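#!/bin/sh
# Begin $rc_base/init.d/unbound

# Description : Unbound DNS resolver boot script for IPfire
# Author : Marcel Lorenz <marcel.lorenz@ipfire.org>
#
# NOTE: although the shebang is /bin/sh, this script relies on bash
# features (arrays, [[ ]], here-strings, &>), so /bin/sh must be bash.

. /etc/sysconfig/rc
. "${rc_functions}"

# Domain used by the name server checks below; the DNSSEC checks
# expect it to be signed
TEST_DOMAIN="ipfire.org"

# This domain will never validate
TEST_DOMAIN_FAIL="dnssec-failed.org"

# Defaults, may be overridden by /etc/sysconfig/unbound
INSECURE_ZONES=
USE_FORWARDERS=1
ENABLE_SAFE_SEARCH=off
FORCE_TCP=off

# Cache any local zones for 60 seconds
LOCAL_TTL=60

# EDNS buffer size
EDNS_DEFAULT_BUFFER_SIZE=4096

# Load optional configuration
[ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound

# Extra arguments passed to every dig invocation
DIG_ARGS=()

if [ "${FORCE_TCP}" = "on" ]; then
  DIG_ARGS+=( "+tcp" )
fi
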
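#######################################
# Builds the in-addr.arpa reverse name for an IPv4 address.
# Arguments: $1 - dotted-quad IPv4 address
# Outputs:   reverse pointer name to stdout
#            (e.g. 192.168.1.10 -> 10.1.168.192.in-addr.arpa)
#######################################
ip_address_revptr() {
  local addr="${1}"

  local a1 a2 a3 a4
  IFS=. read -r a1 a2 a3 a4 <<< "${addr}"

  printf '%s\n' "${a4}.${a3}.${a2}.${a1}.in-addr.arpa"
}
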
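#######################################
# Prints the upstream name servers handed to RED (dns1 and dns2) on one line.
# Previously the contents were joined with "xargs echo", which parses quotes
# and backslashes; the join is now done by the shell itself.
# Globals:   reads /var/ipfire/red/dns1 and /var/ipfire/red/dns2
# Outputs:   space separated list of servers to stdout (an empty line when
#            neither file is readable)
#######################################
read_name_servers() {
  local idx file servers=""
  for idx in 1 2; do
    file="/var/ipfire/red/dns${idx}"
    [ -r "${file}" ] || continue
    servers="${servers} $(<"${file}")"
  done

  # Deliberately unquoted: collapses the file contents (including any
  # embedded newlines) into a single space separated line. Globbing is
  # switched off in the subshell so the contents are never expanded.
  # shellcheck disable=SC2086
  ( set -f; echo ${servers} )
}
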
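#######################################
# Checks whether RED is configured, present, has carrier and an address.
# Note the inverted convention, kept for the existing callers:
# Returns:   0 when RED is NOT usable (not configured, no carrier, no IP)
#            1 when RED has carrier and an IP address
#######################################
check_red_has_carrier_and_ip() {
  local iface carrier

  # Interface configured?
  [ -e "/var/ipfire/red/iface" ] || return 0
  iface=$(</var/ipfire/red/iface)
  [ -n "${iface}" ] || return 0

  # Interface present?
  [ -e "/sys/class/net/${iface}" ] || return 0

  # Has carrier?
  carrier=$(cat "/sys/class/net/${iface}/carrier" 2>/dev/null)
  [ "${carrier}" = "1" ] || return 0

  # Has an address?
  ip address show dev "${iface}" | grep -q "inet" || return 0

  return 1
}
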
# Emits the "do not edit" banner (two comment lines and a blank line)
# that starts every generated configuration file.
config_header() {
  cat <<'EOF'
# This file is automatically generated and any changes
# will be overwritten. DO NOT EDIT!

EOF
}

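#######################################
# Selects the upstream name servers for unbound. Every server returned by
# read_name_servers is probed with test_name_server; validating or
# DNSSEC-aware servers become forwarders, all others are reported as broken.
# Without a usable forwarder it falls back to recursor mode, or, as a last
# resort, to the broken servers with DNSSEC in permissive mode.
# Globals:   USE_FORWARDERS, EDNS_DEFAULT_BUFFER_SIZE (read);
#            writes /var/ipfire/red/dns and reconfigures unbound
# Returns:   0
#######################################
update_forwarders() {
  # check_red_has_carrier_and_ip returns 1 when RED is up and has an address
  check_red_has_carrier_and_ip
  local red_is_up=$?

  if [ "${USE_FORWARDERS}" = "1" ] && [ "${red_is_up}" = "1" ]; then
    local forwarders=""
    local broken_forwarders=""

    local ns
    for ns in $(read_name_servers); do
      test_name_server "${ns}" &>/dev/null
      case "$?" in
        # Only use DNSSEC-validating or DNSSEC-aware name servers
        0|2)
          forwarders="${forwarders} ${ns}"
          ;;
        *)
          broken_forwarders="${broken_forwarders} ${ns}"
          ;;
      esac
    done

    # Determine the EDNS buffer size: the smallest size that works for
    # every usable forwarder, never larger than the default
    local new_edns_buffer_size="${EDNS_DEFAULT_BUFFER_SIZE}"
    local edns_buffer_size

    for ns in ${forwarders}; do
      edns_buffer_size=$(ns_determine_edns_buffer_size "${ns}")
      if [ -n "${edns_buffer_size}" ] \
          && [ "${edns_buffer_size}" -lt "${new_edns_buffer_size}" ]; then
        new_edns_buffer_size="${edns_buffer_size}"
      fi
    done

    if [ "${new_edns_buffer_size}" -lt "${EDNS_DEFAULT_BUFFER_SIZE}" ]; then
      boot_mesg "EDNS buffer size reduced to ${new_edns_buffer_size}" ${WARNING}
      echo_warning

      unbound-control -q set_option edns-buffer-size: "${new_edns_buffer_size}"
    fi

    # Show warning for any broken upstream name servers
    if [ -n "${broken_forwarders}" ]; then
      boot_mesg "Ignoring broken upstream name server(s): ${broken_forwarders:1}" ${WARNING}
      echo_warning
    fi

    if [ -n "${forwarders}" ]; then
      boot_mesg "Configuring upstream name server(s): ${forwarders:1}" ${INFO}
      echo_ok

      # Make sure DNSSEC is activated
      enable_dnssec

      echo "${forwarders}" > /var/ipfire/red/dns
      # Intentionally unquoted: one argument per server
      # shellcheck disable=SC2086
      unbound-control -q forward ${forwarders}
      return 0
    fi

    # No working forwarders: test if the recursor mode is available
    if can_resolve_root "+bufsize=${new_edns_buffer_size}"; then
      # Make sure DNSSEC is activated
      enable_dnssec

      boot_mesg "Falling back to recursor mode" ${WARNING}
      echo_warning

    # If not, set DNSSEC to permissive mode and use the broken servers
    elif [ -n "${broken_forwarders}" ]; then
      disable_dnssec

      boot_mesg "DNSSEC has been set to permissive mode" ${FAILURE}
      echo_failure

      echo "${broken_forwarders}" > /var/ipfire/red/dns
      # Intentionally unquoted: one argument per server
      # shellcheck disable=SC2086
      unbound-control -q forward ${broken_forwarders}
      return 0
    fi
  fi

  # If forwarders cannot be used we run in recursor mode
  echo "local recursor" > /var/ipfire/red/dns
  unbound-control -q forward off
}
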
# Drops all forwarders: re-enables DNSSEC and switches unbound back to
# recursor mode, recording that in /var/ipfire/red/dns.
remove_forwarders() {
  enable_dnssec

  printf '%s\n' "local recursor" > /var/ipfire/red/dns
  unbound-control -q forward off
}

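#######################################
# Makes the firewall's own FQDN resolvable: an A record pointing at GREEN
# and a PTR record for every configured internal address.
# Globals:   GREEN_ADDRESS, BLUE_ADDRESS, ORANGE_ADDRESS, LOCAL_TTL (read)
#######################################
own_hostname() {
  local hostname
  hostname=$(hostname -f)

  # 1.1.1.1 is reserved for unused green, skip this
  if [ -n "${GREEN_ADDRESS}" ] && [ "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
    unbound-control -q local_data "${hostname} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}"
  fi

  local address revptr
  for address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
    [ -n "${address}" ] || continue
    [ "${address}" = "1.1.1.1" ] && continue

    revptr=$(ip_address_revptr "${address}")
    unbound-control -q local_data "${revptr} ${LOCAL_TTL} IN PTR ${hostname}"
  done
}
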
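#######################################
# Loads the static host entries from /var/ipfire/main/hosts into unbound.
# Each line reads "enabled,address,hostname,domainname,generateptr";
# disabled lines are skipped, and a PTR record is added unless the address
# is the GREEN address or generateptr is "off".
# Globals:   GREEN_ADDRESS, LOCAL_TTL (read)
#######################################
update_hosts() {
  local enabled address hostname domainname generateptr
  local fqdn revptr

  # The "|| [ -n ... ]" also handles a last line without a trailing newline
  while IFS="," read -r enabled address hostname domainname generateptr \
      || [ -n "${enabled}" ]; do
    [ "${enabled}" = "on" ] || continue

    # Build FQDN
    fqdn="${hostname}.${domainname}"

    unbound-control -q local_data "${fqdn} ${LOCAL_TTL} IN A ${address}"

    # Skip reverse resolution if the address equals the GREEN address
    [ "${address}" = "${GREEN_ADDRESS}" ] && continue

    # Skip reverse resolution if user requested not to do so
    [ "${generateptr}" = "off" ] && continue

    # Add RDNS
    revptr=$(ip_address_revptr "${address}")
    unbound-control -q local_data "${revptr} ${LOCAL_TTL} IN PTR ${fqdn}"
  done < /var/ipfire/main/hosts
}
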
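#######################################
# Writes one "<prefix>-addr:" (IPv4 literal) or "<prefix>-host:" (name)
# line per server for the zone section currently being generated.
# Arguments: $1 - "stub" or "forward"
#            $2 - servers separated by "|"
# Outputs:   config lines to stdout
#######################################
_write_zone_servers() {
  local prefix="${1}"
  local servers="${2}"
  local server

  for server in ${servers//|/ }; do
    if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
      echo " ${prefix}-addr: ${server}"
    else
      echo " ${prefix}-host: ${server}"
    fi
  done
}

#######################################
# Generates /etc/unbound/forward.conf from /var/ipfire/dnsforward/config.
# Each config line reads "enabled,zone,servers,remark,disable_dnssec[,...]".
# Reverse zones become stub zones, everything else a forward zone; zones
# ending in .local or flagged with disable_dnssec are marked insecure.
# Globals:   INSECURE_ZONES, FORCE_TCP (read); writes /etc/unbound/forward.conf
#######################################
write_forward_conf() {
  (
    config_header

    # Force using TCP for upstream servers only
    if [ "${FORCE_TCP}" = "on" ]; then
      echo "# Force using TCP for upstream servers only"
      echo "server:"
      echo " tcp-upstream: yes"
      echo
    fi

    local insecure_zones="${INSECURE_ZONES}"

    local enabled zone servers remark disable_dnssec rest
    # The "|| [ -n ... ]" also handles a last line without a trailing newline
    while IFS="," read -r enabled zone servers remark disable_dnssec rest \
        || [ -n "${enabled}" ]; do
      # Line must be enabled.
      [ "${enabled}" = "on" ] || continue

      # Zones that end with .local are commonly used for internal
      # zones and therefore not signed
      case "${zone}" in
        *.local)
          insecure_zones="${insecure_zones} ${zone}"
          ;;
        *)
          if [ "${disable_dnssec}" = "on" ]; then
            insecure_zones="${insecure_zones} ${zone}"
          fi
          ;;
      esac

      # NOTE(review): zone and servers are copied into the config verbatim;
      # this relies on the file having been validated when it was written.
      case "${zone}" in
        # Reverse-lookup zones must be stubs
        *.in-addr.arpa)
          echo "stub-zone:"
          echo " name: ${zone}"
          _write_zone_servers "stub" "${servers}"
          echo
          echo "server:"
          echo " local-zone: \"${zone}\" transparent"
          echo
          ;;
        *)
          echo "forward-zone:"
          echo " name: ${zone}"
          _write_zone_servers "forward" "${servers}"
          echo
          ;;
      esac
    done < /var/ipfire/dnsforward/config

    if [ -n "${insecure_zones}" ]; then
      echo "server:"

      for zone in ${insecure_zones}; do
        echo " domain-insecure: ${zone}"
      done
    fi
  ) > /etc/unbound/forward.conf
}
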
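#######################################
# Generates /etc/unbound/tuning.conf sized for this machine: one thread per
# processor, power-of-two cache slabs and cache sizes scaled by RAM.
# See https://www.unbound.net/documentation/howto_optimise.html
# Globals:   writes /etc/unbound/tuning.conf
#######################################
write_tuning_conf() {
  # Determine number of online processors (fall back to 1 when unknown,
  # otherwise num-threads would be written empty)
  local processors
  processors=$(getconf _NPROCESSORS_ONLN 2>/dev/null)
  case "${processors}" in
    ''|*[!0-9]*) processors=1 ;;
  esac

  # Determine number of slabs: the smallest power of two >= processors
  local slabs=1
  while [ "${slabs}" -lt "${processors}" ]; do
    slabs=$(( slabs * 2 ))
  done

  # Determine amount of system memory (in MB)
  local mem
  mem=$(get_memory_amount)

  # In the worst case scenario, unbound can use double the
  # amount of memory allocated to a cache due to malloc overhead
  case "${mem}" in
    ''|*[!0-9]*)
      # Unknown amount of memory: use the "everything else" default
      mem=64
      ;;
    *)
      # Even larger systems with more than 8GB of RAM
      if [ "${mem}" -ge 8192 ]; then
        mem=1024

      # Extra large systems with more than 4GB of RAM
      elif [ "${mem}" -ge 4096 ]; then
        mem=512

      # Large systems with more than 2GB of RAM
      elif [ "${mem}" -ge 2048 ]; then
        mem=256

      # Medium systems with more than 1GB of RAM
      elif [ "${mem}" -ge 1024 ]; then
        mem=128

      # Small systems with less than 256MB of RAM
      elif [ "${mem}" -le 256 ]; then
        mem=16

      # Everything else
      else
        mem=64
      fi
      ;;
  esac

  (
    config_header

    # We run one thread per processor
    echo "num-threads: ${processors}"
    echo "so-reuseport: yes"

    # Adjust number of slabs
    echo "infra-cache-slabs: ${slabs}"
    echo "key-cache-slabs: ${slabs}"
    echo "msg-cache-slabs: ${slabs}"
    echo "rrset-cache-slabs: ${slabs}"

    # Slice up the cache
    echo "rrset-cache-size: $(( mem / 2 ))m"
    echo "msg-cache-size: $(( mem / 4 ))m"
    echo "key-cache-size: $(( mem / 4 ))m"

    # Increase parallel queries
    echo "outgoing-range: 8192"
    echo "num-queries-per-thread: 4096"

    # Use larger send/receive buffers
    echo "so-sndbuf: 4m"
    echo "so-rcvbuf: 4m"
  ) > /etc/unbound/tuning.conf
}
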
# Prints the total system memory in MB, taken from the MemTotal line
# (given in kB) of /proc/meminfo.
get_memory_amount() {
  local line

  while IFS= read -r line; do
    case "${line}" in
      MemTotal:*)
        # Fields: "MemTotal:" <value> "kB"
        # shellcheck disable=SC2086
        set -- ${line}
        echo "$(( $2 / 1024 ))"
        return 0
        ;;
    esac
  done < /proc/meminfo
}

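#######################################
# Classifies a name server by its DNSSEC capabilities.
# Arguments: $1 - name server address
# Outputs:   the resource record types that could not be retrieved, to stderr
# Returns:   0 DNSSEC validating
#            1 Error: unreachable, etc.
#            2 DNSSEC aware (passes DNSSEC records along, does not validate)
#            3 NOT DNSSEC-aware
#######################################
test_name_server() {
  local ns="${1}"
  local args=""

  # Exit when the server is not reachable
  ns_is_online "${ns}" || return 1

  # Determine the maximum edns buffer size that works
  local edns_buffer_size
  edns_buffer_size=$(ns_determine_edns_buffer_size "${ns}")
  if [ -n "${edns_buffer_size}" ]; then
    args="${args} +bufsize=${edns_buffer_size}"
  fi

  # Check that the DNSSEC records can be retrieved through this server.
  # ${args} is intentionally unquoted: each dig option is its own argument.
  local rr errors=""
  for rr in DNSKEY DS RRSIG; do
    # shellcheck disable=SC2086
    if ! "ns_forwards_${rr}" "${ns}" ${args}; then
      errors="${errors} ${rr}"
    fi
  done

  if [ -n "${errors}" ]; then
    echo >&2 "Unable to retrieve the following resource records from ${ns}: ${errors:1}"
    return 3
  fi

  # shellcheck disable=SC2086
  if ns_is_validating "${ns}" ${args}; then
    return 0
  fi

  # Is DNSSEC-aware
  return 2
}
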
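# Sends an A query to the name server w/o DNSSEC.
# Arguments: $1 - name server, remaining arguments are passed to dig
# Returns:   dig's exit status (0 when the server answered)
ns_is_online() {
  local ns="${1}"
  shift

  dig "${DIG_ARGS[@]}" "@${ns}" +nodnssec A "${TEST_DOMAIN}" "$@" >/dev/null
}
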
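# Resolving ${TEST_DOMAIN_FAIL} will fail if the name server is validating;
# a validating server must then also set the "ad" flag for ${TEST_DOMAIN}.
# Arguments: $1 - name server, remaining arguments are passed to dig
# Returns:   0 when validating, 1 otherwise
ns_is_validating() {
  local ns="${1}"
  shift

  if ! dig "${DIG_ARGS[@]}" "@${ns}" A "${TEST_DOMAIN_FAIL}" "$@" | grep -q SERVFAIL; then
    return 1
  fi

  # Determine if NS replies with "ad" data flag if DNSSEC enabled.
  # awk exits 0 only when a ";; flags:" line carrying " ad" was seen; with
  # no flags line at all (e.g. dig timed out) the server is not validating.
  dig "${DIG_ARGS[@]}" "@${ns}" +dnssec SOA "${TEST_DOMAIN}" "$@" \
    | awk 'BEGIN { s=1 } /;; flags:/ { if (/ ad/) s=0; exit s } END { exit s }'
}
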
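# Checks if we can retrieve the DNSKEY for this domain.
# dig will print the SOA if nothing was found.
# NOTE(review): "grep -qv SOA" succeeds as soon as any output line lacks
# "SOA", which dig's header lines always do, so this check is weaker than
# the comment suggests — confirm the intended condition before tightening it.
# Arguments: $1 - name server, remaining arguments are passed to dig
ns_forwards_DNSKEY() {
  local ns="${1}"
  shift

  dig "${DIG_ARGS[@]}" "@${ns}" DNSKEY "${TEST_DOMAIN}" "$@" | grep -qv SOA
}
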
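# Checks if we can retrieve the DS record for this domain; same caveat as
# ns_forwards_DNSKEY regarding the "grep -qv SOA" condition.
# Arguments: $1 - name server, remaining arguments are passed to dig
ns_forwards_DS() {
  local ns="${1}"
  shift

  dig "${DIG_ARGS[@]}" "@${ns}" DS "${TEST_DOMAIN}" "$@" | grep -qv SOA
}
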
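# Checks whether the name server passes RRSIG records along when asked
# with +dnssec.
# Arguments: $1 - name server, remaining arguments are passed to dig
# Returns:   0 when an RRSIG was seen in the answer, 1 otherwise
ns_forwards_RRSIG() {
  local ns="${1}"
  shift

  dig "${DIG_ARGS[@]}" "@${ns}" +dnssec A "${TEST_DOMAIN}" "$@" | grep -q RRSIG
}
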
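# Checks whether the name server answers over TCP.
# Arguments: $1 - name server, remaining arguments are passed to dig
# Returns:   0 when TCP works (or is forced anyway), 1 otherwise
ns_supports_tcp() {
  local ns="${1}"
  shift

  # If TCP is forced we know by now if the server responds to it
  if [ "${FORCE_TCP}" = "on" ]; then
    return 0
  fi

  dig "${DIG_ARGS[@]}" "@${ns}" +tcp A "${TEST_DOMAIN}" "$@" >/dev/null || return 1
}
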
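# Finds the largest EDNS buffer size the name server answers with, trying
# the candidates from largest to smallest.
# Arguments: $1 - name server, remaining arguments are passed to dig
# Outputs:   the buffer size to stdout
# Returns:   0 when a size was found, 1 when none of the sizes worked
ns_determine_edns_buffer_size() {
  local ns="${1}"
  shift

  local size
  for size in 4096 2048 1500 1480 1464 1400 1280 512; do
    if dig "${DIG_ARGS[@]}" "@${ns}" +dnssec "+bufsize=${size}" A "${TEST_DOMAIN}" "$@" >/dev/null; then
      echo "${size}"
      return 0
    fi
  done

  return 1
}
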
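# Prints the IPv4 addresses of the root name servers listed in
# /etc/unbound/root.hints, one per line.
get_root_nameservers() {
  local hostname ttl record address

  # The "|| [ -n ... ]" also handles a last line without a trailing newline
  while read -r hostname ttl record address || [ -n "${record}" ]; do
    # Searching for A records
    [ "${record}" = "A" ] || continue

    echo "${address}"
  done < /etc/unbound/root.hints
}
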
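# Checks whether at least one root name server answers a DNSSEC SOA query.
# Arguments: all arguments are passed to dig (e.g. +bufsize=...)
# Returns:   0 when any root server answered, 1 otherwise
can_resolve_root() {
  local ns
  for ns in $(get_root_nameservers); do
    if dig "${DIG_ARGS[@]}" "@${ns}" +dnssec SOA . "$@" >/dev/null; then
      return 0
    fi
  done

  # none of the servers was reachable
  return 1
}
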
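# Turns DNSSEC validation on (val-permissive-mode: no) and records "on" in
# /var/ipfire/red/dnssec-status; the cache is flushed only when the mode
# actually changed.
enable_dnssec() {
  local status
  status=$(unbound-control get_option val-permissive-mode)

  # Log DNSSEC status
  echo "on" > /var/ipfire/red/dnssec-status

  # Don't do anything if DNSSEC is already activated
  [ "${status}" = "no" ] && return 0

  # Activate DNSSEC and flush cache with any stale and unvalidated data
  unbound-control -q set_option val-permissive-mode: no
  unbound-control -q flush_zone .
}
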
# Switches unbound to DNSSEC permissive mode and records "off" in
# /var/ipfire/red/dnssec-status.
disable_dnssec() {
  # Log DNSSEC status
  printf 'off\n' > /var/ipfire/red/dnssec-status

  unbound-control -q set_option val-permissive-mode: yes
}

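# If DNS still does not work once RED is up, try to init ntp with the
# hardcoded ntp.ipfire.org (81.3.27.46).
fix_time_if_dns_fail() {
  # check_red_has_carrier_and_ip returns 1 when RED is up and has an address
  check_red_has_carrier_and_ip
  local red_is_up=$?

  if [ -e "/var/ipfire/red/iface" ] && [ "${red_is_up}" = "1" ]; then
    if ! host 0.ipfire.pool.ntp.org > /dev/null 2>&1; then
      boot_mesg "DNS still not functioning... Trying to sync time with ntp.ipfire.org (81.3.27.46)..."
      loadproc /usr/local/bin/settime 81.3.27.46
    fi
  fi
}
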
# Resolves a host name to its A records using the RED name servers directly
# (not through unbound). The first server that answers wins; CNAME targets
# (names ending with a dot) are filtered out of the output.
# Arguments: $1 - host name to resolve
# Outputs:   one IP address per line to stdout
resolve() {
  local hostname="${1}"

  local ns answer got_answer
  for ns in $(read_name_servers); do
    got_answer=0
    for answer in $(dig "${DIG_ARGS[@]}" +short "@${ns}" A "${hostname}"); do
      got_answer=1

      # Filter out non-IP addresses (names end with a dot)
      case "${answer}" in
        *.) ;;
        *) echo "${answer}" ;;
      esac
    done

    # Stop as soon as one server has given us something
    [ "${got_answer}" = "1" ] && return 0
  done
}

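#######################################
# Prints one local-data A record line per address for the given host.
# Addresses come back from upstream resolvers, so only well-formed IPv4
# literals are written into the config; anything else is dropped.
# Arguments: $1 - host name, remaining arguments are the addresses
# Globals:   LOCAL_TTL (read)
# Outputs:   config lines to stdout
#######################################
_safe_search_local_data() {
  local host="${1}"
  shift

  local address
  for address in "$@"; do
    [[ ${address} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] || continue
    echo " local-data: \"${host} ${LOCAL_TTL} IN A ${address}\""
  done
}

#######################################
# Sets up Safe Search for various search engines by writing
# /etc/unbound/safe-search.conf (empty when ENABLE_SAFE_SEARCH is not "on").
# Globals:   ENABLE_SAFE_SEARCH, LOCAL_TTL (read)
#######################################
write_safe_search_conf() {
  local google_tlds=(
    google.ad
    google.ae
    google.al
    google.am
    google.as
    google.at
    google.az
    google.ba
    google.be
    google.bf
    google.bg
    google.bi
    google.bj
    google.bs
    google.bt
    google.by
    google.ca
    google.cat
    google.cd
    google.cf
    google.cg
    google.ch
    google.ci
    google.cl
    google.cm
    google.cn
    google.co.ao
    google.co.bw
    google.co.ck
    google.co.cr
    google.co.id
    google.co.il
    google.co.in
    google.co.jp
    google.co.ke
    google.co.kr
    google.co.ls
    google.com
    google.co.ma
    google.com.af
    google.com.ag
    google.com.ai
    google.com.ar
    google.com.au
    google.com.bd
    google.com.bh
    google.com.bn
    google.com.bo
    google.com.br
    google.com.bz
    google.com.co
    google.com.cu
    google.com.cy
    google.com.do
    google.com.ec
    google.com.eg
    google.com.et
    google.com.fj
    google.com.gh
    google.com.gi
    google.com.gt
    google.com.hk
    google.com.jm
    google.com.kh
    google.com.kw
    google.com.lb
    google.com.ly
    google.com.mm
    google.com.mt
    google.com.mx
    google.com.my
    google.com.na
    google.com.nf
    google.com.ng
    google.com.ni
    google.com.np
    google.com.om
    google.com.pa
    google.com.pe
    google.com.pg
    google.com.ph
    google.com.pk
    google.com.pr
    google.com.py
    google.com.qa
    google.com.sa
    google.com.sb
    google.com.sg
    google.com.sl
    google.com.sv
    google.com.tj
    google.com.tr
    google.com.tw
    google.com.ua
    google.com.uy
    google.com.vc
    google.com.vn
    google.co.mz
    google.co.nz
    google.co.th
    google.co.tz
    google.co.ug
    google.co.uk
    google.co.uz
    google.co.ve
    google.co.vi
    google.co.za
    google.co.zm
    google.co.zw
    google.cv
    google.cz
    google.de
    google.dj
    google.dk
    google.dm
    google.dz
    google.ee
    google.es
    google.fi
    google.fm
    google.fr
    google.ga
    google.ge
    google.gg
    google.gl
    google.gm
    google.gp
    google.gr
    google.gy
    google.hn
    google.hr
    google.ht
    google.hu
    google.ie
    google.im
    google.iq
    google.is
    google.it
    google.je
    google.jo
    google.kg
    google.ki
    google.kz
    google.la
    google.li
    google.lk
    google.lt
    google.lu
    google.lv
    google.md
    google.me
    google.mg
    google.mk
    google.ml
    google.mn
    google.ms
    google.mu
    google.mv
    google.mw
    google.ne
    google.nl
    google.no
    google.nr
    google.nu
    google.pl
    google.pn
    google.ps
    google.pt
    google.ro
    google.rs
    google.ru
    google.rw
    google.sc
    google.se
    google.sh
    google.si
    google.sk
    google.sm
    google.sn
    google.so
    google.sr
    google.st
    google.td
    google.tg
    google.tk
    google.tl
    google.tm
    google.tn
    google.to
    google.tt
    google.vg
    google.vu
    google.ws
  )

  # Everything runs in a subshell so that "exit 0" only leaves the
  # generator and an empty file is written when safe search is off.
  # $(resolve ...) is intentionally unquoted: one argument per address.
  # shellcheck disable=SC2046,SC2207
  (
    # Nothing to do if safe search is not enabled
    if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
      exit 0
    fi

    # This all belongs into the server: section
    echo "server:"

    # Bing
    echo " local-zone: bing.com transparent"
    _safe_search_local_data "www.bing.com" $(resolve "strict.bing.com")

    # DuckDuckGo
    echo " local-zone: duckduckgo.com typetransparent"
    _safe_search_local_data "duckduckgo.com" $(resolve "safe.duckduckgo.com")

    # Google: resolve once and reuse the addresses for every TLD
    local -a google_addresses=( $(resolve "forcesafesearch.google.com") )
    local domain
    for domain in "${google_tlds[@]}"; do
      echo " local-zone: ${domain} transparent"
      _safe_search_local_data "www.${domain}" "${google_addresses[@]}"
    done

    # Yandex
    for domain in yandex.com yandex.ru; do
      echo " local-zone: ${domain} typetransparent"
      _safe_search_local_data "${domain}" $(resolve "familysearch.${domain}")
    done

    # YouTube
    echo " local-zone: youtube.com transparent"
    _safe_search_local_data "www.youtube.com" $(resolve "restrictmoderate.youtube.com")
  ) > /etc/unbound/safe-search.conf
}
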
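case "${1}" in
  start)
    # Print a nicer message when unbound is already running
    if pidofproc -s unbound; then
      statusproc /usr/sbin/unbound
      exit 0
    fi

    # Load the network settings (GREEN_ADDRESS, BLUE_ADDRESS, ...).
    # NOTE(review): the readhash output is eval'd, so the settings file
    # must only ever be written by trusted tooling.
    # shellcheck disable=SC2046
    eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)

    # Update configuration files
    write_tuning_conf
    write_forward_conf
    write_safe_search_conf

    boot_mesg "Starting Unbound DNS Proxy..."
    loadproc /usr/sbin/unbound || exit $?

    # Make own hostname resolveable
    own_hostname

    # Update any known forwarding name servers
    update_forwarders

    # Update hosts
    update_hosts

    fix_time_if_dns_fail
    ;;

  stop)
    boot_mesg "Stopping Unbound DNS Proxy..."
    killproc /usr/sbin/unbound
    ;;

  restart)
    "$0" stop
    sleep 1
    "$0" start
    ;;

  status)
    statusproc /usr/sbin/unbound
    ;;

  update-forwarders)
    # Do not try updating forwarders when unbound is not running
    if ! pgrep unbound &>/dev/null; then
      exit 0
    fi

    update_forwarders

    unbound-control flush_negative > /dev/null
    unbound-control flush_bogus > /dev/null

    fix_time_if_dns_fail
    ;;

  remove-forwarders)
    # Do not try updating forwarders when unbound is not running
    if ! pgrep unbound &>/dev/null; then
      exit 0
    fi

    remove_forwarders

    unbound-control flush_negative > /dev/null
    unbound-control flush_bogus > /dev/null
    ;;

  test-name-server)
    ns="${2}"
    if [ -z "${ns}" ]; then
      echo "Usage: $0 test-name-server <name server>" >&2
      exit 1
    fi

    test_name_server "${ns}"
    ret=${?}

    case "${ret}" in
      0)
        echo "${ns} is validating"
        ;;
      2)
        echo "${ns} is DNSSEC-aware"
        ;;
      3)
        echo "${ns} is NOT DNSSEC-aware"
        ;;
      *)
        echo "Test failed for an unknown reason"
        exit "${ret}"
        ;;
    esac

    if ns_supports_tcp "${ns}"; then
      echo "${ns} supports TCP fallback"
    else
      echo "${ns} does not support TCP fallback"
    fi

    edns_buffer_size=$(ns_determine_edns_buffer_size "${ns}")
    if [ -n "${edns_buffer_size}" ]; then
      echo "EDNS buffer size for ${ns}: ${edns_buffer_size}"
    fi

    exit "${ret}"
    ;;

  resolve)
    resolve "${2}"
    ;;

  *)
    echo "Usage: $0 {start|stop|restart|status|update-forwarders|remove-forwarders|test-name-server|resolve}"
    exit 1
    ;;
esac

# End $rc_base/init.d/unbound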