|
|
@ -35,6 +35,7 @@ UNBOUND_B_MAN_CONF=0 |
|
|
|
UNBOUND_B_NTP_BOOT=1 |
|
|
|
UNBOUND_B_QUERY_MIN=0 |
|
|
|
UNBOUND_B_QRY_MINST=0 |
|
|
|
UNBOUND_B_AUTH_ROOT=0 |
|
|
|
|
|
|
|
UNBOUND_D_CONTROL=0 |
|
|
|
UNBOUND_D_DOMAIN_TYPE=static |
|
|
@ -449,7 +450,7 @@ unbound_mkdir() { |
|
|
|
cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE |
|
|
|
|
|
|
|
elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then |
|
|
|
logger -t unbound -s "iterator will use built-in root hints" |
|
|
|
logger -t unbound -s "default root hints (built in rootservers.net)" |
|
|
|
fi |
|
|
|
fi |
|
|
|
|
|
|
@ -463,7 +464,7 @@ unbound_mkdir() { |
|
|
|
$UNBOUND_ANCHOR -a $UNBOUND_KEYFILE |
|
|
|
|
|
|
|
elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then |
|
|
|
logger -t unbound -s "validator will use built-in trust anchor" |
|
|
|
logger -t unbound -s "default trust anchor (built in root DS record)" |
|
|
|
fi |
|
|
|
fi |
|
|
|
|
|
|
@ -605,6 +606,45 @@ unbound_forward() { |
|
|
|
|
|
|
|
############################################################################## |
|
|
|
|
|
|
|
unbound_auth_root() { |
|
|
|
local axfrservers="lax.xfr.dns.icann.org iad.xfr.dns.icann.org" |
|
|
|
local httpserver="http://www.internic.net/domain/" |
|
|
|
local authzones="root arpa in-addr.arpa ip6.arpa" |
|
|
|
local server zone realzone |
|
|
|
# Download or AXFR the root and arpa zones to reduce the work needed at |
|
|
|
# top level of recursion. If your users will hit many ccTLD or you have |
|
|
|
# tracking logs resolving many PTR, then this can speed things up. |
|
|
|
# Total size of text in TMPFS could be about 5MB. |
|
|
|
|
|
|
|
|
|
|
|
if [ "$UNBOUND_B_AUTH_ROOT" -gt 0 ] ; then |
|
|
|
for zone in $authzones ; do |
|
|
|
if [ "$zone" = "root" ] ; then |
|
|
|
realzone="." |
|
|
|
else |
|
|
|
realzone=$zone |
|
|
|
fi |
|
|
|
|
|
|
|
|
|
|
|
{ |
|
|
|
echo "auth-zone:" |
|
|
|
echo " name: \"$realzone\"" |
|
|
|
for server in $axfrservers ; do |
|
|
|
echo " master: \"$server\"" |
|
|
|
done |
|
|
|
echo " url: \"$httpserver$zone.zone\"" |
|
|
|
echo " fallback-enabled: yes" |
|
|
|
echo " for-downstream: no" |
|
|
|
echo " for-upstream: yes" |
|
|
|
echo " zonefile: \"$zone.zone\"" |
|
|
|
echo |
|
|
|
} >> $UNBOUND_CONFFILE |
|
|
|
done |
|
|
|
fi |
|
|
|
} |
|
|
|
|
|
|
|
############################################################################## |
|
|
|
|
|
|
|
unbound_conf() { |
|
|
|
local rt_mem rt_conn modulestring domain ifsubnet |
|
|
|
|
|
|
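Review bot: The `url:` line emitted at L224 points at plain `http://www.internic.net/domain/` and the AXFR masters at L124 carry no TSIG, so with `for-upstream: yes` the fetched root and arpa zone data is accepted without transport authentication; it is only checked downstream when the validator is active, and `UNBOUND_B_DNSSEC` defaults to 0 in the unbound_uci hunk. I would record that next to the constants, e.g. `# zone data is fetched over unauthenticated transports; only the validator (UNBOUND_B_DNSSEC) can reject tampered records`, so nobody enables `prefetch_root` on a non-validating resolver expecting a hardening gain. If this Unbound build supports https downloads for auth-zone, `local httpserver="https://www.internic.net/domain/"` plus a `tls-cert-bundle:` entry in the server block would close the transport gap; that needs confirming against the packaged version. Minor style: `} >> $UNBOUND_CONFFILE` at L248 leaves the path unquoted, as the rest of the file does, so it is consistent but still worth a `"$UNBOUND_CONFFILE"` if the file is ever cleaned up.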
@ -616,9 +656,13 @@ unbound_conf() { |
|
|
|
# Make fresh conf file |
|
|
|
echo "# $UNBOUND_CONFFILE generated by UCI $( date )" |
|
|
|
echo |
|
|
|
# No threading |
|
|
|
echo "server:" |
|
|
|
echo " username: unbound" |
|
|
|
echo " chroot: \"$UNBOUND_VARDIR\"" |
|
|
|
echo " directory: \"$UNBOUND_VARDIR\"" |
|
|
|
echo " pidfile: \"$UNBOUND_PIDFILE\"" |
|
|
|
echo |
|
|
|
# No threading |
|
|
|
echo " num-threads: 1" |
|
|
|
echo " msg-cache-slabs: 1" |
|
|
|
echo " rrset-cache-slabs: 1" |
|
|
@ -632,6 +676,7 @@ unbound_conf() { |
|
|
|
echo " outgoing-interface: ::0" |
|
|
|
echo |
|
|
|
# Logging |
|
|
|
echo " use-syslog: yes" |
|
|
|
echo " verbosity: 1" |
|
|
|
echo " statistics-interval: 0" |
|
|
|
echo " statistics-cumulative: no" |
|
|
@ -677,12 +722,18 @@ unbound_conf() { |
|
|
|
} >> $UNBOUND_CONFFILE |
|
|
|
;; |
|
|
|
|
|
|
|
*) |
|
|
|
mixed) |
|
|
|
{ |
|
|
|
echo " do-ip4: yes" |
|
|
|
echo " do-ip6: yes" |
|
|
|
} >> $UNBOUND_CONFFILE |
|
|
|
;; |
|
|
|
|
|
|
|
*) |
|
|
|
if [ ! -f "$UNBOUND_TIMEFILE" ] ; then |
|
|
|
logger -t unbound -s "default protocol configuration" |
|
|
|
fi |
|
|
|
;; |
|
|
|
esac |
|
|
|
|
|
|
|
|
|
|
@ -708,15 +759,6 @@ unbound_conf() { |
|
|
|
} >> $UNBOUND_CONFFILE |
|
|
|
|
|
|
|
|
|
|
|
{ |
|
|
|
# Default Files |
|
|
|
echo " use-syslog: yes" |
|
|
|
echo " chroot: \"$UNBOUND_VARDIR\"" |
|
|
|
echo " directory: \"$UNBOUND_VARDIR\"" |
|
|
|
echo " pidfile: \"$UNBOUND_PIDFILE\"" |
|
|
|
} >> $UNBOUND_CONFFILE |
|
|
|
|
|
|
|
|
|
|
|
if [ -f "$UNBOUND_HINTFILE" ] ; then |
|
|
|
# Optional hints if found |
|
|
|
echo " root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE |
|
|
@ -764,7 +806,7 @@ unbound_conf() { |
|
|
|
} >> $UNBOUND_CONFFILE |
|
|
|
|
|
|
|
elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then |
|
|
|
logger -t unbound -s "default memory resource consumption" |
|
|
|
logger -t unbound -s "default memory configuration" |
|
|
|
fi |
|
|
|
|
|
|
|
# Assembly of module-config: options is tricky; order matters |
|
|
@ -803,27 +845,26 @@ unbound_conf() { |
|
|
|
} >> $UNBOUND_CONFFILE |
|
|
|
|
|
|
|
|
|
|
|
if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then |
|
|
|
{ |
|
|
|
# Some query privacy but "strict" will break some name servers |
|
|
|
echo " qname-minimisation: yes" |
|
|
|
echo " qname-minimisation-strict: yes" |
|
|
|
} >> $UNBOUND_CONFFILE |
|
|
|
|
|
|
|
elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then |
|
|
|
# Minor improvement on query privacy |
|
|
|
echo " qname-minimisation: yes" >> $UNBOUND_CONFFILE |
|
|
|
|
|
|
|
else |
|
|
|
echo " qname-minimisation: no" >> $UNBOUND_CONFFILE |
|
|
|
fi |
|
|
|
|
|
|
|
|
|
|
|
case "$UNBOUND_D_RECURSION" in |
|
|
|
passive) |
|
|
|
{ |
|
|
|
# Some query privacy but "strict" will break some servers |
|
|
|
if [ "$UNBOUND_B_QRY_MINST" -gt 0 \ |
|
|
|
-a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then |
|
|
|
echo " qname-minimisation: yes" |
|
|
|
echo " qname-minimisation-strict: yes" |
|
|
|
elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then |
|
|
|
echo " qname-minimisation: yes" |
|
|
|
else |
|
|
|
echo " qname-minimisation: no" |
|
|
|
fi |
|
|
|
# Use DNSSEC to quickly understand NXDOMAIN ranges |
|
|
|
if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then |
|
|
|
echo " aggressive-nsec: yes" |
|
|
|
echo " prefetch-key: no" |
|
|
|
fi |
|
|
|
# On demand fetching |
|
|
|
echo " prefetch: no" |
|
|
|
echo " prefetch-key: no" |
|
|
|
echo " target-fetch-policy: \"0 0 0 0 0\"" |
|
|
|
echo |
|
|
|
} >> $UNBOUND_CONFFILE |
|
|
@ -831,8 +872,23 @@ unbound_conf() { |
|
|
|
|
|
|
|
aggressive) |
|
|
|
{ |
|
|
|
# Some query privacy but "strict" will break some servers |
|
|
|
if [ "$UNBOUND_B_QRY_MINST" -gt 0 \ |
|
|
|
-a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then |
|
|
|
echo " qname-minimisation: yes" |
|
|
|
echo " qname-minimisation-strict: yes" |
|
|
|
elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then |
|
|
|
echo " qname-minimisation: yes" |
|
|
|
else |
|
|
|
echo " qname-minimisation: no" |
|
|
|
fi |
|
|
|
# Use DNSSEC to quickly understand NXDOMAIN ranges |
|
|
|
if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then |
|
|
|
echo " aggressive-nsec: yes" |
|
|
|
echo " prefetch-key: yes" |
|
|
|
fi |
|
|
|
# Prefetch what can be |
|
|
|
echo " prefetch: yes" |
|
|
|
echo " prefetch-key: yes" |
|
|
|
echo " target-fetch-policy: \"3 2 1 0 0\"" |
|
|
|
echo |
|
|
|
} >> $UNBOUND_CONFFILE |
|
|
@ -1070,6 +1126,7 @@ unbound_uci() { |
|
|
|
config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0 |
|
|
|
config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0 |
|
|
|
config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0 |
|
|
|
config_get_bool UNBOUND_B_AUTH_ROOT "$cfg" prefetch_root 0 |
|
|
|
config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0 |
|
|
|
config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0 |
|
|
|
config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1 |
|
|
@ -1165,7 +1222,7 @@ unbound_uci() { |
|
|
|
|
|
|
|
############################################################################## |
|
|
|
|
|
|
|
_resolv_setup() { |
|
|
|
unbound_resolv_setup() { |
|
|
|
if [ "$UNBOUND_N_RX_PORT" != "53" ] ; then |
|
|
|
return |
|
|
|
fi |
|
|
@ -1194,7 +1251,7 @@ _resolv_setup() { |
|
|
|
|
|
|
|
############################################################################## |
|
|
|
|
|
|
|
_resolv_teardown() { |
|
|
|
unbound_resolv_teardown() { |
|
|
|
case $( cat /tmp/resolv.conf ) in |
|
|
|
*"generated by Unbound UCI"*) |
|
|
|
# our resolver file, reset to auto resolver file. |
|
|
@ -1209,8 +1266,6 @@ _resolv_teardown() { |
|
|
|
unbound_start() { |
|
|
|
config_load unbound |
|
|
|
config_foreach unbound_uci unbound |
|
|
|
|
|
|
|
|
|
|
|
unbound_mkdir |
|
|
|
|
|
|
|
|
|
|
@ -1229,19 +1284,18 @@ unbound_start() { |
|
|
|
|
|
|
|
|
|
|
|
unbound_forward |
|
|
|
unbound_auth_root |
|
|
|
unbound_control |
|
|
|
fi |
|
|
|
|
|
|
|
|
|
|
|
_resolv_setup |
|
|
|
unbound_resolv_setup |
|
|
|
} |
|
|
|
|
|
|
|
############################################################################## |
|
|
|
|
|
|
|
unbound_stop() { |
|
|
|
_resolv_teardown |
|
|
|
|
|
|
|
|
|
|
|
unbound_resolv_teardown |
|
|
|
rootzone_update |
|
|
|
} |
|
|
|
|
|
|
|