+#!/bin/sh
+##############################################################################
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# Copyright (C) 2016 Eric Luehrsen
+#
+##############################################################################
+#
+# Unbound is a full featured recursive server with many options. The UCI
+# provided tries to simplify and bundle options. This should make Unbound
+# easier to deploy. Even light duty routers may resolve recursively instead of
+# depending on a stub with the ISP. The UCI also attempts to replicate dnsmasq
+# features as used in base LEDE/OpenWrt. If there is a desire for more
+# detailed tuning, then manual conf file overrides are also made available.
+#
+##############################################################################
+
+UB_B_SLAAC6_MAC=0
+UB_B_DNSSEC=0
+UB_B_DNS64=0
+UB_B_EXT_STATS=0
+UB_B_GATE_NAME=0
+UB_B_HIDE_BIND=1
+UB_B_LOCL_BLCK=0
+UB_B_LOCL_SERV=1
+UB_B_MAN_CONF=0
+UB_B_NTP_BOOT=1
+UB_B_QUERY_MIN=0
+UB_B_QRY_MINST=0
+UB_B_AUTH_ROOT=0
+
+UB_D_CONTROL=0
+UB_D_DOMAIN_TYPE=static
+UB_D_DHCP_LINK=none
+UB_D_EXTRA_DNS=0
+UB_D_LAN_FQDN=0
+UB_D_PRIV_BLCK=1
+UB_D_PROTOCOL=mixed
+UB_D_RESOURCE=small
+UB_D_RECURSION=passive
+UB_D_VERBOSE=1
+UB_D_WAN_FQDN=0
+
+UB_IP_DNS64="64:ff9b::/96"
+
+UB_N_EDNS_SIZE=1280
+UB_N_RX_PORT=53
+UB_N_ROOT_AGE=9
+
+UB_TTL_MIN=120
+UB_TXT_DOMAIN=lan
+UB_TXT_HOSTNAME=thisrouter
+
+##############################################################################
+
+# reset as a combo with UB_B_NTP_BOOT and some time stamp files
+UB_B_READY=1
+
+# keep track of assignments during inserted resource records
+UB_LIST_NETW_ALL=""
+UB_LIST_NETW_LAN=""
+UB_LIST_NETW_WAN=""
+UB_LIST_INSECURE=""
+UB_LIST_ZONE_SERVERS=""
+UB_LIST_ZONE_NAMES=""
+
+##############################################################################
+
+. /lib/functions.sh
+. /lib/functions/network.sh
+
+. /usr/lib/unbound/defaults.sh
+. /usr/lib/unbound/dnsmasq.sh
+. /usr/lib/unbound/iptools.sh
+
+##############################################################################
+
+bundle_all_networks() {
+ local cfg="$1"
+ local ifname ifdashname validip
+ local subnet subnets subnets4 subnets6
+
+ network_get_subnets subnets4 "$cfg"
+ network_get_subnets6 subnets6 "$cfg"
+ network_get_device ifname "$cfg"
+
+ ifdashname="${ifname//./-}"
+ subnets="$subnets4 $subnets6"
+
+
+ if [ -n "$subnets" ] ; then
+ for subnet in $subnets ; do
+ validip=$( valid_subnet_any $subnet )
+
+
+ if [ "$validip" = "ok" ] ; then
+ UB_LIST_NETW_ALL="$UB_LIST_NETW_ALL $ifdashname@$subnet"
+ fi
+ done
+ fi
+}
+
+##############################################################################
+
+bundle_lan_networks() {
+ local cfg="$1"
+ local ifsubnet ifname ifdashname ignore
+
+ config_get_bool ignore "$cfg" ignore 0
+ network_get_device ifname "$cfg"
+ ifdashname="${ifname//./-}"
+
+
+ if [ "$ignore" -eq 0 -a -n "$ifdashname" -a -n "$UB_LIST_NETW_ALL" ] ; then
+ for ifsubnet in $UB_LIST_NETW_ALL ; do
+ case $ifsubnet in
+ "${ifdashname}"@*)
+ # Special GLA protection for local block; ULA protected as a catagory
+ UB_LIST_NETW_LAN="$UB_LIST_NETW_LAN $ifsubnet"
+ ;;
+ esac
+ done
+ fi
+}
+
+##############################################################################
+
+bundle_wan_networks() {
+ local ifsubnet
+
+
+ if [ -n "$UB_LIST_NETW_ALL" ] ; then
+ for ifsubnet in $UB_LIST_NETW_ALL ; do
+ case $UB_LIST_NETW_LAN in
+ *"${ifsubnet}"*)
+ # If LAN, then not WAN ...
+ ;;
+
+ *)
+ UB_LIST_NETW_WAN="$UB_LIST_NETW_WAN $ifsubnet"
+ ;;
+ esac
+ done
+ fi
+}
+
+##############################################################################
+
+bundle_resolv_conf_servers() {
+ local resolvers=$( awk '/nameserver/ { print $2 }' /tmp/resolv.conf.auto )
+ UB_LIST_ZONE_SERVERS="$UB_LIST_ZONE_SERVERS $resolvers"
+}
+
+##############################################################################
+
+bundle_zone_names() {
+ UB_LIST_ZONE_NAMES="$UB_LIST_ZONE_NAMES $1"
+}
+
+##############################################################################
+
+bundle_zone_servers() {
+ UB_LIST_ZONE_SERVERS="$UB_LIST_ZONE_SERVERS $1"
+}
+
+##############################################################################
+
+bundle_domain_insecure() {
+ UB_LIST_INSECURE="$UB_LIST_INSECURE $1"
+}
+
+##############################################################################
+
+unbound_mkdir() {
+ local filestuff
+
+
+ if [ "$UB_D_DHCP_LINK" = "odhcpd" ] ; then
+ local dhcp_origin=$( uci_get dhcp.@odhcpd[0].leasefile )
+ local dhcp_dir=$( dirname $dhcp_origin )
+
+
+ if [ ! -d "$dhcp_dir" ] ; then
+ # make sure odhcpd has a directory to write (not done itself, yet)
+ mkdir -p "$dhcp_dir"
+ fi
+ fi
+
+
+ if [ -f $UB_RKEY_FILE ] ; then
+ filestuff=$( cat $UB_RKEY_FILE )
+
+
+ case "$filestuff" in
+ *"state=2 [ VALID ]"*)
+ # Lets not lose RFC 5011 tracking if we don't have to
+ cp -p $UB_RKEY_FILE $UB_RKEY_FILE.keep
+ ;;
+ esac
+ fi
+
+
+ # Blind copy /etc/unbound to /var/lib/unbound
+ mkdir -p $UB_VARDIR
+ rm -f $UB_VARDIR/dhcp_*
+ touch $UB_TOTAL_CONF
+ cp -p /etc/unbound/* $UB_VARDIR/
+
+
+ if [ ! -f $UB_RHINT_FILE ] ; then
+ if [ -f /usr/share/dns/root.hints ] ; then
+ # Debian-like package dns-root-data
+ cp -p /usr/share/dns/root.hints $UB_RHINT_FILE
+
+ elif [ "$UB_B_READY" -eq 0 ] ; then
+ logger -t unbound -s "default root hints (built in root-servers.net)"
+ fi
+ fi
+
+
+ if [ ! -f $UB_RKEY_FILE ] ; then
+ if [ -f /usr/share/dns/root.key ] ; then
+ # Debian-like package dns-root-data
+ cp -p /usr/share/dns/root.key $UB_RKEY_FILE
+
+ elif [ -x $UB_ANCHOR ] ; then
+ $UB_ANCHOR -a $UB_RKEY_FILE
+
+ elif [ "$UB_B_READY" -eq 0 ] ; then
+ logger -t unbound -s "default trust anchor (built in root DS record)"
+ fi
+ fi
+
+
+ if [ -f $UB_RKEY_FILE.keep ] ; then
+ # root.key.keep is reused if newest
+ cp -u $UB_RKEY_FILE.keep $UB_RKEY_FILE
+ rm -f $UB_RKEY_FILE.keep
+ fi
+
+
+ if [ -f $UB_TLS_ETC_FILE ] ; then
+ # copy the cert bundle into jail
+ cp -p $UB_TLS_ETC_FILE $UB_TLS_FWD_FILE
+ fi
+
+
+ # Ensure access and prepare to jail
+ chown -R unbound:unbound $UB_VARDIR
+ chmod 755 $UB_VARDIR
+ chmod 644 $UB_VARDIR/*
+
+
+ if [ -f $UB_CTLKEY_FILE -o -f $UB_CTLPEM_FILE \
+ -o -f $UB_SRVKEY_FILE -o -f $UB_SRVPEM_FILE ] ; then
+ # Keys (some) exist already; do not create new ones
+ chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
+ $UB_SRVKEY_FILE $UB_SRVPEM_FILE
+
+ elif [ -x /usr/sbin/unbound-control-setup ] ; then
+ case "$UB_D_CONTROL" in
+ [2-3])
+ # unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static"
+ /usr/sbin/unbound-control-setup -d $UB_VARDIR
+
+ chown -R unbound:unbound $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
+ $UB_SRVKEY_FILE $UB_SRVPEM_FILE
+
+ chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
+ $UB_SRVKEY_FILE $UB_SRVPEM_FILE
+
+ cp -p $UB_CTLKEY_FILE /etc/unbound/unbound_control.key
+ cp -p $UB_CTLPEM_FILE /etc/unbound/unbound_control.pem
+ cp -p $UB_SRVKEY_FILE /etc/unbound/unbound_server.key
+ cp -p $UB_SRVPEM_FILE /etc/unbound/unbound_server.pem
+ ;;
+ esac
+ fi
+
+
+ if [ -f "$UB_TIME_FILE" ] ; then
+ # NTP is done so its like you actually had an RTC
+ UB_B_READY=1
+ UB_B_NTP_BOOT=0
+
+ elif [ "$UB_B_NTP_BOOT" -eq 0 ] ; then
+ # time is considered okay on this device (ignore /etc/hotplug/ntpd/unbound)
+ date -Is > $UB_TIME_FILE
+ UB_B_READY=0
+ UB_B_NTP_BOOT=0
+
+ else
+ # DNSSEC-TIME will not reconcile
+ UB_B_READY=0
+ UB_B_NTP_BOOT=1
+ fi
+}
+
+##############################################################################
+
+unbound_control() {
+ echo "# $UB_CTRL_CONF generated by UCI $( date -Is )" > $UB_CTRL_CONF
+
+
+ if [ "$UB_D_CONTROL" -gt 1 ] ; then
+ if [ ! -f $UB_CTLKEY_FILE -o ! -f $UB_CTLPEM_FILE \
+ -o ! -f $UB_SRVKEY_FILE -o ! -f $UB_SRVPEM_FILE ] ; then
+ # Key files need to be present; if unbound-control-setup was found, then
+ # they might have been made during unbound_makedir() above.
+ UB_D_CONTROL=0
+ fi
+ fi
+
+
+ case "$UB_D_CONTROL" in
+ 1)
+ {
+ # Local Host Only Unencrypted Remote Control
+ echo "remote-control:"
+ echo " control-enable: yes"
+ echo " control-use-cert: no"
+ echo " control-interface: 127.0.0.1"
+ echo " control-interface: ::1"
+ echo
+ } >> $UB_CTRL_CONF
+ ;;
+
+ 2)
+ {
+ # Local Host Only Encrypted Remote Control
+ echo "remote-control:"
+ echo " control-enable: yes"
+ echo " control-use-cert: yes"
+ echo " control-interface: 127.0.0.1"
+ echo " control-interface: ::1"
+ echo " server-key-file: $UB_SRVKEY_FILE"
+ echo " server-cert-file: $UB_SRVPEM_FILE"
+ echo " control-key-file: $UB_CTLKEY_FILE"
+ echo " control-cert-file: $UB_CTLPEM_FILE"
+ echo
+ } >> $UB_CTRL_CONF
+ ;;
+
+ [3-4])
+ {
+ # Network Encrypted Remote Control
+ # (3) may auto setup and (4) must have static key/pem files
+ # TODO: add UCI list for interfaces to bind
+ echo "remote-control:"
+ echo " control-enable: yes"
+ echo " control-use-cert: yes"
+ echo " control-interface: 0.0.0.0"
+ echo " control-interface: ::0"
+ echo " server-key-file: $UB_SRVKEY_FILE"
+ echo " server-cert-file: $UB_SRVPEM_FILE"
+ echo " control-key-file: $UB_CTLKEY_FILE"
+ echo " control-cert-file: $UB_CTLPEM_FILE"
+ echo
+ } >> $UB_CTRL_CONF
+ ;;
+ esac
+}
+
+##############################################################################
+
+unbound_zone() {
+ local cfg=$1
+ local servers_ip=""
+ local servers_host=""
+ local zone_sym zone_name zone_type zone_enabled zone_file
+ local tls_upstream fallback
+ local server port tls_port tls_index tls_suffix url_dir
+
+ if [ ! -f "$UB_ZONE_CONF" ] ; then
+ echo "# $UB_ZONE_CONF generated by UCI $( date -Is )" > $UB_ZONE_CONF
+ fi
+
+
+ config_get_bool zone_enabled "$cfg" enabled 0
+
+
+ if [ "$zone_enabled" -eq 1 ] ; then
+ # these lists are built for each zone; empty to start
+ UB_LIST_ZONE_NAMES=""
+ UB_LIST_ZONE_SERVERS=""
+
+ config_get zone_type "$cfg" zone_type ""
+ config_get port "$cfg" port ""
+ config_get tls_index "$cfg" tls_index ""
+ config_get tls_port "$cfg" tls_port 853
+ config_get url_dir "$cfg" url_dir ""
+
+ config_get_bool resolv_conf "$cfg" resolv_conf 0
+ config_get_bool fallback "$cfg" fallback 1
+ config_get_bool tls_upstream "$cfg" tls_upstream 0
+
+ config_list_foreach "$cfg" zone_name bundle_zone_names
+ config_list_foreach "$cfg" server bundle_zone_servers
+
+ # string formating for Unbound syntax
+ tls_suffix="${tls_port:+@${tls_port}${tls_index:+#${tls_index}}}"
+ [ "$fallback" -eq 0 ] && fallback=no || fallback=yes
+ [ "$tls_upstream" -eq 0 ] && tls_upstream=no || tls_upstream=yes
+
+
+ if [ $resolv_conf -eq 1 ] ; then
+ bundle_resolv_conf_servers
+ fi
+
+ else
+ zone_type=skip
+ fi
+
+
+ case $zone_type in
+ auth_zone)
+ if [ -n "$UB_LIST_ZONE_NAMES" \
+ -a \( -n "$url_dir" -o -n "$UB_LIST_ZONE_SERVERS" \) ] ; then
+ for zone_name in $UB_LIST_ZONE_NAMES ; do
+ if [ "$zone_name" = "." ] ; then
+ zone_sym=.
+ zone_name=root
+ zone_file=root.zone
+ else
+ zone_sym=$zone_name
+ zone_file=$zone_name.zone
+ zone_file=${zone_file//../.}
+ fi
+
+
+ {
+ # generate an auth-zone: with switches for prefetch cache
+ echo "auth-zone:"
+ echo " name: $zone_sym"
+ for server in $UB_LIST_ZONE_SERVERS ; do
+ echo " master: $server${port:+@${port}}"
+ done
+ if [ -n "$url_dir" ] ; then
+ echo " url: $url_dir$zone_file"
+ fi
+ echo " fallback-enabled: $fallback"
+ echo " for-downstream: no"
+ echo " for-upstream: yes"
+ echo " zonefile: $zone_file"
+ echo
+ } >> $UB_ZONE_CONF
+ done
+ fi
+ ;;
+
+ forward_zone)
+ if [ ! -f $UB_TLS_FWD_FILE -a "$tls_upstream" = "yes" ] ; then
+ logger -p 4 -t unbound -s \
+ "Forward-zone TLS benefits from authentication in package 'ca-bundle'"
+ fi
+
+
+ if [ -n "$UB_LIST_ZONE_NAMES" -a -n "$UB_LIST_ZONE_SERVERS" ] ; then
+ for server in $UB_LIST_ZONE_SERVERS ; do
+ if [ "$( valid_subnet_any $server )" = "not" ] ; then
+ case $server in
+ *@[0-9]*)
+ # unique Unbound option for server host name
+ servers_host="$servers_host $server"
+ ;;
+
+ *)
+ if [ "$tls_upstream" = "yes" ] ; then
+ servers_host="$servers_host $server${tls_port:+@${tls_port}}"
+ else
+ servers_host="$servers_host $server${port:+@${port}}"
+ fi
+ esac
+
+ else
+ case $server in
+ *[0-9]@[0-9]*)
+ # unique Unbound option for server address
+ servers_ip="$servers_ip $server"
+ ;;
+
+ *)
+ if [ "$tls_upstream" = "yes" ] ; then
+ servers_ip="$servers_ip $server$tls_suffix"
+ else
+ servers_ip="$servers_ip $server${port:+@${port}}"
+ fi
+ esac
+ fi
+ done
+
+
+ for zonename in $UB_LIST_ZONE_NAMES ; do
+ {
+ # generate a forward-zone with or without tls
+ echo "forward-zone:"
+ echo " name: $zonename"
+ for server in $servers_host ; do
+ echo " forward-host: $server"
+ done
+ for server in $servers_ip ; do
+ echo " forward-addr: $server"
+ done
+ echo " forward-first: $fallback"
+ echo " forward-tls-upstream: $tls_upstream"
+ echo
+ } >> $UB_ZONE_CONF
+ done
+ fi
+ ;;
+
+ stub_zone)
+ if [ -n "$UB_LIST_ZONE_NAMES" -a -n "$UB_LIST_ZONE_SERVERS" ] ; then
+ for zonename in $UB_LIST_ZONE_NAMES ; do
+ {
+ # generate a stub-zone: or ensure short cut to authority NS
+ echo "stub-zone:"
+ echo " name: $zonename"
+ for server in $UB_LIST_ZONE_SERVERS ; do
+ echo " stub-addr: $server${port:+@${port}}"
+ done
+ echo " stub-first: $fallback"
+ echo
+ } >> $UB_ZONE_CONF
+ done
+ fi
+ ;;
+ esac
+}
+
+##############################################################################
+
+unbound_conf() {
+ local rt_mem rt_conn rt_buff modulestring domain ifsubnet nsubnet
+
+ {
+ # server: for this whole function
+ echo "# $UB_CORE_CONF generated by UCI $( date -Is )"
+ echo "server:"
+ echo " username: unbound"
+ echo " chroot: $UB_VARDIR"
+ echo " directory: $UB_VARDIR"
+ echo " pidfile: $UB_PIDFILE"
+ } > $UB_CORE_CONF
+
+
+ if [ -f "$UB_TLS_FWD_FILE" ] ; then
+ # TLS cert bundle for upstream forwarder and https zone files
+ # This is loaded before drop to root, so pull from /etc/ssl
+ echo " tls-cert-bundle: $UB_TLS_FWD_FILE" >> $UB_CORE_CONF
+ fi
+
+
+ if [ -f "$UB_RHINT_FILE" ] ; then
+ # Optional hints if found
+ echo " root-hints: $UB_RHINT_FILE" >> $UB_CORE_CONF
+ fi
+
+
+ if [ "$UB_B_DNSSEC" -gt 0 -a -f "$UB_RKEY_FILE" ] ; then
+ {
+ echo " auto-trust-anchor-file: $UB_RKEY_FILE"
+ echo
+ } >> $UB_CORE_CONF
+
+ else
+ echo >> $UB_CORE_CONF
+ fi
+
+
+ {
+ # No threading
+ echo " num-threads: 1"
+ echo " msg-cache-slabs: 1"
+ echo " rrset-cache-slabs: 1"
+ echo " infra-cache-slabs: 1"
+ echo " key-cache-slabs: 1"
+ echo
+ # Logging
+ echo " use-syslog: yes"
+ echo " statistics-interval: 0"
+ echo " statistics-cumulative: no"
+ } >> $UB_CORE_CONF
+
+
+ if [ "$UB_D_VERBOSE" -ge 0 -a "$UB_D_VERBOSE" -le 5 ] ; then
+ echo " verbosity: $UB_D_VERBOSE" >> $UB_CORE_CONF
+ fi
+
+
+ if [ "$UB_B_EXT_STATS" -gt 0 ] ; then
+ {
+ # Log More
+ echo " extended-statistics: yes"
+ echo
+ } >> $UB_CORE_CONF
+
+ else
+ {
+ # Log Less
+ echo " extended-statistics: no"
+ echo
+ } >> $UB_CORE_CONF
+ fi
+
+
+ case "$UB_D_PROTOCOL" in
+ ip4_only)
+ {
+ echo " edns-buffer-size: $UB_N_EDNS_SIZE"
+ echo " port: $UB_N_RX_PORT"
+ echo " outgoing-port-permit: 10240-65535"
+ echo " interface: 0.0.0.0"
+ echo " interface: ::0"
+ echo " outgoing-interface: 0.0.0.0"
+ echo " do-ip4: yes"
+ echo " do-ip6: no"
+ echo
+ } >> $UB_CORE_CONF
+ ;;
+
+ ip6_only)
+ {
+ echo " edns-buffer-size: $UB_N_EDNS_SIZE"
+ echo " port: $UB_N_RX_PORT"
+ echo " outgoing-port-permit: 10240-65535"
+ echo " interface: 0.0.0.0"
+ echo " interface: ::0"
+ echo " outgoing-interface: ::0"
+ echo " do-ip4: no"
+ echo " do-ip6: yes"
+ echo
+ } >> $UB_CORE_CONF
+ ;;
+
+ ip6_prefer)
+ {
+ echo " edns-buffer-size: $UB_N_EDNS_SIZE"
+ echo " port: $UB_N_RX_PORT"
+ echo " outgoing-port-permit: 10240-65535"
+ echo " interface: 0.0.0.0"
+ echo " interface: ::0"
+ echo " outgoing-interface: 0.0.0.0"
+ echo " outgoing-interface: ::0"
+ echo " do-ip4: yes"
+ echo " do-ip6: yes"
+ echo " prefer-ip6: yes"
+ echo
+ } >> $UB_CORE_CONF
+ ;;
+
+ mixed)
+ {
+ # Interface Wildcard (access contol handled by "option local_service")
+ echo " edns-buffer-size: $UB_N_EDNS_SIZE"
+ echo " port: $UB_N_RX_PORT"
+ echo " outgoing-port-permit: 10240-65535"
+ echo " interface: 0.0.0.0"
+ echo " interface: ::0"
+ echo " outgoing-interface: 0.0.0.0"
+ echo " outgoing-interface: ::0"
+ echo " do-ip4: yes"
+ echo " do-ip6: yes"
+ echo
+ } >> $UB_CORE_CONF
+ ;;
+
+ *)
+ if [ "$UB_B_READY" -eq 0 ] ; then
+ logger -t unbound -s "default protocol configuration"
+ fi
+
+
+ {
+ # outgoing-interface has useful defaults; incoming is localhost though
+ echo " edns-buffer-size: $UB_N_EDNS_SIZE"
+ echo " port: $UB_N_RX_PORT"
+ echo " outgoing-port-permit: 10240-65535"
+ echo " interface: 0.0.0.0"
+ echo " interface: ::0"
+ echo
+ } >> $UB_CORE_CONF
+ ;;
+ esac
+
+
+ {
+ # Other harding and options for an embedded router
+ echo " harden-short-bufsize: yes"
+ echo " harden-large-queries: yes"
+ echo " harden-glue: yes"
+ echo " harden-below-nxdomain: no"
+ echo " harden-referral-path: no"
+ echo " use-caps-for-id: no"
+ echo
+ } >> $UB_CORE_CONF
+
+
+ case "$UB_D_RESOURCE" in
+ # Tiny - Unbound's recommended cheap hardware config
+ tiny) rt_mem=1 ; rt_conn=2 ; rt_buff=1 ;;
+ # Small - Half RRCACHE and open ports
+ small) rt_mem=8 ; rt_conn=10 ; rt_buff=2 ;;
+ # Medium - Nearly default but with some added balancintg
+ medium) rt_mem=16 ; rt_conn=20 ; rt_buff=4 ;;
+ # Large - Double medium
+ large) rt_mem=32 ; rt_conn=40 ; rt_buff=4 ;;
+ # Whatever unbound does
+ *) rt_mem=0 ; rt_conn=0 ;;
+ esac
+
+
+ if [ "$rt_mem" -gt 0 ] ; then
+ {
+ # Set memory sizing parameters
+ echo " msg-buffer-size: $(($rt_buff*8192))"
+ echo " outgoing-range: $(($rt_conn*64))"
+ echo " num-queries-per-thread: $(($rt_conn*32))"
+ echo " outgoing-num-tcp: $(($rt_conn))"
+ echo " incoming-num-tcp: $(($rt_conn))"
+ echo " rrset-cache-size: $(($rt_mem*256))k"
+ echo " msg-cache-size: $(($rt_mem*128))k"
+ echo " key-cache-size: $(($rt_mem*128))k"
+ echo " neg-cache-size: $(($rt_mem*64))k"
+ echo " infra-cache-numhosts: $(($rt_mem*256))"
+ echo
+ } >> $UB_CORE_CONF
+
+ elif [ "$UB_B_READY" -eq 0 ] ; then
+ logger -t unbound -s "default memory configuration"
+ fi
+
+
+ # Assembly of module-config: options is tricky; order matters
+ modulestring="iterator"
+
+
+ if [ "$UB_B_DNSSEC" -gt 0 ] ; then
+ if [ "$UB_B_NTP_BOOT" -gt 0 ] ; then
+ # DNSSEC chicken and egg with getting NTP time
+ echo " val-override-date: -1" >> $UB_CORE_CONF
+ fi
+
+
+ {
+ echo " harden-dnssec-stripped: yes"
+ echo " val-clean-additional: yes"
+ echo " ignore-cd-flag: yes"
+ } >> $UB_CORE_CONF
+
+
+ modulestring="validator $modulestring"
+ fi
+
+
+ if [ "$UB_B_DNS64" -gt 0 ] ; then
+ echo " dns64-prefix: $UB_IP_DNS64" >> $UB_CORE_CONF
+
+ modulestring="dns64 $modulestring"
+ fi
+
+
+ {
+ # Print final module string
+ echo " module-config: \"$modulestring\""
+ echo
+ } >> $UB_CORE_CONF
+
+
+ case "$UB_D_RECURSION" in
+ passive)
+ {
+ # Some query privacy but "strict" will break some servers
+ if [ "$UB_B_QRY_MINST" -gt 0 \
+ -a "$UB_B_QUERY_MIN" -gt 0 ] ; then
+ echo " qname-minimisation: yes"
+ echo " qname-minimisation-strict: yes"
+ elif [ "$UB_B_QUERY_MIN" -gt 0 ] ; then
+ echo " qname-minimisation: yes"
+ else
+ echo " qname-minimisation: no"
+ fi
+ # Use DNSSEC to quickly understand NXDOMAIN ranges
+ if [ "$UB_B_DNSSEC" -gt 0 ] ; then
+ echo " aggressive-nsec: yes"
+ echo " prefetch-key: no"
+ fi
+ # On demand fetching
+ echo " prefetch: no"
+ echo " target-fetch-policy: \"0 0 0 0 0\""
+ echo
+ } >> $UB_CORE_CONF
+ ;;
+
+ aggressive)
+ {
+ # Some query privacy but "strict" will break some servers
+ if [ "$UB_B_QRY_MINST" -gt 0 \
+ -a "$UB_B_QUERY_MIN" -gt 0 ] ; then
+ echo " qname-minimisation: yes"
+ echo " qname-minimisation-strict: yes"
+ elif [ "$UB_B_QUERY_MIN" -gt 0 ] ; then
+ echo " qname-minimisation: yes"
+ else
+ echo " qname-minimisation: no"
+ fi
+ # Use DNSSEC to quickly understand NXDOMAIN ranges
+ if [ "$UB_B_DNSSEC" -gt 0 ] ; then
+ echo " aggressive-nsec: yes"
+ echo " prefetch-key: yes"
+ fi
+ # Prefetch what can be
+ echo " prefetch: yes"
+ echo " target-fetch-policy: \"3 2 1 0 0\""
+ echo
+ } >> $UB_CORE_CONF
+ ;;
+
+ *)
+ if [ "$UB_B_READY" -eq 0 ] ; then
+ logger -t unbound -s "default recursion configuration"
+ fi
+ ;;
+ esac
+
+
+ {
+ # Reload records more than 20 hours old
+ # DNSSEC 5 minute bogus cool down before retry
+ # Adaptive infrastructure info kept for 15 minutes
+ echo " cache-min-ttl: $UB_TTL_MIN"
+ echo " cache-max-ttl: 72000"
+ echo " val-bogus-ttl: 300"
+ echo " infra-host-ttl: 900"
+ echo
+ } >> $UB_CORE_CONF
+
+
+ if [ "$UB_B_HIDE_BIND" -gt 0 ] ; then
+ {
+ # Block server id and version DNS TXT records
+ echo " hide-identity: yes"
+ echo " hide-version: yes"
+ echo
+ } >> $UB_CORE_CONF
+ fi
+
+
+ if [ "$UB_D_PRIV_BLCK" -gt 0 ] ; then
+ {
+ # Remove _upstream_ or global reponses with private addresses.
+ # Unbounds own "local zone" and "forward zone" may still use these.
+ # RFC1918, RFC3927, RFC4291, RFC6598, RFC6890
+ echo " private-address: 10.0.0.0/8"
+ echo " private-address: 100.64.0.0/10"
+ echo " private-address: 169.254.0.0/16"
+ echo " private-address: 172.16.0.0/12"
+ echo " private-address: 192.168.0.0/16"
+ echo " private-address: fc00::/7"
+ echo " private-address: fe80::/10"
+ echo
+ } >> $UB_CORE_CONF
+ fi
+
+
+ if [ -n "$UB_LIST_NETW_LAN" -a "$UB_D_PRIV_BLCK" -gt 1 ] ; then
+ {
+ for ifsubnet in $UB_LIST_NETW_LAN ; do
+ case $ifsubnet in
+ *@[1-9][0-9a-f][0-9a-f][0-9a-f]:*:[0-9a-f]*)
+ # Remove global DNS responses with your local network IP6 GLA
+ echo " private-address: ${ifsubnet#*@}"
+ ;;
+ esac
+ done
+ echo
+ } >> $UB_CORE_CONF
+ fi
+
+
+ if [ "$UB_B_LOCL_BLCK" -gt 0 ] ; then
+ {
+ # Remove DNS reponses from upstream with loopback IP
+ # Black hole DNS method for ad blocking, so consider...
+ echo " private-address: 127.0.0.0/8"
+ echo " private-address: ::1/128"
+ echo
+ } >> $UB_CORE_CONF
+ fi
+
+
+ if [ -n "$UB_LIST_INSECURE" ] ; then
+ {
+ for domain in $UB_LIST_INSECURE ; do
+ # Except and accept domains without (DNSSEC); work around broken domains
+ echo " domain-insecure: $domain"
+ done
+ echo
+ } >> $UB_CORE_CONF
+ fi
+
+
+ if [ "$UB_B_LOCL_SERV" -gt 0 -a -n "$UB_LIST_NETW_ALL" ] ; then
+ {
+ for ifsubnet in $UB_LIST_NETW_ALL ; do
+ # Only respond to queries from subnets which have an interface.
+ # Prevent DNS amplification attacks by not responding to the universe.
+ echo " access-control: ${ifsubnet#*@} allow"
+ done
+ echo " access-control: 127.0.0.0/8 allow"
+ echo " access-control: ::1/128 allow"
+ echo " access-control: fe80::/10 allow"
+ echo
+ } >> $UB_CORE_CONF
+
+ else
+ {
+ echo " access-control: 0.0.0.0/0 allow"
+ echo " access-control: ::0/0 allow"
+ echo
+ } >> $UB_CORE_CONF
+ fi
+}
+
+##############################################################################
+
+unbound_hostname() {
+ local ifsubnet ifarpa ifaddr ifname iffqdn
+ local ulaprefix hostfqdn name names namerec ptrrec
+ local zonetype=0
+
+ echo "# $UB_HOST_CONF generated by UCI $( date -Is )" > $UB_HOST_CONF
+
+
+ if [ "$UB_D_DHCP_LINK" = "dnsmasq" ] ; then
+ {
+ echo "# Local zone is handled by dnsmasq"
+ echo
+ } >> $UB_HOST_CONF
+
+ elif [ -n "$UB_TXT_DOMAIN" \
+ -a \( "$UB_D_WAN_FQDN" -gt 0 -o "$UB_D_LAN_FQDN" -gt 0 \) ] ; then
+ case "$UB_D_DOMAIN_TYPE" in
+ deny|inform_deny|refuse|static)
+ {
+ # type static means only this router has your domain
+ echo " domain-insecure: $UB_TXT_DOMAIN"
+ echo " private-domain: $UB_TXT_DOMAIN"
+ echo " local-zone: $UB_TXT_DOMAIN $UB_D_DOMAIN_TYPE"
+ echo " local-data: \"$UB_TXT_DOMAIN. $UB_XSOA\""
+ echo " local-data: \"$UB_TXT_DOMAIN. $UB_XNS\""
+ echo " local-data: '$UB_TXT_DOMAIN. $UB_XTXT'"
+ echo
+ # avoid upstream involvement in RFC6762
+ echo " domain-insecure: local"
+ echo " private-domain: local"
+ echo " local-zone: local $UB_D_DOMAIN_TYPE"
+ echo " local-data: \"local. $UB_XSOA\""
+ echo " local-data: \"local. $UB_XNS\""
+ echo " local-data: 'local. $UB_LTXT'"
+ echo
+ } >> $UB_HOST_CONF
+ zonetype=2
+ ;;
+
+ transparent|typetransparent)
+ {
+ # transparent will permit forward-zone: or stub-zone: clauses
+ echo " private-domain: $UB_TXT_DOMAIN"
+ echo " local-zone: $UB_TXT_DOMAIN $UB_D_DOMAIN_TYPE"
+ echo
+ } >> $UB_HOST_CONF
+ zonetype=1
+ ;;
+ esac
+
+
+ {
+ # Hostname as TLD works, but not transparent through recursion (singular)
+ echo " domain-insecure: $UB_TXT_HOSTNAME"
+ echo " private-domain: $UB_TXT_HOSTNAME"
+ echo " local-zone: $UB_TXT_HOSTNAME static"
+ echo " local-data: \"$UB_TXT_HOSTNAME. $UB_XSOA\""
+ echo " local-data: \"$UB_TXT_HOSTNAME. $UB_XNS\""
+ echo " local-data: '$UB_TXT_HOSTNAME. $UB_XTXT'"
+ echo
+ } >> $UB_HOST_CONF
+
+
+ if [ -n "$UB_LIST_NETW_WAN" ] ; then
+ for ifsubnet in $UB_LIST_NETW_WAN ; do
+ ifaddr=${ifsubnet#*@}
+ ifaddr=${ifaddr%/*}
+ ifarpa=$( host_ptr_any "$ifaddr" )
+
+
+ if [ -n "$ifarpa" ] ; then
+ if [ "$UB_D_WAN_FQDN" -gt 0 ] ; then
+ {
+ # Create a static zone for WAN host record only (singular)
+ echo " domain-insecure: $ifarpa"
+ echo " private-address: $ifaddr"
+ echo " local-zone: $ifarpa static"
+ echo " local-data: \"$ifarpa. $UB_XSOA\""
+ echo " local-data: \"$ifarpa. $UB_XNS\""
+ echo " local-data: '$ifarpa. $UB_MTXT'"
+ echo
+ } >> $UB_HOST_CONF
+
+ elif [ "$zonetype" -gt 0 ] ; then
+ {
+ echo " local-zone: $ifarpa transparent"
+ echo
+ } >> $UB_HOST_CONF
+ fi
+ fi
+ done
+ fi
+
+
+ if [ -n "$UB_LIST_NETW_LAN" ] ; then
+ for ifsubnet in $UB_LIST_NETW_LAN ; do
+ ifarpa=$( domain_ptr_any "${ifsubnet#*@}" )
+
+
+ if [ -n "$ifarpa" ] ; then
+ if [ "$zonetype" -eq 2 ] ; then
+ {
+ # Do NOT forward queries with your ip6.arpa or in-addr.arpa
+ echo " domain-insecure: $ifarpa"
+ echo " local-zone: $ifarpa static"
+ echo " local-data: \"$ifarpa. $UB_XSOA\""
+ echo " local-data: \"$ifarpa. $UB_XNS\""
+ echo " local-data: '$ifarpa. $UB_XTXT'"
+ echo
+ } >> $UB_HOST_CONF
+
+ elif [ "$zonetype" -eq 1 -a "$UB_D_PRIV_BLCK" -eq 0 ] ; then
+ {
+ echo " local-zone: $ifarpa transparent"
+ echo
+ } >> $UB_HOST_CONF
+ fi
+ fi
+ done
+ fi
+
+
+ ulaprefix=$( uci_get network.@globals[0].ula_prefix )
+ ulaprefix=${ulaprefix%%:/*}
+ hostfqdn="$UB_TXT_HOSTNAME.$UB_TXT_DOMAIN"
+
+
+ if [ -z "$ulaprefix" ] ; then
+ # Nonsense so this option isn't globbed below
+ ulaprefix="fdno:such:addr::"
+ fi
+
+
+ if [ "$UB_LIST_NETW_LAN" -a "$UB_D_LAN_FQDN" -gt 0 ] ; then
+ for ifsubnet in $UB_LIST_NETW_LAN ; do
+ ifaddr=${ifsubnet#*@}
+ ifaddr=${ifaddr%/*}
+ ifname=${ifsubnet%@*}
+ iffqdn="$ifname.$hostfqdn"
+
+
+ if [ "$UB_D_LAN_FQDN" -eq 4 ] ; then
+ names="$iffqdn $hostfqdn $UB_TXT_HOSTNAME"
+ ptrrec=" local-data-ptr: \"$ifaddr 300 $iffqdn\""
+ echo "$ptrrec" >> $UB_HOST_CONF
+
+ elif [ "$UB_D_LAN_FQDN" -eq 3 ] ; then
+ names="$hostfqdn $UB_TXT_HOSTNAME"
+ ptrrec=" local-data-ptr: \"$ifaddr 300 $hostfqdn\""
+ echo "$ptrrec" >> $UB_HOST_CONF
+
+ else
+ names="$UB_TXT_HOSTNAME"
+ ptrrec=" local-data-ptr: \"$ifaddr 300 $UB_TXT_HOSTNAME\""
+ echo "$ptrrec" >> $UB_HOST_CONF
+ fi
+
+
+ for name in $names ; do
+ case $ifaddr in
+ "${ulaprefix}"*)
+ # IP6 ULA only is assigned for OPTION 1
+ namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
+ echo "$namerec" >> $UB_HOST_CONF
+ ;;
+
+ [1-9]*.*[0-9])
+ namerec=" local-data: \"$name. 300 IN A $ifaddr\""
+ echo "$namerec" >> $UB_HOST_CONF
+ ;;
+
+ *)
+ if [ "$UB_D_LAN_FQDN" -gt 1 ] ; then
+ # IP6 GLA is assigned for higher options
+ namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
+ echo "$namerec" >> $UB_HOST_CONF
+ fi
+ ;;
+ esac
+ done
+ echo >> $UB_HOST_CONF
+ done
+ fi
+
+
+ if [ -n "$UB_LIST_NETW_WAN" -a "$UB_D_WAN_FQDN" -gt 0 ] ; then
+ for ifsubnet in $UB_LIST_NETW_WAN ; do
+ ifaddr=${ifsubnet#*@}
+ ifaddr=${ifaddr%/*}
+ ifname=${ifsubnet%@*}
+ iffqdn="$ifname.$hostfqdn"
+
+
+ if [ "$UB_D_WAN_FQDN" -eq 4 ] ; then
+ names="$iffqdn $hostfqdn $UB_TXT_HOSTNAME"
+ ptrrec=" local-data-ptr: \"$ifaddr 300 $iffqdn\""
+ echo "$ptrrec" >> $UB_HOST_CONF
+
+ elif [ "$UB_D_WAN_FQDN" -eq 3 ] ; then
+ names="$hostfqdn $UB_TXT_HOSTNAME"
+ ptrrec=" local-data-ptr: \"$ifaddr 300 $hostfqdn\""
+ echo "$ptrrec" >> $UB_HOST_CONF
+
+ else
+ names="$UB_TXT_HOSTNAME"
+ ptrrec=" local-data-ptr: \"$ifaddr 300 $UB_TXT_HOSTNAME\""
+ echo "$ptrrec" >> $UB_HOST_CONF
+ fi
+
+
+ for name in $names ; do
+ case $ifaddr in
+ "${ulaprefix}"*)
+ # IP6 ULA only is assigned for OPTION 1
+ namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
+ echo "$namerec" >> $UB_HOST_CONF
+ ;;
+
+ [1-9]*.*[0-9])
+ namerec=" local-data: \"$name. 300 IN A $ifaddr\""
+ echo "$namerec" >> $UB_HOST_CONF
+ ;;
+
+ *)
+ if [ "$UB_D_WAN_FQDN" -gt 1 ] ; then
+ # IP6 GLA is assigned for higher options
+ namerec=" local-data: \"$name. 300 IN AAAA $ifaddr\""
+ echo "$namerec" >> $UB_HOST_CONF
+ fi
+ ;;
+ esac
+ done
+ echo >> $UB_HOST_CONF
+ done
+ fi
+ fi # end if uci valid
+}
+
+##############################################################################
+
+unbound_uci() {
+ local cfg="$1"
+ local dnsmasqpath hostnm
+
+ hostnm=$( uci_get system.@system[0].hostname | awk '{print tolower($0)}' )
+ UB_TXT_HOSTNAME=${hostnm:-thisrouter}
+
+ config_get_bool UB_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0
+ config_get_bool UB_B_DNS64 "$cfg" dns64 0
+ config_get_bool UB_B_EXT_STATS "$cfg" extended_stats 0
+ config_get_bool UB_B_HIDE_BIND "$cfg" hide_binddata 1
+ config_get_bool UB_B_LOCL_SERV "$cfg" localservice 1
+ config_get_bool UB_B_MAN_CONF "$cfg" manual_conf 0
+ config_get_bool UB_B_QUERY_MIN "$cfg" query_minimize 0
+ config_get_bool UB_B_QRY_MINST "$cfg" query_min_strict 0
+ config_get_bool UB_B_AUTH_ROOT "$cfg" prefetch_root 0
+ config_get_bool UB_B_LOCL_BLCK "$cfg" rebind_localhost 0
+ config_get_bool UB_B_DNSSEC "$cfg" validator 0
+ config_get_bool UB_B_NTP_BOOT "$cfg" validator_ntp 1
+
+ config_get UB_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96"
+
+ config_get UB_N_EDNS_SIZE "$cfg" edns_size 1280
+ config_get UB_N_RX_PORT "$cfg" listen_port 53
+ config_get UB_N_ROOT_AGE "$cfg" root_age 9
+
+ config_get UB_D_CONTROL "$cfg" unbound_control 0
+ config_get UB_D_DOMAIN_TYPE "$cfg" domain_type static
+ config_get UB_D_DHCP_LINK "$cfg" dhcp_link none
+ config_get UB_D_EXTRA_DNS "$cfg" add_extra_dns 0
+ config_get UB_D_LAN_FQDN "$cfg" add_local_fqdn 0
+ config_get UB_D_PRIV_BLCK "$cfg" rebind_protection 1
+ config_get UB_D_PROTOCOL "$cfg" protocol mixed
+ config_get UB_D_RECURSION "$cfg" recursion passive
+ config_get UB_D_RESOURCE "$cfg" resource small
+ config_get UB_D_VERBOSE "$cfg" verbosity 1
+ config_get UB_D_WAN_FQDN "$cfg" add_wan_fqdn 0
+
+ config_get UB_TTL_MIN "$cfg" ttl_min 120
+ config_get UB_TXT_DOMAIN "$cfg" domain lan
+
+ config_list_foreach "$cfg" domain_insecure bundle_domain_insecure
+
+
+ if [ "$UB_D_DHCP_LINK" = "none" ] ; then
+ config_get_bool UB_B_DNSMASQ "$cfg" dnsmasq_link_dns 0
+
+
+ if [ "$UB_B_DNSMASQ" -gt 0 ] ; then
+ UB_D_DHCP_LINK=dnsmasq
+
+
+ if [ "$UB_B_READY" -eq 0 ] ; then
+ logger -t unbound -s "Please use 'dhcp_link' selector instead"
+ fi
+ fi
+ fi
+
+
+ if [ "$UB_D_DHCP_LINK" = "dnsmasq" ] ; then
+ if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then
+ UB_D_DHCP_LINK=none
+ else
+ /etc/init.d/dnsmasq enabled || UB_D_DHCP_LINK=none
+ fi
+
+
+ if [ "$UB_B_READY" -eq 0 -a "$UB_D_DHCP_LINK" = "none" ] ; then
+ logger -t unbound -s "cannot forward to dnsmasq"
+ fi
+ fi
+
+
+ if [ "$UB_D_DHCP_LINK" = "odhcpd" ] ; then
+ if [ ! -x /usr/sbin/odhcpd -o ! -x /etc/init.d/odhcpd ] ; then
+ UB_D_DHCP_LINK=none
+ else
+ /etc/init.d/odhcpd enabled || UB_D_DHCP_LINK=none
+ fi
+
+
+ if [ "$UB_B_READY" -eq 0 -a "$UB_D_DHCP_LINK" = "none" ] ; then
+ logger -t unbound -s "cannot receive records from odhcpd"
+ fi
+ fi
+
+
+ if [ "$UB_N_EDNS_SIZE" -lt 512 \
+ -o 4096 -lt "$UB_N_EDNS_SIZE" ] ; then
+ logger -t unbound -s "edns_size exceeds range, using default"
+ UB_N_EDNS_SIZE=1280
+ fi
+
+
+ if [ "$UB_N_RX_PORT" -ne 53 \
+ -a \( "$UB_N_RX_PORT" -lt 1024 -o 10240 -lt "$UB_N_RX_PORT" \) ] ; then
+ logger -t unbound -s "privileged port or in 5 digits, using default"
+ UB_N_RX_PORT=53
+ fi
+
+
+ if [ "$UB_TTL_MIN" -gt 1800 ] ; then
+ logger -t unbound -s "ttl_min could have had awful side effects, using 300"
+ UB_TTL_MIN=300
+ fi
+}
+
+##############################################################################
+
+unbound_include() {
+ local adb_enabled
+ local adb_files=$( ls $UB_VARDIR/adb_list.* 2>/dev/null )
+
+ echo "# $UB_TOTAL_CONF generated by UCI $( date -Is )" > $UB_TOTAL_CONF
+
+
+ if [ -f "$UB_CORE_CONF" ] ; then
+ # Yes this all looks busy, but it is in TMPFS. Working on separate files
+ # and piecing together is easier. UCI order is less constrained.
+ cat $UB_CORE_CONF >> $UB_TOTAL_CONF
+ rm $UB_CORE_CONF
+ fi
+
+
+ if [ -f "$UB_HOST_CONF" ] ; then
+ # UCI definitions of local host or local subnet
+ cat $UB_HOST_CONF >> $UB_TOTAL_CONF
+ rm $UB_HOST_CONF
+ fi
+
+
+ if [ -f $UB_SRVMASQ_CONF ] ; then
+ # UCI found link to dnsmasq
+ cat $UB_SRVMASQ_CONF >> $UB_TOTAL_CONF
+ rm $UB_SRVMASQ_CONF
+ fi
+
+
+ if [ -f "$UB_DHCP_CONF" ] ; then
+ {
+ # Seed DHCP records because dhcp scripts trigger externally
+ # Incremental Unbound restarts may drop unbound-control records
+ echo "include: $UB_DHCP_CONF"
+ echo
+ }>> $UB_TOTAL_CONF
+ fi
+
+
+ if [ -z "$adb_files" \
+ -o ! -x /usr/bin/adblock.sh -o ! -x /etc/init.d/adblock ] ; then
+ adb_enabled=0
+
+ elif /etc/init.d/adblock enabled ; then
+ adb_enabled=1
+ {
+ # Pull in your selected openwrt/pacakges/net/adblock generated lists
+ echo "include: $UB_VARDIR/adb_list.*"
+ echo
+ } >> $UB_TOTAL_CONF
+
+ else
+ adb_enabled=0
+ fi
+
+
+ if [ -f $UB_SRV_CONF ] ; then
+ {
+ # Pull your own "server:" options here
+ echo "include: $UB_SRV_CONF"
+ echo
+ }>> $UB_TOTAL_CONF
+ fi
+
+
+ if [ -f "$UB_ZONE_CONF" ] ; then
+ # UCI defined forward, stub, and auth zones
+ cat $UB_ZONE_CONF >> $UB_TOTAL_CONF
+ rm $UB_ZONE_CONF
+ fi
+
+
+ if [ -f "$UB_CTRL_CONF" ] ; then
+ # UCI defined control application connection
+ cat $UB_CTRL_CONF >> $UB_TOTAL_CONF
+ rm $UB_CTRL_CONF
+ fi
+
+
+ if [ -f "$UB_EXTMASQ_CONF" ] ; then
+ # UCI found link to dnsmasq
+ cat $UB_EXTMASQ_CONF >> $UB_TOTAL_CONF
+ rm $UB_EXTMASQ_CONF
+ fi
+
+
+ if [ -f "$UB_EXT_CONF" ] ; then
+ {
+ # Pull your own extend feature clauses here
+ echo "include: $UB_EXT_CONF"
+ echo
+ } >> $UB_TOTAL_CONF
+ fi
+}
+
+##############################################################################
+
+resolv_setup() {
+ if [ "$UB_N_RX_PORT" != "53" ] ; then
+ return
+
+ elif [ -x /etc/init.d/dnsmasq ] \
+ && /etc/init.d/dnsmasq enabled \
+ && nslookup localhost 127.0.0.1#53 >/dev/null 2>&1 ; then
+ # unbound is configured for port 53, but dnsmasq is enabled and a resolver
+ # listens on localhost:53, lets assume dnsmasq manages the resolver file.
+ # TODO:
+ # really check if dnsmasq runs a local (main) resolver in stead of using
+ # nslookup that times out when no resolver listens on localhost:53.
+ return
+ fi
+
+
+ # unbound is designated to listen on 127.0.0.1#53,
+ # set resolver file to local.
+ rm -f /tmp/resolv.conf
+
+ {
+ echo "# /tmp/resolv.conf generated by Unbound UCI $( date -Is )"
+ echo "nameserver 127.0.0.1"
+ echo "nameserver ::1"
+ echo "search $UB_TXT_DOMAIN."
+ } > /tmp/resolv.conf
+}
+
+##############################################################################
+
+unbound_start() {
+ config_load unbound
+ config_foreach unbound_uci unbound
+ unbound_mkdir
+
+
+ if [ "$UB_B_MAN_CONF" -eq 0 ] ; then
+ # iterate zones before we load other UCI
+ # forward-zone: auth-zone: and stub-zone:
+ config_foreach unbound_zone zone
+ # associate potential DNS RR with interfaces
+ config_load network
+ config_foreach bundle_all_networks interface
+ config_load dhcp
+ config_foreach bundle_lan_networks dhcp
+ bundle_wan_networks
+ # server:
+ unbound_conf
+ unbound_hostname
+ # control:
+ unbound_control
+ # dnsmasq
+ dnsmasq_link
+ # merge
+ unbound_include
+ fi
+
+
+ resolv_setup
+}
+
+##############################################################################
+