2 # Begin $rc_base/init.d/unbound
4 # Description : Unbound DNS resolver boot script for IPfire
5 # Author : Marcel Lorenz <marcel.lorenz@ipfire.org>
10 TEST_DOMAIN
="ipfire.org"
12 # This domain will never validate
13 TEST_DOMAIN_FAIL
="dnssec-failed.org"
15 # Cache any local zones for 60 seconds
19 eval $
(/usr
/local
/bin
/readhash
/var
/ipfire
/dns
/settings
)
20 eval $
(/usr
/local
/bin
/readhash
/var
/ipfire
/ethernet
/settings
)
26 IFS
=.
read -r a1 a2 a3 a4
<<< ${addr}
28 echo "${a4}.${a3}.${a2}.${a1}.in-addr.arpa"
32 # Read name servers from ISP
33 if [ "${USE_ISP_NAMESERVERS}" = "on" -a "${PROTO}" != "TLS" ]; then
36 echo "$(</var/run/dns${i})"
40 # Read configured name servers
41 local id address tls_hostname enabled remark
42 while IFS
="," read -r id address tls_hostname enabled remark
; do
43 [ "${enabled}" != "enabled" ] && continue
45 if [ "${PROTO}" = "TLS" ]; then
46 if [ -n "${tls_hostname}" ]; then
47 echo "${address}@853#${tls_hostname}"
52 done < /var
/ipfire
/dns
/servers
56 echo "# This file is automatically generated and any changes"
57 echo "# will be overwritten. DO NOT EDIT!"
62 local hostname
=$
(hostname
-f)
63 # 1.1.1.1 is reserved for unused green, skip this
64 if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
65 unbound-control
-q local_data
"${hostname} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}"
69 for address
in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
70 [ -n "${address}" ] ||
continue
71 [ "${address}" = "1.1.1.1" ] && continue
73 address
=$
(ip_address_revptr
${address})
74 unbound-control
-q local_data
"${address} ${LOCAL_TTL} IN PTR ${hostname}"
79 local enabled address hostname domainname generateptr
81 while IFS
="," read -r enabled address hostname domainname generateptr
; do
82 [ "${enabled}" = "on" ] ||
continue
85 local fqdn
="${hostname}.${domainname}"
87 unbound-control
-q local_data
"${fqdn} ${LOCAL_TTL} IN A ${address}"
89 # Skip reverse resolution if the address equals the GREEN address
90 [ "${address}" = "${GREEN_ADDRESS}" ] && continue
92 # Skip reverse resolution if user requested not to do so
93 [ "${generateptr}" = "off" ] && continue
96 address
=$
(ip_address_revptr
${address})
97 unbound-control
-q local_data
"${address} ${LOCAL_TTL} IN PTR ${fqdn}"
98 done < /var
/ipfire
/main
/hosts
101 write_forward_conf
() {
105 # Enable strict QNAME minimisation
106 if [ "${QNAME_MIN}" = "strict" ]; then
108 echo " qname-minimisation-strict: yes"
112 # Force using TCP for upstream servers only
113 if [ "${PROTO}" = "TCP" ]; then
114 echo "# Force using TCP for upstream servers only"
116 echo " tcp-upstream: yes"
120 local insecure_zones
=""
122 local enabled zone server servers remark disable_dnssec rest
123 while IFS
="," read -r enabled zone servers remark disable_dnssec rest
; do
124 # Line must be enabled.
125 [ "${enabled}" = "on" ] ||
continue
127 # Zones that end with .local are commonly used for internal
128 # zones and therefore not signed
131 insecure_zones
="${insecure_zones} ${zone}"
134 if [ "${disable_dnssec}" = "on" ]; then
135 insecure_zones
="${insecure_zones} ${zone}"
141 echo " name: ${zone}"
142 for server
in ${servers//|/ }; do
143 if [[ ${server} =~ ^
[0-9]+\.
[0-9]+\.
[0-9]+\.
[0-9]+$
]]; then
144 echo " stub-addr: ${server}"
146 echo " stub-host: ${server}"
151 # Make all reverse lookup zones transparent
155 echo " local-zone: \"${zone}\" transparent"
159 done < /var
/ipfire
/dnsforward
/config
161 if [ -n "${insecure_zones}" ]; then
164 for zone
in ${insecure_zones}; do
165 echo " domain-insecure: ${zone}"
172 # Force using TLS only
173 if [ "${PROTO}" = "TLS" ]; then
174 echo " forward-tls-upstream: yes"
177 # Add upstream name servers
179 for ns
in $
(read_name_servers
); do
180 echo " forward-addr: ${ns}"
182 ) > /etc
/unbound
/forward.conf
185 write_tuning_conf
() {
186 # https://www.unbound.net/documentation/howto_optimise.html
188 # Determine number of online processors
189 local processors
=$
(getconf _NPROCESSORS_ONLN
)
191 # Determine number of slabs
193 while [ ${slabs} -lt ${processors} ]; do
194 slabs
=$
(( ${slabs} * 2 ))
197 # Determine amount of system memory
198 local mem
=$
(get_memory_amount
)
200 # In the worst case scenario, unbound can use double the
201 # amount of memory allocated to a cache due to malloc overhead
203 # Even larger systems with more than 8GB of RAM
204 if [ ${mem} -ge 8192 ]; then
207 # Extra large systems with more than 4GB of RAM
208 elif [ ${mem} -ge 4096 ]; then
211 # Large systems with more than 2GB of RAM
212 elif [ ${mem} -ge 2048 ]; then
215 # Medium systems with more than 1GB of RAM
216 elif [ ${mem} -ge 1024 ]; then
219 # Small systems with less than 256MB of RAM
220 elif [ ${mem} -le 256 ]; then
231 # We run one thread per processor
232 echo "num-threads: ${processors}"
233 echo "so-reuseport: yes"
235 # Adjust number of slabs
236 echo "infra-cache-slabs: ${slabs}"
237 echo "key-cache-slabs: ${slabs}"
238 echo "msg-cache-slabs: ${slabs}"
239 echo "rrset-cache-slabs: ${slabs}"
242 echo "rrset-cache-size: $(( ${mem} / 2 ))m"
243 echo "msg-cache-size: $(( ${mem} / 4 ))m"
244 echo "key-cache-size: $(( ${mem} / 4 ))m"
246 # Increase parallel queries
247 echo "outgoing-range: 8192"
248 echo "num-queries-per-thread: 4096"
250 # Use larger send/receive buffers
253 ) > /etc
/unbound
/tuning.conf
256 get_memory_amount
() {
259 while read -r key val unit
; do
263 echo "$(( ${val} / 1024 ))"
270 fix_time_if_dns_fails
() {
271 # If DNS is working, everything is fine
272 if resolve
"ping.ipfire.org" &>/dev
/null
; then
276 # Try to sync time with a known time server
277 boot_mesg
"DNS not functioning... Trying to sync time with ntp.ipfire.org (81.3.27.46)..."
278 loadproc
/usr
/local
/bin
/settime
81.3.27.46
282 local hostname
="${1}"
285 for answer
in $
(dig +short A
"${hostname}"); do
286 # Filter out non-IP addresses
287 if [[ ! "${answer}" =~ \.$
]]; then
293 update_forwarders
() {
294 # Do nothing when we do not use the ISP name servers
295 [ "${USE_ISP_NAMESERVERS}" != "on" ] && return 0
297 # We cannot update anything when using TLS
298 # Unbound will then try to connect to the servers using UDP on port 853
299 [ "${PROTO}" = "TLS" ] && return 0
301 # Update unbound about the new servers
302 local nameservers
=( $
(read_name_servers
) )
303 if [ -n "${nameservers[*]}" ]; then
304 unbound-control
-q forward
"${nameservers[@]}"
306 unbound-control
-q forward off
310 # Sets up Safe Search for various search engines
311 update_safe_search
() {
508 # Cleanup previous settings
509 unbound-control local_zone_remove
"bing.com" >/dev
/null
510 unbound-control local_zone_remove
"duckduckgo.com" >/dev
/null
511 unbound-control local_zone_remove
"yandex.com" >/dev
/null
512 unbound-control local_zone_remove
"yandex.ru" >/dev
/null
513 unbound-control local_zone_remove
"youtube.com" >/dev
/null
516 for domain
in ${google_tlds[@]}; do
517 unbound-control local_zone_remove
"${domain}"
520 # Nothing to do if safe search is not enabled
521 if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
526 unbound-control bing.com transparent
>/dev
/null
527 for address
in $
(resolve
"strict.bing.com"); do
528 unbound-control local_data
"www.bing.com ${LOCAL_TTL} IN A ${address}"
532 unbound-control local_zone duckduckgo.com typetransparent
>/dev
/null
533 for address
in $
(resolve
"safe.duckduckgo.com"); do
534 unbound-control local_data
"duckduckgo.com ${LOCAL_TTL} IN A ${address}"
538 local addresses
="$(resolve "forcesafesearch.google.com
")"
539 for domain
in ${google_tlds[@]}; do
540 unbound-control local_zone
"${domain}" transparent
>/dev
/null
541 for address
in ${addresses}; do
542 unbound-control local_data
: "www.${domain} ${LOCAL_TTL} IN A ${address}"
547 for domain
in yandex.com yandex.ru
; do
548 unbound-control local_zone
"${domain}" typetransparent
>/dev
/null
549 for address
in $
(resolve
"familysearch.${domain}"); do
550 unbound-control local_data
"${domain} ${LOCAL_TTL} IN A ${address}"
555 unbound-control local_zone youtube.com transparent
>/dev
/null
556 for address
in $
(resolve
"restrictmoderate.youtube.com"); do
557 unbound-control local_data
"www.youtube.com ${LOCAL_TTL} IN A ${address}"
565 # Print a nicer messagen when unbound is already running
566 if pidofproc
-s unbound
; then
567 statusproc
/usr
/sbin
/unbound
571 # Update configuration files
575 boot_mesg
"Starting Unbound DNS Proxy..."
576 loadproc
/usr
/sbin
/unbound ||
exit $?
578 # Make own hostname resolveable
581 # Install Safe Search rules when the system is already online
582 if [ -e "/var/ipfire/red/active" ]; then
591 boot_mesg
"Stopping Unbound DNS Proxy..."
592 killproc
/usr
/sbin
/unbound
601 # Update configuration files
605 # Update Safe Search rules if the system is online.
606 if [ -e "/var/ipfire/red/active" ]; then
613 # Call unbound-control and perform the reload
614 /usr
/sbin
/unbound-control
-q reload
618 statusproc
/usr
/sbin
/unbound
624 # Make sure DNS works at this point
625 fix_time_if_dns_fails
627 # Update Safe Search settings
644 echo "Usage: $0 {start|stop|restart|reload|status|resolve|update-forwarders|remove-forwarders|update-safe-search}"
649 # End $rc_base/init.d/unbound