Diffstat (limited to 'src/etc/inc/unbound.inc')
-rw-r--r-- | src/etc/inc/unbound.inc | 135 |
1 files changed, 85 insertions, 50 deletions
diff --git a/src/etc/inc/unbound.inc b/src/etc/inc/unbound.inc index 043ced2..ccae458 100644 --- a/src/etc/inc/unbound.inc +++ b/src/etc/inc/unbound.inc @@ -25,10 +25,6 @@ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - - pfSense_BUILDER_BINARIES: /usr/local/sbin/unbound /usr/local/sbin/unbound-anchor /usr/local/sbin/unbound-checkconf - pfSense_BUILDER_BINARIES: /usr/local/sbin/unbound-control /usr/local/sbin/unbound-control-setup - pfSense_MODULE: unbound */ /* include all configuration functions */ @@ -103,14 +99,52 @@ function unbound_optimization() { } +function test_unbound_config($unboundcfg, &$output) { + global $g; + + $cfgfile = "{$g['unbound_chroot_path']}/unbound.test.conf"; + $unboundcfgtxt = unbound_generate_config_text($unboundcfg); + file_put_contents($cfgfile, $unboundcfgtxt); + + $rv = 0; + exec("/usr/local/sbin/unbound-checkconf {$cfgfile} 2>&1", $output, $rv); + unlink_if_exists($cfgfile); + + return $rv; +} + + function unbound_generate_config() { + global $g; + + $unboundcfgtxt = unbound_generate_config_text(); + + // Configure static Host entries + unbound_add_host_entries(); + + // Configure Domain Overrides + unbound_add_domain_overrides(); + + // Configure Unbound access-lists + unbound_acls_config(); + + create_unbound_chroot_path(); + file_put_contents("{$g['unbound_chroot_path']}/unbound.conf", $unboundcfgtxt); +} + + +function unbound_generate_config_text($unboundcfg=NULL) { + global $config, $g; + if (is_null($unboundcfg)) { + $unboundcfg = $config['unbound']; + } // Setup optimization $optimization = unbound_optimization(); // Setup DNSSEC support - if (isset($config['unbound']['dnssec'])) { + if (isset($unboundcfg['dnssec'])) { $module_config = "validator iterator"; $anchor_file = "auto-trust-anchor-file: {$g['unbound_chroot_path']}/root.key"; } else { 
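Review bot: test_unbound_config() writes the candidate config to `{$g['unbound_chroot_path']}/unbound.test.conf` without calling create_unbound_chroot_path() first and without checking the file_put_contents() return, so when the chroot directory is missing unbound-checkconf runs against a file that was never written and the caller gets a misleading "cannot open file" failure instead of a validation result; unbound_generate_config() in the same hunk does create the path, so the helper should too. exec() appends to a non-empty `$output` array rather than replacing it, so a caller that reuses the array accumulates messages across validation runs; reset it with `$output = array();` before the exec, and pass the path as `escapeshellarg($cfgfile)` so the command stays well-formed whatever the chroot path contains. The fixed file name also means two concurrent validations overwrite each other's test file; tempnam() inside the chroot path would avoid that. unbound_generate_config_text() continues past the end of this hunk.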
@@ -133,8 +167,8 @@ EOF; // Determine interfaces to run on $bindints = ""; - if (!empty($config['unbound']['active_interface'])) { - $active_interfaces = explode(",", $config['unbound']['active_interface']); + if (!empty($unboundcfg['active_interface'])) { + $active_interfaces = explode(",", $unboundcfg['active_interface']); if (in_array("all", $active_interfaces, true)) { $bindints .= "interface: 0.0.0.0\n"; $bindints .= "interface: ::0\n"; @@ -142,7 +176,7 @@ EOF; } else { foreach ($active_interfaces as $ubif) { if (is_ipaddr($ubif)) { - //$bindints .= "interface: $ubif\n"; -- until redmine #4062 is fixed, then uncomment this. + $bindints .= "interface: $ubif\n"; } else { $intip = get_interface_ip($ubif); if (is_ipaddrv4($intip)) { @@ -150,9 +184,7 @@ EOF; } $intip = get_interface_ipv6($ubif); if (is_ipaddrv6($intip)) { - if (!is_linklocal($intip)) { // skipping link local for the moment to not break people's configs: https://redmine.pfsense.org/issues/4062 - $bindints .= "interface: $intip\n"; - } + $bindints .= "interface: $intip\n"; } } } @@ -166,9 +198,9 @@ EOF; // Determine interfaces to run on $outgoingints = ""; - if (!empty($config['unbound']['outgoing_interface'])) { + if (!empty($unboundcfg['outgoing_interface'])) { $outgoingints = "# Outgoing interfaces to be used\n"; - $outgoing_interfaces = explode(",", $config['unbound']['outgoing_interface']); + $outgoing_interfaces = explode(",", $unboundcfg['outgoing_interface']); foreach ($outgoing_interfaces as $outif) { $outip = get_interface_ip($outif); if (is_ipaddr($outip)) { 
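Review bot: Dropping the is_linklocal() guard in the `@@ -150,9 +184,7` hunk means a link-local IPv6 address returned by get_interface_ipv6() is now written as a bare `interface: fe80::…` line; unbound's interface: syntax needs a `%scope` suffix to bind such an address, so unless get_interface_ipv6() already returns a scoped address this reproduces the breakage the removed comment cited (redmine #4062) — and because unbound aborts startup on a failed bind, the whole resolver goes down, not just that one interface. Either keep the skip until the scope is appended, or append the real device name when is_linklocal($intip) is true; $ubif here is the pfSense interface name rather than the OS device, so the scope would presumably have to come from get_real_interface($ubif). At minimum a comment on the new `$bindints .= "interface: $intip\n";` line should state that scoped link-local handling is assumed to happen upstream. The enclosing unbound_generate_config_text() body starts and ends outside this hunk.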
@@ -182,7 +214,7 @@ EOF; } // Allow DNS Rebind for forwarded domains - if (isset($config['unbound']['domainoverrides']) && is_array($config['unbound']['domainoverrides'])) { + if (isset($unboundcfg['domainoverrides']) && is_array($unboundcfg['domainoverrides'])) { if (!isset($config['system']['webgui']['nodnsrebindcheck'])) { $private_domains = "# Set private domains in case authoritative name server returns a Private IP address\n"; $private_domains .= unbound_add_domain_overrides("private"); @@ -190,21 +222,12 @@ EOF; $reverse_zones .= unbound_add_domain_overrides("reverse"); } - // Configure static Host entries - unbound_add_host_entries(); - - // Configure Domain Overrides - unbound_add_domain_overrides(); - // Configure Unbound statistics $statistics = unbound_statistics(); - // Configure Unbound access-lists - unbound_acls_config(); - // Add custom Unbound options - if ($config['unbound']['custom_options']) { - $custom_options_source = explode("\n", base64_decode($config['unbound']['custom_options'])); + if ($unboundcfg['custom_options']) { + $custom_options_source = explode("\n", base64_decode($unboundcfg['custom_options'])); $custom_options = "# Unbound custom options\n"; foreach ($custom_options_source as $ent) { $custom_options .= $ent."\n"; 
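Review bot: In the `@@ -190,21 +222,12` hunk `if ($unboundcfg['custom_options'])` is the only option read with a bare truthiness test while every neighbouring option uses isset()/!empty(); now that $unboundcfg may be a caller-supplied array (test_unbound_config() passes one in), an absent key raises an undefined-index notice on every validation run. Change it to `if (!empty($unboundcfg['custom_options'])) {`. The decoded custom options are copied verbatim into unbound.conf, which is intended, but a comment should make the trust boundary explicit, e.g. `// Custom options are written verbatim; the unbound-checkconf pass in test_unbound_config() is the only validation they get`. unbound_generate_config_text() continues outside this hunk.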
@@ -212,31 +235,31 @@ EOF; } // Server configuration variables - $port = (is_port($config['unbound']['port'])) ? $config['unbound']['port'] : "53"; - $hide_identity = isset($config['unbound']['hideidentity']) ? "yes" : "no"; - $hide_version = isset($config['unbound']['hideversion']) ? "yes" : "no"; - $harden_dnssec_stripped = isset($config['unbound']['dnssecstripped']) ? "yes" : "no"; - $prefetch = isset($config['unbound']['prefetch']) ? "yes" : "no"; - $prefetch_key = isset($config['unbound']['prefetchkey']) ? "yes" : "no"; - $outgoing_num_tcp = (!empty($config['unbound']['outgoing_num_tcp'])) ? $config['unbound']['outgoing_num_tcp'] : "10"; - $incoming_num_tcp = (!empty($config['unbound']['incoming_num_tcp'])) ? $config['unbound']['incoming_num_tcp'] : "10"; - $edns_buffer_size = (!empty($config['unbound']['edns_buffer_size'])) ? $config['unbound']['edns_buffer_size'] : "4096"; - $num_queries_per_thread = (!empty($config['unbound']['num_queries_per_thread'])) ? $config['unbound']['num_queries_per_thread'] : "4096"; - $jostle_timeout = (!empty($config['unbound']['jostle_timeout'])) ? $config['unbound']['jostle_timeout'] : "200"; - $cache_max_ttl = (!empty($config['unbound']['cache_max_ttl'])) ? $config['unbound']['cache_max_ttl'] : "86400"; - $cache_min_ttl = (!empty($config['unbound']['cache_min_ttl'])) ? $config['unbound']['cache_min_ttl'] : "0"; - $infra_host_ttl = (!empty($config['unbound']['infra_host_ttl'])) ? $config['unbound']['infra_host_ttl'] : "900"; - $infra_cache_numhosts = (!empty($config['unbound']['infra_cache_numhosts'])) ? $config['unbound']['infra_cache_numhosts'] : "10000"; - $unwanted_reply_threshold = (!empty($config['unbound']['unwanted_reply_threshold'])) ? $config['unbound']['unwanted_reply_threshold'] : "0"; + $port = (is_port($unboundcfg['port'])) ? $unboundcfg['port'] : "53"; + $hide_identity = isset($unboundcfg['hideidentity']) ? "yes" : "no"; + $hide_version = isset($unboundcfg['hideversion']) ? 
"yes" : "no"; + $harden_dnssec_stripped = isset($unboundcfg['dnssecstripped']) ? "yes" : "no"; + $prefetch = isset($unboundcfg['prefetch']) ? "yes" : "no"; + $prefetch_key = isset($unboundcfg['prefetchkey']) ? "yes" : "no"; + $outgoing_num_tcp = (!empty($unboundcfg['outgoing_num_tcp'])) ? $unboundcfg['outgoing_num_tcp'] : "10"; + $incoming_num_tcp = (!empty($unboundcfg['incoming_num_tcp'])) ? $unboundcfg['incoming_num_tcp'] : "10"; + $edns_buffer_size = (!empty($unboundcfg['edns_buffer_size'])) ? $unboundcfg['edns_buffer_size'] : "4096"; + $num_queries_per_thread = (!empty($unboundcfg['num_queries_per_thread'])) ? $unboundcfg['num_queries_per_thread'] : "4096"; + $jostle_timeout = (!empty($unboundcfg['jostle_timeout'])) ? $unboundcfg['jostle_timeout'] : "200"; + $cache_max_ttl = (!empty($unboundcfg['cache_max_ttl'])) ? $unboundcfg['cache_max_ttl'] : "86400"; + $cache_min_ttl = (!empty($unboundcfg['cache_min_ttl'])) ? $unboundcfg['cache_min_ttl'] : "0"; + $infra_host_ttl = (!empty($unboundcfg['infra_host_ttl'])) ? $unboundcfg['infra_host_ttl'] : "900"; + $infra_cache_numhosts = (!empty($unboundcfg['infra_cache_numhosts'])) ? $unboundcfg['infra_cache_numhosts'] : "10000"; + $unwanted_reply_threshold = (!empty($unboundcfg['unwanted_reply_threshold'])) ? $unboundcfg['unwanted_reply_threshold'] : "0"; if ($unwanted_reply_threshold == "disabled") { $unwanted_reply_threshold = "0"; } - $msg_cache_size = (!empty($config['unbound']['msgcachesize'])) ? $config['unbound']['msgcachesize'] : "4"; - $verbosity = isset($config['unbound']['log_verbosity']) ? $config['unbound']['log_verbosity'] : 1; - $use_caps = isset($config['unbound']['use_caps']) ? "yes" : "no"; + $msg_cache_size = (!empty($unboundcfg['msgcachesize'])) ? $unboundcfg['msgcachesize'] : "4"; + $verbosity = isset($unboundcfg['log_verbosity']) ? $unboundcfg['log_verbosity'] : 1; + $use_caps = isset($unboundcfg['use_caps']) ? 
"yes" : "no"; // Set up forwarding if it is configured - if (isset($config['unbound']['forwarding'])) { + if (isset($unboundcfg['forwarding'])) { $dnsservers = array(); if (isset($config['system']['dnsallowoverride'])) { $ns = array_unique(get_nameservers()); @@ -356,10 +379,7 @@ include: {$g['unbound_chroot_path']}/remotecontrol.conf EOD; - create_unbound_chroot_path(); - file_put_contents("{$g['unbound_chroot_path']}/unbound.conf", $unboundconf); - - return 0; + return $unboundconf; } function unbound_remote_control_setup() { @@ -470,7 +490,16 @@ function do_as_unbound_user($cmd) { mwexec("echo '/usr/local/sbin/unbound-control reload' | /usr/bin/su -m unbound", true); break; case "unbound-anchor": + // sanity check root.key because unbound-anchor will fail without manual removal otherwise. redmine #5334 + if (file_exists("{$g['unbound_chroot_path']}/root.key")) { + $rootkeycheck = mwexec("/usr/bin/grep 'autotrust trust anchor file' {$g['unbound_chroot_path']}/root.key", true); + if ($rootkeycheck != "0") { + log_error("Unbound root.key file is corrupt, removing and recreating."); + unlink_if_exists("{$g['unbound_chroot_path']}/root.key"); + } + } mwexec("echo '/usr/local/sbin/unbound-anchor -a {$g['unbound_chroot_path']}/root.key' | /usr/bin/su -m unbound", true); + pfSense_fsync("{$g['unbound_chroot_path']}/root.key"); break; case "unbound-control-setup": mwexec("echo '/usr/local/sbin/unbound-control-setup -d {$g['unbound_chroot_path']}' | /usr/bin/su -m unbound", true); 
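Review bot: The root.key sanity check in the `@@ -470,7 +490,16` hunk treats any non-zero grep status as corruption, but grep also exits with 2 when it cannot read the file, so a transient permission or I/O problem deletes the trust anchor and forces unbound-anchor to re-bootstrap it from the built-in key — the one step DNSSEC trust depends on, so deletion should be limited to the "marker absent" case. Reading the file in PHP avoids spawning a shell for a fixed-string search and keeps the two cases distinct: `$rootkey = file_get_contents("{$g['unbound_chroot_path']}/root.key");` then `if ($rootkey !== false && strpos($rootkey, 'autotrust trust anchor file') === false) {`, with a separate log_error() for the read-failure branch instead of an unlink. `$rootkeycheck != "0"` also compares mwexec()'s exit status loosely against a string; `!== 0` states the intent. do_as_unbound_user() starts and ends outside this hunk.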
@@ -526,7 +555,13 @@ function unbound_add_domain_overrides($pvt_rev="") { function unbound_add_host_entries() { global $config, $g; - $unbound_entries = "local-zone: \"{$config['system']['domain']}\" transparent\n"; + if (empty($config['unbound']['system_domain_local_zone_type'])) { + $system_domain_local_zone_type = "transparent"; + } else { + $system_domain_local_zone_type = $config['unbound']['system_domain_local_zone_type']; + } + + $unbound_entries = "local-zone: \"{$config['system']['domain']}\" $system_domain_local_zone_type\n"; $hosts = read_hosts(); $added_ptr = array(); |
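Review bot: `$system_domain_local_zone_type` is interpolated unquoted into the `local-zone:` directive straight from $config['unbound']['system_domain_local_zone_type'] with no check that it is one of unbound's zone types, so a value outside that set, or one carrying whitespace, yields a config unbound-checkconf rejects and the resolver stops serving. A small allowlist here, falling back to "transparent", keeps the function self-protecting regardless of what the GUI validates, e.g. `if (!in_array($system_domain_local_zone_type, array("deny", "refuse", "static", "transparent", "typetransparent", "redirect", "inform", "inform_deny", "nodefault"), true)) { $system_domain_local_zone_type = "transparent"; }`. The rest of unbound_add_host_entries() lies outside this hunk.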