#!/bin/sh
# Begin $rc_base/init.d/unbound

# Description : Unbound DNS resolver boot script for IPfire
# Author : Marcel Lorenz <marcel.lorenz@ipfire.org>
#
# NOTE(review): despite the /bin/sh shebang this script uses bash-only
# constructs (here-strings, [[ ]], arrays, ${var//x/y}, &>), so it only
# works where /bin/sh is bash - as it is on IPFire.

# Pull in the generic init helpers (boot_mesg, loadproc, killproc,
# statusproc, pidofproc, ...) used by the dispatcher at the bottom.
. /etc/sysconfig/rc
. ${rc_functions}

# Cache any local zones for 60 seconds
LOCAL_TTL=60

# Load configuration
# readhash turns the KEY=VALUE settings files into shell assignments which
# are then eval'd, so every key in those files becomes a global variable
# here (PROTO, USE_ISP_NAMESERVERS, QNAME_MIN, ENABLE_SAFE_SEARCH,
# GREEN_ADDRESS, BLUE_ADDRESS, ORANGE_ADDRESS, ...). Nothing in this
# script sanitises those values before they are eval'd or written into
# unbound's configuration; that is presumably done by readhash and by the
# web UI that writes the files - TODO confirm readhash rejects values
# containing shell metacharacters.
eval $(/usr/local/bin/readhash /var/ipfire/dns/settings)
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
# Turn a dotted-quad IPv4 address into its reverse-lookup name under
# in-addr.arpa, e.g. 192.168.1.10 -> 10.1.168.192.in-addr.arpa.
# No validation is performed; callers are expected to pass a valid
# IPv4 address.
ip_address_revptr() {
	local addr="${1}"

	# Split the address on the dots into its four octets
	local o1 o2 o3 o4
	IFS=. read -r o1 o2 o3 o4 <<< "${addr}"

	printf '%s.%s.%s.%s.in-addr.arpa\n' "${o4}" "${o3}" "${o2}" "${o1}"
}
25
# Print the upstream name servers to forward to, one per line.
#
# With PROTO=TLS each entry is "address@853#tls_hostname" (the hostname is
# what unbound authenticates the upstream certificate against), otherwise
# it is the bare address.
#
# Reads the globals USE_ISP_NAMESERVERS and PROTO, the ISP-provided
# resolvers in /var/run/dns1 and /var/run/dns2, and the user-configured
# servers in /var/ipfire/dns/servers
# (format: id,address,tls_hostname,enabled,remark).
read_name_servers() {
	# ISP resolvers are only usable for plain DNS: there is no hostname
	# to authenticate them against, so they are skipped for DNS-over-TLS.
	if [[ "${USE_ISP_NAMESERVERS}" == "on" && "${PROTO}" != "TLS" ]]; then
		local n
		for n in 1 2; do
			echo "$(</var/run/dns${n})"
		done 2>/dev/null
	fi

	# Read configured name servers
	local id address tls_hostname enabled remark
	while IFS="," read -r id address tls_hostname enabled remark; do
		[[ "${enabled}" == "enabled" ]] || continue

		case "${PROTO}" in
			TLS)
				# A server without a TLS hostname cannot be
				# authenticated and is therefore left out
				if [[ -n "${tls_hostname}" ]]; then
					echo "${address}@853#${tls_hostname}"
				fi
				;;
			*)
				echo "${address}"
				;;
		esac
	done < /var/ipfire/dns/servers
}
49
# Print the banner that opens every generated unbound configuration
# file, warning that manual edits will be lost on the next regeneration.
# Ends with an empty line.
config_header() {
	printf '%s\n' \
		"# This file is automatically generated and any changes" \
		"# will be overwritten. DO NOT EDIT!" \
		""
}
55
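# Generate /etc/unbound/hosts.conf: local-data records for the firewall's
# own hostname on its interfaces plus every enabled entry of the static
# hosts file /var/ipfire/main/hosts (format:
# enabled,address,hostname,domainname,generateptr), with reverse (PTR)
# records unless suppressed.
#
# Reads the globals HOSTNAME, LOCAL_TTL, GREEN_ADDRESS, BLUE_ADDRESS and
# ORANGE_ADDRESS. The file is overwritten on every call.
#
# NOTE(review): hostnames, domain names and addresses are written
# unescaped inside a double-quoted local-data string; a value containing
# a double quote would break the generated file. The web UI is presumably
# the only writer of these files and validates them - confirm.
write_hosts_conf() {
	(
		config_header

		# Make own hostname resolveable
		# 1.1.1.1 is reserved for unused green, skip this
		if [ -n "${GREEN_ADDRESS}" ] && [ "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
			echo "local-data: \"${HOSTNAME} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}\""
		fi

		# Reverse records for all of our own interface addresses
		# (unset interfaces simply expand to nothing here)
		local address
		for address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
			[ -n "${address}" ] || continue
			[ "${address}" = "1.1.1.1" ] && continue

			address="$(ip_address_revptr "${address}")"
			echo "local-data: \"${address} ${LOCAL_TTL} IN PTR ${HOSTNAME}\""
		done

		# Add all hosts
		# The "|| [ -n ... ]" keeps a final line without a trailing
		# newline from being silently dropped by read.
		local enabled address hostname domainname generateptr
		while IFS="," read -r enabled address hostname domainname generateptr || [ -n "${enabled}" ]; do
			[ "${enabled}" = "on" ] || continue

			# Build FQDN
			local fqdn="${hostname}.${domainname}"
			echo "local-data: \"${fqdn} ${LOCAL_TTL} IN A ${address}\""

			# Skip reverse resolution if the address equals the GREEN
			# address (the firewall's own PTR was emitted above)
			[ "${address}" = "${GREEN_ADDRESS}" ] && continue

			# Skip reverse resolution if user requested not to do so
			[ "${generateptr}" = "off" ] && continue

			# Add RDNS
			address="$(ip_address_revptr "${address}")"
			echo "local-data: \"${address} ${LOCAL_TTL} IN PTR ${fqdn}\""
		done < /var/ipfire/main/hosts
	) > /etc/unbound/hosts.conf
}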
96
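# Generate /etc/unbound/forward.conf: the resolver options that depend on
# the DNS settings (strict QNAME minimisation, TCP-only upstream), one
# stub-zone per enabled entry of /var/ipfire/dnsforward/config (format:
# enabled,zone,server1|server2|...,remark,disable_dnssec), the list of
# zones excluded from DNSSEC validation, and the forward-zone for "." that
# sends everything else to the upstreams returned by read_name_servers.
#
# Reads the globals QNAME_MIN and PROTO. The file is overwritten on every
# call.
write_forward_conf() {
	(
		config_header

		# Enable strict QNAME minimisation
		if [ "${QNAME_MIN}" = "strict" ]; then
			echo "server:"
			echo "	qname-minimisation-strict: yes"
			echo
		fi

		# Force using TCP for upstream servers only
		if [ "${PROTO}" = "TCP" ]; then
			echo "# Force using TCP for upstream servers only"
			echo "server:"
			echo "	tcp-upstream: yes"
			echo
		fi

		# Zones for which DNSSEC validation gets switched off
		local insecure_zones=""

		# The "|| [ -n ... ]" keeps a final line without a trailing
		# newline from being silently dropped by read.
		local enabled zone server servers remark disable_dnssec rest
		while IFS="," read -r enabled zone servers remark disable_dnssec rest || [ -n "${enabled}" ]; do
			# Line must be enabled.
			[ "${enabled}" = "on" ] || continue

			# Zones that end with .local are commonly used for internal
			# zones and therefore not signed. Any other zone only loses
			# DNSSEC validation when the user explicitly asked for it.
			# domain-insecure means forged answers for that zone are
			# accepted, so this list should stay as short as possible.
			case "${zone}" in
				*.local)
					insecure_zones="${insecure_zones} ${zone}"
					;;
				*)
					if [ "${disable_dnssec}" = "on" ]; then
						insecure_zones="${insecure_zones} ${zone}"
					fi
					;;
			esac

			# IPv4 literals become stub-addr; anything else is taken
			# to be a hostname that unbound resolves itself.
			# NOTE(review): an IPv6 literal would be emitted as
			# stub-host here - confirm the web UI does not accept one.
			echo "stub-zone:"
			echo "	name: ${zone}"
			for server in ${servers//|/ }; do
				if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
					echo "	stub-addr: ${server}"
				else
					echo "	stub-host: ${server}"
				fi
			done
			echo

			# Make all reverse lookup zones transparent (unbound
			# otherwise answers the private in-addr.arpa ranges
			# locally and would never consult the stub)
			case "${zone}" in
				*.in-addr.arpa)
					echo "server:"
					echo "	local-zone: \"${zone}\" transparent"
					echo
					;;
			esac
		done < /var/ipfire/dnsforward/config

		if [ -n "${insecure_zones}" ]; then
			echo "server:"

			for zone in ${insecure_zones}; do
				echo "	domain-insecure: ${zone}"
			done
		fi

		echo "forward-zone:"
		echo "	name: \".\""

		# Force using TLS only. Each forward-addr then carries the
		# "@853#hostname" the upstream certificate is checked against;
		# the CA bundle for that check is presumably configured in the
		# main unbound.conf, not here.
		if [ "${PROTO}" = "TLS" ]; then
			echo "	forward-tls-upstream: yes"
		fi

		# Add upstream name servers
		local ns
		for ns in $(read_name_servers); do
			echo "	forward-addr: ${ns}"
		done
	) > /etc/unbound/forward.conf
}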
180
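# Generate /etc/unbound/tuning.conf with thread, slab and cache sizes
# derived from the number of online processors and the amount of RAM,
# following https://www.unbound.net/documentation/howto_optimise.html
#
# Calls get_memory_amount. The file is overwritten on every call.
write_tuning_conf() {
	# Determine number of online processors. Fall back to a single
	# thread if getconf cannot tell us, instead of writing an empty
	# num-threads and breaking the arithmetic below.
	local processors
	processors="$(getconf _NPROCESSORS_ONLN 2>/dev/null)"
	[[ "${processors}" =~ ^[0-9]+$ ]] || processors=1

	# Determine number of slabs: the smallest power of two that is
	# at least the number of processors
	local slabs=1
	while [ "${slabs}" -lt "${processors}" ]; do
		slabs=$(( slabs * 2 ))
	done

	# Determine amount of system memory in MB (treat an unreadable
	# value as "small system")
	local mem
	mem="$(get_memory_amount)"
	[[ "${mem}" =~ ^[0-9]+$ ]] || mem=0

	# In the worst case scenario, unbound can use double the
	# amount of memory allocated to a cache due to malloc overhead,
	# so only a fraction of the RAM is handed to the caches.

	# Even larger systems with at least 8GB of RAM
	if [ "${mem}" -ge 8192 ]; then
		mem=1024

	# Extra large systems with at least 4GB of RAM
	elif [ "${mem}" -ge 4096 ]; then
		mem=512

	# Large systems with at least 2GB of RAM
	elif [ "${mem}" -ge 2048 ]; then
		mem=256

	# Medium systems with at least 1GB of RAM
	elif [ "${mem}" -ge 1024 ]; then
		mem=128

	# Small systems with 256MB of RAM or less
	elif [ "${mem}" -le 256 ]; then
		mem=16

	# Everything else
	else
		mem=64
	fi

	(
		config_header

		# We run one thread per processor
		echo "num-threads: ${processors}"
		echo "so-reuseport: yes"

		# Adjust number of slabs
		echo "infra-cache-slabs: ${slabs}"
		echo "key-cache-slabs: ${slabs}"
		echo "msg-cache-slabs: ${slabs}"
		echo "rrset-cache-slabs: ${slabs}"

		# Slice up the cache: half for RRsets, a quarter each for
		# messages and DNSSEC keys
		echo "rrset-cache-size: $(( mem / 2 ))m"
		echo "msg-cache-size: $(( mem / 4 ))m"
		echo "key-cache-size: $(( mem / 4 ))m"

		# Increase parallel queries
		echo "outgoing-range: 8192"
		echo "num-queries-per-thread: 4096"

		# Use larger send/receive buffers
		echo "so-sndbuf: 4m"
		echo "so-rcvbuf: 4m"
	) > /etc/unbound/tuning.conf
}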
251
# Print the total system memory in whole megabytes, taken from the
# MemTotal line of /proc/meminfo (which reports kB). Prints nothing if
# no MemTotal line is found.
get_memory_amount() {
	# First match only; integer division like the shell's $(( ))
	awk '/^MemTotal:/ { print int($2 / 1024); exit }' /proc/meminfo
}
# If a test lookup fails, set the clock from a fixed NTP address as a
# last resort - presumably because a wrong clock is one reason DNS(SEC)
# can fail, and with DNS down the time server cannot be found by name.
# Note that, as far as this script shows, nothing authenticates that
# time source.
#
# Calls resolve, boot_mesg and loadproc. Returns 0 when DNS works,
# otherwise the status of the settime call.
fix_time_if_dns_fails() {
	# If DNS is working, everything is fine
	resolve "ping.ipfire.org" >/dev/null 2>&1 && return 0

	# Try to sync time with a known time server
	boot_mesg "DNS not functioning... Trying to sync time with ntp.ipfire.org (81.3.27.46)..."
	loadproc /usr/local/bin/settime 81.3.27.46
}
276
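# Resolve ${1} to its IPv4 addresses with dig and print one address per
# line (nothing if the name does not resolve or dig is unavailable).
#
# "dig +short" also prints CNAME targets (ending in a dot) and, on
# failure, diagnostic text such as ";; connection timed out; no servers
# could be reached" - on stdout. Only answers that look like a
# dotted-quad IPv4 address are passed through, so callers can splice the
# output straight into unbound-control local_data commands without
# feeding them words like ";;".
resolve() {
	local hostname="${1}"

	local answer
	for answer in $(dig +short A "${hostname}"); do
		# Filter out CNAME targets and diagnostic text
		if [[ "${answer}" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
			echo "${answer}"
		fi
	done
}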
288
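# Sets up Safe Search for various search engines by overriding, in the
# running unbound, the A records of the engines' front-end names with the
# addresses of their "safe"/"strict" endpoints.
#
# Always starts by removing the local zones it may have installed
# earlier, so that disabling the feature (ENABLE_SAFE_SEARCH != "on")
# leaves no stale overrides behind. The records are installed with
# unbound-control at runtime only; they are not persisted and must be
# re-applied after every start or reload.
#
# Caveat: the addresses come from resolve(), i.e. from a live DNS lookup.
# If that lookup returns nothing (upstream DNS unreachable, for example)
# no override is installed for that engine and clients silently reach the
# unfiltered site. The caller therefore only runs this while RED is up.
#
# Fixes two invalid unbound-control invocations of the previous version:
# "unbound-control bing.com transparent" (missing local_zone subcommand)
# and "unbound-control local_data: ..." (stray colon) - neither created
# the records it was meant to.
#
# Reads the globals ENABLE_SAFE_SEARCH and LOCAL_TTL. Always returns 0.
update_safe_search() {
	local google_tlds=(
		google.ad
		google.ae
		google.al
		google.am
		google.as
		google.at
		google.az
		google.ba
		google.be
		google.bf
		google.bg
		google.bi
		google.bj
		google.bs
		google.bt
		google.by
		google.ca
		google.cat
		google.cd
		google.cf
		google.cg
		google.ch
		google.ci
		google.cl
		google.cm
		google.cn
		google.co.ao
		google.co.bw
		google.co.ck
		google.co.cr
		google.co.id
		google.co.il
		google.co.in
		google.co.jp
		google.co.ke
		google.co.kr
		google.co.ls
		google.com
		google.co.ma
		google.com.af
		google.com.ag
		google.com.ai
		google.com.ar
		google.com.au
		google.com.bd
		google.com.bh
		google.com.bn
		google.com.bo
		google.com.br
		google.com.bz
		google.com.co
		google.com.cu
		google.com.cy
		google.com.do
		google.com.ec
		google.com.eg
		google.com.et
		google.com.fj
		google.com.gh
		google.com.gi
		google.com.gt
		google.com.hk
		google.com.jm
		google.com.kh
		google.com.kw
		google.com.lb
		google.com.ly
		google.com.mm
		google.com.mt
		google.com.mx
		google.com.my
		google.com.na
		google.com.nf
		google.com.ng
		google.com.ni
		google.com.np
		google.com.om
		google.com.pa
		google.com.pe
		google.com.pg
		google.com.ph
		google.com.pk
		google.com.pr
		google.com.py
		google.com.qa
		google.com.sa
		google.com.sb
		google.com.sg
		google.com.sl
		google.com.sv
		google.com.tj
		google.com.tr
		google.com.tw
		google.com.ua
		google.com.uy
		google.com.vc
		google.com.vn
		google.co.mz
		google.co.nz
		google.co.th
		google.co.tz
		google.co.ug
		google.co.uk
		google.co.uz
		google.co.ve
		google.co.vi
		google.co.za
		google.co.zm
		google.co.zw
		google.cv
		google.cz
		google.de
		google.dj
		google.dk
		google.dm
		google.dz
		google.ee
		google.es
		google.fi
		google.fm
		google.fr
		google.ga
		google.ge
		google.gg
		google.gl
		google.gm
		google.gp
		google.gr
		google.gy
		google.hn
		google.hr
		google.ht
		google.hu
		google.ie
		google.im
		google.iq
		google.is
		google.it
		google.je
		google.jo
		google.kg
		google.ki
		google.kz
		google.la
		google.li
		google.lk
		google.lt
		google.lu
		google.lv
		google.md
		google.me
		google.mg
		google.mk
		google.ml
		google.mn
		google.ms
		google.mu
		google.mv
		google.mw
		google.ne
		google.nl
		google.no
		google.nr
		google.nu
		google.pl
		google.pn
		google.ps
		google.pt
		google.ro
		google.rs
		google.ru
		google.rw
		google.sc
		google.se
		google.sh
		google.si
		google.sk
		google.sm
		google.sn
		google.so
		google.sr
		google.st
		google.td
		google.tg
		google.tk
		google.tl
		google.tm
		google.tn
		google.to
		google.tt
		google.vg
		google.vu
		google.ws
	)

	# Cleanup previous settings
	local domain
	for domain in bing.com duckduckgo.com yandex.com yandex.ru youtube.com "${google_tlds[@]}"; do
		unbound-control local_zone_remove "${domain}"
	done >/dev/null

	# Nothing to do if safe search is not enabled
	if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
		return 0
	fi

	# Bing
	unbound-control local_zone bing.com transparent >/dev/null
	_safe_search_add_a "www.bing.com" $(resolve "strict.bing.com")

	# DuckDuckGo
	unbound-control local_zone duckduckgo.com typetransparent >/dev/null
	_safe_search_add_a "duckduckgo.com" $(resolve "safe.duckduckgo.com")

	# Google: one lookup, applied to every country-code domain
	local addresses
	addresses="$(resolve "forcesafesearch.google.com")"
	for domain in "${google_tlds[@]}"; do
		unbound-control local_zone "${domain}" transparent >/dev/null
		_safe_search_add_a "www.${domain}" ${addresses}
	done

	# Yandex
	for domain in yandex.com yandex.ru; do
		unbound-control local_zone "${domain}" typetransparent >/dev/null
		_safe_search_add_a "${domain}" $(resolve "familysearch.${domain}")
	done

	# YouTube
	unbound-control local_zone youtube.com transparent >/dev/null
	_safe_search_add_a "www.youtube.com" $(resolve "restrictmoderate.youtube.com")

	return 0
}

# Install an A record for ${1} in the running unbound for each address
# given in the remaining arguments. Arguments that are not dotted-quad
# IPv4 addresses are skipped, so nothing but an address ever reaches
# unbound-control local_data. Does nothing when no addresses are given.
_safe_search_add_a() {
	local name="${1}"
	shift

	local address
	for address in "$@"; do
		[[ "${address}" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || continue
		unbound-control local_data "${name} ${LOCAL_TTL} IN A ${address}"
	done >/dev/null
}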
541
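# Init script dispatcher. Safe Search records are installed at runtime via
# unbound-control and do not survive "unbound-control reload" (which
# rebuilds the local zones from the configuration files), so in the
# reload path they are (re)applied only after the reload has happened.
case "$1" in
	start)
		# Print a nicer message when unbound is already running
		if pidofproc -s unbound; then
			statusproc /usr/sbin/unbound
			exit 0
		fi

		# Update configuration files. tuning.conf is only written
		# here, not on reload - presumably because thread and cache
		# settings need a full restart to take effect.
		write_tuning_conf
		write_hosts_conf
		write_forward_conf

		boot_mesg "Starting Unbound DNS Proxy..."
		loadproc /usr/sbin/unbound || exit $?

		# Install Safe Search rules when the system is already online
		# (they need a working upstream lookup, see update_safe_search)
		if [ -e "/var/ipfire/red/active" ]; then
			update_safe_search
		fi
		;;

	stop)
		boot_mesg "Stopping Unbound DNS Proxy..."
		killproc /usr/sbin/unbound
		;;

	restart)
		$0 stop
		sleep 1
		$0 start
		;;

	reload|remove-forwarders)
		# Update configuration files
		write_forward_conf
		write_hosts_conf

		# Call unbound-control and perform the reload
		/usr/sbin/unbound-control -q reload

		# Update Safe Search rules if the system is online. This
		# has to come after the reload, which would discard them.
		if [ -e "/var/ipfire/red/active" ]; then
			update_safe_search
		fi
		;;

	status)
		statusproc /usr/sbin/unbound
		;;

	update-forwarders)
		$0 reload

		# Make sure DNS works at this point
		fix_time_if_dns_fails
		;;

	resolve)
		resolve "${2}"
		;;

	*)
		echo "Usage: $0 {start|stop|restart|reload|status|resolve|update-forwarders|remove-forwarders}"
		exit 1
		;;
esac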
608
609# End $rc_base/init.d/unbound