Browse Source

unbound: update options for remote-control

Enhance the 'control' option to allow using SSL
to connect to the server. Add the 'extended_stats'
option to match 'extended-statistics: yes.'
Document the 'extended_luci' option; it does not
control Unbound, but changes the LuCI tabs.

Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
lilik-openwrt-22.03
Eric Luehrsen 7 years ago
parent
commit
e7f5bbc65e
7 changed files with 145 additions and 46 deletions
  1. +1
    -1
      net/unbound/Makefile
  2. +13
    -2
      net/unbound/files/README.md
  3. +9
    -9
      net/unbound/files/odhcpd.awk
  4. +110
    -26
      net/unbound/files/unbound.sh
  5. +2
    -0
      net/unbound/files/unbound.uci
  6. +5
    -4
      net/unbound/files/unbound_ext.conf
  7. +5
    -4
      net/unbound/files/unbound_srv.conf

+ 1
- 1
net/unbound/Makefile View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=unbound
PKG_VERSION:=1.6.6
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE


+ 13
- 2
net/unbound/files/README.md View File

@ -200,6 +200,13 @@ config unbound
Bytes. Extended DNS is necessary for DNSSEC. However, it can run
into MTU issues. Use this size in bytes to manage drop outs.
option extended_luci '0'
Boolean. Extends a tab hierarchy in LuCI for advanced congfiguration.
option extended_stats '0'
Boolean. extended statistics are printed from unbound-control.
Keeping track of more statistics takes time.
option hide_binddata '1'
Boolean. If enabled version.server, version.bind, id.server, and
hostname.bind queries are refused.
@ -266,8 +273,12 @@ config unbound
Typical to configure maybe 0~300, but 1800 is the maximum accepted.
option unbound_control '0'
Boolean. Enables unbound-control application access ports. Enabling
this without the unbound-control package installed is robust.
Level. Enables unbound-control application access ports.
0 - No unbound-control Access, or add your own in 'unbound_ext.conf'
1 - Unencrypted Local Host Access
2 - SSL Local Host Access; auto unbound-control-setup if available
3 - SSL Network Access; auto unbound-control-setup if available
4 - SSL Network Access; static key/pem files must already exist
option validator '0'
Boolean. Enable DNSSEC. Unbound names this the "validator" module.


+ 9
- 9
net/unbound/files/odhcpd.awk View File

@ -68,7 +68,7 @@
if ( bconf == 1 ) {
x = ( "local-data: \"" fqdn ". 120 IN A " adr "\"" ) ;
y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ;
print ( x "\n" y ) > hostfile ;
print ( x "\n" y "\n" ) > hostfile ;
}
else {
@ -91,17 +91,17 @@
# GA or ULA routed addresses only (not LL or MC)
sub( /\/.*/, "", adr ) ;
adr = ( adr slaac ) ;
if ( split( adr, tmp0, ":" ) >= 8 ) {
sub( "::", ":", adr ) ;
if ( split( adr, tmp0, ":" ) >= 8 ) {
sub( "::", ":", adr ) ;
}
if ( bconf == 1 ) {
x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr "\"" ) ;
y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ;
print ( x "\n" y ) > hostfile ;
print ( x "\n" y "\n" ) > hostfile ;
}
else {
@ -124,7 +124,7 @@
if ( bconf == 1 ) {
x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr "\"" ) ;
y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ;
print ( x "\n" y ) > hostfile ;
print ( x "\n" y "\n" ) > hostfile ;
}
else {
@ -135,12 +135,12 @@
print ( x "\n" y ) > hostfile ;
}
}
if (( cdr2 == 128 ) && ( hst != "-" )) {
if ( bconf == 1 ) {
x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr2 "\"" ) ;
y = ( "local-data-ptr: \"" adr2 " 120 " fqdn "\"" ) ;
print ( x "\n" y ) > hostfile ;
print ( x "\n" y "\n" ) > hostfile ;
}
else {


+ 110
- 26
net/unbound/files/unbound.sh View File

@ -23,10 +23,10 @@
#
##############################################################################
UNBOUND_B_CONTROL=0
UNBOUND_B_SLAAC6_MAC=0
UNBOUND_B_DNSSEC=0
UNBOUND_B_DNS64=0
UNBOUND_B_EXT_STATS=0
UNBOUND_B_GATE_NAME=0
UNBOUND_B_HIDE_BIND=1
UNBOUND_B_LOCL_BLCK=0
@ -37,6 +37,7 @@ UNBOUND_B_PRIV_BLCK=1
UNBOUND_B_QUERY_MIN=0
UNBOUND_B_QRY_MINST=0
UNBOUND_D_CONTROL=0
UNBOUND_D_DOMAIN_TYPE=static
UNBOUND_D_DHCP_LINK=none
UNBOUND_D_EXTRA_DNS=0
@ -80,6 +81,11 @@ UNBOUND_KEYFILE=$UNBOUND_VARDIR/root.key
UNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hints
UNBOUND_TIMEFILE=$UNBOUND_VARDIR/hotplug.time
UNBOUND_CTLKEY_FILE=$UNBOUND_VARDIR/unbound_control.key
UNBOUND_CTLPEM_FILE=$UNBOUND_VARDIR/unbound_control.pem
UNBOUND_SRVKEY_FILE=$UNBOUND_VARDIR/unbound_server.key
UNBOUND_SRVPEM_FILE=$UNBOUND_VARDIR/unbound_server.pem
##############################################################################
UNBOUND_ANCHOR=/usr/sbin/unbound-anchor
@ -457,17 +463,54 @@ unbound_mkdir() {
# Ensure access and prepare to jail
chown -R unbound:unbound $UNBOUND_VARDIR
chmod 775 $UNBOUND_VARDIR
chmod 664 $UNBOUND_VARDIR/*
chmod 755 $UNBOUND_VARDIR
chmod 644 $UNBOUND_VARDIR/*
if [ -f $UNBOUND_CTLKEY_FILE -o -f $UNBOUND_CTLPEM_FILE \
-o -f $UNBOUND_SRVKEY_FILE -o -f $UNBOUND_SRVPEM_FILE ] ; then
# Keys (some) exist already; do not create new ones
chmod 640 $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
$UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE
elif [ -x /usr/sbin/unbound-control-setup ] ; then
case "$UNBOUND_D_CONTROL" in
[2-3])
# unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static"
/usr/sbin/unbound-control-setup -d $UNBOUND_VARDIR
chown -R unbound:unbound $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
$UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE
chmod 640 $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
$UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE
cp -p $UNBOUND_CTLKEY_FILE /etc/unbound/unbound_control.key
cp -p $UNBOUND_CTLPEM_FILE /etc/unbound/unbound_control.pem
cp -p $UNBOUND_SRVKEY_FILE /etc/unbound/unbound_server.key
cp -p $UNBOUND_SRVPEM_FILE /etc/unbound/unbound_server.pem
;;
esac
fi
}
##############################################################################
unbound_control() {
if [ "$UNBOUND_B_CONTROL" -gt 0 ] ; then
if [ "$UNBOUND_D_CONTROL" -gt 1 ] ; then
if [ ! -f $UNBOUND_CTLKEY_FILE -o ! -f $UNBOUND_CTLPEM_FILE \
-o ! -f $UNBOUND_SRVKEY_FILE -o ! -f $UNBOUND_SRVPEM_FILE ] ; then
# Key files need to be present; if unbound-control-setup was found, then
# they might have been made during unbound_makedir() above.
UNBOUND_D_CONTROL=0
fi
fi
case "$UNBOUND_D_CONTROL" in
1)
{
# Enable remote control tool, but only at local host for security
# You can hand write fancier encrypted access with /etc/..._ext.conf
# Local Host Only Unencrypted Remote Control
echo "remote-control:"
echo " control-enable: yes"
echo " control-use-cert: no"
@ -475,7 +518,42 @@ unbound_control() {
echo " control-interface: ::1"
echo
} >> $UNBOUND_CONFFILE
fi
;;
2)
{
# Local Host Only Encrypted Remote Control
echo "remote-control:"
echo " control-enable: yes"
echo " control-use-cert: yes"
echo " control-interface: 127.0.0.1"
echo " control-interface: ::1"
echo " server-key-file: \"$UNBOUND_SRVKEY_FILE\""
echo " server-cert-file: \"$UNBOUND_SRVPEM_FILE\""
echo " control-key-file: \"$UNBOUND_CTLKEY_FILE\""
echo " control-cert-file: \"$UNBOUND_CTLPEM_FILE\""
echo
} >> $UNBOUND_CONFFILE
;;
[3-4])
{
# Network Encrypted Remote Control
# (3) may auto setup and (4) must have static key/pem files
# TODO: add UCI list for interfaces to bind
echo "remote-control:"
echo " control-enable: yes"
echo " control-use-cert: yes"
echo " control-interface: 0.0.0.0"
echo " control-interface: ::0"
echo " server-key-file: \"$UNBOUND_SRVKEY_FILE\""
echo " server-cert-file: \"$UNBOUND_SRVPEM_FILE\""
echo " control-key-file: \"$UNBOUND_CTLKEY_FILE\""
echo " control-cert-file: \"$UNBOUND_CTLPEM_FILE\""
echo
} >> $UNBOUND_CONFFILE
;;
esac
{
@ -493,15 +571,14 @@ unbound_conf() {
local cfg="$1"
local rt_mem rt_conn modulestring
# Make fresh conf file
echo > $UNBOUND_CONFFILE
{
# Make fresh conf file
echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
echo
} > $UNBOUND_CONFFILE
{
# No threading
echo "server:"
echo " username: unbound"
@ -511,27 +588,33 @@ unbound_conf() {
echo " infra-cache-slabs: 1"
echo " key-cache-slabs: 1"
echo
} >> $UNBOUND_CONFFILE
{
# Interface Wildcard (access contol handled by "option local_service")
echo " interface: 0.0.0.0"
echo " interface: ::0"
echo " outgoing-interface: 0.0.0.0"
echo " outgoing-interface: ::0"
echo
# Logging
echo " verbosity: 1"
echo " statistics-interval: 0"
echo " statistics-cumulative: no"
echo " extended-statistics: no"
echo
} >> $UNBOUND_CONFFILE
{
# Interfaces (access contol "option local_service")
echo " interface: 0.0.0.0"
echo " interface: ::0"
echo " outgoing-interface: 0.0.0.0"
echo " outgoing-interface: ::0"
echo
} >> $UNBOUND_CONFFILE
if [ "$UNBOUND_B_EXT_STATS" -gt 0 ] ; then
{
# Log More
echo " extended-statistics: yes"
echo
} >> $UNBOUND_CONFFILE
else
{
# Log Less
echo " extended-statistics: no"
echo
} >> $UNBOUND_CONFFILE
fi
case "$UNBOUND_D_PROTOCOL" in
@ -930,6 +1013,7 @@ unbound_uci() {
config_get_bool UNBOUND_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0
config_get_bool UNBOUND_B_DNS64 "$cfg" dns64 0
config_get_bool UNBOUND_B_EXT_STATS "$cfg" extended_stats 0
config_get_bool UNBOUND_B_HIDE_BIND "$cfg" hide_binddata 1
config_get_bool UNBOUND_B_LOCL_SERV "$cfg" localservice 1
config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0
@ -937,7 +1021,6 @@ unbound_uci() {
config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0
config_get_bool UNBOUND_B_PRIV_BLCK "$cfg" rebind_protection 1
config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
config_get_bool UNBOUND_B_CONTROL "$cfg" unbound_control 0
config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
@ -947,6 +1030,7 @@ unbound_uci() {
config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53
config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9
config_get UNBOUND_D_CONTROL "$cfg" unbound_control 0
config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static
config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none
config_get UNBOUND_D_EXTRA_DNS "$cfg" add_extra_dns 0


+ 2
- 0
net/unbound/files/unbound.uci View File

@ -9,6 +9,8 @@ config unbound
option domain 'lan'
option domain_type 'static'
option edns_size '1280'
option extended_luci '0'
option extended_stats '0'
option hide_binddata '1'
option listen_port '53'
option localservice '1'


+ 5
- 4
net/unbound/files/unbound_ext.conf View File

@ -1,8 +1,9 @@
##############################################################################
# UNBOUND UCI USER ADDED CLAUSES
# Extended user clauses added to the end of the UCI generated 'unbound.conf'
#
# Put your own forward:, view:, stub:, and control: clauses here. This file is
# appended to the end of UCI auto generated 'unbound.conf'. This is done with
# include: statement. Notice, it is outside of the server: clause.
# Put your own forward:, view:, stub:, or remote-control: clauses here. This
# file is appended to the end of 'unbound.conf' with an include: statement.
# Notice that it is not part of the server: clause. Use 'unbound_srv.conf' to
# place custom option statements in the server: clause.
##############################################################################

+ 5
- 4
net/unbound/files/unbound_srv.conf View File

@ -1,8 +1,9 @@
##############################################################################
# UNBOUND UCI USER ADDED SERVER OPTIONS
# User custom options added in the server: clause part of UCI 'unbound.conf'
#
# Put your own choice options here when not covered by UCI. These are all part
# of the server: clause only. Most likely are hardening options or local-zone:
# This is in an include: statement towards the end of the server: cluase.
# Add your own option statements here when they are not covered by UCI. This
# file is placed _inside_ the server: clause with an include: statement. Do
# not start other clauses here, because that would brake the server: clause.
# Use 'unbound_ext.conf' to start new clauses at the end of 'unbound.conf'.
##############################################################################

Loading…
Cancel
Save