From: Wouter Wijngaards
Date: Thu, 8 May 2014 13:39:03 +0000 (+0000)
Subject: - Contrib windows scripts from Yuri Voinov added to src/contrib:
X-Git-Tag: release-1.5.0rc1~130
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c6e236cdfec57507cdacd3b71658830d5f89a1ad;p=thirdparty%2Funbound.git

- Contrib windows scripts from Yuri Voinov added to src/contrib:
create_unbound_ad_servers.cmd: enters anti-ad server lists.
unbound_cache.cmd: saves and loads the cache.
- Added unbound-control-setup.cmd from Yuri Voinov to the windows
unbound distribution set. It requires openssl installed in %PATH%.

git-svn-id: file:///svn/unbound/trunk@3128 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/contrib/README b/contrib/README
index 943ce5264..4237c7f2b 100644
--- a/contrib/README
+++ b/contrib/README
@@ -19,3 +19,6 @@ distribution but may be helpful.
 Contributed by Ilya Bakulin, 2012-08-28. * patch_rsamd5_enable.diff: this patch enables RSAMD5 validation (otherwise it is treated as insecure). The RSAMD5 algorithm is deprecated (RFC6725).
+* create_unbound_ad_servers.cmd: windows script to enter anti-ad server lists.
+* unbound_cache.cmd: windows script to save and load the cache.
+
diff --git a/contrib/create_unbound_ad_servers.cmd b/contrib/create_unbound_ad_servers.cmd
new file mode 100644
index 000000000..d8c8baa3a
--- /dev/null
+++ b/contrib/create_unbound_ad_servers.cmd
@@ -0,0 +1,36 @@
+@Echo off
+rem Convert the Yoyo.org anti-ad server listing
+rem into an unbound dns spoof redirection list.
+rem Written by Y.Voinov (c) 2014
+
+rem Note: Wget required!
+
+rem Variables
+set prefix="C:\Program Files (x86)"
+set dst_dir=%prefix%\Unbound
+set work_dir=%TEMP%
+set list_addr="http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=1&startdate%5Bday%5D=&startdate%5Bmonth%5D=&startdate%5Byear%5D="
+
+rem Check Wget installed
+for /f "delims=" %%a in ('where wget') do @set wget="%%a"
+if /I %wget% == "" (
+echo Wget not found. If installed, add path to PATH environment variable.
+exit 1
+)
+echo Wget found: %wget%
+
+%wget% -O %work_dir%\yoyo_ad_servers %list_addr%
+
+del /Q /F /S %dst_dir%\unbound_ad_servers
+
+for /F "eol=; tokens=*" %%a in (%work_dir%\yoyo_ad_servers) do (
+echo local-zone: %%a redirect>>%dst_dir%\unbound_ad_servers
+echo local-data: "%%a A 127.0.0.1">>%dst_dir%\unbound_ad_servers
+)
+
+echo Done.
+rem then add an include line to your unbound.conf pointing to the full path of
+rem the unbound_ad_servers file:
+rem
+rem include: $dst_dir/unbound_ad_servers
+rem
diff --git a/contrib/unbound_cache.cmd b/contrib/unbound_cache.cmd
new file mode 100644
index 000000000..0f0069388
--- /dev/null
+++ b/contrib/unbound_cache.cmd
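Review bot: `del /Q /F /S %dst_dir%\unbound_ad_servers` runs and the new file is rebuilt from `%work_dir%\yoyo_ad_servers` without any check that the `%wget%` download succeeded, so a failed or truncated fetch — or an error page, which the plain-http URL gives no integrity check to detect — wipes the existing list and writes whatever came back into a file that unbound.conf includes; add `if errorlevel 1 exit /b 1` directly after the `%wget%` line, and drop `/S`, which also removes same-named files in subdirectories of `%dst_dir%`. The `if /I %wget% == ""` guard does not fire when wget is absent: inside a batch file an unset variable expands to nothing, leaving `if /I == "" (`, which cmd rejects as a syntax error instead of printing the message — `if not defined wget (` is the reliable form, and the `%SSL_PROGRAM%` check in unbound-control-setup.cmd has the identical problem. `exit 1`, here and in unbound_cache.cmd and unbound-control-setup.cmd, terminates the calling console when the script is run interactively; `exit /b 1` returns the status instead.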
@@ -0,0 +1,65 @@
+@echo off
+rem --------------------------------------------------------------
+rem -- DNS cache save/load script
+rem --
+rem -- Version 1.0
+rem -- By Yuri Voinov (c) 2014
+rem --------------------------------------------------------------
+
+rem Variables
+set prefix="C:\Program Files (x86)"
+set program_path=%prefix%\Unbound
+set uc=%program_path%\unbound-control.exe
+set fname="unbound_cache.dmp"
+
+rem Check Unbound installed
+if exist %uc% goto start
+echo Unbound control not found. Exiting...
+exit 1
+
+:start
+
+set arg=%1
+
+if /I "%arg%" == "-h" goto help
+
+if "%arg%" == "" (
+echo Loading cache from %program_path%\%fname%
+type %program_path%\%fname%|%uc% load_cache
+goto end
+)
+
+if /I "%arg%" == "-s" (
+echo Saving cache to %program_path%\%fname%
+%uc% dump_cache>%program_path%\%fname%
+echo ok
+goto end
+)
+
+if /I "%arg%" == "-l" (
+echo Loading cache from %program_path%\%fname%
+type %program_path%\%fname%|%uc% load_cache
+goto end
+)
+
+if /I "%arg%" == "-r" (
+echo Saving cache to %program_path%\%fname%
+%uc% dump_cache>%program_path%\%fname%
+echo ok
+echo Loading cache from %program_path%\%fname%
+type %program_path%\%fname%|%uc% load_cache
+goto end
+)
+
+:help
+echo Usage: unbound_cache.cmd [-s] or [-l] or [-r] or [-h]
+echo.
+echo l - Load - default mode. Warming up Unbound DNS cache from saved file. cache-ttl must be high value.
+echo s - Save - save Unbound DNS cache contents to plain file with domain names.
+echo r - Reload - reloadind new cache entries and refresh existing cache
+echo h - this screen.
+echo Note: Run without any arguments will be in default mode.
+echo Also, unbound-control must be configured.
+exit 1
+
+:end
diff --git a/doc/Changelog b/doc/Changelog
index fa618d5a0..81afc7614 100644
--- a/doc/Changelog
+++ b/doc/Changelog
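Review bot: Neither the empty-argument branch nor the `-l` branch checks that `%program_path%\%fname%` exists before piping it into `load_cache`, so on a host where `-s` has never run `type` reports the missing file, `load_cache` reads empty input, and the script most likely still reaches `:end` with a zero status (a pipeline's status is that of its last command); guard both with `if not exist %program_path%\%fname% (echo no saved cache & exit /b 1)`, or let the empty-argument case `goto` the `-l` block so the load logic lives in one place. The `-r` branch follows the same pattern but dumps first, so it is not affected. Separately, `set fname="unbound_cache.dmp"` keeps the quotes in the value, so the path expands to `"C:\Program Files (x86)"\Unbound\"unbound_cache.dmp"`; cmd generally tolerates split quoting, but the `>` redirection in the `-s` branch is worth a quick test. `reloadind` in the help text is a typo.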
@@ -1,3 +1,10 @@
+8 May 2014: Wouter
+ - Contrib windows scripts from Yuri Voinov added to src/contrib:
+ create_unbound_ad_servers.cmd: enters anti-ad server lists.
+ unbound_cache.cmd: saves and loads the cache.
+ - Added unbound-control-setup.cmd from Yuri Voinov to the windows
+ unbound distribution set. It requires openssl installed in %PATH%.
+
 6 May 2014: Wouter
  - Change MAX_SENT_COUNT from 16 to 32 to resolve some cases easier.
diff --git a/makedist.sh b/makedist.sh
index b378fae91..6f8b474ae 100755
--- a/makedist.sh
+++ b/makedist.sh
@@ -290,9 +290,9 @@ if [ "$DOWIN" = "yes" ]; then
  $strip unbound-service-remove.exe
  cd tmp.$$
  cp ../doc/example.conf example.conf
- cp ../unbound.exe ../unbound-anchor.exe ../unbound-host.exe ../unbound-control.exe ../unbound-checkconf.exe ../unbound-service-install.exe ../unbound-service-remove.exe ../LICENSE ../winrc/unbound-website.url ../winrc/service.conf ../winrc/README.txt .
+ cp ../unbound.exe ../unbound-anchor.exe ../unbound-host.exe ../unbound-control.exe ../unbound-checkconf.exe ../unbound-service-install.exe ../unbound-service-remove.exe ../LICENSE ../winrc/unbound-control-setup.cmd ../winrc/unbound-website.url ../winrc/service.conf ../winrc/README.txt .
  # zipfile
- zip ../$file LICENSE README.txt unbound.exe unbound-anchor.exe unbound-host.exe unbound-control.exe unbound-checkconf.exe unbound-service-install.exe unbound-service-remove.exe example.conf service.conf unbound-website.url
+ zip ../$file LICENSE README.txt unbound.exe unbound-anchor.exe unbound-host.exe unbound-control.exe unbound-checkconf.exe unbound-service-install.exe unbound-service-remove.exe unbound-control-setup.cmd example.conf service.conf unbound-website.url
  info "Testing $file"
  (cd .. ; zip -T $file )
  # installer
diff --git a/winrc/setup.nsi b/winrc/setup.nsi
index 99e34f2e2..cd9fc76df 100644
--- a/winrc/setup.nsi
+++ b/winrc/setup.nsi
@@ -107,6 +107,7 @@ section "-hidden.postinstall"
  File "..\unbound-service-install.exe"
  File "..\unbound-service-remove.exe"
  File "..\anchor-update.exe"
+ File "unbound-control-setup.cmd"
  File "unbound-website.url"
  File "service.conf"
  File "..\doc\example.conf"
@@ -209,6 +210,7 @@ section "un.Unbound"
  Delete "$INSTDIR\unbound-service-install.exe"
  Delete "$INSTDIR\unbound-service-remove.exe"
  Delete "$INSTDIR\anchor-update.exe"
+ Delete "$INSTDIR\unbound-control-setup.cmd"
  Delete "$INSTDIR\unbound-website.url"
  Delete "$INSTDIR\service.conf"
  Delete "$INSTDIR\example.conf"
diff --git a/winrc/unbound-control-setup.cmd b/winrc/unbound-control-setup.cmd
new file mode 100644
index 000000000..46cea1b1f
--- /dev/null
+++ b/winrc/unbound-control-setup.cmd
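Review bot: The `un.Unbound` section now deletes the setup script but not what it produces: unbound-control-setup.cmd writes `unbound_server.key`, `unbound_server.pem`, `unbound_control.key` and `unbound_control.pem` into its DESTDIR, whose default is the install directory, so an uninstall run with the defaults leaves private key material behind in `$INSTDIR`. If those files are meant to survive reinstalls that is a reasonable choice, but it should then be stated in the script's help text; otherwise add matching `Delete "$INSTDIR\unbound_server.key"` lines (and the other three) to this section. Both `section` blocks begin before and continue past their hunks.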
@@ -0,0 +1,167 @@
+@Echo off
+rem
+rem unbound-control-setup.cmd - set up SSL certificates for unbound-control
+rem
+rem Copyright (c) 2008, NLnet Labs. All rights reserved.
+rem Modified for Windows by Y.Voinov (c) 2014
+rem
+rem This software is open source.
+rem
+rem Redistribution and use in source and binary forms, with or without
+rem modification, are permitted provided that the following conditions
+rem are met:
+rem
+rem Redistributions of source code must retain the above copyright notice,
+rem this list of conditions and the following disclaimer.
+rem
+rem Redistributions in binary form must reproduce the above copyright notice,
+rem this list of conditions and the following disclaimer in the documentation
+rem and/or other materials provided with the distribution.
+rem
+rem Neither the name of the NLNET LABS nor the names of its contributors may
+rem be used to endorse or promote products derived from this software without
+rem specific prior written permission.
+rem
+rem THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+rem "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+rem LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+rem A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+rem HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+rem SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+rem TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+rem PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+rem LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+rem NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+rem SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+rem settings:
+
+rem directory for files
+set prefix="C:\Program Files (x86)"
+set DESTDIR=%prefix%\Unbound
+
+rem issuer and subject name for certificates
+set SERVERNAME=unbound
+set CLIENTNAME=unbound-control
+
+rem validity period for certificates
+set DAYS=7200
+
+rem size of keys in bits
+set BITS=1536
+
+rem hash algorithm
+set HASH=sha256
+
+rem base name for unbound server keys
+set SVR_BASE=unbound_server
+
+rem base name for unbound-control keys
+set CTL_BASE=unbound_control
+
+rem end of options
+
+rem Check OpenSSL installed
+for /f "delims=" %%a in ('where openssl') do @set SSL_PROGRAM=%%a
+if /I %SSL_PROGRAM%=="" (
+echo SSL not found. If installed, add path to PATH environment variable.
+exit 1
+)
+echo SSL found: %SSL_PROGRAM%
+
+set arg=%1
+if /I "%arg%" == "-h" goto help
+if /I "%arg%"=="-d" set DESTDIR=%2
+
+rem go!:
+echo setup in directory %DESTDIR%
+cd %$DESTDIR%
+
+rem create certificate keys; do not recreate if they already exist.
+if exist $SVR_BASE.key (
+echo %SVR_BASE%.key exists
+goto next
+)
+echo generating %SVR_BASE%.key
+%SSL_PROGRAM% genrsa -out %SVR_BASE%.key %BITS% || echo could not genrsa && exit 1
+
+:next
+if exist %CTL_BASE%.key (
+echo %CTL_BASE%.key exists
+goto next2
+)
+echo generating %CTL_BASE%.key
+%SSL_PROGRAM% genrsa -out %CTL_BASE%.key %BITS% || echo could not genrsa && exit 1
+
+:next2
+rem create self-signed cert for server
+if exist request.cfg (del /F /Q /S request.cfg)
+echo [req]>>request.cfg
+echo default_bits=%BITS%>>request.cfg
+echo default_md=%HASH%>>request.cfg
+echo prompt=no>>request.cfg
+echo distinguished_name=req_distinguished_name>>request.cfg
+echo.>>request.cfg
+echo [req_distinguished_name]>>request.cfg
+echo commonName=%SERVERNAME%>>request.cfg
+
+if not exist request.cfg (
+echo could not create request.cfg
+exit 1
+)
+
+echo create %SVR_BASE%.pem (self signed certificate)
+%SSL_PROGRAM% req -key %SVR_BASE%.key -config request.cfg -new -x509 -days %DAYS% -out %SVR_BASE%.pem || echo could
not create %SVR_BASE%.pem && exit 1
+rem create trusted usage pem
+%SSL_PROGRAM% x509 -in %SVR_BASE%.pem -addtrust serverAuth -out %SVR_BASE%_trust.pem
+
+rem create client request and sign it
+if exist request.cfg (del /F /Q /S request.cfg)
+echo [req]>>request.cfg
+echo default_bits=%BITS%>>request.cfg
+echo default_md=%HASH%>>request.cfg
+echo prompt=no>>request.cfg
+echo distinguished_name=req_distinguished_name>>request.cfg
+echo.>>request.cfg
+echo [req_distinguished_name]>>request.cfg
+echo commonName=%CLIENTNAME%>>request.cfg
+
+if not exist request.cfg (
+echo could not create request.cfg
+exit 1
+)
+
+echo create %CTL_BASE%.pem (signed client certificate)
+%SSL_PROGRAM% req -key %CTL_BASE%.key -config request.cfg -new | %SSL_PROGRAM% x509 -req -days %DAYS% -CA %SVR_BASE%_trust.pem -CAkey %SVR_BASE%.key -CAcreateserial -%HASH% -out %CTL_BASE%.pem
+
+if not exist %CTL_BASE%.pem (
+echo could not create %CTL_BASE%.pem
+exit 1
+)
+rem create trusted usage pem
+rem %SSL_PROGRAM% x509 -in %CTL_BASE%.pem -addtrust clientAuth -out %CTL_BASE%_trust.pem
+
+rem see details with %SSL_PROGRAM% x509 -noout -text < %SVR_BASE%.pem
+rem echo "create %CTL_BASE%_browser.pfx (web client certificate)"
+rem echo "create webbrowser PKCSrem12 .PFX certificate file. In Firefox import in:"
+rem echo "preferences - advanced - encryption - view certificates - your certs"
+rem echo "empty password is used, simply click OK on the password dialog box."
+rem %SSL_PROGRAM% pkcs12 -export -in %CTL_BASE%_trust.pem -inkey %CTL_BASE%.key -name "unbound remote control client cert" -out %CTL_BASE%_browser.pfx -password "pass:" || echo could not create browser certificate && exit 1
+
+rem remove crap
+del /F /Q /S request.cfg
+del /F /Q /S %CTL_BASE%_trust.pem
+del /F /Q /S %SVR_BASE%_trust.pem
+del /F /Q /S %SVR_BASE%_trust.srl
+
+echo Setup success. Certificates created.
Enable in unbound.conf file to use
+
+exit 0
+
+:help
+echo unbound-control-setup.cmd - setup SSL keys for unbound-control
+echo -d dir use directory to store keys and certificates.
+echo default: %DESTDIR%
+echo please run this command using the same user id that the
+echo unbound daemon uses, it needs read privileges.
+exit 1
\ No newline at end of file
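Review bot: `cd %$DESTDIR%` (just after `rem go!:`) expands a variable named `$DESTDIR`, not `DESTDIR`, so it becomes a bare `cd` that prints the current directory and changes nothing; every key, certificate and `request.cfg` is then written to wherever the script was started from, and `-d dir` has no effect. The server-key guard `if exist $SVR_BASE.key` uses shell syntax instead of `%SVR_BASE%.key`, so it never matches and `unbound_server.key` is regenerated on every run, which silently invalidates the `unbound_control.pem` signed by the previous key and locks out any already-deployed control client until it is re-issued. The failure branches should also be parenthesised: as far as I know cmd evaluates `a || b && c` left to right, in which case `exit 1` also fires after a successful `genrsa`, and `|| (echo could not genrsa & exit /b 1)` is unambiguous either way. Finally, nothing restricts access to the `.key` files (the shell original relies on chmod); under a DESTDIR below Program Files they typically inherit read access for all local users, which is all that is needed to drive unbound-control, so consider an `icacls ... /inheritance:r /grant:r <service-account>:R` step on both keys before `echo Setup success`.

```batch
rem … unchanged: license header and settings …
for /f "delims=" %%a in ('where openssl') do @set SSL_PROGRAM="%%a"
if not defined SSL_PROGRAM (
echo SSL not found. If installed, add path to PATH environment variable.
exit /b 1
)
rem … unchanged: argument handling …
cd /d %DESTDIR%
rem … unchanged: comment …
if exist %SVR_BASE%.key (
rem … unchanged: exists message, goto next, generating message …
%SSL_PROGRAM% genrsa -out %SVR_BASE%.key %BITS% || (echo could not genrsa & exit /b 1)
rem … unchanged: client key block in the same parenthesised form, request.cfg creation …
%SSL_PROGRAM% req -key %SVR_BASE%.key -config request.cfg -new -x509 -days %DAYS% -out %SVR_BASE%.pem || (echo could not create %SVR_BASE%.pem & exit /b 1)
rem … unchanged: rest of script …
```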