From e7f5bbc65e7d8d8de2c7987016b3e324856a3d7b Mon Sep 17 00:00:00 2001 From: Eric Luehrsen Date: Mon, 18 Sep 2017 00:12:02 -0400 Subject: [PATCH] unbound: update options for remote-control Enhance the 'control' option to allow using SSL to connect to the server. Add the 'extended_stats' option to match 'extended-statistics: yes.' Document the 'extended_luci' option; it does not control Unbound, but changes the LuCI tabs. Signed-off-by: Eric Luehrsen --- net/unbound/Makefile | 2 +- net/unbound/files/README.md | 15 +++- net/unbound/files/odhcpd.awk | 18 ++-- net/unbound/files/unbound.sh | 136 +++++++++++++++++++++++------ net/unbound/files/unbound.uci | 2 + net/unbound/files/unbound_ext.conf | 9 +- net/unbound/files/unbound_srv.conf | 9 +- 7 files changed, 145 insertions(+), 46 deletions(-) diff --git a/net/unbound/Makefile b/net/unbound/Makefile index 20639fe40c..8cdf46f567 100644 --- a/net/unbound/Makefile +++ b/net/unbound/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=unbound PKG_VERSION:=1.6.6 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=LICENSE diff --git a/net/unbound/files/README.md b/net/unbound/files/README.md index db0f5974f4..f8bb320246 100644 --- a/net/unbound/files/README.md +++ b/net/unbound/files/README.md @@ -200,6 +200,13 @@ config unbound Bytes. Extended DNS is necessary for DNSSEC. However, it can run into MTU issues. Use this size in bytes to manage drop outs. + option extended_luci '0' + Boolean. Extends a tab hierarchy in LuCI for advanced congfiguration. + + option extended_stats '0' + Boolean. extended statistics are printed from unbound-control. + Keeping track of more statistics takes time. + option hide_binddata '1' Boolean. If enabled version.server, version.bind, id.server, and hostname.bind queries are refused. 
@@ -266,8 +273,12 @@ config unbound Typical to configure maybe 0~300, but 1800 is the maximum accepted. option unbound_control '0' - Boolean. Enables unbound-control application access ports. Enabling - this without the unbound-control package installed is robust. + Level. Enables unbound-control application access ports. + 0 - No unbound-control Access, or add your own in 'unbound_ext.conf' + 1 - Unencrypted Local Host Access + 2 - SSL Local Host Access; auto unbound-control-setup if available + 3 - SSL Network Access; auto unbound-control-setup if available + 4 - SSL Network Access; static key/pem files must already exist option validator '0' Boolean. Enable DNSSEC. Unbound names this the "validator" module. diff --git a/net/unbound/files/odhcpd.awk b/net/unbound/files/odhcpd.awk index 160950884e..58f28d29a7 100644 --- a/net/unbound/files/odhcpd.awk +++ b/net/unbound/files/odhcpd.awk @@ -68,7 +68,7 @@ if ( bconf == 1 ) { x = ( "local-data: \"" fqdn ". 120 IN A " adr "\"" ) ; y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ; - print ( x "\n" y ) > hostfile ; + print ( x "\n" y "\n" ) > hostfile ; } else { @@ -91,17 +91,17 @@ # GA or ULA routed addresses only (not LL or MC) sub( /\/.*/, "", adr ) ; adr = ( adr slaac ) ; - - - if ( split( adr, tmp0, ":" ) >= 8 ) { - sub( "::", ":", adr ) ; + + + if ( split( adr, tmp0, ":" ) >= 8 ) { + sub( "::", ":", adr ) ; } if ( bconf == 1 ) { x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr "\"" ) ; y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ; - print ( x "\n" y ) > hostfile ; + print ( x "\n" y "\n" ) > hostfile ; } else { @@ -124,7 +124,7 @@ if ( bconf == 1 ) { x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr "\"" ) ; y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ; - print ( x "\n" y ) > hostfile ; + print ( x "\n" y "\n" ) > hostfile ; } else { 
@@ -135,12 +135,12 @@ print ( x "\n" y ) > hostfile ; } } - + if (( cdr2 == 128 ) && ( hst != "-" )) { if ( bconf == 1 ) { x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr2 "\"" ) ; y = ( "local-data-ptr: \"" adr2 " 120 " fqdn "\"" ) ; - print ( x "\n" y ) > hostfile ; + print ( x "\n" y "\n" ) > hostfile ; } else { diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh index 7defd8db47..e0a1e52540 100644 --- a/net/unbound/files/unbound.sh +++ b/net/unbound/files/unbound.sh @@ -23,10 +23,10 @@ # ############################################################################## -UNBOUND_B_CONTROL=0 UNBOUND_B_SLAAC6_MAC=0 UNBOUND_B_DNSSEC=0 UNBOUND_B_DNS64=0 +UNBOUND_B_EXT_STATS=0 UNBOUND_B_GATE_NAME=0 UNBOUND_B_HIDE_BIND=1 UNBOUND_B_LOCL_BLCK=0 @@ -37,6 +37,7 @@ UNBOUND_B_PRIV_BLCK=1 UNBOUND_B_QUERY_MIN=0 UNBOUND_B_QRY_MINST=0 +UNBOUND_D_CONTROL=0 UNBOUND_D_DOMAIN_TYPE=static UNBOUND_D_DHCP_LINK=none UNBOUND_D_EXTRA_DNS=0 @@ -80,6 +81,11 @@ UNBOUND_KEYFILE=$UNBOUND_VARDIR/root.key UNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hints UNBOUND_TIMEFILE=$UNBOUND_VARDIR/hotplug.time +UNBOUND_CTLKEY_FILE=$UNBOUND_VARDIR/unbound_control.key +UNBOUND_CTLPEM_FILE=$UNBOUND_VARDIR/unbound_control.pem +UNBOUND_SRVKEY_FILE=$UNBOUND_VARDIR/unbound_server.key +UNBOUND_SRVPEM_FILE=$UNBOUND_VARDIR/unbound_server.pem + ############################################################################## UNBOUND_ANCHOR=/usr/sbin/unbound-anchor 
@@ -457,17 +463,54 @@ unbound_mkdir() { # Ensure access and prepare to jail chown -R unbound:unbound $UNBOUND_VARDIR - chmod 775 $UNBOUND_VARDIR - chmod 664 $UNBOUND_VARDIR/* + chmod 755 $UNBOUND_VARDIR + chmod 644 $UNBOUND_VARDIR/* + + + if [ -f $UNBOUND_CTLKEY_FILE -o -f $UNBOUND_CTLPEM_FILE \ + -o -f $UNBOUND_SRVKEY_FILE -o -f $UNBOUND_SRVPEM_FILE ] ; then + # Keys (some) exist already; do not create new ones + chmod 640 $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \ + $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE + + elif [ -x /usr/sbin/unbound-control-setup ] ; then + case "$UNBOUND_D_CONTROL" in + [2-3]) + # unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static" + /usr/sbin/unbound-control-setup -d $UNBOUND_VARDIR + + chown -R unbound:unbound $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \ + $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE + + chmod 640 $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \ + $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE + + cp -p $UNBOUND_CTLKEY_FILE /etc/unbound/unbound_control.key + cp -p $UNBOUND_CTLPEM_FILE /etc/unbound/unbound_control.pem + cp -p $UNBOUND_SRVKEY_FILE /etc/unbound/unbound_server.key + cp -p $UNBOUND_SRVPEM_FILE /etc/unbound/unbound_server.pem + ;; + esac + fi } ############################################################################## unbound_control() { - if [ "$UNBOUND_B_CONTROL" -gt 0 ] ; then + if [ "$UNBOUND_D_CONTROL" -gt 1 ] ; then + if [ ! -f $UNBOUND_CTLKEY_FILE -o ! -f $UNBOUND_CTLPEM_FILE \ + -o ! -f $UNBOUND_SRVKEY_FILE -o ! -f $UNBOUND_SRVPEM_FILE ] ; then + # Key files need to be present; if unbound-control-setup was found, then + # they might have been made during unbound_makedir() above. 
+ UNBOUND_D_CONTROL=0 + fi + fi + + + case "$UNBOUND_D_CONTROL" in + 1) { - # Enable remote control tool, but only at local host for security - # You can hand write fancier encrypted access with /etc/..._ext.conf + # Local Host Only Unencrypted Remote Control echo "remote-control:" echo " control-enable: yes" echo " control-use-cert: no" @@ -475,7 +518,42 @@ unbound_control() { echo " control-interface: ::1" echo } >> $UNBOUND_CONFFILE - fi + ;; + + 2) + { + # Local Host Only Encrypted Remote Control + echo "remote-control:" + echo " control-enable: yes" + echo " control-use-cert: yes" + echo " control-interface: 127.0.0.1" + echo " control-interface: ::1" + echo " server-key-file: \"$UNBOUND_SRVKEY_FILE\"" + echo " server-cert-file: \"$UNBOUND_SRVPEM_FILE\"" + echo " control-key-file: \"$UNBOUND_CTLKEY_FILE\"" + echo " control-cert-file: \"$UNBOUND_CTLPEM_FILE\"" + echo + } >> $UNBOUND_CONFFILE + ;; + + [3-4]) + { + # Network Encrypted Remote Control + # (3) may auto setup and (4) must have static key/pem files + # TODO: add UCI list for interfaces to bind + echo "remote-control:" + echo " control-enable: yes" + echo " control-use-cert: yes" + echo " control-interface: 0.0.0.0" + echo " control-interface: ::0" + echo " server-key-file: \"$UNBOUND_SRVKEY_FILE\"" + echo " server-cert-file: \"$UNBOUND_SRVPEM_FILE\"" + echo " control-key-file: \"$UNBOUND_CTLKEY_FILE\"" + echo " control-cert-file: \"$UNBOUND_CTLPEM_FILE\"" + echo + } >> $UNBOUND_CONFFILE + ;; + esac { @@ -493,15 +571,14 @@ unbound_conf() { local cfg="$1" local rt_mem rt_conn modulestring + # Make fresh conf file + echo > $UNBOUND_CONFFILE + { # Make fresh conf file echo "# $UNBOUND_CONFFILE generated by UCI $( date )" echo - } > $UNBOUND_CONFFILE - - - { # No threading echo "server:" echo " username: unbound" 
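Review bot: The new comment in unbound_control() refers to `unbound_makedir()`, but the function defined earlier in this hunk is `unbound_mkdir()`; the comment should read `# they might have been made during unbound_mkdir() above.` When any of the four key/cert files is missing the code resets UNBOUND_D_CONTROL to 0 without a trace, so a configured SSL control channel just disappears; a one-line diagnostic before the reset (for example `logger -t unbound "control key files missing; remote control disabled"`, if the script already reports through logger elsewhere) would make that visible. In unbound_mkdir() the guard `[ -f A -o -f B -o -f C -o -f D ]` treats a partial set as "keys exist", so the following chmod 640 reports errors for the absent files, setup is never run, and control is then disabled later; requiring all four with `-a` before skipping setup (so options 2 and 3 regenerate an incomplete set) would be more robust. unbound_mkdir() starts before the hunk and unbound_control() continues after it.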
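Review bot: The `[3-4])` branch binds the control channel to `0.0.0.0` and `::0`, so the only things between the network and unbound-control are the client certificate and whatever the firewall does with the control port; the comment should say so, e.g. `# Exposed on every interface: relies on the client cert and on the firewall blocking the control port (8953 unless control-port: is set)`. The README text in this patch describes levels 3 and 4 as "Network Access" without that caveat. The three case bodies repeat the same `remote-control:` preamble and, for 2 and [3-4], the same four key/cert lines; only the interface pair and `control-use-cert` differ, so emitting the shared lines once and varying only the interfaces would keep the levels from drifting apart. unbound_control() continues past the end of the hunk.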
@@ -511,27 +588,33 @@ unbound_conf() { echo " infra-cache-slabs: 1" echo " key-cache-slabs: 1" echo - } >> $UNBOUND_CONFFILE - - - { + # Interface Wildcard (access contol handled by "option local_service") + echo " interface: 0.0.0.0" + echo " interface: ::0" + echo " outgoing-interface: 0.0.0.0" + echo " outgoing-interface: ::0" + echo # Logging echo " verbosity: 1" echo " statistics-interval: 0" echo " statistics-cumulative: no" - echo " extended-statistics: no" - echo } >> $UNBOUND_CONFFILE - { - # Interfaces (access contol "option local_service") - echo " interface: 0.0.0.0" - echo " interface: ::0" - echo " outgoing-interface: 0.0.0.0" - echo " outgoing-interface: ::0" - echo - } >> $UNBOUND_CONFFILE + if [ "$UNBOUND_B_EXT_STATS" -gt 0 ] ; then + { + # Log More + echo " extended-statistics: yes" + echo + } >> $UNBOUND_CONFFILE + + else + { + # Log Less + echo " extended-statistics: no" + echo + } >> $UNBOUND_CONFFILE + fi case "$UNBOUND_D_PROTOCOL" in @@ -930,6 +1013,7 @@ unbound_uci() { config_get_bool UNBOUND_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0 config_get_bool UNBOUND_B_DNS64 "$cfg" dns64 0 + config_get_bool UNBOUND_B_EXT_STATS "$cfg" extended_stats 0 config_get_bool UNBOUND_B_HIDE_BIND "$cfg" hide_binddata 1 config_get_bool UNBOUND_B_LOCL_SERV "$cfg" localservice 1 config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0 @@ -937,7 +1021,6 @@ unbound_uci() { config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0 config_get_bool UNBOUND_B_PRIV_BLCK "$cfg" rebind_protection 1 config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0 - config_get_bool UNBOUND_B_CONTROL "$cfg" unbound_control 0 config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0 config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1 
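Review bot: `echo > $UNBOUND_CONFFILE` writes a newline, so the generated unbound.conf now begins with a blank line ahead of the `# ... generated by UCI` header, and the `# Make fresh conf file` comment now appears twice (once above the echo and once inside the brace block that follows, which no longer creates the file). Truncating with `: > $UNBOUND_CONFFILE` keeps the header on line 1, and the inner copy of the comment can be dropped. unbound_conf() continues past the end of the hunk.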
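Review bot: The added comment `# Interface Wildcard (access contol handled by "option local_service")` carries a typo and should read `access control`. The extended-statistics if/else duplicates a brace block whose only difference is yes versus no; `[ "$UNBOUND_B_EXT_STATS" -gt 0 ] && ext_stats=yes || ext_stats=no` followed by `echo " extended-statistics: $ext_stats"` inside the preceding block (with `ext_stats` added to the function's `local` line) says the same thing in two lines. The `-gt 0` test presumes the variable is always a digit, which holds because the value comes from the `config_get_bool` call added in the same patch. unbound_conf() starts and ends outside the hunk.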
@@ -947,6 +1030,7 @@ unbound_uci() { config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53 config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9 + config_get UNBOUND_D_CONTROL "$cfg" unbound_control 0 config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none config_get UNBOUND_D_EXTRA_DNS "$cfg" add_extra_dns 0 diff --git a/net/unbound/files/unbound.uci b/net/unbound/files/unbound.uci index 45022f4080..aef5c1378f 100644 --- a/net/unbound/files/unbound.uci +++ b/net/unbound/files/unbound.uci @@ -9,6 +9,8 @@ config unbound option domain 'lan' option domain_type 'static' option edns_size '1280' + option extended_luci '0' + option extended_stats '0' option hide_binddata '1' option listen_port '53' option localservice '1' diff --git a/net/unbound/files/unbound_ext.conf b/net/unbound/files/unbound_ext.conf index 5a4398bf0e..a44213b6a1 100644 --- a/net/unbound/files/unbound_ext.conf +++ b/net/unbound/files/unbound_ext.conf @@ -1,8 +1,9 @@ ############################################################################## -# UNBOUND UCI USER ADDED CLAUSES +# Extended user clauses added to the end of the UCI generated 'unbound.conf' # -# Put your own forward:, view:, stub:, and control: clauses here. This file is -# appended to the end of UCI auto generated 'unbound.conf'. This is done with -# include: statement. Notice, it is outside of the server: clause. +# Put your own forward:, view:, stub:, or remote-control: clauses here. This +# file is appended to the end of 'unbound.conf' with an include: statement. +# Notice that it is not part of the server: clause. Use 'unbound_srv.conf' to +# place custom option statements in the server: clause. ############################################################################## diff --git a/net/unbound/files/unbound_srv.conf b/net/unbound/files/unbound_srv.conf index 01ba54414d..03eb48abcd 100644 --- a/net/unbound/files/unbound_srv.conf +++ b/net/unbound/files/unbound_srv.conf 
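Review bot: `config_get UNBOUND_D_CONTROL "$cfg" unbound_control 0` accepts any string, but the value later feeds `[ "$UNBOUND_D_CONTROL" -gt 1 ]` and a `case` with numeric patterns; an existing configuration that set the old boolean option to `yes`, `true` or `on` (all accepted by the removed `config_get_bool`) now triggers an integer-comparison error from `[` and silently gets no `remote-control:` clause at all. Normalising right after the get, e.g. `case "$UNBOUND_D_CONTROL" in [0-4]) ;; yes|true|on) UNBOUND_D_CONTROL=1 ;; *) UNBOUND_D_CONTROL=0 ;; esac`, preserves the old boolean meaning and keeps out-of-range values away from the numeric tests. unbound_uci() starts and ends outside the hunk.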
@@ -1,8 +1,9 @@ ############################################################################## -# UNBOUND UCI USER ADDED SERVER OPTIONS +# User custom options added in the server: clause part of UCI 'unbound.conf' # -# Put your own choice options here when not covered by UCI. These are all part -# of the server: clause only. Most likely are hardening options or local-zone: -# This is in an include: statement towards the end of the server: cluase. +# Add your own option statements here when they are not covered by UCI. This +# file is placed _inside_ the server: clause with an include: statement. Do +# not start other clauses here, because that would brake the server: clause. +# Use 'unbound_ext.conf' to start new clauses at the end of 'unbound.conf'. ############################################################################## -- 2.30.2
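Review bot: The new line `# not start other clauses here, because that would brake the server: clause.` has a typo and should read `because that would break the server: clause.` The README hunk in this patch has the same kind of slip: `advanced congfiguration` and a description that begins with lowercase `extended statistics`; they are worth fixing in the same pass.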