PKG_NAME:=unbound
PKG_VERSION:=1.6.0
-PKG_RELEASE:=2
+PKG_RELEASE:=3
PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE
define Package/unbound/conffiles
/etc/config/unbound
/etc/unbound/unbound.conf
+/etc/unbound/unbound_ext.conf
+/etc/unbound/unbound_srv.conf
endef
define Build/InstallDev
$(PKG_INSTALL_DIR)/etc/unbound/unbound.conf \
$(1)/etc/unbound/unbound.conf
$(INSTALL_DATA) ./files/root.key $(1)/etc/unbound/root.key
+ $(INSTALL_DATA) ./files/unbound_ext.conf $(1)/etc/unbound/unbound_ext.conf
+ $(INSTALL_DATA) ./files/unbound_srv.conf $(1)/etc/unbound/unbound_srv.conf
$(INSTALL_DIR) $(1)/etc/config
$(INSTALL_DATA) ./files/unbound.uci $(1)/etc/config/unbound
$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
- $(INSTALL_BIN) ./files/unbound.iface $(1)/etc/hotplug.d/iface/25-unbound
+ $(INSTALL_BIN) ./files/unbound.iface $(1)/etc/hotplug.d/iface/25-unbound
$(INSTALL_DIR) $(1)/etc/hotplug.d/ntp
- $(INSTALL_BIN) ./files/unbound.ntpd $(1)/etc/hotplug.d/ntp/25-unbound
+ $(INSTALL_BIN) ./files/unbound.ntpd $(1)/etc/hotplug.d/ntp/25-unbound
$(INSTALL_DIR) $(1)/etc/init.d
- $(INSTALL_BIN) ./files/unbound.init $(1)/etc/init.d/unbound
+ $(INSTALL_BIN) ./files/unbound.init $(1)/etc/init.d/unbound
$(INSTALL_DIR) $(1)/usr/lib/unbound
+ $(INSTALL_BIN) ./files/odhcpd.sh $(1)/usr/lib/unbound/odhcpd.sh
+ $(INSTALL_DATA) ./files/odhcpd.awk $(1)/usr/lib/unbound/odhcpd.awk
$(INSTALL_DATA) ./files/dnsmasq.sh $(1)/usr/lib/unbound/dnsmasq.sh
$(INSTALL_DATA) ./files/iptools.sh $(1)/usr/lib/unbound/iptools.sh
$(INSTALL_DATA) ./files/rootzone.sh $(1)/usr/lib/unbound/rootzone.sh
$(eval $(call BuildPackage,unbound-control-setup))
$(eval $(call BuildPackage,unbound-host))
$(eval $(call BuildPackage,libunbound))
+
This package builds on Unbounds capabilities with OpenWrt UCI. Not every Unbound option is in UCI, but rather, UCI simplifies the combination of related options. Unbounds native options are bundled and balanced within a smaller set of choices. Options include resources, DNSSEC, access control, and some TTL tweaking. The UCI also provides an escape option and work at the raw "unbound.conf" level.
-## Work with dnsmasq
-Some UCI options will help Unbound and dnsmasq work together in **parallel**. The default DHCP and DNS stub resolver in OpenWrt is dnsmasq, and it will continue to serve this purpose. The following partial examples will make Unbound the primary DNS server, and make dnsmasq only provide DNS to local DHCP.
+## HOW TO Integrate with DHCP
+Some UCI options and scripts help Unbound to work with DHCP servers to load the local DNS. The examples provided here are serial dnsmasq-unbound, parallel dnsmasq-unbound, and unbound scripted with odhcpd.
+
+### Serial dnsmasq
+In this case, dnsmasq is not changed *much* with respect to the default OpenWRT/LEDE configuration. Here dnsmasq is forced to use the local Unbound instance as the lone upstream DNS server, instead of your ISP. This may be the easiest implementation, but performance degradation can occur in high volume networks. dnsmasq and Unbound effectively have the same information in memory, and all transfers are double handled.
**/etc/config/unbound**:
config unbound
- option dnsmasq_link_dns '1'
+ option add_local_fqdn '0'
+ option add_wan_fqdn '0'
+ option dhcp_link 'none'
+ # dnsmasq should not forward your domain to unbound, but if...
+ option domain 'yourdomain'
+ option domain_type 'refuse'
+ option listen_port '1053'
...
**/etc/config/dhcp**:
config dnsmasq
- option option noresolv '1'
- option resolvfile '<empty>'
+ option noresolv '1'
+ option resolvfile ''
+ option port '53'
+ list server '127.0.0.1#1053'
+ list server '::1#1053'
+ ...
+
+### Parallel dnsmasq
+In this case, Unbound serves your local network directly for all purposes. It will look over to dnsmasq for DHCP-DNS resolution. Unbound is generally accessible on port 53, and dnsmasq is only accessed at 127.0.0.1:1053 by Unbound. Although you can dig/drill/nslookup remotely with the proper directives.
+
+**/etc/config/unbound**:
+
+ config unbound
+ option dhcp_link 'dnsmasq'
+ option listen_port '53'
+ ...
+
+**/etc/config/dhcp**:
+
+ config dnsmasq
+ option domain 'yourdomain'
+ option noresolv '1'
+ option resolvfile ''
option port '1053'
...
- config dhcp '<name>'
+ config dhcp 'lan'
list dhcp_option 'option:dns-server,0.0.0.0'
...
-Alternatives are mentioned here for completeness. DHCP event scripts which write host records are difficult to formulate for Unbound, NSD, or Bind. These programs sometimes need to be forcefully reloaded with host configuration, and reloads can bust cache. **Serial** configuration between dnsmasq and Unbound can be made on 127.0.0.1 with an off-port like #1053. This may double cache storage and incur unnecessary transfer delay.
+### Only odhcpd
+Why use dnsmasq you might ask? Well test, try, and review. You can have Unbound and odhcpd only. When odhcpd configures as DHCP lease, it will call a script. The script provided with Unbound will read the lease file and enter DHCP-DNS records as much as dnsmasq once did.
+
+*note: You must install unbound-control. The lease file loads are done without starting, stopping, or re-writing conf files.*
+
+*note: if you run the default LEDE/OpenWrt setup with dnsmasq and odhcpd, then use the link to dnsmasq. Unbound will pole dnsmasq. dnsmasq merges its lease file and odhcpd lease file.*
+
+**/etc/config/unbound**:
+
+ config unbound
+ # name your router in DNS
+ option add_local_fqdn '1'
+ option add_wan_fqdn '1'
+ option dhcp_link 'odhcpd'
+ # add SLAAC inferred from DHCPv4
+ option dhcp4_slaac6 '1'
+ option domain 'lan'
+ option domain_type 'static'
+ option listen_port '53'
+ option rebind_protection '1'
+ # install unbound-control and set this
+ option unbound_control '1'
+ ...
+
+**/etc/config/dhcp**:
+
+ config dhcp 'lan'
+ option dhcpv4 'server'
+ option dhcpv6 'server'
+ option interface 'lan'
+ # short times help renew events to refresh dns
+ option leasetime '4h'
+ option ra 'server'
+ option ra_management '1'
+ # issue your ULA and avoid default [fe80::]
+ list dns 'fdxx:xxxx:xxxx::1'
+
+ config odhcpd 'odhcpd'
+ option maindhcp '1'
+ option leasefile '/var/lib/odhcpd/dhcp.leases'
+ # this is where the magic happens
+ option leasetrigger '/usr/lib/unbound/odhcpd.sh'
## Back to Manual Configuration
-You don't want UCI, but don't worry. We have UCI for that. However, OpenWrt or LEDE are targeted at embedded machines with flash ROM. The initialization scripts do a few things to protect flash ROM.
+Yes, there is a UCI to disable the rest of Unbound UCI. However, OpenWrt or LEDE are targeted at embedded machines with flash ROM. The initialization scripts do a few things to protect flash ROM.
-All of `/etc/unbound` (persistent, ROM) is copied to `/var/lib/unbound` (tmpfs, RAM). Edit your manual `/etc/unbound/unbound.conf` to reference this `/var/lib/unbound` location for included files. Note in preparation for a jail, `/var/lib/unbound` is `chown unbound`. Configure for security in`/etc/unbound/unbound.conf` with options `username:unbound` and `chroot:/var/lib/unbound`.
+### Completely Manual (almost)
+All of `/etc/unbound` (persistent, ROM) is copied to `/var/lib/unbound` (tmpfs, RAM). Edit your manual `/etc/unbound/unbound.conf` to reference this `/var/lib/unbound` location for included files. Note in preparation for a jail, `/var/lib/unbound` is `chown unbound`. Configure for security in`/etc/unbound/unbound.conf` with options `username:unbound` and `chroot:/var/lib/unbound`.
-Finally, `root.key` maintenance for DNSKEY RFC5011 would be hard on flash. Unbound natively updates frequently. It also creates and destroys working files in the process. In `/var/lib/unbound` this is no problem, but it would be gone at the next reboot. If you have DNSSEC (validator) active, then you should consider this UCI option. Choose how many days to copy from `/var/lib/unbound/root.key` (tmpfs) to `/etc/unbound/root.key` (flash). Keep the DNSKEY updated with your choice of flash activity.
+Keep the DNSKEY updated with your choice of flash activity. `root.key` maintenance for DNSKEY RFC5011 would be hard on flash. Unbound natively updates frequently. It also creates and destroys working files in the process. In `/var/lib/unbound` this is no problem, but it would be gone at the next reboot. If you have DNSSEC (validator) active, then you should consider the age UCI option. Choose how many days to copy from `/var/lib/unbound/root.key` (tmpfs) to `/etc/unbound/root.key` (flash).
**/etc/config/unbound**:
option manual_conf '1'
option root_age '30'
+### Hybrid Manual/UCI
+You like the UCI. Yet, you need to add some difficult to standardize options, or just are not ready to make a UCI request yet. The files `/etc/unbound/unbound_srv.conf` and `/etc/unbound/unbound_ext.conf` will be copied to Unbounds chroot directory and included during auto generation.
+
+The former will be added to the end of the `server:` clause. The later will be added to the end of the file for extended `forward:` and `view:` clauses. You can also disable unbound-control in the UCI which only allows "localhost" connections unencrypted, and then add an encrypted remote `control:` clause.
+
## Complete List of UCI Options
**/etc/config/unbound**:
config unbound
Currently only one instance is supported.
+ option add_local_fqdn '0'
+ Level. This puts your routers host name in the LAN (local) DNS.
+ Each level is more detailed and comprehensive.
+ 0 - Disabled
+ 1 - Host Name on only the primary address
+ 2 - Host Name on all addresses found (except link)
+ 3 - FQDN and host name on all addresses (except link)
+ 4 - Above and interfaces named <iface>.<hostname>.<domain>
+
+ option add_wan_fqdn '0'
+ Level. Same as previous option only this applies to the WAN. WAN
+ are inferred by a UCI `config dhcp` entry that contains the line
+ option ignore '1'.
+
option dns64 '0'
Boolean. Enable DNS64 through Unbound in order to bridge networks
that are IPV6 only and IPV4 only (see RFC6052).
option dns64_prefix '64:ff9b::/96'
IPV6 Prefix. The IPV6 prefix wrapped on the IPV4 address for DNS64.
- You should use RFC6052 "well known" address, unless you also
+ You should use RFC6052 "well known" address, unless you also
redirect to a proxy or gateway for your NAT64.
- option dnsmasq_gate_name '0'
- Boolean. Forward PTR records for interfaces not serving DHCP.
- Assume these are WAN. Example dnsmasq option here to provide
- logs with a name when your ISP won't link DHCP-DNS.
- "dnsmasq.conf: interface-name=way-out.myrouter.lan,eth0.1"
-
- option dnsmasq_link_dns '0'
- Boolean. Master link to dnsmasq. Parse /etc/config/dhcp for dnsmasq
- options. Forward domain such as "lan" and PTR records for DHCP
- interfaces and their deligated subnets, IP4 and IP6.
-
- option dnsmasq_only_local '0'
- TODO: not yet implemented
- Boolean. Restrict link to dnsmasq. DNS only to local host. Obscure
- names of other connected hosts on the network. Example:
- "drill -x 198.51.100.17 ~ IN PTR way-out.myrouter.lan"
- "drill -x 192.168.10.1 ~ IN PTR guest-wifi.myrouter.lan"
- "drill -x 192.168.10.201 ~ NODATA" (insted of james-laptop.lan)
+ option dhcp_link 'none'
+ Program Name. Link to one of the supported programs we have scripts
+ for. You may also need to install a trigger script in the DHCP
+ servers configuration. See HOW TO above.
+
+ option dhcp4_slaac6 '0'
+ Boolean. Some DHCP servers do this natively (dnsmasq). Otherwise
+ the script provided with this package will try to fabricate SLAAC
+ IP6 addresses from DHCPv4 MAC records.
+
+ option domain 'lan'
+ Unbound local-zone: <domain> <type>. This is used to suffix all
+ host records, and maintain a local zone. When dnsmasq is dhcp_link
+ however, then this option is ignored (dnsmasq does it all).
+
+ option domain_type 'static'
+ Unbound local-zone: <domain> <type>. This allows you to lock
+ down or allow forwarding of your domain, your router host name
+ without suffix, and leakage of RFC6762 "local."
option edns_size '1280'
- Bytes. Extended DNS is necessary for DNSSEC. However, it can run
+ Bytes. Extended DNS is necessary for DNSSEC. However, it can run
into MTU issues. Use this size in bytes to manage drop outs.
option hide_binddata '1'
- Boolean. If enabled version.server, version.bind, id.server, and
+ Boolean. If enabled version.server, version.bind, id.server, and
hostname.bind queries are refused.
option listen_port '53'
configuration. Make changes to /etc/unbound/unbound.conf.
option protocol 'mixed'
- Unbound can limit its protocol: "ip4_only" for ISP behind the time,
- "ip6_only" for testing, "ip6_prefer" for ISP with good IP6 support,
- or default-all "mixed." This affects the protocol used to
- communicate. The DNS responses always include hosts respective IP4
- and IP6 data.
+ Unbound can limit its protocol used for recursive queries.
+ Set 'ip4_only' to avoid issues if you do not have native IP6.
+ Set 'ip6_prefer' to possibly improve performance as well as
+ not consume NAT paths for the client computers.
+ Do not use 'ip6_only' unless testing.
option query_minimize '0'
Boolean. Enable a minor privacy option. Don't let each server know
List. Domains or pointers that you wish to skip DNSSEC. Your DHCP
domains and pointers in dnsmasq will get this automatically.
+## Deprecated UCI
+The dnsmasq specific UCI will still work as well as they did, but please use `option dhcp_link 'dnsmasq'` above. Local host name and WAN host name will be lifted and configured from DHCP UCI subpart dnsmasq. (`dnsmasq_gate_name`, `dnsmasq_link_dns`, `dnsmasq_only_local`)
+
#
##############################################################################
-create_local_zone() {
+dnsmasq_local_zone() {
local cfg="$1"
- local fwd_port fwd_domain
+ local fwd_port fwd_domain wan_fqdn
+ # dnsmasq domain and interface assignment settings will control config
config_get fwd_domain "$cfg" domain
- config_get fwd_port "$cfg" port
+ config_get fwd_port "$cfg" port
+ config_get wan_fqdn "$cfg" add_wan_fqdn
+
+
+ if [ -n "$wan_fqdn" ] ; then
+ UNBOUND_D_WAN_FQDN=$wan_fqdn
+ fi
if [ -n "$fwd_domain" -a -n "$fwd_port" -a ! "$fwd_port" -eq 53 ] ; then
##############################################################################
-create_local_arpa() {
+dnsmasq_local_arpa() {
local cfg="$1"
local logint dhcpv4 dhcpv6 ignore
local subnets subnets4 subnets6
forward=""
elif [ "$ignore" -gt 0 ] ; then
- if [ "$UNBOUND_B_GATE_NAME" -gt 0 ] ; then
+ if [ "$UNBOUND_D_WAN_FQDN" -gt 0 ] ; then
# Only forward the one gateway host.
forward="host"
##############################################################################
-forward_local_zone() {
+dnsmasq_forward_zone() {
if [ -n "$UNBOUND_N_FWD_PORTS" -a -n "$UNBOUND_TXT_FWD_ZONE" ] ; then
for fwd_domain in $UNBOUND_TXT_FWD_ZONE ; do
{
- # This is derived of create_local_zone/arpa
+ # This is derived of dnsmasq_local_zone/arpa
# but forward: clauses need to be seperate
echo "forward-zone:"
echo " name: \"$fwd_domain.\""
##############################################################################
dnsmasq_link() {
- ####################
- # UCI @ dhcp #
- ####################
-
-
- if [ "$UNBOUND_B_DNSMASQ" -gt 0 ] ; then
- # Forward to dnsmasq on same host for DHCP lease hosts
- echo " do-not-query-localhost: no" >> $UNBOUND_CONFFILE
- # Look at dnsmasq settings
- config_load dhcp
- # Zone for DHCP / SLAAC-PING DOMAIN
- config_foreach create_local_zone dnsmasq
- # Zone for DHCP / SLAAC-PING ARPA
- config_foreach create_local_arpa dhcp
- # Now create ALL seperate forward: clauses
- forward_local_zone
- fi
+ # Forward to dnsmasq on same host for DHCP lease hosts
+ echo " do-not-query-localhost: no" >> $UNBOUND_CONFFILE
+ # Look at dnsmasq settings
+ config_load dhcp
+ # Zone for DHCP / SLAAC-PING DOMAIN
+ config_foreach dnsmasq_local_zone dnsmasq
+ # Zone for DHCP / SLAAC-PING ARPA
+ config_foreach dnsmasq_local_arpa dhcp
+ # Now create ALL seperate forward: clauses
+ dnsmasq_forward_zone
}
##############################################################################
--- /dev/null
+#!/usr/bin/awk
+##############################################################################
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# Copyright (C) 2016 Eric Luehrsen
+#
+##############################################################################
+#
+# Turn DHCP records into meaningful A, AAAA, and PTR records. Also lift a
+# function from dnsmasq and use DHCPv4 MAC to find IPV6 SLAAC hosts.
+#
+# External Parameters
+# "hostfile" = where this script will cache host DNS data
+# "domain" = text domain suffix
+# "bslaac" = boolean, use DHCPv4 MAC to find GA and ULA IPV6 SLAAC
+# "bisolt" = boolean, format <host>.<network>.<domain>. so you can isolate
+#
+##############################################################################
+
+/^#/ {
+ # We need to pick out DHCP v4 or v6 records
+ net = $2 ; id = $3 ; cls = $4 ; hst = $5 ; adr = $9 ;
+ cdr = adr ;
+ sub( /\/.*/, "", adr ) ;
+ sub( /.*\//, "", cdr ) ;
+
+
+ if ( bisolt == 1 ) {
+ # TODO: this might be better with a substituion option,
+ # or per DHCP pool do-not-DNS option, but its getting busy here.
+ fqdn = net
+ fqdn = sub( /\./, "-", fqdn ) ;
+ fqdn = tolower( hst "." fqdn "." domain ) ;
+ }
+
+ else {
+ fqdn = tolower( hst "." domain ) ;
+ }
+
+
+ if ( cls == "ipv4" ) {
+ if ( NF == 8 ) {
+ # odhcpd errata in field format without host name
+ adr = $8 ; hst = "-" ; cdr = adr ;
+ sub( /\/.*/, "", adr ) ;
+ sub( /.*\//, "", cdr ) ;
+ }
+
+
+ if (( cdr == 32 ) && ( hst != "-" )) {
+ # only for provided hostnames and full /32 assignments
+ ptr = adr ; qpr = "" ; split( ptr, ptr, "." ) ;
+ slaac = slaac_eui64( id ) ;
+ for( i=1; i<=4; i++ ) { qpr = ( ptr[i] "." qpr) ; }
+
+ # DHCP A and PTR records with FQDN
+ x = ( fqdn ". 120 IN A " adr ) ;
+ y = ( qpr "in-addr.arpa. 120 IN PTR " fqdn ) ;
+ print ( x "\n" y ) > hostfile ;
+
+
+ if ((bslaac == 1) && (slaac != 0)) {
+ # UCI option to discover IPV6 routed SLAAC addresses
+ # NOT TODO - ping probe take too long when added in awk-rule loop
+ cmd = ( "ip -6 --oneline route show dev " net ) ;
+
+
+ while ( ( cmd | getline adr ) > 0 ) {
+ if ( substr( adr, 1, 5 ) <= "fd00:" ) {
+ # GA or ULA routed addresses only (not LL or MC)
+ sub( /\/.*/, "", adr ) ;
+ adr = ( adr slaac ) ;
+ if ( split( adr, tmp0, ":" ) >= 8 ) { sub( "::", ":", adr ) ; }
+ qpr = ipv6_ptr( adr ) ;
+ x = ( fqdn ". 120 IN AAAA " adr ) ;
+ y = ( qpr " 120 IN PTR " fqdn ) ;
+ print ( x "\n" y ) > hostfile ;
+ }
+ }
+
+
+ close( cmd ) ;
+ }
+ }
+ }
+
+ else {
+ if (( cdr == 128 ) && ( hst != "-" )) {
+ # only for provided hostnames and full /128 assignments
+ qpr = ipv6_ptr( adr ) ;
+ x = ( fqdn ". 120 IN AAAA " adr ) ;
+ y = ( qpr " 120 IN PTR " fqdn ) ;
+ print ( x "\n" y ) > hostfile ;
+ }
+ }
+}
+
+##############################################################################
+
+function ipv6_ptr( ipv6, arpa, ary, end, i, j, new6, sz, start ) {
+ # IPV6 colon flexibility is a challenge when creating [ptr].ip6.arpa.
+ sz = split( ipv6, ary, ":" ) ; end = 9 - sz ;
+
+
+ for( i=1; i<=sz; i++ ) {
+ if( length(ary[i]) == 0 ) {
+ for( j=1; j<=end; j++ ) { ary[i] = ( ary[i] "0000" ) ; }
+ }
+
+ else {
+ ary[i] = substr( ( "0000" ary[i] ), length( ary[i] )+5-4 ) ;
+ }
+ }
+
+
+ new6 = ary[1] ;
+ for( i = 2; i <= sz; i++ ) { new6 = ( new6 ary[i] ) ; }
+ start = length( new6 ) ;
+ for( i=start; i>0; i-- ) { arpa = ( arpa substr( new6, i, 1 ) ) ; } ;
+ gsub( /./, "&\.", arpa ) ; arpa = ( arpa "ip6.arpa" ) ;
+
+ return arpa ;
+}
+
+##############################################################################
+
+function slaac_eui64( mac, ary, glbit, eui64 ) {
+ if ( length(mac) >= 12 ) {
+ # RFC2373 and use DHCPv4 registered MAC to find SLAAC addresses
+ split( mac , ary , "" ) ;
+ glbit = ( "0x" ary[2] ) ;
+ glbit = sprintf( "%d", glbit ) ;
+ glbit = or( glbit, 2 ) ;
+ ary[2] = sprintf( "%x", glbit ) ;
+ eui64 = ( ary[1] ary[2] ary[3] ary[4] ":" ary[5] ary[6] "ff:fe" ) ;
+ eui64 = ( eui64 ary[7] ary[8] ":" ary[9] ary[10] ary[11] ary[12] ) ;
+ }
+
+ else {
+ eui64 = 0 ;
+ }
+
+
+ return eui64 ;
+}
+
+##############################################################################
+
--- /dev/null
+#!/bin/sh
+##############################################################################
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# Copyright (C) 2016 Eric Luehrsen
+#
+##############################################################################
+#
+# This script facilitates alternate installation of Unbound+odhcpd and no
+# need for dnsmasq. There are some limitations, but it works and is small.
+# The lease file is parsed to make "zone-data:" and "local-data:" entries.
+#
+# config odhcpd 'odhcpd'
+# option leasetrigger '/usr/lib/unbound/odhcpd.sh'
+#
+##############################################################################
+
+# Common file location definitions
+. /usr/lib/unbound/unbound.sh
+
+##############################################################################
+
+odhcpd_settings() {
+ # This trigger is out of normal init context, so we need to read some UCI.
+ local cfg="$1"
+ config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none
+ config_get_bool UNBOUND_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0
+}
+
+##############################################################################
+
+odhcpd_zonedata() {
+ local dns_ls_add=$UNBOUND_VARDIR/dhcp_dns.add
+ local dns_ls_del=$UNBOUND_VARDIR/dhcp_dns.del
+ local dhcp_ls_new=$UNBOUND_VARDIR/dhcp_lease.new
+ local dhcp_ls_old=$UNBOUND_VARDIR/dhcp_lease.old
+ local dhcp_ls_add=$UNBOUND_VARDIR/dhcp_lease.add
+ local dhcp_ls_del=$UNBOUND_VARDIR/dhcp_lease.del
+ local dhcp_origin=$( uci get dhcp.@odhcpd[0].leasefile )
+
+ config_load unbound
+ config_foreach odhcpd_settings unbound
+
+
+ if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" -a -f "$dhcp_origin" ] ; then
+ # Capture the lease file which could be changing often,
+ # and unbound-control only for changes in hosts (or else...)
+ cat $dhcp_origin | sort > $dhcp_ls_new
+ touch $dhcp_ls_old
+ sort $dhcp_ls_new $dhcp_ls_old $dhcp_ls_old | uniq -u > $dhcp_ls_add
+ sort $dhcp_ls_old $dhcp_ls_new $dhcp_ls_new | uniq -u > $dhcp_ls_del
+
+ # Go through the messy business of coding up A, AAAA, and PTR records.
+ awk -v hostfile=$dns_ls_del -v domain=$UNBOUND_TXT_DOMAIN \
+ -v bslaac=$UNBOUND_B_SLAAC6_MAC -v bisolt=0 \
+ -f /usr/lib/unbound/odhcpd.awk $dhcp_ls_del
+
+ awk -v hostfile=$dns_ls_add -v domain=$UNBOUND_TXT_DOMAIN \
+ -v bslaac=$UNBOUND_B_SLAAC6_MAC -v bisolt=0 \
+ -f /usr/lib/unbound/odhcpd.awk $dhcp_ls_add
+
+
+ if [ -f "$dns_ls_del" ] ; then
+ cat $dns_ls_del | $UNBOUND_CONTROL_CFG local_datas_remove
+ fi
+
+
+ if [ -f "$dns_ls_add" ] ; then
+ cat $dns_ls_add | $UNBOUND_CONTROL_CFG local_datas
+ fi
+
+
+ # prepare next round
+ mv $dhcp_ls_new $dhcp_ls_old
+ rm -f $dns_ls_del $dns_ls_add
+ fi
+}
+
+##############################################################################
+
+odhcpd_zonedata
+
+##############################################################################
+
##############################################################################
start_service() {
- unbound_prepare
+ # complex UCI work
+ unbound_start
+ # standard procd clause
procd_open_instance
procd_set_param command $PROG -d -c $UNBOUND_CONFFILE
procd_set_param respawn
##############################################################################
stop_service() {
- rootzone_update
+ unbound_stop
}
##############################################################################
service_triggers() {
- procd_add_reload_trigger "dhcp"
- procd_add_reload_trigger "network"
- procd_add_reload_trigger "unbound"
+ procd_add_reload_trigger "dhcp" "network" "unbound"
}
##############################################################################
##############################################################################
-if [ "$ACTION" = stratum -a ! -f "$UNBOUND_TIMEFILE" ] \
- && /etc/init.d/unbound enabled ; then
- #
+if [ "$ACTION" = stratum -a ! -f "$UNBOUND_TIMEFILE" ] ; then
echo "ntpd: $( date )" > $UNBOUND_TIMEFILE
- /etc/init.d/unbound restart
+ /etc/init.d/unbound enabled && /etc/init.d/unbound restart
fi
##############################################################################
##############################################################################
UNBOUND_B_CONTROL=0
-UNBOUND_B_DNSMASQ=0
+UNBOUND_B_SLAAC6_MAC=0
UNBOUND_B_DNSSEC=0
UNBOUND_B_DNS64=0
UNBOUND_B_GATE_NAME=0
UNBOUND_B_HIDE_BIND=1
UNBOUND_B_LOCL_BLCK=0
-UNBOUND_B_LOCL_NAME=0
UNBOUND_B_LOCL_SERV=1
UNBOUND_B_MAN_CONF=0
UNBOUND_B_NTP_BOOT=1
UNBOUND_B_QUERY_MIN=0
UNBOUND_B_QRY_MINST=0
-UNBOUND_IP_DNS64="64:ff9b::/96"
-
+UNBOUND_D_DOMAIN_TYPE=static
+UNBOUND_D_DHCP_LINK=none
+UNBOUND_D_LAN_FQDN=0
+UNBOUND_D_PROTOCOL=mixed
UNBOUND_D_RESOURCE=small
UNBOUND_D_RECURSION=passive
-UNBOUND_D_PROTOCOL=mixed
+UNBOUND_D_WAN_FQDN=0
-UNBOUND_TXT_FWD_ZONE=""
-UNBOUND_TTL_MIN=120
+UNBOUND_IP_DNS64="64:ff9b::/96"
UNBOUND_N_EDNS_SIZE=1280
UNBOUND_N_FWD_PORTS=""
UNBOUND_N_RX_PORT=53
UNBOUND_N_ROOT_AGE=28
-##############################################################################
+UNBOUND_TTL_MIN=120
+
+UNBOUND_TXT_DOMAIN=lan
+UNBOUND_TXT_FWD_ZONE=""
+UNBOUND_TXT_HOSTNAME=thisrouter
-UNBOUND_ANCHOR=/usr/bin/unbound-anchor
-UNBOUND_CONTROL=/usr/bin/unbound-control
+##############################################################################
UNBOUND_LIBDIR=/usr/lib/unbound
+UNBOUND_VARDIR=/var/lib/unbound
UNBOUND_PIDFILE=/var/run/unbound.pid
-UNBOUND_VARDIR=/var/lib/unbound
+UNBOUND_SRV_CONF=$UNBOUND_VARDIR/unbound_srv.conf
+UNBOUND_EXT_CONF=$UNBOUND_VARDIR/unbound_ext.conf
UNBOUND_CONFFILE=$UNBOUND_VARDIR/unbound.conf
+
UNBOUND_KEYFILE=$UNBOUND_VARDIR/root.key
UNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hints
UNBOUND_TIMEFILE=$UNBOUND_VARDIR/unbound.time
-UNBOUND_CHECKFILE=$UNBOUND_VARDIR/unbound.check
+
+##############################################################################
+
+UNBOUND_ANCHOR=/usr/sbin/unbound-anchor
+UNBOUND_CONTROL=/usr/sbin/unbound-control
+UNBOUND_CONTROL_CFG="$UNBOUND_CONTROL -c $UNBOUND_CONFFILE"
##############################################################################
##############################################################################
+create_interface_dns() {
+ local cfg="$1"
+ local ipcommand logint ignore ifname ifdashname
+ local name names address addresses
+ local ulaprefix if_fqdn host_fqdn mode mode_ptr
+
+ # Create local-data: references for this hosts interfaces (router).
+ config_get logint "$cfg" interface
+ config_get_bool ignore "$cfg" ignore 0
+ network_get_device ifname "$cfg"
+
+ ifdashname="${ifname//./-}"
+ ipcommand="ip -o address show $ifname"
+ addresses="$($ipcommand | awk '/inet/{sub(/\/.*/,"",$4); print $4}')"
+ ulaprefix="$(uci_get network @globals[0] ula_prefix)"
+ host_fqdn="$UNBOUND_TXT_HOSTNAME.$UNBOUND_TXT_DOMAIN"
+ if_fqdn="$ifdashname.$host_fqdn"
+
+
+ if [ "$ignore" -gt 0 ] ; then
+ mode="$UNBOUND_D_WAN_FQDN"
+
+ else
+ mode="$UNBOUND_D_LAN_FQDN"
+ fi
+
+
+ case "$mode" in
+ 3)
+ mode_ptr="$host_fqdn"
+ names="$host_fqdn $UNBOUND_TXT_HOSTNAME"
+ ;;
+
+ 4)
+ mode_ptr="$if_fqdn"
+ names="$if_fqdn $host_fqdn $UNBOUND_TXT_HOSTNAME"
+ ;;
+
+ *)
+ mode_ptr="$UNBOUND_TXT_HOSTNAME"
+ names="$UNBOUND_TXT_HOSTNAME"
+ ;;
+ esac
+
+
+ if [ "$mode" -gt 1 ] ; then
+ {
+ for address in $addresses ; do
+ case $address in
+ fe80:*|169.254.*)
+ echo " # note link address $address"
+ ;;
+
+ [1-9a-f]*:*[0-9a-f])
+ # GA and ULA IP6 for HOST IN AAA records (ip command is robust)
+ for name in $names ; do
+ echo " local-data: \"$name. 120 IN AAAA $address\""
+ done
+ echo " local-data-ptr: \"$address 120 $mode_ptr\""
+ ;;
+
+ [1-9]*.*[0-9])
+ # Old fashioned HOST IN A records
+ for name in $names ; do
+ echo " local-data: \"$name. 120 IN A $address\""
+ done
+ echo " local-data-ptr: \"$address 120 $mode_ptr\""
+ ;;
+ esac
+ done
+ echo
+ } >> $UNBOUND_CONFFILE
+
+ elif [ "$mode" -gt 0 ] ; then
+ {
+ for address in $addresses ; do
+ case $address in
+ fe80:*|169.254.*)
+ echo " # note link address $address"
+ ;;
+
+ "${ulaprefix%%:/*}"*)
+ # Only this networks ULA and only hostname
+ echo " local-data: \"$UNBOUND_TXT_HOSTNAME. 120 IN AAAA $address\""
+ echo " local-data-ptr: \"$address 120 $UNBOUND_TXT_HOSTNAME\""
+ ;;
+
+ [1-9]*.*[0-9])
+ echo " local-data: \"$UNBOUND_TXT_HOSTNAME. 120 IN A $address\""
+ echo " local-data-ptr: \"$address 120 $UNBOUND_TXT_HOSTNAME\""
+ ;;
+ esac
+ done
+ echo
+ } >> $UNBOUND_CONFFILE
+ fi
+}
+
+##############################################################################
+
create_access_control() {
local cfg="$1"
local subnets subnets4 subnets6
##############################################################################
unbound_mkdir() {
- mkdir -p $UNBOUND_VARDIR
- touch $UNBOUND_CONFFILE
+ local resolvsym=0
+ local dhcp_origin=$( uci get dhcp.@odhcpd[0].leasefile )
+ local dhcp_dir=$( dirname "$dhcp_origin" )
- if [ -f /etc/unbound/root.hints ] ; then
- # Your own local copy of root.hints
- cp -p /etc/unbound/root.hints $UNBOUND_HINTFILE
+ if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then
+ resolvsym=1
+ else
+ /etc/init.d/dnsmasq enabled || resolvsym=1
+ fi
- elif [ -f /usr/share/dns/root.hints ] ; then
- # Debian-like package dns-root-data
- cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
- else
- logger -t unbound -s "iterator will use built-in root hints"
+ if [ "$resolvsym" -gt 0 ] ; then
+ rm -f /tmp/resolv.conf
+
+
+ {
+ # Set resolver file to local but not if /etc/init.d/dnsmasq will do it.
+ echo "nameserver 127.0.0.1"
+ echo "nameserver ::1"
+ echo "search $UNBOUND_TXT_DOMAIN"
+ } > /tmp/resolv.conf
+ fi
+
+
+ if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" -a ! -d "$dhcp_dir" ] ; then
+ # make sure odhcpd has a directory to write (not done itself, yet)
+ mkdir -p "$dhcp_dir"
fi
- if [ -f /etc/unbound/root.key ] ; then
- # Your own local copy of a root.key
- cp -p /etc/unbound/root.key $UNBOUND_KEYFILE
+ mkdir -p $UNBOUND_VARDIR
+ rm -f $UNBOUND_VARDIR/dhcp_*
+ touch $UNBOUND_CONFFILE
+ touch $UNBOUND_SRV_CONF
+ touch $UNBOUND_EXT_CONF
+ cp -p /etc/unbound/* $UNBOUND_VARDIR/
- elif [ -f /usr/share/dns/root.key ] ; then
- # Debian-like package dns-root-data
- cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE
- elif [ -x "$UNBOUND_ANCHOR" ] ; then
- $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
+ if [ ! -f $UNBOUND_HINTFILE ] ; then
+ if [ -f /usr/share/dns/root.hints ] ; then
+ # Debian-like package dns-root-data
+ cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
- else
- logger -t unbound -s "validator will use built-in trust anchor"
+ else
+ logger -t unbound -s "iterator will use built-in root hints"
+ fi
fi
-}
-##############################################################################
-unbound_conf() {
- local cfg=$1
- local rt_mem rt_conn modulestring
+ if [ ! -f $UNBOUND_KEYFILE ] ; then
+ if [ -f /usr/share/dns/root.key ] ; then
+ # Debian-like package dns-root-data
+ cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE
- {
- # Make fresh conf file
- echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
- echo
- } > $UNBOUND_CONFFILE
+ elif [ -x "$UNBOUND_ANCHOR" ] ; then
+ $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
+
+ else
+ logger -t unbound -s "validator will use built-in trust anchor"
+ fi
+ fi
+
+
+ # Ensure access and prepare to jail
+ chown -R unbound:unbound $UNBOUND_VARDIR
+ chmod 775 $UNBOUND_VARDIR
+ chmod 664 $UNBOUND_VARDIR/*
+}
+##############################################################################
+unbound_control() {
if [ "$UNBOUND_B_CONTROL" -gt 0 ] ; then
{
# Enable remote control tool, but only at local host for security
+ # You can hand write fancier encrypted access with /etc/..._ext.conf
echo "remote-control:"
echo " control-enable: yes"
echo " control-use-cert: no"
echo " control-interface: ::1"
echo
} >> $UNBOUND_CONFFILE
-
- else
- {
- # "control:" clause is seperate before "server:" so we can append
- # dnsmasq "server:" parts and "forward:" cluases towards the end.
- echo "remote-control:"
- echo " control-enable: no"
- echo
- } >> $UNBOUND_CONFFILE
fi
+ {
+ # Amend your own extended clauses here like forward zones or disable
+ # above (local, no encryption) and amend your own remote encrypted control
+ echo
+ echo "include: $UNBOUND_EXT_CONF" >> $UNBOUND_CONFFILE
+ echo
+ } >> $UNBOUND_CONFFILE
+}
+
+##############################################################################
+
+unbound_conf() {
+ local cfg="$1"
+ local rt_mem rt_conn modulestring
+
+
+ {
+ # Make fresh conf file
+ echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
+ echo
+ } > $UNBOUND_CONFFILE
+
+
{
# No threading
echo "server:"
fi
- # Domain Exceptions
+ # Except and accept domains as insecure (DNSSEC); work around broken domains
config_list_foreach "$cfg" "domain_insecure" create_domain_insecure
echo >> $UNBOUND_CONFFILE
+}
+##############################################################################
- ####################
- # UCI @ network #
- ####################
+unbound_access() {
+ # TODO: Unbound 1.6.0 added "tags" and "views", so we can add tags to
+ # each access-control IP block, and then divert access.
+ # -- "guest" WIFI will not be allowed to see local zone data
+ # -- "child" LAN can black whole a list of domains to http~deadpixel
if [ "$UNBOUND_B_LOCL_SERV" -gt 0 ] ; then
config_load network
config_foreach create_access_control interface
+
{
echo " access-control: 127.0.0.0/8 allow"
echo " access-control: ::1/128 allow"
echo
} >> $UNBOUND_CONFFILE
fi
+
+
+ {
+ # Amend your own "server:" stuff here
+ echo
+ echo "include: $UNBOUND_SRV_CONF"
+ echo
+ } >> $UNBOUND_CONFFILE
+}
+
+##############################################################################
+
+unbound_hostname() {
+ if [ -n "$UNBOUND_TXT_DOMAIN" ] ; then
+ {
+ # TODO: Unbound 1.6.0 added "tags" and "views" and we could make
+ # domains by interface to prevent DNS from "guest" to "home"
+ echo " local-zone: $UNBOUND_TXT_DOMAIN. $UNBOUND_D_DOMAIN_TYPE"
+ echo " domain-insecure: $UNBOUND_TXT_DOMAIN"
+ echo " private-domain: $UNBOUND_TXT_DOMAIN"
+ echo
+ echo " local-zone: $UNBOUND_TXT_HOSTNAME. $UNBOUND_D_DOMAIN_TYPE"
+ echo " domain-insecure: $UNBOUND_TXT_HOSTNAME"
+ echo " private-domain: $UNBOUND_TXT_HOSTNAME"
+ echo
+ } >> $UNBOUND_CONFFILE
+
+
+ case "$UNBOUND_D_DOMAIN_TYPE" in
+ deny|inform_deny|refuse|static)
+ {
+ # avoid upstream involvement in RFC6762 like responses (link only)
+ echo " local-zone: local. $UNBOUND_D_DOMAIN_TYPE"
+ echo " domain-insecure: local"
+ echo " private-domain: local"
+ echo
+ } >> $UNBOUND_CONFFILE
+ ;;
+ esac
+
+
+ if [ "$UNBOUND_D_LAN_FQDN" -gt 0 -o "$UNBOUND_D_WAN_FQDN" -gt 0 ] ; then
+ config_load dhcp
+ config_foreach create_interface_dns dhcp
+ fi
+ fi
}
##############################################################################
unbound_uci() {
- local cfg=$1
- local dnsmasqpath
-
- ####################
- # UCI @ unbound #
- ####################
-
- config_get_bool UNBOUND_B_DNS64 "$cfg" dns64 0
- config_get_bool UNBOUND_B_GATE_NAME "$cfg" dnsmasq_gate_name 0
- config_get_bool UNBOUND_B_DNSMASQ "$cfg" dnsmasq_link_dns 0
- config_get_bool UNBOUND_B_HIDE_BIND "$cfg" hide_binddata 1
- config_get_bool UNBOUND_B_LOCL_NAME "$cfg" dnsmasq_only_local 0
- config_get_bool UNBOUND_B_LOCL_SERV "$cfg" localservice 1
- config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0
- config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0
- config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0
- config_get_bool UNBOUND_B_PRIV_BLCK "$cfg" rebind_protection 1
- config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
- config_get_bool UNBOUND_B_CONTROL "$cfg" unbound_control 0
- config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
- config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
+ local cfg="$1"
+ local dnsmasqpath hostnm
+
+ hostnm="$(uci_get system.@system[0].hostname | awk '{print tolower($0)}')"
+ UNBOUND_TXT_HOSTNAME=${hostnm:-thisrouter}
+
+ config_get_bool UNBOUND_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0
+ config_get_bool UNBOUND_B_DNS64 "$cfg" dns64 0
+ config_get_bool UNBOUND_B_HIDE_BIND "$cfg" hide_binddata 1
+ config_get_bool UNBOUND_B_LOCL_SERV "$cfg" localservice 1
+ config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0
+ config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0
+ config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0
+ config_get_bool UNBOUND_B_PRIV_BLCK "$cfg" rebind_protection 1
+ config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
+ config_get_bool UNBOUND_B_CONTROL "$cfg" unbound_control 0
+ config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
+ config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
config_get UNBOUND_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96"
config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53
config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 7
- config_get UNBOUND_D_PROTOCOL "$cfg" protocol mixed
- config_get UNBOUND_D_RECURSION "$cfg" recursion passive
- config_get UNBOUND_D_RESOURCE "$cfg" resource small
+ config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static
+ config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none
+ config_get UNBOUND_D_LAN_FQDN "$cfg" add_local_fqdn 0
+ config_get UNBOUND_D_PROTOCOL "$cfg" protocol mixed
+ config_get UNBOUND_D_RECURSION "$cfg" recursion passive
+ config_get UNBOUND_D_RESOURCE "$cfg" resource small
+ config_get UNBOUND_D_WAN_FQDN "$cfg" add_wan_fqdn 0
config_get UNBOUND_TTL_MIN "$cfg" ttl_min 120
+ config_get UNBOUND_TXT_DOMAIN "$cfg" domain lan
+
+ if [ "$UNBOUND_D_DHCP_LINK" = "none" ] ; then
+ config_get_bool UNBOUND_B_DNSMASQ "$cfg" dnsmasq_link_dns 0
- if [ "$UNBOUND_B_DNSMASQ" -gt 0 ] ; then
- dnsmasqpath=$( which dnsmasq )
+
+ if [ "$UNBOUND_B_DNSMASQ" -gt 0 ] ; then
+ UNBOUND_D_DHCP_LINK=dnsmasq
+ logger -t unbound -s "Please use 'dhcp_link' selector instead"
+ fi
+ fi
- if [ ! -x "$dnsmasqpath" ] ; then
+ if [ "$UNBOUND_D_DHCP_LINK" = "dnsmasq" ] ; then
+ if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then
+ UNBOUND_D_DHCP_LINK=none
+ else
+ /etc/init.d/dnsmasq enabled || UNBOUND_D_DHCP_LINK=none
+ fi
+
+
+ if [ "$UNBOUND_D_DHCP_LINK" = "none" ] ; then
logger -t unbound -s "cannot forward to dnsmasq"
- UNBOUND_B_DNSMASQ=0
+ fi
+ fi
+
+
+ if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" ] ; then
+ if [ ! -x /usr/sbin/odhcpd -o ! -x /etc/init.d/odhcpd ] ; then
+ UNBOUND_D_DHCP_LINK=none
+ else
+ /etc/init.d/odhcpd enabled || UNBOUND_D_DHCP_LINK=none
+ fi
+
+
+ if [ "$UNBOUND_D_DHCP_LINK" = "none" ] ; then
+ logger -t unbound -s "cannot receive records from odhcpd"
fi
fi
# that could have had awful side effects
UNBOUND_TTL_MIN=300
fi
-
-
- if [ "$UNBOUND_B_MAN_CONF" -gt 0 ] ; then
- # Don't want this being triggered. Maybe we could, but then the
- # base conf you provide would need to be just right.
- UNBOUND_B_DNSMASQ=0
-
- else
- unbound_conf $cfg
- fi
}
##############################################################################
-unbound_own () {
- # Debug UCI
- {
- echo "# $UNBOUND_CHECKFILE generated by UCI $( date )"
- echo
- set | grep ^UNBOUND_
- } > $UNBOUND_CHECKFILE
+unbound_start() {
+ config_load unbound
+ config_foreach unbound_uci unbound
+ unbound_mkdir
- if [ "$UNBOUND_B_MAN_CONF" -gt 0 ] ; then
- # You are doing your own thing, so just copy /etc/ to /var/
- cp -p /etc/unbound/* $UNBOUND_VARDIR/
- fi
+ if [ "$UNBOUND_B_MAN_CONF" -eq 0 ] ; then
+ unbound_conf
+ unbound_access
+ if [ "$UNBOUND_D_DHCP_LINK" = "dnsmasq" ] ; then
+ dnsmasq_link
+ else
+ unbound_hostname
+ fi
- # Ensure access and prepare to jail
- chown -R unbound:unbound $UNBOUND_VARDIR
- chmod 775 $UNBOUND_VARDIR
- chmod 664 $UNBOUND_VARDIR/*
+ unbound_control
+ fi
}
##############################################################################
-unbound_prepare() {
- # Make a home for Unbound in /var/lib/unbound
- unbound_mkdir
+unbound_stop() {
+ local resolvsym=0
- # Load up the chunks of UCI
- config_load unbound
- config_foreach unbound_uci unbound
+ rootzone_update
+
+
+ if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then
+ resolvsym=1
+ else
+ /etc/init.d/dnsmasq enabled || resolvsym=1
+ fi
+
+
+ if [ "$resolvsym" -gt 0 ] ; then
+ # set resolver file to normal, but don't stomp on dnsmasq
+ rm -f /tmp/resolv.conf
+ ln -s /tmp/resolv.conf.auto /tmp/resolv.conf
+ fi
- # Unbound primary DNS, and dnsmasq side service DHCP-DNS (dnsmasq.sh)
- dnsmasq_link
- # Unbound needs chroot ownership
- unbound_own
+ # Unbound has a log dump which takes time; don't overlap a "restart"
+ sleep 1
}
##############################################################################
config unbound
+ option add_local_fqdn '1'
+ option add_wan_fqdn '0'
+ option dhcp_link 'none'
+ option dhcp4_slaac6 '0'
option dns64 '0'
option dns64_prefix '64:ff9b::/96'
- option dnsmasq_gate_name '0'
- option dnsmasq_link_dns '0'
- option dnsmasq_only_local '0'
+ option domain 'lan'
+ option domain_type 'static'
option edns_size '1280'
option hide_binddata '1'
option listen_port '53'
--- /dev/null
+##############################################################################
+# UNBOUND UCI USER ADDED CLAUSES
+#
+# Put your own forward:, view:, stub:, and control: clauses here. This file is
+# appended to the end of UCI auto generated 'unbound.conf'. This is done with
+# include: statement. Notice, it is outside of the server: clause.
+##############################################################################
+
--- /dev/null
+##############################################################################
+# UNBOUND UCI USER ADDED SERVER OPTIONS
+#
+# Put your own choice options here when not covered by UCI. These are all part
+# of the server: clause only. Most likely are hardening options or local-zone:
+# This is in an include: statement towards the end of the server: cluase.
+##############################################################################
+
projects / feed / packages.git / commitdiff