You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

1388 lines
38 KiB

  1. #!/bin/sh
  2. ##############################################################################
  3. #
  4. # This program is free software; you can redistribute it and/or modify
  5. # it under the terms of the GNU General Public License version 2 as
  6. # published by the Free Software Foundation.
  7. #
  8. # This program is distributed in the hope that it will be useful,
  9. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  10. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  11. # GNU General Public License for more details.
  12. #
  13. # Copyright (C) 2016 Eric Luehrsen
  14. #
  15. ##############################################################################
  16. #
  17. # Unbound is a full featured recursive server with many options. The UCI
  18. # provided tries to simplify and bundle options. This should make Unbound
  19. # easier to deploy. Even light duty routers may resolve recursively instead of
  20. # depending on a stub with the ISP. The UCI also attempts to replicate dnsmasq
  21. # features as used in base LEDE/OpenWrt. If there is a desire for more
  22. # detailed tuning, then manual conf file overrides are also made available.
  23. #
  24. ##############################################################################
  25. UNBOUND_B_SLAAC6_MAC=0
  26. UNBOUND_B_DNSSEC=0
  27. UNBOUND_B_DNS64=0
  28. UNBOUND_B_EXT_STATS=0
  29. UNBOUND_B_GATE_NAME=0
  30. UNBOUND_B_HIDE_BIND=1
  31. UNBOUND_B_LOCL_BLCK=0
  32. UNBOUND_B_LOCL_SERV=1
  33. UNBOUND_B_MAN_CONF=0
  34. UNBOUND_B_NTP_BOOT=1
  35. UNBOUND_B_QUERY_MIN=0
  36. UNBOUND_B_QRY_MINST=0
  37. UNBOUND_B_AUTH_ROOT=0
  38. UNBOUND_D_CONTROL=0
  39. UNBOUND_D_DOMAIN_TYPE=static
  40. UNBOUND_D_DHCP_LINK=none
  41. UNBOUND_D_EXTRA_DNS=0
  42. UNBOUND_D_LAN_FQDN=0
  43. UNBOUND_D_PRIV_BLCK=1
  44. UNBOUND_D_PROTOCOL=mixed
  45. UNBOUND_D_RESOURCE=small
  46. UNBOUND_D_RECURSION=passive
  47. UNBOUND_D_WAN_FQDN=0
  48. UNBOUND_IP_DNS64="64:ff9b::/96"
  49. UNBOUND_N_EDNS_SIZE=1280
  50. UNBOUND_N_FWD_PORTS=""
  51. UNBOUND_N_RX_PORT=53
  52. UNBOUND_N_ROOT_AGE=9
  53. UNBOUND_TTL_MIN=120
  54. UNBOUND_TXT_DOMAIN=lan
  55. UNBOUND_TXT_FWD_ZONE=""
  56. UNBOUND_TXT_HOSTNAME=thisrouter
  57. UNBOUND_LIST_FORWARD=""
  58. UNBOUND_LIST_INSECURE=""
  59. ##############################################################################
  60. # keep track of assignments during inserted resource records
  61. UNBOUND_LIST_DOMAINS=""
  62. UNBOUND_LIST_IFACE=""
  63. UNBOUND_LIST_PRV_IP6GLA=""
  64. UNBOUND_LIST_LAN_NET=""
  65. # Similar default SOA / NS RR as Unbound uses for private ARPA zones
  66. UNBOUND_XSOA="3600 IN SOA localhost. nobody.invalid. 1 3600 1200 7200 600"
  67. UNBOUND_XNS="3600 IN NS localhost."
  68. ##############################################################################
  69. . /lib/functions.sh
  70. . /lib/functions/network.sh
  71. . /usr/lib/unbound/defaults.sh
  72. . /usr/lib/unbound/dnsmasq.sh
  73. . /usr/lib/unbound/iptools.sh
  74. . /usr/lib/unbound/rootzone.sh
  75. ##############################################################################
  76. create_interface_dns() {
  77. local cfg="$1"
  78. local ipcommand logint ignore ifname ifdashname
  79. local name names address addresses
  80. local ulaprefix if_fqdn host_fqdn
  81. local mode_ptr="$UNBOUND_TXT_HOSTNAME"
  82. local names="$UNBOUND_TXT_HOSTNAME"
  83. # Create local-data: references for this hosts interfaces (router).
  84. config_get logint "$cfg" interface
  85. config_get_bool ignore "$cfg" ignore 0
  86. network_get_device ifname "$cfg"
  87. ifdashname="${ifname//./-}"
  88. ipcommand="ip -o address show $ifname"
  89. addresses=$( $ipcommand | awk '/inet/{sub(/\/.*/,"",$4); print $4}' )
  90. ulaprefix=$( uci_get network.@globals[0].ula_prefix )
  91. host_fqdn="$UNBOUND_TXT_HOSTNAME.$UNBOUND_TXT_DOMAIN"
  92. if_fqdn="$ifdashname.$host_fqdn"
  93. if [ -z "$ifdashname" ] ; then
  94. # race conditions at init can rarely cause a blank device return
  95. # the record format is invalid and Unbound won't load the conf file
  96. mode=0
  97. elif [ -n "$UNBOUND_LIST_IFACE" ] ; then
  98. case "$UNBOUND_LIST_IFACE" in
  99. *$ifdashname*)
  100. # repeat such as dual WAN (eth0-1) and WAN6 (eth0-1)
  101. mode=0
  102. ;;
  103. *)
  104. mode=1
  105. ;;
  106. esac
  107. else
  108. mode=1
  109. fi
  110. if [ $mode -gt 0 ] ; then
  111. UNBOUND_LIST_IFACE="$UNBOUND_LIST_IFACE $ifdashname"
  112. if [ -z "${ulaprefix%%:/*}" ] ; then
  113. # Nonsense so this option isn't globbed below
  114. ulaprefix="fdno:such:addr::/48"
  115. fi
  116. if [ "$ignore" -gt 0 ] ; then
  117. mode="$UNBOUND_D_WAN_FQDN"
  118. else
  119. mode="$UNBOUND_D_LAN_FQDN"
  120. fi
  121. fi
  122. if [ "$mode" -gt 1 ] ; then
  123. case "$mode" in
  124. 3)
  125. mode_ptr="$host_fqdn"
  126. names="$host_fqdn $UNBOUND_TXT_HOSTNAME"
  127. ;;
  128. 4)
  129. mode_ptr="$if_fqdn"
  130. names="$if_fqdn $host_fqdn $UNBOUND_TXT_HOSTNAME"
  131. ;;
  132. esac
  133. {
  134. for address in $addresses ; do
  135. case $address in
  136. fe80:*|169.254.*)
  137. echo " # note link address $address"
  138. ;;
  139. [1-9a-f]*:*[0-9a-f])
  140. # GA and ULA IP6 for HOST IN AAA records (ip command is robust)
  141. for name in $names ; do
  142. echo " local-data: \"$name. 120 IN AAAA $address\""
  143. done
  144. echo " local-data-ptr: \"$address 120 $mode_ptr\""
  145. ;;
  146. [1-9]*.*[0-9])
  147. # Old fashioned HOST IN A records
  148. for name in $names ; do
  149. echo " local-data: \"$name. 120 IN A $address\""
  150. done
  151. echo " local-data-ptr: \"$address 120 $mode_ptr\""
  152. ;;
  153. esac
  154. done
  155. echo
  156. } >> $UNBOUND_CONFFILE
  157. elif [ "$mode" -gt 0 ] ; then
  158. {
  159. for address in $addresses ; do
  160. case $address in
  161. fe80:*|169.254.*)
  162. echo " # note link address $address"
  163. ;;
  164. "${ulaprefix%%:/*}"*)
  165. # Only this networks ULA and only hostname
  166. echo " local-data: \"$UNBOUND_TXT_HOSTNAME. 120 IN AAAA $address\""
  167. echo " local-data-ptr: \"$address 120 $UNBOUND_TXT_HOSTNAME\""
  168. ;;
  169. [1-9]*.*[0-9])
  170. echo " local-data: \"$UNBOUND_TXT_HOSTNAME. 120 IN A $address\""
  171. echo " local-data-ptr: \"$address 120 $UNBOUND_TXT_HOSTNAME\""
  172. ;;
  173. esac
  174. done
  175. echo
  176. } >> $UNBOUND_CONFFILE
  177. fi
  178. }
  179. ##############################################################################
  180. create_local_zone() {
  181. local target="$1"
  182. local partial domain found
  183. if [ -n "$UNBOUND_LIST_DOMAINS" ] ; then
  184. for domain in $UNBOUND_LIST_DOMAINS ; do
  185. case $target in
  186. *"${domain}")
  187. found=1
  188. break
  189. ;;
  190. [A-Za-z0-9]*.[A-Za-z0-9]*)
  191. found=0
  192. ;;
  193. *) # no dots
  194. found=1
  195. break
  196. ;;
  197. esac
  198. done
  199. else
  200. found=0
  201. fi
  202. if [ $found -eq 0 ] ; then
  203. # New Zone! Bundle local-zones: by first two name tiers "abcd.tld."
  204. partial=$( echo "$target" | awk -F. '{ j=NF ; i=j-1; print $i"."$j }' )
  205. UNBOUND_LIST_DOMAINS="$UNBOUND_LIST_DOMAINS $partial"
  206. echo " local-zone: $partial transparent" >> $UNBOUND_CONFFILE
  207. fi
  208. }
  209. ##############################################################################
  210. create_host_record() {
  211. local cfg="$1"
  212. local ip name
  213. # basefiles dhcp "domain" clause which means host A, AAAA, and PRT record
  214. config_get ip "$cfg" ip
  215. config_get name "$cfg" name
  216. if [ -n "$name" -a -n "$ip" ] ; then
  217. create_local_zone "$name"
  218. {
  219. case $ip in
  220. fe80:*|169.254.*)
  221. echo " # note link address $ip for host $name"
  222. ;;
  223. [1-9a-f]*:*[0-9a-f])
  224. echo " local-data: \"$name. 120 IN AAAA $ip\""
  225. echo " local-data-ptr: \"$ip 120 $name\""
  226. ;;
  227. [1-9]*.*[0-9])
  228. echo " local-data: \"$name. 120 IN A $ip\""
  229. echo " local-data-ptr: \"$ip 120 $name\""
  230. ;;
  231. esac
  232. } >> $UNBOUND_CONFFILE
  233. fi
  234. }
  235. ##############################################################################
  236. create_mx_record() {
  237. local cfg="$1"
  238. local domain relay pref
  239. # Insert a static MX record
  240. config_get domain "$cfg" domain
  241. config_get relay "$cfg" relay
  242. config_get pref "$cfg" pref 10
  243. if [ -n "$domain" -a -n "$relay" ] ; then
  244. create_local_zone "$domain"
  245. echo " local-data: \"$domain. 120 IN MX $pref $relay.\"" \
  246. >> $UNBOUND_CONFFILE
  247. fi
  248. }
  249. ##############################################################################
  250. create_srv_record() {
  251. local cfg="$1"
  252. local srv target port class weight
  253. # Insert a static SRV record such as SIP server
  254. config_get srv "$cfg" srv
  255. config_get target "$cfg" target
  256. config_get port "$cfg" port
  257. config_get class "$cfg" class 10
  258. config_get weight "$cfg" weight 10
  259. if [ -n "$srv" -a -n "$target" -a -n "$port" ] ; then
  260. create_local_zone "$srv"
  261. echo " local-data: \"$srv. 120 IN SRV $class $weight $port $target.\"" \
  262. >> $UNBOUND_CONFFILE
  263. fi
  264. }
  265. ##############################################################################
  266. create_cname_record() {
  267. local cfg="$1"
  268. local cname target
  269. # Insert static CNAME record
  270. config_get cname "$cfg" cname
  271. config_get target "$cfg" target
  272. if [ -n "$cname" -a -n "$target" ] ; then
  273. create_local_zone "$cname"
  274. echo " local-data: \"$cname. 120 IN CNAME $target.\"" >> $UNBOUND_CONFFILE
  275. fi
  276. }
  277. ##############################################################################
  278. create_access_control() {
  279. local cfg="$1"
  280. local subnets subnets4 subnets6
  281. local validip4 validip6
  282. network_get_subnets subnets4 "$cfg"
  283. network_get_subnets6 subnets6 "$cfg"
  284. subnets="$subnets4 $subnets6"
  285. if [ -n "$subnets" ] ; then
  286. for subnet in $subnets ; do
  287. validip4=$( valid_subnet4 $subnet )
  288. validip6=$( valid_subnet6 $subnet )
  289. if [ "$validip4" = "ok" -o "$validip6" = "ok" ] ; then
  290. # For each "network" UCI add "access-control:" white list for queries
  291. echo " access-control: $subnet allow" >> $UNBOUND_CONFFILE
  292. fi
  293. done
  294. fi
  295. }
  296. ##############################################################################
  297. bundle_domain_forward() {
  298. UNBOUND_LIST_FORWARD="$UNBOUND_LIST_FORWARD $1"
  299. }
  300. ##############################################################################
  301. bundle_domain_insecure() {
  302. UNBOUND_LIST_INSECURE="$UNBOUND_LIST_INSECURE $1"
  303. }
  304. ##############################################################################
  305. bundle_private_interface() {
  306. local ipcommand ifsubnet ifsubnets ifname validip4
  307. network_get_device ifname $1
  308. if [ -n "$ifname" ] ; then
  309. ipcommand="ip -o address show $ifname"
  310. ifsubnets=$( $ipcommand | awk '/inet/{ print $4 }' )
  311. if [ -n "$ifsubnets" ] ; then
  312. for ifsubnet in $ifsubnets ; do
  313. case $ifsubnet in
  314. [1-9][0-9a-f][0-9a-f][0-9a-f]:*[0-9a-f])
  315. # Special GLA protection for local block; ULA protected as a catagory
  316. UNBOUND_LIST_PRV_IP6GLA="$UNBOUND_LIST_PRV_IP6GLA $ifsubnet"
  317. ;;
  318. f[dc][0-9a-f][0-9a-f]:*[0-9a-f])
  319. # Used to configure specific local-zone: data
  320. UNBOUND_LIST_LAN_NET="$UNBOUND_LIST_LAN_NET $ifsubnet"
  321. ;;
  322. *)
  323. validip4=$( valid_subnet4 $ifsubnet )
  324. if [ "$validip4" = "ok" ] ; then
  325. UNBOUND_LIST_LAN_NET="$UNBOUND_LIST_LAN_NET $ifsubnet"
  326. fi
  327. ;;
  328. esac
  329. done
  330. fi
  331. fi
  332. }
  333. ##############################################################################
  334. unbound_mkdir() {
  335. local filestuff
  336. if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" ] ; then
  337. local dhcp_origin=$( uci_get dhcp.@odhcpd[0].leasefile )
  338. local dhcp_dir=$( dirname $dhcp_origin )
  339. if [ ! -d "$dhcp_dir" ] ; then
  340. # make sure odhcpd has a directory to write (not done itself, yet)
  341. mkdir -p "$dhcp_dir"
  342. fi
  343. fi
  344. if [ -f $UNBOUND_KEYFILE ] ; then
  345. filestuff=$( cat $UNBOUND_KEYFILE )
  346. case "$filestuff" in
  347. *"state=2 [ VALID ]"*)
  348. # Lets not lose RFC 5011 tracking if we don't have to
  349. cp -p $UNBOUND_KEYFILE $UNBOUND_KEYFILE.keep
  350. ;;
  351. esac
  352. fi
  353. # Blind copy /etc/ to /var/lib/
  354. mkdir -p $UNBOUND_VARDIR
  355. rm -f $UNBOUND_VARDIR/dhcp_*
  356. touch $UNBOUND_CONFFILE
  357. touch $UNBOUND_SRV_CONF
  358. touch $UNBOUND_EXT_CONF
  359. cp -p /etc/unbound/* $UNBOUND_VARDIR/
  360. if [ ! -f $UNBOUND_HINTFILE ] ; then
  361. if [ -f /usr/share/dns/root.hints ] ; then
  362. # Debian-like package dns-root-data
  363. cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
  364. elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
  365. logger -t unbound -s "default root hints (built in rootservers.net)"
  366. fi
  367. fi
  368. if [ ! -f $UNBOUND_KEYFILE ] ; then
  369. if [ -f /usr/share/dns/root.key ] ; then
  370. # Debian-like package dns-root-data
  371. cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE
  372. elif [ -x $UNBOUND_ANCHOR ] ; then
  373. $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
  374. elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
  375. logger -t unbound -s "default trust anchor (built in root DS record)"
  376. fi
  377. fi
  378. if [ -f $UNBOUND_KEYFILE.keep ] ; then
  379. # root.key.keep is reused if newest
  380. cp -u $UNBOUND_KEYFILE.keep $UNBOUND_KEYFILE
  381. rm -f $UNBOUND_KEYFILE.keep
  382. fi
  383. # Ensure access and prepare to jail
  384. chown -R unbound:unbound $UNBOUND_VARDIR
  385. chmod 755 $UNBOUND_VARDIR
  386. chmod 644 $UNBOUND_VARDIR/*
  387. if [ -f $UNBOUND_CTLKEY_FILE -o -f $UNBOUND_CTLPEM_FILE \
  388. -o -f $UNBOUND_SRVKEY_FILE -o -f $UNBOUND_SRVPEM_FILE ] ; then
  389. # Keys (some) exist already; do not create new ones
  390. chmod 640 $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
  391. $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE
  392. elif [ -x /usr/sbin/unbound-control-setup ] ; then
  393. case "$UNBOUND_D_CONTROL" in
  394. [2-3])
  395. # unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static"
  396. /usr/sbin/unbound-control-setup -d $UNBOUND_VARDIR
  397. chown -R unbound:unbound $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
  398. $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE
  399. chmod 640 $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
  400. $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE
  401. cp -p $UNBOUND_CTLKEY_FILE /etc/unbound/unbound_control.key
  402. cp -p $UNBOUND_CTLPEM_FILE /etc/unbound/unbound_control.pem
  403. cp -p $UNBOUND_SRVKEY_FILE /etc/unbound/unbound_server.key
  404. cp -p $UNBOUND_SRVPEM_FILE /etc/unbound/unbound_server.pem
  405. ;;
  406. esac
  407. fi
  408. }
  409. ##############################################################################
  410. unbound_control() {
  411. if [ "$UNBOUND_D_CONTROL" -gt 1 ] ; then
  412. if [ ! -f $UNBOUND_CTLKEY_FILE -o ! -f $UNBOUND_CTLPEM_FILE \
  413. -o ! -f $UNBOUND_SRVKEY_FILE -o ! -f $UNBOUND_SRVPEM_FILE ] ; then
  414. # Key files need to be present; if unbound-control-setup was found, then
  415. # they might have been made during unbound_makedir() above.
  416. UNBOUND_D_CONTROL=0
  417. fi
  418. fi
  419. case "$UNBOUND_D_CONTROL" in
  420. 1)
  421. {
  422. # Local Host Only Unencrypted Remote Control
  423. echo "remote-control:"
  424. echo " control-enable: yes"
  425. echo " control-use-cert: no"
  426. echo " control-interface: 127.0.0.1"
  427. echo " control-interface: ::1"
  428. echo
  429. } >> $UNBOUND_CONFFILE
  430. ;;
  431. 2)
  432. {
  433. # Local Host Only Encrypted Remote Control
  434. echo "remote-control:"
  435. echo " control-enable: yes"
  436. echo " control-use-cert: yes"
  437. echo " control-interface: 127.0.0.1"
  438. echo " control-interface: ::1"
  439. echo " server-key-file: $UNBOUND_SRVKEY_FILE"
  440. echo " server-cert-file: $UNBOUND_SRVPEM_FILE"
  441. echo " control-key-file: $UNBOUND_CTLKEY_FILE"
  442. echo " control-cert-file: $UNBOUND_CTLPEM_FILE"
  443. echo
  444. } >> $UNBOUND_CONFFILE
  445. ;;
  446. [3-4])
  447. {
  448. # Network Encrypted Remote Control
  449. # (3) may auto setup and (4) must have static key/pem files
  450. # TODO: add UCI list for interfaces to bind
  451. echo "remote-control:"
  452. echo " control-enable: yes"
  453. echo " control-use-cert: yes"
  454. echo " control-interface: 0.0.0.0"
  455. echo " control-interface: ::0"
  456. echo " server-key-file: $UNBOUND_SRVKEY_FILE"
  457. echo " server-cert-file: $UNBOUND_SRVPEM_FILE"
  458. echo " control-key-file: $UNBOUND_CTLKEY_FILE"
  459. echo " control-cert-file: $UNBOUND_CTLPEM_FILE"
  460. echo
  461. } >> $UNBOUND_CONFFILE
  462. ;;
  463. esac
  464. {
  465. # Amend your own extended clauses here like forward zones or disable
  466. # above (local, no encryption) and amend your own remote encrypted control
  467. echo
  468. echo "include: $UNBOUND_EXT_CONF" >> $UNBOUND_CONFFILE
  469. echo
  470. } >> $UNBOUND_CONFFILE
  471. }
  472. ##############################################################################
  473. unbound_forward() {
  474. local fdomain fresolver resolvers
  475. # Forward selected domains to the upstream (WAN) stub resolver. This may be
  476. # faster or local pool addresses to ISP service login page. This may keep
  477. # internal organization lookups, well, internal to the organization.
  478. if [ -n "$UNBOUND_LIST_FORWARD" ] ; then
  479. resolvers=$( grep nameserver /tmp/resolv.conf.auto | sed "s/nameserver//g" )
  480. if [ -n "$resolvers" ] ; then
  481. for fdomain in $UNBOUND_LIST_FORWARD ; do
  482. {
  483. echo "forward-zone:"
  484. echo " name: $fdomain"
  485. for fresolver in $resolvers ; do
  486. echo " forward-addr: $fresolver"
  487. done
  488. echo
  489. } >> $UNBOUND_CONFFILE
  490. done
  491. fi
  492. fi
  493. }
  494. ##############################################################################
  495. unbound_auth_root() {
  496. local axfrservers="lax.xfr.dns.icann.org iad.xfr.dns.icann.org"
  497. local httpserver="http://www.internic.net/domain/"
  498. local authzones="root arpa in-addr.arpa ip6.arpa"
  499. local server zone realzone
  500. # Download or AXFR the root and arpa zones to reduce the work needed at
  501. # top level of recursion. If your users will hit many ccTLD or you have
  502. # tracking logs resolving many PTR, then this can speed things up.
  503. # Total size of text in TMPFS could be about 5MB.
  504. if [ "$UNBOUND_B_AUTH_ROOT" -gt 0 ] ; then
  505. for zone in $authzones ; do
  506. if [ "$zone" = "root" ] ; then
  507. realzone="."
  508. else
  509. realzone=$zone
  510. fi
  511. {
  512. echo "auth-zone:"
  513. echo " name: $realzone"
  514. for server in $axfrservers ; do
  515. echo " master: $server"
  516. done
  517. echo " url: $httpserver$zone.zone"
  518. echo " fallback-enabled: yes"
  519. echo " for-downstream: no"
  520. echo " for-upstream: yes"
  521. echo " zonefile: $zone.zone"
  522. echo
  523. } >> $UNBOUND_CONFFILE
  524. done
  525. fi
  526. }
  527. ##############################################################################
  528. unbound_conf() {
  529. local rt_mem rt_conn modulestring domain ifsubnet
  530. # Make fresh conf file
  531. echo > $UNBOUND_CONFFILE
  532. {
  533. # Make fresh conf file
  534. echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
  535. echo
  536. echo "server:"
  537. echo " username: unbound"
  538. echo " chroot: $UNBOUND_VARDIR"
  539. echo " directory: $UNBOUND_VARDIR"
  540. echo " pidfile: $UNBOUND_PIDFILE"
  541. echo
  542. # No threading
  543. echo " num-threads: 1"
  544. echo " msg-cache-slabs: 1"
  545. echo " rrset-cache-slabs: 1"
  546. echo " infra-cache-slabs: 1"
  547. echo " key-cache-slabs: 1"
  548. echo
  549. # Interface Wildcard (access contol handled by "option local_service")
  550. echo " interface: 0.0.0.0"
  551. echo " interface: ::0"
  552. echo " outgoing-interface: 0.0.0.0"
  553. echo " outgoing-interface: ::0"
  554. echo
  555. # Logging
  556. echo " use-syslog: yes"
  557. echo " verbosity: 1"
  558. echo " statistics-interval: 0"
  559. echo " statistics-cumulative: no"
  560. } >> $UNBOUND_CONFFILE
  561. if [ "$UNBOUND_B_EXT_STATS" -gt 0 ] ; then
  562. {
  563. # Log More
  564. echo " extended-statistics: yes"
  565. echo
  566. } >> $UNBOUND_CONFFILE
  567. else
  568. {
  569. # Log Less
  570. echo " extended-statistics: no"
  571. echo
  572. } >> $UNBOUND_CONFFILE
  573. fi
  574. case "$UNBOUND_D_PROTOCOL" in
  575. ip4_only)
  576. {
  577. echo " do-ip4: yes"
  578. echo " do-ip6: no"
  579. } >> $UNBOUND_CONFFILE
  580. ;;
  581. ip6_only)
  582. {
  583. echo " do-ip4: no"
  584. echo " do-ip6: yes"
  585. } >> $UNBOUND_CONFFILE
  586. ;;
  587. ip6_prefer)
  588. {
  589. echo " do-ip4: yes"
  590. echo " do-ip6: yes"
  591. echo " prefer-ip6: yes"
  592. } >> $UNBOUND_CONFFILE
  593. ;;
  594. mixed)
  595. {
  596. echo " do-ip4: yes"
  597. echo " do-ip6: yes"
  598. } >> $UNBOUND_CONFFILE
  599. ;;
  600. *)
  601. if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
  602. logger -t unbound -s "default protocol configuration"
  603. fi
  604. ;;
  605. esac
  606. {
  607. # protocol level tuning
  608. echo " edns-buffer-size: $UNBOUND_N_EDNS_SIZE"
  609. echo " msg-buffer-size: 8192"
  610. echo " port: $UNBOUND_N_RX_PORT"
  611. echo " outgoing-port-permit: 10240-65535"
  612. echo
  613. } >> $UNBOUND_CONFFILE
  614. {
  615. # Other harding and options for an embedded router
  616. echo " harden-short-bufsize: yes"
  617. echo " harden-large-queries: yes"
  618. echo " harden-glue: yes"
  619. echo " harden-below-nxdomain: no"
  620. echo " harden-referral-path: no"
  621. echo " use-caps-for-id: no"
  622. echo
  623. } >> $UNBOUND_CONFFILE
  624. if [ -f "$UNBOUND_HINTFILE" ] ; then
  625. # Optional hints if found
  626. echo " root-hints: $UNBOUND_HINTFILE" >> $UNBOUND_CONFFILE
  627. fi
  628. if [ "$UNBOUND_B_DNSSEC" -gt 0 -a -f "$UNBOUND_KEYFILE" ] ; then
  629. {
  630. echo " auto-trust-anchor-file: $UNBOUND_KEYFILE"
  631. echo
  632. } >> $UNBOUND_CONFFILE
  633. else
  634. echo >> $UNBOUND_CONFFILE
  635. fi
  636. case "$UNBOUND_D_RESOURCE" in
  637. # Tiny - Unbound's recommended cheap hardware config
  638. tiny) rt_mem=1 ; rt_conn=1 ;;
  639. # Small - Half RRCACHE and open ports
  640. small) rt_mem=8 ; rt_conn=5 ;;
  641. # Medium - Nearly default but with some added balancintg
  642. medium) rt_mem=16 ; rt_conn=10 ;;
  643. # Large - Double medium
  644. large) rt_mem=32 ; rt_conn=10 ;;
  645. # Whatever unbound does
  646. *) rt_mem=0 ; rt_conn=0 ;;
  647. esac
  648. if [ "$rt_mem" -gt 0 ] ; then
  649. {
  650. # Set memory sizing parameters
  651. echo " outgoing-range: $(($rt_conn*64))"
  652. echo " num-queries-per-thread: $(($rt_conn*32))"
  653. echo " outgoing-num-tcp: $(($rt_conn))"
  654. echo " incoming-num-tcp: $(($rt_conn))"
  655. echo " rrset-cache-size: $(($rt_mem*256))k"
  656. echo " msg-cache-size: $(($rt_mem*128))k"
  657. echo " key-cache-size: $(($rt_mem*128))k"
  658. echo " neg-cache-size: $(($rt_mem*64))k"
  659. echo " infra-cache-numhosts: $(($rt_mem*256))"
  660. echo
  661. } >> $UNBOUND_CONFFILE
  662. elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
  663. logger -t unbound -s "default memory configuration"
  664. fi
  665. # Assembly of module-config: options is tricky; order matters
  666. modulestring="iterator"
  667. if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
  668. if [ ! -f "$UNBOUND_TIMEFILE" -a "$UNBOUND_B_NTP_BOOT" -gt 0 ] ; then
  669. # DNSSEC chicken and egg with getting NTP time
  670. echo " val-override-date: -1" >> $UNBOUND_CONFFILE
  671. fi
  672. {
  673. echo " harden-dnssec-stripped: yes"
  674. echo " val-clean-additional: yes"
  675. echo " ignore-cd-flag: yes"
  676. } >> $UNBOUND_CONFFILE
  677. modulestring="validator $modulestring"
  678. fi
  679. if [ "$UNBOUND_B_DNS64" -gt 0 ] ; then
  680. echo " dns64-prefix: $UNBOUND_IP_DNS64" >> $UNBOUND_CONFFILE
  681. modulestring="dns64 $modulestring"
  682. fi
  683. {
  684. # Print final module string
  685. echo " module-config: \"$modulestring\""
  686. echo
  687. } >> $UNBOUND_CONFFILE
  688. case "$UNBOUND_D_RECURSION" in
  689. passive)
  690. {
  691. # Some query privacy but "strict" will break some servers
  692. if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
  693. -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
  694. echo " qname-minimisation: yes"
  695. echo " qname-minimisation-strict: yes"
  696. elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
  697. echo " qname-minimisation: yes"
  698. else
  699. echo " qname-minimisation: no"
  700. fi
  701. # Use DNSSEC to quickly understand NXDOMAIN ranges
  702. if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
  703. echo " aggressive-nsec: yes"
  704. echo " prefetch-key: no"
  705. fi
  706. # On demand fetching
  707. echo " prefetch: no"
  708. echo " target-fetch-policy: \"0 0 0 0 0\""
  709. echo
  710. } >> $UNBOUND_CONFFILE
  711. ;;
  712. aggressive)
  713. {
  714. # Some query privacy but "strict" will break some servers
  715. if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
  716. -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
  717. echo " qname-minimisation: yes"
  718. echo " qname-minimisation-strict: yes"
  719. elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
  720. echo " qname-minimisation: yes"
  721. else
  722. echo " qname-minimisation: no"
  723. fi
  724. # Use DNSSEC to quickly understand NXDOMAIN ranges
  725. if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
  726. echo " aggressive-nsec: yes"
  727. echo " prefetch-key: yes"
  728. fi
  729. # Prefetch what can be
  730. echo " prefetch: yes"
  731. echo " target-fetch-policy: \"3 2 1 0 0\""
  732. echo
  733. } >> $UNBOUND_CONFFILE
  734. ;;
  735. *)
  736. if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
  737. logger -t unbound -s "default recursion configuration"
  738. fi
  739. ;;
  740. esac
  741. {
  742. # Reload records more than 10 hours old
  743. # DNSSEC 5 minute bogus cool down before retry
  744. # Adaptive infrastructure info kept for 15 minutes
  745. echo " cache-min-ttl: $UNBOUND_TTL_MIN"
  746. echo " cache-max-ttl: 36000"
  747. echo " val-bogus-ttl: 300"
  748. echo " infra-host-ttl: 900"
  749. echo
  750. } >> $UNBOUND_CONFFILE
  751. if [ "$UNBOUND_B_HIDE_BIND" -gt 0 ] ; then
  752. {
  753. # Block server id and version DNS TXT records
  754. echo " hide-identity: yes"
  755. echo " hide-version: yes"
  756. echo
  757. } >> $UNBOUND_CONFFILE
  758. fi
  759. if [ "$UNBOUND_D_PRIV_BLCK" -gt 0 ] ; then
  760. {
  761. # Remove _upstream_ or global reponses with private addresses.
  762. # Unbounds own "local zone" and "forward zone" may still use these.
  763. # RFC1918, RFC3927, RFC4291, RFC6598, RFC6890
  764. echo " private-address: 10.0.0.0/8"
  765. echo " private-address: 100.64.0.0/10"
  766. echo " private-address: 169.254.0.0/16"
  767. echo " private-address: 172.16.0.0/12"
  768. echo " private-address: 192.168.0.0/16"
  769. echo " private-address: fc00::/7"
  770. echo " private-address: fe80::/10"
  771. echo
  772. } >> $UNBOUND_CONFFILE
  773. fi
  774. if [ -n "$UNBOUND_LIST_PRV_IP6GLA" -a "$UNBOUND_D_PRIV_BLCK" -gt 1 ] ; then
  775. for ifsubnet in $UNBOUND_LIST_PRV_IP6GLA ; do
  776. # Remove global DNS responses with your local network IP6 GLA
  777. echo " private-address: $ifsubnet" >> $UNBOUND_CONFFILE
  778. done
  779. echo >> $UNBOUND_CONFFILE
  780. fi
  781. if [ "$UNBOUND_B_LOCL_BLCK" -gt 0 ] ; then
  782. {
  783. # Remove DNS reponses from upstream with loopback IP
  784. # Black hole DNS method for ad blocking, so consider...
  785. echo " private-address: 127.0.0.0/8"
  786. echo " private-address: ::1/128"
  787. echo
  788. } >> $UNBOUND_CONFFILE
  789. fi
  790. if [ -n "$UNBOUND_LIST_INSECURE" ] ; then
  791. for domain in $UNBOUND_LIST_INSECURE ; do
  792. # Except and accept domains without (DNSSEC); work around broken domains
  793. echo " domain-insecure: $domain" >> $UNBOUND_CONFFILE
  794. done
  795. echo >> $UNBOUND_CONFFILE
  796. fi
  797. }
  798. ##############################################################################
  799. unbound_access() {
  800. # TODO: Unbound 1.6.0 added "tags" and "views", so we can add tags to
  801. # each access-control IP block, and then divert access.
  802. # -- "guest" WIFI will not be allowed to see local zone data
  803. # -- "child" LAN can black whole a list of domains to http~deadpixel
  804. if [ "$UNBOUND_B_LOCL_SERV" -gt 0 ] ; then
  805. # Only respond to queries from which this device has an interface.
  806. # Prevent DNS amplification attacks by not responding to the universe.
  807. config_load network
  808. config_foreach create_access_control interface
  809. {
  810. echo " access-control: 127.0.0.0/8 allow"
  811. echo " access-control: ::1/128 allow"
  812. echo " access-control: fe80::/10 allow"
  813. echo
  814. } >> $UNBOUND_CONFFILE
  815. else
  816. {
  817. echo " access-control: 0.0.0.0/0 allow"
  818. echo " access-control: ::0/0 allow"
  819. echo
  820. } >> $UNBOUND_CONFFILE
  821. fi
  822. {
  823. # Amend your own "server:" stuff here
  824. echo " include: $UNBOUND_SRV_CONF"
  825. echo
  826. } >> $UNBOUND_CONFFILE
  827. }
  828. ##############################################################################
  829. unbound_adblock() {
  830. # TODO: Unbound 1.6.0 added "tags" and "views"; lets work with adblock team
  831. local adb_enabled adb_file
  832. if [ ! -x /usr/bin/adblock.sh -o ! -x /etc/init.d/adblock ] ; then
  833. adb_enabled=0
  834. else
  835. /etc/init.d/adblock enabled && adb_enabled=1 || adb_enabled=0
  836. fi
  837. if [ "$adb_enabled" -gt 0 ] ; then
  838. {
  839. # Pull in your selected openwrt/pacakges/net/adblock generated lists
  840. for adb_file in $UNBOUND_VARDIR/adb_list.* ; do
  841. echo " include: $adb_file"
  842. done
  843. echo
  844. } >> $UNBOUND_CONFFILE
  845. fi
  846. }
  847. ##############################################################################
  848. unbound_hostname() {
  849. local ifsubnet ifarpa
  850. if [ -n "$UNBOUND_TXT_DOMAIN" ] ; then
  851. {
  852. # Hostname as TLD works, but not transparent through recursion
  853. echo " domain-insecure: $UNBOUND_TXT_HOSTNAME"
  854. echo " private-domain: $UNBOUND_TXT_HOSTNAME"
  855. echo " local-zone: $UNBOUND_TXT_HOSTNAME static"
  856. echo " local-data: \"$UNBOUND_TXT_HOSTNAME. $UNBOUND_XSOA\""
  857. echo " local-data: \"$UNBOUND_TXT_HOSTNAME. $UNBOUND_XNS\""
  858. echo
  859. } >> $UNBOUND_CONFFILE
  860. case "$UNBOUND_D_DOMAIN_TYPE" in
  861. deny|inform_deny|refuse|static)
  862. if [ -n "$UNBOUND_LIST_PRV_IP6GLA" \
  863. -a "$UNBOUND_D_PRIV_BLCK" -gt 1 ] ; then
  864. for ifsubnet in $UNBOUND_LIST_PRV_IP6GLA ; do
  865. ifarpa=$( domain_ptr_any "$ifsubnet" )
  866. if [ -n "$ifarpa" ] ; then
  867. {
  868. # Do NOT forward queries with your GLA ip6.arpa
  869. echo " domain-insecure: $ifarpa"
  870. echo " local-zone: $ifarpa $UNBOUND_D_DOMAIN_TYPE"
  871. echo " local-data: \"$ifarpa. $UNBOUND_XSOA\""
  872. echo " local-data: \"$ifarpa. $UNBOUND_XNS\""
  873. echo
  874. } >> $UNBOUND_CONFFILE
  875. fi
  876. done
  877. fi
  878. if [ -n "$UNBOUND_LIST_LAN_NET" \
  879. -a "$UNBOUND_D_PRIV_BLCK" -gt 0 ] ; then
  880. for ifsubnet in $UNBOUND_LIST_LAN_NET ; do
  881. ifarpa=$( domain_ptr_any "$ifsubnet" )
  882. if [ -n "$ifarpa" ] ; then
  883. {
  884. # Do NOT forward queries with your ULA ip6.arpa or in-addr.arpa
  885. echo " domain-insecure: $ifarpa"
  886. echo " local-zone: $ifarpa $UNBOUND_D_DOMAIN_TYPE"
  887. echo " local-data: \"$ifarpa. $UNBOUND_XSOA\""
  888. echo " local-data: \"$ifarpa. $UNBOUND_XNS\""
  889. echo
  890. } >> $UNBOUND_CONFFILE
  891. fi
  892. done
  893. fi
  894. {
  895. # avoid upstream involvement in RFC6762
  896. echo " domain-insecure: local"
  897. echo " private-domain: local"
  898. echo " local-zone: local $UNBOUND_D_DOMAIN_TYPE"
  899. echo " local-data: \"local. $UNBOUND_XSOA\""
  900. echo " local-data: \"local. $UNBOUND_XNS\""
  901. echo " local-data: \"local. 3600 IN TXT RFC6762\""
  902. echo
  903. # type static means only this router has your domain
  904. # type transparent will permit forward-zone: or stub-zone: clauses
  905. echo " domain-insecure: $UNBOUND_TXT_DOMAIN"
  906. echo " private-domain: $UNBOUND_TXT_DOMAIN"
  907. echo " local-zone: $UNBOUND_TXT_DOMAIN $UNBOUND_D_DOMAIN_TYPE"
  908. echo " local-data: \"$UNBOUND_TXT_DOMAIN. $UNBOUND_XSOA\""
  909. echo " local-data: \"$UNBOUND_TXT_DOMAIN. $UNBOUND_XNS\""
  910. echo
  911. } >> $UNBOUND_CONFFILE
  912. ;;
  913. *)
  914. # likely transparent domain with fordward-zone: clause to next router
  915. echo " domain-insecure: $UNBOUND_TXT_DOMAIN"
  916. echo " private-domain: $UNBOUND_TXT_DOMAIN"
  917. echo " local-zone: $UNBOUND_TXT_DOMAIN $UNBOUND_D_DOMAIN_TYPE"
  918. echo
  919. ;;
  920. esac
  921. if [ "$UNBOUND_D_LAN_FQDN" -gt 0 -o "$UNBOUND_D_WAN_FQDN" -gt 0 ] ; then
  922. config_load dhcp
  923. config_foreach create_interface_dns dhcp
  924. fi
  925. if [ -f "$UNBOUND_DHCP_CONF" ] ; then
  926. {
  927. # Seed DHCP records because dhcp scripts trigger externally
  928. # Incremental Unbound restarts may drop unbound-control add records
  929. echo " include: $UNBOUND_DHCP_CONF"
  930. echo
  931. } >> $UNBOUND_CONFFILE
  932. fi
  933. fi
  934. }
  935. ##############################################################################
  936. unbound_records() {
  937. if [ "$UNBOUND_D_EXTRA_DNS" -gt 0 ] ; then
  938. # Parasite from the uci.dhcp.domain clauses
  939. config_load dhcp
  940. config_foreach create_host_record domain
  941. fi
  942. if [ "$UNBOUND_D_EXTRA_DNS" -gt 1 ] ; then
  943. config_foreach create_srv_record srvhost
  944. config_foreach create_mx_record mxhost
  945. fi
  946. if [ "$UNBOUND_D_EXTRA_DNS" -gt 2 ] ; then
  947. config_foreach create_cname_record cname
  948. fi
  949. echo >> $UNBOUND_CONFFILE
  950. }
  951. ##############################################################################
  952. unbound_uci() {
  953. local cfg="$1"
  954. local dnsmasqpath hostnm
  955. hostnm=$( uci_get system.@system[0].hostname | awk '{print tolower($0)}' )
  956. UNBOUND_TXT_HOSTNAME=${hostnm:-thisrouter}
  957. config_get_bool UNBOUND_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0
  958. config_get_bool UNBOUND_B_DNS64 "$cfg" dns64 0
  959. config_get_bool UNBOUND_B_EXT_STATS "$cfg" extended_stats 0
  960. config_get_bool UNBOUND_B_HIDE_BIND "$cfg" hide_binddata 1
  961. config_get_bool UNBOUND_B_LOCL_SERV "$cfg" localservice 1
  962. config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0
  963. config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0
  964. config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0
  965. config_get_bool UNBOUND_B_AUTH_ROOT "$cfg" prefetch_root 0
  966. config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
  967. config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
  968. config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
  969. config_get UNBOUND_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96"
  970. config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280
  971. config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53
  972. config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9
  973. config_get UNBOUND_D_CONTROL "$cfg" unbound_control 0
  974. config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static
  975. config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none
  976. config_get UNBOUND_D_EXTRA_DNS "$cfg" add_extra_dns 0
  977. config_get UNBOUND_D_LAN_FQDN "$cfg" add_local_fqdn 0
  978. config_get UNBOUND_D_PRIV_BLCK "$cfg" rebind_protection 1
  979. config_get UNBOUND_D_PROTOCOL "$cfg" protocol mixed
  980. config_get UNBOUND_D_RECURSION "$cfg" recursion passive
  981. config_get UNBOUND_D_RESOURCE "$cfg" resource small
  982. config_get UNBOUND_D_WAN_FQDN "$cfg" add_wan_fqdn 0
  983. config_get UNBOUND_TTL_MIN "$cfg" ttl_min 120
  984. config_get UNBOUND_TXT_DOMAIN "$cfg" domain lan
  985. config_list_foreach "$cfg" "domain_forward" bundle_domain_forward
  986. config_list_foreach "$cfg" "domain_insecure" bundle_domain_insecure
  987. config_list_foreach "$cfg" "rebind_interface" bundle_private_interface
  988. UNBOUND_LIST_DOMAINS="nowhere $UNBOUND_TXT_DOMAIN"
  989. if [ "$UNBOUND_D_DHCP_LINK" = "none" ] ; then
  990. config_get_bool UNBOUND_B_DNSMASQ "$cfg" dnsmasq_link_dns 0
  991. if [ "$UNBOUND_B_DNSMASQ" -gt 0 ] ; then
  992. UNBOUND_D_DHCP_LINK=dnsmasq
  993. if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
  994. logger -t unbound -s "Please use 'dhcp_link' selector instead"
  995. fi
  996. fi
  997. fi
  998. if [ "$UNBOUND_D_DHCP_LINK" = "dnsmasq" ] ; then
  999. if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then
  1000. UNBOUND_D_DHCP_LINK=none
  1001. else
  1002. /etc/init.d/dnsmasq enabled || UNBOUND_D_DHCP_LINK=none
  1003. fi
  1004. if [ "$UNBOUND_D_DHCP_LINK" = "none" -a ! -f "$UNBOUND_TIMEFILE" ] ; then
  1005. logger -t unbound -s "cannot forward to dnsmasq"
  1006. fi
  1007. fi
  1008. if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" ] ; then
  1009. if [ ! -x /usr/sbin/odhcpd -o ! -x /etc/init.d/odhcpd ] ; then
  1010. UNBOUND_D_DHCP_LINK=none
  1011. else
  1012. /etc/init.d/odhcpd enabled || UNBOUND_D_DHCP_LINK=none
  1013. fi
  1014. if [ "$UNBOUND_D_DHCP_LINK" = "none" -a ! -f "$UNBOUND_TIMEFILE" ] ; then
  1015. logger -t unbound -s "cannot receive records from odhcpd"
  1016. fi
  1017. fi
  1018. if [ "$UNBOUND_N_EDNS_SIZE" -lt 512 \
  1019. -o 4096 -lt "$UNBOUND_N_EDNS_SIZE" ] ; then
  1020. logger -t unbound -s "edns_size exceeds range, using default"
  1021. UNBOUND_N_EDNS_SIZE=1280
  1022. fi
  1023. if [ "$UNBOUND_N_RX_PORT" -ne 53 ] \
  1024. && [ "$UNBOUND_N_RX_PORT" -lt 1024 -o 10240 -lt "$UNBOUND_N_RX_PORT" ] ; then
  1025. logger -t unbound -s "privileged port or in 5 digits, using default"
  1026. UNBOUND_N_RX_PORT=53
  1027. fi
  1028. if [ "$UNBOUND_TTL_MIN" -gt 1800 ] ; then
  1029. logger -t unbound -s "ttl_min could have had awful side effects, using 300"
  1030. UNBOUND_TTL_MIN=300
  1031. fi
  1032. }
  1033. ##############################################################################
  1034. unbound_resolv_setup() {
  1035. if [ "$UNBOUND_N_RX_PORT" != "53" ] ; then
  1036. return
  1037. fi
  1038. if [ -x /etc/init.d/dnsmasq ] && /etc/init.d/dnsmasq enabled \
  1039. && nslookup localhost 127.0.0.1#53 >/dev/null 2>&1 ; then
  1040. # unbound is configured for port 53, but dnsmasq is enabled and a resolver
  1041. # listens on localhost:53, lets assume dnsmasq manages the resolver file.
  1042. # TODO:
  1043. # really check if dnsmasq runs a local (main) resolver in stead of using
  1044. # nslookup that times out when no resolver listens on localhost:53.
  1045. return
  1046. fi
  1047. # unbound is designated to listen on 127.0.0.1#53,
  1048. # set resolver file to local.
  1049. rm -f /tmp/resolv.conf
  1050. {
  1051. echo "# /tmp/resolv.conf generated by Unbound UCI $( date )"
  1052. echo "nameserver 127.0.0.1"
  1053. echo "nameserver ::1"
  1054. echo "search $UNBOUND_TXT_DOMAIN."
  1055. } > /tmp/resolv.conf
  1056. }
  1057. ##############################################################################
  1058. unbound_resolv_teardown() {
  1059. case $( cat /tmp/resolv.conf ) in
  1060. *"generated by Unbound UCI"*)
  1061. # our resolver file, reset to auto resolver file.
  1062. rm -f /tmp/resolv.conf
  1063. ln -s /tmp/resolv.conf.auto /tmp/resolv.conf
  1064. ;;
  1065. esac
  1066. }
  1067. ##############################################################################
  1068. unbound_start() {
  1069. config_load unbound
  1070. config_foreach unbound_uci unbound
  1071. unbound_mkdir
  1072. if [ "$UNBOUND_B_MAN_CONF" -eq 0 ] ; then
  1073. unbound_conf
  1074. unbound_access
  1075. unbound_adblock
  1076. if [ "$UNBOUND_D_DHCP_LINK" = "dnsmasq" ] ; then
  1077. dnsmasq_link
  1078. else
  1079. unbound_hostname
  1080. unbound_records
  1081. fi
  1082. unbound_forward
  1083. unbound_auth_root
  1084. unbound_control
  1085. fi
  1086. unbound_resolv_setup
  1087. }
  1088. ##############################################################################
  1089. unbound_stop() {
  1090. unbound_resolv_teardown
  1091. rootzone_update
  1092. }
  1093. ##############################################################################