#!/bin/sh
# Begin $rc_base/init.d/unbound

# Description : Unbound DNS resolver boot script for IPfire
# Author : Marcel Lorenz <marcel.lorenz@ipfire.org>
#
# NOTE: the script relies on bash-only constructs (arrays, [[ ]],
# here strings, &>), so /bin/sh is expected to be bash on this system.

. /etc/sysconfig/rc
. ${rc_functions}

# Domain queried when probing upstream name servers
TEST_DOMAIN="ipfire.org"

# This domain will never validate
TEST_DOMAIN_FAIL="dnssec-failed.org"

# Defaults; each may be overridden by /etc/sysconfig/unbound below
INSECURE_ZONES=
USE_FORWARDERS=1
ENABLE_SAFE_SEARCH=off
FORCE_TCP=off
FORCE_TLS=off

# Cache any local zones for 60 seconds
LOCAL_TTL=60

# Load optional configuration
if [ -e "/etc/sysconfig/unbound" ]; then
	. /etc/sysconfig/unbound
fi

# Extra arguments handed to every dig invocation
DIG_ARGS=()
case "${FORCE_TCP}" in
	on)
		DIG_ARGS+=( "+tcp" )
		;;
esac
#######################################
# Builds the in-addr.arpa name for an IPv4 address.
# Arguments: $1 - dotted-quad IPv4 address
# Outputs:   reverse pointer name on stdout
#######################################
ip_address_revptr() {
	local address=${1}
	local first second third fourth

	# Split the dotted quad (bash does not word-split a here string)
	IFS=. read -r first second third fourth <<< "${address}"

	printf '%s\n' "${fourth}.${third}.${second}.${first}.in-addr.arpa"
}
#######################################
# Prints the upstream name servers stored in /var/ipfire/red/dns1 and
# /var/ipfire/red/dns2 on a single line, separated by spaces.
# Outputs:   name servers on stdout (empty when neither file exists)
#######################################
read_name_servers() {
	local file
	# A missing file only yields an empty line, which xargs collapses
	for file in /var/ipfire/red/dns1 /var/ipfire/red/dns2; do
		echo "$(<"${file}")"
	done 2>/dev/null | xargs echo
}
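#######################################
# Checks whether the RED interface is configured, present, has carrier
# and an address.
# NOTE: the status is inverted compared to the name:
# Returns:   1 when RED is up and has an address
#            0 in every other case (callers test for "${?}" = "1")
#######################################
check_red_has_carrier_and_ip() {
	local iface

	# Interface configured?
	[ -e "/var/ipfire/red/iface" ] || return 0
	iface=$(</var/ipfire/red/iface)
	[ -n "${iface}" ] || return 0

	# Interface present?
	[ -e "/sys/class/net/${iface}" ] || return 0

	# Has carrier? (the attribute cannot be read while the link is down)
	[ "$(cat "/sys/class/net/${iface}/carrier" 2>/dev/null)" = "1" ] || return 0

	# Has an address? ("inet" also matches inet6 lines, as before)
	ip address show dev "${iface}" 2>/dev/null | grep -q "inet" || return 0

	return 1
}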
#######################################
# Prints the "do not edit" banner that heads every generated config file.
# Outputs:   two comment lines followed by an empty line
#######################################
config_header() {
	cat <<'EOF'
# This file is automatically generated and any changes
# will be overwritten. DO NOT EDIT!

EOF
}
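#######################################
# Selects the usable upstream name servers and pushes them into unbound.
# Servers that pass the DNSSEC probes are used with validation on; if none
# do, recursor mode is tried, and as a last resort validation is switched
# to permissive mode and the broken servers are used anyway.
# Globals:   USE_FORWARDERS, WARNING, INFO, FAILURE (read)
# Outputs:   boot messages; writes /var/ipfire/red/dns
# Returns:   0
#######################################
update_forwarders() {
	local red_ready

	# check_red_has_carrier_and_ip returns 1 when RED is up and has an address
	check_red_has_carrier_and_ip
	red_ready=$?

	if [ "${USE_FORWARDERS}" = "1" ] && [ "${red_ready}" = "1" ]; then
		local forwarders
		local broken_forwarders

		local ns
		for ns in $(read_name_servers); do
			test_name_server "${ns}" &>/dev/null
			case "$?" in
				# Only use DNSSEC-validating or DNSSEC-aware name servers
				0|2)
					forwarders="${forwarders} ${ns}"
					;;
				*)
					broken_forwarders="${broken_forwarders} ${ns}"
					;;
			esac
		done

		# Show warning for any broken upstream name servers
		if [ -n "${broken_forwarders}" ]; then
			boot_mesg "Ignoring broken upstream name server(s): ${broken_forwarders:1}" ${WARNING}
			echo_warning
		fi

		if [ -n "${forwarders}" ]; then
			boot_mesg "Configuring upstream name server(s): ${forwarders:1}" ${INFO}
			echo_ok

			# Make sure DNSSEC is activated
			enable_dnssec

			echo "${forwarders}" > /var/ipfire/red/dns
			# Intentionally unquoted: one argument per server
			unbound-control -q forward ${forwarders}
			return 0

		# In case we have found no working forwarders
		else
			# Test if the recursor mode is available
			if can_resolve_root; then
				# Make sure DNSSEC is activated
				enable_dnssec

				boot_mesg "Falling back to recursor mode" ${WARNING}
				echo_warning

			# If not, we set DNSSEC in permissive mode and allow using all recursors
			elif [ -n "${broken_forwarders}" ]; then
				disable_dnssec

				boot_mesg "DNSSEC has been set to permissive mode" ${FAILURE}
				echo_failure

				echo "${broken_forwarders}" > /var/ipfire/red/dns
				unbound-control -q forward ${broken_forwarders}
				return 0
			fi
		fi
	fi

	# If forwarders cannot be used we run in recursor mode
	echo "local recursor" > /var/ipfire/red/dns
	unbound-control -q forward off
}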
#######################################
# Drops all upstream forwarders so unbound resolves recursively itself.
# Outputs:   writes /var/ipfire/red/dns
#######################################
remove_forwarders() {
	# Validation is switched back on before the forwarders go away
	enable_dnssec

	printf '%s\n' "local recursor" > /var/ipfire/red/dns
	unbound-control -q forward off
}
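#######################################
# Makes the firewall's own FQDN resolvable (A on GREEN, PTR for every
# configured internal address).
# Globals:   GREEN_ADDRESS, BLUE_ADDRESS, ORANGE_ADDRESS, LOCAL_TTL (read)
# Returns:   1 when the FQDN cannot be determined, 0 otherwise
#######################################
own_hostname() {
	local hostname
	local address

	# Declaration and assignment are separate so a failing hostname(1)
	# is noticed instead of registering an empty name
	if ! hostname=$(hostname -f) || [ -z "${hostname}" ]; then
		return 1
	fi

	# 1.1.1.1 is reserved for unused green, skip this
	if [ -n "${GREEN_ADDRESS}" ] && [ "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
		unbound-control -q local_data "${hostname} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}"
	fi

	for address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
		[ -n "${address}" ] || continue
		[ "${address}" = "1.1.1.1" ] && continue

		address=$(ip_address_revptr "${address}")
		unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${hostname}"
	done
}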
#######################################
# Registers every enabled entry of /var/ipfire/main/hosts with unbound
# (A record, plus a PTR record unless disabled or on the GREEN address).
# Globals:   GREEN_ADDRESS, LOCAL_TTL (read)
#######################################
update_hosts() {
	local enabled address hostname domainname generateptr
	local fqdn

	# One host per line: enabled,address,hostname,domainname,generateptr
	while IFS="," read -r enabled address hostname domainname generateptr; do
		if [ "${enabled}" != "on" ]; then
			continue
		fi

		# Build FQDN
		fqdn="${hostname}.${domainname}"

		unbound-control -q local_data "${fqdn} ${LOCAL_TTL} IN A ${address}"

		# Skip reverse resolution if the address equals the GREEN address
		if [ "${address}" = "${GREEN_ADDRESS}" ]; then
			continue
		fi

		# Skip reverse resolution if user requested not to do so
		if [ "${generateptr}" = "off" ]; then
			continue
		fi

		# Add RDNS
		address=$(ip_address_revptr "${address}")
		unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${fqdn}"
	done < /var/ipfire/main/hosts
}
#######################################
# Generates /etc/unbound/forward.conf from /var/ipfire/dnsforward/config.
# Each config line is "enabled,zone,servers,remark,disable_dnssec,rest";
# servers are separated by "|". Zone and server names are written to the
# unbound config verbatim (only the IPv4 pattern below is checked), so the
# dnsforward config is trusted input.
# Globals:   FORCE_TLS, FORCE_TCP, INSECURE_ZONES (read)
# Outputs:   (re)writes /etc/unbound/forward.conf
#######################################
write_forward_conf() {
	# Everything echoed inside the subshell ends up in the config file
	(
	config_header

	# Force using TLS for upstream servers only
	if [ "${FORCE_TLS}" = "on" ]; then
		echo "# Force using TLS for upstream servers only"
		echo "server:"
		echo " tls-upstream: yes"
		echo

	# Force using TCP for upstream servers only
	elif [ "${FORCE_TCP}" = "on" ]; then
		echo "# Force using TCP for upstream servers only"
		echo "server:"
		echo " tcp-upstream: yes"
		echo
	fi

	# Start with the zones configured as insecure by the administrator
	local insecure_zones="${INSECURE_ZONES}"

	# NOTE: the variable disable_dnssec shares its name with the
	# disable_dnssec function; the shell keeps the two namespaces apart
	local enabled zone server servers remark disable_dnssec rest
	while IFS="," read -r enabled zone servers remark disable_dnssec rest; do
		# Line must be enabled.
		[ "${enabled}" = "on" ] || continue

		# Zones that end with .local are commonly used for internal
		# zones and therefore not signed
		case "${zone}" in
			*.local)
				insecure_zones="${insecure_zones} ${zone}"
				;;
			*)
				if [ "${disable_dnssec}" = "on" ]; then
					insecure_zones="${insecure_zones} ${zone}"
				fi
				;;
		esac

		# Dotted quads become stub-addr, anything else a stub-host name
		echo "stub-zone:"
		echo " name: ${zone}"
		for server in ${servers//|/ }; do
			if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
				echo " stub-addr: ${server}"
			else
				echo " stub-host: ${server}"
			fi
		done
		echo

		# Make all reverse lookup zones transparent
		case "${zone}" in
			*.in-addr.arpa)
				echo "server:"
				echo " local-zone: \"${zone}\" transparent"
				echo
				;;
		esac
	done < /var/ipfire/dnsforward/config

	# Validation is switched off for the collected zones
	if [ -n "${insecure_zones}" ]; then
		echo "server:"

		for zone in ${insecure_zones}; do
			echo " domain-insecure: ${zone}"
		done
	fi
	) > /etc/unbound/forward.conf
}
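#######################################
# Generates /etc/unbound/tuning.conf sized to the machine's CPUs and RAM.
# See https://www.unbound.net/documentation/howto_optimise.html
# Outputs:   (re)writes /etc/unbound/tuning.conf
#######################################
write_tuning_conf() {
	local processors slabs mem cache

	# Determine number of online processors; fall back to one when
	# getconf does not return a number
	processors=$(getconf _NPROCESSORS_ONLN 2>/dev/null)
	case "${processors}" in
		''|*[!0-9]*)
			processors=1
			;;
	esac

	# Determine number of slabs: smallest power of two >= processors
	slabs=1
	while [ "${slabs}" -lt "${processors}" ]; do
		slabs=$(( slabs * 2 ))
	done

	# Determine amount of system memory (MB)
	mem=$(get_memory_amount)

	# In the worst case scenario, unbound can use double the
	# amount of memory allocated to a cache due to malloc overhead
	case "${mem}" in
		''|*[!0-9]*)
			# Unknown amount of memory: use the "everything else" size
			cache=64
			;;
		*)
			# Even larger systems with more than 8GB of RAM
			if [ "${mem}" -ge 8192 ]; then
				cache=1024

			# Extra large systems with more than 4GB of RAM
			elif [ "${mem}" -ge 4096 ]; then
				cache=512

			# Large systems with more than 2GB of RAM
			elif [ "${mem}" -ge 2048 ]; then
				cache=256

			# Medium systems with more than 1GB of RAM
			elif [ "${mem}" -ge 1024 ]; then
				cache=128

			# Small systems with up to 256MB of RAM
			elif [ "${mem}" -le 256 ]; then
				cache=16

			# Everything else
			else
				cache=64
			fi
			;;
	esac

	(
		config_header

		# We run one thread per processor
		echo "num-threads: ${processors}"
		echo "so-reuseport: yes"

		# Adjust number of slabs
		echo "infra-cache-slabs: ${slabs}"
		echo "key-cache-slabs: ${slabs}"
		echo "msg-cache-slabs: ${slabs}"
		echo "rrset-cache-slabs: ${slabs}"

		# Slice up the cache
		echo "rrset-cache-size: $(( cache / 2 ))m"
		echo "msg-cache-size: $(( cache / 4 ))m"
		echo "key-cache-size: $(( cache / 4 ))m"

		# Increase parallel queries
		echo "outgoing-range: 8192"
		echo "num-queries-per-thread: 4096"

		# Use larger send/receive buffers
		echo "so-sndbuf: 4m"
		echo "so-rcvbuf: 4m"
	) > /etc/unbound/tuning.conf
}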
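#######################################
# Prints the total system memory in whole megabytes.
# Arguments: $1 - meminfo file to read (optional, default /proc/meminfo)
# Outputs:   MemTotal converted from kB to MB on stdout
#######################################
get_memory_amount() {
	local meminfo=${1:-/proc/meminfo}
	local key val unit

	# MemTotal is given in kB; integer-divide down to MB
	while read -r key val unit; do
		case "${key}" in
			MemTotal:*)
				echo "$(( val / 1024 ))"
				return 0
				;;
		esac
	done < "${meminfo}"
}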
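#######################################
# Probes an upstream name server for DNSSEC support.
# Arguments: $1 - name server address
# Returns:
#   0 DNSSEC validating
#   1 Error: unreachable, etc.
#   2 DNSSEC aware
#   3 NOT DNSSEC-aware
#######################################
test_name_server() {
	local ns=${1}
	local rr errors

	# Exit when the server is not reachable
	ns_is_online "${ns}" || return 1

	# The server has to hand over DNSKEY, DS and RRSIG records
	for rr in DNSKEY DS RRSIG; do
		if ! ns_forwards_${rr} "${ns}"; then
			errors="${errors} ${rr}"
		fi
	done

	if [ -n "${errors}" ]; then
		echo >&2 "Unable to retrieve the following resource records from ${ns}: ${errors:1}"
		return 3
	fi

	if ns_is_validating "${ns}"; then
		# Return 0 if validating
		return 0
	else
		# Is DNSSEC-aware
		return 2
	fi
}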
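# Sends an A query to the nameserver w/o DNSSEC
# Arguments: $1 - name server address; further arguments go to dig
# Returns:   dig's status, i.e. 0 when the server sent any response
ns_is_online() {
	local ns=${1}
	shift

	dig "${DIG_ARGS[@]}" "@${ns}" +nodnssec A "${TEST_DOMAIN}" "$@" >/dev/null
}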
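# Resolving ${TEST_DOMAIN_FAIL} will fail if the nameserver is validating
# Arguments: $1 - name server address; further arguments go to dig
# Returns:   0 when the server answers SERVFAIL for the broken domain AND
#            sets the "ad" flag on a DNSSEC query, 1 otherwise
ns_is_validating() {
	local ns=${1}
	shift

	# A non-validating server hands out the bogus answer without complaint
	if ! dig "${DIG_ARGS[@]}" "@${ns}" A "${TEST_DOMAIN_FAIL}" "$@" | grep -q SERVFAIL; then
		return 1
	fi

	# Determine if NS replies with "ad" data flag if DNSSEC enabled.
	# The function's status is awk's: 0 only when a flags line carrying
	# "ad" was seen (no flags line at all no longer counts as validating).
	dig "${DIG_ARGS[@]}" "@${ns}" +dnssec SOA "${TEST_DOMAIN}" "$@" | awk 'BEGIN { s=1 } /^;; flags:/ { if (/ ad/) s=0; exit } END { exit s }'
}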
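# Checks if we can retrieve the DNSKEY for this domain.
# dig will print the SOA if nothing was found
# Arguments: $1 - name server address; further arguments go to dig
# Returns:   0 when no SOA appears in the answer, 1 otherwise
ns_forwards_DNSKEY() {
	local ns=${1}
	shift

	# "grep -qv SOA" would already succeed on dig's header lines, so the
	# presence of an SOA is tested explicitly
	if dig "${DIG_ARGS[@]}" "@${ns}" DNSKEY "${TEST_DOMAIN}" "$@" | grep -q SOA; then
		return 1
	fi
	return 0
}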
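# Checks if we can retrieve the DS record for this domain.
# dig will print the SOA if nothing was found
# Arguments: $1 - name server address; further arguments go to dig
# Returns:   0 when no SOA appears in the answer, 1 otherwise
ns_forwards_DS() {
	local ns=${1}
	shift

	# "grep -qv SOA" would already succeed on dig's header lines, so the
	# presence of an SOA is tested explicitly
	if dig "${DIG_ARGS[@]}" "@${ns}" DS "${TEST_DOMAIN}" "$@" | grep -q SOA; then
		return 1
	fi
	return 0
}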
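# Checks if the server returns signatures with a DNSSEC query.
# Arguments: $1 - name server address; further arguments go to dig
# Returns:   0 when an RRSIG appears in the answer, 1 otherwise
ns_forwards_RRSIG() {
	local ns=${1}
	shift

	dig "${DIG_ARGS[@]}" "@${ns}" +dnssec A "${TEST_DOMAIN}" "$@" | grep -q RRSIG
}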
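# Checks whether the name server answers over TCP.
# Arguments: $1 - name server address; further arguments go to dig
# Globals:   FORCE_TCP (read)
# Returns:   0 when TCP works (or is forced anyway), 1 otherwise
ns_supports_tcp() {
	local ns=${1}
	shift

	# If TCP is forced we know by now if the server responds to it
	if [ "${FORCE_TCP}" = "on" ]; then
		return 0
	fi

	dig "${DIG_ARGS[@]}" "@${ns}" +tcp A "${TEST_DOMAIN}" "$@" >/dev/null || return 1
}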
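#######################################
# Prints the IPv4 addresses of the root name servers from root.hints.
# Arguments: $1 - hints file (optional, default /etc/unbound/root.hints)
# Outputs:   one address per line (the A records of the file)
#######################################
get_root_nameservers() {
	local hints=${1:-/etc/unbound/root.hints}
	local hostname ttl record address

	# Each hints line is read as: name ttl type address
	while read -r hostname ttl record address; do
		# Searching for A records
		[ "${record}" = "A" ] || continue

		echo "${address}"
	done < "${hints}"
}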
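#######################################
# Checks whether at least one root name server answers a DNSSEC query.
# Returns:   0 when a root server replied, 1 when none did
#######################################
can_resolve_root() {
	local ns

	# Stop at the first root server that answers
	for ns in $(get_root_nameservers); do
		if dig "${DIG_ARGS[@]}" "@${ns}" +dnssec SOA . "$@" >/dev/null; then
			return 0
		fi
	done

	# none of the servers was reachable
	return 1
}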
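#######################################
# Switches DNSSEC validation on (val-permissive-mode: no) and records the
# state in /var/ipfire/red/dnssec-status.
# Returns:   0
#######################################
enable_dnssec() {
	local status

	# Declaration and assignment kept apart so the exit status is visible
	status=$(unbound-control get_option val-permissive-mode)

	# Log DNSSEC status
	echo "on" > /var/ipfire/red/dnssec-status

	# Don't do anything if DNSSEC is already activated
	[ "${status}" = "no" ] && return 0

	# Activate DNSSEC and flush cache with any stale and unvalidated data
	unbound-control -q set_option val-permissive-mode: no
	unbound-control -q flush_zone .
}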
#######################################
# Switches DNSSEC validation to permissive mode and records the state in
# /var/ipfire/red/dnssec-status.
#######################################
disable_dnssec() {
	# Log DNSSEC status
	printf '%s\n' "off" > /var/ipfire/red/dnssec-status

	# Bogus answers are passed through from now on
	unbound-control -q set_option val-permissive-mode: yes
}
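#######################################
# Syncs the clock against a fixed NTP address when DNS is still broken
# although RED is up (a wrong clock makes DNSSEC validation fail).
# Returns:   0 when nothing had to be done
#######################################
fix_time_if_dns_fail() {
	local red_ready

	# If DNS still not work try to init ntp with
	# hardcoded ntp.ipfire.org (81.3.27.46)
	check_red_has_carrier_and_ip
	red_ready=$?

	# check_red_has_carrier_and_ip returns 1 when RED is up and has an address
	if [ -e "/var/ipfire/red/iface" ] && [ "${red_ready}" = "1" ]; then
		if ! host 0.ipfire.pool.ntp.org > /dev/null 2>&1; then
			boot_mesg "DNS still not functioning... Trying to sync time with ntp.ipfire.org (81.3.27.46)..."
			loadproc /usr/local/bin/settime 81.3.27.46
		fi
	fi
}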
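#######################################
# Resolves a hostname to IPv4 addresses via the upstream name servers.
# Arguments: $1 - hostname to look up
# Outputs:   one IPv4 address per line; nothing when no server answered
#######################################
resolve() {
	local hostname="${1}"
	local ns answer
	local found=0

	for ns in $(read_name_servers); do
		for answer in $(dig "${DIG_ARGS[@]}" +short "@${ns}" A "${hostname}"); do
			# Only pass on dotted quads: +short also prints CNAME targets
			# and may print ";; ..." diagnostic text on errors
			if [[ "${answer}" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
				found=1
				echo "${answer}"
			fi
		done

		# End loop when we have got an address; otherwise try the next server
		[ ${found} -eq 1 ] && break
	done
}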
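#######################################
# Sets up Safe Search for various search engines by overriding their
# A records with the engines' "safe" endpoints.
# Globals:   ENABLE_SAFE_SEARCH, LOCAL_TTL (read)
# Returns:   0
#######################################
update_safe_search() {
	local google_tlds=(
		google.ad
		google.ae
		google.al
		google.am
		google.as
		google.at
		google.az
		google.ba
		google.be
		google.bf
		google.bg
		google.bi
		google.bj
		google.bs
		google.bt
		google.by
		google.ca
		google.cat
		google.cd
		google.cf
		google.cg
		google.ch
		google.ci
		google.cl
		google.cm
		google.cn
		google.co.ao
		google.co.bw
		google.co.ck
		google.co.cr
		google.co.id
		google.co.il
		google.co.in
		google.co.jp
		google.co.ke
		google.co.kr
		google.co.ls
		google.com
		google.co.ma
		google.com.af
		google.com.ag
		google.com.ai
		google.com.ar
		google.com.au
		google.com.bd
		google.com.bh
		google.com.bn
		google.com.bo
		google.com.br
		google.com.bz
		google.com.co
		google.com.cu
		google.com.cy
		google.com.do
		google.com.ec
		google.com.eg
		google.com.et
		google.com.fj
		google.com.gh
		google.com.gi
		google.com.gt
		google.com.hk
		google.com.jm
		google.com.kh
		google.com.kw
		google.com.lb
		google.com.ly
		google.com.mm
		google.com.mt
		google.com.mx
		google.com.my
		google.com.na
		google.com.nf
		google.com.ng
		google.com.ni
		google.com.np
		google.com.om
		google.com.pa
		google.com.pe
		google.com.pg
		google.com.ph
		google.com.pk
		google.com.pr
		google.com.py
		google.com.qa
		google.com.sa
		google.com.sb
		google.com.sg
		google.com.sl
		google.com.sv
		google.com.tj
		google.com.tr
		google.com.tw
		google.com.ua
		google.com.uy
		google.com.vc
		google.com.vn
		google.co.mz
		google.co.nz
		google.co.th
		google.co.tz
		google.co.ug
		google.co.uk
		google.co.uz
		google.co.ve
		google.co.vi
		google.co.za
		google.co.zm
		google.co.zw
		google.cv
		google.cz
		google.de
		google.dj
		google.dk
		google.dm
		google.dz
		google.ee
		google.es
		google.fi
		google.fm
		google.fr
		google.ga
		google.ge
		google.gg
		google.gl
		google.gm
		google.gp
		google.gr
		google.gy
		google.hn
		google.hr
		google.ht
		google.hu
		google.ie
		google.im
		google.iq
		google.is
		google.it
		google.je
		google.jo
		google.kg
		google.ki
		google.kz
		google.la
		google.li
		google.lk
		google.lt
		google.lu
		google.lv
		google.md
		google.me
		google.mg
		google.mk
		google.ml
		google.mn
		google.ms
		google.mu
		google.mv
		google.mw
		google.ne
		google.nl
		google.no
		google.nr
		google.nu
		google.pl
		google.pn
		google.ps
		google.pt
		google.ro
		google.rs
		google.ru
		google.rw
		google.sc
		google.se
		google.sh
		google.si
		google.sk
		google.sm
		google.sn
		google.so
		google.sr
		google.st
		google.td
		google.tg
		google.tk
		google.tl
		google.tm
		google.tn
		google.to
		google.tt
		google.vg
		google.vu
		google.ws
	)
	local domain address addresses

	# Cleanup previous settings
	unbound-control local_zone_remove "bing.com" >/dev/null
	unbound-control local_zone_remove "duckduckgo.com" >/dev/null
	unbound-control local_zone_remove "yandex.com" >/dev/null
	unbound-control local_zone_remove "yandex.ru" >/dev/null
	unbound-control local_zone_remove "youtube.com" >/dev/null

	for domain in "${google_tlds[@]}"; do
		unbound-control local_zone_remove "${domain}"
	done >/dev/null

	# Nothing to do if safe search is not enabled
	if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
		return 0
	fi

	# Bing: the zone has to be created with local_zone, like the others
	unbound-control local_zone bing.com transparent >/dev/null
	for address in $(resolve "strict.bing.com"); do
		unbound-control local_data "www.bing.com ${LOCAL_TTL} IN A ${address}"
	done >/dev/null

	# DuckDuckGo
	unbound-control local_zone duckduckgo.com typetransparent >/dev/null
	for address in $(resolve "safe.duckduckgo.com"); do
		unbound-control local_data "duckduckgo.com ${LOCAL_TTL} IN A ${address}"
	done >/dev/null

	# Google: resolve once, then apply to every country TLD
	addresses="$(resolve "forcesafesearch.google.com")"
	for domain in "${google_tlds[@]}"; do
		unbound-control local_zone "${domain}" transparent >/dev/null
		for address in ${addresses}; do
			# plain "local_data", consistent with every other call here
			unbound-control local_data "www.${domain} ${LOCAL_TTL} IN A ${address}"
		done >/dev/null
	done

	# Yandex
	for domain in yandex.com yandex.ru; do
		unbound-control local_zone "${domain}" typetransparent >/dev/null
		for address in $(resolve "familysearch.${domain}"); do
			unbound-control local_data "${domain} ${LOCAL_TTL} IN A ${address}"
		done >/dev/null
	done

	# YouTube
	unbound-control local_zone youtube.com transparent >/dev/null
	for address in $(resolve "restrictmoderate.youtube.com"); do
		unbound-control local_data "www.youtube.com ${LOCAL_TTL} IN A ${address}"
	done >/dev/null

	return 0
}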
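# Entry point: dispatch on the requested action.
case "$1" in
	start)
		# Print a nicer message when unbound is already running
		if pidofproc -s unbound; then
			statusproc /usr/sbin/unbound
			exit 0
		fi

		# Import the interface settings (own_hostname and update_hosts read
		# GREEN_ADDRESS, BLUE_ADDRESS and ORANGE_ADDRESS). NOTE: readhash's
		# output is eval'd, so it must only emit plain VAR=value assignments.
		eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)

		# Update configuration files
		write_tuning_conf
		write_forward_conf

		boot_mesg "Starting Unbound DNS Proxy..."
		loadproc /usr/sbin/unbound || exit $?

		# Make own hostname resolveable
		own_hostname

		# Update any known forwarding name servers
		update_forwarders

		# Install Safe Search rules when the system is already online
		if [ -e "/var/ipfire/red/active" ]; then
			update_safe_search
		fi

		# Update hosts
		update_hosts

		fix_time_if_dns_fail
		;;

	stop)
		boot_mesg "Stopping Unbound DNS Proxy..."
		killproc /usr/sbin/unbound
		;;

	restart)
		"$0" stop
		sleep 1
		"$0" start
		;;

	status)
		statusproc /usr/sbin/unbound
		;;

	update-forwarders)
		# Do not try updating forwarders when unbound is not running
		if ! pgrep unbound &>/dev/null; then
			exit 0
		fi

		update_forwarders

		# Drop cached negative and bogus answers
		unbound-control flush_negative > /dev/null
		unbound-control flush_bogus > /dev/null

		fix_time_if_dns_fail
		;;

	remove-forwarders)
		# Do not try removing forwarders when unbound is not running
		if ! pgrep unbound &>/dev/null; then
			exit 0
		fi

		remove_forwarders

		# Drop cached negative and bogus answers
		unbound-control flush_negative > /dev/null
		unbound-control flush_bogus > /dev/null
		;;

	resolve)
		resolve "${2}"
		;;

	update-safe-search)
		update_safe_search
		;;

	*)
		echo "Usage: $0 {start|stop|restart|status|update-forwarders|remove-forwarders|resolve|update-safe-search}"
		exit 1
		;;
esac

# End $rc_base/init.d/unbound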