+++ /dev/null
-#
-# Copyright (C) 2006-2014 OpenWrt.org
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-#
-
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=expat
-PKG_VERSION:=2.2.0
-PKG_RELEASE:=1
-
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
-PKG_MD5SUM:=2f47841c829facb346eb6e3fab5212e2
-PKG_SOURCE_URL:=@SF/expat
-PKG_MAINTAINER:=Steven Barth <cyrus@openwrt.org>
-
-PKG_LICENSE:=MIT
-PKG_LICENSE_FILES:=COPYING
-
-PKG_FIXUP:=autoreconf
-PKG_REMOVE_FILES:=conftools/libtool.m4
-
-PKG_INSTALL:=1
-PKG_BUILD_PARALLEL:=1
-
-include $(INCLUDE_DIR)/host-build.mk
-include $(INCLUDE_DIR)/package.mk
-
-define Package/libexpat
- SECTION:=libs
- CATEGORY:=Libraries
- TITLE:=An XML parsing library
- URL:=http://expat.sourceforge.net/
-endef
-
-define Package/libexpat/description
- A fast, non-validating, stream-oriented XML parsing library.
-endef
-
-TARGET_CFLAGS += $(FPIC)
-
-CONFIGURE_ARGS += \
- --enable-shared \
- --enable-static
-
-define Host/Install
- $(MAKE) -C $(HOST_BUILD_DIR) install
-endef
-
-define Build/InstallDev
- $(INSTALL_DIR) $(1)/usr/include
- $(CP) $(PKG_INSTALL_DIR)/usr/include/expat{,_external}.h $(1)/usr/include/
-
- $(INSTALL_DIR) $(1)/usr/lib/pkgconfig
- $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/expat.pc $(1)/usr/lib/pkgconfig/
-
- $(INSTALL_DIR) $(1)/usr/lib
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/libexpat.{a,so*} $(1)/usr/lib/
-endef
-
-define Package/libexpat/install
- $(INSTALL_DIR) $(1)/usr/lib
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/libexpat.so.* $(1)/usr/lib/
-endef
-
-$(eval $(call HostBuild))
-$(eval $(call BuildPackage,libexpat))
+++ /dev/null
-#
-# Copyright (C) 2010-2016 OpenWrt.org
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-#
-
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=unbound
-PKG_VERSION:=1.6.1
-PKG_RELEASE:=6
-
-PKG_LICENSE:=BSD-3-Clause
-PKG_LICENSE_FILES:=LICENSE
-PKG_MAINTAINER:=Eric Luehrsen <ericluehrsen@hotmail.com>
-
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=http://www.unbound.net/downloads
-PKG_HASH:=42df63f743c0fe8424aeafcf003ad4b880b46c14149d696057313f5c1ef51400
-
-PKG_BUILD_DEPENDS:=libexpat
-PKG_BUILD_PARALLEL:=1
-PKG_FIXUP:=autoreconf
-PKG_INSTALL:=1
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/unbound/Default
- TITLE:=Validating Recursive DNS Server
- URL:=http://www.unbound.net/
- DEPENDS:=+libopenssl
-endef
-
-define Package/unbound
- $(call Package/unbound/Default)
- SECTION:=net
- CATEGORY:=Network
- SUBMENU:=IP Addresses and Names
- USERID:=unbound=553:unbound=553
- TITLE+= (daemon)
- DEPENDS+= +libunbound
-endef
-
-define Package/unbound/description
- This package contains the Unbound daemon.
-endef
-
-define Package/unbound-anchor
- $(call Package/unbound/Default)
- SECTION:=net
- CATEGORY:=Network
- SUBMENU:=IP Addresses and Names
- TITLE+= (DSKEY utility)
- DEPENDS+= +unbound +libexpat
-endef
-
-define Package/unbound-anchor/description
- This package contains the Unbound anchor utility.
-endef
-
-define Package/unbound-control
- $(call Package/unbound/Default)
- SECTION:=net
- CATEGORY:=Network
- SUBMENU:=IP Addresses and Names
- TITLE+= (control utility)
- DEPENDS+= +unbound
-endef
-
-define Package/unbound-control/description
- This package contains the Unbound control utility.
-endef
-
-define Package/unbound-control-setup
- $(call Package/unbound/Default)
- SECTION:=net
- CATEGORY:=Network
- SUBMENU:=IP Addresses and Names
- TITLE+= (control setup)
- DEPENDS+= +unbound-control +openssl-util
-endef
-
-define Package/unbound-control-setup/description
- This package contains the Unbound control setup utility.
-endef
-
-define Package/unbound-host
- $(call Package/unbound/Default)
- SECTION:=net
- CATEGORY:=Network
- SUBMENU:=IP Addresses and Names
- TITLE+= (lookup utility)
- DEPENDS+= +libunbound
-endef
-
-define Package/unbound-host/description
- This package contains the Unbound DNS lookup utility.
-endef
-
-define Package/libunbound
- $(call Package/unbound/Default)
- SECTION:=libs
- CATEGORY:=Libraries
- TITLE+= (library)
- DEPENDS+= +libpthread
-endef
-
-define Package/libunbound/description
- This package contains the Unbound shared library.
-endef
-
-CONFIGURE_ARGS += \
- --disable-dsa \
- --disable-gost \
- --enable-allsymbols \
- --with-libexpat="$(STAGING_DIR)/usr" \
- --with-ssl="$(STAGING_DIR)/usr" \
- --with-pidfile=/var/run/unbound.pid \
- --with-user=unbound
-
-define Package/unbound/conffiles
-/etc/config/unbound
-/etc/unbound/unbound.conf
-/etc/unbound/unbound_ext.conf
-/etc/unbound/unbound_srv.conf
-endef
-
-define Build/InstallDev
- $(INSTALL_DIR) $(1)/usr/include
- $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/include/unbound.h $(1)/usr/include/
- $(INSTALL_DIR) $(1)/usr/lib
- $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libunbound.{so*,a,la} $(1)/usr/lib/
-endef
-
-define Package/unbound/install
- $(INSTALL_DIR) $(1)/usr/sbin
- $(INSTALL_BIN) \
- $(PKG_INSTALL_DIR)/usr/sbin/unbound \
- $(PKG_INSTALL_DIR)/usr/sbin/unbound-checkconf \
- $(1)/usr/sbin/
- $(INSTALL_DIR) $(1)/etc/unbound
- $(INSTALL_DATA) \
- $(PKG_INSTALL_DIR)/etc/unbound/unbound.conf \
- $(1)/etc/unbound/unbound.conf
- $(INSTALL_DATA) ./files/root.key $(1)/etc/unbound/root.key
- $(INSTALL_DATA) ./files/unbound_ext.conf $(1)/etc/unbound/unbound_ext.conf
- $(INSTALL_DATA) ./files/unbound_srv.conf $(1)/etc/unbound/unbound_srv.conf
- $(INSTALL_DIR) $(1)/etc/config
- $(INSTALL_DATA) ./files/unbound.uci $(1)/etc/config/unbound
- $(INSTALL_DIR) $(1)/etc/hotplug.d/ntp
- $(INSTALL_BIN) ./files/unbound.ntpd $(1)/etc/hotplug.d/ntp/25-unbound
- $(INSTALL_DIR) $(1)/etc/init.d
- $(INSTALL_BIN) ./files/unbound.init $(1)/etc/init.d/unbound
- $(INSTALL_DIR) $(1)/usr/lib/unbound
- $(INSTALL_BIN) ./files/odhcpd.sh $(1)/usr/lib/unbound/odhcpd.sh
- $(INSTALL_DATA) ./files/odhcpd.awk $(1)/usr/lib/unbound/odhcpd.awk
- $(INSTALL_DATA) ./files/dnsmasq.sh $(1)/usr/lib/unbound/dnsmasq.sh
- $(INSTALL_DATA) ./files/iptools.sh $(1)/usr/lib/unbound/iptools.sh
- $(INSTALL_DATA) ./files/rootzone.sh $(1)/usr/lib/unbound/rootzone.sh
- $(INSTALL_DATA) ./files/unbound.sh $(1)/usr/lib/unbound/unbound.sh
-endef
-
-define Package/unbound-anchor/install
- $(INSTALL_DIR) $(1)/usr/sbin
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/unbound-anchor $(1)/usr/sbin/
-endef
-
-define Package/unbound-control/install
- $(INSTALL_DIR) $(1)/usr/sbin
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/unbound-control $(1)/usr/sbin/
-endef
-
-define Package/unbound-control-setup/install
- $(INSTALL_DIR) $(1)/usr/sbin
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/unbound-control-setup $(1)/usr/sbin/
-endef
-
-define Package/unbound-host/install
- $(INSTALL_DIR) $(1)/usr/sbin
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/unbound-host $(1)/usr/sbin/
-endef
-
-define Package/libunbound/install
- $(INSTALL_DIR) $(1)/usr/lib
- $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libunbound.so.* $(1)/usr/lib/
-endef
-
-$(eval $(call BuildPackage,unbound))
-$(eval $(call BuildPackage,unbound-anchor))
-$(eval $(call BuildPackage,unbound-control))
-$(eval $(call BuildPackage,unbound-control-setup))
-$(eval $(call BuildPackage,unbound-host))
-$(eval $(call BuildPackage,libunbound))
-
+++ /dev/null
-# Unbound Recursive DNS Server with UCI
-
-## Unbound Description
-[Unbound](https://www.unbound.net/) is a validating, recursive, and caching DNS resolver. The C implementation of Unbound is developed and maintained by [NLnet Labs](https://www.nlnetlabs.nl/). It is based on ideas and algorithms taken from a java prototype developed by Verisign labs, Nominet, Kirei and ep.net. Unbound is designed as a set of modular components, so that also DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible.
-
-## Package Overview
-Unbound may be useful on consumer grade embedded hardware. It is _intended_ to be a recursive resolver only. [NLnet Labs NSD](https://www.nlnetlabs.nl/projects/nsd/) is _intended_ for the authoritative task. This is different than [ISC Bind](https://www.isc.org/downloads/bind/) and its inclusive functions. Unbound configuration effort and memory consumption may be easier to control. A consumer could have their own recursive resolver with 8/64 MB router, and remove potential issues from forwarding resolvers outside of their control.
-
-This package builds on Unbounds capabilities with OpenWrt UCI. Not every Unbound option is in UCI, but rather, UCI simplifies the combination of related options. Unbounds native options are bundled and balanced within a smaller set of choices. Options include resources, DNSSEC, access control, and some TTL tweaking. The UCI also provides an escape option and work at the raw "unbound.conf" level.
-
-## HOW TO Adblocking
-The UCI scripts will work with [net/adblock 2.3+](https://github.com/openwrt/packages/blob/master/net/adblock/files/README.md), if it is installed and enabled. Its all detected and integrated automatically. In brief, the adblock scripts create distinct local-zone files that are simply included in the unbound conf file during UCI generation. If you don't want this, then disable adblock or reconfigure adblock to not send these files to Unbound.
-
-## HOW TO Integrate with DHCP
-Some UCI options and scripts help Unbound to work with DHCP servers to load the local DNS. The examples provided here are serial dnsmasq-unbound, parallel dnsmasq-unbound, and unbound scripted with odhcpd.
-
-### Serial dnsmasq
-In this case, dnsmasq is not changed *much* with respect to the default OpenWRT/LEDE configuration. Here dnsmasq is forced to use the local Unbound instance as the lone upstream DNS server, instead of your ISP. This may be the easiest implementation, but performance degradation can occur in high volume networks. dnsmasq and Unbound effectively have the same information in memory, and all transfers are double handled.
-
-**/etc/config/unbound**:
-
-```
-config unbound
- option add_local_fqdn '0'
- option add_wan_fqdn '0'
- option dhcp_link 'none'
- # dnsmasq should not forward your domain to unbound, but if...
- option domain 'yourdomain'
- option domain_type 'refuse'
- option listen_port '1053'
- ...
-```
-
-**/etc/config/dhcp**:
-
-```
-config dnsmasq
- option domain 'yourdomain'
- option noresolv '1'
- option resolvfile '/tmp/resolv.conf.auto'
- option port '53'
- list server '127.0.0.1#1053'
- list server '::1#1053'
- ...
-```
-
-### Parallel dnsmasq
-In this case, Unbound serves your local network directly for all purposes. It will look over to dnsmasq for DHCP-DNS resolution. Unbound is generally accessible on port 53, and dnsmasq is only accessed at 127.0.0.1:1053 by Unbound. Although you can dig/drill/nslookup remotely with the proper directives.
-
-**/etc/config/unbound**:
-
-```
-config unbound
- option dhcp_link 'dnsmasq'
- option listen_port '53'
- ...
-```
-
-**/etc/config/dhcp**:
-
-```
-config dnsmasq
- option domain 'yourdomain'
- option noresolv '1'
- option resolvfile '/tmp/resolv.conf.auto'
- option port '1053'
- ...
-
-config dhcp 'lan'
- # dnsmasq may not issue DNS option if not std. configuration
- list dhcp_option 'option:dns-server,0.0.0.0'
- ...
-```
-
-### Unbound and odhcpd
-You may ask can Unbound replace dnsmasq? You can have DHCP-DNS records with Unbound and odhcpd only. The UCI scripts will allow Unbound to act like dnsmasq. When odhcpd configures each DHCP lease, it will call a script. The script provided with Unbound will read the lease file for DHCP-DNS records. You **must install** `unbound-control`, because the lease records are added and removed without starting, stopping, flushing cache, or re-writing conf files. (_restart overhead can be excessive with even a few mobile devices._)
-
-Don't forget to disable or uninstall dnsmasq when you don't intend to use it. Strange results may occur. If you want to use default dnsmasq+odhcpd and add Unbound on top, then use the dnsmasq-serial or dnsmasq-parallel methods above.
-
-**/etc/config/unbound**:
-
-```
-config unbound
- # name your router in DNS
- option add_local_fqdn '1'
- option add_wan_fqdn '1'
- option dhcp_link 'odhcpd'
- # add SLAAC inferred from DHCPv4
- option dhcp4_slaac6 '1'
- option domain 'lan'
- option domain_type 'static'
- option listen_port '53'
- option rebind_protection '1'
- # install unbound-control and set this
- option unbound_control '1'
- ...
-```
-
-**/etc/config/dhcp**:
-
-```
-config dhcp 'lan'
- option dhcpv4 'server'
- option dhcpv6 'server'
- option interface 'lan'
- option leasetime '12h'
- option ra 'server'
- option ra_management '1'
- # issue your ULA and avoid default [fe80::]
- list dns 'fdxx:xxxx:xxxx::1'
- ...
-
-config odhcpd 'odhcpd'
- option maindhcp '1'
- option leasefile '/var/lib/odhcpd/dhcp.leases'
- # this is where the magic happens
- option leasetrigger '/usr/lib/unbound/odhcpd.sh'
-```
-
-## HOW TO Manual Override
-Yes, there is a UCI to disable the rest of Unbound UCI. However, OpenWrt or LEDE are targeted at embedded machines with flash ROM. The initialization scripts do a few things to protect flash ROM.
-
-### Completely Manual (almost)
-All of `/etc/unbound` (persistent, ROM) is copied to `/var/lib/unbound` (tmpfs, RAM). Edit your manual `/etc/unbound/unbound.conf` to reference this `/var/lib/unbound` location for included files. Note in preparation for a jail, `/var/lib/unbound` is `chown unbound`. Configure for security in`/etc/unbound/unbound.conf` with options `username:unbound` and `chroot:/var/lib/unbound`.
-
-Keep the DNSKEY updated with your choice of flash activity. `root.key` maintenance for DNSKEY RFC5011 would be hard on flash. Unbound natively updates frequently. It also creates and destroys working files in the process. In `/var/lib/unbound` this is no problem, but it would be gone at the next reboot. If you have DNSSEC (validator) active, then you should consider the age UCI option. Choose how many days to copy from `/var/lib/unbound/root.key` (tmpfs) to `/etc/unbound/root.key` (flash).
-
-**/etc/config/unbound**:
-
-```
-config unbound
- option manual_conf '1'
- option root_age '9'
- # end
-```
-
-### Hybrid Manual/UCI
-You like the UCI. Yet, you need to add some difficult to standardize options, or just are not ready to make a UCI request yet. The files `/etc/unbound/unbound_srv.conf` and `/etc/unbound/unbound_ext.conf` will be copied to Unbounds chroot directory and included during auto generation.
-
-The former will be added to the end of the `server:` clause. The later will be added to the end of the file for extended `forward:` and `view:` clauses. You can also disable unbound-control in the UCI which only allows "localhost" connections unencrypted, and then add an encrypted remote `control:` clause.
-
-## Complete List of UCI Options
-**/etc/config/unbound**:
-
-```
-config unbound
- Currently only one instance is supported.
-
- option add_local_fqdn '0'
- Level. This puts your routers host name in the LAN (local) DNS.
- Each level is more detailed and comprehensive.
- 0 - Disabled
- 1 - Host Name on only the primary address
- 2 - Host Name on all addresses found (except link)
- 3 - FQDN and host name on all addresses (except link)
- 4 - Above and interfaces named <iface>.<hostname>.<domain>
-
- option add_wan_fqdn '0'
- Level. Same as previous option only this applies to the WAN. WAN
- are inferred by a UCI `config dhcp` entry that contains the line
- option ignore '1'.
-
- option dns64 '0'
- Boolean. Enable DNS64 through Unbound in order to bridge networks
- that are IPV6 only and IPV4 only (see RFC6052).
-
- option dns64_prefix '64:ff9b::/96'
- IPV6 Prefix. The IPV6 prefix wrapped on the IPV4 address for DNS64.
- You should use RFC6052 "well known" address, unless you also
- redirect to a proxy or gateway for your NAT64.
-
- option dhcp_link 'none'
- Program Name. Link to one of the supported programs we have scripts
- for. You may also need to install a trigger script in the DHCP
- servers configuration. See HOW TO above.
-
- option dhcp4_slaac6 '0'
- Boolean. Some DHCP servers do this natively (dnsmasq). Otherwise
- the script provided with this package will try to fabricate SLAAC
- IP6 addresses from DHCPv4 MAC records.
-
- option domain 'lan'
- Unbound local-zone: <domain> <type>. This is used to suffix all
- host records, and maintain a local zone. When dnsmasq is dhcp_link
- however, then this option is ignored (dnsmasq does it all).
-
- option domain_type 'static'
- Unbound local-zone: <domain> <type>. This allows you to lock
- down or allow forwarding of your domain, your router host name
- without suffix, and leakage of RFC6762 "local."
-
- option edns_size '1280'
- Bytes. Extended DNS is necessary for DNSSEC. However, it can run
- into MTU issues. Use this size in bytes to manage drop outs.
-
- option hide_binddata '1'
- Boolean. If enabled version.server, version.bind, id.server, and
- hostname.bind queries are refused.
-
- option listen_port '53'
- Port. Incoming. Where Unbound will listen for queries.
-
- option localservice '1'
- Boolean. Prevent DNS amplification attacks. Only provide access to
- Unbound from subnets this machine has interfaces on.
-
- option manual_conf '0'
- Boolean. Skip all this UCI nonsense. Manually edit the
- configuration. Make changes to /etc/unbound/unbound.conf.
-
- option protocol 'mixed'
- Unbound can limit its protocol used for recursive queries.
- Set 'ip4_only' to avoid issues if you do not have native IP6.
- Set 'ip6_prefer' to possibly improve performance as well as
- not consume NAT paths for the client computers.
- Do not use 'ip6_only' unless testing.
-
- option query_minimize '0'
- Boolean. Enable a minor privacy option. Don't let each server know
- the next recursion. Query one piece at a time.
-
- option query_min_strict '0'
- Boolean. Query minimize is best effort and will fall back to normal
- when it must. This option prevents the fall back, but less than
- standard name servers will fail to resolve their domains.
-
- option rebind_localhost '0'
- Boolean. Prevent loopback "127.0.0.0/8" or "::1/128" responses.
- These may used by black hole servers for good purposes like
- ad-blocking or parental access control. Obviously these responses
- also can be used to for bad purposes.
-
- option rebind_protection '1'
- Boolean. Prevent RFC 1918 Reponses from global DNS. Example a
- poisoned reponse within "192.168.0.0/24" could be used to turn a
- local browser into an external attack proxy server.
-
- option recursion 'passive'
- Unbound has numerous options for how it recurses. This UCI combines
- them into "passive," "aggressive," or Unbound's own "default."
- Passive is easy on resources, but slower until cache fills.
-
- option resource 'small'
- Unbound has numerous options for resources. This UCI gives "tiny,"
- "small," "medium," and "large." Medium is most like the compiled
- defaults with a bit of balancing. Tiny is close to the published
- memory restricted configuration. Small 1/2 medium, and large 2x.
-
- option root_age '9'
- Days. >90 Disables. Age limit for Unbound root data like root
- DNSSEC key. Unbound uses RFC 5011 to manage root key. This could
- harm flash ROM. This activity is mapped to "tmpfs," but every so
- often it needs to be copied back to flash for the next reboot.
-
- option ttl_min '120'
- Seconds. Minimum TTL in cache. Recursion can be expensive without
- cache. A low TTL is normal for server migration. A low TTL can be
- abused for snoop-vertising (DNS hit counts; recording query IP).
- Typical to configure maybe 0~300, but 1800 is the maximum accepted.
-
- option unbound_control '0'
- Boolean. Enables unbound-control application access ports. Enabling
- this without the unbound-control package installed is robust.
-
- option validator '0'
- Boolean. Enable DNSSEC. Unbound names this the "validator" module.
-
- option validator_ntp '1'
- Boolean. Disable DNSSEC time checks at boot. Once NTP confirms
- global real time, then DNSSEC is restarted at full strength. Many
- embedded devices don't have a real time power off clock. NTP needs
- DNS to resolve servers. This works around the chicken-and-egg.
-
- list domain_insecure
- List. Domains or pointers that you wish to skip DNSSEC. Your DHCP
- domains and pointers in dnsmasq will get this automatically.
-```
-
-
+++ /dev/null
-#!/bin/sh
-##############################################################################
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# Copyright (C) 2016 Eric Luehrsen
-#
-##############################################################################
-#
-# This crosses over to the dnsmasq UCI file "dhcp" and parses it for fields
-# that will allow Unbound to request local host DNS of dnsmasq. We need to look
-# at the interfaces in "dhcp" and get their subnets. The Unbound conf syntax
-# makes this a little difficult. First in "server:" we need to create private
-# zones for the domain and PTR records. Then we need to create numerous
-# "forward:" clauses to forward those zones to dnsmasq.
-#
-##############################################################################
-
-dnsmasq_local_zone() {
- local cfg="$1"
- local fwd_port fwd_domain wan_fqdn
-
- # dnsmasq domain and interface assignment settings will control config
- config_get fwd_domain "$cfg" domain
- config_get fwd_port "$cfg" port
- config_get wan_fqdn "$cfg" add_wan_fqdn
-
-
- if [ -n "$wan_fqdn" ] ; then
- UNBOUND_D_WAN_FQDN=$wan_fqdn
- fi
-
-
- if [ -n "$fwd_domain" -a -n "$fwd_port" -a ! "$fwd_port" -eq 53 ] ; then
- # dnsmasq localhost listening ports (possible multiple instances)
- UNBOUND_N_FWD_PORTS="$UNBOUND_N_FWD_PORTS $fwd_port"
- UNBOUND_TXT_FWD_ZONE="$UNBOUND_TXT_FWD_ZONE $fwd_domain"
-
- {
- # This creates DOMAIN local privledges
- echo " private-domain: \"$fwd_domain\""
- echo " local-zone: \"$fwd_domain.\" transparent"
- echo " domain-insecure: \"$fwd_domain\""
- echo
- } >> $UNBOUND_CONFFILE
- fi
-}
-
-##############################################################################
-
-dnsmasq_local_arpa() {
- local cfg="$1"
- local logint dhcpv4 dhcpv6 ignore
- local subnets subnets4 subnets6
- local forward arpa
- local validip4 validip6 privateip
-
- config_get logint "$cfg" interface
- config_get dhcpv4 "$cfg" dhcpv4
- config_get dhcpv6 "$cfg" dhcpv6
- config_get_bool ignore "$cfg" ignore 0
-
- # Find the list of addresses assigned to a logical interface
- # Its typical to have a logical gateway split NAME and NAME6
- network_get_subnets subnets4 "$logint"
- network_get_subnets6 subnets6 "$logint"
- subnets="$subnets4 $subnets6"
-
- network_get_subnets subnets4 "${logint}6"
- network_get_subnets6 subnets6 "${logint}6"
- subnets="$subnets $subnets4 $subnets6"
-
-
- if [ -z "$subnets" ] ; then
- forward=""
-
- elif [ -z "$UNBOUND_N_FWD_PORTS" ] ; then
- forward=""
-
- elif [ "$ignore" -gt 0 ] ; then
- if [ "$UNBOUND_D_WAN_FQDN" -gt 0 ] ; then
- # Only forward the one gateway host.
- forward="host"
-
- else
- forward=""
- fi
-
- else
- # Forward the entire private subnet.
- forward="domain"
- fi
-
-
- if [ -n "$forward" ] ; then
- for subnet in $subnets ; do
- validip4=$( valid_subnet4 $subnet )
- validip6=$( valid_subnet6 $subnet )
- privateip=$( private_subnet $subnet )
-
-
- if [ "$validip4" = "ok" -a "$dhcpv4" != "disable" ] ; then
- if [ "$forward" = "domain" ] ; then
- arpa=$( domain_ptr_ip4 "$subnet" )
- else
- arpa=$( host_ptr_ip4 "$subnet" )
- fi
-
- elif [ "$validip6" = "ok" -a "$dhcpv6" != "disable" ] ; then
- if [ "$forward" = "domain" ] ; then
- arpa=$( domain_ptr_ip6 "$subnet" )
- else
- arpa=$( host_ptr_ip6 "$subnet" )
- fi
-
- else
- arpa=""
- fi
-
-
- if [ -n "$arpa" ] ; then
- if [ "$privateip" = "ok" ] ; then
- {
- # This creates ARPA local zone privledges
- echo " local-zone: \"$arpa.\" transparent"
- echo " domain-insecure: \"$arpa\""
- echo
- } >> $UNBOUND_CONFFILE
- fi
-
-
- UNBOUND_TXT_FWD_ZONE="$UNBOUND_TXT_FWD_ZONE $arpa"
- fi
- done
- fi
-}
-
-##############################################################################
-
-dnsmasq_forward_zone() {
- if [ -n "$UNBOUND_N_FWD_PORTS" -a -n "$UNBOUND_TXT_FWD_ZONE" ] ; then
- for fwd_domain in $UNBOUND_TXT_FWD_ZONE ; do
- {
- # This is derived of dnsmasq_local_zone/arpa
- # but forward: clauses need to be seperate
- echo "forward-zone:"
- echo " name: \"$fwd_domain.\""
-
- for port in $UNBOUND_N_FWD_PORTS ; do
- echo " forward-addr: 127.0.0.1@$port"
- done
-
- echo
- } >> $UNBOUND_CONFFILE
- done
- fi
-}
-
-##############################################################################
-
-dnsmasq_link() {
- # Forward to dnsmasq on same host for DHCP lease hosts
- echo " do-not-query-localhost: no" >> $UNBOUND_CONFFILE
- # Look at dnsmasq settings
- config_load dhcp
- # Zone for DHCP / SLAAC-PING DOMAIN
- config_foreach dnsmasq_local_zone dnsmasq
- # Zone for DHCP / SLAAC-PING ARPA
- config_foreach dnsmasq_local_arpa dhcp
- # Now create ALL seperate forward: clauses
- dnsmasq_forward_zone
-}
-
-##############################################################################
-
+++ /dev/null
-#!/bin/sh
-##############################################################################
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# Copyright (C) 2016 Eric Luehrsen
-#
-##############################################################################
-#
-# These are iptools that might be useful in a larger package, if provided
-# elsewhere for common use. One example that many may find useful is turning
-# flexible IPV6 colon dividers into PTR. Otherwise these are incomplete and
-# would need robustness improvements for more generic applications.
-#
-##############################################################################
-
-domain_ptr_ip6() {
- # Get the nibble rounded /CIDR ...ip6.arpa.
- echo "$1" | awk -F: \
- 'BEGIN { OFS = "" ; }
- { CIDR = $0 ;
- sub(/.*\//,"",CIDR) ;
- CIDR = (CIDR / 4) ;
- sub(/\/[0-9]+/,"",$0) ;
- ct_stop = 9 - NF ;
- for(i=1; i<=NF; i++) {
- if(length($i) == 0) {
- for(j=1; j<=ct_stop; j++) { $i = ($i "0000") ; } }
- else { $i = substr(("0000" $i), length($i)+5-4) ; } } ;
- y = $0 ;
- ct_start = length(y) - 32 + CIDR ;
- for(i=ct_start; i>0; i--) { x = (x substr(y,i,1)) ; } ;
- gsub(/./,"&\.",x) ;
- x = (x "ip6.arpa") ;
- print x }'
-}
-
-##############################################################################
-
-host_ptr_ip6() {
- # Get complete host ...ip6.arpa.
- echo "$1" | awk -F: \
- 'BEGIN { OFS = "" ; }
- { sub(/\/[0-9]+/,"",$0) ;
- ct_stop = 9 - NF ;
- for(i=1; i<=NF; i++) {
- if(length($i) == 0) {
- for(j=1; j<=ct_stop; j++) { $i = ($i "0000") ; } }
- else { $i = substr(("0000" $i), length($i)+5-4) ; } } ;
- y = $0 ;
- ct_start = length(y);
- for(i=ct_start; i>0; i--) { x = (x substr(y,i,1)) ; } ;
- sub(/[0-9]+\//,"",x) ;
- gsub(/./,"&\.",x) ;
- x = (x "ip6.arpa") ;
- print x }'
-}
-
-##############################################################################
-
-domain_ptr_ip4() {
- # Get the byte rounded /CIDR ...in-addr.arpa.
- echo "$1" | awk \
- '{ CIDR = $0 ;
- sub(/.*\//,"",CIDR) ;
- CIDR = (CIDR / 8) ;
- dtxt = $0 ;
- sub(/\/.*/,"",dtxt) ;
- split(dtxt, dtxt, ".") ;
- for(i=1; i<=CIDR; i++) { x = (dtxt[i] "." x) ; }
- x = (x "in-addr.arpa") ;
- print x }'
-}
-
-##############################################################################
-
-host_ptr_ip4() {
- # Get omplete host ...in-addr.arpa.
- echo "$1" | awk -F. \
- '{ x = ( $4"."$3"."$2"."$1".in-addr.arpa" ) ;
- sub(/\/[0-9]+/,"",x) ;
- print x }'
-}
-
-##############################################################################
-
-valid_subnet6() {
- case "$1" in
- # GA
- [1-9][0-9a-f][0-9a-f][0-9a-f]":"*) echo "ok" ;;
- # ULA
- f[cd][0-9a-f][0-9a-f]":"*) echo "ok" ;;
- # fe80::, ::1, and such
- *) echo "not" ;;
- esac
-}
-
-##############################################################################
-
-valid_subnet4() {
- case "$1" in
- # Link, Local, and Such
- 169"."254"."*) echo "not" ;;
- 127"."*) echo "not" ;;
- 0"."*) echo "not" ;;
- 255"."*) echo "not" ;;
- # Other Normal
- 25[0-4]"."[0-9]*) echo "ok" ;;
- 2[0-4][0-9]"."[0-9]*) echo "ok" ;;
- 1[0-9][0-9]"."[0-9]*) echo "ok" ;;
- [0-9][0-9]"."[0-9]*) echo "ok" ;;
- [0-9]"."[0-9]*) echo "ok" ;;
- # Not Right
- *) echo "not";;
- esac
-}
-
-##############################################################################
-
-private_subnet() {
- case "$1" in
- 10"."*) echo "ok" ;;
- 172"."1[6-9]"."*) echo "ok" ;;
- 172"."2[0-9]"."*) echo "ok" ;;
- 172"."3[0-1]"."*) echo "ok" ;;
- 192"."168"."*) echo "ok" ;;
- f[cd][0-9a-f][0-9a-f]":"*) echo "ok" ;;
- *) echo "not" ;;
- esac
-}
-
-##############################################################################
-
+++ /dev/null
-#!/usr/bin/awk
-##############################################################################
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# Copyright (C) 2016 Eric Luehrsen
-#
-##############################################################################
-#
-# Turn DHCP records into meaningful A, AAAA, and PTR records. Also lift a
-# function from dnsmasq and use DHCPv4 MAC to find IPV6 SLAAC hosts.
-#
-# External Parameters
-# "hostfile" = where this script will cache host DNS data
-# "domain" = text domain suffix
-# "bslaac" = boolean, use DHCPv4 MAC to find GA and ULA IPV6 SLAAC
-# "bisolt" = boolean, format <host>.<network>.<domain>. so you can isolate
-# "bconf" = boolean, write conf file format rather than pipe records
-#
-##############################################################################
-
-/^#/ {
- # We need to pick out DHCP v4 or v6 records
- net = $2 ; id = $3 ; cls = $4 ; hst = $5 ; adr = $9 ; adr2 = $10
- cdr = adr ;
- cdr2 = adr2 ;
- sub( /\/.*/, "", adr ) ;
- sub( /.*\//, "", cdr ) ;
- sub( /\/.*/, "", adr2 ) ;
- sub( /.*\//, "", cdr2 ) ;
-
-
- if ( bisolt == 1 ) {
- # TODO: this might be better with a substituion option,
- # or per DHCP pool do-not-DNS option, but its getting busy here.
- fqdn = net
- fqdn = sub( /\./, "-", fqdn ) ;
- fqdn = tolower( hst "." fqdn "." domain ) ;
- }
-
- else {
- fqdn = tolower( hst "." domain ) ;
- }
-
-
- if ( cls == "ipv4" ) {
- if ( NF == 8 ) {
- # odhcpd errata in field format without host name
- adr = $8 ; hst = "-" ; cdr = adr ;
- sub( /\/.*/, "", adr ) ;
- sub( /.*\//, "", cdr ) ;
- }
-
-
- if (( cdr == 32 ) && ( hst != "-" )) {
- # only for provided hostnames and full /32 assignments
- ptr = adr ; qpr = "" ; split( ptr, ptr, "." ) ;
- slaac = slaac_eui64( id ) ;
-
-
- if ( bconf == 1 ) {
- x = ( "local-data: \"" fqdn ". 120 IN A " adr "\"" ) ;
- y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ;
- print ( x "\n" y ) > hostfile ;
- }
-
- else {
- for( i=1; i<=4; i++ ) { qpr = ( ptr[i] "." qpr) ; }
- x = ( fqdn ". 120 IN A " adr ) ;
- y = ( qpr "in-addr.arpa. 120 IN PTR " fqdn ) ;
- print ( x "\n" y ) > hostfile ;
- }
-
-
- if (( bslaac == 1 ) && ( slaac != 0 )) {
- # UCI option to discover IPV6 routed SLAAC addresses
- # NOT TODO - ping probe take too long when added in awk-rule loop
- cmd = ( "ip -6 --oneline route show dev " net ) ;
-
-
- while ( ( cmd | getline adr ) > 0 ) {
- if (( substr( adr, 1, 5 ) <= "fd00:" ) \
- && ( index( adr, "via" ) == 0 )) {
- # GA or ULA routed addresses only (not LL or MC)
- sub( /\/.*/, "", adr ) ;
- adr = ( adr slaac ) ;
-
-
- if ( split( adr, tmp0, ":" ) >= 8 ) {
- sub( "::", ":", adr ) ;
- }
-
-
- if ( bconf == 1 ) {
- x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr "\"" ) ;
- y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ;
- print ( x "\n" y ) > hostfile ;
- }
-
- else {
- qpr = ipv6_ptr( adr ) ;
- x = ( fqdn ". 120 IN AAAA " adr ) ;
- y = ( qpr ". 120 IN PTR " fqdn ) ;
- print ( x "\n" y ) > hostfile ;
- }
- }
- }
-
-
- close( cmd ) ;
- }
- }
- }
-
- else {
- if (( cdr == 128 ) && ( hst != "-" )) {
- if ( bconf == 1 ) {
- x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr "\"" ) ;
- y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ;
- print ( x "\n" y ) > hostfile ;
- }
-
- else {
- # only for provided hostnames and full /128 assignments
- qpr = ipv6_ptr( adr ) ;
- x = ( fqdn ". 120 IN AAAA " adr ) ;
- y = ( qpr ". 120 IN PTR " fqdn ) ;
- print ( x "\n" y ) > hostfile ;
- }
- }
-
- if (( cdr2 == 128 ) && ( hst != "-" )) {
- if ( bconf == 1 ) {
- x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr2 "\"" ) ;
- y = ( "local-data-ptr: \"" adr2 " 120 " fqdn "\"" ) ;
- print ( x "\n" y ) > hostfile ;
- }
-
- else {
- # odhcp puts GA and ULA on the same line (position 9 and 10)
- qpr2 = ipv6_ptr( adr2 ) ;
- x = ( fqdn ". 120 IN AAAA " adr2 ) ;
- y = ( qpr2 ". 120 IN PTR " fqdn ) ;
- print ( x "\n" y ) > hostfile ;
- }
- }
- }
-}
-
-##############################################################################
-
-function ipv6_ptr( ipv6, arpa, ary, end, i, j, new6, sz, start ) {
- # IPV6 colon flexibility is a challenge when creating [ptr].ip6.arpa.
- sz = split( ipv6, ary, ":" ) ; end = 9 - sz ;
-
-
- for( i=1; i<=sz; i++ ) {
- if( length(ary[i]) == 0 ) {
- for( j=1; j<=end; j++ ) { ary[i] = ( ary[i] "0000" ) ; }
- }
-
- else {
- ary[i] = substr( ( "0000" ary[i] ), length( ary[i] )+5-4 ) ;
- }
- }
-
-
- new6 = ary[1] ;
- for( i = 2; i <= sz; i++ ) { new6 = ( new6 ary[i] ) ; }
- start = length( new6 ) ;
- for( i=start; i>0; i-- ) { arpa = ( arpa substr( new6, i, 1 ) ) ; } ;
- gsub( /./, "&\.", arpa ) ; arpa = ( arpa "ip6.arpa" ) ;
-
- return arpa ;
-}
-
-##############################################################################
-
-function slaac_eui64( mac, ary, glbit, eui64 ) {
- if ( length(mac) >= 12 ) {
- # RFC2373 and use DHCPv4 registered MAC to find SLAAC addresses
- split( mac , ary , "" ) ;
- glbit = ( "0x" ary[2] ) ;
- glbit = sprintf( "%d", glbit ) ;
- glbit = or( glbit, 2 ) ;
- ary[2] = sprintf( "%x", glbit ) ;
- eui64 = ( ary[1] ary[2] ary[3] ary[4] ":" ary[5] ary[6] "ff:fe" ) ;
- eui64 = ( eui64 ary[7] ary[8] ":" ary[9] ary[10] ary[11] ary[12] ) ;
- }
-
- else {
- eui64 = 0 ;
- }
-
-
- return eui64 ;
-}
-
-##############################################################################
-
+++ /dev/null
-#!/bin/sh
-##############################################################################
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# Copyright (C) 2016 Eric Luehrsen
-#
-##############################################################################
-#
-# This script facilitates alternate installation of Unbound+odhcpd and no
-# need for dnsmasq. There are some limitations, but it works and is small.
-# The lease file is parsed to make "zone-data:" and "local-data:" entries.
-#
-# config odhcpd 'odhcpd'
-# option leasetrigger '/usr/lib/unbound/odhcpd.sh'
-#
-##############################################################################
-
-# Common file location definitions
-. /usr/lib/unbound/unbound.sh
-
-##############################################################################
-
-odhcpd_settings() {
- # This trigger is out of normal init context, so we need to read some UCI.
- local cfg="$1"
- config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none
- config_get_bool UNBOUND_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0
- config_get UNBOUND_TXT_DOMAIN "$cfg" domain lan
-}
-
-##############################################################################
-
-odhcpd_zonedata() {
- local dns_ls_add=$UNBOUND_VARDIR/dhcp_dns.add
- local dns_ls_del=$UNBOUND_VARDIR/dhcp_dns.del
- local dhcp_ls_new=$UNBOUND_VARDIR/dhcp_lease.new
- local dhcp_ls_old=$UNBOUND_VARDIR/dhcp_lease.old
- local dhcp_ls_add=$UNBOUND_VARDIR/dhcp_lease.add
- local dhcp_ls_del=$UNBOUND_VARDIR/dhcp_lease.del
- local dhcp_origin=$( uci get dhcp.@odhcpd[0].leasefile )
-
- config_load unbound
- config_foreach odhcpd_settings unbound
-
-
- if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" -a -f "$dhcp_origin" ] ; then
- # Capture the lease file which could be changing often
- cat $dhcp_origin | sort > $dhcp_ls_new
- touch $dhcp_ls_old
- sort $dhcp_ls_new $dhcp_ls_old $dhcp_ls_old | uniq -u > $dhcp_ls_add
- sort $dhcp_ls_old $dhcp_ls_new $dhcp_ls_new | uniq -u > $dhcp_ls_del
-
- # Go through the messy business of coding up A, AAAA, and PTR records
- # This static conf will be available if Unbound restarts asynchronously
- awk -v hostfile=$UNBOUND_DHCP_CONF -v domain=$UNBOUND_TXT_DOMAIN \
- -v bslaac=$UNBOUND_B_SLAAC6_MAC -v bisolt=0 -v bconf=1 \
- -f /usr/lib/unbound/odhcpd.awk $dhcp_ls_new
-
- # Deleting and adding all records into Unbound can be a burden in a
- # high density environment. Use unbound-control incrementally.
- awk -v hostfile=$dns_ls_del -v domain=$UNBOUND_TXT_DOMAIN \
- -v bslaac=$UNBOUND_B_SLAAC6_MAC -v bisolt=0 -v bconf=0 \
- -f /usr/lib/unbound/odhcpd.awk $dhcp_ls_del
-
- awk -v hostfile=$dns_ls_add -v domain=$UNBOUND_TXT_DOMAIN \
- -v bslaac=$UNBOUND_B_SLAAC6_MAC -v bisolt=0 -v bconf=0 \
- -f /usr/lib/unbound/odhcpd.awk $dhcp_ls_add
-
-
- if [ -f "$dns_ls_del" ] ; then
- cat $dns_ls_del | $UNBOUND_CONTROL_CFG local_datas_remove
- fi
-
-
- if [ -f "$dns_ls_add" ] ; then
- cat $dns_ls_add | $UNBOUND_CONTROL_CFG local_datas
- fi
-
-
- # prepare next round
- mv $dhcp_ls_new $dhcp_ls_old
- rm -f $dns_ls_del $dns_ls_add $dhcp_ls_del $dhcp_ls_add
- fi
-}
-
-##############################################################################
-
-odhcpd_zonedata
-
-##############################################################################
-
+++ /dev/null
-. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
-. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
-
+++ /dev/null
-#!/bin/sh
-##############################################################################
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# Copyright (C) 2016 Eric Luehrsen
-#
-##############################################################################
-#
-# This component needs to be used within the unbound.sh as an include. It uses
-# defaults and UCI scope variables defined there. It will copy root.key back
-# to /etc/unbound/ periodically, but avoid ROM flash abuse (UCI option).
-#
-##############################################################################
-
-rootzone_uci() {
- local cfg=$1
-
- # This will likely be called outside of "start_service()" context
- config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
- config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
- config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9
-}
-
-##############################################################################
-
-roothints_update() {
- # TODO: Might not be implemented. Unbound doesn't natively update hints.
- # Unbound philosophy is built in root hints are good for machine life.
- return 0
-}
-
-##############################################################################
-
-rootkey_update() {
- local basekey_date rootkey_date rootkey_age filestuff
-
-
- if [ "$UNBOUND_N_ROOT_AGE" -gt 90 -o "$UNBOUND_B_DNSSEC" -lt 1 ] ; then
- # Feature disabled
- return 0
-
- elif [ "$UNBOUND_B_NTP_BOOT" -gt 0 -a ! -f "$UNBOUND_TIMEFILE" ] ; then
- # We don't have time yet
- return 0
- fi
-
-
- if [ -f /etc/unbound/root.key ] ; then
- basekey_date=$( date -r /etc/unbound/root.key +%s )
-
- else
- # No persistent storage key
- basekey_date=$( date -d 2000-01-01 +%s )
- fi
-
-
- if [ -f "$UNBOUND_KEYFILE" ] ; then
- # Unbound maintains it itself
- rootkey_date=$( date -r $UNBOUND_KEYFILE +%s )
- rootkey_age=$(( (rootkey_date - basekey_date) / 86440 ))
-
- elif [ -x "$UNBOUND_ANCHOR" ] ; then
- # No tmpfs key - use unbound-anchor
- rootkey_date=$( date -I +%s )
- rootkey_age=$(( (rootkey_date - basekey_date) / 86440 ))
- $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
-
- else
- # give up
- rootkey_age=0
- fi
-
-
- if [ "$rootkey_age" -gt "$UNBOUND_N_ROOT_AGE" ] ; then
- filestuff=$( cat $UNBOUND_KEYFILE )
-
-
- case "$filestuff" in
- *NOERROR*)
- # Header comment for drill and dig
- logger -t unbound -s "root.key updated after $rootkey_age days"
- cp -p $UNBOUND_KEYFILE /etc/unbound/root.key
- ;;
-
- *"state=2 [ VALID ]"*)
- # Comment inline to key for unbound-anchor
- logger -t unbound -s "root.key updated after $rootkey_age days"
- cp -p $UNBOUND_KEYFILE /etc/unbound/root.key
- ;;
-
- *)
- logger -t unbound -s "root.key still $rootkey_age days old"
- ;;
- esac
- fi
-}
-
-##############################################################################
-
-rootzone_update() {
- # Partial UCI fetch for this functional group
- config_load unbound
- config_foreach rootzone_uci unbound
-
- # You need root.hints and root.key to boot strap recursion
- roothints_update
- rootkey_update
-}
-
-##############################################################################
-
+++ /dev/null
-#!/bin/sh /etc/rc.common
-##############################################################################
-#
-# Copyright (C) 2016 Michael Hanselmann, Eric Luehrsen
-#
-##############################################################################
-#
-# This init script is just the entry point for Unbound UCI.
-#
-##############################################################################
-
-START=19
-STOP=50
-USE_PROCD=1
-PROG=/usr/sbin/unbound
-
-##############################################################################
-
-. /usr/lib/unbound/unbound.sh
-
-##############################################################################
-
-boot() {
- UNBOUND_BOOT=1
- start "$@"
-}
-
-##############################################################################
-
-start_service() {
- if [ -n "$UNBOUND_BOOT" ] ; then
- # Load procd triggers (rc) and use event IFUP to really start
- return 0
- fi
-
- # complex UCI work
- unbound_start
-
- # standard procd clause
- procd_open_instance
- procd_set_param command $PROG -d -c $UNBOUND_CONFFILE
- procd_set_param respawn
- procd_close_instance
-}
-
-##############################################################################
-
-stop_service() {
- unbound_stop
-
- # Wait! on restart Unbound may take time writing closure stats to syslog
- pidof $PROG && sleep 1
-}
-
-##############################################################################
-
-service_triggers() {
- # use soft reload to prevent continuous stop-start and cache flush
- procd_add_reload_trigger "unbound"
- procd_add_raw_trigger "interface.*.up" 2000 /etc/init.d/unbound reload
-}
-
-##############################################################################
-
+++ /dev/null
-#!/bin/sh
-##############################################################################
-#
-# Copyright (C) 2016 Eric Luehrsen
-#
-##############################################################################
-#
-# "Restart" Unbound on hotplug NTP ready:
-# - Only do this the first time when no file exists
-# - Some of Unbound conf options to not reload run time
-# - Change the enable flag for DNSSEC date-time checking
-#
-##############################################################################
-
-# Common file location definitions
-. /usr/lib/unbound/unbound.sh
-
-##############################################################################
-
-if [ "$ACTION" = stratum -a ! -f "$UNBOUND_TIMEFILE" ] ; then
- echo "ntpd: $( date )" > $UNBOUND_TIMEFILE
- /etc/init.d/unbound enabled && /etc/init.d/unbound restart
- # Yes, hard RESTART. We need to be absolutely sure to enable DNSSEC.
-fi
-
-##############################################################################
-
+++ /dev/null
-#!/bin/sh
-##############################################################################
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# Copyright (C) 2016 Eric Luehrsen
-#
-##############################################################################
-#
-# This builds the basic UCI components currently supported for Unbound. It is
-# intentionally NOT comprehensive and bundles a lot of options. The UCI is to
-# be a simpler presentation of the total Unbound conf set.
-#
-##############################################################################
-
-UNBOUND_B_CONTROL=0
-UNBOUND_B_SLAAC6_MAC=0
-UNBOUND_B_DNSSEC=0
-UNBOUND_B_DNS64=0
-UNBOUND_B_GATE_NAME=0
-UNBOUND_B_HIDE_BIND=1
-UNBOUND_B_LOCL_BLCK=0
-UNBOUND_B_LOCL_SERV=1
-UNBOUND_B_MAN_CONF=0
-UNBOUND_B_NTP_BOOT=1
-UNBOUND_B_PRIV_BLCK=1
-UNBOUND_B_QUERY_MIN=0
-UNBOUND_B_QRY_MINST=0
-
-UNBOUND_D_DOMAIN_TYPE=static
-UNBOUND_D_DHCP_LINK=none
-UNBOUND_D_LAN_FQDN=0
-UNBOUND_D_PROTOCOL=mixed
-UNBOUND_D_RESOURCE=small
-UNBOUND_D_RECURSION=passive
-UNBOUND_D_WAN_FQDN=0
-
-UNBOUND_IP_DNS64="64:ff9b::/96"
-
-UNBOUND_N_EDNS_SIZE=1280
-UNBOUND_N_FWD_PORTS=""
-UNBOUND_N_RX_PORT=53
-UNBOUND_N_ROOT_AGE=9
-
-UNBOUND_TTL_MIN=120
-
-UNBOUND_TXT_DOMAIN=lan
-UNBOUND_TXT_FWD_ZONE=""
-UNBOUND_TXT_HOSTNAME=thisrouter
-
-##############################################################################
-
-UNBOUND_LIBDIR=/usr/lib/unbound
-UNBOUND_VARDIR=/var/lib/unbound
-
-UNBOUND_PIDFILE=/var/run/unbound.pid
-
-UNBOUND_SRV_CONF=$UNBOUND_VARDIR/unbound_srv.conf
-UNBOUND_EXT_CONF=$UNBOUND_VARDIR/unbound_ext.conf
-UNBOUND_DHCP_CONF=$UNBOUND_VARDIR/unbound_dhcp.conf
-UNBOUND_CONFFILE=$UNBOUND_VARDIR/unbound.conf
-
-UNBOUND_KEYFILE=$UNBOUND_VARDIR/root.key
-UNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hints
-UNBOUND_TIMEFILE=$UNBOUND_VARDIR/unbound.time
-
-##############################################################################
-
-UNBOUND_ANCHOR=/usr/sbin/unbound-anchor
-UNBOUND_CONTROL=/usr/sbin/unbound-control
-UNBOUND_CONTROL_CFG="$UNBOUND_CONTROL -c $UNBOUND_CONFFILE"
-
-##############################################################################
-
-. /lib/functions.sh
-. /lib/functions/network.sh
-
-. $UNBOUND_LIBDIR/dnsmasq.sh
-. $UNBOUND_LIBDIR/iptools.sh
-. $UNBOUND_LIBDIR/rootzone.sh
-
-##############################################################################
-
-copy_dash_update() {
- # TODO: remove this function and use builtins when this issues is resovled.
- # Due to OpenWrt/LEDE divergence "cp -u" isn't yet universally available.
- local filetime keeptime
-
-
- if [ -f $UNBOUND_KEYFILE.keep ] ; then
- # root.key.keep is reused if newest
- filetime=$( date -r $UNBOUND_KEYFILE +%s )
- keeptime=$( date -r $UNBOUND_KEYFILE.keep +%s )
-
-
- if [ $keeptime -gt $filetime ] ; then
- cp $UNBOUND_KEYFILE.keep $UNBOUND_KEYFILE
- fi
-
-
- rm -f $UNBOUND_KEYFILE.keep
- fi
-}
-
-##############################################################################
-
-create_interface_dns() {
- local cfg="$1"
- local ipcommand logint ignore ifname ifdashname
- local name names address addresses
- local ulaprefix if_fqdn host_fqdn mode mode_ptr
-
- # Create local-data: references for this hosts interfaces (router).
- config_get logint "$cfg" interface
- config_get_bool ignore "$cfg" ignore 0
- network_get_device ifname "$cfg"
-
- ifdashname="${ifname//./-}"
- ipcommand="ip -o address show $ifname"
- addresses="$($ipcommand | awk '/inet/{sub(/\/.*/,"",$4); print $4}')"
- ulaprefix="$(uci_get network @globals[0] ula_prefix)"
- host_fqdn="$UNBOUND_TXT_HOSTNAME.$UNBOUND_TXT_DOMAIN"
- if_fqdn="$ifdashname.$host_fqdn"
-
-
- if [ -z "${ulaprefix%%:/*}" ] ; then
- # Nonsense so this option isn't globbed below
- ulaprefix="fdno:such:addr::/48"
- fi
-
-
- if [ "$ignore" -gt 0 ] ; then
- mode="$UNBOUND_D_WAN_FQDN"
- else
- mode="$UNBOUND_D_LAN_FQDN"
- fi
-
-
- case "$mode" in
- 3)
- mode_ptr="$host_fqdn"
- names="$host_fqdn $UNBOUND_TXT_HOSTNAME"
- ;;
-
- 4)
- if [ -z "$ifdashname" ] ; then
- # race conditions at init can rarely cause a blank device return
- # the record format is invalid and Unbound won't load the conf file
- mode_ptr="$host_fqdn"
- names="$host_fqdn $UNBOUND_TXT_HOSTNAME"
- else
- mode_ptr="$if_fqdn"
- names="$if_fqdn $host_fqdn $UNBOUND_TXT_HOSTNAME"
- fi
- ;;
-
- *)
- mode_ptr="$UNBOUND_TXT_HOSTNAME"
- names="$UNBOUND_TXT_HOSTNAME"
- ;;
- esac
-
-
- if [ "$mode" -gt 1 ] ; then
- {
- for address in $addresses ; do
- case $address in
- fe80:*|169.254.*)
- echo " # note link address $address"
- ;;
-
- [1-9a-f]*:*[0-9a-f])
- # GA and ULA IP6 for HOST IN AAA records (ip command is robust)
- for name in $names ; do
- echo " local-data: \"$name. 120 IN AAAA $address\""
- done
- echo " local-data-ptr: \"$address 120 $mode_ptr\""
- ;;
-
- [1-9]*.*[0-9])
- # Old fashioned HOST IN A records
- for name in $names ; do
- echo " local-data: \"$name. 120 IN A $address\""
- done
- echo " local-data-ptr: \"$address 120 $mode_ptr\""
- ;;
- esac
- done
- echo
- } >> $UNBOUND_CONFFILE
-
- elif [ "$mode" -gt 0 ] ; then
- {
- for address in $addresses ; do
- case $address in
- fe80:*|169.254.*)
- echo " # note link address $address"
- ;;
-
- "${ulaprefix%%:/*}"*)
- # Only this networks ULA and only hostname
- echo " local-data: \"$UNBOUND_TXT_HOSTNAME. 120 IN AAAA $address\""
- echo " local-data-ptr: \"$address 120 $UNBOUND_TXT_HOSTNAME\""
- ;;
-
- [1-9]*.*[0-9])
- echo " local-data: \"$UNBOUND_TXT_HOSTNAME. 120 IN A $address\""
- echo " local-data-ptr: \"$address 120 $UNBOUND_TXT_HOSTNAME\""
- ;;
- esac
- done
- echo
- } >> $UNBOUND_CONFFILE
- fi
-}
-
-##############################################################################
-
-create_access_control() {
- local cfg="$1"
- local subnets subnets4 subnets6
- local validip4 validip6
-
- network_get_subnets subnets4 "$cfg"
- network_get_subnets6 subnets6 "$cfg"
- subnets="$subnets4 $subnets6"
-
-
- if [ -n "$subnets" ] ; then
- for subnet in $subnets ; do
- validip4=$( valid_subnet4 $subnet )
- validip6=$( valid_subnet6 $subnet )
-
-
- if [ "$validip4" = "ok" -o "$validip6" = "ok" ] ; then
- # For each "network" UCI add "access-control:" white list for queries
- echo " access-control: $subnet allow" >> $UNBOUND_CONFFILE
- fi
- done
- fi
-}
-
-##############################################################################
-
-create_domain_insecure() {
- echo " domain-insecure: \"$1\"" >> $UNBOUND_CONFFILE
-}
-
-##############################################################################
-
-unbound_mkdir() {
- local resolvsym=0
- local dhcp_origin=$( uci get dhcp.@odhcpd[0].leasefile )
- local dhcp_dir=$( dirname "$dhcp_origin" )
- local filestuff
-
-
- if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then
- resolvsym=1
- else
- /etc/init.d/dnsmasq enabled || resolvsym=1
- fi
-
-
- if [ "$resolvsym" -gt 0 ] ; then
- rm -f /tmp/resolv.conf
-
-
- {
- # Set resolver file to local but not if /etc/init.d/dnsmasq will do it.
- echo "nameserver 127.0.0.1"
- echo "nameserver ::1"
- echo "search $UNBOUND_TXT_DOMAIN"
- } > /tmp/resolv.conf
- fi
-
-
- if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" -a ! -d "$dhcp_dir" ] ; then
- # make sure odhcpd has a directory to write (not done itself, yet)
- mkdir -p "$dhcp_dir"
- fi
-
-
- if [ -f $UNBOUND_KEYFILE ] ; then
- filestuff=$( cat $UNBOUND_KEYFILE )
-
-
- case "$filestuff" in
- *"state=2 [ VALID ]"*)
- # Lets not lose RFC 5011 tracking if we don't have to
- cp -p $UNBOUND_KEYFILE $UNBOUND_KEYFILE.keep
- ;;
- esac
- fi
-
-
- # Blind copy /etc/ to /var/lib/
- mkdir -p $UNBOUND_VARDIR
- rm -f $UNBOUND_VARDIR/dhcp_*
- touch $UNBOUND_CONFFILE
- touch $UNBOUND_SRV_CONF
- touch $UNBOUND_EXT_CONF
- cp -p /etc/unbound/* $UNBOUND_VARDIR/
-
-
- if [ ! -f $UNBOUND_HINTFILE ] ; then
- if [ -f /usr/share/dns/root.hints ] ; then
- # Debian-like package dns-root-data
- cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
-
- elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
- logger -t unbound -s "iterator will use built-in root hints"
- fi
- fi
-
-
- if [ ! -f $UNBOUND_KEYFILE ] ; then
- if [ -f /usr/share/dns/root.key ] ; then
- # Debian-like package dns-root-data
- cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE
-
- elif [ -x $UNBOUND_ANCHOR ] ; then
- $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
-
- elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
- logger -t unbound -s "validator will use built-in trust anchor"
- fi
- fi
-
-
- copy_dash_update
-
-
- # Ensure access and prepare to jail
- chown -R unbound:unbound $UNBOUND_VARDIR
- chmod 775 $UNBOUND_VARDIR
- chmod 664 $UNBOUND_VARDIR/*
-}
-
-##############################################################################
-
-unbound_control() {
- if [ "$UNBOUND_B_CONTROL" -gt 0 ] ; then
- {
- # Enable remote control tool, but only at local host for security
- # You can hand write fancier encrypted access with /etc/..._ext.conf
- echo "remote-control:"
- echo " control-enable: yes"
- echo " control-use-cert: no"
- echo " control-interface: 127.0.0.1"
- echo " control-interface: ::1"
- echo
- } >> $UNBOUND_CONFFILE
- fi
-
-
- {
- # Amend your own extended clauses here like forward zones or disable
- # above (local, no encryption) and amend your own remote encrypted control
- echo
- echo "include: $UNBOUND_EXT_CONF" >> $UNBOUND_CONFFILE
- echo
- } >> $UNBOUND_CONFFILE
-}
-
-##############################################################################
-
-unbound_conf() {
- local cfg="$1"
- local rt_mem rt_conn modulestring
-
-
- {
- # Make fresh conf file
- echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
- echo
- } > $UNBOUND_CONFFILE
-
-
- {
- # No threading
- echo "server:"
- echo " username: unbound"
- echo " num-threads: 1"
- echo " msg-cache-slabs: 1"
- echo " rrset-cache-slabs: 1"
- echo " infra-cache-slabs: 1"
- echo " key-cache-slabs: 1"
- echo
- } >> $UNBOUND_CONFFILE
-
-
- {
- # Logging
- echo " verbosity: 1"
- echo " statistics-interval: 0"
- echo " statistics-cumulative: no"
- echo " extended-statistics: no"
- echo
- } >> $UNBOUND_CONFFILE
-
-
- {
- # Interfaces (access contol "option local_service")
- echo " interface: 0.0.0.0"
- echo " interface: ::0"
- echo " outgoing-interface: 0.0.0.0"
- echo " outgoing-interface: ::0"
- echo
- } >> $UNBOUND_CONFFILE
-
-
- case "$UNBOUND_D_PROTOCOL" in
- ip4_only)
- {
- echo " do-ip4: yes"
- echo " do-ip6: no"
- } >> $UNBOUND_CONFFILE
- ;;
-
- ip6_only)
- {
- echo " do-ip4: no"
- echo " do-ip6: yes"
- } >> $UNBOUND_CONFFILE
- ;;
-
- ip6_prefer)
- {
- echo " do-ip4: yes"
- echo " do-ip6: yes"
- echo " prefer-ip6: yes"
- } >> $UNBOUND_CONFFILE
- ;;
-
- *)
- {
- echo " do-ip4: yes"
- echo " do-ip6: yes"
- } >> $UNBOUND_CONFFILE
- ;;
- esac
-
-
- {
- # protocol level tuning
- echo " edns-buffer-size: $UNBOUND_N_EDNS_SIZE"
- echo " msg-buffer-size: 8192"
- echo " port: $UNBOUND_N_RX_PORT"
- echo " outgoing-port-permit: 10240-65535"
- echo
- } >> $UNBOUND_CONFFILE
-
-
- {
- # Other harding and options for an embedded router
- echo " harden-short-bufsize: yes"
- echo " harden-large-queries: yes"
- echo " harden-glue: yes"
- echo " harden-below-nxdomain: no"
- echo " harden-referral-path: no"
- echo " use-caps-for-id: no"
- echo
- } >> $UNBOUND_CONFFILE
-
-
- {
- # Default Files
- echo " use-syslog: yes"
- echo " chroot: \"$UNBOUND_VARDIR\""
- echo " directory: \"$UNBOUND_VARDIR\""
- echo " pidfile: \"$UNBOUND_PIDFILE\""
- } >> $UNBOUND_CONFFILE
-
-
- if [ -f "$UNBOUND_HINTFILE" ] ; then
- # Optional hints if found
- echo " root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE
- fi
-
-
- if [ "$UNBOUND_B_DNSSEC" -gt 0 -a -f "$UNBOUND_KEYFILE" ] ; then
- {
- echo " auto-trust-anchor-file: \"$UNBOUND_KEYFILE\""
- echo
- } >> $UNBOUND_CONFFILE
-
- else
- echo >> $UNBOUND_CONFFILE
- fi
-
-
- case "$UNBOUND_D_RESOURCE" in
- # Tiny - Unbound's recommended cheap hardware config
- tiny) rt_mem=1 ; rt_conn=1 ;;
- # Small - Half RRCACHE and open ports
- small) rt_mem=8 ; rt_conn=5 ;;
- # Medium - Nearly default but with some added balancintg
- medium) rt_mem=16 ; rt_conn=10 ;;
- # Large - Double medium
- large) rt_mem=32 ; rt_conn=10 ;;
- # Whatever unbound does
- *) rt_mem=0 ; rt_conn=0 ;;
- esac
-
-
- if [ "$rt_mem" -gt 0 ] ; then
- {
- # Set memory sizing parameters
- echo " outgoing-range: $(($rt_conn*64))"
- echo " num-queries-per-thread: $(($rt_conn*32))"
- echo " outgoing-num-tcp: $(($rt_conn))"
- echo " incoming-num-tcp: $(($rt_conn))"
- echo " rrset-cache-size: $(($rt_mem*256))k"
- echo " msg-cache-size: $(($rt_mem*128))k"
- echo " key-cache-size: $(($rt_mem*128))k"
- echo " neg-cache-size: $(($rt_mem*64))k"
- echo " infra-cache-numhosts: $(($rt_mem*256))"
- echo
- } >> $UNBOUND_CONFFILE
-
- elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
- logger -t unbound -s "default memory resource consumption"
- fi
-
- # Assembly of module-config: options is tricky; order matters
- modulestring="iterator"
-
-
- if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
- if [ ! -f "$UNBOUND_TIMEFILE" -a "$UNBOUND_B_NTP_BOOT" -gt 0 ] ; then
- # DNSSEC chicken and egg with getting NTP time
- echo " val-override-date: -1" >> $UNBOUND_CONFFILE
- fi
-
-
- {
- echo " harden-dnssec-stripped: yes"
- echo " val-clean-additional: yes"
- echo " ignore-cd-flag: yes"
- } >> $UNBOUND_CONFFILE
-
-
- modulestring="validator $modulestring"
- fi
-
-
- if [ "$UNBOUND_B_DNS64" -gt 0 ] ; then
- echo " dns64-prefix: $UNBOUND_IP_DNS64" >> $UNBOUND_CONFFILE
-
- modulestring="dns64 $modulestring"
- fi
-
-
- {
- # Print final module string
- echo " module-config: \"$modulestring\""
- echo
- } >> $UNBOUND_CONFFILE
-
-
- if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
- {
- # Some query privacy but "strict" will break some name servers
- echo " qname-minimisation: yes"
- echo " qname-minimisation-strict: yes"
- } >> $UNBOUND_CONFFILE
-
- elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
- # Minor improvement on query privacy
- echo " qname-minimisation: yes" >> $UNBOUND_CONFFILE
-
- else
- echo " qname-minimisation: no" >> $UNBOUND_CONFFILE
- fi
-
-
- case "$UNBOUND_D_RECURSION" in
- passive)
- {
- echo " prefetch: no"
- echo " prefetch-key: no"
- echo " target-fetch-policy: \"0 0 0 0 0\""
- echo
- } >> $UNBOUND_CONFFILE
- ;;
-
- aggressive)
- {
- echo " prefetch: yes"
- echo " prefetch-key: yes"
- echo " target-fetch-policy: \"3 2 1 0 0\""
- echo
- } >> $UNBOUND_CONFFILE
- ;;
-
- *)
- if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
- logger -t unbound -s "default recursion configuration"
- fi
- ;;
- esac
-
-
- {
- # Reload records more than 10 hours old
- # DNSSEC 5 minute bogus cool down before retry
- # Adaptive infrastructure info kept for 15 minutes
- echo " cache-min-ttl: $UNBOUND_TTL_MIN"
- echo " cache-max-ttl: 36000"
- echo " val-bogus-ttl: 300"
- echo " infra-host-ttl: 900"
- echo
- } >> $UNBOUND_CONFFILE
-
-
- if [ "$UNBOUND_B_HIDE_BIND" -gt 0 ] ; then
- {
- # Block server id and version DNS TXT records
- echo " hide-identity: yes"
- echo " hide-version: yes"
- echo
- } >> $UNBOUND_CONFFILE
- fi
-
-
- if [ "$UNBOUND_B_PRIV_BLCK" -gt 0 ] ; then
- {
- # Remove _upstream_ or global reponses with private addresses.
- # Unbounds own "local zone" and "forward zone" may still use these.
- # RFC1918, RFC3927, RFC4291, RFC6598, RFC6890
- echo " private-address: 10.0.0.0/8"
- echo " private-address: 100.64.0.0/10"
- echo " private-address: 169.254.0.0/16"
- echo " private-address: 172.16.0.0/12"
- echo " private-address: 192.168.0.0/16"
- echo " private-address: fc00::/8"
- echo " private-address: fd00::/8"
- echo " private-address: fe80::/10"
- } >> $UNBOUND_CONFFILE
- fi
-
-
- if [ "$UNBOUND_B_LOCL_BLCK" -gt 0 ] ; then
- {
- # Remove DNS reponses from upstream with loopback IP
- # Black hole DNS method for ad blocking, so consider...
- echo " private-address: 127.0.0.0/8"
- echo " private-address: ::1/128"
- echo
- } >> $UNBOUND_CONFFILE
-
- else
- echo >> $UNBOUND_CONFFILE
- fi
-
-
- # Except and accept domains as insecure (DNSSEC); work around broken domains
- config_list_foreach "$cfg" "domain_insecure" create_domain_insecure
- echo >> $UNBOUND_CONFFILE
-}
-
-##############################################################################
-
-unbound_access() {
- # TODO: Unbound 1.6.0 added "tags" and "views", so we can add tags to
- # each access-control IP block, and then divert access.
- # -- "guest" WIFI will not be allowed to see local zone data
- # -- "child" LAN can black whole a list of domains to http~deadpixel
-
-
- if [ "$UNBOUND_B_LOCL_SERV" -gt 0 ] ; then
- # Only respond to queries from which this device has an interface.
- # Prevent DNS amplification attacks by not responding to the universe.
- config_load network
- config_foreach create_access_control interface
-
-
- {
- echo " access-control: 127.0.0.0/8 allow"
- echo " access-control: ::1/128 allow"
- echo " access-control: fe80::/10 allow"
- echo
- } >> $UNBOUND_CONFFILE
-
- else
- {
- echo " access-control: 0.0.0.0/0 allow"
- echo " access-control: ::0/0 allow"
- echo
- } >> $UNBOUND_CONFFILE
- fi
-
-
- {
- # Amend your own "server:" stuff here
- echo " include: $UNBOUND_SRV_CONF"
- echo
- } >> $UNBOUND_CONFFILE
-}
-
-##############################################################################
-
-unbound_adblock() {
- # TODO: Unbound 1.6.0 added "tags" and "views"; lets work with adblock team
- local adb_enabled adb_file
-
- if [ ! -x /usr/bin/adblock.sh -o ! -x /etc/init.d/adblock ] ; then
- adb_enabled=0
- else
- /etc/init.d/adblock enabled && adb_enabled=1 || adb_enabled=0
- fi
-
-
- if [ "$adb_enabled" -gt 0 ] ; then
- {
- # Pull in your selected openwrt/pacakges/net/adblock generated lists
- for adb_file in $UNBOUND_VARDIR/adb_list.* ; do
- echo " include: $adb_file"
- done
- echo
- } >> $UNBOUND_CONFFILE
- fi
-}
-
-##############################################################################
-
-unbound_hostname() {
- if [ -n "$UNBOUND_TXT_DOMAIN" ] ; then
- {
- # TODO: Unbound 1.6.0 added "tags" and "views" and we could make
- # domains by interface to prevent DNS from "guest" to "home"
- echo " local-zone: $UNBOUND_TXT_DOMAIN. $UNBOUND_D_DOMAIN_TYPE"
- echo " domain-insecure: $UNBOUND_TXT_DOMAIN"
- echo " private-domain: $UNBOUND_TXT_DOMAIN"
- echo
- echo " local-zone: $UNBOUND_TXT_HOSTNAME. $UNBOUND_D_DOMAIN_TYPE"
- echo " domain-insecure: $UNBOUND_TXT_HOSTNAME"
- echo " private-domain: $UNBOUND_TXT_HOSTNAME"
- echo
- } >> $UNBOUND_CONFFILE
-
-
- case "$UNBOUND_D_DOMAIN_TYPE" in
- deny|inform_deny|refuse|static)
- {
- # avoid upstream involvement in RFC6762 like responses (link only)
- echo " local-zone: local. $UNBOUND_D_DOMAIN_TYPE"
- echo " domain-insecure: local"
- echo " private-domain: local"
- echo
- } >> $UNBOUND_CONFFILE
- ;;
- esac
-
-
- if [ "$UNBOUND_D_LAN_FQDN" -gt 0 -o "$UNBOUND_D_WAN_FQDN" -gt 0 ] ; then
- config_load dhcp
- config_foreach create_interface_dns dhcp
- fi
-
-
- if [ -f "$UNBOUND_DHCP_CONF" ] ; then
- {
- # Seed DHCP records because dhcp scripts trigger externally
- # Incremental Unbound restarts may drop unbound-control add records
- echo " include: $UNBOUND_DHCP_CONF"
- echo
- } >> $UNBOUND_CONFFILE
- fi
- fi
-}
-
-##############################################################################
-
-unbound_uci() {
- local cfg="$1"
- local dnsmasqpath hostnm
-
- hostnm="$(uci_get system.@system[0].hostname | awk '{print tolower($0)}')"
- UNBOUND_TXT_HOSTNAME=${hostnm:-thisrouter}
-
- config_get_bool UNBOUND_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0
- config_get_bool UNBOUND_B_DNS64 "$cfg" dns64 0
- config_get_bool UNBOUND_B_HIDE_BIND "$cfg" hide_binddata 1
- config_get_bool UNBOUND_B_LOCL_SERV "$cfg" localservice 1
- config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0
- config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0
- config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0
- config_get_bool UNBOUND_B_PRIV_BLCK "$cfg" rebind_protection 1
- config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
- config_get_bool UNBOUND_B_CONTROL "$cfg" unbound_control 0
- config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
- config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
-
- config_get UNBOUND_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96"
-
- config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280
- config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53
- config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9
-
- config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static
- config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none
- config_get UNBOUND_D_LAN_FQDN "$cfg" add_local_fqdn 0
- config_get UNBOUND_D_PROTOCOL "$cfg" protocol mixed
- config_get UNBOUND_D_RECURSION "$cfg" recursion passive
- config_get UNBOUND_D_RESOURCE "$cfg" resource small
- config_get UNBOUND_D_WAN_FQDN "$cfg" add_wan_fqdn 0
-
- config_get UNBOUND_TTL_MIN "$cfg" ttl_min 120
- config_get UNBOUND_TXT_DOMAIN "$cfg" domain lan
-
-
- if [ "$UNBOUND_D_DHCP_LINK" = "none" ] ; then
- config_get_bool UNBOUND_B_DNSMASQ "$cfg" dnsmasq_link_dns 0
-
-
- if [ "$UNBOUND_B_DNSMASQ" -gt 0 ] ; then
- UNBOUND_D_DHCP_LINK=dnsmasq
-
-
- if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
- logger -t unbound -s "Please use 'dhcp_link' selector instead"
- fi
- fi
- fi
-
-
- if [ "$UNBOUND_D_DHCP_LINK" = "dnsmasq" ] ; then
- if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then
- UNBOUND_D_DHCP_LINK=none
- else
- /etc/init.d/dnsmasq enabled || UNBOUND_D_DHCP_LINK=none
- fi
-
-
- if [ "$UNBOUND_D_DHCP_LINK" = "none" -a ! -f "$UNBOUND_TIMEFILE" ] ; then
- logger -t unbound -s "cannot forward to dnsmasq"
- fi
- fi
-
-
- if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" ] ; then
- if [ ! -x /usr/sbin/odhcpd -o ! -x /etc/init.d/odhcpd ] ; then
- UNBOUND_D_DHCP_LINK=none
- else
- /etc/init.d/odhcpd enabled || UNBOUND_D_DHCP_LINK=none
- fi
-
-
- if [ "$UNBOUND_D_DHCP_LINK" = "none" -a ! -f "$UNBOUND_TIMEFILE" ] ; then
- logger -t unbound -s "cannot receive records from odhcpd"
- fi
- fi
-
-
- if [ "$UNBOUND_N_EDNS_SIZE" -lt 512 \
- -o 4096 -lt "$UNBOUND_N_EDNS_SIZE" ] ; then
- # exceeds range, back to default
- UNBOUND_N_EDNS_SIZE=1280
- fi
-
-
- if [ "$UNBOUND_N_RX_PORT" -lt 1024 \
- -o 10240 -lt "$UNBOUND_N_RX_PORT" ] ; then
- # special port or in 5 digits, back to default
- UNBOUND_N_RX_PORT=53
- fi
-
-
- if [ "$UNBOUND_TTL_MIN" -gt 1800 ] ; then
- # that could have had awful side effects
- UNBOUND_TTL_MIN=300
- fi
-}
-
-##############################################################################
-
-unbound_start() {
- config_load unbound
- config_foreach unbound_uci unbound
- unbound_mkdir
-
-
- if [ "$UNBOUND_B_MAN_CONF" -eq 0 ] ; then
- unbound_conf
- unbound_access
- unbound_adblock
-
- if [ "$UNBOUND_D_DHCP_LINK" = "dnsmasq" ] ; then
- dnsmasq_link
- else
- unbound_hostname
- fi
-
- unbound_control
- fi
-}
-
-##############################################################################
-
-unbound_stop() {
- local resolvsym=0
-
- rootzone_update
-
-
- if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then
- resolvsym=1
- else
- /etc/init.d/dnsmasq enabled || resolvsym=1
- fi
-
-
- if [ "$resolvsym" -gt 0 ] ; then
- # set resolver file to normal, but don't stomp on dnsmasq
- rm -f /tmp/resolv.conf
- ln -s /tmp/resolv.conf.auto /tmp/resolv.conf
- fi
-}
-
-##############################################################################
-
+++ /dev/null
-config unbound
- option add_local_fqdn '1'
- option add_wan_fqdn '0'
- option dhcp_link 'none'
- option dhcp4_slaac6 '0'
- option dns64 '0'
- option dns64_prefix '64:ff9b::/96'
- option domain 'lan'
- option domain_type 'static'
- option edns_size '1280'
- option hide_binddata '1'
- option listen_port '53'
- option localservice '1'
- option manual_conf '0'
- option protocol 'mixed'
- option query_minimize '0'
- option query_min_strict '0'
- option rebind_localhost '0'
- option rebind_protection '1'
- option recursion 'passive'
- option resource 'small'
- option root_age '9'
- option ttl_min '120'
- option unbound_control '0'
- option validator '0'
- option validator_ntp '1'
- #list domain_insecure ''
-
+++ /dev/null
-##############################################################################
-# UNBOUND UCI USER ADDED CLAUSES
-#
-# Put your own forward:, view:, stub:, and control: clauses here. This file is
-# appended to the end of UCI auto generated 'unbound.conf'. This is done with
-# include: statement. Notice, it is outside of the server: clause.
-##############################################################################
-
+++ /dev/null
-##############################################################################
-# UNBOUND UCI USER ADDED SERVER OPTIONS
-#
-# Put your own choice options here when not covered by UCI. These are all part
-# of the server: clause only. Most likely are hardening options or local-zone:
-# This is in an include: statement towards the end of the server: cluase.
-##############################################################################
-
+++ /dev/null
-diff --git a/doc/example.conf.in b/doc/example.conf.in
-index 83e7c5c..3ea2b28 100644
---- a/doc/example.conf.in
-+++ b/doc/example.conf.in
-@@ -1,9 +1,10 @@
--#
--# Example configuration file.
--#
--# See unbound.conf(5) man page, version 1.6.1.
--#
--# this is a comment.
-+##############################################################################
-+# MEMORY CONTROL EXAMPLE
-+# In the example config settings below memory usage is reduced. Some ser-
-+# vice levels are lower, notable very large data and a high TCP load are
-+# no longer supported ... are exceptional for the DNS.
-+# (http://unbound.net/documentation/unbound.conf.html)
-+##############################################################################
-
- #Use this to include other text into the file.
- #include: "otherfile.conf"
-@@ -12,9 +13,71 @@
- server:
- # whitespace is not necessary, but looks cleaner.
-
-- # verbosity number, 0 is least verbose. 1 is default.
-+ # verbosity 1 is default
- verbosity: 1
-
-+ # Self jail Unbound with user "unbound" to /var/lib/unbound
-+ # The script /etc/init.d/unbound will setup the location
-+ username: "unbound"
-+ directory: "/var/lib/unbound"
-+ chroot: "/var/lib/unbound"
-+
-+ # The pid file is created before privleges drop so no concern
-+ pidfile: "/var/run/unbound.pid"
-+
-+ # no threads and no memory slabs for threads
-+ num-threads: 1
-+ msg-cache-slabs: 1
-+ rrset-cache-slabs: 1
-+ infra-cache-slabs: 1
-+ key-cache-slabs: 1
-+
-+ # don't be picky about interfaces but consider your firewall
-+ interface: 0.0.0.0
-+ interface: ::0
-+ access-control: 0.0.0.0/0 allow
-+ access-control: ::0/0 allow
-+
-+ # this limits TCP service but uses less buffers
-+ outgoing-num-tcp: 1
-+ incoming-num-tcp: 1
-+
-+ # use somewhat higher port numbers versus possible NAT issue
-+ outgoing-port-permit: "10240-65335"
-+
-+ # uses less memory but less performance
-+ outgoing-range: 60
-+ num-queries-per-thread: 30
-+
-+ # exclude large responses
-+ msg-buffer-size: 8192
-+
-+ # tiny memory cache
-+ infra-cache-numhosts: 200
-+ msg-cache-size: 100k
-+ rrset-cache-size: 100k
-+ key-cache-size: 100k
-+ neg-cache-size: 10k
-+
-+ # gentle on recursion
-+ target-fetch-policy: "2 1 0 0 0 0"
-+ harden-large-queries: yes
-+ harden-short-bufsize: yes
-+
-+ # DNSSEC enable by removing comments on "module-config:" and "auto-trust-
-+ # -anchor-file:" The init script will copy root key to /var/lib/unbound.
-+ # See package documentation for crontab entry to copy RFC5011 results back.
-+ #module-config: "validator iterator"
-+ #auto-trust-anchor-file: "/var/lib/unbound/root.key"
-+
-+ # DNSSEC needs real time to validate signatures. If your device does not
-+ # have power off clock (reboot), then you may need this work around.
-+ #domain-insecure: "pool.ntp.org"
-+
-+##############################################################################
-+# Resume Stock example.conf.in
-+##############################################################################
-+
- # print statistics to the log (for every thread) every N seconds.
- # Set to "" or 0 to disable. Default is disabled.
- # statistics-interval: 0