unbound: check if red/iface exists before read it
[ipfire-2.x.git] / src / initscripts / system / unbound
CommitLineData
d0e5f71f
ML
1#!/bin/sh
2# Begin $rc_base/init.d/unbound
3
4# Description : Unbound DNS resolver boot script for IPfire
5# Author : Marcel Lorenz <marcel.lorenz@ipfire.org>
d0e5f71f
ML
6
7. /etc/sysconfig/rc
8. ${rc_functions}
9
b29c97b1
AF
10TEST_DOMAIN="ipfire.org"
11
12# This domain will never validate
13TEST_DOMAIN_FAIL="dnssec-failed.org"
14
7ebc0a16 15INSECURE_ZONES=
b8f5eda8 16USE_FORWARDERS=1
661ab153 17ENABLE_SAFE_SEARCH=off
d0e5f71f 18
36792be6
MT
19# Cache any local zones for 60 seconds
20LOCAL_TTL=60
21
b2f96a94
MT
22# EDNS buffer size
23EDNS_DEFAULT_BUFFER_SIZE=4096
24
b8f5eda8
MT
25# Load optional configuration
26[ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound
d0e5f71f 27
f75c279b
AF
28ip_address_revptr() {
29 local addr=${1}
30
31 local a1 a2 a3 a4
32 IFS=. read -r a1 a2 a3 a4 <<< ${addr}
33
34 echo "${a4}.${a3}.${a2}.${a1}.in-addr.arpa"
35}
36
b8f5eda8
MT
37read_name_servers() {
38 local i
39 for i in 1 2; do
40 echo "$(</var/ipfire/red/dns${i})"
682a6b2d 41 done 2>/dev/null | xargs echo
b8f5eda8
MT
42}
43
44config_header() {
45 echo "# This file is automatically generated and any changes"
46 echo "# will be overwritten. DO NOT EDIT!"
47 echo
48}
49
50update_forwarders() {
4cd82be0 51 if [ "${USE_FORWARDERS}" = "1" -a -e "/var/ipfire/red/iface" -a "$(</sys/class/net/$(</var/ipfire/red/iface)/carrier)" = "1" ]; then
b29c97b1
AF
52 local forwarders
53 local broken_forwarders
54
55 local ns
56 for ns in $(read_name_servers); do
57 test_name_server ${ns} &>/dev/null
58 case "$?" in
59 # Only use DNSSEC-validating or DNSSEC-aware name servers
60 0|2)
61 forwarders="${forwarders} ${ns}"
62 ;;
63 *)
64 broken_forwarders="${broken_forwarders} ${ns}"
65 ;;
66 esac
67 done
68
8f3034d0 69 # Determine EDNS buffer size
b2f96a94 70 local new_edns_buffer_size=${EDNS_DEFAULT_BUFFER_SIZE}
8f3034d0 71
b2f96a94
MT
72 for ns in ${forwarders}; do
73 local edns_buffer_size=$(ns_determine_edns_buffer_size ${ns})
74 if [ -n "${edns_buffer_size}" ]; then
75 if [ ${edns_buffer_size} -lt ${new_edns_buffer_size} ]; then
76 new_edns_buffer_size=${edns_buffer_size}
8f3034d0 77 fi
b2f96a94
MT
78 fi
79 done
80
81 if [ ${new_edns_buffer_size} -lt ${EDNS_DEFAULT_BUFFER_SIZE} ]; then
82 boot_mesg "EDNS buffer size reduced to ${new_edns_buffer_size}" ${WARNING}
83 echo_warning
8f3034d0
MT
84
85 unbound-control -q set_option edns-buffer-size: ${new_edns_buffer_size}
86 fi
87
b29c97b1
AF
88 # Show warning for any broken upstream name servers
89 if [ -n "${broken_forwarders}" ]; then
90 boot_mesg "Ignoring broken upstream name server(s): ${broken_forwarders:1}" ${WARNING}
91 echo_warning
92 fi
b8f5eda8 93
e432689a 94 if [ -n "${forwarders}" ]; then
b29c97b1
AF
95 boot_mesg "Configuring upstream name server(s): ${forwarders:1}" ${INFO}
96 echo_ok
b8f5eda8 97
e432689a
MT
98 # Make sure DNSSEC is activated
99 enable_dnssec
100
e24d6112 101 echo "${forwarders}" > /var/ipfire/red/dns
b29c97b1
AF
102 unbound-control -q forward ${forwarders}
103 return 0
e432689a
MT
104
105 # In case we have found no working forwarders
106 else
107 # Test if the recursor mode is available
108 if can_resolve_root +bufsize=${new_edns_buffer_size}; then
109 # Make sure DNSSEC is activated
110 enable_dnssec
111
112 boot_mesg "Falling back to recursor mode" ${WARNING}
113 echo_warning
114
115 # If not, we set DNSSEC in permissive mode and allow using all recursors
116 elif [ -n "${broken_forwarders}" ]; then
117 disable_dnssec
118
119 boot_mesg "DNSSEC has been set to permissive mode" ${FAILURE}
120 echo_failure
121
122 echo "${broken_forwarders}" > /var/ipfire/red/dns
123 unbound-control -q forward ${broken_forwarders}
124 return 0
125 fi
b29c97b1 126 fi
b8f5eda8 127 fi
b29c97b1
AF
128
129 # If forwarders cannot be used we run in recursor mode
e24d6112 130 echo "local recursor" > /var/ipfire/red/dns
b29c97b1 131 unbound-control -q forward off
b8f5eda8
MT
132}
133
f75c279b
AF
134own_hostname() {
135 local hostname=$(hostname -f)
0d7ca700 136 # 1.1.1.1 is reserved for unused green, skip this
f75c279b
AF
137 if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
138 unbound-control -q local_data "${hostname} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}"
139 fi
140
141 local address
142 for address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
143 [ -n "${address}" ] || continue
144 [ "${address}" = "1.1.1.1" ] && continue
145
146 address=$(ip_address_revptr ${address})
147 unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${hostname}"
148 done
149}
150
36792be6 151update_hosts() {
6874a576 152 local enabled address hostname domainname generateptr
36792be6 153
6874a576 154 while IFS="," read -r enabled address hostname domainname generateptr; do
36792be6
MT
155 [ "${enabled}" = "on" ] || continue
156
157 # Build FQDN
158 local fqdn="${hostname}.${domainname}"
159
160 unbound-control -q local_data "${fqdn} ${LOCAL_TTL} IN A ${address}"
f75c279b 161
868d2a1f
MT
162 # Skip reverse resolution if the address equals the GREEN address
163 [ "${address}" = "${GREEN_ADDRESS}" ] && continue
164
6874a576
PM
165 # Skip reverse resolution if user requested not to do so
166 [ "${generateptr}" = "off" ] && continue
167
f75c279b
AF
168 # Add RDNS
169 address=$(ip_address_revptr ${address})
170 unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${fqdn}"
36792be6
MT
171 done < /var/ipfire/main/hosts
172}
173
b8f5eda8
MT
174write_forward_conf() {
175 (
176 config_header
177
7ebc0a16 178 local insecure_zones="${INSECURE_ZONES}"
a6dcc5bb 179
1ececb67
MT
180 local enabled zone server servers remark disable_dnssec rest
181 while IFS="," read -r enabled zone servers remark disable_dnssec rest; do
b8f5eda8
MT
182 # Line must be enabled.
183 [ "${enabled}" = "on" ] || continue
184
a6dcc5bb
MT
185 # Zones that end with .local are commonly used for internal
186 # zones and therefore not signed
187 case "${zone}" in
188 *.local)
189 insecure_zones="${insecure_zones} ${zone}"
190 ;;
1ececb67
MT
191 *)
192 if [ "${disable_dnssec}" = "on" ]; then
193 insecure_zones="${insecure_zones} ${zone}"
194 fi
195 ;;
a6dcc5bb
MT
196 esac
197
c7e41255
MT
198 # Reverse-lookup zones must be stubs
199 case "${zone}" in
200 *.in-addr.arpa)
201 echo "stub-zone:"
9f099932 202 echo " name: ${zone}"
c9ae511e 203 for server in ${servers//|/ }; do
f33d2897
MT
204 if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
205 echo " stub-addr: ${server}"
206 else
207 echo " stub-host: ${server}"
208 fi
c9ae511e 209 done
c7e41255
MT
210 echo
211 echo "server:"
9f099932 212 echo " local-zone: \"${zone}\" transparent"
c7e41255
MT
213 echo
214 ;;
215 *)
216 echo "forward-zone:"
9f099932 217 echo " name: ${zone}"
c9ae511e 218 for server in ${servers//|/ }; do
f33d2897
MT
219 if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
220 echo " forward-addr: ${server}"
221 else
222 echo " forward-host: ${server}"
223 fi
c9ae511e 224 done
c7e41255
MT
225 echo
226 ;;
227 esac
b8f5eda8 228 done < /var/ipfire/dnsforward/config
a6dcc5bb
MT
229
230 if [ -n "${insecure_zones}" ]; then
231 echo "server:"
232
233 for zone in ${insecure_zones}; do
234 echo " domain-insecure: ${zone}"
235 done
236 fi
b8f5eda8
MT
237 ) > /etc/unbound/forward.conf
238}
239
b658a451
MT
240write_tuning_conf() {
241 # https://www.unbound.net/documentation/howto_optimise.html
242
243 # Determine number of online processors
244 local processors=$(getconf _NPROCESSORS_ONLN)
245
246 # Determine number of slabs
247 local slabs=1
248 while [ ${slabs} -lt ${processors} ]; do
249 slabs=$(( ${slabs} * 2 ))
250 done
251
252 # Determine amount of system memory
253 local mem=$(get_memory_amount)
254
255 # In the worst case scenario, unbound can use double the
256 # amount of memory allocated to a cache due to malloc overhead
257
4a0d69ca
MT
258 # Even larger systems with more than 8GB of RAM
259 if [ ${mem} -ge 8192 ]; then
260 mem=1024
261
262 # Extra large systems with more than 4GB of RAM
263 elif [ ${mem} -ge 4096 ]; then
264 mem=512
265
b658a451 266 # Large systems with more than 2GB of RAM
4a0d69ca 267 elif [ ${mem} -ge 2048 ]; then
128db1a3 268 mem=256
b658a451 269
4a0d69ca
MT
270 # Medium systems with more than 1GB of RAM
271 elif [ ${mem} -ge 1024 ]; then
272 mem=128
273
b658a451
MT
274 # Small systems with less than 256MB of RAM
275 elif [ ${mem} -le 256 ]; then
128db1a3 276 mem=16
b658a451
MT
277
278 # Everything else
279 else
128db1a3 280 mem=64
b658a451
MT
281 fi
282
283 (
284 config_header
285
286 # We run one thread per processor
287 echo "num-threads: ${processors}"
5012e53c 288 echo "so-reuseport: yes"
b658a451
MT
289
290 # Adjust number of slabs
291 echo "infra-cache-slabs: ${slabs}"
292 echo "key-cache-slabs: ${slabs}"
293 echo "msg-cache-slabs: ${slabs}"
294 echo "rrset-cache-slabs: ${slabs}"
295
296 # Slice up the cache
297 echo "rrset-cache-size: $(( ${mem} / 2 ))m"
298 echo "msg-cache-size: $(( ${mem} / 4 ))m"
299 echo "key-cache-size: $(( ${mem} / 4 ))m"
0a7dca2c
MT
300
301 # Increase parallel queries
302 echo "outgoing-range: 8192"
303 echo "num-queries-per-thread: 4096"
c20b2009
MT
304
305 # Use larger send/receive buffers
306 echo "so-sndbuf: 4m"
307 echo "so-rcvbuf: 4m"
b658a451
MT
308 ) > /etc/unbound/tuning.conf
309}
310
311get_memory_amount() {
312 local key val unit
313
314 while read -r key val unit; do
315 case "${key}" in
316 MemTotal:*)
317 # Convert to MB
318 echo "$(( ${val} / 1024 ))"
319 break
320 ;;
321 esac
322 done < /proc/meminfo
323}
b8f5eda8 324
b29c97b1
AF
325test_name_server() {
326 local ns=${1}
8f3034d0 327 local args
b29c97b1
AF
328
329 # Return codes:
330 # 0 DNSSEC validating
331 # 1 Error: unreachable, etc.
332 # 2 DNSSEC aware
333 # 3 NOT DNSSEC-aware
334
335 # Exit when the server is not reachable
336 ns_is_online ${ns} || return 1
337
8f3034d0
MT
338 # Determine the maximum edns buffer size that works
339 local edns_buffer_size=$(ns_determine_edns_buffer_size ${ns})
340 if [ -n "${edns_buffer_size}" ]; then
341 args="${args} +bufsize=${edns_buffer_size}"
342 fi
343
b29c97b1
AF
344 local errors
345 for rr in DNSKEY DS RRSIG; do
8f3034d0 346 if ! ns_forwards_${rr} ${ns} ${args}; then
b29c97b1
AF
347 errors="${errors} ${rr}"
348 fi
349 done
350
351 if [ -n "${errors}" ]; then
352 echo >&2 "Unable to retrieve the following resource records from ${ns}: ${errors:1}"
353 return 3
354 fi
355
8f3034d0 356 if ns_is_validating ${ns} ${args}; then
2aa15dee
MT
357 # Return 0 if validating
358 return 0
359 else
360 # Is DNSSEC-aware
361 return 2
362 fi
b29c97b1
AF
363}
364
365# Sends an A query to the nameserver w/o DNSSEC
366ns_is_online() {
367 local ns=${1}
8f3034d0 368 shift
b29c97b1 369
8f3034d0 370 dig @${ns} +nodnssec A ${TEST_DOMAIN} $@ >/dev/null
b29c97b1
AF
371}
372
373# Resolving ${TEST_DOMAIN_FAIL} will fail if the nameserver is validating
374ns_is_validating() {
375 local ns=${1}
8f3034d0 376 shift
b29c97b1 377
438da7e0
PM
378 if ! dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL; then
379 return 1
380 else
381 # Determine if NS replies with "ad" data flag if DNSSEC enabled
382 dig @${ns} +dnssec SOA ${TEST_DOMAIN} $@ | awk -F: '/\;\;\ flags\:/ { s=1; if (/\ ad/) s=0; exit s }'
383 fi
b29c97b1
AF
384}
385
386# Checks if we can retrieve the DNSKEY for this domain.
387# dig will print the SOA if nothing was found
388ns_forwards_DNSKEY() {
389 local ns=${1}
8f3034d0 390 shift
b29c97b1 391
8f3034d0 392 dig @${ns} DNSKEY ${TEST_DOMAIN} $@ | grep -qv SOA
b29c97b1
AF
393}
394
395ns_forwards_DS() {
396 local ns=${1}
8f3034d0 397 shift
b29c97b1 398
8f3034d0 399 dig @${ns} DS ${TEST_DOMAIN} $@ | grep -qv SOA
b29c97b1
AF
400}
401
402ns_forwards_RRSIG() {
403 local ns=${1}
8f3034d0 404 shift
b29c97b1 405
8f3034d0 406 dig @${ns} +dnssec A ${TEST_DOMAIN} $@ | grep -q RRSIG
b29c97b1
AF
407}
408
409ns_supports_tcp() {
410 local ns=${1}
8f3034d0
MT
411 shift
412
413 dig @${ns} +tcp A ${TEST_DOMAIN} $@ >/dev/null || return 1
414}
415
416ns_determine_edns_buffer_size() {
417 local ns=${1}
418 shift
419
420 local b
421 for b in 4096 2048 1500 1480 1464 1400 1280 512; do
422 if dig @${ns} +dnssec +bufsize=${b} A ${TEST_DOMAIN} $@ >/dev/null; then
423 echo "${b}"
424 return 0
425 fi
426 done
b29c97b1 427
8f3034d0 428 return 1
b29c97b1
AF
429}
430
e432689a
MT
431get_root_nameservers() {
432 while read -r hostname ttl record address; do
433 # Searching for A records
434 [ "${record}" = "A" ] || continue
435
436 echo "${address}"
437 done < /etc/unbound/root.hints
438}
439
440can_resolve_root() {
441 local ns
442 for ns in $(get_root_nameservers); do
443 if dig @${ns} +dnssec SOA . $@ >/dev/null; then
444 return 0
445 fi
446 done
447
448 # none of the servers was reachable
449 return 1
450}
451
452enable_dnssec() {
453 local status=$(unbound-control get_option val-permissive-mode)
454
183b23b5
MT
455 # Log DNSSEC status
456 echo "on" > /var/ipfire/red/dnssec-status
457
094a27c8
MT
458 # Don't do anything if DNSSEC is already activated
459 [ "${status}" = "no" ] && return 0
460
e432689a
MT
461 # Activate DNSSEC and flush cache with any stale and unvalidated data
462 unbound-control -q set_option val-permissive-mode: no
463 unbound-control -q flush_zone .
464}
465
466disable_dnssec() {
183b23b5
MT
467 # Log DNSSEC status
468 echo "off" > /var/ipfire/red/dnssec-status
469
e432689a
MT
470 unbound-control -q set_option val-permissive-mode: yes
471}
472
68fac98a
AF
473fix_time_if_dns_fail() {
474 # If DNS still not work try to init ntp with
475 # hardcoded ntp.ipfire.org (81.3.27.46)
4cd82be0 476 if [ -e "/var/ipfire/red/iface" -a "$(</sys/class/net/$(</var/ipfire/red/iface)/carrier)" = "1" ]; then
68fac98a
AF
477 host 0.ipfire.pool.ntp.org > /dev/null 2>&1
478 if [ "${?}" != "0" ]; then
3eeff87f 479 boot_mesg "DNS still not functioning... Trying to sync time with ntp.ipfire.org (81.3.27.46)..."
68fac98a
AF
480 loadproc /usr/local/bin/settime 81.3.27.46
481 fi
482 fi
483}
484
043e7aa5
MT
485resolve() {
486 local hostname="${1}"
487
488 local found=0
489 local ns
490 for ns in $(read_name_servers); do
491 local answer
492 for answer in $(dig +short "@${ns}" A "${hostname}"); do
493 found=1
494
495 # Filter out non-IP addresses
496 if [[ ! "${answer}" =~ \.$ ]]; then
497 echo "${answer}"
498 fi
499 done
500
501 # End loop when we have got something
502 [ ${found} -eq 1 ] && break
503 done
504}
505
661ab153
MT
506# Sets up Safe Search for various search engines
507write_safe_search_conf() {
508 local google_tlds=(
509 google.ad
510 google.ae
511 google.al
512 google.am
513 google.as
514 google.at
515 google.az
516 google.ba
517 google.be
518 google.bf
519 google.bg
520 google.bi
521 google.bj
522 google.bs
523 google.bt
524 google.by
525 google.ca
526 google.cat
527 google.cd
528 google.cf
529 google.cg
530 google.ch
531 google.ci
532 google.cl
533 google.cm
534 google.cn
535 google.co.ao
536 google.co.bw
537 google.co.ck
538 google.co.cr
539 google.co.id
540 google.co.il
541 google.co.in
542 google.co.jp
543 google.co.ke
544 google.co.kr
545 google.co.ls
546 google.com
547 google.co.ma
548 google.com.af
549 google.com.ag
550 google.com.ai
551 google.com.ar
552 google.com.au
553 google.com.bd
554 google.com.bh
555 google.com.bn
556 google.com.bo
557 google.com.br
558 google.com.bz
559 google.com.co
560 google.com.cu
561 google.com.cy
562 google.com.do
563 google.com.ec
564 google.com.eg
565 google.com.et
566 google.com.fj
567 google.com.gh
568 google.com.gi
569 google.com.gt
570 google.com.hk
571 google.com.jm
572 google.com.kh
573 google.com.kw
574 google.com.lb
575 google.com.ly
576 google.com.mm
577 google.com.mt
578 google.com.mx
579 google.com.my
580 google.com.na
581 google.com.nf
582 google.com.ng
583 google.com.ni
584 google.com.np
585 google.com.om
586 google.com.pa
587 google.com.pe
588 google.com.pg
589 google.com.ph
590 google.com.pk
591 google.com.pr
592 google.com.py
593 google.com.qa
594 google.com.sa
595 google.com.sb
596 google.com.sg
597 google.com.sl
598 google.com.sv
599 google.com.tj
600 google.com.tr
601 google.com.tw
602 google.com.ua
603 google.com.uy
604 google.com.vc
605 google.com.vn
606 google.co.mz
607 google.co.nz
608 google.co.th
609 google.co.tz
610 google.co.ug
611 google.co.uk
612 google.co.uz
613 google.co.ve
614 google.co.vi
615 google.co.za
616 google.co.zm
617 google.co.zw
618 google.cv
619 google.cz
620 google.de
621 google.dj
622 google.dk
623 google.dm
624 google.dz
625 google.ee
626 google.es
627 google.fi
628 google.fm
629 google.fr
630 google.ga
631 google.ge
632 google.gg
633 google.gl
634 google.gm
635 google.gp
636 google.gr
637 google.gy
638 google.hn
639 google.hr
640 google.ht
641 google.hu
642 google.ie
643 google.im
644 google.iq
645 google.is
646 google.it
647 google.je
648 google.jo
649 google.kg
650 google.ki
651 google.kz
652 google.la
653 google.li
654 google.lk
655 google.lt
656 google.lu
657 google.lv
658 google.md
659 google.me
660 google.mg
661 google.mk
662 google.ml
663 google.mn
664 google.ms
665 google.mu
666 google.mv
667 google.mw
668 google.ne
669 google.nl
670 google.no
671 google.nr
672 google.nu
673 google.pl
674 google.pn
675 google.ps
676 google.pt
677 google.ro
678 google.rs
679 google.ru
680 google.rw
681 google.sc
682 google.se
683 google.sh
684 google.si
685 google.sk
686 google.sm
687 google.sn
688 google.so
689 google.sr
690 google.st
691 google.td
692 google.tg
693 google.tk
694 google.tl
695 google.tm
696 google.tn
697 google.to
698 google.tt
699 google.vg
700 google.vu
701 google.ws
702 )
703
704 (
705 # Nothing to do if safe search is not enabled
706 if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
707 exit 0
708 fi
709
710 # This all belongs into the server: section
711 echo "server:"
712
713 # Bing
e263c29c 714 echo " local-zone: bing.com transparent"
043e7aa5
MT
715 for address in $(resolve "strict.bing.com"); do
716 echo " local-data: \"www.bing.com ${LOCAL_TTL} IN A ${address}\""
717 done
661ab153
MT
718
719 # DuckDuckGo
e263c29c 720 echo " local-zone: duckduckgo.com typetransparent"
043e7aa5
MT
721 for address in $(resolve "safe.duckduckgo.com"); do
722 echo " local-data: \"duckduckgo.com ${LOCAL_TTL} IN A ${address}\""
723 done
661ab153
MT
724
725 # Google
043e7aa5 726 addresses="$(resolve "forcesafesearch.google.com")"
661ab153
MT
727 local domain
728 for domain in ${google_tlds[@]}; do
729 echo " local-zone: ${domain} transparent"
043e7aa5
MT
730 for address in ${addresses}; do
731 echo " local-data: \"www.${domain} ${LOCAL_TTL} IN A ${address}\""
732 done
661ab153
MT
733 done
734
735 # Yandex
91056ade 736 for domain in yandex.com yandex.ru; do
e263c29c 737 echo " local-zone: ${domain} typetransparent"
91056ade
MT
738 for address in $(resolve "familysearch.${domain}"); do
739 echo " local-data: \"${domain} ${LOCAL_TTL} IN A ${address}\""
740 done
741 done
f617fd91
MT
742
743 # YouTube
744 echo " local-zone: youtube.com transparent"
043e7aa5
MT
745 for address in $(resolve "restrictmoderate.youtube.com"); do
746 echo " local-data: \"www.youtube.com ${LOCAL_TTL} IN A ${address}\""
747 done
661ab153
MT
748 ) > /etc/unbound/safe-search.conf
749}
750
d0e5f71f
ML
751case "$1" in
752 start)
80bc6022
MT
753 # Print a nicer messagen when unbound is already running
754 if pidofproc -s unbound; then
755 statusproc /usr/sbin/unbound
756 exit 0
757 fi
758
b8f5eda8 759 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
d0e5f71f 760
b8f5eda8 761 # Update configuration files
b658a451 762 write_tuning_conf
b8f5eda8 763 write_forward_conf
661ab153 764 write_safe_search_conf
b8f5eda8
MT
765
766 boot_mesg "Starting Unbound DNS Proxy..."
767 loadproc /usr/sbin/unbound || exit $?
768
f75c279b
AF
769 # Make own hostname resolveable
770 own_hostname
771
b8f5eda8
MT
772 # Update any known forwarding name servers
773 update_forwarders
36792be6
MT
774
775 # Update hosts
776 update_hosts
05478072 777
68fac98a 778 fix_time_if_dns_fail
b8f5eda8 779 ;;
d0e5f71f
ML
780
781 stop)
b8f5eda8
MT
782 boot_mesg "Stopping Unbound DNS Proxy..."
783 killproc /usr/sbin/unbound
784 ;;
d0e5f71f
ML
785
786 restart)
b8f5eda8
MT
787 $0 stop
788 sleep 1
789 $0 start
790 ;;
d0e5f71f
ML
791
792 status)
b8f5eda8 793 statusproc /usr/sbin/unbound
b8f5eda8
MT
794 ;;
795
796 update-forwarders)
cd812106
MT
797 # Do not try updating forwarders when unbound is not running
798 if ! pgrep unbound &>/dev/null; then
799 exit 0
800 fi
801
b8f5eda8 802 update_forwarders
68fac98a 803
391e3390
AF
804 unbound-control flush_negative > /dev/null
805 unbound-control flush_bogus > /dev/null
806
68fac98a 807 fix_time_if_dns_fail
b8f5eda8 808 ;;
d0e5f71f 809
b29c97b1
AF
810 test-name-server)
811 ns=${2}
812
813 test_name_server ${ns}
814 ret=${?}
815
816 case "${ret}" in
817 0)
818 echo "${ns} is validating"
819 ;;
820 2)
821 echo "${ns} is DNSSEC-aware"
822 ;;
823 3)
824 echo "${ns} is NOT DNSSEC-aware"
825 ;;
826 *)
827 echo "Test failed for an unknown reason"
8f3034d0 828 exit ${ret}
b29c97b1
AF
829 ;;
830 esac
831
832 if ns_supports_tcp ${ns}; then
833 echo "${ns} supports TCP fallback"
834 else
835 echo "${ns} does not support TCP fallback"
836 fi
837
8f3034d0
MT
838 edns_buffer_size=$(ns_determine_edns_buffer_size ${ns})
839 if [ -n "${edns_buffer_size}" ]; then
840 echo "EDNS buffer size for ${ns}: ${edns_buffer_size}"
841 fi
842
b29c97b1
AF
843 exit ${ret}
844 ;;
845
043e7aa5
MT
846 resolve)
847 resolve "${2}"
848 ;;
849
d0e5f71f 850 *)
043e7aa5 851 echo "Usage: $0 {start|stop|restart|status|update-forwarders|test-name-server|resolve}"
b8f5eda8
MT
852 exit 1
853 ;;
d0e5f71f
ML
854esac
855
856# End $rc_base/init.d/unbound