authorWarren Baker <warren@decoy.co.za>2011-10-01 19:54:10 +0200
committerWarren Baker <warren@decoy.co.za>2011-10-01 19:54:10 +0200
commite9dedc03984299a25c77eae56cc3b952c564265f (patch)
treeb22ea10215be274d2d421fd0413685de7ba76ecb /etc/inc/unbound.inc
parente237741af24f90f07c8aab58deb7ff92602e90bd (diff)
Various Unbound functions for configuration
Diffstat (limited to 'etc/inc/unbound.inc')
-rw-r--r--etc/inc/unbound.inc256
1 files changed, 254 insertions, 2 deletions
diff --git a/etc/inc/unbound.inc b/etc/inc/unbound.inc
index ed5d5f2..e6d8ad0 100644
--- a/etc/inc/unbound.inc
+++ b/etc/inc/unbound.inc
@@ -128,14 +128,14 @@ function unbound_optimization() {
return $optimization;
}
+/* Fetch root name servers hints file */
function unbound_fetch_root_hints() {
global $g;
$hints = "{$g['unbound_chroot_path']}/etc/root.hints";
if (@filesize($hints) == 0 ) {
- conf_mount_rw();
$returnvar = mwexec("/usr/bin/dig +tcp +nocmd +answer @`/usr/bin/dig +nocmd +noall +answer +short . NS | /usr/bin/head -1` . NS > {$hints}");
- conf_mount_ro();
+
if ($returnvar != 0) {
mwexec("/bin/rm -f {$hints}");
return false;
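Review bot: The outer dig's server comes from a nested backtick (`head -1` of an unvalidated `dig . NS` answer) and nothing checks that the inner query produced output, so the command can run with an empty `@` server argument and the only signal is `$returnvar != 0`; resolving the server in PHP first and bailing out when it is empty would make that failure explicit. The `@filesize($hints) == 0` test relies on loose comparison to treat a missing file (`false`) as empty, which is intended here but worth stating, e.g. `/* filesize() returns false for a missing file; == 0 covers both missing and empty */`. The rest of unbound_fetch_root_hints() continues past the hunk.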
@@ -145,4 +145,256 @@ function unbound_fetch_root_hints() {
return true;
}
+/* Configure initial anchor to support DNSSEC */
+function unbound_anchor_setup() {
+ global $g;
+
+ $conf = <<<EOD
+. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
+EOD;
+
+ file_put_contents("{$g['unbound_chroot_path']}/etc/root-trust-anchor", $conf);
+ @chown("{$g['unbound_chroot_path']}/etc/root-trust-anchor", "unbound");
+ @chgrp("{$g['unbound_chroot_path']}/etc/root-trust-anchor", "wheel");
+ @chmod("{$g['unbound_chroot_path']}/etc/root-trust-anchor", 0600);
+
+}
+
+/* Setup Unbound Remote Control SSL keys */
+function unbound_keys_setup() {
+ global $g;
+
+ if (!file_exists("{$g['unbound_chroot_path']}/unbound_control.key"))
+ mwexec("/usr/local/sbin/unbound-control-setup -d {$g['unbound_chroot_path']}");
+}
+
+function unbound_setup() {
+ global $config, $g;
+
+ unbound_anchor_setup();
+ unbound_resync_config();
+ unbound_keys_setup();
+
+}
+
+function unbound_resync_config() {
+ global $config,$g;
+
+ /* Setup optimization */
+ $optimization = unbound_optimization();
+
+ /* Setup DNSSEC support */
+ if($unbound_config['dnssec_status'] == "on") {
+ $module_config = "validator iterator";
+ $anchor_file = "auto-trust-anchor-file: /etc/root-trust-anchor";
+ } else
+ $module_config = "iterator";
+
+ /* Setup DNS Rebinding */
+ if(!isset($config['system']['webgui']['nodnsrebindcheck'])) {
+ // Private-addresses for DNS Rebinding
+ $private_addr = <<<EOF
+# For DNS Rebinding prevention
+private-address: 10.0.0.0/8
+private-address: 172.16.0.0/12
+private-address: 192.168.0.0/16
+private-address: 192.254.0.0/16
+private-address: fd00::/8
+private-address: fe80::/10
+EOF;
+ }
+
+ /* Allow DNS Rebind for forwarded domains */
+ if (isset($config['unbound']['domainoverrides']) && is_array($config['unbound']['domainoverrides'])) {
+ if(!isset($config['system']['webgui']['nodnsrebindcheck'])) {
+ $private_domains = "# Set private domains in case authoritative name server returns a Private IP address";
+ $private_domains .= unbound_add_domain_overrides(true);
+ }
+ }
+
+ /* Configure static Host entries */
+ $host_entries = unbound_add_host_entries();
+
+ /* Configure Domain Overrides */
+ $domain_overrides = unbound_add_domain_overrides();
+
+
+ /* Add custom Unbound options */
+ //if ($config['unbound']['custom_options']) {
+ // foreach (preg_split('/\s+/', $config['unbound']['custom_options']) as $c)
+ //
+ //}
+
+ $unboundconf = <<<EOD
+##########################
+# Unbound Configuration
+##########################
+
+##
+# Server configuration
+##
+server:
+chroot: {$g['unbound_chroot_path']}
+username: "unbound"
+directory: "{$g['unbound_chroot_path']}/etc"
+pidfile: "/var/run/unbound.pid"
+root-hints: "root.hints"
+harden-referral-path: no
+prefetch: no
+prefetch-key: no
+use-syslog: yes
+port: 53
+verbosity: 1
+do-ip4: yes
+do-ip6: yes
+do-udp: yes
+do-tcp: yes
+do-daemonize: yes
+module-config: "{$module_config}"
+unwanted-reply-threshold: 0
+num-queries-per-thread: 1024
+jostle-timeout: 200
+infra-host-ttl: 900
+infra-lame-ttl: 900
+infra-cache-numhosts: 10000
+outgoing-num-tcp: 10
+incoming-num-tcp: 10
+edns-buffer-size: 4096
+statistics-interval: 7200
+extended-statistics: yes
+statistics-cumulative: yes
+cache-max-ttl: 86400
+cache-min-ttl: 0
+harden-dnssec-stripped: yes
+{$optimization['number_threads']}
+{$optimization['msg_cache_slabs']}
+{$optimization['rrset_cache_slabs']}
+{$optimization['infra_cache_slabs']}
+{$optimization['key_cache_slabs']}
+{$optimization['msg_cache_size']}
+{$optimization['rrset_cache_size']}
+{$optimization['outgoing_range']}
+{$optimization['so_rcvbuf']}
+{$anchor_file}
+prefetch: {$prefetch}
+prefetch-key: {$prefetch_key}
+
+interface: 0.0.0.0
+interface: ::0
+
+# DNS Rebinding
+{$private_addr}
+{$private_domains}
+
+###
+# Remote Control Config
+###
+remote-control:
+control-enable: yes
+control-interface: 127.0.0.1
+control-port: 953
+server-key-file: "/etc/unbound_server.key"
+server-cert-file: "/etc/unbound_server.pem"
+control-key-file: "/etc/unbound_control.key"
+control-cert-file: "/etc/unbound_control.pem"
+EOD;
+
+
+}
+
+function unbound_add_host_entries() {
+ global $config;
+
+ /* XXX: break this out into a separate config file and make use of include */
+ $syscfg = $config['system'];
+ $dnscfg = $config['dns'];
+
+ $dns_entries = "local-zone: \"{$syscfg['domain']}\" transparent\n";
+ // IPv4 entries
+ $dns_entries .= "local-data-ptr: \"127.0.0.1 localhost\"\n";
+ $dns_entries .= "local-data: \"localhost A 127.0.0.1\"\n";
+ $dns_entries .= "local-data: \"localhost.{$syscfg['domain']} A 127.0.0.1\"\n";
+ // IPv6 entries
+ $dns_entries .= "local-data-ptr: \"::1 localhost\"\n";
+ $dns_entries .= "local-data: \"localhost AAAA ::1\"\n";
+ $dns_entries .= "local-data: \"localhost.{$syscfg['domain']} AAAA ::1\"\n";
+
+ /*if ($config['interfaces']['lan']) {
+ $cfgip = get_interface_ip("lan");
+ if (is_ipaddr($cfgip)) {
+ $unbound_entries .= "local-data-ptr: \"{$cfgip} {$syscfg['hostname']}.{$syscfg['domain']}\"\n";
+ $unbound_entries .= "local-data: \"{$syscfg['hostname']}.{$syscfg['domain']} A {$cfgip}\"\n";
+ $unbound_entries .= "local-data: \"{$syscfg['hostname']} A {$cfgip}\"\n";
+ }
+ } else {
+ $sysiflist = get_configured_interface_list();
+ foreach ($sysiflist as $sysif) {
+ if (!interface_has_gateway($sysif)) {
+ $cfgip = get_interface_ip($sysif);
+ if (is_ipaddr($cfgip)) {
+ $unbound_entries .= "local-data-ptr: \"{$cfgip} {$syscfg['hostname']}.{$syscfg['domain']}\"\n";
+ $unbound_entries .= "local-data: \"{$syscfg['hostname']}.{$syscfg['domain']} A {$cfgip}\"\n";
+ $unbound_entries .= "local-data: \"{$syscfg['hostname']} A {$cfgip}\"\n";
+ break;
+ }
+ }
+ }
+ }*/
+
+ /* Static Host entries */
+ if (isset($dnscfg['hosts'])) {
+ $hosts = $dnscfg['hosts'];
+ $host_entries = "";
+ $added_item = array();
+ foreach ($hosts as $host) {
+ $current_host = $host['host'];
+ if ($host['host'] != "")
+ $host['host'] = $host['host'].".";
+ if(!$added_item[$current_host]) {
+ $host_entries .= "local-data-ptr: \"{$host['ip']} {$host['host']}{$host['domain']}\"\n";
+ if (is_ipaddrv6($host['ip']))
+ $host_entries .= "local-data: \"{$host['host']}{$host['domain']} IN AAAA {$host['ip']}\"\n";
+ else
+ $host_entries .= "local-data: \"{$host['host']}{$host['domain']} IN A {$host['ip']}\"\n";
+ if (!empty($host['descr']) && $dnscfg['txtsupport'] == 'on')
+ $host_entries .= "local-data: '{$host['host']}{$host['domain']} TXT \"".addslashes($host['descr'])."\"'\n";
+
+ // Do not add duplicate entries
+ $added_item[$current_host] = true;
+ }
+ }
+ $unbound_entries .= $host_entries;
+ }
+ // Static DHCP entries
+ $host_entries = "";
+ if (isset($dnscfg['regdhcpstatic']) && is_array($config['dhcpd'])) {
+ foreach ($config['dhcpd'] as $dhcpif => $dhcpifconf)
+ if(is_array($dhcpifconf['staticmap']) && isset($dhcpifconf['enable']))
+ foreach ($dhcpifconf['staticmap'] as $host)
+ if ($host['ipaddr'] && $host['hostname']) {
+ $host_entries .= "local-data-ptr: \"{$host['ipaddr']} {$host['hostname']}.{$syscfg['domain']}\"\n";
+ $host_entries .= "local-data: \"{$host['hostname']}.{$syscfg['domain']} IN A {$host['ipaddr']}\"\n";
+ if (!empty($host['descr']) && $unboundcfg['txtsupport'] == 'on')
+ $host_entries .= "local-data: '{$host['hostname']}.{$syscfg['domain']} TXT \"".addslashes($host['descr'])."\"'\n";
+ }
+ $unbound_entries .= $host_entries;
+ }
+
+ // Handle DHCPLeases added host entries
+ $dhcplcfg = read_hosts();
+ $host_entries = "";
+ if(is_array($dhcplcfg)) {
+ foreach($dhcplcfg as $key=>$host) {
+ $host_entries .= "local-data-ptr: \"{$host['ipaddr']} {$host['fqdn']}\"\n";
+ $host_entries .= "local-data: \"{$host['fqdn']} IN A {$host['ipaddr']}\"\n";
+ if (!empty($host['name'])) {
+ $host_entries .= "local-data-ptr: \"{$host['ipaddr']} {$host['name']}\"\n";
+ $host_entries .= "local-data: \"{$host['name']} IN A {$host['ipaddr']}\"\n";
+ }
+ }
+ $unbound_entries .= $host_entries;
+ }
+ return $unbound_entries;
+}
+
?> \ No newline at end of file
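Review bot: `unbound_resync_config()` tests `$unbound_config['dnssec_status']`, a name that is never assigned (the section is read as `$config['unbound']` elsewhere in the hunk), so the validator module and `$anchor_file` are never enabled, the heredoc interpolates undefined `$anchor_file`, `$prefetch`, `$prefetch_key`, `$private_addr` and `$private_domains`, and the resulting `$unboundconf` is neither written nor returned, so the function currently has no effect. The rebinding block lists `private-address: 192.254.0.0/16` where the IPv4 link-local range is `169.254.0.0/16`, leaving that range outside the private-address protection, and `prefetch`/`prefetch-key` are emitted twice (hard-coded and interpolated). In `unbound_add_host_entries()` the localhost records are built in `$dns_entries` but the function appends to and returns `$unbound_entries`, so they are dropped, and `$unboundcfg['txtsupport']` in the static-DHCP branch should be `$dnscfg['txtsupport']` as in the hosts branch. `unbound_keys_setup()` looks for `{$g['unbound_chroot_path']}/unbound_control.key` while the generated config expects `control-key-file: "/etc/unbound_control.key"` relative to the chroot, i.e. `{chroot}/etc/`, so the keys are generated in a directory the daemon will not read; the hard-coded DS record in `unbound_anchor_setup()` will also go stale across a root KSK rollover and depends on the RFC 5011 update that `auto-trust-anchor-file` performs, which is worth a comment next to it.
```php
function unbound_resync_config() {
	global $config,$g;

	/* Setup optimization */
	$optimization = unbound_optimization();

	/* Defaults so the heredoc below never interpolates undefined names */
	$anchor_file = "";
	$private_addr = "";
	$private_domains = "";
	$prefetch = "no";
	$prefetch_key = "no";

	/* Setup DNSSEC support (setting lives under $config['unbound']) */
	if (isset($config['unbound']['dnssec_status']) && $config['unbound']['dnssec_status'] == "on") {
		$module_config = "validator iterator";
		$anchor_file = "auto-trust-anchor-file: /etc/root-trust-anchor";
	} else
		$module_config = "iterator";

	// … unchanged: DNS rebinding block, with the link-local line corrected to …
	// private-address: 169.254.0.0/16

	// … unchanged: host entries, domain overrides, $unboundconf heredoc
	//   (drop the hard-coded prefetch:/prefetch-key: lines, keep the interpolated ones) …

	/* Hand the generated configuration back instead of discarding it; the caller
	   writes it to unbound's config file (path not visible in this hunk) */
	return $unboundconf;
}
```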