<?php /* unbound.inc (C)2010 Warren Baker Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ if(!function_exists("get_dns_servers")) require_once("pfsense-utils.inc"); if(!function_exists("get_nameservers")) require_once("system.inc"); function unbound_initial_setup() { global $config, $g; if (!array($config['installedpackages']['unbound']['config'])) $config['installedpackages']['unbound']['config'] = array(); $unbound_config = &$config['installedpackages']['unbound']['config'][0]; // Ensure Unbound user exists exec("/usr/sbin/pw useradd unbound"); // Setup unbound // Create and chown dirs mwexec("/bin/mkdir -p /usr/local/etc/unbound /usr/local/etc/unbound/dev"); @chown("/usr/local/etc/unbound/.", "unbound"); @chown("/usr/local/etc/unbound/dev.", "unbound"); // Touch needed files @touch("/usr/local/etc/unbound/root.hints"); @touch("/usr/local/etc/unbound/root-trust-anchor"); // Ensure files and folders belong to unbound @chown("/usr/local/etc/unbound/root-trust-anchor", "unbound"); @chgrp("/usr/local/etc/unbound/root-trust-anchor", "wheel"); @chmod("/usr/local/etc/unbound/root-trust-anchor", 0600); // We do not need the sample conf or the default rc.d startup file @unlink_if_exists("/usr/local/etc/unbound/unbound.conf.sample"); @unlink_if_exists("/usr/local/etc/rc.d/unbound"); // Setup rc file for startup and shutdown. unbound_rc_setup(); // Set initial interfaces that are allowed to query to lan, if that does not exist set it to the wan if(count($config['interfaces']) > 1) $unbound_config['active_interface'] = "lan"; else $unbound_config['active_interface'] = "wan"; unbound_anchor_setup(); unbound_resync_config(); unbound_keys_setup(); exec("/usr/sbin/chown -R unbound:wheel /usr/local/etc/unbound/*"); // Write out the XML config write_config(); } function unbound_anchor_setup() { $conf = <<<EOD . IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 EOD; file_put_contents("/usr/local/etc/unbound/root-trust-anchor", $conf); } function unbound_keys_setup() { // Generate SSL Keys for controlling the unbound server mwexec("/usr/local/sbin/unbound-control-setup"); } function unbound_rc_setup() { global $config; // Startup process and idea taken from TinyDNS package (author sullrich@gmail.com) $filename = "unbound.sh"; $start = "/usr/local/bin/php -q -d auto_prepend_file=config.inc <<ENDPHP <?php require_once(\"/usr/local/pkg/unbound.inc\"); echo \"Starting and configuring Unbound...\"; fetch_root_hints(); unbound_control(\"start\"); unbound_control(\"forward\"); echo \"done.\\n\"; ?> ENDPHP\n"; $stop = "/usr/local/bin/php -q -d auto_prepend_file=config.inc <<ENDPHP <?php require_once(\"/usr/local/pkg/unbound.inc\"); echo \"Stopping Unbound...\"; unbound_control(\"termstop\"); echo \"done.\\n\"; ?> ENDPHP\n"; write_rcfile(array( "file" => $filename, "start" => $start, "stop" => $stop ) ); } function unbound_install() { conf_mount_rw(); unbound_initial_setup(); conf_mount_ro(); } function unbound_control($action) { global $config, $g; $unbound_config = $config['installedpackages']['unbound']['config'][0]; switch ($action) { case "forward": /* Dont utilize forward cmd if Unbound is doing DNS queries directly * XXX: We could make this an option to then make pfSense use Unbound * as the recursive nameserver instead of upstream ones(?) */ if ($unbound_config['forwarding_mode'] == "on") { // Get configured DNS servers and add them as forwarders if (!isset($config['system']['dnsallowoverride'])) { $ns = array_unique(get_nameservers()); foreach($ns as $nameserver) { if($nameserver) $dns_servers .= " $nameserver"; } } else { $ns = array_unique(get_dns_servers()); foreach($ns as $nameserver) { if($nameserver) $dns_servers .= " $nameserver"; } } if(is_service_running("unbound")) { unbound_ctl_exec("forward $dns_servers"); unbound_ctl_exec("reload"); } else { unbound_control("start"); unbound_control("forward"); } } break; case "start": //Start unbound if($unbound_config['unbound_status'] == "on") { unbound_ctl_exec("start"); fetch_root_hints(); sleep(1); } break; case "stop": //Stop unbound and unmount the file system if($unbound_config['unbound_status'] == "on") { unbound_ctl_exec("stop"); } break; case "termstop": //Stop Unbound by sigkillbypid(); sigkillbypid("{$g['varrun_path']}/unbound.pid", "TERM"); break; default: break; } } function unbound_get_network_interface_addresses($subnet=false, $mask=false) { global $config; /* calculate interface ip + subnet information */ $interfaces = explode(",", $config['installedpackages']['unbound']['config'][0]['active_interface']); $unbound_interfaces = array(); foreach ($interfaces as $unboundidx => $unboundif) { $unboundrealif = convert_friendly_interface_to_real_interface_name($unboundif); $unboundip = find_interface_ip($unboundrealif); $ipmask = find_interface_subnet($unboundrealif); // If $subnet is passed then calculate the beginning of the network range for the IP address if ($subnet) $network = gen_subnet($unboundip, $ipmask); else $network = $unboundip; if ($mask) $unbound_interfaces[] = "$network/$ipmask"; else { $unbound_interfaces[] = $network; // Check for CARP addresses and also return those if (isset($config['virtualip'])) { if(is_array($config['virtualip']['vip'])) { foreach($config['virtualip']['vip'] as $vip) { if (($vip['interface'] == $unboundif) && ($vip['mode'] == "carp")) { $virtual_ip = find_interface_ip(link_ip_to_carp_interface($vip['subnet'])); $unbound_interfaces[] = $virtual_ip; } } } } } } return $unbound_interfaces; } function unbound_resync_config() { global $config, $g; if (!array($config['installedpackages']['unbound']['config'])) $config['installedpackages']['unbound']['config'] = array(); $unbound_config = &$config['installedpackages']['unbound']['config'][0]; $interfaces = unbound_get_network_interface_addresses(true, true); foreach($interfaces as $allowed_network) { $unbound_allowed_networks .= "access-control: $allowed_network allow\n"; } if($unbound_config['dnssec_status'] == "on") { $module_config = "validator iterator"; $anchor_file = "auto-trust-anchor-file: /usr/local/etc/unbound/root-trust-anchor"; } else { $module_config = "iterator"; } // Interfaces to bind to $interface_ips = unbound_get_network_interface_addresses(); foreach($interface_ips as $ifip) { $unbound_bind_interfaces .="interface: $ifip\n"; } /* Harden DNSSec responses - if DNSSec is absent, zone is marked as bogus * XXX: for now we always have this set to yes */ $unbound_config['harden-dnssec-stripped'] = "yes"; // Host entries $host_entries = unbound_add_host_entries(); // Domain Overrides $private_domains = unbound_add_domain_overrides(true); $domain_overrides = unbound_add_domain_overrides(); // Unbound Statistics if($unbound_config['stats'] == "on") { $stats_interval = $unbound_config['stats_interval']; $cumulative_stats = $unbound_config['cumulative_stats']; if ($unbound_config['extended_stats'] == "on") $extended_stats = "yes"; else $extended_stats = "no"; } else { $stats_interval = "0"; $cumulative_stats = "no"; $extended_stats = "no"; } $unbound_conf = <<<EOD ######################### # Unbound configuration # ######################### ### # Server config ### server: verbosity: 1 port: 53 do-ip4: yes do-ip6: no do-udp: yes do-tcp: yes do-daemonize: yes statistics-interval: {$stats_interval} extended-statistics: {$extended_stats} statistics-cumulative: {$cumulative_stats} # Interface IP(s) to bind to {$unbound_bind_interfaces} chroot: "" username: "unbound" directory: "/usr/local/etc/unbound" pidfile: "{$g['varrun_path']}/unbound.pid" root-hints: "root.hints" harden-dnssec-stripped: {$unbound_config['harden-dnssec-stripped']} harden-referral-path: no prefetch: yes prefetch-key: yes use-syslog: yes module-config: "{$module_config}" unwanted-reply-threshold: 10000000 {$anchor_file} # Networks allowed to utilize service access-control: 127.0.0.0/8 allow {$unbound_allowed_networks} # For DNS Rebinding prevention private-address: 10.0.0.0/8 private-address: 172.16.0.0/12 private-address: 192.168.0.0/16 private-address: 192.254.0.0/16 # private-address: fd00::/8 # private-address: fe80::/10 # Set private domains in case authorative name server returns a RFC1918 IP address {$private_domains} # Host entries {$host_entries} # Domain overrides {$domain_overrides} ### # Remote Control Config ### remote-control: control-enable: yes control-interface: 127.0.0.1 control-port: 953 server-key-file: "/usr/local/etc/unbound/unbound_server.key" server-cert-file: "/usr/local/etc/unbound/unbound_server.pem" control-key-file: "/usr/local/etc/unbound/unbound_control.key" control-cert-file: "/usr/local/etc/unbound/unbound_control.pem" EOD; file_put_contents("/usr/local/etc/unbound/unbound.conf", $unbound_conf); } function unbound_ctl_exec($cmd) { mwexec("/usr/local/sbin/unbound-control $cmd"); } function fetch_root_hints() { $destination_file = "/usr/local/etc/unbound/root.hints"; if (filesize($destination_file) == 0 ) { $fout = fopen($destination_file, "w"); $url = "ftp://ftp.internic.net/domain/named.cache"; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, '25'); $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE); $data = curl_exec($ch); curl_close($ch); fwrite($fout, $data); fclose($fout); return ($http_code == 200) ? true : $http_code; } else { return false; } } function unbound_validate($post) { global $config, $input_errors; if($_POST['unbound_status'] == "on" && isset($config['dnsmasq']['enable'])) $input_errors[] = "The system dns-forwarder is still active. Disable it before enabling the Unbound service."; } function unbound_reconfigure() { global $config, $g, $input_errors; $unbound_config = $config['installedpackages']['unbound']['config'][0]; if ($unbound_config['unbound_status'] != "on") { if(is_service_running("unbound")) { unbound_control("termstop"); } } else { if(is_service_running("unbound")) { unbound_control("termstop"); } unbound_resync_config(); unbound_control("start"); unbound_control("forward"); } } function unbound_uninstall() { global $g, $config; conf_mount_rw(); unbound_control("termstop"); // Remove pkg config directory and startup file mwexec("rm -rf /usr/local/etc/unbound"); mwexec("rm -f /usr/local/etc/rc.d/unbound.sh"); mwexec("rm -f {$g['varlog_path']}/unbound.log"); // Remove unbound user exec("/usr/sbin/pw userdel unbound"); conf_mount_ro(); } function read_hosts() { // Open /etc/hosts and extract the only dhcpleases info $etc_hosts = array(); foreach (file('/etc/hosts') as $line) { $d = preg_split('/\s/', $line, -1, PREG_SPLIT_NO_EMPTY); if (empty($d) || substr(reset($d), 0, 1) == "#") continue; if ($d[3] == "#") { $ip = array_shift($d); $fqdn = array_shift($d); $name = array_shift($d); if ($fqdn != "empty") { if ($name != "empty") array_push($etc_hosts, array(ipaddr => "$ip", fqdn => "$fqdn", name => "$name")); else array_push($etc_hosts, array(ipaddr => "$ip", fqdn => "$fqdn")); } } } return $etc_hosts; } /* Setup /etc/hosts entries by overriding with local-data */ function unbound_add_host_entries() { global $config; /* XXX: break this out into a separate config file and make use of include */ $unboundcfg = $config['installedpackages']['unbound']['config'][0]; $syscfg = $config['system']; $dnsmasqcfg = $config['dnsmasq']; $unbound_entries = "local-zone: \"{$syscfg['domain']}\" transparent\n"; // IPv4 entries $unbound_entries .= "local-data-ptr: \"127.0.0.1 localhost\"\n"; $unbound_entries .= "local-data: \"localhost A 127.0.0.1\"\n"; $unbound_entries .= "local-data: \"localhost.{$syscfg['domain']} A 127.0.0.1\"\n"; if ($config['interfaces']['lan']) { $cfgip = get_interface_ip("lan"); if (is_ipaddr($cfgip)) { $unbound_entries .= "local-data-ptr: \"{$cfgip} {$syscfg['hostname']}.{$syscfg['domain']}\"\n"; $unbound_entries .= "local-data: \"{$syscfg['hostname']}.{$syscfg['domain']} A {$cfgip}\"\n"; $unbound_entries .= "local-data: \"{$syscfg['hostname']} A {$cfgip}\"\n"; } } else { $sysiflist = get_configured_interface_list(); foreach ($sysiflist as $sysif) { if (!interface_has_gateway($sysif)) { $cfgip = get_interface_ip($sysif); if (is_ipaddr($cfgip)) { $unbound_entries .= "local-data-ptr: \"{$cfgip} {$syscfg['hostname']}.{$syscfg['domain']}\"\n"; $unbound_entries .= "local-data: \"{$syscfg['hostname']}.{$syscfg['domain']} A {$cfgip}\"\n"; $unbound_entries .= "local-data: \"{$syscfg['hostname']} A {$cfgip}\"\n"; break; } } } } // DNSMasq entries static host entries if (isset($dnsmasqcfg['hosts'])) { $hosts = $dnsmasqcfg['hosts']; $host_entries = ""; $added_item = array(); foreach ($hosts as $host) { $current_host = $host['host']; if(!$added_item[$current_host]) { $host_entries .= "local-data-ptr: \"{$host['ip']} {$host['host']}.{$host['domain']}\"\n"; $host_entries .= "local-data: \"{$host['host']}.{$host['domain']} IN A {$host['ip']}\"\n"; if (!empty($host['descr'])) $host_entries .= "local-data: '{$host['host']}.{$host['domain']} TXT \"".addslashes($host['descr'])."\"'\n"; // Do not add duplicate entries $added_item[$current_host] = true; } } $unbound_entries .= $host_entries; } // Static DHCP entries $host_entries = ""; if (isset($unboundcfg['regdhcpstatic']) && is_array($config['dhcpd'])) { foreach ($config['dhcpd'] as $dhcpif => $dhcpifconf) if(is_array($dhcpifconf['staticmap']) && isset($dhcpifconf['enable'])) foreach ($dhcpifconf['staticmap'] as $host) if ($host['ipaddr'] && $host['hostname']) { $host_entries .= "local-data-ptr: \"{$host['ipaddr']} {$host['hostname']}.{$syscfg['domain']}\"\n"; $host_entries .= "local-data: \"{$host['hostname']}.{$syscfg['domain']} IN A {$host['ipaddr']}\"\n"; if (!empty($host['descr'])) $host_entries .= "local-data: '{$host['hostname']}.{$syscfg['domain']} TXT \"".addslashes($host['descr'])."\"'\n"; } $unbound_entries .= $host_entries; } // Handle DHCPLeases added host entries $dhcplcfg = read_hosts(); $host_entries = ""; if(is_array($dhcplcfg)) { foreach($dhcplcfg as $key=>$host) { $host_entries .= "local-data-ptr: \"{$host['ipaddr']} {$host['fqdn']}\"\n"; $host_entries .= "local-data: \"{$host['fqdn']} IN A {$host['ipaddr']}\"\n"; if (!empty($host['name'])) { $host_entries .= "local-data-ptr: \"{$host['ipaddr']} {$host['name']}\"\n"; $host_entries .= "local-data: \"{$host['name']} IN A {$host['ipaddr']}\"\n"; } } $unbound_entries .= $host_entries; } return $unbound_entries; } /* Setup any domain overrides that have been configured with stub-zone parameter */ function unbound_add_domain_overrides($pvt=false) { global $config; if (isset($config['dnsmasq']['domainoverrides'])) { $domains = $config['dnsmasq']['domainoverrides']; // Domain overrides that have multiple entries need multiple stub-addr: added $sorted_domains = msort($domains, "domain"); $result = array(); foreach($sorted_domains as $domain) { $domain_key = current($domain); if(!isset($result[$domain_key])) { $result[$domain_key] = array(); } $result[$domain_key][] = $domain['ip']; } $domain_entries = ""; foreach($result as $domain=>$ips) { if($pvt == true) { $domain_entries .= "private-domain: \"$domain\"\n"; } else { $domain_entries .= "stub-zone:\n"; $domain_entries .= "\tname: \"$domain\"\n"; foreach($ips as $ip) { $domain_entries .= "\tstub-addr: $ip\n"; } $domain_entries .= "\tstub-prime: no\n"; } } return $domain_entries; } } ?>