
unbound: clean up interface interpretation in UCI

DNS flag day 2020, software should reflect the minimum EDNS 1232 bytes.
Added iface_wan and iface_lan to control internal DNS assignments and
to control what is local service ACL. Interface wild cards are not
explicitly set so that they can be customized in extended conf.

Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
lilik-openwrt-22.03
Eric Luehrsen 4 years ago
parent
commit
658c27ea97
10 changed files with 193 additions and 116 deletions
  1. +8 -5 net/unbound/files/README.md
  2. +8 -5 net/unbound/files/defaults.sh
  3. +3 -0 net/unbound/files/dnsmasq.sh
  4. +7 -0 net/unbound/files/iptools.sh
  5. +7 -0 net/unbound/files/odhcpd.sh
  6. +3 -0 net/unbound/files/stopping.sh
  7. +7 -3 net/unbound/files/unbound.init
  8. +4 -2 net/unbound/files/unbound.ntpd
  9. +115 -95 net/unbound/files/unbound.sh
  10. +31 -6 net/unbound/files/unbound.uci

+8 -5 net/unbound/files/README.md

@ -1,4 +1,5 @@
# Unbound Recursive DNS Server with UCI # Unbound Recursive DNS Server with UCI
<!-- markdownlint-disable -->
## Unbound Description ## Unbound Description
[Unbound](https://www.unbound.net/) is a validating, recursive, and caching DNS resolver. The C implementation of Unbound is developed and maintained by [NLnet Labs](https://www.nlnetlabs.nl/). It is based on ideas and algorithms taken from a java prototype developed by Verisign labs, Nominet, Kirei and ep.net. Unbound is designed as a set of modular components, so that also DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible. [Unbound](https://www.unbound.net/) is a validating, recursive, and caching DNS resolver. The C implementation of Unbound is developed and maintained by [NLnet Labs](https://www.nlnetlabs.nl/). It is based on ideas and algorithms taken from a java prototype developed by Verisign labs, Nominet, Kirei and ep.net. Unbound is designed as a set of modular components, so that also DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible.
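Review bot: `<!-- markdownlint-disable -->` at the top of the file switches off every markdownlint rule for the whole README rather than the few the wide tables trip (line length MD013 and inline HTML MD033 for the `<br>` cells); prefer `<!-- markdownlint-disable MD013 MD033 -->` so genuine formatting mistakes in later edits are still reported.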
@ -202,7 +203,7 @@ One instance is supported currently.
| --- | ------- | ----- | ----------- | ------- | | --- | ------- | ----- | ----------- | ------- |
| add_extra_dns | 0 | level | Read OpenWrt traditional options for `dnsmasq`.<br>`0`: Disabled<br>`1`: Use only domain<br>`2`: Use domain, mxhost, and srvhost<br>`3`: Use all cname, domain, mxhost, and srvhost | local-data: | | add_extra_dns | 0 | level | Read OpenWrt traditional options for `dnsmasq`.<br>`0`: Disabled<br>`1`: Use only domain<br>`2`: Use domain, mxhost, and srvhost<br>`3`: Use all cname, domain, mxhost, and srvhost | local-data: |
| add_local_fqdn | 0 | level | Each level puts a more detailed router entry within the LAN DNS (except link).<br>`0`: Disabled<br>`1`: Host name on the primary address<br>`2`: Host name on all addresses<br>`3`: FQDN and host name on all addresses<br>`4`: FQDN defined by "iface.hostname.domain" | local-zone: local-data: | | add_local_fqdn | 0 | level | Each level puts a more detailed router entry within the LAN DNS (except link).<br>`0`: Disabled<br>`1`: Host name on the primary address<br>`2`: Host name on all addresses<br>`3`: FQDN and host name on all addresses<br>`4`: FQDN defined by "iface.hostname.domain" | local-zone: local-data: |
| add_wan_fqdn | 0 | level | Same as `add_local_fqdn` but on WAN as inferred by `config dhcp` with `option ignore 1`. | local-zone: local-data: |
| add_wan_fqdn | 0 | level | Same as `add_local_fqdn` but on WAN as listed in `iface_wan` | local-zone: local-data: |
| dns64 | 0 | boolean | Enable DNS64 RFC6052 to bridge IPv4 and IPv6 networks. | module: dns64 | | dns64 | 0 | boolean | Enable DNS64 RFC6052 to bridge IPv4 and IPv6 networks. | module: dns64 |
| dns64_prefix | 64:ff9b::/96 | subnet | DNS64 RFC6052 IPv4 in IPv6 well known prefix. | dns64-prefix: | | dns64_prefix | 64:ff9b::/96 | subnet | DNS64 RFC6052 IPv4 in IPv6 well known prefix. | dns64-prefix: |
| dhcp_link | none | program | Link to a DHCP server with supported scripts. See HOW TO above. | local-zone: local-data: forward-zone: | | dhcp_link | none | program | Link to a DHCP server with supported scripts. See HOW TO above. | local-zone: local-data: forward-zone: |
@ -210,10 +211,13 @@ One instance is supported currently.
| domain | lan | domain | This will suffix DHCP host records and be the default search domain. | local-zone: | | domain | lan | domain | This will suffix DHCP host records and be the default search domain. | local-zone: |
| domain_insecure | (empty) | domain | **List** domains that you wish to skip DNSSEC. It is one way around NTP chicken and egg. Your DHCP domains are automatically included. | domain-insecure: | | domain_insecure | (empty) | domain | **List** domains that you wish to skip DNSSEC. It is one way around NTP chicken and egg. Your DHCP domains are automatically included. | domain-insecure: |
| domain_type | static | state | This allows you to lock down or allow forwarding of the local zone.<br>`static`: no forwarding like dnsmasq default<br>`refuse`: answer overtly with REFUSED<br>`deny`: covertly drop all queries<br>`transparent`: may continue forwarding or recusion | local-zone: | | domain_type | static | state | This allows you to lock down or allow forwarding of the local zone.<br>`static`: no forwarding like dnsmasq default<br>`refuse`: answer overtly with REFUSED<br>`deny`: covertly drop all queries<br>`transparent`: may continue forwarding or recusion | local-zone: |
| edns_size | 1280 | bytes | Extended DNS is necessary for DNSSEC. Use this to manage MTU issues. | edns-size: |
| edns_size | 1232 | bytes | Extended DNS is necessary for DNSSEC. Use this to manage MTU issues. | edns-size: |
| extended_stats | 0 | boolean | Extended statistics are stored in Unbound memory for report by `unbound-control`. | extended-statistics: | | extended_stats | 0 | boolean | Extended statistics are stored in Unbound memory for report by `unbound-control`. | extended-statistics: |
| hide_binddata | 1 | boolean | Refuse possible attack queries like version.server, version.bind, id.server, and hostname.bind. | hide-identity: hide-version: | | hide_binddata | 1 | boolean | Refuse possible attack queries like version.server, version.bind, id.server, and hostname.bind. | hide-identity: hide-version: |
| interface_auto | 1 | boolean | RECOMMEND ENABLED otherwise Unbound answers to any attached address regardless of query in-address. | interface-automatic: |
| iface_lan | lan | interface | **List** to add interafaces you wish to consider to be LAN beyond those served by DHCP | interface: access-control: |
| iface_trig | lan wan | interface | **List** interfaces to watch IFUP to restart Unbound. This works around `netifd` and `procd` hyper activity with WAN DHCPv6 (else restart each 2-3 minutes). | - |
| iface_wan | wan | interface | **List** interafaces you wish to consider to be WAN for masked local zone purposes | interface-outgoing: |
| interface_auto | 1 | boolean | RECOMMEND ENABLED otherwise Unbound answers to any attached address regardless of query in-address. This also binds Unboud to the wild card address. | interface-automatic: |
| listen_port | 53 | port | Inbound port where Unbound will listen for queries. | port: | | listen_port | 53 | port | Inbound port where Unbound will listen for queries. | port: |
| localservice | 1 | boolean | Prevent DNS amplification attacks. Only answer to subnets this machine has interfaces on. | access-control: | | localservice | 1 | boolean | Prevent DNS amplification attacks. Only answer to subnets this machine has interfaces on. | access-control: |
| manual_conf | 0 | boolean | Skip all this UCI nonsense. Manually edit the configuration in `/etc/unbound/unbound.conf`. | - | | manual_conf | 0 | boolean | Skip all this UCI nonsense. Manually edit the configuration in `/etc/unbound/unbound.conf`. | - |
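Review bot: the new `iface_lan` and `iface_wan` rows both misspell "interfaces" as "interafaces", and the reworded `interface_auto` row has "Unboud". More substantively, the Unbound column for `iface_wan` says `interface-outgoing:`, which is not an Unbound option (the real name is `outgoing-interface:`), and nothing in the unbound.sh changes emits such a line from this list; per the description the list is used to mask the local zone and to keep those subnets out of `access-control:`, so the column should say `local-zone: access-control:` (or `-`) to match what the scripts do.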
@ -227,7 +231,6 @@ One instance is supported currently.
| recursion | passive | state | Unbound has many options for recrusion but UCI is bundled for simplicity.<br>`passive`: slower until cache fills but kind on CPU load<br>`default`: built-in defaults<br>`aggressive`: uses prefetching to handle more requests quickly | (many) | | recursion | passive | state | Unbound has many options for recrusion but UCI is bundled for simplicity.<br>`passive`: slower until cache fills but kind on CPU load<br>`default`: built-in defaults<br>`aggressive`: uses prefetching to handle more requests quickly | (many) |
| resource | small | state | Unbound has many options for memory resources but UCI is bundled for simplicity.<br>`tiny`: similar to published memory restricted configuration<br>`small`: about half of medium<br>`medium`: similar to default<br>`default`: built-in defaults<br>`large`: about double of medium | \*-cache-size: | | resource | small | state | Unbound has many options for memory resources but UCI is bundled for simplicity.<br>`tiny`: similar to published memory restricted configuration<br>`small`: about half of medium<br>`medium`: similar to default<br>`default`: built-in defaults<br>`large`: about double of medium | \*-cache-size: |
| root_age | 9 | day | >90 Disables. Age limit for root data like root DNSSEC key. Scripts will copy from `tmps` to flash ROM with this limit to save write life. | - | | root_age | 9 | day | >90 Disables. Age limit for root data like root DNSSEC key. Scripts will copy from `tmps` to flash ROM with this limit to save write life. | - |
| trigger_interface | lan wan | interface | **List** interfaces to watch IFUP to restart Unbound. This works around `netifd` and `procd` hyper activity with WAN DHCPv6 (else restart each 2-3 minutes). | - |
| ttl_min | 120 | second | Minimum TTL in cache to avoid abused low TTL for snoop-vertising and non-standard load balancing. Typical to configure maybe 0~300 but 1800 is the maximum accepted. | cache-min-ttl: | | ttl_min | 120 | second | Minimum TTL in cache to avoid abused low TTL for snoop-vertising and non-standard load balancing. Typical to configure maybe 0~300 but 1800 is the maximum accepted. | cache-min-ttl: |
| unbound_control | 0 | level | Enables `unbound-control` application access ports.<br>`0`: None else add your own in unbound_ext.conf<br>`1`: Unencrypted Local Host Access<br>`2`: SSL Local Host Access w/ auto unbound-control-setup<br>`3`: SSL Network Access w/ auto unbound-control-setup<br>`4`: SSL Network Access; static key/pem files must already exist | unbound-control: ... (clause) | | unbound_control | 0 | level | Enables `unbound-control` application access ports.<br>`0`: None else add your own in unbound_ext.conf<br>`1`: Unencrypted Local Host Access<br>`2`: SSL Local Host Access w/ auto unbound-control-setup<br>`3`: SSL Network Access w/ auto unbound-control-setup<br>`4`: SSL Network Access; static key/pem files must already exist | unbound-control: ... (clause) |
| validator | 0 | boolean | Enable DNSSEC validator module. | module: validator | | validator | 0 | boolean | Enable DNSSEC validator module. | module: validator |
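Review bot: dropping the `trigger_interface` row leaves no hint that the old name still works; unbound.init keeps reading `trigger` and `trigger_interface` alongside `iface_trig`, so a one-line deprecation note on the `iface_trig` row ("renamed from `trigger_interface`; old lists are still honoured") would save existing users a confused search after upgrading.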
@ -238,7 +241,7 @@ One instance is supported currently.
Confingure any mix of Unbound `forward-zone:`, `stub-zone:`, or `auth-zone:` clauses. These sections are more compact than Unbound and will unroll into Unbound's configuration syntax. Confingure any mix of Unbound `forward-zone:`, `stub-zone:`, or `auth-zone:` clauses. These sections are more compact than Unbound and will unroll into Unbound's configuration syntax.
| UCI | Default | Units | Description | Unbound | | UCI | Default | Units | Description | Unbound |
| --- | ------- | ----- | ----------- | ------- | | --- | ------- | ----- | ----------- | ------- |
| dns_assist | none | program | Check against local host forwarding by requiring a target program to exist and be enabled else do not permit forwarding `127.0.0.0/8` or `::1`. Includes bind, dnsmasq, ipset-dns, and nsd. | forward-addr: |
| dns_assist | none | program | Check against local host forwarding by requiring a target program to exist and be enabled else do not permit forwarding `127.0.0.0/8` or `::1`. Includes bind, dnsmasq, http-proxy-dns, ipset-dns, and nsd. | forward-addr: |
| enabled | 0 | boolean | turn zone on or off without deleting it | - | | enabled | 0 | boolean | turn zone on or off without deleting it | - |
| fallback | 1 | boolean | Allow this zone to fall through to other zones or recursion. | forward-first: | | fallback | 1 | boolean | Allow this zone to fall through to other zones or recursion. | forward-first: |
| port | 53 | port | Target server's target port for plain DNS operations. | (auto 192.0.2.53 \#53) | port | 53 | port | Target server's target port for plain DNS operations. | (auto 192.0.2.53 \#53)
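Review bot: the program name added to the `dns_assist` row, `http-proxy-dns`, matches neither the new case label in unbound.sh (`htpps-dns-proxy`) nor the binary that label tests (`/usr/sbin/https-dns-proxy`); use `https-dns-proxy` in all three places or the option can never be selected. The `unprotected-loop` value introduced in the same unbound.sh function is also missing from this row and needs its soft-brick caveat documented here. Context line typo while you are in the file: "Confingure".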


+8 -5 net/unbound/files/defaults.sh

@ -14,7 +14,11 @@
# #
############################################################################## ##############################################################################
# while useful (sh)ellcheck is pedantic and noisy
# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
# where are we? # where are we?
UB_ETCDIR=/etc/unbound
UB_LIBDIR=/usr/lib/unbound UB_LIBDIR=/usr/lib/unbound
UB_VARDIR=/var/lib/unbound UB_VARDIR=/var/lib/unbound
UB_PIDFILE=/var/run/unbound.pid UB_PIDFILE=/var/run/unbound.pid
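Review bot: the same two-line shellcheck header is pasted into every file in this commit and disables broad classes (2086 unquoted expansions, 2154 referenced-but-unassigned variables, 2039 non-POSIX constructs); since each script already sources this file, consider one shared directive and per-line `# shellcheck disable=SC2086` only at the spots that need it, so a real quoting bug elsewhere is still reported. Introducing `UB_ETCDIR` is good; the `/etc/unbound` literals in unbound.sh's key-copy lines are removed further down in this commit, so a final grep for surviving literals is worthwhile.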
@ -40,7 +44,6 @@ UB_RESOLV_AUTO=/tmp/resolv.conf.d/resolv.conf.auto
# TLS keys # TLS keys
UB_TLS_KEY_FILE="TLS server UCI not implemented" UB_TLS_KEY_FILE="TLS server UCI not implemented"
UB_TLS_PEM_FILE="TLS server UCI not implemented" UB_TLS_PEM_FILE="TLS server UCI not implemented"
UB_TLS_FWD_FILE=$UB_VARDIR/ca-certificates.crt
UB_TLS_ETC_FILE=/etc/ssl/certs/ca-certificates.crt UB_TLS_ETC_FILE=/etc/ssl/certs/ca-certificates.crt
# start files # start files
@ -50,10 +53,10 @@ UB_TIME_FILE=$UB_VARDIR/hotplug.time
UB_SKIP_FILE=$UB_VARDIR/skip.time UB_SKIP_FILE=$UB_VARDIR/skip.time
# control app keys # control app keys
UB_CTLKEY_FILE=$UB_VARDIR/unbound_control.key
UB_CTLPEM_FILE=$UB_VARDIR/unbound_control.pem
UB_SRVKEY_FILE=$UB_VARDIR/unbound_server.key
UB_SRVPEM_FILE=$UB_VARDIR/unbound_server.pem
UB_CTLKEY_FILE=$UB_ETCDIR/unbound_control.key
UB_CTLPEM_FILE=$UB_ETCDIR/unbound_control.pem
UB_SRVKEY_FILE=$UB_ETCDIR/unbound_server.key
UB_SRVPEM_FILE=$UB_ETCDIR/unbound_server.pem
# similar default SOA / NS RR as Unbound uses for private ARPA zones # similar default SOA / NS RR as Unbound uses for private ARPA zones
UB_XSER=$(( $( date +%s ) / 60 )) UB_XSER=$(( $( date +%s ) / 60 ))
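Review bot: moving the unbound-control key and pem files from `$UB_VARDIR` (tmpfs, and subject to the blanket `chmod 644 $UB_VARDIR/*` in unbound_mkdir) to `$UB_ETCDIR` means the private keys now persist across reboots and are no longer made world-readable by that chmod, which is an improvement. Two follow-ups: the directory mode of `/etc/unbound` should not undo the 640 on the files, and the four files need to be preserved by sysupgrade (conffiles or equivalent), otherwise every upgrade regenerates the server key and breaks existing `unbound-control` clients.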


+3 -0 net/unbound/files/dnsmasq.sh

@ -23,6 +23,9 @@
# #
############################################################################## ##############################################################################
# while useful (sh)ellcheck is pedantic and noisy
# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
DM_D_WAN_FQDN=0 DM_D_WAN_FQDN=0
DM_LIST_KNOWN_ZONES="invalid" DM_LIST_KNOWN_ZONES="invalid"


+7 -0 net/unbound/files/iptools.sh

@ -21,6 +21,13 @@
# #
############################################################################## ##############################################################################
# while useful (sh)ellcheck is pedantic and noisy
# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
UB_IPTOOLS_BLANK=
##############################################################################
domain_ptr_ip6() { domain_ptr_ip6() {
# Get the nibble rounded /CIDR ...ip6.arpa. # Get the nibble rounded /CIDR ...ip6.arpa.
echo "$1" | awk -F: \ echo "$1" | awk -F: \
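Review bot: `UB_IPTOOLS_BLANK=` is an empty assignment with no comment; if it exists only to give shellcheck a statement before the first function definition in a sourced file, say so in a comment, otherwise the next cleanup pass will delete it and reintroduce whatever warning it suppresses.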


+7 -0 net/unbound/files/odhcpd.sh

@ -23,6 +23,13 @@
# #
############################################################################## ##############################################################################
# while useful (sh)ellcheck is pedantic and noisy
# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
UB_ODHCPD_BLANK=
##############################################################################
odhcpd_zonedata() { odhcpd_zonedata() {
. /lib/functions.sh . /lib/functions.sh
. /usr/lib/unbound/defaults.sh . /usr/lib/unbound/defaults.sh
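Review bot: same remark as for iptools.sh: `UB_ODHCPD_BLANK=` needs a one-line comment explaining why an empty placeholder assignment is required here.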


+3 -0 net/unbound/files/stopping.sh

@ -19,6 +19,9 @@
# #
############################################################################## ##############################################################################
# while useful (sh)ellcheck is pedantic and noisy
# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
. /usr/lib/unbound/defaults.sh . /usr/lib/unbound/defaults.sh
############################################################################## ##############################################################################


+7 -3 net/unbound/files/unbound.init

@ -9,6 +9,9 @@
# #
############################################################################## ##############################################################################
# while useful (sh)ellcheck is pedantic and noisy
# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
START=19 START=19
STOP=50 STOP=50
USE_PROCD=1 USE_PROCD=1
@ -54,9 +57,10 @@ stop_service() {
############################################################################## ##############################################################################
service_triggers() { service_triggers() {
local legacy=$( uci_get unbound.@unbound[0].trigger )
local triggers=$( uci_get unbound.@unbound[0].trigger_interface )
local trigger="$triggers $legacy"
local legacy1=$( uci_get unbound.@unbound[0].trigger )
local legacy2=$( uci_get unbound.@unbound[0].trigger_interface )
local legacy3=$( uci_get unbound.@unbound[0].iface_trig )
local triggers="$legacy1 $legacy2 $legacy3"
. /usr/lib/unbound/defaults.sh . /usr/lib/unbound/defaults.sh
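Review bot: the result variable is renamed from `trigger` to `triggers`, but the loop that consumes it sits below this hunk and is not shown as changed; confirm it now reads `$triggers`, because a leftover `$trigger` would expand empty and no interface trigger would be registered, with no error. Reading the two legacy names alongside `iface_trig` is the right compatibility choice; `uci_get` on a missing option just contributes whitespace here.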


+4 -2 net/unbound/files/unbound.ntpd

@ -12,12 +12,14 @@
# #
############################################################################## ##############################################################################
# Common file location definitions
# while useful (sh)ellcheck is pedantic and noisy
# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
. /usr/lib/unbound/defaults.sh . /usr/lib/unbound/defaults.sh
############################################################################## ##############################################################################
if [ ! -f "$UB_TIME_FILE" -a "$ACTION" = stratum ] ; then
if [ ! -f "$UB_TIME_FILE" ] && [ "$ACTION" = stratum ] ; then
date -Is > $UB_TIME_FILE date -Is > $UB_TIME_FILE
/etc/init.d/unbound enabled && /etc/init.d/unbound restart /etc/init.d/unbound enabled && /etc/init.d/unbound restart
# Yes, hard RESTART. We need to be absolutely sure to enable DNSSEC. # Yes, hard RESTART. We need to be absolutely sure to enable DNSSEC.


+115 -95 net/unbound/files/unbound.sh

@ -23,6 +23,9 @@
# #
############################################################################## ##############################################################################
# while useful (sh)ellcheck is pedantic and noisy
# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
UB_B_AUTH_ROOT=0 UB_B_AUTH_ROOT=0
UB_B_DNS_ASSIST=0 UB_B_DNS_ASSIST=0
UB_B_DNSSEC=0 UB_B_DNSSEC=0
@ -53,7 +56,7 @@ UB_D_WAN_FQDN=0
UB_IP_DNS64="64:ff9b::/96" UB_IP_DNS64="64:ff9b::/96"
UB_N_EDNS_SIZE=1280
UB_N_EDNS_SIZE=1232
UB_N_RX_PORT=53 UB_N_RX_PORT=53
UB_N_ROOT_AGE=9 UB_N_ROOT_AGE=9
UB_N_THREADS=1 UB_N_THREADS=1
@ -114,7 +117,7 @@ bundle_all_networks() {
############################################################################## ##############################################################################
bundle_lan_networks() {
bundle_dhcp_networks() {
local cfg="$1" local cfg="$1"
local interface ifsubnet ifname ifdashname ignore local interface ifsubnet ifname ifdashname ignore
@ -139,19 +142,50 @@ bundle_lan_networks() {
############################################################################## ##############################################################################
bundle_lan_networks() {
local interface="$1"
local ifsubnet ifname ifdashname
network_get_device ifname "$interface"
ifdashname="${ifname//./-}"
if [ -n "$ifdashname" ] && [ -n "$UB_LIST_NETW_ALL" ] ; then
for ifsubnet in $UB_LIST_NETW_ALL ; do
case $ifsubnet in
"${ifdashname}"@*)
# Special GLA protection for local block; ULA protected default
UB_LIST_NETW_LAN="$UB_LIST_NETW_LAN $ifsubnet"
;;
esac
done
fi
}
##############################################################################
bundle_wan_networks() { bundle_wan_networks() {
local ifsubnet
local interface="$1"
local ifsubnet ifname ifdashname
network_get_device ifname "$interface"
ifdashname="${ifname//./-}"
if [ -n "$UB_LIST_NETW_ALL" ] ; then
if [ -n "$ifdashname" ] && [ -n "$UB_LIST_NETW_ALL" ] ; then
for ifsubnet in $UB_LIST_NETW_ALL ; do for ifsubnet in $UB_LIST_NETW_ALL ; do
case $UB_LIST_NETW_LAN in case $UB_LIST_NETW_LAN in
*"${ifsubnet}"*) *"${ifsubnet}"*)
# If LAN, then not WAN ...
# If LAN, then not WAN ... scripts might become complex
;; ;;
*) *)
UB_LIST_NETW_WAN="$UB_LIST_NETW_WAN $ifsubnet"
case $ifsubnet in
"${ifdashname}"@*)
# Special GLA protection for local block; ULA protected default
UB_LIST_NETW_WAN="$UB_LIST_NETW_WAN $ifsubnet"
;;
esac
;; ;;
esac esac
done done
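Review bot: `bundle_wan_networks` treats anything already present in `UB_LIST_NETW_LAN` as not-WAN, so its correctness depends on the LAN list being complete at the time it runs; that holds for `iface_lan` entries (bundled first) but not for subnets appended later by the DHCP pass. The comment "Special GLA protection for local block; ULA protected default" is pasted into both functions and explains neither; a sentence on why only `${ifdashname}@*` entries are kept would help. `${ifname//./-}` is a bash pattern substitution that BusyBox ash on OpenWrt accepts, which is why SC2039 had to be disabled; worth a comment too.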
@ -218,7 +252,8 @@ unbound_mkdir() {
mkdir -p $UB_VARDIR mkdir -p $UB_VARDIR
rm -f $UB_VARDIR/dhcp_* rm -f $UB_VARDIR/dhcp_*
touch $UB_TOTAL_CONF touch $UB_TOTAL_CONF
cp -p /etc/unbound/* $UB_VARDIR/
cp -p $UB_ETCDIR/*.conf $UB_VARDIR/
cp -p $UB_ETCDIR/root.* $UB_VARDIR/
if [ ! -f $UB_RHINT_FILE ] ; then if [ ! -f $UB_RHINT_FILE ] ; then
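Review bot: narrowing `cp -p /etc/unbound/*` to `*.conf` and `root.*` is the right move now that the control keys live in `$UB_ETCDIR` and `$UB_VARDIR` receives `chmod 644 *` a few lines later (the old wildcard would have copied the private keys into a world-readable tree). However an unmatched glob (no `root.*` yet on first boot, which the following `if [ ! -f $UB_RHINT_FILE ]` suggests is possible) makes `cp` complain about the literal pattern; guard each copy with a file test or append `2>/dev/null`.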
@ -253,42 +288,28 @@ unbound_mkdir() {
fi fi
if [ -f $UB_TLS_ETC_FILE ] ; then
# copy the cert bundle into jail
cp -p $UB_TLS_ETC_FILE $UB_TLS_FWD_FILE
fi
# Ensure access and prepare to jail # Ensure access and prepare to jail
chown -R unbound:unbound $UB_VARDIR chown -R unbound:unbound $UB_VARDIR
chmod 755 $UB_VARDIR chmod 755 $UB_VARDIR
chmod 644 $UB_VARDIR/* chmod 644 $UB_VARDIR/*
if [ -f $UB_CTLKEY_FILE ] || [ -f $UB_CTLPEM_FILE ] \
|| [ -f $UB_SRVKEY_FILE ] || [ -f $UB_SRVPEM_FILE ] ; then
# Keys (some) exist already; do not create new ones
chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
$UB_SRVKEY_FILE $UB_SRVPEM_FILE
elif [ -x /usr/sbin/unbound-control-setup ] ; then
case "$UB_D_CONTROL" in
[2-3])
# unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static"
/usr/sbin/unbound-control-setup -d $UB_VARDIR
chown -R unbound:unbound $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
$UB_SRVKEY_FILE $UB_SRVPEM_FILE
if [ -x /usr/sbin/unbound-control-setup ] ; then
if [ ! -f $UB_CTLKEY_FILE ] || [ ! -f $UB_CTLPEM_FILE ] \
|| [ ! -f $UB_SRVKEY_FILE ] || [ ! -f $UB_SRVPEM_FILE ] ; then
case "$UB_D_CONTROL" in
[2-3])
# unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static"
/usr/sbin/unbound-control-setup -d $UB_ETCDIR
chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
$UB_SRVKEY_FILE $UB_SRVPEM_FILE
chown -R unbound:unbound $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
$UB_SRVKEY_FILE $UB_SRVPEM_FILE
cp -p $UB_CTLKEY_FILE /etc/unbound/unbound_control.key
cp -p $UB_CTLPEM_FILE /etc/unbound/unbound_control.pem
cp -p $UB_SRVKEY_FILE /etc/unbound/unbound_server.key
cp -p $UB_SRVPEM_FILE /etc/unbound/unbound_server.pem
;;
esac
chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
$UB_SRVKEY_FILE $UB_SRVPEM_FILE
;;
esac
fi
fi fi
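Review bot: the old branch applied `chmod 640` to the key files whenever they already existed; the new code only chmods inside `[2-3])` immediately after generating them, so keys restored from a backup with loose modes, or the "static" option 4 files the comment mentions, are never tightened, and option 4 now hits no `chmod` or `chown` at all. Suggest an unconditional `chmod 640` plus `chown unbound:unbound` after the `case` for whichever of the four files exist. Also `unbound-control-setup -d $UB_ETCDIR` regenerates all four files when any one is missing, silently replacing a surviving server key; acceptable, but deserves a `logger` line.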
@ -452,6 +473,19 @@ unbound_zone() {
fi fi
;; ;;
htpps-dns-proxy)
if [ -x /usr/sbin/https-dns-proxy ] \
&& [ -x /etc/init.d/https-dns-proxy ] ; then
if /etc/init.d/https-dns-proxy ; then
dns_ast=1
else
dns_ast=0
fi
else
dns_ast=0
fi
;;
ipset-dns) ipset-dns)
if [ -x /usr/sbin/ipset-dns ] && [ -x /etc/init.d/ipset-dns ] ; then if [ -x /usr/sbin/ipset-dns ] && [ -x /etc/init.d/ipset-dns ] ; then
if /etc/init.d/ipset-dns enabled ; then if /etc/init.d/ipset-dns enabled ; then
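Review bot: two defects in the new case arm: the label is `htpps-dns-proxy)` (typo; compare the `-x /usr/sbin/https-dns-proxy` test two lines below, and the README, which spells it `http-proxy-dns`), and `if /etc/init.d/https-dns-proxy ; then` invokes the init script with no action, unlike the `ipset-dns` arm's `/etc/init.d/ipset-dns enabled`, so `dns_ast` is set from whatever an argument-less invocation returns rather than from the service's enabled state. Use `https-dns-proxy)` and `if /etc/init.d/https-dns-proxy enabled ; then`.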
@ -476,10 +510,17 @@ unbound_zone() {
fi fi
;; ;;
unprotected-loop)
# Soft brick risk. The server you are looking to connect to may be offline
# and cause loop error: procd, sysupgrade, package order, and other issues.
dns_ast=1
;;
*) *)
# Prevent a soft-brick event through local forwarding loops. Declare your
# assistant program and this will check to be sure it is there.
# Unbound has a local forward blocking option, default on, instead of loop
# detection. If it is released, then it may be a soft brick risk.
dns_ast=0 dns_ast=0
;;
esac esac
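Review bot: `unprotected-loop` sets `dns_ast=1` with no check at all, i.e. it is a sanctioned way to forward to `127.0.0.0/8` or `::1` without confirming that a listener exists; the comment states the soft-brick risk, which is good, but the value is absent from the README `dns_assist` row and selecting it emits no warning. Document it with the same caveat and add a `logger -p 4 -t unbound -s` line when this arm is taken so it shows up in `logread` during troubleshooting.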
@ -527,7 +568,7 @@ unbound_zone() {
;; ;;
forward_zone) forward_zone)
if [ ! -f $UB_TLS_FWD_FILE ] && [ "$tls_upstream" = "yes" ] ; then
if [ ! -f $UB_TLS_ETC_FILE ] && [ "$tls_upstream" = "yes" ] ; then
logger -p 4 -t unbound -s \ logger -p 4 -t unbound -s \
"Forward-zone TLS benefits from authentication in package 'ca-bundle'" "Forward-zone TLS benefits from authentication in package 'ca-bundle'"
fi fi
@ -555,6 +596,11 @@ unbound_zone() {
else else
case $server in case $server in
127.*|::0*)
# soft brick loop back risk see DNS assist above
echo "do nothing" >/dev/null
;;
*@[0-9]*|*#[A-Za-z0-9]*) *@[0-9]*|*#[A-Za-z0-9]*)
# unique Unbound option for server host name # unique Unbound option for server host name
servers_host="$servers_host $server" servers_host="$servers_host $server"
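Review bot: the loopback guard `127.*|::0*)` does not match `::1`, which is how the IPv6 loopback address is normally written and what the README says is blocked; `::0*` only catches `::0...` spellings. Use `127.*|::1*|0::1*)` or normalise the address before matching. The arm also drops the server silently: replace `echo "do nothing" >/dev/null` with `:` and log the skipped server name, so a forward-zone that ends up with no servers is explainable from the log.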
@ -633,10 +679,10 @@ unbound_conf() {
} > $UB_CORE_CONF } > $UB_CORE_CONF
if [ -f "$UB_TLS_FWD_FILE" ] ; then
if [ -f "$UB_TLS_ETC_FILE" ] ; then
# TLS cert bundle for upstream forwarder and https zone files # TLS cert bundle for upstream forwarder and https zone files
# This is loaded before drop to root, so pull from /etc/ssl # This is loaded before drop to root, so pull from /etc/ssl
echo " tls-cert-bundle: $UB_TLS_FWD_FILE" >> $UB_CORE_CONF
echo " tls-cert-bundle: $UB_TLS_ETC_FILE" >> $UB_CORE_CONF
fi fi
@ -690,14 +736,14 @@ unbound_conf() {
if [ $UB_B_EXT_STATS -gt 0 ] ; then if [ $UB_B_EXT_STATS -gt 0 ] ; then
{ {
# Log More
# store more data in memory for unbound-control to report
echo " extended-statistics: yes" echo " extended-statistics: yes"
echo echo
} >> $UB_CORE_CONF } >> $UB_CORE_CONF
else else
{ {
# Log Less
# store Less
echo " extended-statistics: no" echo " extended-statistics: no"
echo echo
} >> $UB_CORE_CONF } >> $UB_CORE_CONF
@ -714,14 +760,17 @@ unbound_conf() {
fi fi
{
# avoid interference with SPI/NAT on both reserved and common server ports
echo " edns-buffer-size: $UB_N_EDNS_SIZE"
echo " port: $UB_N_RX_PORT"
echo " outgoing-port-permit: 10240-65535"
} >> $UB_CORE_CONF
case "$UB_D_PROTOCOL" in case "$UB_D_PROTOCOL" in
ip4_only) ip4_only)
{ {
echo " edns-buffer-size: $UB_N_EDNS_SIZE"
echo " port: $UB_N_RX_PORT"
echo " outgoing-port-permit: 10240-65535"
echo " interface: 0.0.0.0"
echo " outgoing-interface: 0.0.0.0"
echo " do-ip4: yes" echo " do-ip4: yes"
echo " do-ip6: no" echo " do-ip6: no"
echo echo
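Review bot: hoisting `edns-buffer-size`, `port` and `outgoing-port-permit` above the `case` removes five copies, good. The removed `interface: 0.0.0.0` line is a behaviour change, though: listening now relies entirely on `interface-automatic: yes` from `interface_auto` (as the README row now states), and with `interface_auto 0` and no `interface:` in the extended conf Unbound falls back to its localhost-only default. Emit a `logger` notice for that combination so an apparently dead resolver is quick to diagnose.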
@ -730,42 +779,29 @@ unbound_conf() {
ip6_only) ip6_only)
{ {
echo " edns-buffer-size: $UB_N_EDNS_SIZE"
echo " port: $UB_N_RX_PORT"
echo " outgoing-port-permit: 10240-65535"
echo " interface: ::0"
echo " outgoing-interface: ::0"
echo " do-ip4: no" echo " do-ip4: no"
echo " do-ip6: yes" echo " do-ip6: yes"
echo echo
} >> $UB_CORE_CONF } >> $UB_CORE_CONF
;; ;;
ip6_local)
ip6_local)
{ {
echo " edns-buffer-size: $UB_N_EDNS_SIZE"
echo " port: $UB_N_RX_PORT"
echo " outgoing-port-permit: 10240-65535"
echo " interface: 0.0.0.0"
echo " interface: ::0"
echo " outgoing-interface: 0.0.0.0"
# answer your local IPv6 network but avoid broken ISP IPv6
echo " do-ip4: yes" echo " do-ip4: yes"
echo " do-ip6: yes" echo " do-ip6: yes"
echo " prefer-ip4: yes"
echo " prefer-ip6: no"
echo echo
} >> $UB_CORE_CONF } >> $UB_CORE_CONF
;; ;;
ip6_prefer) ip6_prefer)
{ {
echo " edns-buffer-size: $UB_N_EDNS_SIZE"
echo " port: $UB_N_RX_PORT"
echo " outgoing-port-permit: 10240-65535"
echo " interface: 0.0.0.0"
echo " interface: ::0"
echo " outgoing-interface: 0.0.0.0"
echo " outgoing-interface: ::0"
# RFC compliant dual stack
echo " do-ip4: yes" echo " do-ip4: yes"
echo " do-ip6: yes" echo " do-ip6: yes"
echo " prefer-ip4: no"
echo " prefer-ip6: yes" echo " prefer-ip6: yes"
echo echo
} >> $UB_CORE_CONF } >> $UB_CORE_CONF
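Review bot: the `ip6_local` arm keeps the comment "answer your local IPv6 network but avoid broken ISP IPv6" but loses the two settings that implemented it, `outgoing-interface: 0.0.0.0` and `prefer-ip4: yes`/`prefer-ip6: no`; it now emits the same `do-ip4: yes`/`do-ip6: yes` pair as `mixed`, so upstream queries can go over the ISP IPv6 path again. Either keep `prefer-ip4: yes` in this arm or update the comment and the README so nobody relies on the old behaviour.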
@ -773,14 +809,6 @@ unbound_conf() {
mixed) mixed)
{ {
# Interface Wildcard (access contol handled by "option local_service")
echo " edns-buffer-size: $UB_N_EDNS_SIZE"
echo " port: $UB_N_RX_PORT"
echo " outgoing-port-permit: 10240-65535"
echo " interface: 0.0.0.0"
echo " interface: ::0"
echo " outgoing-interface: 0.0.0.0"
echo " outgoing-interface: ::0"
echo " do-ip4: yes" echo " do-ip4: yes"
echo " do-ip6: yes" echo " do-ip6: yes"
echo echo
@ -791,17 +819,6 @@ unbound_conf() {
if [ $UB_B_READY -eq 0 ] ; then if [ $UB_B_READY -eq 0 ] ; then
logger -t unbound -s "default protocol configuration" logger -t unbound -s "default protocol configuration"
fi fi
{
# outgoing-interface has useful defaults; incoming is localhost though
echo " edns-buffer-size: $UB_N_EDNS_SIZE"
echo " port: $UB_N_RX_PORT"
echo " outgoing-port-permit: 10240-65535"
echo " interface: 0.0.0.0"
echo " interface: ::0"
echo
} >> $UB_CORE_CONF
;; ;;
esac esac
@ -1043,9 +1060,9 @@ unbound_conf() {
fi fi
if [ $UB_B_LOCL_SERV -gt 0 ] && [ -n "$UB_LIST_NETW_ALL" ] ; then
if [ $UB_B_LOCL_SERV -gt 0 ] && [ -n "$UB_LIST_NETW_LAN" ] ; then
{ {
for ifsubnet in $UB_LIST_NETW_ALL ; do
for ifsubnet in $UB_LIST_NETW_LAN ; do
# Only respond to queries from subnets which have an interface. # Only respond to queries from subnets which have an interface.
# Prevent DNS amplification attacks by not responding to the universe. # Prevent DNS amplification attacks by not responding to the universe.
echo " access-control: ${ifsubnet#*@} allow" echo " access-control: ${ifsubnet#*@} allow"
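Review bot: switching the `access-control: ... allow` loop from `UB_LIST_NETW_ALL` to `UB_LIST_NETW_LAN` is the real security change in this commit: WAN-side subnets no longer receive an allow entry, so `localservice` now means LAN only. One consequence to flag: if the LAN list is empty (no `iface_lan` entries and no DHCP-served interface), the `-n` guard skips the whole block and Unbound's default ACL refuses everything except localhost, so the router fails closed with nothing in the log; add an `else` branch with a `logger` warning.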
@ -1327,7 +1344,7 @@ unbound_uci() {
config_get UB_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96" config_get UB_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96"
config_get UB_N_EDNS_SIZE "$cfg" edns_size 1280
config_get UB_N_EDNS_SIZE "$cfg" edns_size 1232
config_get UB_N_RX_PORT "$cfg" listen_port 53 config_get UB_N_RX_PORT "$cfg" listen_port 53
config_get UB_N_ROOT_AGE "$cfg" root_age 9 config_get UB_N_ROOT_AGE "$cfg" root_age 9
config_get UB_N_THREADS "$cfg" num_threads 1 config_get UB_N_THREADS "$cfg" num_threads 1
@ -1348,8 +1365,9 @@ unbound_uci() {
config_get UB_TTL_MIN "$cfg" ttl_min 120 config_get UB_TTL_MIN "$cfg" ttl_min 120
config_get UB_TXT_DOMAIN "$cfg" domain lan config_get UB_TXT_DOMAIN "$cfg" domain lan
config_list_foreach "$cfg" domain_insecure bundle_domain_insecure
config_list_foreach "$cfg" domain_insecure bundle_domain_insecure
config_list_foreach "$cfg" iface_lan bundle_lan_networks
config_list_foreach "$cfg" iface_wan bundle_wan_networks
if [ "$UB_D_DHCP_LINK" = "none" ] ; then if [ "$UB_D_DHCP_LINK" = "none" ] ; then
config_get_bool UB_B_DNSMASQ "$cfg" dnsmasq_link_dns 0 config_get_bool UB_B_DNSMASQ "$cfg" dnsmasq_link_dns 0
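Review bot: order matters here: `iface_lan` must be bundled before `iface_wan` because `bundle_wan_networks` excludes subnets already in `UB_LIST_NETW_LAN`. It is correct as written; add a comment so a later alphabetical tidy-up does not swap the two lines.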
@ -1396,7 +1414,7 @@ unbound_uci() {
if [ $UB_N_EDNS_SIZE -lt 512 ] || [ 4096 -lt $UB_N_EDNS_SIZE ] ; then if [ $UB_N_EDNS_SIZE -lt 512 ] || [ 4096 -lt $UB_N_EDNS_SIZE ] ; then
logger -t unbound -s "edns_size exceeds range, using default" logger -t unbound -s "edns_size exceeds range, using default"
UB_N_EDNS_SIZE=1280
UB_N_EDNS_SIZE=1232
fi fi
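Review bot: the literal `1232` now appears three times in this file (the `UB_N_EDNS_SIZE=1232` initialiser, the `config_get ... edns_size 1232` default, and this fallback) plus unbound.uci and the README; defining the default once in defaults.sh (for example a `UB_N_EDNS_DEFAULT` variable, name only a suggestion) and referencing it would make the next flag-day adjustment a single edit.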
@ -1541,6 +1559,11 @@ resolv_setup() {
############################################################################## ##############################################################################
unbound_start() { unbound_start() {
# get interface subnets together
config_load network
config_foreach bundle_all_networks interface
# read Unbound UCI but pick through it later
config_load unbound config_load unbound
config_foreach unbound_uci unbound config_foreach unbound_uci unbound
unbound_mkdir unbound_mkdir
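Review bot: loading `network` and running `bundle_all_networks` before `unbound_uci` is now required, because the `iface_lan`/`iface_wan` handlers read `UB_LIST_NETW_ALL`; the comment "get interface subnets together" should state that dependency explicitly. The subsequent `config_load unbound` replacing the loaded config is fine, since `network_get_device` goes through ubus rather than the loaded UCI data.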
@ -1551,11 +1574,8 @@ unbound_start() {
# forward-zone: auth-zone: and stub-zone: # forward-zone: auth-zone: and stub-zone:
config_foreach unbound_zone zone config_foreach unbound_zone zone
# associate potential DNS RR with interfaces # associate potential DNS RR with interfaces
config_load network
config_foreach bundle_all_networks interface
config_load dhcp config_load dhcp
config_foreach bundle_lan_networks dhcp
bundle_wan_networks
config_foreach bundle_dhcp_networks dhcp
# server: # server:
unbound_conf unbound_conf
unbound_hostname unbound_hostname
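Review bot: `bundle_dhcp_networks` now runs after `unbound_uci` has already built `UB_LIST_NETW_WAN`; if it still appends to `UB_LIST_NETW_LAN` (its body is the unchanged old `bundle_lan_networks`), an interface listed in `iface_wan` that also has a non-ignored `config dhcp` section ends up in both lists, and the "If LAN, then not WAN" exclusion in `bundle_wan_networks` never sees it. Either run the dhcp pass before the WAN bundling or re-check the WAN list against the LAN list after it.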


+31 -6 net/unbound/files/unbound.uci

@ -1,4 +1,4 @@
config unbound
config unbound 'ub_main'
option add_extra_dns '0' option add_extra_dns '0'
option add_local_fqdn '1' option add_local_fqdn '1'
option add_wan_fqdn '0' option add_wan_fqdn '0'
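Review bot: naming the section `ub_main` is useful, but unbound.init still addresses it as `unbound.@unbound[0]`; mixing the two styles is how a second `config unbound` section later produces surprises, so pick one (`unbound.ub_main` now that the name exists) and use it consistently.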
@ -8,7 +8,7 @@ config unbound
option dns64_prefix '64:ff9b::/96' option dns64_prefix '64:ff9b::/96'
option domain 'lan' option domain 'lan'
option domain_type 'static' option domain_type 'static'
option edns_size '1280'
option edns_size '1232'
option extended_stats '0' option extended_stats '0'
option hide_binddata '1' option hide_binddata '1'
option interface_auto '1' option interface_auto '1'
@ -30,11 +30,12 @@ config unbound
option validator '0' option validator '0'
option validator_ntp '1' option validator_ntp '1'
option verbosity '1' option verbosity '1'
list trigger_interface 'lan'
list trigger_interface 'wan'
list iface_trig 'lan'
list iface_trig 'wan'
list iface_wan 'wan'
#list domain_insecure 'ntp.example.com' #list domain_insecure 'ntp.example.com'
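Review bot: the shipped defaults add `list iface_wan 'wan'` but no `list iface_lan 'lan'`, while the README gives `lan` as the `iface_lan` default; `config_list_foreach` does nothing for a missing list, so on a fresh install the LAN set comes only from `bundle_dhcp_networks`. Either add the `iface_lan` entry here or correct the README default to "(empty)". The rename to `iface_trig` is covered by the legacy reads in unbound.init, but a config merge on upgrade will leave both names present.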
config zone
config zone 'auth_icann'
# cache the root zone all at once to speed up recursion # cache the root zone all at once to speed up recursion
option enabled '0' option enabled '0'
option fallback '1' option fallback '1'
@ -47,7 +48,7 @@ config zone
list zone_name 'in-addr.arpa.' list zone_name 'in-addr.arpa.'
list zone_name 'ip6.arpa.' list zone_name 'ip6.arpa.'
config zone
config zone 'fwd_isp'
# forward ISP account management to DHCP announced DNS servers # forward ISP account management to DHCP announced DNS servers
option enabled '0' option enabled '0'
option fallback '1' option fallback '1'
@ -56,3 +57,27 @@ config zone
list zone_name 'isp-bill.example.com.' list zone_name 'isp-bill.example.com.'
list zone_name 'isp-mail.example.net.' list zone_name 'isp-mail.example.net.'
config zone 'fwd_google'
option enabled '0'
option fallback '1'
option tls_index 'dns.google'
option tls_upstream '1'
option zone_type 'forward_zone'
list server '8.8.4.4'
list server '8.8.8.8'
list server '2001:4860:4860::8844'
list server '2001:4860:4860::8888'
list zone_name '.'
config zone 'fwd_cloudflare'
option enabled '0'
option fallback '1'
option tls_index 'cloudflare-dns.com'
option tls_upstream '1'
option zone_type 'forward_zone'
list server '1.1.1.1'
list server '1.0.0.1'
list server '2606:4700:4700::1111'
list server '2606:4700:4700::1001'
list zone_name '.'
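Review bot: both new zones set `tls_upstream '1'` with a `tls_index`, which only authenticates the upstream if the `ca-bundle` package is installed; the `forward_zone)` branch in unbound.sh merely logs "benefits from authentication" and still emits the zone when `$UB_TLS_ETC_FILE` is missing, so a user enabling `fwd_google` or `fwd_cloudflare` may get unauthenticated TLS without realising it. Say so in a comment next to these sections. `fallback '1'` (`forward-first`) also means a failing forwarder silently drops to plain recursion, which is the opposite of what someone enabling DoT usually wants; consider shipping these examples with `fallback '0'`.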
