2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
25 # Cache any local zones for 60 seconds
29 eval $
(/usr
/local
/bin
/readhash
/var
/ipfire
/dns
/settings
)
30 eval $
(/usr
/local
/bin
/readhash
/var
/ipfire
/ethernet
/settings
)
36 IFS
=.
read -r a1 a2 a3 a4
<<< ${addr}
38 echo "${a4}.${a3}.${a2}.${a1}.in-addr.arpa"
42 # Read name servers from ISP
43 if [ "${USE_ISP_NAMESERVERS}" = "on" -a "${PROTO}" != "TLS" ]; then
46 echo "$(</var/run/dns${i})"
50 # Read configured name servers
51 local id address tls_hostname enabled remark
52 while IFS
="," read -r id address tls_hostname enabled remark
; do
53 [ "${enabled}" != "enabled" ] && continue
55 if [ "${PROTO}" = "TLS" ]; then
56 if [ -n "${tls_hostname}" ]; then
57 echo "${address}@853#${tls_hostname}"
62 done < /var
/ipfire
/dns
/servers
66 echo "# This file is automatically generated and any changes"
67 echo "# will be overwritten. DO NOT EDIT!"
75 # Make own hostname resolveable
76 # 1.1.1.1 is reserved for unused green, skip this
77 if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
78 echo "local-data: \"${HOSTNAME} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}\""
82 for address
in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
83 [ -n "${address}" ] ||
continue
84 [ "${address}" = "1.1.1.1" ] && continue
86 address
=$
(ip_address_revptr
${address})
87 echo "local-data: \"${address} ${LOCAL_TTL} IN PTR ${HOSTNAME}\""
90 local enabled address hostname domainname generateptr
92 # Find all unique domain names
93 while IFS
="," read -r enabled address hostname domainname generateptr
; do
94 [ "${enabled}" = "on" ] ||
continue
96 # Skip empty domainnames
97 [ "${domainname}" = "" ] && continue
99 echo "local-zone: ${domainname} transparent"
100 done < /var
/ipfire
/main
/hosts |
sort -u
103 while IFS
="," read -r enabled address hostname domainname generateptr
; do
104 [ "${enabled}" = "on" ] ||
continue
107 local fqdn
="${hostname}.${domainname}"
108 echo "local-data: \"${fqdn} ${LOCAL_TTL} IN A ${address}\""
110 # Skip reverse resolution if the address equals the GREEN address
111 [ "${address}" = "${GREEN_ADDRESS}" ] && continue
113 # Skip reverse resolution if user requested not to do so
114 [ "${generateptr}" = "off" ] && continue
117 address
=$
(ip_address_revptr
${address})
118 echo "local-data: \"${address} ${LOCAL_TTL} IN PTR ${fqdn}\""
119 done < /var
/ipfire
/main
/hosts
120 ) > /etc
/unbound
/hosts.conf
123 write_forward_conf
() {
127 # Enable strict QNAME minimisation
128 if [ "${QNAME_MIN}" = "strict" ]; then
130 echo " qname-minimisation-strict: yes"
134 # Force using TCP for upstream servers only
135 if [ "${PROTO}" = "TCP" ]; then
136 echo "# Force using TCP for upstream servers only"
138 echo " tcp-upstream: yes"
142 local insecure_zones
=""
144 local enabled zone server servers remark disable_dnssec rest
145 while IFS
="," read -r enabled zone servers remark disable_dnssec rest
; do
146 # Line must be enabled.
147 [ "${enabled}" = "on" ] ||
continue
149 # Zones that end with .local are commonly used for internal
150 # zones and therefore not signed
153 insecure_zones
="${insecure_zones} ${zone}"
156 if [ "${disable_dnssec}" = "on" ]; then
157 insecure_zones
="${insecure_zones} ${zone}"
163 echo " name: ${zone}"
164 for server
in ${servers//|/ }; do
165 if [[ ${server} =~ ^
[0-9]+\.
[0-9]+\.
[0-9]+\.
[0-9]+$
]]; then
166 echo " stub-addr: ${server}"
168 echo " stub-host: ${server}"
173 # Make all reverse lookup zones transparent
177 echo " local-zone: \"${zone}\" transparent"
181 done < /var
/ipfire
/dnsforward
/config
183 if [ -n "${insecure_zones}" ]; then
186 for zone
in ${insecure_zones}; do
187 echo " domain-insecure: ${zone}"
192 nameservers
=$
(read_name_servers
)
194 # Only write forward zones if any nameservers are configured.
196 # Otherwise fall-back into recursor mode.
197 if [ -n "${nameservers}" ]; then
202 # Force using TLS only
203 if [ "${PROTO}" = "TLS" ]; then
204 echo " forward-tls-upstream: yes"
207 # Add upstream name servers
209 for ns
in ${nameservers}; do
210 echo " forward-addr: ${ns}"
214 ) > /etc
/unbound
/forward.conf
217 write_tuning_conf
() {
218 # https://www.unbound.net/documentation/howto_optimise.html
220 # Determine amount of system memory
221 local mem
=$
(get_memory_amount
)
223 # In the worst case scenario, unbound can use double the
224 # amount of memory allocated to a cache due to malloc overhead
226 # Even larger systems with more than 8GB of RAM
227 if [ ${mem} -ge 8192 ]; then
230 # Extra large systems with more than 4GB of RAM
231 elif [ ${mem} -ge 4096 ]; then
234 # Large systems with more than 2GB of RAM
235 elif [ ${mem} -ge 2048 ]; then
238 # Medium systems with more than 1GB of RAM
239 elif [ ${mem} -ge 1024 ]; then
242 # Small systems with less than 256MB of RAM
243 elif [ ${mem} -le 256 ]; then
255 echo "rrset-cache-size: $(( ${mem} / 2 ))m"
256 echo "msg-cache-size: $(( ${mem} / 4 ))m"
257 echo "key-cache-size: $(( ${mem} / 4 ))m"
259 # Increase parallel queries
260 echo "outgoing-range: 8192"
261 echo "num-queries-per-thread: 4096"
263 # Use larger send/receive buffers
266 ) > /etc
/unbound
/tuning.conf
269 get_memory_amount
() {
272 while read -r key val unit
; do
276 echo "$(( ${val} / 1024 ))"
283 fix_time_if_dns_fails
() {
284 # If DNS is working, everything is fine
285 if resolve
"0.ipfire.pool.ntp.org" &>/dev
/null || \
286 resolve
"1.ipfire.pool.ntp.org" &>/dev
/null
; then
290 # Try to sync time with a known time server
291 boot_mesg
"DNS not functioning... Trying to sync time with ntp.ipfire.org (81.3.27.46)..."
292 loadproc
/usr
/local
/bin
/settime
81.3.27.46
296 local hostname
="${1}"
300 for answer
in $
(dig +short A
"${hostname}"); do
301 # Filter out non-IP addresses
302 if [[ ! "${answer}" =~ \.$
]]; then
311 # Sets up Safe Search for various search engines
312 update_safe_search
() {
509 # Cleanup previous settings
510 unbound-control local_zone_remove
"bing.com" >/dev
/null
511 unbound-control local_zone_remove
"duckduckgo.com" >/dev
/null
512 unbound-control local_zone_remove
"yandex.com" >/dev
/null
513 unbound-control local_zone_remove
"yandex.ru" >/dev
/null
514 unbound-control local_zone_remove
"youtube.com" >/dev
/null
517 for domain
in ${google_tlds[@]}; do
518 unbound-control local_zone_remove
"${domain}"
521 if [ "${ENABLE_SAFE_SEARCH}" = "on" ]; then
523 unbound-control bing.com transparent
>/dev
/null
524 for address
in $
(resolve
"strict.bing.com"); do
525 unbound-control local_data
"www.bing.com ${LOCAL_TTL} IN A ${address}"
529 unbound-control local_zone duckduckgo.com typetransparent
>/dev
/null
530 for address
in $
(resolve
"safe.duckduckgo.com"); do
531 unbound-control local_data
"duckduckgo.com ${LOCAL_TTL} IN A ${address}"
535 local addresses
="$(resolve "forcesafesearch.google.com
")"
536 for domain
in ${google_tlds[@]}; do
537 unbound-control local_zone
"${domain}" transparent
>/dev
/null
538 for address
in ${addresses}; do
539 unbound-control local_data
"www.${domain} ${LOCAL_TTL} IN A ${address}"
544 for domain
in yandex.com yandex.ru
; do
545 unbound-control local_zone
"${domain}" typetransparent
>/dev
/null
546 for address
in $
(resolve
"familysearch.${domain}"); do
547 unbound-control local_data
"${domain} ${LOCAL_TTL} IN A ${address}"
552 if [ "${ENABLE_SAFE_SEARCH_YOUTUBE}" = "on" ]; then
553 unbound-control local_zone youtube.com transparent
>/dev
/null
554 for address
in $
(resolve
"restrictmoderate.youtube.com"); do
555 unbound-control local_data
"www.youtube.com ${LOCAL_TTL} IN A ${address}"
565 # Print a nicer messagen when unbound is already running
566 if pidofproc
-s unbound
; then
567 statusproc
/usr
/sbin
/unbound
571 # Update configuration files
576 boot_mesg
"Starting Unbound DNS Proxy..."
577 loadproc
/usr
/sbin
/unbound ||
exit $?
579 # Install Safe Search rules when the system is already online
580 if [ -e "/var/ipfire/red/active" ]; then
586 boot_mesg
"Stopping Unbound DNS Proxy..."
587 killproc
/usr
/sbin
/unbound
595 reload|update-forwarders
)
596 # Update configuration files
600 # Call unbound-control and perform the reload
601 /usr
/sbin
/unbound-control
-q reload
603 # Dummy Resolve to wait for unbound
604 resolve
"ping.ipfire.org" &>/dev
/null
606 if [ "$1" = "update-forwarders" ]; then
607 # Make sure DNS works at this point
608 fix_time_if_dns_fails
611 # Update Safe Search rules if the system is online.
612 if [ -e "/var/ipfire/red/active" ]; then
618 statusproc
/usr
/sbin
/unbound
622 resolve
"${2}" ||
exit $?
626 echo "Usage: $0 {start|stop|restart|reload|status|resolve|update-forwarders}"