]> git.ipfire.org Git - ipfire-2.x.git/blob - src/initscripts/system/unbound
projects / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
unbound: Drop live checks
[ipfire-2.x.git] / src / initscripts / system / unbound
1 #!/bin/sh
2 # Begin $rc_base/init.d/unbound
3
4 # Description : Unbound DNS resolver boot script for IPfire
5 # Author : Marcel Lorenz <marcel.lorenz@ipfire.org>
6
7 . /etc/sysconfig/rc
8 . ${rc_functions}
9
10 TEST_DOMAIN="ipfire.org"
11
12 # This domain will never validate
13 TEST_DOMAIN_FAIL="dnssec-failed.org"
14
15 # Cache any local zones for 60 seconds
16 LOCAL_TTL=60
17
18 # Load configuration
19 eval $(/usr/local/bin/readhash /var/ipfire/dns/settings)
20
21 DIG_ARGS=()
22
23 if [ "${PROTO}" = "TCP" ]; then
24 DIG_ARGS+=( "+tcp" )
25 fi
26
27 ip_address_revptr() {
28 local addr=${1}
29
30 local a1 a2 a3 a4
31 IFS=. read -r a1 a2 a3 a4 <<< ${addr}
32
33 echo "${a4}.${a3}.${a2}.${a1}.in-addr.arpa"
34 }
35
36 read_name_servers() {
37 local i
38 for i in 1 2; do
39 echo "$(</var/ipfire/red/dns${i})"
40 done 2>/dev/null | xargs echo
41 }
42
43 check_red_has_carrier_and_ip() {
44 # Interface configured ?
45 [ ! -e "/var/ipfire/red/iface" ] && return 0;
46
47 # Interface present ?
48 [ ! -e "/sys/class/net/$(</var/ipfire/red/iface)" ] && return 0;
49
50 # has carrier ?
51 [ ! "$(</sys/class/net/$(</var/ipfire/red/iface)/carrier)" = "1" ] && return 0;
52
53 # has ip ?
54 [ "$(ip address show dev $(</var/ipfire/red/iface) | grep "inet")" = "" ] && return 0;
55
56 return 1;
57 }
58
59 config_header() {
60 echo "# This file is automatically generated and any changes"
61 echo "# will be overwritten. DO NOT EDIT!"
62 echo
63 }
64
65 own_hostname() {
66 local hostname=$(hostname -f)
67 # 1.1.1.1 is reserved for unused green, skip this
68 if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
69 unbound-control -q local_data "${hostname} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}"
70 fi
71
72 local address
73 for address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
74 [ -n "${address}" ] || continue
75 [ "${address}" = "1.1.1.1" ] && continue
76
77 address=$(ip_address_revptr ${address})
78 unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${hostname}"
79 done
80 }
81
82 update_hosts() {
83 local enabled address hostname domainname generateptr
84
85 while IFS="," read -r enabled address hostname domainname generateptr; do
86 [ "${enabled}" = "on" ] || continue
87
88 # Build FQDN
89 local fqdn="${hostname}.${domainname}"
90
91 unbound-control -q local_data "${fqdn} ${LOCAL_TTL} IN A ${address}"
92
93 # Skip reverse resolution if the address equals the GREEN address
94 [ "${address}" = "${GREEN_ADDRESS}" ] && continue
95
96 # Skip reverse resolution if user requested not to do so
97 [ "${generateptr}" = "off" ] && continue
98
99 # Add RDNS
100 address=$(ip_address_revptr ${address})
101 unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${fqdn}"
102 done < /var/ipfire/main/hosts
103 }
104
105 write_forward_conf() {
106 (
107 config_header
108
109 # Force using TCP for upstream servers only
110 if [ "${PROTO}" = "TCP" ]; then
111 echo "# Force using TCP for upstream servers only"
112 echo "server:"
113 echo " tcp-upstream: yes"
114 echo
115 fi
116
117 local insecure_zones=""
118
119 local enabled zone server servers remark disable_dnssec rest
120 while IFS="," read -r enabled zone servers remark disable_dnssec rest; do
121 # Line must be enabled.
122 [ "${enabled}" = "on" ] || continue
123
124 # Zones that end with .local are commonly used for internal
125 # zones and therefore not signed
126 case "${zone}" in
127 *.local)
128 insecure_zones="${insecure_zones} ${zone}"
129 ;;
130 *)
131 if [ "${disable_dnssec}" = "on" ]; then
132 insecure_zones="${insecure_zones} ${zone}"
133 fi
134 ;;
135 esac
136
137 echo "stub-zone:"
138 echo " name: ${zone}"
139 for server in ${servers//|/ }; do
140 if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
141 echo " stub-addr: ${server}"
142 else
143 echo " stub-host: ${server}"
144 fi
145 done
146 echo
147
148 # Make all reverse lookup zones transparent
149 case "${zone}" in
150 *.in-addr.arpa)
151 echo "server:"
152 echo " local-zone: \"${zone}\" transparent"
153 echo
154 ;;
155 esac
156 done < /var/ipfire/dnsforward/config
157
158 if [ -n "${insecure_zones}" ]; then
159 echo "server:"
160
161 for zone in ${insecure_zones}; do
162 echo " domain-insecure: ${zone}"
163 done
164 fi
165
166 echo "forward-zone:"
167 echo " name: \".\""
168
169 # Force using TLS only
170 if [ "${PROTO}" = "TLS" ]; then
171 echo " forward-tls-upstream: yes"
172 fi
173
174 # Add upstream name servers
175 local id address tls_hostname enabled remark
176 while IFS="," read -r id address tls_hostname enabled remark; do
177 # Skip disabled servers
178 [ "${enabled}" != "enabled" ] && continue
179
180 # Set DNS server
181 if [ "${PROTO}" = "TLS" ]; then
182 if [ -n "${tls_hostname}" ]; then
183 echo " forward-addr: ${address}@853#${tls_hostname}"
184 fi
185 else
186 echo " forward-addr: ${address}"
187 fi
188 done < /var/ipfire/dns/servers
189 ) > /etc/unbound/forward.conf
190 }
191
192 write_tuning_conf() {
193 # https://www.unbound.net/documentation/howto_optimise.html
194
195 # Determine number of online processors
196 local processors=$(getconf _NPROCESSORS_ONLN)
197
198 # Determine number of slabs
199 local slabs=1
200 while [ ${slabs} -lt ${processors} ]; do
201 slabs=$(( ${slabs} * 2 ))
202 done
203
204 # Determine amount of system memory
205 local mem=$(get_memory_amount)
206
207 # In the worst case scenario, unbound can use double the
208 # amount of memory allocated to a cache due to malloc overhead
209
210 # Even larger systems with more than 8GB of RAM
211 if [ ${mem} -ge 8192 ]; then
212 mem=1024
213
214 # Extra large systems with more than 4GB of RAM
215 elif [ ${mem} -ge 4096 ]; then
216 mem=512
217
218 # Large systems with more than 2GB of RAM
219 elif [ ${mem} -ge 2048 ]; then
220 mem=256
221
222 # Medium systems with more than 1GB of RAM
223 elif [ ${mem} -ge 1024 ]; then
224 mem=128
225
226 # Small systems with less than 256MB of RAM
227 elif [ ${mem} -le 256 ]; then
228 mem=16
229
230 # Everything else
231 else
232 mem=64
233 fi
234
235 (
236 config_header
237
238 # We run one thread per processor
239 echo "num-threads: ${processors}"
240 echo "so-reuseport: yes"
241
242 # Adjust number of slabs
243 echo "infra-cache-slabs: ${slabs}"
244 echo "key-cache-slabs: ${slabs}"
245 echo "msg-cache-slabs: ${slabs}"
246 echo "rrset-cache-slabs: ${slabs}"
247
248 # Slice up the cache
249 echo "rrset-cache-size: $(( ${mem} / 2 ))m"
250 echo "msg-cache-size: $(( ${mem} / 4 ))m"
251 echo "key-cache-size: $(( ${mem} / 4 ))m"
252
253 # Increase parallel queries
254 echo "outgoing-range: 8192"
255 echo "num-queries-per-thread: 4096"
256
257 # Use larger send/receive buffers
258 echo "so-sndbuf: 4m"
259 echo "so-rcvbuf: 4m"
260 ) > /etc/unbound/tuning.conf
261 }
262
263 get_memory_amount() {
264 local key val unit
265
266 while read -r key val unit; do
267 case "${key}" in
268 MemTotal:*)
269 # Convert to MB
270 echo "$(( ${val} / 1024 ))"
271 break
272 ;;
273 esac
274 done < /proc/meminfo
275 }
276
277 fix_time_if_dns_fail() {
278 # If DNS still not work try to init ntp with
279 # hardcoded ntp.ipfire.org (81.3.27.46)
280 check_red_has_carrier_and_ip
281 if [ -e "/var/ipfire/red/iface" -a "${?}" = "1" ]; then
282 host 0.ipfire.pool.ntp.org > /dev/null 2>&1
283 if [ "${?}" != "0" ]; then
284 boot_mesg "DNS still not functioning... Trying to sync time with ntp.ipfire.org (81.3.27.46)..."
285 loadproc /usr/local/bin/settime 81.3.27.46
286 fi
287 fi
288 }
289
290 resolve() {
291 local hostname="${1}"
292
293 local found=0
294 local ns
295 for ns in $(read_name_servers); do
296 local answer
297 for answer in $(dig "${DIG_ARGS[@]}" +short "@${ns}" A "${hostname}"); do
298 found=1
299
300 # Filter out non-IP addresses
301 if [[ ! "${answer}" =~ \.$ ]]; then
302 echo "${answer}"
303 fi
304 done
305
306 # End loop when we have got something
307 [ ${found} -eq 1 ] && break
308 done
309 }
310
311 # Sets up Safe Search for various search engines
312 update_safe_search() {
313 local google_tlds=(
314 google.ad
315 google.ae
316 google.al
317 google.am
318 google.as
319 google.at
320 google.az
321 google.ba
322 google.be
323 google.bf
324 google.bg
325 google.bi
326 google.bj
327 google.bs
328 google.bt
329 google.by
330 google.ca
331 google.cat
332 google.cd
333 google.cf
334 google.cg
335 google.ch
336 google.ci
337 google.cl
338 google.cm
339 google.cn
340 google.co.ao
341 google.co.bw
342 google.co.ck
343 google.co.cr
344 google.co.id
345 google.co.il
346 google.co.in
347 google.co.jp
348 google.co.ke
349 google.co.kr
350 google.co.ls
351 google.com
352 google.co.ma
353 google.com.af
354 google.com.ag
355 google.com.ai
356 google.com.ar
357 google.com.au
358 google.com.bd
359 google.com.bh
360 google.com.bn
361 google.com.bo
362 google.com.br
363 google.com.bz
364 google.com.co
365 google.com.cu
366 google.com.cy
367 google.com.do
368 google.com.ec
369 google.com.eg
370 google.com.et
371 google.com.fj
372 google.com.gh
373 google.com.gi
374 google.com.gt
375 google.com.hk
376 google.com.jm
377 google.com.kh
378 google.com.kw
379 google.com.lb
380 google.com.ly
381 google.com.mm
382 google.com.mt
383 google.com.mx
384 google.com.my
385 google.com.na
386 google.com.nf
387 google.com.ng
388 google.com.ni
389 google.com.np
390 google.com.om
391 google.com.pa
392 google.com.pe
393 google.com.pg
394 google.com.ph
395 google.com.pk
396 google.com.pr
397 google.com.py
398 google.com.qa
399 google.com.sa
400 google.com.sb
401 google.com.sg
402 google.com.sl
403 google.com.sv
404 google.com.tj
405 google.com.tr
406 google.com.tw
407 google.com.ua
408 google.com.uy
409 google.com.vc
410 google.com.vn
411 google.co.mz
412 google.co.nz
413 google.co.th
414 google.co.tz
415 google.co.ug
416 google.co.uk
417 google.co.uz
418 google.co.ve
419 google.co.vi
420 google.co.za
421 google.co.zm
422 google.co.zw
423 google.cv
424 google.cz
425 google.de
426 google.dj
427 google.dk
428 google.dm
429 google.dz
430 google.ee
431 google.es
432 google.fi
433 google.fm
434 google.fr
435 google.ga
436 google.ge
437 google.gg
438 google.gl
439 google.gm
440 google.gp
441 google.gr
442 google.gy
443 google.hn
444 google.hr
445 google.ht
446 google.hu
447 google.ie
448 google.im
449 google.iq
450 google.is
451 google.it
452 google.je
453 google.jo
454 google.kg
455 google.ki
456 google.kz
457 google.la
458 google.li
459 google.lk
460 google.lt
461 google.lu
462 google.lv
463 google.md
464 google.me
465 google.mg
466 google.mk
467 google.ml
468 google.mn
469 google.ms
470 google.mu
471 google.mv
472 google.mw
473 google.ne
474 google.nl
475 google.no
476 google.nr
477 google.nu
478 google.pl
479 google.pn
480 google.ps
481 google.pt
482 google.ro
483 google.rs
484 google.ru
485 google.rw
486 google.sc
487 google.se
488 google.sh
489 google.si
490 google.sk
491 google.sm
492 google.sn
493 google.so
494 google.sr
495 google.st
496 google.td
497 google.tg
498 google.tk
499 google.tl
500 google.tm
501 google.tn
502 google.to
503 google.tt
504 google.vg
505 google.vu
506 google.ws
507 )
508
509 # Cleanup previous settings
510 unbound-control local_zone_remove "bing.com" >/dev/null
511 unbound-control local_zone_remove "duckduckgo.com" >/dev/null
512 unbound-control local_zone_remove "yandex.com" >/dev/null
513 unbound-control local_zone_remove "yandex.ru" >/dev/null
514 unbound-control local_zone_remove "youtube.com" >/dev/null
515
516 local domain
517 for domain in ${google_tlds[@]}; do
518 unbound-control local_zone_remove "${domain}"
519 done >/dev/null
520
521 # Nothing to do if safe search is not enabled
522 if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
523 return 0
524 fi
525
526 # Bing
527 unbound-control bing.com transparent >/dev/null
528 for address in $(resolve "strict.bing.com"); do
529 unbound-control local_data "www.bing.com ${LOCAL_TTL} IN A ${address}"
530 done >/dev/null
531
532 # DuckDuckGo
533 unbound-control local_zone duckduckgo.com typetransparent >/dev/null
534 for address in $(resolve "safe.duckduckgo.com"); do
535 unbound-control local_data "duckduckgo.com ${LOCAL_TTL} IN A ${address}"
536 done >/dev/null
537
538 # Google
539 local addresses="$(resolve "forcesafesearch.google.com")"
540 for domain in ${google_tlds[@]}; do
541 unbound-control local_zone "${domain}" transparent >/dev/null
542 for address in ${addresses}; do
543 unbound-control local_data: "www.${domain} ${LOCAL_TTL} IN A ${address}"
544 done >/dev/null
545 done
546
547 # Yandex
548 for domain in yandex.com yandex.ru; do
549 unbound-control local_zone "${domain}" typetransparent >/dev/null
550 for address in $(resolve "familysearch.${domain}"); do
551 unbound-control local_data "${domain} ${LOCAL_TTL} IN A ${address}"
552 done >/dev/null
553 done
554
555 # YouTube
556 unbound-control local_zone youtube.com transparent >/dev/null
557 for address in $(resolve "restrictmoderate.youtube.com"); do
558 unbound-control local_data "www.youtube.com ${LOCAL_TTL} IN A ${address}"
559 done >/dev/null
560
561 return 0
562 }
563
564 case "$1" in
565 start)
566 # Print a nicer messagen when unbound is already running
567 if pidofproc -s unbound; then
568 statusproc /usr/sbin/unbound
569 exit 0
570 fi
571
572 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
573
574 # Update configuration files
575 write_tuning_conf
576 write_forward_conf
577
578 boot_mesg "Starting Unbound DNS Proxy..."
579 loadproc /usr/sbin/unbound || exit $?
580
581 # Make own hostname resolveable
582 own_hostname
583
584 # Install Safe Search rules when the system is already online
585 if [ -e "/var/ipfire/red/active" ]; then
586 update_safe_search
587 fi
588
589 # Update hosts
590 update_hosts
591
592 fix_time_if_dns_fail
593 ;;
594
595 stop)
596 boot_mesg "Stopping Unbound DNS Proxy..."
597 killproc /usr/sbin/unbound
598 ;;
599
600 restart)
601 $0 stop
602 sleep 1
603 $0 start
604 ;;
605
606 status)
607 statusproc /usr/sbin/unbound
608 ;;
609
610 update-forwarders)
611 : # XXX must set ISP name servers if necessary
612 ;;
613
614 remove-forwarders)
615 : # XXX must remove ISP name servers
616 ;;
617
618 resolve)
619 resolve "${2}"
620 ;;
621
622 update-safe-search)
623 update_safe_search
624 ;;
625
626 *)
627 echo "Usage: $0 {start|stop|restart|status|resolve|update-forwarders|remove-forwarders|update-safe-search}"
628 exit 1
629 ;;
630 esac
631
632 # End $rc_base/init.d/unbound
IPFire 2.x development tree