cubixle/packages
1
0
Fork 0
mirror of https://github.com/novatiq/packages.git synced 2026-04-30 15:38:40 +01:00
Code Issues Packages Projects Releases Wiki Activity

unbound: expand UCI to cover some popular dnsmasq features

Browse Source 
Unbound+DHCP (server of your choice) should be able to replicate
a lot of what dnsmasq provides. With this change set Unbound
still works with dnsmasq, but also it can work with a plain
DHCP server. Features have been added within the UCI itself
to act like dnsmasq.

- alone: name each interface relative to router hostname
- alone: prevent upstream leakage of your domain and '.local'
- dnsmasq: use dnsmasq UCI to configure forwarding clauses
- dhcp: work with odhcpd as example of companion DHCP-DNS
- dhcp: convert DHCPv4 leases into EUI64 SLAAC for DNS records
- all: enable encrypted remote unbound-control using splice conf
- all: allow user spliced conf-files for hybrid UCI and manual conf
-- 'unbound_srv.conf' will be spliced into the 'server:' clause
-- 'unbound_ext.conf' will add clauses to the end, example 'forward:'

README HOW TO for dnsmasq-in-serial, dnsmasq-in-parallel, and
unbound-with-odhcpd have better/added UCI starters. HOW TO for
including unbound_srv.conf and unbound_ext.conf are added.
Document new UCI: add_local_fqdn, add_wan_fqdn, dhcp4_slaac6,
dhcp_link, domain, and domain_type

Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
This commit is contained in:
Eric Luehrsen
2016-12-29 01:32:31 -05:00
parent 89e7bb8f38
commit de1198d54d
8 changed files with 455 additions and 173 deletions
Download Patch File Download Diff File Expand all files Collapse all files
net/unbound/files/unbound.sh
+264 -103
View File
@@ -21,12 +21,12 @@
##############################################################################
UNBOUND_B_CONTROL=0
UNBOUND_B_SLAAC6_MAC=0
UNBOUND_B_DNSSEC=0
UNBOUND_B_DNS64=0
UNBOUND_B_GATE_NAME=0
UNBOUND_B_HIDE_BIND=1
UNBOUND_B_LOCL_BLCK=0
UNBOUND_B_LOCL_NAME=0
UNBOUND_B_LOCL_SERV=1
UNBOUND_B_MAN_CONF=0
UNBOUND_B_NTP_BOOT=1
@@ -34,10 +34,13 @@ UNBOUND_B_PRIV_BLCK=1
UNBOUND_B_QUERY_MIN=0
UNBOUND_B_QRY_MINST=0
UNBOUND_D_DOMAIN_TYPE=static
UNBOUND_D_DHCP_LINK=none
UNBOUND_D_LAN_FQDN=0
UNBOUND_D_PROTOCOL=mixed
UNBOUND_D_RESOURCE=small
UNBOUND_D_RECURSION=passive
UNBOUND_D_WAN_FQDN=0
UNBOUND_IP_DNS64="64:ff9b::/96"
@@ -50,6 +53,7 @@ UNBOUND_TTL_MIN=120
UNBOUND_TXT_DOMAIN=lan
UNBOUND_TXT_FWD_ZONE=""
UNBOUND_TXT_HOSTNAME=thisrouter
##############################################################################
@@ -58,7 +62,10 @@ UNBOUND_VARDIR=/var/lib/unbound
UNBOUND_PIDFILE=/var/run/unbound.pid
UNBOUND_SRV_CONF=$UNBOUND_VARDIR/unbound_srv.conf
UNBOUND_EXT_CONF=$UNBOUND_VARDIR/unbound_ext.conf
UNBOUND_CONFFILE=$UNBOUND_VARDIR/unbound.conf
UNBOUND_KEYFILE=$UNBOUND_VARDIR/root.key
UNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hints
UNBOUND_TIMEFILE=$UNBOUND_VARDIR/unbound.time
@@ -80,6 +87,106 @@ UNBOUND_CONTROL_CFG="$UNBOUND_CONTROL -c $UNBOUND_CONFFILE"
##############################################################################
create_interface_dns() {
local cfg="$1"
local ipcommand logint ignore ifname ifdashname
local name names address addresses
local ulaprefix if_fqdn host_fqdn mode mode_ptr
# Create local-data: references for this hosts interfaces (router).
config_get logint "$cfg" interface
config_get_bool ignore "$cfg" ignore 0
network_get_device ifname "$cfg"
ifdashname="${ifname//./-}"
ipcommand="ip -o address show $ifname"
addresses="$($ipcommand | awk '/inet/{sub(/\/.*/,"",$4); print $4}')"
ulaprefix="$(uci_get network @globals[0] ula_prefix)"
host_fqdn="$UNBOUND_TXT_HOSTNAME.$UNBOUND_TXT_DOMAIN"
if_fqdn="$ifdashname.$host_fqdn"
if [ "$ignore" -gt 0 ] ; then
mode="$UNBOUND_D_WAN_FQDN"
else
mode="$UNBOUND_D_LAN_FQDN"
fi
case "$mode" in
3)
mode_ptr="$host_fqdn"
names="$host_fqdn $UNBOUND_TXT_HOSTNAME"
;;
4)
mode_ptr="$if_fqdn"
names="$if_fqdn $host_fqdn $UNBOUND_TXT_HOSTNAME"
;;
*)
mode_ptr="$UNBOUND_TXT_HOSTNAME"
names="$UNBOUND_TXT_HOSTNAME"
;;
esac
if [ "$mode" -gt 1 ] ; then
{
for address in $addresses ; do
case $address in
fe80:*|169.254.*)
echo " # note link address $address"
;;
[1-9a-f]*:*[0-9a-f])
# GA and ULA IP6 for HOST IN AAA records (ip command is robust)
for name in $names ; do
echo " local-data: \"$name. 120 IN AAAA $address\""
done
echo " local-data-ptr: \"$address 120 $mode_ptr\""
;;
[1-9]*.*[0-9])
# Old fashioned HOST IN A records
for name in $names ; do
echo " local-data: \"$name. 120 IN A $address\""
done
echo " local-data-ptr: \"$address 120 $mode_ptr\""
;;
esac
done
echo
} >> $UNBOUND_CONFFILE
elif [ "$mode" -gt 0 ] ; then
{
for address in $addresses ; do
case $address in
fe80:*|169.254.*)
echo " # note link address $address"
;;
"${ulaprefix%%:/*}"*)
# Only this networks ULA and only hostname
echo " local-data: \"$UNBOUND_TXT_HOSTNAME. 120 IN AAAA $address\""
echo " local-data-ptr: \"$address 120 $UNBOUND_TXT_HOSTNAME\""
;;
[1-9]*.*[0-9])
echo " local-data: \"$UNBOUND_TXT_HOSTNAME. 120 IN A $address\""
echo " local-data-ptr: \"$address 120 $UNBOUND_TXT_HOSTNAME\""
;;
esac
done
echo
} >> $UNBOUND_CONFFILE
fi
}
##############################################################################
create_access_control() {
local cfg="$1"
local subnets subnets4 subnets6
@@ -133,61 +240,63 @@ unbound_mkdir() {
# Set resolver file to local but not if /etc/init.d/dnsmasq will do it.
echo "nameserver 127.0.0.1"
echo "nameserver ::1"
echo "search $UNBOUND_TXT_DOMAIN"
} > /tmp/resolv.conf
fi
if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" -a ! -d "$dhcp_dir" ] ; then
# make sure odhcpd has a directory to write (not done itself, yet)
mkdir -p "$dhcp_dir"
fi
mkdir -p $UNBOUND_VARDIR
touch $UNBOUND_CONFFILE
rm -f $UNBOUND_VARDIR/dhcp_*
touch $UNBOUND_CONFFILE
touch $UNBOUND_SRV_CONF
touch $UNBOUND_EXT_CONF
cp -p /etc/unbound/* $UNBOUND_VARDIR/
if [ -f /etc/unbound/root.hints ] ; then
# Your own local copy of root.hints
cp -p /etc/unbound/root.hints $UNBOUND_HINTFILE
if [ ! -f $UNBOUND_HINTFILE ] ; then
if [ -f /usr/share/dns/root.hints ] ; then
# Debian-like package dns-root-data
cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
elif [ -f /usr/share/dns/root.hints ] ; then
# Debian-like package dns-root-data
cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
else
logger -t unbound -s "iterator will use built-in root hints"
else
logger -t unbound -s "iterator will use built-in root hints"
fi
fi
if [ -f /etc/unbound/root.key ] ; then
# Your own local copy of a root.key
cp -p /etc/unbound/root.key $UNBOUND_KEYFILE
if [ ! -f $UNBOUND_KEYFILE ] ; then
if [ -f /usr/share/dns/root.key ] ; then
# Debian-like package dns-root-data
cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE
elif [ -f /usr/share/dns/root.key ] ; then
# Debian-like package dns-root-data
cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE
elif [ -x "$UNBOUND_ANCHOR" ] ; then
$UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
elif [ -x "$UNBOUND_ANCHOR" ] ; then
$UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
else
logger -t unbound -s "validator will use built-in trust anchor"
else
logger -t unbound -s "validator will use built-in trust anchor"
fi
fi
# Ensure access and prepare to jail
chown -R unbound:unbound $UNBOUND_VARDIR
chmod 775 $UNBOUND_VARDIR
chmod 664 $UNBOUND_VARDIR/*
}
##############################################################################
unbound_conf() {
local cfg=$1
local rt_mem rt_conn modulestring
{
# Make fresh conf file
echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
echo
} > $UNBOUND_CONFFILE
unbound_control() {
if [ "$UNBOUND_B_CONTROL" -gt 0 ] ; then
{
# Enable remote control tool, but only at local host for security
# You can hand write fancier encrypted access with /etc/..._ext.conf
echo "remote-control:"
echo " control-enable: yes"
echo " control-use-cert: no"
@@ -198,6 +307,29 @@ unbound_conf() {
fi
{
# Amend your own extended clauses here like forward zones or disable
# above (local, no encryption) and amend your own remote encrypted control
echo
echo "include: $UNBOUND_EXT_CONF" >> $UNBOUND_CONFFILE
echo
} >> $UNBOUND_CONFFILE
}
##############################################################################
unbound_conf() {
local cfg="$1"
local rt_mem rt_conn modulestring
{
# Make fresh conf file
echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
echo
} > $UNBOUND_CONFFILE
{
# No threading
echo "server:"
@@ -474,14 +606,18 @@ unbound_conf() {
fi
# Domain Exceptions
# Except and accept domains as insecure (DNSSEC); work around broken domains
config_list_foreach "$cfg" "domain_insecure" create_domain_insecure
echo >> $UNBOUND_CONFFILE
}
##############################################################################
####################
# UCI @ network #
####################
unbound_access() {
# TODO: Unbound 1.6.0 added "tags" and "views", so we can add tags to
# each access-control IP block, and then divert access.
# -- "guest" WIFI will not be allowed to see local zone data
# -- "child" LAN can black whole a list of domains to http~deadpixel
if [ "$UNBOUND_B_LOCL_SERV" -gt 0 ] ; then
@@ -490,6 +626,7 @@ unbound_conf() {
config_load network
config_foreach create_access_control interface
{
echo " access-control: 127.0.0.0/8 allow"
echo " access-control: ::1/128 allow"
@@ -504,30 +641,75 @@ unbound_conf() {
echo
} >> $UNBOUND_CONFFILE
fi
{
# Amend your own "server:" stuff here
echo
echo "include: $UNBOUND_SRV_CONF"
echo
} >> $UNBOUND_CONFFILE
}
##############################################################################
unbound_hostname() {
if [ -n "$UNBOUND_TXT_DOMAIN" ] ; then
{
# TODO: Unbound 1.6.0 added "tags" and "views" and we could make
# domains by interface to prevent DNS from "guest" to "home"
echo " local-zone: $UNBOUND_TXT_DOMAIN. $UNBOUND_D_DOMAIN_TYPE"
echo " domain-insecure: $UNBOUND_TXT_DOMAIN"
echo " private-domain: $UNBOUND_TXT_DOMAIN"
echo
echo " local-zone: $UNBOUND_TXT_HOSTNAME. $UNBOUND_D_DOMAIN_TYPE"
echo " domain-insecure: $UNBOUND_TXT_HOSTNAME"
echo " private-domain: $UNBOUND_TXT_HOSTNAME"
echo
} >> $UNBOUND_CONFFILE
case "$UNBOUND_D_DOMAIN_TYPE" in
deny|inform_deny|refuse|static)
{
# avoid upstream involvement in RFC6762 like responses (link only)
echo " local-zone: local. $UNBOUND_D_DOMAIN_TYPE"
echo " domain-insecure: local"
echo " private-domain: local"
echo
} >> $UNBOUND_CONFFILE
;;
esac
if [ "$UNBOUND_D_LAN_FQDN" -gt 0 -o "$UNBOUND_D_WAN_FQDN" -gt 0 ] ; then
config_load dhcp
config_foreach create_interface_dns dhcp
fi
fi
}
##############################################################################
unbound_uci() {
local cfg=$1
local dnsmasqpath
local cfg="$1"
local dnsmasqpath hostnm
####################
# UCI @ unbound #
####################
hostnm="$(uci_get system.@system[0].hostname | awk '{print tolower($0)}')"
UNBOUND_TXT_HOSTNAME=${hostnm:-thisrouter}
config_get_bool UNBOUND_B_DNS64 "$cfg" dns64 0
config_get_bool UNBOUND_B_HIDE_BIND "$cfg" hide_binddata 1
config_get_bool UNBOUND_B_LOCL_SERV "$cfg" localservice 1
config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0
config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0
config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0
config_get_bool UNBOUND_B_PRIV_BLCK "$cfg" rebind_protection 1
config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
config_get_bool UNBOUND_B_CONTROL "$cfg" unbound_control 0
config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
config_get_bool UNBOUND_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0
config_get_bool UNBOUND_B_DNS64 "$cfg" dns64 0
config_get_bool UNBOUND_B_HIDE_BIND "$cfg" hide_binddata 1
config_get_bool UNBOUND_B_LOCL_SERV "$cfg" localservice 1
config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0
config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0
config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0
config_get_bool UNBOUND_B_PRIV_BLCK "$cfg" rebind_protection 1
config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
config_get_bool UNBOUND_B_CONTROL "$cfg" unbound_control 0
config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
config_get UNBOUND_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96"
@@ -535,16 +717,19 @@ unbound_uci() {
config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53
config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 7
config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none
config_get UNBOUND_D_PROTOCOL "$cfg" protocol mixed
config_get UNBOUND_D_RECURSION "$cfg" recursion passive
config_get UNBOUND_D_RESOURCE "$cfg" resource small
config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static
config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none
config_get UNBOUND_D_LAN_FQDN "$cfg" add_local_fqdn 0
config_get UNBOUND_D_PROTOCOL "$cfg" protocol mixed
config_get UNBOUND_D_RECURSION "$cfg" recursion passive
config_get UNBOUND_D_RESOURCE "$cfg" resource small
config_get UNBOUND_D_WAN_FQDN "$cfg" add_wan_fqdn 0
config_get UNBOUND_TTL_MIN "$cfg" ttl_min 120
config_get UNBOUND_TXT_DOMAIN "$cfg" domain lan
if [ "$UNBOUND_D_DHCP_LINK" = "none" ] ; then
config_get_bool UNBOUND_B_GATE_NAME "$cfg" dnsmasq_gate_name 0
config_get_bool UNBOUND_B_DNSMASQ "$cfg" dnsmasq_link_dns 0
@@ -601,61 +786,33 @@ unbound_uci() {
# that could have had awful side effects
UNBOUND_TTL_MIN=300
fi
if [ "$UNBOUND_B_MAN_CONF" -gt 0 ] ; then
# Don't want this being triggered. Maybe we could, but then the
# base conf you provide would need to be just right.
UNBOUND_D_DHCP_LINK=none
else
unbound_conf $cfg
fi
}
##############################################################################
unbound_own () {
local dhcp_origin=$( uci get dhcp.@odhcpd[0].leasefile )
if [ "$UNBOUND_B_MAN_CONF" -gt 0 ] ; then
# You are doing your own thing, so just copy /etc/ to /var/
cp -p /etc/unbound/* $UNBOUND_VARDIR/
fi
if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" -a ! -f "$dhcp_origin" ] ; then
# odhcpd will not (yet) create its own lease file home
mkdir -p $( dirname "$dhcp_origin" )
fi
# Ensure access and prepare to jail
chown -R unbound:unbound $UNBOUND_VARDIR
chmod 775 $UNBOUND_VARDIR
chmod 664 $UNBOUND_VARDIR/*
}
##############################################################################
unbound_prepare() {
# Make a home for Unbound in /var/lib/unbound
unbound_mkdir
# Load up the chunks of UCI
unbound_start() {
config_load unbound
config_foreach unbound_uci unbound
unbound_mkdir
# Unbound primary DNS, and dnsmasq side service DHCP-DNS (dnsmasq.sh)
dnsmasq_link
# Unbound needs chroot ownership
unbound_own
if [ "$UNBOUND_B_MAN_CONF" -eq 0 ] ; then
unbound_conf
unbound_access
if [ "$UNBOUND_D_DHCP_LINK" = "dnsmasq" ] ; then
dnsmasq_link
else
unbound_hostname
fi
unbound_control
fi
}
##############################################################################
unbound_cleanup() {
unbound_stop() {
local resolvsym=0
rootzone_update
@@ -673,6 +830,10 @@ unbound_cleanup() {
rm -f /tmp/resolv.conf
ln -s /tmp/resolv.conf.auto /tmp/resolv.conf
fi
# Unbound has a log dump which takes time; don't overlap a "restart"
sleep 1
}
##############################################################################