#!/bin/sh
# Begin $rc_base/init.d/unbound

# Description : Unbound DNS resolver boot script for IPFire
# Author : Marcel Lorenz <marcel.lorenz@ipfire.org>
# Pull in the rc helpers; boot_mesg, loadproc, killproc, statusproc and
# pidofproc used below are presumably defined by these files -- confirm.
. /etc/sysconfig/rc
. ${rc_functions}

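TEST_DOMAIN="ipfire.org"

# This domain will never validate
TEST_DOMAIN_FAIL="dnssec-failed.org"

# Cache any local zones for 60 seconds
LOCAL_TTL=60

# Load configuration (presumably the source of PROTO and ENABLE_SAFE_SEARCH
# used further down -- confirm).
# NOTE(review): this eval()s whatever readhash prints, so the settings file is
# trusted completely. The substitution is quoted so that every line readhash
# emits is evaluated as its own statement instead of being word-split and
# re-joined with spaces (ShellCheck SC2046).
eval "$(/usr/local/bin/readhash /var/ipfire/dns/settings)"
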
ip_address_revptr() {
  # Turn a dotted-quad IPv4 address into its reverse-lookup name, e.g.
  # 192.168.0.1 -> 1.0.168.192.in-addr.arpa. No validation is done: with
  # fewer than four labels the leading fields of the result are simply empty.
  # Arguments: $1 - IPv4 address
  # Outputs:   the in-addr.arpa name on stdout
  local o1 o2 o3 o4
  IFS=. read -r o1 o2 o3 o4 <<< "${1}"
  printf '%s.%s.%s.%s.in-addr.arpa\n' "${o4}" "${o3}" "${o2}" "${o1}"
}

read_name_servers() {
  # Print the ISP name servers stored in /var/ipfire/red/dns1 and dns2 on a
  # single line, separated by spaces. A missing file is silently skipped
  # (the read error is discarded by the redirection on the loop).
  local n
  for n in 1 2; do
    printf '%s\n' "$(</var/ipfire/red/dns${n})"
  done 2>/dev/null | xargs echo
}

check_red_has_carrier_and_ip() {
  # NOTE: inverted sense. Returns 0 when RED is NOT usable (not configured,
  # interface missing, no carrier, or no "inet"/"inet6" address) and 1 when
  # it has both carrier and an address. Callers test for "${?}" = "1".
  local iface

  # Interface configured?
  [ -e "/var/ipfire/red/iface" ] || return 0
  iface=$(</var/ipfire/red/iface)

  # Interface present?
  [ -e "/sys/class/net/${iface}" ] || return 0

  # Has carrier? (an unreadable carrier file counts as "no carrier")
  [ "$(</sys/class/net/${iface}/carrier)" = "1" ] || return 0

  # Has an address? The substring match also covers "inet6".
  ip address show dev "${iface}" | grep -q "inet" || return 0

  return 1
}

config_header() {
  # Emit the "do not edit" banner that starts every generated unbound file,
  # followed by one empty line.
  printf '%s\n' \
    "# This file is automatically generated and any changes" \
    "# will be overwritten. DO NOT EDIT!" \
    ""
}

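own_hostname() {
  # Register the firewall's own FQDN in unbound: an A record pointing at the
  # GREEN address and a PTR record for every configured GREEN/BLUE/ORANGE
  # address. 1.1.1.1 marks an unused GREEN interface and is skipped.
  # Globals: GREEN_ADDRESS, BLUE_ADDRESS, ORANGE_ADDRESS, LOCAL_TTL
  local fqdn
  fqdn=$(hostname -f)

  # Without a host name every record below would be malformed, so stop here
  # instead of handing unbound-control empty owner names.
  if [ -z "${fqdn}" ]; then
    return 0
  fi

  # 1.1.1.1 is reserved for unused green, skip this
  if [ -n "${GREEN_ADDRESS}" ] && [ "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
    unbound-control -q local_data "${fqdn} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}"
  fi

  # Deliberately unquoted: empty (unconfigured) addresses drop out of the list.
  local address
  for address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
    [ -n "${address}" ] || continue
    [ "${address}" = "1.1.1.1" ] && continue

    address=$(ip_address_revptr "${address}")
    unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${fqdn}"
  done
}
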
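update_hosts() {
  # Add an A record (and, unless disabled, a PTR record) to unbound for every
  # enabled entry of the hosts file. Each line has the form
  # "enabled,address,hostname,domainname,generateptr"; a 6th field and beyond,
  # if one ever appears, would end up in generateptr -- presumably never the
  # case with files written by the web UI.
  # Arguments: $1 - hosts file (default: /var/ipfire/main/hosts)
  # Globals:   GREEN_ADDRESS, LOCAL_TTL
  local hosts_file="${1:-/var/ipfire/main/hosts}"
  local enabled address hostname domainname generateptr

  # The "|| [ -n ... ]" clause also processes a last line that has no
  # trailing newline, which plain "read" would otherwise drop.
  while IFS="," read -r enabled address hostname domainname generateptr \
      || [ -n "${enabled}" ]; do
    [ "${enabled}" = "on" ] || continue

    # Build FQDN
    local fqdn="${hostname}.${domainname}"

    unbound-control -q local_data "${fqdn} ${LOCAL_TTL} IN A ${address}"

    # Skip reverse resolution if the address equals the GREEN address
    # (presumably because own_hostname already registers that PTR)
    [ "${address}" = "${GREEN_ADDRESS}" ] && continue

    # Skip reverse resolution if user requested not to do so
    [ "${generateptr}" = "off" ] && continue

    # Add RDNS
    address=$(ip_address_revptr "${address}")
    unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${fqdn}"
  done < "${hosts_file}"
}
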
write_forward_conf() {
  # Generate /etc/unbound/forward.conf:
  #   - "tcp-upstream" when PROTO is TCP
  #   - one stub-zone per enabled line of /var/ipfire/dnsforward/config
  #     (fields: enabled,zone,servers,remark,disable_dnssec; "rest" catches any
  #     extra fields, "remark" is not used). Servers are '|'-separated; a plain
  #     IPv4 literal becomes stub-addr, anything else stub-host.
  #   - "domain-insecure" for every *.local zone and every zone whose
  #     disable_dnssec flag is on. This switches DNSSEC validation OFF for
  #     those zones, so it should only cover zones that are really unsigned.
  #   - the "." forward-zone listing the enabled upstream servers from
  #     /var/ipfire/dns/servers (fields: id,address,tls_hostname,enabled,remark)
  # Zone names and addresses are written into the file unescaped; this
  # assumes the web UI that writes those files has validated them -- confirm.
  # Globals: PROTO
  (
    config_header

    # Force using TCP for upstream servers only
    if [ "${PROTO}" = "TCP" ]; then
      echo "# Force using TCP for upstream servers only"
      echo "server:"
      echo " tcp-upstream: yes"
      echo
    fi

    # Space-separated list of zones to exclude from DNSSEC validation
    local insecure_zones=""

    local enabled zone server servers remark disable_dnssec rest
    while IFS="," read -r enabled zone servers remark disable_dnssec rest; do
      # Line must be enabled.
      [ "${enabled}" = "on" ] || continue

      # Zones that end with .local are commonly used for internal
      # zones and therefore not signed
      case "${zone}" in
        *.local)
          insecure_zones="${insecure_zones} ${zone}"
          ;;
        *)
          if [ "${disable_dnssec}" = "on" ]; then
            insecure_zones="${insecure_zones} ${zone}"
          fi
          ;;
      esac

      echo "stub-zone:"
      echo " name: ${zone}"
      # '|' separates multiple servers in the config file
      for server in ${servers//|/ }; do
        if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
          echo " stub-addr: ${server}"
        else
          echo " stub-host: ${server}"
        fi
      done
      echo

      # Make all reverse lookup zones transparent
      # (presumably so unbound's built-in handling of private reverse zones
      # does not answer these itself -- confirm)
      case "${zone}" in
        *.in-addr.arpa)
          echo "server:"
          echo " local-zone: \"${zone}\" transparent"
          echo
          ;;
      esac
    done < /var/ipfire/dnsforward/config

    if [ -n "${insecure_zones}" ]; then
      echo "server:"

      for zone in ${insecure_zones}; do
        echo " domain-insecure: ${zone}"
      done
    fi

    echo "forward-zone:"
    echo " name: \".\""

    # Force using TLS only
    if [ "${PROTO}" = "TLS" ]; then
      echo " forward-tls-upstream: yes"
    fi

    # Add upstream name servers
    local id address tls_hostname enabled remark
    while IFS="," read -r id address tls_hostname enabled remark; do
      # Skip disabled servers
      [ "${enabled}" != "enabled" ] && continue

      # Set DNS server
      if [ "${PROTO}" = "TLS" ]; then
        # "addr@853#name": port 853 plus the name unbound authenticates the
        # server certificate against. A server without a TLS host name is
        # skipped rather than used unauthenticated; if every server lacks
        # one, the forward-zone ends up with no forward-addr at all.
        if [ -n "${tls_hostname}" ]; then
          echo " forward-addr: ${address}@853#${tls_hostname}"
        fi
      else
        echo " forward-addr: ${address}"
      fi
    done < /var/ipfire/dns/servers
  ) > /etc/unbound/forward.conf
}

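write_tuning_conf() {
  # Generate the unbound tuning file: one thread per online processor, cache
  # slabs rounded up to the next power of two, and cache sizes scaled by the
  # amount of system memory.
  # https://www.unbound.net/documentation/howto_optimise.html
  # Arguments: $1 - output file (default: /etc/unbound/tuning.conf)
  local output="${1:-/etc/unbound/tuning.conf}"

  # Determine number of online processors. Fall back to a single thread when
  # getconf yields nothing usable instead of writing an empty "num-threads".
  local processors
  processors=$(getconf _NPROCESSORS_ONLN)
  if ! [[ ${processors} =~ ^[0-9]+$ ]] || (( processors == 0 )); then
    processors=1
  fi

  # Determine number of slabs (smallest power of two >= processors)
  local slabs=1
  while (( slabs < processors )); do
    slabs=$(( slabs * 2 ))
  done

  # Determine amount of system memory in MB. An unreadable value is treated
  # as a small system so the caches stay conservative.
  local mem
  mem=$(get_memory_amount)
  [[ ${mem} =~ ^[0-9]+$ ]] || mem=0

  # In the worst case scenario, unbound can use double the
  # amount of memory allocated to a cache due to malloc overhead.
  # From here on "mem" holds the total cache budget in MB.

  # Even larger systems with 8GB of RAM or more
  if (( mem >= 8192 )); then
    mem=1024

  # Extra large systems with 4GB of RAM or more
  elif (( mem >= 4096 )); then
    mem=512

  # Large systems with 2GB of RAM or more
  elif (( mem >= 2048 )); then
    mem=256

  # Medium systems with 1GB of RAM or more
  elif (( mem >= 1024 )); then
    mem=128

  # Small systems with 256MB of RAM or less
  elif (( mem <= 256 )); then
    mem=16

  # Everything else
  else
    mem=64
  fi

  (
    config_header

    # We run one thread per processor
    echo "num-threads: ${processors}"
    echo "so-reuseport: yes"

    # Adjust number of slabs
    echo "infra-cache-slabs: ${slabs}"
    echo "key-cache-slabs: ${slabs}"
    echo "msg-cache-slabs: ${slabs}"
    echo "rrset-cache-slabs: ${slabs}"

    # Slice up the cache
    echo "rrset-cache-size: $(( mem / 2 ))m"
    echo "msg-cache-size: $(( mem / 4 ))m"
    echo "key-cache-size: $(( mem / 4 ))m"

    # Increase parallel queries
    echo "outgoing-range: 8192"
    echo "num-queries-per-thread: 4096"

    # Use larger send/receive buffers
    echo "so-sndbuf: 4m"
    echo "so-rcvbuf: 4m"
  ) > "${output}"
}
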
get_memory_amount() {
  # Print the total system memory in MB (MemTotal from /proc/meminfo,
  # which is given in kB, divided by 1024 with integer truncation).
  local key val rest

  while read -r key val rest; do
    if [[ "${key}" == MemTotal:* ]]; then
      printf '%s\n' "$(( val / 1024 ))"
      break
    fi
  done < /proc/meminfo
}

fix_time_if_dns_fail() {
  # If DNS still does not work, try to initialise NTP against the
  # hardcoded ntp.ipfire.org (81.3.27.46) so the clock is usable even
  # without name resolution.
  local red_status=0
  check_red_has_carrier_and_ip || red_status=$?

  # check_red_has_carrier_and_ip returns 1 when RED has carrier and an address
  if [ -e "/var/ipfire/red/iface" ] && [ "${red_status}" = "1" ]; then
    # A failed lookup of the pool name means resolution is still broken
    if ! host 0.ipfire.pool.ntp.org > /dev/null 2>&1; then
      boot_mesg "DNS still not functioning... Trying to sync time with ntp.ipfire.org (81.3.27.46)..."
      loadproc /usr/local/bin/settime 81.3.27.46
    fi
  fi
}

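resolve() {
  # Print the IPv4 addresses of a host name, one per line, as returned by
  # "dig +short A". Only dotted-quad answers are passed on: CNAME targets
  # (which end in a dot) and any diagnostic text dig may print on stdout
  # (e.g. ";; connection timed out ...") are dropped, so callers can feed
  # the output straight into unbound-control local_data.
  # Arguments: $1 - host name to look up
  local hostname="${1}"

  local answer
  for answer in $(dig +short A "${hostname}"); do
    # Filter out anything that is not a plain IPv4 address
    if [[ ${answer} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
      echo "${answer}"
    fi
  done
}
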
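# Sets up Safe Search for various search engines
update_safe_search() {
  # Rewrite the search engines' A records in unbound so that clients land on
  # the providers' "safe search" endpoints. Rules from an earlier run are
  # always removed first; new ones are only installed when ENABLE_SAFE_SEARCH
  # is "on". The replacement addresses come from resolve(), i.e. from
  # upstream DNS answers, so they are only as trustworthy as the resolver
  # path that produced them.
  # Globals: ENABLE_SAFE_SEARCH, LOCAL_TTL
  # Returns: 0
  local google_tlds=(
    google.ad
    google.ae
    google.al
    google.am
    google.as
    google.at
    google.az
    google.ba
    google.be
    google.bf
    google.bg
    google.bi
    google.bj
    google.bs
    google.bt
    google.by
    google.ca
    google.cat
    google.cd
    google.cf
    google.cg
    google.ch
    google.ci
    google.cl
    google.cm
    google.cn
    google.co.ao
    google.co.bw
    google.co.ck
    google.co.cr
    google.co.id
    google.co.il
    google.co.in
    google.co.jp
    google.co.ke
    google.co.kr
    google.co.ls
    google.com
    google.co.ma
    google.com.af
    google.com.ag
    google.com.ai
    google.com.ar
    google.com.au
    google.com.bd
    google.com.bh
    google.com.bn
    google.com.bo
    google.com.br
    google.com.bz
    google.com.co
    google.com.cu
    google.com.cy
    google.com.do
    google.com.ec
    google.com.eg
    google.com.et
    google.com.fj
    google.com.gh
    google.com.gi
    google.com.gt
    google.com.hk
    google.com.jm
    google.com.kh
    google.com.kw
    google.com.lb
    google.com.ly
    google.com.mm
    google.com.mt
    google.com.mx
    google.com.my
    google.com.na
    google.com.nf
    google.com.ng
    google.com.ni
    google.com.np
    google.com.om
    google.com.pa
    google.com.pe
    google.com.pg
    google.com.ph
    google.com.pk
    google.com.pr
    google.com.py
    google.com.qa
    google.com.sa
    google.com.sb
    google.com.sg
    google.com.sl
    google.com.sv
    google.com.tj
    google.com.tr
    google.com.tw
    google.com.ua
    google.com.uy
    google.com.vc
    google.com.vn
    google.co.mz
    google.co.nz
    google.co.th
    google.co.tz
    google.co.ug
    google.co.uk
    google.co.uz
    google.co.ve
    google.co.vi
    google.co.za
    google.co.zm
    google.co.zw
    google.cv
    google.cz
    google.de
    google.dj
    google.dk
    google.dm
    google.dz
    google.ee
    google.es
    google.fi
    google.fm
    google.fr
    google.ga
    google.ge
    google.gg
    google.gl
    google.gm
    google.gp
    google.gr
    google.gy
    google.hn
    google.hr
    google.ht
    google.hu
    google.ie
    google.im
    google.iq
    google.is
    google.it
    google.je
    google.jo
    google.kg
    google.ki
    google.kz
    google.la
    google.li
    google.lk
    google.lt
    google.lu
    google.lv
    google.md
    google.me
    google.mg
    google.mk
    google.ml
    google.mn
    google.ms
    google.mu
    google.mv
    google.mw
    google.ne
    google.nl
    google.no
    google.nr
    google.nu
    google.pl
    google.pn
    google.ps
    google.pt
    google.ro
    google.rs
    google.ru
    google.rw
    google.sc
    google.se
    google.sh
    google.si
    google.sk
    google.sm
    google.sn
    google.so
    google.sr
    google.st
    google.td
    google.tg
    google.tk
    google.tl
    google.tm
    google.tn
    google.to
    google.tt
    google.vg
    google.vu
    google.ws
  )

  # Cleanup previous settings (all engines, then every Google TLD)
  local domain
  for domain in bing.com duckduckgo.com yandex.com yandex.ru youtube.com \
      "${google_tlds[@]}"; do
    unbound-control local_zone_remove "${domain}"
  done >/dev/null

  # Nothing to do if safe search is not enabled
  if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
    return 0
  fi

  local address

  # Bing: the zone must be declared via the "local_zone" subcommand before
  # local_data for it is accepted.
  unbound-control local_zone bing.com transparent >/dev/null
  for address in $(resolve "strict.bing.com"); do
    unbound-control local_data "www.bing.com ${LOCAL_TTL} IN A ${address}"
  done >/dev/null

  # DuckDuckGo
  unbound-control local_zone duckduckgo.com typetransparent >/dev/null
  for address in $(resolve "safe.duckduckgo.com"); do
    unbound-control local_data "duckduckgo.com ${LOCAL_TTL} IN A ${address}"
  done >/dev/null

  # Google: resolved once, then applied to every country TLD
  local addresses
  addresses=$(resolve "forcesafesearch.google.com")
  for domain in "${google_tlds[@]}"; do
    unbound-control local_zone "${domain}" transparent >/dev/null
    for address in ${addresses}; do
      # The subcommand is "local_data" (no trailing colon)
      unbound-control local_data "www.${domain} ${LOCAL_TTL} IN A ${address}"
    done >/dev/null
  done

  # Yandex
  for domain in yandex.com yandex.ru; do
    unbound-control local_zone "${domain}" typetransparent >/dev/null
    for address in $(resolve "familysearch.${domain}"); do
      unbound-control local_data "${domain} ${LOCAL_TTL} IN A ${address}"
    done >/dev/null
  done

  # YouTube
  unbound-control local_zone youtube.com transparent >/dev/null
  for address in $(resolve "restrictmoderate.youtube.com"); do
    unbound-control local_data "www.youtube.com ${LOCAL_TTL} IN A ${address}"
  done >/dev/null

  return 0
}
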
# Command handlers for the dispatcher below. They run in the current shell,
# so an "exit" inside them ends the script exactly as it would inline.
start_unbound() {
  # Print a nicer message when unbound is already running
  if pidofproc -s unbound; then
    statusproc /usr/sbin/unbound
    exit 0
  fi

  # Presumably provides GREEN_ADDRESS/BLUE_ADDRESS/ORANGE_ADDRESS -- confirm
  eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)

  # Update configuration files
  write_tuning_conf
  write_forward_conf

  boot_mesg "Starting Unbound DNS Proxy..."
  loadproc /usr/sbin/unbound || exit $?

  # Make own hostname resolveable
  own_hostname

  # Install Safe Search rules when the system is already online
  if [ -e "/var/ipfire/red/active" ]; then
    update_safe_search
  fi

  # Update hosts
  update_hosts

  fix_time_if_dns_fail
}

stop_unbound() {
  boot_mesg "Stopping Unbound DNS Proxy..."
  killproc /usr/sbin/unbound
}

print_usage() {
  printf '%s\n' "Usage: ${0} {start|stop|restart|status|resolve|update-forwarders|remove-forwarders|update-safe-search}"
  exit 1
}

case "${1}" in
  start)
    start_unbound
    ;;

  stop)
    stop_unbound
    ;;

  restart)
    "${0}" stop
    sleep 1
    "${0}" start
    ;;

  status)
    statusproc /usr/sbin/unbound
    ;;

  update-forwarders)
    : # XXX must set ISP name servers if necessary

    # Update Safe Search settings
    update_safe_search
    ;;

  remove-forwarders)
    : # XXX must remove ISP name servers
    ;;

  resolve)
    resolve "${2}"
    ;;

  update-safe-search)
    update_safe_search
    ;;

  *)
    print_usage
    ;;
esac

# End $rc_base/init.d/unbound