cubixle/packages
1
0
Fork 0
mirror of https://github.com/novatiq/packages.git synced 2026-04-30 15:38:40 +01:00
Code Issues Packages Projects Releases Wiki Activity

unbound: add UCI for forward stub and auth zone clauses

Browse Source 
With growing interest, DNS over TLS can be setup in Unbounds foward-zone:
clause. A broader UCI solution is added to support forward-, stub-, and
auth- zone clauses in a new 'zone' section. This implentation required
reworking scripts, because they did not scale. 'forward_domain' and
'prefetch_root' options are removed, and superceded by 'zone' section.

Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
This commit is contained in:
Eric Luehrsen
2018-06-28 20:41:37 -04:00
parent 7bbec3b06b
commit 408047628e
12 changed files with 1380 additions and 1095 deletions
Download Patch File Download Diff File Expand all files Collapse all files
net/unbound/files/dnsmasq.sh
+236 -109
View File
@@ -23,6 +23,140 @@
#
##############################################################################
DM_D_WAN_FQDN=0
DM_LIST_KNOWN_ZONES="invalid"
DM_LIST_TRN_ZONES=""
DM_LIST_LOCAL_DATA=""
DM_LIST_LOCAL_PTR=""
DM_LIST_FWD_PORTS=""
DM_LIST_FWD_ZONES=""
##############################################################################
create_local_zone() {
local target="$1"
local partial domain found
case $DM_LIST_TRN_ZONES in
*"${target}"*)
found=1
;;
*)
case $target in
[A-Za-z0-9]*.[A-Za-z0-9]*)
found=0
;;
*) # no dots
found=1
;;
esac
esac
if [ $found -eq 0 ] ; then
# New Zone! Bundle local-zones: by first two name tiers "abcd.tld."
partial=$( echo "$target" | awk -F. '{ j=NF ; i=j-1; print $i"."$j }' )
DM_LIST_TRN_ZONES="$DM_LIST_TRN_ZONES $partial"
DM_LIST_KNOWN_ZONES="$DM_LIST_KNOWN_ZONES $partial"
fi
}
##############################################################################
create_host_record() {
local cfg="$1"
local ip name debug_ip
# basefiles dhcp "domain" clause which means host A, AAAA, and PRT record
config_get ip "$cfg" ip
config_get name "$cfg" name
if [ -n "$name" -a -n "$ip" ] ; then
create_local_zone "$name"
case $ip in
fe80:*|169.254.*)
debug_ip="$ip@$host"
;;
[1-9a-f]*:*[0-9a-f])
DM_LIST_LOCAL_DATA="$DM_LIST_LOCAL_DATA $name.@@300@@IN@@AAAA@@$ip"
DM_LIST_LOCAL_PTR="$DM_LIST_LOCAL_PTR $ip@@300@@$name"
;;
[1-9]*.*[0-9])
DM_LIST_LOCAL_DATA="$DM_LIST_LOCAL_DATA $name.@@300@@IN@@A@@$ip"
DM_LIST_LOCAL_PTR="$DM_LIST_LOCAL_PTR $ip@@300@@$name"
;;
esac
fi
}
##############################################################################
create_mx_record() {
local cfg="$1"
local domain relay pref record
# Insert a static MX record
config_get domain "$cfg" domain
config_get relay "$cfg" relay
config_get pref "$cfg" pref 10
if [ -n "$domain" -a -n "$relay" ] ; then
create_local_zone "$domain"
record="$domain.@@300@@IN@@MX@@$pref@@$relay."
DM_LIST_LOCAL_DATA="$DM_LIST_LOCAL_DATA $record"
fi
}
##############################################################################
create_srv_record() {
local cfg="$1"
local srv target port class weight record
# Insert a static SRV record such as SIP server
config_get srv "$cfg" srv
config_get target "$cfg" target
config_get port "$cfg" port
config_get class "$cfg" class 10
config_get weight "$cfg" weight 10
if [ -n "$srv" -a -n "$target" -a -n "$port" ] ; then
create_local_zone "$srv"
record="$srv.@@300@@IN@@SRV@@$class@@$weight@@$port@@$target."
DM_LIST_LOCAL_DATA="$DM_LIST_LOCAL_DATA $record"
fi
}
##############################################################################
create_cname_record() {
local cfg="$1"
local cname target record
# Insert static CNAME record
config_get cname "$cfg" cname
config_get target "$cfg" target
if [ -n "$cname" -a -n "$target" ] ; then
create_local_zone "$cname"
record="$cname.@@300@@IN@@CNAME@@$target."
DM_LIST_LOCAL_DATA="$DM_LIST_LOCAL_DATA $record"
fi
}
##############################################################################
dnsmasq_local_zone() {
local cfg="$1"
local fwd_port fwd_domain wan_fqdn
@@ -34,130 +168,127 @@ dnsmasq_local_zone() {
if [ -n "$wan_fqdn" ] ; then
UNBOUND_D_WAN_FQDN=$wan_fqdn
DM_D_WAN_FQDN=$wan_fqdn
fi
if [ -n "$fwd_domain" -a -n "$fwd_port" -a ! "${fwd_port:-53}" -eq 53 ] ; then
# dnsmasq localhost listening ports (possible multiple instances)
UNBOUND_N_FWD_PORTS="$UNBOUND_N_FWD_PORTS $fwd_port"
UNBOUND_TXT_FWD_ZONE="$UNBOUND_TXT_FWD_ZONE $fwd_domain"
{
# This creates DOMAIN local privledges
echo " private-domain: \"$fwd_domain\""
echo " local-zone: \"$fwd_domain.\" transparent"
echo " domain-insecure: \"$fwd_domain\""
echo
} >> $UNBOUND_CONFFILE
DM_LIST_FWD_PORTS="$DM_LIST_FWD_PORTS $fwd_port"
DM_LIST_FWD_ZONES="$DM_LIST_FWD_ZONES $fwd_domain"
fi
}
##############################################################################
dnsmasq_local_arpa() {
local cfg="$1"
local logint dhcpv4 dhcpv6 ignore
local subnets subnets4 subnets6
local forward arpa
local validip4 validip6 privateip
config_get logint "$cfg" interface
config_get dhcpv4 "$cfg" dhcpv4
config_get dhcpv6 "$cfg" dhcpv6
config_get_bool ignore "$cfg" ignore 0
# Find the list of addresses assigned to a logical interface
# Its typical to have a logical gateway split NAME and NAME6
network_get_subnets subnets4 "$logint"
network_get_subnets6 subnets6 "$logint"
subnets="$subnets4 $subnets6"
network_get_subnets subnets4 "${logint}6"
network_get_subnets6 subnets6 "${logint}6"
subnets="$subnets $subnets4 $subnets6"
local ifarpa ifsubnet
if [ -z "$subnets" ] ; then
forward=""
elif [ -z "$UNBOUND_N_FWD_PORTS" ] ; then
forward=""
elif [ "$ignore" -gt 0 ] ; then
if [ "$UNBOUND_D_WAN_FQDN" -gt 0 ] ; then
# Only forward the one gateway host.
forward="host"
else
forward=""
fi
else
# Forward the entire private subnet.
forward="domain"
if [ -n "$UB_LIST_NETW_LAN" ] ; then
for ifsubnet in $UB_LIST_NETW_LAN ; do
ifarpa=$( domain_ptr_any "${ifsubnet#*@}" )
DM_LIST_FWD_ZONES="$DM_LIST_FWD_ZONES $ifarpa"
done
fi
if [ -n "$forward" ] ; then
for subnet in $subnets ; do
validip4=$( valid_subnet4 $subnet )
validip6=$( valid_subnet6 $subnet )
privateip=$( private_subnet $subnet )
if [ "$validip4" = "ok" -a "$dhcpv4" != "disable" ] ; then
if [ "$forward" = "domain" ] ; then
arpa=$( domain_ptr_ip4 "$subnet" )
else
arpa=$( host_ptr_ip4 "$subnet" )
fi
elif [ "$validip6" = "ok" -a "$dhcpv6" != "disable" ] ; then
if [ "$forward" = "domain" ] ; then
arpa=$( domain_ptr_ip6 "$subnet" )
else
arpa=$( host_ptr_ip6 "$subnet" )
fi
else
arpa=""
fi
if [ -n "$arpa" ] ; then
if [ "$privateip" = "ok" ] ; then
{
# This creates ARPA local zone privledges
echo " local-zone: \"$arpa.\" transparent"
echo " domain-insecure: \"$arpa\""
echo
} >> $UNBOUND_CONFFILE
fi
UNBOUND_TXT_FWD_ZONE="$UNBOUND_TXT_FWD_ZONE $arpa"
fi
if [ -n "$UB_LIST_NETW_WAN" -a "$DM_D_WAN_FQDN" -gt 0 ] ; then
for ifsubnet in $UB_LIST_NETW_WAN ; do
ifarpa=$( domain_ptr_any "${ifsubnet#*@}" )
DM_LIST_FWD_ZONES="$DM_LIST_FWD_ZONES $ifarpa"
done
fi
}
##############################################################################
dnsmasq_forward_zone() {
if [ -n "$UNBOUND_N_FWD_PORTS" -a -n "$UNBOUND_TXT_FWD_ZONE" ] ; then
for fwd_domain in $UNBOUND_TXT_FWD_ZONE ; do
{
# This is derived of dnsmasq_local_zone/arpa
# but forward: clauses need to be seperate
echo "forward-zone:"
echo " name: \"$fwd_domain.\""
dnsmasq_inactive() {
local record
for port in $UNBOUND_N_FWD_PORTS ; do
if [ "$UB_D_EXTRA_DNS" -gt 0 ] ; then
# Parasite from the uci.dhcp.domain clauses
DM_LIST_KNOWN_ZONES="$DM_LIST_KNOWN_ZONES $UB_TXT_DOMAIN"
config_load dhcp
config_foreach create_host_record domain
if [ "$UB_D_EXTRA_DNS" -gt 1 ] ; then
config_foreach create_srv_record srvhost
config_foreach create_mx_record mxhost
fi
if [ "$UB_D_EXTRA_DNS" -gt 2 ] ; then
config_foreach create_cname_record cname
fi
{
echo "# $UB_SRVMASQ_CONF generated by UCI $( date -Is )"
if [ -n "$DM_LIST_TRN_ZONES" ] ; then
for record in $DM_LIST_TRN_ZONES ; do
echo " local-zone: $record transparent"
done
echo
fi
if [ -n "$DM_LIST_LOCAL_DATA" ] ; then
for record in $DM_LIST_LOCAL_DATA ; do
echo " local-data: \"${record//@@/ }\""
done
echo
fi
if [ -n "$DM_LIST_LOCAL_PTR" ] ; then
for record in $DM_LIST_LOCAL_PTR ; do
echo " local-data-ptr: \"${record//@@/ }\""
done
echo
fi
} > $UB_SRVMASQ_CONF
fi
}
##############################################################################
dnsmasq_active() {
# Look at dnsmasq settings
config_load dhcp
# Zone for DHCP / SLAAC-PING DOMAIN
config_foreach dnsmasq_local_zone dnsmasq
# Zone for DHCP / SLAAC-PING ARPA
dnsmasq_local_arpa
if [ -n "$DM_LIST_FWD_PORTS" -a -n "$DM_LIST_FWD_ZONES" ] ; then
{
# Forward to dnsmasq on same host for DHCP lease hosts
echo "# $UB_SRVMASQ_CONF generated by UCI $( date -Is )"
echo " do-not-query-localhost: no"
echo
} > $UB_SRVMASQ_CONF
echo "# $UB_EXTMASQ_CONF generated by UCI $( date -Is )" > $UB_EXTMASQ_CONF
for fwd_domain in $DM_LIST_FWD_ZONES ; do
{
# This creates a domain with local privledges
echo " domain-insecure: $fwd_domain"
echo " private-domain: $fwd_domain"
echo " local-zone: $fwd_domain transparent"
echo
} >> $UB_SRVMASQ_CONF
{
# This is derived from dnsmasq local domain and dhcp service subnets
echo "forward-zone:"
echo " name: $fwd_domain"
echo " forward-first: no"
for port in $DM_LIST_FWD_PORTS ; do
echo " forward-addr: 127.0.0.1@$port"
done
echo
} >> $UNBOUND_CONFFILE
} >> $UB_EXTMASQ_CONF
done
fi
}
@@ -165,16 +296,12 @@ dnsmasq_forward_zone() {
##############################################################################
dnsmasq_link() {
# Forward to dnsmasq on same host for DHCP lease hosts
echo " do-not-query-localhost: no" >> $UNBOUND_CONFFILE
# Look at dnsmasq settings
config_load dhcp
# Zone for DHCP / SLAAC-PING DOMAIN
config_foreach dnsmasq_local_zone dnsmasq
# Zone for DHCP / SLAAC-PING ARPA
config_foreach dnsmasq_local_arpa dhcp
# Now create ALL seperate forward: clauses
dnsmasq_forward_zone
if [ "$UB_D_DHCP_LINK" = "dnsmasq" ] ; then
dnsmasq_active
else
dnsmasq_inactive
fi
}
##############################################################################