#!/bin/sh
# Begin $rc_base/init.d/unbound

# Description : Unbound DNS resolver boot script for IPfire
# Author : Marcel Lorenz <marcel.lorenz@ipfire.org>
#
# NOTE(review): the functions below use bash-only syntax ([[ ]], <<<, arrays,
# &>), so /bin/sh is expected to be bash on the target system.

# rc environment (provides ${rc_functions}) and the init helpers used
# further down -- presumably boot_mesg, loadproc, killproc, pidofproc
# and statusproc come from ${rc_functions}.
. /etc/sysconfig/rc
. ${rc_functions}

# Cache any local zones for 60 seconds
LOCAL_TTL=60

# Load configuration. readhash presumably prints the key=value pairs of a
# settings file as shell assignments, which eval executes in this shell:
# the two settings files are effectively run as code, and the values they
# define (PROTO, QNAME_MIN, USE_ISP_NAMESERVERS, ENABLE_SAFE_SEARCH,
# GREEN_ADDRESS, ...) are used unvalidated by the generators below.
eval $(/usr/local/bin/readhash /var/ipfire/dns/settings)
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
#######################################
# Turn a dotted-quad IPv4 address into its in-addr.arpa reverse name,
# e.g. 192.168.0.1 -> 1.0.168.192.in-addr.arpa
# Arguments: $1 - IPv4 address
# Outputs:   reverse pointer name on stdout
#######################################
ip_address_revptr() {
	local ipv4="${1}"
	local first second third fourth

	# Split on the dots; the IFS assignment only applies to this read
	IFS=. read -r first second third fourth <<< "${ipv4}"

	printf '%s.%s.%s.%s.in-addr.arpa\n' "${fourth}" "${third}" "${second}" "${first}"
}
#######################################
# Print the upstream name servers to forward to, one per line.
# Globals:   USE_ISP_NAMESERVERS, PROTO (read)
# Outputs:   plain addresses, or "address@853#tls_hostname" entries when
#            PROTO is TLS
#######################################
read_name_servers() {
	# Servers handed out by the ISP (/var/run/dns1, /var/run/dns2) are only
	# used for plain DNS: without a hostname there is nothing to
	# authenticate a TLS connection against.
	if [[ "${USE_ISP_NAMESERVERS}" == "on" && "${PROTO}" != "TLS" ]]; then
		local n
		for n in 1 2; do
			printf '%s\n' "$(</var/run/dns${n})"
		done 2>/dev/null
	fi

	# Servers configured by the administrator, one CSV record per line
	local id address tls_hostname enabled remark
	while IFS="," read -r id address tls_hostname enabled remark; do
		[[ "${enabled}" == "enabled" ]] || continue

		if [[ "${PROTO}" == "TLS" ]]; then
			# A server without a TLS hostname cannot be authenticated and is left out
			if [[ -n "${tls_hostname}" ]]; then
				printf '%s\n' "${address}@853#${tls_hostname}"
			fi
		else
			printf '%s\n' "${address}"
		fi
	done < /var/ipfire/dns/servers
}
#######################################
# Print the "do not edit" banner that heads every generated unbound file,
# followed by an empty line.
# Outputs:   banner on stdout
#######################################
config_header() {
	printf '%s\n' \
		"# This file is automatically generated and any changes" \
		"# will be overwritten. DO NOT EDIT!" \
		""
}
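#######################################
# Generate /etc/unbound/hosts.conf: forward and reverse records for the
# firewall's own interface addresses and for every enabled entry of
# /var/ipfire/main/hosts (CSV: enabled,address,hostname,domainname,generateptr).
# Globals:   HOSTNAME, LOCAL_TTL, GREEN_ADDRESS, BLUE_ADDRESS,
#            ORANGE_ADDRESS (read)
# Outputs:   overwrites /etc/unbound/hosts.conf
#######################################
write_hosts_conf() {
	(
		config_header

		# Make own hostname resolveable
		# 1.1.1.1 is reserved for unused green, skip this
		if [ -n "${GREEN_ADDRESS}" ] && [ "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
			echo "local-data: \"${HOSTNAME} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}\""
		fi

		# Reverse records for every configured interface address
		local address
		for address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
			[ -n "${address}" ] || continue
			[ "${address}" = "1.1.1.1" ] && continue

			address=$(ip_address_revptr "${address}")
			echo "local-data: \"${address} ${LOCAL_TTL} IN PTR ${HOSTNAME}\""
		done

		# The fields of the hosts file end up inside double-quoted unbound
		# directives and are not escaped here; they are assumed to have been
		# validated (no quotes, no whitespace) by whatever writes that file.
		local enabled address hostname domainname generateptr fqdn

		# Find all unique domain names. The pipe runs this loop in a
		# subshell, so nothing assigned inside it is visible afterwards.
		while IFS="," read -r enabled address hostname domainname generateptr; do
			[ "${enabled}" = "on" ] || continue

			# Skip empty domainnames
			[ "${domainname}" = "" ] && continue

			echo "local-zone: ${domainname} typetransparent"
		done < /var/ipfire/main/hosts | sort -u

		# Add all hosts
		while IFS="," read -r enabled address hostname domainname generateptr; do
			[ "${enabled}" = "on" ] || continue

			# Build FQDN
			# NOTE(review): an empty domainname yields "hostname." here even
			# though no local-zone was written for it above
			fqdn="${hostname}.${domainname}"
			echo "local-data: \"${fqdn} ${LOCAL_TTL} IN A ${address}\""

			# Skip reverse resolution if the address equals the GREEN address
			# (its PTR already points at the firewall's own hostname)
			[ "${address}" = "${GREEN_ADDRESS}" ] && continue

			# Skip reverse resolution if user requested not to do so
			[ "${generateptr}" = "off" ] && continue

			# Add RDNS
			address=$(ip_address_revptr "${address}")
			echo "local-data: \"${address} ${LOCAL_TTL} IN PTR ${fqdn}\""
		done < /var/ipfire/main/hosts
	) > /etc/unbound/hosts.conf
}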
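#######################################
# Generate /etc/unbound/forward.conf: global upstream options, one
# stub-zone per enabled entry of /var/ipfire/dnsforward/config
# (CSV: enabled,zone,servers,remark,disable_dnssec,...; servers separated
# by "|"), the zones excluded from DNSSEC validation, and the forward-zone
# for "." whenever upstream name servers are available.
# Globals:   QNAME_MIN, PROTO (read)
# Outputs:   overwrites /etc/unbound/forward.conf
#######################################
write_forward_conf() {
	(
		config_header

		# Enable strict QNAME minimisation
		if [ "${QNAME_MIN}" = "strict" ]; then
			echo "server:"
			echo " qname-minimisation-strict: yes"
			echo
		fi

		# Force using TCP for upstream servers only
		if [ "${PROTO}" = "TCP" ]; then
			echo "# Force using TCP for upstream servers only"
			echo "server:"
			echo " tcp-upstream: yes"
			echo
		fi

		# Zones for which DNSSEC validation gets switched off below
		local insecure_zones=""

		local enabled zone server servers remark disable_dnssec rest
		while IFS="," read -r enabled zone servers remark disable_dnssec rest; do
			# Line must be enabled.
			[ "${enabled}" = "on" ] || continue

			# Zones that end with .local are commonly used for internal
			# zones and therefore not signed
			case "${zone}" in
				*.local)
					insecure_zones="${insecure_zones} ${zone}"
					;;
				*)
					if [ "${disable_dnssec}" = "on" ]; then
						insecure_zones="${insecure_zones} ${zone}"
					fi
					;;
			esac

			echo "stub-zone:"
			echo " name: ${zone}"
			for server in ${servers//|/ }; do
				# Only dotted-quad literals become stub-addr; anything else
				# (an IPv6 literal included) is written as stub-host and
				# must be resolvable as a name
				if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
					echo " stub-addr: ${server}"
				else
					echo " stub-host: ${server}"
				fi
			done
			echo

			# Make all reverse lookup zones transparent
			case "${zone}" in
				*.in-addr.arpa)
					echo "server:"
					echo " local-zone: \"${zone}\" transparent"
					echo
					;;
			esac
		done < /var/ipfire/dnsforward/config

		# domain-insecure disables DNSSEC validation at and below these
		# names: answers from those zones are accepted unverified
		if [ -n "${insecure_zones}" ]; then
			echo "server:"

			for zone in ${insecure_zones}; do
				echo " domain-insecure: ${zone}"
			done
		fi

		# Read name servers. Declared separately so the helper's exit
		# status is not masked by "local".
		local nameservers
		nameservers=$(read_name_servers)

		# Only write forward zones if any nameservers are configured.
		#
		# Otherwise fall-back into recursor mode.
		if [ -n "${nameservers}" ]; then

			echo "forward-zone:"
			echo " name: \".\""

			# Force using TLS only. The entries then have the form
			# address@853#hostname and unbound checks the server certificate
			# against that hostname (the CA bundle for that check has to be
			# configured elsewhere; not visible in this script).
			if [ "${PROTO}" = "TLS" ]; then
				echo " forward-tls-upstream: yes"
			fi

			# Add upstream name servers
			local ns
			for ns in ${nameservers}; do
				echo " forward-addr: ${ns}"
			done
		fi

	) > /etc/unbound/forward.conf
}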
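#######################################
# Generate /etc/unbound/tuning.conf: cache sizes derived from the amount
# of system memory plus fixed query and socket buffer limits.
# See https://www.unbound.net/documentation/howto_optimise.html
# Outputs:   overwrites /etc/unbound/tuning.conf
#######################################
write_tuning_conf() {
	# Determine amount of system memory in MB. Declared separately so the
	# helper's exit status is not masked by "local".
	local mem
	mem=$(get_memory_amount)

	# In the worst case scenario, unbound can use double the
	# amount of memory allocated to a cache due to malloc overhead.
	# The tiers below turn the RAM size into the total cache budget (MB).
	# An empty or non-numeric value fails every comparison (with an error
	# on stderr) and ends up in the "everything else" tier.

	# Even larger systems with at least 8GB of RAM
	if [ "${mem}" -ge 8192 ]; then
		mem=1024

	# Extra large systems with at least 4GB of RAM
	elif [ "${mem}" -ge 4096 ]; then
		mem=512

	# Large systems with at least 2GB of RAM
	elif [ "${mem}" -ge 2048 ]; then
		mem=256

	# Medium systems with at least 1GB of RAM
	elif [ "${mem}" -ge 1024 ]; then
		mem=128

	# Small systems with 256MB of RAM or less
	elif [ "${mem}" -le 256 ]; then
		mem=16

	# Everything else
	else
		mem=64
	fi

	(
		config_header

		# Slice up the cache: half for RRsets, a quarter each for
		# messages and keys
		echo "rrset-cache-size: $(( ${mem} / 2 ))m"
		echo "msg-cache-size: $(( ${mem} / 4 ))m"
		echo "key-cache-size: $(( ${mem} / 4 ))m"

		# Increase parallel queries
		echo "outgoing-range: 8192"
		echo "num-queries-per-thread: 4096"

		# Use larger send/receive buffers
		echo "so-sndbuf: 4m"
		echo "so-rcvbuf: 4m"
	) > /etc/unbound/tuning.conf
}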
#######################################
# Print the total system memory in MB, taken from the MemTotal line of
# /proc/meminfo (which reports kB).
# Outputs:   integer MB on stdout; nothing if no MemTotal line is found
#######################################
get_memory_amount() {
	local field value unit

	while read -r field value unit; do
		if [[ "${field}" == MemTotal:* ]]; then
			# Convert to MB
			printf '%s\n' "$(( ${value} / 1024 ))"
			return
		fi
	done < /proc/meminfo
}
#######################################
# Start a one-shot time sync when name resolution is not working.
# Without DNS the time server cannot be looked up by name, so a fixed
# address of ntp.ipfire.org is used; it has to be kept in step with that host.
# Returns:   0 when DNS works, otherwise the status of loadproc
#######################################
fix_time_if_dns_fails() {
	local ntp_server="81.3.27.46"

	# Nothing to do while DNS answers
	resolve "ping.ipfire.org" &>/dev/null && return 0

	boot_mesg "DNS not functioning... Trying to sync time with ntp.ipfire.org (${ntp_server})..."
	loadproc /usr/local/bin/settime "${ntp_server}"
}
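#######################################
# Resolve a hostname to its IPv4 addresses through the local resolver.
# Arguments: $1 - hostname to look up
# Outputs:   one IPv4 address per line
# Returns:   0 if at least one address was found, 1 otherwise
#######################################
resolve() {
	local hostname="${1}"
	local found=1

	local answer
	for answer in $(dig +short A "${hostname}"); do
		# Only pass on dotted-quad answers. "dig +short" also prints CNAME
		# targets (names with a trailing dot) and, when no server can be
		# reached, diagnostics such as ";; connection timed out" on stdout;
		# the old trailing-dot check let the words of such a diagnostic
		# through and reported success.
		if [[ "${answer}" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
			found=0
			echo "${answer}"
		fi
	done

	return ${found}
}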
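#######################################
# Sets up Safe Search for various search engines.
# The engines' names are answered with the addresses of their "safe"
# endpoints (looked up via resolve), so the restriction only applies to
# clients that actually use this resolver. Previous rules are always
# removed first, so disabling the feature also clears them.
# Globals:   ENABLE_SAFE_SEARCH, LOCAL_TTL (read)
# Outputs:   unbound-control output is discarded
# Returns:   0
#######################################
update_safe_search() {
	local google_tlds=(
		google.ad
		google.ae
		google.al
		google.am
		google.as
		google.at
		google.az
		google.ba
		google.be
		google.bf
		google.bg
		google.bi
		google.bj
		google.bs
		google.bt
		google.by
		google.ca
		google.cat
		google.cd
		google.cf
		google.cg
		google.ch
		google.ci
		google.cl
		google.cm
		google.cn
		google.co.ao
		google.co.bw
		google.co.ck
		google.co.cr
		google.co.id
		google.co.il
		google.co.in
		google.co.jp
		google.co.ke
		google.co.kr
		google.co.ls
		google.com
		google.co.ma
		google.com.af
		google.com.ag
		google.com.ai
		google.com.ar
		google.com.au
		google.com.bd
		google.com.bh
		google.com.bn
		google.com.bo
		google.com.br
		google.com.bz
		google.com.co
		google.com.cu
		google.com.cy
		google.com.do
		google.com.ec
		google.com.eg
		google.com.et
		google.com.fj
		google.com.gh
		google.com.gi
		google.com.gt
		google.com.hk
		google.com.jm
		google.com.kh
		google.com.kw
		google.com.lb
		google.com.ly
		google.com.mm
		google.com.mt
		google.com.mx
		google.com.my
		google.com.na
		google.com.nf
		google.com.ng
		google.com.ni
		google.com.np
		google.com.om
		google.com.pa
		google.com.pe
		google.com.pg
		google.com.ph
		google.com.pk
		google.com.pr
		google.com.py
		google.com.qa
		google.com.sa
		google.com.sb
		google.com.sg
		google.com.sl
		google.com.sv
		google.com.tj
		google.com.tr
		google.com.tw
		google.com.ua
		google.com.uy
		google.com.vc
		google.com.vn
		google.co.mz
		google.co.nz
		google.co.th
		google.co.tz
		google.co.ug
		google.co.uk
		google.co.uz
		google.co.ve
		google.co.vi
		google.co.za
		google.co.zm
		google.co.zw
		google.cv
		google.cz
		google.de
		google.dj
		google.dk
		google.dm
		google.dz
		google.ee
		google.es
		google.fi
		google.fm
		google.fr
		google.ga
		google.ge
		google.gg
		google.gl
		google.gm
		google.gp
		google.gr
		google.gy
		google.hn
		google.hr
		google.ht
		google.hu
		google.ie
		google.im
		google.iq
		google.is
		google.it
		google.je
		google.jo
		google.kg
		google.ki
		google.kz
		google.la
		google.li
		google.lk
		google.lt
		google.lu
		google.lv
		google.md
		google.me
		google.mg
		google.mk
		google.ml
		google.mn
		google.ms
		google.mu
		google.mv
		google.mw
		google.ne
		google.nl
		google.no
		google.nr
		google.nu
		google.pl
		google.pn
		google.ps
		google.pt
		google.ro
		google.rs
		google.ru
		google.rw
		google.sc
		google.se
		google.sh
		google.si
		google.sk
		google.sm
		google.sn
		google.so
		google.sr
		google.st
		google.td
		google.tg
		google.tk
		google.tl
		google.tm
		google.tn
		google.to
		google.tt
		google.vg
		google.vu
		google.ws
	)

	# Cleanup previous settings
	unbound-control local_zone_remove "bing.com" >/dev/null
	unbound-control local_zone_remove "duckduckgo.com" >/dev/null
	unbound-control local_zone_remove "yandex.com" >/dev/null
	unbound-control local_zone_remove "yandex.ru" >/dev/null
	unbound-control local_zone_remove "youtube.com" >/dev/null

	local domain
	for domain in "${google_tlds[@]}"; do
		unbound-control local_zone_remove "${domain}"
	done >/dev/null

	# Nothing to do if safe search is not enabled
	if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
		return 0
	fi

	# Loop variable for the addresses returned by resolve
	local address

	# Bing (the "local_zone" subcommand was missing here, making the call
	# an unknown unbound-control command)
	unbound-control local_zone bing.com transparent >/dev/null
	for address in $(resolve "strict.bing.com"); do
		unbound-control local_data "www.bing.com ${LOCAL_TTL} IN A ${address}"
	done >/dev/null

	# DuckDuckGo
	unbound-control local_zone duckduckgo.com typetransparent >/dev/null
	for address in $(resolve "safe.duckduckgo.com"); do
		unbound-control local_data "duckduckgo.com ${LOCAL_TTL} IN A ${address}"
	done >/dev/null

	# Google: one lookup, applied to every country domain
	local addresses
	addresses="$(resolve "forcesafesearch.google.com")"
	for domain in "${google_tlds[@]}"; do
		unbound-control local_zone "${domain}" transparent >/dev/null
		for address in ${addresses}; do
			unbound-control local_data "www.${domain} ${LOCAL_TTL} IN A ${address}"
		done >/dev/null
	done

	# Yandex
	for domain in yandex.com yandex.ru; do
		unbound-control local_zone "${domain}" typetransparent >/dev/null
		for address in $(resolve "familysearch.${domain}"); do
			unbound-control local_data "${domain} ${LOCAL_TTL} IN A ${address}"
		done >/dev/null
	done

	# YouTube
	unbound-control local_zone youtube.com transparent >/dev/null
	for address in $(resolve "restrictmoderate.youtube.com"); do
		unbound-control local_data "www.youtube.com ${LOCAL_TTL} IN A ${address}"
	done >/dev/null

	return 0
}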
# Dispatch on the init action. All actions rely on the settings evaluated
# at the top of this script.
case "$1" in
	start)
		# Print a nicer message when unbound is already running
		if pidofproc -s unbound; then
			statusproc /usr/sbin/unbound
			exit 0
		fi

		# Update configuration files (tuning.conf is only regenerated here,
		# not on reload)
		write_tuning_conf
		write_hosts_conf
		write_forward_conf

		boot_mesg "Starting Unbound DNS Proxy..."
		loadproc /usr/sbin/unbound || exit $?

		# Install Safe Search rules when the system is already online
		# (the flag file presumably marks an active RED/WAN connection)
		if [ -e "/var/ipfire/red/active" ]; then
			update_safe_search
		fi
		;;

	stop)
		boot_mesg "Stopping Unbound DNS Proxy..."
		killproc /usr/sbin/unbound
		;;

	restart)
		$0 stop
		sleep 1
		$0 start
		;;
	reload|update-forwarders)
		# Update configuration files
		write_forward_conf
		write_hosts_conf

		# Call unbound-control and perform the reload
		/usr/sbin/unbound-control -q reload

		# Dummy Resolve to wait for unbound; the result is ignored
		resolve "ping.ipfire.org" &>/dev/null

		if [ "$1" = "update-forwarders" ]; then
			# Make sure DNS works at this point
			fix_time_if_dns_fails
		fi

		# Update Safe Search rules if the system is online.
		if [ -e "/var/ipfire/red/active" ]; then
			update_safe_search
		fi
		;;

	status)
		statusproc /usr/sbin/unbound
		;;

	resolve)
		# Command-line access to the resolve helper: prints the IPv4
		# addresses of $2 and exits non-zero when none was found
		resolve "${2}" || exit $?
		;;

	*)
		echo "Usage: $0 {start|stop|restart|reload|status|resolve|update-forwarders}"
		exit 1
		;;
esac

# End $rc_base/init.d/unbound