From e81529596df88eae272c00bf8ac69b15e19a5bd5 Mon Sep 17 00:00:00 2001 From: Eric Luehrsen Date: Sat, 4 Jul 2020 13:55:40 -0400 Subject: [PATCH] unbound: improve startup and dhcp script robustness - prevent rapid overlap in DHCP script updates - check and allow localhost forwards with specific applications - add option for rate limiting inbound queries - change UCI list to table format with Unbound conf references Signed-off-by: Eric Luehrsen --- net/unbound/Makefile | 2 +- net/unbound/files/README.md | 333 +++++++-------------------------- net/unbound/files/defaults.sh | 1 - net/unbound/files/dnsmasq.sh | 27 +-- net/unbound/files/iptools.sh | 14 +- net/unbound/files/odhcpd.sh | 46 +++-- net/unbound/files/stopping.sh | 4 +- net/unbound/files/unbound.init | 5 +- net/unbound/files/unbound.sh | 328 +++++++++++++++++--------------- net/unbound/files/unbound.uci | 3 + 10 files changed, 313 insertions(+), 450 deletions(-) diff --git a/net/unbound/Makefile b/net/unbound/Makefile index 12f0e3a8f..a14a84498 100644 --- a/net/unbound/Makefile +++ b/net/unbound/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=unbound PKG_VERSION:=1.10.1 -PKG_RELEASE:=4 +PKG_RELEASE:=5 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://nlnetlabs.nl/downloads/unbound diff --git a/net/unbound/files/README.md b/net/unbound/files/README.md index ca9692e0b..712923e57 100644 --- a/net/unbound/files/README.md +++ b/net/unbound/files/README.md @@ -8,7 +8,7 @@ OpenWrt default build uses [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/docs/d Unbound may be useful on consumer grade embedded hardware. It is fully DNSSEC and TLS capable. It is _intended_ to be a recursive resolver only. NLnet Labs [NSD](https://www.nlnetlabs.nl/projects/nsd/) is _intended_ for the authoritative task. This is different than [ISC Bind](https://www.isc.org/downloads/bind/) and its inclusive functions. Unbound configuration effort and memory consumption may be easier to control. A consumer could have their own recursive resolver with 8/64 MB router, and remove potential issues from forwarding resolvers outside of their control. -This package builds on Unbounds capabilities with OpenWrt UCI. Not every Unbound option is in UCI, but rather, UCI simplifies the combination of related options. Unbounds native options are bundled and balanced within a smaller set of choices. Options include resources, DNSSEC, access control, and some TTL tweaking. The UCI also provides an escape option and works at the raw "unbound.conf" level. +This package builds on Unbounds capabilities with OpenWrt UCI. Not every Unbound option is in UCI, but rather, UCI simplifies the combination of related options. Unbounds native options are bundled and balanced within a smaller set of choices. Options include resources, DNSSEC, access control, and some TTL tweaking. The UCI also provides an escape option and works at the raw `unbound.conf` level. ## HOW TO: Ad Blocking The UCI scripts will work with [net/adblock](https://github.com/openwrt/packages/blob/master/net/adblock/files/README.md), if it is installed and enabled. Its all detected and integrated automatically. In brief, the adblock scripts create distinct local-zone files that are simply included in the unbound conf file during UCI generation. If you don't want this, then disable adblock or reconfigure adblock to not send these files to Unbound. @@ -18,18 +18,18 @@ A few tweaks may be needed to enhance the realiability and effectiveness. Ad Blo **/etc/config/firewall**: ``` config rule - option name 'Block-Public-DNS' - option enabled '1' - option src 'lan' option dest 'wan' option dest_port '53 853 5353' - option proto 'tcpudp' + option enabled '1' option family 'any' + option name 'Block-Public-DNS' + option proto 'tcpudp' + option src 'lan' option target 'REJECT' ``` ## HOW TO: Integrate with DHCP -Some UCI options and scripts help Unbound to work with DHCP servers to load the local DNS. The examples provided here are serial dnsmasq-unbound, parallel dnsmasq-unbound, and unbound scripted with odhcpd. +Some UCI options and scripts help Unbound to work with DHCP servers to load the local DNS. The examples provided here are serial dnsmasq with unbound, parallel dnsmasq with unbound, and unbound scripted with odhcpd. ### Serial dnsmasq In this case, dnsmasq is not changed *much* with respect to the default [OpenWrt](https://openwrt.org/docs/guide-user/base-system/dns_configuration) configuration. Here dnsmasq is forced to use the local Unbound instance as the lone upstream DNS server, instead of your ISP. This may be the easiest implementation, but performance degradation can occur in high volume networks. Unbound and dnsmasq effectively have the same information in memory, and all transfers are double handled. @@ -52,22 +52,22 @@ config unbound config dnsmasq option domain 'yourdomain' option noresolv '1' - option resolvfile '/tmp/resolv.conf.auto' option port '53' + option resolvfile '/tmp/resolv.conf.auto' list server '127.0.0.1#1053' list server '::1#1053' ... ``` ### Parallel dnsmasq -In this case, Unbound serves your local network directly for all purposes. It will look over to dnsmasq for DHCP-DNS resolution. Unbound is generally accessible on port 53, and dnsmasq is only accessed at 127.0.0.1:1053 by Unbound. Although you can dig/drill/nslookup remotely with the proper directives. +In this case, Unbound serves your local network directly for all purposes. It will look over to dnsmasq for DHCP-DNS resolution. Unbound is generally accessible on port 53, and dnsmasq is only accessed at `127.0.0.1#1053` by Unbound. Although you can dig/drill/nslookup remotely with the proper directives. **/etc/config/unbound**: ``` config unbound # likely you want to match domain option between Unbound and dnsmasq - option domain 'yourdomain' option dhcp_link 'dnsmasq' + option domain 'yourdomain' option listen_port '53' ... ``` @@ -77,8 +77,8 @@ config unbound config dnsmasq option domain 'yourdomain' option noresolv '1' - option resolvfile '/tmp/resolv.conf.auto' option port '1053' + option resolvfile '/tmp/resolv.conf.auto' ... config dhcp 'lan' @@ -125,10 +125,10 @@ config dhcp 'lan' ... config odhcpd 'odhcpd' - option maindhcp '1' option leasefile '/var/lib/odhcpd/dhcp.leases' # this is where the magic happens option leasetrigger '/usr/lib/unbound/odhcpd.sh' + option maindhcp '1' ``` ## HOW TO: Manual Override @@ -160,10 +160,10 @@ Unbound has the ability to AXFR a whole zone from an authoritative server to pre config zone option enabled '1' option fallback '1' - option url_dir 'https://asset-management.it.example.com/zones/' - option zone_type 'auth_zone' list server 'ns1.it.example.com' list server 'ns2.it.example.com' + option url_dir 'https://asset-management.it.example.com/zones/' + option zone_type 'auth_zone' list zone_name 'example.com' ``` @@ -181,13 +181,13 @@ config zone option tls_index 'dns.example.net' option tls_port '853' option tls_upstream '1' - option zone_type 'forward_zone' # these servers assume a common TLS port/index list server '192.0.2.53' list server '2001:db8::53' # this alternate server is fully specified inline list server '192.0.2.153@443#dns.alternate.example.org' list zone_name '.' + option zone_type 'forward_zone' ``` ## Optional Compile Switches @@ -195,254 +195,59 @@ Unbound can be changed by toggling switches within `make menuconfig` Libraries/N Note: if you use python, then you will need to manual configure and you cannot use chroot. The scripts are not yet enhanced enough to set up the directory binding. -## Complete List of UCI Options -**/etc/config/unbound**: -``` -config unbound - Currently only one instance is supported. - - option add_extra_dns '0' - Level. Execute traditional DNS overrides found in `/etc/config/dhcp`. - Optional so you may use other Unbound conf or redirect to NSD instance. - 0 - Ignore `/etc/config/dhcp` - 1 - Use only 'domain' clause (host records) - 2 - Use 'domain', 'mxhost', and 'srvhost' clauses - 3 - Use all of 'domain', 'mxhost', 'srvhost', and 'cname' clauses - - option add_local_fqdn '0' - Level. This puts your routers host name in the LAN (local) DNS. - Each level is more detailed and comprehensive. - 0 - Disabled - 1 - Host Name on only the primary address - 2 - Host Name on all addresses found (except link) - 3 - FQDN and host name on all addresses (except link) - 4 - Above and interfaces named .. - - option add_wan_fqdn '0' - Level. Same as previous option only this applies to the WAN. WAN are - inferred by a UCI `config dhcp` entry that contains the 'option ignore 1'. - - option dns_assist 'none' - Program Name. Use DNS helpers found on local host and match to their UCI. - Only program 'ipset-dns' is supported so far. NSD and Bind might be useful - but they don't have UCI to parse. - - option dns64 '0' - Boolean. Enable DNS64 through Unbound in order to bridge networks that are - IPV6 only and IPV4 only (see RFC6052). - - option dns64_prefix '64:ff9b::/96' - IPV6 Prefix. The IPV6 prefix wrapped on the IPV4 address for DNS64. You - should use RFC6052 "well known" address, unless you also redirect to a proxy - or gateway for your NAT64. - - option dhcp_link 'none' - Program Name. Link to one of the supported programs we have scripts - for. You may also need to install a trigger script in the DHCP - servers configuration. See HOW TO above. - - option dhcp4_slaac6 '0' - Boolean. Some DHCP servers do this natively (dnsmasq). Otherwise - the script provided with this package will try to fabricate SLAAC - IP6 addresses from DHCPv4 MAC records. - - option domain 'lan' - Unbound local-zone: . This is used to suffix all - host records, and maintain a local zone. When dnsmasq is dhcp_link - however, then this option is ignored (dnsmasq does it all). - - option domain_type 'static' - Unbound local-zone: . This allows you to lock - down or allow forwarding of the local zone. Notable types: - static - typical single router setup much like OpenWrt dnsmasq default - refuse - to answer overtly with DNS code REFUSED - deny - to drop queries for the local zone - transparent - to use your manually added forward-zone: or stub-zone: clause - - option edns_size '1280' - Bytes. Extended DNS is necessary for DNSSEC. However, it can run - into MTU issues. Use this size in bytes to manage drop outs. - - option extended_stats '0' - Boolean. extended statistics are printed from unbound-control. - Keeping track of more statistics takes time. - - option hide_binddata '1' - Boolean. If enabled version.server, version.bind, id.server, and - hostname.bind queries are refused. - - option interface_auto '1' - Boolean. If enabled DNS replies will have the same source address as - the request was sent to. - - option listen_port '53' - Port. Incoming. Where Unbound will listen for queries. - - option localservice '1' - Boolean. Prevent DNS amplification attacks. Only provide access to - Unbound from subnets this machine has interfaces on. - - option manual_conf '0' - Boolean. Skip all this UCI nonsense. Manually edit the - configuration. Make changes to /etc/unbound/unbound.conf. - - option num_threads '1' - Count. Enable multithreading with the "heavy traffic" variant. Base variant - spins each as whole proces and is not efficient. Two threads may be used, - but they use one shared cache slab. More edges into an industrial setup, - and UCI simplificaitons may not be appropriate. - - option protocol 'mixed' - Unbound can limit its protocol used for recursive queries. - ip4_only - old fashioned IPv4 upstream and downstream - ip6_only - test environment only; could cauase problems - ip6_local - upstream IPv4 only and local network IPv4 and IPv6 - ip6_prefer - both IPv4 and IPv6 but try IPv6 first - mixed - both IPv4 and IPv6 - default - Unbound built-in defaults - - option query_minimize '0' - Boolean. Enable a minor privacy option. Don't let each server know the next - recursion. Query one piece at a time. - - option query_min_strict '0' - Boolean. Query minimize is best effort and will fall back to normal when it - must. This option prevents the fall back, but less than standard name - servers will fail to resolve their domains. - - option rebind_localhost '0' - Boolean. Prevent loopback "127.0.0.0/8" or "::1/128" responses. These may - used by black hole servers for good purposes like ad-blocking or parental - access control. Obviously these responses may be used to for bad purposes. - - option rebind_protection '1' - Level. Block your local address responses from global DNS. A poisoned - reponse within "192.168.0.0/24" or "fd00::/8" could turn a local browser - into an external attack proxy server. IP6 GLA may be vulnerable also. - 0 - Off - 1 - Only RFC 1918 and 4193 responses blocked - 2 - Plus GLA /64 on designated interface(s) - 3 - Plus DHCP-PD range passed down interfaces (not implemented) - - option recursion 'passive' - Unbound has many options for recrusion but UCI is bundled for simplicity. - passive - slower until cache fills but kind on CPU load - default - Unbound built-in defaults - aggressive - uses prefetching to handle more requests quickly - - option resource 'small' - Unbound has many options for resources but UCI is bundled for simplicity. - tiny - similar to published memory restricted configuration - small - about half of medium - medium - similar to default, but fixed for consistency - default - Unbound built-in defaults - large - about double of medium - - option root_age '9' - Days. >90 Disables. Age limit for Unbound root data like root DNSSEC key. - Unbound uses RFC 5011 to manage root key. This could harm flash ROM. This - activity is mapped to "tmpfs," but every so often it needs to be copied back - to flash for the next reboot. - - option ttl_min '120' - Seconds. Minimum TTL in cache. Recursion can be expensive without cache. A - low TTL is normal for server migration. A low TTL can be abused for snoop- - vertising (DNS hit counts; recording query IP). Typical to configure maybe - 0~300, but 1800 is the maximum accepted. - - option unbound_control '0' - Level. Enables unbound-control application access ports. - 0 - No unbound-control Access, or add your own in 'unbound_ext.conf' - 1 - Unencrypted Local Host Access - 2 - SSL Local Host Access; auto unbound-control-setup if available - 3 - SSL Network Access; auto unbound-control-setup if available - 4 - SSL Network Access; static key/pem files must already exist - - option validator '0' - Boolean. Enable DNSSEC. Unbound names this the "validator" module. - - option validator_ntp '1' - Boolean. Disable DNSSEC time checks at boot. Once NTP confirms global real - time, then DNSSEC is restarted at full strength. Many embedded devices don't - have a real time power off clock. NTP needs DNS to resolve servers. This - works around the chicken-and-egg. - - option verbosity '1' - Level. Sets Unbounds logging intensity. - - list domain_insecure 'ntp.somewhere.org' - Domain. Domains that you wish to skip DNSSEC. It is one way around NTP - chicken and egg. Your DHCP servered domains are automatically included. - - list trigger_interface 'lan' 'wan' - Interface (logical). This option is a work around for netifd/procd - interaction with WAN DHCPv6. Minor RA or DHCP changes in IP6 can cause - netifd to execute procd interface reload. Limit Unbound procd triggers to - LAN and WAN (IP4 only) to prevent restart @2-3 minutes. - - -config zone - Create Unbounds forward-zone:, stub-zone:, or auth-zone: clauses - - option enabled 1 - Boolean. Enable the zone clause. - - option fallback 1 - Boolean. Permit normal recursion when the narrowly selected servers in this - zone are unresponsive or return empty responses. Disable, if there are - security concerns (forward only internal to organization). - - option port 53 - Port. Servers are contact on this port for plain DNS operations. - - option resolv_conf 0 - Boolean. Use "resolv.conf" as it was filled by the DHCP client. This can be - used to forward zones within your ISP (mail.example.net) or that have co- - located services (streamed-movies.example.com). Recursion may not yield the - most local result, but forwarding may instead. - - option tls_index (n/a) - Domain. Name TLS certificates are signed for (dns.example.net). If this - option is ommitted, then Unbound will make connections but not validate. - - option tls_port 853 - Port. Servers are contact on this port for DNS over TLS operations. - - option tls_upstream 0 - Boolean. Use TLS to contact the zone server. - - option url_dir - String. http or https path, directory part only, to the zone file for - auth_zone type only. Files "${zone_name}.zone" are expect in this path. - - option zone_type (n/a) - State. Required field or the clause is effectively disabled. Check Unbound - documentation for clarity (unbound-conf). - auth_zone - prefetch whole zones from authoritative server (ICANN) - forward_zone - forward queries in these domains to the listed servers - stub_zone - force recursion of these domains to the listed servers - - list server (n/a) - IP. Every zone must have one server. Stub and forward require IP to prevent - chicken and egg (due to UCI simplicity). Authoritative prefetch may use a - server name. - - list zone_name - Domain. Every zone must represent some part of the DNS tree. It can be all - of it "." or you internal organization domain "example.com." Within each - zone clause all zone names will be matched to all servers. -``` - -## Replaced Options - config unbound / option prefetch_root - List the domains in a zone with type auth_zone and fill in the server or url - fields. Root zones are ready but disabled in default install UCI. - - config unbound / list domain_forward - List the domains in a zone with type forward_zone and enable the - resolv_conf option. - - config unbound / list rebind_interface - Enable rebind_protection at 2 and all DHCP interfaces are also protected for - IPV6 GLA (parallel to subnets in add_local_fqdn). +## Complete UCI +### config unbound +One instance is supported currently. +| UCI | Default | Units | Description | Unbound | +| --- | ------- | ----- | ----------- | ------- | +| add_extra_dns | 0 | level | Read OpenWrt traditional options for `dnsmasq`.
`0`: Disabled
`1`: Use only domain
`2`: Use domain, mxhost, and srvhost
`3`: Use all cname, domain, mxhost, and srvhost | local-data: | +| add_local_fqdn | 0 | level | Each level puts a more detailed router entry within the LAN DNS (except link).
`0`: Disabled
`1`: Host name on the primary address
`2`: Host name on all addresses
`3`: FQDN and host name on all addresses
`4`: FQDN defined by "iface.hostname.domain" | local-zone: local-data: | +| add_wan_fqdn | 0 | level | Same as `add_local_fqdn` but on WAN as inferred by `config dhcp` with `option ignore 1`. | local-zone: local-data: | +| dns64 | 0 | boolean | Enable DNS64 RFC6052 to bridge IPv4 and IPv6 networks. | module: dns64 | +| dns64_prefix | 64:ff9b::/96 | subnet | DNS64 RFC6052 IPv4 in IPv6 well known prefix. | dns64-prefix: | +| dhcp_link | none | program | Link to a DHCP server with supported scripts. See HOW TO above. | local-zone: local-data: forward-zone: | +| dhcp4_slaac6 | 0 | boolean | Infer SLAAC IE64 IPv6 addresses from DHCPv4 MAC in DHCP link scripts. | - | +| domain | lan | domain | This will suffix DHCP host records and be the default search domain. | local-zone: | +| domain_insecure | (empty) | domain | **List** domains that you wish to skip DNSSEC. It is one way around NTP chicken and egg. Your DHCP domains are automatically included. | domain-insecure: | +| domain_type | static | state | This allows you to lock down or allow forwarding of the local zone.
`static`: no forwarding like dnsmasq default
`refuse`: answer overtly with REFUSED
`deny`: covertly drop all queries
`transparent`: may continue forwarding or recusion | local-zone: | +| edns_size | 1280 | bytes | Extended DNS is necessary for DNSSEC. Use this to manage MTU issues. | edns-size: | +| extended_stats | 0 | boolean | Extended statistics are stored in Unbound memory for report by `unbound-control`. | extended-statistics: | +| hide_binddata | 1 | boolean | Refuse possible attack queries like version.server, version.bind, id.server, and hostname.bind. | hide-identity: hide-version: | +| interface_auto | 1 | boolean | RECOMMEND ENABLED otherwise Unbound answers to any attached address regardless of query in-address. | interface-automatic: | +| listen_port | 53 | port | Inbound port where Unbound will listen for queries. | port: | +| localservice | 1 | boolean | Prevent DNS amplification attacks. Only answer to subnets this machine has interfaces on. | access-control: | +| manual_conf | 0 | boolean | Skip all this UCI nonsense. Manually edit the configuration in `/etc/unbound/unbound.conf`. | - | +| num_threads | 1 | threads | Enable multithreading. Two are supported with only one cache slab. More becomes an industrial setup, and UCI simplificaitons may not be appropriate. | num-threads: | +| protocol | mixed | state | Limit Unbound protocols for recursion or forwarding.
`ip4_only`: old fashioned IPv4 upstream and downstream
`ip6_only`: test environment only; could cauase problems
`ip6_local`: upstream IPv4 only and local network IPv4 and IPv6
`ip6_prefer`: both IPv4 and IPv6 but try IPv6 first
`mixed`: both IPv4 and IPv6
`default`: built-in defaults | do-ip4: do-ip6: prefer-ip6: interface: | +| query_minimize | 0 | boolean | Enable a minor privacy option. Query one domain piece at a time (dot separator). | qname-minimisation: | +| query_min_strict | 0 | boolean | Query minimize may fall back to normal. This prevents the fall back, but non-standard name servers will fail. | qname-minimisation-strict: | +| rate_limit | 0 | query/s | Limit the total number of queries and queries per client by half that. Disabled by setting 0. | ratelimit: ip-ratelimit: | +| rebind_localhost | 0 | boolean | Prevent loopback addresses `127.0.0.0/8` or `::1` in upstream responses. They could be a good black hole server or a spring board attack. | private-address: | +| rebind_protection | 1 | level | Prevent your local addresses from being allowed in upstream responses. They could be a spring board attack.
`0`: Disabled
`1`: Only RFC 1918 and 4193 responses blocked
`2`: Above plus GLA /64 on machine
`3`: Above plus DHCP-PD passed down (not implemented) | private-address: | +| recursion | passive | state | Unbound has many options for recrusion but UCI is bundled for simplicity.
`passive`: slower until cache fills but kind on CPU load
`default`: built-in defaults
`aggressive`: uses prefetching to handle more requests quickly | (many) | +| resource | small | state | Unbound has many options for memory resources but UCI is bundled for simplicity.
`tiny`: similar to published memory restricted configuration
`small`: about half of medium
`medium`: similar to default
`default`: built-in defaults
`large`: about double of medium | \*-cache-size: | +| root_age | 9 | day | >90 Disables. Age limit for root data like root DNSSEC key. Scripts will copy from `tmps` to flash ROM with this limit to save write life. | - | +| trigger_interface | lan wan | interface | **List** interfaces to watch IFUP to restart Unbound. This works around `netifd` and `procd` hyper activity with WAN DHCPv6 (else restart each 2-3 minutes). | - | +| ttl_min | 120 | second | Minimum TTL in cache to avoid abused low TTL for snoop-vertising and non-standard load balancing. Typical to configure maybe 0~300 but 1800 is the maximum accepted. | cache-min-ttl: | +| unbound_control | 0 | level | Enables `unbound-control` application access ports.
`0`: None else add your own in unbound_ext.conf
`1`: Unencrypted Local Host Access
`2`: SSL Local Host Access w/ auto unbound-control-setup
`3`: SSL Network Access w/ auto unbound-control-setup
`4`: SSL Network Access; static key/pem files must already exist | unbound-control: ... (clause) | +| validator | 0 | boolean | Enable DNSSEC validator module. | module: validator | +| validator_ntp | 1 | boolean | Disable DNSSEC time checks at boot and restart when NTP locks in time. DNSSEC requires time validation and this breaks the chicken and egg. | - | +| verbosity | 1 | level | Logging inensity. | verbosity: | + +### config zone +Confingure any mix of Unbound `forward-zone:`, `stub-zone:`, or `auth-zone:` clauses. These sections are more compact than Unbound and will unroll into Unbound's configuration syntax. +| UCI | Default | Units | Description | Unbound | +| --- | ------- | ----- | ----------- | ------- | +| dns_assist | none | program | Check against local host forwarding by requiring a target program to exist and be enabled else do not permit forwarding `127.0.0.0/8` or `::1`. Includes bind, dnsmasq, ipset-dns, and nsd. | forward-addr: | +| enabled | 0 | boolean | turn zone on or off without deleting it | - | +| fallback | 1 | boolean | Allow this zone to fall through to other zones or recursion. | forward-first: | +| port | 53 | port | Target server's target port for plain DNS operations. | (auto 192.0.2.53 \#53) +| resolv_conf | 0 | boolean | Use resolv.conf servers as it was filled by the DHCP client. For example your ISP services (mail.example.net) or co-located services (streamed-movies.example.com). | - | +| server | (empty) | address domain | Required **list** to target servers. Full form is accepted but not required `192.0.2.53#53@dns.exmple.net`. Stub zones must use an IP address. | master: forward-host: forward-addr: stub-addr: | +| tls_index | (empty) | domain | TLS certifiicated signature index. If ommitted, Unbound encrypts but does not validate. | (auto 192.0.2.53 \#853 \@dns.example.net) | +| tls_port | 853 | port | Target server's target port for TLS DNS operations. | (auto 192.0.2.53 \#853) | +| tls_upstream | 0 | boolean | Use TLS to contact the zone server. | forward-tls-upstream: | +| url_dir | (empty) | string | Directory only path by http or https to get authoritative zone files. | url: | +| zone_name | (empty) | domain | Required **list** to select domains subject to this zone section. You can forward the root `.` zone or just your organizaiton `example.com.` | name: | +| zone_type | (empty) | state | Required option to create an Unbound zone clause.
`auth_zone`: prefetch whole zones from authoritative server
`forward_zone`: forward queries by domain name (like dnsmasq)
`stub_zone`: direct authoritative lookup by domain name | auth-zone: forward-zone: stub-zone: ... (clauses) | diff --git a/net/unbound/files/defaults.sh b/net/unbound/files/defaults.sh index ffbd00336..c26511941 100644 --- a/net/unbound/files/defaults.sh +++ b/net/unbound/files/defaults.sh @@ -26,7 +26,6 @@ UB_HOST_CONF=$UB_VARDIR/host.conf.tmp UB_DHCP_CONF=$UB_VARDIR/dhcp.conf UB_ZONE_CONF=$UB_VARDIR/zone.conf.tmp UB_CTRL_CONF=$UB_VARDIR/ctrl.conf.tmp -UB_ASSIST_CONF=$UB_VARDIR/assist.conf.tmp UB_SRVMASQ_CONF=$UB_VARDIR/dnsmasq_srv.conf.tmp UB_EXTMASQ_CONF=$UB_VARDIR/dnsmasq_ext.conf.tmp UB_SRV_CONF=$UB_VARDIR/unbound_srv.conf diff --git a/net/unbound/files/dnsmasq.sh b/net/unbound/files/dnsmasq.sh index 54e4e85e6..6dcbaecd8 100644 --- a/net/unbound/files/dnsmasq.sh +++ b/net/unbound/files/dnsmasq.sh @@ -173,7 +173,7 @@ dnsmasq_local_zone() { if [ -n "$fwd_domain" ] && [ -n "$fwd_port" ] \ - && [ ! "${fwd_port:-53}" -eq 53 ] ; then + && [ ! ${fwd_port:-53} -eq 53 ] ; then # dnsmasq localhost listening ports (possible multiple instances) DM_LIST_FWD_PORTS="$DM_LIST_FWD_PORTS $fwd_port" DM_LIST_FWD_ZONES="$DM_LIST_FWD_ZONES $fwd_domain" @@ -194,7 +194,7 @@ dnsmasq_local_arpa() { fi - if [ -n "$UB_LIST_NETW_WAN" ] && [ "$DM_D_WAN_FQDN" -gt 0 ] ; then + if [ -n "$UB_LIST_NETW_WAN" ] && [ $DM_D_WAN_FQDN -gt 0 ] ; then for ifsubnet in $UB_LIST_NETW_WAN ; do ifarpa=$( domain_ptr_any "${ifsubnet#*@}" ) DM_LIST_FWD_ZONES="$DM_LIST_FWD_ZONES $ifarpa" @@ -208,20 +208,20 @@ dnsmasq_inactive() { local record - if [ "$UB_D_EXTRA_DNS" -gt 0 ] ; then + if [ $UB_D_EXTRA_DNS -gt 0 ] ; then # Parasite from the uci.dhcp.domain clauses DM_LIST_KNOWN_ZONES="$DM_LIST_KNOWN_ZONES $UB_TXT_DOMAIN" config_load dhcp config_foreach create_host_record domain - if [ "$UB_D_EXTRA_DNS" -gt 1 ] ; then + if [ $UB_D_EXTRA_DNS -gt 1 ] ; then config_foreach create_srv_record srvhost config_foreach create_mx_record mxhost fi - if [ "$UB_D_EXTRA_DNS" -gt 2 ] ; then + if [ $UB_D_EXTRA_DNS -gt 2 ] ; then config_foreach create_cname_record cname fi @@ -262,12 +262,17 @@ dnsmasq_active() { if [ -n "$DM_LIST_FWD_PORTS" ] && [ -n "$DM_LIST_FWD_ZONES" ] ; then - { - # Forward to dnsmasq on same host for DHCP lease hosts - echo "# $UB_SRVMASQ_CONF generated by UCI $( date -Is )" - echo " do-not-query-localhost: no" - echo - } > $UB_SRVMASQ_CONF + if [ $UB_B_DNS_ASSIST -lt 1 ] ; then + { + # Forward to dnsmasq on same host for DHCP lease hosts + echo "# $UB_SRVMASQ_CONF generated by UCI $( date -Is )" + echo " do-not-query-localhost: no" + echo + } > $UB_SRVMASQ_CONF + + else + echo > $UB_SRVMASQ_CONF + fi echo "# $UB_EXTMASQ_CONF generated by UCI $( date -Is )" > $UB_EXTMASQ_CONF diff --git a/net/unbound/files/iptools.sh b/net/unbound/files/iptools.sh index 346e4e59d..f25265d0f 100644 --- a/net/unbound/files/iptools.sh +++ b/net/unbound/files/iptools.sh @@ -82,7 +82,7 @@ domain_ptr_ip4() { ############################################################################## host_ptr_ip4() { - # Get omplete host ...in-addr.arpa. + # Get complete host ...in-addr.arpa. echo "$1" | awk -F. \ '{ x = ( $4"."$3"."$2"."$1".in-addr.arpa" ) ; sub(/\/[0-9]+/,"",x) ; @@ -136,6 +136,7 @@ valid_subnet_any() { echo "not" fi } + ############################################################################## private_subnet() { @@ -152,6 +153,17 @@ private_subnet() { ############################################################################## +local_subnet() { + # local subnet 2nd place is limited to one digit to improve the filter + case "$1" in + 127"."[0-9]"."[0-9]*) echo "ok" ;; + ::1) echo "ok" ;; + *) echo "not" ;; + esac +} + +############################################################################## + domain_ptr_any() { local subnet=$1 local arpa validip4 validip6 diff --git a/net/unbound/files/odhcpd.sh b/net/unbound/files/odhcpd.sh index ecfba9ebb..e4d4e318f 100644 --- a/net/unbound/files/odhcpd.sh +++ b/net/unbound/files/odhcpd.sh @@ -37,30 +37,39 @@ odhcpd_zonedata() { if [ -f "$UB_TOTAL_CONF" ] && [ -f "$dhcp_origin" ] \ && [ "$dhcp_link" = "odhcpd" ] && [ -n "$dhcp_domain" ] ; then - local longconf dateconf + local longconf dateconf dateoldf local dns_ls_add=$UB_VARDIR/dhcp_dns.add local dns_ls_del=$UB_VARDIR/dhcp_dns.del local dns_ls_new=$UB_VARDIR/dhcp_dns.new local dns_ls_old=$UB_VARDIR/dhcp_dns.old local dhcp_ls_new=$UB_VARDIR/dhcp_lease.new - # Capture the lease file which could be changing often - sort $dhcp_origin > $dhcp_ls_new - if [ ! -f $UB_DHCP_CONF ] || [ ! -f $dns_ls_old ] ; then # no old files laying around + touch $dns_ls_old + sort $dhcp_origin > $dhcp_ls_new longconf=freshstart else # incremental at high load or full refresh about each 5 minutes dateconf=$(( $( date +%s ) - $( date -r $UB_DHCP_CONF +%s ) )) + dateoldf=$(( $( date +%s ) - $( date -r $dns_ls_old +%s ) )) if [ $dateconf -gt 300 ] ; then + touch $dns_ls_old + sort $dhcp_origin > $dhcp_ls_new longconf=longtime - else + + elif [ $dateoldf -gt 3 ] ; then + touch $dns_ls_old + sort $dhcp_origin > $dhcp_ls_new longconf=increment + + else + # odhcpd is rapidly updating leases a race condition could occur + longconf=skip fi fi @@ -74,6 +83,8 @@ odhcpd_zonedata() { cp $dns_ls_new $dns_ls_add cp $dns_ls_new $dns_ls_old + cat $dns_ls_add | $UB_CONTROL_CFG local_datas + rm -f $dns_ls_new $dns_ls_del $dns_ls_add $dhcp_ls_new ;; longtime) @@ -85,9 +96,12 @@ odhcpd_zonedata() { awk '{ print $1 }' $dns_ls_old | sort | uniq > $dns_ls_del cp $dns_ls_new $dns_ls_add cp $dns_ls_new $dns_ls_old + cat $dns_ls_del | $UB_CONTROL_CFG local_datas_remove + cat $dns_ls_add | $UB_CONTROL_CFG local_datas + rm -f $dns_ls_new $dns_ls_del $dns_ls_add $dhcp_ls_new ;; - *) + increment) # incremental add and prepare the old list for delete later # unbound-control can be slow so high DHCP rates cannot run a full list awk -v conffile=$UB_DHCP_CONF -v pipefile=$dns_ls_new \ @@ -97,22 +111,14 @@ odhcpd_zonedata() { sort $dns_ls_new $dns_ls_old $dns_ls_old | uniq -u > $dns_ls_add sort $dns_ls_new $dns_ls_old | uniq > $dns_ls_old - ;; - esac - - - if [ -f "$dns_ls_del" ] ; then - cat $dns_ls_del | $UB_CONTROL_CFG local_datas_remove - fi - - - if [ -f "$dns_ls_add" ] ; then cat $dns_ls_add | $UB_CONTROL_CFG local_datas - fi - + rm -f $dns_ls_new $dns_ls_del $dns_ls_add $dhcp_ls_new + ;; - # prepare next round - rm -f $dns_ls_new $dns_ls_del $dns_ls_add $dhcp_ls_new + *) + echo "do nothing" >/dev/null + ;; + esac fi } diff --git a/net/unbound/files/stopping.sh b/net/unbound/files/stopping.sh index cf0ce0561..826a40ac6 100644 --- a/net/unbound/files/stopping.sh +++ b/net/unbound/files/stopping.sh @@ -43,7 +43,7 @@ rootkey_update() { [ -z "$dnssec_age" ] && dnssec_age=9 - if [ "$dnssec_age" -gt 90 ] || [ "$dnssec" -lt 1 ] ; then + if [ $dnssec_age -gt 90 ] || [ $dnssec -lt 1 ] ; then # Feature disabled return 0 @@ -79,7 +79,7 @@ rootkey_update() { fi - if [ "$rootkey_age" -gt "$dnssec_age" ] ; then + if [ $rootkey_age -gt $dnssec_age ] ; then filestuff=$( cat $UB_RKEY_FILE ) diff --git a/net/unbound/files/unbound.init b/net/unbound/files/unbound.init index 2f2df1483..fa94a3b35 100755 --- a/net/unbound/files/unbound.init +++ b/net/unbound/files/unbound.init @@ -67,14 +67,13 @@ service_triggers() { procd_add_raw_trigger "interface.*.up" 3000 /etc/init.d/unbound restart elif [ -n "$triggers" ] ; then - procd_add_reload_trigger "unbound" "dhcp" - - for trigger in $triggers ; do # User selected triggers to restart at any other time procd_add_reload_interface_trigger "$trigger" done + procd_add_reload_trigger "unbound" "dhcp" + else procd_add_reload_trigger "unbound" "dhcp" fi diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh index 71bb2fd9f..788aa5dd9 100644 --- a/net/unbound/files/unbound.sh +++ b/net/unbound/files/unbound.sh @@ -23,25 +23,25 @@ # ############################################################################## -UB_B_SLAAC6_MAC=0 +UB_B_AUTH_ROOT=0 +UB_B_DNS_ASSIST=0 UB_B_DNSSEC=0 UB_B_DNS64=0 UB_B_EXT_STATS=0 UB_B_GATE_NAME=0 UB_B_HIDE_BIND=1 +UB_B_IF_AUTO=1 UB_B_LOCL_BLCK=0 UB_B_LOCL_SERV=1 UB_B_MAN_CONF=0 UB_B_NTP_BOOT=1 UB_B_QUERY_MIN=0 UB_B_QRY_MINST=0 -UB_B_AUTH_ROOT=0 -UB_B_IF_AUTO=1 +UB_B_SLAAC6_MAC=0 UB_D_CONTROL=0 UB_D_DOMAIN_TYPE=static UB_D_DHCP_LINK=none -UB_D_DNS_ASSIST=none UB_D_EXTRA_DNS=0 UB_D_LAN_FQDN=0 UB_D_PRIV_BLCK=1 @@ -57,6 +57,7 @@ UB_N_EDNS_SIZE=1280 UB_N_RX_PORT=53 UB_N_ROOT_AGE=9 UB_N_THREADS=1 +UB_N_RATE_LMT=0 UB_TTL_MIN=120 UB_TXT_DOMAIN=lan @@ -123,7 +124,7 @@ bundle_lan_networks() { ifdashname="${ifname//./-}" - if [ "$ignore" -eq 0 ] && [ -n "$ifdashname" ] \ + if [ $ignore -eq 0 ] && [ -n "$ifdashname" ] \ && [ -n "$UB_LIST_NETW_ALL" ] ; then for ifsubnet in $UB_LIST_NETW_ALL ; do case $ifsubnet in @@ -225,7 +226,7 @@ unbound_mkdir() { # Debian-like package dns-root-data cp -p /usr/share/dns/root.hints $UB_RHINT_FILE - elif [ "$UB_B_READY" -eq 0 ] ; then + elif [ $UB_B_READY -eq 0 ] ; then logger -t unbound -s "default root hints (built in root-servers.net)" fi fi @@ -239,7 +240,7 @@ unbound_mkdir() { elif [ -x $UB_ANCHOR ] ; then $UB_ANCHOR -a $UB_RKEY_FILE - elif [ "$UB_B_READY" -eq 0 ] ; then + elif [ $UB_B_READY -eq 0 ] ; then logger -t unbound -s "default trust anchor (built in root DS record)" fi fi @@ -296,7 +297,7 @@ unbound_mkdir() { UB_B_READY=1 UB_B_NTP_BOOT=0 - elif [ "$UB_B_NTP_BOOT" -eq 0 ] ; then + elif [ $UB_B_NTP_BOOT -eq 0 ] ; then # time is considered okay on this device (ignore /etc/hotplug/ntpd/unbound) date -Is > $UB_TIME_FILE UB_B_READY=0 @@ -315,7 +316,7 @@ unbound_control() { echo "# $UB_CTRL_CONF generated by UCI $( date -Is )" > $UB_CTRL_CONF - if [ "$UB_D_CONTROL" -gt 1 ] ; then + if [ $UB_D_CONTROL -gt 1 ] ; then if [ ! -f $UB_CTLKEY_FILE ] || [ ! -f $UB_CTLPEM_FILE ] \ || [ ! -f $UB_SRVKEY_FILE ] || [ ! -f $UB_SRVPEM_FILE ] ; then # Key files need to be present; if unbound-control-setup was found, then @@ -376,44 +377,13 @@ unbound_control() { ############################################################################## -unbound_assistant() { - local port=53000 - - case "$UB_D_DNS_ASSIST" in - ipset-dns) - port=$( uci_get ipset-dns.@ipset-dns[0].port ) - - if [ ! -f "$UB_ASSIST_CONF" ] \ - && [ $port -gt 0 ] && [ $port -lt 65535 ] ; then - { - echo "# $UB_ASSIST_CONF generated by UCI $( date -Is )" - echo "forward-zone:" - echo " name: ." - echo " forward-addr: 127.0.0.1@$port" - echo " forward-first: no" - } > $UB_ASSIST_CONF - fi - ;; - - nsd) - echo "# Sorry, NSD does not have UCI to read and link." >> $UB_ASSIST_CONF - ;; - - bind) - echo "# Sorry, Bind does not have UCI to read and link." >> $UB_ASSIST_CONF - ;; - esac -} - -############################################################################## - unbound_zone() { local cfg=$1 local servers_ip="" local servers_host="" local zone_sym zone_name zone_type zone_enabled zone_file local tls_upstream fallback - local server port tls_port tls_index tls_suffix url_dir + local server port tls_port tls_index tls_suffix url_dir dns_ast if [ ! -f "$UB_ZONE_CONF" ] ; then echo "# $UB_ZONE_CONF generated by UCI $( date -Is )" > $UB_ZONE_CONF @@ -423,7 +393,7 @@ unbound_zone() { config_get_bool zone_enabled "$cfg" enabled 0 - if [ "$zone_enabled" -eq 1 ] ; then + if [ $zone_enabled -eq 1 ] ; then # these lists are built for each zone; empty to start UB_LIST_ZONE_NAMES="" UB_LIST_ZONE_SERVERS="" @@ -433,6 +403,7 @@ unbound_zone() { config_get tls_index "$cfg" tls_index "" config_get tls_port "$cfg" tls_port 853 config_get url_dir "$cfg" url_dir "" + config_get dns_ast "$cfg" dns_assist none config_get_bool resolv_conf "$cfg" resolv_conf 0 config_get_bool fallback "$cfg" fallback 1 @@ -443,8 +414,8 @@ unbound_zone() { # string formating for Unbound syntax tls_suffix="${tls_port:+@${tls_port}${tls_index:+#${tls_index}}}" - [ "$fallback" -eq 0 ] && fallback=no || fallback=yes - [ "$tls_upstream" -eq 0 ] && tls_upstream=no || tls_upstream=yes + [ $fallback -eq 0 ] && fallback=no || fallback=yes + [ $tls_upstream -eq 0 ] && tls_upstream=no || tls_upstream=yes if [ $resolv_conf -eq 1 ] ; then @@ -456,9 +427,70 @@ unbound_zone() { fi + case "$dns_ast" in + bind) + if [ -x /usr/sbin/bind ] && [ -x /etc/init.d/bind ] ; then + if /etc/init.d/bind enabled ; then + dns_ast=1 + else + dns_ast=0 + fi + else + dns_ast=0 + fi + ;; + + dnsmasq) + if [ -x /usr/sbin/dnsmasq ] && [ -x /etc/init.d/dnsmasq ] ; then + if /etc/init.d/dnsmasq enabled ; then + dns_ast=1 + else + dns_ast=0 + fi + else + dns_ast=0 + fi + ;; + + ipset-dns) + if [ -x /usr/sbin/ipset-dns ] && [ -x /etc/init.d/ipset-dns ] ; then + if /etc/init.d/ipset-dns enabled ; then + dns_ast=1 + else + dns_ast=0 + fi + else + dns_ast=0 + fi + ;; + + nsd) + if [ -x /usr/sbin/nsd ] && [ -x /etc/init.d/nsd ] ; then + if /etc/init.d/nsd enabled ; then + dns_ast=1 + else + dns_ast=0 + fi + else + dns_ast=0 + fi + ;; + + *) + # Prevent a soft-brick event through local forwarding loops. Declare your + # assistant program and this will check to be sure it is there. + dns_ast=0 + esac + + + if [ $dns_ast -gt 0 ] ; then + UB_B_DNS_ASSIST=1 + fi + + case $zone_type in auth_zone) - if [ "$UB_B_NTP_BOOT" -eq 0 ] && [ -n "$UB_LIST_ZONE_NAMES" ] \ + if [ $UB_B_NTP_BOOT -eq 0 ] && [ -n "$UB_LIST_ZONE_NAMES" ] \ && { [ -n "$url_dir" ] || [ -n "$UB_LIST_ZONE_SERVERS" ] ; } ; then # Note AXFR may have large downloads. If NTP restart is configured, # then this can cause procd to force a process kill. @@ -503,18 +535,20 @@ unbound_zone() { if [ -n "$UB_LIST_ZONE_NAMES" ] && [ -n "$UB_LIST_ZONE_SERVERS" ] ; then for server in $UB_LIST_ZONE_SERVERS ; do - if [ "$( valid_subnet_any $server )" = "not" ] ; then + if [ "$( valid_subnet_any $server )" = "ok" ] \ + || { [ "$( local_subnet $server )" = "ok" ] \ + && [ $dns_ast -gt 0 ] ; } ; then case $server in *@[0-9]*|*#[A-Za-z0-9]*) - # unique Unbound option for server host name - servers_host="$servers_host $server" + # unique Unbound option for server address + servers_ip="$servers_ip $server" ;; *) if [ "$tls_upstream" = "yes" ] ; then - servers_host="$servers_host $server${tls_port:+@${tls_port}}" + servers_ip="$servers_ip $server$tls_suffix" else - servers_host="$servers_host $server${port:+@${port}}" + servers_ip="$servers_ip $server${port:+@${port}}" fi ;; esac @@ -522,15 +556,15 @@ unbound_zone() { else case $server in *@[0-9]*|*#[A-Za-z0-9]*) - # unique Unbound option for server address - servers_ip="$servers_ip $server" + # unique Unbound option for server host name + servers_host="$servers_host $server" ;; *) if [ "$tls_upstream" = "yes" ] ; then - servers_ip="$servers_ip $server$tls_suffix" + servers_host="$servers_host $server${tls_port:+@${tls_port}}" else - servers_ip="$servers_ip $server${port:+@${port}}" + servers_host="$servers_host $server${port:+@${port}}" fi ;; esac @@ -573,6 +607,13 @@ unbound_zone() { done fi ;; + + *) + { + echo " # Special zone $zonename was not enabled or had UCI conflicts." + echo + } >> $UB_ZONE_CONF + ;; esac } @@ -605,7 +646,7 @@ unbound_conf() { fi - if [ "$UB_B_DNSSEC" -gt 0 ] && [ -f "$UB_RKEY_FILE" ] ; then + if [ $UB_B_DNSSEC -gt 0 ] && [ -f "$UB_RKEY_FILE" ] ; then { echo " auto-trust-anchor-file: $UB_RKEY_FILE" echo @@ -616,7 +657,7 @@ unbound_conf() { fi - if [ "$UB_N_THREADS" -gt 1 ] \ + if [ $UB_N_THREADS -gt 1 ] \ && $PROG -V | grep -q "Linked libs:.*libevent" ; then # heavy variant using "threads" may need substantial resources echo " num-threads: 2" >> $UB_CORE_CONF @@ -632,6 +673,8 @@ unbound_conf() { echo " rrset-cache-slabs: 1" echo " infra-cache-slabs: 1" echo " key-cache-slabs: 1" + echo " ratelimit-slabs: 1" + echo " ip-ratelimit-slabs: 1" echo # Logging echo " use-syslog: yes" @@ -640,12 +683,12 @@ unbound_conf() { } >> $UB_CORE_CONF - if [ "$UB_D_VERBOSE" -ge 0 ] && [ "$UB_D_VERBOSE" -le 5 ] ; then + if [ $UB_D_VERBOSE -ge 0 ] && [ $UB_D_VERBOSE -le 5 ] ; then echo " verbosity: $UB_D_VERBOSE" >> $UB_CORE_CONF fi - if [ "$UB_B_EXT_STATS" -gt 0 ] ; then + if [ $UB_B_EXT_STATS -gt 0 ] ; then { # Log More echo " extended-statistics: yes" @@ -661,16 +704,14 @@ unbound_conf() { fi - if [ "$UB_B_IF_AUTO" -gt 0 ] ; then + if [ $UB_B_IF_AUTO -gt 0 ] ; then echo " interface-automatic: yes" >> $UB_CORE_CONF fi - case "$UB_D_DNS_ASSIST" in - bind|ipset-dns|nsd) + if [ $UB_B_DNS_ASSIST -gt 0 ] ; then echo " do-not-query-localhost: no" >> $UB_CORE_CONF - ;; - esac + fi case "$UB_D_PROTOCOL" in @@ -747,7 +788,7 @@ unbound_conf() { ;; *) - if [ "$UB_B_READY" -eq 0 ] ; then + if [ $UB_B_READY -eq 0 ] ; then logger -t unbound -s "default protocol configuration" fi @@ -767,19 +808,19 @@ unbound_conf() { case "$UB_D_RESOURCE" in # Tiny - Unbound's recommended cheap hardware config - tiny) rt_mem=1 ; rt_conn=2 ; rt_buff=1 ;; + tiny) rt_mem=1 ; rt_conn=5 ; rt_buff=1 ;; # Small - Half RRCACHE and open ports small) rt_mem=8 ; rt_conn=10 ; rt_buff=2 ;; # Medium - Nearly default but with some added balancintg - medium) rt_mem=16 ; rt_conn=15 ; rt_buff=4 ;; + medium) rt_mem=16 ; rt_conn=20 ; rt_buff=4 ;; # Large - Double medium - large) rt_mem=32 ; rt_conn=20 ; rt_buff=4 ;; + large) rt_mem=32 ; rt_conn=50 ; rt_buff=4 ;; # Whatever unbound does *) rt_mem=0 ; rt_conn=0 ;; esac - if [ "$rt_mem" -gt 0 ] ; then + if [ $rt_mem -gt 0 ] ; then { # Other harding and options for an embedded router echo " harden-short-bufsize: yes" @@ -795,13 +836,16 @@ unbound_conf() { echo " incoming-num-tcp: $(($rt_conn))" echo " rrset-cache-size: $(($rt_mem*256))k" echo " msg-cache-size: $(($rt_mem*128))k" + echo " stream-wait-size: $(($rt_mem*128))k" echo " key-cache-size: $(($rt_mem*128))k" - echo " neg-cache-size: $(($rt_mem*64))k" + echo " neg-cache-size: $(($rt_mem*32))k" + echo " ratelimit-size: $(($rt_mem*32))k" + echo " ip-ratelimit-size: $(($rt_mem*32))k" echo " infra-cache-numhosts: $(($rt_mem*256))" echo } >> $UB_CORE_CONF - elif [ "$UB_B_READY" -eq 0 ] ; then + elif [ $UB_B_READY -eq 0 ] ; then logger -t unbound -s "default memory configuration" fi @@ -818,8 +862,8 @@ unbound_conf() { esac - if [ "$UB_B_DNSSEC" -gt 0 ] ; then - if [ "$UB_B_NTP_BOOT" -gt 0 ] ; then + if [ $UB_B_DNSSEC -gt 0 ] ; then + if [ $UB_B_NTP_BOOT -gt 0 ] ; then # DNSSEC chicken and egg with getting NTP time echo " val-override-date: -1" >> $UB_CORE_CONF fi @@ -843,7 +887,7 @@ unbound_conf() { esac - if [ "$UB_B_DNS64" -gt 0 ] ; then + if [ $UB_B_DNS64 -gt 0 ] ; then echo " dns64-prefix: $UB_IP_DNS64" >> $UB_CORE_CONF modulestring="dns64 $modulestring" @@ -861,16 +905,16 @@ unbound_conf() { passive) { # Some query privacy but "strict" will break some servers - if [ "$UB_B_QRY_MINST" -gt 0 ] && [ "$UB_B_QUERY_MIN" -gt 0 ] ; then + if [ $UB_B_QRY_MINST -gt 0 ] && [ "$UB_B_QUERY_MIN" -gt 0 ] ; then echo " qname-minimisation: yes" echo " qname-minimisation-strict: yes" - elif [ "$UB_B_QUERY_MIN" -gt 0 ] ; then + elif [ $UB_B_QUERY_MIN -gt 0 ] ; then echo " qname-minimisation: yes" else echo " qname-minimisation: no" fi # Use DNSSEC to quickly understand NXDOMAIN ranges - if [ "$UB_B_DNSSEC" -gt 0 ] ; then + if [ $UB_B_DNSSEC -gt 0 ] ; then echo " aggressive-nsec: yes" echo " prefetch-key: no" fi @@ -884,16 +928,16 @@ unbound_conf() { aggressive) { # Some query privacy but "strict" will break some servers - if [ "$UB_B_QRY_MINST" -gt 0 ] && [ "$UB_B_QUERY_MIN" -gt 0 ] ; then + if [ $UB_B_QRY_MINST -gt 0 ] && [ $UB_B_QUERY_MIN -gt 0 ] ; then echo " qname-minimisation: yes" echo " qname-minimisation-strict: yes" - elif [ "$UB_B_QUERY_MIN" -gt 0 ] ; then + elif [ $UB_B_QUERY_MIN -gt 0 ] ; then echo " qname-minimisation: yes" else echo " qname-minimisation: no" fi # Use DNSSEC to quickly understand NXDOMAIN ranges - if [ "$UB_B_DNSSEC" -gt 0 ] ; then + if [ $UB_B_DNSSEC -gt 0 ] ; then echo " aggressive-nsec: yes" echo " prefetch-key: yes" fi @@ -905,13 +949,24 @@ unbound_conf() { ;; *) - if [ "$UB_B_READY" -eq 0 ] ; then + if [ $UB_B_READY -eq 0 ] ; then logger -t unbound -s "default recursion configuration" fi ;; esac + if [ 10 -lt $UB_N_RATE_LMT ] && [ $UB_N_RATE_LMT -lt 100000 ] ; then + { + # Protect the server from query floods which is helpful on weaker CPU + # Per client rate limit is half the maximum to leave head room open + echo " ratelimit: $UB_N_RATE_LMT" + echo " ip-ratelimit: $(($UB_N_RATE_LMT/2))" + echo + } >> $UB_CORE_CONF + fi + + { # Reload records more than 20 hours old # DNSSEC 5 minute bogus cool down before retry @@ -924,7 +979,7 @@ unbound_conf() { } >> $UB_CORE_CONF - if [ "$UB_B_HIDE_BIND" -gt 0 ] ; then + if [ $UB_B_HIDE_BIND -gt 0 ] ; then { # Block server id and version DNS TXT records echo " hide-identity: yes" @@ -934,7 +989,7 @@ unbound_conf() { fi - if [ "$UB_D_PRIV_BLCK" -gt 0 ] ; then + if [ $UB_D_PRIV_BLCK -gt 0 ] ; then { # Remove _upstream_ or global reponses with private addresses. # Unbounds own "local zone" and "forward zone" may still use these. @@ -951,7 +1006,7 @@ unbound_conf() { fi - if [ -n "$UB_LIST_NETW_LAN" ] && [ "$UB_D_PRIV_BLCK" -gt 1 ] ; then + if [ -n "$UB_LIST_NETW_LAN" ] && [ $UB_D_PRIV_BLCK -gt 1 ] ; then { for ifsubnet in $UB_LIST_NETW_LAN ; do case $ifsubnet in @@ -966,7 +1021,7 @@ unbound_conf() { fi - if [ "$UB_B_LOCL_BLCK" -gt 0 ] ; then + if [ $UB_B_LOCL_BLCK -gt 0 ] ; then { # Remove DNS reponses from upstream with loopback IP # Black hole DNS method for ad blocking, so consider... @@ -988,7 +1043,7 @@ unbound_conf() { fi - if [ "$UB_B_LOCL_SERV" -gt 0 ] && [ -n "$UB_LIST_NETW_ALL" ] ; then + if [ $UB_B_LOCL_SERV -gt 0 ] && [ -n "$UB_LIST_NETW_ALL" ] ; then { for ifsubnet in $UB_LIST_NETW_ALL ; do # Only respond to queries from subnets which have an interface. @@ -1027,7 +1082,7 @@ unbound_hostname() { } >> $UB_HOST_CONF elif [ -n "$UB_TXT_DOMAIN" ] \ - && { [ "$UB_D_WAN_FQDN" -gt 0 ] || [ "$UB_D_LAN_FQDN" -gt 0 ] ; } ; then + && { [ $UB_D_WAN_FQDN -gt 0 ] || [ $UB_D_LAN_FQDN -gt 0 ] ; } ; then case "$UB_D_DOMAIN_TYPE" in deny|inform_deny|refuse|static) { @@ -1080,7 +1135,7 @@ unbound_hostname() { if [ -n "$ifarpa" ] ; then - if [ "$UB_D_WAN_FQDN" -gt 0 ] ; then + if [ $UB_D_WAN_FQDN -gt 0 ] ; then { # Create a static zone for WAN host record only (singular) echo " domain-insecure: $ifarpa" @@ -1092,7 +1147,7 @@ unbound_hostname() { echo } >> $UB_HOST_CONF - elif [ "$zonetype" -gt 0 ] ; then + elif [ $zonetype -gt 0 ] ; then { echo " local-zone: $ifarpa transparent" echo @@ -1109,7 +1164,7 @@ unbound_hostname() { if [ -n "$ifarpa" ] ; then - if [ "$zonetype" -eq 2 ] ; then + if [ $zonetype -eq 2 ] ; then { # Do NOT forward queries with your ip6.arpa or in-addr.arpa echo " domain-insecure: $ifarpa" @@ -1120,7 +1175,7 @@ unbound_hostname() { echo } >> $UB_HOST_CONF - elif [ "$zonetype" -eq 1 ] && [ "$UB_D_PRIV_BLCK" -eq 0 ] ; then + elif [ $zonetype -eq 1 ] && [ $UB_D_PRIV_BLCK -eq 0 ] ; then { echo " local-zone: $ifarpa transparent" echo @@ -1142,7 +1197,7 @@ unbound_hostname() { fi - if [ "$UB_LIST_NETW_LAN" ] && [ "$UB_D_LAN_FQDN" -gt 0 ] ; then + if [ "$UB_LIST_NETW_LAN" ] && [ $UB_D_LAN_FQDN -gt 0 ] ; then for ifsubnet in $UB_LIST_NETW_LAN ; do ifaddr=${ifsubnet#*@} ifaddr=${ifaddr%/*} @@ -1150,12 +1205,12 @@ unbound_hostname() { iffqdn="$ifname.$hostfqdn" - if [ "$UB_D_LAN_FQDN" -eq 4 ] ; then + if [ $UB_D_LAN_FQDN -eq 4 ] ; then names="$iffqdn $hostfqdn $UB_TXT_HOSTNAME" ptrrec=" local-data-ptr: \"$ifaddr 300 $iffqdn\"" echo "$ptrrec" >> $UB_HOST_CONF - elif [ "$UB_D_LAN_FQDN" -eq 3 ] ; then + elif [ $UB_D_LAN_FQDN -eq 3 ] ; then names="$hostfqdn $UB_TXT_HOSTNAME" ptrrec=" local-data-ptr: \"$ifaddr 300 $hostfqdn\"" echo "$ptrrec" >> $UB_HOST_CONF @@ -1181,7 +1236,7 @@ unbound_hostname() { ;; *) - if [ "$UB_D_LAN_FQDN" -gt 1 ] ; then + if [ $UB_D_LAN_FQDN -gt 1 ] ; then # IP6 GLA is assigned for higher options namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\"" echo "$namerec" >> $UB_HOST_CONF @@ -1194,7 +1249,7 @@ unbound_hostname() { fi - if [ -n "$UB_LIST_NETW_WAN" ] && [ "$UB_D_WAN_FQDN" -gt 0 ] ; then + if [ -n "$UB_LIST_NETW_WAN" ] && [ $UB_D_WAN_FQDN -gt 0 ] ; then for ifsubnet in $UB_LIST_NETW_WAN ; do ifaddr=${ifsubnet#*@} ifaddr=${ifaddr%/*} @@ -1202,12 +1257,12 @@ unbound_hostname() { iffqdn="$ifname.$hostfqdn" - if [ "$UB_D_WAN_FQDN" -eq 4 ] ; then + if [ $UB_D_WAN_FQDN -eq 4 ] ; then names="$iffqdn $hostfqdn $UB_TXT_HOSTNAME" ptrrec=" local-data-ptr: \"$ifaddr 300 $iffqdn\"" echo "$ptrrec" >> $UB_HOST_CONF - elif [ "$UB_D_WAN_FQDN" -eq 3 ] ; then + elif [ $UB_D_WAN_FQDN -eq 3 ] ; then names="$hostfqdn $UB_TXT_HOSTNAME" ptrrec=" local-data-ptr: \"$ifaddr 300 $hostfqdn\"" echo "$ptrrec" >> $UB_HOST_CONF @@ -1233,7 +1288,7 @@ unbound_hostname() { ;; *) - if [ "$UB_D_WAN_FQDN" -gt 1 ] ; then + if [ $UB_D_WAN_FQDN -gt 1 ] ; then # IP6 GLA is assigned for higher options namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\"" echo "$namerec" >> $UB_HOST_CONF @@ -1276,11 +1331,11 @@ unbound_uci() { config_get UB_N_RX_PORT "$cfg" listen_port 53 config_get UB_N_ROOT_AGE "$cfg" root_age 9 config_get UB_N_THREADS "$cfg" num_threads 1 + config_get UB_N_RATE_LMT "$cfg" rate_limit 0 config_get UB_D_CONTROL "$cfg" unbound_control 0 config_get UB_D_DOMAIN_TYPE "$cfg" domain_type static config_get UB_D_DHCP_LINK "$cfg" dhcp_link none - config_get UB_D_DNS_ASSIST "$cfg" dns_assist none config_get UB_D_EXTRA_DNS "$cfg" add_extra_dns 0 config_get UB_D_LAN_FQDN "$cfg" add_local_fqdn 0 config_get UB_D_PRIV_BLCK "$cfg" rebind_protection 1 @@ -1300,27 +1355,17 @@ unbound_uci() { config_get_bool UB_B_DNSMASQ "$cfg" dnsmasq_link_dns 0 - if [ "$UB_B_DNSMASQ" -gt 0 ] ; then + if [ $UB_B_DNSMASQ -gt 0 ] ; then UB_D_DHCP_LINK=dnsmasq - if [ "$UB_B_READY" -eq 0 ] ; then + if [ $UB_B_READY -eq 0 ] ; then logger -t unbound -s "Please use 'dhcp_link' selector instead" fi fi fi - if [ "$UB_D_DNS_ASSIST" = "none" ] ; then - UB_D_DNS_ASSIST=none - - elif [ ! -x /usr/sbin/bind ] || [ ! -x /etc/init.d/bind ] \ - || [ ! -x /usr/sbin/nsd ] || [ ! -x /etc/init.d/nsd ] \ - || [ ! -x /usr/sbin/ipset-dns ] || [ ! -x /etc/init.d/ipset-dns ] ; then - UB_D_DNS_ASSIST=none - fi - - if [ "$UB_D_DHCP_LINK" = "dnsmasq" ] ; then if [ ! -x /usr/sbin/dnsmasq ] || [ ! -x /etc/init.d/dnsmasq ] ; then UB_D_DHCP_LINK=none @@ -1329,7 +1374,7 @@ unbound_uci() { fi - if [ "$UB_B_READY" -eq 0 ] && [ "$UB_D_DHCP_LINK" = "none" ] ; then + if [ $UB_B_READY -eq 0 ] && [ "$UB_D_DHCP_LINK" = "none" ] ; then logger -t unbound -s "cannot forward to dnsmasq" fi fi @@ -1343,26 +1388,26 @@ unbound_uci() { fi - if [ "$UB_B_READY" -eq 0 ] && [ "$UB_D_DHCP_LINK" = "none" ] ; then + if [ $UB_B_READY -eq 0 ] && [ "$UB_D_DHCP_LINK" = "none" ] ; then logger -t unbound -s "cannot receive records from odhcpd" fi fi - if [ "$UB_N_EDNS_SIZE" -lt 512 ] || [ 4096 -lt "$UB_N_EDNS_SIZE" ] ; then + if [ $UB_N_EDNS_SIZE -lt 512 ] || [ 4096 -lt $UB_N_EDNS_SIZE ] ; then logger -t unbound -s "edns_size exceeds range, using default" UB_N_EDNS_SIZE=1280 fi - if [ "$UB_N_RX_PORT" -ne 53 ] \ - && { [ "$UB_N_RX_PORT" -lt 1024 ] || [ 10240 -lt "$UB_N_RX_PORT" ] ; } ; then + if [ $UB_N_RX_PORT -ne 53 ] \ + && { [ $UB_N_RX_PORT -lt 1024 ] || [ 10240 -lt $UB_N_RX_PORT ] ; } ; then logger -t unbound -s "privileged port or in 5 digits, using default" UB_N_RX_PORT=53 fi - if [ "$UB_TTL_MIN" -gt 1800 ] ; then + if [ $UB_TTL_MIN -gt 1800 ] ; then logger -t unbound -s "ttl_min could have had awful side effects, using 300" UB_TTL_MIN=300 fi @@ -1405,7 +1450,7 @@ unbound_include() { # Incremental Unbound restarts may drop unbound-control records echo "include: $UB_DHCP_CONF" echo - }>> $UB_TOTAL_CONF + } >> $UB_TOTAL_CONF fi @@ -1431,7 +1476,7 @@ unbound_include() { # Pull your own "server:" options here echo "include: $UB_SRV_CONF" echo - }>> $UB_TOTAL_CONF + } >> $UB_TOTAL_CONF fi @@ -1456,13 +1501,6 @@ unbound_include() { fi - if [ -f "$UB_ASSIST_CONF" ] ; then - # UCI found link to DNS helpers - cat $UB_ASSIST_CONF >> $UB_TOTAL_CONF - rm $UB_ASSIST_CONF - fi - - if [ -f "$UB_EXT_CONF" ] ; then { # Pull your own extend feature clauses here @@ -1476,30 +1514,28 @@ unbound_include() { resolv_setup() { if [ "$UB_N_RX_PORT" != "53" ] ; then - return + # unbound is not the default on target resolver + echo "do nothing" >/dev/null elif [ -x /etc/init.d/dnsmasq ] \ && /etc/init.d/dnsmasq enabled \ && nslookup localhost 127.0.0.1#53 >/dev/null 2>&1 ; then - # unbound is configured for port 53, but dnsmasq is enabled and a resolver - # listens on localhost:53, lets assume dnsmasq manages the resolver file. - # TODO: - # really check if dnsmasq runs a local (main) resolver in stead of using - # nslookup that times out when no resolver listens on localhost:53. - return - fi - + # unbound is configured for port 53, but dnsmasq is enabled, and a resolver + # is already listening on port 53. Let dnsmasq manage resolve.conf. + # This also works to prevent clobbering while changing UCI. + echo "do nothing" >/dev/null - # unbound is designated to listen on 127.0.0.1#53, - # set resolver file to local. - rm -f /tmp/resolv.conf + else + # unbound listens on 127.0.0.1#53 so set resolver file to local. + rm -f /tmp/resolv.conf - { - echo "# /tmp/resolv.conf generated by Unbound UCI $( date -Is )" - echo "nameserver 127.0.0.1" - echo "nameserver ::1" - echo "search $UB_TXT_DOMAIN." - } > /tmp/resolv.conf + { + echo "# /tmp/resolv.conf generated by Unbound UCI $( date -Is )" + echo "nameserver 127.0.0.1" + echo "nameserver ::1" + echo "search $UB_TXT_DOMAIN." + } > /tmp/resolv.conf + fi } ############################################################################## @@ -1510,7 +1546,7 @@ unbound_start() { unbound_mkdir - if [ "$UB_B_MAN_CONF" -eq 0 ] ; then + if [ $UB_B_MAN_CONF -eq 0 ] ; then # iterate zones before we load other UCI # forward-zone: auth-zone: and stub-zone: config_foreach unbound_zone zone @@ -1525,8 +1561,6 @@ unbound_start() { unbound_hostname # control: unbound_control - # assistants - unbound_assistant # dnsmasq dnsmasq_link # merge diff --git a/net/unbound/files/unbound.uci b/net/unbound/files/unbound.uci index 12809b95d..f796a5802 100644 --- a/net/unbound/files/unbound.uci +++ b/net/unbound/files/unbound.uci @@ -19,6 +19,7 @@ config unbound option protocol 'default' option query_minimize '0' option query_min_strict '0' + option rate_limit '0' option rebind_localhost '0' option rebind_protection '1' option recursion 'default' @@ -34,6 +35,7 @@ config unbound #list domain_insecure 'ntp.example.com' config zone + # cache the root zone all at once to speed up recursion option enabled '0' option fallback '1' option url_dir 'https://www.internic.net/domain/' @@ -46,6 +48,7 @@ config zone list zone_name 'ip6.arpa.' config zone + # forward ISP account management to DHCP announced DNS servers option enabled '0' option fallback '1' option resolv_conf '1'