You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

840 lines
22 KiB

  1. #!/bin/sh
  2. ##############################################################################
  3. #
  4. # This program is free software; you can redistribute it and/or modify
  5. # it under the terms of the GNU General Public License version 2 as
  6. # published by the Free Software Foundation.
  7. #
  8. # This program is distributed in the hope that it will be useful,
  9. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  10. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  11. # GNU General Public License for more details.
  12. #
  13. # Copyright (C) 2016 Eric Luehrsen
  14. #
  15. ##############################################################################
  16. #
  17. # This builds the basic UCI components currently supported for Unbound. It is
  18. # intentionally NOT comprehensive and bundles a lot of options. The UCI is to
  19. # be a simpler presentation of the total Unbound conf set.
  20. #
  21. ##############################################################################
  22. UNBOUND_B_CONTROL=0
  23. UNBOUND_B_SLAAC6_MAC=0
  24. UNBOUND_B_DNSSEC=0
  25. UNBOUND_B_DNS64=0
  26. UNBOUND_B_GATE_NAME=0
  27. UNBOUND_B_HIDE_BIND=1
  28. UNBOUND_B_LOCL_BLCK=0
  29. UNBOUND_B_LOCL_SERV=1
  30. UNBOUND_B_MAN_CONF=0
  31. UNBOUND_B_NTP_BOOT=1
  32. UNBOUND_B_PRIV_BLCK=1
  33. UNBOUND_B_QUERY_MIN=0
  34. UNBOUND_B_QRY_MINST=0
  35. UNBOUND_D_DOMAIN_TYPE=static
  36. UNBOUND_D_DHCP_LINK=none
  37. UNBOUND_D_LAN_FQDN=0
  38. UNBOUND_D_PROTOCOL=mixed
  39. UNBOUND_D_RESOURCE=small
  40. UNBOUND_D_RECURSION=passive
  41. UNBOUND_D_WAN_FQDN=0
  42. UNBOUND_IP_DNS64="64:ff9b::/96"
  43. UNBOUND_N_EDNS_SIZE=1280
  44. UNBOUND_N_FWD_PORTS=""
  45. UNBOUND_N_RX_PORT=53
  46. UNBOUND_N_ROOT_AGE=28
  47. UNBOUND_TTL_MIN=120
  48. UNBOUND_TXT_DOMAIN=lan
  49. UNBOUND_TXT_FWD_ZONE=""
  50. UNBOUND_TXT_HOSTNAME=thisrouter
  51. ##############################################################################
  52. UNBOUND_LIBDIR=/usr/lib/unbound
  53. UNBOUND_VARDIR=/var/lib/unbound
  54. UNBOUND_PIDFILE=/var/run/unbound.pid
  55. UNBOUND_SRV_CONF=$UNBOUND_VARDIR/unbound_srv.conf
  56. UNBOUND_EXT_CONF=$UNBOUND_VARDIR/unbound_ext.conf
  57. UNBOUND_CONFFILE=$UNBOUND_VARDIR/unbound.conf
  58. UNBOUND_KEYFILE=$UNBOUND_VARDIR/root.key
  59. UNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hints
  60. UNBOUND_TIMEFILE=$UNBOUND_VARDIR/unbound.time
  61. ##############################################################################
  62. UNBOUND_ANCHOR=/usr/sbin/unbound-anchor
  63. UNBOUND_CONTROL=/usr/sbin/unbound-control
  64. UNBOUND_CONTROL_CFG="$UNBOUND_CONTROL -c $UNBOUND_CONFFILE"
  65. ##############################################################################
  66. . /lib/functions.sh
  67. . /lib/functions/network.sh
  68. . $UNBOUND_LIBDIR/dnsmasq.sh
  69. . $UNBOUND_LIBDIR/iptools.sh
  70. . $UNBOUND_LIBDIR/rootzone.sh
  71. ##############################################################################
  72. create_interface_dns() {
  73. local cfg="$1"
  74. local ipcommand logint ignore ifname ifdashname
  75. local name names address addresses
  76. local ulaprefix if_fqdn host_fqdn mode mode_ptr
  77. # Create local-data: references for this hosts interfaces (router).
  78. config_get logint "$cfg" interface
  79. config_get_bool ignore "$cfg" ignore 0
  80. network_get_device ifname "$cfg"
  81. ifdashname="${ifname//./-}"
  82. ipcommand="ip -o address show $ifname"
  83. addresses="$($ipcommand | awk '/inet/{sub(/\/.*/,"",$4); print $4}')"
  84. ulaprefix="$(uci_get network @globals[0] ula_prefix)"
  85. host_fqdn="$UNBOUND_TXT_HOSTNAME.$UNBOUND_TXT_DOMAIN"
  86. if_fqdn="$ifdashname.$host_fqdn"
  87. if [ "$ignore" -gt 0 ] ; then
  88. mode="$UNBOUND_D_WAN_FQDN"
  89. else
  90. mode="$UNBOUND_D_LAN_FQDN"
  91. fi
  92. case "$mode" in
  93. 3)
  94. mode_ptr="$host_fqdn"
  95. names="$host_fqdn $UNBOUND_TXT_HOSTNAME"
  96. ;;
  97. 4)
  98. mode_ptr="$if_fqdn"
  99. names="$if_fqdn $host_fqdn $UNBOUND_TXT_HOSTNAME"
  100. ;;
  101. *)
  102. mode_ptr="$UNBOUND_TXT_HOSTNAME"
  103. names="$UNBOUND_TXT_HOSTNAME"
  104. ;;
  105. esac
  106. if [ "$mode" -gt 1 ] ; then
  107. {
  108. for address in $addresses ; do
  109. case $address in
  110. fe80:*|169.254.*)
  111. echo " # note link address $address"
  112. ;;
  113. [1-9a-f]*:*[0-9a-f])
  114. # GA and ULA IP6 for HOST IN AAA records (ip command is robust)
  115. for name in $names ; do
  116. echo " local-data: \"$name. 120 IN AAAA $address\""
  117. done
  118. echo " local-data-ptr: \"$address 120 $mode_ptr\""
  119. ;;
  120. [1-9]*.*[0-9])
  121. # Old fashioned HOST IN A records
  122. for name in $names ; do
  123. echo " local-data: \"$name. 120 IN A $address\""
  124. done
  125. echo " local-data-ptr: \"$address 120 $mode_ptr\""
  126. ;;
  127. esac
  128. done
  129. echo
  130. } >> $UNBOUND_CONFFILE
  131. elif [ "$mode" -gt 0 ] ; then
  132. {
  133. for address in $addresses ; do
  134. case $address in
  135. fe80:*|169.254.*)
  136. echo " # note link address $address"
  137. ;;
  138. "${ulaprefix%%:/*}"*)
  139. # Only this networks ULA and only hostname
  140. echo " local-data: \"$UNBOUND_TXT_HOSTNAME. 120 IN AAAA $address\""
  141. echo " local-data-ptr: \"$address 120 $UNBOUND_TXT_HOSTNAME\""
  142. ;;
  143. [1-9]*.*[0-9])
  144. echo " local-data: \"$UNBOUND_TXT_HOSTNAME. 120 IN A $address\""
  145. echo " local-data-ptr: \"$address 120 $UNBOUND_TXT_HOSTNAME\""
  146. ;;
  147. esac
  148. done
  149. echo
  150. } >> $UNBOUND_CONFFILE
  151. fi
  152. }
  153. ##############################################################################
  154. create_access_control() {
  155. local cfg="$1"
  156. local subnets subnets4 subnets6
  157. local validip4 validip6
  158. network_get_subnets subnets4 "$cfg"
  159. network_get_subnets6 subnets6 "$cfg"
  160. subnets="$subnets4 $subnets6"
  161. if [ -n "$subnets" ] ; then
  162. for subnet in $subnets ; do
  163. validip4=$( valid_subnet4 $subnet )
  164. validip6=$( valid_subnet6 $subnet )
  165. if [ "$validip4" = "ok" -o "$validip6" = "ok" ] ; then
  166. # For each "network" UCI add "access-control:" white list for queries
  167. echo " access-control: $subnet allow" >> $UNBOUND_CONFFILE
  168. fi
  169. done
  170. fi
  171. }
  172. ##############################################################################
  173. create_domain_insecure() {
  174. echo " domain-insecure: \"$1\"" >> $UNBOUND_CONFFILE
  175. }
  176. ##############################################################################
  177. unbound_mkdir() {
  178. local resolvsym=0
  179. local dhcp_origin=$( uci get dhcp.@odhcpd[0].leasefile )
  180. local dhcp_dir=$( dirname "$dhcp_origin" )
  181. if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then
  182. resolvsym=1
  183. else
  184. /etc/init.d/dnsmasq enabled || resolvsym=1
  185. fi
  186. if [ "$resolvsym" -gt 0 ] ; then
  187. rm -f /tmp/resolv.conf
  188. {
  189. # Set resolver file to local but not if /etc/init.d/dnsmasq will do it.
  190. echo "nameserver 127.0.0.1"
  191. echo "nameserver ::1"
  192. echo "search $UNBOUND_TXT_DOMAIN"
  193. } > /tmp/resolv.conf
  194. fi
  195. if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" -a ! -d "$dhcp_dir" ] ; then
  196. # make sure odhcpd has a directory to write (not done itself, yet)
  197. mkdir -p "$dhcp_dir"
  198. fi
  199. mkdir -p $UNBOUND_VARDIR
  200. rm -f $UNBOUND_VARDIR/dhcp_*
  201. touch $UNBOUND_CONFFILE
  202. touch $UNBOUND_SRV_CONF
  203. touch $UNBOUND_EXT_CONF
  204. cp -p /etc/unbound/* $UNBOUND_VARDIR/
  205. if [ ! -f $UNBOUND_HINTFILE ] ; then
  206. if [ -f /usr/share/dns/root.hints ] ; then
  207. # Debian-like package dns-root-data
  208. cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
  209. else
  210. logger -t unbound -s "iterator will use built-in root hints"
  211. fi
  212. fi
  213. if [ ! -f $UNBOUND_KEYFILE ] ; then
  214. if [ -f /usr/share/dns/root.key ] ; then
  215. # Debian-like package dns-root-data
  216. cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE
  217. elif [ -x "$UNBOUND_ANCHOR" ] ; then
  218. $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
  219. else
  220. logger -t unbound -s "validator will use built-in trust anchor"
  221. fi
  222. fi
  223. # Ensure access and prepare to jail
  224. chown -R unbound:unbound $UNBOUND_VARDIR
  225. chmod 775 $UNBOUND_VARDIR
  226. chmod 664 $UNBOUND_VARDIR/*
  227. }
  228. ##############################################################################
  229. unbound_control() {
  230. if [ "$UNBOUND_B_CONTROL" -gt 0 ] ; then
  231. {
  232. # Enable remote control tool, but only at local host for security
  233. # You can hand write fancier encrypted access with /etc/..._ext.conf
  234. echo "remote-control:"
  235. echo " control-enable: yes"
  236. echo " control-use-cert: no"
  237. echo " control-interface: 127.0.0.1"
  238. echo " control-interface: ::1"
  239. echo
  240. } >> $UNBOUND_CONFFILE
  241. fi
  242. {
  243. # Amend your own extended clauses here like forward zones or disable
  244. # above (local, no encryption) and amend your own remote encrypted control
  245. echo
  246. echo "include: $UNBOUND_EXT_CONF" >> $UNBOUND_CONFFILE
  247. echo
  248. } >> $UNBOUND_CONFFILE
  249. }
  250. ##############################################################################
  251. unbound_conf() {
  252. local cfg="$1"
  253. local rt_mem rt_conn modulestring
  254. {
  255. # Make fresh conf file
  256. echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
  257. echo
  258. } > $UNBOUND_CONFFILE
  259. {
  260. # No threading
  261. echo "server:"
  262. echo " username: unbound"
  263. echo " num-threads: 1"
  264. echo " msg-cache-slabs: 1"
  265. echo " rrset-cache-slabs: 1"
  266. echo " infra-cache-slabs: 1"
  267. echo " key-cache-slabs: 1"
  268. echo
  269. } >> $UNBOUND_CONFFILE
  270. {
  271. # Logging
  272. echo " verbosity: 1"
  273. echo " statistics-interval: 0"
  274. echo " statistics-cumulative: no"
  275. echo " extended-statistics: no"
  276. echo
  277. } >> $UNBOUND_CONFFILE
  278. {
  279. # Interfaces (access contol "option local_service")
  280. echo " interface: 0.0.0.0"
  281. echo " interface: ::0"
  282. echo " outgoing-interface: 0.0.0.0"
  283. echo " outgoing-interface: ::0"
  284. echo
  285. } >> $UNBOUND_CONFFILE
  286. case "$UNBOUND_D_PROTOCOL" in
  287. ip4_only)
  288. {
  289. echo " do-ip4: yes"
  290. echo " do-ip6: no"
  291. } >> $UNBOUND_CONFFILE
  292. ;;
  293. ip6_only)
  294. {
  295. echo " do-ip4: no"
  296. echo " do-ip6: yes"
  297. } >> $UNBOUND_CONFFILE
  298. ;;
  299. ip6_prefer)
  300. {
  301. echo " do-ip4: yes"
  302. echo " do-ip6: yes"
  303. echo " prefer-ip6: yes"
  304. } >> $UNBOUND_CONFFILE
  305. ;;
  306. *)
  307. {
  308. echo " do-ip4: yes"
  309. echo " do-ip6: yes"
  310. } >> $UNBOUND_CONFFILE
  311. ;;
  312. esac
  313. {
  314. # protocol level tuning
  315. echo " edns-buffer-size: $UNBOUND_N_EDNS_SIZE"
  316. echo " msg-buffer-size: 8192"
  317. echo " port: $UNBOUND_N_RX_PORT"
  318. echo " outgoing-port-permit: 10240-65535"
  319. echo
  320. } >> $UNBOUND_CONFFILE
  321. {
  322. # Other harding and options for an embedded router
  323. echo " harden-short-bufsize: yes"
  324. echo " harden-large-queries: yes"
  325. echo " harden-glue: yes"
  326. echo " harden-below-nxdomain: no"
  327. echo " harden-referral-path: no"
  328. echo " use-caps-for-id: no"
  329. echo
  330. } >> $UNBOUND_CONFFILE
  331. {
  332. # Default Files
  333. echo " use-syslog: yes"
  334. echo " chroot: \"$UNBOUND_VARDIR\""
  335. echo " directory: \"$UNBOUND_VARDIR\""
  336. echo " pidfile: \"$UNBOUND_PIDFILE\""
  337. } >> $UNBOUND_CONFFILE
  338. if [ -f "$UNBOUND_HINTFILE" ] ; then
  339. # Optional hints if found
  340. echo " root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE
  341. fi
  342. if [ "$UNBOUND_B_DNSSEC" -gt 0 -a -f "$UNBOUND_KEYFILE" ] ; then
  343. {
  344. echo " auto-trust-anchor-file: \"$UNBOUND_KEYFILE\""
  345. echo
  346. } >> $UNBOUND_CONFFILE
  347. else
  348. echo >> $UNBOUND_CONFFILE
  349. fi
  350. case "$UNBOUND_D_RESOURCE" in
  351. # Tiny - Unbound's recommended cheap hardware config
  352. tiny) rt_mem=1 ; rt_conn=1 ;;
  353. # Small - Half RRCACHE and open ports
  354. small) rt_mem=8 ; rt_conn=5 ;;
  355. # Medium - Nearly default but with some added balancintg
  356. medium) rt_mem=16 ; rt_conn=10 ;;
  357. # Large - Double medium
  358. large) rt_mem=32 ; rt_conn=10 ;;
  359. # Whatever unbound does
  360. *) rt_mem=0 ; rt_conn=0 ;;
  361. esac
  362. if [ "$rt_mem" -gt 0 ] ; then
  363. {
  364. # Set memory sizing parameters
  365. echo " outgoing-range: $(($rt_conn*64))"
  366. echo " num-queries-per-thread: $(($rt_conn*32))"
  367. echo " outgoing-num-tcp: $(($rt_conn))"
  368. echo " incoming-num-tcp: $(($rt_conn))"
  369. echo " rrset-cache-size: $(($rt_mem*256))k"
  370. echo " msg-cache-size: $(($rt_mem*128))k"
  371. echo " key-cache-size: $(($rt_mem*128))k"
  372. echo " neg-cache-size: $(($rt_mem*64))k"
  373. echo " infra-cache-numhosts: $(($rt_mem*256))"
  374. echo
  375. } >> $UNBOUND_CONFFILE
  376. else
  377. logger -t unbound -s "default memory resource consumption"
  378. fi
  379. # Assembly of module-config: options is tricky; order matters
  380. modulestring="iterator"
  381. if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
  382. if [ ! -f "$UNBOUND_TIMEFILE" -a "$UNBOUND_B_NTP_BOOT" -gt 0 ] ; then
  383. # DNSSEC chicken and egg with getting NTP time
  384. echo " val-override-date: -1" >> $UNBOUND_CONFFILE
  385. fi
  386. {
  387. echo " harden-dnssec-stripped: yes"
  388. echo " val-clean-additional: yes"
  389. echo " ignore-cd-flag: yes"
  390. } >> $UNBOUND_CONFFILE
  391. modulestring="validator $modulestring"
  392. fi
  393. if [ "$UNBOUND_B_DNS64" -gt 0 ] ; then
  394. echo " dns64-prefix: $UNBOUND_IP_DNS64" >> $UNBOUND_CONFFILE
  395. modulestring="dns64 $modulestring"
  396. fi
  397. {
  398. # Print final module string
  399. echo " module-config: \"$modulestring\""
  400. echo
  401. } >> $UNBOUND_CONFFILE
  402. if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
  403. {
  404. # Some query privacy but "strict" will break some name servers
  405. echo " qname-minimisation: yes"
  406. echo " qname-minimisation-strict: yes"
  407. } >> $UNBOUND_CONFFILE
  408. elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
  409. # Minor improvement on query privacy
  410. echo " qname-minimisation: yes" >> $UNBOUND_CONFFILE
  411. else
  412. echo " qname-minimisation: no" >> $UNBOUND_CONFFILE
  413. fi
  414. case "$UNBOUND_D_RECURSION" in
  415. passive)
  416. {
  417. echo " prefetch: no"
  418. echo " prefetch-key: no"
  419. echo " target-fetch-policy: \"0 0 0 0 0\""
  420. echo
  421. } >> $UNBOUND_CONFFILE
  422. ;;
  423. aggressive)
  424. {
  425. echo " prefetch: yes"
  426. echo " prefetch-key: yes"
  427. echo " target-fetch-policy: \"3 2 1 0 0\""
  428. echo
  429. } >> $UNBOUND_CONFFILE
  430. ;;
  431. *)
  432. logger -t unbound -s "default recursion configuration"
  433. ;;
  434. esac
  435. {
  436. # Reload records more than 10 hours old
  437. # DNSSEC 5 minute bogus cool down before retry
  438. # Adaptive infrastructure info kept for 15 minutes
  439. echo " cache-min-ttl: $UNBOUND_TTL_MIN"
  440. echo " cache-max-ttl: 36000"
  441. echo " val-bogus-ttl: 300"
  442. echo " infra-host-ttl: 900"
  443. echo
  444. } >> $UNBOUND_CONFFILE
  445. if [ "$UNBOUND_B_HIDE_BIND" -gt 0 ] ; then
  446. {
  447. # Block server id and version DNS TXT records
  448. echo " hide-identity: yes"
  449. echo " hide-version: yes"
  450. echo
  451. } >> $UNBOUND_CONFFILE
  452. fi
  453. if [ "$UNBOUND_B_PRIV_BLCK" -gt 0 ] ; then
  454. {
  455. # Remove _upstream_ or global reponses with private addresses.
  456. # Unbounds own "local zone" and "forward zone" may still use these.
  457. # RFC1918, RFC3927, RFC4291, RFC6598, RFC6890
  458. echo " private-address: 10.0.0.0/8"
  459. echo " private-address: 100.64.0.0/10"
  460. echo " private-address: 169.254.0.0/16"
  461. echo " private-address: 172.16.0.0/12"
  462. echo " private-address: 192.168.0.0/16"
  463. echo " private-address: fc00::/8"
  464. echo " private-address: fd00::/8"
  465. echo " private-address: fe80::/10"
  466. } >> $UNBOUND_CONFFILE
  467. fi
  468. if [ "$UNBOUND_B_LOCL_BLCK" -gt 0 ] ; then
  469. {
  470. # Remove DNS reponses from upstream with loopback IP
  471. # Black hole DNS method for ad blocking, so consider...
  472. echo " private-address: 127.0.0.0/8"
  473. echo " private-address: ::1/128"
  474. echo
  475. } >> $UNBOUND_CONFFILE
  476. else
  477. echo >> $UNBOUND_CONFFILE
  478. fi
  479. # Except and accept domains as insecure (DNSSEC); work around broken domains
  480. config_list_foreach "$cfg" "domain_insecure" create_domain_insecure
  481. echo >> $UNBOUND_CONFFILE
  482. }
  483. ##############################################################################
  484. unbound_access() {
  485. # TODO: Unbound 1.6.0 added "tags" and "views", so we can add tags to
  486. # each access-control IP block, and then divert access.
  487. # -- "guest" WIFI will not be allowed to see local zone data
  488. # -- "child" LAN can black whole a list of domains to http~deadpixel
  489. if [ "$UNBOUND_B_LOCL_SERV" -gt 0 ] ; then
  490. # Only respond to queries from which this device has an interface.
  491. # Prevent DNS amplification attacks by not responding to the universe.
  492. config_load network
  493. config_foreach create_access_control interface
  494. {
  495. echo " access-control: 127.0.0.0/8 allow"
  496. echo " access-control: ::1/128 allow"
  497. echo " access-control: fe80::/10 allow"
  498. echo
  499. } >> $UNBOUND_CONFFILE
  500. else
  501. {
  502. echo " access-control: 0.0.0.0/0 allow"
  503. echo " access-control: ::0/0 allow"
  504. echo
  505. } >> $UNBOUND_CONFFILE
  506. fi
  507. {
  508. # Amend your own "server:" stuff here
  509. echo
  510. echo "include: $UNBOUND_SRV_CONF"
  511. echo
  512. } >> $UNBOUND_CONFFILE
  513. }
  514. ##############################################################################
  515. unbound_hostname() {
  516. if [ -n "$UNBOUND_TXT_DOMAIN" ] ; then
  517. {
  518. # TODO: Unbound 1.6.0 added "tags" and "views" and we could make
  519. # domains by interface to prevent DNS from "guest" to "home"
  520. echo " local-zone: $UNBOUND_TXT_DOMAIN. $UNBOUND_D_DOMAIN_TYPE"
  521. echo " domain-insecure: $UNBOUND_TXT_DOMAIN"
  522. echo " private-domain: $UNBOUND_TXT_DOMAIN"
  523. echo
  524. echo " local-zone: $UNBOUND_TXT_HOSTNAME. $UNBOUND_D_DOMAIN_TYPE"
  525. echo " domain-insecure: $UNBOUND_TXT_HOSTNAME"
  526. echo " private-domain: $UNBOUND_TXT_HOSTNAME"
  527. echo
  528. } >> $UNBOUND_CONFFILE
  529. case "$UNBOUND_D_DOMAIN_TYPE" in
  530. deny|inform_deny|refuse|static)
  531. {
  532. # avoid upstream involvement in RFC6762 like responses (link only)
  533. echo " local-zone: local. $UNBOUND_D_DOMAIN_TYPE"
  534. echo " domain-insecure: local"
  535. echo " private-domain: local"
  536. echo
  537. } >> $UNBOUND_CONFFILE
  538. ;;
  539. esac
  540. if [ "$UNBOUND_D_LAN_FQDN" -gt 0 -o "$UNBOUND_D_WAN_FQDN" -gt 0 ] ; then
  541. config_load dhcp
  542. config_foreach create_interface_dns dhcp
  543. fi
  544. fi
  545. }
  546. ##############################################################################
  547. unbound_uci() {
  548. local cfg="$1"
  549. local dnsmasqpath hostnm
  550. hostnm="$(uci_get system.@system[0].hostname | awk '{print tolower($0)}')"
  551. UNBOUND_TXT_HOSTNAME=${hostnm:-thisrouter}
  552. config_get_bool UNBOUND_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0
  553. config_get_bool UNBOUND_B_DNS64 "$cfg" dns64 0
  554. config_get_bool UNBOUND_B_HIDE_BIND "$cfg" hide_binddata 1
  555. config_get_bool UNBOUND_B_LOCL_SERV "$cfg" localservice 1
  556. config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0
  557. config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0
  558. config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0
  559. config_get_bool UNBOUND_B_PRIV_BLCK "$cfg" rebind_protection 1
  560. config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
  561. config_get_bool UNBOUND_B_CONTROL "$cfg" unbound_control 0
  562. config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
  563. config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
  564. config_get UNBOUND_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96"
  565. config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280
  566. config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53
  567. config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 7
  568. config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static
  569. config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none
  570. config_get UNBOUND_D_LAN_FQDN "$cfg" add_local_fqdn 0
  571. config_get UNBOUND_D_PROTOCOL "$cfg" protocol mixed
  572. config_get UNBOUND_D_RECURSION "$cfg" recursion passive
  573. config_get UNBOUND_D_RESOURCE "$cfg" resource small
  574. config_get UNBOUND_D_WAN_FQDN "$cfg" add_wan_fqdn 0
  575. config_get UNBOUND_TTL_MIN "$cfg" ttl_min 120
  576. config_get UNBOUND_TXT_DOMAIN "$cfg" domain lan
  577. if [ "$UNBOUND_D_DHCP_LINK" = "none" ] ; then
  578. config_get_bool UNBOUND_B_DNSMASQ "$cfg" dnsmasq_link_dns 0
  579. if [ "$UNBOUND_B_DNSMASQ" -gt 0 ] ; then
  580. UNBOUND_D_DHCP_LINK=dnsmasq
  581. logger -t unbound -s "Please use 'dhcp_link' selector instead"
  582. fi
  583. fi
  584. if [ "$UNBOUND_D_DHCP_LINK" = "dnsmasq" ] ; then
  585. if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then
  586. UNBOUND_D_DHCP_LINK=none
  587. else
  588. /etc/init.d/dnsmasq enabled || UNBOUND_D_DHCP_LINK=none
  589. fi
  590. if [ "$UNBOUND_D_DHCP_LINK" = "none" ] ; then
  591. logger -t unbound -s "cannot forward to dnsmasq"
  592. fi
  593. fi
  594. if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" ] ; then
  595. if [ ! -x /usr/sbin/odhcpd -o ! -x /etc/init.d/odhcpd ] ; then
  596. UNBOUND_D_DHCP_LINK=none
  597. else
  598. /etc/init.d/odhcpd enabled || UNBOUND_D_DHCP_LINK=none
  599. fi
  600. if [ "$UNBOUND_D_DHCP_LINK" = "none" ] ; then
  601. logger -t unbound -s "cannot receive records from odhcpd"
  602. fi
  603. fi
  604. if [ "$UNBOUND_N_EDNS_SIZE" -lt 512 \
  605. -o 4096 -lt "$UNBOUND_N_EDNS_SIZE" ] ; then
  606. # exceeds range, back to default
  607. UNBOUND_N_EDNS_SIZE=1280
  608. fi
  609. if [ "$UNBOUND_N_RX_PORT" -lt 1024 \
  610. -o 10240 -lt "$UNBOUND_N_RX_PORT" ] ; then
  611. # special port or in 5 digits, back to default
  612. UNBOUND_N_RX_PORT=53
  613. fi
  614. if [ "$UNBOUND_TTL_MIN" -gt 1800 ] ; then
  615. # that could have had awful side effects
  616. UNBOUND_TTL_MIN=300
  617. fi
  618. }
  619. ##############################################################################
  620. unbound_start() {
  621. config_load unbound
  622. config_foreach unbound_uci unbound
  623. unbound_mkdir
  624. if [ "$UNBOUND_B_MAN_CONF" -eq 0 ] ; then
  625. unbound_conf
  626. unbound_access
  627. if [ "$UNBOUND_D_DHCP_LINK" = "dnsmasq" ] ; then
  628. dnsmasq_link
  629. else
  630. unbound_hostname
  631. fi
  632. unbound_control
  633. fi
  634. }
  635. ##############################################################################
  636. unbound_stop() {
  637. local resolvsym=0
  638. rootzone_update
  639. if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then
  640. resolvsym=1
  641. else
  642. /etc/init.d/dnsmasq enabled || resolvsym=1
  643. fi
  644. if [ "$resolvsym" -gt 0 ] ; then
  645. # set resolver file to normal, but don't stomp on dnsmasq
  646. rm -f /tmp/resolv.conf
  647. ln -s /tmp/resolv.conf.auto /tmp/resolv.conf
  648. fi
  649. # Unbound has a log dump which takes time; don't overlap a "restart"
  650. sleep 1
  651. }
  652. ##############################################################################