#!/bin/sh
# Begin $rc_base/init.d/unbound

# Description : Unbound DNS resolver boot script for IPfire
# Author : Marcel Lorenz <marcel.lorenz@ipfire.org>
#
# NOTE(review): the script relies on bash-only features (arrays, [[ ]],
# <<<, &>), so /bin/sh has to be bash on the target system — confirm.

. /etc/sysconfig/rc
. ${rc_functions}

# Domain queried by all name server probes below
TEST_DOMAIN="ipfire.org"

# This domain will never validate
TEST_DOMAIN_FAIL="dnssec-failed.org"

# Defaults; any of them may be overridden by /etc/sysconfig/unbound
INSECURE_ZONES=
USE_FORWARDERS=1
ENABLE_SAFE_SEARCH=off
FORCE_TCP=off

# Cache any local zones for 60 seconds
LOCAL_TTL=60

# EDNS buffer size
EDNS_DEFAULT_BUFFER_SIZE=4096

# Load optional configuration
if [ -e "/etc/sysconfig/unbound" ]; then
	. /etc/sysconfig/unbound
fi

# Extra options handed to every dig invocation
DIG_ARGS=()

case "${FORCE_TCP}" in
	on)
		DIG_ARGS+=( "+tcp" )
		;;
esac

# Turns a dotted-quad IPv4 address into its in-addr.arpa reverse name.
# Arguments: $1 - IPv4 address (a.b.c.d)
# Outputs:   d.c.b.a.in-addr.arpa on stdout
ip_address_revptr() {
	local octets
	IFS=. read -r -a octets <<< "${1}"

	echo "${octets[3]}.${octets[2]}.${octets[1]}.${octets[0]}.in-addr.arpa"
}

# Prints the upstream name servers stored in /var/ipfire/red/dns1 and dns2
# on a single space-separated line. Missing files are silently skipped.
read_name_servers() {
	cat /var/ipfire/red/dns1 /var/ipfire/red/dns2 2>/dev/null | xargs echo
}

# Checks whether the RED interface is configured, present, has link and
# has an address ("inet" or "inet6") assigned.
# NB: the return value is inverted compared to the usual shell convention.
# Returns: 1 when RED is up and addressed, 0 otherwise (callers test for 1)
check_red_has_carrier_and_ip() {
	local iface

	# Interface configured?
	if [ ! -e "/var/ipfire/red/iface" ]; then
		return 0
	fi
	iface="$(</var/ipfire/red/iface)"

	# Interface present?
	if [ ! -e "/sys/class/net/${iface}" ]; then
		return 0
	fi

	# Has carrier?
	if [ "$(</sys/class/net/${iface}/carrier)" != "1" ]; then
		return 0
	fi

	# Has an address?
	if ! ip address show dev "${iface}" | grep -q "inet"; then
		return 0
	fi

	return 1
}

# Prints the "do not edit" banner placed at the top of every generated
# unbound configuration fragment, followed by an empty line.
config_header() {
	cat <<EOF
# This file is automatically generated and any changes
# will be overwritten. DO NOT EDIT!

EOF
}

# Probes the upstream name servers returned by read_name_servers, tells the
# running unbound to forward to the usable ones and records the outcome in
# /var/ipfire/red/dns. Falls back to recursor mode when none are usable.
# Globals:  USE_FORWARDERS, EDNS_DEFAULT_BUFFER_SIZE (read)
# Outputs:  boot messages; writes /var/ipfire/red/dns
# Returns:  0
update_forwarders() {
	check_red_has_carrier_and_ip
	# "${?}" = "1" means RED is up — the helper's return value is inverted
	if [ "${USE_FORWARDERS}" = "1" -a "${?}" = "1" ]; then
		local forwarders
		local broken_forwarders

		local ns
		for ns in $(read_name_servers); do
			test_name_server ${ns} &>/dev/null
			case "$?" in
				# Only use DNSSEC-validating or DNSSEC-aware name servers
				0|2)
					forwarders="${forwarders} ${ns}"
					;;
				*)
					broken_forwarders="${broken_forwarders} ${ns}"
					;;
			esac
		done

		# Determine EDNS buffer size: the smallest size any usable server
		# copes with, so that no forwarder is sent oversized queries
		local new_edns_buffer_size=${EDNS_DEFAULT_BUFFER_SIZE}

		for ns in ${forwarders}; do
			local edns_buffer_size=$(ns_determine_edns_buffer_size ${ns})
			if [ -n "${edns_buffer_size}" ]; then
				if [ ${edns_buffer_size} -lt ${new_edns_buffer_size} ]; then
					new_edns_buffer_size=${edns_buffer_size}
				fi
			fi
		done

		# NOTE(review): the option is only ever lowered here; a later run that
		# finds better servers does not restore the default — confirm intended.
		if [ ${new_edns_buffer_size} -lt ${EDNS_DEFAULT_BUFFER_SIZE} ]; then
			boot_mesg "EDNS buffer size reduced to ${new_edns_buffer_size}" ${WARNING}
			echo_warning

			unbound-control -q set_option edns-buffer-size: ${new_edns_buffer_size}
		fi

		# Show warning for any broken upstream name servers
		if [ -n "${broken_forwarders}" ]; then
			boot_mesg "Ignoring broken upstream name server(s): ${broken_forwarders:1}" ${WARNING}
			echo_warning
		fi

		if [ -n "${forwarders}" ]; then
			boot_mesg "Configuring upstream name server(s): ${forwarders:1}" ${INFO}
			echo_ok

			# Make sure DNSSEC is activated
			enable_dnssec

			# forwarders is intentionally unquoted: unbound-control takes one
			# address per argument
			echo "${forwarders}" > /var/ipfire/red/dns
			unbound-control -q forward ${forwarders}
			return 0

		# In case we have found no working forwarders
		else
			# Test if the recursor mode is available
			if can_resolve_root +bufsize=${new_edns_buffer_size}; then
				# Make sure DNSSEC is activated
				enable_dnssec

				boot_mesg "Falling back to recursor mode" ${WARNING}
				echo_warning

			# If not, we set DNSSEC in permissive mode and allow using all recursors.
			# Permissive mode keeps serving answers that fail validation, i.e. the
			# servers that failed the DNSSEC probes are now used without validation.
			elif [ -n "${broken_forwarders}" ]; then
				disable_dnssec

				boot_mesg "DNSSEC has been set to permissive mode" ${FAILURE}
				echo_failure

				echo "${broken_forwarders}" > /var/ipfire/red/dns
				unbound-control -q forward ${broken_forwarders}
				return 0
			fi
		fi
	fi

	# If forwarders cannot be used we run in recursor mode. This is also
	# reached when USE_FORWARDERS is off or RED is down, and when no server
	# worked and the root servers were unreachable (the DNSSEC mode is then
	# left as it was).
	echo "local recursor" > /var/ipfire/red/dns
	unbound-control -q forward off
}

# Drops all forwarders and puts unbound back into recursor mode with
# DNSSEC validation enforced; records "local recursor" in /var/ipfire/red/dns.
remove_forwarders() {
	enable_dnssec

	echo "local recursor" > /var/ipfire/red/dns
	unbound-control -q forward off
}

# Registers this firewall's own FQDN in unbound: an A record pointing at
# the GREEN address plus a PTR record for every configured internal address.
# Globals: GREEN_ADDRESS, BLUE_ADDRESS, ORANGE_ADDRESS, LOCAL_TTL (read)
own_hostname() {
	local fqdn
	fqdn=$(hostname -f)

	# 1.1.1.1 is reserved for unused green, skip this
	if [ -n "${GREEN_ADDRESS}" ] && [ "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
		unbound-control -q local_data "${fqdn} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}"
	fi

	local addr revptr
	for addr in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
		# Skip unset interfaces and the unused-green placeholder
		if [ -z "${addr}" ] || [ "${addr}" = "1.1.1.1" ]; then
			continue
		fi

		revptr=$(ip_address_revptr "${addr}")
		unbound-control -q local_data "${revptr} ${LOCAL_TTL} IN PTR ${fqdn}"
	done
}

36792be6 182update_hosts() {
6874a576 183 local enabled address hostname domainname generateptr
36792be6 184
6874a576 185 while IFS="," read -r enabled address hostname domainname generateptr; do
36792be6
MT
186 [ "${enabled}" = "on" ] || continue
187
188 # Build FQDN
189 local fqdn="${hostname}.${domainname}"
190
191 unbound-control -q local_data "${fqdn} ${LOCAL_TTL} IN A ${address}"
f75c279b 192
868d2a1f
MT
193 # Skip reverse resolution if the address equals the GREEN address
194 [ "${address}" = "${GREEN_ADDRESS}" ] && continue
195
6874a576
PM
196 # Skip reverse resolution if user requested not to do so
197 [ "${generateptr}" = "off" ] && continue
198
f75c279b
AF
199 # Add RDNS
200 address=$(ip_address_revptr ${address})
201 unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${fqdn}"
36792be6
MT
202 done < /var/ipfire/main/hosts
203}
204
# Generates /etc/unbound/forward.conf from /var/ipfire/dnsforward/config:
# a stub-zone for every reverse (in-addr.arpa) zone, a forward-zone for every
# other zone, and a domain-insecure entry for zones that are not DNSSEC-signed.
# Config line format: enabled,zone,servers,remark,disable_dnssec[,...]
# (servers are separated by "|").
# Globals:  INSECURE_ZONES, FORCE_TCP (read)
# Outputs:  writes /etc/unbound/forward.conf
# NOTE(review): zone and server values are emitted into the config unescaped;
# a zone name containing '"' would break the quoted local-zone line below —
# confirm the values are validated where the file is written.
write_forward_conf() {
	(
		config_header

		# Force using TCP for upstream servers only
		if [ "${FORCE_TCP}" = "on" ]; then
			echo "# Force using TCP for upstream servers only"
			echo "server:"
			echo " tcp-upstream: yes"
			echo
		fi

		local insecure_zones="${INSECURE_ZONES}"

		# "rest" absorbs any additional fields; the variable disable_dnssec
		# is unrelated to the function of the same name
		local enabled zone server servers remark disable_dnssec rest
		while IFS="," read -r enabled zone servers remark disable_dnssec rest; do
			# Line must be enabled.
			[ "${enabled}" = "on" ] || continue

			# Zones that end with .local are commonly used for internal
			# zones and therefore not signed
			case "${zone}" in
				*.local)
					insecure_zones="${insecure_zones} ${zone}"
					;;
				*)
					if [ "${disable_dnssec}" = "on" ]; then
						insecure_zones="${insecure_zones} ${zone}"
					fi
					;;
			esac

			# Reverse-lookup zones must be stubs
			case "${zone}" in
				*.in-addr.arpa)
					echo "stub-zone:"
					echo " name: ${zone}"
					# A dotted quad becomes stub-addr, anything else stub-host
					for server in ${servers//|/ }; do
						if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
							echo " stub-addr: ${server}"
						else
							echo " stub-host: ${server}"
						fi
					done
					echo
					echo "server:"
					echo " local-zone: \"${zone}\" transparent"
					echo
					;;
				*)
					echo "forward-zone:"
					echo " name: ${zone}"
					for server in ${servers//|/ }; do
						if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
							echo " forward-addr: ${server}"
						else
							echo " forward-host: ${server}"
						fi
					done
					echo
					;;
			esac
		done < /var/ipfire/dnsforward/config

		# Disable DNSSEC validation for the collected unsigned zones
		if [ -n "${insecure_zones}" ]; then
			echo "server:"

			for zone in ${insecure_zones}; do
				echo " domain-insecure: ${zone}"
			done
		fi
	) > /etc/unbound/forward.conf
}

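# Writes /etc/unbound/tuning.conf: thread count, cache slab counts and cache
# sizes derived from the number of online processors and the amount of RAM.
# Based on https://www.unbound.net/documentation/howto_optimise.html
# Outputs: writes /etc/unbound/tuning.conf
write_tuning_conf() {
	# Determine number of online processors. Fall back to one if getconf
	# cannot tell: an empty value would otherwise end up as "num-threads: "
	# in the generated file.
	local processors
	processors=$(getconf _NPROCESSORS_ONLN 2>/dev/null)
	processors=${processors:-1}

	# Determine number of slabs: the smallest power of two >= processors
	local slabs=1
	while [ ${slabs} -lt ${processors} ]; do
		slabs=$(( slabs * 2 ))
	done

	# Determine amount of system memory (MB)
	local mem
	mem=$(get_memory_amount)

	# Pick the total cache budget (MB) for this memory class. In the worst
	# case scenario unbound can use double the amount of memory allocated to
	# a cache due to malloc overhead, hence the conservative values.
	if [ ${mem} -ge 8192 ]; then
		# Even larger systems with 8GB of RAM or more
		mem=1024
	elif [ ${mem} -ge 4096 ]; then
		# Extra large systems with 4GB of RAM or more
		mem=512
	elif [ ${mem} -ge 2048 ]; then
		# Large systems with 2GB of RAM or more
		mem=256
	elif [ ${mem} -ge 1024 ]; then
		# Medium systems with 1GB of RAM or more
		mem=128
	elif [ ${mem} -le 256 ]; then
		# Small systems with 256MB of RAM or less
		mem=16
	else
		# Everything else (between 256MB and 1GB)
		mem=64
	fi

	(
		config_header

		# We run one thread per processor
		echo "num-threads: ${processors}"
		echo "so-reuseport: yes"

		# Adjust number of slabs
		echo "infra-cache-slabs: ${slabs}"
		echo "key-cache-slabs: ${slabs}"
		echo "msg-cache-slabs: ${slabs}"
		echo "rrset-cache-slabs: ${slabs}"

		# Slice up the cache: half for RRsets, a quarter each for messages
		# and keys
		echo "rrset-cache-size: $(( mem / 2 ))m"
		echo "msg-cache-size: $(( mem / 4 ))m"
		echo "key-cache-size: $(( mem / 4 ))m"

		# Increase parallel queries
		echo "outgoing-range: 8192"
		echo "num-queries-per-thread: 4096"

		# Use larger send/receive buffers
		echo "so-sndbuf: 4m"
		echo "so-rcvbuf: 4m"
	) > /etc/unbound/tuning.conf
}
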
# Prints the total system memory in MB, taken from MemTotal in /proc/meminfo.
# Outputs: integer MB on stdout (nothing if MemTotal is not found)
get_memory_amount() {
	local key kb unit

	while read -r key kb unit; do
		if [ "${key}" = "MemTotal:" ]; then
			# /proc/meminfo reports kB; convert to MB
			echo "$(( kb / 1024 ))"
			return 0
		fi
	done < /proc/meminfo
}

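# Probes an upstream name server for DNSSEC capability.
# Arguments: $1 - name server address
# Returns:
#   0 DNSSEC validating
#   1 Error: unreachable, etc.
#   2 DNSSEC aware (hands out DNSSEC records but does not validate)
#   3 NOT DNSSEC-aware (DNSKEY, DS or RRSIG could not be retrieved)
# Outputs:   a diagnostic on stderr when returning 3
test_name_server() {
	local ns="${1}"
	local args

	# Exit when the server is not reachable
	ns_is_online "${ns}" || return 1

	# Determine the maximum edns buffer size that works and use it for all
	# further queries
	local edns_buffer_size
	edns_buffer_size=$(ns_determine_edns_buffer_size "${ns}")
	if [ -n "${edns_buffer_size}" ]; then
		args="${args} +bufsize=${edns_buffer_size}"
	fi

	# args is intentionally unquoted so that it splits into dig options
	local rr errors
	for rr in DNSKEY DS RRSIG; do
		if ! ns_forwards_${rr} "${ns}" ${args}; then
			errors="${errors} ${rr}"
		fi
	done

	if [ -n "${errors}" ]; then
		echo >&2 "Unable to retrieve the following resource records from ${ns}: ${errors:1}"
		return 3
	fi

	if ns_is_validating "${ns}" ${args}; then
		# Return 0 if validating
		return 0
	else
		# Is DNSSEC-aware
		return 2
	fi
}
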
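# Sends an A query to the name server w/o DNSSEC to see whether it answers.
# Arguments: $1 - name server address; remaining arguments are passed to dig
# Returns:   dig's exit status (0 when a reply was received)
ns_is_online() {
	local ns="${1}"
	shift

	dig "${DIG_ARGS[@]}" "@${ns}" +nodnssec A "${TEST_DOMAIN}" "$@" >/dev/null
}
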
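# Decides whether the name server validates DNSSEC itself: resolving
# ${TEST_DOMAIN_FAIL} must SERVFAIL on a validating resolver, and a DNSSEC
# query for ${TEST_DOMAIN} must then carry the "ad" (authenticated data) flag.
# Arguments: $1 - name server address; remaining arguments are passed to dig
# Returns:   0 when validating, 1 otherwise
ns_is_validating() {
	local ns="${1}"
	shift

	if ! dig "${DIG_ARGS[@]}" "@${ns}" A "${TEST_DOMAIN_FAIL}" "$@" | grep -q SERVFAIL; then
		return 1
	fi

	# Determine if NS replies with "ad" data flag if DNSSEC enabled.
	# s starts as "not validating" and is only cleared when the flags line
	# contains " ad"; a reply without any flags line (e.g. a timeout) thus
	# no longer counts as validating.
	dig "${DIG_ARGS[@]}" "@${ns}" +dnssec SOA "${TEST_DOMAIN}" "$@" \
		| awk 'BEGIN { s=1 } /;; flags:/ { if (/ ad/) s=0; exit s } END { exit s }'
}
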
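# Checks if we can retrieve the DNSKEY for the test domain.
# dig will print the SOA if nothing was found.
# NOTE(review): grep -qv succeeds as soon as any output line lacks "SOA",
# and dig's own header lines always do, so this only fails when dig prints
# nothing at all — confirm whether `! ... | grep -q SOA` was intended.
# Arguments: $1 - name server address; remaining arguments are passed to dig
# Returns:   0 when accepted as a DNSKEY answer
ns_forwards_DNSKEY() {
	local ns="${1}"
	shift

	dig "${DIG_ARGS[@]}" "@${ns}" DNSKEY "${TEST_DOMAIN}" "$@" | grep -qv SOA
}
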
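# Checks if we can retrieve the DS record for the test domain; same
# "SOA means not found" logic and the same grep -qv caveat as
# ns_forwards_DNSKEY.
# Arguments: $1 - name server address; remaining arguments are passed to dig
# Returns:   0 when accepted as a DS answer
ns_forwards_DS() {
	local ns="${1}"
	shift

	dig "${DIG_ARGS[@]}" "@${ns}" DS "${TEST_DOMAIN}" "$@" | grep -qv SOA
}
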
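# Checks whether a DNSSEC-enabled A query returns RRSIG records, i.e.
# whether the server forwards signatures at all.
# Arguments: $1 - name server address; remaining arguments are passed to dig
# Returns:   0 when an RRSIG was seen in the reply
ns_forwards_RRSIG() {
	local ns="${1}"
	shift

	dig "${DIG_ARGS[@]}" "@${ns}" +dnssec A "${TEST_DOMAIN}" "$@" | grep -q RRSIG
}
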
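# Checks whether the name server answers an A query over TCP.
# Arguments: $1 - name server address; remaining arguments are passed to dig
# Returns:   0 when TCP works (or is forced globally), 1 otherwise
ns_supports_tcp() {
	local ns="${1}"
	shift

	# If TCP is forced we know by now if the server responds to it
	if [ "${FORCE_TCP}" = "on" ]; then
		return 0
	fi

	dig "${DIG_ARGS[@]}" "@${ns}" +tcp A "${TEST_DOMAIN}" "$@" >/dev/null || return 1
}
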
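# Finds the largest EDNS buffer size with which the name server answers a
# DNSSEC query, trying the candidates from largest to smallest.
# Arguments: $1 - name server address; remaining arguments are passed to dig
# Outputs:   the working buffer size on stdout
# Returns:   0 when a size was found, 1 when none of the candidates worked
ns_determine_edns_buffer_size() {
	local ns="${1}"
	shift

	local size
	for size in 4096 2048 1500 1480 1464 1400 1280 512; do
		if dig "${DIG_ARGS[@]}" "@${ns}" +dnssec +bufsize=${size} A "${TEST_DOMAIN}" "$@" >/dev/null; then
			echo "${size}"
			return 0
		fi
	done

	return 1
}
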
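# Prints the IPv4 addresses of the root name servers listed in the root
# hints file.
# Outputs: one address per line (A records only; other record types are
#          skipped)
get_root_nameservers() {
	local hostname ttl record address

	while read -r hostname ttl record address; do
		# Searching for A records
		[ "${record}" = "A" ] || continue

		echo "${address}"
	done < /etc/unbound/root.hints
}
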
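# Checks whether at least one root name server answers a DNSSEC SOA query
# for the root zone, i.e. whether recursor mode is possible.
# Arguments: all arguments are passed to dig (e.g. +bufsize=N)
# Returns:   0 when a root server answered, 1 when none was reachable
can_resolve_root() {
	local ns
	for ns in $(get_root_nameservers); do
		if dig "${DIG_ARGS[@]}" "@${ns}" +dnssec SOA . "$@" >/dev/null; then
			return 0
		fi
	done

	# none of the servers was reachable
	return 1
}
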
# Switches unbound to strict DNSSEC validation and records "on" in
# /var/ipfire/red/dnssec-status.
enable_dnssec() {
	local permissive
	permissive=$(unbound-control get_option val-permissive-mode)

	# Log DNSSEC status
	echo "on" > /var/ipfire/red/dnssec-status

	# Don't do anything if DNSSEC is already activated
	if [ "${permissive}" = "no" ]; then
		return 0
	fi

	# Activate DNSSEC and flush cache with any stale and unvalidated data
	unbound-control -q set_option val-permissive-mode: no
	unbound-control -q flush_zone .
}

# Puts unbound into permissive mode (answers that fail validation are still
# served) and records "off" in /var/ipfire/red/dnssec-status.
disable_dnssec() {
	# Log DNSSEC status
	echo "off" > /var/ipfire/red/dnssec-status

	unbound-control -q set_option val-permissive-mode: yes
}

# If DNS still does not work, try to set the clock via the hardcoded
# ntp.ipfire.org address (81.3.27.46). Presumably here because DNSSEC
# validation needs a correct clock — not stated in this file.
fix_time_if_dns_fail() {
	local red_state

	check_red_has_carrier_and_ip
	red_state=$?

	# Only when RED is configured and up (the helper returns 1 for "up")
	if [ ! -e "/var/ipfire/red/iface" ] || [ "${red_state}" != "1" ]; then
		return
	fi

	if ! host 0.ipfire.pool.ntp.org > /dev/null 2>&1; then
		boot_mesg "DNS still not functioning... Trying to sync time with ntp.ipfire.org (81.3.27.46)..."
		loadproc /usr/local/bin/settime 81.3.27.46
	fi
}

# Resolves a host name by querying the configured upstream name servers
# directly with dig (bypassing unbound).
# Arguments: $1 - host name
# Outputs:   one address per line; answers ending in "." (names, not
#            addresses) are dropped. Stops at the first server that
#            returned anything.
resolve() {
	local name="${1}"
	local ns answer have_answer

	for ns in $(read_name_servers); do
		have_answer=0

		for answer in $(dig "${DIG_ARGS[@]}" +short "@${ns}" A "${name}"); do
			have_answer=1

			# Filter out non-IP addresses
			case "${answer}" in
				*.) ;;
				*) echo "${answer}" ;;
			esac
		done

		# End loop when we have got something
		if [ "${have_answer}" = "1" ]; then
			break
		fi
	done
}

661ab153 551# Sets up Safe Search for various search engines
d7190078 552update_safe_search() {
661ab153
MT
553 local google_tlds=(
554 google.ad
555 google.ae
556 google.al
557 google.am
558 google.as
559 google.at
560 google.az
561 google.ba
562 google.be
563 google.bf
564 google.bg
565 google.bi
566 google.bj
567 google.bs
568 google.bt
569 google.by
570 google.ca
571 google.cat
572 google.cd
573 google.cf
574 google.cg
575 google.ch
576 google.ci
577 google.cl
578 google.cm
579 google.cn
580 google.co.ao
581 google.co.bw
582 google.co.ck
583 google.co.cr
584 google.co.id
585 google.co.il
586 google.co.in
587 google.co.jp
588 google.co.ke
589 google.co.kr
590 google.co.ls
591 google.com
592 google.co.ma
593 google.com.af
594 google.com.ag
595 google.com.ai
596 google.com.ar
597 google.com.au
598 google.com.bd
599 google.com.bh
600 google.com.bn
601 google.com.bo
602 google.com.br
603 google.com.bz
604 google.com.co
605 google.com.cu
606 google.com.cy
607 google.com.do
608 google.com.ec
609 google.com.eg
610 google.com.et
611 google.com.fj
612 google.com.gh
613 google.com.gi
614 google.com.gt
615 google.com.hk
616 google.com.jm
617 google.com.kh
618 google.com.kw
619 google.com.lb
620 google.com.ly
621 google.com.mm
622 google.com.mt
623 google.com.mx
624 google.com.my
625 google.com.na
626 google.com.nf
627 google.com.ng
628 google.com.ni
629 google.com.np
630 google.com.om
631 google.com.pa
632 google.com.pe
633 google.com.pg
634 google.com.ph
635 google.com.pk
636 google.com.pr
637 google.com.py
638 google.com.qa
639 google.com.sa
640 google.com.sb
641 google.com.sg
642 google.com.sl
643 google.com.sv
644 google.com.tj
645 google.com.tr
646 google.com.tw
647 google.com.ua
648 google.com.uy
649 google.com.vc
650 google.com.vn
651 google.co.mz
652 google.co.nz
653 google.co.th
654 google.co.tz
655 google.co.ug
656 google.co.uk
657 google.co.uz
658 google.co.ve
659 google.co.vi
660 google.co.za
661 google.co.zm
662 google.co.zw
663 google.cv
664 google.cz
665 google.de
666 google.dj
667 google.dk
668 google.dm
669 google.dz
670 google.ee
671 google.es
672 google.fi
673 google.fm
674 google.fr
675 google.ga
676 google.ge
677 google.gg
678 google.gl
679 google.gm
680 google.gp
681 google.gr
682 google.gy
683 google.hn
684 google.hr
685 google.ht
686 google.hu
687 google.ie
688 google.im
689 google.iq
690 google.is
691 google.it
692 google.je
693 google.jo
694 google.kg
695 google.ki
696 google.kz
697 google.la
698 google.li
699 google.lk
700 google.lt
701 google.lu
702 google.lv
703 google.md
704 google.me
705 google.mg
706 google.mk
707 google.ml
708 google.mn
709 google.ms
710 google.mu
711 google.mv
712 google.mw
713 google.ne
714 google.nl
715 google.no
716 google.nr
717 google.nu
718 google.pl
719 google.pn
720 google.ps
721 google.pt
722 google.ro
723 google.rs
724 google.ru
725 google.rw
726 google.sc
727 google.se
728 google.sh
729 google.si
730 google.sk
731 google.sm
732 google.sn
733 google.so
734 google.sr
735 google.st
736 google.td
737 google.tg
738 google.tk
739 google.tl
740 google.tm
741 google.tn
742 google.to
743 google.tt
744 google.vg
745 google.vu
746 google.ws
747 )
748
d7190078
MT
749 # Cleanup previous settings
750 unbound-control local_zone_remove "bing.com" >/dev/null
751 unbound-control local_zone_remove "duckduckgo.com" >/dev/null
752 unbound-control local_zone_remove "yandex.com" >/dev/null
753 unbound-control local_zone_remove "yandex.ru" >/dev/null
754 unbound-control local_zone_remove "youtube.com" >/dev/null
661ab153 755
d7190078
MT
756 local domain
757 for domain in ${google_tlds[@]}; do
758 unbound-control local_zone_remove "${domain}"
759 done >/dev/null
661ab153 760
d7190078
MT
761 # Nothing to do if safe search is not enabled
762 if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
763 return 0
764 fi
661ab153 765
d7190078
MT
766 # Bing
767 unbound-control bing.com transparent >/dev/null
768 for address in $(resolve "strict.bing.com"); do
769 unbound-control local_data "www.bing.com ${LOCAL_TTL} IN A ${address}"
770 done >/dev/null
771
772 # DuckDuckGo
773 unbound-control local_zone duckduckgo.com typetransparent >/dev/null
774 for address in $(resolve "safe.duckduckgo.com"); do
775 unbound-control local_data "duckduckgo.com ${LOCAL_TTL} IN A ${address}"
776 done >/dev/null
777
778 # Google
779 local addresses="$(resolve "forcesafesearch.google.com")"
780 for domain in ${google_tlds[@]}; do
781 unbound-control local_zone "${domain}" transparent >/dev/null
782 for address in ${addresses}; do
783 unbound-control local_data: "www.${domain} ${LOCAL_TTL} IN A ${address}"
784 done >/dev/null
785 done
661ab153 786
d7190078
MT
787 # Yandex
788 for domain in yandex.com yandex.ru; do
789 unbound-control local_zone "${domain}" typetransparent >/dev/null
790 for address in $(resolve "familysearch.${domain}"); do
791 unbound-control local_data "${domain} ${LOCAL_TTL} IN A ${address}"
792 done >/dev/null
793 done
661ab153 794
d7190078
MT
795 # YouTube
796 unbound-control local_zone youtube.com transparent >/dev/null
797 for address in $(resolve "restrictmoderate.youtube.com"); do
798 unbound-control local_data "www.youtube.com ${LOCAL_TTL} IN A ${address}"
799 done >/dev/null
f617fd91 800
d7190078 801 return 0
661ab153
MT
802}
803
# Entry point: dispatch on the init action given as $1.
case "$1" in
	start)
		# Print a nicer message when unbound is already running
		if pidofproc -s unbound; then
			statusproc /usr/sbin/unbound
			exit 0
		fi

		# Evaluates readhash's output as shell code; presumably this is what
		# provides GREEN_ADDRESS/BLUE_ADDRESS/ORANGE_ADDRESS for own_hostname
		# and update_hosts. NOTE(review): only trustworthy (admin-owned,
		# non-writable by others) settings files may ever be fed to eval.
		eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)

		# Update configuration files
		write_tuning_conf
		write_forward_conf

		boot_mesg "Starting Unbound DNS Proxy..."
		loadproc /usr/sbin/unbound || exit $?

		# Make own hostname resolveable
		own_hostname

		# Update any known forwarding name servers
		update_forwarders

		# Install Safe Search rules when the system is already online
		if [ -e "/var/ipfire/red/active" ]; then
			update_safe_search
		fi

		# Update hosts
		update_hosts

		fix_time_if_dns_fail
		;;

	stop)
		boot_mesg "Stopping Unbound DNS Proxy..."
		killproc /usr/sbin/unbound
		;;

	restart)
		$0 stop
		sleep 1
		$0 start
		;;

	status)
		statusproc /usr/sbin/unbound
		;;

	update-forwarders)
		# Do not try updating forwarders when unbound is not running
		if ! pgrep unbound &>/dev/null; then
			exit 0
		fi

		update_forwarders

		# Drop cached failures so the new forwarders get a clean start
		unbound-control flush_negative > /dev/null
		unbound-control flush_bogus > /dev/null

		fix_time_if_dns_fail
		;;

	remove-forwarders)
		# Do not try updating forwarders when unbound is not running
		if ! pgrep unbound &>/dev/null; then
			exit 0
		fi

		remove_forwarders

		unbound-control flush_negative > /dev/null
		unbound-control flush_bogus > /dev/null
		;;

	test-name-server)
		# Diagnostic: report DNSSEC capability, TCP support and EDNS buffer
		# size of the name server given as $2; exit code is the probe result
		ns=${2}

		test_name_server ${ns}
		ret=${?}

		case "${ret}" in
			0)
				echo "${ns} is validating"
				;;
			2)
				echo "${ns} is DNSSEC-aware"
				;;
			3)
				echo "${ns} is NOT DNSSEC-aware"
				;;
			*)
				# Return code 1 (unreachable etc.) lands here
				echo "Test failed for an unknown reason"
				exit ${ret}
				;;
		esac

		if ns_supports_tcp ${ns}; then
			echo "${ns} supports TCP fallback"
		else
			echo "${ns} does not support TCP fallback"
		fi

		edns_buffer_size=$(ns_determine_edns_buffer_size ${ns})
		if [ -n "${edns_buffer_size}" ]; then
			echo "EDNS buffer size for ${ns}: ${edns_buffer_size}"
		fi

		exit ${ret}
		;;

	resolve)
		resolve "${2}"
		;;

	update-safe-search)
		update_safe_search
		;;

	*)
		echo "Usage: $0 {start|stop|restart|status|update-forwarders|remove-forwarders|test-name-server|resolve|update-safe-search}"
		exit 1
		;;
esac

# End $rc_base/init.d/unbound