unbound: improve startup and dhcp script robustness

- prevent rapid overlap in DHCP script updates
- check and allow localhost forwards with specific applications
- add option for rate limiting inbound queries
- change UCI list to table format with Unbound conf references

Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
This commit is contained in:
Eric Luehrsen
2020-07-04 13:55:40 -04:00
parent 147a5f7e31
commit e81529596d
10 changed files with 321 additions and 458 deletions


@@ -23,25 +23,25 @@
#
##############################################################################
UB_B_SLAAC6_MAC=0
UB_B_AUTH_ROOT=0
UB_B_DNS_ASSIST=0
UB_B_DNSSEC=0
UB_B_DNS64=0
UB_B_EXT_STATS=0
UB_B_GATE_NAME=0
UB_B_HIDE_BIND=1
UB_B_IF_AUTO=1
UB_B_LOCL_BLCK=0
UB_B_LOCL_SERV=1
UB_B_MAN_CONF=0
UB_B_NTP_BOOT=1
UB_B_QUERY_MIN=0
UB_B_QRY_MINST=0
UB_B_AUTH_ROOT=0
UB_B_IF_AUTO=1
UB_B_SLAAC6_MAC=0
UB_D_CONTROL=0
UB_D_DOMAIN_TYPE=static
UB_D_DHCP_LINK=none
UB_D_DNS_ASSIST=none
UB_D_EXTRA_DNS=0
UB_D_LAN_FQDN=0
UB_D_PRIV_BLCK=1
@@ -57,6 +57,7 @@ UB_N_EDNS_SIZE=1280
UB_N_RX_PORT=53
UB_N_ROOT_AGE=9
UB_N_THREADS=1
UB_N_RATE_LMT=0
UB_TTL_MIN=120
UB_TXT_DOMAIN=lan
@@ -123,7 +124,7 @@ bundle_lan_networks() {
ifdashname="${ifname//./-}"
if [ "$ignore" -eq 0 ] && [ -n "$ifdashname" ] \
if [ $ignore -eq 0 ] && [ -n "$ifdashname" ] \
&& [ -n "$UB_LIST_NETW_ALL" ] ; then
for ifsubnet in $UB_LIST_NETW_ALL ; do
case $ifsubnet in
@@ -225,7 +226,7 @@ unbound_mkdir() {
# Debian-like package dns-root-data
cp -p /usr/share/dns/root.hints $UB_RHINT_FILE
elif [ "$UB_B_READY" -eq 0 ] ; then
elif [ $UB_B_READY -eq 0 ] ; then
logger -t unbound -s "default root hints (built in root-servers.net)"
fi
fi
@@ -239,7 +240,7 @@ unbound_mkdir() {
elif [ -x $UB_ANCHOR ] ; then
$UB_ANCHOR -a $UB_RKEY_FILE
elif [ "$UB_B_READY" -eq 0 ] ; then
elif [ $UB_B_READY -eq 0 ] ; then
logger -t unbound -s "default trust anchor (built in root DS record)"
fi
fi
@@ -296,7 +297,7 @@ unbound_mkdir() {
UB_B_READY=1
UB_B_NTP_BOOT=0
elif [ "$UB_B_NTP_BOOT" -eq 0 ] ; then
elif [ $UB_B_NTP_BOOT -eq 0 ] ; then
# time is considered okay on this device (ignore /etc/hotplug/ntpd/unbound)
date -Is > $UB_TIME_FILE
UB_B_READY=0
@@ -315,7 +316,7 @@ unbound_control() {
echo "# $UB_CTRL_CONF generated by UCI $( date -Is )" > $UB_CTRL_CONF
if [ "$UB_D_CONTROL" -gt 1 ] ; then
if [ $UB_D_CONTROL -gt 1 ] ; then
if [ ! -f $UB_CTLKEY_FILE ] || [ ! -f $UB_CTLPEM_FILE ] \
|| [ ! -f $UB_SRVKEY_FILE ] || [ ! -f $UB_SRVPEM_FILE ] ; then
# Key files need to be present; if unbound-control-setup was found, then
@@ -376,44 +377,13 @@ unbound_control() {
##############################################################################
unbound_assistant() {
local port=53000
case "$UB_D_DNS_ASSIST" in
ipset-dns)
port=$( uci_get ipset-dns.@ipset-dns[0].port )
if [ ! -f "$UB_ASSIST_CONF" ] \
&& [ $port -gt 0 ] && [ $port -lt 65535 ] ; then
{
echo "# $UB_ASSIST_CONF generated by UCI $( date -Is )"
echo "forward-zone:"
echo " name: ."
echo " forward-addr: 127.0.0.1@$port"
echo " forward-first: no"
} > $UB_ASSIST_CONF
fi
;;
nsd)
echo "# Sorry, NSD does not have UCI to read and link." >> $UB_ASSIST_CONF
;;
bind)
echo "# Sorry, Bind does not have UCI to read and link." >> $UB_ASSIST_CONF
;;
esac
}
##############################################################################
unbound_zone() {
local cfg=$1
local servers_ip=""
local servers_host=""
local zone_sym zone_name zone_type zone_enabled zone_file
local tls_upstream fallback
local server port tls_port tls_index tls_suffix url_dir
local server port tls_port tls_index tls_suffix url_dir dns_ast
if [ ! -f "$UB_ZONE_CONF" ] ; then
echo "# $UB_ZONE_CONF generated by UCI $( date -Is )" > $UB_ZONE_CONF
@@ -423,7 +393,7 @@ unbound_zone() {
config_get_bool zone_enabled "$cfg" enabled 0
if [ "$zone_enabled" -eq 1 ] ; then
if [ $zone_enabled -eq 1 ] ; then
# these lists are built for each zone; empty to start
UB_LIST_ZONE_NAMES=""
UB_LIST_ZONE_SERVERS=""
@@ -433,6 +403,7 @@ unbound_zone() {
config_get tls_index "$cfg" tls_index ""
config_get tls_port "$cfg" tls_port 853
config_get url_dir "$cfg" url_dir ""
config_get dns_ast "$cfg" dns_assist none
config_get_bool resolv_conf "$cfg" resolv_conf 0
config_get_bool fallback "$cfg" fallback 1
@@ -443,8 +414,8 @@ unbound_zone() {
# string formating for Unbound syntax
tls_suffix="${tls_port:+@${tls_port}${tls_index:+#${tls_index}}}"
[ "$fallback" -eq 0 ] && fallback=no || fallback=yes
[ "$tls_upstream" -eq 0 ] && tls_upstream=no || tls_upstream=yes
[ $fallback -eq 0 ] && fallback=no || fallback=yes
[ $tls_upstream -eq 0 ] && tls_upstream=no || tls_upstream=yes
if [ $resolv_conf -eq 1 ] ; then
@@ -456,9 +427,70 @@ unbound_zone() {
fi
case "$dns_ast" in
bind)
if [ -x /usr/sbin/bind ] && [ -x /etc/init.d/bind ] ; then
if /etc/init.d/bind enabled ; then
dns_ast=1
else
dns_ast=0
fi
else
dns_ast=0
fi
;;
dnsmasq)
if [ -x /usr/sbin/dnsmasq ] && [ -x /etc/init.d/dnsmasq ] ; then
if /etc/init.d/dnsmasq enabled ; then
dns_ast=1
else
dns_ast=0
fi
else
dns_ast=0
fi
;;
ipset-dns)
if [ -x /usr/sbin/ipset-dns ] && [ -x /etc/init.d/ipset-dns ] ; then
if /etc/init.d/ipset-dns enabled ; then
dns_ast=1
else
dns_ast=0
fi
else
dns_ast=0
fi
;;
nsd)
if [ -x /usr/sbin/nsd ] && [ -x /etc/init.d/nsd ] ; then
if /etc/init.d/nsd enabled ; then
dns_ast=1
else
dns_ast=0
fi
else
dns_ast=0
fi
;;
*)
# Prevent a soft-brick event through local forwarding loops. Declare your
# assistant program and this will check to be sure it is there.
dns_ast=0
esac
if [ $dns_ast -gt 0 ] ; then
UB_B_DNS_ASSIST=1
fi
case $zone_type in
auth_zone)
if [ "$UB_B_NTP_BOOT" -eq 0 ] && [ -n "$UB_LIST_ZONE_NAMES" ] \
if [ $UB_B_NTP_BOOT -eq 0 ] && [ -n "$UB_LIST_ZONE_NAMES" ] \
&& { [ -n "$url_dir" ] || [ -n "$UB_LIST_ZONE_SERVERS" ] ; } ; then
# Note AXFR may have large downloads. If NTP restart is configured,
# then this can cause procd to force a process kill.
@@ -503,23 +535,9 @@ unbound_zone() {
if [ -n "$UB_LIST_ZONE_NAMES" ] && [ -n "$UB_LIST_ZONE_SERVERS" ] ; then
for server in $UB_LIST_ZONE_SERVERS ; do
if [ "$( valid_subnet_any $server )" = "not" ] ; then
case $server in
*@[0-9]*|*#[A-Za-z0-9]*)
# unique Unbound option for server host name
servers_host="$servers_host $server"
;;
*)
if [ "$tls_upstream" = "yes" ] ; then
servers_host="$servers_host $server${tls_port:+@${tls_port}}"
else
servers_host="$servers_host $server${port:+@${port}}"
fi
;;
esac
else
if [ "$( valid_subnet_any $server )" = "ok" ] \
|| { [ "$( local_subnet $server )" = "ok" ] \
&& [ $dns_ast -gt 0 ] ; } ; then
case $server in
*@[0-9]*|*#[A-Za-z0-9]*)
# unique Unbound option for server address
@@ -534,6 +552,22 @@ unbound_zone() {
fi
;;
esac
else
case $server in
*@[0-9]*|*#[A-Za-z0-9]*)
# unique Unbound option for server host name
servers_host="$servers_host $server"
;;
*)
if [ "$tls_upstream" = "yes" ] ; then
servers_host="$servers_host $server${tls_port:+@${tls_port}}"
else
servers_host="$servers_host $server${port:+@${port}}"
fi
;;
esac
fi
done
@@ -573,6 +607,13 @@ unbound_zone() {
done
fi
;;
*)
{
echo " # Special zone $zonename was not enabled or had UCI conflicts."
echo
} >> $UB_ZONE_CONF
;;
esac
}
@@ -605,7 +646,7 @@ unbound_conf() {
fi
if [ "$UB_B_DNSSEC" -gt 0 ] && [ -f "$UB_RKEY_FILE" ] ; then
if [ $UB_B_DNSSEC -gt 0 ] && [ -f "$UB_RKEY_FILE" ] ; then
{
echo " auto-trust-anchor-file: $UB_RKEY_FILE"
echo
@@ -616,7 +657,7 @@ unbound_conf() {
fi
if [ "$UB_N_THREADS" -gt 1 ] \
if [ $UB_N_THREADS -gt 1 ] \
&& $PROG -V | grep -q "Linked libs:.*libevent" ; then
# heavy variant using "threads" may need substantial resources
echo " num-threads: 2" >> $UB_CORE_CONF
@@ -632,6 +673,8 @@ unbound_conf() {
echo " rrset-cache-slabs: 1"
echo " infra-cache-slabs: 1"
echo " key-cache-slabs: 1"
echo " ratelimit-slabs: 1"
echo " ip-ratelimit-slabs: 1"
echo
# Logging
echo " use-syslog: yes"
@@ -640,12 +683,12 @@ unbound_conf() {
} >> $UB_CORE_CONF
if [ "$UB_D_VERBOSE" -ge 0 ] && [ "$UB_D_VERBOSE" -le 5 ] ; then
if [ $UB_D_VERBOSE -ge 0 ] && [ $UB_D_VERBOSE -le 5 ] ; then
echo " verbosity: $UB_D_VERBOSE" >> $UB_CORE_CONF
fi
if [ "$UB_B_EXT_STATS" -gt 0 ] ; then
if [ $UB_B_EXT_STATS -gt 0 ] ; then
{
# Log More
echo " extended-statistics: yes"
@@ -661,16 +704,14 @@ unbound_conf() {
fi
if [ "$UB_B_IF_AUTO" -gt 0 ] ; then
if [ $UB_B_IF_AUTO -gt 0 ] ; then
echo " interface-automatic: yes" >> $UB_CORE_CONF
fi
case "$UB_D_DNS_ASSIST" in
bind|ipset-dns|nsd)
if [ $UB_B_DNS_ASSIST -gt 0 ] ; then
echo " do-not-query-localhost: no" >> $UB_CORE_CONF
;;
esac
fi
case "$UB_D_PROTOCOL" in
@@ -747,7 +788,7 @@ unbound_conf() {
;;
*)
if [ "$UB_B_READY" -eq 0 ] ; then
if [ $UB_B_READY -eq 0 ] ; then
logger -t unbound -s "default protocol configuration"
fi
@@ -767,19 +808,19 @@ unbound_conf() {
case "$UB_D_RESOURCE" in
# Tiny - Unbound's recommended cheap hardware config
tiny) rt_mem=1 ; rt_conn=2 ; rt_buff=1 ;;
tiny) rt_mem=1 ; rt_conn=5 ; rt_buff=1 ;;
# Small - Half RRCACHE and open ports
small) rt_mem=8 ; rt_conn=10 ; rt_buff=2 ;;
# Medium - Nearly default but with some added balancintg
medium) rt_mem=16 ; rt_conn=15 ; rt_buff=4 ;;
medium) rt_mem=16 ; rt_conn=20 ; rt_buff=4 ;;
# Large - Double medium
large) rt_mem=32 ; rt_conn=20 ; rt_buff=4 ;;
large) rt_mem=32 ; rt_conn=50 ; rt_buff=4 ;;
# Whatever unbound does
*) rt_mem=0 ; rt_conn=0 ;;
esac
if [ "$rt_mem" -gt 0 ] ; then
if [ $rt_mem -gt 0 ] ; then
{
# Other harding and options for an embedded router
echo " harden-short-bufsize: yes"
@@ -795,13 +836,16 @@ unbound_conf() {
echo " incoming-num-tcp: $(($rt_conn))"
echo " rrset-cache-size: $(($rt_mem*256))k"
echo " msg-cache-size: $(($rt_mem*128))k"
echo " stream-wait-size: $(($rt_mem*128))k"
echo " key-cache-size: $(($rt_mem*128))k"
echo " neg-cache-size: $(($rt_mem*64))k"
echo " neg-cache-size: $(($rt_mem*32))k"
echo " ratelimit-size: $(($rt_mem*32))k"
echo " ip-ratelimit-size: $(($rt_mem*32))k"
echo " infra-cache-numhosts: $(($rt_mem*256))"
echo
} >> $UB_CORE_CONF
elif [ "$UB_B_READY" -eq 0 ] ; then
elif [ $UB_B_READY -eq 0 ] ; then
logger -t unbound -s "default memory configuration"
fi
@@ -818,8 +862,8 @@ unbound_conf() {
esac
if [ "$UB_B_DNSSEC" -gt 0 ] ; then
if [ "$UB_B_NTP_BOOT" -gt 0 ] ; then
if [ $UB_B_DNSSEC -gt 0 ] ; then
if [ $UB_B_NTP_BOOT -gt 0 ] ; then
# DNSSEC chicken and egg with getting NTP time
echo " val-override-date: -1" >> $UB_CORE_CONF
fi
@@ -843,7 +887,7 @@ unbound_conf() {
esac
if [ "$UB_B_DNS64" -gt 0 ] ; then
if [ $UB_B_DNS64 -gt 0 ] ; then
echo " dns64-prefix: $UB_IP_DNS64" >> $UB_CORE_CONF
modulestring="dns64 $modulestring"
@@ -861,16 +905,16 @@ unbound_conf() {
passive)
{
# Some query privacy but "strict" will break some servers
if [ "$UB_B_QRY_MINST" -gt 0 ] && [ "$UB_B_QUERY_MIN" -gt 0 ] ; then
if [ $UB_B_QRY_MINST -gt 0 ] && [ "$UB_B_QUERY_MIN" -gt 0 ] ; then
echo " qname-minimisation: yes"
echo " qname-minimisation-strict: yes"
elif [ "$UB_B_QUERY_MIN" -gt 0 ] ; then
elif [ $UB_B_QUERY_MIN -gt 0 ] ; then
echo " qname-minimisation: yes"
else
echo " qname-minimisation: no"
fi
# Use DNSSEC to quickly understand NXDOMAIN ranges
if [ "$UB_B_DNSSEC" -gt 0 ] ; then
if [ $UB_B_DNSSEC -gt 0 ] ; then
echo " aggressive-nsec: yes"
echo " prefetch-key: no"
fi
@@ -884,16 +928,16 @@ unbound_conf() {
aggressive)
{
# Some query privacy but "strict" will break some servers
if [ "$UB_B_QRY_MINST" -gt 0 ] && [ "$UB_B_QUERY_MIN" -gt 0 ] ; then
if [ $UB_B_QRY_MINST -gt 0 ] && [ $UB_B_QUERY_MIN -gt 0 ] ; then
echo " qname-minimisation: yes"
echo " qname-minimisation-strict: yes"
elif [ "$UB_B_QUERY_MIN" -gt 0 ] ; then
elif [ $UB_B_QUERY_MIN -gt 0 ] ; then
echo " qname-minimisation: yes"
else
echo " qname-minimisation: no"
fi
# Use DNSSEC to quickly understand NXDOMAIN ranges
if [ "$UB_B_DNSSEC" -gt 0 ] ; then
if [ $UB_B_DNSSEC -gt 0 ] ; then
echo " aggressive-nsec: yes"
echo " prefetch-key: yes"
fi
@@ -905,13 +949,24 @@ unbound_conf() {
;;
*)
if [ "$UB_B_READY" -eq 0 ] ; then
if [ $UB_B_READY -eq 0 ] ; then
logger -t unbound -s "default recursion configuration"
fi
;;
esac
if [ 10 -lt $UB_N_RATE_LMT ] && [ $UB_N_RATE_LMT -lt 100000 ] ; then
{
# Protect the server from query floods which is helpful on weaker CPU
# Per client rate limit is half the maximum to leave head room open
echo " ratelimit: $UB_N_RATE_LMT"
echo " ip-ratelimit: $(($UB_N_RATE_LMT/2))"
echo
} >> $UB_CORE_CONF
fi
{
# Reload records more than 20 hours old
# DNSSEC 5 minute bogus cool down before retry
@@ -924,7 +979,7 @@ unbound_conf() {
} >> $UB_CORE_CONF
if [ "$UB_B_HIDE_BIND" -gt 0 ] ; then
if [ $UB_B_HIDE_BIND -gt 0 ] ; then
{
# Block server id and version DNS TXT records
echo " hide-identity: yes"
@@ -934,7 +989,7 @@ unbound_conf() {
fi
if [ "$UB_D_PRIV_BLCK" -gt 0 ] ; then
if [ $UB_D_PRIV_BLCK -gt 0 ] ; then
{
# Remove _upstream_ or global reponses with private addresses.
# Unbounds own "local zone" and "forward zone" may still use these.
@@ -951,7 +1006,7 @@ unbound_conf() {
fi
if [ -n "$UB_LIST_NETW_LAN" ] && [ "$UB_D_PRIV_BLCK" -gt 1 ] ; then
if [ -n "$UB_LIST_NETW_LAN" ] && [ $UB_D_PRIV_BLCK -gt 1 ] ; then
{
for ifsubnet in $UB_LIST_NETW_LAN ; do
case $ifsubnet in
@@ -966,7 +1021,7 @@ unbound_conf() {
fi
if [ "$UB_B_LOCL_BLCK" -gt 0 ] ; then
if [ $UB_B_LOCL_BLCK -gt 0 ] ; then
{
# Remove DNS reponses from upstream with loopback IP
# Black hole DNS method for ad blocking, so consider...
@@ -988,7 +1043,7 @@ unbound_conf() {
fi
if [ "$UB_B_LOCL_SERV" -gt 0 ] && [ -n "$UB_LIST_NETW_ALL" ] ; then
if [ $UB_B_LOCL_SERV -gt 0 ] && [ -n "$UB_LIST_NETW_ALL" ] ; then
{
for ifsubnet in $UB_LIST_NETW_ALL ; do
# Only respond to queries from subnets which have an interface.
@@ -1027,7 +1082,7 @@ unbound_hostname() {
} >> $UB_HOST_CONF
elif [ -n "$UB_TXT_DOMAIN" ] \
&& { [ "$UB_D_WAN_FQDN" -gt 0 ] || [ "$UB_D_LAN_FQDN" -gt 0 ] ; } ; then
&& { [ $UB_D_WAN_FQDN -gt 0 ] || [ $UB_D_LAN_FQDN -gt 0 ] ; } ; then
case "$UB_D_DOMAIN_TYPE" in
deny|inform_deny|refuse|static)
{
@@ -1080,7 +1135,7 @@ unbound_hostname() {
if [ -n "$ifarpa" ] ; then
if [ "$UB_D_WAN_FQDN" -gt 0 ] ; then
if [ $UB_D_WAN_FQDN -gt 0 ] ; then
{
# Create a static zone for WAN host record only (singular)
echo " domain-insecure: $ifarpa"
@@ -1092,7 +1147,7 @@ unbound_hostname() {
echo
} >> $UB_HOST_CONF
elif [ "$zonetype" -gt 0 ] ; then
elif [ $zonetype -gt 0 ] ; then
{
echo " local-zone: $ifarpa transparent"
echo
@@ -1109,7 +1164,7 @@ unbound_hostname() {
if [ -n "$ifarpa" ] ; then
if [ "$zonetype" -eq 2 ] ; then
if [ $zonetype -eq 2 ] ; then
{
# Do NOT forward queries with your ip6.arpa or in-addr.arpa
echo " domain-insecure: $ifarpa"
@@ -1120,7 +1175,7 @@ unbound_hostname() {
echo
} >> $UB_HOST_CONF
elif [ "$zonetype" -eq 1 ] && [ "$UB_D_PRIV_BLCK" -eq 0 ] ; then
elif [ $zonetype -eq 1 ] && [ $UB_D_PRIV_BLCK -eq 0 ] ; then
{
echo " local-zone: $ifarpa transparent"
echo
@@ -1142,7 +1197,7 @@ unbound_hostname() {
fi
if [ "$UB_LIST_NETW_LAN" ] && [ "$UB_D_LAN_FQDN" -gt 0 ] ; then
if [ "$UB_LIST_NETW_LAN" ] && [ $UB_D_LAN_FQDN -gt 0 ] ; then
for ifsubnet in $UB_LIST_NETW_LAN ; do
ifaddr=${ifsubnet#*@}
ifaddr=${ifaddr%/*}
@@ -1150,12 +1205,12 @@ unbound_hostname() {
iffqdn="$ifname.$hostfqdn"
if [ "$UB_D_LAN_FQDN" -eq 4 ] ; then
if [ $UB_D_LAN_FQDN -eq 4 ] ; then
names="$iffqdn $hostfqdn $UB_TXT_HOSTNAME"
ptrrec=" local-data-ptr: \"$ifaddr 300 $iffqdn\""
echo "$ptrrec" >> $UB_HOST_CONF
elif [ "$UB_D_LAN_FQDN" -eq 3 ] ; then
elif [ $UB_D_LAN_FQDN -eq 3 ] ; then
names="$hostfqdn $UB_TXT_HOSTNAME"
ptrrec=" local-data-ptr: \"$ifaddr 300 $hostfqdn\""
echo "$ptrrec" >> $UB_HOST_CONF
@@ -1181,7 +1236,7 @@ unbound_hostname() {
;;
*)
if [ "$UB_D_LAN_FQDN" -gt 1 ] ; then
if [ $UB_D_LAN_FQDN -gt 1 ] ; then
# IP6 GLA is assigned for higher options
namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
echo "$namerec" >> $UB_HOST_CONF
@@ -1194,7 +1249,7 @@ unbound_hostname() {
fi
if [ -n "$UB_LIST_NETW_WAN" ] && [ "$UB_D_WAN_FQDN" -gt 0 ] ; then
if [ -n "$UB_LIST_NETW_WAN" ] && [ $UB_D_WAN_FQDN -gt 0 ] ; then
for ifsubnet in $UB_LIST_NETW_WAN ; do
ifaddr=${ifsubnet#*@}
ifaddr=${ifaddr%/*}
@@ -1202,12 +1257,12 @@ unbound_hostname() {
iffqdn="$ifname.$hostfqdn"
if [ "$UB_D_WAN_FQDN" -eq 4 ] ; then
if [ $UB_D_WAN_FQDN -eq 4 ] ; then
names="$iffqdn $hostfqdn $UB_TXT_HOSTNAME"
ptrrec=" local-data-ptr: \"$ifaddr 300 $iffqdn\""
echo "$ptrrec" >> $UB_HOST_CONF
elif [ "$UB_D_WAN_FQDN" -eq 3 ] ; then
elif [ $UB_D_WAN_FQDN -eq 3 ] ; then
names="$hostfqdn $UB_TXT_HOSTNAME"
ptrrec=" local-data-ptr: \"$ifaddr 300 $hostfqdn\""
echo "$ptrrec" >> $UB_HOST_CONF
@@ -1233,7 +1288,7 @@ unbound_hostname() {
;;
*)
if [ "$UB_D_WAN_FQDN" -gt 1 ] ; then
if [ $UB_D_WAN_FQDN -gt 1 ] ; then
# IP6 GLA is assigned for higher options
namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
echo "$namerec" >> $UB_HOST_CONF
@@ -1276,11 +1331,11 @@ unbound_uci() {
config_get UB_N_RX_PORT "$cfg" listen_port 53
config_get UB_N_ROOT_AGE "$cfg" root_age 9
config_get UB_N_THREADS "$cfg" num_threads 1
config_get UB_N_RATE_LMT "$cfg" rate_limit 0
config_get UB_D_CONTROL "$cfg" unbound_control 0
config_get UB_D_DOMAIN_TYPE "$cfg" domain_type static
config_get UB_D_DHCP_LINK "$cfg" dhcp_link none
config_get UB_D_DNS_ASSIST "$cfg" dns_assist none
config_get UB_D_EXTRA_DNS "$cfg" add_extra_dns 0
config_get UB_D_LAN_FQDN "$cfg" add_local_fqdn 0
config_get UB_D_PRIV_BLCK "$cfg" rebind_protection 1
@@ -1300,27 +1355,17 @@ unbound_uci() {
config_get_bool UB_B_DNSMASQ "$cfg" dnsmasq_link_dns 0
if [ "$UB_B_DNSMASQ" -gt 0 ] ; then
if [ $UB_B_DNSMASQ -gt 0 ] ; then
UB_D_DHCP_LINK=dnsmasq
if [ "$UB_B_READY" -eq 0 ] ; then
if [ $UB_B_READY -eq 0 ] ; then
logger -t unbound -s "Please use 'dhcp_link' selector instead"
fi
fi
fi
if [ "$UB_D_DNS_ASSIST" = "none" ] ; then
UB_D_DNS_ASSIST=none
elif [ ! -x /usr/sbin/bind ] || [ ! -x /etc/init.d/bind ] \
|| [ ! -x /usr/sbin/nsd ] || [ ! -x /etc/init.d/nsd ] \
|| [ ! -x /usr/sbin/ipset-dns ] || [ ! -x /etc/init.d/ipset-dns ] ; then
UB_D_DNS_ASSIST=none
fi
if [ "$UB_D_DHCP_LINK" = "dnsmasq" ] ; then
if [ ! -x /usr/sbin/dnsmasq ] || [ ! -x /etc/init.d/dnsmasq ] ; then
UB_D_DHCP_LINK=none
@@ -1329,7 +1374,7 @@ unbound_uci() {
fi
if [ "$UB_B_READY" -eq 0 ] && [ "$UB_D_DHCP_LINK" = "none" ] ; then
if [ $UB_B_READY -eq 0 ] && [ "$UB_D_DHCP_LINK" = "none" ] ; then
logger -t unbound -s "cannot forward to dnsmasq"
fi
fi
@@ -1343,26 +1388,26 @@ unbound_uci() {
fi
if [ "$UB_B_READY" -eq 0 ] && [ "$UB_D_DHCP_LINK" = "none" ] ; then
if [ $UB_B_READY -eq 0 ] && [ "$UB_D_DHCP_LINK" = "none" ] ; then
logger -t unbound -s "cannot receive records from odhcpd"
fi
fi
if [ "$UB_N_EDNS_SIZE" -lt 512 ] || [ 4096 -lt "$UB_N_EDNS_SIZE" ] ; then
if [ $UB_N_EDNS_SIZE -lt 512 ] || [ 4096 -lt $UB_N_EDNS_SIZE ] ; then
logger -t unbound -s "edns_size exceeds range, using default"
UB_N_EDNS_SIZE=1280
fi
if [ "$UB_N_RX_PORT" -ne 53 ] \
&& { [ "$UB_N_RX_PORT" -lt 1024 ] || [ 10240 -lt "$UB_N_RX_PORT" ] ; } ; then
if [ $UB_N_RX_PORT -ne 53 ] \
&& { [ $UB_N_RX_PORT -lt 1024 ] || [ 10240 -lt $UB_N_RX_PORT ] ; } ; then
logger -t unbound -s "privileged port or in 5 digits, using default"
UB_N_RX_PORT=53
fi
if [ "$UB_TTL_MIN" -gt 1800 ] ; then
if [ $UB_TTL_MIN -gt 1800 ] ; then
logger -t unbound -s "ttl_min could have had awful side effects, using 300"
UB_TTL_MIN=300
fi
@@ -1405,7 +1450,7 @@ unbound_include() {
# Incremental Unbound restarts may drop unbound-control records
echo "include: $UB_DHCP_CONF"
echo
}>> $UB_TOTAL_CONF
} >> $UB_TOTAL_CONF
fi
@@ -1431,7 +1476,7 @@ unbound_include() {
# Pull your own "server:" options here
echo "include: $UB_SRV_CONF"
echo
}>> $UB_TOTAL_CONF
} >> $UB_TOTAL_CONF
fi
@@ -1456,13 +1501,6 @@ unbound_include() {
fi
if [ -f "$UB_ASSIST_CONF" ] ; then
# UCI found link to DNS helpers
cat $UB_ASSIST_CONF >> $UB_TOTAL_CONF
rm $UB_ASSIST_CONF
fi
if [ -f "$UB_EXT_CONF" ] ; then
{
# Pull your own extend feature clauses here
@@ -1476,30 +1514,28 @@ unbound_include() {
resolv_setup() {
if [ "$UB_N_RX_PORT" != "53" ] ; then
return
# unbound is not the default on target resolver
echo "do nothing" >/dev/null
elif [ -x /etc/init.d/dnsmasq ] \
&& /etc/init.d/dnsmasq enabled \
&& nslookup localhost 127.0.0.1#53 >/dev/null 2>&1 ; then
# unbound is configured for port 53, but dnsmasq is enabled and a resolver
# listens on localhost:53, lets assume dnsmasq manages the resolver file.
# TODO:
# really check if dnsmasq runs a local (main) resolver in stead of using
# nslookup that times out when no resolver listens on localhost:53.
return
# unbound is configured for port 53, but dnsmasq is enabled, and a resolver
# is already listening on port 53. Let dnsmasq manage resolve.conf.
# This also works to prevent clobbering while changing UCI.
echo "do nothing" >/dev/null
else
# unbound listens on 127.0.0.1#53 so set resolver file to local.
rm -f /tmp/resolv.conf
{
echo "# /tmp/resolv.conf generated by Unbound UCI $( date -Is )"
echo "nameserver 127.0.0.1"
echo "nameserver ::1"
echo "search $UB_TXT_DOMAIN."
} > /tmp/resolv.conf
fi
# unbound is designated to listen on 127.0.0.1#53,
# set resolver file to local.
rm -f /tmp/resolv.conf
{
echo "# /tmp/resolv.conf generated by Unbound UCI $( date -Is )"
echo "nameserver 127.0.0.1"
echo "nameserver ::1"
echo "search $UB_TXT_DOMAIN."
} > /tmp/resolv.conf
}
##############################################################################
@@ -1510,7 +1546,7 @@ unbound_start() {
unbound_mkdir
if [ "$UB_B_MAN_CONF" -eq 0 ] ; then
if [ $UB_B_MAN_CONF -eq 0 ] ; then
# iterate zones before we load other UCI
# forward-zone: auth-zone: and stub-zone:
config_foreach unbound_zone zone
@@ -1525,8 +1561,6 @@ unbound_start() {
unbound_hostname
# control:
unbound_control
# assistants
unbound_assistant
# dnsmasq
dnsmasq_link
# merge
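Review bot: The new rate-limit gate in unbound_conf, `if [ 10 -lt $UB_N_RATE_LMT ] && [ $UB_N_RATE_LMT -lt 100000 ]`, feeds a raw UCI string into an integer comparison with no numeric check and, like the rest of this commit, with the quotes stripped, so an empty or non-numeric `rate_limit` value produces a `[` error on every start instead of the logged fallback that the `edns_size` and `listen_port` checks in unbound_uci provide. A guard beside those checks such as `case "$UB_N_RATE_LMT" in ''|*[!0-9]*) logger -t unbound -s "rate_limit is not a number, disabled" ; UB_N_RATE_LMT=0 ;; esac` would keep the same shape and make the later test safe. The comment above the emitted options should also say which direction each limit applies to: per the unbound.conf documentation `ratelimit:` caps the queries the resolver itself sends per zone toward upstream name servers, while only `ip-ratelimit:` is the per-client inbound limit the commit title describes, so `# ratelimit: queries per zone sent upstream; ip-ratelimit: queries accepted per client IP` is more accurate than "Protect the server from query floods". The unbound_uci block that reads `rate_limit` into `UB_N_RATE_LMT` starts and ends outside the visible hunks.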