#!/bin/sh ############################################################################## # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # Copyright (C) 2016 Eric Luehrsen # ############################################################################## # # Unbound is a full featured recursive server with many options. The UCI # provided tries to simplify and bundle options. This should make Unbound # easier to deploy. Even light duty routers may resolve recursively instead of # depending on a stub with the ISP. The UCI also attempts to replicate dnsmasq # features as used in base LEDE/OpenWrt. If there is a desire for more # detailed tuning, then manual conf file overrides are also made available. # ############################################################################## UNBOUND_B_SLAAC6_MAC=0 UNBOUND_B_DNSSEC=0 UNBOUND_B_DNS64=0 UNBOUND_B_EXT_STATS=0 UNBOUND_B_GATE_NAME=0 UNBOUND_B_HIDE_BIND=1 UNBOUND_B_LOCL_BLCK=0 UNBOUND_B_LOCL_SERV=1 UNBOUND_B_MAN_CONF=0 UNBOUND_B_NTP_BOOT=1 UNBOUND_B_QUERY_MIN=0 UNBOUND_B_QRY_MINST=0 UNBOUND_B_AUTH_ROOT=0 UNBOUND_D_CONTROL=0 UNBOUND_D_DOMAIN_TYPE=static UNBOUND_D_DHCP_LINK=none UNBOUND_D_EXTRA_DNS=0 UNBOUND_D_LAN_FQDN=0 UNBOUND_D_PRIV_BLCK=1 UNBOUND_D_PROTOCOL=mixed UNBOUND_D_RESOURCE=small UNBOUND_D_RECURSION=passive UNBOUND_D_WAN_FQDN=0 UNBOUND_IP_DNS64="64:ff9b::/96" UNBOUND_N_EDNS_SIZE=1280 UNBOUND_N_FWD_PORTS="" UNBOUND_N_RX_PORT=53 UNBOUND_N_ROOT_AGE=9 UNBOUND_TTL_MIN=120 UNBOUND_TXT_DOMAIN=lan UNBOUND_TXT_FWD_ZONE="" UNBOUND_TXT_HOSTNAME=thisrouter UNBOUND_LIST_FORWARD="" UNBOUND_LIST_INSECURE="" ############################################################################## # keep track of assignments during inserted resource records UNBOUND_LIST_DOMAINS="" UNBOUND_LIST_IFACE="" UNBOUND_LIST_PRV_IP6GLA="" UNBOUND_LIST_LAN_NET="" # Similar default SOA / NS RR as Unbound uses for private ARPA zones UNBOUND_XSOA="3600 IN SOA localhost. nobody.invalid. 1 3600 1200 7200 600" UNBOUND_XNS="3600 IN NS localhost." ############################################################################## . /lib/functions.sh . /lib/functions/network.sh . /usr/lib/unbound/defaults.sh . /usr/lib/unbound/dnsmasq.sh . /usr/lib/unbound/iptools.sh . /usr/lib/unbound/rootzone.sh ############################################################################## create_interface_dns() { local cfg="$1" local ipcommand logint ignore ifname ifdashname local name names address addresses local ulaprefix if_fqdn host_fqdn local mode_ptr="$UNBOUND_TXT_HOSTNAME" local names="$UNBOUND_TXT_HOSTNAME" # Create local-data: references for this hosts interfaces (router). config_get logint "$cfg" interface config_get_bool ignore "$cfg" ignore 0 network_get_device ifname "$cfg" ifdashname="${ifname//./-}" ipcommand="ip -o address show $ifname" addresses=$( $ipcommand | awk '/inet/{sub(/\/.*/,"",$4); print $4}' ) ulaprefix=$( uci_get network.@globals[0].ula_prefix ) host_fqdn="$UNBOUND_TXT_HOSTNAME.$UNBOUND_TXT_DOMAIN" if_fqdn="$ifdashname.$host_fqdn" if [ -z "$ifdashname" ] ; then # race conditions at init can rarely cause a blank device return # the record format is invalid and Unbound won't load the conf file mode=0 elif [ -n "$UNBOUND_LIST_IFACE" ] ; then case "$UNBOUND_LIST_IFACE" in *$ifdashname*) # repeat such as dual WAN (eth0-1) and WAN6 (eth0-1) mode=0 ;; *) mode=1 ;; esac else mode=1 fi if [ $mode -gt 0 ] ; then UNBOUND_LIST_IFACE="$UNBOUND_LIST_IFACE $ifdashname" if [ -z "${ulaprefix%%:/*}" ] ; then # Nonsense so this option isn't globbed below ulaprefix="fdno:such:addr::/48" fi if [ "$ignore" -gt 0 ] ; then mode="$UNBOUND_D_WAN_FQDN" else mode="$UNBOUND_D_LAN_FQDN" fi fi if [ "$mode" -gt 1 ] ; then case "$mode" in 3) mode_ptr="$host_fqdn" names="$host_fqdn $UNBOUND_TXT_HOSTNAME" ;; 4) mode_ptr="$if_fqdn" names="$if_fqdn $host_fqdn $UNBOUND_TXT_HOSTNAME" ;; esac { for address in $addresses ; do case $address in fe80:*|169.254.*) echo " # note link address $address" ;; [1-9a-f]*:*[0-9a-f]) # GA and ULA IP6 for HOST IN AAA records (ip command is robust) for name in $names ; do echo " local-data: \"$name. 120 IN AAAA $address\"" done echo " local-data-ptr: \"$address 120 $mode_ptr\"" ;; [1-9]*.*[0-9]) # Old fashioned HOST IN A records for name in $names ; do echo " local-data: \"$name. 120 IN A $address\"" done echo " local-data-ptr: \"$address 120 $mode_ptr\"" ;; esac done echo } >> $UNBOUND_CONFFILE elif [ "$mode" -gt 0 ] ; then { for address in $addresses ; do case $address in fe80:*|169.254.*) echo " # note link address $address" ;; "${ulaprefix%%:/*}"*) # Only this networks ULA and only hostname echo " local-data: \"$UNBOUND_TXT_HOSTNAME. 120 IN AAAA $address\"" echo " local-data-ptr: \"$address 120 $UNBOUND_TXT_HOSTNAME\"" ;; [1-9]*.*[0-9]) echo " local-data: \"$UNBOUND_TXT_HOSTNAME. 120 IN A $address\"" echo " local-data-ptr: \"$address 120 $UNBOUND_TXT_HOSTNAME\"" ;; esac done echo } >> $UNBOUND_CONFFILE fi } ############################################################################## create_local_zone() { local target="$1" local partial domain found if [ -n "$UNBOUND_LIST_DOMAINS" ] ; then for domain in $UNBOUND_LIST_DOMAINS ; do case $target in *"${domain}") found=1 break ;; [A-Za-z0-9]*.[A-Za-z0-9]*) found=0 ;; *) # no dots found=1 break ;; esac done else found=0 fi if [ $found -eq 0 ] ; then # New Zone! Bundle local-zones: by first two name tiers "abcd.tld." partial=$( echo "$target" | awk -F. '{ j=NF ; i=j-1; print $i"."$j }' ) UNBOUND_LIST_DOMAINS="$UNBOUND_LIST_DOMAINS $partial" echo " local-zone: $partial transparent" >> $UNBOUND_CONFFILE fi } ############################################################################## create_host_record() { local cfg="$1" local ip name # basefiles dhcp "domain" clause which means host A, AAAA, and PRT record config_get ip "$cfg" ip config_get name "$cfg" name if [ -n "$name" -a -n "$ip" ] ; then create_local_zone "$name" { case $ip in fe80:*|169.254.*) echo " # note link address $ip for host $name" ;; [1-9a-f]*:*[0-9a-f]) echo " local-data: \"$name. 120 IN AAAA $ip\"" echo " local-data-ptr: \"$ip 120 $name\"" ;; [1-9]*.*[0-9]) echo " local-data: \"$name. 120 IN A $ip\"" echo " local-data-ptr: \"$ip 120 $name\"" ;; esac } >> $UNBOUND_CONFFILE fi } ############################################################################## create_mx_record() { local cfg="$1" local domain relay pref # Insert a static MX record config_get domain "$cfg" domain config_get relay "$cfg" relay config_get pref "$cfg" pref 10 if [ -n "$domain" -a -n "$relay" ] ; then create_local_zone "$domain" echo " local-data: \"$domain. 120 IN MX $pref $relay.\"" \ >> $UNBOUND_CONFFILE fi } ############################################################################## create_srv_record() { local cfg="$1" local srv target port class weight # Insert a static SRV record such as SIP server config_get srv "$cfg" srv config_get target "$cfg" target config_get port "$cfg" port config_get class "$cfg" class 10 config_get weight "$cfg" weight 10 if [ -n "$srv" -a -n "$target" -a -n "$port" ] ; then create_local_zone "$srv" echo " local-data: \"$srv. 120 IN SRV $class $weight $port $target.\"" \ >> $UNBOUND_CONFFILE fi } ############################################################################## create_cname_record() { local cfg="$1" local cname target # Insert static CNAME record config_get cname "$cfg" cname config_get target "$cfg" target if [ -n "$cname" -a -n "$target" ] ; then create_local_zone "$cname" echo " local-data: \"$cname. 120 IN CNAME $target.\"" >> $UNBOUND_CONFFILE fi } ############################################################################## create_access_control() { local cfg="$1" local subnets subnets4 subnets6 local validip4 validip6 network_get_subnets subnets4 "$cfg" network_get_subnets6 subnets6 "$cfg" subnets="$subnets4 $subnets6" if [ -n "$subnets" ] ; then for subnet in $subnets ; do validip4=$( valid_subnet4 $subnet ) validip6=$( valid_subnet6 $subnet ) if [ "$validip4" = "ok" -o "$validip6" = "ok" ] ; then # For each "network" UCI add "access-control:" white list for queries echo " access-control: $subnet allow" >> $UNBOUND_CONFFILE fi done fi } ############################################################################## bundle_domain_forward() { UNBOUND_LIST_FORWARD="$UNBOUND_LIST_FORWARD $1" } ############################################################################## bundle_domain_insecure() { UNBOUND_LIST_INSECURE="$UNBOUND_LIST_INSECURE $1" } ############################################################################## bundle_private_interface() { local ipcommand ifsubnet ifsubnets ifname validip4 network_get_device ifname $1 if [ -n "$ifname" ] ; then ipcommand="ip -o address show $ifname" ifsubnets=$( $ipcommand | awk '/inet/{ print $4 }' ) if [ -n "$ifsubnets" ] ; then for ifsubnet in $ifsubnets ; do case $ifsubnet in [1-9][0-9a-f][0-9a-f][0-9a-f]:*[0-9a-f]) # Special GLA protection for local block; ULA protected as a catagory UNBOUND_LIST_PRV_IP6GLA="$UNBOUND_LIST_PRV_IP6GLA $ifsubnet" ;; f[dc][0-9a-f][0-9a-f]:*[0-9a-f]) # Used to configure specific local-zone: data UNBOUND_LIST_LAN_NET="$UNBOUND_LIST_LAN_NET $ifsubnet" ;; *) validip4=$( valid_subnet4 $ifsubnet ) if [ "$validip4" = "ok" ] ; then UNBOUND_LIST_LAN_NET="$UNBOUND_LIST_LAN_NET $ifsubnet" fi ;; esac done fi fi } ############################################################################## unbound_mkdir() { local filestuff if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" ] ; then local dhcp_origin=$( uci_get dhcp.@odhcpd[0].leasefile ) local dhcp_dir=$( dirname $dhcp_origin ) if [ ! -d "$dhcp_dir" ] ; then # make sure odhcpd has a directory to write (not done itself, yet) mkdir -p "$dhcp_dir" fi fi if [ -f $UNBOUND_KEYFILE ] ; then filestuff=$( cat $UNBOUND_KEYFILE ) case "$filestuff" in *"state=2 [ VALID ]"*) # Lets not lose RFC 5011 tracking if we don't have to cp -p $UNBOUND_KEYFILE $UNBOUND_KEYFILE.keep ;; esac fi # Blind copy /etc/ to /var/lib/ mkdir -p $UNBOUND_VARDIR rm -f $UNBOUND_VARDIR/dhcp_* touch $UNBOUND_CONFFILE touch $UNBOUND_SRV_CONF touch $UNBOUND_EXT_CONF cp -p /etc/unbound/* $UNBOUND_VARDIR/ if [ ! -f $UNBOUND_HINTFILE ] ; then if [ -f /usr/share/dns/root.hints ] ; then # Debian-like package dns-root-data cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then logger -t unbound -s "default root hints (built in rootservers.net)" fi fi if [ ! -f $UNBOUND_KEYFILE ] ; then if [ -f /usr/share/dns/root.key ] ; then # Debian-like package dns-root-data cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE elif [ -x $UNBOUND_ANCHOR ] ; then $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then logger -t unbound -s "default trust anchor (built in root DS record)" fi fi if [ -f $UNBOUND_KEYFILE.keep ] ; then # root.key.keep is reused if newest cp -u $UNBOUND_KEYFILE.keep $UNBOUND_KEYFILE rm -f $UNBOUND_KEYFILE.keep fi # Ensure access and prepare to jail chown -R unbound:unbound $UNBOUND_VARDIR chmod 755 $UNBOUND_VARDIR chmod 644 $UNBOUND_VARDIR/* if [ -f $UNBOUND_CTLKEY_FILE -o -f $UNBOUND_CTLPEM_FILE \ -o -f $UNBOUND_SRVKEY_FILE -o -f $UNBOUND_SRVPEM_FILE ] ; then # Keys (some) exist already; do not create new ones chmod 640 $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \ $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE elif [ -x /usr/sbin/unbound-control-setup ] ; then case "$UNBOUND_D_CONTROL" in [2-3]) # unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static" /usr/sbin/unbound-control-setup -d $UNBOUND_VARDIR chown -R unbound:unbound $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \ $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE chmod 640 $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \ $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE cp -p $UNBOUND_CTLKEY_FILE /etc/unbound/unbound_control.key cp -p $UNBOUND_CTLPEM_FILE /etc/unbound/unbound_control.pem cp -p $UNBOUND_SRVKEY_FILE /etc/unbound/unbound_server.key cp -p $UNBOUND_SRVPEM_FILE /etc/unbound/unbound_server.pem ;; esac fi } ############################################################################## unbound_control() { if [ "$UNBOUND_D_CONTROL" -gt 1 ] ; then if [ ! -f $UNBOUND_CTLKEY_FILE -o ! -f $UNBOUND_CTLPEM_FILE \ -o ! -f $UNBOUND_SRVKEY_FILE -o ! -f $UNBOUND_SRVPEM_FILE ] ; then # Key files need to be present; if unbound-control-setup was found, then # they might have been made during unbound_makedir() above. UNBOUND_D_CONTROL=0 fi fi case "$UNBOUND_D_CONTROL" in 1) { # Local Host Only Unencrypted Remote Control echo "remote-control:" echo " control-enable: yes" echo " control-use-cert: no" echo " control-interface: 127.0.0.1" echo " control-interface: ::1" echo } >> $UNBOUND_CONFFILE ;; 2) { # Local Host Only Encrypted Remote Control echo "remote-control:" echo " control-enable: yes" echo " control-use-cert: yes" echo " control-interface: 127.0.0.1" echo " control-interface: ::1" echo " server-key-file: $UNBOUND_SRVKEY_FILE" echo " server-cert-file: $UNBOUND_SRVPEM_FILE" echo " control-key-file: $UNBOUND_CTLKEY_FILE" echo " control-cert-file: $UNBOUND_CTLPEM_FILE" echo } >> $UNBOUND_CONFFILE ;; [3-4]) { # Network Encrypted Remote Control # (3) may auto setup and (4) must have static key/pem files # TODO: add UCI list for interfaces to bind echo "remote-control:" echo " control-enable: yes" echo " control-use-cert: yes" echo " control-interface: 0.0.0.0" echo " control-interface: ::0" echo " server-key-file: $UNBOUND_SRVKEY_FILE" echo " server-cert-file: $UNBOUND_SRVPEM_FILE" echo " control-key-file: $UNBOUND_CTLKEY_FILE" echo " control-cert-file: $UNBOUND_CTLPEM_FILE" echo } >> $UNBOUND_CONFFILE ;; esac { # Amend your own extended clauses here like forward zones or disable # above (local, no encryption) and amend your own remote encrypted control echo echo "include: $UNBOUND_EXT_CONF" >> $UNBOUND_CONFFILE echo } >> $UNBOUND_CONFFILE } ############################################################################## unbound_forward() { local fdomain fresolver resolvers # Forward selected domains to the upstream (WAN) stub resolver. This may be # faster or local pool addresses to ISP service login page. This may keep # internal organization lookups, well, internal to the organization. if [ -n "$UNBOUND_LIST_FORWARD" ] ; then resolvers=$( grep nameserver /tmp/resolv.conf.auto | sed "s/nameserver//g" ) if [ -n "$resolvers" ] ; then for fdomain in $UNBOUND_LIST_FORWARD ; do { echo "forward-zone:" echo " name: $fdomain" for fresolver in $resolvers ; do echo " forward-addr: $fresolver" done echo } >> $UNBOUND_CONFFILE done fi fi } ############################################################################## unbound_auth_root() { local axfrservers="lax.xfr.dns.icann.org iad.xfr.dns.icann.org" local httpserver="http://www.internic.net/domain/" local authzones="root arpa in-addr.arpa ip6.arpa" local server zone realzone # Download or AXFR the root and arpa zones to reduce the work needed at # top level of recursion. If your users will hit many ccTLD or you have # tracking logs resolving many PTR, then this can speed things up. # Total size of text in TMPFS could be about 5MB. if [ "$UNBOUND_B_AUTH_ROOT" -gt 0 ] ; then for zone in $authzones ; do if [ "$zone" = "root" ] ; then realzone="." else realzone=$zone fi { echo "auth-zone:" echo " name: $realzone" for server in $axfrservers ; do echo " master: $server" done echo " url: $httpserver$zone.zone" echo " fallback-enabled: yes" echo " for-downstream: no" echo " for-upstream: yes" echo " zonefile: $zone.zone" echo } >> $UNBOUND_CONFFILE done fi } ############################################################################## unbound_conf() { local rt_mem rt_conn modulestring domain ifsubnet # Make fresh conf file echo > $UNBOUND_CONFFILE { # Make fresh conf file echo "# $UNBOUND_CONFFILE generated by UCI $( date )" echo echo "server:" echo " username: unbound" echo " chroot: $UNBOUND_VARDIR" echo " directory: $UNBOUND_VARDIR" echo " pidfile: $UNBOUND_PIDFILE" echo # No threading echo " num-threads: 1" echo " msg-cache-slabs: 1" echo " rrset-cache-slabs: 1" echo " infra-cache-slabs: 1" echo " key-cache-slabs: 1" echo # Interface Wildcard (access contol handled by "option local_service") echo " interface: 0.0.0.0" echo " interface: ::0" echo " outgoing-interface: 0.0.0.0" echo " outgoing-interface: ::0" echo # Logging echo " use-syslog: yes" echo " verbosity: 1" echo " statistics-interval: 0" echo " statistics-cumulative: no" } >> $UNBOUND_CONFFILE if [ "$UNBOUND_B_EXT_STATS" -gt 0 ] ; then { # Log More echo " extended-statistics: yes" echo } >> $UNBOUND_CONFFILE else { # Log Less echo " extended-statistics: no" echo } >> $UNBOUND_CONFFILE fi case "$UNBOUND_D_PROTOCOL" in ip4_only) { echo " do-ip4: yes" echo " do-ip6: no" } >> $UNBOUND_CONFFILE ;; ip6_only) { echo " do-ip4: no" echo " do-ip6: yes" } >> $UNBOUND_CONFFILE ;; ip6_prefer) { echo " do-ip4: yes" echo " do-ip6: yes" echo " prefer-ip6: yes" } >> $UNBOUND_CONFFILE ;; mixed) { echo " do-ip4: yes" echo " do-ip6: yes" } >> $UNBOUND_CONFFILE ;; *) if [ ! -f "$UNBOUND_TIMEFILE" ] ; then logger -t unbound -s "default protocol configuration" fi ;; esac { # protocol level tuning echo " edns-buffer-size: $UNBOUND_N_EDNS_SIZE" echo " msg-buffer-size: 8192" echo " port: $UNBOUND_N_RX_PORT" echo " outgoing-port-permit: 10240-65535" echo } >> $UNBOUND_CONFFILE { # Other harding and options for an embedded router echo " harden-short-bufsize: yes" echo " harden-large-queries: yes" echo " harden-glue: yes" echo " harden-below-nxdomain: no" echo " harden-referral-path: no" echo " use-caps-for-id: no" echo } >> $UNBOUND_CONFFILE if [ -f "$UNBOUND_HINTFILE" ] ; then # Optional hints if found echo " root-hints: $UNBOUND_HINTFILE" >> $UNBOUND_CONFFILE fi if [ "$UNBOUND_B_DNSSEC" -gt 0 -a -f "$UNBOUND_KEYFILE" ] ; then { echo " auto-trust-anchor-file: $UNBOUND_KEYFILE" echo } >> $UNBOUND_CONFFILE else echo >> $UNBOUND_CONFFILE fi case "$UNBOUND_D_RESOURCE" in # Tiny - Unbound's recommended cheap hardware config tiny) rt_mem=1 ; rt_conn=1 ;; # Small - Half RRCACHE and open ports small) rt_mem=8 ; rt_conn=5 ;; # Medium - Nearly default but with some added balancintg medium) rt_mem=16 ; rt_conn=10 ;; # Large - Double medium large) rt_mem=32 ; rt_conn=10 ;; # Whatever unbound does *) rt_mem=0 ; rt_conn=0 ;; esac if [ "$rt_mem" -gt 0 ] ; then { # Set memory sizing parameters echo " outgoing-range: $(($rt_conn*64))" echo " num-queries-per-thread: $(($rt_conn*32))" echo " outgoing-num-tcp: $(($rt_conn))" echo " incoming-num-tcp: $(($rt_conn))" echo " rrset-cache-size: $(($rt_mem*256))k" echo " msg-cache-size: $(($rt_mem*128))k" echo " key-cache-size: $(($rt_mem*128))k" echo " neg-cache-size: $(($rt_mem*64))k" echo " infra-cache-numhosts: $(($rt_mem*256))" echo } >> $UNBOUND_CONFFILE elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then logger -t unbound -s "default memory configuration" fi # Assembly of module-config: options is tricky; order matters modulestring="iterator" if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then if [ ! -f "$UNBOUND_TIMEFILE" -a "$UNBOUND_B_NTP_BOOT" -gt 0 ] ; then # DNSSEC chicken and egg with getting NTP time echo " val-override-date: -1" >> $UNBOUND_CONFFILE fi { echo " harden-dnssec-stripped: yes" echo " val-clean-additional: yes" echo " ignore-cd-flag: yes" } >> $UNBOUND_CONFFILE modulestring="validator $modulestring" fi if [ "$UNBOUND_B_DNS64" -gt 0 ] ; then echo " dns64-prefix: $UNBOUND_IP_DNS64" >> $UNBOUND_CONFFILE modulestring="dns64 $modulestring" fi { # Print final module string echo " module-config: \"$modulestring\"" echo } >> $UNBOUND_CONFFILE case "$UNBOUND_D_RECURSION" in passive) { # Some query privacy but "strict" will break some servers if [ "$UNBOUND_B_QRY_MINST" -gt 0 \ -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then echo " qname-minimisation: yes" echo " qname-minimisation-strict: yes" elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then echo " qname-minimisation: yes" else echo " qname-minimisation: no" fi # Use DNSSEC to quickly understand NXDOMAIN ranges if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then echo " aggressive-nsec: yes" echo " prefetch-key: no" fi # On demand fetching echo " prefetch: no" echo " target-fetch-policy: \"0 0 0 0 0\"" echo } >> $UNBOUND_CONFFILE ;; aggressive) { # Some query privacy but "strict" will break some servers if [ "$UNBOUND_B_QRY_MINST" -gt 0 \ -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then echo " qname-minimisation: yes" echo " qname-minimisation-strict: yes" elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then echo " qname-minimisation: yes" else echo " qname-minimisation: no" fi # Use DNSSEC to quickly understand NXDOMAIN ranges if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then echo " aggressive-nsec: yes" echo " prefetch-key: yes" fi # Prefetch what can be echo " prefetch: yes" echo " target-fetch-policy: \"3 2 1 0 0\"" echo } >> $UNBOUND_CONFFILE ;; *) if [ ! -f "$UNBOUND_TIMEFILE" ] ; then logger -t unbound -s "default recursion configuration" fi ;; esac { # Reload records more than 10 hours old # DNSSEC 5 minute bogus cool down before retry # Adaptive infrastructure info kept for 15 minutes echo " cache-min-ttl: $UNBOUND_TTL_MIN" echo " cache-max-ttl: 36000" echo " val-bogus-ttl: 300" echo " infra-host-ttl: 900" echo } >> $UNBOUND_CONFFILE if [ "$UNBOUND_B_HIDE_BIND" -gt 0 ] ; then { # Block server id and version DNS TXT records echo " hide-identity: yes" echo " hide-version: yes" echo } >> $UNBOUND_CONFFILE fi if [ "$UNBOUND_D_PRIV_BLCK" -gt 0 ] ; then { # Remove _upstream_ or global reponses with private addresses. # Unbounds own "local zone" and "forward zone" may still use these. # RFC1918, RFC3927, RFC4291, RFC6598, RFC6890 echo " private-address: 10.0.0.0/8" echo " private-address: 100.64.0.0/10" echo " private-address: 169.254.0.0/16" echo " private-address: 172.16.0.0/12" echo " private-address: 192.168.0.0/16" echo " private-address: fc00::/7" echo " private-address: fe80::/10" echo } >> $UNBOUND_CONFFILE fi if [ -n "$UNBOUND_LIST_PRV_IP6GLA" -a "$UNBOUND_D_PRIV_BLCK" -gt 1 ] ; then for ifsubnet in $UNBOUND_LIST_PRV_IP6GLA ; do # Remove global DNS responses with your local network IP6 GLA echo " private-address: $ifsubnet" >> $UNBOUND_CONFFILE done echo >> $UNBOUND_CONFFILE fi if [ "$UNBOUND_B_LOCL_BLCK" -gt 0 ] ; then { # Remove DNS reponses from upstream with loopback IP # Black hole DNS method for ad blocking, so consider... echo " private-address: 127.0.0.0/8" echo " private-address: ::1/128" echo } >> $UNBOUND_CONFFILE fi if [ -n "$UNBOUND_LIST_INSECURE" ] ; then for domain in $UNBOUND_LIST_INSECURE ; do # Except and accept domains without (DNSSEC); work around broken domains echo " domain-insecure: $domain" >> $UNBOUND_CONFFILE done echo >> $UNBOUND_CONFFILE fi } ############################################################################## unbound_access() { # TODO: Unbound 1.6.0 added "tags" and "views", so we can add tags to # each access-control IP block, and then divert access. # -- "guest" WIFI will not be allowed to see local zone data # -- "child" LAN can black whole a list of domains to http~deadpixel if [ "$UNBOUND_B_LOCL_SERV" -gt 0 ] ; then # Only respond to queries from which this device has an interface. # Prevent DNS amplification attacks by not responding to the universe. config_load network config_foreach create_access_control interface { echo " access-control: 127.0.0.0/8 allow" echo " access-control: ::1/128 allow" echo " access-control: fe80::/10 allow" echo } >> $UNBOUND_CONFFILE else { echo " access-control: 0.0.0.0/0 allow" echo " access-control: ::0/0 allow" echo } >> $UNBOUND_CONFFILE fi { # Amend your own "server:" stuff here echo " include: $UNBOUND_SRV_CONF" echo } >> $UNBOUND_CONFFILE } ############################################################################## unbound_adblock() { # TODO: Unbound 1.6.0 added "tags" and "views"; lets work with adblock team local adb_enabled adb_file if [ ! -x /usr/bin/adblock.sh -o ! -x /etc/init.d/adblock ] ; then adb_enabled=0 else /etc/init.d/adblock enabled && adb_enabled=1 || adb_enabled=0 fi if [ "$adb_enabled" -gt 0 ] ; then { # Pull in your selected openwrt/pacakges/net/adblock generated lists for adb_file in $UNBOUND_VARDIR/adb_list.* ; do echo " include: $adb_file" done echo } >> $UNBOUND_CONFFILE fi } ############################################################################## unbound_hostname() { local ifsubnet ifarpa if [ -n "$UNBOUND_TXT_DOMAIN" ] ; then { # Hostname as TLD works, but not transparent through recursion echo " domain-insecure: $UNBOUND_TXT_HOSTNAME" echo " private-domain: $UNBOUND_TXT_HOSTNAME" echo " local-zone: $UNBOUND_TXT_HOSTNAME static" echo " local-data: \"$UNBOUND_TXT_HOSTNAME. $UNBOUND_XSOA\"" echo " local-data: \"$UNBOUND_TXT_HOSTNAME. $UNBOUND_XNS\"" echo } >> $UNBOUND_CONFFILE case "$UNBOUND_D_DOMAIN_TYPE" in deny|inform_deny|refuse|static) if [ -n "$UNBOUND_LIST_PRV_IP6GLA" \ -a "$UNBOUND_D_PRIV_BLCK" -gt 1 ] ; then for ifsubnet in $UNBOUND_LIST_PRV_IP6GLA ; do ifarpa=$( domain_ptr_any "$ifsubnet" ) if [ -n "$ifarpa" ] ; then { # Do NOT forward queries with your GLA ip6.arpa echo " domain-insecure: $ifarpa" echo " local-zone: $ifarpa $UNBOUND_D_DOMAIN_TYPE" echo " local-data: \"$ifarpa. $UNBOUND_XSOA\"" echo " local-data: \"$ifarpa. $UNBOUND_XNS\"" echo } >> $UNBOUND_CONFFILE fi done fi if [ -n "$UNBOUND_LIST_LAN_NET" \ -a "$UNBOUND_D_PRIV_BLCK" -gt 0 ] ; then for ifsubnet in $UNBOUND_LIST_LAN_NET ; do ifarpa=$( domain_ptr_any "$ifsubnet" ) if [ -n "$ifarpa" ] ; then { # Do NOT forward queries with your ULA ip6.arpa or in-addr.arpa echo " domain-insecure: $ifarpa" echo " local-zone: $ifarpa $UNBOUND_D_DOMAIN_TYPE" echo " local-data: \"$ifarpa. $UNBOUND_XSOA\"" echo " local-data: \"$ifarpa. $UNBOUND_XNS\"" echo } >> $UNBOUND_CONFFILE fi done fi { # avoid upstream involvement in RFC6762 echo " domain-insecure: local" echo " private-domain: local" echo " local-zone: local $UNBOUND_D_DOMAIN_TYPE" echo " local-data: \"local. $UNBOUND_XSOA\"" echo " local-data: \"local. $UNBOUND_XNS\"" echo " local-data: \"local. 3600 IN TXT RFC6762\"" echo # type static means only this router has your domain # type transparent will permit forward-zone: or stub-zone: clauses echo " domain-insecure: $UNBOUND_TXT_DOMAIN" echo " private-domain: $UNBOUND_TXT_DOMAIN" echo " local-zone: $UNBOUND_TXT_DOMAIN $UNBOUND_D_DOMAIN_TYPE" echo " local-data: \"$UNBOUND_TXT_DOMAIN. $UNBOUND_XSOA\"" echo " local-data: \"$UNBOUND_TXT_DOMAIN. $UNBOUND_XNS\"" echo } >> $UNBOUND_CONFFILE ;; *) # likely transparent domain with fordward-zone: clause to next router echo " domain-insecure: $UNBOUND_TXT_DOMAIN" echo " private-domain: $UNBOUND_TXT_DOMAIN" echo " local-zone: $UNBOUND_TXT_DOMAIN $UNBOUND_D_DOMAIN_TYPE" echo ;; esac if [ "$UNBOUND_D_LAN_FQDN" -gt 0 -o "$UNBOUND_D_WAN_FQDN" -gt 0 ] ; then config_load dhcp config_foreach create_interface_dns dhcp fi if [ -f "$UNBOUND_DHCP_CONF" ] ; then { # Seed DHCP records because dhcp scripts trigger externally # Incremental Unbound restarts may drop unbound-control add records echo " include: $UNBOUND_DHCP_CONF" echo } >> $UNBOUND_CONFFILE fi fi } ############################################################################## unbound_records() { if [ "$UNBOUND_D_EXTRA_DNS" -gt 0 ] ; then # Parasite from the uci.dhcp.domain clauses config_load dhcp config_foreach create_host_record domain fi if [ "$UNBOUND_D_EXTRA_DNS" -gt 1 ] ; then config_foreach create_srv_record srvhost config_foreach create_mx_record mxhost fi if [ "$UNBOUND_D_EXTRA_DNS" -gt 2 ] ; then config_foreach create_cname_record cname fi echo >> $UNBOUND_CONFFILE } ############################################################################## unbound_uci() { local cfg="$1" local dnsmasqpath hostnm hostnm=$( uci_get system.@system[0].hostname | awk '{print tolower($0)}' ) UNBOUND_TXT_HOSTNAME=${hostnm:-thisrouter} config_get_bool UNBOUND_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0 config_get_bool UNBOUND_B_DNS64 "$cfg" dns64 0 config_get_bool UNBOUND_B_EXT_STATS "$cfg" extended_stats 0 config_get_bool UNBOUND_B_HIDE_BIND "$cfg" hide_binddata 1 config_get_bool UNBOUND_B_LOCL_SERV "$cfg" localservice 1 config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0 config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0 config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0 config_get_bool UNBOUND_B_AUTH_ROOT "$cfg" prefetch_root 0 config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0 config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0 config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1 config_get UNBOUND_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96" config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280 config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53 config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9 config_get UNBOUND_D_CONTROL "$cfg" unbound_control 0 config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none config_get UNBOUND_D_EXTRA_DNS "$cfg" add_extra_dns 0 config_get UNBOUND_D_LAN_FQDN "$cfg" add_local_fqdn 0 config_get UNBOUND_D_PRIV_BLCK "$cfg" rebind_protection 1 config_get UNBOUND_D_PROTOCOL "$cfg" protocol mixed config_get UNBOUND_D_RECURSION "$cfg" recursion passive config_get UNBOUND_D_RESOURCE "$cfg" resource small config_get UNBOUND_D_WAN_FQDN "$cfg" add_wan_fqdn 0 config_get UNBOUND_TTL_MIN "$cfg" ttl_min 120 config_get UNBOUND_TXT_DOMAIN "$cfg" domain lan config_list_foreach "$cfg" "domain_forward" bundle_domain_forward config_list_foreach "$cfg" "domain_insecure" bundle_domain_insecure config_list_foreach "$cfg" "rebind_interface" bundle_private_interface UNBOUND_LIST_DOMAINS="nowhere $UNBOUND_TXT_DOMAIN" if [ "$UNBOUND_D_DHCP_LINK" = "none" ] ; then config_get_bool UNBOUND_B_DNSMASQ "$cfg" dnsmasq_link_dns 0 if [ "$UNBOUND_B_DNSMASQ" -gt 0 ] ; then UNBOUND_D_DHCP_LINK=dnsmasq if [ ! -f "$UNBOUND_TIMEFILE" ] ; then logger -t unbound -s "Please use 'dhcp_link' selector instead" fi fi fi if [ "$UNBOUND_D_DHCP_LINK" = "dnsmasq" ] ; then if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then UNBOUND_D_DHCP_LINK=none else /etc/init.d/dnsmasq enabled || UNBOUND_D_DHCP_LINK=none fi if [ "$UNBOUND_D_DHCP_LINK" = "none" -a ! -f "$UNBOUND_TIMEFILE" ] ; then logger -t unbound -s "cannot forward to dnsmasq" fi fi if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" ] ; then if [ ! -x /usr/sbin/odhcpd -o ! -x /etc/init.d/odhcpd ] ; then UNBOUND_D_DHCP_LINK=none else /etc/init.d/odhcpd enabled || UNBOUND_D_DHCP_LINK=none fi if [ "$UNBOUND_D_DHCP_LINK" = "none" -a ! -f "$UNBOUND_TIMEFILE" ] ; then logger -t unbound -s "cannot receive records from odhcpd" fi fi if [ "$UNBOUND_N_EDNS_SIZE" -lt 512 \ -o 4096 -lt "$UNBOUND_N_EDNS_SIZE" ] ; then logger -t unbound -s "edns_size exceeds range, using default" UNBOUND_N_EDNS_SIZE=1280 fi if [ "$UNBOUND_N_RX_PORT" -ne 53 ] \ && [ "$UNBOUND_N_RX_PORT" -lt 1024 -o 10240 -lt "$UNBOUND_N_RX_PORT" ] ; then logger -t unbound -s "privileged port or in 5 digits, using default" UNBOUND_N_RX_PORT=53 fi if [ "$UNBOUND_TTL_MIN" -gt 1800 ] ; then logger -t unbound -s "ttl_min could have had awful side effects, using 300" UNBOUND_TTL_MIN=300 fi } ############################################################################## unbound_resolv_setup() { if [ "$UNBOUND_N_RX_PORT" != "53" ] ; then return fi if [ -x /etc/init.d/dnsmasq ] && /etc/init.d/dnsmasq enabled \ && nslookup localhost 127.0.0.1#53 >/dev/null 2>&1 ; then # unbound is configured for port 53, but dnsmasq is enabled and a resolver # listens on localhost:53, lets assume dnsmasq manages the resolver file. # TODO: # really check if dnsmasq runs a local (main) resolver in stead of using # nslookup that times out when no resolver listens on localhost:53. return fi # unbound is designated to listen on 127.0.0.1#53, # set resolver file to local. rm -f /tmp/resolv.conf { echo "# /tmp/resolv.conf generated by Unbound UCI $( date )" echo "nameserver 127.0.0.1" echo "nameserver ::1" echo "search $UNBOUND_TXT_DOMAIN." } > /tmp/resolv.conf } ############################################################################## unbound_resolv_teardown() { case $( cat /tmp/resolv.conf ) in *"generated by Unbound UCI"*) # our resolver file, reset to auto resolver file. rm -f /tmp/resolv.conf ln -s /tmp/resolv.conf.auto /tmp/resolv.conf ;; esac } ############################################################################## unbound_start() { config_load unbound config_foreach unbound_uci unbound unbound_mkdir if [ "$UNBOUND_B_MAN_CONF" -eq 0 ] ; then unbound_conf unbound_access unbound_adblock if [ "$UNBOUND_D_DHCP_LINK" = "dnsmasq" ] ; then dnsmasq_link else unbound_hostname unbound_records fi unbound_forward unbound_auth_root unbound_control fi unbound_resolv_setup } ############################################################################## unbound_stop() { unbound_resolv_teardown rootzone_update } ##############################################################################