]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blob - src/initscripts/system/unbound
projects / people / pmueller / ipfire-2.x.git / blob
? search:


7df50e9d4632d48bc04d27984eec4f8477a854c1
[people/pmueller/ipfire-2.x.git] / src / initscripts / system / unbound
1 #!/bin/sh
2 # Begin $rc_base/init.d/unbound
3
4 # Description : Unbound DNS resolver boot script for IPfire
5 # Author : Marcel Lorenz <marcel.lorenz@ipfire.org>
6
7 . /etc/sysconfig/rc
8 . ${rc_functions}
9
10 # Cache any local zones for 60 seconds
11 LOCAL_TTL=60
12
13 # Load configuration
14 eval $(/usr/local/bin/readhash /var/ipfire/dns/settings)
15 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
16
17 ip_address_revptr() {
18 local addr=${1}
19
20 local a1 a2 a3 a4
21 IFS=. read -r a1 a2 a3 a4 <<< ${addr}
22
23 echo "${a4}.${a3}.${a2}.${a1}.in-addr.arpa"
24 }
25
26 read_name_servers() {
27 # Read name servers from ISP
28 if [ "${USE_ISP_NAMESERVERS}" = "on" -a "${PROTO}" != "TLS" ]; then
29 local i
30 for i in 1 2; do
31 echo "$(</var/run/dns${i})"
32 done 2>/dev/null
33 fi
34
35 # Read configured name servers
36 local id address tls_hostname enabled remark
37 while IFS="," read -r id address tls_hostname enabled remark; do
38 [ "${enabled}" != "enabled" ] && continue
39
40 if [ "${PROTO}" = "TLS" ]; then
41 if [ -n "${tls_hostname}" ]; then
42 echo "${address}@853#${tls_hostname}"
43 fi
44 else
45 echo "${address}"
46 fi
47 done < /var/ipfire/dns/servers
48 }
49
50 config_header() {
51 echo "# This file is automatically generated and any changes"
52 echo "# will be overwritten. DO NOT EDIT!"
53 echo
54 }
55
56 write_hosts_conf() {
57 (
58 config_header
59
60 # Make own hostname resolveable
61 # 1.1.1.1 is reserved for unused green, skip this
62 if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
63 echo "local-data: \"${HOSTNAME} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}\""
64 fi
65
66 local address
67 for address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
68 [ -n "${address}" ] || continue
69 [ "${address}" = "1.1.1.1" ] && continue
70
71 address=$(ip_address_revptr ${address})
72 echo "local-data: \"${address} ${LOCAL_TTL} IN PTR ${HOSTNAME}\""
73 done
74
75 # Add all hosts
76 local enabled address hostname domainname generateptr
77 while IFS="," read -r enabled address hostname domainname generateptr; do
78 [ "${enabled}" = "on" ] || continue
79
80 # Build FQDN
81 local fqdn="${hostname}.${domainname}"
82 echo "local-data: \"${fqdn} ${LOCAL_TTL} IN A ${address}\""
83
84 # Skip reverse resolution if the address equals the GREEN address
85 [ "${address}" = "${GREEN_ADDRESS}" ] && continue
86
87 # Skip reverse resolution if user requested not to do so
88 [ "${generateptr}" = "off" ] && continue
89
90 # Add RDNS
91 address=$(ip_address_revptr ${address})
92 echo "local-data: \"${address} ${LOCAL_TTL} IN PTR ${fqdn}\""
93 done < /var/ipfire/main/hosts
94 ) > /etc/unbound/hosts.conf
95 }
96
97 write_forward_conf() {
98 (
99 config_header
100
101 # Enable strict QNAME minimisation
102 if [ "${QNAME_MIN}" = "strict" ]; then
103 echo "server:"
104 echo " qname-minimisation-strict: yes"
105 echo
106 fi
107
108 # Force using TCP for upstream servers only
109 if [ "${PROTO}" = "TCP" ]; then
110 echo "# Force using TCP for upstream servers only"
111 echo "server:"
112 echo " tcp-upstream: yes"
113 echo
114 fi
115
116 local insecure_zones=""
117
118 local enabled zone server servers remark disable_dnssec rest
119 while IFS="," read -r enabled zone servers remark disable_dnssec rest; do
120 # Line must be enabled.
121 [ "${enabled}" = "on" ] || continue
122
123 # Zones that end with .local are commonly used for internal
124 # zones and therefore not signed
125 case "${zone}" in
126 *.local)
127 insecure_zones="${insecure_zones} ${zone}"
128 ;;
129 *)
130 if [ "${disable_dnssec}" = "on" ]; then
131 insecure_zones="${insecure_zones} ${zone}"
132 fi
133 ;;
134 esac
135
136 echo "stub-zone:"
137 echo " name: ${zone}"
138 for server in ${servers//|/ }; do
139 if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
140 echo " stub-addr: ${server}"
141 else
142 echo " stub-host: ${server}"
143 fi
144 done
145 echo
146
147 # Make all reverse lookup zones transparent
148 case "${zone}" in
149 *.in-addr.arpa)
150 echo "server:"
151 echo " local-zone: \"${zone}\" transparent"
152 echo
153 ;;
154 esac
155 done < /var/ipfire/dnsforward/config
156
157 if [ -n "${insecure_zones}" ]; then
158 echo "server:"
159
160 for zone in ${insecure_zones}; do
161 echo " domain-insecure: ${zone}"
162 done
163 fi
164
165 echo "forward-zone:"
166 echo " name: \".\""
167
168 # Force using TLS only
169 if [ "${PROTO}" = "TLS" ]; then
170 echo " forward-tls-upstream: yes"
171 fi
172
173 # Add upstream name servers
174 local ns
175 for ns in $(read_name_servers); do
176 echo " forward-addr: ${ns}"
177 done
178 ) > /etc/unbound/forward.conf
179 }
180
181 write_tuning_conf() {
182 # https://www.unbound.net/documentation/howto_optimise.html
183
184 # Determine number of online processors
185 local processors=$(getconf _NPROCESSORS_ONLN)
186
187 # Determine number of slabs
188 local slabs=1
189 while [ ${slabs} -lt ${processors} ]; do
190 slabs=$(( ${slabs} * 2 ))
191 done
192
193 # Determine amount of system memory
194 local mem=$(get_memory_amount)
195
196 # In the worst case scenario, unbound can use double the
197 # amount of memory allocated to a cache due to malloc overhead
198
199 # Even larger systems with more than 8GB of RAM
200 if [ ${mem} -ge 8192 ]; then
201 mem=1024
202
203 # Extra large systems with more than 4GB of RAM
204 elif [ ${mem} -ge 4096 ]; then
205 mem=512
206
207 # Large systems with more than 2GB of RAM
208 elif [ ${mem} -ge 2048 ]; then
209 mem=256
210
211 # Medium systems with more than 1GB of RAM
212 elif [ ${mem} -ge 1024 ]; then
213 mem=128
214
215 # Small systems with less than 256MB of RAM
216 elif [ ${mem} -le 256 ]; then
217 mem=16
218
219 # Everything else
220 else
221 mem=64
222 fi
223
224 (
225 config_header
226
227 # We run one thread per processor
228 echo "num-threads: ${processors}"
229 echo "so-reuseport: yes"
230
231 # Adjust number of slabs
232 echo "infra-cache-slabs: ${slabs}"
233 echo "key-cache-slabs: ${slabs}"
234 echo "msg-cache-slabs: ${slabs}"
235 echo "rrset-cache-slabs: ${slabs}"
236
237 # Slice up the cache
238 echo "rrset-cache-size: $(( ${mem} / 2 ))m"
239 echo "msg-cache-size: $(( ${mem} / 4 ))m"
240 echo "key-cache-size: $(( ${mem} / 4 ))m"
241
242 # Increase parallel queries
243 echo "outgoing-range: 8192"
244 echo "num-queries-per-thread: 4096"
245
246 # Use larger send/receive buffers
247 echo "so-sndbuf: 4m"
248 echo "so-rcvbuf: 4m"
249 ) > /etc/unbound/tuning.conf
250 }
251
252 get_memory_amount() {
253 local key val unit
254
255 while read -r key val unit; do
256 case "${key}" in
257 MemTotal:*)
258 # Convert to MB
259 echo "$(( ${val} / 1024 ))"
260 break
261 ;;
262 esac
263 done < /proc/meminfo
264 }
265
266 fix_time_if_dns_fails() {
267 # If DNS is working, everything is fine
268 if resolve "ping.ipfire.org" &>/dev/null; then
269 return 0
270 fi
271
272 # Try to sync time with a known time server
273 boot_mesg "DNS not functioning... Trying to sync time with ntp.ipfire.org (81.3.27.46)..."
274 loadproc /usr/local/bin/settime 81.3.27.46
275 }
276
277 resolve() {
278 local hostname="${1}"
279
280 local answer
281 for answer in $(dig +short A "${hostname}"); do
282 # Filter out non-IP addresses
283 if [[ ! "${answer}" =~ \.$ ]]; then
284 echo "${answer}"
285 fi
286 done
287 }
288
289 # Sets up Safe Search for various search engines
290 update_safe_search() {
291 local google_tlds=(
292 google.ad
293 google.ae
294 google.al
295 google.am
296 google.as
297 google.at
298 google.az
299 google.ba
300 google.be
301 google.bf
302 google.bg
303 google.bi
304 google.bj
305 google.bs
306 google.bt
307 google.by
308 google.ca
309 google.cat
310 google.cd
311 google.cf
312 google.cg
313 google.ch
314 google.ci
315 google.cl
316 google.cm
317 google.cn
318 google.co.ao
319 google.co.bw
320 google.co.ck
321 google.co.cr
322 google.co.id
323 google.co.il
324 google.co.in
325 google.co.jp
326 google.co.ke
327 google.co.kr
328 google.co.ls
329 google.com
330 google.co.ma
331 google.com.af
332 google.com.ag
333 google.com.ai
334 google.com.ar
335 google.com.au
336 google.com.bd
337 google.com.bh
338 google.com.bn
339 google.com.bo
340 google.com.br
341 google.com.bz
342 google.com.co
343 google.com.cu
344 google.com.cy
345 google.com.do
346 google.com.ec
347 google.com.eg
348 google.com.et
349 google.com.fj
350 google.com.gh
351 google.com.gi
352 google.com.gt
353 google.com.hk
354 google.com.jm
355 google.com.kh
356 google.com.kw
357 google.com.lb
358 google.com.ly
359 google.com.mm
360 google.com.mt
361 google.com.mx
362 google.com.my
363 google.com.na
364 google.com.nf
365 google.com.ng
366 google.com.ni
367 google.com.np
368 google.com.om
369 google.com.pa
370 google.com.pe
371 google.com.pg
372 google.com.ph
373 google.com.pk
374 google.com.pr
375 google.com.py
376 google.com.qa
377 google.com.sa
378 google.com.sb
379 google.com.sg
380 google.com.sl
381 google.com.sv
382 google.com.tj
383 google.com.tr
384 google.com.tw
385 google.com.ua
386 google.com.uy
387 google.com.vc
388 google.com.vn
389 google.co.mz
390 google.co.nz
391 google.co.th
392 google.co.tz
393 google.co.ug
394 google.co.uk
395 google.co.uz
396 google.co.ve
397 google.co.vi
398 google.co.za
399 google.co.zm
400 google.co.zw
401 google.cv
402 google.cz
403 google.de
404 google.dj
405 google.dk
406 google.dm
407 google.dz
408 google.ee
409 google.es
410 google.fi
411 google.fm
412 google.fr
413 google.ga
414 google.ge
415 google.gg
416 google.gl
417 google.gm
418 google.gp
419 google.gr
420 google.gy
421 google.hn
422 google.hr
423 google.ht
424 google.hu
425 google.ie
426 google.im
427 google.iq
428 google.is
429 google.it
430 google.je
431 google.jo
432 google.kg
433 google.ki
434 google.kz
435 google.la
436 google.li
437 google.lk
438 google.lt
439 google.lu
440 google.lv
441 google.md
442 google.me
443 google.mg
444 google.mk
445 google.ml
446 google.mn
447 google.ms
448 google.mu
449 google.mv
450 google.mw
451 google.ne
452 google.nl
453 google.no
454 google.nr
455 google.nu
456 google.pl
457 google.pn
458 google.ps
459 google.pt
460 google.ro
461 google.rs
462 google.ru
463 google.rw
464 google.sc
465 google.se
466 google.sh
467 google.si
468 google.sk
469 google.sm
470 google.sn
471 google.so
472 google.sr
473 google.st
474 google.td
475 google.tg
476 google.tk
477 google.tl
478 google.tm
479 google.tn
480 google.to
481 google.tt
482 google.vg
483 google.vu
484 google.ws
485 )
486
487 # Cleanup previous settings
488 unbound-control local_zone_remove "bing.com" >/dev/null
489 unbound-control local_zone_remove "duckduckgo.com" >/dev/null
490 unbound-control local_zone_remove "yandex.com" >/dev/null
491 unbound-control local_zone_remove "yandex.ru" >/dev/null
492 unbound-control local_zone_remove "youtube.com" >/dev/null
493
494 local domain
495 for domain in ${google_tlds[@]}; do
496 unbound-control local_zone_remove "${domain}"
497 done >/dev/null
498
499 # Nothing to do if safe search is not enabled
500 if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then
501 return 0
502 fi
503
504 # Bing
505 unbound-control bing.com transparent >/dev/null
506 for address in $(resolve "strict.bing.com"); do
507 unbound-control local_data "www.bing.com ${LOCAL_TTL} IN A ${address}"
508 done >/dev/null
509
510 # DuckDuckGo
511 unbound-control local_zone duckduckgo.com typetransparent >/dev/null
512 for address in $(resolve "safe.duckduckgo.com"); do
513 unbound-control local_data "duckduckgo.com ${LOCAL_TTL} IN A ${address}"
514 done >/dev/null
515
516 # Google
517 local addresses="$(resolve "forcesafesearch.google.com")"
518 for domain in ${google_tlds[@]}; do
519 unbound-control local_zone "${domain}" transparent >/dev/null
520 for address in ${addresses}; do
521 unbound-control local_data: "www.${domain} ${LOCAL_TTL} IN A ${address}"
522 done >/dev/null
523 done
524
525 # Yandex
526 for domain in yandex.com yandex.ru; do
527 unbound-control local_zone "${domain}" typetransparent >/dev/null
528 for address in $(resolve "familysearch.${domain}"); do
529 unbound-control local_data "${domain} ${LOCAL_TTL} IN A ${address}"
530 done >/dev/null
531 done
532
533 # YouTube
534 unbound-control local_zone youtube.com transparent >/dev/null
535 for address in $(resolve "restrictmoderate.youtube.com"); do
536 unbound-control local_data "www.youtube.com ${LOCAL_TTL} IN A ${address}"
537 done >/dev/null
538
539 return 0
540 }
541
542 case "$1" in
543 start)
544 # Print a nicer messagen when unbound is already running
545 if pidofproc -s unbound; then
546 statusproc /usr/sbin/unbound
547 exit 0
548 fi
549
550 # Update configuration files
551 write_tuning_conf
552 write_hosts_conf
553 write_forward_conf
554
555 boot_mesg "Starting Unbound DNS Proxy..."
556 loadproc /usr/sbin/unbound || exit $?
557
558 # Install Safe Search rules when the system is already online
559 if [ -e "/var/ipfire/red/active" ]; then
560 update_safe_search
561 fi
562 ;;
563
564 stop)
565 boot_mesg "Stopping Unbound DNS Proxy..."
566 killproc /usr/sbin/unbound
567 ;;
568
569 restart)
570 $0 stop
571 sleep 1
572 $0 start
573 ;;
574 reload|remove-forwarders)
575 # Update configuration files
576 write_forward_conf
577 write_hosts_conf
578
579 # Update Safe Search rules if the system is online.
580 if [ -e "/var/ipfire/red/active" ]; then
581 update_safe_search
582 fi
583
584 # Call unbound-control and perform the reload
585 /usr/sbin/unbound-control -q reload
586 ;;
587
588 status)
589 statusproc /usr/sbin/unbound
590 ;;
591
592 update-forwarders)
593 $0 reload
594
595 # Make sure DNS works at this point
596 fix_time_if_dns_fails
597 ;;
598
599 resolve)
600 resolve "${2}"
601 ;;
602
603 *)
604 echo "Usage: $0 {start|stop|restart|reload|status|resolve|update-forwarders|remove-forwarders}"
605 exit 1
606 ;;
607 esac
608
609 # End $rc_base/init.d/unbound
Peter's tree of IPFire 2.x