Diffstat (limited to 'config/unbound')
-rw-r--r-- | config/unbound/unbound.inc | 77 | ||||
-rw-r--r-- | config/unbound/unbound.xml | 18 | ||||
-rwxr-xr-x | config/unbound/unbound_monitor.sh | 66 |
3 files changed, 158 insertions, 3 deletions
diff --git a/config/unbound/unbound.inc b/config/unbound/unbound.inc
index 76c35277..9c2b75ee 100644
--- a/config/unbound/unbound.inc
+++ b/config/unbound/unbound.inc
@@ -72,7 +72,7 @@ function unbound_initial_setup() {
  * */
  if(!isset($unbound_config['active_interface'])) {
- if(count($config['interfaces']) > 1)
+ if (count($config['interfaces']) > 1)
  $unbound_config['active_interface'] = "lan";
  else
  $unbound_config['active_interface'] = "wan";
@@ -303,6 +303,71 @@ function unbound_get_network_interface_addresses() {
  return $unbound_interfaces;
  }
+function unbound_get_query_interface_addresses() {
+ global $config;
+
+ $interfaces = $config['interfaces'];
+ $unbound_config = $config['installedpackages']['unbound']['config'][0];
+ /* If no query interface is configured then just return false */
+ if (empty($unbound_config['query_interface']))
+ return false;
+ else
+ $unboundint = explode(",", $unbound_config['query_interface']);
+ $unbound_interfaces = array();
+ $i = 0;
+
+ foreach ($unboundint as $unboundidx => $unboundif) {
+ /* Configure IPv4 addresses */
+ if (is_ipaddr($interfaces[$unboundif]['ipaddr'])) {
+ $unbound_interfaces[$i]['ipv4']['ipaddr'] = $interfaces[$unboundif]['ipaddr'];
+ $unbound_interfaces[$i]['ipv4']['subnet'] = $interfaces[$unboundif]['subnet'];
+ $unbound_interfaces[$i]['ipv4']['network'] = gen_subnet($unbound_interfaces[$i]['ipv4']['ipaddr'],$unbound_interfaces[$i]['ipv4']['subnet']);
+
+ // Check for CARP addresses and also return those - only IPv4 for now
+ if (isset($config['virtualip'])) {
+ if(is_array($config['virtualip']['vip'])) {
+ foreach($config['virtualip']['vip'] as $vip) {
+ if (($vip['interface'] == $unboundif) && ($vip['mode'] == "carp")) {
+ $virtual_ip = find_interface_ip(link_ip_to_carp_interface($vip['subnet']));
+ if ($virtual_ip == '') {
+ log_error("Unbound DNS: There was a problem setting up the Virtual IP for the interface ".link_ip_to_carp_interface($vip['subnet']));
+ } else {
+ $unbound_interfaces[$i]['virtual']['ipaddr'] = $virtual_ip;
+ }
+ }
+ }
+ }
+ } else if(isset($interfaces[$unboundif]['ipaddr'])) {
+ /* Find the interface IP address for
+ * XXX - this only works for IPv4 currently - the pfSense module needs IPv6 love
+ */
+ $unboundrealif = convert_friendly_interface_to_real_interface_name($unboundif);
+ $unbound_interfaces[$i]['ipv4']['ipaddr'] = find_interface_ip($unboundrealif);
+ $unbound_interfaces[$i]['ipv4']['subnet'] = find_interface_subnet($unboundrealif);
+ $unbound_interfaces[$i]['ipv4']['network'] = gen_subnet($unbound_interfaces[$i]['ipv4']['ipaddr'],$unbound_interfaces[$i]['ipv4']['subnet']);
+ }
+
+ /* Configure IPv6 addresses */
+ if(function_exists("is_ipaddrv6")) {
+ if(is_ipaddrv6($interfaces[$unboundif]['ipaddrv6'])) {
+ $unbound_interfaces[$i]['ipv6']['ipaddr'] = $interfaces[$unboundif]['ipaddrv6'];
+ $unbound_interfaces[$i]['ipv6']['subnet'] = $interfaces[$unboundif]['subnetv6'];
+ $unbound_interfaces[$i]['ipv6']['network'] = gen_subnetv6($unbound_interfaces[$i]['ipv6']['ipaddr'], $unbound_interfaces[$i]['ipv6']['subnet']);
+ }
+ }
+ /* Lastly check for loopback addresses*/
+ if($unboundif == "lo0") {
+ $unbound_interfaces[$i]['loopback']['ipaddr'] = "127.0.0.1";
+ if (function_exists("is_ipaddrv6"))
+ $unbound_interfaces[$i]['loopback6']['ipaddr'] = "::1";
+ }
+ $i++;
+ }
+ return $unbound_interfaces;
+}
+
+
  function unbound_acls_config() {
  global $config;
@@ -343,6 +408,14 @@ function unbound_resync_config() {
  $unbound_allowed_networks .= "access-control: {$entry['network']}/{$entry['subnet']} allow\n";
  }
  }
+ if($unboundquerycfg = unbound_get_query_interface_addresses()) {
+ foreach($unboundquerycfg as $qent) {
+ $unbound_query_interfaces = "# Interfaces to query from\n";
+ foreach($qent as $entry)
+ $unbound_query_interfaces .= "outgoing-interface: {$entry['ipaddr']}\n";
+ }
+ }
+
  /* Configure user configured ACLs */
  $unbound_allowed_networks .= unbound_acls_config();
@@ -470,6 +543,8 @@ harden-dnssec-stripped: {$harden_dnssec_stripped}
  # Interface IP(s) to bind to
  {$unbound_bind_interfaces}
+{$unbound_query_interfaces}
+
  {$anchor_file}
  #### Access Control ####
diff --git a/config/unbound/unbound.xml b/config/unbound/unbound.xml
index 5e6361d5..f8c33582 100644
--- a/config/unbound/unbound.xml
+++ b/config/unbound/unbound.xml
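Review bot: In the `else if(isset($interfaces[$unboundif]['ipaddr']))` branch the value of `find_interface_ip($unboundrealif)` is stored unchecked, whereas the CARP branch a few lines above treats an empty return from the same helper as a failure and logs it. An interface that currently holds no address (I would expect DHCP or PPP links before they come up, but cannot confirm that from this file) therefore produces an `ipv4` entry whose `ipaddr` is the empty string, and the consumer added later in this commit turns every entry into an `outgoing-interface: {$entry['ipaddr']}` line, so the generated unbound.conf would contain an `outgoing-interface:` directive with no address. Only populate `$unbound_interfaces[$i]['ipv4']` when `find_interface_ip($unboundrealif)` returns a non-empty value, and log the miss the way the CARP branch does. The `subnet` and `network` members are computed for every entry but nothing in this commit reads them, and `$unboundidx` is unused; the whole function lies inside the hunk.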
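Review bot: `$unbound_query_interfaces = "# Interfaces to query from\n";` is placed inside the outer `foreach($unboundquerycfg as $qent)`, so each query interface after the first overwrites the lines appended for the previous ones; since the new field is declared `<multiple/>`, selecting several interfaces leaves only the last one in the generated config. Move that assignment above the outer loop, directly inside the `if`. Also initialise `$unbound_query_interfaces = "";` before the `if`, because when unbound_get_query_interface_addresses() returns false the variable is never assigned yet is still interpolated into the config template by the `{$unbound_query_interfaces}` line added in the next hunk. The enclosing unbound_resync_config() starts and ends outside the hunk.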
@@ -75,7 +75,11 @@
  <chmod>0644</chmod>
  <item>http://www.pfsense.org/packages/config/unbound/unbound_advanced.xml</item>
  </additional_files_needed>
-
+ <additional_files_needed>
+ <prefix>/usr/local/etc/rc.d/</prefix>
+ <chmod>0755</chmod>
+ <item>http://www.pfsense.org/packages/config/unbound/unbound_monitor.sh</item>
+ </additional_files_needed>
  <tabs>
  <tab>
  <text>Unbound DNS Settings</text>
@@ -110,13 +114,23 @@
  <field>
  <fielddescr>Network interface</fielddescr>
  <fieldname>active_interface</fieldname>
- <description>The network interface(s) the Unbound DNS server will query from.</description>
+ <description>The network interface(s) the Unbound DNS server will listen on.</description>
  <type>interfaces_selection</type>
  <required/>
  <default_value>wan</default_value>
  <multiple/>
  </field>
  <field>
+ <fielddescr>Query interfaces</fielddescr>
+ <fieldname>query_interface</fieldname>
+ <description>Utilize different network interface(s) that Unbound DNS server will use to send queries to authoritative servers and receive their replies. <br/>
+ <b>Note:</b> If a query interface is not selected then the default of all interfaces will be used.
+ </description>
+ <type>interfaces_selection</type>
+ <default_value>wan</default_value>
+ <multiple/>
+ </field>
+ <field>
  <fieldname>dnssec_status</fieldname>
  <fielddescr>Enable DNSSEC</fielddescr>
  <description>Enable the use of DNSSEC. <br/>
diff --git a/config/unbound/unbound_monitor.sh b/config/unbound/unbound_monitor.sh
new file mode 100755
index 00000000..152a308e
--- /dev/null
+++ b/config/unbound/unbound_monitor.sh
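Review bot: The new `query_interface` field carries `<default_value>wan</default_value>`, but its own description promises that when no query interface is selected Unbound falls back to all interfaces; with a default in place the "all interfaces" behaviour is only reachable by actively deselecting WAN, and an installation that never opens the page would get an `outgoing-interface:` line pinned to WAN (how the package applies `default_value` to existing configs is not visible from this file). Either drop the `<default_value>wan</default_value>` line so an untouched field stays empty, or reword the note to `<b>Note:</b> WAN is used unless other interfaces are selected here.` so the text and the default agree.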
@@ -0,0 +1,66 @@
+#!/bin/sh
+# $Id$ */
+#
+# unbound.sh
+# Copyright (C) 2011 Warren Baker
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+set -e
+
+LOOP_SLEEP=5
+
+if [ -f /var/run/unbound_alarm ]; then
+ rm /var/run/unbound_alarm
+fi
+
+# Sleep 5 seconds on startup not to mangle with existing boot scripts.
+sleep 5
+
+while [ /bin/true ]; do
+ if [ ! -f /var/run/unbound_alarm ]; then
+ NUM_PROCS=`/bin/pgrep unbound | wc -l | awk '{print $1}'`
+ if [ $NUM_PROCS -lt 1 ]; then
+ # Unbound is not running
+ echo "Unbound has exited." | logger -p daemon.info -i -t Unbound_Alarm
+ echo "Attempting restart..." | logger -p daemon.info -i -t Unbound_Alarm
+ /usr/local/etc/rc.d/unbound.sh start
+ sleep 3
+ touch /var/run/unbound_alarm
+ fi
+ fi
+ NUM_PROCS=`/bin/pgrep unbound | wc -l | awk '{print $1}'`
+ if [ $NUM_PROCS -gt 0 ]; then
+ if [ -f /var/run/unbound_alarm ]; then
+ echo "Unbound has resumed." | logger -p daemon.info -i -t Unbound_Alarm
+ rm /var/run/unbound_alarm
+ fi
+ fi
+ sleep $LOOP_SLEEP
+done
+
+if [ -f /var/run/unbound_alarm ]; then
+ rm /var/run/unbound_alarm
+fi
+ |
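Review bot: With `set -e` at the top, a non-zero exit from `/usr/local/etc/rc.d/unbound.sh start` terminates the monitor itself, so the watchdog disappears at exactly the moment the restart it exists for fails and no further attempt is ever made; either drop `set -e` or write the call as `/usr/local/etc/rc.d/unbound.sh start || echo "Restart failed." | logger -p daemon.err -i -t Unbound_Alarm` so the loop keeps retrying. `pgrep unbound` matches any process whose name contains that string, so a running `unbound-anchor` or `unbound-control` counts as the daemon and masks a crashed resolver; `pgrep -x unbound` in both `NUM_PROCS=` lines restricts the match to the exact name. `while [ /bin/true ]` is a string test that is true because the word is non-empty, not an invocation of true; `while true; do` states the intent. The loop never detaches itself, and the unbound.xml hunk installs this file under /usr/local/etc/rc.d/, so whatever runs it at boot has to background it or the boot sequence waits on it forever (the boot-time runner is not visible from here).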