From b8f5eda86b6d1c7270e858214a96e5eded18876a Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sat, 6 Aug 2016 19:20:27 +0100
Subject: [PATCH] unbound: Rewrite configuration and initscript

Signed-off-by: Michael Tremer
---
 config/rootfiles/packages/unbound | 12 +-
 config/unbound/forward.conf | 6 -
 config/unbound/unbound.conf | 116 ++++++--------
 lfs/unbound | 15 +-
 src/initscripts/init.d/unbound | 234 ++++++++++++++----------------
 5 files changed, 165 insertions(+), 218 deletions(-)
 delete mode 100644 config/unbound/forward.conf

diff --git a/config/rootfiles/packages/unbound b/config/rootfiles/packages/unbound
index f8d2e48fff..94eeba777e 100644
--- a/config/rootfiles/packages/unbound
+++ b/config/rootfiles/packages/unbound
@@ -1,25 +1,17 @@
 etc/rc.d/init.d/unbound
 #etc/unbound
-#etc/unbound/blocklists
+etc/unbound/dhcp-leases.conf
 etc/unbound/forward.conf
 etc/unbound/icannbundle.pem
+etc/unbound/local.d
 etc/unbound/root.hints
 etc/unbound/root.key
 etc/unbound/unbound.conf
-etc/unbound/unbound_org.conf
-usr/bin/unbound-host
 #usr/include/unbound.h
 #usr/lib/libunbound.la
 #usr/lib/libunbound.so
 usr/lib/libunbound.so.2
 usr/lib/libunbound.so.2.4.1
-#usr/lib/python2.7/site-packages/_unbound.la
-usr/lib/python2.7/site-packages/_unbound.so
-usr/lib/python2.7/site-packages/daemonize.py
-usr/lib/python2.7/site-packages/dhcpd.py
-usr/lib/python2.7/site-packages/params.py
-usr/lib/python2.7/site-packages/unbound.py
-usr/lib/python2.7/site-packages/watcherdhcpd.py
 usr/sbin/unbound
 usr/sbin/unbound-anchor
 usr/sbin/unbound-checkconf
diff --git a/config/unbound/forward.conf b/config/unbound/forward.conf
deleted file mode 100644
index 5784f9f257..0000000000
--- a/config/unbound/forward.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-forward-zone:
- name: "."
- forward-addr: 85.214.20.141
- forward-addr: 194.150.168.168
- forward-addr: 208.67.222.222
- forward-addr: 208.67.220.220
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 8dc72e6716..a736e19550 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -6,109 +6,82 @@
 #
 server:
- # common server options
- chroot: "/etc/unbound"
- username: "unbound"
- pidfile: "/var/run/unbound.pid"
+ # Common Server Options
+ chroot: ""
+ directory: "/etc/unbound"
+ username: "nobody"
  num-threads: 2
  port: 53
  do-ip4: yes
  do-ip6: no
  do-udp: yes
  do-tcp: yes
- prefetch: yes
  so-reuseport: yes
- cache-min-ttl: 3600
- cache-max-ttl: 86400
- unwanted-reply-threshold: 10000
  do-not-query-localhost: yes
- # logging options
- logfile: "log/unbound.log"
- use-syslog: no
+ # Logging Options
  verbosity: 1
- log-queries: no
+ use-syslog: yes
  log-time-ascii: yes
+ log-queries: no
  # Unbound Statistics
- statistics-interval: 3600
+ statistics-interval: 0
  statistics-cumulative: yes
  extended-statistics: yes
- # privacy options
+ # Cache Sizes
+ msg-cache-size: 8m
+ rrset-cache-size: 8m
+ key-cache-size: 4m
+ prefetch: yes
+ prefetch-key: yes
+
+ # Randomise any cached responses
+ rrset-roundrobin: yes
+
+ # Privacy Options
  hide-identity: yes
  hide-version: yes
  qname-minimisation: yes
  minimal-responses: yes
- # hardening options (some experimental)
+ # DNSSEC
+ auto-trust-anchor-file: "/var/lib/unbound/root.key"
+ val-permissive-mode: no
+ val-clean-additional: yes
+ val-log-level: 1
+
+ # Hardening Options
  harden-glue: yes
+ harden-short-bufsize: no
  harden-large-queries: yes
  harden-dnssec-stripped: yes
- harden-short-bufsize: no
- harden-below-nxdomain: no
- harden-referral-path: no
+ harden-below-nxdomain: yes
+ harden-referral-path: yes
  harden-algo-downgrade: no
- use-caps-for-id: yes
-
- # listen on localhost interface
- interface: 127.0.0.1
+ use-caps-for-id: no
- # file with ipfire interfaces
- include: "/etc/unbound/interfaces.conf"
-
- # control which clients are allowed to make (recursive) queries
+ # Deny access from everywhere
  access-control: 0.0.0.0/0 refuse
- access-control: 127.0.0.0/8 allow
- access-control: ::0/0 refuse
- access-control: ::1 allow
- access-control: ::ffff:127.0.0.1 allow
- # file with ipfire networks
- include: "/etc/unbound/access.conf"
+ # Listen on localhost
+ interface: 127.0.0.1
+ access-control: 127.0.0.0/8 allow
- # dnssec main options
- val-clean-additional: yes
- val-log-level: 1
- # file with ipfire dnssec configuration
- include: "/etc/unbound/dnssec.conf"
-
- # DNS Rebinding
- # For DNS Rebinding prevention
- #
- # All these addresses are either private or should not be routable in the global IPv4 or IPv6 internet.
- # IPv4 Addresses
- private-address: 0.0.0.0/8 # Broadcast address
- private-address: 10.0.0.0/8
- private-address: 127.0.0.0/8 # Loopback Localhost
- private-address: 172.16.0.0/12
- private-address: 192.168.0.0/16
- private-address: 169.254.0.0/16
- private-address: 198.18.0.0/15 # Used for testing inter-network communications
- private-address: 198.51.100.0/24 # Documentation network TEST-NET-2
- private-address: 203.0.113.0/24 # Documentation network TEST-NET-3
- private-address: 233.252.0.0/24 # Documentation network MCAST-TEST-NET
- # IPv6 Addresses
- private-address: ::1/128 # Loopback Localhost
- private-address: 2001:db8::/32 # Documentation network IPv6
- private-address: fc00::/8 # Unique local address (ULA) part of "fc00::/7", not defined yet
- private-address: fd00::/8 # Unique local address (ULA) part of "fc00::/7", "/48" prefix group
- private-address: fe80::/10 # Link-local address (LLA)
-
- # file with root servers
+ # Bootstrap root servers
  root-hints: "/etc/unbound/root.hints"
- # custom DNS zone files
- include: "/etc/unbound/zones/*.conf"
+ # IPFire interface configuration
+ include: "/etc/unbound/interfaces.conf"
+ interface-automatic: no
- # DHCP leases (if configured)
- include: /etc/unbound/dhcpleases.conf
+ # Include DHCP leases
+ include: "/etc/unbound/dhcp-leases.conf"
- # Blocklists
- include: "/etc/unbound/blocklists/*.conf"
-# end server config
+ # Include any forward zones
+ include: "/etc/unbound/forward.conf"
-# enable remote control only on localhost
 remote-control:
  control-enable: yes
  control-use-cert: yes
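Review bot: The rebinding-prevention `private-address:` block is removed from the server section without a replacement, so upstream answers carrying RFC 1918, loopback or link-local addresses are no longer filtered, whereas the old file stripped them; if that protection is meant to move into `local.d` or `interfaces.conf` the hunk should say so, otherwise at least `private-address: 10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, `169.254.0.0/16`, `127.0.0.0/8`, `::1/128` and `fe80::/10` should stay. Separately, `auto-trust-anchor-file: "/var/lib/unbound/root.key"` points outside `/etc/unbound`, while the rootfiles hunk keeps `etc/unbound/root.key` and nothing in the lfs hunk creates `/var/lib/unbound`; unless that directory is provided elsewhere, unbound running as `nobody` has no writable anchor file and RFC 5011 rollovers cannot be recorded. A comment above the directive naming who creates and owns that file would make the intent checkable. `chroot: ""` also drops the filesystem confinement the old file had; if that is deliberate (control keys and the leases file living outside a chroot), a one-line comment saying so stops the next reader from restoring it.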
@@ -117,7 +90,6 @@ remote-control:
  server-cert-file: "/etc/unbound/unbound_server.pem"
  control-key-file: "/etc/unbound/unbound_control.key"
  control-cert-file: "/etc/unbound/unbound_control.pem"
-# end remote control config
-# custom DNS forward config
-include: "/etc/unbound/forward.conf"
+# Import any local configurations
+include: "/etc/unbound/local.d/*.conf"
diff --git a/lfs/unbound b/lfs/unbound
index 5065048efe..536a4fbe39 100644
--- a/lfs/unbound
+++ b/lfs/unbound
@@ -80,11 +80,16 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
  --with-libevent
  cd $(DIR_APP) && make $(MAKETUNING)
  cd $(DIR_APP) && make install
- # add ipfire config
- mkdir -pv /etc/unbound/blocklists
- mv -v /etc/unbound/unbound.conf /etc/unbound/unbound_org.conf
- install -v -m 644 $(DIR_SRC)/config/unbound/*.conf /etc/unbound/
- install -v -m 644 $(DIR_SRC)/config/unbound/root.hints /etc/unbound/
+
+ # Install configuration
+ install -v -m 644 $(DIR_SRC)/config/unbound/unbound.conf \
+ /etc/unbound/unbound.conf
+ touch /etc/unbound/{dhcp-leases,forward}.conf
+ -mkdir -pv /etc/unbound/local.d
+
+ # Install root hints
+ install -v -m 644 $(DIR_SRC)/config/unbound/root.hints \
+ /etc/unbound/root.hints
  # Install DHCP leases bridge
  install -v -m 755 $(DIR_SRC)/config/unbound/unbound-dhcp-leases-bridge \
diff --git a/src/initscripts/init.d/unbound b/src/initscripts/init.d/unbound
index 8e6881e4d9..54e40834bb 100644
--- a/src/initscripts/init.d/unbound
+++ b/src/initscripts/init.d/unbound
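Review bot: `touch /etc/unbound/{dhcp-leases,forward}.conf` relies on brace expansion, which make only gets if `$(SHELL)` is bash; under a POSIX `/bin/sh` that does not expand braces the recipe creates one file literally named `{dhcp-leases,forward}.conf` and the two files that unbound.conf now `include:`s are missing at first start. Spelling the names out, `touch /etc/unbound/dhcp-leases.conf /etc/unbound/forward.conf`, removes the dependency on the shell; whether this build already sets `SHELL` is not visible in the hunk. The two touched files also get umask-dependent permissions, unlike the `install -m 644` used for unbound.conf, and since the initscript later rewrites `forward.conf` through a redirect the mode set at creation is the one that persists for the `nobody` user unbound runs as.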
@@ -10,18 +10,10 @@
 . /etc/sysconfig/rc
 . ${rc_functions}
-if [[ ! -d /run/var ]]; then mkdir /run/var; fi;
+USE_FORWARDERS=1
-CONTROL_INTERFACE_FILE=1
-CONTROL_ACCESS_FILE=1
-USE_CUSTOM_FORWARDS=0
-ENABLE_DNSSEC=1
-
-# Unbound daemon pid file
-PIDFILE=/var/run/unbound.pid
-
-# Watcher deamon pid file must be the same in unbound main init script
-WAPIDFILE=/var/run/unbound_dhcpd.pid
+# Load optional configuration
+[ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound
 function cidr() {
  local cidr nbits IFS;
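Review bot: `USE_FORWARDERS=1` is assigned before `/etc/sysconfig/unbound` is sourced, so it is effectively a default that the optional file may override, but nothing in the hunk says so or lists what that file is expected to set; a comment such as `# Defaults, may be overridden in /etc/sysconfig/unbound` above the assignment would document the contract. The guard also tests `-e` while `.` needs a readable file, so `[ -r "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound` matches the test to the operation and avoids a sourcing error on an unreadable file. Where USE_FORWARDERS is consumed is not visible in this hunk.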
@@ -47,132 +39,124 @@ function cidr() {
  echo "${cidr}/${nbits}"
 }
+read_name_servers() {
+ local i
+ for i in 1 2; do
+ echo "$( /etc/unbound/interfaces.conf } + write_forward_conf() {
+ (
+ config_header
+
+ local enabled zone server remark
+ while IFS="," read -r enabled zone server remark; do
+ # Line must be enabled.
+ [ "${enabled}" = "on" ] || continue
+
+ echo "forward-zone:"
+ echo " name: ${zone}"
+ echo " forward-addr: ${server}"
+ echo
+ done < /var/ipfire/dnsforward/config
+ ) > /etc/unbound/forward.conf
+}
+
 case "$1" in
 start)
+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+ eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings)
- if [[ -f ${PIDFILE} ]]; then
- log_warning_msg "Unbound daemon is running with Process ID $(cat ${PIDFILE})"
- else
- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
- #ARGS="$CUSTOM_ARGS"
- #[ "$DOMAIN_NAME_GREEN" != "" ] && ARGS="$ARGS -s $DOMAIN_NAME_GREEN"
-
- echo > /var/ipfire/red/resolv.conf # Clear it
- if [ -e "/var/ipfire/red/dns1" ]; then
- DNS1=$(cat /var/ipfire/red/dns1 2>/dev/null)
- if [ ! -z ${DNS1} ]; then
- echo "nameserver ${DNS1}" >> /var/ipfire/red/resolv.conf
- NAMESERVERS="${DNS1} "
- fi
- fi
- if [ -e "/var/ipfire/red/dns2" ]; then
- DNS2=$(cat /var/ipfire/red/dns2 2>/dev/null)
- if [ ! -z ${DNS2} ]; then
- echo "nameserver ${DNS2}" >> /var/ipfire/red/resolv.conf
- NAMESERVERS+="${DNS2} "
- fi
- fi
-
- # create unbound interfaces.conf
- if [ ${CONTROL_INTERFACE_FILE} = 1 ]; then
- echo -n > /etc/unbound/interfaces.conf # Clear it
- if [ ! -z ${GREEN_ADDRESS} ]; then
- echo "interface: ${GREEN_ADDRESS}" >> /etc/unbound/interfaces.conf
- fi
- if [ ! -z ${BLUE_ADDRESS} ]; then
- echo "interface: ${BLUE_ADDRESS}" >> /etc/unbound/interfaces.conf
- fi
- if [ ! -z ${ORANGE_ADDRESS} ]; then
- echo "interface: ${ORANGE_ADDRESS}" >> /etc/unbound/interfaces.conf
- fi
- fi
-
- # create unbound access.conf
- if [ ${CONTROL_ACCESS_FILE} = 1 ]; then
- echo -n > /etc/unbound/access.conf # Clear it
- if [ ! -z ${GREEN_ADDRESS} ]; then
- echo "access-control: $(cidr ${GREEN_ADDRESS} ${GREEN_NETMASK}) allow" >> /etc/unbound/access.conf
- fi
- if [ ! -z ${BLUE_ADDRESS} ]; then
- echo "access-control: $(cidr ${BLUE_ADDRESS} ${BLUE_NETMASK}) allow" >> /etc/unbound/access.conf
- fi
- if [ ! -z ${ORANGE_ADDRESS} ]; then
- echo "access-control: $(cidr ${ORANGE_ADDRESS} ${ORANGE_NETMASK}) allow" >> /etc/unbound/access.conf
- fi
- fi
-
- # create unbound dnssec.conf
- echo -n > /etc/unbound/dnssec.conf # Clear it
- if [ ${ENABLE_DNSSEC} = 1 ]; then
- echo " # dessec enabled per default" >> /etc/unbound/dnssec.conf
- echo " # no necessary config options in this file" >> /etc/unbound/dnssec.conf
- else
- echo " # dnssec now disabled" >> /etc/unbound/dnssec.conf
- echo " module-config: iterator" >> /etc/unbound/dnssec.conf
- echo " val-permissive-mode: yes" >> /etc/unbound/dnssec.conf
- fi
-
- # create zone file for internal ipfire domain
- unbound-zone
-
- boot_mesg "Starting Unbound DNS proxy..."
- unbound-anchor
- loadproc /usr/sbin/unbound
-
- # start dhcpd watcher daemon if DNS-Update (RFC2136) activated
- eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings)
- if [[ ${DNS_UPDATE_ENABLED} = on && ! -f ${WAPIDFILE} ]]; then
- /etc/rc.d/init.d/unbound-dhcpd start
- fi
-
- # use setup configured DNS servers
- if [ "${USE_CUSTOM_FORWARDS}" -eq 0 ]; then
- unbound-control forward_add +i . ${NAMESERVERS} &> /dev/null
- fi;
-
- FORWADRS=$(unbound-control list_forwards |sed 's|. IN forward ||g'|sed 's|+i ||g')
- if [ "${USE_CUSTOM_FORWARDS}" -eq 0 ]; then
- boot_mesg "Using DNS server(s): ${FORWADRS}"
- else
- boot_mesg "Using custom DNS server(s): ${FORWADRS}"
- fi
- if [ ${ENABLE_DNSSEC} = 1 ]; then
- boot_mesg "DNSSEC is enabled!"
- else
- boot_mesg "DNSSEC is disabled!"
- fi
- fi
- ;;
+ # Create control keys at first run
+ if [ ! -r "/etc/unbound/unbound_control.key" ]; then
+ unbound-control-setup -d /etc/unbound &>/dev/null
+ fi
+
+ # Update configuration files
+ write_interfaces_conf
+ write_forward_conf
+
+ boot_mesg "Starting Unbound DNS Proxy..."
+ loadproc /usr/sbin/unbound || exit $?
+
+ # Update any known forwarding name servers
+ update_forwarders
+
+ # Start Unbound DHCP Lease Bridge unless RFC2136 is used
+ if [ "${DNS_UPDATE_ENABLED}" != on ]; then
+ boot_mesg "Starting Unbound DHCP Leases Bridge..."
+ loadproc /usr/sbin/unbound-dhcp-leases-bridge -d
+ fi
+ ;;
 stop)
+ boot_mesg "Stopping Unbound DHCP Leases Bridge..."
+ killproc /usr/sbin/unbound-dhcp-leases-bridge
- if [[ -f ${PIDFILE} ]]; then
- # stop dhcpd watcher daemon if activted
- if [[ -f ${WAPIDFILE} ]]; then
- /etc/rc.d/init.d/unbound-dhcpd stop
- fi
- # stop Unbound daemon
- boot_mesg "Stopping Unbound DNS proxy..."
- killproc -p "/var/run/unbound.pid" /usr/sbin/unbound
- else
- log_warning_msg "Unbound daemon is not running..."
- fi
- ;;
+ boot_mesg "Stopping Unbound DNS Proxy..."
+ killproc /usr/sbin/unbound
+ ;;
 restart)
- $0 stop
- sleep 1
- $0 start
- ;;
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
 status)
- statusproc /usr/sbin/unbound
- ;;
+ statusproc /usr/sbin/unbound
+ statusproc /usr/sbin/unbound-dhcp-leases-bridge
+ ;;
+
+ update-forwarders)
+ update_forwarders
+ ;;
 *)
- echo "Usage: $0 {start|stop|restart|status}"
- exit 1
- ;;
+ echo "Usage: $0 {start|stop|restart|status|update-forwarders}"
+ exit 1
+ ;;
 esac
 # End $rc_base/init.d/unbound
-- 
2.39.2
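Review bot: `unbound-control-setup -d /etc/unbound &>/dev/null` discards both output streams and its exit status, yet the following `loadproc /usr/sbin/unbound || exit $?` depends on it, because the configuration enables `control-use-cert: yes` with the key and certificate files under `/etc/unbound`; if key generation fails, the start aborts with no hint why. Keeping stderr and reporting the failure, `unbound-control-setup -d /etc/unbound >/dev/null || log_warning_msg "Could not create unbound-control keys"`, leaves the first-run path diagnosable (`log_warning_msg` is what the removed code used). In `write_forward_conf`, `name: ${zone}` and `forward-addr: ${server}` are emitted unquoted straight from the fields of `/var/ipfire/dnsforward/config`, so a zone containing whitespace or a `#`, or an empty server field, yields a forward.conf that unbound refuses to parse and the resolver does not come up at the next start; emitting `name: "${zone}"`, skipping lines with an empty `${server}`, and running `unbound-checkconf` (shipped per the rootfiles hunk) between the write calls and `loadproc` would confine a bad entry to that entry. The bodies of `read_name_servers`, `write_interfaces_conf` and `update_forwarders` are not legible in this chunk and are not reviewed here.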