From 416534f95d1f21bc208a4f06c7f6c1b3462aec85 Mon Sep 17 00:00:00 2001 From: Eric Luehrsen Date: Thu, 27 Oct 2016 22:01:00 -0400 Subject: [PATCH 1/4] Unbound: Add hotplug/ntp script to request restart -DNSSEC needs time, time needs ntp, or power off RTC -Many consumer routers are cost thrifted without RTC -Conf "val-override-date: -1" disables time inside DNSSEC -Need restart as option is not dynamically switchable -hotplug/ntp is used to set file /var/lib/unbound/unbound.time -UCI will add or remove option depending on flag-like-file Signed-off-by: Eric Luehrsen --- net/unbound/files/unbound.ntpd | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100755 net/unbound/files/unbound.ntpd diff --git a/net/unbound/files/unbound.ntpd b/net/unbound/files/unbound.ntpd new file mode 100755 index 000000000..9244284d8 --- /dev/null +++ b/net/unbound/files/unbound.ntpd @@ -0,0 +1,28 @@ +#!/bin/sh +############################################################################## +# +# Copyright (C) 2016 Eric Luehrsen +# +############################################################################## +# +# "Restart" Unbound on hotplug NTP ready: +# - Only do this the first time when no file exists +# - Some of Unbound conf options to not reload run time +# - Change the enable flag for DNSSEC date-time checking +# +############################################################################## + +# Common file location definitions +. /usr/lib/unbound/unbound.sh + +############################################################################## + +if [ "$ACTION" = stratum -a ! -f "$UNBOUND_TIMEFILE" ] \ + && /etc/init.d/dnsmasq enabled ; then + # + echo "ntpd: $( date )" > $UNBOUND_TIMEFILE + /etc/init.d/unbound restart +fi + +############################################################################## + From 2202548ff0276721017337f6d92ec07a177e5619 Mon Sep 17 00:00:00 2001 From: Eric Luehrsen Date: Thu, 27 Oct 2016 22:02:00 -0400 Subject: [PATCH 2/4] Unbound: Add UCI primer files -README.md to describe the UCI in detail -unbound.uci to get you started Signed-off-by: Eric Luehrsen --- net/unbound/files/README.md | 117 ++++++++++++++++++++++++++++++++++ net/unbound/files/unbound.uci | 20 ++++++ 2 files changed, 137 insertions(+) create mode 100644 net/unbound/files/README.md create mode 100644 net/unbound/files/unbound.uci diff --git a/net/unbound/files/README.md b/net/unbound/files/README.md new file mode 100644 index 000000000..a850a65f4 --- /dev/null +++ b/net/unbound/files/README.md @@ -0,0 +1,117 @@ +# Unbound Recursive DNS Server with UCI + +## Unbound Description +Unbound is a validating, recursive, and caching DNS resolver. The C implementation of Unbound is developed and maintained by [NLnet Labs](https://www.unbound.net/). It is based on ideas and algorithms taken from a java prototype developed by Verisign labs, Nominet, Kirei and ep.net. Unbound is designed as a set of modular components, so that also DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible. + +## Package Overview +Unbound may be useful on consumer grade embedded hardware. It is *intended* to be a recursive resolver only. [NLnet Labs NSD](https://www.nlnetlabs.nl/projects/nsd/) is *intended* for the authoritative task. This is different than [ISC Bind](https://www.isc.org/downloads/bind/) and its inclusive functions. Unbound configuration effort and memory consumption may be easier to control. A consumer could have their own recursive resolver, and remove potential issues from forwarding resolvers outside of their control. + +This package builds on Unbounds capabilities with OpenWrt UCI. Not every Unbound option is in UCI, but rather, UCI simplifies the combination of related options. Unbounds native options are bundled and balanced within a smaller set of choices. Options include resources, DNSSEC, access control, and some TTL tweaking. The UCI also provides an escape option and work at the raw "unbound.conf" level. + +## Work with dnsmasq +Some UCI options will help Unbound and dnsmasq work together in **parallel**. The default DHCP and DNS stub resolver in OpenWrt is dnsmasq, and it will continue to serve this purpose. The following actions will make Unbound the primary DNS server, and make dnsmasq only provide DNS to local DHCP. + +- Set `unbound` UCI `option dnsmasq_link_dns` to true. +- Set other `unbound` UCI options how you wish. +- Set `dnsmasq` UCI `option noresolv` to true. +- Set `dnsmasq` UCI `option resolvfile` to blank single-quotes. +- Set `dnsmasq` UCI `option port` to 1053 or 5353. +- Add to each `dhcp` UCI `list dhcp_option option:dns-server,0.0.0.0` + +Alternatives are mentioned here for completeness. DHCP event scripts which write host records are difficult to formulate for Unbound, NSD, or Bind. These programs sometimes need to be forcefully reloaded with host configuration, and reloads can bust cache. **Serial** configuration between dnsmasq and Unbound can be made on 127.0.0.1 with an off-port like #1053. This may double cache storage and incur unnecessary transfer delay. + +## UCI Options +**/etc/config/unbound**: + + config unbound + Currently only one instance is supported. + + option dnsmasq_gate_name '0' + Boolean. Forward PTR records for interfaces not serving DHCP. + Assume these are WAN. Example dnsmasq option here to provide + logs with a name when your ISP won't link DHCP-DNS. + "dnsmasq.conf: interface-name=way-out.myrouter.lan,eth0.1" + + option dnsmasq_link_dns '0' + Boolean. Master link to dnsmasq. Parse /etc/config/dhcp for dnsmasq + options. Forward domain such as "lan" and PTR records for DHCP + interfaces and their deligated subnets, IP4 and IP6. + + option dnsmasq_only_local '0' + TODO: not yet implemented + Boolean. Restrict link to dnsmasq. DNS only to local host. Obscure + names of other connected hosts on the network. Example: + "drill -x 198.51.100.17 ~ IN PTR way-out.myrouter.lan" + "drill -x 192.168.10.1 ~ IN PTR guest-wifi.myrouter.lan" + "drill -x 192.168.10.201 ~ NODATA" (insted of james-laptop.lan) + + option edns_size '1280' + Extended DNS is necessary for DNSSEC. However, it can run into MTU + issues. Use this size in bytes to manage drop outs. + + option listen_port '53' + Port. Incoming. Where Unbound will listen for queries. + + option localservice '1' + Boolean. Prevent DNS amplification attacks. Only provide access to + Unbound from subnets this machine has interfaces on. + + option manual_conf '0' + Boolean. Skip all this UCI nonsense. Manually edit the + configuration. Make changes to /etc/unbound/unbound.conf. + + option query_minimize '0' + Boolean. Enable a minor privacy option. Query only one name piece + at a time. Don't let each server know the next recursion. + + option rebind_localhost '0' + Boolean. Prevent loopback "127.0.0.0/8" or "::1/128" responses. + These may used by black hole servers for good purposes like + ad-blocking or parental access control. Obviously these responses + also can be used to for bad purposes. + + option rebind_protection '1' + Boolean. Prevent RFC 1918 Reponses from global DNS. Example a + poisoned reponse within "192.168.0.0/24" could be used to turn a + local browser into an external attack proxy server. + + option recursion 'passive' + Unbound has numerous options for how it recurses. This UCI combines + them into "passive," "aggressive," or Unbound's own "default." + Passive is easy on resources, but slower until cache fills. + + option resource 'small' + Unbound has numerous options for resources. This UCI gives "tiny," + "small," "medium," and "large." Medium is most like the compiled + defaults with a bit of balancing. Tiny is close to the published + memory restricted configuration. Small 1/2 medium, and large 2x. + + option root_age '30' + Days. >90 Disables. Age limit for Unbound root data like root + DNSSEC key. Unbound uses RFC 5011 to manage root key. This could + harm flash ROM. This activity is mapped to "tmpfs," but every so + often it needs to be copied back to flash for the next reboot. + + option ttl_min '120' + Seconds. Minimum TTL in cache. Recursion can be expensive without + cache. A low TTL is normal for server migration. A low TTL can be + abused for snoop-vertising (DNS hit counts; recording query IP). + Typical to configure maybe 0~300, but 1800 is the maximum accepted. + + option unbound_control '0' + Boolean. Enables unbound-control application access ports. Enabling + this without the unbound-control package installed is robust. + + option validator '0' + Boolean. Enable DNSSEC. Unbound names this the "validator" module. + + option validator_ntp '1' + Boolean. Disable DNSSEC time checks at boot. Once NTP confirms + global real time, then DNSSEC is restarted at full strength. Many + embedded devices don't have a real time power off clock. NTP needs + DNS to resolve servers. This works around the chicken-and-egg. + + list domain_insecure + List. Domains or pointers that you wish to skip DNSSEC. Your DHCP + domains and pointers in dnsmasq will get this automatically. + diff --git a/net/unbound/files/unbound.uci b/net/unbound/files/unbound.uci new file mode 100644 index 000000000..02854a838 --- /dev/null +++ b/net/unbound/files/unbound.uci @@ -0,0 +1,20 @@ +config unbound + option dnsmsaq_gate_name '0' + option dnsmasq_link_dns '0' + option dnsmasq_only_local '0' + option edns_size '1280' + option listen_port '53' + option localservice '1' + option manual_conf '0' + option query_minimize '0' + option rebind_localhost '0' + option rebind_protection '1' + option recursion 'passive' + option resource 'small' + option root_age '28' + option ttl_min '120' + option unbound_control '0' + option validator '0' + option validator_ntp '1' + #list domain_insecure '' + From e8efcadcd555894d2ea9d6dedd3bce2f7d7979bb Mon Sep 17 00:00:00 2001 From: Eric Luehrsen Date: Thu, 27 Oct 2016 22:03:00 -0400 Subject: [PATCH 3/4] Unbound: Add files to enable forward link to dnsmasq -dnsmasq really provides nice local DHCP-DNS records -Unbound host records would be clumsy to update -Unbound can be configured to forward to dnsmasq -iptools provided to facilitate PTR records -flexible ipv6 colon notation is a bit complex Signed-off-by: Eric Luehrsen --- net/unbound/files/dnsmasq.sh | 182 +++++++++++++++++++++++++++++++++++ net/unbound/files/iptools.sh | 140 +++++++++++++++++++++++++++ 2 files changed, 322 insertions(+) create mode 100644 net/unbound/files/dnsmasq.sh create mode 100644 net/unbound/files/iptools.sh diff --git a/net/unbound/files/dnsmasq.sh b/net/unbound/files/dnsmasq.sh new file mode 100644 index 000000000..f9eec7d8a --- /dev/null +++ b/net/unbound/files/dnsmasq.sh @@ -0,0 +1,182 @@ +#!/bin/sh +############################################################################## +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# Copyright (C) 2016 Eric Luehrsen +# +############################################################################## +# +# This crosses over to the dnsmasq UCI file "dhcp" and parses it for fields +# that will allow Unbound to request local host DNS of dnsmasq. We need to look +# at the interfaces in "dhcp" and get their subnets. The Unbound conf syntax +# makes this a little difficult. First in "server:" we need to create private +# zones for the domain and PTR records. Then we need to create numerous +# "forward:" clauses to forward those zones to dnsmasq. +# +############################################################################## + +create_local_zone() { + local cfg="$1" + local fwd_port fwd_domain + + config_get fwd_domain "$cfg" domain + config_get fwd_port "$cfg" port + + + if [ -n "$fwd_domain" -a -n "$fwd_port" -a ! "$fwd_port" -eq 53 ] ; then + # dnsmasq localhost listening ports (possible multiple instances) + UNBOUND_N_FWD_PORTS="$UNBOUND_N_FWD_PORTS $fwd_port" + UNBOUND_TXT_FWD_ZONE="$UNBOUND_TXT_FWD_ZONE $fwd_domain" + + { + # This creates DOMAIN local privledges + echo " private-domain: \"$fwd_domain\"" + echo " local-zone: \"$fwd_domain.\" transparent" + echo " domain-insecure: \"$fwd_domain\"" + echo + } >> $UNBOUND_CONFFILE + fi +} + +############################################################################## + +create_local_arpa() { + local cfg="$1" + local logint dhcpv4 dhcpv6 ignore + local subnets subnets4 subnets6 + local forward arpa + local validip4 validip6 privateip + + config_get logint "$cfg" interface + config_get dhcpv4 "$cfg" dhcpv4 + config_get dhcpv6 "$cfg" dhcpv6 + config_get_bool ignore "$cfg" ignore 0 + + # Find the list of addresses assigned to a logical interface + # Its typical to have a logical gateway split NAME and NAME6 + network_get_subnets subnets4 "$logint" + network_get_subnets6 subnets6 "$logint" + subnets="$subnets4 $subnets6" + + network_get_subnets subnets4 "${logint}6" + network_get_subnets6 subnets6 "${logint}6" + subnets="$subnets $subnets4 $subnets6" + + + if [ -z "$subnets" ] ; then + forward="" + + elif [ -z "$UNBOUND_N_FWD_PORTS" ] ; then + forward="" + + elif [ "$ignore" -gt 0 ] ; then + if [ "$UNBOUND_B_GATE_NAME" -gt 0 ] ; then + # Only forward the one gateway host. + forward="host" + + else + forward="" + fi + + else + # Forward the entire private subnet. + forward="domain" + fi + + + if [ -n "$forward" ] ; then + for subnet in $subnets ; do + validip4=$( valid_subnet4 $subnet ) + validip6=$( valid_subnet6 $subnet ) + privateip=$( private_subnet $subnet ) + + + if [ "$validip4" = "ok" -a "$dhcpv4" != "disable" ] ; then + if [ "$forward" = "domain" ] ; then + arpa=$( domain_ptr_ip4 "$subnet" ) + else + arpa=$( host_ptr_ip4 "$subnet" ) + fi + + elif [ "$validip6" = "ok" -a "$dhcpv6" != "disable" ] ; then + if [ "$forward" = "domain" ] ; then + arpa=$( domain_ptr_ip6 "$subnet" ) + else + arpa=$( host_ptr_ip6 "$subnet" ) + fi + + else + arpa="" + fi + + + if [ -n "$arpa" ] ; then + if [ "$privateip" = "ok" ] ; then + { + # This creates ARPA local zone privledges + echo " local-zone: \"$arpa.\" transparent" + echo " domain-insecure: \"$arpa\"" + echo + } >> $UNBOUND_CONFFILE + fi + + + UNBOUND_TXT_FWD_ZONE="$UNBOUND_TXT_FWD_ZONE $arpa" + fi + done + fi +} + +############################################################################## + +forward_local_zone() { + if [ -n "$UNBOUND_N_FWD_PORTS" -a -n "$UNBOUND_TXT_FWD_ZONE" ] ; then + for fwd_domain in $UNBOUND_TXT_FWD_ZONE ; do + { + # This is derived of create_local_zone/arpa + # but forward: clauses need to be seperate + echo "forward-zone:" + echo " name: \"$fwd_domain.\"" + + for port in $UNBOUND_N_FWD_PORTS ; do + echo " forward-addr: 127.0.0.1@$port" + done + + echo + } >> $UNBOUND_CONFFILE + done + fi +} + +############################################################################## + +dnsmasq_link() { + #################### + # UCI @ dhcp # + #################### + + + if [ "$UNBOUND_B_DNSMASQ" -gt 0 ] ; then + # Forward to dnsmasq on same host for DHCP lease hosts + echo " do-not-query-localhost: no" >> $UNBOUND_CONFFILE + # Look at dnsmasq settings + config_load dhcp + # Zone for DHCP / SLAAC-PING DOMAIN + config_foreach create_local_zone dnsmasq + # Zone for DHCP / SLAAC-PING ARPA + config_foreach create_local_arpa dhcp + # Now create ALL seperate forward: clauses + forward_local_zone + fi +} + +############################################################################## + diff --git a/net/unbound/files/iptools.sh b/net/unbound/files/iptools.sh new file mode 100644 index 000000000..1725242ec --- /dev/null +++ b/net/unbound/files/iptools.sh @@ -0,0 +1,140 @@ +#!/bin/sh +############################################################################## +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# Copyright (C) 2016 Eric Luehrsen +# +############################################################################## +# +# These are iptools that might be useful in a larger package, if provided +# elsewhere for common use. One example that many may find useful is turning +# flexible IPV6 colon dividers into PTR. Otherwise these are incomplete and +# would need robustness improvements for more generic applications. +# +############################################################################## + +domain_ptr_ip6() { + # Get the nibble rounded /CIDR ...ip6.arpa. + echo "$1" | awk -F: \ + 'BEGIN { OFS = "" ; } + { CIDR = $0 ; + sub(/.*\//,"",CIDR) ; + CIDR = (CIDR / 4) ; + sub(/\/[0-9]+/,"",$0) ; + ct_stop = 9 - NF ; + for(i=1; i<=NF; i++) { + if(length($i) == 0) { + for(j=1; j<=ct_stop; j++) { $i = ($i "0000") ; } } + else { $i = substr(("0000" $i), length($i)+5-4) ; } } ; + y = $0 ; + ct_start = length(y) - 32 + CIDR ; + for(i=ct_start; i>0; i--) { x = (x substr(y,i,1)) ; } ; + gsub(/./,"&\.",x) ; + x = (x "ip6.arpa") ; + print x }' +} + +############################################################################## + +host_ptr_ip6() { + # Get complete host ...ip6.arpa. + echo "$1" | awk -F: \ + 'BEGIN { OFS = "" ; } + { sub(/\/[0-9]+/,"",$0) ; + ct_stop = 9 - NF ; + for(i=1; i<=NF; i++) { + if(length($i) == 0) { + for(j=1; j<=ct_stop; j++) { $i = ($i "0000") ; } } + else { $i = substr(("0000" $i), length($i)+5-4) ; } } ; + y = $0 ; + ct_start = length(y); + for(i=ct_start; i>0; i--) { x = (x substr(y,i,1)) ; } ; + sub(/[0-9]+\//,"",x) ; + gsub(/./,"&\.",x) ; + x = (x "ip6.arpa") ; + print x }' +} + +############################################################################## + +domain_ptr_ip4() { + # Get the byte rounded /CIDR ...in-addr.arpa. + echo "$1" | awk \ + '{ CIDR = $0 ; + sub(/.*\//,"",CIDR) ; + CIDR = (CIDR / 8) ; + dtxt = $0 ; + sub(/\/.*/,"",dtxt) ; + split(dtxt, dtxt, ".") ; + for(i=1; i<=CIDR; i++) { x = (dtxt[i] "." x) ; } + x = (x "in-addr.arpa") ; + print x }' +} + +############################################################################## + +host_ptr_ip4() { + # Get omplete host ...in-addr.arpa. + echo "$1" | awk -F. \ + '{ x = ( $4"."$3"."$2"."$1".in-addr.arpa" ) ; + sub(/\/[0-9]+/,"",x) ; + print x }' +} + +############################################################################## + +valid_subnet6() { + case "$1" in + # GA + [1-9][0-9a-f][0-9a-f][0-9a-f]":"*) echo "ok" ;; + # ULA + f[cd][0-9a-f][0-9a-f]":"*) echo "ok" ;; + # fe80::, ::1, and such + *) echo "not" ;; + esac +} + +############################################################################## + +valid_subnet4() { + case "$1" in + # Link, Local, and Such + 169"."254"."*) echo "not" ;; + 127"."*) echo "not" ;; + 0"."*) echo "not" ;; + 255"."*) echo "not" ;; + # Other Normal + 25[0-4]"."[0-9]*) echo "ok" ;; + 2[0-4][0-9]"."[0-9]*) echo "ok" ;; + 1[0-9][0-9]"."[0-9]*) echo "ok" ;; + [0-9][0-9]"."[0-9]*) echo "ok" ;; + [0-9]"."[0-9]*) echo "ok" ;; + # Not Right + *) echo "not";; + esac +} + +############################################################################## + +private_subnet() { + case "$1" in + 10"."*) echo "ok" ;; + 172"."1[6-9]"."*) echo "ok" ;; + 172"."2[0-9]"."*) echo "ok" ;; + 172"."3[0-1]"."*) echo "ok" ;; + 192"."168"."*) echo "ok" ;; + f[cd][0-9a-f][0-9a-f]":"*) echo "ok" ;; + *) echo "not" ;; + esac +} + +############################################################################## + From c9e5929ff9db0554f4f4b0a043211ffe82e6f5b2 Mon Sep 17 00:00:00 2001 From: Eric Luehrsen Date: Thu, 27 Oct 2016 22:04:00 -0400 Subject: [PATCH 4/4] Unbound: Update scripts to build conf file from UCI -unbound.sh implements the majority of requirements in README.md -rootzone.sh reloads a small subset for alternate trigger maintenance -unbound.init sets procd triggers on Unbound and dnsmasq (dhcp) UCI -two part commit squashed with Makefile included Signed-off-by: Eric Luehrsen --- net/unbound/Makefile | 11 +- net/unbound/files/rootzone.sh | 59 +++-- net/unbound/files/unbound.init | 8 + net/unbound/files/unbound.sh | 468 +++++++++++++++++++++++++++++++-- 4 files changed, 493 insertions(+), 53 deletions(-) diff --git a/net/unbound/Makefile b/net/unbound/Makefile index 62367f758..eb82db766 100644 --- a/net/unbound/Makefile +++ b/net/unbound/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=unbound PKG_VERSION:=1.5.10 -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=LICENSE @@ -120,6 +120,7 @@ CONFIGURE_ARGS += \ --with-user=unbound define Package/unbound/conffiles +/etc/config/unbound /etc/unbound/unbound.conf endef @@ -141,13 +142,19 @@ define Package/unbound/install $(PKG_INSTALL_DIR)/etc/unbound/unbound.conf \ $(1)/etc/unbound/unbound.conf $(INSTALL_DATA) ./files/root.key $(1)/etc/unbound/root.key + $(INSTALL_DIR) $(1)/etc/config + $(INSTALL_DATA) ./files/unbound.uci $(1)/etc/config/unbound $(INSTALL_DIR) $(1)/etc/hotplug.d/iface $(INSTALL_BIN) ./files/unbound.iface $(1)/etc/hotplug.d/iface/25-unbound + $(INSTALL_DIR) $(1)/etc/hotplug.d/ntp + $(INSTALL_BIN) ./files/unbound.ntpd $(1)/etc/hotplug.d/ntp/25-unbound $(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_BIN) ./files/unbound.init $(1)/etc/init.d/unbound $(INSTALL_DIR) $(1)/usr/lib/unbound - $(INSTALL_DATA) ./files/unbound.sh $(1)/usr/lib/unbound/unbound.sh + $(INSTALL_DATA) ./files/dnsmasq.sh $(1)/usr/lib/unbound/dnsmasq.sh + $(INSTALL_DATA) ./files/iptools.sh $(1)/usr/lib/unbound/iptools.sh $(INSTALL_DATA) ./files/rootzone.sh $(1)/usr/lib/unbound/rootzone.sh + $(INSTALL_DATA) ./files/unbound.sh $(1)/usr/lib/unbound/unbound.sh endef define Package/unbound-anchor/install diff --git a/net/unbound/files/rootzone.sh b/net/unbound/files/rootzone.sh index fe71f3ef2..143c0560f 100644 --- a/net/unbound/files/rootzone.sh +++ b/net/unbound/files/rootzone.sh @@ -7,9 +7,9 @@ # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. -# +# # Copyright (C) 2016 Eric Luehrsen # ############################################################################## @@ -21,15 +21,20 @@ ############################################################################## rootzone_uci() { - # TODO: Just structure to real UCI coming soon. - echo + local cfg=$1 + + # This will likely be called outside of "start_service()" context + config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0 + config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1 + config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 30 } ############################################################################## roothints_update() { - # TODO: Maybe this will not be implemented. - echo + # TODO: Might not be implemented. Unbound doesn't natively update hints. + # Unbound philosophy is built in root hints are good for machine life. + return 0 } ############################################################################## @@ -37,34 +42,38 @@ roothints_update() { rootkey_update() { local basekey_date rootkey_date rootkey_age filestuff - # TODO: Just structure to real UCI coming soon. + if [ "$UNBOUND_N_ROOT_AGE" -gt 90 -o "$UNBOUND_B_DNSSEC" -lt 1 ] ; then # Feature disabled return 0 + + elif [ "$UNBOUND_B_NTP_BOOT" -gt 0 -a ! -f "$UNBOUND_TIMEFILE" ] ; then + # We don't have time yet + return 0 fi - - + + if [ -f /etc/unbound/root.key ] ; then basekey_date=$( date -r /etc/unbound/root.key +%s ) - + else # No persistent storage key basekey_date=$( date -d 2000-01-01 +%s ) fi - - + + if [ -f "$UNBOUND_KEYFILE" ] ; then # Unbound maintains it itself rootkey_date=$( date -r $UNBOUND_KEYFILE +%s ) rootkey_age=$(( (rootkey_date - basekey_date) / 86440 )) - + elif [ -x "$UNBOUND_ANCHOR" ] ; then # No tmpfs key - use unbound-anchor rootkey_date=$( date -I +%s ) - rootkey_age=$(( (rootkey_date - basekey_date) / 86440 )) + rootkey_age=$(( (rootkey_date - basekey_date) / 86440 )) $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE - - else + + else # give up rootkey_age=0 fi @@ -72,23 +81,23 @@ rootkey_update() { if [ "$rootkey_age" -gt "$UNBOUND_N_ROOT_AGE" ] ; then filestuff=$( cat $UNBOUND_KEYFILE ) - - + + case "$filestuff" in *NOERROR*) # Header comment for drill and dig logger -t unbound -s "root.key updated after $rootkey_age days" cp -p $UNBOUND_KEYFILE /etc/unbound/root.key ;; - + *"state=2 [ VALID ]"*) # Comment inline to key for unbound-anchor logger -t unbound -s "root.key updated after $rootkey_age days" cp -p $UNBOUND_KEYFILE /etc/unbound/root.key ;; - - *) - logger -t unbound -s "root.key still $rootkey_age days old" + + *) + logger -t unbound -s "root.key still $rootkey_age days old" ;; esac fi @@ -97,7 +106,11 @@ rootkey_update() { ############################################################################## rootzone_update() { - rootzone_uci + # Partial UCI fetch for this functional group + config_load unbound + config_foreach rootzone_uci unbound + + # You need root.hints and root.key to boot strap recursion roothints_update rootkey_update } diff --git a/net/unbound/files/unbound.init b/net/unbound/files/unbound.init index 119289449..0f5049d0c 100755 --- a/net/unbound/files/unbound.init +++ b/net/unbound/files/unbound.init @@ -36,3 +36,11 @@ stop_service() { ############################################################################## +service_triggers() { + procd_add_reload_trigger "dhcp" + procd_add_reload_trigger "network" + procd_add_reload_trigger "unbound" +} + +############################################################################## + diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh index 245bd18b2..831210298 100644 --- a/net/unbound/files/unbound.sh +++ b/net/unbound/files/unbound.sh @@ -7,22 +7,41 @@ # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. -# +# # Copyright (C) 2016 Eric Luehrsen # ############################################################################## # -# TODO: This file will build the UCI for Unbound. This iteration only puts -# our default unbound configuration and root.key into /var/lib/unbound. +# This builds the basic UCI components currently supported for Unbound. It is +# intentionally NOT comprehensive and bundles a lot of options. The UCI is to +# be a simpler presentation of the total Unbound conf set. # ############################################################################## -# TODO: Just default definitions versus real UCI coming soon. -UNBOUND_B_MAN_CONF=1 -UNBOUND_B_DNSSEC=1 -UNBOUND_N_ROOT_AGE=7 +UNBOUND_B_CONTROL=0 +UNBOUND_B_DNSMASQ=0 +UNBOUND_B_DNSSEC=0 +UNBOUND_B_GATE_NAME=0 +UNBOUND_B_LOCL_BLCK=0 +UNBOUND_B_LOCL_NAME=0 +UNBOUND_B_LOCL_SERV=1 +UNBOUND_B_MAN_CONF=0 +UNBOUND_B_NTP_BOOT=1 +UNBOUND_B_PRIV_BLCK=1 +UNBOUND_B_QUERY_MIN=0 + +UNBOUND_D_RESOURCE=small +UNBOUND_D_RECURSION=passive + +UNBOUND_TXT_FWD_ZONE="" +UNBOUND_TTL_MIN=120 + +UNBOUND_N_EDNS_SIZE=1280 +UNBOUND_N_FWD_PORTS="" +UNBOUND_N_RX_PORT=53 +UNBOUND_N_ROOT_AGE=28 ############################################################################## @@ -37,6 +56,7 @@ UNBOUND_VARDIR=/var/lib/unbound UNBOUND_CONFFILE=$UNBOUND_VARDIR/unbound.conf UNBOUND_KEYFILE=$UNBOUND_VARDIR/root.key UNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hints +UNBOUND_TIMEFILE=$UNBOUND_VARDIR/unbound.time UNBOUND_CHECKFILE=$UNBOUND_VARDIR/unbound.check ############################################################################## @@ -44,38 +64,72 @@ UNBOUND_CHECKFILE=$UNBOUND_VARDIR/unbound.check . /lib/functions.sh . /lib/functions/network.sh +. $UNBOUND_LIBDIR/dnsmasq.sh +. $UNBOUND_LIBDIR/iptools.sh . $UNBOUND_LIBDIR/rootzone.sh ############################################################################## +create_access_control() { + local cfg="$1" + local subnets subnets4 subnets6 + local validip4 validip6 + + network_get_subnets subnets4 "$cfg" + network_get_subnets6 subnets6 "$cfg" + subnets="$subnets4 $subnets6" + + + if [ -n "$subnets" ] ; then + for subnet in $subnets ; do + validip4=$( valid_subnet4 $subnet ) + validip6=$( valid_subnet6 $subnet ) + + + if [ "$validip4" = "ok" -o "$validip6" = "ok" ] ; then + # For each "network" UCI add "access-control:" white list for queries + echo " access-control: $subnet allow" >> $UNBOUND_CONFFILE + fi + done + fi +} + +############################################################################## + +create_domain_insecure() { + echo " domain-insecure: \"$1\"" >> $UNBOUND_CONFFILE +} + +############################################################################## + unbound_mkdir() { mkdir -p $UNBOUND_VARDIR - - + + if [ -f /etc/unbound/root.hints ] ; then # Your own local copy of root.hints cp -p /etc/unbound/root.hints $UNBOUND_HINTFILE - + elif [ -f /usr/share/dns/root.hints ] ; then # Debian-like package dns-root-data cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE - + else logger -t unbound -s "iterator will use built-in root hints" fi - - + + if [ -f /etc/unbound/root.key ] ; then # Your own local copy of a root.key cp -p /etc/unbound/root.key $UNBOUND_KEYFILE - + elif [ -f /usr/share/dns/root.key ] ; then # Debian-like package dns-root-data cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE - - elif [ -x "$UNBOUND_ANCHOR" ] ; then + + elif [ -x "$UNBOUND_ANCHOR" ] ; then $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE - + else logger -t unbound -s "validator will use built-in trust anchor" fi @@ -84,30 +138,379 @@ unbound_mkdir() { ############################################################################## unbound_conf() { - # TODO: Just structure to real UCI coming soon. - if [ "$UNBOUND_B_MAN_CONF" -gt 0 -a -f /etc/unbound/unbound.conf ] ; then - # You don't want UCI and use your own manual configuration - cp -p /etc/unbound/unbound.conf $UNBOUND_CONFFILE + local cfg=$1 + local rt_mem rt_conn + + { + # Make fresh conf file + echo "# $UNBOUND_CONFFILE generated by UCI $( date )" + echo + } > $UNBOUND_CONFFILE + + + if [ "$UNBOUND_B_CONTROL" -gt 0 ] ; then + { + # Enable remote control tool, but only at local host for security + echo "remote-control:" + echo " control-enable: yes" + echo " control-use-cert: no" + echo " control-interface: 127.0.0.1" + echo " control-interface: ::1" + echo + } >> $UNBOUND_CONFFILE + + else + { + # "control:" clause is seperate before "server:" so we can append + # dnsmasq "server:" parts and "forward:" cluases towards the end. + echo "remote-control:" + echo " control-enable: no" + echo + } >> $UNBOUND_CONFFILE + fi + + + { + # No threading + echo "server:" + echo " username: unbound" + echo " num-threads: 1" + echo " msg-cache-slabs: 1" + echo " rrset-cache-slabs: 1" + echo " infra-cache-slabs: 1" + echo " key-cache-slabs: 1" + echo + } >> $UNBOUND_CONFFILE + + + { + # Logging + echo " verbosity: 1" + echo " statistics-interval: 0" + echo " statistics-cumulative: no" + echo " extended-statistics: no" + echo + } >> $UNBOUND_CONFFILE + + + { + # Interfaces (access contol "option local_service") + echo " interface: 0.0.0.0" + echo " interface: ::0" + echo " outgoing-interface: 0.0.0.0" + echo " outgoing-interface: ::0" + echo + } >> $UNBOUND_CONFFILE + + + { + # protocol level tuning + echo " edns-buffer-size: $UNBOUND_N_EDNS_SIZE" + echo " msg-buffer-size: 8192" + echo " port: $UNBOUND_N_RX_PORT" + echo " outgoing-port-permit: 10240-65535" + echo + } >> $UNBOUND_CONFFILE + + + { + # Other harding and options for an embedded router + echo " harden-short-bufsize: yes" + echo " harden-large-queries: yes" + echo " harden-glue: yes" + echo " harden-below-nxdomain: no" + echo " harden-referral-path: no" + echo " use-caps-for-id: no" + echo + } >> $UNBOUND_CONFFILE + + + { + # Default Files + echo " use-syslog: yes" + echo " chroot: \"$UNBOUND_VARDIR\"" + echo " directory: \"$UNBOUND_VARDIR\"" + echo " pidfile: \"$UNBOUND_PIDFILE\"" + } >> $UNBOUND_CONFFILE + + + if [ -f "$UNBOUND_HINTFILE" ] ; then + # Optional hints if found + echo " root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE + fi + + + if [ "$UNBOUND_B_DNSSEC" -gt 0 -a -f "$UNBOUND_KEYFILE" ] ; then + { + echo " auto-trust-anchor-file: \"$UNBOUND_KEYFILE\"" + echo + } >> $UNBOUND_CONFFILE + + else + echo >> $UNBOUND_CONFFILE + fi + + + case "$UNBOUND_D_RESOURCE" in + # Tiny - Unbound's recommended cheap hardware config + tiny) rt_mem=1 ; rt_conn=1 ;; + # Small - Half RRCACHE and open ports + small) rt_mem=8 ; rt_conn=5 ;; + # Medium - Nearly default but with some added balancintg + medium) rt_mem=16 ; rt_conn=10 ;; + # Large - Double medium + large) rt_mem=32 ; rt_conn=10 ;; + # Whatever unbound does + *) rt_mem=0 ; rt_conn=0 ;; + esac + + + if [ "$rt_mem" -gt 0 ] ; then + { + # Set memory sizing parameters + echo " outgoing-range: $(($rt_conn*64))" + echo " num-queries-per-thread: $(($rt_conn*32))" + echo " outgoing-num-tcp: $(($rt_conn))" + echo " incoming-num-tcp: $(($rt_conn))" + echo " rrset-cache-size: $(($rt_mem*256))k" + echo " msg-cache-size: $(($rt_mem*128))k" + echo " key-cache-size: $(($rt_mem*128))k" + echo " neg-cache-size: $(($rt_mem*64))k" + echo " infra-cache-numhosts: $(($rt_mem*256))" + echo + } >> $UNBOUND_CONFFILE + + else + logger -t unbound -s "default memory resource consumption" + fi + + + if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then + if [ ! -f "$UNBOUND_TIMEFILE" -a "$UNBOUND_B_NTP_BOOT" -gt 0 ] ; then + # DNSSEC chicken and egg with getting NTP time + echo " val-override-date: -1" >> $UNBOUND_CONFFILE + fi + + + { + # Validation of DNSSEC + echo " module-config: \"validator iterator\"" + echo " harden-dnssec-stripped: yes" + echo " val-clean-additional: yes" + echo " ignore-cd-flag: yes" + echo + } >> $UNBOUND_CONFFILE + + else + { + # Just iteration without DNSSEC + echo " module-config: \"iterator\"" + echo + } >> $UNBOUND_CONFFILE + fi + + + if [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then + # Minor improvement on query privacy + echo " qname-minimisation: yes" >> $UNBOUND_CONFFILE + + else + echo " qname-minimisation: no" >> $UNBOUND_CONFFILE + fi + + + case "$UNBOUND_D_RECURSION" in + passive) + { + echo " prefetch: no" + echo " prefetch-key: no" + echo " target-fetch-policy: \"0 0 0 0 0\"" + echo + } >> $UNBOUND_CONFFILE + ;; + + aggressive) + { + echo " prefetch: yes" + echo " prefetch-key: yes" + echo " target-fetch-policy: \"3 2 1 0 0\"" + echo + } >> $UNBOUND_CONFFILE + ;; + + *) + logger -t unbound -s "default recursion configuration" + ;; + esac + + + { + # Reload records more than 10 hours old + # DNSSEC 5 minute bogus cool down before retry + # Adaptive infrastructure info kept for 15 minutes + echo " cache-min-ttl: $UNBOUND_TTL_MIN" + echo " cache-max-ttl: 36000" + echo " val-bogus-ttl: 300" + echo " infra-host-ttl: 900" + echo + } >> $UNBOUND_CONFFILE + + + if [ "$UNBOUND_B_PRIV_BLCK" -gt 0 ] ; then + { + # Remove DNS reponses from upstream with private IP + echo " private-address: 10.0.0.0/8" + echo " private-address: 169.254.0.0/16" + echo " private-address: 172.16.0.0/12" + echo " private-address: 192.168.0.0/16" + echo " private-address: fc00::/8" + echo " private-address: fd00::/8" + echo " private-address: fe80::/10" + } >> $UNBOUND_CONFFILE + fi + + + if [ "$UNBOUND_B_LOCL_BLCK" -gt 0 ] ; then + { + # Remove DNS reponses from upstream with loopback IP + # Black hole DNS method for ad blocking, so consider... + echo " private-address: 127.0.0.0/8" + echo " private-address: ::1/128" + echo + } >> $UNBOUND_CONFFILE + + else + echo >> $UNBOUND_CONFFILE + fi + + + # Domain Exceptions + config_list_foreach "$cfg" "domain_insecure" create_domain_insecure + echo >> $UNBOUND_CONFFILE + + + #################### + # UCI @ network # + #################### + + + if [ "$UNBOUND_B_LOCL_SERV" -gt 0 ] ; then + # Only respond to queries from which this device has an interface. + # Prevent DNS amplification attacks by not responding to the universe. + config_load network + config_foreach create_access_control interface + + { + echo " access-control: 127.0.0.0/8 allow" + echo " access-control: ::1/128 allow" + echo " access-control: fe80::/10 allow" + echo + } >> $UNBOUND_CONFFILE + + else + { + echo " access-control: 0.0.0.0/0 allow" + echo " access-control: ::0/0 allow" + echo + } >> $UNBOUND_CONFFILE + fi +} + +############################################################################## + +unbound_uci() { + local cfg=$1 + local dnsmasqpath + + #################### + # UCI @ unbound # + #################### + + config_get_bool UNBOUND_B_GATE_NAME "$cfg" dnsmsaq_gate_name 0 + config_get_bool UNBOUND_B_DNSMASQ "$cfg" dnsmasq_link_dns 0 + config_get_bool UNBOUND_B_LOCL_NAME "$cfg" dnsmasq_only_local 0 + config_get_bool UNBOUND_B_LOCL_SERV "$cfg" localservice 1 + config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0 + config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0 + config_get_bool UNBOUND_B_PRIV_BLCK "$cfg" rebind_protection 1 + config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0 + config_get_bool UNBOUND_B_CONTROL "$cfg" unbound_control 0 + config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0 + config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1 + + config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280 + config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53 + config_get UNBOUND_D_RECURSION "$cfg" recursion passive + config_get UNBOUND_D_RESOURCE "$cfg" resource small + config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 7 + config_get UNBOUND_TTL_MIN "$cfg" ttl_min 120 + + + if [ "$UNBOUND_B_DNSMASQ" -gt 0 ] ; then + dnsmasqpath=$( which dnsmasq ) + + + if [ ! -x "$dnsmasqpath" ] ; then + logger -t unbound -s "cannot forward to dnsmasq" + UNBOUND_B_DNSMASQ=0 + fi + fi + + + if [ "$UNBOUND_N_EDNS_SIZE" -lt 512 \ + -o 4096 -lt "$UNBOUND_N_EDNS_SIZE" ] ; then + # exceeds range, back to default + UNBOUND_N_EDNS_SIZE=1280 + fi + + + if [ "$UNBOUND_N_RX_PORT" -lt 1024 \ + -o 10240 -lt "$UNBOUND_N_RX_PORT" ] ; then + # special port or in 5 digits, back to default + UNBOUND_N_RX_PORT=53 + fi + + + if [ "$UNBOUND_TTL_MIN" -gt 1800 ] ; then + # that could have had awful side effects + UNBOUND_TTL_MIN=300 + fi + + + if [ "$UNBOUND_B_MAN_CONF" -gt 0 ] ; then + if [ -f /etc/unbound/unbound.conf ] ; then + # You don't want UCI and use your own manual configuration + # or with no base file whatever Unbound defaults are. + cp -p /etc/unbound/unbound.conf $UNBOUND_CONFFILE + fi + + + # Don't want this being triggered. Maybe we could, but then the + # base conf you provide would need to be just right. + UNBOUND_B_DNSMASQ=0 + + else + unbound_conf $cfg fi } ############################################################################## -unbound_own() { +unbound_own () { # Debug UCI { echo "# $UNBOUND_CHECKFILE generated by UCI $( date )" echo set | grep ^UNBOUND_ } > $UNBOUND_CHECKFILE - - + + if [ ! -f "$UNBOUND_CONFFILE" ] ; then # if somehow this happened touch $UNBOUND_CONFFILE fi - - + + # Ensure Access chown -R unbound:unbound $UNBOUND_VARDIR chmod 775 $UNBOUND_VARDIR @@ -117,8 +520,17 @@ unbound_own() { ############################################################################## unbound_prepare() { + # Make a home for Unbound in /var/lib/unbound unbound_mkdir - unbound_conf + + # Load up the chunks of UCI + config_load unbound + config_foreach unbound_uci unbound + + # Unbound primary DNS, and dnsmasq side service DHCP-DNS (dnsmasq.sh) + dnsmasq_link + + # Unbound needs chroot ownership unbound_own }