]> git.ipfire.org Git - ipfire-2.x.git/blob - src/initscripts/init.d/unbound
projects / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
unbound: Allow recursion from everywhere
[ipfire-2.x.git] / src / initscripts / init.d / unbound
1 #!/bin/sh
2 # Begin $rc_base/init.d/unbound
3
4 # Description : Unbound DNS resolver boot script for IPfire
5 # Author : Marcel Lorenz <marcel.lorenz@ipfire.org>
6
7 . /etc/sysconfig/rc
8 . ${rc_functions}
9
10 TEST_DOMAIN="ipfire.org"
11
12 # This domain will never validate
13 TEST_DOMAIN_FAIL="dnssec-failed.org"
14
15 USE_FORWARDERS=1
16
17 # Cache any local zones for 60 seconds
18 LOCAL_TTL=60
19
20 # Load optional configuration
21 [ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound
22
23 function cidr() {
24 local cidr nbits IFS;
25 IFS=. read -r i1 i2 i3 i4 <<< ${1}
26 IFS=. read -r m1 m2 m3 m4 <<< ${2}
27 cidr=$(printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))")
28 nbits=0
29 IFS=.
30 for dec in $2 ; do
31 case $dec in
32 255) let nbits+=8;;
33 254) let nbits+=7;;
34 252) let nbits+=6;;
35 248) let nbits+=5;;
36 240) let nbits+=4;;
37 224) let nbits+=3;;
38 192) let nbits+=2;;
39 128) let nbits+=1;;
40 0);;
41 *) echo "Error: $dec is not recognised"; exit 1
42 esac
43 done
44 echo "${cidr}/${nbits}"
45 }
46
47 ip_address_revptr() {
48 local addr=${1}
49
50 local a1 a2 a3 a4
51 IFS=. read -r a1 a2 a3 a4 <<< ${addr}
52
53 echo "${a4}.${a3}.${a2}.${a1}.in-addr.arpa"
54 }
55
56 read_name_servers() {
57 local i
58 for i in 1 2; do
59 echo "$(</var/ipfire/red/dns${i})"
60 done | xargs echo
61 }
62
63 config_header() {
64 echo "# This file is automatically generated and any changes"
65 echo "# will be overwritten. DO NOT EDIT!"
66 echo
67 }
68
69 update_forwarders() {
70 if [ "${USE_FORWARDERS}" = "1" -a -e "/var/ipfire/red/active" ]; then
71 local forwarders
72 local broken_forwarders
73
74 local ns
75 for ns in $(read_name_servers); do
76 test_name_server ${ns} &>/dev/null
77 case "$?" in
78 # Only use DNSSEC-validating or DNSSEC-aware name servers
79 0|2)
80 forwarders="${forwarders} ${ns}"
81 ;;
82 *)
83 broken_forwarders="${broken_forwarders} ${ns}"
84 ;;
85 esac
86 done
87
88 # Show warning for any broken upstream name servers
89 if [ -n "${broken_forwarders}" ]; then
90 boot_mesg "Ignoring broken upstream name server(s): ${broken_forwarders:1}" ${WARNING}
91 echo_warning
92 fi
93
94 if [ -n "${broken_forwarders}" -a -z "${forwarders}" ]; then
95 boot_mesg "Falling back to recursor mode" ${WARNING}
96 echo_warning
97
98 elif [ -n "${forwarders}" ]; then
99 boot_mesg "Configuring upstream name server(s): ${forwarders:1}" ${INFO}
100 echo_ok
101
102 echo "${forwarders}" > /var/ipfire/red/dns
103 unbound-control -q forward ${forwarders}
104 return 0
105 fi
106 fi
107
108 # If forwarders cannot be used we run in recursor mode
109 echo "local recursor" > /var/ipfire/red/dns
110 unbound-control -q forward off
111 }
112
113 own_hostname() {
114 local hostname=$(hostname -f)
115 # 1.1.1.1 is reserved for unused green, skip this
116 if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
117 unbound-control -q local_data "${hostname} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}"
118 fi
119
120 local address
121 for address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
122 [ -n "${address}" ] || continue
123 [ "${address}" = "1.1.1.1" ] && continue
124
125 address=$(ip_address_revptr ${address})
126 unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${hostname}"
127 done
128 }
129
130 update_hosts() {
131 local enabled address hostname domainname
132
133 while IFS="," read -r enabled address hostname domainname; do
134 [ "${enabled}" = "on" ] || continue
135
136 # Build FQDN
137 local fqdn="${hostname}.${domainname}"
138
139 unbound-control -q local_data "${fqdn} ${LOCAL_TTL} IN A ${address}"
140
141 # Skip reverse resolution if the address equals the GREEN address
142 [ "${address}" = "${GREEN_ADDRESS}" ] && continue
143
144 # Add RDNS
145 address=$(ip_address_revptr ${address})
146 unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${fqdn}"
147 done < /var/ipfire/main/hosts
148 }
149
150 write_forward_conf() {
151 (
152 config_header
153
154 local insecure_zones
155
156 local enabled zone server remark
157 while IFS="," read -r enabled zone server remark; do
158 # Line must be enabled.
159 [ "${enabled}" = "on" ] || continue
160
161 # Zones that end with .local are commonly used for internal
162 # zones and therefore not signed
163 case "${zone}" in
164 *.local)
165 insecure_zones="${insecure_zones} ${zone}"
166 ;;
167 esac
168
169 echo "forward-zone:"
170 echo " name: ${zone}"
171 echo " forward-addr: ${server}"
172 echo
173 done < /var/ipfire/dnsforward/config
174
175 if [ -n "${insecure_zones}" ]; then
176 echo "server:"
177
178 for zone in ${insecure_zones}; do
179 echo " domain-insecure: ${zone}"
180 done
181 fi
182 ) > /etc/unbound/forward.conf
183 }
184
185 write_tuning_conf() {
186 # https://www.unbound.net/documentation/howto_optimise.html
187
188 # Determine number of online processors
189 local processors=$(getconf _NPROCESSORS_ONLN)
190
191 # Determine number of slabs
192 local slabs=1
193 while [ ${slabs} -lt ${processors} ]; do
194 slabs=$(( ${slabs} * 2 ))
195 done
196
197 # Determine amount of system memory
198 local mem=$(get_memory_amount)
199
200 # In the worst case scenario, unbound can use double the
201 # amount of memory allocated to a cache due to malloc overhead
202
203 # Large systems with more than 2GB of RAM
204 if [ ${mem} -ge 2048 ]; then
205 mem=128
206
207 # Small systems with less than 256MB of RAM
208 elif [ ${mem} -le 256 ]; then
209 mem=8
210
211 # Everything else
212 else
213 mem=32
214 fi
215
216 (
217 config_header
218
219 # We run one thread per processor
220 echo "num-threads: ${processors}"
221
222 # Adjust number of slabs
223 echo "infra-cache-slabs: ${slabs}"
224 echo "key-cache-slabs: ${slabs}"
225 echo "msg-cache-slabs: ${slabs}"
226 echo "rrset-cache-slabs: ${slabs}"
227
228 # Slice up the cache
229 echo "rrset-cache-size: $(( ${mem} / 2 ))m"
230 echo "msg-cache-size: $(( ${mem} / 4 ))m"
231 echo "key-cache-size: $(( ${mem} / 4 ))m"
232 ) > /etc/unbound/tuning.conf
233 }
234
235 get_memory_amount() {
236 local key val unit
237
238 while read -r key val unit; do
239 case "${key}" in
240 MemTotal:*)
241 # Convert to MB
242 echo "$(( ${val} / 1024 ))"
243 break
244 ;;
245 esac
246 done < /proc/meminfo
247 }
248
249 test_name_server() {
250 local ns=${1}
251
252 # Return codes:
253 # 0 DNSSEC validating
254 # 1 Error: unreachable, etc.
255 # 2 DNSSEC aware
256 # 3 NOT DNSSEC-aware
257
258 # Exit when the server is not reachable
259 ns_is_online ${ns} || return 1
260
261 # Return 0 if validating
262 ns_is_validating ${ns} && return 0
263
264 local errors
265 for rr in DNSKEY DS RRSIG; do
266 if ! ns_forwards_${rr} ${ns}; then
267 errors="${errors} ${rr}"
268 fi
269 done
270
271 if [ -n "${errors}" ]; then
272 echo >&2 "Unable to retrieve the following resource records from ${ns}: ${errors:1}"
273 return 3
274 fi
275
276 # Is DNSSEC-aware
277 return 2
278 }
279
280 # Sends an A query to the nameserver w/o DNSSEC
281 ns_is_online() {
282 local ns=${1}
283
284 dig @${ns} +nodnssec A ${TEST_DOMAIN} >/dev/null
285 }
286
287 # Resolving ${TEST_DOMAIN_FAIL} will fail if the nameserver is validating
288 ns_is_validating() {
289 local ns=${1}
290
291 dig @${ns} A ${TEST_DOMAIN_FAIL} | grep -q SERVFAIL
292 }
293
294 # Checks if we can retrieve the DNSKEY for this domain.
295 # dig will print the SOA if nothing was found
296 ns_forwards_DNSKEY() {
297 local ns=${1}
298
299 dig @${ns} DNSKEY ${TEST_DOMAIN} | grep -qv SOA
300 }
301
302 ns_forwards_DS() {
303 local ns=${1}
304
305 dig @${ns} DS ${TEST_DOMAIN} | grep -qv SOA
306 }
307
308 ns_forwards_RRSIG() {
309 local ns=${1}
310
311 dig @${ns} +dnssec A ${TEST_DOMAIN} | grep -q RRSIG
312 }
313
314 ns_supports_tcp() {
315 local ns=${1}
316
317 dig @${ns} +tcp A ${TEST_DOMAIN} >/dev/null || return 1
318 }
319
320 case "$1" in
321 start)
322 # Print a nicer messagen when unbound is already running
323 if pidofproc -s unbound; then
324 statusproc /usr/sbin/unbound
325 exit 0
326 fi
327
328 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
329
330 # Create control keys at first run
331 if [ ! -r "/etc/unbound/unbound_control.key" ]; then
332 unbound-control-setup -d /etc/unbound &>/dev/null
333 fi
334
335 # Update configuration files
336 write_tuning_conf
337 write_forward_conf
338
339 boot_mesg "Starting Unbound DNS Proxy..."
340 loadproc /usr/sbin/unbound || exit $?
341
342 # Make own hostname resolveable
343 own_hostname
344
345 # Update any known forwarding name servers
346 update_forwarders
347
348 # Update hosts
349 update_hosts
350 ;;
351
352 stop)
353 boot_mesg "Stopping Unbound DNS Proxy..."
354 killproc /usr/sbin/unbound
355 ;;
356
357 restart)
358 $0 stop
359 sleep 1
360 $0 start
361 ;;
362
363 status)
364 statusproc /usr/sbin/unbound
365 ;;
366
367 update-forwarders)
368 update_forwarders
369 ;;
370
371 test-name-server)
372 ns=${2}
373
374 test_name_server ${ns}
375 ret=${?}
376
377 case "${ret}" in
378 0)
379 echo "${ns} is validating"
380 ;;
381 2)
382 echo "${ns} is DNSSEC-aware"
383 ;;
384 3)
385 echo "${ns} is NOT DNSSEC-aware"
386 ;;
387 *)
388 echo "Test failed for an unknown reason"
389 ;;
390 esac
391
392 if ns_supports_tcp ${ns}; then
393 echo "${ns} supports TCP fallback"
394 else
395 echo "${ns} does not support TCP fallback"
396 fi
397
398 exit ${ret}
399 ;;
400
401 *)
402 echo "Usage: $0 {start|stop|restart|status|update-forwarders|test-name-server}"
403 exit 1
404 ;;
405 esac
406
407 # End $rc_base/init.d/unbound
IPFire 2.x development tree