2 ##############################################################################
4 # This program is free software; you can redistribute it and/or modify
5 # it under the terms of the GNU General Public License version 2 as
6 # published by the Free Software Foundation.
8 # This program is distributed in the hope that it will be useful,
9 # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 # GNU General Public License for more details.
13 # Copyright (C) 2016 Eric Luehrsen
15 ##############################################################################
17 # Unbound is a full featured recursive server with many options. The UCI
18 # provided tries to simplify and bundle options. This should make Unbound
19 # easier to deploy. Even light duty routers may resolve recursively instead of
20 # depending on a stub with the ISP. The UCI also attempts to replicate dnsmasq
21 # features as used in base LEDE/OpenWrt. If there is a desire for more
22 # detailed tuning, then manual conf file overrides are also made available.
24 ##############################################################################
41 UB_D_DOMAIN_TYPE=static
48 UB_D_RECURSION=passive
52 UB_IP_DNS64="64:ff9b::/96"
60 UB_TXT_HOSTNAME=thisrouter
62 ##############################################################################
64 # reset as a combo with UB_B_NTP_BOOT and some time stamp files
67 # keep track of assignments during inserted resource records
72 UB_LIST_ZONE_SERVERS=""
75 ##############################################################################
78 . /lib/functions/network.sh
80 . /usr/lib/unbound/defaults.sh
81 . /usr/lib/unbound/dnsmasq.sh
82 . /usr/lib/unbound/iptools.sh
84 ##############################################################################
86 bundle_all_networks() {
88 local ifname ifdashname validip
89 local subnet subnets subnets4 subnets6
91 network_get_subnets subnets4 "$cfg"
92 network_get_subnets6 subnets6 "$cfg"
93 network_get_device ifname "$cfg"
95 ifdashname="${ifname//./-}"
96 subnets="$subnets4 $subnets6"
99 if [ -n "$subnets" ] ; then
100 for subnet in $subnets ; do
101 validip=$( valid_subnet_any $subnet )
104 if [ "$validip" = "ok" ] ; then
105 UB_LIST_NETW_ALL="$UB_LIST_NETW_ALL $ifdashname@$subnet"
111 ##############################################################################
113 bundle_lan_networks() {
115 local ifsubnet ifname ifdashname ignore
117 config_get_bool ignore "$cfg" ignore 0
118 network_get_device ifname "$cfg"
119 ifdashname="${ifname//./-}"
122 if [ "$ignore" -eq 0 -a -n "$ifdashname" -a -n "$UB_LIST_NETW_ALL" ] ; then
123 for ifsubnet in $UB_LIST_NETW_ALL ; do
126 # Special GLA protection for local block; ULA protected as a catagory
127 UB_LIST_NETW_LAN="$UB_LIST_NETW_LAN $ifsubnet"
134 ##############################################################################
136 bundle_wan_networks() {
140 if [ -n "$UB_LIST_NETW_ALL" ] ; then
141 for ifsubnet in $UB_LIST_NETW_ALL ; do
142 case $UB_LIST_NETW_LAN in
144 # If LAN, then not WAN ...
148 UB_LIST_NETW_WAN="$UB_LIST_NETW_WAN $ifsubnet"
155 ##############################################################################
157 bundle_resolv_conf_servers() {
158 local resolvers=$( awk '/nameserver/ { print $2 }' /tmp/resolv.conf.auto )
159 UB_LIST_ZONE_SERVERS="$UB_LIST_ZONE_SERVERS $resolvers"
162 ##############################################################################
164 bundle_zone_names() {
165 UB_LIST_ZONE_NAMES="$UB_LIST_ZONE_NAMES $1"
168 ##############################################################################
170 bundle_zone_servers() {
171 UB_LIST_ZONE_SERVERS="$UB_LIST_ZONE_SERVERS $1"
174 ##############################################################################
176 bundle_domain_insecure() {
177 UB_LIST_INSECURE="$UB_LIST_INSECURE $1"
180 ##############################################################################
186 if [ "$UB_D_DHCP_LINK" = "odhcpd" ] ; then
187 local dhcp_origin=$( uci_get dhcp.@odhcpd[0].leasefile )
188 local dhcp_dir=$( dirname $dhcp_origin )
191 if [ ! -d "$dhcp_dir" ] ; then
192 # make sure odhcpd has a directory to write (not done itself, yet)
198 if [ -f $UB_RKEY_FILE ] ; then
199 filestuff=$( cat $UB_RKEY_FILE )
203 *"state=2 [ VALID ]"*)
204 # Lets not lose RFC 5011 tracking if we don't have to
205 cp -p $UB_RKEY_FILE $UB_RKEY_FILE.keep
211 # Blind copy /etc/unbound to /var/lib/unbound
213 rm -f $UB_VARDIR/dhcp_*
215 cp -p /etc/unbound/* $UB_VARDIR/
218 if [ ! -f $UB_RHINT_FILE ] ; then
219 if [ -f /usr/share/dns/root.hints ] ; then
220 # Debian-like package dns-root-data
221 cp -p /usr/share/dns/root.hints $UB_RHINT_FILE
223 elif [ "$UB_B_READY" -eq 0 ] ; then
224 logger -t unbound -s "default root hints (built in root-servers.net)"
229 if [ ! -f $UB_RKEY_FILE ] ; then
230 if [ -f /usr/share/dns/root.key ] ; then
231 # Debian-like package dns-root-data
232 cp -p /usr/share/dns/root.key $UB_RKEY_FILE
234 elif [ -x $UB_ANCHOR ] ; then
235 $UB_ANCHOR -a $UB_RKEY_FILE
237 elif [ "$UB_B_READY" -eq 0 ] ; then
238 logger -t unbound -s "default trust anchor (built in root DS record)"
243 if [ -f $UB_RKEY_FILE.keep ] ; then
244 # root.key.keep is reused if newest
245 cp -u $UB_RKEY_FILE.keep $UB_RKEY_FILE
246 rm -f $UB_RKEY_FILE.keep
250 if [ -f $UB_TLS_ETC_FILE ] ; then
251 # copy the cert bundle into jail
252 cp -p $UB_TLS_ETC_FILE $UB_TLS_FWD_FILE
256 # Ensure access and prepare to jail
257 chown -R unbound:unbound $UB_VARDIR
259 chmod 644 $UB_VARDIR/*
262 if [ -f $UB_CTLKEY_FILE -o -f $UB_CTLPEM_FILE \
263 -o -f $UB_SRVKEY_FILE -o -f $UB_SRVPEM_FILE ] ; then
264 # Keys (some) exist already; do not create new ones
265 chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
266 $UB_SRVKEY_FILE $UB_SRVPEM_FILE
268 elif [ -x /usr/sbin/unbound-control-setup ] ; then
269 case "$UB_D_CONTROL" in
271 # unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static"
272 /usr/sbin/unbound-control-setup -d $UB_VARDIR
274 chown -R unbound:unbound $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
275 $UB_SRVKEY_FILE $UB_SRVPEM_FILE
277 chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
278 $UB_SRVKEY_FILE $UB_SRVPEM_FILE
280 cp -p $UB_CTLKEY_FILE /etc/unbound/unbound_control.key
281 cp -p $UB_CTLPEM_FILE /etc/unbound/unbound_control.pem
282 cp -p $UB_SRVKEY_FILE /etc/unbound/unbound_server.key
283 cp -p $UB_SRVPEM_FILE /etc/unbound/unbound_server.pem
289 if [ -f "$UB_TIME_FILE" ] ; then
290 # NTP is done so its like you actually had an RTC
294 elif [ "$UB_B_NTP_BOOT" -eq 0 ] ; then
295 # time is considered okay on this device (ignore /etc/hotplug/ntpd/unbound)
296 date -Is > $UB_TIME_FILE
301 # DNSSEC-TIME will not reconcile
307 ##############################################################################
310 echo "# $UB_CTRL_CONF generated by UCI $( date -Is )" > $UB_CTRL_CONF
313 if [ "$UB_D_CONTROL" -gt 1 ] ; then
314 if [ ! -f $UB_CTLKEY_FILE -o ! -f $UB_CTLPEM_FILE \
315 -o ! -f $UB_SRVKEY_FILE -o ! -f $UB_SRVPEM_FILE ] ; then
316 # Key files need to be present; if unbound-control-setup was found, then
317 # they might have been made during unbound_makedir() above.
323 case "$UB_D_CONTROL" in
326 # Local Host Only Unencrypted Remote Control
327 echo "remote-control:"
328 echo " control-enable: yes"
329 echo " control-use-cert: no"
330 echo " control-interface: 127.0.0.1"
331 echo " control-interface: ::1"
338 # Local Host Only Encrypted Remote Control
339 echo "remote-control:"
340 echo " control-enable: yes"
341 echo " control-use-cert: yes"
342 echo " control-interface: 127.0.0.1"
343 echo " control-interface: ::1"
344 echo " server-key-file: $UB_SRVKEY_FILE"
345 echo " server-cert-file: $UB_SRVPEM_FILE"
346 echo " control-key-file: $UB_CTLKEY_FILE"
347 echo " control-cert-file: $UB_CTLPEM_FILE"
354 # Network Encrypted Remote Control
355 # (3) may auto setup and (4) must have static key/pem files
356 # TODO: add UCI list for interfaces to bind
357 echo "remote-control:"
358 echo " control-enable: yes"
359 echo " control-use-cert: yes"
360 echo " control-interface: 0.0.0.0"
361 echo " control-interface: ::0"
362 echo " server-key-file: $UB_SRVKEY_FILE"
363 echo " server-cert-file: $UB_SRVPEM_FILE"
364 echo " control-key-file: $UB_CTLKEY_FILE"
365 echo " control-cert-file: $UB_CTLPEM_FILE"
372 ##############################################################################
377 local servers_host=""
378 local zone_sym zone_name zone_type zone_enabled zone_file
379 local tls_upstream fallback
380 local server port tls_port tls_index tls_suffix url_dir
382 if [ ! -f "$UB_ZONE_CONF" ] ; then
383 echo "# $UB_ZONE_CONF generated by UCI $( date -Is )" > $UB_ZONE_CONF
387 config_get_bool zone_enabled "$cfg" enabled 0
390 if [ "$zone_enabled" -eq 1 ] ; then
391 # these lists are built for each zone; empty to start
392 UB_LIST_ZONE_NAMES=""
393 UB_LIST_ZONE_SERVERS=""
395 config_get zone_type "$cfg" zone_type ""
396 config_get port "$cfg" port ""
397 config_get tls_index "$cfg" tls_index ""
398 config_get tls_port "$cfg" tls_port 853
399 config_get url_dir "$cfg" url_dir ""
401 config_get_bool resolv_conf "$cfg" resolv_conf 0
402 config_get_bool fallback "$cfg" fallback 1
403 config_get_bool tls_upstream "$cfg" tls_upstream 0
405 config_list_foreach "$cfg" zone_name bundle_zone_names
406 config_list_foreach "$cfg" server bundle_zone_servers
408 # string formating for Unbound syntax
409 tls_suffix="${tls_port:+@${tls_port}${tls_index:+#${tls_index}}}"
410 [ "$fallback" -eq 0 ] && fallback=no || fallback=yes
411 [ "$tls_upstream" -eq 0 ] && tls_upstream=no || tls_upstream=yes
414 if [ $resolv_conf -eq 1 ] ; then
415 bundle_resolv_conf_servers
425 if [ -n "$UB_LIST_ZONE_NAMES" \
426 -a \( -n "$url_dir" -o -n "$UB_LIST_ZONE_SERVERS" \) ] ; then
427 for zone_name in $UB_LIST_ZONE_NAMES ; do
428 if [ "$zone_name" = "." ] ; then
434 zone_file=$zone_name.zone
435 zone_file=${zone_file//../.}
440 # generate an auth-zone: with switches for prefetch cache
442 echo " name: $zone_sym"
443 for server in $UB_LIST_ZONE_SERVERS ; do
444 echo " master: $server${port:+@${port}}"
446 if [ -n "$url_dir" ] ; then
447 echo " url: $url_dir$zone_file"
449 echo " fallback-enabled: $fallback"
450 echo " for-downstream: no"
451 echo " for-upstream: yes"
452 echo " zonefile: $zone_file"
460 if [ ! -f $UB_TLS_FWD_FILE -a "$tls_upstream" = "yes" ] ; then
461 logger -p 4 -t unbound -s \
462 "Forward-zone TLS benefits from authentication in package 'ca-bundle'"
466 if [ -n "$UB_LIST_ZONE_NAMES" -a -n "$UB_LIST_ZONE_SERVERS" ] ; then
467 for server in $UB_LIST_ZONE_SERVERS ; do
468 if [ "$( valid_subnet_any $server )" = "not" ] ; then
471 # unique Unbound option for server host name
472 servers_host="$servers_host $server"
476 if [ "$tls_upstream" = "yes" ] ; then
477 servers_host="$servers_host $server${tls_port:+@${tls_port}}"
479 servers_host="$servers_host $server${port:+@${port}}"
486 # unique Unbound option for server address
487 servers_ip="$servers_ip $server"
491 if [ "$tls_upstream" = "yes" ] ; then
492 servers_ip="$servers_ip $server$tls_suffix"
494 servers_ip="$servers_ip $server${port:+@${port}}"
501 for zonename in $UB_LIST_ZONE_NAMES ; do
503 # generate a forward-zone with or without tls
505 echo " name: $zonename"
506 for server in $servers_host ; do
507 echo " forward-host: $server"
509 for server in $servers_ip ; do
510 echo " forward-addr: $server"
512 echo " forward-first: $fallback"
513 echo " forward-tls-upstream: $tls_upstream"
521 if [ -n "$UB_LIST_ZONE_NAMES" -a -n "$UB_LIST_ZONE_SERVERS" ] ; then
522 for zonename in $UB_LIST_ZONE_NAMES ; do
524 # generate a stub-zone: or ensure short cut to authority NS
526 echo " name: $zonename"
527 for server in $UB_LIST_ZONE_SERVERS ; do
528 echo " stub-addr: $server${port:+@${port}}"
530 echo " stub-first: $fallback"
539 ##############################################################################
542 local rt_mem rt_conn rt_buff modulestring domain ifsubnet nsubnet
545 # server: for this whole function
546 echo "# $UB_CORE_CONF generated by UCI $( date -Is )"
548 echo " username: unbound"
549 echo " chroot: $UB_VARDIR"
550 echo " directory: $UB_VARDIR"
551 echo " pidfile: $UB_PIDFILE"
555 if [ -f "$UB_TLS_FWD_FILE" ] ; then
556 # TLS cert bundle for upstream forwarder and https zone files
557 # This is loaded before drop to root, so pull from /etc/ssl
558 echo " tls-cert-bundle: $UB_TLS_FWD_FILE" >> $UB_CORE_CONF
562 if [ -f "$UB_RHINT_FILE" ] ; then
563 # Optional hints if found
564 echo " root-hints: $UB_RHINT_FILE" >> $UB_CORE_CONF
568 if [ "$UB_B_DNSSEC" -gt 0 -a -f "$UB_RKEY_FILE" ] ; then
570 echo " auto-trust-anchor-file: $UB_RKEY_FILE"
575 echo >> $UB_CORE_CONF
581 echo " num-threads: 1"
582 echo " msg-cache-slabs: 1"
583 echo " rrset-cache-slabs: 1"
584 echo " infra-cache-slabs: 1"
585 echo " key-cache-slabs: 1"
588 echo " use-syslog: yes"
589 echo " statistics-interval: 0"
590 echo " statistics-cumulative: no"
594 if [ "$UB_D_VERBOSE" -ge 0 -a "$UB_D_VERBOSE" -le 5 ] ; then
595 echo " verbosity: $UB_D_VERBOSE" >> $UB_CORE_CONF
599 if [ "$UB_B_EXT_STATS" -gt 0 ] ; then
602 echo " extended-statistics: yes"
609 echo " extended-statistics: no"
615 case "$UB_D_PROTOCOL" in
618 echo " edns-buffer-size: $UB_N_EDNS_SIZE"
619 echo " port: $UB_N_RX_PORT"
620 echo " outgoing-port-permit: 10240-65535"
621 echo " interface: 0.0.0.0"
622 echo " interface: ::0"
623 echo " outgoing-interface: 0.0.0.0"
632 echo " edns-buffer-size: $UB_N_EDNS_SIZE"
633 echo " port: $UB_N_RX_PORT"
634 echo " outgoing-port-permit: 10240-65535"
635 echo " interface: 0.0.0.0"
636 echo " interface: ::0"
637 echo " outgoing-interface: ::0"
646 echo " edns-buffer-size: $UB_N_EDNS_SIZE"
647 echo " port: $UB_N_RX_PORT"
648 echo " outgoing-port-permit: 10240-65535"
649 echo " interface: 0.0.0.0"
650 echo " interface: ::0"
651 echo " outgoing-interface: 0.0.0.0"
652 echo " outgoing-interface: ::0"
655 echo " prefer-ip6: yes"
662 # Interface Wildcard (access contol handled by "option local_service")
663 echo " edns-buffer-size: $UB_N_EDNS_SIZE"
664 echo " port: $UB_N_RX_PORT"
665 echo " outgoing-port-permit: 10240-65535"
666 echo " interface: 0.0.0.0"
667 echo " interface: ::0"
668 echo " outgoing-interface: 0.0.0.0"
669 echo " outgoing-interface: ::0"
677 if [ "$UB_B_READY" -eq 0 ] ; then
678 logger -t unbound -s "default protocol configuration"
683 # outgoing-interface has useful defaults; incoming is localhost though
684 echo " edns-buffer-size: $UB_N_EDNS_SIZE"
685 echo " port: $UB_N_RX_PORT"
686 echo " outgoing-port-permit: 10240-65535"
687 echo " interface: 0.0.0.0"
688 echo " interface: ::0"
696 # Other harding and options for an embedded router
697 echo " harden-short-bufsize: yes"
698 echo " harden-large-queries: yes"
699 echo " harden-glue: yes"
700 echo " harden-below-nxdomain: no"
701 echo " harden-referral-path: no"
702 echo " use-caps-for-id: no"
707 case "$UB_D_RESOURCE" in
708 # Tiny - Unbound's recommended cheap hardware config
709 tiny) rt_mem=1 ; rt_conn=2 ; rt_buff=1 ;;
710 # Small - Half RRCACHE and open ports
711 small) rt_mem=8 ; rt_conn=10 ; rt_buff=2 ;;
712 # Medium - Nearly default but with some added balancintg
713 medium) rt_mem=16 ; rt_conn=20 ; rt_buff=4 ;;
714 # Large - Double medium
715 large) rt_mem=32 ; rt_conn=40 ; rt_buff=4 ;;
716 # Whatever unbound does
717 *) rt_mem=0 ; rt_conn=0 ;;
721 if [ "$rt_mem" -gt 0 ] ; then
723 # Set memory sizing parameters
724 echo " msg-buffer-size: $(($rt_buff*8192))"
725 echo " outgoing-range: $(($rt_conn*64))"
726 echo " num-queries-per-thread: $(($rt_conn*32))"
727 echo " outgoing-num-tcp: $(($rt_conn))"
728 echo " incoming-num-tcp: $(($rt_conn))"
729 echo " rrset-cache-size: $(($rt_mem*256))k"
730 echo " msg-cache-size: $(($rt_mem*128))k"
731 echo " key-cache-size: $(($rt_mem*128))k"
732 echo " neg-cache-size: $(($rt_mem*64))k"
733 echo " infra-cache-numhosts: $(($rt_mem*256))"
737 elif [ "$UB_B_READY" -eq 0 ] ; then
738 logger -t unbound -s "default memory configuration"
742 # Assembly of module-config: options is tricky; order matters
743 modulestring="iterator"
746 if [ "$UB_B_DNSSEC" -gt 0 ] ; then
747 if [ "$UB_B_NTP_BOOT" -gt 0 ] ; then
748 # DNSSEC chicken and egg with getting NTP time
749 echo " val-override-date: -1" >> $UB_CORE_CONF
754 echo " harden-dnssec-stripped: yes"
755 echo " val-clean-additional: yes"
756 echo " ignore-cd-flag: yes"
760 modulestring="validator $modulestring"
764 if [ "$UB_B_DNS64" -gt 0 ] ; then
765 echo " dns64-prefix: $UB_IP_DNS64" >> $UB_CORE_CONF
767 modulestring="dns64 $modulestring"
772 # Print final module string
773 echo " module-config: \"$modulestring\""
778 case "$UB_D_RECURSION" in
781 # Some query privacy but "strict" will break some servers
782 if [ "$UB_B_QRY_MINST" -gt 0 \
783 -a "$UB_B_QUERY_MIN" -gt 0 ] ; then
784 echo " qname-minimisation: yes"
785 echo " qname-minimisation-strict: yes"
786 elif [ "$UB_B_QUERY_MIN" -gt 0 ] ; then
787 echo " qname-minimisation: yes"
789 echo " qname-minimisation: no"
791 # Use DNSSEC to quickly understand NXDOMAIN ranges
792 if [ "$UB_B_DNSSEC" -gt 0 ] ; then
793 echo " aggressive-nsec: yes"
794 echo " prefetch-key: no"
798 echo " target-fetch-policy: \"0 0 0 0 0\""
805 # Some query privacy but "strict" will break some servers
806 if [ "$UB_B_QRY_MINST" -gt 0 \
807 -a "$UB_B_QUERY_MIN" -gt 0 ] ; then
808 echo " qname-minimisation: yes"
809 echo " qname-minimisation-strict: yes"
810 elif [ "$UB_B_QUERY_MIN" -gt 0 ] ; then
811 echo " qname-minimisation: yes"
813 echo " qname-minimisation: no"
815 # Use DNSSEC to quickly understand NXDOMAIN ranges
816 if [ "$UB_B_DNSSEC" -gt 0 ] ; then
817 echo " aggressive-nsec: yes"
818 echo " prefetch-key: yes"
820 # Prefetch what can be
821 echo " prefetch: yes"
822 echo " target-fetch-policy: \"3 2 1 0 0\""
828 if [ "$UB_B_READY" -eq 0 ] ; then
829 logger -t unbound -s "default recursion configuration"
836 # Reload records more than 20 hours old
837 # DNSSEC 5 minute bogus cool down before retry
838 # Adaptive infrastructure info kept for 15 minutes
839 echo " cache-min-ttl: $UB_TTL_MIN"
840 echo " cache-max-ttl: 72000"
841 echo " val-bogus-ttl: 300"
842 echo " infra-host-ttl: 900"
847 if [ "$UB_B_HIDE_BIND" -gt 0 ] ; then
849 # Block server id and version DNS TXT records
850 echo " hide-identity: yes"
851 echo " hide-version: yes"
857 if [ "$UB_D_PRIV_BLCK" -gt 0 ] ; then
859 # Remove _upstream_ or global reponses with private addresses.
860 # Unbounds own "local zone" and "forward zone" may still use these.
861 # RFC1918, RFC3927, RFC4291, RFC6598, RFC6890
862 echo " private-address: 10.0.0.0/8"
863 echo " private-address: 100.64.0.0/10"
864 echo " private-address: 169.254.0.0/16"
865 echo " private-address: 172.16.0.0/12"
866 echo " private-address: 192.168.0.0/16"
867 echo " private-address: fc00::/7"
868 echo " private-address: fe80::/10"
874 if [ -n "$UB_LIST_NETW_LAN" -a "$UB_D_PRIV_BLCK" -gt 1 ] ; then
876 for ifsubnet in $UB_LIST_NETW_LAN ; do
878 *@[1-9][0-9a-f][0-9a-f][0-9a-f]:*:[0-9a-f]*)
879 # Remove global DNS responses with your local network IP6 GLA
880 echo " private-address: ${ifsubnet#*@}"
889 if [ "$UB_B_LOCL_BLCK" -gt 0 ] ; then
891 # Remove DNS reponses from upstream with loopback IP
892 # Black hole DNS method for ad blocking, so consider...
893 echo " private-address: 127.0.0.0/8"
894 echo " private-address: ::1/128"
900 if [ -n "$UB_LIST_INSECURE" ] ; then
902 for domain in $UB_LIST_INSECURE ; do
903 # Except and accept domains without (DNSSEC); work around broken domains
904 echo " domain-insecure: $domain"
911 if [ "$UB_B_LOCL_SERV" -gt 0 -a -n "$UB_LIST_NETW_ALL" ] ; then
913 for ifsubnet in $UB_LIST_NETW_ALL ; do
914 # Only respond to queries from subnets which have an interface.
915 # Prevent DNS amplification attacks by not responding to the universe.
916 echo " access-control: ${ifsubnet#*@} allow"
918 echo " access-control: 127.0.0.0/8 allow"
919 echo " access-control: ::1/128 allow"
920 echo " access-control: fe80::/10 allow"
926 echo " access-control: 0.0.0.0/0 allow"
927 echo " access-control: ::0/0 allow"
933 ##############################################################################
936 local ifsubnet ifarpa ifaddr ifname iffqdn
937 local ulaprefix hostfqdn name names namerec ptrrec
940 echo "# $UB_HOST_CONF generated by UCI $( date -Is )" > $UB_HOST_CONF
943 if [ "$UB_D_DHCP_LINK" = "dnsmasq" ] ; then
945 echo "# Local zone is handled by dnsmasq"
949 elif [ -n "$UB_TXT_DOMAIN" \
950 -a \( "$UB_D_WAN_FQDN" -gt 0 -o "$UB_D_LAN_FQDN" -gt 0 \) ] ; then
951 case "$UB_D_DOMAIN_TYPE" in
952 deny|inform_deny|refuse|static)
954 # type static means only this router has your domain
955 echo " domain-insecure: $UB_TXT_DOMAIN"
956 echo " private-domain: $UB_TXT_DOMAIN"
957 echo " local-zone: $UB_TXT_DOMAIN $UB_D_DOMAIN_TYPE"
958 echo " local-data: \"$UB_TXT_DOMAIN. $UB_XSOA\""
959 echo " local-data: \"$UB_TXT_DOMAIN. $UB_XNS\""
960 echo " local-data: '$UB_TXT_DOMAIN. $UB_XTXT'"
962 # avoid upstream involvement in RFC6762
963 echo " domain-insecure: local"
964 echo " private-domain: local"
965 echo " local-zone: local $UB_D_DOMAIN_TYPE"
966 echo " local-data: \"local. $UB_XSOA\""
967 echo " local-data: \"local. $UB_XNS\""
968 echo " local-data: 'local. $UB_LTXT'"
974 transparent|typetransparent)
976 # transparent will permit forward-zone: or stub-zone: clauses
977 echo " private-domain: $UB_TXT_DOMAIN"
978 echo " local-zone: $UB_TXT_DOMAIN $UB_D_DOMAIN_TYPE"
987 # Hostname as TLD works, but not transparent through recursion (singular)
988 echo " domain-insecure: $UB_TXT_HOSTNAME"
989 echo " private-domain: $UB_TXT_HOSTNAME"
990 echo " local-zone: $UB_TXT_HOSTNAME static"
991 echo " local-data: \"$UB_TXT_HOSTNAME. $UB_XSOA\""
992 echo " local-data: \"$UB_TXT_HOSTNAME. $UB_XNS\""
993 echo " local-data: '$UB_TXT_HOSTNAME. $UB_XTXT'"
998 if [ -n "$UB_LIST_NETW_WAN" ] ; then
999 for ifsubnet in $UB_LIST_NETW_WAN ; do
1000 ifaddr=${ifsubnet#*@}
1002 ifarpa=$( host_ptr_any "$ifaddr" )
1005 if [ -n "$ifarpa" ] ; then
1006 if [ "$UB_D_WAN_FQDN" -gt 0 ] ; then
1008 # Create a static zone for WAN host record only (singular)
1009 echo " domain-insecure: $ifarpa"
1010 echo " private-address: $ifaddr"
1011 echo " local-zone: $ifarpa static"
1012 echo " local-data: \"$ifarpa. $UB_XSOA\""
1013 echo " local-data: \"$ifarpa. $UB_XNS\""
1014 echo " local-data: '$ifarpa. $UB_MTXT'"
1018 elif [ "$zonetype" -gt 0 ] ; then
1020 echo " local-zone: $ifarpa transparent"
1029 if [ -n "$UB_LIST_NETW_LAN" ] ; then
1030 for ifsubnet in $UB_LIST_NETW_LAN ; do
1031 ifarpa=$( domain_ptr_any "${ifsubnet#*@}" )
1034 if [ -n "$ifarpa" ] ; then
1035 if [ "$zonetype" -eq 2 ] ; then
1037 # Do NOT forward queries with your ip6.arpa or in-addr.arpa
1038 echo " domain-insecure: $ifarpa"
1039 echo " local-zone: $ifarpa static"
1040 echo " local-data: \"$ifarpa. $UB_XSOA\""
1041 echo " local-data: \"$ifarpa. $UB_XNS\""
1042 echo " local-data: '$ifarpa. $UB_XTXT'"
1046 elif [ "$zonetype" -eq 1 -a "$UB_D_PRIV_BLCK" -eq 0 ] ; then
1048 echo " local-zone: $ifarpa transparent"
1057 ulaprefix=$( uci_get network.@globals[0].ula_prefix )
1058 ulaprefix=${ulaprefix%%:/*}
1059 hostfqdn="$UB_TXT_HOSTNAME.$UB_TXT_DOMAIN"
1062 if [ -z "$ulaprefix" ] ; then
1063 # Nonsense so this option isn't globbed below
1064 ulaprefix="fdno:such:addr::"
1068 if [ "$UB_LIST_NETW_LAN" -a "$UB_D_LAN_FQDN" -gt 0 ] ; then
1069 for ifsubnet in $UB_LIST_NETW_LAN ; do
1070 ifaddr=${ifsubnet#*@}
1072 ifname=${ifsubnet%@*}
1073 iffqdn="$ifname.$hostfqdn"
1076 if [ "$UB_D_LAN_FQDN" -eq 4 ] ; then
1077 names="$iffqdn $hostfqdn $UB_TXT_HOSTNAME"
1078 ptrrec=" local-data-ptr: \"$ifaddr 300 $iffqdn\""
1079 echo "$ptrrec" >> $UB_HOST_CONF
1081 elif [ "$UB_D_LAN_FQDN" -eq 3 ] ; then
1082 names="$hostfqdn $UB_TXT_HOSTNAME"
1083 ptrrec=" local-data-ptr: \"$ifaddr 300 $hostfqdn\""
1084 echo "$ptrrec" >> $UB_HOST_CONF
1087 names="$UB_TXT_HOSTNAME"
1088 ptrrec=" local-data-ptr: \"$ifaddr 300 $UB_TXT_HOSTNAME\""
1089 echo "$ptrrec" >> $UB_HOST_CONF
1093 for name in $names ; do
1096 # IP6 ULA only is assigned for OPTION 1
1097 namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
1098 echo "$namerec" >> $UB_HOST_CONF
1102 namerec=" local-data: \"$name. 300 IN A $ifaddr\""
1103 echo "$namerec" >> $UB_HOST_CONF
1107 if [ "$UB_D_LAN_FQDN" -gt 1 ] ; then
1108 # IP6 GLA is assigned for higher options
1109 namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
1110 echo "$namerec" >> $UB_HOST_CONF
1115 echo >> $UB_HOST_CONF
1120 if [ -n "$UB_LIST_NETW_WAN" -a "$UB_D_WAN_FQDN" -gt 0 ] ; then
1121 for ifsubnet in $UB_LIST_NETW_WAN ; do
1122 ifaddr=${ifsubnet#*@}
1124 ifname=${ifsubnet%@*}
1125 iffqdn="$ifname.$hostfqdn"
1128 if [ "$UB_D_WAN_FQDN" -eq 4 ] ; then
1129 names="$iffqdn $hostfqdn $UB_TXT_HOSTNAME"
1130 ptrrec=" local-data-ptr: \"$ifaddr 300 $iffqdn\""
1131 echo "$ptrrec" >> $UB_HOST_CONF
1133 elif [ "$UB_D_WAN_FQDN" -eq 3 ] ; then
1134 names="$hostfqdn $UB_TXT_HOSTNAME"
1135 ptrrec=" local-data-ptr: \"$ifaddr 300 $hostfqdn\""
1136 echo "$ptrrec" >> $UB_HOST_CONF
1139 names="$UB_TXT_HOSTNAME"
1140 ptrrec=" local-data-ptr: \"$ifaddr 300 $UB_TXT_HOSTNAME\""
1141 echo "$ptrrec" >> $UB_HOST_CONF
1145 for name in $names ; do
1148 # IP6 ULA only is assigned for OPTION 1
1149 namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
1150 echo "$namerec" >> $UB_HOST_CONF
1154 namerec=" local-data: \"$name. 300 IN A $ifaddr\""
1155 echo "$namerec" >> $UB_HOST_CONF
1159 if [ "$UB_D_WAN_FQDN" -gt 1 ] ; then
1160 # IP6 GLA is assigned for higher options
1161 namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
1162 echo "$namerec" >> $UB_HOST_CONF
1167 echo >> $UB_HOST_CONF
1170 fi # end if uci valid
1173 ##############################################################################
1177 local dnsmasqpath hostnm
1179 hostnm=$( uci_get system.@system[0].hostname | awk '{print tolower($0)}' )
1180 UB_TXT_HOSTNAME=${hostnm:-thisrouter}
1182 config_get_bool UB_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0
1183 config_get_bool UB_B_DNS64 "$cfg" dns64 0
1184 config_get_bool UB_B_EXT_STATS "$cfg" extended_stats 0
1185 config_get_bool UB_B_HIDE_BIND "$cfg" hide_binddata 1
1186 config_get_bool UB_B_LOCL_SERV "$cfg" localservice 1
1187 config_get_bool UB_B_MAN_CONF "$cfg" manual_conf 0
1188 config_get_bool UB_B_QUERY_MIN "$cfg" query_minimize 0
1189 config_get_bool UB_B_QRY_MINST "$cfg" query_min_strict 0
1190 config_get_bool UB_B_AUTH_ROOT "$cfg" prefetch_root 0
1191 config_get_bool UB_B_LOCL_BLCK "$cfg" rebind_localhost 0
1192 config_get_bool UB_B_DNSSEC "$cfg" validator 0
1193 config_get_bool UB_B_NTP_BOOT "$cfg" validator_ntp 1
1195 config_get UB_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96"
1197 config_get UB_N_EDNS_SIZE "$cfg" edns_size 1280
1198 config_get UB_N_RX_PORT "$cfg" listen_port 53
1199 config_get UB_N_ROOT_AGE "$cfg" root_age 9
1201 config_get UB_D_CONTROL "$cfg" unbound_control 0
1202 config_get UB_D_DOMAIN_TYPE "$cfg" domain_type static
1203 config_get UB_D_DHCP_LINK "$cfg" dhcp_link none
1204 config_get UB_D_EXTRA_DNS "$cfg" add_extra_dns 0
1205 config_get UB_D_LAN_FQDN "$cfg" add_local_fqdn 0
1206 config_get UB_D_PRIV_BLCK "$cfg" rebind_protection 1
1207 config_get UB_D_PROTOCOL "$cfg" protocol mixed
1208 config_get UB_D_RECURSION "$cfg" recursion passive
1209 config_get UB_D_RESOURCE "$cfg" resource small
1210 config_get UB_D_VERBOSE "$cfg" verbosity 1
1211 config_get UB_D_WAN_FQDN "$cfg" add_wan_fqdn 0
1213 config_get UB_TTL_MIN "$cfg" ttl_min 120
1214 config_get UB_TXT_DOMAIN "$cfg" domain lan
1216 config_list_foreach "$cfg" domain_insecure bundle_domain_insecure
1219 if [ "$UB_D_DHCP_LINK" = "none" ] ; then
1220 config_get_bool UB_B_DNSMASQ "$cfg" dnsmasq_link_dns 0
1223 if [ "$UB_B_DNSMASQ" -gt 0 ] ; then
1224 UB_D_DHCP_LINK=dnsmasq
1227 if [ "$UB_B_READY" -eq 0 ] ; then
1228 logger -t unbound -s "Please use 'dhcp_link' selector instead"
1234 if [ "$UB_D_DHCP_LINK" = "dnsmasq" ] ; then
1235 if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then
1238 /etc/init.d/dnsmasq enabled || UB_D_DHCP_LINK=none
1242 if [ "$UB_B_READY" -eq 0 -a "$UB_D_DHCP_LINK" = "none" ] ; then
1243 logger -t unbound -s "cannot forward to dnsmasq"
1248 if [ "$UB_D_DHCP_LINK" = "odhcpd" ] ; then
1249 if [ ! -x /usr/sbin/odhcpd -o ! -x /etc/init.d/odhcpd ] ; then
1252 /etc/init.d/odhcpd enabled || UB_D_DHCP_LINK=none
1256 if [ "$UB_B_READY" -eq 0 -a "$UB_D_DHCP_LINK" = "none" ] ; then
1257 logger -t unbound -s "cannot receive records from odhcpd"
1262 if [ "$UB_N_EDNS_SIZE" -lt 512 \
1263 -o 4096 -lt "$UB_N_EDNS_SIZE" ] ; then
1264 logger -t unbound -s "edns_size exceeds range, using default"
1269 if [ "$UB_N_RX_PORT" -ne 53 \
1270 -a \( "$UB_N_RX_PORT" -lt 1024 -o 10240 -lt "$UB_N_RX_PORT" \) ] ; then
1271 logger -t unbound -s "privileged port or in 5 digits, using default"
1276 if [ "$UB_TTL_MIN" -gt 1800 ] ; then
1277 logger -t unbound -s "ttl_min could have had awful side effects, using 300"
1282 ##############################################################################
1286 local adb_files=$( ls $UB_VARDIR/adb_list.* 2>/dev/null )
1288 echo "# $UB_TOTAL_CONF generated by UCI $( date -Is )" > $UB_TOTAL_CONF
1291 if [ -f "$UB_CORE_CONF" ] ; then
1292 # Yes this all looks busy, but it is in TMPFS. Working on separate files
1293 # and piecing together is easier. UCI order is less constrained.
1294 cat $UB_CORE_CONF >> $UB_TOTAL_CONF
1299 if [ -f "$UB_HOST_CONF" ] ; then
1300 # UCI definitions of local host or local subnet
1301 cat $UB_HOST_CONF >> $UB_TOTAL_CONF
1306 if [ -f $UB_SRVMASQ_CONF ] ; then
1307 # UCI found link to dnsmasq
1308 cat $UB_SRVMASQ_CONF >> $UB_TOTAL_CONF
1313 if [ -f "$UB_DHCP_CONF" ] ; then
1315 # Seed DHCP records because dhcp scripts trigger externally
1316 # Incremental Unbound restarts may drop unbound-control records
1317 echo "include: $UB_DHCP_CONF"
1323 if [ -z "$adb_files" \
1324 -o ! -x /usr/bin/adblock.sh -o ! -x /etc/init.d/adblock ] ; then
1327 elif /etc/init.d/adblock enabled ; then
1330 # Pull in your selected openwrt/pacakges/net/adblock generated lists
1331 echo "include: $UB_VARDIR/adb_list.*"
1340 if [ -f $UB_SRV_CONF ] ; then
1342 # Pull your own "server:" options here
1343 echo "include: $UB_SRV_CONF"
1349 if [ -f "$UB_ZONE_CONF" ] ; then
1350 # UCI defined forward, stub, and auth zones
1351 cat $UB_ZONE_CONF >> $UB_TOTAL_CONF
1356 if [ -f "$UB_CTRL_CONF" ] ; then
1357 # UCI defined control application connection
1358 cat $UB_CTRL_CONF >> $UB_TOTAL_CONF
1363 if [ -f "$UB_EXTMASQ_CONF" ] ; then
1364 # UCI found link to dnsmasq
1365 cat $UB_EXTMASQ_CONF >> $UB_TOTAL_CONF
1370 if [ -f "$UB_EXT_CONF" ] ; then
1372 # Pull your own extend feature clauses here
1373 echo "include: $UB_EXT_CONF"
1379 ##############################################################################
1382 if [ "$UB_N_RX_PORT" != "53" ] ; then
1385 elif [ -x /etc/init.d/dnsmasq ] \
1386 && /etc/init.d/dnsmasq enabled \
1387 && nslookup localhost 127.0.0.1#53 >/dev/null 2>&1 ; then
1388 # unbound is configured for port 53, but dnsmasq is enabled and a resolver
1389 # listens on localhost:53, lets assume dnsmasq manages the resolver file.
1391 # really check if dnsmasq runs a local (main) resolver in stead of using
1392 # nslookup that times out when no resolver listens on localhost:53.
1397 # unbound is designated to listen on 127.0.0.1#53,
1398 # set resolver file to local.
1399 rm -f /tmp/resolv.conf
1402 echo "# /tmp/resolv.conf generated by Unbound UCI $( date -Is )"
1403 echo "nameserver 127.0.0.1"
1404 echo "nameserver ::1"
1405 echo "search $UB_TXT_DOMAIN."
1406 } > /tmp/resolv.conf
1409 ##############################################################################
1413 config_foreach unbound_uci unbound
1417 if [ "$UB_B_MAN_CONF" -eq 0 ] ; then
1418 # iterate zones before we load other UCI
1419 # forward-zone: auth-zone: and stub-zone:
1420 config_foreach unbound_zone zone
1421 # associate potential DNS RR with interfaces
1423 config_foreach bundle_all_networks interface
1425 config_foreach bundle_lan_networks dhcp
1442 ##############################################################################