Unbound is a validating, recursive, and caching DNS resolver.
https://www.unbound.net
Signed-off-by: Marcel Lorenz <marcel.lorenz@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
--- /dev/null
+etc/rc.d/init.d/unbound
+#etc/unbound
+#etc/unbound/blocklists
+etc/unbound/forward.conf
+etc/unbound/root.hints
+etc/unbound/root.key
+etc/unbound/unbound.conf
+etc/unbound/unbound_org.conf
+usr/bin/unbound-host
+#usr/include/unbound.h
+#usr/lib/libunbound.la
+#usr/lib/libunbound.so
+usr/lib/libunbound.so.2
+usr/lib/libunbound.so.2.4.1
+#usr/lib/python2.7/site-packages/_unbound.la
+usr/lib/python2.7/site-packages/_unbound.so
+usr/lib/python2.7/site-packages/daemonize.py
+usr/lib/python2.7/site-packages/dhcpd.py
+usr/lib/python2.7/site-packages/params.py
+usr/lib/python2.7/site-packages/unbound.py
+usr/lib/python2.7/site-packages/watcherdhcpd.py
+usr/sbin/unbound
+usr/sbin/unbound-anchor
+usr/sbin/unbound-checkconf
+usr/sbin/unbound-dhcpd.py
+usr/sbin/unbound-control
+usr/sbin/unbound-control-setup
+usr/sbin/unbound-switch
+usr/sbin/unbound-zone
+#usr/share/man/man1/unbound-host.1
+#usr/share/man/man3/libunbound.3
+#usr/share/man/man3/ub_cancel.3
+#usr/share/man/man3/ub_ctx.3
+#usr/share/man/man3/ub_ctx_add_ta.3
+#usr/share/man/man3/ub_ctx_add_ta_file.3
+#usr/share/man/man3/ub_ctx_async.3
+#usr/share/man/man3/ub_ctx_config.3
+#usr/share/man/man3/ub_ctx_create.3
+#usr/share/man/man3/ub_ctx_data_add.3
+#usr/share/man/man3/ub_ctx_data_remove.3
+#usr/share/man/man3/ub_ctx_debuglevel.3
+#usr/share/man/man3/ub_ctx_debugout.3
+#usr/share/man/man3/ub_ctx_delete.3
+#usr/share/man/man3/ub_ctx_get_option.3
+#usr/share/man/man3/ub_ctx_hosts.3
+#usr/share/man/man3/ub_ctx_print_local_zones.3
+#usr/share/man/man3/ub_ctx_resolvconf.3
+#usr/share/man/man3/ub_ctx_set_fwd.3
+#usr/share/man/man3/ub_ctx_set_option.3
+#usr/share/man/man3/ub_ctx_trustedkeys.3
+#usr/share/man/man3/ub_ctx_zone_add.3
+#usr/share/man/man3/ub_ctx_zone_remove.3
+#usr/share/man/man3/ub_fd.3
+#usr/share/man/man3/ub_poll.3
+#usr/share/man/man3/ub_process.3
+#usr/share/man/man3/ub_resolve.3
+#usr/share/man/man3/ub_resolve_async.3
+#usr/share/man/man3/ub_resolve_free.3
+#usr/share/man/man3/ub_result.3
+#usr/share/man/man3/ub_strerror.3
+#usr/share/man/man3/ub_wait.3
+#usr/share/man/man5/unbound.conf.5
+#usr/share/man/man8/unbound-anchor.8
+#usr/share/man/man8/unbound-checkconf.8
+#usr/share/man/man8/unbound-control-setup.8
+#usr/share/man/man8/unbound-control.8
+#usr/share/man/man8/unbound.8
--- /dev/null
+forward-zone:
+ name: "."
+ forward-addr: 85.214.20.141
+ forward-addr: 194.150.168.168
+ forward-addr: 208.67.222.222
+ forward-addr: 208.67.220.220
--- /dev/null
+; This file holds the information on root name servers needed to
+; initialize cache of Internet domain name servers
+; (e.g. reference this file in the "cache . <file>"
+; configuration file of BIND domain name servers).
+;
+; This file is made available by InterNIC
+; under anonymous FTP as
+; file /domain/named.cache
+; on server FTP.INTERNIC.NET
+; -OR- RS.INTERNIC.NET
+;
+; last update: March 23, 2016
+; related version of root zone: 2016032301
+;
+; formerly NS.INTERNIC.NET
+;
+. 3600000 NS A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
+A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
+;
+; FORMERLY NS1.ISI.EDU
+;
+. 3600000 NS B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
+B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:84::b
+;
+; FORMERLY C.PSI.NET
+;
+. 3600000 NS C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
+C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
+;
+; FORMERLY TERP.UMD.EDU
+;
+. 3600000 NS D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
+D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
+;
+; FORMERLY NS.NASA.GOV
+;
+. 3600000 NS E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
+;
+; FORMERLY NS.ISC.ORG
+;
+. 3600000 NS F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
+F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
+;
+; FORMERLY NS.NIC.DDN.MIL
+;
+. 3600000 NS G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
+;
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+. 3600000 NS H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
+H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
+;
+; FORMERLY NIC.NORDU.NET
+;
+. 3600000 NS I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
+I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
+;
+; OPERATED BY VERISIGN, INC.
+;
+. 3600000 NS J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
+J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
+;
+; OPERATED BY RIPE NCC
+;
+. 3600000 NS K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
+K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
+;
+; OPERATED BY ICANN
+;
+. 3600000 NS L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
+L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42
+;
+; OPERATED BY WIDE
+;
+. 3600000 NS M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
+M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
+; End of file
--- /dev/null
+; autotrust trust anchor file
+;;id: . 1
+;;last_queried: 1467576595 ;;Sun Jul 3 22:09:55 2016
+;;last_success: 1467576595 ;;Sun Jul 3 22:09:55 2016
+;;next_probe_time: 1467616562 ;;Mon Jul 4 09:16:02 2016
+;;query_failed: 0
+;;query_interval: 43200
+;;retry_time: 8640
+. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1467575383 ;;Sun Jul 3 21:49:43 2016
--- /dev/null
+#
+# Unbound configuration file for IPFire
+#
+# The full documentation is available at:
+# https://www.unbound.net/documentation/unbound.conf.html
+#
+
+server:
+ # common server options
+ chroot: "/etc/unbound"
+ username: "unbound"
+ pidfile: "/var/run/unbound.pid"
+ num-threads: 2
+ port: 53
+ do-ip4: yes
+ do-ip6: no
+ do-udp: yes
+ do-tcp: yes
+ prefetch: yes
+ so-reuseport: yes
+ cache-min-ttl: 3600
+ cache-max-ttl: 86400
+ unwanted-reply-threshold: 10000
+ do-not-query-localhost: yes
+
+ # logging options
+ logfile: "log/unbound.log"
+ use-syslog: no
+ verbosity: 1
+ log-queries: no
+ log-time-ascii: yes
+
+ # Unbound Statistics
+ statistics-interval: 3600
+ statistics-cumulative: yes
+ extended-statistics: yes
+
+ # privacy options
+ hide-identity: yes
+ hide-version: yes
+ qname-minimisation: yes
+ minimal-responses: yes
+
+ # hardening options (some experimental)
+ harden-glue: yes
+ harden-large-queries: yes
+ harden-dnssec-stripped: yes
+ harden-short-bufsize: no
+ harden-below-nxdomain: no
+ harden-referral-path: no
+ harden-algo-downgrade: no
+ use-caps-for-id: yes
+
+ # listen on localhost interface
+ interface: 127.0.0.1
+
+ # file with ipfire interfaces
+ include: "/etc/unbound/interfaces.conf"
+
+ # control which clients are allowed to make (recursive) queries
+ access-control: 0.0.0.0/0 refuse
+ access-control: 127.0.0.0/8 allow
+ access-control: ::0/0 refuse
+ access-control: ::1 allow
+ access-control: ::ffff:127.0.0.1 allow
+
+ # file with ipfire networks
+ include: "/etc/unbound/access.conf"
+
+ # dnssec main options
+ val-clean-additional: yes
+ val-log-level: 1
+ # file with ipfire dnssec configuration
+ include: "/etc/unbound/dnssec.conf"
+
+ # DNS Rebinding
+ # For DNS Rebinding prevention
+ #
+ # All these addresses are either private or should not be routable in the global IPv4 or IPv6 internet.
+ # IPv4 Addresses
+ private-address: 0.0.0.0/8 # Broadcast address
+ private-address: 10.0.0.0/8
+ private-address: 127.0.0.0/8 # Loopback Localhost
+ private-address: 172.16.0.0/12
+ private-address: 192.168.0.0/16
+ private-address: 169.254.0.0/16
+ private-address: 198.18.0.0/15 # Used for testing inter-network communications
+ private-address: 198.51.100.0/24 # Documentation network TEST-NET-2
+ private-address: 203.0.113.0/24 # Documentation network TEST-NET-3
+ private-address: 233.252.0.0/24 # Documentation network MCAST-TEST-NET
+ # IPv6 Addresses
+ private-address: ::1/128 # Loopback Localhost
+ private-address: 2001:db8::/32 # Documentation network IPv6
+ private-address: fc00::/8 # Unique local address (ULA) part of "fc00::/7", not defined yet
+ private-address: fd00::/8 # Unique local address (ULA) part of "fc00::/7", "/48" prefix group
+ private-address: fe80::/10 # Link-local address (LLA)
+
+ # file with root servers
+ root-hints: "/etc/unbound/root.hints"
+
+ # custom DNS zone files
+ include: "/etc/unbound/zones/*.conf"
+
+ # DHCP leases (if configured)
+ include: /etc/unbound/dhcpleases.conf
+
+ # Blocklists
+ include: "/etc/unbound/blocklists/*.conf"
+# end server config
+
+# enable remote control only on localhost
+remote-control:
+ control-enable: yes
+ control-use-cert: yes
+ control-interface: 127.0.0.1
+ server-key-file: "/etc/unbound/unbound_server.key"
+ server-cert-file: "/etc/unbound/unbound_server.pem"
+ control-key-file: "/etc/unbound/unbound_control.key"
+ control-cert-file: "/etc/unbound/unbound_control.pem"
+# end remote control config
+
+# custom DNS forward config
+include: "/etc/unbound/forward.conf"
--- /dev/null
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER = 1.5.9
+
+THISAPP = unbound-$(VER)
+DL_FILE = $(THISAPP).tar.gz
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = 0cefa62c1690b4db18583db84bff00e3
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+ @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+ @$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+ @$(MD5)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ @$(PREBUILD)
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && \
+ ./configure \
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ --with-pidfile=/var/run/unbound.pid
+ --disable-static \
+ --with-libevent
+ cd $(DIR_APP) && make $(MAKETUNING)
+ cd $(DIR_APP) && make install
+ # add ipfire config
+ mkdir -pv /etc/unbound/blocklists
+ mv -v /etc/unbound/unbound.conf /etc/unbound/unbound_org.conf
+ install -v -m 644 $(DIR_SRC)/config/unbound/*.conf /etc/unbound/
+ install -v -m 644 $(DIR_SRC)/config/unbound/root.hints /etc/unbound/
+ install -v -m 644 $(DIR_SRC)/config/unbound/root.key /etc/unbound/
+ @rm -rf $(DIR_APP)
+ @$(POSTBUILD)
ipfiremake dvdrtools
ipfiremake nettle
ipfiremake dnsmasq
+ ipfiremake unbound
ipfiremake dosfstools
ipfiremake reiserfsprogs
ipfiremake xfsprogs
--- /dev/null
+#!/bin/sh
+# Begin $rc_base/init.d/unbound
+
+# Description : Unbound DNS resolver boot script for IPfire
+# Author : Marcel Lorenz <marcel.lorenz@ipfire.org>
+#
+# Comment : This init script additional starts the dhcpd watcher daemon
+# if DNS-Update (RFC2136) in web interface enabled
+
+. /etc/sysconfig/rc
+. ${rc_functions}
+
+if [[ ! -d /run/var ]]; then mkdir /run/var; fi;
+
+CONTROL_INTERFACE_FILE=1
+CONTROL_ACCESS_FILE=1
+USE_CUSTOM_FORWARDS=0
+ENABLE_DNSSEC=1
+
+# Unbound daemon pid file
+PIDFILE=/var/run/unbound.pid
+
+# Watcher deamon pid file must be the same in unbound main init script
+WAPIDFILE=/var/run/unbound_dhcpd.pid
+
+function cidr() {
+ local cidr nbits IFS;
+ IFS=. read -r i1 i2 i3 i4 <<< ${1}
+ IFS=. read -r m1 m2 m3 m4 <<< ${2}
+ cidr=$(printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))")
+ nbits=0
+ IFS=.
+ for dec in $2 ; do
+ case $dec in
+ 255) let nbits+=8;;
+ 254) let nbits+=7;;
+ 252) let nbits+=6;;
+ 248) let nbits+=5;;
+ 240) let nbits+=4;;
+ 224) let nbits+=3;;
+ 192) let nbits+=2;;
+ 128) let nbits+=1;;
+ 0);;
+ *) echo "Error: $dec is not recognised"; exit 1
+ esac
+ done
+ echo "${cidr}/${nbits}"
+}
+
+case "$1" in
+ start)
+
+ if [[ -f ${PIDFILE} ]]; then
+ log_warning_msg "Unbound daemon is running with Process ID $(cat ${PIDFILE})"
+ else
+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+ #ARGS="$CUSTOM_ARGS"
+ #[ "$DOMAIN_NAME_GREEN" != "" ] && ARGS="$ARGS -s $DOMAIN_NAME_GREEN"
+
+ echo > /var/ipfire/red/resolv.conf # Clear it
+ if [ -e "/var/ipfire/red/dns1" ]; then
+ DNS1=$(cat /var/ipfire/red/dns1 2>/dev/null)
+ if [ ! -z ${DNS1} ]; then
+ echo "nameserver ${DNS1}" >> /var/ipfire/red/resolv.conf
+ NAMESERVERS="${DNS1} "
+ fi
+ fi
+ if [ -e "/var/ipfire/red/dns2" ]; then
+ DNS2=$(cat /var/ipfire/red/dns2 2>/dev/null)
+ if [ ! -z ${DNS2} ]; then
+ echo "nameserver ${DNS2}" >> /var/ipfire/red/resolv.conf
+ NAMESERVERS+="${DNS2} "
+ fi
+ fi
+
+ # create unbound interfaces.conf
+ if [ ${CONTROL_INTERFACE_FILE} = 1 ]; then
+ echo -n > /etc/unbound/interfaces.conf # Clear it
+ if [ ! -z ${GREEN_ADDRESS} ]; then
+ echo "interface: ${GREEN_ADDRESS}" >> /etc/unbound/interfaces.conf
+ fi
+ if [ ! -z ${BLUE_ADDRESS} ]; then
+ echo "interface: ${BLUE_ADDRESS}" >> /etc/unbound/interfaces.conf
+ fi
+ if [ ! -z ${ORANGE_ADDRESS} ]; then
+ echo "interface: ${ORANGE_ADDRESS}" >> /etc/unbound/interfaces.conf
+ fi
+ fi
+
+ # create unbound access.conf
+ if [ ${CONTROL_ACCESS_FILE} = 1 ]; then
+ echo -n > /etc/unbound/access.conf # Clear it
+ if [ ! -z ${GREEN_ADDRESS} ]; then
+ echo "access-control: $(cidr ${GREEN_ADDRESS} ${GREEN_NETMASK}) allow" >> /etc/unbound/access.conf
+ fi
+ if [ ! -z ${BLUE_ADDRESS} ]; then
+ echo "access-control: $(cidr ${BLUE_ADDRESS} ${BLUE_NETMASK}) allow" >> /etc/unbound/access.conf
+ fi
+ if [ ! -z ${ORANGE_ADDRESS} ]; then
+ echo "access-control: $(cidr ${ORANGE_ADDRESS} ${ORANGE_NETMASK}) allow" >> /etc/unbound/access.conf
+ fi
+ fi
+
+ # create unbound dnssec.conf
+ echo -n > /etc/unbound/dnssec.conf # Clear it
+ if [ ${ENABLE_DNSSEC} = 1 ]; then
+ echo " # dessec enabled per default" >> /etc/unbound/dnssec.conf
+ echo " # no necessary config options in this file" >> /etc/unbound/dnssec.conf
+ else
+ echo " # dnssec now disabled" >> /etc/unbound/dnssec.conf
+ echo " module-config: iterator" >> /etc/unbound/dnssec.conf
+ echo " val-permissive-mode: yes" >> /etc/unbound/dnssec.conf
+ fi
+
+ # create zone file for internal ipfire domain
+ unbound-zone
+
+ boot_mesg "Starting Unbound DNS proxy..."
+ unbound-anchor
+ loadproc /usr/sbin/unbound
+
+ # start dhcpd watcher daemon if DNS-Update (RFC2136) activated
+ eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings)
+ if [[ ${DNS_UPDATE_ENABLED} = on && ! -f ${WAPIDFILE} ]]; then
+ /etc/rc.d/init.d/unbound-dhcpd start
+ fi
+
+ # use setup configured DNS servers
+ if [ "${USE_CUSTOM_FORWARDS}" -eq 0 ]; then
+ unbound-control forward_add +i . ${NAMESERVERS} &> /dev/null
+ fi;
+
+ FORWADRS=$(unbound-control list_forwards |sed 's|. IN forward ||g'|sed 's|+i ||g')
+ if [ "${USE_CUSTOM_FORWARDS}" -eq 0 ]; then
+ boot_mesg "Using DNS server(s): ${FORWADRS}"
+ else
+ boot_mesg "Using custom DNS server(s): ${FORWADRS}"
+ fi
+ if [ ${ENABLE_DNSSEC} = 1 ]; then
+ boot_mesg "DNSSEC is enabled!"
+ else
+ boot_mesg "DNSSEC is disabled!"
+ fi
+ fi
+ ;;
+
+ stop)
+
+ if [[ -f ${PIDFILE} ]]; then
+ # stop dhcpd watcher daemon if activted
+ if [[ -f ${WAPIDFILE} ]]; then
+ /etc/rc.d/init.d/unbound-dhcpd stop
+ fi
+ # stop Unbound daemon
+ boot_mesg "Stopping Unbound DNS proxy..."
+ killproc -p "/var/run/unbound.pid" /usr/sbin/unbound
+ else
+ log_warning_msg "Unbound daemon is not running..."
+ fi
+ ;;
+
+ restart)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+
+ status)
+ statusproc /usr/sbin/unbound
+ ;;
+
+ *)
+ echo "Usage: $0 {start|stop|restart|status}"
+ exit 1
+ ;;
+esac
+
+# End $rc_base/init.d/unbound