You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

1249 lines
33 KiB

  1. #!/bin/sh
  2. ##############################################################################
  3. #
  4. # This program is free software; you can redistribute it and/or modify
  5. # it under the terms of the GNU General Public License version 2 as
  6. # published by the Free Software Foundation.
  7. #
  8. # This program is distributed in the hope that it will be useful,
  9. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  10. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  11. # GNU General Public License for more details.
  12. #
  13. # Copyright (C) 2016 Eric Luehrsen
  14. #
  15. ##############################################################################
  16. #
  17. # Unbound is a full featured recursive server with many options. The UCI
  18. # provided tries to simplify and bundle options. This should make Unbound
  19. # easier to deploy. Even light duty routers may resolve recursively instead of
  20. # depending on a stub with the ISP. The UCI also attempts to replicate dnsmasq
  21. # features as used in base LEDE/OpenWrt. If there is a desire for more
  22. # detailed tuning, then manual conf file overrides are also made available.
  23. #
  24. ##############################################################################
  25. UNBOUND_B_SLAAC6_MAC=0
  26. UNBOUND_B_DNSSEC=0
  27. UNBOUND_B_DNS64=0
  28. UNBOUND_B_EXT_STATS=0
  29. UNBOUND_B_GATE_NAME=0
  30. UNBOUND_B_HIDE_BIND=1
  31. UNBOUND_B_LOCL_BLCK=0
  32. UNBOUND_B_LOCL_SERV=1
  33. UNBOUND_B_MAN_CONF=0
  34. UNBOUND_B_NTP_BOOT=1
  35. UNBOUND_B_QUERY_MIN=0
  36. UNBOUND_B_QRY_MINST=0
  37. UNBOUND_D_CONTROL=0
  38. UNBOUND_D_DOMAIN_TYPE=static
  39. UNBOUND_D_DHCP_LINK=none
  40. UNBOUND_D_EXTRA_DNS=0
  41. UNBOUND_D_LAN_FQDN=0
  42. UNBOUND_D_PRIV_BLCK=1
  43. UNBOUND_D_PROTOCOL=mixed
  44. UNBOUND_D_RESOURCE=small
  45. UNBOUND_D_RECURSION=passive
  46. UNBOUND_D_WAN_FQDN=0
  47. UNBOUND_IP_DNS64="64:ff9b::/96"
  48. UNBOUND_N_EDNS_SIZE=1280
  49. UNBOUND_N_FWD_PORTS=""
  50. UNBOUND_N_RX_PORT=53
  51. UNBOUND_N_ROOT_AGE=9
  52. UNBOUND_TTL_MIN=120
  53. UNBOUND_TXT_DOMAIN=lan
  54. UNBOUND_TXT_FWD_ZONE=""
  55. UNBOUND_TXT_HOSTNAME=thisrouter
  56. UNBOUND_LIST_FORWARD=""
  57. UNBOUND_LIST_INSECURE=""
  58. UNBOUND_LIST_PRV_SUBNET=""
  59. ##############################################################################
  60. # keep track of local-domain: assignments during inserted resource records
  61. UNBOUND_LIST_DOMAINS=""
  62. ##############################################################################
  63. . /lib/functions.sh
  64. . /lib/functions/network.sh
  65. . /usr/lib/unbound/defaults.sh
  66. . /usr/lib/unbound/dnsmasq.sh
  67. . /usr/lib/unbound/iptools.sh
  68. . /usr/lib/unbound/rootzone.sh
  69. ##############################################################################
  70. copy_dash_update() {
  71. # TODO: remove this function and use builtins when this issues is resovled.
  72. # Due to OpenWrt/LEDE divergence "cp -u" isn't yet universally available.
  73. local filetime keeptime
  74. if [ -f $UNBOUND_KEYFILE.keep ] ; then
  75. # root.key.keep is reused if newest
  76. filetime=$( date -r $UNBOUND_KEYFILE +%s )
  77. keeptime=$( date -r $UNBOUND_KEYFILE.keep +%s )
  78. if [ $keeptime -gt $filetime ] ; then
  79. cp $UNBOUND_KEYFILE.keep $UNBOUND_KEYFILE
  80. fi
  81. rm -f $UNBOUND_KEYFILE.keep
  82. fi
  83. }
  84. ##############################################################################
  85. create_interface_dns() {
  86. local cfg="$1"
  87. local ipcommand logint ignore ifname ifdashname
  88. local name names address addresses
  89. local ulaprefix if_fqdn host_fqdn mode mode_ptr
  90. # Create local-data: references for this hosts interfaces (router).
  91. config_get logint "$cfg" interface
  92. config_get_bool ignore "$cfg" ignore 0
  93. network_get_device ifname "$cfg"
  94. ifdashname="${ifname//./-}"
  95. ipcommand="ip -o address show $ifname"
  96. addresses=$( $ipcommand | awk '/inet/{sub(/\/.*/,"",$4); print $4}' )
  97. ulaprefix=$( uci_get network.@globals[0].ula_prefix )
  98. host_fqdn="$UNBOUND_TXT_HOSTNAME.$UNBOUND_TXT_DOMAIN"
  99. if_fqdn="$ifdashname.$host_fqdn"
  100. if [ -z "${ulaprefix%%:/*}" ] ; then
  101. # Nonsense so this option isn't globbed below
  102. ulaprefix="fdno:such:addr::/48"
  103. fi
  104. if [ "$ignore" -gt 0 ] ; then
  105. mode="$UNBOUND_D_WAN_FQDN"
  106. else
  107. mode="$UNBOUND_D_LAN_FQDN"
  108. fi
  109. case "$mode" in
  110. 3)
  111. mode_ptr="$host_fqdn"
  112. names="$host_fqdn $UNBOUND_TXT_HOSTNAME"
  113. ;;
  114. 4)
  115. if [ -z "$ifdashname" ] ; then
  116. # race conditions at init can rarely cause a blank device return
  117. # the record format is invalid and Unbound won't load the conf file
  118. mode_ptr="$host_fqdn"
  119. names="$host_fqdn $UNBOUND_TXT_HOSTNAME"
  120. else
  121. mode_ptr="$if_fqdn"
  122. names="$if_fqdn $host_fqdn $UNBOUND_TXT_HOSTNAME"
  123. fi
  124. ;;
  125. *)
  126. mode_ptr="$UNBOUND_TXT_HOSTNAME"
  127. names="$UNBOUND_TXT_HOSTNAME"
  128. ;;
  129. esac
  130. if [ "$mode" -gt 1 ] ; then
  131. {
  132. for address in $addresses ; do
  133. case $address in
  134. fe80:*|169.254.*)
  135. echo " # note link address $address"
  136. ;;
  137. [1-9a-f]*:*[0-9a-f])
  138. # GA and ULA IP6 for HOST IN AAA records (ip command is robust)
  139. for name in $names ; do
  140. echo " local-data: \"$name. 120 IN AAAA $address\""
  141. done
  142. echo " local-data-ptr: \"$address 120 $mode_ptr\""
  143. ;;
  144. [1-9]*.*[0-9])
  145. # Old fashioned HOST IN A records
  146. for name in $names ; do
  147. echo " local-data: \"$name. 120 IN A $address\""
  148. done
  149. echo " local-data-ptr: \"$address 120 $mode_ptr\""
  150. ;;
  151. esac
  152. done
  153. echo
  154. } >> $UNBOUND_CONFFILE
  155. elif [ "$mode" -gt 0 ] ; then
  156. {
  157. for address in $addresses ; do
  158. case $address in
  159. fe80:*|169.254.*)
  160. echo " # note link address $address"
  161. ;;
  162. "${ulaprefix%%:/*}"*)
  163. # Only this networks ULA and only hostname
  164. echo " local-data: \"$UNBOUND_TXT_HOSTNAME. 120 IN AAAA $address\""
  165. echo " local-data-ptr: \"$address 120 $UNBOUND_TXT_HOSTNAME\""
  166. ;;
  167. [1-9]*.*[0-9])
  168. echo " local-data: \"$UNBOUND_TXT_HOSTNAME. 120 IN A $address\""
  169. echo " local-data-ptr: \"$address 120 $UNBOUND_TXT_HOSTNAME\""
  170. ;;
  171. esac
  172. done
  173. echo
  174. } >> $UNBOUND_CONFFILE
  175. fi
  176. }
  177. ##############################################################################
  178. create_local_zone() {
  179. local target="$1"
  180. local partial domain found
  181. if [ -n "$UNBOUND_LIST_DOMAINS" ] ; then
  182. for domain in $UNBOUND_LIST_DOMAINS ; do
  183. case $target in
  184. *"${domain}")
  185. found=1
  186. break
  187. ;;
  188. [A-Za-z0-9]*.[A-Za-z0-9]*)
  189. found=0
  190. ;;
  191. *) # no dots
  192. found=1
  193. break
  194. ;;
  195. esac
  196. done
  197. else
  198. found=0
  199. fi
  200. if [ $found -eq 0 ] ; then
  201. # New Zone! Bundle local-zones: by first two name tiers "abcd.tld."
  202. partial=$( echo "$target" | awk -F. '{ j=NF ; i=j-1; print $i"."$j }' )
  203. UNBOUND_LIST_DOMAINS="$UNBOUND_LIST_DOMAINS $partial"
  204. echo " local-zone: $partial. transparent" >> $UNBOUND_CONFFILE
  205. fi
  206. }
  207. ##############################################################################
  208. create_host_record() {
  209. local cfg="$1"
  210. local ip name
  211. # basefiles dhcp "domain" clause which means host A, AAAA, and PRT record
  212. config_get ip "$cfg" ip
  213. config_get name "$cfg" name
  214. if [ -n "$name" -a -n "$ip" ] ; then
  215. create_local_zone "$name"
  216. {
  217. case $ip in
  218. fe80:*|169.254.*)
  219. echo " # note link address $ip for host $name"
  220. ;;
  221. [1-9a-f]*:*[0-9a-f])
  222. echo " local-data: \"$name. 120 IN AAAA $ip\""
  223. echo " local-data-ptr: \"$ip 120 $name\""
  224. ;;
  225. [1-9]*.*[0-9])
  226. echo " local-data: \"$name. 120 IN A $ip\""
  227. echo " local-data-ptr: \"$ip 120 $name\""
  228. ;;
  229. esac
  230. } >> $UNBOUND_CONFFILE
  231. fi
  232. }
  233. ##############################################################################
  234. create_mx_record() {
  235. local cfg="$1"
  236. local domain relay pref
  237. # Insert a static MX record
  238. config_get domain "$cfg" domain
  239. config_get relay "$cfg" relay
  240. config_get pref "$cfg" pref 10
  241. if [ -n "$domain" -a -n "$relay" ] ; then
  242. create_local_zone "$domain"
  243. echo " local-data: \"$domain. 120 IN MX $pref $relay.\"" \
  244. >> $UNBOUND_CONFFILE
  245. fi
  246. }
  247. ##############################################################################
  248. create_srv_record() {
  249. local cfg="$1"
  250. local srv target port class weight
  251. # Insert a static SRV record such as SIP server
  252. config_get srv "$cfg" srv
  253. config_get target "$cfg" target
  254. config_get port "$cfg" port
  255. config_get class "$cfg" class 10
  256. config_get weight "$cfg" weight 10
  257. if [ -n "$srv" -a -n "$target" -a -n "$port" ] ; then
  258. create_local_zone "$srv"
  259. echo " local-data: \"$srv. 120 IN SRV $class $weight $port $target.\"" \
  260. >> $UNBOUND_CONFFILE
  261. fi
  262. }
  263. ##############################################################################
  264. create_cname_record() {
  265. local cfg="$1"
  266. local cname target
  267. # Insert static CNAME record
  268. config_get cname "$cfg" cname
  269. config_get target "$cfg" target
  270. if [ -n "$cname" -a -n "$target" ] ; then
  271. create_local_zone "$cname"
  272. echo " local-data: \"$cname. 120 IN CNAME $target.\"" >> $UNBOUND_CONFFILE
  273. fi
  274. }
  275. ##############################################################################
  276. create_access_control() {
  277. local cfg="$1"
  278. local subnets subnets4 subnets6
  279. local validip4 validip6
  280. network_get_subnets subnets4 "$cfg"
  281. network_get_subnets6 subnets6 "$cfg"
  282. subnets="$subnets4 $subnets6"
  283. if [ -n "$subnets" ] ; then
  284. for subnet in $subnets ; do
  285. validip4=$( valid_subnet4 $subnet )
  286. validip6=$( valid_subnet6 $subnet )
  287. if [ "$validip4" = "ok" -o "$validip6" = "ok" ] ; then
  288. # For each "network" UCI add "access-control:" white list for queries
  289. echo " access-control: $subnet allow" >> $UNBOUND_CONFFILE
  290. fi
  291. done
  292. fi
  293. }
  294. ##############################################################################
  295. bundle_domain_forward() {
  296. UNBOUND_LIST_FORWARD="$UNBOUND_LIST_FORWARD $1"
  297. }
  298. ##############################################################################
  299. bundle_domain_insecure() {
  300. UNBOUND_LIST_INSECURE="$UNBOUND_LIST_INSECURE $1"
  301. }
  302. ##############################################################################
  303. bundle_private_interface() {
  304. local ipcommand ifsubnet ifsubnets ifname
  305. network_get_device ifname $1
  306. if [ -n "$ifname" ] ; then
  307. ipcommand="ip -6 -o address show $ifname"
  308. ifsubnets=$( $ipcommand | awk '/inet6/{ print $4 }' )
  309. if [ -n "$ifsubnets" ] ; then
  310. for ifsubnet in $ifsubnets ; do
  311. case $ifsubnet in
  312. [1-9]*:*[0-9a-f])
  313. # Special GLA protection for local block; ULA protected as a catagory
  314. UNBOUND_LIST_PRV_SUBNET="$UNBOUND_LIST_PRV_SUBNET $ifsubnet" ;;
  315. esac
  316. done
  317. fi
  318. fi
  319. }
  320. ##############################################################################
  321. unbound_mkdir() {
  322. local filestuff
  323. if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" ] ; then
  324. local dhcp_origin=$( uci_get dhcp.@odhcpd[0].leasefile )
  325. local dhcp_dir=$( dirname $dhcp_origin )
  326. if [ ! -d "$dhcp_dir" ] ; then
  327. # make sure odhcpd has a directory to write (not done itself, yet)
  328. mkdir -p "$dhcp_dir"
  329. fi
  330. fi
  331. if [ -f $UNBOUND_KEYFILE ] ; then
  332. filestuff=$( cat $UNBOUND_KEYFILE )
  333. case "$filestuff" in
  334. *"state=2 [ VALID ]"*)
  335. # Lets not lose RFC 5011 tracking if we don't have to
  336. cp -p $UNBOUND_KEYFILE $UNBOUND_KEYFILE.keep
  337. ;;
  338. esac
  339. fi
  340. # Blind copy /etc/ to /var/lib/
  341. mkdir -p $UNBOUND_VARDIR
  342. rm -f $UNBOUND_VARDIR/dhcp_*
  343. touch $UNBOUND_CONFFILE
  344. touch $UNBOUND_SRV_CONF
  345. touch $UNBOUND_EXT_CONF
  346. cp -p /etc/unbound/* $UNBOUND_VARDIR/
  347. if [ ! -f $UNBOUND_HINTFILE ] ; then
  348. if [ -f /usr/share/dns/root.hints ] ; then
  349. # Debian-like package dns-root-data
  350. cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
  351. elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
  352. logger -t unbound -s "iterator will use built-in root hints"
  353. fi
  354. fi
  355. if [ ! -f $UNBOUND_KEYFILE ] ; then
  356. if [ -f /usr/share/dns/root.key ] ; then
  357. # Debian-like package dns-root-data
  358. cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE
  359. elif [ -x $UNBOUND_ANCHOR ] ; then
  360. $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
  361. elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
  362. logger -t unbound -s "validator will use built-in trust anchor"
  363. fi
  364. fi
  365. copy_dash_update
  366. # Ensure access and prepare to jail
  367. chown -R unbound:unbound $UNBOUND_VARDIR
  368. chmod 755 $UNBOUND_VARDIR
  369. chmod 644 $UNBOUND_VARDIR/*
  370. if [ -f $UNBOUND_CTLKEY_FILE -o -f $UNBOUND_CTLPEM_FILE \
  371. -o -f $UNBOUND_SRVKEY_FILE -o -f $UNBOUND_SRVPEM_FILE ] ; then
  372. # Keys (some) exist already; do not create new ones
  373. chmod 640 $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
  374. $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE
  375. elif [ -x /usr/sbin/unbound-control-setup ] ; then
  376. case "$UNBOUND_D_CONTROL" in
  377. [2-3])
  378. # unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static"
  379. /usr/sbin/unbound-control-setup -d $UNBOUND_VARDIR
  380. chown -R unbound:unbound $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
  381. $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE
  382. chmod 640 $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
  383. $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE
  384. cp -p $UNBOUND_CTLKEY_FILE /etc/unbound/unbound_control.key
  385. cp -p $UNBOUND_CTLPEM_FILE /etc/unbound/unbound_control.pem
  386. cp -p $UNBOUND_SRVKEY_FILE /etc/unbound/unbound_server.key
  387. cp -p $UNBOUND_SRVPEM_FILE /etc/unbound/unbound_server.pem
  388. ;;
  389. esac
  390. fi
  391. }
  392. ##############################################################################
  393. unbound_control() {
  394. if [ "$UNBOUND_D_CONTROL" -gt 1 ] ; then
  395. if [ ! -f $UNBOUND_CTLKEY_FILE -o ! -f $UNBOUND_CTLPEM_FILE \
  396. -o ! -f $UNBOUND_SRVKEY_FILE -o ! -f $UNBOUND_SRVPEM_FILE ] ; then
  397. # Key files need to be present; if unbound-control-setup was found, then
  398. # they might have been made during unbound_makedir() above.
  399. UNBOUND_D_CONTROL=0
  400. fi
  401. fi
  402. case "$UNBOUND_D_CONTROL" in
  403. 1)
  404. {
  405. # Local Host Only Unencrypted Remote Control
  406. echo "remote-control:"
  407. echo " control-enable: yes"
  408. echo " control-use-cert: no"
  409. echo " control-interface: 127.0.0.1"
  410. echo " control-interface: ::1"
  411. echo
  412. } >> $UNBOUND_CONFFILE
  413. ;;
  414. 2)
  415. {
  416. # Local Host Only Encrypted Remote Control
  417. echo "remote-control:"
  418. echo " control-enable: yes"
  419. echo " control-use-cert: yes"
  420. echo " control-interface: 127.0.0.1"
  421. echo " control-interface: ::1"
  422. echo " server-key-file: \"$UNBOUND_SRVKEY_FILE\""
  423. echo " server-cert-file: \"$UNBOUND_SRVPEM_FILE\""
  424. echo " control-key-file: \"$UNBOUND_CTLKEY_FILE\""
  425. echo " control-cert-file: \"$UNBOUND_CTLPEM_FILE\""
  426. echo
  427. } >> $UNBOUND_CONFFILE
  428. ;;
  429. [3-4])
  430. {
  431. # Network Encrypted Remote Control
  432. # (3) may auto setup and (4) must have static key/pem files
  433. # TODO: add UCI list for interfaces to bind
  434. echo "remote-control:"
  435. echo " control-enable: yes"
  436. echo " control-use-cert: yes"
  437. echo " control-interface: 0.0.0.0"
  438. echo " control-interface: ::0"
  439. echo " server-key-file: \"$UNBOUND_SRVKEY_FILE\""
  440. echo " server-cert-file: \"$UNBOUND_SRVPEM_FILE\""
  441. echo " control-key-file: \"$UNBOUND_CTLKEY_FILE\""
  442. echo " control-cert-file: \"$UNBOUND_CTLPEM_FILE\""
  443. echo
  444. } >> $UNBOUND_CONFFILE
  445. ;;
  446. esac
  447. {
  448. # Amend your own extended clauses here like forward zones or disable
  449. # above (local, no encryption) and amend your own remote encrypted control
  450. echo
  451. echo "include: $UNBOUND_EXT_CONF" >> $UNBOUND_CONFFILE
  452. echo
  453. } >> $UNBOUND_CONFFILE
  454. }
  455. ##############################################################################
  456. unbound_forward() {
  457. local fdomain fresolver resolvers
  458. # Forward selected domains to the upstream (WAN) stub resolver. This may be
  459. # faster or local pool addresses to ISP service login page. This may keep
  460. # internal organization lookups, well, internal to the organization.
  461. if [ -n "$UNBOUND_LIST_FORWARD" ] ; then
  462. resolvers=$( grep nameserver /tmp/resolv.conf.auto | sed "s/nameserver//g" )
  463. if [ -n "$resolvers" ] ; then
  464. for fdomain in $UNBOUND_LIST_FORWARD ; do
  465. {
  466. echo "forward-zone:"
  467. echo " name: \"$fdomain.\""
  468. for fresolver in $resolvers ; do
  469. echo " forward-addr: $fresolver"
  470. done
  471. echo
  472. } >> $UNBOUND_CONFFILE
  473. done
  474. fi
  475. fi
  476. }
  477. ##############################################################################
  478. unbound_conf() {
  479. local rt_mem rt_conn modulestring domain ifsubnet
  480. # Make fresh conf file
  481. echo > $UNBOUND_CONFFILE
  482. {
  483. # Make fresh conf file
  484. echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
  485. echo
  486. # No threading
  487. echo "server:"
  488. echo " username: unbound"
  489. echo " num-threads: 1"
  490. echo " msg-cache-slabs: 1"
  491. echo " rrset-cache-slabs: 1"
  492. echo " infra-cache-slabs: 1"
  493. echo " key-cache-slabs: 1"
  494. echo
  495. # Interface Wildcard (access contol handled by "option local_service")
  496. echo " interface: 0.0.0.0"
  497. echo " interface: ::0"
  498. echo " outgoing-interface: 0.0.0.0"
  499. echo " outgoing-interface: ::0"
  500. echo
  501. # Logging
  502. echo " verbosity: 1"
  503. echo " statistics-interval: 0"
  504. echo " statistics-cumulative: no"
  505. } >> $UNBOUND_CONFFILE
  506. if [ "$UNBOUND_B_EXT_STATS" -gt 0 ] ; then
  507. {
  508. # Log More
  509. echo " extended-statistics: yes"
  510. echo
  511. } >> $UNBOUND_CONFFILE
  512. else
  513. {
  514. # Log Less
  515. echo " extended-statistics: no"
  516. echo
  517. } >> $UNBOUND_CONFFILE
  518. fi
  519. case "$UNBOUND_D_PROTOCOL" in
  520. ip4_only)
  521. {
  522. echo " do-ip4: yes"
  523. echo " do-ip6: no"
  524. } >> $UNBOUND_CONFFILE
  525. ;;
  526. ip6_only)
  527. {
  528. echo " do-ip4: no"
  529. echo " do-ip6: yes"
  530. } >> $UNBOUND_CONFFILE
  531. ;;
  532. ip6_prefer)
  533. {
  534. echo " do-ip4: yes"
  535. echo " do-ip6: yes"
  536. echo " prefer-ip6: yes"
  537. } >> $UNBOUND_CONFFILE
  538. ;;
  539. *)
  540. {
  541. echo " do-ip4: yes"
  542. echo " do-ip6: yes"
  543. } >> $UNBOUND_CONFFILE
  544. ;;
  545. esac
  546. {
  547. # protocol level tuning
  548. echo " edns-buffer-size: $UNBOUND_N_EDNS_SIZE"
  549. echo " msg-buffer-size: 8192"
  550. echo " port: $UNBOUND_N_RX_PORT"
  551. echo " outgoing-port-permit: 10240-65535"
  552. echo
  553. } >> $UNBOUND_CONFFILE
  554. {
  555. # Other harding and options for an embedded router
  556. echo " harden-short-bufsize: yes"
  557. echo " harden-large-queries: yes"
  558. echo " harden-glue: yes"
  559. echo " harden-below-nxdomain: no"
  560. echo " harden-referral-path: no"
  561. echo " use-caps-for-id: no"
  562. echo
  563. } >> $UNBOUND_CONFFILE
  564. {
  565. # Default Files
  566. echo " use-syslog: yes"
  567. echo " chroot: \"$UNBOUND_VARDIR\""
  568. echo " directory: \"$UNBOUND_VARDIR\""
  569. echo " pidfile: \"$UNBOUND_PIDFILE\""
  570. } >> $UNBOUND_CONFFILE
  571. if [ -f "$UNBOUND_HINTFILE" ] ; then
  572. # Optional hints if found
  573. echo " root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE
  574. fi
  575. if [ "$UNBOUND_B_DNSSEC" -gt 0 -a -f "$UNBOUND_KEYFILE" ] ; then
  576. {
  577. echo " auto-trust-anchor-file: \"$UNBOUND_KEYFILE\""
  578. echo
  579. } >> $UNBOUND_CONFFILE
  580. else
  581. echo >> $UNBOUND_CONFFILE
  582. fi
  583. case "$UNBOUND_D_RESOURCE" in
  584. # Tiny - Unbound's recommended cheap hardware config
  585. tiny) rt_mem=1 ; rt_conn=1 ;;
  586. # Small - Half RRCACHE and open ports
  587. small) rt_mem=8 ; rt_conn=5 ;;
  588. # Medium - Nearly default but with some added balancintg
  589. medium) rt_mem=16 ; rt_conn=10 ;;
  590. # Large - Double medium
  591. large) rt_mem=32 ; rt_conn=10 ;;
  592. # Whatever unbound does
  593. *) rt_mem=0 ; rt_conn=0 ;;
  594. esac
  595. if [ "$rt_mem" -gt 0 ] ; then
  596. {
  597. # Set memory sizing parameters
  598. echo " outgoing-range: $(($rt_conn*64))"
  599. echo " num-queries-per-thread: $(($rt_conn*32))"
  600. echo " outgoing-num-tcp: $(($rt_conn))"
  601. echo " incoming-num-tcp: $(($rt_conn))"
  602. echo " rrset-cache-size: $(($rt_mem*256))k"
  603. echo " msg-cache-size: $(($rt_mem*128))k"
  604. echo " key-cache-size: $(($rt_mem*128))k"
  605. echo " neg-cache-size: $(($rt_mem*64))k"
  606. echo " infra-cache-numhosts: $(($rt_mem*256))"
  607. echo
  608. } >> $UNBOUND_CONFFILE
  609. elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
  610. logger -t unbound -s "default memory resource consumption"
  611. fi
  612. # Assembly of module-config: options is tricky; order matters
  613. modulestring="iterator"
  614. if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
  615. if [ ! -f "$UNBOUND_TIMEFILE" -a "$UNBOUND_B_NTP_BOOT" -gt 0 ] ; then
  616. # DNSSEC chicken and egg with getting NTP time
  617. echo " val-override-date: -1" >> $UNBOUND_CONFFILE
  618. fi
  619. {
  620. echo " harden-dnssec-stripped: yes"
  621. echo " val-clean-additional: yes"
  622. echo " ignore-cd-flag: yes"
  623. } >> $UNBOUND_CONFFILE
  624. modulestring="validator $modulestring"
  625. fi
  626. if [ "$UNBOUND_B_DNS64" -gt 0 ] ; then
  627. echo " dns64-prefix: $UNBOUND_IP_DNS64" >> $UNBOUND_CONFFILE
  628. modulestring="dns64 $modulestring"
  629. fi
  630. {
  631. # Print final module string
  632. echo " module-config: \"$modulestring\""
  633. echo
  634. } >> $UNBOUND_CONFFILE
  635. if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
  636. {
  637. # Some query privacy but "strict" will break some name servers
  638. echo " qname-minimisation: yes"
  639. echo " qname-minimisation-strict: yes"
  640. } >> $UNBOUND_CONFFILE
  641. elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
  642. # Minor improvement on query privacy
  643. echo " qname-minimisation: yes" >> $UNBOUND_CONFFILE
  644. else
  645. echo " qname-minimisation: no" >> $UNBOUND_CONFFILE
  646. fi
  647. case "$UNBOUND_D_RECURSION" in
  648. passive)
  649. {
  650. echo " prefetch: no"
  651. echo " prefetch-key: no"
  652. echo " target-fetch-policy: \"0 0 0 0 0\""
  653. echo
  654. } >> $UNBOUND_CONFFILE
  655. ;;
  656. aggressive)
  657. {
  658. echo " prefetch: yes"
  659. echo " prefetch-key: yes"
  660. echo " target-fetch-policy: \"3 2 1 0 0\""
  661. echo
  662. } >> $UNBOUND_CONFFILE
  663. ;;
  664. *)
  665. if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
  666. logger -t unbound -s "default recursion configuration"
  667. fi
  668. ;;
  669. esac
  670. {
  671. # Reload records more than 10 hours old
  672. # DNSSEC 5 minute bogus cool down before retry
  673. # Adaptive infrastructure info kept for 15 minutes
  674. echo " cache-min-ttl: $UNBOUND_TTL_MIN"
  675. echo " cache-max-ttl: 36000"
  676. echo " val-bogus-ttl: 300"
  677. echo " infra-host-ttl: 900"
  678. echo
  679. } >> $UNBOUND_CONFFILE
  680. if [ "$UNBOUND_B_HIDE_BIND" -gt 0 ] ; then
  681. {
  682. # Block server id and version DNS TXT records
  683. echo " hide-identity: yes"
  684. echo " hide-version: yes"
  685. echo
  686. } >> $UNBOUND_CONFFILE
  687. fi
  688. if [ "$UNBOUND_D_PRIV_BLCK" -gt 0 ] ; then
  689. {
  690. # Remove _upstream_ or global reponses with private addresses.
  691. # Unbounds own "local zone" and "forward zone" may still use these.
  692. # RFC1918, RFC3927, RFC4291, RFC6598, RFC6890
  693. echo " private-address: 10.0.0.0/8"
  694. echo " private-address: 100.64.0.0/10"
  695. echo " private-address: 169.254.0.0/16"
  696. echo " private-address: 172.16.0.0/12"
  697. echo " private-address: 192.168.0.0/16"
  698. echo " private-address: fc00::/7"
  699. echo " private-address: fe80::/10"
  700. echo
  701. } >> $UNBOUND_CONFFILE
  702. fi
  703. if [ -n "$UNBOUND_LIST_PRV_SUBNET" -a "$UNBOUND_D_PRIV_BLCK" -gt 1 ] ; then
  704. for ifsubnet in $UNBOUND_LIST_PRV_SUBNET ; do
  705. # Remove global DNS responses with your local network IP6 GLA
  706. echo " private-address: $ifsubnet" >> $UNBOUND_CONFFILE
  707. done
  708. echo >> $UNBOUND_CONFFILE
  709. fi
  710. if [ "$UNBOUND_B_LOCL_BLCK" -gt 0 ] ; then
  711. {
  712. # Remove DNS reponses from upstream with loopback IP
  713. # Black hole DNS method for ad blocking, so consider...
  714. echo " private-address: 127.0.0.0/8"
  715. echo " private-address: ::1/128"
  716. echo
  717. } >> $UNBOUND_CONFFILE
  718. fi
  719. if [ -n "$UNBOUND_LIST_INSECURE" ] ; then
  720. for domain in $UNBOUND_LIST_INSECURE ; do
  721. # Except and accept domains without (DNSSEC); work around broken domains
  722. echo " domain-insecure: \"$domain\"" >> $UNBOUND_CONFFILE
  723. done
  724. echo >> $UNBOUND_CONFFILE
  725. fi
  726. }
  727. ##############################################################################
  728. unbound_access() {
  729. # TODO: Unbound 1.6.0 added "tags" and "views", so we can add tags to
  730. # each access-control IP block, and then divert access.
  731. # -- "guest" WIFI will not be allowed to see local zone data
  732. # -- "child" LAN can black whole a list of domains to http~deadpixel
  733. if [ "$UNBOUND_B_LOCL_SERV" -gt 0 ] ; then
  734. # Only respond to queries from which this device has an interface.
  735. # Prevent DNS amplification attacks by not responding to the universe.
  736. config_load network
  737. config_foreach create_access_control interface
  738. {
  739. echo " access-control: 127.0.0.0/8 allow"
  740. echo " access-control: ::1/128 allow"
  741. echo " access-control: fe80::/10 allow"
  742. echo
  743. } >> $UNBOUND_CONFFILE
  744. else
  745. {
  746. echo " access-control: 0.0.0.0/0 allow"
  747. echo " access-control: ::0/0 allow"
  748. echo
  749. } >> $UNBOUND_CONFFILE
  750. fi
  751. {
  752. # Amend your own "server:" stuff here
  753. echo " include: $UNBOUND_SRV_CONF"
  754. echo
  755. } >> $UNBOUND_CONFFILE
  756. }
  757. ##############################################################################
  758. unbound_adblock() {
  759. # TODO: Unbound 1.6.0 added "tags" and "views"; lets work with adblock team
  760. local adb_enabled adb_file
  761. if [ ! -x /usr/bin/adblock.sh -o ! -x /etc/init.d/adblock ] ; then
  762. adb_enabled=0
  763. else
  764. /etc/init.d/adblock enabled && adb_enabled=1 || adb_enabled=0
  765. fi
  766. if [ "$adb_enabled" -gt 0 ] ; then
  767. {
  768. # Pull in your selected openwrt/pacakges/net/adblock generated lists
  769. for adb_file in $UNBOUND_VARDIR/adb_list.* ; do
  770. echo " include: $adb_file"
  771. done
  772. echo
  773. } >> $UNBOUND_CONFFILE
  774. fi
  775. }
  776. ##############################################################################
  777. unbound_hostname() {
  778. if [ -n "$UNBOUND_TXT_DOMAIN" ] ; then
  779. {
  780. # TODO: Unbound 1.6.0 added "tags" and "views" and we could make
  781. # domains by interface to prevent DNS from "guest" to "home"
  782. echo " local-zone: $UNBOUND_TXT_DOMAIN. $UNBOUND_D_DOMAIN_TYPE"
  783. echo " domain-insecure: $UNBOUND_TXT_DOMAIN"
  784. echo " private-domain: $UNBOUND_TXT_DOMAIN"
  785. echo
  786. echo " local-zone: $UNBOUND_TXT_HOSTNAME. $UNBOUND_D_DOMAIN_TYPE"
  787. echo " domain-insecure: $UNBOUND_TXT_HOSTNAME"
  788. echo " private-domain: $UNBOUND_TXT_HOSTNAME"
  789. echo
  790. } >> $UNBOUND_CONFFILE
  791. case "$UNBOUND_D_DOMAIN_TYPE" in
  792. deny|inform_deny|refuse|static)
  793. {
  794. # avoid upstream involvement in RFC6762 like responses (link only)
  795. echo " local-zone: local. $UNBOUND_D_DOMAIN_TYPE"
  796. echo " domain-insecure: local"
  797. echo " private-domain: local"
  798. echo
  799. } >> $UNBOUND_CONFFILE
  800. ;;
  801. esac
  802. if [ "$UNBOUND_D_LAN_FQDN" -gt 0 -o "$UNBOUND_D_WAN_FQDN" -gt 0 ] ; then
  803. config_load dhcp
  804. config_foreach create_interface_dns dhcp
  805. fi
  806. if [ -f "$UNBOUND_DHCP_CONF" ] ; then
  807. {
  808. # Seed DHCP records because dhcp scripts trigger externally
  809. # Incremental Unbound restarts may drop unbound-control add records
  810. echo " include: $UNBOUND_DHCP_CONF"
  811. echo
  812. } >> $UNBOUND_CONFFILE
  813. fi
  814. fi
  815. }
  816. ##############################################################################
  817. unbound_records() {
  818. if [ "$UNBOUND_D_EXTRA_DNS" -gt 0 ] ; then
  819. # Parasite from the uci.dhcp.domain clauses
  820. config_load dhcp
  821. config_foreach create_host_record domain
  822. fi
  823. if [ "$UNBOUND_D_EXTRA_DNS" -gt 1 ] ; then
  824. config_foreach create_srv_record srvhost
  825. config_foreach create_mx_record mxhost
  826. fi
  827. if [ "$UNBOUND_D_EXTRA_DNS" -gt 2 ] ; then
  828. config_foreach create_cname_record cname
  829. fi
  830. echo >> $UNBOUND_CONFFILE
  831. }
  832. ##############################################################################
  833. unbound_uci() {
  834. local cfg="$1"
  835. local dnsmasqpath hostnm
  836. hostnm=$( uci_get system.@system[0].hostname | awk '{print tolower($0)}' )
  837. UNBOUND_TXT_HOSTNAME=${hostnm:-thisrouter}
  838. config_get_bool UNBOUND_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0
  839. config_get_bool UNBOUND_B_DNS64 "$cfg" dns64 0
  840. config_get_bool UNBOUND_B_EXT_STATS "$cfg" extended_stats 0
  841. config_get_bool UNBOUND_B_HIDE_BIND "$cfg" hide_binddata 1
  842. config_get_bool UNBOUND_B_LOCL_SERV "$cfg" localservice 1
  843. config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0
  844. config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0
  845. config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0
  846. config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
  847. config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
  848. config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
  849. config_get UNBOUND_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96"
  850. config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280
  851. config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53
  852. config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9
  853. config_get UNBOUND_D_CONTROL "$cfg" unbound_control 0
  854. config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static
  855. config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none
  856. config_get UNBOUND_D_EXTRA_DNS "$cfg" add_extra_dns 0
  857. config_get UNBOUND_D_LAN_FQDN "$cfg" add_local_fqdn 0
  858. config_get UNBOUND_D_PRIV_BLCK "$cfg" rebind_protection 1
  859. config_get UNBOUND_D_PROTOCOL "$cfg" protocol mixed
  860. config_get UNBOUND_D_RECURSION "$cfg" recursion passive
  861. config_get UNBOUND_D_RESOURCE "$cfg" resource small
  862. config_get UNBOUND_D_WAN_FQDN "$cfg" add_wan_fqdn 0
  863. config_get UNBOUND_TTL_MIN "$cfg" ttl_min 120
  864. config_get UNBOUND_TXT_DOMAIN "$cfg" domain lan
  865. config_list_foreach "$cfg" "domain_forward" bundle_domain_forward
  866. config_list_foreach "$cfg" "domain_insecure" bundle_domain_insecure
  867. config_list_foreach "$cfg" "rebind_interface" bundle_private_interface
  868. UNBOUND_LIST_DOMAINS="nowhere $UNBOUND_TXT_DOMAIN"
  869. if [ "$UNBOUND_D_DHCP_LINK" = "none" ] ; then
  870. config_get_bool UNBOUND_B_DNSMASQ "$cfg" dnsmasq_link_dns 0
  871. if [ "$UNBOUND_B_DNSMASQ" -gt 0 ] ; then
  872. UNBOUND_D_DHCP_LINK=dnsmasq
  873. if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
  874. logger -t unbound -s "Please use 'dhcp_link' selector instead"
  875. fi
  876. fi
  877. fi
  878. if [ "$UNBOUND_D_DHCP_LINK" = "dnsmasq" ] ; then
  879. if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then
  880. UNBOUND_D_DHCP_LINK=none
  881. else
  882. /etc/init.d/dnsmasq enabled || UNBOUND_D_DHCP_LINK=none
  883. fi
  884. if [ "$UNBOUND_D_DHCP_LINK" = "none" -a ! -f "$UNBOUND_TIMEFILE" ] ; then
  885. logger -t unbound -s "cannot forward to dnsmasq"
  886. fi
  887. fi
  888. if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" ] ; then
  889. if [ ! -x /usr/sbin/odhcpd -o ! -x /etc/init.d/odhcpd ] ; then
  890. UNBOUND_D_DHCP_LINK=none
  891. else
  892. /etc/init.d/odhcpd enabled || UNBOUND_D_DHCP_LINK=none
  893. fi
  894. if [ "$UNBOUND_D_DHCP_LINK" = "none" -a ! -f "$UNBOUND_TIMEFILE" ] ; then
  895. logger -t unbound -s "cannot receive records from odhcpd"
  896. fi
  897. fi
  898. if [ "$UNBOUND_N_EDNS_SIZE" -lt 512 \
  899. -o 4096 -lt "$UNBOUND_N_EDNS_SIZE" ] ; then
  900. logger -t unbound -s "edns_size exceeds range, using default"
  901. UNBOUND_N_EDNS_SIZE=1280
  902. fi
  903. if [ "$UNBOUND_N_RX_PORT" -ne 53 ] \
  904. && [ "$UNBOUND_N_RX_PORT" -lt 1024 -o 10240 -lt "$UNBOUND_N_RX_PORT" ] ; then
  905. logger -t unbound -s "privileged port or in 5 digits, using default"
  906. UNBOUND_N_RX_PORT=53
  907. fi
  908. if [ "$UNBOUND_TTL_MIN" -gt 1800 ] ; then
  909. logger -t unbound -s "ttl_min could have had awful side effects, using 300"
  910. UNBOUND_TTL_MIN=300
  911. fi
  912. }
  913. ##############################################################################
  914. _resolv_setup() {
  915. if [ "$UNBOUND_N_RX_PORT" != "53" ] ; then
  916. return
  917. fi
  918. if [ -x /etc/init.d/dnsmasq ] && /etc/init.d/dnsmasq enabled \
  919. && nslookup localhost 127.0.0.1#53 >/dev/null 2>&1 ; then
  920. # unbound is configured for port 53, but dnsmasq is enabled and a resolver
  921. # listens on localhost:53, lets assume dnsmasq manages the resolver file.
  922. # TODO:
  923. # really check if dnsmasq runs a local (main) resolver in stead of using
  924. # nslookup that times out when no resolver listens on localhost:53.
  925. return
  926. fi
  927. # unbound is designated to listen on 127.0.0.1#53,
  928. # set resolver file to local.
  929. rm -f /tmp/resolv.conf
  930. {
  931. echo "# /tmp/resolv.conf generated by Unbound UCI $( date )"
  932. echo "nameserver 127.0.0.1"
  933. echo "nameserver ::1"
  934. echo "search $UNBOUND_TXT_DOMAIN."
  935. } > /tmp/resolv.conf
  936. }
  937. ##############################################################################
  938. _resolv_teardown() {
  939. case $( cat /tmp/resolv.conf ) in
  940. *"generated by Unbound UCI"*)
  941. # our resolver file, reset to auto resolver file.
  942. rm -f /tmp/resolv.conf
  943. ln -s /tmp/resolv.conf.auto /tmp/resolv.conf
  944. ;;
  945. esac
  946. }
  947. ##############################################################################
  948. unbound_start() {
  949. config_load unbound
  950. config_foreach unbound_uci unbound
  951. unbound_mkdir
  952. if [ "$UNBOUND_B_MAN_CONF" -eq 0 ] ; then
  953. unbound_conf
  954. unbound_access
  955. unbound_adblock
  956. if [ "$UNBOUND_D_DHCP_LINK" = "dnsmasq" ] ; then
  957. dnsmasq_link
  958. else
  959. unbound_hostname
  960. unbound_records
  961. fi
  962. unbound_forward
  963. unbound_control
  964. fi
  965. _resolv_setup
  966. }
  967. ##############################################################################
  968. unbound_stop() {
  969. _resolv_teardown
  970. rootzone_update
  971. }
  972. ##############################################################################