From 6abd1181c88bcae7524203a8fd5fdb95f58173a3 Mon Sep 17 00:00:00 2001
From: Warren Baker
Date: Tue, 16 Nov 2010 22:13:42 +0200
Subject: Initial commit of the Unbound package (that 1 day will replace dnsmasq). It is currently limited in configuration options but it does what DNSMasq does excluding the DNS rebind check. Need to investigate that.
---
config/unbound/unbound.inc | 415 +++++++++++++++++++++++++++++++++++++++++++++
config/unbound/unbound.xml | 125 ++++++++++++++
pkg_config.8.xml | 17 ++
3 files changed, 557 insertions(+)
create mode 100644 config/unbound/unbound.inc
create mode 100644 config/unbound/unbound.xml
diff --git a/config/unbound/unbound.inc b/config/unbound/unbound.inc
new file mode 100644
index 00000000..dd7d3024
--- /dev/null
+++ b/config/unbound/unbound.inc
@@ -0,0 +1,415 @@ + 1) + $unbound_config['active_interface'] = "lan"; + else + $unbound_config['active_interface'] = "wan"; + + unbound_anchor_setup(); + unbound_resync_config(); + unbound_keys_setup(); + + // Write out the XML config + write_config(); + +} + +function unbound_anchor_setup() { + + $conf = << +ENDPHP\n"; + +$stop = "/usr/local/bin/php -q -d auto_prepend_file=config.inc < + +ENDPHP\n"; + + write_rcfile(array( + "file" => $filename, + "start" => $start, + "stop" => $stop + ) + ); + +} + +function unbound_install() { + + conf_mount_rw(); + unbound_initial_setup(); + conf_mount_ro(); + +} + +function unbound_control($action) { + global $config, $g; + + $unbound_config = $config['installedpackages']['unbound']['config'][0]; + + switch ($action) { + case "forward": + /* Dont utilize forward cmd if Unbound is doing DNS queries directly + * XXX: We could make this an option to then make pfSense use Unbound + * as the recursive nameserver instead of upstream ones(?) + */ + if ($unbound_config['forwarding_mode'] == "on") { + // Get configured DNS servers and add them as forwarders + if (!isset($config['system']['dnsallowoverride'])) { + $ns = array_unique(get_nameservers()); + foreach($ns as $nameserver) { + if($nameserver) + $dns_servers .= " $nameserver"; + } + } else { + $ns = array_unique(get_dns_servers()); + foreach($ns as $nameserver) { + if($nameserver) + $dns_servers .= " $nameserver"; + } + } + + if(is_service_running("unbound")) { + unbound_ctl_exec("forward $dns_servers"); + unbound_ctl_exec("reload"); + } else { + unbound_control("start"); + unbound_control("forward"); + } + } + break; + + case "start": + //Start unbound + if($unbound_config['unbound_status'] == "on") { + unbound_ctl_exec("start"); + fetch_root_hints(); + sleep(1); + } + break; + + case "stop": + //Stop unbound and unmount the file system + if($unbound_config['unbound_status'] == "on") { + unbound_ctl_exec("stop"); + } + break; + + case "termstop": + //Stop Unbound by 
sigkillbypid();
+ sigkillbypid("{$g['varrun_path']}/unbound.pid", "TERM");
+ break;
+
+ default:
+ break;
+
+ }
+
+}
+
+function unbound_get_network_interface_addresses($subnet=false, $mask=false) {
+ global $config;
+
+ /* calculate interface ip + subnet information */
+ $interfaces = explode(",", $config['installedpackages']['unbound']['config'][0]['active_interface']);
+ $unbound_interfaces = array();
+ foreach ($interfaces as $unboundidx => $unboundif) {
+ $unboundrealif = convert_friendly_interface_to_real_interface_name($unboundif);
+ $unboundip = find_interface_ip($unboundrealif);
+ $ipmask = find_interface_subnet($unboundrealif);
+ // If $subnet is passed then calculate the beginning of the network range for the IP address
+ if ($subnet)
+ $network = gen_subnet($unboundip, $ipmask);
+ else
+ $network = $unboundip;
+ if ($mask)
+ $unbound_interfaces[] = "$network/$ipmask";
+ else
+ $unbound_interfaces[] = "$network";
+ }
+ return $unbound_interfaces;
+}
+
+function unbound_resync_config() {
+ global $config, $g;
+
+ if (!array($config['installedpackages']['unbound']['config']))
+ $config['installedpackages']['unbound']['config'] = array();
+
+ $unbound_config = &$config['installedpackages']['unbound']['config'][0];
+
+ $interfaces = unbound_get_network_interface_addresses(true, true);
+ foreach($interfaces as $allowed_network) {
+ $unbound_allowed_networks .= "access-control: $allowed_network allow\n";
+ }
+
+ if($unbound_config['dnssec_status'] == "on") {
+ $module_config = "validator iterator";
+ $anchor_file = "auto-trust-anchor-file: /usr/local/etc/unbound/root-trust-anchor";
+ } else {
+ $module_config = "iterator";
+ }
+
+ // Interfaces to bind to
+ $interface_ips = unbound_get_network_interface_addresses();
+ foreach($interface_ips as $ifip) {
+ $unbound_bind_interfaces .="interface: $ifip\n";
+ }
+
+ /* Harden DNSSec responses - if DNSSec is absent, zone is marked as bogus
+ * XXX: for now we always have this set to yes
+ */
+ 
$unbound_config['harden-dnssec-stripped'] = "yes"; + + // Syslog logging + $unbound_config['use-syslog'] = "yes"; + + // Host entries + $host_entries = unbound_add_host_entries(); + + // Domain Overrides + $domain_overrides = unbound_add_domain_overrides(); + + $unbound_conf = << \ No newline at end of file diff --git a/config/unbound/unbound.xml b/config/unbound/unbound.xml new file mode 100644 index 00000000..8b895f9f --- /dev/null +++ b/config/unbound/unbound.xml @@ -0,0 +1,125 @@ + + + + + + + + Unbound is a validating, recursive, and caching DNS resolver. + + + unbound + 1.4.6 + Services: Unbound DNS Forwarder + /usr/local/pkg/unbound.inc + + Unbound DNS + Setup Unbound specific settings +
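Review bot: `if (!array($config['installedpackages']['unbound']['config']))` in unbound_resync_config never takes the initialising branch, because `array(...)` constructs an array and is always truthy; it should read `if (!is_array($config['installedpackages']['unbound']['config']))`, otherwise a first-time install takes a reference to a key that does not exist on the next line. unbound_control("forward") also recurses without a bound: when unbound is not running it calls `unbound_control("start")` and then `unbound_control("forward")` again, and if the start does not bring the service up (unbound_status off, bad config, slow start despite the `sleep(1)`) the forward branch re-enters itself indefinitely, so the retry should happen once or be conditioned on the start having succeeded. The `$dns_servers` string is built from the configured nameservers and interpolated directly into `unbound_ctl_exec("forward $dns_servers")`; unbound_ctl_exec is not visible in this hunk, but if it shells out, each entry should be checked with is_ipaddr() and escaped before being appended, and `$dns_servers` should be initialised to `""` first. Note also that active_interface defaults to "wan" and every listed interface produces an `access-control: <network>/<mask> allow` line, so by default the resolver answers recursive queries for the whole WAN subnet (firewall rules aside); defaulting to "lan" or documenting the exposure would be safer. Most of this hunk (the heredocs and the rc script) did not survive rendering, so the remainder of unbound_resync_config and the generated unbound.conf cannot be reviewed here.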
Services
+ pkg_edit.php?xml=unbound.xml&id=0 +
+ + unbound + unbound.sh + unbound + Unbound is a validating, recursive, and caching DNS resolver. + + + /usr/local/pkg/ + 0644 + http://pkg.percol8.co.za/packages/config/unbound/unbound.inc + + + /usr/local/pkg/ + 0644 + http://pkg.percol8.co.za/packages/config/unbound/unbound.xml + + + + Unbound DNS Settings + /pkg_edit.php?xml=unbound.xml&id=0 + + + + + + Unbound DNS Settings + listtopic + + + unbound_status + Enable Unbound + Enable the use of Unbound as your DNS forwarder. + checkbox + + + Network interface + active_interface + The network interface(s) the Unbound DNS server will queries from. + interfaces_selection + + wan + + + + dnssec_status + Enable DNSSEC + Enable the use of DNSSEC. <br/> + <b>Note:</b> It is recommended that when enabling DNSSEC you disable the use of forwarding mode and allow Unbound to do the resolving. This is to ensure that DNS replies are valid and authentic. + checkbox + on + + + forwarding_mode + Enable forwarding mode + Configure the server to make use of the DNS servers configured in <a href="system.php">System: General setup</a>. <br/> + <b>Note:</b> Disabling this will cause Unbound to perform DNS queries without + using the upstream configured DNS servers. + checkbox + on + + + + + + + unbound_reconfigure(); + + + unbound_install(); + + + unbound_uninstall(); + +
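Review bot: The two additional_files_needed entries fetch unbound.inc and unbound.xml from `http://pkg.percol8.co.za/packages/config/unbound/` over plain HTTP into /usr/local/pkg/, and unbound.inc is PHP the package installer will include and run on the firewall; the registry entry in pkg_config.8.xml points config_file at www.pfsense.com instead, so the two sources disagree and neither is integrity-checked. Both should reference the same host, preferably one the project controls, so that the code actually executed is the code that was reviewed. The pkginfolink in pkg_config.8.xml still points at the Tinydns package page and should point at an Unbound page. The active_interface description `The network interface(s) the Unbound DNS server will queries from.` should read `The network interface(s) the Unbound DNS server will accept queries from.`; the XML tags did not survive rendering, so the element structure here is inferred from the surviving text.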
diff --git a/pkg_config.8.xml b/pkg_config.8.xml
index 1b99d5ef..75df613c 100755
--- a/pkg_config.8.xml
+++ b/pkg_config.8.xml
@@ -938,5 +938,22 @@ 1.2.3 ifbwstats.xml
+
+ Unbound
+ Unbound is a validating, recursive, and caching DNS resolver.
+ http://www.unbound.net/
+ Services
+ 1.0
+ Beta
+ 2.0
+ http://doc.pfsense.org/index.php/Tinydns_package
+ http://www.pfsense.com/packages/config/unbound/unbound.xml
+ unbound.xml
+ http://files.pfsense.org/packages/8/All/
+ unbound-1.4.7.tbz
+ expat-2.0.1_1.tbz
+ openssl-1.0.0_2.tbz
+ /usr/ports/dns/unbound
+ WITHOUT_MAN=true WITH_SRV=true
-- cgit v1.2.3