
unbound: add domain resolution control options

- Add domain_forward to permit designated domains to forward instead
  of recurse as listed in resolve.conf.auto from DHCP WAN client
- Update rebind_protection and add rebind_interface to protect IP6
  GLA locally just like RFC 1918 protection
- Rename trigger to trigger_interface with backwards compatibility
- Update odhcpd script for efficiency handling many clients

Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
lilik-openwrt-22.03
Eric Luehrsen 7 years ago
parent
commit
8b616efb10
9 changed files with 229 additions and 116 deletions
  1. +4
    -3
      net/unbound/Makefile
  2. +21
    -8
      net/unbound/files/README.md
  3. +43
    -0
      net/unbound/files/defaults.sh
  4. +1
    -1
      net/unbound/files/odhcpd.awk
  5. +53
    -36
      net/unbound/files/odhcpd.sh
  6. +9
    -22
      net/unbound/files/rootzone.sh
  7. +4
    -1
      net/unbound/files/unbound.init
  8. +89
    -42
      net/unbound/files/unbound.sh
  9. +5
    -3
      net/unbound/files/unbound.uci

+ 4
- 3
net/unbound/Makefile View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=unbound PKG_NAME:=unbound
PKG_VERSION:=1.7.0 PKG_VERSION:=1.7.0
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_LICENSE:=BSD-3-Clause PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE PKG_LICENSE_FILES:=LICENSE
@ -152,10 +152,11 @@ define Package/unbound/install
$(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/unbound.init $(1)/etc/init.d/unbound $(INSTALL_BIN) ./files/unbound.init $(1)/etc/init.d/unbound
$(INSTALL_DIR) $(1)/usr/lib/unbound $(INSTALL_DIR) $(1)/usr/lib/unbound
$(INSTALL_BIN) ./files/odhcpd.sh $(1)/usr/lib/unbound/odhcpd.sh
$(INSTALL_DATA) ./files/odhcpd.awk $(1)/usr/lib/unbound/odhcpd.awk
$(INSTALL_DATA) ./files/defaults.sh $(1)/usr/lib/unbound/defaults.sh
$(INSTALL_DATA) ./files/dnsmasq.sh $(1)/usr/lib/unbound/dnsmasq.sh $(INSTALL_DATA) ./files/dnsmasq.sh $(1)/usr/lib/unbound/dnsmasq.sh
$(INSTALL_DATA) ./files/iptools.sh $(1)/usr/lib/unbound/iptools.sh $(INSTALL_DATA) ./files/iptools.sh $(1)/usr/lib/unbound/iptools.sh
$(INSTALL_BIN) ./files/odhcpd.sh $(1)/usr/lib/unbound/odhcpd.sh
$(INSTALL_DATA) ./files/odhcpd.awk $(1)/usr/lib/unbound/odhcpd.awk
$(INSTALL_DATA) ./files/rootzone.sh $(1)/usr/lib/unbound/rootzone.sh $(INSTALL_DATA) ./files/rootzone.sh $(1)/usr/lib/unbound/rootzone.sh
$(INSTALL_DATA) ./files/unbound.sh $(1)/usr/lib/unbound/unbound.sh $(INSTALL_DATA) ./files/unbound.sh $(1)/usr/lib/unbound/unbound.sh
endef endef


+ 21
- 8
net/unbound/files/README.md View File

@ -6,7 +6,7 @@
## Package Overview ## Package Overview
Unbound may be useful on consumer grade embedded hardware. It is _intended_ to be a recursive resolver only. [NLnet Labs NSD](https://www.nlnetlabs.nl/projects/nsd/) is _intended_ for the authoritative task. This is different than [ISC Bind](https://www.isc.org/downloads/bind/) and its inclusive functions. Unbound configuration effort and memory consumption may be easier to control. A consumer could have their own recursive resolver with 8/64 MB router, and remove potential issues from forwarding resolvers outside of their control. Unbound may be useful on consumer grade embedded hardware. It is _intended_ to be a recursive resolver only. [NLnet Labs NSD](https://www.nlnetlabs.nl/projects/nsd/) is _intended_ for the authoritative task. This is different than [ISC Bind](https://www.isc.org/downloads/bind/) and its inclusive functions. Unbound configuration effort and memory consumption may be easier to control. A consumer could have their own recursive resolver with 8/64 MB router, and remove potential issues from forwarding resolvers outside of their control.
This package builds on Unbounds capabilities with OpenWrt UCI. Not every Unbound option is in UCI, but rather, UCI simplifies the combination of related options. Unbounds native options are bundled and balanced within a smaller set of choices. Options include resources, DNSSEC, access control, and some TTL tweaking. The UCI also provides an escape option and work at the raw "unbound.conf" level.
This package builds on Unbounds capabilities with OpenWrt UCI. Not every Unbound option is in UCI, but rather, UCI simplifies the combination of related options. Unbounds native options are bundled and balanced within a smaller set of choices. Options include resources, DNSSEC, access control, and some TTL tweaking. The UCI also provides an escape option and works at the raw "unbound.conf" level.
## HOW TO Adblocking ## HOW TO Adblocking
The UCI scripts will work with [net/adblock 2.3+](https://github.com/openwrt/packages/blob/master/net/adblock/files/README.md), if it is installed and enabled. Its all detected and integrated automatically. In brief, the adblock scripts create distinct local-zone files that are simply included in the unbound conf file during UCI generation. If you don't want this, then disable adblock or reconfigure adblock to not send these files to Unbound. The UCI scripts will work with [net/adblock 2.3+](https://github.com/openwrt/packages/blob/master/net/adblock/files/README.md), if it is installed and enabled. Its all detected and integrated automatically. In brief, the adblock scripts create distinct local-zone files that are simply included in the unbound conf file during UCI generation. If you don't want this, then disable adblock or reconfigure adblock to not send these files to Unbound.
@ -245,9 +245,13 @@ config unbound
also can be used to for bad purposes. also can be used to for bad purposes.
option rebind_protection '1' option rebind_protection '1'
Boolean. Prevent RFC 1918 Reponses from global DNS. Example a
poisoned reponse within "192.168.0.0/24" could be used to turn a
local browser into an external attack proxy server.
Level. Block your local address responses from global DNS. A poisoned
reponse within "192.168.0.0/24" or "fd00::/8" could turn a local browser
into an external attack proxy server. IP6 GLA may be vulnerable also.
0 - Off
1 - Only RFC 1918 and 4193 responses blocked
2 - Plus GLA /64 on designated interface(s)
3 - Plus DHCP-PD range passed down interfaces (not implemented)
option recursion 'passive' option recursion 'passive'
Unbound has numerous options for how it recurses. This UCI combines Unbound has numerous options for how it recurses. This UCI combines
@ -289,11 +293,20 @@ config unbound
embedded devices don't have a real time power off clock. NTP needs embedded devices don't have a real time power off clock. NTP needs
DNS to resolve servers. This works around the chicken-and-egg. DNS to resolve servers. This works around the chicken-and-egg.
list domain_insecure 'www.example.com'
Domain. Domains that you wish to skip DNSSEC. Your DHCP
domains and pointers will get this automatically.
list domain_forward 'mail.my-isp.com'
Domain. Do not recurse, but rather forward the domains to given DNS
servers found in resolve.conf.auto from WAN DHCP client. This may
provide better access to mirror servers in 'your neigborhood.' This
may be useful in keeping local organization lookups on local subnets.
list trigger 'lan' 'wan'
list domain_insecure 'ntp.somewhere.org'
Domain. Domains that you wish to skip DNSSEC. It is one way around NTP
chicken and egg. Your DHCP servered domains are automatically included.
list rebind_interface 'lan'
Interface (logical). Works with 'rebind_protection' options 2 and 3.
list trigger_interface 'lan' 'wan'
Interface (logical). This option is a work around for netifd/procd Interface (logical). This option is a work around for netifd/procd
interaction with WAN DHCPv6. Minor RA or DHCP changes in IP6 can interaction with WAN DHCPv6. Minor RA or DHCP changes in IP6 can
cause netifd to execute procd interface reload. Limit Unbound procd cause netifd to execute procd interface reload. Limit Unbound procd


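--- /dev/null
+++ b/net/unbound/files/defaults.sh
@@ -0,0 +1,43 @@
+#!/bin/sh
+##############################################################################
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# Copyright (C) 2016 Eric Luehrsen
+#
+##############################################################################
+UNBOUND_LIBDIR=/usr/lib/unbound
+UNBOUND_VARDIR=/var/lib/unbound
+UNBOUND_PIDFILE=/var/run/unbound.pid
+UNBOUND_SRV_CONF=$UNBOUND_VARDIR/unbound_srv.conf
+UNBOUND_EXT_CONF=$UNBOUND_VARDIR/unbound_ext.conf
+UNBOUND_DHCP_CONF=$UNBOUND_VARDIR/unbound_dhcp.conf
+UNBOUND_CONFFILE=$UNBOUND_VARDIR/unbound.conf
+UNBOUND_KEYFILE=$UNBOUND_VARDIR/root.key
+UNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hints
+UNBOUND_TIMEFILE=$UNBOUND_VARDIR/hotplug.time
+UNBOUND_CTLKEY_FILE=$UNBOUND_VARDIR/unbound_control.key
+UNBOUND_CTLPEM_FILE=$UNBOUND_VARDIR/unbound_control.pem
+UNBOUND_SRVKEY_FILE=$UNBOUND_VARDIR/unbound_server.key
+UNBOUND_SRVPEM_FILE=$UNBOUND_VARDIR/unbound_server.pem
+##############################################################################
+UNBOUND_ANCHOR=/usr/sbin/unbound-anchor
+UNBOUND_CONTROL=/usr/sbin/unbound-control
+UNBOUND_CONTROL_CFG="$UNBOUND_CONTROL -c $UNBOUND_CONFFILE"
+##############################################################################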
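Review bot: The new file carries a `#!/bin/sh` shebang but is installed with `$(INSTALL_DATA)` and is only ever consumed via `. /usr/lib/unbound/defaults.sh` from unbound.sh and odhcpd.sh in this commit, and nothing in the file says so. A one-line header after the license block would make the contract explicit: `# Shared location definitions; sourced (not executed) by unbound.sh and odhcpd.sh. Variables only, no side effects.` The assignments are also plain (not `readonly`), so any sourcing script can silently repoint `UNBOUND_VARDIR` and every path derived from it; if that is not intended, `readonly` would catch it, but the sourcing scripts would need to be checked for reassignments outside these hunks first.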

+ 1
- 1
net/unbound/files/odhcpd.awk View File

@ -86,7 +86,7 @@
while ( ( cmd | getline adr ) > 0 ) { while ( ( cmd | getline adr ) > 0 ) {
if (( substr( adr, 1, 5 ) <= "fd00:" ) \
if (( substr( adr, 1, 5 ) <= "fdff:" ) \
&& ( index( adr, "anycast" ) == 0 ) \ && ( index( adr, "anycast" ) == 0 ) \
&& ( index( adr, "via" ) == 0 )) { && ( index( adr, "via" ) == 0 )) {
# GA or ULA routed addresses only (not LL or MC) # GA or ULA routed addresses only (not LL or MC)
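Review bot: The new bound `"fdff:"` is a lexical comparison on the first five characters of the address, and nothing in the hunk explains why that value was chosen, so a later reader could easily "fix" it back to `"fd00:"`. A comment next to the existing one would pin it down: `# string compare: "fdff:" is the top of ULA fd00::/8, so GUA and ULA pass while fe80: (LL) and ff0x: (MC) sort above it`. The test also assumes `ip` prints lowercase hextets; uppercase `FE80:` sorts below `"fdff:"` and would slip through, so confirm that holds for the `ip` build in use. The enclosing while loop starts and ends outside the hunk.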


+ 53
- 36
net/unbound/files/odhcpd.sh View File

@ -23,56 +23,73 @@
# #
############################################################################## ##############################################################################
# Common file location definitions
. /usr/lib/unbound/unbound.sh
##############################################################################
odhcpd_settings() {
# This trigger is out of normal init context, so we need to read some UCI.
local cfg="$1"
config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none
config_get_bool UNBOUND_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0
config_get UNBOUND_TXT_DOMAIN "$cfg" domain lan
}
. /lib/functions.sh
. /usr/lib/unbound/defaults.sh
############################################################################## ##############################################################################
odhcpd_zonedata() { odhcpd_zonedata() {
local longconf dateconf
local dns_ls_add=$UNBOUND_VARDIR/dhcp_dns.add local dns_ls_add=$UNBOUND_VARDIR/dhcp_dns.add
local dns_ls_del=$UNBOUND_VARDIR/dhcp_dns.del local dns_ls_del=$UNBOUND_VARDIR/dhcp_dns.del
local dhcp_ls_new=$UNBOUND_VARDIR/dhcp_lease.new local dhcp_ls_new=$UNBOUND_VARDIR/dhcp_lease.new
local dhcp_ls_old=$UNBOUND_VARDIR/dhcp_lease.old local dhcp_ls_old=$UNBOUND_VARDIR/dhcp_lease.old
local dhcp_ls_add=$UNBOUND_VARDIR/dhcp_lease.add local dhcp_ls_add=$UNBOUND_VARDIR/dhcp_lease.add
local dhcp_ls_del=$UNBOUND_VARDIR/dhcp_lease.del local dhcp_ls_del=$UNBOUND_VARDIR/dhcp_lease.del
local dhcp_origin=$( uci_get dhcp.@odhcpd[0].leasefile )
config_load unbound
config_foreach odhcpd_settings unbound
local dhcp_link=$( uci_get unbound.@unbound[0].dhcp_link )
local dhcp4_slaac6=$( uci_get unbound.@unbound[0].dhcp4_slaac6 )
local dhcp_domain=$( uci_get unbound.@unbound[0].domain )
local dhcp_origin=$( uci_get dhcp.@odhcpd[0].leasefile )
if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" -a -f "$dhcp_origin" ] ; then
if [ "$dhcp_link" = "odhcpd" -a -f "$dhcp_origin" ] ; then
# Capture the lease file which could be changing often # Capture the lease file which could be changing often
cat $dhcp_origin | sort > $dhcp_ls_new
touch $dhcp_ls_old
sort $dhcp_ls_new $dhcp_ls_old $dhcp_ls_old | uniq -u > $dhcp_ls_add
sort $dhcp_ls_old $dhcp_ls_new $dhcp_ls_new | uniq -u > $dhcp_ls_del
# Go through the messy business of coding up A, AAAA, and PTR records
# This static conf will be available if Unbound restarts asynchronously
awk -v hostfile=$UNBOUND_DHCP_CONF -v domain=$UNBOUND_TXT_DOMAIN \
-v bslaac=$UNBOUND_B_SLAAC6_MAC -v bisolt=0 -v bconf=1 \
-f /usr/lib/unbound/odhcpd.awk $dhcp_ls_new
# Deleting and adding all records into Unbound can be a burden in a
# high density environment. Use unbound-control incrementally.
awk -v hostfile=$dns_ls_del -v domain=$UNBOUND_TXT_DOMAIN \
-v bslaac=$UNBOUND_B_SLAAC6_MAC -v bisolt=0 -v bconf=0 \
-f /usr/lib/unbound/odhcpd.awk $dhcp_ls_del
awk -v hostfile=$dns_ls_add -v domain=$UNBOUND_TXT_DOMAIN \
-v bslaac=$UNBOUND_B_SLAAC6_MAC -v bisolt=0 -v bconf=0 \
-f /usr/lib/unbound/odhcpd.awk $dhcp_ls_add
sort $dhcp_origin > $dhcp_ls_new
if [ ! -f $UNBOUND_DHCP_CONF -o ! -f $dhcp_ls_old ] ; then
longconf=2
else
dateconf=$(( $( date +%s ) - $( date -r $UNBOUND_DHCP_CONF +%s ) ))
if [ $dateconf > 150 ] ; then
longconf=1
else
longconf=0
fi
fi
if [ $longconf -gt 0 ] ; then
# Go through the messy business of coding up A, AAAA, and PTR records
# This static conf will be available if Unbound restarts asynchronously
awk -v hostfile=$UNBOUND_DHCP_CONF -v domain=$dhcp_domain \
-v bslaac=$dhcp4_slaac6 -v bisolt=0 -v bconf=1 \
-f /usr/lib/unbound/odhcpd.awk $dhcp_ls_new
fi
if [ $longconf -lt 2 ] ; then
# Deleting and adding all records into Unbound can be a burden in a
# high density environment. Use unbound-control incrementally.
sort $dhcp_ls_old $dhcp_ls_new $dhcp_ls_new | uniq -u > $dhcp_ls_del
awk -v hostfile=$dns_ls_del -v domain=$dhcp_domain \
-v bslaac=$dhcp4_slaac6 -v bisolt=0 -v bconf=0 \
-f /usr/lib/unbound/odhcpd.awk $dhcp_ls_del
sort $dhcp_ls_new $dhcp_ls_old $dhcp_ls_old | uniq -u > $dhcp_ls_add
awk -v hostfile=$dns_ls_add -v domain=$dhcp_domain \
-v bslaac=$dhcp4_slaac6 -v bisolt=0 -v bconf=0 \
-f /usr/lib/unbound/odhcpd.awk $dhcp_ls_add
else
awk -v hostfile=$dns_ls_add -v domain=$dhcp_domain \
-v bslaac=$dhcp4_slaac6 -v bisolt=0 -v bconf=0 \
-f /usr/lib/unbound/odhcpd.awk $dhcp_ls_new
fi
if [ -f "$dns_ls_del" ] ; then if [ -f "$dns_ls_del" ] ; then
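Review bot: `if [ $dateconf > 150 ] ; then` in the new freshness check is not a numeric comparison: inside single-bracket `test`, `>` is a shell redirection, so the command evaluates `[ $dateconf ]` (true for any non-empty value) and creates a stray file named `150` in the hotplug script's working directory. Every lease change that reaches this branch therefore takes `longconf=1` and rewrites the whole conf, which defeats the efficiency goal of the commit; the line should read `if [ "$dateconf" -gt 150 ] ; then`. Separately, replacing `config_get ... domain lan` with `uci_get unbound.@unbound[0].domain` drops the `lan` default (and `0` for dhcp4_slaac6), so a config without those options now passes an empty `-v domain=` to the awk script; `dhcp_domain=${dhcp_domain:-lan}` after the assignment would restore it. The rest of odhcpd_zonedata continues outside the hunk.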


+ 9
- 22
net/unbound/files/rootzone.sh View File

@ -14,23 +14,11 @@
# #
############################################################################## ##############################################################################
# #
# This component needs to be used within the unbound.sh as an include. It uses
# defaults and UCI scope variables defined there. It will copy root.key back
# to /etc/unbound/ periodically, but avoid ROM flash abuse (UCI option).
# This component will copy root.key back to /etc/unbound/ periodically, but
# avoid ROM flash abuse (UCI option).
# #
############################################################################## ##############################################################################
rootzone_uci() {
local cfg=$1
# This will likely be called outside of "start_service()" context
config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9
}
##############################################################################
roothints_update() { roothints_update() {
# TODO: Might not be implemented. Unbound doesn't natively update hints. # TODO: Might not be implemented. Unbound doesn't natively update hints.
# Unbound philosophy is built in root hints are good for machine life. # Unbound philosophy is built in root hints are good for machine life.
@ -42,12 +30,16 @@ roothints_update() {
rootkey_update() { rootkey_update() {
local basekey_date rootkey_date rootkey_age filestuff local basekey_date rootkey_date rootkey_age filestuff
local dnssec=$( uci_get unbound.@unbound[0].validator )
local dnssec_ntp=$( uci_get unbound.@unbound[0].validator_ntp )
local dnssec_age=$( uci_get unbound.@unbound[0].root_age )
if [ "$UNBOUND_N_ROOT_AGE" -gt 90 -o "$UNBOUND_B_DNSSEC" -lt 1 ] ; then
if [ "$dnssec_age" -gt 90 -o "$dnssec" -lt 1 ] ; then
# Feature disabled # Feature disabled
return 0 return 0
elif [ "$UNBOUND_B_NTP_BOOT" -gt 0 -a ! -f "$UNBOUND_TIMEFILE" ] ; then
elif [ "$dnssec_ntp" -gt 0 -a ! -f "$UNBOUND_TIMEFILE" ] ; then
# We don't have time yet # We don't have time yet
return 0 return 0
fi fi
@ -79,7 +71,7 @@ rootkey_update() {
fi fi
if [ "$rootkey_age" -gt "$UNBOUND_N_ROOT_AGE" ] ; then
if [ "$rootkey_age" -gt "$dnssec_age" ] ; then
filestuff=$( cat $UNBOUND_KEYFILE ) filestuff=$( cat $UNBOUND_KEYFILE )
@ -106,11 +98,6 @@ rootkey_update() {
############################################################################## ##############################################################################
rootzone_update() { rootzone_update() {
# Partial UCI fetch for this functional group
config_load unbound
config_foreach rootzone_uci unbound
# You need root.hints and root.key to boot strap recursion
roothints_update roothints_update
rootkey_update rootkey_update
} }
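Review bot: The switch from `config_get`/`config_get_bool` to `uci_get` in rootkey_update loses the defaults the removed rootzone_uci supplied (validator 0, validator_ntp 1, root_age 9): `uci -q get` prints nothing for an absent option, so `[ "$dnssec_age" -gt 90 -o "$dnssec" -lt 1 ]` then runs with empty operands and `test` reports an integer-expression error instead of treating the feature as disabled. Restoring the defaults right after the three assignments keeps the old behaviour: `dnssec=${dnssec:-0}`, `dnssec_ntp=${dnssec_ntp:-1}`, `dnssec_age=${dnssec_age:-9}`. rootkey_update's body continues outside the hunk.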


+ 4
- 1
net/unbound/files/unbound.init View File

@ -56,11 +56,14 @@ stop_service() {
service_triggers() { service_triggers() {
local trigger local trigger
local triggers=$( uci_get unbound.@unbound[0].trigger )
local legacy=$( uci_get unbound.@unbound[0].trigger )
local triggers=$( uci_get unbound.@unbound[0].trigger_interface )
triggers="$triggers $legacy"
PROCD_RELOAD_DELAY=2000 PROCD_RELOAD_DELAY=2000
procd_add_reload_trigger "unbound" procd_add_reload_trigger "unbound"
if [ -n "$triggers" ] ; then if [ -n "$triggers" ] ; then
for trigger in $triggers ; do for trigger in $triggers ; do
# due to some netifd/procd interactions with IP6, limit interfaces # due to some netifd/procd interactions with IP6, limit interfaces
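Review bot: `triggers="$triggers $legacy"` always leaves a space in the variable, so the `[ -n "$triggers" ]` guard two lines below is now always true; it is harmless because the unquoted `for` loop iterates nothing, but the guard no longer means what it says. Writing `triggers="$triggers${legacy:+ $legacy}"` keeps the merge and keeps the guard meaningful. An interface listed under both `trigger` and `trigger_interface` during migration will also be handed to procd twice by the loop; whether a duplicate interface trigger is tolerated is not visible here, so that is worth confirming. service_triggers continues outside the hunk.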


+ 89
- 42
net/unbound/files/unbound.sh View File

@ -33,7 +33,6 @@ UNBOUND_B_LOCL_BLCK=0
UNBOUND_B_LOCL_SERV=1 UNBOUND_B_LOCL_SERV=1
UNBOUND_B_MAN_CONF=0 UNBOUND_B_MAN_CONF=0
UNBOUND_B_NTP_BOOT=1 UNBOUND_B_NTP_BOOT=1
UNBOUND_B_PRIV_BLCK=1
UNBOUND_B_QUERY_MIN=0 UNBOUND_B_QUERY_MIN=0
UNBOUND_B_QRY_MINST=0 UNBOUND_B_QRY_MINST=0
@ -42,6 +41,7 @@ UNBOUND_D_DOMAIN_TYPE=static
UNBOUND_D_DHCP_LINK=none UNBOUND_D_DHCP_LINK=none
UNBOUND_D_EXTRA_DNS=0 UNBOUND_D_EXTRA_DNS=0
UNBOUND_D_LAN_FQDN=0 UNBOUND_D_LAN_FQDN=0
UNBOUND_D_PRIV_BLCK=1
UNBOUND_D_PROTOCOL=mixed UNBOUND_D_PROTOCOL=mixed
UNBOUND_D_RESOURCE=small UNBOUND_D_RESOURCE=small
UNBOUND_D_RECURSION=passive UNBOUND_D_RECURSION=passive
@ -60,7 +60,9 @@ UNBOUND_TXT_DOMAIN=lan
UNBOUND_TXT_FWD_ZONE="" UNBOUND_TXT_FWD_ZONE=""
UNBOUND_TXT_HOSTNAME=thisrouter UNBOUND_TXT_HOSTNAME=thisrouter
UNBOUND_LIST_FORWARD=""
UNBOUND_LIST_INSECURE="" UNBOUND_LIST_INSECURE=""
UNBOUND_LIST_PRV_SUBNET=""
############################################################################## ##############################################################################
@ -69,39 +71,13 @@ UNBOUND_LIST_DOMAINS=""
############################################################################## ##############################################################################
UNBOUND_LIBDIR=/usr/lib/unbound
UNBOUND_VARDIR=/var/lib/unbound
UNBOUND_PIDFILE=/var/run/unbound.pid
UNBOUND_SRV_CONF=$UNBOUND_VARDIR/unbound_srv.conf
UNBOUND_EXT_CONF=$UNBOUND_VARDIR/unbound_ext.conf
UNBOUND_DHCP_CONF=$UNBOUND_VARDIR/unbound_dhcp.conf
UNBOUND_CONFFILE=$UNBOUND_VARDIR/unbound.conf
UNBOUND_KEYFILE=$UNBOUND_VARDIR/root.key
UNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hints
UNBOUND_TIMEFILE=$UNBOUND_VARDIR/hotplug.time
UNBOUND_CTLKEY_FILE=$UNBOUND_VARDIR/unbound_control.key
UNBOUND_CTLPEM_FILE=$UNBOUND_VARDIR/unbound_control.pem
UNBOUND_SRVKEY_FILE=$UNBOUND_VARDIR/unbound_server.key
UNBOUND_SRVPEM_FILE=$UNBOUND_VARDIR/unbound_server.pem
##############################################################################
UNBOUND_ANCHOR=/usr/sbin/unbound-anchor
UNBOUND_CONTROL=/usr/sbin/unbound-control
UNBOUND_CONTROL_CFG="$UNBOUND_CONTROL -c $UNBOUND_CONFFILE"
##############################################################################
. /lib/functions.sh . /lib/functions.sh
. /lib/functions/network.sh . /lib/functions/network.sh
. $UNBOUND_LIBDIR/dnsmasq.sh
. $UNBOUND_LIBDIR/iptools.sh
. $UNBOUND_LIBDIR/rootzone.sh
. /usr/lib/unbound/defaults.sh
. /usr/lib/unbound/dnsmasq.sh
. /usr/lib/unbound/iptools.sh
. /usr/lib/unbound/rootzone.sh
############################################################################## ##############################################################################
@ -395,12 +371,42 @@ create_access_control() {
############################################################################## ##############################################################################
create_domain_insecure() {
bundle_domain_forward() {
UNBOUND_LIST_FORWARD="$UNBOUND_LIST_FORWARD $1"
}
##############################################################################
bundle_domain_insecure() {
UNBOUND_LIST_INSECURE="$UNBOUND_LIST_INSECURE $1" UNBOUND_LIST_INSECURE="$UNBOUND_LIST_INSECURE $1"
} }
############################################################################## ##############################################################################
bundle_private_interface() {
local ipcommand ifsubnet ifsubnets ifname
network_get_device ifname $1
if [ -n "$ifname" ] ; then
ipcommand="ip -6 -o address show $ifname"
ifsubnets=$( $ipcommand | awk '/inet6/{ print $4 }' )
if [ -n "$ifsubnets" ] ; then
for ifsubnet in $ifsubnets ; do
case $ifsubnet in
[1-9]*:*[0-9a-f])
# Special GLA protection for local block; ULA protected as a catagory
UNBOUND_LIST_PRV_SUBNET="$UNBOUND_LIST_PRV_SUBNET $ifsubnet" ;;
esac
done
fi
fi
}
##############################################################################
unbound_mkdir() { unbound_mkdir() {
local dhcp_origin=$( uci_get dhcp.@odhcpd[0].leasefile ) local dhcp_origin=$( uci_get dhcp.@odhcpd[0].leasefile )
local dhcp_dir=$( dirname $dhcp_origin ) local dhcp_dir=$( dirname $dhcp_origin )
@ -569,8 +575,36 @@ unbound_control() {
############################################################################## ##############################################################################
unbound_forward() {
local fdomain fresolver resolvers
# Forward selected domains to the upstream (WAN) stub resolver. This may be
# faster or local pool addresses to ISP service login page. This may keep
# internal organization lookups, well, internal to the organization.
if [ -n "$UNBOUND_LIST_FORWARD" ] ; then
resolvers=$( grep nameserver /tmp/resolv.conf.auto | sed "s/nameserver//g" )
if [ -n "$resolvers" ] ; then
for fdomain in $UNBOUND_LIST_FORWARD ; do
{
echo "forward-zone:"
echo " name: \"$fdomain.\""
for fresolver in $resolvers ; do
echo " forward-addr: $fresolver"
done
echo
} >> $UNBOUND_CONFFILE
done
fi
fi
}
##############################################################################
unbound_conf() { unbound_conf() {
local rt_mem rt_conn modulestring domain
local rt_mem rt_conn modulestring domain ifsubnet
# Make fresh conf file # Make fresh conf file
echo > $UNBOUND_CONFFILE echo > $UNBOUND_CONFFILE
@ -832,7 +866,7 @@ unbound_conf() {
fi fi
if [ "$UNBOUND_B_PRIV_BLCK" -gt 0 ] ; then
if [ "$UNBOUND_D_PRIV_BLCK" -gt 0 ] ; then
{ {
# Remove _upstream_ or global reponses with private addresses. # Remove _upstream_ or global reponses with private addresses.
# Unbounds own "local zone" and "forward zone" may still use these. # Unbounds own "local zone" and "forward zone" may still use these.
@ -842,13 +876,24 @@ unbound_conf() {
echo " private-address: 169.254.0.0/16" echo " private-address: 169.254.0.0/16"
echo " private-address: 172.16.0.0/12" echo " private-address: 172.16.0.0/12"
echo " private-address: 192.168.0.0/16" echo " private-address: 192.168.0.0/16"
echo " private-address: fc00::/8"
echo " private-address: fd00::/8"
echo " private-address: fc00::/7"
echo " private-address: fe80::/10" echo " private-address: fe80::/10"
echo
} >> $UNBOUND_CONFFILE } >> $UNBOUND_CONFFILE
fi fi
if [ -n "$UNBOUND_LIST_PRV_SUBNET" -a "$UNBOUND_D_PRIV_BLCK" -gt 1 ] ; then
for ifsubnet in $UNBOUND_LIST_PRV_SUBNET ; do
# Remove global DNS responses with your local network IP6 GLA
echo " private-address: $ifsubnet" >> $UNBOUND_CONFFILE
done
echo >> $UNBOUND_CONFFILE
fi
if [ "$UNBOUND_B_LOCL_BLCK" -gt 0 ] ; then if [ "$UNBOUND_B_LOCL_BLCK" -gt 0 ] ; then
{ {
# Remove DNS reponses from upstream with loopback IP # Remove DNS reponses from upstream with loopback IP
@ -857,9 +902,6 @@ unbound_conf() {
echo " private-address: ::1/128" echo " private-address: ::1/128"
echo echo
} >> $UNBOUND_CONFFILE } >> $UNBOUND_CONFFILE
else
echo >> $UNBOUND_CONFFILE
fi fi
@ -1026,7 +1068,6 @@ unbound_uci() {
config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0 config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0
config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0 config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0
config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0 config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0
config_get_bool UNBOUND_B_PRIV_BLCK "$cfg" rebind_protection 1
config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0 config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0 config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1 config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
@ -1042,6 +1083,7 @@ unbound_uci() {
config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none
config_get UNBOUND_D_EXTRA_DNS "$cfg" add_extra_dns 0 config_get UNBOUND_D_EXTRA_DNS "$cfg" add_extra_dns 0
config_get UNBOUND_D_LAN_FQDN "$cfg" add_local_fqdn 0 config_get UNBOUND_D_LAN_FQDN "$cfg" add_local_fqdn 0
config_get UNBOUND_D_PRIV_BLCK "$cfg" rebind_protection 1
config_get UNBOUND_D_PROTOCOL "$cfg" protocol mixed config_get UNBOUND_D_PROTOCOL "$cfg" protocol mixed
config_get UNBOUND_D_RECURSION "$cfg" recursion passive config_get UNBOUND_D_RECURSION "$cfg" recursion passive
config_get UNBOUND_D_RESOURCE "$cfg" resource small config_get UNBOUND_D_RESOURCE "$cfg" resource small
@ -1050,7 +1092,9 @@ unbound_uci() {
config_get UNBOUND_TTL_MIN "$cfg" ttl_min 120 config_get UNBOUND_TTL_MIN "$cfg" ttl_min 120
config_get UNBOUND_TXT_DOMAIN "$cfg" domain lan config_get UNBOUND_TXT_DOMAIN "$cfg" domain lan
config_list_foreach "$cfg" "domain_insecure" create_domain_insecure
config_list_foreach "$cfg" "domain_forward" bundle_domain_forward
config_list_foreach "$cfg" "domain_insecure" bundle_domain_insecure
config_list_foreach "$cfg" "rebind_interface" bundle_private_interface
UNBOUND_LIST_DOMAINS="nowhere $UNBOUND_TXT_DOMAIN" UNBOUND_LIST_DOMAINS="nowhere $UNBOUND_TXT_DOMAIN"
@ -1137,11 +1181,12 @@ _resolv_setup() {
# unbound is designated to listen on 127.0.0.1#53, # unbound is designated to listen on 127.0.0.1#53,
# set resolver file to local. # set resolver file to local.
rm -f /tmp/resolv.conf rm -f /tmp/resolv.conf
{ {
echo "# /tmp/resolv.conf generated by Unbound UCI $( date )" echo "# /tmp/resolv.conf generated by Unbound UCI $( date )"
echo "nameserver 127.0.0.1" echo "nameserver 127.0.0.1"
echo "nameserver ::1" echo "nameserver ::1"
echo "search $UNBOUND_TXT_DOMAIN"
echo "search $UNBOUND_TXT_DOMAIN."
} > /tmp/resolv.conf } > /tmp/resolv.conf
} }
@ -1180,6 +1225,8 @@ unbound_start() {
unbound_records unbound_records
fi fi
unbound_forward
unbound_control unbound_control
fi fi
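Review bot: `rebind_protection` is now read with `config_get` instead of `config_get_bool` in unbound_uci, but `config_get_bool` also normalised the spellings `on`, `true`, `yes` and `enabled` to 1; an existing `option rebind_protection 'true'` now reaches `[ "$UNBOUND_D_PRIV_BLCK" -gt 0 ]` in unbound_conf as a non-integer, `test` fails with an error, and the private-address block is silently not written. A small normalisation after the `config_get` would keep the old boolean spellings working alongside the new 0–3 levels. In unbound_forward, `grep nameserver /tmp/resolv.conf.auto | sed "s/nameserver//g"` matches any line containing the word, comments included, and would emit its remaining words as `forward-addr` entries; anchoring it, `resolvers=$( sed -n 's/^nameserver[[:space:]]*//p' /tmp/resolv.conf.auto )`, restricts it to real entries. The helper sources are also spelled `/usr/lib/unbound/…` although `UNBOUND_LIBDIR` is still defined in defaults.sh and is available after the first `.` line.
```shell
config_get UNBOUND_D_PRIV_BLCK "$cfg" rebind_protection 1
# accept the boolean spellings config_get_bool used to normalise
case "$UNBOUND_D_PRIV_BLCK" in
  0|off|false|no|disabled) UNBOUND_D_PRIV_BLCK=0 ;;
  on|true|yes|enabled) UNBOUND_D_PRIV_BLCK=1 ;;
esac
# … unchanged: remaining config_get lines …
```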


+ 5
- 3
net/unbound/files/unbound.uci View File

@ -27,7 +27,9 @@ config unbound
option unbound_control '0' option unbound_control '0'
option validator '0' option validator '0'
option validator_ntp '1' option validator_ntp '1'
list trigger 'lan'
list trigger 'wan'
#list domain_insecure 'www.example.com'
list trigger_interface 'lan'
list trigger_interface 'wan'
#list rebind_interface 'lan'
#list domain_insecure 'ntp.example.com'
#list domain_forward 'mail.example.com'
