2 # Begin $rc_base/init.d/unbound
4 # Description : Unbound DNS resolver boot script for IPfire
5 # Author : Marcel Lorenz <marcel.lorenz@ipfire.org>
# Domain name kept for tests (where it is used is outside this excerpt)
TEST_DOMAIN='ipfire.org'

# This domain will never validate
TEST_DOMAIN_FAIL='dnssec-failed.org'
15 # Cache any local zones for 60 seconds
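# Load the DNS settings into the current shell by evaluating what readhash
# prints for /var/ipfire/dns/settings (presumably KEY=value assignments -
# confirm against readhash).
# NOTE(review): eval executes that output as shell code, so this line is only
# as trustworthy as the settings file and the quoting readhash applies to
# the values. Confirm the file can be written by privileged processes only.
# The substitution is quoted so the output reaches eval unchanged, without
# word splitting or pathname expansion being applied to it first.
eval "$(/usr/local/bin/readhash /var/ipfire/dns/settings)"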
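# Split the dotted address on "." into four fields. IFS is changed for the
# read only. The here-string is quoted so the value reaches read unmodified
# (older bash releases word-split an unquoted here-string).
IFS=. read -r a1 a2 a3 a4 <<< "${addr}"

# Print the fields in reverse order under in-addr.arpa.
# NOTE(review): nothing visible here checks that ${addr} consists of four
# numeric fields before it becomes part of a record name - confirm that the
# callers only pass validated addresses.
echo "${a4}.${a3}.${a2}.${a1}.in-addr.arpa"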
33 echo "$(</var/ipfire/red/dns${i})"
34 done 2>/dev
/null |
xargs echo
37 check_red_has_carrier_and_ip
() {
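# Interface configured ?
[ -e "/var/ipfire/red/iface" ] || return 0

# Read the interface name once and quote it wherever it is used. The
# original re-read the file inside an unquoted redirection target, where
# unexpected whitespace in the file would make the redirect ambiguous.
local red_iface
red_iface="$(</var/ipfire/red/iface)"

# The device must exist ...
[ -e "/sys/class/net/${red_iface}" ] || return 0

# ... and report a carrier ("1" in its sysfs carrier file)
[ "$(<"/sys/class/net/${red_iface}/carrier")" = "1" ] || return 0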
48 [ "$(ip address show dev $(</var/ipfire/red/iface) | grep "inet
")" = "" ] && return 0;
54 echo "# This file is automatically generated and any changes"
55 echo "# will be overwritten. DO NOT EDIT!"
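# Fully qualified name of this host, as printed by "hostname -f".
# Declared separately from the assignment so that a failing hostname call
# is not hidden behind the exit status of "local".
local hostname
hostname=$(hostname -f)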
61 # 1.1.1.1 is reserved for unused green, skip this
62 if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
63 unbound-control
-q local_data
"${hostname} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}"
67 for address
in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
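# Skip zones without an address and the 1.1.1.1 value this script treats
# as "unused"
[ -n "${address}" ] || continue
[ "${address}" = "1.1.1.1" ] && continue

# Replace the address by its reverse-lookup name. Quoted so the value is
# handed to ip_address_revptr as exactly one argument.
address=$(ip_address_revptr "${address}")
unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${hostname}"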
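local enabled address hostname domainname generateptr

# One comma-separated record per line of /var/ipfire/main/hosts:
#   enabled,address,hostname,domainname,generateptr
# NOTE(review): the fields are placed into local_data records exactly as
# read. Nothing visible here validates them, so confirm that whatever
# writes the hosts file rejects malformed names and addresses.
while IFS="," read -r enabled address hostname domainname generateptr; do
	[ "${enabled}" = "on" ] || continue

	local fqdn="${hostname}.${domainname}"

	unbound-control -q local_data "${fqdn} ${LOCAL_TTL} IN A ${address}"

	# Skip reverse resolution if the address equals the GREEN address
	[ "${address}" = "${GREEN_ADDRESS}" ] && continue

	# Skip reverse resolution if user requested not to do so
	[ "${generateptr}" = "off" ] && continue

	# Quoted so the address reaches ip_address_revptr as one argument
	address=$(ip_address_revptr "${address}")
	unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${fqdn}"
done < /var/ipfire/main/hosts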
99 write_forward_conf
() {
103 # Force using TCP for upstream servers only
104 if [ "${PROTO}" = "TCP" ]; then
105 echo "# Force using TCP for upstream servers only"
107 echo " tcp-upstream: yes"
111 local insecure_zones
=""
113 local enabled zone server servers remark disable_dnssec rest
114 while IFS
="," read -r enabled zone servers remark disable_dnssec rest
; do
115 # Line must be enabled.
116 [ "${enabled}" = "on" ] ||
continue
118 # Zones that end with .local are commonly used for internal
119 # zones and therefore not signed
122 insecure_zones
="${insecure_zones} ${zone}"
125 if [ "${disable_dnssec}" = "on" ]; then
126 insecure_zones
="${insecure_zones} ${zone}"
132 echo " name: ${zone}"
133 for server
in ${servers//|/ }; do
134 if [[ ${server} =~ ^
[0-9]+\.
[0-9]+\.
[0-9]+\.
[0-9]+$
]]; then
135 echo " stub-addr: ${server}"
137 echo " stub-host: ${server}"
142 # Make all reverse lookup zones transparent
146 echo " local-zone: \"${zone}\" transparent"
150 done < /var
/ipfire
/dnsforward
/config
152 if [ -n "${insecure_zones}" ]; then
155 for zone
in ${insecure_zones}; do
156 echo " domain-insecure: ${zone}"
163 # Force using TLS only
164 if [ "${PROTO}" = "TLS" ]; then
165 echo " forward-tls-upstream: yes"
168 # Add upstream name servers
169 local id address tls_hostname enabled remark
170 while IFS
="," read -r id address tls_hostname enabled remark
; do
171 # Skip disabled servers
172 [ "${enabled}" != "enabled" ] && continue
175 if [ "${PROTO}" = "TLS" ]; then
176 if [ -n "${tls_hostname}" ]; then
177 echo " forward-addr: ${address}@853#${tls_hostname}"
180 echo " forward-addr: ${address}"
182 done < /var
/ipfire
/dns
/servers
183 ) > /etc
/unbound
/forward.conf
186 write_tuning_conf
() {
187 # https://www.unbound.net/documentation/howto_optimise.html
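# Determine number of online processors
# Declared separately from the assignment so that a getconf failure is not
# hidden behind the exit status of "local".
local processors
processors=$(getconf _NPROCESSORS_ONLN)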
192 # Determine number of slabs
194 while [ ${slabs} -lt ${processors} ]; do
195 slabs
=$
(( ${slabs} * 2 ))
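# Determine amount of system memory
# Declared separately from the assignment so that a failure of
# get_memory_amount is not hidden behind the exit status of "local".
local mem
mem=$(get_memory_amount)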
201 # In the worst case scenario, unbound can use double the
202 # amount of memory allocated to a cache due to malloc overhead
204 # Even larger systems with more than 8GB of RAM
205 if [ ${mem} -ge 8192 ]; then
208 # Extra large systems with more than 4GB of RAM
209 elif [ ${mem} -ge 4096 ]; then
212 # Large systems with more than 2GB of RAM
213 elif [ ${mem} -ge 2048 ]; then
216 # Medium systems with more than 1GB of RAM
217 elif [ ${mem} -ge 1024 ]; then
220 # Small systems with less than 256MB of RAM
221 elif [ ${mem} -le 256 ]; then
# We run one thread per processor
printf '%s\n' "num-threads: ${processors}"
printf '%s\n' "so-reuseport: yes"

# Adjust number of slabs (printf repeats the format for each name/value pair)
printf '%s-cache-slabs: %s\n' \
	infra "${slabs}" \
	key "${slabs}" \
	msg "${slabs}" \
	rrset "${slabs}"

# Cache sizes are derived from ${mem}, with an "m" suffix
printf 'rrset-cache-size: %sm\n' "$(( ${mem} / 2 ))"
printf 'msg-cache-size: %sm\n' "$(( ${mem} / 4 ))"
printf 'key-cache-size: %sm\n' "$(( ${mem} / 4 ))"

# Increase parallel queries
printf '%s\n' "outgoing-range: 8192"
printf '%s\n' "num-queries-per-thread: 4096"
251 # Use larger send/receive buffers
254 ) > /etc
/unbound
/tuning.conf
257 get_memory_amount
() {
260 while read -r key val unit
; do
264 echo "$(( ${val} / 1024 ))"
271 fix_time_if_dns_fail
() {
272 # If DNS still does not work, try to initialise the time via NTP using the
273 # hardcoded address of ntp.ipfire.org (81.3.27.46)
274 check_red_has_carrier_and_ip
275 if [ -e "/var/ipfire/red/iface" -a "${?}" = "1" ]; then
276 host 0.ipfire.pool.ntp.org
> /dev
/null
2>&1
277 if [ "${?}" != "0" ]; then
278 boot_mesg
"DNS still not functioning... Trying to sync time with ntp.ipfire.org (81.3.27.46)..."
279 loadproc
/usr
/local
/bin
/settime
81.3.27.46
285 local hostname
="${1}"
288 for answer
in $
(dig +short A
"${hostname}"); do
289 # Filter out non-IP addresses
290 if [[ ! "${answer}" =~ \.$
]]; then
296 # Sets up Safe Search for various search engines
297 update_safe_search
() {
494 # Cleanup previous settings
495 unbound-control local_zone_remove
"bing.com" >/dev
/null
496 unbound-control local_zone_remove
"duckduckgo.com" >/dev
/null
497 unbound-control local_zone_remove
"yandex.com" >/dev
/null
498 unbound-control local_zone_remove
"yandex.ru" >/dev
/null
499 unbound-control local_zone_remove
"youtube.com" >/dev
/null
502 for domain
in ${google_tlds[@]}; do
503 unbound-control local_zone_remove
"${domain}"
506 # Nothing to do if safe search is not enabled
507 if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
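# Declare the zone before records are added to it. The "local_zone"
# subcommand was missing on this line, so unbound-control was handed
# "bing.com" as the command name. Every other search engine in this script
# uses the "local_zone <name> <type>" form.
unbound-control local_zone bing.com transparent >/dev/null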
513 for address
in $
(resolve
"strict.bing.com"); do
514 unbound-control local_data
"www.bing.com ${LOCAL_TTL} IN A ${address}"
518 unbound-control local_zone duckduckgo.com typetransparent
>/dev
/null
519 for address
in $
(resolve
"safe.duckduckgo.com"); do
520 unbound-control local_data
"duckduckgo.com ${LOCAL_TTL} IN A ${address}"
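# Resolve the Safe Search target once, before it is used for the Google domains.
# Declared separately from the assignment so that a failing lookup is not
# hidden behind the exit status of "local".
local addresses
addresses="$(resolve "forcesafesearch.google.com")"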
525 for domain
in ${google_tlds[@]}; do
526 unbound-control local_zone
"${domain}" transparent
>/dev
/null
527 for address
in ${addresses}; do
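# A stray ':' followed the subcommand on this line, unlike every other
# local_data call in this script, so the command line differed from the one
# used for the other search engines. Without it, the record is passed as
# the single local_data argument.
unbound-control local_data "www.${domain} ${LOCAL_TTL} IN A ${address}"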
533 for domain
in yandex.com yandex.ru
; do
534 unbound-control local_zone
"${domain}" typetransparent
>/dev
/null
535 for address
in $
(resolve
"familysearch.${domain}"); do
536 unbound-control local_data
"${domain} ${LOCAL_TTL} IN A ${address}"
541 unbound-control local_zone youtube.com transparent
>/dev
/null
542 for address
in $
(resolve
"restrictmoderate.youtube.com"); do
543 unbound-control local_data
"www.youtube.com ${LOCAL_TTL} IN A ${address}"
551 # Print a nicer message when unbound is already running
552 if pidofproc
-s unbound
; then
553 statusproc
/usr
/sbin
/unbound
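# Load the network settings into the current shell by evaluating what
# readhash prints for /var/ipfire/ethernet/settings (presumably KEY=value
# assignments - confirm against readhash).
# NOTE(review): eval executes that output as shell code, so this line is only
# as trustworthy as the settings file and the quoting readhash applies to
# the values. Confirm the file can be written by privileged processes only.
# The substitution is quoted so the output reaches eval unchanged, without
# word splitting or pathname expansion being applied to it first.
eval "$(/usr/local/bin/readhash /var/ipfire/ethernet/settings)"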
559 # Update configuration files
563 boot_mesg
"Starting Unbound DNS Proxy..."
564 loadproc
/usr
/sbin
/unbound ||
exit $?
566 # Make own hostname resolvable
569 # Install Safe Search rules when the system is already online
570 if [ -e "/var/ipfire/red/active" ]; then
581 boot_mesg
"Stopping Unbound DNS Proxy..."
582 killproc
/usr
/sbin
/unbound
592 statusproc
/usr
/sbin
/unbound
596 : # XXX must set ISP name servers if necessary
598 # Update Safe Search settings
603 : # XXX must remove ISP name servers
615 echo "Usage: $0 {start|stop|restart|status|resolve|update-forwarders|remove-forwarders|update-safe-search}"
620 # End $rc_base/init.d/unbound