. /etc/sysconfig/rc
. ${rc_functions}
-TEST_DOMAIN="ipfire.org"
-
-# This domain will never validate
-TEST_DOMAIN_FAIL="dnssec-failed.org"
-
# Cache any local zones for 60 seconds
LOCAL_TTL=60
echo
}
-own_hostname() {
- local hostname=$(hostname -f)
- # 1.1.1.1 is reserved for unused green, skip this
- if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
- unbound-control -q local_data "${hostname} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}"
- fi
+write_hosts_conf() {
+ (
+ config_header
- local address
- for address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
- [ -n "${address}" ] || continue
- [ "${address}" = "1.1.1.1" ] && continue
+ # Make own hostname resolveable
+ # 1.1.1.1 is reserved for unused green, skip this
+ if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
+ echo "local-data: \"${HOSTNAME} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}\""
+ fi
- address=$(ip_address_revptr ${address})
- unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${hostname}"
- done
-}
+ local address
+ for address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+ [ -n "${address}" ] || continue
+ [ "${address}" = "1.1.1.1" ] && continue
-update_hosts() {
- local enabled address hostname domainname generateptr
+ address=$(ip_address_revptr ${address})
+ echo "local-data: \"${address} ${LOCAL_TTL} IN PTR ${HOSTNAME}\""
+ done
+
+ local enabled address hostname domainname generateptr
+
+ # Find all unique domain names
+ while IFS="," read -r enabled address hostname domainname generateptr; do
+ [ "${enabled}" = "on" ] || continue
- while IFS="," read -r enabled address hostname domainname generateptr; do
- [ "${enabled}" = "on" ] || continue
+ # Skip empty domainnames
+ [ "${domainname}" = "" ] && continue
- # Build FQDN
- local fqdn="${hostname}.${domainname}"
+ echo "local-zone: ${domainname} typetransparent"
+ done < /var/ipfire/main/hosts | sort -u
- unbound-control -q local_data "${fqdn} ${LOCAL_TTL} IN A ${address}"
+ # Add all hosts
+ while IFS="," read -r enabled address hostname domainname generateptr; do
+ [ "${enabled}" = "on" ] || continue
+
+ # Build FQDN
+ local fqdn="${hostname}.${domainname}"
+ echo "local-data: \"${fqdn} ${LOCAL_TTL} IN A ${address}\""
- # Skip reverse resolution if the address equals the GREEN address
- [ "${address}" = "${GREEN_ADDRESS}" ] && continue
+ # Skip reverse resolution if the address equals the GREEN address
+ [ "${address}" = "${GREEN_ADDRESS}" ] && continue
- # Skip reverse resolution if user requested not to do so
- [ "${generateptr}" = "off" ] && continue
+ # Skip reverse resolution if user requested not to do so
+ [ "${generateptr}" = "off" ] && continue
- # Add RDNS
- address=$(ip_address_revptr ${address})
- unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${fqdn}"
- done < /var/ipfire/main/hosts
+ # Add RDNS
+ address=$(ip_address_revptr ${address})
+ echo "local-data: \"${address} ${LOCAL_TTL} IN PTR ${fqdn}\""
+ done < /var/ipfire/main/hosts
+ ) > /etc/unbound/hosts.conf
}
write_forward_conf() {
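Review bot: The own-host records at L28 and L41 now use `${HOSTNAME}` where the removed own_hostname() used `$(hostname -f)`; bash's HOSTNAME is the short name from gethostname(), so unless this script sets HOSTNAME to the FQDN somewhere outside the hunk, the A and PTR records for the firewall itself lose their domain part. I would keep the old source with a name that does not collide with the `hostname` field read in the loop below: `local own_fqdn` / `own_fqdn=$(hostname -f)` and use `${own_fqdn}` in both echo lines. Separately, the hostname, domainname and address fields from /var/ipfire/main/hosts are pasted into the quoted `local-data:` strings and the `local-zone:` line without any check; a field containing `"` or whitespace ends the quoted string and the remainder becomes further config text, so a `[[ "${hostname}" =~ ^[A-Za-z0-9.-]+$ ]] || continue` style guard on each record would be worthwhile.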
done
fi
- echo "forward-zone:"
- echo " name: \".\""
+ # Read name servers.
+ nameservers=$(read_name_servers)
- # Force using TLS only
- if [ "${PROTO}" = "TLS" ]; then
- echo " forward-tls-upstream: yes"
+ # Only write forward zones if any nameservers are configured.
+ #
+ # Otherwise fall-back into recursor mode.
+ if [ -n "${nameservers}" ]; then
+
+ echo "forward-zone:"
+ echo " name: \".\""
+
+ # Force using TLS only
+ if [ "${PROTO}" = "TLS" ]; then
+ echo " forward-tls-upstream: yes"
+ fi
+
+ # Add upstream name servers
+ local ns
+ for ns in ${nameservers}; do
+ echo " forward-addr: ${ns}"
+ done
fi
- # Add upstream name servers
- local ns
- for ns in $(read_name_servers); do
- echo " forward-addr: ${ns}"
- done
) > /etc/unbound/forward.conf
}
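Review bot: `nameservers=$(read_name_servers)` at L89 is the only assignment in this function not declared `local`, whereas `local ns` a few lines down is; since the assignment runs inside the `( … ) > /etc/unbound/forward.conf` subshell it does not leak past the function, but for consistency it should be `local nameservers` followed by `nameservers=$(read_name_servers)` on its own line. The enclosing write_forward_conf() starts before this hunk.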
write_tuning_conf() {
# https://www.unbound.net/documentation/howto_optimise.html
- # Determine number of online processors
- local processors=$(getconf _NPROCESSORS_ONLN)
-
- # Determine number of slabs
- local slabs=1
- while [ ${slabs} -lt ${processors} ]; do
- slabs=$(( ${slabs} * 2 ))
- done
-
# Determine amount of system memory
local mem=$(get_memory_amount)
(
config_header
- # We run one thread per processor
- echo "num-threads: ${processors}"
- echo "so-reuseport: yes"
-
- # Adjust number of slabs
- echo "infra-cache-slabs: ${slabs}"
- echo "key-cache-slabs: ${slabs}"
- echo "msg-cache-slabs: ${slabs}"
- echo "rrset-cache-slabs: ${slabs}"
-
# Slice up the cache
echo "rrset-cache-size: $(( ${mem} / 2 ))m"
echo "msg-cache-size: $(( ${mem} / 4 ))m"
resolve() {
local hostname="${1}"
+ local found=1
local answer
for answer in $(dig +short A "${hostname}"); do
# Filter out non-IP addresses
if [[ ! "${answer}" =~ \.$ ]]; then
+ found=0
echo "${answer}"
fi
done
-}
-
-update_forwarders() {
- # Do nothing when we do not use the ISP name servers
- [ "${USE_ISP_NAMESERVERS}" != "on" ] && return 0
- # We cannot update anything when using TLS
- # Unbound will then try to connect to the servers using UDP on port 853
- [ "${PROTO}" = "TLS" ] && return 0
-
- # Update unbound about the new servers
- local nameservers=( $(read_name_servers) )
- if [ -n "${nameservers[*]}" ]; then
- unbound-control -q forward "${nameservers[@]}"
- else
- unbound-control -q forward off
- fi
+ return ${found}
}
# Sets up Safe Search for various search engines
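Review bot: `found` in resolve() holds an exit status, so `local found=1` means "nothing found" and `found=0` means "found", which reads backwards at the `return ${found}` line; naming it `local rc=1` … `rc=0` … `return ${rc}` says what it is. Note also that the status is 1 both when dig returned no usable A record and when dig itself failed (timeout, no upstream), so callers such as the new reload arm cannot tell "no answer" from "resolver not ready".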
unbound-control local_zone_remove "${domain}"
done >/dev/null
- # Nothing to do if safe search is not enabled
- if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
- return 0
- fi
-
- # Bing
- unbound-control bing.com transparent >/dev/null
- for address in $(resolve "strict.bing.com"); do
- unbound-control local_data "www.bing.com ${LOCAL_TTL} IN A ${address}"
- done >/dev/null
-
- # DuckDuckGo
- unbound-control local_zone duckduckgo.com typetransparent >/dev/null
- for address in $(resolve "safe.duckduckgo.com"); do
- unbound-control local_data "duckduckgo.com ${LOCAL_TTL} IN A ${address}"
- done >/dev/null
-
- # Google
- local addresses="$(resolve "forcesafesearch.google.com")"
- for domain in ${google_tlds[@]}; do
- unbound-control local_zone "${domain}" transparent >/dev/null
- for address in ${addresses}; do
- unbound-control local_data: "www.${domain} ${LOCAL_TTL} IN A ${address}"
+ if [ "${ENABLE_SAFE_SEARCH}" = "on" ]; then
+ # Bing
+ unbound-control bing.com transparent >/dev/null
+ for address in $(resolve "strict.bing.com"); do
+ unbound-control local_data "www.bing.com ${LOCAL_TTL} IN A ${address}"
done >/dev/null
- done
- # Yandex
- for domain in yandex.com yandex.ru; do
- unbound-control local_zone "${domain}" typetransparent >/dev/null
- for address in $(resolve "familysearch.${domain}"); do
- unbound-control local_data "${domain} ${LOCAL_TTL} IN A ${address}"
+ # DuckDuckGo
+ unbound-control local_zone duckduckgo.com typetransparent >/dev/null
+ for address in $(resolve "safe.duckduckgo.com"); do
+ unbound-control local_data "duckduckgo.com ${LOCAL_TTL} IN A ${address}"
done >/dev/null
- done
- # YouTube
- unbound-control local_zone youtube.com transparent >/dev/null
- for address in $(resolve "restrictmoderate.youtube.com"); do
- unbound-control local_data "www.youtube.com ${LOCAL_TTL} IN A ${address}"
- done >/dev/null
+ # Google
+ local addresses="$(resolve "forcesafesearch.google.com")"
+ for domain in ${google_tlds[@]}; do
+ unbound-control local_zone "${domain}" transparent >/dev/null
+ for address in ${addresses}; do
+ unbound-control local_data "www.${domain} ${LOCAL_TTL} IN A ${address}"
+ done >/dev/null
+ done
+
+ # Yandex
+ for domain in yandex.com yandex.ru; do
+ unbound-control local_zone "${domain}" typetransparent >/dev/null
+ for address in $(resolve "familysearch.${domain}"); do
+ unbound-control local_data "${domain} ${LOCAL_TTL} IN A ${address}"
+ done >/dev/null
+ done
+
+ # YouTube
+ if [ "${ENABLE_SAFE_SEARCH_YOUTUBE}" = "on" ]; then
+ unbound-control local_zone youtube.com transparent >/dev/null
+ for address in $(resolve "restrictmoderate.youtube.com"); do
+ unbound-control local_data "www.youtube.com ${LOCAL_TTL} IN A ${address}"
+ done >/dev/null
+ fi
+ fi
return 0
}
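Review bot: `unbound-control bing.com transparent >/dev/null` at L204 is missing the `local_zone` subcommand, so unbound-control is handed `bing.com` as the command and the Bing zone is presumably never created; it should read `unbound-control local_zone bing.com transparent >/dev/null`, matching the DuckDuckGo and Google lines. The line was carried over verbatim from the removed block, and while the commit fixes the analogous `local_data:` typo for Google at L230, this one remains. The enclosing update_safe_search() starts before this hunk.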
# Update configuration files
write_tuning_conf
+ write_hosts_conf
write_forward_conf
boot_mesg "Starting Unbound DNS Proxy..."
loadproc /usr/sbin/unbound || exit $?
- # Make own hostname resolveable
- own_hostname
-
# Install Safe Search rules when the system is already online
if [ -e "/var/ipfire/red/active" ]; then
update_safe_search
fi
-
- # Update hosts
- update_hosts
;;
stop)
sleep 1
$0 start
;;
+ reload|update-forwarders)
+ # Update configuration files
+ write_forward_conf
+ write_hosts_conf
- status)
- statusproc /usr/sbin/unbound
- ;;
+ # Call unbound-control and perform the reload
+ /usr/sbin/unbound-control -q reload
- update-forwarders)
- update_forwarders
+ # Dummy Resolve to wait for unbound
+ resolve "ping.ipfire.org" &>/dev/null
- # Make sure DNS works at this point
- fix_time_if_dns_fails
+ if [ "$1" = "update-forwarders" ]; then
+ # Make sure DNS works at this point
+ fix_time_if_dns_fails
+ fi
- # Update Safe Search settings
- update_safe_search
+ # Update Safe Search rules if the system is online.
+ if [ -e "/var/ipfire/red/active" ]; then
+ update_safe_search
+ fi
;;
- remove-forwarders)
- update_forwarders
+ status)
+ statusproc /usr/sbin/unbound
;;
resolve)
- resolve "${2}"
- ;;
-
- update-safe-search)
- update_safe_search
+ resolve "${2}" || exit $?
;;
*)
- echo "Usage: $0 {start|stop|restart|status|resolve|update-forwarders|remove-forwarders|update-safe-search}"
+ echo "Usage: $0 {start|stop|restart|reload|status|resolve|update-forwarders}"
exit 1
;;
esac
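Review bot: The "Dummy Resolve to wait for unbound" at L285 does not wait: it issues one query and discards the status, so when unbound is still reloading, fix_time_if_dns_fails and update_safe_search at L290 and L296 run against a resolver that is not answering yet. Since resolve() now returns a status, a small bounded retry loop around it gives the reload time to complete without hanging the script. The status of `/usr/sbin/unbound-control -q reload` at L281 is also discarded; the `resolve)` arm propagates failures with `|| exit $?`, and the same treatment here would make a failed reload visible to the caller. If anything outside this file still invokes `remove-forwarders` or `update-safe-search`, those callers now fall into the `*)` arm and exit 1.
```sh
	# Call unbound-control and perform the reload
	/usr/sbin/unbound-control -q reload

	# Give unbound a bounded amount of time to answer queries again
	for _ in 1 2 3 4 5; do
		resolve "ping.ipfire.org" &>/dev/null && break
		sleep 1
	done
	# … unchanged: update-forwarders time fix and safe search handling …
```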