
unbound: update options for remote-control

Enhance the 'control' option to allow using SSL
to connect to the server. Add the 'extended_stats'
option to match 'extended-statistics: yes'.
Document the 'extended_luci' option; it does not
control Unbound, but changes the LuCI tabs.

Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
lilik-openwrt-22.03
Eric Luehrsen 7 years ago
parent
commit
e7f5bbc65e
7 changed files with 145 additions and 46 deletions
  1. +1
    -1
      net/unbound/Makefile
  2. +13
    -2
      net/unbound/files/README.md
  3. +9
    -9
      net/unbound/files/odhcpd.awk
  4. +110
    -26
      net/unbound/files/unbound.sh
  5. +2
    -0
      net/unbound/files/unbound.uci
  6. +5
    -4
      net/unbound/files/unbound_ext.conf
  7. +5
    -4
      net/unbound/files/unbound_srv.conf

+ 1
- 1
net/unbound/Makefile View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=unbound PKG_NAME:=unbound
PKG_VERSION:=1.6.6 PKG_VERSION:=1.6.6
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_LICENSE:=BSD-3-Clause PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE PKG_LICENSE_FILES:=LICENSE


+ 13
- 2
net/unbound/files/README.md View File

@ -200,6 +200,13 @@ config unbound
Bytes. Extended DNS is necessary for DNSSEC. However, it can run Bytes. Extended DNS is necessary for DNSSEC. However, it can run
into MTU issues. Use this size in bytes to manage drop outs. into MTU issues. Use this size in bytes to manage drop outs.
option extended_luci '0'
Boolean. Extends a tab hierarchy in LuCI for advanced congfiguration.
option extended_stats '0'
Boolean. extended statistics are printed from unbound-control.
Keeping track of more statistics takes time.
option hide_binddata '1' option hide_binddata '1'
Boolean. If enabled version.server, version.bind, id.server, and Boolean. If enabled version.server, version.bind, id.server, and
hostname.bind queries are refused. hostname.bind queries are refused.
@ -266,8 +273,12 @@ config unbound
Typical to configure maybe 0~300, but 1800 is the maximum accepted. Typical to configure maybe 0~300, but 1800 is the maximum accepted.
option unbound_control '0' option unbound_control '0'
Boolean. Enables unbound-control application access ports. Enabling
this without the unbound-control package installed is robust.
Level. Enables unbound-control application access ports.
0 - No unbound-control Access, or add your own in 'unbound_ext.conf'
1 - Unencrypted Local Host Access
2 - SSL Local Host Access; auto unbound-control-setup if available
3 - SSL Network Access; auto unbound-control-setup if available
4 - SSL Network Access; static key/pem files must already exist
option validator '0' option validator '0'
Boolean. Enable DNSSEC. Unbound names this the "validator" module. Boolean. Enable DNSSEC. Unbound names this the "validator" module.


+ 9
- 9
net/unbound/files/odhcpd.awk View File

@ -68,7 +68,7 @@
if ( bconf == 1 ) { if ( bconf == 1 ) {
x = ( "local-data: \"" fqdn ". 120 IN A " adr "\"" ) ; x = ( "local-data: \"" fqdn ". 120 IN A " adr "\"" ) ;
y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ; y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ;
print ( x "\n" y ) > hostfile ;
print ( x "\n" y "\n" ) > hostfile ;
} }
else { else {
@ -91,17 +91,17 @@
# GA or ULA routed addresses only (not LL or MC) # GA or ULA routed addresses only (not LL or MC)
sub( /\/.*/, "", adr ) ; sub( /\/.*/, "", adr ) ;
adr = ( adr slaac ) ; adr = ( adr slaac ) ;
if ( split( adr, tmp0, ":" ) >= 8 ) {
sub( "::", ":", adr ) ;
if ( split( adr, tmp0, ":" ) >= 8 ) {
sub( "::", ":", adr ) ;
} }
if ( bconf == 1 ) { if ( bconf == 1 ) {
x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr "\"" ) ; x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr "\"" ) ;
y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ; y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ;
print ( x "\n" y ) > hostfile ;
print ( x "\n" y "\n" ) > hostfile ;
} }
else { else {
@ -124,7 +124,7 @@
if ( bconf == 1 ) { if ( bconf == 1 ) {
x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr "\"" ) ; x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr "\"" ) ;
y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ; y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ;
print ( x "\n" y ) > hostfile ;
print ( x "\n" y "\n" ) > hostfile ;
} }
else { else {
@ -135,12 +135,12 @@
print ( x "\n" y ) > hostfile ; print ( x "\n" y ) > hostfile ;
} }
} }
if (( cdr2 == 128 ) && ( hst != "-" )) { if (( cdr2 == 128 ) && ( hst != "-" )) {
if ( bconf == 1 ) { if ( bconf == 1 ) {
x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr2 "\"" ) ; x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr2 "\"" ) ;
y = ( "local-data-ptr: \"" adr2 " 120 " fqdn "\"" ) ; y = ( "local-data-ptr: \"" adr2 " 120 " fqdn "\"" ) ;
print ( x "\n" y ) > hostfile ;
print ( x "\n" y "\n" ) > hostfile ;
} }
else { else {
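Review bot: The added `"\n"` at the end of each `print ( x "\n" y "\n" ) > hostfile ;` is followed by awk's own ORS, so every record pair written in the bconf branch is now followed by a blank line, and nothing in the hunks says this is intended. The unchanged `print ( x "\n" y ) > hostfile ;` at the first line of the fourth hunk keeps the old form, which reads as an oversight unless that branch deliberately uses a different layout. A one-line comment at the first changed print, `# trailing "\n": blank line between host records (print appends ORS)`, would settle the intent, and if the unchanged print is meant to match it needs the same edit. The enclosing blocks start and end outside the hunks.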


+ 110
- 26
net/unbound/files/unbound.sh View File

@ -23,10 +23,10 @@
# #
############################################################################## ##############################################################################
UNBOUND_B_CONTROL=0
UNBOUND_B_SLAAC6_MAC=0 UNBOUND_B_SLAAC6_MAC=0
UNBOUND_B_DNSSEC=0 UNBOUND_B_DNSSEC=0
UNBOUND_B_DNS64=0 UNBOUND_B_DNS64=0
UNBOUND_B_EXT_STATS=0
UNBOUND_B_GATE_NAME=0 UNBOUND_B_GATE_NAME=0
UNBOUND_B_HIDE_BIND=1 UNBOUND_B_HIDE_BIND=1
UNBOUND_B_LOCL_BLCK=0 UNBOUND_B_LOCL_BLCK=0
@ -37,6 +37,7 @@ UNBOUND_B_PRIV_BLCK=1
UNBOUND_B_QUERY_MIN=0 UNBOUND_B_QUERY_MIN=0
UNBOUND_B_QRY_MINST=0 UNBOUND_B_QRY_MINST=0
UNBOUND_D_CONTROL=0
UNBOUND_D_DOMAIN_TYPE=static UNBOUND_D_DOMAIN_TYPE=static
UNBOUND_D_DHCP_LINK=none UNBOUND_D_DHCP_LINK=none
UNBOUND_D_EXTRA_DNS=0 UNBOUND_D_EXTRA_DNS=0
@ -80,6 +81,11 @@ UNBOUND_KEYFILE=$UNBOUND_VARDIR/root.key
UNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hints UNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hints
UNBOUND_TIMEFILE=$UNBOUND_VARDIR/hotplug.time UNBOUND_TIMEFILE=$UNBOUND_VARDIR/hotplug.time
UNBOUND_CTLKEY_FILE=$UNBOUND_VARDIR/unbound_control.key
UNBOUND_CTLPEM_FILE=$UNBOUND_VARDIR/unbound_control.pem
UNBOUND_SRVKEY_FILE=$UNBOUND_VARDIR/unbound_server.key
UNBOUND_SRVPEM_FILE=$UNBOUND_VARDIR/unbound_server.pem
############################################################################## ##############################################################################
UNBOUND_ANCHOR=/usr/sbin/unbound-anchor UNBOUND_ANCHOR=/usr/sbin/unbound-anchor
@ -457,17 +463,54 @@ unbound_mkdir() {
# Ensure access and prepare to jail # Ensure access and prepare to jail
chown -R unbound:unbound $UNBOUND_VARDIR chown -R unbound:unbound $UNBOUND_VARDIR
chmod 775 $UNBOUND_VARDIR
chmod 664 $UNBOUND_VARDIR/*
chmod 755 $UNBOUND_VARDIR
chmod 644 $UNBOUND_VARDIR/*
if [ -f $UNBOUND_CTLKEY_FILE -o -f $UNBOUND_CTLPEM_FILE \
-o -f $UNBOUND_SRVKEY_FILE -o -f $UNBOUND_SRVPEM_FILE ] ; then
# Keys (some) exist already; do not create new ones
chmod 640 $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
$UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE
elif [ -x /usr/sbin/unbound-control-setup ] ; then
case "$UNBOUND_D_CONTROL" in
[2-3])
# unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static"
/usr/sbin/unbound-control-setup -d $UNBOUND_VARDIR
chown -R unbound:unbound $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
$UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE
chmod 640 $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
$UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE
cp -p $UNBOUND_CTLKEY_FILE /etc/unbound/unbound_control.key
cp -p $UNBOUND_CTLPEM_FILE /etc/unbound/unbound_control.pem
cp -p $UNBOUND_SRVKEY_FILE /etc/unbound/unbound_server.key
cp -p $UNBOUND_SRVPEM_FILE /etc/unbound/unbound_server.pem
;;
esac
fi
} }
############################################################################## ##############################################################################
unbound_control() { unbound_control() {
if [ "$UNBOUND_B_CONTROL" -gt 0 ] ; then
if [ "$UNBOUND_D_CONTROL" -gt 1 ] ; then
if [ ! -f $UNBOUND_CTLKEY_FILE -o ! -f $UNBOUND_CTLPEM_FILE \
-o ! -f $UNBOUND_SRVKEY_FILE -o ! -f $UNBOUND_SRVPEM_FILE ] ; then
# Key files need to be present; if unbound-control-setup was found, then
# they might have been made during unbound_makedir() above.
UNBOUND_D_CONTROL=0
fi
fi
case "$UNBOUND_D_CONTROL" in
1)
{ {
# Enable remote control tool, but only at local host for security
# You can hand write fancier encrypted access with /etc/..._ext.conf
# Local Host Only Unencrypted Remote Control
echo "remote-control:" echo "remote-control:"
echo " control-enable: yes" echo " control-enable: yes"
echo " control-use-cert: no" echo " control-use-cert: no"
@ -475,7 +518,42 @@ unbound_control() {
echo " control-interface: ::1" echo " control-interface: ::1"
echo echo
} >> $UNBOUND_CONFFILE } >> $UNBOUND_CONFFILE
fi
;;
2)
{
# Local Host Only Encrypted Remote Control
echo "remote-control:"
echo " control-enable: yes"
echo " control-use-cert: yes"
echo " control-interface: 127.0.0.1"
echo " control-interface: ::1"
echo " server-key-file: \"$UNBOUND_SRVKEY_FILE\""
echo " server-cert-file: \"$UNBOUND_SRVPEM_FILE\""
echo " control-key-file: \"$UNBOUND_CTLKEY_FILE\""
echo " control-cert-file: \"$UNBOUND_CTLPEM_FILE\""
echo
} >> $UNBOUND_CONFFILE
;;
[3-4])
{
# Network Encrypted Remote Control
# (3) may auto setup and (4) must have static key/pem files
# TODO: add UCI list for interfaces to bind
echo "remote-control:"
echo " control-enable: yes"
echo " control-use-cert: yes"
echo " control-interface: 0.0.0.0"
echo " control-interface: ::0"
echo " server-key-file: \"$UNBOUND_SRVKEY_FILE\""
echo " server-cert-file: \"$UNBOUND_SRVPEM_FILE\""
echo " control-key-file: \"$UNBOUND_CTLKEY_FILE\""
echo " control-cert-file: \"$UNBOUND_CTLPEM_FILE\""
echo
} >> $UNBOUND_CONFFILE
;;
esac
{ {
@ -493,15 +571,14 @@ unbound_conf() {
local cfg="$1" local cfg="$1"
local rt_mem rt_conn modulestring local rt_mem rt_conn modulestring
# Make fresh conf file
echo > $UNBOUND_CONFFILE
{ {
# Make fresh conf file # Make fresh conf file
echo "# $UNBOUND_CONFFILE generated by UCI $( date )" echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
echo echo
} > $UNBOUND_CONFFILE
{
# No threading # No threading
echo "server:" echo "server:"
echo " username: unbound" echo " username: unbound"
@ -511,27 +588,33 @@ unbound_conf() {
echo " infra-cache-slabs: 1" echo " infra-cache-slabs: 1"
echo " key-cache-slabs: 1" echo " key-cache-slabs: 1"
echo echo
} >> $UNBOUND_CONFFILE
{
# Interface Wildcard (access contol handled by "option local_service")
echo " interface: 0.0.0.0"
echo " interface: ::0"
echo " outgoing-interface: 0.0.0.0"
echo " outgoing-interface: ::0"
echo
# Logging # Logging
echo " verbosity: 1" echo " verbosity: 1"
echo " statistics-interval: 0" echo " statistics-interval: 0"
echo " statistics-cumulative: no" echo " statistics-cumulative: no"
echo " extended-statistics: no"
echo
} >> $UNBOUND_CONFFILE } >> $UNBOUND_CONFFILE
{
# Interfaces (access contol "option local_service")
echo " interface: 0.0.0.0"
echo " interface: ::0"
echo " outgoing-interface: 0.0.0.0"
echo " outgoing-interface: ::0"
echo
} >> $UNBOUND_CONFFILE
if [ "$UNBOUND_B_EXT_STATS" -gt 0 ] ; then
{
# Log More
echo " extended-statistics: yes"
echo
} >> $UNBOUND_CONFFILE
else
{
# Log Less
echo " extended-statistics: no"
echo
} >> $UNBOUND_CONFFILE
fi
case "$UNBOUND_D_PROTOCOL" in case "$UNBOUND_D_PROTOCOL" in
@ -930,6 +1013,7 @@ unbound_uci() {
config_get_bool UNBOUND_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0 config_get_bool UNBOUND_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0
config_get_bool UNBOUND_B_DNS64 "$cfg" dns64 0 config_get_bool UNBOUND_B_DNS64 "$cfg" dns64 0
config_get_bool UNBOUND_B_EXT_STATS "$cfg" extended_stats 0
config_get_bool UNBOUND_B_HIDE_BIND "$cfg" hide_binddata 1 config_get_bool UNBOUND_B_HIDE_BIND "$cfg" hide_binddata 1
config_get_bool UNBOUND_B_LOCL_SERV "$cfg" localservice 1 config_get_bool UNBOUND_B_LOCL_SERV "$cfg" localservice 1
config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0 config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0
@ -937,7 +1021,6 @@ unbound_uci() {
config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0 config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0
config_get_bool UNBOUND_B_PRIV_BLCK "$cfg" rebind_protection 1 config_get_bool UNBOUND_B_PRIV_BLCK "$cfg" rebind_protection 1
config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0 config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
config_get_bool UNBOUND_B_CONTROL "$cfg" unbound_control 0
config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0 config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1 config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
@ -947,6 +1030,7 @@ unbound_uci() {
config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53 config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53
config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9 config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9
config_get UNBOUND_D_CONTROL "$cfg" unbound_control 0
config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static
config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none
config_get UNBOUND_D_EXTRA_DNS "$cfg" add_extra_dns 0 config_get UNBOUND_D_EXTRA_DNS "$cfg" add_extra_dns 0
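Review bot: Levels 3 and 4 in unbound_control() emit `control-interface: 0.0.0.0` and `control-interface: ::0`, so the remote-control port listens on every interface, WAN included, with the client certificate as the only access check; nothing in the script limits it and the `# TODO: add UCI list for interfaces to bind` is the sole acknowledgement, so until that list exists the comment should state the exposure plainly, e.g. `# (3)/(4) bind ALL interfaces; restrict the control port with the firewall`. Earlier in the same function a missing key file silently drops the level with `UNBOUND_D_CONTROL=0`, so an operator who configured SSL access gets no remote-control clause and no explanation; a `logger -t unbound "control key files missing; remote-control disabled"` beside that assignment would surface it. In unbound_mkdir(), the keys-exist branch tests the four files with `-o` and then runs `chmod 640` on all four, so a partial key set produces chmod errors on the absent files; testing with `-a`, or chmod-ing only the files that exist, avoids that. Both functions continue outside the hunks.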


+ 2
- 0
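--- a/net/unbound/files/unbound.uci
+++ b/net/unbound/files/unbound.uci
@@ -9,6 +9,8 @@ config unbound
 option domain 'lan'
 option domain_type 'static'
 option edns_size '1280'
+option extended_luci '0'
+option extended_stats '0'
 option hide_binddata '1'
 option listen_port '53'
 option localservice '1'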


+ 5
- 4
net/unbound/files/unbound_ext.conf View File

@ -1,8 +1,9 @@
############################################################################## ##############################################################################
# UNBOUND UCI USER ADDED CLAUSES
# Extended user clauses added to the end of the UCI generated 'unbound.conf'
# #
# Put your own forward:, view:, stub:, and control: clauses here. This file is
# appended to the end of UCI auto generated 'unbound.conf'. This is done with
# include: statement. Notice, it is outside of the server: clause.
# Put your own forward:, view:, stub:, or remote-control: clauses here. This
# file is appended to the end of 'unbound.conf' with an include: statement.
# Notice that it is not part of the server: clause. Use 'unbound_srv.conf' to
# place custom option statements in the server: clause.
############################################################################## ##############################################################################

+ 5
- 4
net/unbound/files/unbound_srv.conf View File

@ -1,8 +1,9 @@
############################################################################## ##############################################################################
# UNBOUND UCI USER ADDED SERVER OPTIONS
# User custom options added in the server: clause part of UCI 'unbound.conf'
# #
# Put your own choice options here when not covered by UCI. These are all part
# of the server: clause only. Most likely are hardening options or local-zone:
# This is in an include: statement towards the end of the server: cluase.
# Add your own option statements here when they are not covered by UCI. This
# file is placed _inside_ the server: clause with an include: statement. Do
# not start other clauses here, because that would brake the server: clause.
# Use 'unbound_ext.conf' to start new clauses at the end of 'unbound.conf'.
############################################################################## ##############################################################################
