Bytes. Extended DNS is necessary for DNSSEC. However, it can run
into MTU issues. Use this size in bytes to manage drop outs.
+ option extended_luci '0'
+ Boolean. Extends a tab hierarchy in LuCI for advanced congfiguration.
+
+ option extended_stats '0'
+ Boolean. extended statistics are printed from unbound-control.
+ Keeping track of more statistics takes time.
+
option hide_binddata '1'
Boolean. If enabled version.server, version.bind, id.server, and
hostname.bind queries are refused.
Typical to configure maybe 0~300, but 1800 is the maximum accepted.
option unbound_control '0'
- Boolean. Enables unbound-control application access ports. Enabling
- this without the unbound-control package installed is robust.
+ Level. Enables unbound-control application access ports.
+ 0 - No unbound-control Access, or add your own in 'unbound_ext.conf'
+ 1 - Unencrypted Local Host Access
+ 2 - SSL Local Host Access; auto unbound-control-setup if available
+ 3 - SSL Network Access; auto unbound-control-setup if available
+ 4 - SSL Network Access; static key/pem files must already exist
option validator '0'
Boolean. Enable DNSSEC. Unbound names this the "validator" module.
if ( bconf == 1 ) {
x = ( "local-data: \"" fqdn ". 120 IN A " adr "\"" ) ;
y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ;
- print ( x "\n" y ) > hostfile ;
+ print ( x "\n" y "\n" ) > hostfile ;
}
else {
# GA or ULA routed addresses only (not LL or MC)
sub( /\/.*/, "", adr ) ;
adr = ( adr slaac ) ;
-
-
- if ( split( adr, tmp0, ":" ) >= 8 ) {
- sub( "::", ":", adr ) ;
+
+
+ if ( split( adr, tmp0, ":" ) >= 8 ) {
+ sub( "::", ":", adr ) ;
}
if ( bconf == 1 ) {
x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr "\"" ) ;
y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ;
- print ( x "\n" y ) > hostfile ;
+ print ( x "\n" y "\n" ) > hostfile ;
}
else {
if ( bconf == 1 ) {
x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr "\"" ) ;
y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ;
- print ( x "\n" y ) > hostfile ;
+ print ( x "\n" y "\n" ) > hostfile ;
}
else {
print ( x "\n" y ) > hostfile ;
}
}
-
+
if (( cdr2 == 128 ) && ( hst != "-" )) {
if ( bconf == 1 ) {
x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr2 "\"" ) ;
y = ( "local-data-ptr: \"" adr2 " 120 " fqdn "\"" ) ;
- print ( x "\n" y ) > hostfile ;
+ print ( x "\n" y "\n" ) > hostfile ;
}
else {
#
##############################################################################
-UNBOUND_B_CONTROL=0
UNBOUND_B_SLAAC6_MAC=0
UNBOUND_B_DNSSEC=0
UNBOUND_B_DNS64=0
+UNBOUND_B_EXT_STATS=0
UNBOUND_B_GATE_NAME=0
UNBOUND_B_HIDE_BIND=1
UNBOUND_B_LOCL_BLCK=0
UNBOUND_B_QUERY_MIN=0
UNBOUND_B_QRY_MINST=0
+UNBOUND_D_CONTROL=0
UNBOUND_D_DOMAIN_TYPE=static
UNBOUND_D_DHCP_LINK=none
UNBOUND_D_EXTRA_DNS=0
UNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hints
UNBOUND_TIMEFILE=$UNBOUND_VARDIR/hotplug.time
+UNBOUND_CTLKEY_FILE=$UNBOUND_VARDIR/unbound_control.key
+UNBOUND_CTLPEM_FILE=$UNBOUND_VARDIR/unbound_control.pem
+UNBOUND_SRVKEY_FILE=$UNBOUND_VARDIR/unbound_server.key
+UNBOUND_SRVPEM_FILE=$UNBOUND_VARDIR/unbound_server.pem
+
##############################################################################
UNBOUND_ANCHOR=/usr/sbin/unbound-anchor
# Ensure access and prepare to jail
chown -R unbound:unbound $UNBOUND_VARDIR
- chmod 775 $UNBOUND_VARDIR
- chmod 664 $UNBOUND_VARDIR/*
+ chmod 755 $UNBOUND_VARDIR
+ chmod 644 $UNBOUND_VARDIR/*
+
+
+ if [ -f $UNBOUND_CTLKEY_FILE -o -f $UNBOUND_CTLPEM_FILE \
+ -o -f $UNBOUND_SRVKEY_FILE -o -f $UNBOUND_SRVPEM_FILE ] ; then
+ # Keys (some) exist already; do not create new ones
+ chmod 640 $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
+ $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE
+
+ elif [ -x /usr/sbin/unbound-control-setup ] ; then
+ case "$UNBOUND_D_CONTROL" in
+ [2-3])
+ # unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static"
+ /usr/sbin/unbound-control-setup -d $UNBOUND_VARDIR
+
+ chown -R unbound:unbound $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
+ $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE
+
+ chmod 640 $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
+ $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE
+
+ cp -p $UNBOUND_CTLKEY_FILE /etc/unbound/unbound_control.key
+ cp -p $UNBOUND_CTLPEM_FILE /etc/unbound/unbound_control.pem
+ cp -p $UNBOUND_SRVKEY_FILE /etc/unbound/unbound_server.key
+ cp -p $UNBOUND_SRVPEM_FILE /etc/unbound/unbound_server.pem
+ ;;
+ esac
+ fi
}
##############################################################################
unbound_control() {
- if [ "$UNBOUND_B_CONTROL" -gt 0 ] ; then
+ if [ "$UNBOUND_D_CONTROL" -gt 1 ] ; then
+ if [ ! -f $UNBOUND_CTLKEY_FILE -o ! -f $UNBOUND_CTLPEM_FILE \
+ -o ! -f $UNBOUND_SRVKEY_FILE -o ! -f $UNBOUND_SRVPEM_FILE ] ; then
+ # Key files need to be present; if unbound-control-setup was found, then
+ # they might have been made during unbound_makedir() above.
+ UNBOUND_D_CONTROL=0
+ fi
+ fi
+
+
+ case "$UNBOUND_D_CONTROL" in
+ 1)
{
- # Enable remote control tool, but only at local host for security
- # You can hand write fancier encrypted access with /etc/..._ext.conf
+ # Local Host Only Unencrypted Remote Control
echo "remote-control:"
echo " control-enable: yes"
echo " control-use-cert: no"
echo " control-interface: ::1"
echo
} >> $UNBOUND_CONFFILE
- fi
+ ;;
+
+ 2)
+ {
+ # Local Host Only Encrypted Remote Control
+ echo "remote-control:"
+ echo " control-enable: yes"
+ echo " control-use-cert: yes"
+ echo " control-interface: 127.0.0.1"
+ echo " control-interface: ::1"
+ echo " server-key-file: \"$UNBOUND_SRVKEY_FILE\""
+ echo " server-cert-file: \"$UNBOUND_SRVPEM_FILE\""
+ echo " control-key-file: \"$UNBOUND_CTLKEY_FILE\""
+ echo " control-cert-file: \"$UNBOUND_CTLPEM_FILE\""
+ echo
+ } >> $UNBOUND_CONFFILE
+ ;;
+
+ [3-4])
+ {
+ # Network Encrypted Remote Control
+ # (3) may auto setup and (4) must have static key/pem files
+ # TODO: add UCI list for interfaces to bind
+ echo "remote-control:"
+ echo " control-enable: yes"
+ echo " control-use-cert: yes"
+ echo " control-interface: 0.0.0.0"
+ echo " control-interface: ::0"
+ echo " server-key-file: \"$UNBOUND_SRVKEY_FILE\""
+ echo " server-cert-file: \"$UNBOUND_SRVPEM_FILE\""
+ echo " control-key-file: \"$UNBOUND_CTLKEY_FILE\""
+ echo " control-cert-file: \"$UNBOUND_CTLPEM_FILE\""
+ echo
+ } >> $UNBOUND_CONFFILE
+ ;;
+ esac
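Review bot: When UNBOUND_D_CONTROL is 2–4 and any of the four key/pem files is missing, the reset at L138 drops it to 0 without a message, so an operator who configured encrypted remote control silently ends up with no control socket at all; put a `logger -t unbound "control key/pem files missing in $UNBOUND_VARDIR, remote-control disabled"` next to the reset. The same incomplete set also trips the `-o` test at L104, where L107 then runs `chmod 640` on all four paths and errors on the absent ones while unbound-control-setup is skipped, so a log line there would help too. Because L266 switches from config_get_bool to config_get, the value is no longer normalised: a setting such as `yes` makes the `-gt 1` test at L133 print a "bad number" error and then matches no `case` branch, so validate first with `case "$UNBOUND_D_CONTROL" in [0-4]) ;; *) UNBOUND_D_CONTROL=0 ;; esac`. For levels 3 and 4 the `0.0.0.0`/`::0` control-interface lines bind the control port on every interface with only the client certificate as the gate; until the interface list from the TODO at L178 exists, the README text for those levels should state that firewall rules for the control port are the operator's responsibility.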
{
local cfg="$1"
local rt_mem rt_conn modulestring
+ # Make fresh conf file
+ echo > $UNBOUND_CONFFILE
+
{
# Make fresh conf file
echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
echo
- } > $UNBOUND_CONFFILE
-
-
- {
# No threading
echo "server:"
echo " username: unbound"
echo " infra-cache-slabs: 1"
echo " key-cache-slabs: 1"
echo
- } >> $UNBOUND_CONFFILE
-
-
- {
+ # Interface Wildcard (access contol handled by "option local_service")
+ echo " interface: 0.0.0.0"
+ echo " interface: ::0"
+ echo " outgoing-interface: 0.0.0.0"
+ echo " outgoing-interface: ::0"
+ echo
# Logging
echo " verbosity: 1"
echo " statistics-interval: 0"
echo " statistics-cumulative: no"
- echo " extended-statistics: no"
- echo
} >> $UNBOUND_CONFFILE
- {
- # Interfaces (access contol "option local_service")
- echo " interface: 0.0.0.0"
- echo " interface: ::0"
- echo " outgoing-interface: 0.0.0.0"
- echo " outgoing-interface: ::0"
- echo
- } >> $UNBOUND_CONFFILE
+ if [ "$UNBOUND_B_EXT_STATS" -gt 0 ] ; then
+ {
+ # Log More
+ echo " extended-statistics: yes"
+ echo
+ } >> $UNBOUND_CONFFILE
+
+ else
+ {
+ # Log Less
+ echo " extended-statistics: no"
+ echo
+ } >> $UNBOUND_CONFFILE
+ fi
case "$UNBOUND_D_PROTOCOL" in
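Review bot: `echo > $UNBOUND_CONFFILE` at L196 creates the file with a blank first line before the header at L200 is appended, and the "Make fresh conf file" comment now appears twice (L195 and L199); truncate with `: > $UNBOUND_CONFFILE` and drop the duplicate comment. The new comment at L216 has a typo, `contol` → `control`, and since this line now documents why the wildcard `interface:` entries are safe, it is worth spelling out the option name exactly as the README lists it. The function's opening line is outside the hunk.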
config_get_bool UNBOUND_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0
config_get_bool UNBOUND_B_DNS64 "$cfg" dns64 0
+ config_get_bool UNBOUND_B_EXT_STATS "$cfg" extended_stats 0
config_get_bool UNBOUND_B_HIDE_BIND "$cfg" hide_binddata 1
config_get_bool UNBOUND_B_LOCL_SERV "$cfg" localservice 1
config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0
config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0
config_get_bool UNBOUND_B_PRIV_BLCK "$cfg" rebind_protection 1
config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
- config_get_bool UNBOUND_B_CONTROL "$cfg" unbound_control 0
config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53
config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9
+ config_get UNBOUND_D_CONTROL "$cfg" unbound_control 0
config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static
config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none
config_get UNBOUND_D_EXTRA_DNS "$cfg" add_extra_dns 0