$mode" -gt 0 ] ; then
171 {
172 for address in $addresses ; do
173 case $address in
174 fe80:*|169.254.*)
175 echo " # note link address $address"
176 ;;
177
178 "${ulaprefix%%:/*}"*)
179 # Only this networks ULA and only hostname
180 echo " local-data: \"$UNBOUND_TXT_HOSTNAME. 120 IN AAAA $address\""
181 echo " local-data-ptr: \"$address 120 $UNBOUND_TXT_HOSTNAME\""
182 ;;
183
184 [1-9]*.*[0-9])
185 echo " local-data: \"$UNBOUND_TXT_HOSTNAME. 120 IN A $address\""
186 echo " local-data-ptr: \"$address 120 $UNBOUND_TXT_HOSTNAME\""
187 ;;
188 esac
189 done
190 echo
191 } >> $UNBOUND_CONFFILE
192 fi
193 }
194
195 ##############################################################################
196
197 create_access_control() {
198 local cfg="$1"
199 local subnets subnets4 subnets6
200 local validip4 validip6
201
202 network_get_subnets subnets4 "$cfg"
203 network_get_subnets6 subnets6 "$cfg"
204 subnets="$subnets4 $subnets6"
205
206
207 if [ -n "$subnets" ] ; then
208 for subnet in $subnets ; do
209 validip4=$( valid_subnet4 $subnet )
210 validip6=$( valid_subnet6 $subnet )
211
212
213 if [ "$validip4" = "ok" -o "$validip6" = "ok" ] ; then
214 # For each "network" UCI add "access-control:" white list for queries
215 echo " access-control: $subnet allow" >> $UNBOUND_CONFFILE
216 fi
217 done
218 fi
219 }
220
221 ##############################################################################
222
223 create_domain_insecure() {
224 echo " domain-insecure: \"$1\"" >> $UNBOUND_CONFFILE
225 }
226
227 ##############################################################################
228
229 unbound_mkdir() {
230 local resolvsym=0
231 local dhcp_origin=$( uci get dhcp.@odhcpd[0].leasefile )
232 local dhcp_dir=$( dirname "$dhcp_origin" )
233
234
235 if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then
236 resolvsym=1
237 else
238 /etc/init.d/dnsmasq enabled || resolvsym=1
239 fi
240
241
242 if [ "$resolvsym" -gt 0 ] ; then
243 rm -f /tmp/resolv.conf
244
245
246 {
247 # Set resolver file to local but not if /etc/init.d/dnsmasq will do it.
248 echo "nameserver 127.0.0.1"
249 echo "nameserver ::1"
250 echo "search $UNBOUND_TXT_DOMAIN"
251 } > /tmp/resolv.conf
252 fi
253
254
255 if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" -a ! -d "$dhcp_dir" ] ; then
256 # make sure odhcpd has a directory to write (not done itself, yet)
257 mkdir -p "$dhcp_dir"
258 fi
259
260
261 if [ -f $UNBOUND_KEYFILE ] ; then
262 # Lets not lose RFC 5011 tracking if we don't have to
263 cp -p $UNBOUND_KEYFILE $UNBOUND_KEYFILE.keep
264 fi
265
266
267 # Blind copy /etc/ to /var/lib/
268 mkdir -p $UNBOUND_VARDIR
269 rm -f $UNBOUND_VARDIR/dhcp_*
270 touch $UNBOUND_CONFFILE
271 touch $UNBOUND_SRV_CONF
272 touch $UNBOUND_EXT_CONF
273 cp -p /etc/unbound/* $UNBOUND_VARDIR/
274
275
276 if [ ! -f $UNBOUND_HINTFILE ] ; then
277 if [ -f /usr/share/dns/root.hints ] ; then
278 # Debian-like package dns-root-data
279 cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
280
281 else
282 logger -t unbound -s "iterator will use built-in root hints"
283 fi
284 fi
285
286
287 if [ ! -f $UNBOUND_KEYFILE ] ; then
288 if [ -f /usr/share/dns/root.key ] ; then
289 # Debian-like package dns-root-data
290 cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE
291
292 elif [ -x $UNBOUND_ANCHOR ] ; then
293 $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
294
295 else
296 logger -t unbound -s "validator will use built-in trust anchor"
297 fi
298 fi
299
300
301 if [ -f $UNBOUND_KEYFILE.keep ] ; then
302 # root.key.keep is reused if newest
303 cp -u $UNBOUND_KEYFILE.keep $UNBOUND_KEYFILE
304 rm -f $UNBOUND_KEYFILE.keep
305 fi
306
307
308 # Ensure access and prepare to jail
309 chown -R unbound:unbound $UNBOUND_VARDIR
310 chmod 775 $UNBOUND_VARDIR
311 chmod 664 $UNBOUND_VARDIR/*
312 }
313
314 ##############################################################################
315
316 unbound_control() {
317 if [ "$UNBOUND_B_CONTROL" -gt 0 ] ; then
318 {
319 # Enable remote control tool, but only at local host for security
320 # You can hand write fancier encrypted access with /etc/..._ext.conf
321 echo "remote-control:"
322 echo " control-enable: yes"
323 echo " control-use-cert: no"
324 echo " control-interface: 127.0.0.1"
325 echo " control-interface: ::1"
326 echo
327 } >> $UNBOUND_CONFFILE
328 fi
329
330
331 {
332 # Amend your own extended clauses here like forward zones or disable
333 # above (local, no encryption) and amend your own remote encrypted control
334 echo
335 echo "include: $UNBOUND_EXT_CONF" >> $UNBOUND_CONFFILE
336 echo
337 } >> $UNBOUND_CONFFILE
338 }
339
340 ##############################################################################
341
342 unbound_conf() {
343 local cfg="$1"
344 local rt_mem rt_conn modulestring
345
346
347 {
348 # Make fresh conf file
349 echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
350 echo
351 } > $UNBOUND_CONFFILE
352
353
354 {
355 # No threading
356 echo "server:"
357 echo " username: unbound"
358 echo " num-threads: 1"
359 echo " msg-cache-slabs: 1"
360 echo " rrset-cache-slabs: 1"
361 echo " infra-cache-slabs: 1"
362 echo " key-cache-slabs: 1"
363 echo
364 } >> $UNBOUND_CONFFILE
365
366
367 {
368 # Logging
369 echo " verbosity: 1"
370 echo " statistics-interval: 0"
371 echo " statistics-cumulative: no"
372 echo " extended-statistics: no"
373 echo
374 } >> $UNBOUND_CONFFILE
375
376
377 {
378 # Interfaces (access contol "option local_service")
379 echo " interface: 0.0.0.0"
380 echo " interface: ::0"
381 echo " outgoing-interface: 0.0.0.0"
382 echo " outgoing-interface: ::0"
383 echo
384 } >> $UNBOUND_CONFFILE
385
386
387 case "$UNBOUND_D_PROTOCOL" in
388 ip4_only)
389 {
390 echo " do-ip4: yes"
391 echo " do-ip6: no"
392 } >> $UNBOUND_CONFFILE
393 ;;
394
395 ip6_only)
396 {
397 echo " do-ip4: no"
398 echo " do-ip6: yes"
399 } >> $UNBOUND_CONFFILE
400 ;;
401
402 ip6_prefer)
403 {
404 echo " do-ip4: yes"
405 echo " do-ip6: yes"
406 echo " prefer-ip6: yes"
407 } >> $UNBOUND_CONFFILE
408 ;;
409
410 *)
411 {
412 echo " do-ip4: yes"
413 echo " do-ip6: yes"
414 } >> $UNBOUND_CONFFILE
415 ;;
416 esac
417
418
419 {
420 # protocol level tuning
421 echo " edns-buffer-size: $UNBOUND_N_EDNS_SIZE"
422 echo " msg-buffer-size: 8192"
423 echo " port: $UNBOUND_N_RX_PORT"
424 echo " outgoing-port-permit: 10240-65535"
425 echo
426 } >> $UNBOUND_CONFFILE
427
428
429 {
430 # Other harding and options for an embedded router
431 echo " harden-short-bufsize: yes"
432 echo " harden-large-queries: yes"
433 echo " harden-glue: yes"
434 echo " harden-below-nxdomain: no"
435 echo " harden-referral-path: no"
436 echo " use-caps-for-id: no"
437 echo
438 } >> $UNBOUND_CONFFILE
439
440
441 {
442 # Default Files
443 echo " use-syslog: yes"
444 echo " chroot: \"$UNBOUND_VARDIR\""
445 echo " directory: \"$UNBOUND_VARDIR\""
446 echo " pidfile: \"$UNBOUND_PIDFILE\""
447 } >> $UNBOUND_CONFFILE
448
449
450 if [ -f "$UNBOUND_HINTFILE" ] ; then
451 # Optional hints if found
452 echo " root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE
453 fi
454
455
456 if [ "$UNBOUND_B_DNSSEC" -gt 0 -a -f "$UNBOUND_KEYFILE" ] ; then
457 {
458 echo " auto-trust-anchor-file: \"$UNBOUND_KEYFILE\""
459 echo
460 } >> $UNBOUND_CONFFILE
461
462 else
463 echo >> $UNBOUND_CONFFILE
464 fi
465
466
467 case "$UNBOUND_D_RESOURCE" in
468 # Tiny - Unbound's recommended cheap hardware config
469 tiny) rt_mem=1 ; rt_conn=1 ;;
470 # Small - Half RRCACHE and open ports
471 small) rt_mem=8 ; rt_conn=5 ;;
472 # Medium - Nearly default but with some added balancintg
473 medium) rt_mem=16 ; rt_conn=10 ;;
474 # Large - Double medium
475 large) rt_mem=32 ; rt_conn=10 ;;
476 # Whatever unbound does
477 *) rt_mem=0 ; rt_conn=0 ;;
478 esac
479
480
481 if [ "$rt_mem" -gt 0 ] ; then
482 {
483 # Set memory sizing parameters
484 echo " outgoing-range: $(($rt_conn*64))"
485 echo " num-queries-per-thread: $(($rt_conn*32))"
486 echo " outgoing-num-tcp: $(($rt_conn))"
487 echo " incoming-num-tcp: $(($rt_conn))"
488 echo " rrset-cache-size: $(($rt_mem*256))k"
489 echo " msg-cache-size: $(($rt_mem*128))k"
490 echo " key-cache-size: $(($rt_mem*128))k"
491 echo " neg-cache-size: $(($rt_mem*64))k"
492 echo " infra-cache-numhosts: $(($rt_mem*256))"
493 echo
494 } >> $UNBOUND_CONFFILE
495
496 else
497 logger -t unbound -s "default memory resource consumption"
498 fi
499
500 # Assembly of module-config: options is tricky; order matters
501 modulestring="iterator"
502
503
504 if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
505 if [ ! -f "$UNBOUND_TIMEFILE" -a "$UNBOUND_B_NTP_BOOT" -gt 0 ] ; then
506 # DNSSEC chicken and egg with getting NTP time
507 echo " val-override-date: -1" >> $UNBOUND_CONFFILE
508 fi
509
510
511 {
512 echo " harden-dnssec-stripped: yes"
513 echo " val-clean-additional: yes"
514 echo " ignore-cd-flag: yes"
515 } >> $UNBOUND_CONFFILE
516
517
518 modulestring="validator $modulestring"
519 fi
520
521
522 if [ "$UNBOUND_B_DNS64" -gt 0 ] ; then
523 echo " dns64-prefix: $UNBOUND_IP_DNS64" >> $UNBOUND_CONFFILE
524
525 modulestring="dns64 $modulestring"
526 fi
527
528
529 {
530 # Print final module string
531 echo " module-config: \"$modulestring\""
532 echo
533 } >> $UNBOUND_CONFFILE
534
535
536 if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
537 {
538 # Some query privacy but "strict" will break some name servers
539 echo " qname-minimisation: yes"
540 echo " qname-minimisation-strict: yes"
541 } >> $UNBOUND_CONFFILE
542
543 elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
544 # Minor improvement on query privacy
545 echo " qname-minimisation: yes" >> $UNBOUND_CONFFILE
546
547 else
548 echo " qname-minimisation: no" >> $UNBOUND_CONFFILE
549 fi
550
551
552 case "$UNBOUND_D_RECURSION" in
553 passive)
554 {
555 echo " prefetch: no"
556 echo " prefetch-key: no"
557 echo " target-fetch-policy: \"0 0 0 0 0\""
558 echo
559 } >> $UNBOUND_CONFFILE
560 ;;
561
562 aggressive)
563 {
564 echo " prefetch: yes"
565 echo " prefetch-key: yes"
566 echo " target-fetch-policy: \"3 2 1 0 0\""
567 echo
568 } >> $UNBOUND_CONFFILE
569 ;;
570
571 *)
572 logger -t unbound -s "default recursion configuration"
573 ;;
574 esac
575
576
577 {
578 # Reload records more than 10 hours old
579 # DNSSEC 5 minute bogus cool down before retry
580 # Adaptive infrastructure info kept for 15 minutes
581 echo " cache-min-ttl: $UNBOUND_TTL_MIN"
582 echo " cache-max-ttl: 36000"
583 echo " val-bogus-ttl: 300"
584 echo " infra-host-ttl: 900"
585 echo
586 } >> $UNBOUND_CONFFILE
587
588
589 if [ "$UNBOUND_B_HIDE_BIND" -gt 0 ] ; then
590 {
591 # Block server id and version DNS TXT records
592 echo " hide-identity: yes"
593 echo " hide-version: yes"
594 echo
595 } >> $UNBOUND_CONFFILE
596 fi
597
598
599 if [ "$UNBOUND_B_PRIV_BLCK" -gt 0 ] ; then
600 {
601 # Remove _upstream_ or global reponses with private addresses.
602 # Unbounds own "local zone" and "forward zone" may still use these.
603 # RFC1918, RFC3927, RFC4291, RFC6598, RFC6890
604 echo " private-address: 10.0.0.0/8"
605 echo " private-address: 100.64.0.0/10"
606 echo " private-address: 169.254.0.0/16"
607 echo " private-address: 172.16.0.0/12"
608 echo " private-address: 192.168.0.0/16"
609 echo " private-address: fc00::/8"
610 echo " private-address: fd00::/8"
611 echo " private-address: fe80::/10"
612 } >> $UNBOUND_CONFFILE
613 fi
614
615
616 if [ "$UNBOUND_B_LOCL_BLCK" -gt 0 ] ; then
617 {
618 # Remove DNS reponses from upstream with loopback IP
619 # Black hole DNS method for ad blocking, so consider...
620 echo " private-address: 127.0.0.0/8"
621 echo " private-address: ::1/128"
622 echo
623 } >> $UNBOUND_CONFFILE
624
625 else
626 echo >> $UNBOUND_CONFFILE
627 fi
628
629
630 # Except and accept domains as insecure (DNSSEC); work around broken domains
631 config_list_foreach "$cfg" "domain_insecure" create_domain_insecure
632 echo >> $UNBOUND_CONFFILE
633 }
634
635 ##############################################################################
636
637 unbound_access() {
638 # TODO: Unbound 1.6.0 added "tags" and "views", so we can add tags to
639 # each access-control IP block, and then divert access.
640 # -- "guest" WIFI will not be allowed to see local zone data
641 # -- "child" LAN can black whole a list of domains to http~deadpixel
642
643
644 if [ "$UNBOUND_B_LOCL_SERV" -gt 0 ] ; then
645 # Only respond to queries from which this device has an interface.
646 # Prevent DNS amplification attacks by not responding to the universe.
647 config_load network
648 config_foreach create_access_control interface
649
650
651 {
652 echo " access-control: 127.0.0.0/8 allow"
653 echo " access-control: ::1/128 allow"
654 echo " access-control: fe80::/10 allow"
655 echo
656 } >> $UNBOUND_CONFFILE
657
658 else
659 {
660 echo " access-control: 0.0.0.0/0 allow"
661 echo " access-control: ::0/0 allow"
662 echo
663 } >> $UNBOUND_CONFFILE
664 fi
665
666
667 {
668 # Amend your own "server:" stuff here
669 echo " include: $UNBOUND_SRV_CONF"
670 echo
671 } >> $UNBOUND_CONFFILE
672 }
673
674 ##############################################################################
675
676 unbound_adblock() {
677 # TODO: Unbound 1.6.0 added "tags" and "views"; lets work with adblock team
678 local adb_enabled adb_file
679
680 if [ ! -x /usr/bin/adblock.sh -o ! -x /etc/init.d/adblock ] ; then
681 adb_enabled=0
682 else
683 /etc/init.d/adblock enabled && adb_enabled=1 || adb_enabled=0
684 fi
685
686
687 if [ "$adb_enabled" -gt 0 ] ; then
688 {
689 # Pull in your selected openwrt/pacakges/net/adblock generated lists
690 for adb_file in $UNBOUND_VARDIR/adb_list.* ; do
691 echo " include: $adb_file"
692 done
693 echo
694 } >> $UNBOUND_CONFFILE
695 fi
696 }
697
698 ##############################################################################
699
700 unbound_hostname() {
701 if [ -n "$UNBOUND_TXT_DOMAIN" ] ; then
702 {
703 # TODO: Unbound 1.6.0 added "tags" and "views" and we could make
704 # domains by interface to prevent DNS from "guest" to "home"
705 echo " local-zone: $UNBOUND_TXT_DOMAIN. $UNBOUND_D_DOMAIN_TYPE"
706 echo " domain-insecure: $UNBOUND_TXT_DOMAIN"
707 echo " private-domain: $UNBOUND_TXT_DOMAIN"
708 echo
709 echo " local-zone: $UNBOUND_TXT_HOSTNAME. $UNBOUND_D_DOMAIN_TYPE"
710 echo " domain-insecure: $UNBOUND_TXT_HOSTNAME"
711 echo " private-domain: $UNBOUND_TXT_HOSTNAME"
712 echo
713 } >> $UNBOUND_CONFFILE
714
715
716 case "$UNBOUND_D_DOMAIN_TYPE" in
717 deny|inform_deny|refuse|static)
718 {
719 # avoid upstream involvement in RFC6762 like responses (link only)
720 echo " local-zone: local. $UNBOUND_D_DOMAIN_TYPE"
721 echo " domain-insecure: local"
722 echo " private-domain: local"
723 echo
724 } >> $UNBOUND_CONFFILE
725 ;;
726 esac
727
728
729 if [ "$UNBOUND_D_LAN_FQDN" -gt 0 -o "$UNBOUND_D_WAN_FQDN" -gt 0 ] ; then
730 config_load dhcp
731 config_foreach create_interface_dns dhcp
732 fi
733
734
735 if [ -f "$UNBOUND_DHCP_CONF" ] ; then
736 {
737 # Seed DHCP records because dhcp scripts trigger externally
738 # Incremental Unbound restarts may drop unbound-control add records
739 echo " include: $UNBOUND_DHCP_CONF"
740 echo
741 } >> $UNBOUND_CONFFILE
742 fi
743 fi
744 }
745
746 ##############################################################################
747
748 unbound_uci() {
749 local cfg="$1"
750 local dnsmasqpath hostnm
751
752 hostnm="$(uci_get system.@system[0].hostname | awk '{print tolower($0)}')"
753 UNBOUND_TXT_HOSTNAME=${hostnm:-thisrouter}
754
755 config_get_bool UNBOUND_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0
756 config_get_bool UNBOUND_B_DNS64 "$cfg" dns64 0
757 config_get_bool UNBOUND_B_HIDE_BIND "$cfg" hide_binddata 1
758 config_get_bool UNBOUND_B_LOCL_SERV "$cfg" localservice 1
759 config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0
760 config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0
761 config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0
762 config_get_bool UNBOUND_B_PRIV_BLCK "$cfg" rebind_protection 1
763 config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
764 config_get_bool UNBOUND_B_CONTROL "$cfg" unbound_control 0
765 config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
766 config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
767
768 config_get UNBOUND_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96"
769
770 config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280
771 config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53
772 config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9
773
774 config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static
775 config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none
776 config_get UNBOUND_D_LAN_FQDN "$cfg" add_local_fqdn 0
777 config_get UNBOUND_D_PROTOCOL "$cfg" protocol mixed
778 config_get UNBOUND_D_RECURSION "$cfg" recursion passive
779 config_get UNBOUND_D_RESOURCE "$cfg" resource small
780 config_get UNBOUND_D_WAN_FQDN "$cfg" add_wan_fqdn 0
781
782 config_get UNBOUND_TTL_MIN "$cfg" ttl_min 120
783 config_get UNBOUND_TXT_DOMAIN "$cfg" domain lan
784
785
786 if [ "$UNBOUND_D_DHCP_LINK" = "none" ] ; then
787 config_get_bool UNBOUND_B_DNSMASQ "$cfg" dnsmasq_link_dns 0
788
789
790 if [ "$UNBOUND_B_DNSMASQ" -gt 0 ] ; then
791 UNBOUND_D_DHCP_LINK=dnsmasq
792 logger -t unbound -s "Please use 'dhcp_link' selector instead"
793 fi
794 fi
795
796
797 if [ "$UNBOUND_D_DHCP_LINK" = "dnsmasq" ] ; then
798 if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then
799 UNBOUND_D_DHCP_LINK=none
800 else
801 /etc/init.d/dnsmasq enabled || UNBOUND_D_DHCP_LINK=none
802 fi
803
804
805 if [ "$UNBOUND_D_DHCP_LINK" = "none" ] ; then
806 logger -t unbound -s "cannot forward to dnsmasq"
807 fi
808 fi
809
810
811 if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" ] ; then
812 if [ ! -x /usr/sbin/odhcpd -o ! -x /etc/init.d/odhcpd ] ; then
813 UNBOUND_D_DHCP_LINK=none
814 else
815 /etc/init.d/odhcpd enabled || UNBOUND_D_DHCP_LINK=none
816 fi
817
818
819 if [ "$UNBOUND_D_DHCP_LINK" = "none" ] ; then
820 logger -t unbound -s "cannot receive records from odhcpd"
821 fi
822 fi
823
824
825 if [ "$UNBOUND_N_EDNS_SIZE" -lt 512 \
826 -o 4096 -lt "$UNBOUND_N_EDNS_SIZE" ] ; then
827 # exceeds range, back to default
828 UNBOUND_N_EDNS_SIZE=1280
829 fi
830
831
832 if [ "$UNBOUND_N_RX_PORT" -lt 1024 \
833 -o 10240 -lt "$UNBOUND_N_RX_PORT" ] ; then
834 # special port or in 5 digits, back to default
835 UNBOUND_N_RX_PORT=53
836 fi
837
838
839 if [ "$UNBOUND_TTL_MIN" -gt 1800 ] ; then
840 # that could have had awful side effects
841 UNBOUND_TTL_MIN=300
842 fi
843 }
844
845 ##############################################################################
846
847 unbound_start() {
848 config_load unbound
849 config_foreach unbound_uci unbound
850 unbound_mkdir
851
852
853 if [ "$UNBOUND_B_MAN_CONF" -eq 0 ] ; then
854 unbound_conf
855 unbound_access
856 unbound_adblock
857
858 if [ "$UNBOUND_D_DHCP_LINK" = "dnsmasq" ] ; then
859 dnsmasq_link
860 else
861 unbound_hostname
862 fi
863
864 unbound_control
865 fi
866 }
867
868 ##############################################################################
869
870 unbound_stop() {
871 local resolvsym=0
872
873 rootzone_update
874
875
876 if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then
877 resolvsym=1
878 else
879 /etc/init.d/dnsmasq enabled || resolvsym=1
880 fi
881
882
883 if [ "$resolvsym" -gt 0 ] ; then
884 # set resolver file to normal, but don't stomp on dnsmasq
885 rm -f /tmp/resolv.conf
886 ln -s /tmp/resolv.conf.auto /tmp/resolv.conf
887 fi
888
889
890 # Unbound has a log dump which takes time; don't overlap a "restart"
891 sleep 1
892 }
893
894 ##############################################################################
895
Mirror of packages feed