2 ##############################################################################
4 # This program is free software; you can redistribute it and/or modify
5 # it under the terms of the GNU General Public License version 2 as
6 # published by the Free Software Foundation.
8 # This program is distributed in the hope that it will be useful,
9 # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 # GNU General Public License for more details.
13 # Copyright (C) 2016 Eric Luehrsen
15 ##############################################################################
17 # This builds the basic UCI components currently supported for Unbound. It is
18 # intentionally NOT comprehensive and bundles a lot of options. The UCI is to
19 # be a simpler presentation of the total Unbound conf set.
21 ##############################################################################
24 UNBOUND_B_SLAAC6_MAC
=0
37 UNBOUND_D_DOMAIN_TYPE
=static
38 UNBOUND_D_DHCP_LINK
=none
40 UNBOUND_D_PROTOCOL
=mixed
41 UNBOUND_D_RESOURCE
=small
42 UNBOUND_D_RECURSION
=passive
45 UNBOUND_IP_DNS64
="64:ff9b::/96"
47 UNBOUND_N_EDNS_SIZE
=1280
48 UNBOUND_N_FWD_PORTS
=""
54 UNBOUND_TXT_DOMAIN
=lan
55 UNBOUND_TXT_FWD_ZONE
=""
56 UNBOUND_TXT_HOSTNAME
=thisrouter
58 ##############################################################################
60 UNBOUND_LIBDIR
=/usr
/lib
/unbound
61 UNBOUND_VARDIR
=/var
/lib
/unbound
63 UNBOUND_PIDFILE
=/var
/run
/unbound.pid
65 UNBOUND_SRV_CONF
=$UNBOUND_VARDIR/unbound_srv.conf
66 UNBOUND_EXT_CONF
=$UNBOUND_VARDIR/unbound_ext.conf
67 UNBOUND_DHCP_CONF
=$UNBOUND_VARDIR/unbound_dhcp.conf
68 UNBOUND_CONFFILE
=$UNBOUND_VARDIR/unbound.conf
70 UNBOUND_KEYFILE
=$UNBOUND_VARDIR/root.key
71 UNBOUND_HINTFILE
=$UNBOUND_VARDIR/root.hints
72 UNBOUND_TIMEFILE
=$UNBOUND_VARDIR/unbound.
time
74 ##############################################################################
76 UNBOUND_ANCHOR
=/usr
/sbin
/unbound-anchor
77 UNBOUND_CONTROL
=/usr
/sbin
/unbound-control
78 UNBOUND_CONTROL_CFG
="$UNBOUND_CONTROL -c $UNBOUND_CONFFILE"
80 ##############################################################################
83 .
/lib
/functions
/network.sh
85 .
$UNBOUND_LIBDIR/dnsmasq.sh
86 .
$UNBOUND_LIBDIR/iptools.sh
87 .
$UNBOUND_LIBDIR/rootzone.sh
89 ##############################################################################
91 create_interface_dns
() {
93 local ipcommand logint ignore ifname ifdashname
94 local name names address addresses
95 local ulaprefix if_fqdn host_fqdn mode mode_ptr
97 # Create local-data: references for this hosts interfaces (router).
98 config_get logint
"$cfg" interface
99 config_get_bool ignore
"$cfg" ignore
0
100 network_get_device ifname
"$cfg"
102 ifdashname
="${ifname//./-}"
103 ipcommand
="ip -o address show $ifname"
104 addresses
="$($ipcommand | awk '/inet/{sub(/\/.*/,"",$4); print $4}')"
105 ulaprefix
="$(uci_get network @globals[0] ula_prefix)"
106 host_fqdn
="$UNBOUND_TXT_HOSTNAME.$UNBOUND_TXT_DOMAIN"
107 if_fqdn
="$ifdashname.$host_fqdn"
110 if [ -z "${ulaprefix%%:/*}" ] ; then
111 # Nonsense so this option isn't globbed below
112 ulaprefix
="fdno:such:addr::/48"
116 if [ "$ignore" -gt 0 ] ; then
117 mode
="$UNBOUND_D_WAN_FQDN"
119 mode
="$UNBOUND_D_LAN_FQDN"
125 mode_ptr
="$host_fqdn"
126 names
="$host_fqdn $UNBOUND_TXT_HOSTNAME"
130 if [ -z "$ifdashname" ] ; then
131 # race conditions at init can rarely cause a blank device return
132 # the record format is invalid and Unbound won't load the conf file
133 mode_ptr
="$host_fqdn"
134 names
="$host_fqdn $UNBOUND_TXT_HOSTNAME"
137 names
="$if_fqdn $host_fqdn $UNBOUND_TXT_HOSTNAME"
142 mode_ptr
="$UNBOUND_TXT_HOSTNAME"
143 names
="$UNBOUND_TXT_HOSTNAME"
148 if [ "$mode" -gt 1 ] ; then
150 for address
in $addresses ; do
153 echo " # note link address $address"
157 # GA and ULA IP6 for HOST IN AAA records (ip command is robust)
158 for name
in $names ; do
159 echo " local-data: \"$name. 120 IN AAAA $address\""
161 echo " local-data-ptr: \"$address 120 $mode_ptr\""
165 # Old fashioned HOST IN A records
166 for name
in $names ; do
167 echo " local-data: \"$name. 120 IN A $address\""
169 echo " local-data-ptr: \"$address 120 $mode_ptr\""
174 } >> $UNBOUND_CONFFILE
176 elif [ "$mode" -gt 0 ] ; then
178 for address
in $addresses ; do
181 echo " # note link address $address"
184 "${ulaprefix%%:/*}"*)
185 # Only this networks ULA and only hostname
186 echo " local-data: \"$UNBOUND_TXT_HOSTNAME. 120 IN AAAA $address\""
187 echo " local-data-ptr: \"$address 120 $UNBOUND_TXT_HOSTNAME\""
191 echo " local-data: \"$UNBOUND_TXT_HOSTNAME. 120 IN A $address\""
192 echo " local-data-ptr: \"$address 120 $UNBOUND_TXT_HOSTNAME\""
197 } >> $UNBOUND_CONFFILE
201 ##############################################################################
203 create_access_control
() {
205 local subnets subnets4 subnets6
206 local validip4 validip6
208 network_get_subnets subnets4
"$cfg"
209 network_get_subnets6 subnets6
"$cfg"
210 subnets
="$subnets4 $subnets6"
213 if [ -n "$subnets" ] ; then
214 for subnet
in $subnets ; do
215 validip4
=$
( valid_subnet4
$subnet )
216 validip6
=$
( valid_subnet6
$subnet )
219 if [ "$validip4" = "ok" -o "$validip6" = "ok" ] ; then
220 # For each "network" UCI add "access-control:" white list for queries
221 echo " access-control: $subnet allow" >> $UNBOUND_CONFFILE
227 ##############################################################################
229 create_domain_insecure
() {
230 echo " domain-insecure: \"$1\"" >> $UNBOUND_CONFFILE
233 ##############################################################################
237 local dhcp_origin
=$
( uci get dhcp.@odhcpd
[0].leasefile
)
238 local dhcp_dir
=$
( dirname "$dhcp_origin" )
242 if [ ! -x /usr
/sbin
/dnsmasq
-o ! -x /etc
/init.d
/dnsmasq
] ; then
245 /etc
/init.d
/dnsmasq enabled || resolvsym
=1
249 if [ "$resolvsym" -gt 0 ] ; then
250 rm -f /tmp
/resolv.conf
254 # Set resolver file to local but not if /etc/init.d/dnsmasq will do it.
255 echo "nameserver 127.0.0.1"
256 echo "nameserver ::1"
257 echo "search $UNBOUND_TXT_DOMAIN"
262 if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" -a ! -d "$dhcp_dir" ] ; then
263 # make sure odhcpd has a directory to write (not done itself, yet)
268 if [ -f $UNBOUND_KEYFILE ] ; then
269 filestuff
=$
( cat $UNBOUND_KEYFILE )
273 *"state=2 [ VALID ]"*)
274 # Lets not lose RFC 5011 tracking if we don't have to
275 cp -p $UNBOUND_KEYFILE $UNBOUND_KEYFILE.keep
281 # Blind copy /etc/ to /var/lib/
282 mkdir
-p $UNBOUND_VARDIR
283 rm -f $UNBOUND_VARDIR/dhcp_
*
284 touch $UNBOUND_CONFFILE
285 touch $UNBOUND_SRV_CONF
286 touch $UNBOUND_EXT_CONF
287 cp -p /etc
/unbound
/* $UNBOUND_VARDIR/
290 if [ ! -f $UNBOUND_HINTFILE ] ; then
291 if [ -f /usr
/share
/dns
/root.hints
] ; then
292 # Debian-like package dns-root-data
293 cp -p /usr
/share
/dns
/root.hints
$UNBOUND_HINTFILE
296 logger
-t unbound
-s "iterator will use built-in root hints"
301 if [ ! -f $UNBOUND_KEYFILE ] ; then
302 if [ -f /usr
/share
/dns
/root.key
] ; then
303 # Debian-like package dns-root-data
304 cp -p /usr
/share
/dns
/root.key
$UNBOUND_KEYFILE
306 elif [ -x $UNBOUND_ANCHOR ] ; then
307 $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
310 logger
-t unbound
-s "validator will use built-in trust anchor"
315 if [ -f $UNBOUND_KEYFILE.keep
] ; then
316 # root.key.keep is reused if newest
317 cp -u $UNBOUND_KEYFILE.keep
$UNBOUND_KEYFILE
318 rm -f $UNBOUND_KEYFILE.keep
322 # Ensure access and prepare to jail
323 chown
-R unbound
:unbound
$UNBOUND_VARDIR
324 chmod 775 $UNBOUND_VARDIR
325 chmod 664 $UNBOUND_VARDIR/*
328 ##############################################################################
331 if [ "$UNBOUND_B_CONTROL" -gt 0 ] ; then
333 # Enable remote control tool, but only at local host for security
334 # You can hand write fancier encrypted access with /etc/..._ext.conf
335 echo "remote-control:"
336 echo " control-enable: yes"
337 echo " control-use-cert: no"
338 echo " control-interface: 127.0.0.1"
339 echo " control-interface: ::1"
341 } >> $UNBOUND_CONFFILE
346 # Amend your own extended clauses here like forward zones or disable
347 # above (local, no encryption) and amend your own remote encrypted control
349 echo "include: $UNBOUND_EXT_CONF" >> $UNBOUND_CONFFILE
351 } >> $UNBOUND_CONFFILE
354 ##############################################################################
358 local rt_mem rt_conn modulestring
362 # Make fresh conf file
363 echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
365 } > $UNBOUND_CONFFILE
371 echo " username: unbound"
372 echo " num-threads: 1"
373 echo " msg-cache-slabs: 1"
374 echo " rrset-cache-slabs: 1"
375 echo " infra-cache-slabs: 1"
376 echo " key-cache-slabs: 1"
378 } >> $UNBOUND_CONFFILE
384 echo " statistics-interval: 0"
385 echo " statistics-cumulative: no"
386 echo " extended-statistics: no"
388 } >> $UNBOUND_CONFFILE
392 # Interfaces (access contol "option local_service")
393 echo " interface: 0.0.0.0"
394 echo " interface: ::0"
395 echo " outgoing-interface: 0.0.0.0"
396 echo " outgoing-interface: ::0"
398 } >> $UNBOUND_CONFFILE
401 case "$UNBOUND_D_PROTOCOL" in
406 } >> $UNBOUND_CONFFILE
413 } >> $UNBOUND_CONFFILE
420 echo " prefer-ip6: yes"
421 } >> $UNBOUND_CONFFILE
428 } >> $UNBOUND_CONFFILE
434 # protocol level tuning
435 echo " edns-buffer-size: $UNBOUND_N_EDNS_SIZE"
436 echo " msg-buffer-size: 8192"
437 echo " port: $UNBOUND_N_RX_PORT"
438 echo " outgoing-port-permit: 10240-65535"
440 } >> $UNBOUND_CONFFILE
444 # Other harding and options for an embedded router
445 echo " harden-short-bufsize: yes"
446 echo " harden-large-queries: yes"
447 echo " harden-glue: yes"
448 echo " harden-below-nxdomain: no"
449 echo " harden-referral-path: no"
450 echo " use-caps-for-id: no"
452 } >> $UNBOUND_CONFFILE
457 echo " use-syslog: yes"
458 echo " chroot: \"$UNBOUND_VARDIR\""
459 echo " directory: \"$UNBOUND_VARDIR\""
460 echo " pidfile: \"$UNBOUND_PIDFILE\""
461 } >> $UNBOUND_CONFFILE
464 if [ -f "$UNBOUND_HINTFILE" ] ; then
465 # Optional hints if found
466 echo " root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE
470 if [ "$UNBOUND_B_DNSSEC" -gt 0 -a -f "$UNBOUND_KEYFILE" ] ; then
472 echo " auto-trust-anchor-file: \"$UNBOUND_KEYFILE\""
474 } >> $UNBOUND_CONFFILE
477 echo >> $UNBOUND_CONFFILE
481 case "$UNBOUND_D_RESOURCE" in
482 # Tiny - Unbound's recommended cheap hardware config
483 tiny
) rt_mem
=1 ; rt_conn
=1 ;;
484 # Small - Half RRCACHE and open ports
485 small
) rt_mem
=8 ; rt_conn
=5 ;;
486 # Medium - Nearly default but with some added balancintg
487 medium
) rt_mem
=16 ; rt_conn
=10 ;;
488 # Large - Double medium
489 large
) rt_mem
=32 ; rt_conn
=10 ;;
490 # Whatever unbound does
491 *) rt_mem
=0 ; rt_conn
=0 ;;
495 if [ "$rt_mem" -gt 0 ] ; then
497 # Set memory sizing parameters
498 echo " outgoing-range: $(($rt_conn*64))"
499 echo " num-queries-per-thread: $(($rt_conn*32))"
500 echo " outgoing-num-tcp: $(($rt_conn))"
501 echo " incoming-num-tcp: $(($rt_conn))"
502 echo " rrset-cache-size: $(($rt_mem*256))k"
503 echo " msg-cache-size: $(($rt_mem*128))k"
504 echo " key-cache-size: $(($rt_mem*128))k"
505 echo " neg-cache-size: $(($rt_mem*64))k"
506 echo " infra-cache-numhosts: $(($rt_mem*256))"
508 } >> $UNBOUND_CONFFILE
511 logger
-t unbound
-s "default memory resource consumption"
514 # Assembly of module-config: options is tricky; order matters
515 modulestring
="iterator"
518 if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
519 if [ ! -f "$UNBOUND_TIMEFILE" -a "$UNBOUND_B_NTP_BOOT" -gt 0 ] ; then
520 # DNSSEC chicken and egg with getting NTP time
521 echo " val-override-date: -1" >> $UNBOUND_CONFFILE
526 echo " harden-dnssec-stripped: yes"
527 echo " val-clean-additional: yes"
528 echo " ignore-cd-flag: yes"
529 } >> $UNBOUND_CONFFILE
532 modulestring
="validator $modulestring"
536 if [ "$UNBOUND_B_DNS64" -gt 0 ] ; then
537 echo " dns64-prefix: $UNBOUND_IP_DNS64" >> $UNBOUND_CONFFILE
539 modulestring
="dns64 $modulestring"
544 # Print final module string
545 echo " module-config: \"$modulestring\""
547 } >> $UNBOUND_CONFFILE
550 if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
552 # Some query privacy but "strict" will break some name servers
553 echo " qname-minimisation: yes"
554 echo " qname-minimisation-strict: yes"
555 } >> $UNBOUND_CONFFILE
557 elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
558 # Minor improvement on query privacy
559 echo " qname-minimisation: yes" >> $UNBOUND_CONFFILE
562 echo " qname-minimisation: no" >> $UNBOUND_CONFFILE
566 case "$UNBOUND_D_RECURSION" in
570 echo " prefetch-key: no"
571 echo " target-fetch-policy: \"0 0 0 0 0\""
573 } >> $UNBOUND_CONFFILE
578 echo " prefetch: yes"
579 echo " prefetch-key: yes"
580 echo " target-fetch-policy: \"3 2 1 0 0\""
582 } >> $UNBOUND_CONFFILE
586 logger
-t unbound
-s "default recursion configuration"
592 # Reload records more than 10 hours old
593 # DNSSEC 5 minute bogus cool down before retry
594 # Adaptive infrastructure info kept for 15 minutes
595 echo " cache-min-ttl: $UNBOUND_TTL_MIN"
596 echo " cache-max-ttl: 36000"
597 echo " val-bogus-ttl: 300"
598 echo " infra-host-ttl: 900"
600 } >> $UNBOUND_CONFFILE
603 if [ "$UNBOUND_B_HIDE_BIND" -gt 0 ] ; then
605 # Block server id and version DNS TXT records
606 echo " hide-identity: yes"
607 echo " hide-version: yes"
609 } >> $UNBOUND_CONFFILE
613 if [ "$UNBOUND_B_PRIV_BLCK" -gt 0 ] ; then
615 # Remove _upstream_ or global reponses with private addresses.
616 # Unbounds own "local zone" and "forward zone" may still use these.
617 # RFC1918, RFC3927, RFC4291, RFC6598, RFC6890
618 echo " private-address: 10.0.0.0/8"
619 echo " private-address: 100.64.0.0/10"
620 echo " private-address: 169.254.0.0/16"
621 echo " private-address: 172.16.0.0/12"
622 echo " private-address: 192.168.0.0/16"
623 echo " private-address: fc00::/8"
624 echo " private-address: fd00::/8"
625 echo " private-address: fe80::/10"
626 } >> $UNBOUND_CONFFILE
630 if [ "$UNBOUND_B_LOCL_BLCK" -gt 0 ] ; then
632 # Remove DNS reponses from upstream with loopback IP
633 # Black hole DNS method for ad blocking, so consider...
634 echo " private-address: 127.0.0.0/8"
635 echo " private-address: ::1/128"
637 } >> $UNBOUND_CONFFILE
640 echo >> $UNBOUND_CONFFILE
644 # Except and accept domains as insecure (DNSSEC); work around broken domains
645 config_list_foreach
"$cfg" "domain_insecure" create_domain_insecure
646 echo >> $UNBOUND_CONFFILE
649 ##############################################################################
652 # TODO: Unbound 1.6.0 added "tags" and "views", so we can add tags to
653 # each access-control IP block, and then divert access.
654 # -- "guest" WIFI will not be allowed to see local zone data
655 # -- "child" LAN can black whole a list of domains to http~deadpixel
658 if [ "$UNBOUND_B_LOCL_SERV" -gt 0 ] ; then
659 # Only respond to queries from which this device has an interface.
660 # Prevent DNS amplification attacks by not responding to the universe.
662 config_foreach create_access_control interface
666 echo " access-control: 127.0.0.0/8 allow"
667 echo " access-control: ::1/128 allow"
668 echo " access-control: fe80::/10 allow"
670 } >> $UNBOUND_CONFFILE
674 echo " access-control: 0.0.0.0/0 allow"
675 echo " access-control: ::0/0 allow"
677 } >> $UNBOUND_CONFFILE
682 # Amend your own "server:" stuff here
683 echo " include: $UNBOUND_SRV_CONF"
685 } >> $UNBOUND_CONFFILE
688 ##############################################################################
691 # TODO: Unbound 1.6.0 added "tags" and "views"; lets work with adblock team
692 local adb_enabled adb_file
694 if [ ! -x /usr
/bin
/adblock.sh
-o ! -x /etc
/init.d
/adblock
] ; then
697 /etc
/init.d
/adblock enabled
&& adb_enabled
=1 || adb_enabled
=0
701 if [ "$adb_enabled" -gt 0 ] ; then
703 # Pull in your selected openwrt/pacakges/net/adblock generated lists
704 for adb_file
in $UNBOUND_VARDIR/adb_list.
* ; do
705 echo " include: $adb_file"
708 } >> $UNBOUND_CONFFILE
712 ##############################################################################
715 if [ -n "$UNBOUND_TXT_DOMAIN" ] ; then
717 # TODO: Unbound 1.6.0 added "tags" and "views" and we could make
718 # domains by interface to prevent DNS from "guest" to "home"
719 echo " local-zone: $UNBOUND_TXT_DOMAIN. $UNBOUND_D_DOMAIN_TYPE"
720 echo " domain-insecure: $UNBOUND_TXT_DOMAIN"
721 echo " private-domain: $UNBOUND_TXT_DOMAIN"
723 echo " local-zone: $UNBOUND_TXT_HOSTNAME. $UNBOUND_D_DOMAIN_TYPE"
724 echo " domain-insecure: $UNBOUND_TXT_HOSTNAME"
725 echo " private-domain: $UNBOUND_TXT_HOSTNAME"
727 } >> $UNBOUND_CONFFILE
730 case "$UNBOUND_D_DOMAIN_TYPE" in
731 deny|inform_deny|refuse|static
)
733 # avoid upstream involvement in RFC6762 like responses (link only)
734 echo " local-zone: local. $UNBOUND_D_DOMAIN_TYPE"
735 echo " domain-insecure: local"
736 echo " private-domain: local"
738 } >> $UNBOUND_CONFFILE
743 if [ "$UNBOUND_D_LAN_FQDN" -gt 0 -o "$UNBOUND_D_WAN_FQDN" -gt 0 ] ; then
745 config_foreach create_interface_dns dhcp
749 if [ -f "$UNBOUND_DHCP_CONF" ] ; then
751 # Seed DHCP records because dhcp scripts trigger externally
752 # Incremental Unbound restarts may drop unbound-control add records
753 echo " include: $UNBOUND_DHCP_CONF"
755 } >> $UNBOUND_CONFFILE
760 ##############################################################################
764 local dnsmasqpath hostnm
766 hostnm
="$(uci_get system.@system[0].hostname | awk '{print tolower($0)}')"
767 UNBOUND_TXT_HOSTNAME
=${hostnm:-thisrouter}
769 config_get_bool UNBOUND_B_SLAAC6_MAC
"$cfg" dhcp4_slaac6
0
770 config_get_bool UNBOUND_B_DNS64
"$cfg" dns64
0
771 config_get_bool UNBOUND_B_HIDE_BIND
"$cfg" hide_binddata
1
772 config_get_bool UNBOUND_B_LOCL_SERV
"$cfg" localservice
1
773 config_get_bool UNBOUND_B_MAN_CONF
"$cfg" manual_conf
0
774 config_get_bool UNBOUND_B_QUERY_MIN
"$cfg" query_minimize
0
775 config_get_bool UNBOUND_B_QRY_MINST
"$cfg" query_min_strict
0
776 config_get_bool UNBOUND_B_PRIV_BLCK
"$cfg" rebind_protection
1
777 config_get_bool UNBOUND_B_LOCL_BLCK
"$cfg" rebind_localhost
0
778 config_get_bool UNBOUND_B_CONTROL
"$cfg" unbound_control
0
779 config_get_bool UNBOUND_B_DNSSEC
"$cfg" validator
0
780 config_get_bool UNBOUND_B_NTP_BOOT
"$cfg" validator_ntp
1
782 config_get UNBOUND_IP_DNS64
"$cfg" dns64_prefix
"64:ff9b::/96"
784 config_get UNBOUND_N_EDNS_SIZE
"$cfg" edns_size
1280
785 config_get UNBOUND_N_RX_PORT
"$cfg" listen_port
53
786 config_get UNBOUND_N_ROOT_AGE
"$cfg" root_age
9
788 config_get UNBOUND_D_DOMAIN_TYPE
"$cfg" domain_type static
789 config_get UNBOUND_D_DHCP_LINK
"$cfg" dhcp_link none
790 config_get UNBOUND_D_LAN_FQDN
"$cfg" add_local_fqdn
0
791 config_get UNBOUND_D_PROTOCOL
"$cfg" protocol mixed
792 config_get UNBOUND_D_RECURSION
"$cfg" recursion passive
793 config_get UNBOUND_D_RESOURCE
"$cfg" resource small
794 config_get UNBOUND_D_WAN_FQDN
"$cfg" add_wan_fqdn
0
796 config_get UNBOUND_TTL_MIN
"$cfg" ttl_min
120
797 config_get UNBOUND_TXT_DOMAIN
"$cfg" domain lan
800 if [ "$UNBOUND_D_DHCP_LINK" = "none" ] ; then
801 config_get_bool UNBOUND_B_DNSMASQ
"$cfg" dnsmasq_link_dns
0
804 if [ "$UNBOUND_B_DNSMASQ" -gt 0 ] ; then
805 UNBOUND_D_DHCP_LINK
=dnsmasq
806 logger
-t unbound
-s "Please use 'dhcp_link' selector instead"
811 if [ "$UNBOUND_D_DHCP_LINK" = "dnsmasq" ] ; then
812 if [ ! -x /usr
/sbin
/dnsmasq
-o ! -x /etc
/init.d
/dnsmasq
] ; then
813 UNBOUND_D_DHCP_LINK
=none
815 /etc
/init.d
/dnsmasq enabled || UNBOUND_D_DHCP_LINK
=none
819 if [ "$UNBOUND_D_DHCP_LINK" = "none" ] ; then
820 logger
-t unbound
-s "cannot forward to dnsmasq"
825 if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" ] ; then
826 if [ ! -x /usr
/sbin
/odhcpd
-o ! -x /etc
/init.d
/odhcpd
] ; then
827 UNBOUND_D_DHCP_LINK
=none
829 /etc
/init.d
/odhcpd enabled || UNBOUND_D_DHCP_LINK
=none
833 if [ "$UNBOUND_D_DHCP_LINK" = "none" ] ; then
834 logger
-t unbound
-s "cannot receive records from odhcpd"
839 if [ "$UNBOUND_N_EDNS_SIZE" -lt 512 \
840 -o 4096 -lt "$UNBOUND_N_EDNS_SIZE" ] ; then
841 # exceeds range, back to default
842 UNBOUND_N_EDNS_SIZE
=1280
846 if [ "$UNBOUND_N_RX_PORT" -lt 1024 \
847 -o 10240 -lt "$UNBOUND_N_RX_PORT" ] ; then
848 # special port or in 5 digits, back to default
853 if [ "$UNBOUND_TTL_MIN" -gt 1800 ] ; then
854 # that could have had awful side effects
859 ##############################################################################
863 config_foreach unbound_uci unbound
867 if [ "$UNBOUND_B_MAN_CONF" -eq 0 ] ; then
872 if [ "$UNBOUND_D_DHCP_LINK" = "dnsmasq" ] ; then
882 ##############################################################################
890 if [ ! -x /usr
/sbin
/dnsmasq
-o ! -x /etc
/init.d
/dnsmasq
] ; then
893 /etc
/init.d
/dnsmasq enabled || resolvsym
=1
897 if [ "$resolvsym" -gt 0 ] ; then
898 # set resolver file to normal, but don't stomp on dnsmasq
899 rm -f /tmp
/resolv.conf
900 ln -s /tmp
/resolv.conf.auto
/tmp
/resolv.conf
904 ##############################################################################