]> git.ipfire.org Git - ipfire-2.x.git/blob - src/initscripts/system/unbound
projects / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
unbound: Read configuration globally
[ipfire-2.x.git] / src / initscripts / system / unbound
1 #!/bin/sh
2 # Begin $rc_base/init.d/unbound
3
4 # Description : Unbound DNS resolver boot script for IPfire
5 # Author : Marcel Lorenz <marcel.lorenz@ipfire.org>
6
7 . /etc/sysconfig/rc
8 . ${rc_functions}
9
10 TEST_DOMAIN="ipfire.org"
11
12 # This domain will never validate
13 TEST_DOMAIN_FAIL="dnssec-failed.org"
14
15 # Cache any local zones for 60 seconds
16 LOCAL_TTL=60
17
18 # Load configuration
19 eval $(/usr/local/bin/readhash /var/ipfire/dns/settings)
20 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
21
22 ip_address_revptr() {
23 local addr=${1}
24
25 local a1 a2 a3 a4
26 IFS=. read -r a1 a2 a3 a4 <<< ${addr}
27
28 echo "${a4}.${a3}.${a2}.${a1}.in-addr.arpa"
29 }
30
31 read_name_servers() {
32 # Read name servers from ISP
33 if [ "${USE_ISP_NAMESERVERS}" = "on" -a "${PROTO}" != "TLS" ]; then
34 local i
35 for i in 1 2; do
36 echo "$(</var/run/dns${i})"
37 done 2>/dev/null
38 fi
39
40 # Read configured name servers
41 local id address tls_hostname enabled remark
42 while IFS="," read -r id address tls_hostname enabled remark; do
43 [ "${enabled}" != "enabled" ] && continue
44
45 if [ "${PROTO}" = "TLS" ]; then
46 if [ -n "${tls_hostname}" ]; then
47 echo "${address}@853#${tls_hostname}"
48 fi
49 else
50 echo "${address}"
51 fi
52 done < /var/ipfire/dns/servers
53 }
54
55 check_red_has_carrier_and_ip() {
56 # Interface configured ?
57 [ ! -e "/var/ipfire/red/iface" ] && return 0;
58
59 # Interface present ?
60 [ ! -e "/sys/class/net/$(</var/ipfire/red/iface)" ] && return 0;
61
62 # has carrier ?
63 [ ! "$(</sys/class/net/$(</var/ipfire/red/iface)/carrier)" = "1" ] && return 0;
64
65 # has ip ?
66 [ "$(ip address show dev $(</var/ipfire/red/iface) | grep "inet")" = "" ] && return 0;
67
68 return 1;
69 }
70
71 config_header() {
72 echo "# This file is automatically generated and any changes"
73 echo "# will be overwritten. DO NOT EDIT!"
74 echo
75 }
76
77 own_hostname() {
78 local hostname=$(hostname -f)
79 # 1.1.1.1 is reserved for unused green, skip this
80 if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
81 unbound-control -q local_data "${hostname} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}"
82 fi
83
84 local address
85 for address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
86 [ -n "${address}" ] || continue
87 [ "${address}" = "1.1.1.1" ] && continue
88
89 address=$(ip_address_revptr ${address})
90 unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${hostname}"
91 done
92 }
93
94 update_hosts() {
95 local enabled address hostname domainname generateptr
96
97 while IFS="," read -r enabled address hostname domainname generateptr; do
98 [ "${enabled}" = "on" ] || continue
99
100 # Build FQDN
101 local fqdn="${hostname}.${domainname}"
102
103 unbound-control -q local_data "${fqdn} ${LOCAL_TTL} IN A ${address}"
104
105 # Skip reverse resolution if the address equals the GREEN address
106 [ "${address}" = "${GREEN_ADDRESS}" ] && continue
107
108 # Skip reverse resolution if user requested not to do so
109 [ "${generateptr}" = "off" ] && continue
110
111 # Add RDNS
112 address=$(ip_address_revptr ${address})
113 unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${fqdn}"
114 done < /var/ipfire/main/hosts
115 }
116
117 write_forward_conf() {
118 (
119 config_header
120
121 # Force using TCP for upstream servers only
122 if [ "${PROTO}" = "TCP" ]; then
123 echo "# Force using TCP for upstream servers only"
124 echo "server:"
125 echo " tcp-upstream: yes"
126 echo
127 fi
128
129 local insecure_zones=""
130
131 local enabled zone server servers remark disable_dnssec rest
132 while IFS="," read -r enabled zone servers remark disable_dnssec rest; do
133 # Line must be enabled.
134 [ "${enabled}" = "on" ] || continue
135
136 # Zones that end with .local are commonly used for internal
137 # zones and therefore not signed
138 case "${zone}" in
139 *.local)
140 insecure_zones="${insecure_zones} ${zone}"
141 ;;
142 *)
143 if [ "${disable_dnssec}" = "on" ]; then
144 insecure_zones="${insecure_zones} ${zone}"
145 fi
146 ;;
147 esac
148
149 echo "stub-zone:"
150 echo " name: ${zone}"
151 for server in ${servers//|/ }; do
152 if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
153 echo " stub-addr: ${server}"
154 else
155 echo " stub-host: ${server}"
156 fi
157 done
158 echo
159
160 # Make all reverse lookup zones transparent
161 case "${zone}" in
162 *.in-addr.arpa)
163 echo "server:"
164 echo " local-zone: \"${zone}\" transparent"
165 echo
166 ;;
167 esac
168 done < /var/ipfire/dnsforward/config
169
170 if [ -n "${insecure_zones}" ]; then
171 echo "server:"
172
173 for zone in ${insecure_zones}; do
174 echo " domain-insecure: ${zone}"
175 done
176 fi
177
178 echo "forward-zone:"
179 echo " name: \".\""
180
181 # Force using TLS only
182 if [ "${PROTO}" = "TLS" ]; then
183 echo " forward-tls-upstream: yes"
184 fi
185
186 # Add upstream name servers
187 local ns
188 for ns in $(read_name_servers); do
189 echo " forward-addr: ${ns}"
190 done
191 ) > /etc/unbound/forward.conf
192 }
193
194 write_tuning_conf() {
195 # https://www.unbound.net/documentation/howto_optimise.html
196
197 # Determine number of online processors
198 local processors=$(getconf _NPROCESSORS_ONLN)
199
200 # Determine number of slabs
201 local slabs=1
202 while [ ${slabs} -lt ${processors} ]; do
203 slabs=$(( ${slabs} * 2 ))
204 done
205
206 # Determine amount of system memory
207 local mem=$(get_memory_amount)
208
209 # In the worst case scenario, unbound can use double the
210 # amount of memory allocated to a cache due to malloc overhead
211
212 # Even larger systems with more than 8GB of RAM
213 if [ ${mem} -ge 8192 ]; then
214 mem=1024
215
216 # Extra large systems with more than 4GB of RAM
217 elif [ ${mem} -ge 4096 ]; then
218 mem=512
219
220 # Large systems with more than 2GB of RAM
221 elif [ ${mem} -ge 2048 ]; then
222 mem=256
223
224 # Medium systems with more than 1GB of RAM
225 elif [ ${mem} -ge 1024 ]; then
226 mem=128
227
228 # Small systems with less than 256MB of RAM
229 elif [ ${mem} -le 256 ]; then
230 mem=16
231
232 # Everything else
233 else
234 mem=64
235 fi
236
237 (
238 config_header
239
240 # We run one thread per processor
241 echo "num-threads: ${processors}"
242 echo "so-reuseport: yes"
243
244 # Adjust number of slabs
245 echo "infra-cache-slabs: ${slabs}"
246 echo "key-cache-slabs: ${slabs}"
247 echo "msg-cache-slabs: ${slabs}"
248 echo "rrset-cache-slabs: ${slabs}"
249
250 # Slice up the cache
251 echo "rrset-cache-size: $(( ${mem} / 2 ))m"
252 echo "msg-cache-size: $(( ${mem} / 4 ))m"
253 echo "key-cache-size: $(( ${mem} / 4 ))m"
254
255 # Increase parallel queries
256 echo "outgoing-range: 8192"
257 echo "num-queries-per-thread: 4096"
258
259 # Use larger send/receive buffers
260 echo "so-sndbuf: 4m"
261 echo "so-rcvbuf: 4m"
262 ) > /etc/unbound/tuning.conf
263 }
264
265 get_memory_amount() {
266 local key val unit
267
268 while read -r key val unit; do
269 case "${key}" in
270 MemTotal:*)
271 # Convert to MB
272 echo "$(( ${val} / 1024 ))"
273 break
274 ;;
275 esac
276 done < /proc/meminfo
277 }
278
279 fix_time_if_dns_fail() {
280 # If DNS still not work try to init ntp with
281 # hardcoded ntp.ipfire.org (81.3.27.46)
282 check_red_has_carrier_and_ip
283 if [ -e "/var/ipfire/red/iface" -a "${?}" = "1" ]; then
284 host 0.ipfire.pool.ntp.org > /dev/null 2>&1
285 if [ "${?}" != "0" ]; then
286 boot_mesg "DNS still not functioning... Trying to sync time with ntp.ipfire.org (81.3.27.46)..."
287 loadproc /usr/local/bin/settime 81.3.27.46
288 fi
289 fi
290 }
291
292 resolve() {
293 local hostname="${1}"
294
295 local answer
296 for answer in $(dig +short A "${hostname}"); do
297 # Filter out non-IP addresses
298 if [[ ! "${answer}" =~ \.$ ]]; then
299 echo "${answer}"
300 fi
301 done
302 }
303
304 update_forwarders() {
305 # DO nothing when we do not use the ISP name servers
306 [ "${USE_ISP_NAMESERVERS}" != "on" ] && return 0
307
308 # Update unbound about the new servers
309 local nameservers=( $(read_name_servers) )
310 if [ -n "${nameservers[*]}" ]; then
311 unbound-control -q forward "${nameservers[@]}"
312 else
313 unbound-control -q forward off
314 fi
315 }
316
317 # Sets up Safe Search for various search engines
318 update_safe_search() {
319 local google_tlds=(
320 google.ad
321 google.ae
322 google.al
323 google.am
324 google.as
325 google.at
326 google.az
327 google.ba
328 google.be
329 google.bf
330 google.bg
331 google.bi
332 google.bj
333 google.bs
334 google.bt
335 google.by
336 google.ca
337 google.cat
338 google.cd
339 google.cf
340 google.cg
341 google.ch
342 google.ci
343 google.cl
344 google.cm
345 google.cn
346 google.co.ao
347 google.co.bw
348 google.co.ck
349 google.co.cr
350 google.co.id
351 google.co.il
352 google.co.in
353 google.co.jp
354 google.co.ke
355 google.co.kr
356 google.co.ls
357 google.com
358 google.co.ma
359 google.com.af
360 google.com.ag
361 google.com.ai
362 google.com.ar
363 google.com.au
364 google.com.bd
365 google.com.bh
366 google.com.bn
367 google.com.bo
368 google.com.br
369 google.com.bz
370 google.com.co
371 google.com.cu
372 google.com.cy
373 google.com.do
374 google.com.ec
375 google.com.eg
376 google.com.et
377 google.com.fj
378 google.com.gh
379 google.com.gi
380 google.com.gt
381 google.com.hk
382 google.com.jm
383 google.com.kh
384 google.com.kw
385 google.com.lb
386 google.com.ly
387 google.com.mm
388 google.com.mt
389 google.com.mx
390 google.com.my
391 google.com.na
392 google.com.nf
393 google.com.ng
394 google.com.ni
395 google.com.np
396 google.com.om
397 google.com.pa
398 google.com.pe
399 google.com.pg
400 google.com.ph
401 google.com.pk
402 google.com.pr
403 google.com.py
404 google.com.qa
405 google.com.sa
406 google.com.sb
407 google.com.sg
408 google.com.sl
409 google.com.sv
410 google.com.tj
411 google.com.tr
412 google.com.tw
413 google.com.ua
414 google.com.uy
415 google.com.vc
416 google.com.vn
417 google.co.mz
418 google.co.nz
419 google.co.th
420 google.co.tz
421 google.co.ug
422 google.co.uk
423 google.co.uz
424 google.co.ve
425 google.co.vi
426 google.co.za
427 google.co.zm
428 google.co.zw
429 google.cv
430 google.cz
431 google.de
432 google.dj
433 google.dk
434 google.dm
435 google.dz
436 google.ee
437 google.es
438 google.fi
439 google.fm
440 google.fr
441 google.ga
442 google.ge
443 google.gg
444 google.gl
445 google.gm
446 google.gp
447 google.gr
448 google.gy
449 google.hn
450 google.hr
451 google.ht
452 google.hu
453 google.ie
454 google.im
455 google.iq
456 google.is
457 google.it
458 google.je
459 google.jo
460 google.kg
461 google.ki
462 google.kz
463 google.la
464 google.li
465 google.lk
466 google.lt
467 google.lu
468 google.lv
469 google.md
470 google.me
471 google.mg
472 google.mk
473 google.ml
474 google.mn
475 google.ms
476 google.mu
477 google.mv
478 google.mw
479 google.ne
480 google.nl
481 google.no
482 google.nr
483 google.nu
484 google.pl
485 google.pn
486 google.ps
487 google.pt
488 google.ro
489 google.rs
490 google.ru
491 google.rw
492 google.sc
493 google.se
494 google.sh
495 google.si
496 google.sk
497 google.sm
498 google.sn
499 google.so
500 google.sr
501 google.st
502 google.td
503 google.tg
504 google.tk
505 google.tl
506 google.tm
507 google.tn
508 google.to
509 google.tt
510 google.vg
511 google.vu
512 google.ws
513 )
514
515 # Cleanup previous settings
516 unbound-control local_zone_remove "bing.com" >/dev/null
517 unbound-control local_zone_remove "duckduckgo.com" >/dev/null
518 unbound-control local_zone_remove "yandex.com" >/dev/null
519 unbound-control local_zone_remove "yandex.ru" >/dev/null
520 unbound-control local_zone_remove "youtube.com" >/dev/null
521
522 local domain
523 for domain in ${google_tlds[@]}; do
524 unbound-control local_zone_remove "${domain}"
525 done >/dev/null
526
527 # Nothing to do if safe search is not enabled
528 if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
529 return 0
530 fi
531
532 # Bing
533 unbound-control bing.com transparent >/dev/null
534 for address in $(resolve "strict.bing.com"); do
535 unbound-control local_data "www.bing.com ${LOCAL_TTL} IN A ${address}"
536 done >/dev/null
537
538 # DuckDuckGo
539 unbound-control local_zone duckduckgo.com typetransparent >/dev/null
540 for address in $(resolve "safe.duckduckgo.com"); do
541 unbound-control local_data "duckduckgo.com ${LOCAL_TTL} IN A ${address}"
542 done >/dev/null
543
544 # Google
545 local addresses="$(resolve "forcesafesearch.google.com")"
546 for domain in ${google_tlds[@]}; do
547 unbound-control local_zone "${domain}" transparent >/dev/null
548 for address in ${addresses}; do
549 unbound-control local_data: "www.${domain} ${LOCAL_TTL} IN A ${address}"
550 done >/dev/null
551 done
552
553 # Yandex
554 for domain in yandex.com yandex.ru; do
555 unbound-control local_zone "${domain}" typetransparent >/dev/null
556 for address in $(resolve "familysearch.${domain}"); do
557 unbound-control local_data "${domain} ${LOCAL_TTL} IN A ${address}"
558 done >/dev/null
559 done
560
561 # YouTube
562 unbound-control local_zone youtube.com transparent >/dev/null
563 for address in $(resolve "restrictmoderate.youtube.com"); do
564 unbound-control local_data "www.youtube.com ${LOCAL_TTL} IN A ${address}"
565 done >/dev/null
566
567 return 0
568 }
569
570 case "$1" in
571 start)
572 # Print a nicer messagen when unbound is already running
573 if pidofproc -s unbound; then
574 statusproc /usr/sbin/unbound
575 exit 0
576 fi
577
578 # Update configuration files
579 write_tuning_conf
580 write_forward_conf
581
582 boot_mesg "Starting Unbound DNS Proxy..."
583 loadproc /usr/sbin/unbound || exit $?
584
585 # Make own hostname resolveable
586 own_hostname
587
588 # Install Safe Search rules when the system is already online
589 if [ -e "/var/ipfire/red/active" ]; then
590 update_safe_search
591 fi
592
593 # Update hosts
594 update_hosts
595
596 fix_time_if_dns_fail
597 ;;
598
599 stop)
600 boot_mesg "Stopping Unbound DNS Proxy..."
601 killproc /usr/sbin/unbound
602 ;;
603
604 restart)
605 $0 stop
606 sleep 1
607 $0 start
608 ;;
609
610 status)
611 statusproc /usr/sbin/unbound
612 ;;
613
614 update-forwarders)
615 update_forwarders
616
617 # Update Safe Search settings
618 update_safe_search
619 ;;
620
621 remove-forwarders)
622 update_forwarders
623 ;;
624
625 resolve)
626 resolve "${2}"
627 ;;
628
629 update-safe-search)
630 update_safe_search
631 ;;
632
633 *)
634 echo "Usage: $0 {start|stop|restart|status|resolve|update-forwarders|remove-forwarders|update-safe-search}"
635 exit 1
636 ;;
637 esac
638
639 # End $rc_base/init.d/unbound
IPFire 2.x development tree