

  1. #!/bin/sh
  2. ##############################################################################
  3. #
  4. # This program is free software; you can redistribute it and/or modify
  5. # it under the terms of the GNU General Public License version 2 as
  6. # published by the Free Software Foundation.
  7. #
  8. # This program is distributed in the hope that it will be useful,
  9. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  10. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  11. # GNU General Public License for more details.
  12. #
  13. # Copyright (C) 2016 Eric Luehrsen
  14. #
  15. ##############################################################################
  16. #
  17. # Unbound is a full featured recursive server with many options. The UCI
  18. # provided tries to simplify and bundle options. This should make Unbound
  19. # easier to deploy. Even light duty routers may resolve recursively instead of
  20. # depending on a stub with the ISP. The UCI also attempts to replicate dnsmasq
  21. # features as used in base LEDE/OpenWrt. If there is a desire for more
  22. # detailed tuning, then manual conf file overrides are also made available.
  23. #
  24. ##############################################################################
  25. # while useful (sh)ellcheck is pedantic and noisy
  26. # shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
  27. UB_B_AUTH_ROOT=0
  28. UB_B_DNS_ASSIST=0
  29. UB_B_DNSSEC=0
  30. UB_B_DNS64=0
  31. UB_B_EXT_STATS=0
  32. UB_B_GATE_NAME=0
  33. UB_B_HIDE_BIND=1
  34. UB_B_IF_AUTO=1
  35. UB_B_LOCL_BLCK=0
  36. UB_B_LOCL_SERV=1
  37. UB_B_MAN_CONF=0
  38. UB_B_NTP_BOOT=1
  39. UB_B_QUERY_MIN=0
  40. UB_B_QRY_MINST=0
  41. UB_B_SLAAC6_MAC=0
  42. UB_D_CONTROL=0
  43. UB_D_DOMAIN_TYPE=static
  44. UB_D_DHCP_LINK=none
  45. UB_D_EXTRA_DNS=0
  46. UB_D_LAN_FQDN=0
  47. UB_D_PRIV_BLCK=1
  48. UB_D_PROTOCOL=mixed
  49. UB_D_RESOURCE=small
  50. UB_D_RECURSION=passive
  51. UB_D_VERBOSE=1
  52. UB_D_WAN_FQDN=0
  53. UB_IP_DNS64="64:ff9b::/96"
  54. UB_N_EDNS_SIZE=1232
  55. UB_N_RX_PORT=53
  56. UB_N_ROOT_AGE=9
  57. UB_N_THREADS=1
  58. UB_N_RATE_LMT=0
  59. UB_TTL_MIN=120
  60. UB_TXT_DOMAIN=lan
  61. UB_TXT_HOSTNAME=thisrouter
  62. ##############################################################################
  63. # reset as a combo with UB_B_NTP_BOOT and some time stamp files
  64. UB_B_READY=1
  65. # keep track of assignments during inserted resource records
  66. UB_LIST_NETW_ALL=""
  67. UB_LIST_NETW_LAN=""
  68. UB_LIST_NETW_WAN=""
  69. UB_LIST_INSECURE=""
  70. UB_LIST_ZONE_SERVERS=""
  71. UB_LIST_ZONE_NAMES=""
  72. ##############################################################################
  73. . /lib/functions.sh
  74. . /lib/functions/network.sh
  75. . /usr/lib/unbound/defaults.sh
  76. . /usr/lib/unbound/dnsmasq.sh
  77. . /usr/lib/unbound/iptools.sh
  78. ##############################################################################
bundle_all_networks() {
  # config_foreach callback for a network interface section "$1".
  # Appends one "<device>@<subnet>" token per IPv4/IPv6 subnet of that
  # interface to UB_LIST_NETW_ALL.  Dots in the device name are turned into
  # dashes so the token can be split on "@" later.  A subnet is only kept when
  # valid_subnet_any() answers "ok".
  local cfg="$1"
  local dev devtag subnet v4 v6 verdict
  network_get_subnets v4 "$cfg"
  network_get_subnets6 v6 "$cfg"
  network_get_device dev "$cfg"
  devtag="${dev//./-}"
  for subnet in $v4 $v6 ; do
    verdict=$( valid_subnet_any $subnet )
    [ "$verdict" = "ok" ] || continue
    UB_LIST_NETW_ALL="$UB_LIST_NETW_ALL $devtag@$subnet"
  done
}
  97. ##############################################################################
bundle_dhcp_networks() {
  # config_foreach callback for a UCI "dhcp" section "$1".
  # Unless the section is marked ignore, every UB_LIST_NETW_ALL token that
  # belongs to the section's interface device is copied into
  # UB_LIST_NETW_LAN, i.e. it becomes a subnet that unbound_conf() will
  # allow in access-control and (optionally) shield as private-address.
  local cfg="$1"
  local ignore interface dev devtag token
  config_get_bool ignore "$cfg" ignore 0
  config_get interface "$cfg" interface ""
  network_get_device dev "$interface"
  devtag="${dev//./-}"
  [ $ignore -eq 0 ] || return 0
  [ -n "$devtag" ] || return 0
  for token in $UB_LIST_NETW_ALL ; do
    case $token in
      "${devtag}"@*)
        UB_LIST_NETW_LAN="$UB_LIST_NETW_LAN $token"
        ;;
    esac
  done
}
  117. ##############################################################################
bundle_lan_networks() {
  # config_list_foreach callback: interface name "$1" is to be treated as
  # LAN.  Every UB_LIST_NETW_ALL token for its device is appended to
  # UB_LIST_NETW_LAN (served subnets; see access-control in unbound_conf()).
  local interface="$1"
  local dev devtag token
  network_get_device dev "$interface"
  devtag="${dev//./-}"
  [ -n "$devtag" ] || return 0
  for token in $UB_LIST_NETW_ALL ; do
    case $token in
      "${devtag}"@*)
        UB_LIST_NETW_LAN="$UB_LIST_NETW_LAN $token"
        ;;
    esac
  done
}
  134. ##############################################################################
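bundle_wan_networks() {
  # config_list_foreach callback: interface name "$1" is to be treated as
  # WAN.  Every UB_LIST_NETW_ALL token for its device that is NOT already a
  # LAN token is appended to UB_LIST_NETW_WAN.
  # Fix: the LAN membership test used to be a bare substring match
  # (*"$ifsubnet"*), so a WAN token whose text is a prefix of a LAN token
  # was silently dropped.  The list is now padded with spaces and matched as
  # a whole token.
  local interface="$1"
  local ifsubnet ifname ifdashname
  network_get_device ifname "$interface"
  ifdashname="${ifname//./-}"
  if [ -n "$ifdashname" ] && [ -n "$UB_LIST_NETW_ALL" ] ; then
    for ifsubnet in $UB_LIST_NETW_ALL ; do
      case " $UB_LIST_NETW_LAN " in
        *" ${ifsubnet} "*)
          # If LAN, then not WAN ... scripts might become complex
          ;;
        *)
          case $ifsubnet in
            "${ifdashname}"@*)
              UB_LIST_NETW_WAN="$UB_LIST_NETW_WAN $ifsubnet"
              ;;
          esac
          ;;
      esac
    done
  fi
}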
  158. ##############################################################################
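bundle_resolv_conf_servers() {
  # Append the nameserver addresses found in $UB_RESOLV_AUTO (the
  # resolv.conf netifd writes from DHCP/PPP) to UB_LIST_ZONE_SERVERS.
  # Only lines whose first field is literally "nameserver" count: the old
  # /nameserver/ regex also matched commented-out lines ("# nameserver ...")
  # and would have added the word "nameserver" as a forwarder.  A missing
  # file contributes nothing.
  # NOTE(review): these upstreams are handed to us by the WAN side and are
  # not authenticated here; unbound_zone() still filters them with
  # valid_subnet_any() before they become forward-addr entries.
  local resolvers=""
  if [ -f "$UB_RESOLV_AUTO" ] ; then
    resolvers=$( awk '$1 == "nameserver" { print $2 }' "$UB_RESOLV_AUTO" )
  fi
  UB_LIST_ZONE_SERVERS="$UB_LIST_ZONE_SERVERS $resolvers"
}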
  163. ##############################################################################
bundle_zone_names() {
  # config_list_foreach callback: append one UCI "zone_name" entry ($1)
  # to the accumulator unbound_zone() drains.
  UB_LIST_ZONE_NAMES="${UB_LIST_ZONE_NAMES} ${1}"
}
  167. ##############################################################################
bundle_zone_servers() {
  # config_list_foreach callback: append one UCI "server" entry ($1)
  # (address, "addr@port" or "addr@port#authname") to the accumulator.
  UB_LIST_ZONE_SERVERS="${UB_LIST_ZONE_SERVERS} ${1}"
}
  171. ##############################################################################
bundle_domain_insecure() {
  # config_list_foreach callback: append one domain ($1) that will be
  # emitted as "domain-insecure:", i.e. excluded from DNSSEC validation.
  UB_LIST_INSECURE="${UB_LIST_INSECURE} ${1}"
}
  175. ##############################################################################
unbound_mkdir() {
  # Prepare the chroot / working directory $UB_VARDIR before Unbound starts:
  # blind-copy config and root data from $UB_ETCDIR, obtain root hints and a
  # DNSSEC trust anchor when missing, carry an RFC 5011 managed root.key
  # across the copy, generate remote-control keys on demand, and decide
  # whether the clock can be trusted (sets UB_B_READY / UB_B_NTP_BOOT).
  # Runs as root; everything under $UB_VARDIR is then handed to user unbound.
  local filestuff
  if [ "$UB_D_DHCP_LINK" = "odhcpd" ] ; then
    local dhcp_origin=$( uci_get dhcp.@odhcpd[0].leasefile )
    local dhcp_dir=$( dirname $dhcp_origin )
    if [ ! -d "$dhcp_dir" ] ; then
      # make sure odhcpd has a directory to write (not done itself, yet)
      mkdir -p "$dhcp_dir"
    fi
  fi
  if [ -f $UB_RKEY_FILE ] ; then
    filestuff=$( cat $UB_RKEY_FILE )
    case "$filestuff" in
      *"state=2 [ VALID ]"*)
        # Lets not lose RFC 5011 tracking if we don't have to: a root.key
        # that Unbound has already marked VALID is saved before the copy
        # from $UB_ETCDIR overwrites it, and restored below if newer.
        cp -p $UB_RKEY_FILE $UB_RKEY_FILE.keep
        ;;
    esac
  fi
  # Blind copy /etc/unbound to /var/lib/unbound
  mkdir -p $UB_VARDIR
  rm -f $UB_VARDIR/dhcp_*
  touch $UB_TOTAL_CONF
  cp -p $UB_ETCDIR/*.conf $UB_VARDIR/
  cp -p $UB_ETCDIR/root.* $UB_VARDIR/
  if [ ! -f $UB_RHINT_FILE ] ; then
    if [ -f /usr/share/dns/root.hints ] ; then
      # Debian-like package dns-root-data
      cp -p /usr/share/dns/root.hints $UB_RHINT_FILE
    elif [ $UB_B_READY -eq 0 ] ; then
      logger -t unbound -s "default root hints (built in root-servers.net)"
    fi
  fi
  if [ ! -f $UB_RKEY_FILE ] ; then
    if [ -f /usr/share/dns/root.key ] ; then
      # Debian-like package dns-root-data
      cp -p /usr/share/dns/root.key $UB_RKEY_FILE
    elif [ -x $UB_ANCHOR ] ; then
      # unbound-anchor writes its compiled-in root DS as the initial anchor;
      # RFC 5011 rollover is then tracked by Unbound itself in this file.
      $UB_ANCHOR -a $UB_RKEY_FILE
    elif [ $UB_B_READY -eq 0 ] ; then
      logger -t unbound -s "default trust anchor (built in root DS record)"
    fi
  fi
  if [ -f $UB_RKEY_FILE.keep ] ; then
    # root.key.keep is reused if newest
    cp -u $UB_RKEY_FILE.keep $UB_RKEY_FILE
    rm -f $UB_RKEY_FILE.keep
  fi
  # Ensure access and prepare to jail.  Everything in the chroot becomes
  # owned by unbound and world-readable (644); root.key must stay writable
  # by unbound for RFC 5011 updates.  Do not place secrets in $UB_ETCDIR/*.conf.
  chown -R unbound:unbound $UB_VARDIR
  chmod 755 $UB_VARDIR
  chmod 644 $UB_VARDIR/*
  if [ -x /usr/sbin/unbound-control-setup ] ; then
    if [ ! -f $UB_CTLKEY_FILE ] || [ ! -f $UB_CTLPEM_FILE ] \
    || [ ! -f $UB_SRVKEY_FILE ] || [ ! -f $UB_SRVPEM_FILE ] ; then
      case "$UB_D_CONTROL" in
        [2-3])
          # unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static"
          # Keys land in $UB_ETCDIR (outside the chroot) and are kept 640
          # unbound:unbound: the control key is what authenticates a client.
          /usr/sbin/unbound-control-setup -d $UB_ETCDIR
          chown -R unbound:unbound $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
            $UB_SRVKEY_FILE $UB_SRVPEM_FILE
          chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
            $UB_SRVKEY_FILE $UB_SRVPEM_FILE
          ;;
      esac
    fi
  fi
  if [ -f "$UB_TIME_FILE" ] ; then
    # NTP is done so its like you actually had an RTC
    UB_B_READY=1
    UB_B_NTP_BOOT=0
  elif [ $UB_B_NTP_BOOT -eq 0 ] ; then
    # time is considered okay on this device (ignore /etc/hotplug/ntpd/unbound)
    date -Is > $UB_TIME_FILE
    UB_B_READY=0
    UB_B_NTP_BOOT=0
  else
    # DNSSEC-TIME will not reconcile: unbound_conf() will emit
    # val-override-date -1 (signature validity dates ignored) until the NTP
    # hotplug creates $UB_TIME_FILE and the service is restarted.
    UB_B_READY=0
    UB_B_NTP_BOOT=1
  fi
}
  258. ##############################################################################
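unbound_control() {
  # Write the remote-control: section to $UB_CTRL_CONF from UB_D_CONTROL:
  #   0  disabled
  #   1  localhost, no certificates (any local process can drive Unbound)
  #   2  localhost, TLS with the key/pem files
  #   3  all interfaces, TLS, keys generated by unbound_mkdir() if missing
  #   4  all interfaces, TLS, keys must already exist ("static")
  # Modes 2-4 are downgraded to 0 when any of the four key/pem files is
  # missing; that downgrade is now logged instead of being silent.
  echo "# $UB_CTRL_CONF generated by UCI $( date -Is )" > $UB_CTRL_CONF
  if [ $UB_D_CONTROL -gt 1 ] ; then
    if [ ! -f $UB_CTLKEY_FILE ] || [ ! -f $UB_CTLPEM_FILE ] \
    || [ ! -f $UB_SRVKEY_FILE ] || [ ! -f $UB_SRVPEM_FILE ] ; then
      # Key files need to be present; if unbound-control-setup was found, then
      # they might have been made during unbound_mkdir() above.
      logger -p 4 -t unbound -s \
        "remote control mode $UB_D_CONTROL needs key/pem files in $UB_ETCDIR; disabling remote control"
      UB_D_CONTROL=0
    fi
  fi
  case "$UB_D_CONTROL" in
    1)
      {
        # Local Host Only Unencrypted Remote Control
        # No authentication at all: every local user reaching 127.0.0.1:8953
        # can flush caches, reload, or inject local_data (DNS hijack of the
        # LAN).  Only use on a router with no untrusted local accounts.
        echo "remote-control:"
        echo " control-enable: yes"
        echo " control-use-cert: no"
        echo " control-interface: 127.0.0.1"
        echo " control-interface: ::1"
        echo
      } >> $UB_CTRL_CONF
      ;;
    2)
      {
        # Local Host Only Encrypted Remote Control
        # Clients must hold $UB_CTLKEY_FILE (mode 640 unbound:unbound).
        echo "remote-control:"
        echo " control-enable: yes"
        echo " control-use-cert: yes"
        echo " control-interface: 127.0.0.1"
        echo " control-interface: ::1"
        echo " server-key-file: $UB_SRVKEY_FILE"
        echo " server-cert-file: $UB_SRVPEM_FILE"
        echo " control-key-file: $UB_CTLKEY_FILE"
        echo " control-cert-file: $UB_CTLPEM_FILE"
        echo
      } >> $UB_CTRL_CONF
      ;;
    [3-4])
      {
        # Network Encrypted Remote Control
        # (3) may auto setup and (4) must have static key/pem files
        # Binds every interface, WAN included: the client certificate is the
        # only authentication, so pair this with a firewall rule for the
        # control port.
        # TODO: add UCI list for interfaces to bind
        echo "remote-control:"
        echo " control-enable: yes"
        echo " control-use-cert: yes"
        echo " control-interface: 0.0.0.0"
        echo " control-interface: ::0"
        echo " server-key-file: $UB_SRVKEY_FILE"
        echo " server-cert-file: $UB_SRVPEM_FILE"
        echo " control-key-file: $UB_CTLKEY_FILE"
        echo " control-cert-file: $UB_CTLPEM_FILE"
        echo
      } >> $UB_CTRL_CONF
      ;;
  esac
}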
  315. ##############################################################################
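unbound_zone() {
  # config_foreach callback for a UCI "zone" section "$1".  Appends one
  # auth-zone:, forward-zone: or stub-zone: clause per zone_name to
  # $UB_ZONE_CONF (created with a header on the first call).  Disabled or
  # unknown zone types only leave a comment line.
  # Fixes in this revision:
  #  - the https-dns-proxy assist check ran the init script with no action,
  #    which never reports "enabled"; it now asks "enabled" like the others;
  #  - resolv_conf and zonename were never declared local, so the "not
  #    enabled" comment named the previous zone's last name; it now names
  #    the UCI section.
  local cfg=$1
  local servers_ip=""
  local servers_host=""
  local zone_sym zone_name zonename zone_type zone_enabled zone_file
  local tls_upstream fallback resolv_conf
  local server port tls_port tls_index tls_suffix url_dir dns_ast
  if [ ! -f "$UB_ZONE_CONF" ] ; then
    echo "# $UB_ZONE_CONF generated by UCI $( date -Is )" > $UB_ZONE_CONF
  fi
  config_get_bool zone_enabled "$cfg" enabled 0
  if [ $zone_enabled -eq 1 ] ; then
    # these lists are built for each zone; empty to start
    UB_LIST_ZONE_NAMES=""
    UB_LIST_ZONE_SERVERS=""
    config_get zone_type "$cfg" zone_type ""
    config_get port "$cfg" port ""
    config_get tls_index "$cfg" tls_index ""
    config_get tls_port "$cfg" tls_port 853
    config_get url_dir "$cfg" url_dir ""
    config_get dns_ast "$cfg" dns_assist none
    config_get_bool resolv_conf "$cfg" resolv_conf 0
    config_get_bool fallback "$cfg" fallback 1
    config_get_bool tls_upstream "$cfg" tls_upstream 0
    config_list_foreach "$cfg" zone_name bundle_zone_names
    config_list_foreach "$cfg" server bundle_zone_servers
    # string formating for Unbound syntax: "@port#authname".  The #authname
    # (tls_index) is what lets Unbound verify the upstream certificate
    # against tls-cert-bundle; with tls_index empty the session is only
    # encrypted, the peer is not authenticated (opportunistic TLS).
    tls_suffix="${tls_port:+@${tls_port}${tls_index:+#${tls_index}}}"
    [ $fallback -eq 0 ] && fallback=no || fallback=yes
    [ $tls_upstream -eq 0 ] && tls_upstream=no || tls_upstream=yes
    if [ $resolv_conf -eq 1 ] ; then
      bundle_resolv_conf_servers
    fi
  else
    zone_type=skip
  fi
  # dns_assist names a helper resolver on this host that this zone forwards
  # to.  Accepting it flips UB_B_DNS_ASSIST, which makes unbound_conf() emit
  # "do-not-query-localhost: no" globally and admits localhost forwarders
  # below, so it is only honoured when the helper is installed and enabled.
  case "$dns_ast" in
    bind)
      if [ -x /usr/sbin/bind ] && [ -x /etc/init.d/bind ] ; then
        if /etc/init.d/bind enabled ; then
          dns_ast=1
        else
          dns_ast=0
        fi
      else
        dns_ast=0
      fi
      ;;
    dnsmasq)
      if [ -x /usr/sbin/dnsmasq ] && [ -x /etc/init.d/dnsmasq ] ; then
        if /etc/init.d/dnsmasq enabled ; then
          dns_ast=1
        else
          dns_ast=0
        fi
      else
        dns_ast=0
      fi
      ;;
    htpps-dns-proxy | https-dns-proxy)
      if [ -x /usr/sbin/https-dns-proxy ] \
      && [ -x /etc/init.d/https-dns-proxy ] ; then
        # "enabled" was missing here; with no action rc.common prints
        # usage and fails, so https-dns-proxy assist never activated.
        if /etc/init.d/https-dns-proxy enabled ; then
          dns_ast=1
        else
          dns_ast=0
        fi
      else
        dns_ast=0
      fi
      ;;
    ipset-dns)
      if [ -x /usr/sbin/ipset-dns ] && [ -x /etc/init.d/ipset-dns ] ; then
        if /etc/init.d/ipset-dns enabled ; then
          dns_ast=1
        else
          dns_ast=0
        fi
      else
        dns_ast=0
      fi
      ;;
    nsd)
      if [ -x /usr/sbin/nsd ] && [ -x /etc/init.d/nsd ] ; then
        if /etc/init.d/nsd enabled ; then
          dns_ast=1
        else
          dns_ast=0
        fi
      else
        dns_ast=0
      fi
      ;;
    unprotected-loop)
      # Soft brick risk. The server you are looking to connect to may be offline
      # and cause loop error: procd, sysupgrade, package order, and other issues.
      dns_ast=1
      ;;
    *)
      # Unbound has a local forward blocking option, default on, instead of loop
      # detection. If it is released, then it may be a soft brick risk.
      dns_ast=0
      ;;
  esac
  if [ $dns_ast -gt 0 ] ; then
    UB_B_DNS_ASSIST=1
  fi
  case $zone_type in
    auth_zone)
      if [ $UB_B_NTP_BOOT -eq 0 ] && [ -n "$UB_LIST_ZONE_NAMES" ] \
      && { [ -n "$url_dir" ] || [ -n "$UB_LIST_ZONE_SERVERS" ] ; } ; then
        # Note AXFR may have large downloads. If NTP restart is configured,
        # then this can cause procd to force a process kill.
        for zone_name in $UB_LIST_ZONE_NAMES ; do
          if [ "$zone_name" = "." ] ; then
            zone_sym=.
            zone_name=root
            zone_file=root.zone
          else
            zone_sym=$zone_name
            zone_file=$zone_name.zone
            # zonefile is written inside the chroot; squash ".." so an odd
            # zone name cannot escape it.  Zone names are admin-supplied UCI
            # data, so this is a guard rail rather than input validation.
            zone_file=${zone_file//../.}
          fi
          {
            # generate an auth-zone: with switches for prefetch cache
            # A plain http:// url_dir fetches the zone unauthenticated; rely
            # on https and/or DNSSEC validation of the downloaded zone.
            echo "auth-zone:"
            echo " name: $zone_sym"
            for server in $UB_LIST_ZONE_SERVERS ; do
              echo " master: $server${port:+@${port}}"
            done
            if [ -n "$url_dir" ] ; then
              echo " url: $url_dir$zone_file"
            fi
            echo " fallback-enabled: $fallback"
            echo " for-downstream: no"
            echo " for-upstream: yes"
            echo " zonefile: $zone_file"
            echo
          } >> $UB_ZONE_CONF
        done
      fi
      ;;
    forward_zone)
      if [ ! -f $UB_TLS_ETC_FILE ] && [ "$tls_upstream" = "yes" ] ; then
        logger -p 4 -t unbound -s \
          "Forward-zone TLS benefits from authentication in package 'ca-bundle'"
      fi
      if [ -n "$UB_LIST_ZONE_NAMES" ] && [ -n "$UB_LIST_ZONE_SERVERS" ] ; then
        for server in $UB_LIST_ZONE_SERVERS ; do
          # Addresses become forward-addr; loopback/local ones only when a
          # DNS assist helper was confirmed above.  Anything else is treated
          # as a host name (forward-host, resolved through recursion).
          if [ "$( valid_subnet_any $server )" = "ok" ] \
          || { [ "$( local_subnet $server )" = "ok" ] \
          && [ $dns_ast -gt 0 ] ; } ; then
            case $server in
              *@[0-9]*|*#[A-Za-z0-9]*)
                # unique Unbound option for server address
                servers_ip="$servers_ip $server"
                ;;
              *)
                if [ "$tls_upstream" = "yes" ] ; then
                  servers_ip="$servers_ip $server$tls_suffix"
                else
                  servers_ip="$servers_ip $server${port:+@${port}}"
                fi
                ;;
            esac
          else
            case $server in
              127.*|::0*)
                # soft brick loop back risk see DNS assist above
                :
                ;;
              *@[0-9]*|*#[A-Za-z0-9]*)
                # unique Unbound option for server host name
                servers_host="$servers_host $server"
                ;;
              *)
                if [ "$tls_upstream" = "yes" ] ; then
                  servers_host="$servers_host $server${tls_port:+@${tls_port}}"
                else
                  servers_host="$servers_host $server${port:+@${port}}"
                fi
                ;;
            esac
          fi
        done
        for zonename in $UB_LIST_ZONE_NAMES ; do
          {
            # generate a forward-zone with or without tls
            echo "forward-zone:"
            echo " name: $zonename"
            for server in $servers_host ; do
              echo " forward-host: $server"
            done
            for server in $servers_ip ; do
              echo " forward-addr: $server"
            done
            echo " forward-first: $fallback"
            echo " forward-tls-upstream: $tls_upstream"
            echo
          } >> $UB_ZONE_CONF
        done
      fi
      ;;
    stub_zone)
      if [ -n "$UB_LIST_ZONE_NAMES" ] && [ -n "$UB_LIST_ZONE_SERVERS" ] ; then
        for zonename in $UB_LIST_ZONE_NAMES ; do
          {
            # generate a stub-zone: or ensure short cut to authority NS
            echo "stub-zone:"
            echo " name: $zonename"
            for server in $UB_LIST_ZONE_SERVERS ; do
              echo " stub-addr: $server${port:+@${port}}"
            done
            echo " stub-first: $fallback"
            echo
          } >> $UB_ZONE_CONF
        done
      fi
      ;;
    *)
      {
        echo " # Special zone $cfg was not enabled or had UCI conflicts."
        echo
      } >> $UB_ZONE_CONF
      ;;
  esac
}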
  543. ##############################################################################
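unbound_conf() {
  # Write the server: section of $UB_CORE_CONF from the UB_* globals
  # (defaults at the top of this file, overridden from UCI by the init
  # script).  Output order matters to Unbound only within a clause, but this
  # function is also the place where the security posture is decided:
  # DNSSEC validation, private-address filtering and access-control.
  # Two conditions that used to degrade silently are now logged at warning
  # level: DNSSEC requested without a trust anchor, and the open-resolver
  # access-control fallback while local service was requested.
  local rt_mem rt_conn rt_buff modulestring domain ifsubnet moduleopts
  {
    # server: for this whole function
    echo "# $UB_CORE_CONF generated by UCI $( date -Is )"
    echo "server:"
    echo " username: unbound"
    echo " chroot: $UB_VARDIR"
    echo " directory: $UB_VARDIR"
    echo " pidfile: $UB_PIDFILE"
  } > $UB_CORE_CONF
  if [ -f "$UB_TLS_ETC_FILE" ] ; then
    # TLS cert bundle for upstream forwarder and https zone files
    # This is loaded before drop to root, so pull from /etc/ssl
    echo " tls-cert-bundle: $UB_TLS_ETC_FILE" >> $UB_CORE_CONF
  fi
  if [ -f "$UB_RHINT_FILE" ] ; then
    # Optional hints if found
    echo " root-hints: $UB_RHINT_FILE" >> $UB_CORE_CONF
  fi
  if [ $UB_B_DNSSEC -gt 0 ] && [ -f "$UB_RKEY_FILE" ] ; then
    {
      echo " auto-trust-anchor-file: $UB_RKEY_FILE"
      echo
    } >> $UB_CORE_CONF
  else
    if [ $UB_B_DNSSEC -gt 0 ] ; then
      # The validator module is still loaded below, but without an anchor
      # every answer validates as "insecure": DNSSEC would be silently off.
      logger -p 4 -t unbound -s \
        "DNSSEC enabled but no trust anchor at $UB_RKEY_FILE; answers will not be validated"
    fi
    echo >> $UB_CORE_CONF
  fi
  if [ $UB_N_THREADS -gt 1 ] \
  && $PROG -V | grep -q "Linked libs:.*libevent" ; then
    # heavy variant using "threads" may need substantial resources
    echo " num-threads: 2" >> $UB_CORE_CONF
  else
    # light variant with one "process" is much more efficient with light traffic
    echo " num-threads: 1" >> $UB_CORE_CONF
  fi
  {
    # Limited threading (2) with one shared slab
    echo " msg-cache-slabs: 1"
    echo " rrset-cache-slabs: 1"
    echo " infra-cache-slabs: 1"
    echo " key-cache-slabs: 1"
    echo " ratelimit-slabs: 1"
    echo " ip-ratelimit-slabs: 1"
    echo
    # Logging
    echo " use-syslog: yes"
    echo " statistics-interval: 0"
    echo " statistics-cumulative: no"
  } >> $UB_CORE_CONF
  if [ $UB_D_VERBOSE -ge 0 ] && [ $UB_D_VERBOSE -le 5 ] ; then
    echo " verbosity: $UB_D_VERBOSE" >> $UB_CORE_CONF
  fi
  if [ $UB_B_EXT_STATS -gt 0 ] ; then
    {
      # store more data in memory for unbound-control to report
      echo " extended-statistics: yes"
      echo
    } >> $UB_CORE_CONF
  else
    {
      # store Less
      echo " extended-statistics: no"
      echo
    } >> $UB_CORE_CONF
  fi
  if [ $UB_B_IF_AUTO -gt 0 ] ; then
    # Listen on every interface; access-control below is what limits clients.
    echo " interface-automatic: yes" >> $UB_CORE_CONF
  fi
  if [ $UB_B_DNS_ASSIST -gt 0 ] ; then
    # Set by unbound_zone() when a zone forwards to a helper on this host;
    # this removes Unbound's built-in guard against forwarding to itself.
    echo " do-not-query-localhost: no" >> $UB_CORE_CONF
  fi
  {
    # avoid interference with SPI/NAT on both reserved and common server ports
    # ~55k source ports remain for query-ID/port randomisation.
    echo " edns-buffer-size: $UB_N_EDNS_SIZE"
    echo " port: $UB_N_RX_PORT"
    echo " outgoing-port-permit: 10240-65535"
  } >> $UB_CORE_CONF
  case "$UB_D_PROTOCOL" in
    ip4_only)
      {
        echo " do-ip4: yes"
        echo " do-ip6: no"
        echo
      } >> $UB_CORE_CONF
      ;;
    ip6_only)
      {
        echo " do-ip4: no"
        echo " do-ip6: yes"
        echo
      } >> $UB_CORE_CONF
      ;;
    ip6_local)
      {
        # answer your local IPv6 network but avoid broken ISP IPv6
        echo " do-ip4: yes"
        echo " do-ip6: yes"
        echo " prefer-ip4: yes"
        echo " prefer-ip6: no"
        echo
      } >> $UB_CORE_CONF
      ;;
    ip6_prefer)
      {
        # RFC compliant dual stack
        echo " do-ip4: yes"
        echo " do-ip6: yes"
        echo " prefer-ip4: no"
        echo " prefer-ip6: yes"
        echo
      } >> $UB_CORE_CONF
      ;;
    mixed)
      {
        echo " do-ip4: yes"
        echo " do-ip6: yes"
        echo
      } >> $UB_CORE_CONF
      ;;
    *)
      if [ $UB_B_READY -eq 0 ] ; then
        logger -t unbound -s "default protocol configuration"
      fi
      ;;
  esac
  case "$UB_D_RESOURCE" in
    # Tiny - Unbound's recommended cheap hardware config
    tiny) rt_mem=1 ; rt_conn=5 ; rt_buff=1 ;;
    # Small - Half RRCACHE and open ports
    small) rt_mem=8 ; rt_conn=10 ; rt_buff=2 ;;
    # Medium - Nearly default but with some added balancing
    medium) rt_mem=16 ; rt_conn=20 ; rt_buff=4 ;;
    # Large - Double medium
    large) rt_mem=32 ; rt_conn=50 ; rt_buff=4 ;;
    # Whatever unbound does (rt_buff unused when rt_mem is 0)
    *) rt_mem=0 ; rt_conn=0 ;;
  esac
  if [ $rt_mem -gt 0 ] ; then
    {
      # Other hardening and options for an embedded router.
      # use-caps-for-id is off: 0x20 case randomisation breaks some
      # authoritative servers; source-port randomisation still applies.
      echo " harden-short-bufsize: yes"
      echo " harden-large-queries: yes"
      echo " harden-glue: yes"
      echo " use-caps-for-id: no"
      echo
      # Set memory sizing parameters
      echo " msg-buffer-size: $(($rt_buff*8192))"
      echo " outgoing-range: $(($rt_conn*32))"
      echo " num-queries-per-thread: $(($rt_conn*16))"
      echo " outgoing-num-tcp: $(($rt_conn))"
      echo " incoming-num-tcp: $(($rt_conn))"
      echo " rrset-cache-size: $(($rt_mem*256))k"
      echo " msg-cache-size: $(($rt_mem*128))k"
      echo " stream-wait-size: $(($rt_mem*128))k"
      echo " key-cache-size: $(($rt_mem*128))k"
      echo " neg-cache-size: $(($rt_mem*32))k"
      echo " ratelimit-size: $(($rt_mem*32))k"
      echo " ip-ratelimit-size: $(($rt_mem*32))k"
      echo " infra-cache-numhosts: $(($rt_mem*256))"
      echo
    } >> $UB_CORE_CONF
  elif [ $UB_B_READY -eq 0 ] ; then
    logger -t unbound -s "default memory configuration"
  fi
  # Assembly of module-config: options is tricky; order matters
  moduleopts="$( /usr/sbin/unbound -V )"
  modulestring="iterator"
  case $moduleopts in
    *with-python*)
      modulestring="python $modulestring"
      ;;
  esac
  if [ $UB_B_DNSSEC -gt 0 ] ; then
    if [ $UB_B_NTP_BOOT -gt 0 ] ; then
      # DNSSEC chicken and egg with getting NTP time.
      # -1 makes Unbound ignore RRSIG inception/expiration, so a replayed
      # expired signature validates until NTP syncs and the service is
      # restarted with UB_B_NTP_BOOT=0 (see unbound_mkdir).
      echo " val-override-date: -1" >> $UB_CORE_CONF
    fi
    {
      echo " harden-dnssec-stripped: yes"
      echo " val-clean-additional: yes"
      echo " ignore-cd-flag: yes"
    } >> $UB_CORE_CONF
    modulestring="validator $modulestring"
  fi
  case $moduleopts in
    *enable-subnet*)
      modulestring="subnetcache $modulestring"
      ;;
  esac
  if [ $UB_B_DNS64 -gt 0 ] ; then
    echo " dns64-prefix: $UB_IP_DNS64" >> $UB_CORE_CONF
    modulestring="dns64 $modulestring"
  fi
  {
    # Print final module string
    echo " module-config: \"$modulestring\""
    echo
  } >> $UB_CORE_CONF
  case "$UB_D_RECURSION" in
    passive)
      {
        # Some query privacy but "strict" will break some servers
        if [ $UB_B_QRY_MINST -gt 0 ] && [ $UB_B_QUERY_MIN -gt 0 ] ; then
          echo " qname-minimisation: yes"
          echo " qname-minimisation-strict: yes"
        elif [ $UB_B_QUERY_MIN -gt 0 ] ; then
          echo " qname-minimisation: yes"
        else
          echo " qname-minimisation: no"
        fi
        # Use DNSSEC to quickly understand NXDOMAIN ranges
        if [ $UB_B_DNSSEC -gt 0 ] ; then
          echo " aggressive-nsec: yes"
          echo " prefetch-key: no"
        fi
        # On demand fetching
        echo " prefetch: no"
        echo " target-fetch-policy: \"0 0 0 0 0\""
        echo
      } >> $UB_CORE_CONF
      ;;
    aggressive)
      {
        # Some query privacy but "strict" will break some servers
        if [ $UB_B_QRY_MINST -gt 0 ] && [ $UB_B_QUERY_MIN -gt 0 ] ; then
          echo " qname-minimisation: yes"
          echo " qname-minimisation-strict: yes"
        elif [ $UB_B_QUERY_MIN -gt 0 ] ; then
          echo " qname-minimisation: yes"
        else
          echo " qname-minimisation: no"
        fi
        # Use DNSSEC to quickly understand NXDOMAIN ranges
        if [ $UB_B_DNSSEC -gt 0 ] ; then
          echo " aggressive-nsec: yes"
          echo " prefetch-key: yes"
        fi
        # Prefetch what can be
        echo " prefetch: yes"
        echo " target-fetch-policy: \"3 2 1 0 0\""
        echo
      } >> $UB_CORE_CONF
      ;;
    *)
      if [ $UB_B_READY -eq 0 ] ; then
        logger -t unbound -s "default recursion configuration"
      fi
      ;;
  esac
  if [ 10 -lt $UB_N_RATE_LMT ] && [ $UB_N_RATE_LMT -lt 100000 ] ; then
    {
      # Protect the server from query floods which is helpful on weaker CPU
      # Per client rate limit is half the maximum to leave head room open
      echo " ratelimit: $UB_N_RATE_LMT"
      echo " ip-ratelimit: $(($UB_N_RATE_LMT/2))"
      echo
    } >> $UB_CORE_CONF
  fi
  {
    # Reload records more than 20 hours old
    # DNSSEC 5 minute bogus cool down before retry
    # Adaptive infrastructure info kept for 15 minutes
    # cache-min-ttl lifts short TTLs, which also delays upstream revocations.
    echo " cache-min-ttl: $UB_TTL_MIN"
    echo " cache-max-ttl: 72000"
    echo " cache-max-negative-ttl: $UB_NEG_TTL_MAX"
    echo " val-bogus-ttl: 300"
    echo " infra-host-ttl: 900"
    echo
  } >> $UB_CORE_CONF
  if [ $UB_B_HIDE_BIND -gt 0 ] ; then
    {
      # Block server id and version DNS TXT records
      echo " hide-identity: yes"
      echo " hide-version: yes"
      echo
    } >> $UB_CORE_CONF
  fi
  if [ $UB_D_PRIV_BLCK -gt 0 ] ; then
    {
      # Remove _upstream_ or global responses with private addresses
      # (DNS rebinding protection).
      # Unbounds own "local zone" and "forward zone" may still use these.
      # RFC1918, RFC3927, RFC4291, RFC6598, RFC6890
      echo " private-address: 10.0.0.0/8"
      echo " private-address: 100.64.0.0/10"
      echo " private-address: 169.254.0.0/16"
      echo " private-address: 172.16.0.0/12"
      echo " private-address: 192.168.0.0/16"
      echo " private-address: fc00::/7"
      echo " private-address: fe80::/10"
      echo
    } >> $UB_CORE_CONF
  fi
  if [ -n "$UB_LIST_NETW_LAN" ] && [ $UB_D_PRIV_BLCK -gt 1 ] ; then
    {
      for ifsubnet in $UB_LIST_NETW_LAN ; do
        case $ifsubnet in
          *@[1-9][0-9a-f][0-9a-f][0-9a-f]:*:[0-9a-f]*)
            # Remove global DNS responses with your local network IP6 GUA
            echo " private-address: ${ifsubnet#*@}"
            ;;
        esac
      done
      echo
    } >> $UB_CORE_CONF
  fi
  if [ $UB_B_LOCL_BLCK -gt 0 ] ; then
    {
      # Remove DNS responses from upstream with loopback IP
      # Black hole DNS method for ad blocking, so consider...
      echo " private-address: 127.0.0.0/8"
      echo " private-address: ::1/128"
      echo
    } >> $UB_CORE_CONF
  fi
  if [ -n "$UB_LIST_INSECURE" ] ; then
    {
      for domain in $UB_LIST_INSECURE ; do
        # Except and accept domains without (DNSSEC); work around broken domains
        echo " domain-insecure: $domain"
      done
      echo
    } >> $UB_CORE_CONF
  fi
  if [ $UB_B_LOCL_SERV -gt 0 ] && [ -n "$UB_LIST_NETW_LAN" ] ; then
    {
      for ifsubnet in $UB_LIST_NETW_LAN ; do
        # Only respond to queries from subnets which have an interface.
        # Prevent DNS amplification attacks by not responding to the universe.
        echo " access-control: ${ifsubnet#*@} allow"
      done
      echo " access-control: 127.0.0.0/8 allow"
      echo " access-control: ::1/128 allow"
      echo " access-control: fe80::/10 allow"
      echo
    } >> $UB_CORE_CONF
  else
    if [ $UB_B_LOCL_SERV -gt 0 ] ; then
      # Reached with local service requested but no LAN subnet collected
      # (no LAN interface matched): this is an open resolver and, with
      # interface-automatic, only the firewall keeps port 53 off the WAN.
      logger -p 4 -t unbound -s \
        "no LAN subnets found; access-control falls back to an open resolver (0.0.0.0/0 allow)"
    fi
    {
      echo " access-control: 0.0.0.0/0 allow"
      echo " access-control: ::0/0 allow"
      echo
    } >> $UB_CORE_CONF
  fi
}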
  888. ##############################################################################
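##############################################################################
# Append the forward (A/AAAA) and reverse (PTR) records for one interface
# address to $UB_HOST_CONF. Shared by the LAN and WAN passes of
# unbound_hostname(), which used to carry two identical copies of this body.
# Arguments: $1 - "ifname@addr/prefixlen" entry from UB_LIST_NETW_LAN/WAN
#            $2 - FQDN level from UCI (add_local_fqdn or add_wan_fqdn)
#            $3 - router FQDN, "$UB_TXT_HOSTNAME.$UB_TXT_DOMAIN"
#            $4 - ULA prefix text; addresses starting with it are always
#                 published, other IP6 only when the level is above 1
# Globals:   UB_TXT_HOSTNAME (read), UB_HOST_CONF (appended)
##############################################################################
unbound_hostname_fqdn() {
  local ifsubnet="$1" level="$2" hostfqdn="$3" ulaprefix="$4"
  local ifaddr ifname iffqdn name names namerec ptrrec
  ifaddr=${ifsubnet#*@}
  ifaddr=${ifaddr%/*}
  ifname=${ifsubnet%@*}
  iffqdn="$ifname.$hostfqdn"
  # Level 4 publishes the per-interface name too, level 3 the router FQDN,
  # lower levels only the bare hostname. PTR targets the most specific name.
  if [ $level -eq 4 ] ; then
    names="$iffqdn $hostfqdn $UB_TXT_HOSTNAME"
    ptrrec=" local-data-ptr: \"$ifaddr 300 $iffqdn\""
  elif [ $level -eq 3 ] ; then
    names="$hostfqdn $UB_TXT_HOSTNAME"
    ptrrec=" local-data-ptr: \"$ifaddr 300 $hostfqdn\""
  else
    names="$UB_TXT_HOSTNAME"
    ptrrec=" local-data-ptr: \"$ifaddr 300 $UB_TXT_HOSTNAME\""
  fi
  echo "$ptrrec" >> $UB_HOST_CONF
  for name in $names ; do
    case $ifaddr in
      "${ulaprefix}"*)
        # IP6 ULA only is assigned for OPTION 1
        namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
        echo "$namerec" >> $UB_HOST_CONF
        ;;
      [1-9]*.*[0-9])
        namerec=" local-data: \"$name. 300 IN A $ifaddr\""
        echo "$namerec" >> $UB_HOST_CONF
        ;;
      *)
        if [ $level -gt 1 ] ; then
          # IP6 GLA is assigned for higher options
          namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
          echo "$namerec" >> $UB_HOST_CONF
        fi
        ;;
    esac
  done
  echo >> $UB_HOST_CONF
}
##############################################################################
# Write $UB_HOST_CONF: the "server:" local-zone/local-data clauses that make
# the router's own domain, hostname and interface addresses resolvable, plus
# the matching reverse (in-addr.arpa / ip6.arpa) zones. Nothing is generated
# when dnsmasq owns the local zone (dhcp_link=dnsmasq).
# Globals:   UB_D_DHCP_LINK, UB_TXT_DOMAIN, UB_TXT_HOSTNAME, UB_D_DOMAIN_TYPE,
#            UB_D_WAN_FQDN, UB_D_LAN_FQDN, UB_D_PRIV_BLCK, UB_LIST_NETW_WAN,
#            UB_LIST_NETW_LAN, UB_XSOA, UB_XNS, UB_XTXT, UB_MTXT (read)
#            UB_HOST_CONF (overwritten)
# Calls:     host_ptr_any, domain_ptr_any, uci_get (defined elsewhere)
##############################################################################
unbound_hostname() {
  local ifsubnet ifarpa ifaddr
  local ulaprefix hostfqdn
  # 0: no local zone, 1: transparent-style zone, 2: static-style zone
  local zonetype=0
  echo "# $UB_HOST_CONF generated by UCI $( date -Is )" > $UB_HOST_CONF
  if [ "$UB_D_DHCP_LINK" = "dnsmasq" ] ; then
    {
      echo "# Local zone is handled by dnsmasq"
      echo
    } >> $UB_HOST_CONF
  elif [ -n "$UB_TXT_DOMAIN" ] \
    && { [ $UB_D_WAN_FQDN -gt 0 ] || [ $UB_D_LAN_FQDN -gt 0 ] ; } ; then
    case "$UB_D_DOMAIN_TYPE" in
      deny|inform_deny|refuse|static)
        {
          # type static means only this router has your domain
          # The zone is unsigned: domain-insecure keeps the validator from
          # demanding DNSSEC proofs, private-domain lets rebind protection
          # return private addresses for names under it.
          echo " domain-insecure: $UB_TXT_DOMAIN"
          echo " private-domain: $UB_TXT_DOMAIN"
          echo " local-zone: $UB_TXT_DOMAIN $UB_D_DOMAIN_TYPE"
          echo " local-data: \"$UB_TXT_DOMAIN. $UB_XSOA\""
          echo " local-data: \"$UB_TXT_DOMAIN. $UB_XNS\""
          echo " local-data: '$UB_TXT_DOMAIN. $UB_XTXT'"
          echo
          if [ "$UB_TXT_DOMAIN" != "local" ] ; then
            # avoid involvement in RFC6762, unless it is the local zone name
            echo " local-zone: local always_nxdomain"
            echo
          fi
        } >> $UB_HOST_CONF
        zonetype=2
        ;;
      inform|transparent|typetransparent)
        {
          # transparent will permit forward-zone: or stub-zone: clauses
          echo " private-domain: $UB_TXT_DOMAIN"
          echo " local-zone: $UB_TXT_DOMAIN $UB_D_DOMAIN_TYPE"
          echo
        } >> $UB_HOST_CONF
        zonetype=1
        ;;
    esac
    {
      # Hostname as TLD works, but not transparent through recursion (singular)
      echo " domain-insecure: $UB_TXT_HOSTNAME"
      echo " private-domain: $UB_TXT_HOSTNAME"
      echo " local-zone: $UB_TXT_HOSTNAME static"
      echo " local-data: \"$UB_TXT_HOSTNAME. $UB_XSOA\""
      echo " local-data: \"$UB_TXT_HOSTNAME. $UB_XNS\""
      echo " local-data: '$UB_TXT_HOSTNAME. $UB_XTXT'"
      echo
    } >> $UB_HOST_CONF
    if [ -n "$UB_LIST_NETW_WAN" ] ; then
      for ifsubnet in $UB_LIST_NETW_WAN ; do
        ifaddr=${ifsubnet#*@}
        ifaddr=${ifaddr%/*}
        ifarpa=$( host_ptr_any "$ifaddr" )
        if [ -n "$ifarpa" ] ; then
          if [ $UB_D_WAN_FQDN -gt 0 ] ; then
            {
              # Create a static zone for WAN host record only (singular)
              echo " domain-insecure: $ifarpa"
              echo " private-address: $ifaddr"
              echo " local-zone: $ifarpa static"
              echo " local-data: \"$ifarpa. $UB_XSOA\""
              echo " local-data: \"$ifarpa. $UB_XNS\""
              echo " local-data: '$ifarpa. $UB_MTXT'"
              echo
            } >> $UB_HOST_CONF
          elif [ $zonetype -gt 0 ] ; then
            {
              echo " local-zone: $ifarpa transparent"
              echo
            } >> $UB_HOST_CONF
          fi
        fi
      done
    fi
    if [ -n "$UB_LIST_NETW_LAN" ] ; then
      for ifsubnet in $UB_LIST_NETW_LAN ; do
        ifarpa=$( domain_ptr_any "${ifsubnet#*@}" )
        if [ -n "$ifarpa" ] ; then
          if [ $zonetype -eq 2 ] ; then
            {
              # Do NOT forward queries with your ip6.arpa or in-addr.arpa
              echo " domain-insecure: $ifarpa"
              echo " local-zone: $ifarpa static"
              echo " local-data: \"$ifarpa. $UB_XSOA\""
              echo " local-data: \"$ifarpa. $UB_XNS\""
              echo " local-data: '$ifarpa. $UB_XTXT'"
              echo
            } >> $UB_HOST_CONF
          elif [ $zonetype -eq 1 ] && [ $UB_D_PRIV_BLCK -eq 0 ] ; then
            # A transparent reverse zone (queries may leave the router) is
            # only opened when rebind protection is switched off.
            {
              echo " local-zone: $ifarpa transparent"
              echo
            } >> $UB_HOST_CONF
          fi
        fi
      done
    fi
    ulaprefix=$( uci_get network.@globals[0].ula_prefix )
    ulaprefix=${ulaprefix%%:/*}
    hostfqdn="$UB_TXT_HOSTNAME.$UB_TXT_DOMAIN"
    if [ -z "$ulaprefix" ] ; then
      # Nonsense so this option isn't globbed below: an empty prefix would
      # make the "${ulaprefix}"* pattern match every address.
      ulaprefix="fdno:such:addr::"
    fi
    if [ -n "$UB_LIST_NETW_LAN" ] && [ $UB_D_LAN_FQDN -gt 0 ] ; then
      for ifsubnet in $UB_LIST_NETW_LAN ; do
        unbound_hostname_fqdn "$ifsubnet" "$UB_D_LAN_FQDN" "$hostfqdn" "$ulaprefix"
      done
    fi
    if [ -n "$UB_LIST_NETW_WAN" ] && [ $UB_D_WAN_FQDN -gt 0 ] ; then
      for ifsubnet in $UB_LIST_NETW_WAN ; do
        unbound_hostname_fqdn "$ifsubnet" "$UB_D_WAN_FQDN" "$hostfqdn" "$ulaprefix"
      done
    fi
  fi # end if uci valid
}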
  1082. ##############################################################################
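##############################################################################
# True (0) when $1 is a non-empty string of decimal digits.
# Used before the numeric range checks in unbound_uci(): a non-number would
# make "[ ... -lt ... ]" error out and the bad value would then be written
# straight into unbound.conf.
##############################################################################
unbound_uci_is_uint() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  return 0
}
##############################################################################
# Read the "unbound" UCI section into the UB_* globals and sanity-check the
# values that later end up verbatim in unbound.conf.
# Arguments: $1 - UCI section name (from config_foreach)
# Globals:   UB_B_*, UB_N_*, UB_D_*, UB_TTL_MIN, UB_NEG_TTL_MAX, UB_IP_DNS64,
#            UB_TXT_DOMAIN, UB_TXT_HOSTNAME (written); UB_B_READY (read)
# Calls:     uci_get, config_get, config_get_bool, config_list_foreach and
#            the bundle_* list callbacks (defined elsewhere)
##############################################################################
unbound_uci() {
  local cfg="$1"
  local hostnm
  # DNS names are case-insensitive; lower-case once so generated records agree
  hostnm=$( uci_get system.@system[0].hostname | awk '{print tolower($0)}' )
  UB_TXT_HOSTNAME=${hostnm:-thisrouter}
  config_get_bool UB_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0
  config_get_bool UB_B_DNS64 "$cfg" dns64 0
  config_get_bool UB_B_EXT_STATS "$cfg" extended_stats 0
  config_get_bool UB_B_HIDE_BIND "$cfg" hide_binddata 1
  config_get_bool UB_B_LOCL_SERV "$cfg" localservice 1
  config_get_bool UB_B_MAN_CONF "$cfg" manual_conf 0
  config_get_bool UB_B_QUERY_MIN "$cfg" query_minimize 0
  config_get_bool UB_B_QRY_MINST "$cfg" query_min_strict 0
  config_get_bool UB_B_AUTH_ROOT "$cfg" prefetch_root 0
  config_get_bool UB_B_LOCL_BLCK "$cfg" rebind_localhost 0
  config_get_bool UB_B_DNSSEC "$cfg" validator 0
  config_get_bool UB_B_NTP_BOOT "$cfg" validator_ntp 1
  config_get_bool UB_B_IF_AUTO "$cfg" interface_auto 1
  config_get UB_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96"
  config_get UB_N_EDNS_SIZE "$cfg" edns_size 1232
  config_get UB_N_RX_PORT "$cfg" listen_port 53
  config_get UB_N_ROOT_AGE "$cfg" root_age 9
  config_get UB_N_THREADS "$cfg" num_threads 1
  config_get UB_N_RATE_LMT "$cfg" rate_limit 0
  config_get UB_D_CONTROL "$cfg" unbound_control 0
  config_get UB_D_DOMAIN_TYPE "$cfg" domain_type static
  config_get UB_D_DHCP_LINK "$cfg" dhcp_link none
  config_get UB_D_EXTRA_DNS "$cfg" add_extra_dns 0
  config_get UB_D_LAN_FQDN "$cfg" add_local_fqdn 0
  # rebind_protection defaults on; unbound_hostname() only opens transparent
  # reverse zones for the LAN ranges when it is explicitly switched off
  config_get UB_D_PRIV_BLCK "$cfg" rebind_protection 1
  config_get UB_D_PROTOCOL "$cfg" protocol mixed
  config_get UB_D_RECURSION "$cfg" recursion passive
  config_get UB_D_RESOURCE "$cfg" resource small
  config_get UB_D_VERBOSE "$cfg" verbosity 1
  config_get UB_D_WAN_FQDN "$cfg" add_wan_fqdn 0
  config_get UB_TTL_MIN "$cfg" ttl_min 120
  config_get UB_TXT_DOMAIN "$cfg" domain lan
  config_get UB_NEG_TTL_MAX "$cfg" ttl_neg_max 1000
  config_list_foreach "$cfg" domain_insecure bundle_domain_insecure
  config_list_foreach "$cfg" iface_lan bundle_lan_networks
  config_list_foreach "$cfg" iface_wan bundle_wan_networks
  # Legacy selector: dnsmasq_link_dns predates dhcp_link and is honoured only
  # while the newer option is left at "none".
  if [ "$UB_D_DHCP_LINK" = "none" ] ; then
    config_get_bool UB_B_DNSMASQ "$cfg" dnsmasq_link_dns 0
    if [ $UB_B_DNSMASQ -gt 0 ] ; then
      UB_D_DHCP_LINK=dnsmasq
      if [ $UB_B_READY -eq 0 ] ; then
        logger -t unbound -s "Please use 'dhcp_link' selector instead"
      fi
    fi
  fi
  # Fall back to "none" when the linked daemon is missing or disabled, so the
  # generated configuration never points at a service that is not running.
  if [ "$UB_D_DHCP_LINK" = "dnsmasq" ] ; then
    if [ ! -x /usr/sbin/dnsmasq ] || [ ! -x /etc/init.d/dnsmasq ] ; then
      UB_D_DHCP_LINK=none
    else
      /etc/init.d/dnsmasq enabled || UB_D_DHCP_LINK=none
    fi
    if [ $UB_B_READY -eq 0 ] && [ "$UB_D_DHCP_LINK" = "none" ] ; then
      logger -t unbound -s "cannot forward to dnsmasq"
    fi
  fi
  if [ "$UB_D_DHCP_LINK" = "odhcpd" ] ; then
    if [ ! -x /usr/sbin/odhcpd ] || [ ! -x /etc/init.d/odhcpd ] ; then
      UB_D_DHCP_LINK=none
    else
      /etc/init.d/odhcpd enabled || UB_D_DHCP_LINK=none
    fi
    if [ $UB_B_READY -eq 0 ] && [ "$UB_D_DHCP_LINK" = "none" ] ; then
      logger -t unbound -s "cannot receive records from odhcpd"
    fi
  fi
  # Range checks. Each is preceded by a digits-only test so that garbage in
  # UCI is reset to the default instead of being passed through to Unbound.
  if ! unbound_uci_is_uint "$UB_N_EDNS_SIZE" \
    || [ "$UB_N_EDNS_SIZE" -lt 512 ] || [ 4096 -lt "$UB_N_EDNS_SIZE" ] ; then
    logger -t unbound -s "edns_size exceeds range, using default"
    UB_N_EDNS_SIZE=1232
  fi
  # Anything other than 53 must be an unprivileged port below 10240
  if ! unbound_uci_is_uint "$UB_N_RX_PORT" \
    || { [ "$UB_N_RX_PORT" -ne 53 ] \
      && { [ "$UB_N_RX_PORT" -lt 1024 ] || [ 10240 -lt "$UB_N_RX_PORT" ] ; } ; } ; then
    logger -t unbound -s "privileged port or in 5 digits, using default"
    UB_N_RX_PORT=53
  fi
  if ! unbound_uci_is_uint "$UB_TTL_MIN" || [ "$UB_TTL_MIN" -gt 1800 ] ; then
    logger -t unbound -s "ttl_min could have had awful side effects, using 300"
    UB_TTL_MIN=300
  fi
}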
  1167. ##############################################################################
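##############################################################################
# Append a UCI-generated fragment to $UB_TOTAL_CONF and delete it: the
# fragments live in TMPFS and are rebuilt on every start.
# Arguments: $1 - fragment path (may be empty or absent; then nothing happens)
# Globals:   UB_TOTAL_CONF (appended)
##############################################################################
unbound_include_fragment() {
  if [ -f "$1" ] ; then
    cat "$1" >> $UB_TOTAL_CONF
    rm "$1"
  fi
}
##############################################################################
# Reference a user-maintained file with an "include:" line. The file itself
# is never touched, only named, so local customisations survive restarts.
# Arguments: $1 - file path (may be empty or absent; then nothing happens)
# Globals:   UB_TOTAL_CONF (appended)
##############################################################################
unbound_include_user() {
  if [ -f "$1" ] ; then
    {
      echo "include: $1"
      echo
    } >> $UB_TOTAL_CONF
  fi
}
##############################################################################
# Assemble the final $UB_TOTAL_CONF from the per-purpose fragments left by
# the other generators, in a fixed order, plus "include:" lines for the
# user-owned and adblock-generated files.
# Globals:   UB_VARDIR, UB_CORE_CONF, UB_HOST_CONF, UB_SRVMASQ_CONF,
#            UB_DHCP_CONF, UB_SRV_CONF, UB_ZONE_CONF, UB_CTRL_CONF,
#            UB_EXTMASQ_CONF, UB_EXT_CONF (read); UB_TOTAL_CONF (overwritten)
##############################################################################
unbound_include() {
  local adb_file adb_found
  echo "# $UB_TOTAL_CONF generated by UCI $( date -Is )" > $UB_TOTAL_CONF
  # Yes this all looks busy, but it is in TMPFS. Working on separate files
  # and piecing together is easier. UCI order is less constrained.
  # server: options
  unbound_include_fragment "$UB_CORE_CONF"
  # UCI definitions of local host or local subnet
  unbound_include_fragment "$UB_HOST_CONF"
  # UCI found link to dnsmasq (server: side)
  unbound_include_fragment "$UB_SRVMASQ_CONF"
  # Seed DHCP records because dhcp scripts trigger externally
  # Incremental Unbound restarts may drop unbound-control records
  unbound_include_user "$UB_DHCP_CONF"
  # Expand the glob instead of parsing ls; an unmatched pattern stays literal
  # and so fails the -e test.
  adb_found=0
  for adb_file in $UB_VARDIR/adb_list.* ; do
    [ -e "$adb_file" ] && adb_found=1
  done
  if [ $adb_found -eq 1 ] && [ -x /usr/bin/adblock.sh ] \
    && [ -x /etc/init.d/adblock ] && /etc/init.d/adblock enabled ; then
    {
      # Pull in your selected openwrt/packages/net/adblock generated lists
      echo "include: $UB_VARDIR/adb_list.*"
      echo
    } >> $UB_TOTAL_CONF
  fi
  # Pull your own "server:" options here
  unbound_include_user "$UB_SRV_CONF"
  # UCI defined forward, stub, and auth zones
  unbound_include_fragment "$UB_ZONE_CONF"
  # UCI defined control application connection
  unbound_include_fragment "$UB_CTRL_CONF"
  # UCI found link to dnsmasq (extend side)
  unbound_include_fragment "$UB_EXTMASQ_CONF"
  # Pull your own extend feature clauses here
  unbound_include_user "$UB_EXT_CONF"
}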
  1239. ##############################################################################
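##############################################################################
# Point the system resolver file at Unbound, but only when Unbound owns port
# 53 and dnsmasq is not already serving (and managing) that port.
# Globals:   UB_N_RX_PORT, UB_TXT_DOMAIN (read); UB_RESOLV_CONF (rewritten)
# Returns:   0 always
##############################################################################
resolv_setup() {
  # unbound is not the default on target resolver
  [ "$UB_N_RX_PORT" = "53" ] || return 0
  if [ -x /etc/init.d/dnsmasq ] \
    && /etc/init.d/dnsmasq enabled \
    && nslookup localhost 127.0.0.1#53 >/dev/null 2>&1 ; then
    # unbound is configured for port 53, but dnsmasq is enabled, and a resolver
    # is already listening on port 53. Let dnsmasq manage resolve.conf.
    # This also works to prevent clobbering while changing UCI.
    return 0
  fi
  # unbound listens on 127.0.0.1#53 so set resolver file to local.
  # Removed first, presumably so that a symlinked resolv.conf is replaced by a
  # regular file instead of being written through the link.
  rm -f "$UB_RESOLV_CONF"
  {
    echo "# $UB_RESOLV_CONF generated by Unbound UCI $( date -Is )"
    echo "nameserver 127.0.0.1"
    echo "nameserver ::1"
    echo "search $UB_TXT_DOMAIN."
  } > "$UB_RESOLV_CONF"
}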
  1262. ##############################################################################
##############################################################################
# Entry point for a (re)start: gather interface subnets, read the unbound
# UCI, generate the configuration fragments in dependency order and merge
# them, then decide who owns resolv.conf. The order of the generator calls
# matters: unbound_include() consumes what the earlier calls wrote.
# Globals:   UB_B_MAN_CONF (read); the UB_* set is filled by the callees
# Calls:     config_load/config_foreach (OpenWrt), bundle_all_networks,
#            unbound_uci, unbound_mkdir, unbound_zone, bundle_dhcp_networks,
#            unbound_conf, unbound_hostname, unbound_control, dnsmasq_link,
#            unbound_include, resolv_setup
##############################################################################
unbound_start() {
  # get interface subnets together
  config_load network
  config_foreach bundle_all_networks interface
  # read Unbound UCI but pick through it later
  config_load unbound
  config_foreach unbound_uci unbound
  unbound_mkdir
  # manual_conf=1 means the administrator maintains unbound.conf by hand;
  # then nothing is generated and only the resolver file is considered
  if [ $UB_B_MAN_CONF -eq 0 ] ; then
    # iterate zones before we load other UCI
    # forward-zone: auth-zone: and stub-zone:
    config_foreach unbound_zone zone
    # associate potential DNS RR with interfaces
    config_load dhcp
    config_foreach bundle_dhcp_networks dhcp
    # server:
    unbound_conf
    unbound_hostname
    # control:
    unbound_control
    # dnsmasq
    dnsmasq_link
    # merge
    unbound_include
  fi
  resolv_setup
}
  1290. ##############################################################################