
  1. #!/bin/sh
  2. ##############################################################################
  3. #
  4. # This program is free software; you can redistribute it and/or modify
  5. # it under the terms of the GNU General Public License version 2 as
  6. # published by the Free Software Foundation.
  7. #
  8. # This program is distributed in the hope that it will be useful,
  9. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  10. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  11. # GNU General Public License for more details.
  12. #
  13. # Copyright (C) 2016 Eric Luehrsen
  14. #
  15. ##############################################################################
  16. #
  17. # Unbound is a full featured recursive server with many options. The UCI
  18. # provided tries to simplify and bundle options. This should make Unbound
  19. # easier to deploy. Even light duty routers may resolve recursively instead of
  20. # depending on a stub with the ISP. The UCI also attempts to replicate dnsmasq
  21. # features as used in base LEDE/OpenWrt. If there is a desire for more
  22. # detailed tuning, then manual conf file overrides are also made available.
  23. #
  24. ##############################################################################
  25. UB_B_SLAAC6_MAC=0
  26. UB_B_DNSSEC=0
  27. UB_B_DNS64=0
  28. UB_B_EXT_STATS=0
  29. UB_B_GATE_NAME=0
  30. UB_B_HIDE_BIND=1
  31. UB_B_LOCL_BLCK=0
  32. UB_B_LOCL_SERV=1
  33. UB_B_MAN_CONF=0
  34. UB_B_NTP_BOOT=1
  35. UB_B_QUERY_MIN=0
  36. UB_B_QRY_MINST=0
  37. UB_B_AUTH_ROOT=0
  38. UB_D_CONTROL=0
  39. UB_D_DOMAIN_TYPE=static
  40. UB_D_DHCP_LINK=none
  41. UB_D_EXTRA_DNS=0
  42. UB_D_LAN_FQDN=0
  43. UB_D_PRIV_BLCK=1
  44. UB_D_PROTOCOL=mixed
  45. UB_D_RESOURCE=small
  46. UB_D_RECURSION=passive
  47. UB_D_VERBOSE=1
  48. UB_D_WAN_FQDN=0
  49. UB_IP_DNS64="64:ff9b::/96"
  50. UB_N_EDNS_SIZE=1280
  51. UB_N_RX_PORT=53
  52. UB_N_ROOT_AGE=9
  53. UB_TTL_MIN=120
  54. UB_TXT_DOMAIN=lan
  55. UB_TXT_HOSTNAME=thisrouter
  56. ##############################################################################
  57. # reset as a combo with UB_B_NTP_BOOT and some time stamp files
  58. UB_B_READY=1
  59. # keep track of assignments during inserted resource records
  60. UB_LIST_NETW_ALL=""
  61. UB_LIST_NETW_LAN=""
  62. UB_LIST_NETW_WAN=""
  63. UB_LIST_INSECURE=""
  64. UB_LIST_ZONE_SERVERS=""
  65. UB_LIST_ZONE_NAMES=""
  66. ##############################################################################
  67. . /lib/functions.sh
  68. . /lib/functions/network.sh
  69. . /usr/lib/unbound/defaults.sh
  70. . /usr/lib/unbound/dnsmasq.sh
  71. . /usr/lib/unbound/iptools.sh
  72. ##############################################################################
bundle_all_networks() {
  # config_foreach callback over network interface sections.
  # Appends one "<device>@<subnet>" token per IPv4/IPv6 subnet of the
  # section to UB_LIST_NETW_ALL. Dots in the device name ("eth0.2") become
  # dashes so the token can double as a DNS label later on. Only prefixes
  # that iptools.sh accepts (valid_subnet_any -> "ok") are kept.
  local cfg="$1"
  local dev devlabel cidr cidrlist v4list v6list
  network_get_subnets v4list "$cfg"
  network_get_subnets6 v6list "$cfg"
  network_get_device dev "$cfg"
  devlabel="${dev//./-}"
  cidrlist="$v4list $v6list"
  [ -n "$cidrlist" ] || return 0
  for cidr in $cidrlist ; do
    case "$( valid_subnet_any $cidr )" in
      ok) UB_LIST_NETW_ALL="$UB_LIST_NETW_ALL $devlabel@$cidr" ;;
    esac
  done
}
  91. ##############################################################################
bundle_lan_networks() {
  # config_foreach callback over dhcp sections. Every token of
  # UB_LIST_NETW_ALL that belongs to this section's device is copied to
  # UB_LIST_NETW_LAN, unless the section carries "option ignore 1".
  # What is LAN here is later allowed in access-control: and gets the
  # local host records; everything else ends up as WAN.
  local cfg="$1"
  local dev devlabel skip entry
  config_get_bool skip "$cfg" ignore 0
  network_get_device dev "$cfg"
  devlabel="${dev//./-}"
  [ "$skip" -eq 0 ] || return 0
  [ -n "$devlabel" ] || return 0
  [ -n "$UB_LIST_NETW_ALL" ] || return 0
  for entry in $UB_LIST_NETW_ALL ; do
    case $entry in
      "${devlabel}"@*)
        # Special GLA protection for local block; ULA protected as a category
        UB_LIST_NETW_LAN="$UB_LIST_NETW_LAN $entry"
        ;;
    esac
  done
}
  109. ##############################################################################
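bundle_wan_networks() {
  # Everything in UB_LIST_NETW_ALL that was not claimed as LAN is WAN.
  # Tokens are compared as whole space-delimited "<device>@<subnet>" words:
  # the former substring test (*"$ifsubnet"*) let a WAN token such as
  # "lan@10.0.0.1/8" be swallowed by a LAN token "br-lan@10.0.0.1/8" and
  # silently vanish from UB_LIST_NETW_WAN.
  local ifsubnet
  [ -n "$UB_LIST_NETW_ALL" ] || return 0
  for ifsubnet in $UB_LIST_NETW_ALL ; do
    case " $UB_LIST_NETW_LAN " in
      *" $ifsubnet "*)
        # If LAN, then not WAN ...
        ;;
      *)
        UB_LIST_NETW_WAN="$UB_LIST_NETW_WAN $ifsubnet"
        ;;
    esac
  done
}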
  125. ##############################################################################
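bundle_resolv_conf_servers() {
  # Append the upstream resolvers the WAN learnt (DHCP/PPP) to
  # UB_LIST_ZONE_SERVERS. Reads OpenWrt's /tmp/resolv.conf.auto unless an
  # optional first argument names another file.
  # Only genuine "nameserver <addr>" lines are taken: the former /nameserver/
  # regex also matched a commented-out "# nameserver ..." line.
  local conf="${1:-/tmp/resolv.conf.auto}"
  local resolvers
  [ -r "$conf" ] || return 0
  resolvers=$( awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$conf" )
  UB_LIST_ZONE_SERVERS="$UB_LIST_ZONE_SERVERS $resolvers"
}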
  130. ##############################################################################
bundle_zone_names() {
  # config_list_foreach callback: collect one "zone_name" list entry.
  local zone="$1"
  UB_LIST_ZONE_NAMES="${UB_LIST_ZONE_NAMES} ${zone}"
}
  134. ##############################################################################
bundle_zone_servers() {
  # config_list_foreach callback: collect one "server" list entry
  # (IP, IP@port, host name or host@port as typed in UCI).
  local srv="$1"
  UB_LIST_ZONE_SERVERS="${UB_LIST_ZONE_SERVERS} ${srv}"
}
  138. ##############################################################################
bundle_domain_insecure() {
  # config_list_foreach callback: collect one domain that is to be exempted
  # from DNSSEC validation (written as domain-insecure: by unbound_conf).
  local dom="$1"
  UB_LIST_INSECURE="${UB_LIST_INSECURE} ${dom}"
}
  142. ##############################################################################
unbound_mkdir() {
  # Prepare the chroot/working directory UB_VARDIR before Unbound starts:
  # copy /etc/unbound into it, provide root hints and a DNSSEC trust anchor,
  # copy the CA bundle, fix ownership/modes, optionally generate the
  # unbound-control key pair, and decide whether the clock can be trusted
  # (UB_B_READY / UB_B_NTP_BOOT, consumed by unbound_conf).
  # Runs as root from the init script; every path comes from defaults.sh.
  local filestuff
  if [ "$UB_D_DHCP_LINK" = "odhcpd" ] ; then
    local dhcp_origin=$( uci_get dhcp.@odhcpd[0].leasefile )
    local dhcp_dir=$( dirname $dhcp_origin )
    if [ ! -d "$dhcp_dir" ] ; then
      # make sure odhcpd has a directory to write (not done itself, yet)
      mkdir -p "$dhcp_dir"
    fi
  fi
  if [ -f $UB_RKEY_FILE ] ; then
    filestuff=$( cat $UB_RKEY_FILE )
    case "$filestuff" in
      *"state=2 [ VALID ]"*)
        # Lets not lose RFC 5011 tracking if we don't have to: a key that
        # Unbound has already accepted as VALID is saved across the blind
        # copy below and restored afterwards if it is the newer file.
        cp -p $UB_RKEY_FILE $UB_RKEY_FILE.keep
        ;;
    esac
  fi
  # Blind copy /etc/unbound to /var/lib/unbound. Everything the admin put in
  # /etc/unbound (manual conf overrides included) lands inside the jail.
  mkdir -p $UB_VARDIR
  rm -f $UB_VARDIR/dhcp_*
  touch $UB_TOTAL_CONF
  cp -p /etc/unbound/* $UB_VARDIR/
  if [ ! -f $UB_RHINT_FILE ] ; then
    if [ -f /usr/share/dns/root.hints ] ; then
      # Debian-like package dns-root-data
      cp -p /usr/share/dns/root.hints $UB_RHINT_FILE
    elif [ "$UB_B_READY" -eq 0 ] ; then
      logger -t unbound -s "default root hints (built in root-servers.net)"
    fi
  fi
  if [ ! -f $UB_RKEY_FILE ] ; then
    if [ -f /usr/share/dns/root.key ] ; then
      # Debian-like package dns-root-data
      cp -p /usr/share/dns/root.key $UB_RKEY_FILE
    elif [ -x $UB_ANCHOR ] ; then
      # unbound-anchor writes the root trust anchor; NOTE(review): presumably
      # it may fetch over the network here, before the clock is known good
      # (see UB_B_NTP_BOOT below) - confirm its fallback behaviour.
      $UB_ANCHOR -a $UB_RKEY_FILE
    elif [ "$UB_B_READY" -eq 0 ] ; then
      logger -t unbound -s "default trust anchor (built in root DS record)"
    fi
  fi
  if [ -f $UB_RKEY_FILE.keep ] ; then
    # root.key.keep is reused if newest
    cp -u $UB_RKEY_FILE.keep $UB_RKEY_FILE
    rm -f $UB_RKEY_FILE.keep
  fi
  if [ -f $UB_TLS_ETC_FILE ] ; then
    # copy the cert bundle into jail
    cp -p $UB_TLS_ETC_FILE $UB_TLS_FWD_FILE
  fi
  # Ensure access and prepare to jail.
  # NOTE(review): the recursive chown hands the unbound user ownership of the
  # generated *.conf as well as of the files it must update (trust anchor,
  # zone files, pid). A compromised resolver could thus rewrite the config
  # used at its next (re)start; chowning only the writable files would be
  # the least-privilege alternative - verify nothing relies on this.
  chown -R unbound:unbound $UB_VARDIR
  chmod 755 $UB_VARDIR
  chmod 644 $UB_VARDIR/*
  if [ -f $UB_CTLKEY_FILE -o -f $UB_CTLPEM_FILE \
       -o -f $UB_SRVKEY_FILE -o -f $UB_SRVPEM_FILE ] ; then
    # Keys (some) exist already; do not create new ones.
    # The blanket 644 above is undone for the private control material.
    chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
              $UB_SRVKEY_FILE $UB_SRVPEM_FILE
  elif [ -x /usr/sbin/unbound-control-setup ] ; then
    case "$UB_D_CONTROL" in
      [2-3])
        # unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static".
        # Fresh keys are tightened to 640 and copied back to /etc/unbound so
        # they survive the next blind copy into the jail.
        /usr/sbin/unbound-control-setup -d $UB_VARDIR
        chown -R unbound:unbound $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
                                 $UB_SRVKEY_FILE $UB_SRVPEM_FILE
        chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
                  $UB_SRVKEY_FILE $UB_SRVPEM_FILE
        cp -p $UB_CTLKEY_FILE /etc/unbound/unbound_control.key
        cp -p $UB_CTLPEM_FILE /etc/unbound/unbound_control.pem
        cp -p $UB_SRVKEY_FILE /etc/unbound/unbound_server.key
        cp -p $UB_SRVPEM_FILE /etc/unbound/unbound_server.pem
        ;;
    esac
  fi
  # Clock trust. UB_TIME_FILE is written once time is believed correct;
  # unbound_conf() disables DNSSEC date checks while UB_B_NTP_BOOT stays 1.
  if [ -f "$UB_TIME_FILE" ] ; then
    # NTP is done so its like you actually had an RTC
    UB_B_READY=1
    UB_B_NTP_BOOT=0
  elif [ "$UB_B_NTP_BOOT" -eq 0 ] ; then
    # time is considered okay on this device (ignore /etc/hotplug/ntpd/unbound)
    date -Is > $UB_TIME_FILE
    UB_B_READY=0
    UB_B_NTP_BOOT=0
  else
    # DNSSEC-TIME will not reconcile yet; wait for the NTP hotplug restart
    UB_B_READY=0
    UB_B_NTP_BOOT=1
  fi
}
  234. ##############################################################################
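unbound_control() {
  # Write the remote-control: clause (UB_CTRL_CONF) for unbound-control.
  # UB_D_CONTROL selects:
  #   0 - disabled; only the header line is written
  #   1 - loopback only, no TLS (control-use-cert: no)
  #   2 - loopback only, TLS with the key/pem files in the jail
  #   3 - every address, TLS; keys may have been generated by unbound_mkdir()
  #   4 - every address, TLS; keys must be supplied statically
  # Modes 2-4 fall back to 0 when any of the four key/pem files is missing,
  # so the control channel never comes up half configured.
  local keyfile missing=0
  echo "# $UB_CTRL_CONF generated by UCI $( date -Is )" > $UB_CTRL_CONF
  if [ "$UB_D_CONTROL" -gt 1 ] ; then
    # Key files need to be present; if unbound-control-setup was found, then
    # they might have been made during unbound_mkdir() above. Each path is
    # tested on its own and quoted, so an unset variable yields "missing"
    # instead of a malformed test that would skip the fallback.
    for keyfile in "$UB_CTLKEY_FILE" "$UB_CTLPEM_FILE" \
                   "$UB_SRVKEY_FILE" "$UB_SRVPEM_FILE" ; do
      [ -f "$keyfile" ] || missing=1
    done
    [ "$missing" -eq 0 ] || UB_D_CONTROL=0
  fi
  case "$UB_D_CONTROL" in
    1)
      {
        # Local Host Only Unencrypted Remote Control
        echo "remote-control:"
        echo " control-enable: yes"
        echo " control-use-cert: no"
        echo " control-interface: 127.0.0.1"
        echo " control-interface: ::1"
        echo
      } >> $UB_CTRL_CONF
      ;;
    2)
      {
        # Local Host Only Encrypted Remote Control
        echo "remote-control:"
        echo " control-enable: yes"
        echo " control-use-cert: yes"
        echo " control-interface: 127.0.0.1"
        echo " control-interface: ::1"
        echo " server-key-file: $UB_SRVKEY_FILE"
        echo " server-cert-file: $UB_SRVPEM_FILE"
        echo " control-key-file: $UB_CTLKEY_FILE"
        echo " control-cert-file: $UB_CTLPEM_FILE"
        echo
      } >> $UB_CTRL_CONF
      ;;
    [3-4])
      # Network Encrypted Remote Control
      # (3) may auto setup and (4) must have static key/pem files
      # TODO: add UCI list for interfaces to bind
      # SECURITY: 0.0.0.0/::0 exposes the control port (Unbound's default,
      # control-port: is not set here) on every interface, WAN included.
      # The client-certificate check is the only gate, so keep that port
      # firewalled towards untrusted zones until an interface list exists.
      logger -p 4 -t unbound -s \
        "remote control bound to all interfaces; firewall the control port on WAN"
      {
        echo "remote-control:"
        echo " control-enable: yes"
        echo " control-use-cert: yes"
        echo " control-interface: 0.0.0.0"
        echo " control-interface: ::0"
        echo " server-key-file: $UB_SRVKEY_FILE"
        echo " server-cert-file: $UB_SRVPEM_FILE"
        echo " control-key-file: $UB_CTLKEY_FILE"
        echo " control-cert-file: $UB_CTLPEM_FILE"
        echo
      } >> $UB_CTRL_CONF
      ;;
  esac
}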
  291. ##############################################################################
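unbound_zone() {
  # Translate one UCI "zone" section ($cfg) into Unbound syntax and append it
  # to UB_ZONE_CONF (the header is written on the first call). One clause is
  # produced per entry of the zone_name list, according to zone_type:
  #   auth_zone    - auth-zone: transferred from the "server" masters and/or
  #                  fetched from "url_dir" (used verbatim, so it must end in
  #                  "/"; "<name>.zone" is appended)
  #   forward_zone - forward-zone: to the "server" IPs/host names, plain on
  #                  "port" or over TLS on "tls_port" when tls_upstream=1
  #   stub_zone    - stub-zone: straight at authoritative IPs
  # "fallback" maps to fallback-enabled / forward-first / stub-first and
  # "resolv_conf" appends the WAN-learnt resolvers to the server list.
  # resolv_conf and zonename are declared local here; they used to leak
  # into the global namespace.
  local cfg=$1
  local servers_ip=""
  local servers_host=""
  local zone_sym zone_name zone_type zone_enabled zone_file zonename
  local tls_upstream fallback resolv_conf
  local server port tls_port tls_index tls_suffix url_dir
  if [ ! -f "$UB_ZONE_CONF" ] ; then
    echo "# $UB_ZONE_CONF generated by UCI $( date -Is )" > $UB_ZONE_CONF
  fi
  config_get_bool zone_enabled "$cfg" enabled 0
  if [ "$zone_enabled" -eq 1 ] ; then
    # these lists are built for each zone; empty to start
    UB_LIST_ZONE_NAMES=""
    UB_LIST_ZONE_SERVERS=""
    config_get zone_type "$cfg" zone_type ""
    config_get port "$cfg" port ""
    config_get tls_index "$cfg" tls_index ""
    config_get tls_port "$cfg" tls_port 853
    config_get url_dir "$cfg" url_dir ""
    config_get_bool resolv_conf "$cfg" resolv_conf 0
    config_get_bool fallback "$cfg" fallback 1
    config_get_bool tls_upstream "$cfg" tls_upstream 0
    config_list_foreach "$cfg" zone_name bundle_zone_names
    config_list_foreach "$cfg" server bundle_zone_servers
    # string formatting for Unbound syntax: "<addr>@<port>#<auth name>".
    # SECURITY: Unbound only verifies the upstream certificate against the
    # "#name" part; without a tls_index the TLS forward is encrypted but the
    # peer is not authenticated (privacy only, no MITM resistance).
    tls_suffix="${tls_port:+@${tls_port}${tls_index:+#${tls_index}}}"
    [ "$fallback" -eq 0 ] && fallback=no || fallback=yes
    [ "$tls_upstream" -eq 0 ] && tls_upstream=no || tls_upstream=yes
    if [ "$resolv_conf" -eq 1 ] ; then
      bundle_resolv_conf_servers
    fi
  else
    zone_type=skip
  fi
  case $zone_type in
    auth_zone)
      if [ -n "$UB_LIST_ZONE_NAMES" \
           -a \( -n "$url_dir" -o -n "$UB_LIST_ZONE_SERVERS" \) ] ; then
        for zone_name in $UB_LIST_ZONE_NAMES ; do
          if [ "$zone_name" = "." ] ; then
            zone_sym=.
            zone_name=root
            zone_file=root.zone
          else
            zone_sym=$zone_name
            zone_file=$zone_name.zone
            # a trailing-dot zone name would give "name..zone"; collapse it
            zone_file=${zone_file//../.}
          fi
          {
            # generate an auth-zone: with switches for prefetch cache
            echo "auth-zone:"
            echo " name: $zone_sym"
            for server in $UB_LIST_ZONE_SERVERS ; do
              echo " master: $server${port:+@${port}}"
            done
            if [ -n "$url_dir" ] ; then
              echo " url: $url_dir$zone_file"
            fi
            echo " fallback-enabled: $fallback"
            echo " for-downstream: no"
            echo " for-upstream: yes"
            echo " zonefile: $zone_file"
            echo
          } >> $UB_ZONE_CONF
        done
      fi
      ;;
    forward_zone)
      if [ ! -f $UB_TLS_FWD_FILE -a "$tls_upstream" = "yes" ] ; then
        # without a CA bundle in the jail no certificate can be verified
        logger -p 4 -t unbound -s \
          "Forward-zone TLS benefits from authentication in package 'ca-bundle'"
      fi
      if [ -n "$UB_LIST_ZONE_NAMES" -a -n "$UB_LIST_ZONE_SERVERS" ] ; then
        # Sort servers into forward-host: (names) and forward-addr: (IPs).
        # Entries that already carry "@port" are passed through untouched,
        # so a user-supplied "IP@port" also skips the TLS "#name" suffix.
        for server in $UB_LIST_ZONE_SERVERS ; do
          if [ "$( valid_subnet_any $server )" = "not" ] ; then
            case $server in
              *@[0-9]*)
                # unique Unbound option for server host name
                servers_host="$servers_host $server"
                ;;
              *)
                if [ "$tls_upstream" = "yes" ] ; then
                  servers_host="$servers_host $server${tls_port:+@${tls_port}}"
                else
                  servers_host="$servers_host $server${port:+@${port}}"
                fi
                ;;
            esac
          else
            case $server in
              *[0-9]@[0-9]*)
                # unique Unbound option for server address
                servers_ip="$servers_ip $server"
                ;;
              *)
                if [ "$tls_upstream" = "yes" ] ; then
                  servers_ip="$servers_ip $server$tls_suffix"
                else
                  servers_ip="$servers_ip $server${port:+@${port}}"
                fi
                ;;
            esac
          fi
        done
        for zonename in $UB_LIST_ZONE_NAMES ; do
          {
            # generate a forward-zone with or without tls
            echo "forward-zone:"
            echo " name: $zonename"
            for server in $servers_host ; do
              echo " forward-host: $server"
            done
            for server in $servers_ip ; do
              echo " forward-addr: $server"
            done
            echo " forward-first: $fallback"
            echo " forward-tls-upstream: $tls_upstream"
            echo
          } >> $UB_ZONE_CONF
        done
      fi
      ;;
    stub_zone)
      if [ -n "$UB_LIST_ZONE_NAMES" -a -n "$UB_LIST_ZONE_SERVERS" ] ; then
        for zonename in $UB_LIST_ZONE_NAMES ; do
          {
            # generate a stub-zone: or ensure short cut to authority NS
            echo "stub-zone:"
            echo " name: $zonename"
            for server in $UB_LIST_ZONE_SERVERS ; do
              echo " stub-addr: $server${port:+@${port}}"
            done
            echo " stub-first: $fallback"
            echo
          } >> $UB_ZONE_CONF
        done
      fi
      ;;
  esac
}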
  431. ##############################################################################
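unbound_conf() {
  # Write the server: clause of the generated configuration (UB_CORE_CONF):
  # chroot/user, logging, listening protocol, resource sizing, module order
  # (dns64 / validator / iterator), recursion profile, TTL policy,
  # private-address filtering and finally the access-control: list.
  # Reads the UB_* settings from the top of this file (as overridden by
  # unbound_uci) and the interface lists UB_LIST_NETW_ALL / UB_LIST_NETW_LAN
  # built by the bundle_*_networks callbacks.
  #
  # Access control fails CLOSED: when local_service is on but no interface
  # subnet is known (network not up yet), only loopback/link-local are
  # allowed instead of silently falling back to an open resolver.
  local rt_mem rt_conn rt_buff modulestring domain ifsubnet
  local ifaces outifaces do4 do6 prefer6 addr
  local qmin qminstrict prefetch prefetchkey fetchpolicy
  {
    # server: for this whole function
    echo "# $UB_CORE_CONF generated by UCI $( date -Is )"
    echo "server:"
    echo " username: unbound"
    echo " chroot: $UB_VARDIR"
    echo " directory: $UB_VARDIR"
    echo " pidfile: $UB_PIDFILE"
  } > $UB_CORE_CONF
  if [ -f "$UB_TLS_FWD_FILE" ] ; then
    # TLS cert bundle for upstream forwarder and https zone files.
    # Read before the chroot; unbound_mkdir() also copies it into the jail
    # so the same path works in both views.
    echo " tls-cert-bundle: $UB_TLS_FWD_FILE" >> $UB_CORE_CONF
  fi
  if [ -f "$UB_RHINT_FILE" ] ; then
    # Optional hints if found
    echo " root-hints: $UB_RHINT_FILE" >> $UB_CORE_CONF
  fi
  if [ "$UB_B_DNSSEC" -gt 0 -a -f "$UB_RKEY_FILE" ] ; then
    {
      # RFC 5011 managed root trust anchor; Unbound rewrites this file itself
      echo " auto-trust-anchor-file: $UB_RKEY_FILE"
      echo
    } >> $UB_CORE_CONF
  else
    echo >> $UB_CORE_CONF
  fi
  {
    # No threading
    echo " num-threads: 1"
    echo " msg-cache-slabs: 1"
    echo " rrset-cache-slabs: 1"
    echo " infra-cache-slabs: 1"
    echo " key-cache-slabs: 1"
    echo
    # Logging
    echo " use-syslog: yes"
    echo " statistics-interval: 0"
    echo " statistics-cumulative: no"
  } >> $UB_CORE_CONF
  if [ "$UB_D_VERBOSE" -ge 0 -a "$UB_D_VERBOSE" -le 5 ] ; then
    echo " verbosity: $UB_D_VERBOSE" >> $UB_CORE_CONF
  fi
  if [ "$UB_B_EXT_STATS" -gt 0 ] ; then
    {
      # Log More
      echo " extended-statistics: yes"
      echo
    } >> $UB_CORE_CONF
  else
    {
      # Log Less
      echo " extended-statistics: no"
      echo
    } >> $UB_CORE_CONF
  fi
  # Listening and outgoing protocol. Every mode listens on the wildcard
  # addresses (access control is what limits clients, see below); the modes
  # differ in outgoing interfaces and the do-ip4/do-ip6/prefer-ip6 switches.
  # The unknown/default mode leaves those to Unbound's own defaults.
  ifaces="0.0.0.0 ::0" ; outifaces="" ; do4="" ; do6="" ; prefer6=""
  case "$UB_D_PROTOCOL" in
    ip4_only)
      ifaces="0.0.0.0" ; outifaces="0.0.0.0" ; do4=yes ; do6=no
      ;;
    ip6_only)
      ifaces="::0" ; outifaces="::0" ; do4=no ; do6=yes
      ;;
    ip6_local)
      # dual-stack listener, IP4-only outgoing interface
      outifaces="0.0.0.0" ; do4=yes ; do6=yes
      ;;
    ip6_prefer)
      outifaces="0.0.0.0 ::0" ; do4=yes ; do6=yes ; prefer6=yes
      ;;
    mixed)
      # Interface Wildcard (access control handled by "option local_service")
      outifaces="0.0.0.0 ::0" ; do4=yes ; do6=yes
      ;;
    *)
      if [ "$UB_B_READY" -eq 0 ] ; then
        logger -t unbound -s "default protocol configuration"
      fi
      ;;
  esac
  {
    echo " edns-buffer-size: $UB_N_EDNS_SIZE"
    echo " port: $UB_N_RX_PORT"
    # wide source-port range for outgoing queries
    echo " outgoing-port-permit: 10240-65535"
    for addr in $ifaces ; do
      echo " interface: $addr"
    done
    for addr in $outifaces ; do
      echo " outgoing-interface: $addr"
    done
    [ -n "$do4" ] && echo " do-ip4: $do4"
    [ -n "$do6" ] && echo " do-ip6: $do6"
    [ -n "$prefer6" ] && echo " prefer-ip6: $prefer6"
    echo
  } >> $UB_CORE_CONF
  case "$UB_D_RESOURCE" in
    # Tiny - Unbound's recommended cheap hardware config
    tiny) rt_mem=1 ; rt_conn=2 ; rt_buff=1 ;;
    # Small - Half RRCACHE and open ports
    small) rt_mem=8 ; rt_conn=10 ; rt_buff=2 ;;
    # Medium - Nearly default but with some added balancing
    medium) rt_mem=16 ; rt_conn=15 ; rt_buff=4 ;;
    # Large - Double medium
    large) rt_mem=32 ; rt_conn=20 ; rt_buff=4 ;;
    # Whatever unbound does
    *) rt_mem=0 ; rt_conn=0 ; rt_buff=0 ;;
  esac
  if [ "$rt_mem" -gt 0 ] ; then
    {
      # Other hardening and options for an embedded router.
      # use-caps-for-id: no gives up 0x20 case randomisation (some extra
      # spoofing resistance) in favour of compatibility with odd servers.
      echo " harden-short-bufsize: yes"
      echo " harden-large-queries: yes"
      echo " harden-glue: yes"
      echo " use-caps-for-id: no"
      echo
      # Set memory sizing parameters
      echo " msg-buffer-size: $(($rt_buff*8192))"
      echo " outgoing-range: $(($rt_conn*32))"
      echo " num-queries-per-thread: $(($rt_conn*16))"
      echo " outgoing-num-tcp: $(($rt_conn))"
      echo " incoming-num-tcp: $(($rt_conn))"
      echo " rrset-cache-size: $(($rt_mem*256))k"
      echo " msg-cache-size: $(($rt_mem*128))k"
      echo " key-cache-size: $(($rt_mem*128))k"
      echo " neg-cache-size: $(($rt_mem*64))k"
      echo " infra-cache-numhosts: $(($rt_mem*256))"
      echo
    } >> $UB_CORE_CONF
  elif [ "$UB_B_READY" -eq 0 ] ; then
    logger -t unbound -s "default memory configuration"
  fi
  # Assembly of module-config: options is tricky; order matters
  modulestring="iterator"
  if [ "$UB_B_DNSSEC" -gt 0 ] ; then
    if [ "$UB_B_NTP_BOOT" -gt 0 ] ; then
      # DNSSEC chicken and egg with getting NTP time.
      # SECURITY: -1 disables signature validity-window checks, so expired
      # or not-yet-valid RRSIGs are accepted until the NTP hotplug restarts
      # Unbound with a trusted clock (see unbound_mkdir / UB_TIME_FILE).
      echo " val-override-date: -1" >> $UB_CORE_CONF
    fi
    {
      echo " harden-dnssec-stripped: yes"
      echo " val-clean-additional: yes"
      echo " ignore-cd-flag: yes"
    } >> $UB_CORE_CONF
    modulestring="validator $modulestring"
  fi
  if [ "$UB_B_DNS64" -gt 0 ] ; then
    echo " dns64-prefix: $UB_IP_DNS64" >> $UB_CORE_CONF
    modulestring="dns64 $modulestring"
  fi
  {
    # Print final module string
    echo " module-config: \"$modulestring\""
    echo
  } >> $UB_CORE_CONF
  # Recursion profile. qname minimisation is shared by both profiles;
  # they differ in prefetching. An unknown profile writes nothing.
  if [ "$UB_B_QRY_MINST" -gt 0 -a "$UB_B_QUERY_MIN" -gt 0 ] ; then
    qmin=yes ; qminstrict=yes
  elif [ "$UB_B_QUERY_MIN" -gt 0 ] ; then
    qmin=yes ; qminstrict=""
  else
    qmin=no ; qminstrict=""
  fi
  prefetch=""
  case "$UB_D_RECURSION" in
    passive)
      # On demand fetching
      prefetch=no ; prefetchkey=no ; fetchpolicy="0 0 0 0 0"
      ;;
    aggressive)
      # Prefetch what can be
      prefetch=yes ; prefetchkey=yes ; fetchpolicy="3 2 1 0 0"
      ;;
    *)
      if [ "$UB_B_READY" -eq 0 ] ; then
        logger -t unbound -s "default recursion configuration"
      fi
      ;;
  esac
  if [ -n "$prefetch" ] ; then
    {
      # Some query privacy but "strict" will break some servers
      echo " qname-minimisation: $qmin"
      [ -n "$qminstrict" ] && echo " qname-minimisation-strict: $qminstrict"
      # Use DNSSEC to quickly understand NXDOMAIN ranges
      if [ "$UB_B_DNSSEC" -gt 0 ] ; then
        echo " aggressive-nsec: yes"
        echo " prefetch-key: $prefetchkey"
      fi
      echo " prefetch: $prefetch"
      echo " target-fetch-policy: \"$fetchpolicy\""
      echo
    } >> $UB_CORE_CONF
  fi
  {
    # Reload records more than 20 hours old
    # DNSSEC 5 minute bogus cool down before retry
    # Adaptive infrastructure info kept for 15 minutes
    echo " cache-min-ttl: $UB_TTL_MIN"
    echo " cache-max-ttl: 72000"
    echo " val-bogus-ttl: 300"
    echo " infra-host-ttl: 900"
    echo
  } >> $UB_CORE_CONF
  if [ "$UB_B_HIDE_BIND" -gt 0 ] ; then
    {
      # Block server id and version DNS TXT records
      echo " hide-identity: yes"
      echo " hide-version: yes"
      echo
    } >> $UB_CORE_CONF
  fi
  if [ "$UB_D_PRIV_BLCK" -gt 0 ] ; then
    {
      # Remove _upstream_ or global responses with private addresses
      # (DNS rebinding protection). Unbound's own "local zone" and
      # "forward zone" may still use these.
      # RFC1918, RFC3927, RFC4291, RFC6598, RFC6890
      echo " private-address: 10.0.0.0/8"
      echo " private-address: 100.64.0.0/10"
      echo " private-address: 169.254.0.0/16"
      echo " private-address: 172.16.0.0/12"
      echo " private-address: 192.168.0.0/16"
      echo " private-address: fc00::/7"
      echo " private-address: fe80::/10"
      echo
    } >> $UB_CORE_CONF
  fi
  if [ -n "$UB_LIST_NETW_LAN" -a "$UB_D_PRIV_BLCK" -gt 1 ] ; then
    {
      for ifsubnet in $UB_LIST_NETW_LAN ; do
        case $ifsubnet in
          *@[1-9][0-9a-f][0-9a-f][0-9a-f]:*:[0-9a-f]*)
            # Remove global DNS responses with your local network IP6 GLA
            echo " private-address: ${ifsubnet#*@}"
            ;;
        esac
      done
      echo
    } >> $UB_CORE_CONF
  fi
  if [ "$UB_B_LOCL_BLCK" -gt 0 ] ; then
    {
      # Remove DNS responses from upstream with loopback IP
      # Black hole DNS method for ad blocking, so consider...
      echo " private-address: 127.0.0.0/8"
      echo " private-address: ::1/128"
      echo
    } >> $UB_CORE_CONF
  fi
  if [ -n "$UB_LIST_INSECURE" ] ; then
    {
      for domain in $UB_LIST_INSECURE ; do
        # Except and accept domains without (DNSSEC); work around broken domains
        echo " domain-insecure: $domain"
      done
      echo
    } >> $UB_CORE_CONF
  fi
  if [ "$UB_B_LOCL_SERV" -gt 0 ] ; then
    if [ -n "$UB_LIST_NETW_ALL" ] ; then
      {
        for ifsubnet in $UB_LIST_NETW_ALL ; do
          # Only respond to queries from subnets which have an interface.
          # Prevent DNS amplification attacks by not responding to the universe.
          echo " access-control: ${ifsubnet#*@} allow"
        done
        echo " access-control: 127.0.0.0/8 allow"
        echo " access-control: ::1/128 allow"
        echo " access-control: fe80::/10 allow"
        echo
      } >> $UB_CORE_CONF
    else
      # Fail closed. local_service was requested but no interface subnet is
      # known (e.g. network not up yet). Previously this fell through to
      # "0.0.0.0/0 allow", i.e. an open resolver on the wildcard listeners
      # above. Serve loopback and link-local only; a later reload with the
      # subnets present restores normal service.
      logger -p 4 -t unbound -s \
        "no interface subnets found; access-control limited to localhost"
      {
        echo " access-control: 127.0.0.0/8 allow"
        echo " access-control: ::1/128 allow"
        echo " access-control: fe80::/10 allow"
        echo
      } >> $UB_CORE_CONF
    fi
  else
    {
      # Explicit open resolver (option local_service 0): anyone who reaches
      # port 53 on any interface may query. Rely on the firewall for WAN.
      echo " access-control: 0.0.0.0/0 allow"
      echo " access-control: ::0/0 allow"
      echo
    } >> $UB_CORE_CONF
  fi
}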
  768. ##############################################################################
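unbound_hostname_records() {
  # Helper for unbound_hostname(): write the PTR and A/AAAA local-data of
  # one "<device>@<addr>/<len>" token to UB_HOST_CONF.
  #   $1 token, $2 FQDN level (UB_D_LAN_FQDN or UB_D_WAN_FQDN),
  #   $3 "<hostname>.<domain>", $4 ULA prefix (or a dummy that never matches)
  # Level 4 publishes "<device>.<host>.<domain>", the host FQDN and the bare
  # hostname; level 3 drops the interface name; levels 1-2 only the bare
  # hostname. ULA and IP4 addresses are published at every level, other
  # (global) IP6 addresses only at level > 1.
  local entry="$1" level="$2" hostfqdn="$3" ulaprefix="$4"
  local ifaddr ifname iffqdn names name ptrrec namerec
  ifaddr=${entry#*@}
  ifaddr=${ifaddr%/*}
  ifname=${entry%@*}
  iffqdn="$ifname.$hostfqdn"
  if [ "$level" -eq 4 ] ; then
    names="$iffqdn $hostfqdn $UB_TXT_HOSTNAME"
    ptrrec=" local-data-ptr: \"$ifaddr 300 $iffqdn\""
  elif [ "$level" -eq 3 ] ; then
    names="$hostfqdn $UB_TXT_HOSTNAME"
    ptrrec=" local-data-ptr: \"$ifaddr 300 $hostfqdn\""
  else
    names="$UB_TXT_HOSTNAME"
    ptrrec=" local-data-ptr: \"$ifaddr 300 $UB_TXT_HOSTNAME\""
  fi
  echo "$ptrrec" >> $UB_HOST_CONF
  for name in $names ; do
    case $ifaddr in
      "${ulaprefix}"*)
        # IP6 ULA only is assigned for OPTION 1
        namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
        echo "$namerec" >> $UB_HOST_CONF
        ;;
      [1-9]*.*[0-9])
        namerec=" local-data: \"$name. 300 IN A $ifaddr\""
        echo "$namerec" >> $UB_HOST_CONF
        ;;
      *)
        if [ "$level" -gt 1 ] ; then
          # IP6 GLA is assigned for higher options
          namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
          echo "$namerec" >> $UB_HOST_CONF
        fi
        ;;
    esac
  done
  echo >> $UB_HOST_CONF
}
##############################################################################
unbound_hostname() {
  # Write the local zone file UB_HOST_CONF: the router's domain
  # (UB_TXT_DOMAIN), "local" (RFC 6762) and the bare hostname as local
  # zones, reverse zones for the interface subnets, and A/AAAA/PTR records
  # for each interface address according to UB_D_LAN_FQDN / UB_D_WAN_FQDN.
  # When dnsmasq owns the local zone only a comment is written.
  #
  # zonetype from UB_D_DOMAIN_TYPE:
  #   deny|inform_deny|refuse|static -> 2: the domain, "local" and the LAN
  #       reverse zones are answered from this file only (never upstream)
  #   transparent|typetransparent    -> 1: names not defined here may still
  #       be resolved via forward-zone:/stub-zone: clauses
  # The LAN and WAN record loops were identical apart from the level
  # variable; both now go through unbound_hostname_records().
  local ifsubnet ifarpa ifaddr
  local ulaprefix hostfqdn
  local zonetype=0
  echo "# $UB_HOST_CONF generated by UCI $( date -Is )" > $UB_HOST_CONF
  if [ "$UB_D_DHCP_LINK" = "dnsmasq" ] ; then
    {
      echo "# Local zone is handled by dnsmasq"
      echo
    } >> $UB_HOST_CONF
    return 0
  fi
  # nothing to publish without a domain or with both FQDN levels at 0
  [ -n "$UB_TXT_DOMAIN" ] || return 0
  if [ "$UB_D_WAN_FQDN" -le 0 ] && [ "$UB_D_LAN_FQDN" -le 0 ] ; then
    return 0
  fi
  case "$UB_D_DOMAIN_TYPE" in
    deny|inform_deny|refuse|static)
      {
        # type static means only this router has your domain.
        # domain-insecure keeps the validator from rejecting the unsigned
        # local data, private-domain lets it carry private addresses past
        # the private-address filter, and the zone type stops lookups under
        # it from ever leaving for the upstream.
        echo " domain-insecure: $UB_TXT_DOMAIN"
        echo " private-domain: $UB_TXT_DOMAIN"
        echo " local-zone: $UB_TXT_DOMAIN $UB_D_DOMAIN_TYPE"
        echo " local-data: \"$UB_TXT_DOMAIN. $UB_XSOA\""
        echo " local-data: \"$UB_TXT_DOMAIN. $UB_XNS\""
        echo " local-data: '$UB_TXT_DOMAIN. $UB_XTXT'"
        echo
        # avoid upstream involvement in RFC6762 (.local is mDNS territory)
        echo " domain-insecure: local"
        echo " private-domain: local"
        echo " local-zone: local $UB_D_DOMAIN_TYPE"
        echo " local-data: \"local. $UB_XSOA\""
        echo " local-data: \"local. $UB_XNS\""
        echo " local-data: 'local. $UB_LTXT'"
        echo
      } >> $UB_HOST_CONF
      zonetype=2
      ;;
    transparent|typetransparent)
      {
        # transparent will permit forward-zone: or stub-zone: clauses
        echo " private-domain: $UB_TXT_DOMAIN"
        echo " local-zone: $UB_TXT_DOMAIN $UB_D_DOMAIN_TYPE"
        echo
      } >> $UB_HOST_CONF
      zonetype=1
      ;;
  esac
  {
    # Hostname as TLD works, but not transparent through recursion (singular)
    echo " domain-insecure: $UB_TXT_HOSTNAME"
    echo " private-domain: $UB_TXT_HOSTNAME"
    echo " local-zone: $UB_TXT_HOSTNAME static"
    echo " local-data: \"$UB_TXT_HOSTNAME. $UB_XSOA\""
    echo " local-data: \"$UB_TXT_HOSTNAME. $UB_XNS\""
    echo " local-data: '$UB_TXT_HOSTNAME. $UB_XTXT'"
    echo
  } >> $UB_HOST_CONF
  if [ -n "$UB_LIST_NETW_WAN" ] ; then
    for ifsubnet in $UB_LIST_NETW_WAN ; do
      ifaddr=${ifsubnet#*@}
      ifaddr=${ifaddr%/*}
      # reverse name of the single WAN address, not of its subnet
      ifarpa=$( host_ptr_any "$ifaddr" )
      if [ -n "$ifarpa" ] ; then
        if [ "$UB_D_WAN_FQDN" -gt 0 ] ; then
          {
            # Create a static zone for WAN host record only (singular).
            # private-address drops upstream answers that carry our own
            # WAN address (rebinding protection for the router itself).
            echo " domain-insecure: $ifarpa"
            echo " private-address: $ifaddr"
            echo " local-zone: $ifarpa static"
            echo " local-data: \"$ifarpa. $UB_XSOA\""
            echo " local-data: \"$ifarpa. $UB_XNS\""
            echo " local-data: '$ifarpa. $UB_MTXT'"
            echo
          } >> $UB_HOST_CONF
        elif [ "$zonetype" -gt 0 ] ; then
          {
            echo " local-zone: $ifarpa transparent"
            echo
          } >> $UB_HOST_CONF
        fi
      fi
    done
  fi
  if [ -n "$UB_LIST_NETW_LAN" ] ; then
    for ifsubnet in $UB_LIST_NETW_LAN ; do
      # reverse zone for the whole LAN prefix
      ifarpa=$( domain_ptr_any "${ifsubnet#*@}" )
      if [ -n "$ifarpa" ] ; then
        if [ "$zonetype" -eq 2 ] ; then
          {
            # Do NOT forward queries with your ip6.arpa or in-addr.arpa
            echo " domain-insecure: $ifarpa"
            echo " local-zone: $ifarpa static"
            echo " local-data: \"$ifarpa. $UB_XSOA\""
            echo " local-data: \"$ifarpa. $UB_XNS\""
            echo " local-data: '$ifarpa. $UB_XTXT'"
            echo
          } >> $UB_HOST_CONF
        elif [ "$zonetype" -eq 1 -a "$UB_D_PRIV_BLCK" -eq 0 ] ; then
          {
            echo " local-zone: $ifarpa transparent"
            echo
          } >> $UB_HOST_CONF
        fi
      fi
    done
  fi
  # "fd12:3456:789a::/48" -> "fd12:3456:789a:" for a prefix glob below
  ulaprefix=$( uci_get network.@globals[0].ula_prefix )
  ulaprefix=${ulaprefix%%:/*}
  hostfqdn="$UB_TXT_HOSTNAME.$UB_TXT_DOMAIN"
  if [ -z "$ulaprefix" ] ; then
    # Nonsense so this option isn't globbed below
    ulaprefix="fdno:such:addr::"
  fi
  if [ -n "$UB_LIST_NETW_LAN" -a "$UB_D_LAN_FQDN" -gt 0 ] ; then
    for ifsubnet in $UB_LIST_NETW_LAN ; do
      unbound_hostname_records "$ifsubnet" "$UB_D_LAN_FQDN" \
                               "$hostfqdn" "$ulaprefix"
    done
  fi
  if [ -n "$UB_LIST_NETW_WAN" -a "$UB_D_WAN_FQDN" -gt 0 ] ; then
    for ifsubnet in $UB_LIST_NETW_WAN ; do
      unbound_hostname_records "$ifsubnet" "$UB_D_WAN_FQDN" \
                               "$hostfqdn" "$ulaprefix"
    done
  fi
}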
  965. ##############################################################################
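unbound_uci() {
  # Load the UCI "unbound" section named in $1 into the UB_* globals that the
  # later stages (unbound_conf, unbound_hostname, ...) render into unbound.conf.
  # config_get / config_get_bool / uci_get are the OpenWrt config helpers; every
  # setting falls back to the default given on its line when unset.
  #
  # The three numeric settings that unbound refuses to start with when they are
  # malformed (edns_size, listen_port, ttl_min) are sanity-checked here. Note
  # that "[ x -lt y ]" on a non-integer is an *error*, not a false result, so
  # such values are explicitly mapped onto the out-of-range path first;
  # otherwise a typo in /etc/config/unbound would be copied verbatim into
  # unbound.conf and leave the router without a working resolver.
  local cfg="$1"
  local hostnm
  hostnm=$( uci_get system.@system[0].hostname | awk '{print tolower($0)}' )
  UB_TXT_HOSTNAME=${hostnm:-thisrouter}
  config_get_bool UB_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0
  config_get_bool UB_B_DNS64 "$cfg" dns64 0
  config_get_bool UB_B_EXT_STATS "$cfg" extended_stats 0
  config_get_bool UB_B_HIDE_BIND "$cfg" hide_binddata 1
  config_get_bool UB_B_LOCL_SERV "$cfg" localservice 1
  config_get_bool UB_B_MAN_CONF "$cfg" manual_conf 0
  config_get_bool UB_B_QUERY_MIN "$cfg" query_minimize 0
  config_get_bool UB_B_QRY_MINST "$cfg" query_min_strict 0
  config_get_bool UB_B_AUTH_ROOT "$cfg" prefetch_root 0
  config_get_bool UB_B_LOCL_BLCK "$cfg" rebind_localhost 0
  config_get_bool UB_B_DNSSEC "$cfg" validator 0
  config_get_bool UB_B_NTP_BOOT "$cfg" validator_ntp 1
  config_get UB_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96"
  config_get UB_N_EDNS_SIZE "$cfg" edns_size 1280
  config_get UB_N_RX_PORT "$cfg" listen_port 53
  config_get UB_N_ROOT_AGE "$cfg" root_age 9
  config_get UB_D_CONTROL "$cfg" unbound_control 0
  config_get UB_D_DOMAIN_TYPE "$cfg" domain_type static
  config_get UB_D_DHCP_LINK "$cfg" dhcp_link none
  config_get UB_D_EXTRA_DNS "$cfg" add_extra_dns 0
  config_get UB_D_LAN_FQDN "$cfg" add_local_fqdn 0
  config_get UB_D_PRIV_BLCK "$cfg" rebind_protection 1
  config_get UB_D_PROTOCOL "$cfg" protocol mixed
  config_get UB_D_RECURSION "$cfg" recursion passive
  config_get UB_D_RESOURCE "$cfg" resource small
  config_get UB_D_VERBOSE "$cfg" verbosity 1
  config_get UB_D_WAN_FQDN "$cfg" add_wan_fqdn 0
  config_get UB_TTL_MIN "$cfg" ttl_min 120
  config_get UB_TXT_DOMAIN "$cfg" domain lan
  config_list_foreach "$cfg" domain_insecure bundle_domain_insecure

  # Legacy boolean "dnsmasq_link_dns" is mapped onto dhcp_link=dnsmasq. The
  # deprecation notice is only logged while UB_B_READY is 0 (presumably the
  # initial configuration pass -- confirm against the caller).
  if [ "$UB_D_DHCP_LINK" = "none" ] ; then
    config_get_bool UB_B_DNSMASQ "$cfg" dnsmasq_link_dns 0
    if [ "$UB_B_DNSMASQ" -gt 0 ] ; then
      UB_D_DHCP_LINK=dnsmasq
      if [ "$UB_B_READY" -eq 0 ] ; then
        logger -t unbound -s "Please use 'dhcp_link' selector instead"
      fi
    fi
  fi

  # A dhcp_link target is only honoured when its daemon is installed and its
  # init script is enabled; otherwise fall back to "none" instead of
  # forwarding to (or expecting records from) a service that is not there.
  if [ "$UB_D_DHCP_LINK" = "dnsmasq" ] ; then
    if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then
      UB_D_DHCP_LINK=none
    else
      /etc/init.d/dnsmasq enabled || UB_D_DHCP_LINK=none
    fi
    if [ "$UB_B_READY" -eq 0 -a "$UB_D_DHCP_LINK" = "none" ] ; then
      logger -t unbound -s "cannot forward to dnsmasq"
    fi
  fi
  if [ "$UB_D_DHCP_LINK" = "odhcpd" ] ; then
    if [ ! -x /usr/sbin/odhcpd -o ! -x /etc/init.d/odhcpd ] ; then
      UB_D_DHCP_LINK=none
    else
      /etc/init.d/odhcpd enabled || UB_D_DHCP_LINK=none
    fi
    if [ "$UB_B_READY" -eq 0 -a "$UB_D_DHCP_LINK" = "none" ] ; then
      logger -t unbound -s "cannot receive records from odhcpd"
    fi
  fi

  # edns_size: anything that is not a plain decimal (empty, negative, text)
  # is forced out of range so the default is applied.
  case "$UB_N_EDNS_SIZE" in
    ""|*[!0-9]*) UB_N_EDNS_SIZE=0 ;;
  esac
  if [ "$UB_N_EDNS_SIZE" -lt 512 -o 4096 -lt "$UB_N_EDNS_SIZE" ] ; then
    logger -t unbound -s "edns_size exceeds range, using default"
    UB_N_EDNS_SIZE=1280
  fi

  # listen_port: 53 or an unprivileged port up to 10240; non-numeric input is
  # forced to 0 so it takes the same "using default" path.
  case "$UB_N_RX_PORT" in
    ""|*[!0-9]*) UB_N_RX_PORT=0 ;;
  esac
  if [ "$UB_N_RX_PORT" -ne 53 \
      -a \( "$UB_N_RX_PORT" -lt 1024 -o 10240 -lt "$UB_N_RX_PORT" \) ] ; then
    logger -t unbound -s "privileged port or in 5 digits, using default"
    UB_N_RX_PORT=53
  fi

  # ttl_min: capped at 1800s; a non-numeric value is pushed just past the
  # cap so it is replaced by the 300s fallback with the same log line.
  case "$UB_TTL_MIN" in
    ""|*[!0-9]*) UB_TTL_MIN=1801 ;;
  esac
  if [ "$UB_TTL_MIN" -gt 1800 ] ; then
    logger -t unbound -s "ttl_min could have had awful side effects, using 300"
    UB_TTL_MIN=300
  fi
}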
  1045. ##############################################################################
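unbound_include() {
  # Assemble $UB_TOTAL_CONF (the unbound.conf actually loaded) from the
  # fragments the earlier UCI stages wrote into $UB_VARDIR (tmpfs). Order is
  # what unbound expects: "server:" material first (core options, host
  # records, dnsmasq forwarding, DHCP seed, adblock lists, the user's own
  # server overrides), then the forward/stub/auth zones, the control clause,
  # the dnsmasq extension and finally the user's extension file.
  # Generated fragments are copied in and deleted; user-maintained files are
  # referenced with "include:" and never modified.
  # Every path is quoted on purpose: with an empty or unset UB_*_CONF an
  # unquoted "[ -f $x ]" is true, and "cat >> file" with no source would then
  # block reading stdin instead of skipping the fragment.
  echo "# $UB_TOTAL_CONF generated by UCI $( date -Is )" > "$UB_TOTAL_CONF"

  if [ -f "$UB_CORE_CONF" ] ; then
    # Main "server:" options rendered from UCI.
    cat "$UB_CORE_CONF" >> "$UB_TOTAL_CONF"
    rm "$UB_CORE_CONF"
  fi
  if [ -f "$UB_HOST_CONF" ] ; then
    # UCI definitions of the local host and local subnets.
    cat "$UB_HOST_CONF" >> "$UB_TOTAL_CONF"
    rm "$UB_HOST_CONF"
  fi
  if [ -f "$UB_SRVMASQ_CONF" ] ; then
    # "server:" part of the dnsmasq link.
    cat "$UB_SRVMASQ_CONF" >> "$UB_TOTAL_CONF"
    rm "$UB_SRVMASQ_CONF"
  fi
  if [ -f "$UB_DHCP_CONF" ] ; then
    {
      # Seed DHCP records because the dhcp scripts trigger externally and
      # incremental restarts may drop records added via unbound-control.
      echo "include: $UB_DHCP_CONF"
      echo
    } >> "$UB_TOTAL_CONF"
  fi

  # adblock lists are included only when the adblock package is installed
  # and enabled *and* has produced at least one list file. An unmatched glob
  # stays literal in POSIX sh, so existence of the first expansion is the
  # "any list present" test. (set -- is safe here: the function takes no
  # positional arguments.)
  set -- "$UB_VARDIR"/adb_list.*
  if [ -f "$1" ] && [ -x /usr/bin/adblock.sh ] && [ -x /etc/init.d/adblock ] \
      && /etc/init.d/adblock enabled ; then
    {
      # Pull in your selected openwrt/packages/net/adblock generated lists
      echo "include: $UB_VARDIR/adb_list.*"
      echo
    } >> "$UB_TOTAL_CONF"
  fi

  if [ -f "$UB_SRV_CONF" ] ; then
    {
      # Pull your own "server:" options here
      echo "include: $UB_SRV_CONF"
      echo
    } >> "$UB_TOTAL_CONF"
  fi
  if [ -f "$UB_ZONE_CONF" ] ; then
    # UCI defined forward, stub, and auth zones
    cat "$UB_ZONE_CONF" >> "$UB_TOTAL_CONF"
    rm "$UB_ZONE_CONF"
  fi
  if [ -f "$UB_CTRL_CONF" ] ; then
    # UCI defined control application connection
    cat "$UB_CTRL_CONF" >> "$UB_TOTAL_CONF"
    rm "$UB_CTRL_CONF"
  fi
  if [ -f "$UB_EXTMASQ_CONF" ] ; then
    # Extension clauses (forward-zone etc.) of the dnsmasq link.
    cat "$UB_EXTMASQ_CONF" >> "$UB_TOTAL_CONF"
    rm "$UB_EXTMASQ_CONF"
  fi
  if [ -f "$UB_EXT_CONF" ] ; then
    {
      # Pull your own extend feature clauses here
      echo "include: $UB_EXT_CONF"
      echo
    } >> "$UB_TOTAL_CONF"
  fi
}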
  1117. ##############################################################################
resolv_setup() {
  # Point the system stub resolver file (/tmp/resolv.conf) at this unbound
  # instance, but only when unbound owns 127.0.0.1:53. Two situations leave
  # the file alone: a non-default listen_port (something else answers on 53),
  # and an enabled dnsmasq with a resolver already answering on localhost:53,
  # in which case dnsmasq is assumed to manage the file.
  # NOTE(review): the dnsmasq check is a heuristic. nslookup only proves that
  # *some* resolver answers on 127.0.0.1#53 (and it times out when none does);
  # it does not identify dnsmasq as that listener.
  [ "$UB_N_RX_PORT" = "53" ] || return 0

  if [ -x /etc/init.d/dnsmasq ] \
     && /etc/init.d/dnsmasq enabled \
     && nslookup localhost 127.0.0.1#53 >/dev/null 2>&1 ; then
    return 0
  fi

  # Unbound is the local port-53 resolver: (re)write the file from scratch.
  # The search suffix is the UCI "domain" setting with a trailing dot.
  rm -f /tmp/resolv.conf
  {
    echo "# /tmp/resolv.conf generated by Unbound UCI $( date -Is )"
    echo "nameserver 127.0.0.1"
    echo "nameserver ::1"
    echo "search $UB_TXT_DOMAIN."
  } > /tmp/resolv.conf
}
  1141. ##############################################################################
unbound_start() {
  # Top-level driver: read UCI, render the unbound.conf fragments, merge them,
  # and finally decide who owns /tmp/resolv.conf.
  # Every "unbound" section is loaded through unbound_uci (above); the
  # working directory is prepared by unbound_mkdir (defined elsewhere in
  # this file).
  config_load unbound
  config_foreach unbound_uci unbound
  unbound_mkdir
  # Config generation only happens when UCI "manual_conf" is off
  # (UB_B_MAN_CONF, read in unbound_uci); with it on, the UCI rendering is
  # skipped entirely and the user's own unbound.conf is left in charge.
  if [ "$UB_B_MAN_CONF" -eq 0 ] ; then
    # iterate zones before we load other UCI
    # forward-zone: auth-zone: and stub-zone:
    config_foreach unbound_zone zone
    # associate potential DNS RR with interfaces
    config_load network
    config_foreach bundle_all_networks interface
    config_load dhcp
    config_foreach bundle_lan_networks dhcp
    bundle_wan_networks
    # server:
    unbound_conf
    unbound_hostname
    # control:
    unbound_control
    # dnsmasq
    dnsmasq_link
    # merge all fragments into $UB_TOTAL_CONF (unbound_include, above)
    unbound_include
  fi
  # Runs in both modes: resolv_setup keys off the UCI listen_port
  # (UB_N_RX_PORT) even with manual_conf on. NOTE(review): when manual_conf
  # is used, confirm the UCI listen_port matches the port in the manual file,
  # otherwise /tmp/resolv.conf may be rewritten for a resolver that is not
  # actually on 127.0.0.1:53.
  resolv_setup
}
  1168. ##############################################################################