]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blob - src/initscripts/system/unbound
projects / people / pmueller / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
unbound: skip empty domains at local-data import
[people/pmueller/ipfire-2.x.git] / src / initscripts / system / unbound
1 #!/bin/sh
2 # Begin $rc_base/init.d/unbound
3
4 # Description : Unbound DNS resolver boot script for IPfire
5 # Author : Marcel Lorenz <marcel.lorenz@ipfire.org>
6
7 . /etc/sysconfig/rc
8 . ${rc_functions}
9
10 # Cache any local zones for 60 seconds
11 LOCAL_TTL=60
12
13 # Load configuration
14 eval $(/usr/local/bin/readhash /var/ipfire/dns/settings)
15 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
16
17 ip_address_revptr() {
18 local addr=${1}
19
20 local a1 a2 a3 a4
21 IFS=. read -r a1 a2 a3 a4 <<< ${addr}
22
23 echo "${a4}.${a3}.${a2}.${a1}.in-addr.arpa"
24 }
25
26 read_name_servers() {
27 # Read name servers from ISP
28 if [ "${USE_ISP_NAMESERVERS}" = "on" -a "${PROTO}" != "TLS" ]; then
29 local i
30 for i in 1 2; do
31 echo "$(</var/run/dns${i})"
32 done 2>/dev/null
33 fi
34
35 # Read configured name servers
36 local id address tls_hostname enabled remark
37 while IFS="," read -r id address tls_hostname enabled remark; do
38 [ "${enabled}" != "enabled" ] && continue
39
40 if [ "${PROTO}" = "TLS" ]; then
41 if [ -n "${tls_hostname}" ]; then
42 echo "${address}@853#${tls_hostname}"
43 fi
44 else
45 echo "${address}"
46 fi
47 done < /var/ipfire/dns/servers
48 }
49
50 config_header() {
51 echo "# This file is automatically generated and any changes"
52 echo "# will be overwritten. DO NOT EDIT!"
53 echo
54 }
55
56 write_hosts_conf() {
57 (
58 config_header
59
60 # Make own hostname resolveable
61 # 1.1.1.1 is reserved for unused green, skip this
62 if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
63 echo "local-data: \"${HOSTNAME} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}\""
64 fi
65
66 local address
67 for address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
68 [ -n "${address}" ] || continue
69 [ "${address}" = "1.1.1.1" ] && continue
70
71 address=$(ip_address_revptr ${address})
72 echo "local-data: \"${address} ${LOCAL_TTL} IN PTR ${HOSTNAME}\""
73 done
74
75 local enabled address hostname domainname generateptr
76
77 # Find all unique domain names
78 while IFS="," read -r enabled address hostname domainname generateptr; do
79 [ "${enabled}" = "on" ] || continue
80
81 # Skip empty domainnames
82 [ "${domainname}" = "" ] && continue
83
84 echo "local-zone: ${domainname} typetransparent"
85 done < /var/ipfire/main/hosts | sort -u
86
87 # Add all hosts
88 while IFS="," read -r enabled address hostname domainname generateptr; do
89 [ "${enabled}" = "on" ] || continue
90
91 # Build FQDN
92 local fqdn="${hostname}.${domainname}"
93 echo "local-data: \"${fqdn} ${LOCAL_TTL} IN A ${address}\""
94
95 # Skip reverse resolution if the address equals the GREEN address
96 [ "${address}" = "${GREEN_ADDRESS}" ] && continue
97
98 # Skip reverse resolution if user requested not to do so
99 [ "${generateptr}" = "off" ] && continue
100
101 # Add RDNS
102 address=$(ip_address_revptr ${address})
103 echo "local-data: \"${address} ${LOCAL_TTL} IN PTR ${fqdn}\""
104 done < /var/ipfire/main/hosts
105 ) > /etc/unbound/hosts.conf
106 }
107
108 write_forward_conf() {
109 (
110 config_header
111
112 # Enable strict QNAME minimisation
113 if [ "${QNAME_MIN}" = "strict" ]; then
114 echo "server:"
115 echo " qname-minimisation-strict: yes"
116 echo
117 fi
118
119 # Force using TCP for upstream servers only
120 if [ "${PROTO}" = "TCP" ]; then
121 echo "# Force using TCP for upstream servers only"
122 echo "server:"
123 echo " tcp-upstream: yes"
124 echo
125 fi
126
127 local insecure_zones=""
128
129 local enabled zone server servers remark disable_dnssec rest
130 while IFS="," read -r enabled zone servers remark disable_dnssec rest; do
131 # Line must be enabled.
132 [ "${enabled}" = "on" ] || continue
133
134 # Zones that end with .local are commonly used for internal
135 # zones and therefore not signed
136 case "${zone}" in
137 *.local)
138 insecure_zones="${insecure_zones} ${zone}"
139 ;;
140 *)
141 if [ "${disable_dnssec}" = "on" ]; then
142 insecure_zones="${insecure_zones} ${zone}"
143 fi
144 ;;
145 esac
146
147 echo "stub-zone:"
148 echo " name: ${zone}"
149 for server in ${servers//|/ }; do
150 if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
151 echo " stub-addr: ${server}"
152 else
153 echo " stub-host: ${server}"
154 fi
155 done
156 echo
157
158 # Make all reverse lookup zones transparent
159 case "${zone}" in
160 *.in-addr.arpa)
161 echo "server:"
162 echo " local-zone: \"${zone}\" transparent"
163 echo
164 ;;
165 esac
166 done < /var/ipfire/dnsforward/config
167
168 if [ -n "${insecure_zones}" ]; then
169 echo "server:"
170
171 for zone in ${insecure_zones}; do
172 echo " domain-insecure: ${zone}"
173 done
174 fi
175
176 # Read name servers.
177 nameservers=$(read_name_servers)
178
179 # Only write forward zones if any nameservers are configured.
180 #
181 # Otherwise fall-back into recursor mode.
182 if [ -n "${nameservers}" ]; then
183
184 echo "forward-zone:"
185 echo " name: \".\""
186
187 # Force using TLS only
188 if [ "${PROTO}" = "TLS" ]; then
189 echo " forward-tls-upstream: yes"
190 fi
191
192 # Add upstream name servers
193 local ns
194 for ns in ${nameservers}; do
195 echo " forward-addr: ${ns}"
196 done
197 fi
198
199 ) > /etc/unbound/forward.conf
200 }
201
202 write_tuning_conf() {
203 # https://www.unbound.net/documentation/howto_optimise.html
204
205 # Determine amount of system memory
206 local mem=$(get_memory_amount)
207
208 # In the worst case scenario, unbound can use double the
209 # amount of memory allocated to a cache due to malloc overhead
210
211 # Even larger systems with more than 8GB of RAM
212 if [ ${mem} -ge 8192 ]; then
213 mem=1024
214
215 # Extra large systems with more than 4GB of RAM
216 elif [ ${mem} -ge 4096 ]; then
217 mem=512
218
219 # Large systems with more than 2GB of RAM
220 elif [ ${mem} -ge 2048 ]; then
221 mem=256
222
223 # Medium systems with more than 1GB of RAM
224 elif [ ${mem} -ge 1024 ]; then
225 mem=128
226
227 # Small systems with less than 256MB of RAM
228 elif [ ${mem} -le 256 ]; then
229 mem=16
230
231 # Everything else
232 else
233 mem=64
234 fi
235
236 (
237 config_header
238
239 # Slice up the cache
240 echo "rrset-cache-size: $(( ${mem} / 2 ))m"
241 echo "msg-cache-size: $(( ${mem} / 4 ))m"
242 echo "key-cache-size: $(( ${mem} / 4 ))m"
243
244 # Increase parallel queries
245 echo "outgoing-range: 8192"
246 echo "num-queries-per-thread: 4096"
247
248 # Use larger send/receive buffers
249 echo "so-sndbuf: 4m"
250 echo "so-rcvbuf: 4m"
251 ) > /etc/unbound/tuning.conf
252 }
253
254 get_memory_amount() {
255 local key val unit
256
257 while read -r key val unit; do
258 case "${key}" in
259 MemTotal:*)
260 # Convert to MB
261 echo "$(( ${val} / 1024 ))"
262 break
263 ;;
264 esac
265 done < /proc/meminfo
266 }
267
268 fix_time_if_dns_fails() {
269 # If DNS is working, everything is fine
270 if resolve "ping.ipfire.org" &>/dev/null; then
271 return 0
272 fi
273
274 # Try to sync time with a known time server
275 boot_mesg "DNS not functioning... Trying to sync time with ntp.ipfire.org (81.3.27.46)..."
276 loadproc /usr/local/bin/settime 81.3.27.46
277 }
278
279 resolve() {
280 local hostname="${1}"
281 local found=1
282
283 local answer
284 for answer in $(dig +short A "${hostname}"); do
285 # Filter out non-IP addresses
286 if [[ ! "${answer}" =~ \.$ ]]; then
287 found=0
288 echo "${answer}"
289 fi
290 done
291
292 return ${found}
293 }
294
295 # Sets up Safe Search for various search engines
296 update_safe_search() {
297 local google_tlds=(
298 google.ad
299 google.ae
300 google.al
301 google.am
302 google.as
303 google.at
304 google.az
305 google.ba
306 google.be
307 google.bf
308 google.bg
309 google.bi
310 google.bj
311 google.bs
312 google.bt
313 google.by
314 google.ca
315 google.cat
316 google.cd
317 google.cf
318 google.cg
319 google.ch
320 google.ci
321 google.cl
322 google.cm
323 google.cn
324 google.co.ao
325 google.co.bw
326 google.co.ck
327 google.co.cr
328 google.co.id
329 google.co.il
330 google.co.in
331 google.co.jp
332 google.co.ke
333 google.co.kr
334 google.co.ls
335 google.com
336 google.co.ma
337 google.com.af
338 google.com.ag
339 google.com.ai
340 google.com.ar
341 google.com.au
342 google.com.bd
343 google.com.bh
344 google.com.bn
345 google.com.bo
346 google.com.br
347 google.com.bz
348 google.com.co
349 google.com.cu
350 google.com.cy
351 google.com.do
352 google.com.ec
353 google.com.eg
354 google.com.et
355 google.com.fj
356 google.com.gh
357 google.com.gi
358 google.com.gt
359 google.com.hk
360 google.com.jm
361 google.com.kh
362 google.com.kw
363 google.com.lb
364 google.com.ly
365 google.com.mm
366 google.com.mt
367 google.com.mx
368 google.com.my
369 google.com.na
370 google.com.nf
371 google.com.ng
372 google.com.ni
373 google.com.np
374 google.com.om
375 google.com.pa
376 google.com.pe
377 google.com.pg
378 google.com.ph
379 google.com.pk
380 google.com.pr
381 google.com.py
382 google.com.qa
383 google.com.sa
384 google.com.sb
385 google.com.sg
386 google.com.sl
387 google.com.sv
388 google.com.tj
389 google.com.tr
390 google.com.tw
391 google.com.ua
392 google.com.uy
393 google.com.vc
394 google.com.vn
395 google.co.mz
396 google.co.nz
397 google.co.th
398 google.co.tz
399 google.co.ug
400 google.co.uk
401 google.co.uz
402 google.co.ve
403 google.co.vi
404 google.co.za
405 google.co.zm
406 google.co.zw
407 google.cv
408 google.cz
409 google.de
410 google.dj
411 google.dk
412 google.dm
413 google.dz
414 google.ee
415 google.es
416 google.fi
417 google.fm
418 google.fr
419 google.ga
420 google.ge
421 google.gg
422 google.gl
423 google.gm
424 google.gp
425 google.gr
426 google.gy
427 google.hn
428 google.hr
429 google.ht
430 google.hu
431 google.ie
432 google.im
433 google.iq
434 google.is
435 google.it
436 google.je
437 google.jo
438 google.kg
439 google.ki
440 google.kz
441 google.la
442 google.li
443 google.lk
444 google.lt
445 google.lu
446 google.lv
447 google.md
448 google.me
449 google.mg
450 google.mk
451 google.ml
452 google.mn
453 google.ms
454 google.mu
455 google.mv
456 google.mw
457 google.ne
458 google.nl
459 google.no
460 google.nr
461 google.nu
462 google.pl
463 google.pn
464 google.ps
465 google.pt
466 google.ro
467 google.rs
468 google.ru
469 google.rw
470 google.sc
471 google.se
472 google.sh
473 google.si
474 google.sk
475 google.sm
476 google.sn
477 google.so
478 google.sr
479 google.st
480 google.td
481 google.tg
482 google.tk
483 google.tl
484 google.tm
485 google.tn
486 google.to
487 google.tt
488 google.vg
489 google.vu
490 google.ws
491 )
492
493 # Cleanup previous settings
494 unbound-control local_zone_remove "bing.com" >/dev/null
495 unbound-control local_zone_remove "duckduckgo.com" >/dev/null
496 unbound-control local_zone_remove "yandex.com" >/dev/null
497 unbound-control local_zone_remove "yandex.ru" >/dev/null
498 unbound-control local_zone_remove "youtube.com" >/dev/null
499
500 local domain
501 for domain in ${google_tlds[@]}; do
502 unbound-control local_zone_remove "${domain}"
503 done >/dev/null
504
505 # Nothing to do if safe search is not enabled
506 if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
507 return 0
508 fi
509
510 # Bing
511 unbound-control bing.com transparent >/dev/null
512 for address in $(resolve "strict.bing.com"); do
513 unbound-control local_data "www.bing.com ${LOCAL_TTL} IN A ${address}"
514 done >/dev/null
515
516 # DuckDuckGo
517 unbound-control local_zone duckduckgo.com typetransparent >/dev/null
518 for address in $(resolve "safe.duckduckgo.com"); do
519 unbound-control local_data "duckduckgo.com ${LOCAL_TTL} IN A ${address}"
520 done >/dev/null
521
522 # Google
523 local addresses="$(resolve "forcesafesearch.google.com")"
524 for domain in ${google_tlds[@]}; do
525 unbound-control local_zone "${domain}" transparent >/dev/null
526 for address in ${addresses}; do
527 unbound-control local_data "www.${domain} ${LOCAL_TTL} IN A ${address}"
528 done >/dev/null
529 done
530
531 # Yandex
532 for domain in yandex.com yandex.ru; do
533 unbound-control local_zone "${domain}" typetransparent >/dev/null
534 for address in $(resolve "familysearch.${domain}"); do
535 unbound-control local_data "${domain} ${LOCAL_TTL} IN A ${address}"
536 done >/dev/null
537 done
538
539 # YouTube
540 unbound-control local_zone youtube.com transparent >/dev/null
541 for address in $(resolve "restrictmoderate.youtube.com"); do
542 unbound-control local_data "www.youtube.com ${LOCAL_TTL} IN A ${address}"
543 done >/dev/null
544
545 return 0
546 }
547
548 case "$1" in
549 start)
550 # Print a nicer messagen when unbound is already running
551 if pidofproc -s unbound; then
552 statusproc /usr/sbin/unbound
553 exit 0
554 fi
555
556 # Update configuration files
557 write_tuning_conf
558 write_hosts_conf
559 write_forward_conf
560
561 boot_mesg "Starting Unbound DNS Proxy..."
562 loadproc /usr/sbin/unbound || exit $?
563
564 # Install Safe Search rules when the system is already online
565 if [ -e "/var/ipfire/red/active" ]; then
566 update_safe_search
567 fi
568 ;;
569
570 stop)
571 boot_mesg "Stopping Unbound DNS Proxy..."
572 killproc /usr/sbin/unbound
573 ;;
574
575 restart)
576 $0 stop
577 sleep 1
578 $0 start
579 ;;
580 reload|update-forwarders)
581 # Update configuration files
582 write_forward_conf
583 write_hosts_conf
584
585 # Call unbound-control and perform the reload
586 /usr/sbin/unbound-control -q reload
587
588 # Dummy Resolve to wait for unbound
589 resolve "ping.ipfire.org" &>/dev/null
590
591 if [ "$1" = "update-forwarders" ]; then
592 # Make sure DNS works at this point
593 fix_time_if_dns_fails
594 fi
595
596 # Update Safe Search rules if the system is online.
597 if [ -e "/var/ipfire/red/active" ]; then
598 update_safe_search
599 fi
600 ;;
601
602 status)
603 statusproc /usr/sbin/unbound
604 ;;
605
606 resolve)
607 resolve "${2}" || exit $?
608 ;;
609
610 *)
611 echo "Usage: $0 {start|stop|restart|reload|status|resolve|update-forwarders}"
612 exit 1
613 ;;
614 esac
615
616 # End $rc_base/init.d/unbound
Peter's tree of IPFire 2.x