From 4e2d3325afaf413e707e5d4db7172c7f379b59ce Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 7 Jan 2020 13:06:09 +0000 Subject: [PATCH] unbound: Drop live checks Those checks have caused us a lot of trouble and are now being dropped. Users must make sure to choose servers that support DNSSEC or enable any of the tunneling mechanisms to be able to reach them. Fixes: #12239 Signed-off-by: Michael Tremer --- .../red.up/05-update-dns-forwarders | 13 +- src/initscripts/system/unbound | 233 +----------------- 2 files changed, 5 insertions(+), 241 deletions(-) diff --git a/src/initscripts/networking/red.up/05-update-dns-forwarders b/src/initscripts/networking/red.up/05-update-dns-forwarders index 4ff2e58ef7..cdae7781ff 100644 --- a/src/initscripts/networking/red.up/05-update-dns-forwarders +++ b/src/initscripts/networking/red.up/05-update-dns-forwarders @@ -1,13 +1,4 @@ #!/bin/bash -# If network has not fully been brought up here, we start unbound -# so that all following scripts can rely on DNS resolution - -pidof unbound > /dev/null -if [ "${?}" = "0" ]; then - # unbound is run so update the forwarders - /etc/init.d/unbound update-forwarders -else - # Start unbound if it is not running, yet - /etc/init.d/unbound start -fi +# Update DNS forwarders +exec /etc/init.d/unbound update-forwarders diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound index 70cb6edd32..138b962356 100644 --- a/src/initscripts/system/unbound +++ b/src/initscripts/system/unbound @@ -62,79 +62,6 @@ config_header() { echo } -update_forwarders() { - check_red_has_carrier_and_ip - if [ "${?}" = "1" ]; then - local forwarders - local broken_forwarders - - local ns - for ns in $(read_name_servers); do - test_name_server ${ns} &>/dev/null - case "$?" in - # Only use DNSSEC-validating or DNSSEC-aware name servers - 0|2) - forwarders="${forwarders} ${ns}" - ;; - *) - broken_forwarders="${broken_forwarders} ${ns}" - ;; - esac - done - - # Show warning for any broken upstream name servers - if [ -n "${broken_forwarders}" ]; then - boot_mesg "Ignoring broken upstream name server(s): ${broken_forwarders:1}" ${WARNING} - echo_warning - fi - - if [ -n "${forwarders}" ]; then - boot_mesg "Configuring upstream name server(s): ${forwarders:1}" ${INFO} - echo_ok - - # Make sure DNSSEC is activated - enable_dnssec - - echo "${forwarders}" > /var/ipfire/red/dns - unbound-control -q forward ${forwarders} - return 0 - - # In case we have found no working forwarders - else - # Test if the recursor mode is available - if can_resolve_root; then - # Make sure DNSSEC is activated - enable_dnssec - - boot_mesg "Falling back to recursor mode" ${WARNING} - echo_warning - - # If not, we set DNSSEC in permissive mode and allow using all recursors - elif [ -n "${broken_forwarders}" ]; then - disable_dnssec - - boot_mesg "DNSSEC has been set to permissive mode" ${FAILURE} - echo_failure - - echo "${broken_forwarders}" > /var/ipfire/red/dns - unbound-control -q forward ${broken_forwarders} - return 0 - fi - fi - fi - - # If forwarders cannot be used we run in recursor mode - echo "local recursor" > /var/ipfire/red/dns - unbound-control -q forward off -} - -remove_forwarders() { - enable_dnssec - echo "local recursor" > /var/ipfire/red/dns - unbound-control -q forward off - -} - own_hostname() { local hostname=$(hostname -f) # 1.1.1.1 is reserved for unused green, skip this @@ -347,138 +274,6 @@ get_memory_amount() { done < /proc/meminfo } -test_name_server() { - local ns=${1} - local args - - # Return codes: - # 0 DNSSEC validating - # 1 Error: unreachable, etc. - # 2 DNSSEC aware - # 3 NOT DNSSEC-aware - - # Exit when the server is not reachable - ns_is_online ${ns} || return 1 - - local errors - for rr in DNSKEY DS RRSIG; do - if ! ns_forwards_${rr} ${ns} ${args}; then - errors="${errors} ${rr}" - fi - done - - if [ -n "${errors}" ]; then - echo >&2 "Unable to retrieve the following resource records from ${ns}: ${errors:1}" - return 3 - fi - - if ns_is_validating ${ns} ${args}; then - # Return 0 if validating - return 0 - else - # Is DNSSEC-aware - return 2 - fi -} - -# Sends an A query to the nameserver w/o DNSSEC -ns_is_online() { - local ns=${1} - shift - - dig "${DIG_ARGS[@]}" @${ns} +nodnssec A ${TEST_DOMAIN} $@ >/dev/null -} - -# Resolving ${TEST_DOMAIN_FAIL} will fail if the nameserver is validating -ns_is_validating() { - local ns=${1} - shift - - if ! dig "${DIG_ARGS[@]}" @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL; then - return 1 - else - # Determine if NS replies with "ad" data flag if DNSSEC enabled - dig "${DIG_ARGS[@]}" @${ns} +dnssec SOA ${TEST_DOMAIN} $@ | awk -F: '/\;\;\ flags\:/ { s=1; if (/\ ad/) s=0; exit s }' - fi -} - -# Checks if we can retrieve the DNSKEY for this domain. -# dig will print the SOA if nothing was found -ns_forwards_DNSKEY() { - local ns=${1} - shift - - dig "${DIG_ARGS[@]}" @${ns} DNSKEY ${TEST_DOMAIN} $@ | grep -qv SOA -} - -ns_forwards_DS() { - local ns=${1} - shift - - dig "${DIG_ARGS[@]}" @${ns} DS ${TEST_DOMAIN} $@ | grep -qv SOA -} - -ns_forwards_RRSIG() { - local ns=${1} - shift - - dig "${DIG_ARGS[@]}" @${ns} +dnssec A ${TEST_DOMAIN} $@ | grep -q RRSIG -} - -ns_supports_tcp() { - local ns=${1} - shift - - # If TCP is forced we know by now if the server responds to it - if [ "${PROTO}" = "TCP" ]; then - return 0 - fi - - dig "${DIG_ARGS[@]}" @${ns} +tcp A ${TEST_DOMAIN} $@ >/dev/null || return 1 -} - -get_root_nameservers() { - while read -r hostname ttl record address; do - # Searching for A records - [ "${record}" = "A" ] || continue - - echo "${address}" - done < /etc/unbound/root.hints -} - -can_resolve_root() { - local ns - for ns in $(get_root_nameservers); do - if dig "${DIG_ARGS[@]}" @${ns} +dnssec SOA . $@ >/dev/null; then - return 0 - fi - done - - # none of the servers was reachable - return 1 -} - -enable_dnssec() { - local status=$(unbound-control get_option val-permissive-mode) - - # Log DNSSEC status - echo "on" > /var/ipfire/red/dnssec-status - - # Don't do anything if DNSSEC is already activated - [ "${status}" = "no" ] && return 0 - - # Activate DNSSEC and flush cache with any stale and unvalidated data - unbound-control -q set_option val-permissive-mode: no - unbound-control -q flush_zone . -} - -disable_dnssec() { - # Log DNSSEC status - echo "off" > /var/ipfire/red/dnssec-status - - unbound-control -q set_option val-permissive-mode: yes -} - fix_time_if_dns_fail() { # If DNS still not work try to init ntp with # hardcoded ntp.ipfire.org (81.3.27.46) @@ -786,9 +581,6 @@ case "$1" in # Make own hostname resolveable own_hostname - # Update any known forwarding name servers - update_forwarders - # Install Safe Search rules when the system is already online if [ -e "/var/ipfire/red/active" ]; then update_safe_search @@ -816,32 +608,13 @@ case "$1" in ;; update-forwarders) - # Do not try updating forwarders when unbound is not running - if ! pgrep unbound &>/dev/null; then - exit 0 - fi - - update_forwarders - - unbound-control flush_negative > /dev/null - unbound-control flush_bogus > /dev/null - - fix_time_if_dns_fail + : # XXX must set ISP name servers if necessary ;; remove-forwarders) - # Do not try updating forwarders when unbound is not running - if ! pgrep unbound &>/dev/null; then - exit 0 - fi - - remove_forwarders - - unbound-control flush_negative > /dev/null - unbound-control flush_bogus > /dev/null + : # XXX must remove ISP name servers ;; - resolve) resolve "${2}" ;; @@ -851,7 +624,7 @@ case "$1" in ;; *) - echo "Usage: $0 {start|stop|restart|status|update-forwarders|remove-forwarders|resolve|update-safe-search}" + echo "Usage: $0 {start|stop|restart|status|resolve|update-forwarders|remove-forwarders|update-safe-search}" exit 1 ;; esac -- 2.39.5