You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

1303 lines
35 KiB

  1. #!/bin/sh
  2. ##############################################################################
  3. #
  4. # This program is free software; you can redistribute it and/or modify
  5. # it under the terms of the GNU General Public License version 2 as
  6. # published by the Free Software Foundation.
  7. #
  8. # This program is distributed in the hope that it will be useful,
  9. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  10. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  11. # GNU General Public License for more details.
  12. #
  13. # Copyright (C) 2016 Eric Luehrsen
  14. #
  15. ##############################################################################
  16. #
  17. # Unbound is a full featured recursive server with many options. The UCI
  18. # provided tries to simplify and bundle options. This should make Unbound
  19. # easier to deploy. Even light duty routers may resolve recursively instead of
  20. # depending on a stub with the ISP. The UCI also attempts to replicate dnsmasq
  21. # features as used in base LEDE/OpenWrt. If there is a desire for more
  22. # detailed tuning, then manual conf file overrides are also made available.
  23. #
  24. ##############################################################################
  25. UNBOUND_B_SLAAC6_MAC=0
  26. UNBOUND_B_DNSSEC=0
  27. UNBOUND_B_DNS64=0
  28. UNBOUND_B_EXT_STATS=0
  29. UNBOUND_B_GATE_NAME=0
  30. UNBOUND_B_HIDE_BIND=1
  31. UNBOUND_B_LOCL_BLCK=0
  32. UNBOUND_B_LOCL_SERV=1
  33. UNBOUND_B_MAN_CONF=0
  34. UNBOUND_B_NTP_BOOT=1
  35. UNBOUND_B_QUERY_MIN=0
  36. UNBOUND_B_QRY_MINST=0
  37. UNBOUND_B_AUTH_ROOT=0
  38. UNBOUND_D_CONTROL=0
  39. UNBOUND_D_DOMAIN_TYPE=static
  40. UNBOUND_D_DHCP_LINK=none
  41. UNBOUND_D_EXTRA_DNS=0
  42. UNBOUND_D_LAN_FQDN=0
  43. UNBOUND_D_PRIV_BLCK=1
  44. UNBOUND_D_PROTOCOL=mixed
  45. UNBOUND_D_RESOURCE=small
  46. UNBOUND_D_RECURSION=passive
  47. UNBOUND_D_WAN_FQDN=0
  48. UNBOUND_IP_DNS64="64:ff9b::/96"
  49. UNBOUND_N_EDNS_SIZE=1280
  50. UNBOUND_N_FWD_PORTS=""
  51. UNBOUND_N_RX_PORT=53
  52. UNBOUND_N_ROOT_AGE=9
  53. UNBOUND_TTL_MIN=120
  54. UNBOUND_TXT_DOMAIN=lan
  55. UNBOUND_TXT_FWD_ZONE=""
  56. UNBOUND_TXT_HOSTNAME=thisrouter
  57. UNBOUND_LIST_FORWARD=""
  58. UNBOUND_LIST_INSECURE=""
  59. UNBOUND_LIST_PRV_SUBNET=""
  60. ##############################################################################
  61. # keep track of local-domain: assignments during inserted resource records
  62. UNBOUND_LIST_DOMAINS=""
  63. ##############################################################################
  64. . /lib/functions.sh
  65. . /lib/functions/network.sh
  66. . /usr/lib/unbound/defaults.sh
  67. . /usr/lib/unbound/dnsmasq.sh
  68. . /usr/lib/unbound/iptools.sh
  69. . /usr/lib/unbound/rootzone.sh
  70. ##############################################################################
  71. copy_dash_update() {
  72. # TODO: remove this function and use builtins when this issues is resovled.
  73. # Due to OpenWrt/LEDE divergence "cp -u" isn't yet universally available.
  74. local filetime keeptime
  75. if [ -f $UNBOUND_KEYFILE.keep ] ; then
  76. # root.key.keep is reused if newest
  77. filetime=$( date -r $UNBOUND_KEYFILE +%s )
  78. keeptime=$( date -r $UNBOUND_KEYFILE.keep +%s )
  79. if [ $keeptime -gt $filetime ] ; then
  80. cp $UNBOUND_KEYFILE.keep $UNBOUND_KEYFILE
  81. fi
  82. rm -f $UNBOUND_KEYFILE.keep
  83. fi
  84. }
  85. ##############################################################################
  86. create_interface_dns() {
  87. local cfg="$1"
  88. local ipcommand logint ignore ifname ifdashname
  89. local name names address addresses
  90. local ulaprefix if_fqdn host_fqdn mode mode_ptr
  91. # Create local-data: references for this hosts interfaces (router).
  92. config_get logint "$cfg" interface
  93. config_get_bool ignore "$cfg" ignore 0
  94. network_get_device ifname "$cfg"
  95. ifdashname="${ifname//./-}"
  96. ipcommand="ip -o address show $ifname"
  97. addresses=$( $ipcommand | awk '/inet/{sub(/\/.*/,"",$4); print $4}' )
  98. ulaprefix=$( uci_get network.@globals[0].ula_prefix )
  99. host_fqdn="$UNBOUND_TXT_HOSTNAME.$UNBOUND_TXT_DOMAIN"
  100. if_fqdn="$ifdashname.$host_fqdn"
  101. if [ -z "${ulaprefix%%:/*}" ] ; then
  102. # Nonsense so this option isn't globbed below
  103. ulaprefix="fdno:such:addr::/48"
  104. fi
  105. if [ "$ignore" -gt 0 ] ; then
  106. mode="$UNBOUND_D_WAN_FQDN"
  107. else
  108. mode="$UNBOUND_D_LAN_FQDN"
  109. fi
  110. case "$mode" in
  111. 3)
  112. mode_ptr="$host_fqdn"
  113. names="$host_fqdn $UNBOUND_TXT_HOSTNAME"
  114. ;;
  115. 4)
  116. if [ -z "$ifdashname" ] ; then
  117. # race conditions at init can rarely cause a blank device return
  118. # the record format is invalid and Unbound won't load the conf file
  119. mode_ptr="$host_fqdn"
  120. names="$host_fqdn $UNBOUND_TXT_HOSTNAME"
  121. else
  122. mode_ptr="$if_fqdn"
  123. names="$if_fqdn $host_fqdn $UNBOUND_TXT_HOSTNAME"
  124. fi
  125. ;;
  126. *)
  127. mode_ptr="$UNBOUND_TXT_HOSTNAME"
  128. names="$UNBOUND_TXT_HOSTNAME"
  129. ;;
  130. esac
  131. if [ "$mode" -gt 1 ] ; then
  132. {
  133. for address in $addresses ; do
  134. case $address in
  135. fe80:*|169.254.*)
  136. echo " # note link address $address"
  137. ;;
  138. [1-9a-f]*:*[0-9a-f])
  139. # GA and ULA IP6 for HOST IN AAA records (ip command is robust)
  140. for name in $names ; do
  141. echo " local-data: \"$name. 120 IN AAAA $address\""
  142. done
  143. echo " local-data-ptr: \"$address 120 $mode_ptr\""
  144. ;;
  145. [1-9]*.*[0-9])
  146. # Old fashioned HOST IN A records
  147. for name in $names ; do
  148. echo " local-data: \"$name. 120 IN A $address\""
  149. done
  150. echo " local-data-ptr: \"$address 120 $mode_ptr\""
  151. ;;
  152. esac
  153. done
  154. echo
  155. } >> $UNBOUND_CONFFILE
  156. elif [ "$mode" -gt 0 ] ; then
  157. {
  158. for address in $addresses ; do
  159. case $address in
  160. fe80:*|169.254.*)
  161. echo " # note link address $address"
  162. ;;
  163. "${ulaprefix%%:/*}"*)
  164. # Only this networks ULA and only hostname
  165. echo " local-data: \"$UNBOUND_TXT_HOSTNAME. 120 IN AAAA $address\""
  166. echo " local-data-ptr: \"$address 120 $UNBOUND_TXT_HOSTNAME\""
  167. ;;
  168. [1-9]*.*[0-9])
  169. echo " local-data: \"$UNBOUND_TXT_HOSTNAME. 120 IN A $address\""
  170. echo " local-data-ptr: \"$address 120 $UNBOUND_TXT_HOSTNAME\""
  171. ;;
  172. esac
  173. done
  174. echo
  175. } >> $UNBOUND_CONFFILE
  176. fi
  177. }
  178. ##############################################################################
  179. create_local_zone() {
  180. local target="$1"
  181. local partial domain found
  182. if [ -n "$UNBOUND_LIST_DOMAINS" ] ; then
  183. for domain in $UNBOUND_LIST_DOMAINS ; do
  184. case $target in
  185. *"${domain}")
  186. found=1
  187. break
  188. ;;
  189. [A-Za-z0-9]*.[A-Za-z0-9]*)
  190. found=0
  191. ;;
  192. *) # no dots
  193. found=1
  194. break
  195. ;;
  196. esac
  197. done
  198. else
  199. found=0
  200. fi
  201. if [ $found -eq 0 ] ; then
  202. # New Zone! Bundle local-zones: by first two name tiers "abcd.tld."
  203. partial=$( echo "$target" | awk -F. '{ j=NF ; i=j-1; print $i"."$j }' )
  204. UNBOUND_LIST_DOMAINS="$UNBOUND_LIST_DOMAINS $partial"
  205. echo " local-zone: $partial. transparent" >> $UNBOUND_CONFFILE
  206. fi
  207. }
  208. ##############################################################################
  209. create_host_record() {
  210. local cfg="$1"
  211. local ip name
  212. # basefiles dhcp "domain" clause which means host A, AAAA, and PRT record
  213. config_get ip "$cfg" ip
  214. config_get name "$cfg" name
  215. if [ -n "$name" -a -n "$ip" ] ; then
  216. create_local_zone "$name"
  217. {
  218. case $ip in
  219. fe80:*|169.254.*)
  220. echo " # note link address $ip for host $name"
  221. ;;
  222. [1-9a-f]*:*[0-9a-f])
  223. echo " local-data: \"$name. 120 IN AAAA $ip\""
  224. echo " local-data-ptr: \"$ip 120 $name\""
  225. ;;
  226. [1-9]*.*[0-9])
  227. echo " local-data: \"$name. 120 IN A $ip\""
  228. echo " local-data-ptr: \"$ip 120 $name\""
  229. ;;
  230. esac
  231. } >> $UNBOUND_CONFFILE
  232. fi
  233. }
  234. ##############################################################################
  235. create_mx_record() {
  236. local cfg="$1"
  237. local domain relay pref
  238. # Insert a static MX record
  239. config_get domain "$cfg" domain
  240. config_get relay "$cfg" relay
  241. config_get pref "$cfg" pref 10
  242. if [ -n "$domain" -a -n "$relay" ] ; then
  243. create_local_zone "$domain"
  244. echo " local-data: \"$domain. 120 IN MX $pref $relay.\"" \
  245. >> $UNBOUND_CONFFILE
  246. fi
  247. }
  248. ##############################################################################
  249. create_srv_record() {
  250. local cfg="$1"
  251. local srv target port class weight
  252. # Insert a static SRV record such as SIP server
  253. config_get srv "$cfg" srv
  254. config_get target "$cfg" target
  255. config_get port "$cfg" port
  256. config_get class "$cfg" class 10
  257. config_get weight "$cfg" weight 10
  258. if [ -n "$srv" -a -n "$target" -a -n "$port" ] ; then
  259. create_local_zone "$srv"
  260. echo " local-data: \"$srv. 120 IN SRV $class $weight $port $target.\"" \
  261. >> $UNBOUND_CONFFILE
  262. fi
  263. }
  264. ##############################################################################
  265. create_cname_record() {
  266. local cfg="$1"
  267. local cname target
  268. # Insert static CNAME record
  269. config_get cname "$cfg" cname
  270. config_get target "$cfg" target
  271. if [ -n "$cname" -a -n "$target" ] ; then
  272. create_local_zone "$cname"
  273. echo " local-data: \"$cname. 120 IN CNAME $target.\"" >> $UNBOUND_CONFFILE
  274. fi
  275. }
  276. ##############################################################################
  277. create_access_control() {
  278. local cfg="$1"
  279. local subnets subnets4 subnets6
  280. local validip4 validip6
  281. network_get_subnets subnets4 "$cfg"
  282. network_get_subnets6 subnets6 "$cfg"
  283. subnets="$subnets4 $subnets6"
  284. if [ -n "$subnets" ] ; then
  285. for subnet in $subnets ; do
  286. validip4=$( valid_subnet4 $subnet )
  287. validip6=$( valid_subnet6 $subnet )
  288. if [ "$validip4" = "ok" -o "$validip6" = "ok" ] ; then
  289. # For each "network" UCI add "access-control:" white list for queries
  290. echo " access-control: $subnet allow" >> $UNBOUND_CONFFILE
  291. fi
  292. done
  293. fi
  294. }
  295. ##############################################################################
  296. bundle_domain_forward() {
  297. UNBOUND_LIST_FORWARD="$UNBOUND_LIST_FORWARD $1"
  298. }
  299. ##############################################################################
  300. bundle_domain_insecure() {
  301. UNBOUND_LIST_INSECURE="$UNBOUND_LIST_INSECURE $1"
  302. }
  303. ##############################################################################
  304. bundle_private_interface() {
  305. local ipcommand ifsubnet ifsubnets ifname
  306. network_get_device ifname $1
  307. if [ -n "$ifname" ] ; then
  308. ipcommand="ip -6 -o address show $ifname"
  309. ifsubnets=$( $ipcommand | awk '/inet6/{ print $4 }' )
  310. if [ -n "$ifsubnets" ] ; then
  311. for ifsubnet in $ifsubnets ; do
  312. case $ifsubnet in
  313. [1-9]*:*[0-9a-f])
  314. # Special GLA protection for local block; ULA protected as a catagory
  315. UNBOUND_LIST_PRV_SUBNET="$UNBOUND_LIST_PRV_SUBNET $ifsubnet" ;;
  316. esac
  317. done
  318. fi
  319. fi
  320. }
  321. ##############################################################################
  322. unbound_mkdir() {
  323. local filestuff
  324. if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" ] ; then
  325. local dhcp_origin=$( uci_get dhcp.@odhcpd[0].leasefile )
  326. local dhcp_dir=$( dirname $dhcp_origin )
  327. if [ ! -d "$dhcp_dir" ] ; then
  328. # make sure odhcpd has a directory to write (not done itself, yet)
  329. mkdir -p "$dhcp_dir"
  330. fi
  331. fi
  332. if [ -f $UNBOUND_KEYFILE ] ; then
  333. filestuff=$( cat $UNBOUND_KEYFILE )
  334. case "$filestuff" in
  335. *"state=2 [ VALID ]"*)
  336. # Lets not lose RFC 5011 tracking if we don't have to
  337. cp -p $UNBOUND_KEYFILE $UNBOUND_KEYFILE.keep
  338. ;;
  339. esac
  340. fi
  341. # Blind copy /etc/ to /var/lib/
  342. mkdir -p $UNBOUND_VARDIR
  343. rm -f $UNBOUND_VARDIR/dhcp_*
  344. touch $UNBOUND_CONFFILE
  345. touch $UNBOUND_SRV_CONF
  346. touch $UNBOUND_EXT_CONF
  347. cp -p /etc/unbound/* $UNBOUND_VARDIR/
  348. if [ ! -f $UNBOUND_HINTFILE ] ; then
  349. if [ -f /usr/share/dns/root.hints ] ; then
  350. # Debian-like package dns-root-data
  351. cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
  352. elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
  353. logger -t unbound -s "default root hints (built in rootservers.net)"
  354. fi
  355. fi
  356. if [ ! -f $UNBOUND_KEYFILE ] ; then
  357. if [ -f /usr/share/dns/root.key ] ; then
  358. # Debian-like package dns-root-data
  359. cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE
  360. elif [ -x $UNBOUND_ANCHOR ] ; then
  361. $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
  362. elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
  363. logger -t unbound -s "default trust anchor (built in root DS record)"
  364. fi
  365. fi
  366. copy_dash_update
  367. # Ensure access and prepare to jail
  368. chown -R unbound:unbound $UNBOUND_VARDIR
  369. chmod 755 $UNBOUND_VARDIR
  370. chmod 644 $UNBOUND_VARDIR/*
  371. if [ -f $UNBOUND_CTLKEY_FILE -o -f $UNBOUND_CTLPEM_FILE \
  372. -o -f $UNBOUND_SRVKEY_FILE -o -f $UNBOUND_SRVPEM_FILE ] ; then
  373. # Keys (some) exist already; do not create new ones
  374. chmod 640 $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
  375. $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE
  376. elif [ -x /usr/sbin/unbound-control-setup ] ; then
  377. case "$UNBOUND_D_CONTROL" in
  378. [2-3])
  379. # unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static"
  380. /usr/sbin/unbound-control-setup -d $UNBOUND_VARDIR
  381. chown -R unbound:unbound $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
  382. $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE
  383. chmod 640 $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
  384. $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE
  385. cp -p $UNBOUND_CTLKEY_FILE /etc/unbound/unbound_control.key
  386. cp -p $UNBOUND_CTLPEM_FILE /etc/unbound/unbound_control.pem
  387. cp -p $UNBOUND_SRVKEY_FILE /etc/unbound/unbound_server.key
  388. cp -p $UNBOUND_SRVPEM_FILE /etc/unbound/unbound_server.pem
  389. ;;
  390. esac
  391. fi
  392. }
  393. ##############################################################################
  394. unbound_control() {
  395. if [ "$UNBOUND_D_CONTROL" -gt 1 ] ; then
  396. if [ ! -f $UNBOUND_CTLKEY_FILE -o ! -f $UNBOUND_CTLPEM_FILE \
  397. -o ! -f $UNBOUND_SRVKEY_FILE -o ! -f $UNBOUND_SRVPEM_FILE ] ; then
  398. # Key files need to be present; if unbound-control-setup was found, then
  399. # they might have been made during unbound_makedir() above.
  400. UNBOUND_D_CONTROL=0
  401. fi
  402. fi
  403. case "$UNBOUND_D_CONTROL" in
  404. 1)
  405. {
  406. # Local Host Only Unencrypted Remote Control
  407. echo "remote-control:"
  408. echo " control-enable: yes"
  409. echo " control-use-cert: no"
  410. echo " control-interface: 127.0.0.1"
  411. echo " control-interface: ::1"
  412. echo
  413. } >> $UNBOUND_CONFFILE
  414. ;;
  415. 2)
  416. {
  417. # Local Host Only Encrypted Remote Control
  418. echo "remote-control:"
  419. echo " control-enable: yes"
  420. echo " control-use-cert: yes"
  421. echo " control-interface: 127.0.0.1"
  422. echo " control-interface: ::1"
  423. echo " server-key-file: \"$UNBOUND_SRVKEY_FILE\""
  424. echo " server-cert-file: \"$UNBOUND_SRVPEM_FILE\""
  425. echo " control-key-file: \"$UNBOUND_CTLKEY_FILE\""
  426. echo " control-cert-file: \"$UNBOUND_CTLPEM_FILE\""
  427. echo
  428. } >> $UNBOUND_CONFFILE
  429. ;;
  430. [3-4])
  431. {
  432. # Network Encrypted Remote Control
  433. # (3) may auto setup and (4) must have static key/pem files
  434. # TODO: add UCI list for interfaces to bind
  435. echo "remote-control:"
  436. echo " control-enable: yes"
  437. echo " control-use-cert: yes"
  438. echo " control-interface: 0.0.0.0"
  439. echo " control-interface: ::0"
  440. echo " server-key-file: \"$UNBOUND_SRVKEY_FILE\""
  441. echo " server-cert-file: \"$UNBOUND_SRVPEM_FILE\""
  442. echo " control-key-file: \"$UNBOUND_CTLKEY_FILE\""
  443. echo " control-cert-file: \"$UNBOUND_CTLPEM_FILE\""
  444. echo
  445. } >> $UNBOUND_CONFFILE
  446. ;;
  447. esac
  448. {
  449. # Amend your own extended clauses here like forward zones or disable
  450. # above (local, no encryption) and amend your own remote encrypted control
  451. echo
  452. echo "include: $UNBOUND_EXT_CONF" >> $UNBOUND_CONFFILE
  453. echo
  454. } >> $UNBOUND_CONFFILE
  455. }
  456. ##############################################################################
  457. unbound_forward() {
  458. local fdomain fresolver resolvers
  459. # Forward selected domains to the upstream (WAN) stub resolver. This may be
  460. # faster or local pool addresses to ISP service login page. This may keep
  461. # internal organization lookups, well, internal to the organization.
  462. if [ -n "$UNBOUND_LIST_FORWARD" ] ; then
  463. resolvers=$( grep nameserver /tmp/resolv.conf.auto | sed "s/nameserver//g" )
  464. if [ -n "$resolvers" ] ; then
  465. for fdomain in $UNBOUND_LIST_FORWARD ; do
  466. {
  467. echo "forward-zone:"
  468. echo " name: \"$fdomain.\""
  469. for fresolver in $resolvers ; do
  470. echo " forward-addr: $fresolver"
  471. done
  472. echo
  473. } >> $UNBOUND_CONFFILE
  474. done
  475. fi
  476. fi
  477. }
  478. ##############################################################################
  479. unbound_auth_root() {
  480. local axfrservers="lax.xfr.dns.icann.org iad.xfr.dns.icann.org"
  481. local httpserver="http://www.internic.net/domain/"
  482. local authzones="root arpa in-addr.arpa ip6.arpa"
  483. local server zone realzone
  484. # Download or AXFR the root and arpa zones to reduce the work needed at
  485. # top level of recursion. If your users will hit many ccTLD or you have
  486. # tracking logs resolving many PTR, then this can speed things up.
  487. # Total size of text in TMPFS could be about 5MB.
  488. if [ "$UNBOUND_B_AUTH_ROOT" -gt 0 ] ; then
  489. for zone in $authzones ; do
  490. if [ "$zone" = "root" ] ; then
  491. realzone="."
  492. else
  493. realzone=$zone
  494. fi
  495. {
  496. echo "auth-zone:"
  497. echo " name: \"$realzone\""
  498. for server in $axfrservers ; do
  499. echo " master: \"$server\""
  500. done
  501. echo " url: \"$httpserver$zone.zone\""
  502. echo " fallback-enabled: yes"
  503. echo " for-downstream: no"
  504. echo " for-upstream: yes"
  505. echo " zonefile: \"$zone.zone\""
  506. echo
  507. } >> $UNBOUND_CONFFILE
  508. done
  509. fi
  510. }
  511. ##############################################################################
  512. unbound_conf() {
  513. local rt_mem rt_conn modulestring domain ifsubnet
  514. # Make fresh conf file
  515. echo > $UNBOUND_CONFFILE
  516. {
  517. # Make fresh conf file
  518. echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
  519. echo
  520. echo "server:"
  521. echo " username: unbound"
  522. echo " chroot: \"$UNBOUND_VARDIR\""
  523. echo " directory: \"$UNBOUND_VARDIR\""
  524. echo " pidfile: \"$UNBOUND_PIDFILE\""
  525. echo
  526. # No threading
  527. echo " num-threads: 1"
  528. echo " msg-cache-slabs: 1"
  529. echo " rrset-cache-slabs: 1"
  530. echo " infra-cache-slabs: 1"
  531. echo " key-cache-slabs: 1"
  532. echo
  533. # Interface Wildcard (access contol handled by "option local_service")
  534. echo " interface: 0.0.0.0"
  535. echo " interface: ::0"
  536. echo " outgoing-interface: 0.0.0.0"
  537. echo " outgoing-interface: ::0"
  538. echo
  539. # Logging
  540. echo " use-syslog: yes"
  541. echo " verbosity: 1"
  542. echo " statistics-interval: 0"
  543. echo " statistics-cumulative: no"
  544. } >> $UNBOUND_CONFFILE
  545. if [ "$UNBOUND_B_EXT_STATS" -gt 0 ] ; then
  546. {
  547. # Log More
  548. echo " extended-statistics: yes"
  549. echo
  550. } >> $UNBOUND_CONFFILE
  551. else
  552. {
  553. # Log Less
  554. echo " extended-statistics: no"
  555. echo
  556. } >> $UNBOUND_CONFFILE
  557. fi
  558. case "$UNBOUND_D_PROTOCOL" in
  559. ip4_only)
  560. {
  561. echo " do-ip4: yes"
  562. echo " do-ip6: no"
  563. } >> $UNBOUND_CONFFILE
  564. ;;
  565. ip6_only)
  566. {
  567. echo " do-ip4: no"
  568. echo " do-ip6: yes"
  569. } >> $UNBOUND_CONFFILE
  570. ;;
  571. ip6_prefer)
  572. {
  573. echo " do-ip4: yes"
  574. echo " do-ip6: yes"
  575. echo " prefer-ip6: yes"
  576. } >> $UNBOUND_CONFFILE
  577. ;;
  578. mixed)
  579. {
  580. echo " do-ip4: yes"
  581. echo " do-ip6: yes"
  582. } >> $UNBOUND_CONFFILE
  583. ;;
  584. *)
  585. if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
  586. logger -t unbound -s "default protocol configuration"
  587. fi
  588. ;;
  589. esac
  590. {
  591. # protocol level tuning
  592. echo " edns-buffer-size: $UNBOUND_N_EDNS_SIZE"
  593. echo " msg-buffer-size: 8192"
  594. echo " port: $UNBOUND_N_RX_PORT"
  595. echo " outgoing-port-permit: 10240-65535"
  596. echo
  597. } >> $UNBOUND_CONFFILE
  598. {
  599. # Other harding and options for an embedded router
  600. echo " harden-short-bufsize: yes"
  601. echo " harden-large-queries: yes"
  602. echo " harden-glue: yes"
  603. echo " harden-below-nxdomain: no"
  604. echo " harden-referral-path: no"
  605. echo " use-caps-for-id: no"
  606. echo
  607. } >> $UNBOUND_CONFFILE
  608. if [ -f "$UNBOUND_HINTFILE" ] ; then
  609. # Optional hints if found
  610. echo " root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE
  611. fi
  612. if [ "$UNBOUND_B_DNSSEC" -gt 0 -a -f "$UNBOUND_KEYFILE" ] ; then
  613. {
  614. echo " auto-trust-anchor-file: \"$UNBOUND_KEYFILE\""
  615. echo
  616. } >> $UNBOUND_CONFFILE
  617. else
  618. echo >> $UNBOUND_CONFFILE
  619. fi
  620. case "$UNBOUND_D_RESOURCE" in
  621. # Tiny - Unbound's recommended cheap hardware config
  622. tiny) rt_mem=1 ; rt_conn=1 ;;
  623. # Small - Half RRCACHE and open ports
  624. small) rt_mem=8 ; rt_conn=5 ;;
  625. # Medium - Nearly default but with some added balancintg
  626. medium) rt_mem=16 ; rt_conn=10 ;;
  627. # Large - Double medium
  628. large) rt_mem=32 ; rt_conn=10 ;;
  629. # Whatever unbound does
  630. *) rt_mem=0 ; rt_conn=0 ;;
  631. esac
  632. if [ "$rt_mem" -gt 0 ] ; then
  633. {
  634. # Set memory sizing parameters
  635. echo " outgoing-range: $(($rt_conn*64))"
  636. echo " num-queries-per-thread: $(($rt_conn*32))"
  637. echo " outgoing-num-tcp: $(($rt_conn))"
  638. echo " incoming-num-tcp: $(($rt_conn))"
  639. echo " rrset-cache-size: $(($rt_mem*256))k"
  640. echo " msg-cache-size: $(($rt_mem*128))k"
  641. echo " key-cache-size: $(($rt_mem*128))k"
  642. echo " neg-cache-size: $(($rt_mem*64))k"
  643. echo " infra-cache-numhosts: $(($rt_mem*256))"
  644. echo
  645. } >> $UNBOUND_CONFFILE
  646. elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
  647. logger -t unbound -s "default memory configuration"
  648. fi
  649. # Assembly of module-config: options is tricky; order matters
  650. modulestring="iterator"
  651. if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
  652. if [ ! -f "$UNBOUND_TIMEFILE" -a "$UNBOUND_B_NTP_BOOT" -gt 0 ] ; then
  653. # DNSSEC chicken and egg with getting NTP time
  654. echo " val-override-date: -1" >> $UNBOUND_CONFFILE
  655. fi
  656. {
  657. echo " harden-dnssec-stripped: yes"
  658. echo " val-clean-additional: yes"
  659. echo " ignore-cd-flag: yes"
  660. } >> $UNBOUND_CONFFILE
  661. modulestring="validator $modulestring"
  662. fi
  663. if [ "$UNBOUND_B_DNS64" -gt 0 ] ; then
  664. echo " dns64-prefix: $UNBOUND_IP_DNS64" >> $UNBOUND_CONFFILE
  665. modulestring="dns64 $modulestring"
  666. fi
  667. {
  668. # Print final module string
  669. echo " module-config: \"$modulestring\""
  670. echo
  671. } >> $UNBOUND_CONFFILE
  672. case "$UNBOUND_D_RECURSION" in
  673. passive)
  674. {
  675. # Some query privacy but "strict" will break some servers
  676. if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
  677. -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
  678. echo " qname-minimisation: yes"
  679. echo " qname-minimisation-strict: yes"
  680. elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
  681. echo " qname-minimisation: yes"
  682. else
  683. echo " qname-minimisation: no"
  684. fi
  685. # Use DNSSEC to quickly understand NXDOMAIN ranges
  686. if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
  687. echo " aggressive-nsec: yes"
  688. echo " prefetch-key: no"
  689. fi
  690. # On demand fetching
  691. echo " prefetch: no"
  692. echo " target-fetch-policy: \"0 0 0 0 0\""
  693. echo
  694. } >> $UNBOUND_CONFFILE
  695. ;;
  696. aggressive)
  697. {
  698. # Some query privacy but "strict" will break some servers
  699. if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
  700. -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
  701. echo " qname-minimisation: yes"
  702. echo " qname-minimisation-strict: yes"
  703. elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
  704. echo " qname-minimisation: yes"
  705. else
  706. echo " qname-minimisation: no"
  707. fi
  708. # Use DNSSEC to quickly understand NXDOMAIN ranges
  709. if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
  710. echo " aggressive-nsec: yes"
  711. echo " prefetch-key: yes"
  712. fi
  713. # Prefetch what can be
  714. echo " prefetch: yes"
  715. echo " target-fetch-policy: \"3 2 1 0 0\""
  716. echo
  717. } >> $UNBOUND_CONFFILE
  718. ;;
  719. *)
  720. if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
  721. logger -t unbound -s "default recursion configuration"
  722. fi
  723. ;;
  724. esac
  725. {
  726. # Reload records more than 10 hours old
  727. # DNSSEC 5 minute bogus cool down before retry
  728. # Adaptive infrastructure info kept for 15 minutes
  729. echo " cache-min-ttl: $UNBOUND_TTL_MIN"
  730. echo " cache-max-ttl: 36000"
  731. echo " val-bogus-ttl: 300"
  732. echo " infra-host-ttl: 900"
  733. echo
  734. } >> $UNBOUND_CONFFILE
  735. if [ "$UNBOUND_B_HIDE_BIND" -gt 0 ] ; then
  736. {
  737. # Block server id and version DNS TXT records
  738. echo " hide-identity: yes"
  739. echo " hide-version: yes"
  740. echo
  741. } >> $UNBOUND_CONFFILE
  742. fi
  743. if [ "$UNBOUND_D_PRIV_BLCK" -gt 0 ] ; then
  744. {
  745. # Remove _upstream_ or global reponses with private addresses.
  746. # Unbounds own "local zone" and "forward zone" may still use these.
  747. # RFC1918, RFC3927, RFC4291, RFC6598, RFC6890
  748. echo " private-address: 10.0.0.0/8"
  749. echo " private-address: 100.64.0.0/10"
  750. echo " private-address: 169.254.0.0/16"
  751. echo " private-address: 172.16.0.0/12"
  752. echo " private-address: 192.168.0.0/16"
  753. echo " private-address: fc00::/7"
  754. echo " private-address: fe80::/10"
  755. echo
  756. } >> $UNBOUND_CONFFILE
  757. fi
  758. if [ -n "$UNBOUND_LIST_PRV_SUBNET" -a "$UNBOUND_D_PRIV_BLCK" -gt 1 ] ; then
  759. for ifsubnet in $UNBOUND_LIST_PRV_SUBNET ; do
  760. # Remove global DNS responses with your local network IP6 GLA
  761. echo " private-address: $ifsubnet" >> $UNBOUND_CONFFILE
  762. done
  763. echo >> $UNBOUND_CONFFILE
  764. fi
  765. if [ "$UNBOUND_B_LOCL_BLCK" -gt 0 ] ; then
  766. {
  767. # Remove DNS reponses from upstream with loopback IP
  768. # Black hole DNS method for ad blocking, so consider...
  769. echo " private-address: 127.0.0.0/8"
  770. echo " private-address: ::1/128"
  771. echo
  772. } >> $UNBOUND_CONFFILE
  773. fi
  774. if [ -n "$UNBOUND_LIST_INSECURE" ] ; then
  775. for domain in $UNBOUND_LIST_INSECURE ; do
  776. # Except and accept domains without (DNSSEC); work around broken domains
  777. echo " domain-insecure: \"$domain\"" >> $UNBOUND_CONFFILE
  778. done
  779. echo >> $UNBOUND_CONFFILE
  780. fi
  781. }
  782. ##############################################################################
  783. unbound_access() {
  784. # TODO: Unbound 1.6.0 added "tags" and "views", so we can add tags to
  785. # each access-control IP block, and then divert access.
  786. # -- "guest" WIFI will not be allowed to see local zone data
  787. # -- "child" LAN can black whole a list of domains to http~deadpixel
  788. if [ "$UNBOUND_B_LOCL_SERV" -gt 0 ] ; then
  789. # Only respond to queries from which this device has an interface.
  790. # Prevent DNS amplification attacks by not responding to the universe.
  791. config_load network
  792. config_foreach create_access_control interface
  793. {
  794. echo " access-control: 127.0.0.0/8 allow"
  795. echo " access-control: ::1/128 allow"
  796. echo " access-control: fe80::/10 allow"
  797. echo
  798. } >> $UNBOUND_CONFFILE
  799. else
  800. {
  801. echo " access-control: 0.0.0.0/0 allow"
  802. echo " access-control: ::0/0 allow"
  803. echo
  804. } >> $UNBOUND_CONFFILE
  805. fi
  806. {
  807. # Amend your own "server:" stuff here
  808. echo " include: $UNBOUND_SRV_CONF"
  809. echo
  810. } >> $UNBOUND_CONFFILE
  811. }
  812. ##############################################################################
  813. unbound_adblock() {
  814. # TODO: Unbound 1.6.0 added "tags" and "views"; lets work with adblock team
  815. local adb_enabled adb_file
  816. if [ ! -x /usr/bin/adblock.sh -o ! -x /etc/init.d/adblock ] ; then
  817. adb_enabled=0
  818. else
  819. /etc/init.d/adblock enabled && adb_enabled=1 || adb_enabled=0
  820. fi
  821. if [ "$adb_enabled" -gt 0 ] ; then
  822. {
  823. # Pull in your selected openwrt/pacakges/net/adblock generated lists
  824. for adb_file in $UNBOUND_VARDIR/adb_list.* ; do
  825. echo " include: $adb_file"
  826. done
  827. echo
  828. } >> $UNBOUND_CONFFILE
  829. fi
  830. }
  831. ##############################################################################
  832. unbound_hostname() {
  833. if [ -n "$UNBOUND_TXT_DOMAIN" ] ; then
  834. {
  835. # TODO: Unbound 1.6.0 added "tags" and "views" and we could make
  836. # domains by interface to prevent DNS from "guest" to "home"
  837. echo " local-zone: $UNBOUND_TXT_DOMAIN. $UNBOUND_D_DOMAIN_TYPE"
  838. echo " domain-insecure: $UNBOUND_TXT_DOMAIN"
  839. echo " private-domain: $UNBOUND_TXT_DOMAIN"
  840. echo
  841. echo " local-zone: $UNBOUND_TXT_HOSTNAME. $UNBOUND_D_DOMAIN_TYPE"
  842. echo " domain-insecure: $UNBOUND_TXT_HOSTNAME"
  843. echo " private-domain: $UNBOUND_TXT_HOSTNAME"
  844. echo
  845. } >> $UNBOUND_CONFFILE
  846. case "$UNBOUND_D_DOMAIN_TYPE" in
  847. deny|inform_deny|refuse|static)
  848. {
  849. # avoid upstream involvement in RFC6762 like responses (link only)
  850. echo " local-zone: local. $UNBOUND_D_DOMAIN_TYPE"
  851. echo " domain-insecure: local"
  852. echo " private-domain: local"
  853. echo
  854. } >> $UNBOUND_CONFFILE
  855. ;;
  856. esac
  857. if [ "$UNBOUND_D_LAN_FQDN" -gt 0 -o "$UNBOUND_D_WAN_FQDN" -gt 0 ] ; then
  858. config_load dhcp
  859. config_foreach create_interface_dns dhcp
  860. fi
  861. if [ -f "$UNBOUND_DHCP_CONF" ] ; then
  862. {
  863. # Seed DHCP records because dhcp scripts trigger externally
  864. # Incremental Unbound restarts may drop unbound-control add records
  865. echo " include: $UNBOUND_DHCP_CONF"
  866. echo
  867. } >> $UNBOUND_CONFFILE
  868. fi
  869. fi
  870. }
  871. ##############################################################################
  872. unbound_records() {
  873. if [ "$UNBOUND_D_EXTRA_DNS" -gt 0 ] ; then
  874. # Parasite from the uci.dhcp.domain clauses
  875. config_load dhcp
  876. config_foreach create_host_record domain
  877. fi
  878. if [ "$UNBOUND_D_EXTRA_DNS" -gt 1 ] ; then
  879. config_foreach create_srv_record srvhost
  880. config_foreach create_mx_record mxhost
  881. fi
  882. if [ "$UNBOUND_D_EXTRA_DNS" -gt 2 ] ; then
  883. config_foreach create_cname_record cname
  884. fi
  885. echo >> $UNBOUND_CONFFILE
  886. }
  887. ##############################################################################
  888. unbound_uci() {
  889. local cfg="$1"
  890. local dnsmasqpath hostnm
  891. hostnm=$( uci_get system.@system[0].hostname | awk '{print tolower($0)}' )
  892. UNBOUND_TXT_HOSTNAME=${hostnm:-thisrouter}
  893. config_get_bool UNBOUND_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0
  894. config_get_bool UNBOUND_B_DNS64 "$cfg" dns64 0
  895. config_get_bool UNBOUND_B_EXT_STATS "$cfg" extended_stats 0
  896. config_get_bool UNBOUND_B_HIDE_BIND "$cfg" hide_binddata 1
  897. config_get_bool UNBOUND_B_LOCL_SERV "$cfg" localservice 1
  898. config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0
  899. config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0
  900. config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0
  901. config_get_bool UNBOUND_B_AUTH_ROOT "$cfg" prefetch_root 0
  902. config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
  903. config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
  904. config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
  905. config_get UNBOUND_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96"
  906. config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280
  907. config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53
  908. config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9
  909. config_get UNBOUND_D_CONTROL "$cfg" unbound_control 0
  910. config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static
  911. config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none
  912. config_get UNBOUND_D_EXTRA_DNS "$cfg" add_extra_dns 0
  913. config_get UNBOUND_D_LAN_FQDN "$cfg" add_local_fqdn 0
  914. config_get UNBOUND_D_PRIV_BLCK "$cfg" rebind_protection 1
  915. config_get UNBOUND_D_PROTOCOL "$cfg" protocol mixed
  916. config_get UNBOUND_D_RECURSION "$cfg" recursion passive
  917. config_get UNBOUND_D_RESOURCE "$cfg" resource small
  918. config_get UNBOUND_D_WAN_FQDN "$cfg" add_wan_fqdn 0
  919. config_get UNBOUND_TTL_MIN "$cfg" ttl_min 120
  920. config_get UNBOUND_TXT_DOMAIN "$cfg" domain lan
  921. config_list_foreach "$cfg" "domain_forward" bundle_domain_forward
  922. config_list_foreach "$cfg" "domain_insecure" bundle_domain_insecure
  923. config_list_foreach "$cfg" "rebind_interface" bundle_private_interface
  924. UNBOUND_LIST_DOMAINS="nowhere $UNBOUND_TXT_DOMAIN"
  925. if [ "$UNBOUND_D_DHCP_LINK" = "none" ] ; then
  926. config_get_bool UNBOUND_B_DNSMASQ "$cfg" dnsmasq_link_dns 0
  927. if [ "$UNBOUND_B_DNSMASQ" -gt 0 ] ; then
  928. UNBOUND_D_DHCP_LINK=dnsmasq
  929. if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
  930. logger -t unbound -s "Please use 'dhcp_link' selector instead"
  931. fi
  932. fi
  933. fi
  934. if [ "$UNBOUND_D_DHCP_LINK" = "dnsmasq" ] ; then
  935. if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then
  936. UNBOUND_D_DHCP_LINK=none
  937. else
  938. /etc/init.d/dnsmasq enabled || UNBOUND_D_DHCP_LINK=none
  939. fi
  940. if [ "$UNBOUND_D_DHCP_LINK" = "none" -a ! -f "$UNBOUND_TIMEFILE" ] ; then
  941. logger -t unbound -s "cannot forward to dnsmasq"
  942. fi
  943. fi
  944. if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" ] ; then
  945. if [ ! -x /usr/sbin/odhcpd -o ! -x /etc/init.d/odhcpd ] ; then
  946. UNBOUND_D_DHCP_LINK=none
  947. else
  948. /etc/init.d/odhcpd enabled || UNBOUND_D_DHCP_LINK=none
  949. fi
  950. if [ "$UNBOUND_D_DHCP_LINK" = "none" -a ! -f "$UNBOUND_TIMEFILE" ] ; then
  951. logger -t unbound -s "cannot receive records from odhcpd"
  952. fi
  953. fi
  954. if [ "$UNBOUND_N_EDNS_SIZE" -lt 512 \
  955. -o 4096 -lt "$UNBOUND_N_EDNS_SIZE" ] ; then
  956. logger -t unbound -s "edns_size exceeds range, using default"
  957. UNBOUND_N_EDNS_SIZE=1280
  958. fi
  959. if [ "$UNBOUND_N_RX_PORT" -ne 53 ] \
  960. && [ "$UNBOUND_N_RX_PORT" -lt 1024 -o 10240 -lt "$UNBOUND_N_RX_PORT" ] ; then
  961. logger -t unbound -s "privileged port or in 5 digits, using default"
  962. UNBOUND_N_RX_PORT=53
  963. fi
  964. if [ "$UNBOUND_TTL_MIN" -gt 1800 ] ; then
  965. logger -t unbound -s "ttl_min could have had awful side effects, using 300"
  966. UNBOUND_TTL_MIN=300
  967. fi
  968. }
  969. ##############################################################################
  970. unbound_resolv_setup() {
  971. if [ "$UNBOUND_N_RX_PORT" != "53" ] ; then
  972. return
  973. fi
  974. if [ -x /etc/init.d/dnsmasq ] && /etc/init.d/dnsmasq enabled \
  975. && nslookup localhost 127.0.0.1#53 >/dev/null 2>&1 ; then
  976. # unbound is configured for port 53, but dnsmasq is enabled and a resolver
  977. # listens on localhost:53, lets assume dnsmasq manages the resolver file.
  978. # TODO:
  979. # really check if dnsmasq runs a local (main) resolver in stead of using
  980. # nslookup that times out when no resolver listens on localhost:53.
  981. return
  982. fi
  983. # unbound is designated to listen on 127.0.0.1#53,
  984. # set resolver file to local.
  985. rm -f /tmp/resolv.conf
  986. {
  987. echo "# /tmp/resolv.conf generated by Unbound UCI $( date )"
  988. echo "nameserver 127.0.0.1"
  989. echo "nameserver ::1"
  990. echo "search $UNBOUND_TXT_DOMAIN."
  991. } > /tmp/resolv.conf
  992. }
  993. ##############################################################################
  994. unbound_resolv_teardown() {
  995. case $( cat /tmp/resolv.conf ) in
  996. *"generated by Unbound UCI"*)
  997. # our resolver file, reset to auto resolver file.
  998. rm -f /tmp/resolv.conf
  999. ln -s /tmp/resolv.conf.auto /tmp/resolv.conf
  1000. ;;
  1001. esac
  1002. }
  1003. ##############################################################################
  1004. unbound_start() {
  1005. config_load unbound
  1006. config_foreach unbound_uci unbound
  1007. unbound_mkdir
  1008. if [ "$UNBOUND_B_MAN_CONF" -eq 0 ] ; then
  1009. unbound_conf
  1010. unbound_access
  1011. unbound_adblock
  1012. if [ "$UNBOUND_D_DHCP_LINK" = "dnsmasq" ] ; then
  1013. dnsmasq_link
  1014. else
  1015. unbound_hostname
  1016. unbound_records
  1017. fi
  1018. unbound_forward
  1019. unbound_auth_root
  1020. unbound_control
  1021. fi
  1022. unbound_resolv_setup
  1023. }
  1024. ##############################################################################
  1025. unbound_stop() {
  1026. unbound_resolv_teardown
  1027. rootzone_update
  1028. }
  1029. ##############################################################################