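#!/bin/bash
# Begin $rc_base/init.d/unbound

# Description : Unbound DNS resolver boot script for IPfire
# Author : Marcel Lorenz <marcel.lorenz@ipfire.org>
#
# NOTE: this script uses bash-only features (arrays, [[ ]], here-strings,
# &>), so it must be interpreted by bash rather than a plain POSIX sh.

. /etc/sysconfig/rc
. "${rc_functions}"

# Domain used by all upstream name server probes
TEST_DOMAIN="ipfire.org"

# This domain will never validate
TEST_DOMAIN_FAIL="dnssec-failed.org"

# Defaults; any of these may be overridden by /etc/sysconfig/unbound below
INSECURE_ZONES=
USE_FORWARDERS=1
ENABLE_SAFE_SEARCH=off
FORCE_TCP=off

# Cache any local zones for 60 seconds
LOCAL_TTL=60

# EDNS buffer size
EDNS_DEFAULT_BUFFER_SIZE=4096

# Load optional configuration. The file is sourced, i.e. executed as shell
# code, so it must only be writable by root.
[ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound

# Extra arguments passed to every dig invocation
DIG_ARGS=()

if [ "${FORCE_TCP}" = "on" ]; then
	DIG_ARGS+=( "+tcp" )
fi
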
# Converts a dotted-quad IPv4 address (${1}) into its in-addr.arpa PTR name
# and prints it, e.g. 192.168.1.10 -> 10.1.168.192.in-addr.arpa
ip_address_revptr() {
	local address="${1}"

	local o1 o2 o3 o4
	IFS=. read -r o1 o2 o3 o4 <<< "${address}"

	printf '%s\n' "${o4}.${o3}.${o2}.${o1}.in-addr.arpa"
}

# Prints the upstream name servers handed out on RED (dns1 and dns2),
# space-separated on one line. Missing files are skipped silently.
read_name_servers() {
	local n
	{
		for n in 1 2; do
			echo "$(</var/ipfire/red/dns${n})"
		done
	} 2>/dev/null | xargs echo
}

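# Checks whether RED is configured, present, has carrier and an IP address.
# NOTE: the return value is inverted relative to the usual shell convention:
#   0 = RED is not usable, 1 = RED is up and addressed.
# Callers test for "${?}" = "1".
check_red_has_carrier_and_ip() {
	local iface

	# Interface configured?
	[ -e "/var/ipfire/red/iface" ] || return 0
	iface="$(</var/ipfire/red/iface)"

	# Interface present?
	[ -n "${iface}" ] && [ -e "/sys/class/net/${iface}" ] || return 0

	# Has carrier?
	[ "$(<"/sys/class/net/${iface}/carrier")" = "1" ] || return 0

	# Has an IP address?
	ip address show dev "${iface}" | grep -q "inet" || return 0

	return 1
}
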
# Prints the "do not edit" banner that starts every generated config file,
# followed by an empty line
config_header() {
	printf '%s\n' \
		"# This file is automatically generated and any changes" \
		"# will be overwritten. DO NOT EDIT!" \
		""
}

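# Probes the name servers handed out on RED and points unbound at those that
# are DNSSEC-validating or DNSSEC-aware. If none works, falls back to
# recursor mode, and as a last resort to permissive DNSSEC with the broken
# servers. Records the chosen mode in /var/ipfire/red/dns.
# Reads USE_FORWARDERS and EDNS_DEFAULT_BUFFER_SIZE.
update_forwarders() {
	local red_status
	check_red_has_carrier_and_ip
	red_status="${?}"

	# check_red_has_carrier_and_ip returns 1 when RED is up and addressed
	if [ "${USE_FORWARDERS}" = "1" ] && [ "${red_status}" = "1" ]; then
		local forwarders
		local broken_forwarders

		local ns
		for ns in $(read_name_servers); do
			test_name_server "${ns}" &>/dev/null
			case "$?" in
				# Only use DNSSEC-validating or DNSSEC-aware name servers
				0|2)
					forwarders="${forwarders} ${ns}"
					;;
				*)
					broken_forwarders="${broken_forwarders} ${ns}"
					;;
			esac
		done

		# Determine EDNS buffer size: the smallest size any working
		# forwarder supports, never more than the default
		local new_edns_buffer_size="${EDNS_DEFAULT_BUFFER_SIZE}"
		local edns_buffer_size

		for ns in ${forwarders}; do
			edns_buffer_size="$(ns_determine_edns_buffer_size "${ns}")"
			if [ -n "${edns_buffer_size}" ]; then
				if [ "${edns_buffer_size}" -lt "${new_edns_buffer_size}" ]; then
					new_edns_buffer_size="${edns_buffer_size}"
				fi
			fi
		done

		if [ "${new_edns_buffer_size}" -lt "${EDNS_DEFAULT_BUFFER_SIZE}" ]; then
			boot_mesg "EDNS buffer size reduced to ${new_edns_buffer_size}" ${WARNING}
			echo_warning

			unbound-control -q set_option edns-buffer-size: "${new_edns_buffer_size}"
		fi

		# Show warning for any broken upstream name servers
		if [ -n "${broken_forwarders}" ]; then
			boot_mesg "Ignoring broken upstream name server(s): ${broken_forwarders:1}" ${WARNING}
			echo_warning
		fi

		if [ -n "${forwarders}" ]; then
			boot_mesg "Configuring upstream name server(s): ${forwarders:1}" ${INFO}
			echo_ok

			# Make sure DNSSEC is activated
			enable_dnssec

			echo "${forwarders}" > /var/ipfire/red/dns
			# Word-splitting is intended here: one argument per forwarder
			unbound-control -q forward ${forwarders}
			return 0
		fi

		# No working forwarders: test if the recursor mode is available
		if can_resolve_root "+bufsize=${new_edns_buffer_size}"; then
			# Make sure DNSSEC is activated
			enable_dnssec

			boot_mesg "Falling back to recursor mode" ${WARNING}
			echo_warning

		# If not, set DNSSEC to permissive mode and allow using all recursors
		elif [ -n "${broken_forwarders}" ]; then
			disable_dnssec

			boot_mesg "DNSSEC has been set to permissive mode" ${FAILURE}
			echo_failure

			echo "${broken_forwarders}" > /var/ipfire/red/dns
			# Word-splitting is intended here: one argument per forwarder
			unbound-control -q forward ${broken_forwarders}
			return 0
		fi
	fi

	# If forwarders cannot be used we run in recursor mode
	echo "local recursor" > /var/ipfire/red/dns
	unbound-control -q forward off
}
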
# Drops all upstream forwarders: re-enables strict DNSSEC, records recursor
# mode in /var/ipfire/red/dns and tells unbound to stop forwarding
remove_forwarders() {
	enable_dnssec

	printf '%s\n' "local recursor" > /var/ipfire/red/dns
	unbound-control -q forward off
}

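# Publishes the firewall's own FQDN as local data in unbound: an A record
# pointing at GREEN and a PTR record for every configured GREEN/BLUE/ORANGE
# address. Reads GREEN_ADDRESS, BLUE_ADDRESS and ORANGE_ADDRESS.
own_hostname() {
	local hostname
	hostname="$(hostname -f)"

	# 1.1.1.1 is reserved for unused green, skip this
	if [ -n "${GREEN_ADDRESS}" ] && [ "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
		unbound-control -q local_data "${hostname} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}"
	fi

	local address revptr
	for address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
		[ -n "${address}" ] || continue
		[ "${address}" = "1.1.1.1" ] && continue

		revptr="$(ip_address_revptr "${address}")"
		unbound-control -q local_data "${revptr} ${LOCAL_TTL} IN PTR ${hostname}"
	done
}
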
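# Loads the static host entries from /var/ipfire/main/hosts into unbound.
# Each line is "enabled,address,hostname,domainname,generateptr".
# Reads GREEN_ADDRESS and LOCAL_TTL.
update_hosts() {
	local enabled address hostname domainname generateptr
	local fqdn revptr

	# "|| [ -n ... ]" also processes a final line that lacks a trailing newline
	while IFS="," read -r enabled address hostname domainname generateptr || [ -n "${enabled}" ]; do
		[ "${enabled}" = "on" ] || continue

		# Build FQDN
		fqdn="${hostname}.${domainname}"

		unbound-control -q local_data "${fqdn} ${LOCAL_TTL} IN A ${address}"

		# Skip reverse resolution if the address equals the GREEN address
		[ "${address}" = "${GREEN_ADDRESS}" ] && continue

		# Skip reverse resolution if user requested not to do so
		[ "${generateptr}" = "off" ] && continue

		# Add RDNS
		revptr="$(ip_address_revptr "${address}")"
		unbound-control -q local_data "${revptr} ${LOCAL_TTL} IN PTR ${fqdn}"
	done < /var/ipfire/main/hosts
}
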
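# Emits one " <prefix>-addr:" (dotted-quad) or " <prefix>-host:" (name) line
# per entry of the "|"-separated server list ${2}; ${1} is "stub" or "forward"
write_zone_servers() {
	local prefix="${1}"
	local servers="${2}"

	local server
	for server in ${servers//|/ }; do
		if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
			echo " ${prefix}-addr: ${server}"
		else
			echo " ${prefix}-host: ${server}"
		fi
	done
}

# Generates /etc/unbound/forward.conf from /var/ipfire/dnsforward/config.
# Each config line is "enabled,zone,server1|server2|...,remark,disable_dnssec".
# Reverse-lookup zones become stub zones, everything else a forward zone;
# zones ending in .local or flagged disable_dnssec=on, plus INSECURE_ZONES,
# are listed as domain-insecure.
write_forward_conf() {
	(
		config_header

		# Force using TCP for upstream servers only
		if [ "${FORCE_TCP}" = "on" ]; then
			echo "# Force using TCP for upstream servers only"
			echo "server:"
			echo " tcp-upstream: yes"
			echo
		fi

		local insecure_zones="${INSECURE_ZONES}"

		local enabled zone servers remark nodnssec rest
		# NOTE: zone and server values are written verbatim into the unbound
		# configuration; they are expected to have been validated by the
		# web UI that writes the config file.
		# "|| [ -n ... ]" also processes a final line without trailing newline.
		while IFS="," read -r enabled zone servers remark nodnssec rest || [ -n "${enabled}" ]; do
			# Line must be enabled.
			[ "${enabled}" = "on" ] || continue

			# Zones that end with .local are commonly used for internal
			# zones and therefore not signed
			case "${zone}" in
				*.local)
					insecure_zones="${insecure_zones} ${zone}"
					;;
				*)
					if [ "${nodnssec}" = "on" ]; then
						insecure_zones="${insecure_zones} ${zone}"
					fi
					;;
			esac

			# Reverse-lookup zones must be stubs
			case "${zone}" in
				*.in-addr.arpa)
					echo "stub-zone:"
					echo " name: ${zone}"
					write_zone_servers "stub" "${servers}"
					echo
					echo "server:"
					echo " local-zone: \"${zone}\" transparent"
					echo
					;;
				*)
					echo "forward-zone:"
					echo " name: ${zone}"
					write_zone_servers "forward" "${servers}"
					echo
					;;
			esac
		done < /var/ipfire/dnsforward/config

		if [ -n "${insecure_zones}" ]; then
			echo "server:"

			for zone in ${insecure_zones}; do
				echo " domain-insecure: ${zone}"
			done
		fi
	) > /etc/unbound/forward.conf
}
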
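# Generates /etc/unbound/tuning.conf: threads and cache slabs scale with the
# number of online processors, cache sizes with the installed memory.
# https://www.unbound.net/documentation/howto_optimise.html
write_tuning_conf() {
	# Determine number of online processors (assume 1 if getconf cannot tell)
	local processors
	processors="$(getconf _NPROCESSORS_ONLN 2>/dev/null)"
	[ -n "${processors}" ] || processors=1

	# Determine number of slabs: the smallest power of two >= processors
	local slabs=1
	while [ "${slabs}" -lt "${processors}" ]; do
		slabs=$(( slabs * 2 ))
	done

	# Determine amount of system memory in MB
	local mem
	mem="$(get_memory_amount)"

	# In the worst case scenario, unbound can use double the
	# amount of memory allocated to a cache due to malloc overhead
	local cache_mb
	if [ -z "${mem}" ]; then
		# Memory amount unknown: use the conservative default
		cache_mb=64

	# Even larger systems with more than 8GB of RAM
	elif [ "${mem}" -ge 8192 ]; then
		cache_mb=1024

	# Extra large systems with more than 4GB of RAM
	elif [ "${mem}" -ge 4096 ]; then
		cache_mb=512

	# Large systems with more than 2GB of RAM
	elif [ "${mem}" -ge 2048 ]; then
		cache_mb=256

	# Medium systems with more than 1GB of RAM
	elif [ "${mem}" -ge 1024 ]; then
		cache_mb=128

	# Small systems with 256MB of RAM or less
	elif [ "${mem}" -le 256 ]; then
		cache_mb=16

	# Everything else
	else
		cache_mb=64
	fi

	(
		config_header

		# We run one thread per processor
		echo "num-threads: ${processors}"
		echo "so-reuseport: yes"

		# Adjust number of slabs
		echo "infra-cache-slabs: ${slabs}"
		echo "key-cache-slabs: ${slabs}"
		echo "msg-cache-slabs: ${slabs}"
		echo "rrset-cache-slabs: ${slabs}"

		# Slice up the cache
		echo "rrset-cache-size: $(( cache_mb / 2 ))m"
		echo "msg-cache-size: $(( cache_mb / 4 ))m"
		echo "key-cache-size: $(( cache_mb / 4 ))m"

		# Increase parallel queries
		echo "outgoing-range: 8192"
		echo "num-queries-per-thread: 4096"

		# Use larger send/receive buffers
		echo "so-sndbuf: 4m"
		echo "so-rcvbuf: 4m"
	) > /etc/unbound/tuning.conf
}
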
# Prints the total system memory in MB, taken from MemTotal in /proc/meminfo
get_memory_amount() {
	local key val unit

	while read -r key val unit; do
		[ "${key}" = "MemTotal:" ] || continue

		# /proc/meminfo reports kB; convert to MB
		echo "$(( val / 1024 ))"
		break
	done < /proc/meminfo
}

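# Classifies the upstream name server ${1}.
# Return codes:
#   0 DNSSEC validating
#   1 Error: unreachable, etc.
#   2 DNSSEC aware
#   3 NOT DNSSEC-aware
# Prints the missing resource record types to stderr for code 3.
test_name_server() {
	local ns="${1}"
	local -a args=()

	# Exit when the server is not reachable
	ns_is_online "${ns}" || return 1

	# Determine the maximum edns buffer size that works
	local edns_buffer_size
	edns_buffer_size="$(ns_determine_edns_buffer_size "${ns}")"
	if [ -n "${edns_buffer_size}" ]; then
		args+=( "+bufsize=${edns_buffer_size}" )
	fi

	local rr errors
	for rr in DNSKEY DS RRSIG; do
		# Dispatches to ns_forwards_DNSKEY, ns_forwards_DS and ns_forwards_RRSIG
		if ! "ns_forwards_${rr}" "${ns}" "${args[@]}"; then
			errors="${errors} ${rr}"
		fi
	done

	if [ -n "${errors}" ]; then
		echo >&2 "Unable to retrieve the following resource records from ${ns}: ${errors:1}"
		return 3
	fi

	if ns_is_validating "${ns}" "${args[@]}"; then
		# Return 0 if validating
		return 0
	fi

	# Is DNSSEC-aware
	return 2
}
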
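# Sends an A query to the nameserver ${1} w/o DNSSEC; the exit status is
# dig's. Any further arguments are passed through to dig.
ns_is_online() {
	local ns="${1}"
	shift

	dig "${DIG_ARGS[@]}" "@${ns}" +nodnssec A "${TEST_DOMAIN}" "$@" >/dev/null
}
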
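# Resolving ${TEST_DOMAIN_FAIL} will fail if the nameserver ${1} is
# validating. Returns 0 only if that query yields SERVFAIL and a DNSSEC
# SOA query for ${TEST_DOMAIN} comes back with the "ad" flag.
# Any further arguments are passed through to dig.
ns_is_validating() {
	local ns="${1}"
	shift

	dig "${DIG_ARGS[@]}" "@${ns}" A "${TEST_DOMAIN_FAIL}" "$@" | grep -q SERVFAIL || return 1

	# Determine if NS replies with "ad" data flag if DNSSEC enabled.
	# The END rule makes a missing flags line (no answer at all) count as
	# "not validating" instead of letting awk exit 0 by default.
	dig "${DIG_ARGS[@]}" "@${ns}" +dnssec SOA "${TEST_DOMAIN}" "$@" \
		| awk '/;; flags:/ { seen = 1; s = 1; if (/ ad/) s = 0; exit s } END { if (!seen) exit 1 }'
}
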
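# Checks if we can retrieve the DNSKEY for ${TEST_DOMAIN} via ${1}.
# dig will print the SOA if nothing was found.
# NOTE(review): "grep -qv SOA" succeeds as soon as any output line lacks
# "SOA", so this only fails when dig prints (almost) nothing — confirm
# this is the intended strictness.
ns_forwards_DNSKEY() {
	local ns="${1}"
	shift

	dig "${DIG_ARGS[@]}" "@${ns}" DNSKEY "${TEST_DOMAIN}" "$@" | grep -qv SOA
}
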
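# Checks if we can retrieve the DS record for ${TEST_DOMAIN} via ${1}.
# Same output test as ns_forwards_DNSKEY (any line without "SOA" passes).
ns_forwards_DS() {
	local ns="${1}"
	shift

	dig "${DIG_ARGS[@]}" "@${ns}" DS "${TEST_DOMAIN}" "$@" | grep -qv SOA
}
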
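# Checks whether a DNSSEC A query for ${TEST_DOMAIN} via ${1} returns
# RRSIG records, i.e. the server passes signatures through
ns_forwards_RRSIG() {
	local ns="${1}"
	shift

	dig "${DIG_ARGS[@]}" "@${ns}" +dnssec A "${TEST_DOMAIN}" "$@" | grep -q RRSIG
}
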
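# Checks whether the nameserver ${1} answers an A query over TCP.
# Returns 0 if it does (or if TCP is forced globally), 1 otherwise.
ns_supports_tcp() {
	local ns="${1}"
	shift

	# If TCP is forced we know by now if the server responds to it
	if [ "${FORCE_TCP}" = "on" ]; then
		return 0
	fi

	dig "${DIG_ARGS[@]}" "@${ns}" +tcp A "${TEST_DOMAIN}" "$@" >/dev/null || return 1
}
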
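# Prints the largest EDNS buffer size (from a fixed list of candidates) for
# which a DNSSEC A query to ${1} succeeds. Returns 1 and prints nothing if
# no size works. Any further arguments are passed through to dig.
ns_determine_edns_buffer_size() {
	local ns="${1}"
	shift

	local size
	for size in 4096 2048 1500 1480 1464 1400 1280 512; do
		if dig "${DIG_ARGS[@]}" "@${ns}" +dnssec "+bufsize=${size}" A "${TEST_DOMAIN}" "$@" >/dev/null; then
			echo "${size}"
			return 0
		fi
	done

	return 1
}
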
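# Prints the IPv4 addresses of the root name servers from root.hints,
# one per line (only A records are considered)
get_root_nameservers() {
	local hostname ttl record address

	# "|| [ -n ... ]" also processes a final line without trailing newline
	while read -r hostname ttl record address || [ -n "${record}" ]; do
		# Searching for A records
		[ "${record}" = "A" ] || continue

		echo "${address}"
	done < /etc/unbound/root.hints
}
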
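# Returns 0 if at least one root name server answers a DNSSEC SOA query
# for ".", 1 if none does. All arguments are passed through to dig.
can_resolve_root() {
	local ns
	for ns in $(get_root_nameservers); do
		if dig "${DIG_ARGS[@]}" "@${ns}" +dnssec SOA . "$@" >/dev/null; then
			return 0
		fi
	done

	# none of the servers was reachable
	return 1
}
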
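# Switches unbound back to strict DNSSEC validation (val-permissive-mode no)
# and records "on" in /var/ipfire/red/dnssec-status
enable_dnssec() {
	local status
	status="$(unbound-control get_option val-permissive-mode)"

	# Log DNSSEC status
	echo "on" > /var/ipfire/red/dnssec-status

	# Don't do anything if DNSSEC is already activated
	[ "${status}" = "no" ] && return 0

	# Activate DNSSEC and flush cache with any stale and unvalidated data
	unbound-control -q set_option val-permissive-mode: no
	unbound-control -q flush_zone .
}
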
# Puts unbound into permissive DNSSEC mode (answers are no longer rejected
# when validation fails) and records "off" in /var/ipfire/red/dnssec-status
disable_dnssec() {
	# Log DNSSEC status
	printf '%s\n' "off" > /var/ipfire/red/dnssec-status

	unbound-control -q set_option val-permissive-mode: yes
}

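# If DNS still does not work, try to init ntp with the
# hardcoded ntp.ipfire.org (81.3.27.46)
fix_time_if_dns_fail() {
	local red_status
	check_red_has_carrier_and_ip
	red_status="${?}"

	# check_red_has_carrier_and_ip returns 1 when RED is up and addressed
	if [ -e "/var/ipfire/red/iface" ] && [ "${red_status}" = "1" ]; then
		if ! host 0.ipfire.pool.ntp.org > /dev/null 2>&1; then
			boot_mesg "DNS still not functioning... Trying to sync time with ntp.ipfire.org (81.3.27.46)..."
			loadproc /usr/local/bin/settime 81.3.27.46
		fi
	fi
}
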
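# Prints the IPv4 addresses of ${1}, one per line, as returned by the first
# RED name server that gives a usable answer. Output that is not a
# dotted-quad address (CNAME targets ending in ".", dig error text) is
# discarded and does not count as an answer.
resolve() {
	local hostname="${1}"

	local found=0
	local ns answer
	for ns in $(read_name_servers); do
		for answer in $(dig "${DIG_ARGS[@]}" +short "@${ns}" A "${hostname}"); do
			# Filter out non-IP addresses
			if [[ "${answer}" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
				found=1
				echo "${answer}"
			fi
		done

		# End loop when we have got something
		[ "${found}" -eq 1 ] && break
	done
}
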
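# Sets up Safe Search for various search engines by overriding their
# public hostnames in unbound with the addresses of the "safe" endpoints
# (looked up through resolve). Always removes previous overrides first;
# installs new ones only if ENABLE_SAFE_SEARCH is "on".
update_safe_search() {
	local google_tlds=(
		google.ad
		google.ae
		google.al
		google.am
		google.as
		google.at
		google.az
		google.ba
		google.be
		google.bf
		google.bg
		google.bi
		google.bj
		google.bs
		google.bt
		google.by
		google.ca
		google.cat
		google.cd
		google.cf
		google.cg
		google.ch
		google.ci
		google.cl
		google.cm
		google.cn
		google.co.ao
		google.co.bw
		google.co.ck
		google.co.cr
		google.co.id
		google.co.il
		google.co.in
		google.co.jp
		google.co.ke
		google.co.kr
		google.co.ls
		google.com
		google.co.ma
		google.com.af
		google.com.ag
		google.com.ai
		google.com.ar
		google.com.au
		google.com.bd
		google.com.bh
		google.com.bn
		google.com.bo
		google.com.br
		google.com.bz
		google.com.co
		google.com.cu
		google.com.cy
		google.com.do
		google.com.ec
		google.com.eg
		google.com.et
		google.com.fj
		google.com.gh
		google.com.gi
		google.com.gt
		google.com.hk
		google.com.jm
		google.com.kh
		google.com.kw
		google.com.lb
		google.com.ly
		google.com.mm
		google.com.mt
		google.com.mx
		google.com.my
		google.com.na
		google.com.nf
		google.com.ng
		google.com.ni
		google.com.np
		google.com.om
		google.com.pa
		google.com.pe
		google.com.pg
		google.com.ph
		google.com.pk
		google.com.pr
		google.com.py
		google.com.qa
		google.com.sa
		google.com.sb
		google.com.sg
		google.com.sl
		google.com.sv
		google.com.tj
		google.com.tr
		google.com.tw
		google.com.ua
		google.com.uy
		google.com.vc
		google.com.vn
		google.co.mz
		google.co.nz
		google.co.th
		google.co.tz
		google.co.ug
		google.co.uk
		google.co.uz
		google.co.ve
		google.co.vi
		google.co.za
		google.co.zm
		google.co.zw
		google.cv
		google.cz
		google.de
		google.dj
		google.dk
		google.dm
		google.dz
		google.ee
		google.es
		google.fi
		google.fm
		google.fr
		google.ga
		google.ge
		google.gg
		google.gl
		google.gm
		google.gp
		google.gr
		google.gy
		google.hn
		google.hr
		google.ht
		google.hu
		google.ie
		google.im
		google.iq
		google.is
		google.it
		google.je
		google.jo
		google.kg
		google.ki
		google.kz
		google.la
		google.li
		google.lk
		google.lt
		google.lu
		google.lv
		google.md
		google.me
		google.mg
		google.mk
		google.ml
		google.mn
		google.ms
		google.mu
		google.mv
		google.mw
		google.ne
		google.nl
		google.no
		google.nr
		google.nu
		google.pl
		google.pn
		google.ps
		google.pt
		google.ro
		google.rs
		google.ru
		google.rw
		google.sc
		google.se
		google.sh
		google.si
		google.sk
		google.sm
		google.sn
		google.so
		google.sr
		google.st
		google.td
		google.tg
		google.tk
		google.tl
		google.tm
		google.tn
		google.to
		google.tt
		google.vg
		google.vu
		google.ws
	)

	# Cleanup previous settings
	unbound-control local_zone_remove "bing.com" >/dev/null
	unbound-control local_zone_remove "duckduckgo.com" >/dev/null
	unbound-control local_zone_remove "yandex.com" >/dev/null
	unbound-control local_zone_remove "yandex.ru" >/dev/null
	unbound-control local_zone_remove "youtube.com" >/dev/null

	local domain address
	for domain in "${google_tlds[@]}"; do
		unbound-control local_zone_remove "${domain}"
	done >/dev/null

	# Nothing to do if safe search is not enabled
	if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
		return 0
	fi

	# Bing
	unbound-control local_zone bing.com transparent >/dev/null
	for address in $(resolve "strict.bing.com"); do
		unbound-control local_data "www.bing.com ${LOCAL_TTL} IN A ${address}"
	done >/dev/null

	# DuckDuckGo
	unbound-control local_zone duckduckgo.com typetransparent >/dev/null
	for address in $(resolve "safe.duckduckgo.com"); do
		unbound-control local_data "duckduckgo.com ${LOCAL_TTL} IN A ${address}"
	done >/dev/null

	# Google: one override per country-code domain
	local addresses
	addresses="$(resolve "forcesafesearch.google.com")"
	for domain in "${google_tlds[@]}"; do
		unbound-control local_zone "${domain}" transparent >/dev/null
		for address in ${addresses}; do
			unbound-control local_data "www.${domain} ${LOCAL_TTL} IN A ${address}"
		done >/dev/null
	done

	# Yandex
	for domain in yandex.com yandex.ru; do
		unbound-control local_zone "${domain}" typetransparent >/dev/null
		for address in $(resolve "familysearch.${domain}"); do
			unbound-control local_data "${domain} ${LOCAL_TTL} IN A ${address}"
		done >/dev/null
	done

	# YouTube
	unbound-control local_zone youtube.com transparent >/dev/null
	for address in $(resolve "restrictmoderate.youtube.com"); do
		unbound-control local_data "www.youtube.com ${LOCAL_TTL} IN A ${address}"
	done >/dev/null

	return 0
}
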
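# Command dispatch
case "${1}" in
	start)
		# Print a nicer message when unbound is already running
		if pidofproc -s unbound; then
			statusproc /usr/sbin/unbound
			exit 0
		fi

		# Import the network settings as shell variables (presumably
		# GREEN_ADDRESS/BLUE_ADDRESS/ORANGE_ADDRESS used by own_hostname and
		# update_hosts). The readhash output is executed as shell code, so
		# the settings file must only be writable by root.
		eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)

		# Update configuration files
		write_tuning_conf
		write_forward_conf

		boot_mesg "Starting Unbound DNS Proxy..."
		loadproc /usr/sbin/unbound || exit $?

		# Make own hostname resolveable
		own_hostname

		# Update any known forwarding name servers
		update_forwarders

		# Install Safe Search rules when the system is already online
		if [ -e "/var/ipfire/red/active" ]; then
			update_safe_search
		fi

		# Update hosts
		update_hosts

		fix_time_if_dns_fail
		;;

	stop)
		boot_mesg "Stopping Unbound DNS Proxy..."
		killproc /usr/sbin/unbound
		;;

	restart)
		"${0}" stop
		sleep 1
		"${0}" start
		;;

	status)
		statusproc /usr/sbin/unbound
		;;

	update-forwarders)
		# Do not try updating forwarders when unbound is not running
		if ! pgrep unbound &>/dev/null; then
			exit 0
		fi

		update_forwarders

		unbound-control flush_negative > /dev/null
		unbound-control flush_bogus > /dev/null

		fix_time_if_dns_fail
		;;

	remove-forwarders)
		# Do not try updating forwarders when unbound is not running
		if ! pgrep unbound &>/dev/null; then
			exit 0
		fi

		remove_forwarders

		unbound-control flush_negative > /dev/null
		unbound-control flush_bogus > /dev/null
		;;

	test-name-server)
		ns="${2}"
		if [ -z "${ns}" ]; then
			echo "Usage: ${0} test-name-server <address>" >&2
			exit 1
		fi

		test_name_server "${ns}"
		ret="${?}"

		case "${ret}" in
			0)
				echo "${ns} is validating"
				;;
			2)
				echo "${ns} is DNSSEC-aware"
				;;
			3)
				echo "${ns} is NOT DNSSEC-aware"
				;;
			*)
				echo "Test failed for an unknown reason"
				exit "${ret}"
				;;
		esac

		if ns_supports_tcp "${ns}"; then
			echo "${ns} supports TCP fallback"
		else
			echo "${ns} does not support TCP fallback"
		fi

		edns_buffer_size="$(ns_determine_edns_buffer_size "${ns}")"
		if [ -n "${edns_buffer_size}" ]; then
			echo "EDNS buffer size for ${ns}: ${edns_buffer_size}"
		fi

		exit "${ret}"
		;;

	resolve)
		if [ -z "${2}" ]; then
			echo "Usage: ${0} resolve <hostname>" >&2
			exit 1
		fi

		resolve "${2}"
		;;

	update-safe-search)
		update_safe_search
		;;

	*)
		echo "Usage: ${0} {start|stop|restart|status|update-forwarders|remove-forwarders|test-name-server|resolve|update-safe-search}" >&2
		exit 1
		;;
esac

# End $rc_base/init.d/unbound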