Diffstat (limited to 'net/unbound/files/unbound.sh')
-rw-r--r-- | net/unbound/files/unbound.sh | 328 |
1 files changed, 181 insertions, 147 deletions
diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh index 71bb2fd9f..788aa5dd9 100644 --- a/net/unbound/files/unbound.sh +++ b/net/unbound/files/unbound.sh @@ -23,25 +23,25 @@ # ############################################################################## -UB_B_SLAAC6_MAC=0 +UB_B_AUTH_ROOT=0 +UB_B_DNS_ASSIST=0 UB_B_DNSSEC=0 UB_B_DNS64=0 UB_B_EXT_STATS=0 UB_B_GATE_NAME=0 UB_B_HIDE_BIND=1 +UB_B_IF_AUTO=1 UB_B_LOCL_BLCK=0 UB_B_LOCL_SERV=1 UB_B_MAN_CONF=0 UB_B_NTP_BOOT=1 UB_B_QUERY_MIN=0 UB_B_QRY_MINST=0 -UB_B_AUTH_ROOT=0 -UB_B_IF_AUTO=1 +UB_B_SLAAC6_MAC=0 UB_D_CONTROL=0 UB_D_DOMAIN_TYPE=static UB_D_DHCP_LINK=none -UB_D_DNS_ASSIST=none UB_D_EXTRA_DNS=0 UB_D_LAN_FQDN=0 UB_D_PRIV_BLCK=1 @@ -57,6 +57,7 @@ UB_N_EDNS_SIZE=1280 UB_N_RX_PORT=53 UB_N_ROOT_AGE=9 UB_N_THREADS=1 +UB_N_RATE_LMT=0 UB_TTL_MIN=120 UB_TXT_DOMAIN=lan @@ -123,7 +124,7 @@ bundle_lan_networks() { ifdashname="${ifname//./-}" - if [ "$ignore" -eq 0 ] && [ -n "$ifdashname" ] \ + if [ $ignore -eq 0 ] && [ -n "$ifdashname" ] \ && [ -n "$UB_LIST_NETW_ALL" ] ; then for ifsubnet in $UB_LIST_NETW_ALL ; do case $ifsubnet in @@ -225,7 +226,7 @@ unbound_mkdir() { # Debian-like package dns-root-data cp -p /usr/share/dns/root.hints $UB_RHINT_FILE - elif [ "$UB_B_READY" -eq 0 ] ; then + elif [ $UB_B_READY -eq 0 ] ; then logger -t unbound -s "default root hints (built in root-servers.net)" fi fi @@ -239,7 +240,7 @@ unbound_mkdir() { elif [ -x $UB_ANCHOR ] ; then $UB_ANCHOR -a $UB_RKEY_FILE - elif [ "$UB_B_READY" -eq 0 ] ; then + elif [ $UB_B_READY -eq 0 ] ; then logger -t unbound -s "default trust anchor (built in root DS record)" fi fi @@ -296,7 +297,7 @@ unbound_mkdir() { UB_B_READY=1 UB_B_NTP_BOOT=0 - elif [ "$UB_B_NTP_BOOT" -eq 0 ] ; then + elif [ $UB_B_NTP_BOOT -eq 0 ] ; then # time is considered okay on this device (ignore /etc/hotplug/ntpd/unbound) date -Is > $UB_TIME_FILE UB_B_READY=0 
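Review bot: The change from `[ "$ignore" -eq 0 ]` to `[ $ignore -eq 0 ]` in bundle_lan_networks, repeated throughout this patch for every numeric test, drops the quoting that keeps `[` well-formed when a variable is empty or holds whitespace (ShellCheck SC2086). For the config_get_bool values it is harmless, but the same pattern is applied later to plain config_get values such as UB_N_RATE_LMT and UB_N_EDNS_SIZE, where a malformed UCI value would surface as an `[: unary operator expected` error rather than a clean false. I would keep the quoted form here and everywhere else: `if [ "$ignore" -eq 0 ] && [ -n "$ifdashname" ] \`. The body of bundle_lan_networks continues outside the hunk.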
@@ -315,7 +316,7 @@ unbound_control() { echo "# $UB_CTRL_CONF generated by UCI $( date -Is )" > $UB_CTRL_CONF - if [ "$UB_D_CONTROL" -gt 1 ] ; then + if [ $UB_D_CONTROL -gt 1 ] ; then if [ ! -f $UB_CTLKEY_FILE ] || [ ! -f $UB_CTLPEM_FILE ] \ || [ ! -f $UB_SRVKEY_FILE ] || [ ! -f $UB_SRVPEM_FILE ] ; then # Key files need to be present; if unbound-control-setup was found, then @@ -376,44 +377,13 @@ unbound_control() { ############################################################################## -unbound_assistant() { - local port=53000 - - case "$UB_D_DNS_ASSIST" in - ipset-dns) - port=$( uci_get ipset-dns.@ipset-dns[0].port ) - - if [ ! -f "$UB_ASSIST_CONF" ] \ - && [ $port -gt 0 ] && [ $port -lt 65535 ] ; then - { - echo "# $UB_ASSIST_CONF generated by UCI $( date -Is )" - echo "forward-zone:" - echo " name: ." - echo " forward-addr: 127.0.0.1@$port" - echo " forward-first: no" - } > $UB_ASSIST_CONF - fi - ;; - - nsd) - echo "# Sorry, NSD does not have UCI to read and link." >> $UB_ASSIST_CONF - ;; - - bind) - echo "# Sorry, Bind does not have UCI to read and link." >> $UB_ASSIST_CONF - ;; - esac -} - -############################################################################## - unbound_zone() { local cfg=$1 local servers_ip="" local servers_host="" local zone_sym zone_name zone_type zone_enabled zone_file local tls_upstream fallback - local server port tls_port tls_index tls_suffix url_dir + local server port tls_port tls_index tls_suffix url_dir dns_ast if [ ! -f "$UB_ZONE_CONF" ] ; then echo "# $UB_ZONE_CONF generated by UCI $( date -Is )" > $UB_ZONE_CONF @@ -423,7 +393,7 @@ unbound_zone() { config_get_bool zone_enabled "$cfg" enabled 0 - if [ "$zone_enabled" -eq 1 ] ; then + if [ $zone_enabled -eq 1 ] ; then # these lists are built for each zone; empty to start UB_LIST_ZONE_NAMES="" UB_LIST_ZONE_SERVERS="" 
@@ -433,6 +403,7 @@ unbound_zone() { config_get tls_index "$cfg" tls_index "" config_get tls_port "$cfg" tls_port 853 config_get url_dir "$cfg" url_dir "" + config_get dns_ast "$cfg" dns_assist none config_get_bool resolv_conf "$cfg" resolv_conf 0 config_get_bool fallback "$cfg" fallback 1 @@ -443,8 +414,8 @@ unbound_zone() { # string formating for Unbound syntax tls_suffix="${tls_port:+@${tls_port}${tls_index:+#${tls_index}}}" - [ "$fallback" -eq 0 ] && fallback=no || fallback=yes - [ "$tls_upstream" -eq 0 ] && tls_upstream=no || tls_upstream=yes + [ $fallback -eq 0 ] && fallback=no || fallback=yes + [ $tls_upstream -eq 0 ] && tls_upstream=no || tls_upstream=yes if [ $resolv_conf -eq 1 ] ; then 
@@ -456,9 +427,70 @@ unbound_zone() { fi + case "$dns_ast" in + bind) + if [ -x /usr/sbin/bind ] && [ -x /etc/init.d/bind ] ; then + if /etc/init.d/bind enabled ; then + dns_ast=1 + else + dns_ast=0 + fi + else + dns_ast=0 + fi + ;; + + dnsmasq) + if [ -x /usr/sbin/dnsmasq ] && [ -x /etc/init.d/dnsmasq ] ; then + if /etc/init.d/dnsmasq enabled ; then + dns_ast=1 + else + dns_ast=0 + fi + else + dns_ast=0 + fi + ;; + + ipset-dns) + if [ -x /usr/sbin/ipset-dns ] && [ -x /etc/init.d/ipset-dns ] ; then + if /etc/init.d/ipset-dns enabled ; then + dns_ast=1 + else + dns_ast=0 + fi + else + dns_ast=0 + fi + ;; + + nsd) + if [ -x /usr/sbin/nsd ] && [ -x /etc/init.d/nsd ] ; then + if /etc/init.d/nsd enabled ; then + dns_ast=1 + else + dns_ast=0 + fi + else + dns_ast=0 + fi + ;; + + *) + # Prevent a soft-brick event through local forwarding loops. Declare your + # assistant program and this will check to be sure it is there. + dns_ast=0 + esac + + + if [ $dns_ast -gt 0 ] ; then + UB_B_DNS_ASSIST=1 + fi + + case $zone_type in auth_zone) - if [ "$UB_B_NTP_BOOT" -eq 0 ] && [ -n "$UB_LIST_ZONE_NAMES" ] \ + if [ $UB_B_NTP_BOOT -eq 0 ] && [ -n "$UB_LIST_ZONE_NAMES" ] \ && { [ -n "$url_dir" ] || [ -n "$UB_LIST_ZONE_SERVERS" ] ; } ; then # Note AXFR may have large downloads. If NTP restart is configured, # then this can cause procd to force a process kill. 
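Review bot: The four `bind|dnsmasq|ipset-dns|nsd` arms of the new `case "$dns_ast"` are identical apart from the program name, so the check can be one parameterised arm, which also makes the loop-prevention intent easier to audit. Note also that on OpenWrt `/etc/init.d/X enabled` reports whether the service starts at boot, not that it is currently listening, so this guards against a misdeclared assistant rather than against a stopped one; the comment in the `*)` arm should say so rather than promising to prevent forwarding loops outright. The surrounding `if [ $zone_enabled -eq 1 ]` block closes outside the hunk.

```shell
      case "$dns_ast" in
        bind|dnsmasq|ipset-dns|nsd)
          # Assistant must be installed and enabled at boot before a loopback
          # forward-addr is accepted; this does not prove it is running now.
          if [ -x "/usr/sbin/$dns_ast" ] && [ -x "/etc/init.d/$dns_ast" ] \
            && "/etc/init.d/$dns_ast" enabled ; then
            dns_ast=1
          else
            dns_ast=0
          fi
          ;;

        *)
          # Undeclared or unknown assistant: never allow loopback upstreams.
          dns_ast=0
          ;;
      esac
      # … unchanged: UB_B_DNS_ASSIST flag and case $zone_type …
```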
@@ -503,18 +535,20 @@ unbound_zone() { if [ -n "$UB_LIST_ZONE_NAMES" ] && [ -n "$UB_LIST_ZONE_SERVERS" ] ; then for server in $UB_LIST_ZONE_SERVERS ; do - if [ "$( valid_subnet_any $server )" = "not" ] ; then + if [ "$( valid_subnet_any $server )" = "ok" ] \ + || { [ "$( local_subnet $server )" = "ok" ] \ + && [ $dns_ast -gt 0 ] ; } ; then case $server in *@[0-9]*|*#[A-Za-z0-9]*) - # unique Unbound option for server host name - servers_host="$servers_host $server" + # unique Unbound option for server address + servers_ip="$servers_ip $server" ;; *) if [ "$tls_upstream" = "yes" ] ; then - servers_host="$servers_host $server${tls_port:+@${tls_port}}" + servers_ip="$servers_ip $server$tls_suffix" else - servers_host="$servers_host $server${port:+@${port}}" + servers_ip="$servers_ip $server${port:+@${port}}" fi ;; esac @@ -522,15 +556,15 @@ unbound_zone() { else case $server in *@[0-9]*|*#[A-Za-z0-9]*) - # unique Unbound option for server address - servers_ip="$servers_ip $server" + # unique Unbound option for server host name + servers_host="$servers_host $server" ;; *) if [ "$tls_upstream" = "yes" ] ; then - servers_ip="$servers_ip $server$tls_suffix" + servers_host="$servers_host $server${tls_port:+@${tls_port}}" else - servers_ip="$servers_ip $server${port:+@${port}}" + servers_host="$servers_host $server${port:+@${port}}" fi ;; esac @@ -573,6 +607,13 @@ unbound_zone() { done fi ;; + + *) + { + echo " # Special zone $zonename was not enabled or had UCI conflicts." + echo + } >> $UB_ZONE_CONF + ;; esac } @@ -605,7 +646,7 @@ unbound_conf() { fi - if [ "$UB_B_DNSSEC" -gt 0 ] && [ -f "$UB_RKEY_FILE" ] ; then + if [ $UB_B_DNSSEC -gt 0 ] && [ -f "$UB_RKEY_FILE" ] ; then { echo " auto-trust-anchor-file: $UB_RKEY_FILE" echo 
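Review bot: A loopback server such as `127.0.0.1@53000` in a zone that does not declare a matching `dns_assist` now fails the first branch and falls into the `else`, where it is appended to `servers_host` and later emitted as a forward-host; Unbound will then try to resolve the literal address as a name, so the zone is silently broken instead of being rejected. If `local_subnet` returns `ok` for loopback addresses, as its use here suggests (the helper is outside the hunk), I would add a middle branch that drops the entry with a message, `elif [ "$( local_subnet $server )" = "ok" ] ; then logger -t unbound -s "zone $zone_name: loopback server $server ignored without dns_assist"`, before the host-name fallback. The enclosing `for server in $UB_LIST_ZONE_SERVERS` loop ends outside the hunk.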
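Review bot: The new `*)` arm writes `$zonename`, but the only zone name variable declared in unbound_zone is `zone_name` (see `local zone_sym zone_name zone_type ...`), so unless a global `zonename` exists elsewhere in the file the generated comment will have an empty name. The wording "was not enabled" is also misleading if this `case` sits inside the `if [ $zone_enabled -eq 1 ]` block started earlier in the function, because a disabled zone never reaches this arm; the `fi` is outside the hunk so I cannot confirm the nesting. I would write `echo " # Special zone $zone_name has an unknown zone_type or UCI conflicts."`.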
@@ -616,7 +657,7 @@ unbound_conf() { fi - if [ "$UB_N_THREADS" -gt 1 ] \ + if [ $UB_N_THREADS -gt 1 ] \ && $PROG -V | grep -q "Linked libs:.*libevent" ; then # heavy variant using "threads" may need substantial resources echo " num-threads: 2" >> $UB_CORE_CONF @@ -632,6 +673,8 @@ unbound_conf() { echo " rrset-cache-slabs: 1" echo " infra-cache-slabs: 1" echo " key-cache-slabs: 1" + echo " ratelimit-slabs: 1" + echo " ip-ratelimit-slabs: 1" echo # Logging echo " use-syslog: yes" @@ -640,12 +683,12 @@ unbound_conf() { } >> $UB_CORE_CONF - if [ "$UB_D_VERBOSE" -ge 0 ] && [ "$UB_D_VERBOSE" -le 5 ] ; then + if [ $UB_D_VERBOSE -ge 0 ] && [ $UB_D_VERBOSE -le 5 ] ; then echo " verbosity: $UB_D_VERBOSE" >> $UB_CORE_CONF fi - if [ "$UB_B_EXT_STATS" -gt 0 ] ; then + if [ $UB_B_EXT_STATS -gt 0 ] ; then { # Log More echo " extended-statistics: yes" @@ -661,16 +704,14 @@ unbound_conf() { fi - if [ "$UB_B_IF_AUTO" -gt 0 ] ; then + if [ $UB_B_IF_AUTO -gt 0 ] ; then echo " interface-automatic: yes" >> $UB_CORE_CONF fi - case "$UB_D_DNS_ASSIST" in - bind|ipset-dns|nsd) + if [ $UB_B_DNS_ASSIST -gt 0 ] ; then echo " do-not-query-localhost: no" >> $UB_CORE_CONF - ;; - esac + fi case "$UB_D_PROTOCOL" in @@ -747,7 +788,7 @@ unbound_conf() { ;; *) - if [ "$UB_B_READY" -eq 0 ] ; then + if [ $UB_B_READY -eq 0 ] ; then logger -t unbound -s "default protocol configuration" fi 
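Review bot: `do-not-query-localhost: no` is a server-wide option, but UB_B_DNS_ASSIST is raised from inside unbound_zone for any single zone that names an enabled assistant, so one zone's helper removes the loopback-query guard for every forward and stub zone in the instance. That may be the intended trade-off, yet the generated unbound.conf gives an operator no hint of why the default hardening is off. I would emit a comment next to it, `echo " # loopback upstreams allowed because a zone declared dns_assist"`, so the relaxed setting is traceable to its cause. unbound_conf continues outside the hunk.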
@@ -767,19 +808,19 @@ unbound_conf() { case "$UB_D_RESOURCE" in # Tiny - Unbound's recommended cheap hardware config - tiny) rt_mem=1 ; rt_conn=2 ; rt_buff=1 ;; + tiny) rt_mem=1 ; rt_conn=5 ; rt_buff=1 ;; # Small - Half RRCACHE and open ports small) rt_mem=8 ; rt_conn=10 ; rt_buff=2 ;; # Medium - Nearly default but with some added balancintg - medium) rt_mem=16 ; rt_conn=15 ; rt_buff=4 ;; + medium) rt_mem=16 ; rt_conn=20 ; rt_buff=4 ;; # Large - Double medium - large) rt_mem=32 ; rt_conn=20 ; rt_buff=4 ;; + large) rt_mem=32 ; rt_conn=50 ; rt_buff=4 ;; # Whatever unbound does *) rt_mem=0 ; rt_conn=0 ;; esac - if [ "$rt_mem" -gt 0 ] ; then + if [ $rt_mem -gt 0 ] ; then { # Other harding and options for an embedded router echo " harden-short-bufsize: yes" @@ -795,13 +836,16 @@ unbound_conf() { echo " incoming-num-tcp: $(($rt_conn))" echo " rrset-cache-size: $(($rt_mem*256))k" echo " msg-cache-size: $(($rt_mem*128))k" + echo " stream-wait-size: $(($rt_mem*128))k" echo " key-cache-size: $(($rt_mem*128))k" - echo " neg-cache-size: $(($rt_mem*64))k" + echo " neg-cache-size: $(($rt_mem*32))k" + echo " ratelimit-size: $(($rt_mem*32))k" + echo " ip-ratelimit-size: $(($rt_mem*32))k" echo " infra-cache-numhosts: $(($rt_mem*256))" echo } >> $UB_CORE_CONF - elif [ "$UB_B_READY" -eq 0 ] ; then + elif [ $UB_B_READY -eq 0 ] ; then logger -t unbound -s "default memory configuration" fi @@ -818,8 +862,8 @@ unbound_conf() { esac - if [ "$UB_B_DNSSEC" -gt 0 ] ; then - if [ "$UB_B_NTP_BOOT" -gt 0 ] ; then + if [ $UB_B_DNSSEC -gt 0 ] ; then + if [ $UB_B_NTP_BOOT -gt 0 ] ; then # DNSSEC chicken and egg with getting NTP time echo " val-override-date: -1" >> $UB_CORE_CONF fi @@ -843,7 +887,7 @@ unbound_conf() { esac - if [ "$UB_B_DNS64" -gt 0 ] ; then + if [ $UB_B_DNS64 -gt 0 ] ; then echo " dns64-prefix: $UB_IP_DNS64" >> $UB_CORE_CONF modulestring="dns64 $modulestring" 
@@ -861,16 +905,16 @@ unbound_conf() { passive) { # Some query privacy but "strict" will break some servers - if [ "$UB_B_QRY_MINST" -gt 0 ] && [ "$UB_B_QUERY_MIN" -gt 0 ] ; then + if [ $UB_B_QRY_MINST -gt 0 ] && [ "$UB_B_QUERY_MIN" -gt 0 ] ; then echo " qname-minimisation: yes" echo " qname-minimisation-strict: yes" - elif [ "$UB_B_QUERY_MIN" -gt 0 ] ; then + elif [ $UB_B_QUERY_MIN -gt 0 ] ; then echo " qname-minimisation: yes" else echo " qname-minimisation: no" fi # Use DNSSEC to quickly understand NXDOMAIN ranges - if [ "$UB_B_DNSSEC" -gt 0 ] ; then + if [ $UB_B_DNSSEC -gt 0 ] ; then echo " aggressive-nsec: yes" echo " prefetch-key: no" fi @@ -884,16 +928,16 @@ unbound_conf() { aggressive) { # Some query privacy but "strict" will break some servers - if [ "$UB_B_QRY_MINST" -gt 0 ] && [ "$UB_B_QUERY_MIN" -gt 0 ] ; then + if [ $UB_B_QRY_MINST -gt 0 ] && [ $UB_B_QUERY_MIN -gt 0 ] ; then echo " qname-minimisation: yes" echo " qname-minimisation-strict: yes" - elif [ "$UB_B_QUERY_MIN" -gt 0 ] ; then + elif [ $UB_B_QUERY_MIN -gt 0 ] ; then echo " qname-minimisation: yes" else echo " qname-minimisation: no" fi # Use DNSSEC to quickly understand NXDOMAIN ranges - if [ "$UB_B_DNSSEC" -gt 0 ] ; then + if [ $UB_B_DNSSEC -gt 0 ] ; then echo " aggressive-nsec: yes" echo " prefetch-key: yes" fi @@ -905,13 +949,24 @@ unbound_conf() { ;; *) - if [ "$UB_B_READY" -eq 0 ] ; then + if [ $UB_B_READY -eq 0 ] ; then logger -t unbound -s "default recursion configuration" fi ;; esac + if [ 10 -lt $UB_N_RATE_LMT ] && [ $UB_N_RATE_LMT -lt 100000 ] ; then + { + # Protect the server from query floods which is helpful on weaker CPU + # Per client rate limit is half the maximum to leave head room open + echo " ratelimit: $UB_N_RATE_LMT" + echo " ip-ratelimit: $(($UB_N_RATE_LMT/2))" + echo + } >> $UB_CORE_CONF + fi + + { # Reload records more than 20 hours old # DNSSEC 5 minute bogus cool down before retry 
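Review bot: The range test `[ 10 -lt $UB_N_RATE_LMT ] && [ $UB_N_RATE_LMT -lt 100000 ]` silently discards values 1–10 and 100000 or more, while the neighbouring validations in unbound_uci (edns_size, listen_port, ttl_min) log when they replace a value; since rate_limit is read with plain config_get, a non-numeric value likewise just trips an `[` error and disables the feature without a word. I would move the check next to the others in unbound_uci: `if [ "$UB_N_RATE_LMT" -ne 0 ] && { [ "$UB_N_RATE_LMT" -le 10 ] || [ "$UB_N_RATE_LMT" -ge 100000 ] ; } ; then logger -t unbound -s "rate_limit out of range, disabled" ; UB_N_RATE_LMT=0 ; fi`. The in-hunk comment should also say that `ratelimit` bounds recursion queries per zone while `ip-ratelimit` bounds accepted queries per client address, so "half the maximum" relates two different counters.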
@@ -924,7 +979,7 @@ unbound_conf() { } >> $UB_CORE_CONF - if [ "$UB_B_HIDE_BIND" -gt 0 ] ; then + if [ $UB_B_HIDE_BIND -gt 0 ] ; then { # Block server id and version DNS TXT records echo " hide-identity: yes" @@ -934,7 +989,7 @@ unbound_conf() { fi - if [ "$UB_D_PRIV_BLCK" -gt 0 ] ; then + if [ $UB_D_PRIV_BLCK -gt 0 ] ; then { # Remove _upstream_ or global reponses with private addresses. # Unbounds own "local zone" and "forward zone" may still use these. @@ -951,7 +1006,7 @@ unbound_conf() { fi - if [ -n "$UB_LIST_NETW_LAN" ] && [ "$UB_D_PRIV_BLCK" -gt 1 ] ; then + if [ -n "$UB_LIST_NETW_LAN" ] && [ $UB_D_PRIV_BLCK -gt 1 ] ; then { for ifsubnet in $UB_LIST_NETW_LAN ; do case $ifsubnet in @@ -966,7 +1021,7 @@ unbound_conf() { fi - if [ "$UB_B_LOCL_BLCK" -gt 0 ] ; then + if [ $UB_B_LOCL_BLCK -gt 0 ] ; then { # Remove DNS reponses from upstream with loopback IP # Black hole DNS method for ad blocking, so consider... @@ -988,7 +1043,7 @@ unbound_conf() { fi - if [ "$UB_B_LOCL_SERV" -gt 0 ] && [ -n "$UB_LIST_NETW_ALL" ] ; then + if [ $UB_B_LOCL_SERV -gt 0 ] && [ -n "$UB_LIST_NETW_ALL" ] ; then { for ifsubnet in $UB_LIST_NETW_ALL ; do # Only respond to queries from subnets which have an interface. @@ -1027,7 +1082,7 @@ unbound_hostname() { } >> $UB_HOST_CONF elif [ -n "$UB_TXT_DOMAIN" ] \ - && { [ "$UB_D_WAN_FQDN" -gt 0 ] || [ "$UB_D_LAN_FQDN" -gt 0 ] ; } ; then + && { [ $UB_D_WAN_FQDN -gt 0 ] || [ $UB_D_LAN_FQDN -gt 0 ] ; } ; then case "$UB_D_DOMAIN_TYPE" in deny|inform_deny|refuse|static) { @@ -1080,7 +1135,7 @@ unbound_hostname() { if [ -n "$ifarpa" ] ; then - if [ "$UB_D_WAN_FQDN" -gt 0 ] ; then + if [ $UB_D_WAN_FQDN -gt 0 ] ; then { # Create a static zone for WAN host record only (singular) echo " domain-insecure: $ifarpa" @@ -1092,7 +1147,7 @@ unbound_hostname() { echo } >> $UB_HOST_CONF - elif [ "$zonetype" -gt 0 ] ; then + elif [ $zonetype -gt 0 ] ; then { echo " local-zone: $ifarpa transparent" echo 
@@ -1109,7 +1164,7 @@ unbound_hostname() { if [ -n "$ifarpa" ] ; then - if [ "$zonetype" -eq 2 ] ; then + if [ $zonetype -eq 2 ] ; then { # Do NOT forward queries with your ip6.arpa or in-addr.arpa echo " domain-insecure: $ifarpa" @@ -1120,7 +1175,7 @@ unbound_hostname() { echo } >> $UB_HOST_CONF - elif [ "$zonetype" -eq 1 ] && [ "$UB_D_PRIV_BLCK" -eq 0 ] ; then + elif [ $zonetype -eq 1 ] && [ $UB_D_PRIV_BLCK -eq 0 ] ; then { echo " local-zone: $ifarpa transparent" echo @@ -1142,7 +1197,7 @@ unbound_hostname() { fi - if [ "$UB_LIST_NETW_LAN" ] && [ "$UB_D_LAN_FQDN" -gt 0 ] ; then + if [ "$UB_LIST_NETW_LAN" ] && [ $UB_D_LAN_FQDN -gt 0 ] ; then for ifsubnet in $UB_LIST_NETW_LAN ; do ifaddr=${ifsubnet#*@} ifaddr=${ifaddr%/*} @@ -1150,12 +1205,12 @@ unbound_hostname() { iffqdn="$ifname.$hostfqdn" - if [ "$UB_D_LAN_FQDN" -eq 4 ] ; then + if [ $UB_D_LAN_FQDN -eq 4 ] ; then names="$iffqdn $hostfqdn $UB_TXT_HOSTNAME" ptrrec=" local-data-ptr: \"$ifaddr 300 $iffqdn\"" echo "$ptrrec" >> $UB_HOST_CONF - elif [ "$UB_D_LAN_FQDN" -eq 3 ] ; then + elif [ $UB_D_LAN_FQDN -eq 3 ] ; then names="$hostfqdn $UB_TXT_HOSTNAME" ptrrec=" local-data-ptr: \"$ifaddr 300 $hostfqdn\"" echo "$ptrrec" >> $UB_HOST_CONF @@ -1181,7 +1236,7 @@ unbound_hostname() { ;; *) - if [ "$UB_D_LAN_FQDN" -gt 1 ] ; then + if [ $UB_D_LAN_FQDN -gt 1 ] ; then # IP6 GLA is assigned for higher options namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\"" echo "$namerec" >> $UB_HOST_CONF @@ -1194,7 +1249,7 @@ unbound_hostname() { fi - if [ -n "$UB_LIST_NETW_WAN" ] && [ "$UB_D_WAN_FQDN" -gt 0 ] ; then + if [ -n "$UB_LIST_NETW_WAN" ] && [ $UB_D_WAN_FQDN -gt 0 ] ; then for ifsubnet in $UB_LIST_NETW_WAN ; do ifaddr=${ifsubnet#*@} ifaddr=${ifaddr%/*} 
@@ -1202,12 +1257,12 @@ unbound_hostname() { iffqdn="$ifname.$hostfqdn" - if [ "$UB_D_WAN_FQDN" -eq 4 ] ; then + if [ $UB_D_WAN_FQDN -eq 4 ] ; then names="$iffqdn $hostfqdn $UB_TXT_HOSTNAME" ptrrec=" local-data-ptr: \"$ifaddr 300 $iffqdn\"" echo "$ptrrec" >> $UB_HOST_CONF - elif [ "$UB_D_WAN_FQDN" -eq 3 ] ; then + elif [ $UB_D_WAN_FQDN -eq 3 ] ; then names="$hostfqdn $UB_TXT_HOSTNAME" ptrrec=" local-data-ptr: \"$ifaddr 300 $hostfqdn\"" echo "$ptrrec" >> $UB_HOST_CONF @@ -1233,7 +1288,7 @@ unbound_hostname() { ;; *) - if [ "$UB_D_WAN_FQDN" -gt 1 ] ; then + if [ $UB_D_WAN_FQDN -gt 1 ] ; then # IP6 GLA is assigned for higher options namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\"" echo "$namerec" >> $UB_HOST_CONF @@ -1276,11 +1331,11 @@ unbound_uci() { config_get UB_N_RX_PORT "$cfg" listen_port 53 config_get UB_N_ROOT_AGE "$cfg" root_age 9 config_get UB_N_THREADS "$cfg" num_threads 1 + config_get UB_N_RATE_LMT "$cfg" rate_limit 0 config_get UB_D_CONTROL "$cfg" unbound_control 0 config_get UB_D_DOMAIN_TYPE "$cfg" domain_type static config_get UB_D_DHCP_LINK "$cfg" dhcp_link none - config_get UB_D_DNS_ASSIST "$cfg" dns_assist none config_get UB_D_EXTRA_DNS "$cfg" add_extra_dns 0 config_get UB_D_LAN_FQDN "$cfg" add_local_fqdn 0 config_get UB_D_PRIV_BLCK "$cfg" rebind_protection 1 
@@ -1300,27 +1355,17 @@ unbound_uci() { config_get_bool UB_B_DNSMASQ "$cfg" dnsmasq_link_dns 0 - if [ "$UB_B_DNSMASQ" -gt 0 ] ; then + if [ $UB_B_DNSMASQ -gt 0 ] ; then UB_D_DHCP_LINK=dnsmasq - if [ "$UB_B_READY" -eq 0 ] ; then + if [ $UB_B_READY -eq 0 ] ; then logger -t unbound -s "Please use 'dhcp_link' selector instead" fi fi fi - if [ "$UB_D_DNS_ASSIST" = "none" ] ; then - UB_D_DNS_ASSIST=none - - elif [ ! -x /usr/sbin/bind ] || [ ! -x /etc/init.d/bind ] \ - || [ ! -x /usr/sbin/nsd ] || [ ! -x /etc/init.d/nsd ] \ - || [ ! -x /usr/sbin/ipset-dns ] || [ ! -x /etc/init.d/ipset-dns ] ; then - UB_D_DNS_ASSIST=none - fi - - if [ "$UB_D_DHCP_LINK" = "dnsmasq" ] ; then if [ ! -x /usr/sbin/dnsmasq ] || [ ! -x /etc/init.d/dnsmasq ] ; then UB_D_DHCP_LINK=none @@ -1329,7 +1374,7 @@ unbound_uci() { fi - if [ "$UB_B_READY" -eq 0 ] && [ "$UB_D_DHCP_LINK" = "none" ] ; then + if [ $UB_B_READY -eq 0 ] && [ "$UB_D_DHCP_LINK" = "none" ] ; then logger -t unbound -s "cannot forward to dnsmasq" fi fi @@ -1343,26 +1388,26 @@ unbound_uci() { fi - if [ "$UB_B_READY" -eq 0 ] && [ "$UB_D_DHCP_LINK" = "none" ] ; then + if [ $UB_B_READY -eq 0 ] && [ "$UB_D_DHCP_LINK" = "none" ] ; then logger -t unbound -s "cannot receive records from odhcpd" fi fi - if [ "$UB_N_EDNS_SIZE" -lt 512 ] || [ 4096 -lt "$UB_N_EDNS_SIZE" ] ; then + if [ $UB_N_EDNS_SIZE -lt 512 ] || [ 4096 -lt $UB_N_EDNS_SIZE ] ; then logger -t unbound -s "edns_size exceeds range, using default" UB_N_EDNS_SIZE=1280 fi - if [ "$UB_N_RX_PORT" -ne 53 ] \ - && { [ "$UB_N_RX_PORT" -lt 1024 ] || [ 10240 -lt "$UB_N_RX_PORT" ] ; } ; then + if [ $UB_N_RX_PORT -ne 53 ] \ + && { [ $UB_N_RX_PORT -lt 1024 ] || [ 10240 -lt $UB_N_RX_PORT ] ; } ; then logger -t unbound -s "privileged port or in 5 digits, using default" UB_N_RX_PORT=53 fi - if [ "$UB_TTL_MIN" -gt 1800 ] ; then + if [ $UB_TTL_MIN -gt 1800 ] ; then logger -t unbound -s "ttl_min could have had awful side effects, using 300" UB_TTL_MIN=300 fi 
@@ -1405,7 +1450,7 @@ unbound_include() { # Incremental Unbound restarts may drop unbound-control records echo "include: $UB_DHCP_CONF" echo - }>> $UB_TOTAL_CONF + } >> $UB_TOTAL_CONF fi @@ -1431,7 +1476,7 @@ unbound_include() { # Pull your own "server:" options here echo "include: $UB_SRV_CONF" echo - }>> $UB_TOTAL_CONF + } >> $UB_TOTAL_CONF fi @@ -1456,13 +1501,6 @@ unbound_include() { fi - if [ -f "$UB_ASSIST_CONF" ] ; then - # UCI found link to DNS helpers - cat $UB_ASSIST_CONF >> $UB_TOTAL_CONF - rm $UB_ASSIST_CONF - fi - - if [ -f "$UB_EXT_CONF" ] ; then { # Pull your own extend feature clauses here 
@@ -1476,30 +1514,28 @@ unbound_include() { resolv_setup() { if [ "$UB_N_RX_PORT" != "53" ] ; then - return + # unbound is not the default on target resolver + echo "do nothing" >/dev/null elif [ -x /etc/init.d/dnsmasq ] \ && /etc/init.d/dnsmasq enabled \ && nslookup localhost 127.0.0.1#53 >/dev/null 2>&1 ; then - # unbound is configured for port 53, but dnsmasq is enabled and a resolver - # listens on localhost:53, lets assume dnsmasq manages the resolver file. - # TODO: - # really check if dnsmasq runs a local (main) resolver in stead of using - # nslookup that times out when no resolver listens on localhost:53. - return - fi - + # unbound is configured for port 53, but dnsmasq is enabled, and a resolver + # is already listening on port 53. Let dnsmasq manage resolve.conf. + # This also works to prevent clobbering while changing UCI. + echo "do nothing" >/dev/null - # unbound is designated to listen on 127.0.0.1#53, - # set resolver file to local. - rm -f /tmp/resolv.conf + else + # unbound listens on 127.0.0.1#53 so set resolver file to local. + rm -f /tmp/resolv.conf - { - echo "# /tmp/resolv.conf generated by Unbound UCI $( date -Is )" - echo "nameserver 127.0.0.1" - echo "nameserver ::1" - echo "search $UB_TXT_DOMAIN." - } > /tmp/resolv.conf + { + echo "# /tmp/resolv.conf generated by Unbound UCI $( date -Is )" + echo "nameserver 127.0.0.1" + echo "nameserver ::1" + echo "search $UB_TXT_DOMAIN." + } > /tmp/resolv.conf + fi } ############################################################################## @@ -1510,7 +1546,7 @@ unbound_start() { unbound_mkdir - if [ "$UB_B_MAN_CONF" -eq 0 ] ; then + if [ $UB_B_MAN_CONF -eq 0 ] ; then # iterate zones before we load other UCI # forward-zone: auth-zone: and stub-zone: config_foreach unbound_zone zone @@ -1525,8 +1561,6 @@ unbound_start() { unbound_hostname # control: unbound_control - # assistants - unbound_assistant # dnsmasq dnsmasq_link # merge |
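Review bot: `echo "do nothing" >/dev/null` is an unusual no-op; the idiomatic form is `:`, which spawns nothing and reads as intent. More importantly, the deleted TODO recorded a real limitation that the new comment now papers over: `nslookup localhost 127.0.0.1#53` only proves that something answers on port 53, and on a reload that something may be Unbound itself, in which case resolv.conf is left to a dnsmasq that is not actually serving it. I would keep a note in the `elif` branch, `# NOTE: this only shows *a* resolver answers on 127.0.0.1#53; on reload it may be Unbound itself`, and replace both placeholder echoes with `:`.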