unbound: Add Safe Search
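#!/bin/sh
# Begin $rc_base/init.d/unbound

# Description : Unbound DNS resolver boot script for IPfire
# Author      : Marcel Lorenz <marcel.lorenz@ipfire.org>
#
# NOTE(review): the shebang is /bin/sh, but the functions in this file use
# here-strings, [[ =~ ]], arrays, &> and ${var//}; the script only works
# where /bin/sh is bash - confirm for the target system.

. /etc/sysconfig/rc
. "${rc_functions}"

# Domain that is queried by the name server tests
TEST_DOMAIN="ipfire.org"

# This domain will never validate
TEST_DOMAIN_FAIL="dnssec-failed.org"

# Space-separated zones that are written as "domain-insecure"
INSECURE_ZONES=
# "1" makes update_forwarders try the upstream name servers
USE_FORWARDERS=1
# "on" makes write_safe_search_conf emit its redirects
ENABLE_SAFE_SEARCH=off

# Cache any local zones for 60 seconds
LOCAL_TTL=60

# EDNS buffer size
EDNS_DEFAULT_BUFFER_SIZE=4096

# Load optional configuration. The file is sourced, so whatever it contains
# runs with the privileges of this script; it must only be writable by the
# administrator.
if [ -e "/etc/sysconfig/unbound" ]; then
	. /etc/sysconfig/unbound
fi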
d0e5f71f 27
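ip_address_revptr() {
	# Prints the in-addr.arpa name for the IPv4 address in $1.
	# Returns 1 and prints nothing when $1 is not a dotted quad, so that
	# callers never hand a malformed owner name to unbound-control.
	local addr="${1}"

	local a1 a2 a3 a4 rest
	IFS=. read -r a1 a2 a3 a4 rest <<< "${addr}"

	# More than four fields is not an IPv4 address
	[ -z "${rest}" ] || return 1

	local octet
	for octet in "${a1}" "${a2}" "${a3}" "${a4}"; do
		case "${octet}" in
			# empty, non-numeric or longer than three digits
			""|*[!0-9]*|????*)
				return 1
				;;
		esac
		[ "${octet}" -le 255 ] || return 1
	done

	echo "${a4}.${a3}.${a2}.${a1}.in-addr.arpa"
}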
36
read_name_servers() {
	# Prints the contents of /var/ipfire/red/dns1 and dns2 on one line,
	# separated by spaces. A missing file contributes nothing because the
	# read error is discarded and xargs drops the empty line.
	local index content
	for index in 1 2; do
		content="$(</var/ipfire/red/dns${index})"
		echo "${content}"
	done 2>/dev/null | xargs echo
}
43
config_header() {
	# Banner for generated configuration files: two comment lines and
	# one empty line.
	printf '%s\n' \
		"# This file is automatically generated and any changes" \
		"# will be overwritten. DO NOT EDIT!" \
		""
}
49
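update_forwarders() {
	# Chooses between forwarding and recursor mode and tells the running
	# Unbound about it through unbound-control.
	#
	# With USE_FORWARDERS=1 and an active RED connection, every name server
	# from read_name_servers is tested. Servers that test_name_server rates
	# as validating (0) or DNSSEC-aware (2) become forwarders; all others
	# are recorded as broken. The chosen mode is written to
	# /var/ipfire/red/dns.
	if [ "${USE_FORWARDERS}" = "1" ] && [ -e "/var/ipfire/red/active" ]; then
		local forwarders
		local broken_forwarders

		local ns
		# Word splitting is intended: one name server per word
		for ns in $(read_name_servers); do
			test_name_server "${ns}" &>/dev/null
			case "$?" in
				# Only use DNSSEC-validating or DNSSEC-aware name servers
				0|2)
					forwarders="${forwarders} ${ns}"
					;;
				*)
					broken_forwarders="${broken_forwarders} ${ns}"
					;;
			esac
		done

		# Determine EDNS buffer size: the smallest size that any of the
		# accepted forwarders needs
		local new_edns_buffer_size="${EDNS_DEFAULT_BUFFER_SIZE}"
		local edns_buffer_size

		for ns in ${forwarders}; do
			edns_buffer_size="$(ns_determine_edns_buffer_size "${ns}")"
			if [ -n "${edns_buffer_size}" ]; then
				if [ "${edns_buffer_size}" -lt "${new_edns_buffer_size}" ]; then
					new_edns_buffer_size="${edns_buffer_size}"
				fi
			fi
		done

		if [ "${new_edns_buffer_size}" -lt "${EDNS_DEFAULT_BUFFER_SIZE}" ]; then
			boot_mesg "EDNS buffer size reduced to ${new_edns_buffer_size}" ${WARNING}
			echo_warning

			unbound-control -q set_option edns-buffer-size: "${new_edns_buffer_size}"
		fi

		# Show warning for any broken upstream name servers
		if [ -n "${broken_forwarders}" ]; then
			boot_mesg "Ignoring broken upstream name server(s): ${broken_forwarders:1}" ${WARNING}
			echo_warning
		fi

		if [ -n "${forwarders}" ]; then
			boot_mesg "Configuring upstream name server(s): ${forwarders:1}" ${INFO}
			echo_ok

			# Make sure DNSSEC is activated
			enable_dnssec

			echo "${forwarders}" > /var/ipfire/red/dns
			# Word splitting is intended: one argument per forwarder
			unbound-control -q forward ${forwarders}
			return 0

		# In case we have found no working forwarders
		else
			# Test if the recursor mode is available
			if can_resolve_root "+bufsize=${new_edns_buffer_size}"; then
				# Make sure DNSSEC is activated
				enable_dnssec

				boot_mesg "Falling back to recursor mode" ${WARNING}
				echo_warning

			# If not, we set DNSSEC in permissive mode and allow using all recursors
			#
			# NOTE(review): this branch fails open. When no forwarder passes
			# the DNSSEC tests and no root server answers, validation is
			# switched to permissive mode and the servers that failed the
			# tests are used anyway. The only traces are the boot message
			# and "off" in /var/ipfire/red/dnssec-status, so that file is
			# worth monitoring.
			elif [ -n "${broken_forwarders}" ]; then
				disable_dnssec

				boot_mesg "DNSSEC has been set to permissive mode" ${FAILURE}
				echo_failure

				echo "${broken_forwarders}" > /var/ipfire/red/dns
				unbound-control -q forward ${broken_forwarders}
				return 0
			fi
		fi
	fi

	# If forwarders cannot be used we run in recursor mode
	echo "local recursor" > /var/ipfire/red/dns
	unbound-control -q forward off
}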
133
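own_hostname() {
	# Publishes this machine's FQDN in Unbound's local data: an A record
	# for the GREEN address and PTR records for the GREEN, BLUE and ORANGE
	# addresses.
	local hostname
	hostname="$(hostname -f)"

	# Without a name there is nothing sensible to publish
	[ -n "${hostname}" ] || return 0

	# 1.1.1.1 is reserved for unused green, skip this
	if [ -n "${GREEN_ADDRESS}" ] && [ "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
		unbound-control -q local_data "${hostname} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}"
	fi

	local address reverse
	for address in "${GREEN_ADDRESS}" "${BLUE_ADDRESS}" "${ORANGE_ADDRESS}"; do
		[ -n "${address}" ] || continue
		[ "${address}" = "1.1.1.1" ] && continue

		# Skip addresses that cannot be turned into a reverse name
		reverse="$(ip_address_revptr "${address}")" || continue
		[ -n "${reverse}" ] || continue

		unbound-control -q local_data "${reverse} ${LOCAL_TTL} IN PTR ${hostname}"
	done
}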
150
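update_hosts() {
	# Loads the enabled entries of /var/ipfire/main/hosts into Unbound's
	# local data. Each line is "enabled,address,hostname,domainname,generateptr".
	local enabled address hostname domainname generateptr
	local fqdn reverse

	[ -r /var/ipfire/main/hosts ] || return 0

	while IFS="," read -r enabled address hostname domainname generateptr; do
		[ "${enabled}" = "on" ] || continue

		# Build FQDN
		fqdn="${hostname}.${domainname}"

		unbound-control -q local_data "${fqdn} ${LOCAL_TTL} IN A ${address}"

		# Skip reverse resolution if the address equals the GREEN address
		[ "${address}" = "${GREEN_ADDRESS}" ] && continue

		# Skip reverse resolution if user requested not to do so
		[ "${generateptr}" = "off" ] && continue

		# Add RDNS. The address comes from the file, so it is passed
		# quoted and entries without a usable reverse name are skipped.
		reverse="$(ip_address_revptr "${address}")" || continue
		[ -n "${reverse}" ] || continue

		unbound-control -q local_data "${reverse} ${LOCAL_TTL} IN PTR ${fqdn}"
	done < /var/ipfire/main/hosts
}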
173
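# Prints one "<kind>-addr:" line per IPv4 address and one "<kind>-host:"
# line per host name in the "|"-separated list $2 (kind is "stub" or "forward").
_forward_conf_servers() {
	local kind="${1}"
	local servers="${2}"

	# Split on "|" and blanks without exposing the values to globbing
	local -a list=()
	IFS='| ' read -r -a list <<< "${servers}"

	local server
	for server in "${list[@]}"; do
		case "${server}" in
			# Only characters of addresses and host names may reach the file
			""|*[!A-Za-z0-9._:-]*)
				echo >&2 "Skipping invalid name server: ${server}"
				continue
				;;
		esac

		if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
			echo "	${kind}-addr: ${server}"
		else
			echo "	${kind}-host: ${server}"
		fi
	done
}

write_forward_conf() {
	# Generates /etc/unbound/forward.conf from /var/ipfire/dnsforward/config.
	# Each line is "enabled,zone,servers,remark,disable_dnssec,...".
	# Reverse-lookup zones become stub zones, everything else a forward zone.
	(
		config_header

		local insecure_zones="${INSECURE_ZONES}"

		local enabled zone servers remark disable_dnssec rest
		while IFS="," read -r enabled zone servers remark disable_dnssec rest; do
			# Line must be enabled.
			[ "${enabled}" = "on" ] || continue

			# The zone name is copied into the configuration file, so
			# anything that is not a plain domain name is refused
			case "${zone}" in
				""|*[!A-Za-z0-9._-]*)
					echo >&2 "Skipping forward zone with invalid name: ${zone}"
					continue
					;;
			esac

			# Zones that end with .local are commonly used for internal
			# zones and therefore not signed. Zones collected here are
			# exempt from DNSSEC validation.
			case "${zone}" in
				*.local)
					insecure_zones="${insecure_zones} ${zone}"
					;;
				*)
					if [ "${disable_dnssec}" = "on" ]; then
						insecure_zones="${insecure_zones} ${zone}"
					fi
					;;
			esac

			# Reverse-lookup zones must be stubs
			case "${zone}" in
				*.in-addr.arpa)
					echo "stub-zone:"
					echo "	name: ${zone}"
					_forward_conf_servers stub "${servers}"
					echo
					echo "server:"
					echo "	local-zone: \"${zone}\" transparent"
					echo
					;;
				*)
					echo "forward-zone:"
					echo "	name: ${zone}"
					_forward_conf_servers forward "${servers}"
					echo
					;;
			esac
		done < /var/ipfire/dnsforward/config

		if [ -n "${insecure_zones}" ]; then
			echo "server:"

			for zone in ${insecure_zones}; do
				echo "	domain-insecure: ${zone}"
			done
		fi
	) > /etc/unbound/forward.conf
}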
239
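# Prints the cache budget in MB for a system with $1 MB of memory.
_tuning_cache_budget() {
	local mem="${1}"

	# Unknown amount of memory: use the middle setting
	case "${mem}" in
		""|*[!0-9]*)
			echo 64
			return 0
			;;
	esac

	# In the worst case scenario, unbound can use double the
	# amount of memory allocated to a cache due to malloc overhead

	# Even larger systems with 8GB of RAM or more
	if [ "${mem}" -ge 8192 ]; then
		echo 1024

	# Extra large systems with 4GB of RAM or more
	elif [ "${mem}" -ge 4096 ]; then
		echo 512

	# Large systems with 2GB of RAM or more
	elif [ "${mem}" -ge 2048 ]; then
		echo 256

	# Medium systems with 1GB of RAM or more
	elif [ "${mem}" -ge 1024 ]; then
		echo 128

	# Small systems with 256MB of RAM or less
	elif [ "${mem}" -le 256 ]; then
		echo 16

	# Everything else
	else
		echo 64
	fi
}

write_tuning_conf() {
	# Generates /etc/unbound/tuning.conf from the number of online
	# processors and the amount of system memory.
	# https://www.unbound.net/documentation/howto_optimise.html

	# Determine number of online processors; fall back to one so that
	# num-threads is never written empty
	local processors
	processors="$(getconf _NPROCESSORS_ONLN)"
	case "${processors}" in
		""|*[!0-9]*|0)
			processors=1
			;;
	esac

	# Determine number of slabs: the smallest power of two that is not
	# less than the number of processors
	local slabs=1
	while [ "${slabs}" -lt "${processors}" ]; do
		slabs=$(( slabs * 2 ))
	done

	# Determine the cache budget from the amount of system memory
	local mem
	mem="$(_tuning_cache_budget "$(get_memory_amount)")"

	(
		config_header

		# We run one thread per processor
		echo "num-threads: ${processors}"
		echo "so-reuseport: yes"

		# Adjust number of slabs
		echo "infra-cache-slabs: ${slabs}"
		echo "key-cache-slabs: ${slabs}"
		echo "msg-cache-slabs: ${slabs}"
		echo "rrset-cache-slabs: ${slabs}"

		# Slice up the cache
		echo "rrset-cache-size: $(( mem / 2 ))m"
		echo "msg-cache-size: $(( mem / 4 ))m"
		echo "key-cache-size: $(( mem / 4 ))m"

		# Increase parallel queries
		echo "outgoing-range: 8192"
		echo "num-queries-per-thread: 4096"

		# Use larger send/receive buffers
		echo "so-sndbuf: 4m"
		echo "so-rcvbuf: 4m"
	) > /etc/unbound/tuning.conf
}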
310
get_memory_amount() {
	# Prints the MemTotal value of /proc/meminfo divided by 1024
	# (the caller treats the result as MB).
	local field kilobytes suffix

	while read -r field kilobytes suffix; do
		if [[ "${field}" == MemTotal:* ]]; then
			# Convert to MB
			echo "$(( ${kilobytes} / 1024 ))"
			return
		fi
	done < /proc/meminfo
}
b8f5eda8 324
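test_name_server() {
	# Rates the name server in $1.
	#
	# Return codes:
	#   0   DNSSEC validating
	#   1   Error: unreachable, etc.
	#   2   DNSSEC aware
	#   3   NOT DNSSEC-aware
	local ns="${1}"
	local -a args=()

	# Exit when the server is not reachable
	ns_is_online "${ns}" || return 1

	# Determine the maximum edns buffer size that works
	local edns_buffer_size
	edns_buffer_size="$(ns_determine_edns_buffer_size "${ns}")"
	if [ -n "${edns_buffer_size}" ]; then
		args+=("+bufsize=${edns_buffer_size}")
	fi

	# rr is local so that the loop does not overwrite a caller's variable
	local rr
	local errors
	for rr in DNSKEY DS RRSIG; do
		if ! "ns_forwards_${rr}" "${ns}" "${args[@]}"; then
			errors="${errors} ${rr}"
		fi
	done

	if [ -n "${errors}" ]; then
		echo >&2 "Unable to retrieve the following resource records from ${ns}: ${errors:1}"
		return 3
	fi

	if ns_is_validating "${ns}" "${args[@]}"; then
		# Return 0 if validating
		return 0
	else
		# Is DNSSEC-aware
		return 2
	fi
}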
364
365# Sends an A query to the nameserver w/o DNSSEC
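ns_is_online() {
	# $1 is the name server, any further arguments are passed to dig.
	# Returns dig's exit status, or 1 when no name server was given.
	local ns="${1}"
	shift

	[ -n "${ns}" ] || return 1

	dig "@${ns}" +nodnssec A "${TEST_DOMAIN}" "$@" >/dev/null
}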
372
373# Resolving ${TEST_DOMAIN_FAIL} will fail if the nameserver is validating
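ns_is_validating() {
	# $1 is the name server, any further arguments are passed to dig.
	# Returns 0 only when the server answers SERVFAIL for
	# ${TEST_DOMAIN_FAIL} and sets the "ad" flag for ${TEST_DOMAIN}.
	local ns="${1}"
	shift

	# A validating server refuses to answer for the broken domain
	if ! dig "@${ns}" A "${TEST_DOMAIN_FAIL}" "$@" | grep -q SERVFAIL; then
		return 1
	fi

	# Determine if NS replies with "ad" data flag if DNSSEC enabled.
	# The result starts out as "not validating", so output without a
	# flags line (for example a query that got no reply) does not count
	# as success.
	dig "@${ns}" +dnssec SOA "${TEST_DOMAIN}" "$@" | \
		awk 'BEGIN { s = 1 } /;; flags:/ { if (/ ad[ ;]/) s = 0; exit } END { exit s }'
}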
385
386# Checks if we can retrieve the DNSKEY for this domain.
387# dig will print the SOA if nothing was found
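ns_forwards_DNSKEY() {
	# $1 is the name server, any further arguments are passed to dig.
	# Returns 0 when the reply contains a DNSKEY record for ${TEST_DOMAIN}.
	local ns="${1}"
	shift

	# "grep -v SOA" succeeds as soon as any line lacks "SOA", which is
	# true for every dig output. Look for the record type in the fourth
	# column of a non-comment line instead.
	dig "@${ns}" DNSKEY "${TEST_DOMAIN}" "$@" | \
		awk '$1 !~ /^;/ && $4 == "DNSKEY" { found = 1 } END { exit !found }'
}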
394
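ns_forwards_DS() {
	# $1 is the name server, any further arguments are passed to dig.
	# Returns 0 when the reply contains a DS record for ${TEST_DOMAIN}.
	local ns="${1}"
	shift

	# "grep -v SOA" succeeds as soon as any line lacks "SOA", which is
	# true for every dig output. Look for the record type in the fourth
	# column of a non-comment line instead.
	dig "@${ns}" DS "${TEST_DOMAIN}" "$@" | \
		awk '$1 !~ /^;/ && $4 == "DS" { found = 1 } END { exit !found }'
}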
401
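ns_forwards_RRSIG() {
	# $1 is the name server, any further arguments are passed to dig.
	# Returns 0 when the reply to a +dnssec A query for ${TEST_DOMAIN}
	# mentions RRSIG.
	local ns="${1}"
	shift

	# "$@" is quoted so that the extra dig options are passed on unchanged
	dig "@${ns}" +dnssec A "${TEST_DOMAIN}" "$@" | grep -q RRSIG
}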
408
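ns_supports_tcp() {
	# $1 is the name server, any further arguments are passed to dig.
	# Returns 0 when the A query for ${TEST_DOMAIN} over TCP succeeds
	# and 1 otherwise.
	local ns="${1}"
	shift

	[ -n "${ns}" ] || return 1

	dig "@${ns}" +tcp A "${TEST_DOMAIN}" "$@" >/dev/null || return 1
}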
415
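ns_determine_edns_buffer_size() {
	# $1 is the name server, any further arguments are passed to dig.
	# Prints the first size of the list, tried from the largest to the
	# smallest, for which the +dnssec query succeeds, and returns 0.
	# Prints nothing and returns 1 when no size works.
	local ns="${1}"
	shift

	local b
	for b in 4096 2048 1500 1480 1464 1400 1280 512; do
		if dig "@${ns}" +dnssec "+bufsize=${b}" A "${TEST_DOMAIN}" "$@" >/dev/null; then
			echo "${b}"
			return 0
		fi
	done

	return 1
}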
430
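get_root_nameservers() {
	# Prints the address of every A record in /etc/unbound/root.hints,
	# one per line. Lines are read as "name ttl type address".
	#
	# The loop variables are local so that calling this function outside
	# of a command substitution does not overwrite the caller's variables.
	local hostname ttl record address

	while read -r hostname ttl record address; do
		# Searching for A records
		[ "${record}" = "A" ] || continue

		echo "${address}"
	done < /etc/unbound/root.hints
}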
439
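can_resolve_root() {
	# Returns 0 as soon as one of the root name servers answers a +dnssec
	# SOA query for the root zone, 1 when none does. All arguments are
	# passed to dig.
	local ns
	for ns in $(get_root_nameservers); do
		if dig "@${ns}" +dnssec SOA . "$@" >/dev/null; then
			return 0
		fi
	done

	# none of the servers was reachable
	return 1
}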
451
enable_dnssec() {
	# Records "on" in /var/ipfire/red/dnssec-status and, unless Unbound
	# already reports val-permissive-mode as "no", switches permissive
	# mode off.
	local current_mode=$(unbound-control get_option val-permissive-mode)

	# Log DNSSEC status
	echo "on" > /var/ipfire/red/dnssec-status

	if [ "${current_mode}" != "no" ]; then
		# Activate DNSSEC and flush cache with any stale and unvalidated data
		unbound-control -q set_option val-permissive-mode: no
		unbound-control -q flush_zone .
	fi
}
465
disable_dnssec() {
	# Records "off" in /var/ipfire/red/dnssec-status and switches Unbound
	# to permissive validation mode.
	local status_file=/var/ipfire/red/dnssec-status

	# Log DNSSEC status
	echo "off" > "${status_file}"

	unbound-control -q set_option val-permissive-mode: yes
}
472
fix_time_if_dns_fail() {
	# If DNS still does not work, try to set the time from the
	# hardcoded address of ntp.ipfire.org (81.3.27.46).
	# NOTE(review): the address is fixed in the script and has to be
	# kept in step with the real server.

	# Nothing to do without an active RED connection
	[ -e /var/ipfire/red/active ] || return 0

	if ! host 0.ipfire.pool.ntp.org > /dev/null 2>&1; then
		boot_mesg "DNS still not functioning... Trying to sync time with ntp.ipfire.org (81.3.27.46)..."
		loadproc /usr/local/bin/settime 81.3.27.46
	fi
}
484
485# Sets up Safe Search for various search engines
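write_safe_search_conf() {
	# Generates /etc/unbound/safe-search.conf. The file is always
	# rewritten; it stays empty unless ENABLE_SAFE_SEARCH is "on".
	#
	# NOTE(review): only the names written below are redirected
	# (www.bing.com, duckduckgo.com, www.<domain> for every entry of
	# google_tlds, and yandex.ru). Clients that use a different resolver
	# are not covered by this file.
	local google_tlds=(
		google.ad google.ae google.al google.am
		google.as google.at google.az google.ba
		google.be google.bf google.bg google.bi
		google.bj google.bs google.bt google.by
		google.ca google.cat google.cd google.cf
		google.cg google.ch google.ci google.cl
		google.cm google.cn google.co.ao google.co.bw
		google.co.ck google.co.cr google.co.id google.co.il
		google.co.in google.co.jp google.co.ke google.co.kr
		google.co.ls google.com google.co.ma google.com.af
		google.com.ag google.com.ai google.com.ar google.com.au
		google.com.bd google.com.bh google.com.bn google.com.bo
		google.com.br google.com.bz google.com.co google.com.cu
		google.com.cy google.com.do google.com.ec google.com.eg
		google.com.et google.com.fj google.com.gh google.com.gi
		google.com.gt google.com.hk google.com.jm google.com.kh
		google.com.kw google.com.lb google.com.ly google.com.mm
		google.com.mt google.com.mx google.com.my google.com.na
		google.com.nf google.com.ng google.com.ni google.com.np
		google.com.om google.com.pa google.com.pe google.com.pg
		google.com.ph google.com.pk google.com.pr google.com.py
		google.com.qa google.com.sa google.com.sb google.com.sg
		google.com.sl google.com.sv google.com.tj google.com.tr
		google.com.tw google.com.ua google.com.uy google.com.vc
		google.com.vn google.co.mz google.co.nz google.co.th
		google.co.tz google.co.ug google.co.uk google.co.uz
		google.co.ve google.co.vi google.co.za google.co.zm
		google.co.zw google.cv google.cz google.de
		google.dj google.dk google.dm google.dz
		google.ee google.es google.fi google.fm
		google.fr google.ga google.ge google.gg
		google.gl google.gm google.gp google.gr
		google.gy google.hn google.hr google.ht
		google.hu google.ie google.im google.iq
		google.is google.it google.je google.jo
		google.kg google.ki google.kz google.la
		google.li google.lk google.lt google.lu
		google.lv google.md google.me google.mg
		google.mk google.ml google.mn google.ms
		google.mu google.mv google.mw google.ne
		google.nl google.no google.nr google.nu
		google.pl google.pn google.ps google.pt
		google.ro google.rs google.ru google.rw
		google.sc google.se google.sh google.si
		google.sk google.sm google.sn google.so
		google.sr google.st google.td google.tg
		google.tk google.tl google.tm google.tn
		google.to google.tt google.vg google.vu
		google.ws
	)

	(
		# Nothing to do if safe search is not enabled. The exit only
		# leaves this subshell; the redirection has already emptied
		# the file.
		if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
			exit 0
		fi

		# This all belongs into the server: section
		echo "server:"

		# Bing
		echo "	local-zone: bing.com transparent"
		echo "	local-data: \"www.bing.com CNAME strict.bing.com.\""

		# DuckDuckGo
		echo "	local-zone: duckduckgo.com transparent"
		echo "	local-data: \"duckduckgo.com CNAME safe.duckduckgo.com.\""

		# Google
		local domain
		for domain in "${google_tlds[@]}"; do
			echo "	local-zone: ${domain} transparent"
			echo "	local-data: \"www.${domain} CNAME forcesafesearch.google.com.\""
		done

		# Yandex
		# NOTE(review): this is a fixed address, unlike the CNAME based
		# entries above - verify that it is still the right target.
		echo "	local-zone: yandex.ru transparent"
		echo "	local-data: \"yandex.ru A 213.180.193.56\""
	) > /etc/unbound/safe-search.conf
}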
712
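# Dispatch on the action given as first argument
case "$1" in
	start)
		# Print a nicer message when unbound is already running
		if pidofproc -s unbound; then
			statusproc /usr/sbin/unbound
			exit 0
		fi

		# NOTE(review): the output of readhash is evaluated as shell code.
		# /var/ipfire/ethernet/settings must therefore only be writable by
		# the administrator. The substitution is quoted so that the output
		# reaches eval exactly as readhash printed it.
		eval "$(/usr/local/bin/readhash /var/ipfire/ethernet/settings)"

		# Update configuration files
		write_tuning_conf
		write_forward_conf
		write_safe_search_conf

		boot_mesg "Starting Unbound DNS Proxy..."
		loadproc /usr/sbin/unbound || exit $?

		# Make own hostname resolveable
		own_hostname

		# Update any known forwarding name servers
		update_forwarders

		# Update hosts
		update_hosts

		fix_time_if_dns_fail
		;;

	stop)
		boot_mesg "Stopping Unbound DNS Proxy..."
		killproc /usr/sbin/unbound
		;;

	restart)
		"$0" stop
		sleep 1
		"$0" start
		;;

	status)
		statusproc /usr/sbin/unbound
		;;

	update-forwarders)
		# Do not try updating forwarders when unbound is not running
		if ! pgrep unbound &>/dev/null; then
			exit 0
		fi

		update_forwarders

		unbound-control flush_negative > /dev/null
		unbound-control flush_bogus > /dev/null

		fix_time_if_dns_fail
		;;

	test-name-server)
		ns="${2}"

		# The value ends up on dig's command line, so it must be a single
		# address or host name and nothing else
		case "${ns}" in
			""|*[!A-Za-z0-9._:-]*)
				echo >&2 "Usage: $0 test-name-server <name server>"
				exit 1
				;;
		esac

		test_name_server "${ns}"
		ret=${?}

		case "${ret}" in
			0)
				echo "${ns} is validating"
				;;
			2)
				echo "${ns} is DNSSEC-aware"
				;;
			3)
				echo "${ns} is NOT DNSSEC-aware"
				;;
			*)
				echo "Test failed for an unknown reason"
				exit "${ret}"
				;;
		esac

		if ns_supports_tcp "${ns}"; then
			echo "${ns} supports TCP fallback"
		else
			echo "${ns} does not support TCP fallback"
		fi

		edns_buffer_size="$(ns_determine_edns_buffer_size "${ns}")"
		if [ -n "${edns_buffer_size}" ]; then
			echo "EDNS buffer size for ${ns}: ${edns_buffer_size}"
		fi

		exit "${ret}"
		;;

	*)
		echo "Usage: $0 {start|stop|restart|status|update-forwarders|test-name-server}"
		exit 1
		;;
esac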
813
814# End $rc_base/init.d/unbound