Diffstat (limited to 'config/unbound')
-rw-r--r--config/unbound/unbound.inc258
-rw-r--r--config/unbound/unbound.xml10
-rw-r--r--config/unbound/unbound_acls.php19
-rw-r--r--config/unbound/unbound_acls.xml8
-rw-r--r--config/unbound/unbound_advanced.xml9
-rwxr-xr-xconfig/unbound/unbound_monitor.sh68
-rw-r--r--config/unbound/unbound_status.php64
7 files changed, 234 insertions, 202 deletions
diff --git a/config/unbound/unbound.inc b/config/unbound/unbound.inc
index 6588c5c2..f1d68eb7 100644
--- a/config/unbound/unbound.inc
+++ b/config/unbound/unbound.inc
@@ -23,6 +23,12 @@
POSSIBILITY OF SUCH DAMAGE.
*/
+// Define basedir constant for unbound according to FreeBSD version (PBI support or no PBI)
+if (floatval(php_uname("r")) >= 8.3)
+ define("UNBOUND_BASE", "/usr/pbi/unbound-" . php_uname("m"));
+else
+ define("UNBOUND_BASE", "/usr/local");
+
if(!function_exists("is_service_running"))
require_once("service-utils.inc");
@@ -40,34 +46,35 @@ function unbound_initial_setup() {
// Make sure read-write
conf_mount_rw();
-
+
if (!is_array($config['installedpackages']['unbound']['config']))
$config['installedpackages']['unbound']['config'] = array();
$unbound_config = &$config['installedpackages']['unbound']['config'][0];
// Ensure Unbound user exists
- exec("/usr/sbin/pw useradd unbound");
+ mwexec("/usr/sbin/pw useradd unbound", true);
// Setup unbound
// Create and chown dirs
- mwexec("/bin/mkdir -p /usr/local/etc/unbound /usr/local/etc/unbound/dev");
- @chown("/usr/local/etc/unbound/.", "unbound");
- @chown("/usr/local/etc/unbound/dev.", "unbound");
+ mwexec("/bin/mkdir -p " . UNBOUND_BASE . "/etc/unbound/dev");
+ @chown(UNBOUND_BASE . "/etc/unbound/.", "unbound");
+ @chown(UNBOUND_BASE . "/etc/unbound/dev.", "unbound");
// Touch needed files
- @touch("/usr/local/etc/unbound/root.hints");
- @touch("/usr/local/etc/unbound/root-trust-anchor");
+ @touch(UNBOUND_BASE . "/etc/unbound/root.hints");
+ @touch(UNBOUND_BASE . "/etc/unbound/root-trust-anchor");
// Ensure files and folders belong to unbound
- @chown("/usr/local/etc/unbound/root-trust-anchor", "unbound");
- @chgrp("/usr/local/etc/unbound/root-trust-anchor", "wheel");
- @chmod("/usr/local/etc/unbound/root-trust-anchor", 0600);
+ @chown(UNBOUND_BASE . "/etc/unbound/root-trust-anchor", "unbound");
+ @chgrp(UNBOUND_BASE . "/etc/unbound/root-trust-anchor", "wheel");
+ @chmod(UNBOUND_BASE . "/etc/unbound/root-trust-anchor", 0600);
// We do not need the sample conf or the default rc.d startup file
- @unlink_if_exists("/usr/local/etc/unbound/unbound.conf.sample");
+ @unlink_if_exists(UNBOUND_BASE . "/etc/unbound/unbound.conf.sample");
+ @unlink_if_exists(UNBOUND_BASE . "/etc/rc.d/unbound");
@unlink_if_exists("/usr/local/etc/rc.d/unbound");
-
+
// Setup rc file for startup and shutdown.
unbound_rc_setup();
-
+
/* Check to see if Set initial interfaces that are allowed to query to lan, if that does not exist set it to the wan
*
*/
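Review bot: `mwexec("/usr/sbin/pw useradd unbound", true)` creates the service account with pw's defaults, which on FreeBSD normally means a login shell and a home directory under /home unless /etc/pw.conf says otherwise; a resolver account should get neither, e.g. `mwexec("/usr/sbin/pw useradd unbound -d /nonexistent -s /usr/sbin/nologin -c 'Unbound DNS'", true);`. The `true` also mutes the command's output, so a failed useradd is invisible unless the return value is checked and passed to log_error. Separately, `@chown(UNBOUND_BASE . "/etc/unbound/dev.", "unbound")` looks like a typo for `dev/.` that the `@` keeps silent, since the mkdir above creates `dev`, not `dev.`. unbound_initial_setup() continues past this hunk.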
@@ -77,34 +84,34 @@ function unbound_initial_setup() {
else
$unbound_config['active_interface'] = "wan";
}
-
+
unbound_anchor_setup();
unbound_resync_config();
unbound_keys_setup();
- exec("/usr/sbin/chown -R unbound:wheel /usr/local/etc/unbound/*");
+ exec("/usr/sbin/chown -R unbound:wheel " . UNBOUND_BASE . "/etc/unbound/*");
// Write out the XML config
write_config();
-
+
// Back to read-only
conf_mount_ro();
}
function unbound_anchor_setup() {
-
+
$conf = <<<EOD
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
EOD;
- file_put_contents("/usr/local/etc/unbound/root-trust-anchor", $conf);
-
+ file_put_contents(UNBOUND_BASE . "/etc/unbound/root-trust-anchor", $conf);
+
}
function unbound_keys_setup() {
-
+
// Generate SSL Keys for controlling the unbound server
- mwexec("/usr/local/sbin/unbound-control-setup");
+ mwexec(UNBOUND_BASE . "/sbin/unbound-control-setup");
}
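Review bot: unbound_anchor_setup() overwrites the trust-anchor file with a fixed DS record for key tag 19036 every time initial setup runs, yet the same file is handed to unbound as `auto-trust-anchor-file` (RFC 5011 tracking), so any rollover state already written there is discarded on every reinstall or upgrade, and once the root KSK rolls the hard-coded DS becomes stale. Seed the file only when it is missing or empty, e.g. `$anchor = UNBOUND_BASE . "/etc/unbound/root-trust-anchor";` then `if (!file_exists($anchor) || filesize($anchor) == 0) file_put_contents($anchor, $conf);`, and log_error when the write returns false, because with no anchor the validator has nothing to validate against. The function also deserves a line explaining the literal: `// DS for the IANA root KSK (key tag 19036); bootstrap only, RFC 5011 keeps the file current.`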
@@ -148,25 +155,21 @@ ENDPHP\n";
}
function unbound_install() {
-
- conf_mount_rw();
unbound_initial_setup();
- conf_mount_ro();
-
}
function unbound_control($action) {
global $config, $g;
-
+
$unbound_config = $config['installedpackages']['unbound']['config'][0];
$cache_dumpfile = "/var/tmp/unbound_cache";
-
+
switch ($action) {
case "forward":
/* Dont utilize forward cmd if Unbound is doing DNS queries directly
* XXX: We could make this an option to then make pfSense use Unbound
* as the recursive nameserver instead of upstream ones(?)
- */
+ */
if ($unbound_config['forwarding_mode'] == "on") {
// Get configured DNS servers and add them as forwarders
if (!isset($config['system']['dnsallowoverride'])) {
@@ -182,7 +185,7 @@ function unbound_control($action) {
$dns_servers .= " $nameserver";
}
}
-
+
if(is_service_running("unbound")) {
unbound_ctl_exec("forward $dns_servers");
} else {
@@ -192,7 +195,7 @@ function unbound_control($action) {
}
}
break;
-
+
case "start":
//Start unbound
if($unbound_config['unbound_status'] == "on") {
@@ -203,28 +206,31 @@ function unbound_control($action) {
@unlink("/var/run/dnsmasq.pid");
mwexec("/bin/ln -s /var/run/unbound.pid /var/run/dnsmasq.pid");
}
+ mwexec_bg("/usr/local/bin/unbound_monitor.sh");
fetch_root_hints();
}
break;
-
+
case "stop":
//Stop unbound and unmount the file system
if($unbound_config['unbound_status'] == "on") {
- unbound_ctl_exec("stop");
+ mwexec_bg("/usr/local/bin/unbound_monitor.sh stop");
+ unbound_ctl_exec("stop");
}
break;
-
+
case "termstop":
//Stop Unbound by sigkillbypid();
+ mwexec_bg("/usr/local/bin/unbound_monitor.sh stop");
sigkillbypid("{$g['varrun_path']}/unbound.pid", "TERM");
break;
-
+
case "dump_cache":
//Dump Unbound's Cache
if($unbound_config['dumpcache'] == "on")
unbound_ctl_exec("dump_cache > $cache_dumpfile");
break;
-
+
case "restore_cache":
//Restore Unbound's Cache
if ((is_service_running("unbound")) && ($unbound_config['dumpcache'] == "on")) {
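Review bot: In the `stop` case the monitor is told to exit with `mwexec_bg(...)`, which by its name is backgrounded, immediately before `unbound_ctl_exec("stop")` runs synchronously, so there is a window in which the monitor loop can observe unbound gone and restart it before the background `stop` reaches it; `termstop` has the same ordering. Stopping the monitor synchronously closes the window: `mwexec("/usr/local/bin/unbound_monitor.sh stop");` in both cases, since the script returns promptly on `stop`. The monitor path is hard-coded here while everything else in the file moved to `UNBOUND_BASE`; that matches the `/usr/local/bin/` prefix in unbound.xml but is worth a one-line comment saying so. unbound_control() continues beyond this hunk.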
@@ -234,13 +240,13 @@ function unbound_control($action) {
break;
case "anchor_update":
//Update the Root Trust Anchor
- mwexec("/usr/local/sbin/unbound-anchor -a /usr/local/etc/unbound/root-trust-anchor", true);
+ mwexec(UNBOUND_BASE . "/sbin/unbound-anchor -a " . UNBOUND_BASE . "/etc/unbound/root-trust-anchor", true);
break;
default:
break;
-
+
}
-
+
}
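Review bot: `mwexec(UNBOUND_BASE . "/sbin/unbound-anchor -a " ..., true)` discards the result, and on the unbound-anchor versions I know the exit code is not an error signal (1 reports that the anchor was reset from the certificate, and errors still exit 0), so the useful post-condition is that the file is non-empty afterwards: `if (filesize(UNBOUND_BASE . "/etc/unbound/root-trust-anchor") == 0) log_error("Unbound DNS: trust anchor is empty after unbound-anchor");`. This also runs as root against a file initial setup deliberately chowns to `unbound` with mode 0600; if unbound-anchor recreates the file instead of rewriting it in place (not verified here), ownership silently becomes root and the daemon can no longer update its RFC 5011 state, so re-applying the chown after the call is cheap insurance. The rest of unbound_control() is outside this hunk.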
function unbound_get_network_interface_addresses() {
@@ -251,7 +257,7 @@ function unbound_get_network_interface_addresses() {
$unboundint = explode(",", $unbound_config['active_interface']);
$unbound_interfaces = array();
$i = 0;
-
+
foreach ($unboundint as $unboundidx => $unboundif) {
/* Configure IPv4 addresses */
if (is_ipaddr($interfaces[$unboundif]['ipaddr'])) {
@@ -269,12 +275,14 @@ function unbound_get_network_interface_addresses() {
log_error("Unbound DNS: There was a problem setting up the Virtual IP for the interface ".link_ip_to_carp_interface($vip['subnet']));
} else {
$unbound_interfaces[$i]['virtual']['ipaddr'] = $virtual_ip;
+ $unbound_interfaces[$i]['virtual']['subnet'] = $vip['subnet_bits'];
+ $unbound_interfaces[$i]['virtual']['network'] = $virtual_ip;
}
}
}
}
}
- } else if(isset($interfaces[$unboundif]['ipaddr'])) {
+ } else if (isset($interfaces[$unboundif]['ipaddr'])) {
/* Find the interface IP address for
* XXX - this only works for IPv4 currently - the pfSense module needs IPv6 love
*/
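Review bot: `$unbound_interfaces[$i]['virtual']['network'] = $virtual_ip;` stores the VIP's host address under a key that the IPv4 branch below fills with the subnet base via gen_subnet(), so anything that later emits `access-control: {network}/{subnet}` from a virtual entry would produce a host address with a prefix length. Nothing in this commit consumes it, so it is harmless today, but compute it the same way for consistency: `$unbound_interfaces[$i]['virtual']['network'] = gen_subnet($virtual_ip, $vip['subnet_bits']);`. unbound_get_network_interface_addresses() starts before and continues after this hunk.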
@@ -283,7 +291,7 @@ function unbound_get_network_interface_addresses() {
$unbound_interfaces[$i]['ipv4']['subnet'] = find_interface_subnet($unboundrealif);
$unbound_interfaces[$i]['ipv4']['network'] = gen_subnet($unbound_interfaces[$i]['ipv4']['ipaddr'],$unbound_interfaces[$i]['ipv4']['subnet']);
}
-
+
/* Configure IPv6 addresses */
if(function_exists("is_ipaddrv6")) {
if(is_ipaddrv6($interfaces[$unboundif]['ipaddrv6'])) {
@@ -370,9 +378,9 @@ function unbound_get_query_interface_addresses() {
function unbound_acls_config() {
global $config;
-
+
/* Configure the ACLs */
- if(is_array($config['installedpackages']['unboundacls']['config'])) {
+ if (is_array($config['installedpackages']['unboundacls']['config'])) {
$unbound_acls = $config['installedpackages']['unboundacls']['config'];
$unboundcfg = "";
foreach($unbound_acls as $unbound_acl){
@@ -381,7 +389,7 @@ function unbound_acls_config() {
if ($unbound_acl['aclaction'] == "allow snoop")
$unbound_acl['aclaction'] = "allow_snoop";
$unboundcfg .= "access-control: {$network['acl_network']}/{$network['mask']} {$unbound_acl['aclaction']}\n";
- }
+ }
}
return $unboundcfg;
} else
@@ -390,23 +398,22 @@ function unbound_acls_config() {
function unbound_resync_config() {
global $config, $g, $input_errors;
-
+
+ $unbound_base = UNBOUND_BASE;
+
if (!is_array($config['installedpackages']['unbound']['config']))
$config['installedpackages']['unbound']['config'] = array();
$unbound_config = &$config['installedpackages']['unbound']['config'][0];
-
+
// Interfaces to bind to and setup acls for nics
$unbound_bind_interfaces = "";
$unbound_allowed_networks = "";
$unboundnetcfg = unbound_get_network_interface_addresses();
foreach($unboundnetcfg as $netent) {
- foreach($netent as $entry) {
- # If virtual interface then skip
- if (!$entry['network'] && !$entry['subnet'] && ($entry['ipaddr'] != "127.0.0.1" && $entry['ipaddr'] != "::1"))
- continue;
+ foreach($netent as $nettype => $entry) {
$unbound_bind_interfaces .="interface: {$entry['ipaddr']}\n";
- if($entry['ipaddr'] != "127.0.0.1" && $entry['ipaddr'] != "::1")
+ if($entry['ipaddr'] != "127.0.0.1" && $entry['ipaddr'] != "::1" && $nettype != "virtual")
$unbound_allowed_networks .= "access-control: {$entry['network']}/{$entry['subnet']} allow\n";
}
}
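Review bot: The rewritten loop binds an `interface:` line for every virtual address but, through `$nettype != "virtual"`, emits no `access-control:` for it, so a client whose only path to the resolver is a VIP on a subnet other than the interface's primary one gets unbound's default refusal. If the intent is that VIPs always sit inside the parent interface's subnet, record it: `// virtual IPs share the parent interface's subnet, whose access-control line covers them` above the `if`; otherwise drop the `$nettype` test once the virtual entry carries a real network base. A guard `if (empty($entry['ipaddr'])) continue;` at the top of the inner loop would also keep a half-populated entry from producing a bare `interface: ` line and a config parse failure. unbound_resync_config() continues well past this hunk.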
@@ -420,19 +427,19 @@ function unbound_resync_config() {
/* Configure user configured ACLs */
$unbound_allowed_networks .= unbound_acls_config();
-
+
if($unbound_config['dnssec_status'] == "on") {
$module_config = "validator iterator";
- $anchor_file = "auto-trust-anchor-file: /usr/local/etc/unbound/root-trust-anchor";
+ $anchor_file = "auto-trust-anchor-file: " . UNBOUND_BASE . "/etc/unbound/root-trust-anchor";
} else
$module_config = "iterator";
-
+
// Host entries
$host_entries = unbound_add_host_entries();
-
+
// Domain Overrides
$domain_overrides = unbound_add_domain_overrides();
-
+
// Unbound Statistics
if($unbound_config['stats'] == "on") {
$stats_interval = $unbound_config['stats_interval'];
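Review bot: `$anchor_file` is assigned only in the `dnssec_status == "on"` branch, so the `else` leaves it undefined; if it is interpolated into the server block further down (outside this hunk, which I assume it is) PHP raises a notice and emits nothing, which works only by accident. Initialise it before the test with `$anchor_file = "";` above `if($unbound_config['dnssec_status'] == "on") {`. unbound_resync_config() continues past this hunk.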
@@ -440,13 +447,13 @@ function unbound_resync_config() {
if ($unbound_config['extended_stats'] == "on")
$extended_stats = "yes";
else
- $extended_stats = "no";
+ $extended_stats = "no";
} else {
$stats_interval = "0";
$cumulative_stats = "no";
$extended_stats = "no";
}
-
+
// Private-address support for DNS Rebinding
if($unbound_config['private_address'] == "on") {
$pvt_addr = <<<EOF
@@ -467,7 +474,7 @@ EOF;
//Setup optimization
$optimization = unbound_optimization();
-
+
$unbound_config = &$config['installedpackages']['unboundadvanced']['config'][0];
// Setup Advanced options
$log_verbosity = (isset($unbound_config['unbound_verbosity'])) ? $unbound_config['unbound_verbosity'] : "1";
@@ -480,7 +487,7 @@ EOF;
$outgoing_num_tcp = (!empty($unbound_config['outgoing_num_tcp'])) ? $unbound_config['outgoing_num_tcp'] : "10";
$incoming_num_tcp = (!empty($unbound_config['incoming_num_tcp'])) ? $unbound_config['incoming_num_tcp'] : "10";
$edns_buffer_size = (!empty($unbound_config['edns_buffer_size'])) ? $unbound_config['edns_buffer_size'] : "4096";
- $num_queries_per_thread = (!empty($unbound_config['num_queries_per_thread'])) ? $unbound_config['num_queries_per_thread'] : "1024";
+ $num_queries_per_thread = (!empty($unbound_config['num_queries_per_thread'])) ? $unbound_config['num_queries_per_thread'] : "4096";
$jostle_timeout = (!empty($unbound_config['jostle_timeout'])) ? $unbound_config['jostle_timeout'] : "200";
$cache_max_ttl = (!empty($unbound_config['cache_max_ttl'])) ? $unbound_config['cache_max_ttl'] : "86400";
$cache_min_ttl = (!empty($unbound_config['cache_min_ttl'])) ? $unbound_config['cache_min_ttl'] : "0";
@@ -488,8 +495,7 @@ EOF;
$infra_lame_ttl = (!empty($unbound_config['infra_lame_ttl'])) ? $unbound_config['infra_lame_ttl'] : "900";
$infra_cache_numhosts = (!empty($unbound_config['infra_cache_numhosts'])) ? $unbound_config['infra_cache_numhosts'] : "10000";
$unwanted_reply_threshold = (!empty($unbound_config['unwanted_reply_threshold'])) ? $unbound_config['unwanted_reply_threshold'] : "0";
-
-
+
$unbound_conf = <<<EOD
#########################
@@ -502,7 +508,7 @@ EOF;
server:
chroot: ""
username: "unbound"
-directory: "/usr/local/etc/unbound"
+directory: "{$unbound_base}/etc/unbound"
pidfile: "{$g['varrun_path']}/unbound.pid"
root-hints: "root.hints"
harden-referral-path: no
@@ -539,7 +545,7 @@ harden-dnssec-stripped: {$harden_dnssec_stripped}
{$optimization['key_cache_slabs']}
{$optimization['msg_cache_size']}
{$optimization['rrset_cache_size']}
-{$optimization['outgoing_range']}
+outgoing-range: 8192
{$optimization['so_rcvbuf']}
# Interface IP(s) to bind to
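Review bot: `outgoing-range: 8192` is now a fixed per-thread value replacing a calculation that scaled the total with the CPU count; with `num-threads` set to the number of CPUs, a multi-core box asks unbound for 8192 sockets per thread plus cache and listen descriptors, and whether that is honoured depends on the event library the unbound port was built with and on `kern.maxfilesperproc` (unbound warns or refuses to start when it cannot get enough descriptors, depending on version; verify on a multi-core install). State the assumption in the config: `# 8192 per thread: needs a libevent/kqueue-built unbound and a descriptor limit above num-threads * 8192`, or derive the value from `$numprocs` as before so it scales down. The rest of the unbound_conf heredoc is outside this hunk.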
@@ -564,14 +570,14 @@ access-control: ::1 allow
EOD;
-# Handle custom options
-if(!empty($unbound_config['custom_options'])) {
- $custom_options = explode(";", ($unbound_config['custom_options']));
- $unbound_conf .= "# Unbound Custom options\n";
- foreach ($custom_options as $ent) {
- $unbound_conf .= $ent."\n";
+ # Handle custom options
+ if(!empty($unbound_config['custom_options'])) {
+ $custom_options = explode(";", ($unbound_config['custom_options']));
+ $unbound_conf .= "# Unbound Custom options\n";
+ foreach ($custom_options as $ent) {
+ $unbound_conf .= $ent."\n";
+ }
}
-}
$unbound_conf .= <<<EOD
@@ -582,22 +588,24 @@ remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 953
-server-key-file: "/usr/local/etc/unbound/unbound_server.key"
-server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
-control-key-file: "/usr/local/etc/unbound/unbound_control.key"
-control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"
+server-key-file: "{$unbound_base}/etc/unbound/unbound_server.key"
+server-cert-file: "{$unbound_base}/etc/unbound/unbound_server.pem"
+control-key-file: "{$unbound_base}/etc/unbound/unbound_control.key"
+control-cert-file: "{$unbound_base}/etc/unbound/unbound_control.pem"
EOD;
- file_put_contents("/usr/local/etc/unbound/unbound.conf", $unbound_conf);
-
+ conf_mount_rw();
+ file_put_contents("{$unbound_base}/etc/unbound/unbound.conf", $unbound_conf);
+ conf_mount_ro();
+
}
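Review bot: The return value of `file_put_contents("{$unbound_base}/etc/unbound/unbound.conf", $unbound_conf)` is ignored, so a failed write (read-only mount, missing PBI directory on a half-installed package) leaves the previous unbound.conf in place and the subsequent restart silently runs with stale interfaces and ACLs. Check it while the mount is still rw: `if (file_put_contents("{$unbound_base}/etc/unbound/unbound.conf", $unbound_conf) === false) log_error("Unbound DNS: unable to write {$unbound_base}/etc/unbound/unbound.conf");`. The conf_mount_rw()/conf_mount_ro() pair also nests inside the one unbound_initial_setup() already holds, which relies on pfSense refcounting those calls; a comment noting that would save the next reader a check. The start of unbound_resync_config() is outside this hunk.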
function unbound_ctl_exec($cmd) {
-
- mwexec("/usr/local/sbin/unbound-control $cmd");
-
+
+ mwexec(UNBOUND_BASE . "/sbin/unbound-control $cmd");
+
}
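Review bot: unbound_ctl_exec() hands `$cmd` to the shell unescaped, and its callers (outside this hunk) build it from configuration — `forward $dns_servers` from the system nameserver list — and from a shell redirection (`dump_cache > $cache_dumpfile`), so the function cannot simply escapeshellarg() its argument. Document the contract here: `// $cmd is passed to the shell verbatim (callers rely on redirection); pass only validated values`, and validate each nameserver with is_ipaddr() at the point it is appended in the forward case.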
@@ -609,28 +617,24 @@ function unbound_optimization() {
$unbound_config = $config['installedpackages']['unboundadvanced']['config'][0];
$optimization_settings = array();
-
+
// Set the number of threads equal to number of CPUs.
// Use 1 (disable threading) if for some reason this sysctl fails.
$numprocs = intval(trim(`/sbin/sysctl kern.smp.cpus | /usr/bin/cut -d" " -f2`));
- if($numprocs > 0)
+ if($numprocs > 1) {
$optimization['number_threads'] = "num-threads: {$numprocs}";
- else
- $optimization['number_threads'] = "num-threads: 1";
-
- // Slabs to help reduce lock contention.
- if ($numprocs > 4) {
- $optimization['msg_cache_slabs'] = "msg-cache-slabs: {$numprocs}";
- $optimization['rrset_cache_slabs'] = "rrset-cache-slabs: {$numprocs}";
- $optimization['infra_cache_slabs'] = "infra-cache-slabs: {$numprocs}";
- $optimization['key_cache_slabs'] = "key-cache-slabs: {$numprocs}";
+ $optimize_num = pow(2,floor(log($numprocs,2)));
} else {
- $optimization['msg_cache_slabs'] = "msg-cache-slabs: 4";
- $optimization['rrset_cache_slabs'] = "rrset-cache-slabs: 4";
- $optimization['infra_cache_slabs'] = "infra-cache-slabs: 4";
- $optimization['key_cache_slabs'] = "key-cache-slabs: 4";
+ $optimization['number_threads'] = "num-threads: 1";
+ $optimize_num = 4;
}
-
+
+ // Slabs to help reduce lock contention.
+ $optimization['msg_cache_slabs'] = "msg-cache-slabs: {$optimize_num}";
+ $optimization['rrset_cache_slabs'] = "rrset-cache-slabs: {$optimize_num}";
+ $optimization['infra_cache_slabs'] = "infra-cache-slabs: {$optimize_num}";
+ $optimization['key_cache_slabs'] = "key-cache-slabs: {$optimize_num}";
+
// Memory usage - default is 4Mb if nothing has been selected
if(isset($unbound_config['msg_cache_size'])) {
$rr = $unbound_config['msg_cache_size']*2;
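Review bot: `pow(2,floor(log($numprocs,2)))` relies on a floating-point division that can land a hair below an integer for some exact powers of two, in which case floor() drops one and the slab count halves; small CPU counts are usually exact, but an integer loop is exact for every value: `$optimize_num = 1; while ($optimize_num * 2 <= $numprocs) $optimize_num *= 2;`. The comment `// Slabs to help reduce lock contention.` should also say why the rounding happens: `// unbound wants slab counts that are powers of two; round the CPU count down.` unbound_optimization() starts before this hunk.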
@@ -640,14 +644,6 @@ function unbound_optimization() {
$optimization['msg_cache_size'] = "msg-cache-size: 4m";
$optimization['rrset_cache_size'] = "rrset-cache-size: 8m";
}
-
- // More outgoing connections per thread otherwise assign a default of 4096 for a single thread
- if($numprocs > 0) {
- $or = (1024/$numprocs) - 50;
- $optimization['outgoing_range'] = "outgoing-range: {$or}";
- } else {
- $optimization['outgoing_range'] = "outgoing-range: {4096}";
- }
// Larger socket buffer for busy servers
// Check that it is set to 4MB (by default the OS has it configured to 4MB)
@@ -659,7 +655,7 @@ function unbound_optimization() {
$optimization['so_rcvbuf'] = "so-rcvbuf: {$so}m";
else
unset($optimization['so_rcvbuf']);
-
+
}
}
// Safety check in case kern.ipc.maxsockbuf is deleted.
@@ -671,12 +667,12 @@ function unbound_optimization() {
function fetch_root_hints() {
- $destination_file = "/usr/local/etc/unbound/root.hints";
+ $destination_file = UNBOUND_BASE . "/etc/unbound/root.hints";
if (filesize($destination_file) == 0 ) {
conf_mount_rw();
$fout = fopen($destination_file, "w");
$url = "ftp://ftp.internic.net/domain/named.cache";
-
+
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
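Review bot: The root hints are downloaded over plain FTP (`ftp://ftp.internic.net/domain/named.cache`) with no integrity check, and further down the function, outside this hunk, the body is written to `root.hints` before `$http_code` is examined, after which `filesize($destination_file) == 0` is false and the file is never refetched; an on-path tamperer or an error page thereby becomes the resolver's permanent priming data. The package can run with DNSSEC validation off, in which case nothing checks where those hints point. Fetch over HTTPS (`https://www.internic.net/domain/named.root`), and only write when the transfer succeeded and the body looks like hints (e.g. contains `A.ROOT-SERVERS.NET`), leaving the file empty otherwise so the next start retries.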
@@ -688,7 +684,7 @@ function fetch_root_hints() {
fwrite($fout, $data);
fclose($fout);
conf_mount_ro();
-
+
return ($http_code == 200) ? true : $http_code;
} else {
return false;
@@ -700,18 +696,18 @@ function unbound_validate($post, $type=null) {
if($post['unbound_status'] == "on" && isset($config['dnsmasq']['enable']))
$input_errors[] = "The system dns-forwarder is still active. Disable it before enabling the Unbound service.";
-
+
/* Validate the access lists */
if($type == "acl") {
$acls = $post;
// Check to ensure values entered is an action that is in the list
if ($acls['aclaction'] != 'refuse' && $acls['aclaction'] != 'allow' && $acls['aclaction'] != 'allow_snoop' && $acls['aclaction'] != 'deny')
$input_errors[] = "{$acls['aclaction']} is not a valid ACL Action. Please select one of the four actions defined in the list.";
-
+
// Make sure there is at least 1 network defined.
- if (!isset($acls['acl_network0']))
+ if (!isset($acls['acl_network0']))
$input_errors[] = "You need to specify at least one network to create a valid ACL.";
-
+
$count = 0;
// Get number of rows added, should be passed by the form - will look into that later
for($i=0; $i<99; $i++) {
@@ -719,7 +715,7 @@ function unbound_validate($post, $type=null) {
// Check to ensure values entered are networks
if(!is_ipaddr($acls['acl_network'.$i]) && !is_subnet($acls['mask'.$i]))
$input_errors[] = "{$acls['acl_network'.$i]}/{$acls['mask'.$i]} is not a valid network.";
- }
+ }
}
} else if($type == "advanced") {
if(!is_numeric($post['cache_max_ttl']))
@@ -732,7 +728,7 @@ function unbound_validate($post, $type=null) {
$input_errors[] = "You must enter a valid number in 'TTL for lame delegation'.";
if(!is_numeric($post['infra_cache_numhosts']))
$input_errors[] = "You must enter a valid number in 'Number of Hosts to cache'.";
-
+
} else if($type == "basic") {
/* Validate settings */
if($post['active_interface'] == "")
@@ -742,9 +738,9 @@ function unbound_validate($post, $type=null) {
function unbound_reconfigure() {
global $config;
-
+
$unbound_config = $config['installedpackages']['unbound']['config'][0];
-
+
if ($unbound_config['unbound_status'] != "on") {
if(is_service_running("unbound"))
unbound_control("termstop");
@@ -759,7 +755,7 @@ function unbound_reconfigure() {
unbound_control("forward");
unbound_control("restore_cache");
}
- }
+ }
}
function unbound_uninstall() {
@@ -769,20 +765,20 @@ function unbound_uninstall() {
unbound_control("termstop");
// Remove pkg config directory and startup file
- mwexec("rm -rf /usr/local/etc/unbound");
+ mwexec("rm -rf " . UNBOUND_BASE . "/etc/unbound");
@unlink("/usr/local/etc/rc.d/unbound.sh");
@unlink("{$g['varlog_path']}/unbound.log");
@unlink("/var/tmp/unbound_cache");
- conf_mount_ro();
+ conf_mount_ro();
}
function read_hosts() {
-
+
// Open /etc/hosts and extract the only dhcpleases info
$etc_hosts = array();
- foreach (file('/etc/hosts') as $line) {
+ foreach (file('/etc/hosts') as $line) {
$d = preg_split('/\s/', $line, -1, PREG_SPLIT_NO_EMPTY);
if (empty($d) || substr(reset($d), 0, 1) == "#")
continue;
@@ -806,12 +802,12 @@ function read_hosts() {
*/
function unbound_add_host_entries() {
global $config;
-
+
/* XXX: break this out into a separate config file and make use of include */
$unboundcfg = $config['installedpackages']['unbound']['config'][0];
$syscfg = $config['system'];
$dnsmasqcfg = $config['dnsmasq'];
-
+
$unbound_entries = "local-zone: \"{$syscfg['domain']}\" transparent\n";
// IPv4 entries
$unbound_entries .= "local-data-ptr: \"127.0.0.1 localhost\"\n";
@@ -823,7 +819,7 @@ function unbound_add_host_entries() {
$unbound_entries .= "local-data: \"localhost AAAA ::1\"\n";
$unbound_entries .= "local-data: \"localhost.{$syscfg['domain']} AAAA ::1\"\n";
}
-
+
if ($config['interfaces']['lan']) {
$cfgip = get_interface_ip("lan");
if (is_ipaddr($cfgip)) {
@@ -866,12 +862,12 @@ function unbound_add_host_entries() {
$host_entries .= "local-data: \"{$host['host']}{$host['domain']} IN A {$host['ip']}\"\n";
if (!empty($host['descr']) && $unboundcfg['txtsupport'] == 'on')
$host_entries .= "local-data: '{$host['host']}{$host['domain']} TXT \"".addslashes($host['descr'])."\"'\n";
-
+
// Do not add duplicate entries
$added_item[$current_host] = true;
}
}
- $unbound_entries .= $host_entries;
+ $unbound_entries .= $host_entries;
}
// Static DHCP entries
$host_entries = "";
@@ -886,7 +882,7 @@ function unbound_add_host_entries() {
$host_entries .= "local-data: '{$host['hostname']}.{$syscfg['domain']} TXT \"".addslashes($host['descr'])."\"'\n";
}
$unbound_entries .= $host_entries;
- }
+ }
// Handle DHCPLeases added host entries
$dhcplcfg = read_hosts();
@@ -915,7 +911,7 @@ function unbound_add_domain_overrides($pvt=false) {
// Domain overrides that have multiple entries need multiple stub-addr: added
$sorted_domains = msort($domains, "domain");
- $result = array();
+ $result = array();
foreach($sorted_domains as $domain) {
$domain_key = current($domain);
if(!isset($result[$domain_key])) {
@@ -923,7 +919,7 @@ function unbound_add_domain_overrides($pvt=false) {
}
$result[$domain_key][] = $domain['ip'];
}
-
+
$domain_entries = "";
foreach($result as $domain=>$ips) {
if($pvt == true) {
@@ -939,7 +935,7 @@ function unbound_add_domain_overrides($pvt=false) {
}
}
return $domain_entries;
- }
+ }
}
function unbound_acl_id_used($id) {
@@ -962,4 +958,4 @@ function unbound_get_next_id() {
return $aclid;
}
-?> \ No newline at end of file
+?>
diff --git a/config/unbound/unbound.xml b/config/unbound/unbound.xml
index 202e8451..10de1f97 100644
--- a/config/unbound/unbound.xml
+++ b/config/unbound/unbound.xml
@@ -9,7 +9,7 @@
part of the Unbound package for pfSense (http://www.pfSense.com)
Copyright (C) 2011 Warren Baker
All rights reserved.
- */
+ */
/* ========================================================================== */
/*
Redistribution and use in source and binary forms, with or without
@@ -34,13 +34,13 @@
POSSIBILITY OF SUCH DAMAGE.
*/
/* ========================================================================== */
- ]]>
+ ]]>
</copyright>
<description>Unbound is a validating, recursive, and caching DNS resolver.</description>
<requirements/>
<faq/>
<name>unbound</name>
- <version>1.4.14</version>
+ <version>1.4.20_5</version>
<title>Services: Unbound DNS Forwarder: Basic Settings</title>
<include_file>/usr/local/pkg/unbound.inc</include_file>
<menu>
@@ -76,7 +76,7 @@
<item>http://www.pfsense.org/packages/config/unbound/unbound_advanced.xml</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/etc/rc.d/</prefix>
+ <prefix>/usr/local/bin/</prefix>
<chmod>0755</chmod>
<item>http://www.pfsense.org/packages/config/unbound/unbound_monitor.sh</item>
</additional_files_needed>
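Review bot: Moving unbound_monitor.sh from `/usr/local/etc/rc.d/` to `/usr/local/bin/` stops the boot-time autostart but leaves any old rc.d copy from a previous package version in place, because unbound_initial_setup() in unbound.inc unlinks only `/usr/local/etc/rc.d/unbound`; the old script had no pidfile check, so after an upgrade two monitors could supervise the daemon. Add `@unlink_if_exists("/usr/local/etc/rc.d/unbound_monitor.sh");` next to the existing rc.d cleanup in unbound_initial_setup().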
@@ -142,7 +142,7 @@
<fieldname>forwarding_mode</fieldname>
<fielddescr>Enable forwarding mode</fielddescr>
<description>Configure the server to make use of the DNS servers configured in &lt;a href="system.php"&gt;System: General setup&lt;/a&gt;. &lt;br/&gt;
- &lt;b&gt;Note:&lt;/b&gt; Disabling this will cause Unbound to perform DNS queries without
+ &lt;b&gt;Note:&lt;/b&gt; Disabling this will cause Unbound to perform DNS queries without
using the upstream configured DNS servers.</description>
<type>checkbox</type>
<default_value>on</default_value>
diff --git a/config/unbound/unbound_acls.php b/config/unbound/unbound_acls.php
index a7c3ea9e..59738aab 100644
--- a/config/unbound/unbound_acls.php
+++ b/config/unbound/unbound_acls.php
@@ -95,7 +95,7 @@ if ($_POST) {
$input_errors[] = gettext("You must enter a valid IPv4 address for {$networkacl[$x]['acl_network']}.");
}
}
-
+
if (!$input_errors) {
if ($pconfig['Submit'] == gettext("Save")) {
@@ -139,7 +139,8 @@ include("head.inc");
<script type="text/javascript">
function mask_field(fieldname, fieldsize, n) {
return '<select name="' + fieldname + n + '" class="formselect" id="' + fieldname + n + '"><?php
- for ($i = 128; $i >= 0; $i--) {
+ $start = 24; if (function_exists("is_ipaddrv6")) $start = "128";
+ for ($i = $start; $i >= 0; $i--) {
echo "<option value=\"$i\">$i</option>";
}
?></select>';
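Review bot: `$start = 24;` caps the mask selector at /24 when is_ipaddrv6() is absent, so /25 through /32 (a single-host ACL is /32) cannot be chosen on those systems; the IPv4 limit is 32: `$start = 32; if (function_exists("is_ipaddrv6")) $start = 128;`. Using an integer in both branches also avoids mixing `24` with the string `"128"` in the loop comparison. mask_field() is JavaScript with PHP inside; its remaining lines are in the hunk.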
@@ -173,7 +174,7 @@ if (is_subsystem_dirty("unbound"))
print_info_box_np(gettext("The settings for Unbound DNS has changed. You must apply the configuration to take affect."));
?>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr>
+ <tr>
<td class="tabnavtbl">
<ul id="tabnav">
<?php
@@ -186,7 +187,7 @@ if (is_subsystem_dirty("unbound"))
?>
</ul>
</td>
- </tr>
+ </tr>
<tr>
<td class="tabcont">
@@ -221,10 +222,10 @@ if (is_subsystem_dirty("unbound"))
<br/>
<span class="vexpl">
<?=gettext("Choose what to do with DNS requests that match the criteria specified below.");?> <br/>
- <?=gettext("<b>Deny:</b> This actions stops queries from hosts within the netblock defined below.");?> <br/>
- <?=gettext("<b>Refuse:</b> This actions also stops queries from hosts within the netblock defined below, but sends back DNS rcode REFUSED error message back tot eh client.");?> <br/>
- <?=gettext("<b>Allow:</b> This actions allows queries from hosts within the netblock defined below.");?> <br/>
- <?=gettext("<b>Allow Snoop:</b> This actions allows recursive and nonrecursive access from hosts within the netblock defined below. Used for cache snooping and ideally should only be configured for your administrative host.");?> <br/>
+ <?=gettext("<b>Deny:</b> This action stops queries from hosts within the netblock defined below.");?> <br/>
+ <?=gettext("<b>Refuse:</b> This action also stops queries from hosts within the netblock defined below, but sends a DNS rcode REFUSED error message back to the client.");?> <br/>
+ <?=gettext("<b>Allow:</b> This action allows queries from hosts within the netblock defined below.");?> <br/>
+ <?=gettext("<b>Allow Snoop:</b> This action allows recursive and nonrecursive access from hosts within the netblock defined below. Used for cache snooping and ideally should only be configured for your administrative host.");?> <br/>
</span>
</td>
</tr>
@@ -375,4 +376,4 @@ if (is_subsystem_dirty("unbound"))
</tr>
</table>
</body>
-<?php include("fend.inc"); ?> \ No newline at end of file
+<?php include("fend.inc"); ?>
diff --git a/config/unbound/unbound_acls.xml b/config/unbound/unbound_acls.xml
index 7c6840ce..04319169 100644
--- a/config/unbound/unbound_acls.xml
+++ b/config/unbound/unbound_acls.xml
@@ -99,10 +99,10 @@
<fieldname>aclaction</fieldname>
<fielddescr>Action</fielddescr>
<description>&lt;br/&gt;Choose an action:&lt;br/&gt;&lt;br/&gt;
- &lt;b&gt;Allow:&lt;/b&gt; This actions allows queries from hosts within the netblock(s) defined below.&lt;br/&gt;
- &lt;b&gt;Allow Snoop:&lt;/b&gt; This actions allows recursive and nonrecursive access from hosts within the netblock(s) defined below. Used for cache snooping and ideally should only be configured for your administrative host.&lt;br/&gt;
- &lt;b&gt;Deny:&lt;/b&gt; This actions stops queries from hosts within the netblock(s) defined below.&lt;br/&gt;
- &lt;b&gt;Refuse:&lt;/b&gt; This actions also stops queries from hosts within the netblock(s) defined below, but sends back DNS rcode REFUSED error message back to the client.</description>
+ &lt;b&gt;Allow:&lt;/b&gt; This action allows queries from hosts within the netblock(s) defined below.&lt;br/&gt;
+ &lt;b&gt;Allow Snoop:&lt;/b&gt; This action allows recursive and nonrecursive access from hosts within the netblock(s) defined below. Used for cache snooping and ideally should only be configured for your administrative host.&lt;br/&gt;
+ &lt;b&gt;Deny:&lt;/b&gt; This action stops queries from hosts within the netblock(s) defined below.&lt;br/&gt;
+ &lt;b&gt;Refuse:&lt;/b&gt; This action also stops queries from hosts within the netblock(s) defined below, but sends a DNS rcode REFUSED error message back to the client.</description>
<type>select</type>
<options>
<option><name>Allow</name><value>allow</value></option>
diff --git a/config/unbound/unbound_advanced.xml b/config/unbound/unbound_advanced.xml
index 30fca482..2da5b505 100644
--- a/config/unbound/unbound_advanced.xml
+++ b/config/unbound/unbound_advanced.xml
@@ -99,7 +99,7 @@
<field>
<fieldname>prefetch</fieldname>
<fielddescr>Prefetch Support</fielddescr>
- <description>If enabled, the message cache elements are prefetched before they expire to keep the cache up to date. Enabling this option causes an increase of about 10 percent more traffic and load on the server, but popular items do not expire form the cache. Default is disabled.</description>
+ <description>If enabled, the message cache elements are prefetched before they expire to keep the cache up to date. Enabling this option causes an increase of about 10 percent more traffic and load on the server, but popular items do not expire from the cache. Default is disabled.</description>
<type>checkbox</type>
<default_value>off</default_value>
<advancedfield/>
@@ -123,7 +123,7 @@
<field>
<fieldname>harden_dnssec_stripped</fieldname>
<fielddescr>Harden DNSSEC data</fielddescr>
- <description>If enabled, DNSSEC data is required for trust-anchored zones. If such data is absent, the zone is becomes bogus. If disabled then and no DNSSEC data is received, then the zone is made insecure. The default is enabled.</description>
+ <description>If enabled, DNSSEC data is required for trust-anchored zones. If such data is absent, the zone is considered bogus. If disabled and no DNSSEC data is received, then the zone is made insecure. The default is enabled.</description>
<type>checkbox</type>
<default_value>on</default_value>
<advancedfield/>
@@ -219,11 +219,12 @@
<fieldname>num_queries_per_thread</fieldname>
<description>The number of queries that every thread will service simultaneously. If more queries arrive that need to be serviced, and no queries can be jostled, then these queries are dropped.</description>
<type>select</type>
- <default_value>1024</default_value>
+ <default_value>4096</default_value>
<options>
<option><name>512</name><value>512</value></option>
<option><name>1024</name><value>1024</value></option>
<option><name>2048</name><value>2048</value></option>
+ <option><name>4096</name><value>4096</value></option>
</options>
<advancedfield/>
</field>
@@ -305,7 +306,7 @@
<field>
<fielddescr>Custom Options</fielddescr>
<fieldname>custom_options</fieldname>
- <description>You can put your own custom options here, separated by semi-colons (;). These configurations options will then be added to the configuration file. &lt;br/&gt; &lt;b&gt;Note:&lt;/b&gt; They need to be Unbound native configuration options, otherwise Unbound will &lt;b&gt;not&lt;/b&gt; work.</description>
+ <description>You can put your own custom options here, separated by semi-colons (;). These configuration options will then be added to the configuration file. &lt;br/&gt; &lt;b&gt;Note:&lt;/b&gt; They need to be Unbound native configuration options, otherwise Unbound will &lt;b&gt;not&lt;/b&gt; work.</description>
<type>textarea</type>
<cols>65</cols>
<rows>5</rows>
diff --git a/config/unbound/unbound_monitor.sh b/config/unbound/unbound_monitor.sh
index 152a308e..91e5a2ed 100755
--- a/config/unbound/unbound_monitor.sh
+++ b/config/unbound/unbound_monitor.sh
@@ -27,37 +27,65 @@
# POSSIBILITY OF SUCH DAMAGE.
#
+export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
+
set -e
LOOP_SLEEP=5
+PIDFILE=/var/run/unbound_monitor.pid
if [ -f /var/run/unbound_alarm ]; then
rm /var/run/unbound_alarm
fi
+PID=""
+if [ -f "${PIDFILE}" ]; then
+ PID=`head -n 1 ${PIDFILE}`
+fi
+
+if [ "$1" = "stop" ]; then
+ if [ -n "${PID}" ] && ps -p ${PID} | grep -q unbound_monitor.sh; then
+ kill ${PID}
+ else
+ pkill -f unbound_monitor.sh
+ fi
+ exit 0
+fi
+
+if [ -n "${PID}" ] && ps -p ${PID} | grep -q unbound_monitor.sh; then
+ echo "There is another unbound monitor process running"
+ exit 0
+fi
+
+echo $$ > ${PIDFILE}
+
# Sleep 5 seconds on startup not to mangle with existing boot scripts.
sleep 5
-while [ /bin/true ]; do
- if [ ! -f /var/run/unbound_alarm ]; then
- NUM_PROCS=`/bin/pgrep unbound | wc -l | awk '{print $1}'`
- if [ $NUM_PROCS -lt 1 ]; then
- # Unbound is not running
- echo "Unbound has exited." | logger -p daemon.info -i -t Unbound_Alarm
- echo "Attempting restart..." | logger -p daemon.info -i -t Unbound_Alarm
- /usr/local/etc/rc.d/unbound.sh start
- sleep 3
- touch /var/run/unbound_alarm
- fi
- fi
- NUM_PROCS=`/bin/pgrep unbound | wc -l | awk '{print $1}'`
- if [ $NUM_PROCS -gt 0 ]; then
- if [ -f /var/run/unbound_alarm ]; then
- echo "Unbound has resumed." | logger -p daemon.info -i -t Unbound_Alarm
- rm /var/run/unbound_alarm
- fi
- fi
- sleep $LOOP_SLEEP
+while true; do
+ if [ ! -f "${PIDFILE}" ]; then
+ echo $$ > ${PIDFILE}
+ fi
+
+ if [ ! -f /var/run/unbound_alarm ]; then
+ NUM_PROCS=`pgrep unbound | wc -l | awk '{print $1}'`
+ if [ $NUM_PROCS -lt 1 ]; then
+ # Unbound is not running
+ echo "Unbound has exited." | logger -p daemon.info -i -t Unbound_Alarm
+ echo "Attempting restart..." | logger -p daemon.info -i -t Unbound_Alarm
+ /usr/local/etc/rc.d/unbound.sh start
+ sleep 3
+ touch /var/run/unbound_alarm
+ fi
+ fi
+ NUM_PROCS=`pgrep unbound | wc -l | awk '{print $1}'`
+ if [ $NUM_PROCS -gt 0 ]; then
+ if [ -f /var/run/unbound_alarm ]; then
+ echo "Unbound has resumed." | logger -p daemon.info -i -t Unbound_Alarm
+ rm /var/run/unbound_alarm
+ fi
+ fi
+ sleep $LOOP_SLEEP
done
if [ -f /var/run/unbound_alarm ]; then
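Review bot: The `pkill -f unbound_monitor.sh` fallback in the new `stop` branch also matches the shell running this very `stop` invocation, since `-f` matches the full command line and pkill excludes only itself; with a stale or missing PID file the stop command therefore kills itself before reaching `exit 0` and returns a signal exit status. The PID read from `${PIDFILE}` is also passed unvalidated to `ps -p` and `kill`, so a truncated or corrupted file produces a confusing error instead of a clean fallback, and the PID file is never removed on stop. The sketch below restricts the PID to digits, walks the pgrep matches while skipping `$$`, and removes the PID file; the monitor loop is left as is. Note that `while true` never terminates, so the `if [ -f /var/run/unbound_alarm ]` that continues past the end of this hunk is unreachable.
```shell
# … unchanged: PATH export, set -e, LOOP_SLEEP, PIDFILE, alarm-file cleanup …
PID=""
if [ -f "${PIDFILE}" ]; then
	PID=`head -n 1 "${PIDFILE}"`
	# Accept only a bare numeric PID; anything else is treated as "no PID file".
	case "${PID}" in
		''|*[!0-9]*) PID="" ;;
	esac
fi

if [ "$1" = "stop" ]; then
	if [ -n "${PID}" ] && ps -p "${PID}" | grep -q unbound_monitor.sh; then
		kill "${PID}"
	else
		# pkill -f would also match this shell; skip our own PID explicitly.
		for p in `pgrep -f unbound_monitor.sh`; do
			if [ "${p}" != "$$" ]; then
				kill "${p}"
			fi
		done
	fi
	rm -f "${PIDFILE}"
	exit 0
fi
# … unchanged: duplicate-instance check, PID file write, monitor loop …
```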
diff --git a/config/unbound/unbound_status.php b/config/unbound/unbound_status.php
index d011b109..d7371f29 100644
--- a/config/unbound/unbound_status.php
+++ b/config/unbound/unbound_status.php
@@ -31,6 +31,12 @@
require("guiconfig.inc");
+// Define basedir constant for unbound according to FreeBSD version (PBI support or no PBI)
+if (floatval(php_uname("r")) >= 8.3)
+ define("UNBOUND_BASE", "/usr/pbi/unbound-" . php_uname("m"));
+else
+ define("UNBOUND_BASE", "/usr/local");
+
if(!is_process_running("unbound")) {
Header("Location: /pkg_edit.php?xml=unbound.xml&id=0");
exit;
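Review bot: The `define("UNBOUND_BASE", ...)` block is an unconditional top-level define; if this page, or any file it requires, defines the same constant again (the package's other PHP code plausibly carries the same version switch), PHP emits a "Constant UNBOUND_BASE already defined" notice and silently keeps the first value. Guard it with `if (!defined("UNBOUND_BASE")) {` … `}`, or better, require the shared include and drop this copy so the two definitions cannot drift apart. `floatval(php_uname("r"))` turns a string like `8.3-RELEASE` into 8.3, which is adequate for the one-decimal versions it has to distinguish; a comment stating that, `// e.g. "8.3-RELEASE" -> 8.3; only the major.minor prefix matters here`, would save the next reader a check.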
@@ -40,11 +46,11 @@ $pgtitle = "Services: Unbound DNS Forwarder: Status";
include("head.inc");
function doCmdT($title, $command, $rows) {
- echo "<p>\n";
- echo "<a name=\"" . $title . "\">\n";
- echo "<table width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n";
- echo "<tr><td class=\"listtopic\">" . $title . "</td></tr>\n";
- echo "<tr><td class=\"listlr\"><textarea style=\"font-family:courier\"cols=\"101\" rows=\"$rows\">"; /* no newline after pre */
+ echo "<p>\n";
+ echo "<a name=\"" . $title . "\">\n";
+ echo "<table width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n";
+ echo "<tr><td class=\"listtopic\">" . $title . "</td></tr>\n";
+ echo "<tr><td class=\"listlr\"><textarea style=\"font-family:courier\"cols=\"101\" rows=\"$rows\">"; /* no newline after pre */
if ($command == "dumpconfigxml") {
$fd = @fopen("/conf/config.xml", "r");
@@ -71,46 +77,46 @@ function doCmdT($title, $command, $rows) {
echo htmlspecialchars($execOutput[$i],ENT_NOQUOTES);
}
}
- echo "</textarea></tr>\n";
- echo "</table>\n";
+ echo "</textarea></tr>\n";
+ echo "</table>\n";
}
/* Execute a command, giving it a title which is the same as the command. */
function doCmd($command) {
- doCmdT($command,$command);
+ doCmdT($command,$command);
}
/* Define a command, with a title, to be executed later. */
function defCmdT($title, $command, $rows = "20") {
- global $commands;
- $title = htmlspecialchars($title,ENT_NOQUOTES);
- $commands[] = array($title, $command, $rows);
+ global $commands;
+ $title = htmlspecialchars($title,ENT_NOQUOTES);
+ $commands[] = array($title, $command, $rows);
}
/* Define a command, with a title which is the same as the command,
* to be executed later.
*/
function defCmd($command) {
- defCmdT($command,$command);
+ defCmdT($command,$command);
}
/* List all of the commands as an index. */
function listCmds() {
- global $commands;
- echo "<p>" . gettext("This status page includes the following information") . ":\n";
- echo "<ul width=\"100%\">\n";
- for ($i = 0; isset($commands[$i]); $i++ ) {
- echo "<li><strong><a href=\"#" . $commands[$i][0] . "\">" . $commands[$i][0] . "</a></strong>\n";
- }
- echo "</ul>\n";
+ global $commands;
+ echo "<p>" . gettext("This status page includes the following information") . ":\n";
+ echo "<ul width=\"100%\">\n";
+ for ($i = 0; isset($commands[$i]); $i++ ) {
+ echo "<li><strong><a href=\"#" . $commands[$i][0] . "\">" . $commands[$i][0] . "</a></strong>\n";
+ }
+ echo "</ul>\n";
}
/* Execute all of the commands which were defined by a call to defCmd. */
function execCmds() {
- global $commands;
- for ($i = 0; isset($commands[$i]); $i++ ) {
- doCmdT($commands[$i][0], $commands[$i][1], $commands[$i][2]);
- }
+ global $commands;
+ for ($i = 0; isset($commands[$i]); $i++ ) {
+ doCmdT($commands[$i][0], $commands[$i][1], $commands[$i][2]);
+ }
}
?>
@@ -135,10 +141,10 @@ function execCmds() {
</tr>
</table>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr>
- <td class="tabcont" width="100%">
+ <tr>
+ <td class="tabcont" width="100%">
<?php
- $entries = trim(exec("/usr/local/sbin/unbound-control dump_cache | wc -l"));
+ $entries = trim(exec(UNBOUND_BASE . "/sbin/unbound-control dump_cache | wc -l"));
defCmdT("Unbound status", "unbound-control status", "6");
defCmdT("Unbound stats", "unbound-control stats_noreset");
defCmdT("Unbound stubs", "unbound-control list_stubs", "8");
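Review bot: The new `$entries` line resolves `unbound-control` through `UNBOUND_BASE`, but the `defCmdT(...)` calls directly below still pass the bare name `unbound-control`, which is resolved through the web server's PATH when `doCmdT` (defined outside this hunk) executes it; on a PBI install where the binary lives under `/usr/pbi/unbound-*/sbin` those panels will fail, or, if some other `unbound-control` is on the PATH, run the wrong binary. Prefix them the same way, e.g. `defCmdT("Unbound status", UNBOUND_BASE . "/sbin/unbound-control status", "6");`. The `$entries` count also runs a full `dump_cache` only to count lines, while the same dump is executed again for display later in the page; that is acceptable for a small resolver but deserves a comment such as `// dump_cache runs twice (count here, display below); cheap enough for a small cache`.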
@@ -146,12 +152,12 @@ function execCmds() {
defCmdT("Unbound local zones", "unbound-control list_local_zones");
defCmdT("Unbound local data", "unbound-control list_local_data");
defCmdT("Unbound cache ($entries entries)", "unbound-control dump_cache", "60");
- defCmdT("Unbound configuration", "/bin/cat /usr/local/etc/unbound/unbound.conf", "60");
+ defCmdT("Unbound configuration", "/bin/cat " . UNBOUND_BASE . "/etc/unbound/unbound.conf", "60");
listCmds();
execCmds();
?>
- </td>
- </tr>
+ </td>
+ </tr>
</table>
</div>
<?php include("fend.inc"); ?>
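Review bot: The three `defCmdT` commands at the top of this hunk (`list_local_zones`, `list_local_data`, `dump_cache`) still invoke the bare `unbound-control`, while the configuration line beneath them now builds its path from `UNBOUND_BASE`; with a PBI layout the executable is not necessarily on the web server's PATH, so those panels would come up empty or run whatever `unbound-control` the PATH yields. Build them the same way, e.g. `defCmdT("Unbound cache ($entries entries)", UNBOUND_BASE . "/sbin/unbound-control dump_cache", "60");`. The command runner `doCmdT` that executes these strings lies outside this hunk.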