#
server:
- # common server options
- chroot: "/etc/unbound"
- username: "unbound"
- pidfile: "/var/run/unbound.pid"
+ # Common Server Options
+ chroot: ""
+ directory: "/etc/unbound"
+ username: "nobody"
num-threads: 2
port: 53
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
- prefetch: yes
so-reuseport: yes
- cache-min-ttl: 3600
- cache-max-ttl: 86400
- unwanted-reply-threshold: 10000
do-not-query-localhost: yes
- # logging options
- logfile: "log/unbound.log"
- use-syslog: no
+ # Logging Options
verbosity: 1
- log-queries: no
+ use-syslog: yes
log-time-ascii: yes
+ log-queries: no
# Unbound Statistics
- statistics-interval: 3600
+ statistics-interval: 0
statistics-cumulative: yes
extended-statistics: yes
- # privacy options
+ # Cache Sizes
+ msg-cache-size: 8m
+ rrset-cache-size: 8m
+ key-cache-size: 4m
+ prefetch: yes
+ prefetch-key: yes
+
+ # Randomise any cached responses
+ rrset-roundrobin: yes
+
+ # Privacy Options
hide-identity: yes
hide-version: yes
qname-minimisation: yes
minimal-responses: yes
- # hardening options (some experimental)
+ # DNSSEC
+ auto-trust-anchor-file: "/var/lib/unbound/root.key"
+ val-permissive-mode: no
+ val-clean-additional: yes
+ val-log-level: 1
+
+ # Hardening Options
harden-glue: yes
+ harden-short-bufsize: no
harden-large-queries: yes
harden-dnssec-stripped: yes
- harden-short-bufsize: no
- harden-below-nxdomain: no
- harden-referral-path: no
+ harden-below-nxdomain: yes
+ harden-referral-path: yes
harden-algo-downgrade: no
- use-caps-for-id: yes
-
- # listen on localhost interface
- interface: 127.0.0.1
+ use-caps-for-id: no
- # file with ipfire interfaces
- include: "/etc/unbound/interfaces.conf"
-
- # control which clients are allowed to make (recursive) queries
+ # Deny access from everywhere
access-control: 0.0.0.0/0 refuse
- access-control: 127.0.0.0/8 allow
- access-control: ::0/0 refuse
- access-control: ::1 allow
- access-control: ::ffff:127.0.0.1 allow
- # file with ipfire networks
- include: "/etc/unbound/access.conf"
+ # Listen on localhost
+ interface: 127.0.0.1
+ access-control: 127.0.0.0/8 allow
- # dnssec main options
- val-clean-additional: yes
- val-log-level: 1
- # file with ipfire dnssec configuration
- include: "/etc/unbound/dnssec.conf"
-
- # DNS Rebinding
- # For DNS Rebinding prevention
- #
- # All these addresses are either private or should not be routable in the global IPv4 or IPv6 internet.
- # IPv4 Addresses
- private-address: 0.0.0.0/8 # Broadcast address
- private-address: 10.0.0.0/8
- private-address: 127.0.0.0/8 # Loopback Localhost
- private-address: 172.16.0.0/12
- private-address: 192.168.0.0/16
- private-address: 169.254.0.0/16
- private-address: 198.18.0.0/15 # Used for testing inter-network communications
- private-address: 198.51.100.0/24 # Documentation network TEST-NET-2
- private-address: 203.0.113.0/24 # Documentation network TEST-NET-3
- private-address: 233.252.0.0/24 # Documentation network MCAST-TEST-NET
- # IPv6 Addresses
- private-address: ::1/128 # Loopback Localhost
- private-address: 2001:db8::/32 # Documentation network IPv6
- private-address: fc00::/8 # Unique local address (ULA) part of "fc00::/7", not defined yet
- private-address: fd00::/8 # Unique local address (ULA) part of "fc00::/7", "/48" prefix group
- private-address: fe80::/10 # Link-local address (LLA)
-
- # file with root servers
+ # Bootstrap root servers
root-hints: "/etc/unbound/root.hints"
- # custom DNS zone files
- include: "/etc/unbound/zones/*.conf"
+ # IPFire interface configuration
+ include: "/etc/unbound/interfaces.conf"
+ interface-automatic: no
- # DHCP leases (if configured)
- include: /etc/unbound/dhcpleases.conf
+ # Include DHCP leases
+ include: "/etc/unbound/dhcp-leases.conf"
- # Blocklists
- include: "/etc/unbound/blocklists/*.conf"
-# end server config
+ # Include any forward zones
+ include: "/etc/unbound/forward.conf"
-# enable remote control only on localhost
remote-control:
control-enable: yes
control-use-cert: yes
server-cert-file: "/etc/unbound/unbound_server.pem"
control-key-file: "/etc/unbound/unbound_control.key"
control-cert-file: "/etc/unbound/unbound_control.pem"
-# end remote control config
-# custom DNS forward config
-include: "/etc/unbound/forward.conf"
+# Import any local configurations
+include: "/etc/unbound/local.d/*.conf"
. /etc/sysconfig/rc
. ${rc_functions}
-if [[ ! -d /run/var ]]; then mkdir /run/var; fi;
+USE_FORWARDERS=1
-CONTROL_INTERFACE_FILE=1
-CONTROL_ACCESS_FILE=1
-USE_CUSTOM_FORWARDS=0
-ENABLE_DNSSEC=1
-
-# Unbound daemon pid file
-PIDFILE=/var/run/unbound.pid
-
-# Watcher deamon pid file must be the same in unbound main init script
-WAPIDFILE=/var/run/unbound_dhcpd.pid
+# Load optional configuration
+[ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound
function cidr() {
local cidr nbits IFS;
echo "${cidr}/${nbits}"
}
+read_name_servers() {
+ local i
+ for i in 1 2; do
+ echo "$(</var/ipfire/red/dns${i})"
+ done | xargs echo
+}
+
+config_header() {
+ echo "# This file is automatically generated and any changes"
+ echo "# will be overwritten. DO NOT EDIT!"
+ echo
+}
+
+update_forwarders() {
+ local forwarders="$(read_name_servers)"
+
+ if [ "${USE_FORWARDERS}" = "1" ] && [ -n "${forwarders}" ]; then
+ boot_mesg "Using Name Server(s): ${forwarders}"
+ boot_mesg_flush
+
+ unbound-control -q forward ${forwarders}
+
+ # If forwarders cannot be used we run in recursor mode
+ else
+ unbound-control -q forward off
+ fi
+}
+
+write_interfaces_conf() {
+ (
+ config_header
+
+ if [ -n "${GREEN_ADDRESS}" ]; then
+ echo "# GREEN"
+ echo "interface: ${GREEN_ADDRESS}"
+ echo "access-control: $(cidr ${GREEN_NETADDRESS} ${GREEN_NETMASK}) allow"
+ fi
+
+ if [ -n "${BLUE_ADDRESS}" ]; then
+ echo "# BLUE"
+ echo "interface: ${BLUE_ADDRESS}"
+ echo "access-control: $(cidr ${BLUE_NETADDRESS} ${BLUE_NETMASK}) allow"
+ fi
+ ) > /etc/unbound/interfaces.conf
+}
+
+write_forward_conf() {
+ (
+ config_header
+
+ local enabled zone server remark
+ while IFS="," read -r enabled zone server remark; do
+ # Line must be enabled.
+ [ "${enabled}" = "on" ] || continue
+
+ echo "forward-zone:"
+ echo " name: ${zone}"
+ echo " forward-addr: ${server}"
+ echo
+ done < /var/ipfire/dnsforward/config
+ ) > /etc/unbound/forward.conf
+}
+
+
case "$1" in
start)
+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+ eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings)
- if [[ -f ${PIDFILE} ]]; then
- log_warning_msg "Unbound daemon is running with Process ID $(cat ${PIDFILE})"
- else
- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
- #ARGS="$CUSTOM_ARGS"
- #[ "$DOMAIN_NAME_GREEN" != "" ] && ARGS="$ARGS -s $DOMAIN_NAME_GREEN"
-
- echo > /var/ipfire/red/resolv.conf # Clear it
- if [ -e "/var/ipfire/red/dns1" ]; then
- DNS1=$(cat /var/ipfire/red/dns1 2>/dev/null)
- if [ ! -z ${DNS1} ]; then
- echo "nameserver ${DNS1}" >> /var/ipfire/red/resolv.conf
- NAMESERVERS="${DNS1} "
- fi
- fi
- if [ -e "/var/ipfire/red/dns2" ]; then
- DNS2=$(cat /var/ipfire/red/dns2 2>/dev/null)
- if [ ! -z ${DNS2} ]; then
- echo "nameserver ${DNS2}" >> /var/ipfire/red/resolv.conf
- NAMESERVERS+="${DNS2} "
- fi
- fi
-
- # create unbound interfaces.conf
- if [ ${CONTROL_INTERFACE_FILE} = 1 ]; then
- echo -n > /etc/unbound/interfaces.conf # Clear it
- if [ ! -z ${GREEN_ADDRESS} ]; then
- echo "interface: ${GREEN_ADDRESS}" >> /etc/unbound/interfaces.conf
- fi
- if [ ! -z ${BLUE_ADDRESS} ]; then
- echo "interface: ${BLUE_ADDRESS}" >> /etc/unbound/interfaces.conf
- fi
- if [ ! -z ${ORANGE_ADDRESS} ]; then
- echo "interface: ${ORANGE_ADDRESS}" >> /etc/unbound/interfaces.conf
- fi
- fi
-
- # create unbound access.conf
- if [ ${CONTROL_ACCESS_FILE} = 1 ]; then
- echo -n > /etc/unbound/access.conf # Clear it
- if [ ! -z ${GREEN_ADDRESS} ]; then
- echo "access-control: $(cidr ${GREEN_ADDRESS} ${GREEN_NETMASK}) allow" >> /etc/unbound/access.conf
- fi
- if [ ! -z ${BLUE_ADDRESS} ]; then
- echo "access-control: $(cidr ${BLUE_ADDRESS} ${BLUE_NETMASK}) allow" >> /etc/unbound/access.conf
- fi
- if [ ! -z ${ORANGE_ADDRESS} ]; then
- echo "access-control: $(cidr ${ORANGE_ADDRESS} ${ORANGE_NETMASK}) allow" >> /etc/unbound/access.conf
- fi
- fi
-
- # create unbound dnssec.conf
- echo -n > /etc/unbound/dnssec.conf # Clear it
- if [ ${ENABLE_DNSSEC} = 1 ]; then
- echo " # dessec enabled per default" >> /etc/unbound/dnssec.conf
- echo " # no necessary config options in this file" >> /etc/unbound/dnssec.conf
- else
- echo " # dnssec now disabled" >> /etc/unbound/dnssec.conf
- echo " module-config: iterator" >> /etc/unbound/dnssec.conf
- echo " val-permissive-mode: yes" >> /etc/unbound/dnssec.conf
- fi
-
- # create zone file for internal ipfire domain
- unbound-zone
-
- boot_mesg "Starting Unbound DNS proxy..."
- unbound-anchor
- loadproc /usr/sbin/unbound
-
- # start dhcpd watcher daemon if DNS-Update (RFC2136) activated
- eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings)
- if [[ ${DNS_UPDATE_ENABLED} = on && ! -f ${WAPIDFILE} ]]; then
- /etc/rc.d/init.d/unbound-dhcpd start
- fi
-
- # use setup configured DNS servers
- if [ "${USE_CUSTOM_FORWARDS}" -eq 0 ]; then
- unbound-control forward_add +i . ${NAMESERVERS} &> /dev/null
- fi;
-
- FORWADRS=$(unbound-control list_forwards |sed 's|. IN forward ||g'|sed 's|+i ||g')
- if [ "${USE_CUSTOM_FORWARDS}" -eq 0 ]; then
- boot_mesg "Using DNS server(s): ${FORWADRS}"
- else
- boot_mesg "Using custom DNS server(s): ${FORWADRS}"
- fi
- if [ ${ENABLE_DNSSEC} = 1 ]; then
- boot_mesg "DNSSEC is enabled!"
- else
- boot_mesg "DNSSEC is disabled!"
- fi
- fi
- ;;
+ # Create control keys at first run
+ if [ ! -r "/etc/unbound/unbound_control.key" ]; then
+ unbound-control-setup -d /etc/unbound &>/dev/null
+ fi
+
+ # Update configuration files
+ write_interfaces_conf
+ write_forward_conf
+
+ boot_mesg "Starting Unbound DNS Proxy..."
+ loadproc /usr/sbin/unbound || exit $?
+
+ # Update any known forwarding name servers
+ update_forwarders
+
+ # Start Unbound DHCP Lease Bridge unless RFC2136 is used
+ if [ "${DNS_UPDATE_ENABLED}" != on ]; then
+ boot_mesg "Starting Unbound DHCP Leases Bridge..."
+ loadproc /usr/sbin/unbound-dhcp-leases-bridge -d
+ fi
+ ;;
stop)
+ boot_mesg "Stopping Unbound DHCP Leases Bridge..."
+ killproc /usr/sbin/unbound-dhcp-leases-bridge
- if [[ -f ${PIDFILE} ]]; then
- # stop dhcpd watcher daemon if activted
- if [[ -f ${WAPIDFILE} ]]; then
- /etc/rc.d/init.d/unbound-dhcpd stop
- fi
- # stop Unbound daemon
- boot_mesg "Stopping Unbound DNS proxy..."
- killproc -p "/var/run/unbound.pid" /usr/sbin/unbound
- else
- log_warning_msg "Unbound daemon is not running..."
- fi
- ;;
+ boot_mesg "Stopping Unbound DNS Proxy..."
+ killproc /usr/sbin/unbound
+ ;;
restart)
- $0 stop
- sleep 1
- $0 start
- ;;
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
status)
- statusproc /usr/sbin/unbound
- ;;
+ statusproc /usr/sbin/unbound
+ statusproc /usr/sbin/unbound-dhcp-leases-bridge
+ ;;
+
+ update-forwarders)
+ update_forwarders
+ ;;
*)
- echo "Usage: $0 {start|stop|restart|status}"
- exit 1
- ;;
+ echo "Usage: $0 {start|stop|restart|status|update-forwarders}"
+ exit 1
+ ;;
esac
# End $rc_base/init.d/unbound