LILiK
/
openwrt-packages-dist

#!/bin/sh
################################################################################ This program is free software; you can redistribute it and/or modify# it under the terms of the GNU General Public License version 2 as# published by the Free Software Foundation.## This program is distributed in the hope that it will be useful,# but WITHOUT ANY WARRANTY; without even the implied warranty of# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the# GNU General Public License for more details.## Copyright (C) 2016 Eric Luehrsen################################################################################# This builds the basic UCI components currently supported for Unbound. It is# intentionally NOT comprehensive and bundles a lot of options. The UCI is to# be a simpler presentation of the total Unbound conf set.###############################################################################
UNBOUND_B_CONTROL=0UNBOUND_B_DNSMASQ=0UNBOUND_B_DNSSEC=0UNBOUND_B_DNS64=0UNBOUND_B_GATE_NAME=0UNBOUND_B_HIDE_BIND=1UNBOUND_B_LOCL_BLCK=0UNBOUND_B_LOCL_NAME=0UNBOUND_B_LOCL_SERV=1UNBOUND_B_MAN_CONF=0UNBOUND_B_NTP_BOOT=1UNBOUND_B_PRIV_BLCK=1UNBOUND_B_QUERY_MIN=0UNBOUND_B_QRY_MINST=0
UNBOUND_IP_DNS64="64:ff9b::/96"
UNBOUND_D_RESOURCE=smallUNBOUND_D_RECURSION=passiveUNBOUND_D_PROTOCOL=mixed
UNBOUND_TXT_FWD_ZONE=""UNBOUND_TTL_MIN=120
UNBOUND_N_EDNS_SIZE=1280UNBOUND_N_FWD_PORTS=""UNBOUND_N_RX_PORT=53UNBOUND_N_ROOT_AGE=28
##############################################################################
UNBOUND_ANCHOR=/usr/bin/unbound-anchorUNBOUND_CONTROL=/usr/bin/unbound-control
UNBOUND_LIBDIR=/usr/lib/unbound
UNBOUND_PIDFILE=/var/run/unbound.pid
UNBOUND_VARDIR=/var/lib/unboundUNBOUND_CONFFILE=$UNBOUND_VARDIR/unbound.confUNBOUND_KEYFILE=$UNBOUND_VARDIR/root.keyUNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hintsUNBOUND_TIMEFILE=$UNBOUND_VARDIR/unbound.timeUNBOUND_CHECKFILE=$UNBOUND_VARDIR/unbound.check
##############################################################################
. /lib/functions.sh. /lib/functions/network.sh
. $UNBOUND_LIBDIR/dnsmasq.sh. $UNBOUND_LIBDIR/iptools.sh. $UNBOUND_LIBDIR/rootzone.sh
##############################################################################
create_access_control() {  local cfg="$1"  local subnets subnets4 subnets6  local validip4 validip6
  network_get_subnets  subnets4 "$cfg"  network_get_subnets6 subnets6 "$cfg"  subnets="$subnets4 $subnets6"

  if [ -n "$subnets" ] ; then    for subnet in $subnets ; do      validip4=$( valid_subnet4 $subnet )      validip6=$( valid_subnet6 $subnet )

      if [ "$validip4" = "ok" -o "$validip6" = "ok" ] ; then        # For each "network" UCI add "access-control:" white list for queries        echo "  access-control: $subnet allow" >> $UNBOUND_CONFFILE      fi    done  fi}
##############################################################################
create_domain_insecure() {  echo "  domain-insecure: \"$1\"" >> $UNBOUND_CONFFILE}
##############################################################################
unbound_mkdir() {  mkdir -p $UNBOUND_VARDIR  touch $UNBOUND_CONFFILE

  if [ -f /etc/unbound/root.hints ] ; then    # Your own local copy of root.hints    cp -p /etc/unbound/root.hints $UNBOUND_HINTFILE
  elif [ -f /usr/share/dns/root.hints ] ; then    # Debian-like package dns-root-data    cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
  else    logger -t unbound -s "iterator will use built-in root hints"  fi

  if [ -f /etc/unbound/root.key ] ; then    # Your own local copy of a root.key    cp -p /etc/unbound/root.key $UNBOUND_KEYFILE
  elif [ -f /usr/share/dns/root.key ] ; then    # Debian-like package dns-root-data    cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE
  elif [ -x "$UNBOUND_ANCHOR" ] ; then    $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
  else    logger -t unbound -s "validator will use built-in trust anchor"  fi}
##############################################################################
unbound_conf() {  local cfg=$1  local rt_mem rt_conn modulestring
  {    # Make fresh conf file    echo "# $UNBOUND_CONFFILE generated by UCI $( date )"    echo  } > $UNBOUND_CONFFILE

  if [ "$UNBOUND_B_CONTROL" -gt 0 ] ; then    {      # Enable remote control tool, but only at local host for security      echo "remote-control:"      echo "  control-enable: yes"      echo "  control-use-cert: no"      echo "  control-interface: 127.0.0.1"      echo "  control-interface: ::1"      echo    } >> $UNBOUND_CONFFILE
  else    {      # "control:" clause is seperate before "server:" so we can append      # dnsmasq "server:" parts and "forward:" cluases towards the end.      echo "remote-control:"      echo "  control-enable: no"      echo    } >> $UNBOUND_CONFFILE  fi

  {    # No threading    echo "server:"    echo "  username: unbound"    echo "  num-threads: 1"    echo "  msg-cache-slabs: 1"    echo "  rrset-cache-slabs: 1"    echo "  infra-cache-slabs: 1"    echo "  key-cache-slabs: 1"    echo  } >> $UNBOUND_CONFFILE

  {    # Logging    echo "  verbosity: 1"    echo "  statistics-interval: 0"    echo "  statistics-cumulative: no"    echo "  extended-statistics: no"    echo  } >> $UNBOUND_CONFFILE

  {    # Interfaces (access contol "option local_service")    echo "  interface: 0.0.0.0"    echo "  interface: ::0"    echo "  outgoing-interface: 0.0.0.0"    echo "  outgoing-interface: ::0"    echo  } >> $UNBOUND_CONFFILE

  case "$UNBOUND_D_PROTOCOL" in    ip4_only)      {        echo "  do-ip4: yes"        echo "  do-ip6: no"      } >> $UNBOUND_CONFFILE      ;;
    ip6_only)      {        echo "  do-ip4: no"        echo "  do-ip6: yes"      } >> $UNBOUND_CONFFILE      ;;
    ip6_prefer)      {        echo "  do-ip4: yes"        echo "  do-ip6: yes"        echo "  prefer-ip6: yes"      } >> $UNBOUND_CONFFILE      ;;
    *)      {        echo "  do-ip4: yes"        echo "  do-ip6: yes"      } >> $UNBOUND_CONFFILE      ;;  esac

  {    # protocol level tuning    echo "  edns-buffer-size: $UNBOUND_N_EDNS_SIZE"    echo "  msg-buffer-size: 8192"    echo "  port: $UNBOUND_N_RX_PORT"    echo "  outgoing-port-permit: 10240-65535"    echo  } >> $UNBOUND_CONFFILE

  {    # Other harding and options for an embedded router    echo "  harden-short-bufsize: yes"    echo "  harden-large-queries: yes"    echo "  harden-glue: yes"    echo "  harden-below-nxdomain: no"    echo "  harden-referral-path: no"    echo "  use-caps-for-id: no"    echo  } >> $UNBOUND_CONFFILE

  {    # Default Files    echo "  use-syslog: yes"    echo "  chroot: \"$UNBOUND_VARDIR\""    echo "  directory: \"$UNBOUND_VARDIR\""    echo "  pidfile: \"$UNBOUND_PIDFILE\""  } >> $UNBOUND_CONFFILE

  if [ -f "$UNBOUND_HINTFILE" ] ; then    # Optional hints if found    echo "  root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE  fi

  if [ "$UNBOUND_B_DNSSEC" -gt 0 -a -f "$UNBOUND_KEYFILE" ] ; then    {      echo "  auto-trust-anchor-file: \"$UNBOUND_KEYFILE\""      echo    } >> $UNBOUND_CONFFILE
  else    echo >> $UNBOUND_CONFFILE  fi

  case "$UNBOUND_D_RESOURCE" in    # Tiny - Unbound's recommended cheap hardware config    tiny)   rt_mem=1  ; rt_conn=1 ;;    # Small - Half RRCACHE and open ports    small)  rt_mem=8  ; rt_conn=5 ;;    # Medium - Nearly default but with some added balancintg    medium) rt_mem=16 ; rt_conn=10 ;;    # Large - Double medium    large)  rt_mem=32 ; rt_conn=10 ;;    # Whatever unbound does    *) rt_mem=0 ; rt_conn=0 ;;  esac

  if [ "$rt_mem" -gt 0 ] ; then    {      # Set memory sizing parameters      echo "  outgoing-range: $(($rt_conn*64))"      echo "  num-queries-per-thread: $(($rt_conn*32))"      echo "  outgoing-num-tcp: $(($rt_conn))"      echo "  incoming-num-tcp: $(($rt_conn))"      echo "  rrset-cache-size: $(($rt_mem*256))k"      echo "  msg-cache-size: $(($rt_mem*128))k"      echo "  key-cache-size: $(($rt_mem*128))k"      echo "  neg-cache-size: $(($rt_mem*64))k"      echo "  infra-cache-numhosts: $(($rt_mem*256))"      echo    } >> $UNBOUND_CONFFILE
  else    logger -t unbound -s "default memory resource consumption"  fi
  # Assembly of module-config: options is tricky; order matters  modulestring="iterator"

  if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then    if [ ! -f "$UNBOUND_TIMEFILE" -a "$UNBOUND_B_NTP_BOOT" -gt 0 ] ; then      # DNSSEC chicken and egg with getting NTP time      echo "  val-override-date: -1" >> $UNBOUND_CONFFILE    fi

    {      echo "  harden-dnssec-stripped: yes"      echo "  val-clean-additional: yes"      echo "  ignore-cd-flag: yes"    } >> $UNBOUND_CONFFILE

    modulestring="validator $modulestring"  fi

  if [ "$UNBOUND_B_DNS64" -gt 0 ] ; then    echo "  dns64-prefix: $UNBOUND_IP_DNS64" >> $UNBOUND_CONFFILE
    modulestring="dns64 $modulestring"  fi

  {    # Print final module string    echo "  module-config: \"$modulestring\""    echo  }  >> $UNBOUND_CONFFILE

  if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then    {      # Some query privacy but "strict" will break some name servers      echo "  qname-minimisation: yes"      echo "  qname-minimisation-strict: yes"    } >> $UNBOUND_CONFFILE
  elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then    # Minor improvement on query privacy    echo "  qname-minimisation: yes" >> $UNBOUND_CONFFILE
  else    echo "  qname-minimisation: no" >> $UNBOUND_CONFFILE  fi

  case "$UNBOUND_D_RECURSION" in    passive)      {        echo "  prefetch: no"        echo "  prefetch-key: no"        echo "  target-fetch-policy: \"0 0 0 0 0\""        echo      } >> $UNBOUND_CONFFILE      ;;
    aggressive)      {        echo "  prefetch: yes"        echo "  prefetch-key: yes"        echo "  target-fetch-policy: \"3 2 1 0 0\""        echo      } >> $UNBOUND_CONFFILE      ;;
    *)      logger -t unbound -s "default recursion configuration"      ;;  esac

  {    # Reload records more than 10 hours old    # DNSSEC 5 minute bogus cool down before retry    # Adaptive infrastructure info kept for 15 minutes    echo "  cache-min-ttl: $UNBOUND_TTL_MIN"    echo "  cache-max-ttl: 36000"    echo "  val-bogus-ttl: 300"    echo "  infra-host-ttl: 900"    echo  } >> $UNBOUND_CONFFILE

  if [ "$UNBOUND_B_HIDE_BIND" -gt 0 ] ; then    {      # Block server id and version DNS TXT records      echo "  hide-identity: yes"      echo "  hide-version: yes"      echo    } >> $UNBOUND_CONFFILE  fi

  if [ "$UNBOUND_B_PRIV_BLCK" -gt 0 ] ; then    {      # Remove _upstream_ or global reponses with private addresses.      # Unbounds own "local zone" and "forward zone" may still use these.      # RFC1918, RFC3927, RFC4291, RFC6598, RFC6890      echo "  private-address: 10.0.0.0/8"      echo "  private-address: 100.64.0.0/10"      echo "  private-address: 169.254.0.0/16"      echo "  private-address: 172.16.0.0/12"      echo "  private-address: 192.168.0.0/16"      echo "  private-address: fc00::/8"      echo "  private-address: fd00::/8"      echo "  private-address: fe80::/10"    } >> $UNBOUND_CONFFILE  fi

  if [ "$UNBOUND_B_LOCL_BLCK" -gt 0 ] ; then    {      # Remove DNS reponses from upstream with loopback IP      # Black hole DNS method for ad blocking, so consider...      echo "  private-address: 127.0.0.0/8"      echo "  private-address: ::1/128"      echo    } >> $UNBOUND_CONFFILE
  else    echo >> $UNBOUND_CONFFILE  fi

  # Domain Exceptions  config_list_foreach "$cfg" "domain_insecure" create_domain_insecure  echo >> $UNBOUND_CONFFILE

  ####################  # UCI @ network    #  ####################

  if [ "$UNBOUND_B_LOCL_SERV" -gt 0 ] ; then    # Only respond to queries from which this device has an interface.    # Prevent DNS amplification attacks by not responding to the universe.    config_load network    config_foreach create_access_control interface
    {      echo "  access-control: 127.0.0.0/8 allow"      echo "  access-control: ::1/128 allow"      echo "  access-control: fe80::/10 allow"      echo    } >> $UNBOUND_CONFFILE
  else    {      echo "  access-control: 0.0.0.0/0 allow"      echo "  access-control: ::0/0 allow"      echo    } >> $UNBOUND_CONFFILE  fi}
##############################################################################
unbound_uci() {  local cfg=$1  local dnsmasqpath
  ####################  # UCI @ unbound    #  ####################
  config_get_bool UNBOUND_B_DNS64     "$cfg" dns64 0  config_get_bool UNBOUND_B_GATE_NAME "$cfg" dnsmasq_gate_name 0  config_get_bool UNBOUND_B_DNSMASQ   "$cfg" dnsmasq_link_dns 0  config_get_bool UNBOUND_B_HIDE_BIND "$cfg" hide_binddata 1  config_get_bool UNBOUND_B_LOCL_NAME "$cfg" dnsmasq_only_local 0  config_get_bool UNBOUND_B_LOCL_SERV "$cfg" localservice 1  config_get_bool UNBOUND_B_MAN_CONF  "$cfg" manual_conf 0  config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0  config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0  config_get_bool UNBOUND_B_PRIV_BLCK "$cfg" rebind_protection 1  config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0  config_get_bool UNBOUND_B_CONTROL   "$cfg" unbound_control 0  config_get_bool UNBOUND_B_DNSSEC    "$cfg" validator  0  config_get_bool UNBOUND_B_NTP_BOOT  "$cfg" validator_ntp 1
  config_get UNBOUND_IP_DNS64    "$cfg" dns64_prefix "64:ff9b::/96"
  config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280  config_get UNBOUND_N_RX_PORT   "$cfg" listen_port 53  config_get UNBOUND_N_ROOT_AGE  "$cfg" root_age 7
  config_get UNBOUND_D_PROTOCOL  "$cfg" protocol mixed  config_get UNBOUND_D_RECURSION "$cfg" recursion passive  config_get UNBOUND_D_RESOURCE  "$cfg" resource small
  config_get UNBOUND_TTL_MIN     "$cfg" ttl_min 120

  if [ "$UNBOUND_B_DNSMASQ" -gt 0 ] ; then    dnsmasqpath=$( which dnsmasq )

    if [ ! -x "$dnsmasqpath" ] ; then      logger -t unbound -s "cannot forward to dnsmasq"      UNBOUND_B_DNSMASQ=0    fi  fi

  if [ "$UNBOUND_N_EDNS_SIZE" -lt 512 \
    -o 4096 -lt "$UNBOUND_N_EDNS_SIZE" ] ; then    # exceeds range, back to default    UNBOUND_N_EDNS_SIZE=1280  fi

  if [ "$UNBOUND_N_RX_PORT" -lt 1024 \
    -o 10240 -lt "$UNBOUND_N_RX_PORT" ] ; then    # special port or in 5 digits, back to default    UNBOUND_N_RX_PORT=53  fi

  if [ "$UNBOUND_TTL_MIN" -gt 1800 ] ; then    # that could have had awful side effects    UNBOUND_TTL_MIN=300  fi

  if [ "$UNBOUND_B_MAN_CONF" -gt 0 ] ; then    # Don't want this being triggered. Maybe we could, but then the    # base conf you provide would need to be just right.    UNBOUND_B_DNSMASQ=0
  else    unbound_conf $cfg  fi}
##############################################################################
unbound_own () {  # Debug UCI  {    echo "# $UNBOUND_CHECKFILE generated by UCI $( date )"    echo    set | grep ^UNBOUND_  } > $UNBOUND_CHECKFILE

  if [ "$UNBOUND_B_MAN_CONF" -gt 0 ] ; then    # You are doing your own thing, so just copy /etc/ to /var/    cp -p /etc/unbound/* $UNBOUND_VARDIR/  fi

  # Ensure access and prepare to jail  chown -R unbound:unbound $UNBOUND_VARDIR  chmod 775 $UNBOUND_VARDIR  chmod 664 $UNBOUND_VARDIR/*}
##############################################################################
unbound_prepare() {  # Make a home for Unbound in /var/lib/unbound  unbound_mkdir
  # Load up the chunks of UCI  config_load unbound  config_foreach unbound_uci unbound
  # Unbound primary DNS, and dnsmasq side service DHCP-DNS (dnsmasq.sh)  dnsmasq_link
  # Unbound needs chroot ownership  unbound_own}
##############################################################################