]> git.ipfire.org Git - ipfire-2.x.git/blob - src/initscripts/system/unbound
projects / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
unbound: Update setting Safe Search redirects
[ipfire-2.x.git] / src / initscripts / system / unbound
1 #!/bin/sh
2 # Begin $rc_base/init.d/unbound
3
4 # Description : Unbound DNS resolver boot script for IPfire
5 # Author : Marcel Lorenz <marcel.lorenz@ipfire.org>
6
7 . /etc/sysconfig/rc
8 . ${rc_functions}
9
10 TEST_DOMAIN="ipfire.org"
11
12 # This domain will never validate
13 TEST_DOMAIN_FAIL="dnssec-failed.org"
14
15 # Cache any local zones for 60 seconds
16 LOCAL_TTL=60
17
18 # Load configuration
19 eval $(/usr/local/bin/readhash /var/ipfire/dns/settings)
20
21 ip_address_revptr() {
22 local addr=${1}
23
24 local a1 a2 a3 a4
25 IFS=. read -r a1 a2 a3 a4 <<< ${addr}
26
27 echo "${a4}.${a3}.${a2}.${a1}.in-addr.arpa"
28 }
29
30 read_name_servers() {
31 local i
32 for i in 1 2; do
33 echo "$(</var/ipfire/red/dns${i})"
34 done 2>/dev/null | xargs echo
35 }
36
37 check_red_has_carrier_and_ip() {
38 # Interface configured ?
39 [ ! -e "/var/ipfire/red/iface" ] && return 0;
40
41 # Interface present ?
42 [ ! -e "/sys/class/net/$(</var/ipfire/red/iface)" ] && return 0;
43
44 # has carrier ?
45 [ ! "$(</sys/class/net/$(</var/ipfire/red/iface)/carrier)" = "1" ] && return 0;
46
47 # has ip ?
48 [ "$(ip address show dev $(</var/ipfire/red/iface) | grep "inet")" = "" ] && return 0;
49
50 return 1;
51 }
52
53 config_header() {
54 echo "# This file is automatically generated and any changes"
55 echo "# will be overwritten. DO NOT EDIT!"
56 echo
57 }
58
59 own_hostname() {
60 local hostname=$(hostname -f)
61 # 1.1.1.1 is reserved for unused green, skip this
62 if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
63 unbound-control -q local_data "${hostname} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}"
64 fi
65
66 local address
67 for address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
68 [ -n "${address}" ] || continue
69 [ "${address}" = "1.1.1.1" ] && continue
70
71 address=$(ip_address_revptr ${address})
72 unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${hostname}"
73 done
74 }
75
76 update_hosts() {
77 local enabled address hostname domainname generateptr
78
79 while IFS="," read -r enabled address hostname domainname generateptr; do
80 [ "${enabled}" = "on" ] || continue
81
82 # Build FQDN
83 local fqdn="${hostname}.${domainname}"
84
85 unbound-control -q local_data "${fqdn} ${LOCAL_TTL} IN A ${address}"
86
87 # Skip reverse resolution if the address equals the GREEN address
88 [ "${address}" = "${GREEN_ADDRESS}" ] && continue
89
90 # Skip reverse resolution if user requested not to do so
91 [ "${generateptr}" = "off" ] && continue
92
93 # Add RDNS
94 address=$(ip_address_revptr ${address})
95 unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${fqdn}"
96 done < /var/ipfire/main/hosts
97 }
98
99 write_forward_conf() {
100 (
101 config_header
102
103 # Force using TCP for upstream servers only
104 if [ "${PROTO}" = "TCP" ]; then
105 echo "# Force using TCP for upstream servers only"
106 echo "server:"
107 echo " tcp-upstream: yes"
108 echo
109 fi
110
111 local insecure_zones=""
112
113 local enabled zone server servers remark disable_dnssec rest
114 while IFS="," read -r enabled zone servers remark disable_dnssec rest; do
115 # Line must be enabled.
116 [ "${enabled}" = "on" ] || continue
117
118 # Zones that end with .local are commonly used for internal
119 # zones and therefore not signed
120 case "${zone}" in
121 *.local)
122 insecure_zones="${insecure_zones} ${zone}"
123 ;;
124 *)
125 if [ "${disable_dnssec}" = "on" ]; then
126 insecure_zones="${insecure_zones} ${zone}"
127 fi
128 ;;
129 esac
130
131 echo "stub-zone:"
132 echo " name: ${zone}"
133 for server in ${servers//|/ }; do
134 if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
135 echo " stub-addr: ${server}"
136 else
137 echo " stub-host: ${server}"
138 fi
139 done
140 echo
141
142 # Make all reverse lookup zones transparent
143 case "${zone}" in
144 *.in-addr.arpa)
145 echo "server:"
146 echo " local-zone: \"${zone}\" transparent"
147 echo
148 ;;
149 esac
150 done < /var/ipfire/dnsforward/config
151
152 if [ -n "${insecure_zones}" ]; then
153 echo "server:"
154
155 for zone in ${insecure_zones}; do
156 echo " domain-insecure: ${zone}"
157 done
158 fi
159
160 echo "forward-zone:"
161 echo " name: \".\""
162
163 # Force using TLS only
164 if [ "${PROTO}" = "TLS" ]; then
165 echo " forward-tls-upstream: yes"
166 fi
167
168 # Add upstream name servers
169 local id address tls_hostname enabled remark
170 while IFS="," read -r id address tls_hostname enabled remark; do
171 # Skip disabled servers
172 [ "${enabled}" != "enabled" ] && continue
173
174 # Set DNS server
175 if [ "${PROTO}" = "TLS" ]; then
176 if [ -n "${tls_hostname}" ]; then
177 echo " forward-addr: ${address}@853#${tls_hostname}"
178 fi
179 else
180 echo " forward-addr: ${address}"
181 fi
182 done < /var/ipfire/dns/servers
183 ) > /etc/unbound/forward.conf
184 }
185
186 write_tuning_conf() {
187 # https://www.unbound.net/documentation/howto_optimise.html
188
189 # Determine number of online processors
190 local processors=$(getconf _NPROCESSORS_ONLN)
191
192 # Determine number of slabs
193 local slabs=1
194 while [ ${slabs} -lt ${processors} ]; do
195 slabs=$(( ${slabs} * 2 ))
196 done
197
198 # Determine amount of system memory
199 local mem=$(get_memory_amount)
200
201 # In the worst case scenario, unbound can use double the
202 # amount of memory allocated to a cache due to malloc overhead
203
204 # Even larger systems with more than 8GB of RAM
205 if [ ${mem} -ge 8192 ]; then
206 mem=1024
207
208 # Extra large systems with more than 4GB of RAM
209 elif [ ${mem} -ge 4096 ]; then
210 mem=512
211
212 # Large systems with more than 2GB of RAM
213 elif [ ${mem} -ge 2048 ]; then
214 mem=256
215
216 # Medium systems with more than 1GB of RAM
217 elif [ ${mem} -ge 1024 ]; then
218 mem=128
219
220 # Small systems with less than 256MB of RAM
221 elif [ ${mem} -le 256 ]; then
222 mem=16
223
224 # Everything else
225 else
226 mem=64
227 fi
228
229 (
230 config_header
231
232 # We run one thread per processor
233 echo "num-threads: ${processors}"
234 echo "so-reuseport: yes"
235
236 # Adjust number of slabs
237 echo "infra-cache-slabs: ${slabs}"
238 echo "key-cache-slabs: ${slabs}"
239 echo "msg-cache-slabs: ${slabs}"
240 echo "rrset-cache-slabs: ${slabs}"
241
242 # Slice up the cache
243 echo "rrset-cache-size: $(( ${mem} / 2 ))m"
244 echo "msg-cache-size: $(( ${mem} / 4 ))m"
245 echo "key-cache-size: $(( ${mem} / 4 ))m"
246
247 # Increase parallel queries
248 echo "outgoing-range: 8192"
249 echo "num-queries-per-thread: 4096"
250
251 # Use larger send/receive buffers
252 echo "so-sndbuf: 4m"
253 echo "so-rcvbuf: 4m"
254 ) > /etc/unbound/tuning.conf
255 }
256
257 get_memory_amount() {
258 local key val unit
259
260 while read -r key val unit; do
261 case "${key}" in
262 MemTotal:*)
263 # Convert to MB
264 echo "$(( ${val} / 1024 ))"
265 break
266 ;;
267 esac
268 done < /proc/meminfo
269 }
270
271 fix_time_if_dns_fail() {
272 # If DNS still not work try to init ntp with
273 # hardcoded ntp.ipfire.org (81.3.27.46)
274 check_red_has_carrier_and_ip
275 if [ -e "/var/ipfire/red/iface" -a "${?}" = "1" ]; then
276 host 0.ipfire.pool.ntp.org > /dev/null 2>&1
277 if [ "${?}" != "0" ]; then
278 boot_mesg "DNS still not functioning... Trying to sync time with ntp.ipfire.org (81.3.27.46)..."
279 loadproc /usr/local/bin/settime 81.3.27.46
280 fi
281 fi
282 }
283
284 resolve() {
285 local hostname="${1}"
286
287 local answer
288 for answer in $(dig +short A "${hostname}"); do
289 # Filter out non-IP addresses
290 if [[ ! "${answer}" =~ \.$ ]]; then
291 echo "${answer}"
292 fi
293 done
294 }
295
296 # Sets up Safe Search for various search engines
297 update_safe_search() {
298 local google_tlds=(
299 google.ad
300 google.ae
301 google.al
302 google.am
303 google.as
304 google.at
305 google.az
306 google.ba
307 google.be
308 google.bf
309 google.bg
310 google.bi
311 google.bj
312 google.bs
313 google.bt
314 google.by
315 google.ca
316 google.cat
317 google.cd
318 google.cf
319 google.cg
320 google.ch
321 google.ci
322 google.cl
323 google.cm
324 google.cn
325 google.co.ao
326 google.co.bw
327 google.co.ck
328 google.co.cr
329 google.co.id
330 google.co.il
331 google.co.in
332 google.co.jp
333 google.co.ke
334 google.co.kr
335 google.co.ls
336 google.com
337 google.co.ma
338 google.com.af
339 google.com.ag
340 google.com.ai
341 google.com.ar
342 google.com.au
343 google.com.bd
344 google.com.bh
345 google.com.bn
346 google.com.bo
347 google.com.br
348 google.com.bz
349 google.com.co
350 google.com.cu
351 google.com.cy
352 google.com.do
353 google.com.ec
354 google.com.eg
355 google.com.et
356 google.com.fj
357 google.com.gh
358 google.com.gi
359 google.com.gt
360 google.com.hk
361 google.com.jm
362 google.com.kh
363 google.com.kw
364 google.com.lb
365 google.com.ly
366 google.com.mm
367 google.com.mt
368 google.com.mx
369 google.com.my
370 google.com.na
371 google.com.nf
372 google.com.ng
373 google.com.ni
374 google.com.np
375 google.com.om
376 google.com.pa
377 google.com.pe
378 google.com.pg
379 google.com.ph
380 google.com.pk
381 google.com.pr
382 google.com.py
383 google.com.qa
384 google.com.sa
385 google.com.sb
386 google.com.sg
387 google.com.sl
388 google.com.sv
389 google.com.tj
390 google.com.tr
391 google.com.tw
392 google.com.ua
393 google.com.uy
394 google.com.vc
395 google.com.vn
396 google.co.mz
397 google.co.nz
398 google.co.th
399 google.co.tz
400 google.co.ug
401 google.co.uk
402 google.co.uz
403 google.co.ve
404 google.co.vi
405 google.co.za
406 google.co.zm
407 google.co.zw
408 google.cv
409 google.cz
410 google.de
411 google.dj
412 google.dk
413 google.dm
414 google.dz
415 google.ee
416 google.es
417 google.fi
418 google.fm
419 google.fr
420 google.ga
421 google.ge
422 google.gg
423 google.gl
424 google.gm
425 google.gp
426 google.gr
427 google.gy
428 google.hn
429 google.hr
430 google.ht
431 google.hu
432 google.ie
433 google.im
434 google.iq
435 google.is
436 google.it
437 google.je
438 google.jo
439 google.kg
440 google.ki
441 google.kz
442 google.la
443 google.li
444 google.lk
445 google.lt
446 google.lu
447 google.lv
448 google.md
449 google.me
450 google.mg
451 google.mk
452 google.ml
453 google.mn
454 google.ms
455 google.mu
456 google.mv
457 google.mw
458 google.ne
459 google.nl
460 google.no
461 google.nr
462 google.nu
463 google.pl
464 google.pn
465 google.ps
466 google.pt
467 google.ro
468 google.rs
469 google.ru
470 google.rw
471 google.sc
472 google.se
473 google.sh
474 google.si
475 google.sk
476 google.sm
477 google.sn
478 google.so
479 google.sr
480 google.st
481 google.td
482 google.tg
483 google.tk
484 google.tl
485 google.tm
486 google.tn
487 google.to
488 google.tt
489 google.vg
490 google.vu
491 google.ws
492 )
493
494 # Cleanup previous settings
495 unbound-control local_zone_remove "bing.com" >/dev/null
496 unbound-control local_zone_remove "duckduckgo.com" >/dev/null
497 unbound-control local_zone_remove "yandex.com" >/dev/null
498 unbound-control local_zone_remove "yandex.ru" >/dev/null
499 unbound-control local_zone_remove "youtube.com" >/dev/null
500
501 local domain
502 for domain in ${google_tlds[@]}; do
503 unbound-control local_zone_remove "${domain}"
504 done >/dev/null
505
506 # Nothing to do if safe search is not enabled
507 if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
508 return 0
509 fi
510
511 # Bing
512 unbound-control bing.com transparent >/dev/null
513 for address in $(resolve "strict.bing.com"); do
514 unbound-control local_data "www.bing.com ${LOCAL_TTL} IN A ${address}"
515 done >/dev/null
516
517 # DuckDuckGo
518 unbound-control local_zone duckduckgo.com typetransparent >/dev/null
519 for address in $(resolve "safe.duckduckgo.com"); do
520 unbound-control local_data "duckduckgo.com ${LOCAL_TTL} IN A ${address}"
521 done >/dev/null
522
523 # Google
524 local addresses="$(resolve "forcesafesearch.google.com")"
525 for domain in ${google_tlds[@]}; do
526 unbound-control local_zone "${domain}" transparent >/dev/null
527 for address in ${addresses}; do
528 unbound-control local_data: "www.${domain} ${LOCAL_TTL} IN A ${address}"
529 done >/dev/null
530 done
531
532 # Yandex
533 for domain in yandex.com yandex.ru; do
534 unbound-control local_zone "${domain}" typetransparent >/dev/null
535 for address in $(resolve "familysearch.${domain}"); do
536 unbound-control local_data "${domain} ${LOCAL_TTL} IN A ${address}"
537 done >/dev/null
538 done
539
540 # YouTube
541 unbound-control local_zone youtube.com transparent >/dev/null
542 for address in $(resolve "restrictmoderate.youtube.com"); do
543 unbound-control local_data "www.youtube.com ${LOCAL_TTL} IN A ${address}"
544 done >/dev/null
545
546 return 0
547 }
548
549 case "$1" in
550 start)
551 # Print a nicer messagen when unbound is already running
552 if pidofproc -s unbound; then
553 statusproc /usr/sbin/unbound
554 exit 0
555 fi
556
557 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
558
559 # Update configuration files
560 write_tuning_conf
561 write_forward_conf
562
563 boot_mesg "Starting Unbound DNS Proxy..."
564 loadproc /usr/sbin/unbound || exit $?
565
566 # Make own hostname resolveable
567 own_hostname
568
569 # Install Safe Search rules when the system is already online
570 if [ -e "/var/ipfire/red/active" ]; then
571 update_safe_search
572 fi
573
574 # Update hosts
575 update_hosts
576
577 fix_time_if_dns_fail
578 ;;
579
580 stop)
581 boot_mesg "Stopping Unbound DNS Proxy..."
582 killproc /usr/sbin/unbound
583 ;;
584
585 restart)
586 $0 stop
587 sleep 1
588 $0 start
589 ;;
590
591 status)
592 statusproc /usr/sbin/unbound
593 ;;
594
595 update-forwarders)
596 : # XXX must set ISP name servers if necessary
597
598 # Update Safe Search settings
599 update_safe_search
600 ;;
601
602 remove-forwarders)
603 : # XXX must remove ISP name servers
604 ;;
605
606 resolve)
607 resolve "${2}"
608 ;;
609
610 update-safe-search)
611 update_safe_search
612 ;;
613
614 *)
615 echo "Usage: $0 {start|stop|restart|status|resolve|update-forwarders|remove-forwarders|update-safe-search}"
616 exit 1
617 ;;
618 esac
619
620 # End $rc_base/init.d/unbound
IPFire 2.x development tree