From: Marcel Lorenz
To: development@lists.ipfire.org
Subject: [PATCH] New package: Unbound 1.5.9 Replacement for dnsmasq
Date: Tue, 02 Aug 2016 20:48:16 +0200
Message-ID: <1470163697-30802-1-git-send-email-marcel.lorenz@ipfire.org>

Hi,

I have built Unbound 1.5.9 as an addon for IPFire. Later this can completely replace dnsmasq on IPFire. I myself have run unbound for over 6 weeks on more than 8 IPFire installations without any problems! (x86 and x64). In this time I optimized the config and the scripts. Now I think it's time to push my work to the mailing list... :)

Addon Description:
Unbound is a validating, recursive, and caching DNS resolver. It is designed as a set of modular components that incorporate modern features, such as enhanced security (DNSSEC) validation, Internet Protocol Version 6 (IPv6), and a client resolver library API as an integral part of the architecture.
https://www.unbound.net/
http://www.linuxfromscratch.org/blfs/view/svn/server/unbound.html

Configuration:
The main config file is the "/etc/unbound/unbound.conf" (default). I created a cleared config file with no descriptions and with all necessary and useful settings. (The original unbound.conf was renamed to unbound_org.conf). Unbound runs with this config in chroot mode under a separate user ("unbound", created while installing the addon). The config file is prepared for IPv6, but it is disabled with "do-ip6: no". The logfile is located at /etc/unbound/log/. In chroot mode this is the only working location! The logrotate script moves the log daily to /var/log/unbound/. Nice statistics are possible for IPFire's WebIF. Take a look at https://www.unbound.net/documentation/howto_statistics.html.

I have written two additional scripts and the init scripts to integrate Unbound into IPFire. The second daemon is a watcher for the dhcpd lease file. It is only started if the DNS-Update (RFC2136) in the WebIF is enabled. The unbound init script checks the WebIF value and starts the watcher daemon automatically. I need a working solution to start a daemon from the WebIF with nobody rights when clicking "save" in the dhcp server section.

New folders:
/etc/unbound - main config folder
/etc/unbound/blocklists - for block lists, named as "*.conf"
/etc/unbound/log - contains unbound.log
/etc/unbound/zones - for extra zone files, named as "*.conf", and contains local.conf
/var/log/unbound - contains the older logfiles

The /etc/unbound/forward.conf can be edited for extra DNS servers independently from the IPFire setup. More than 2 servers are possible.

Needed scripts:
/usr/sbin/unbound-switch
Switching between dnsmasq and unbound. Creates and removes the autostart links for unbound and dnsmasq and switches the network init script.
/usr/sbin/unbound-zone
Reads the current IPFire network, domain and static hosts config and creates IPFire's DNS zone file (/etc/unbound/zones/local.conf).
/src/initscripts/init.d/unbound
The init script for unbound under IPFire. This script creates the needed interface.conf and dnssec.conf under /etc/unbound/. These values are read from the files /var/ipfire/ethernet/settings and /var/ipfire/red/resolv.conf.
/src/initscripts/init.d/network-unbound
A copy of /src/initscripts/init.d/network with the workarounds for dnsmasq removed. It's not a perfect solution, but I have no better idea to remove the error messages in the boot log.
/src/initscripts/init.d/unbound-dhcpd
The init script for the dhcp watcher daemon written in Python.
/usr/sbin/watcherdhcpd.py
This script and the additional Python files come from the OPNsense firewall distribution. I modified the watcher script to work with universal standard times in IPFire's dhcp lease file (/var/state/dhcp/dhcpd.leases).

Additional Python files under /usr/lib/python2.7/site-packages:
daemonize.py - for daemonizing the Python watcher script
dhcpd.py - needed file for watcherdhcpd.py (reads the lease file)
params.py - needed file for watcherdhcpd.py (processes Python daemon args)

Special init script options (default settings):
CONTROL_INTERFACE_FILE=1 - enable or disable creation/updating of /etc/unbound/interfaces.conf
CONTROL_ACCESS_FILE=1 - enable or disable creation/updating of /etc/unbound/access.conf
USE_CUSTOM_FORWARDS=0 - enable or disable the use of the custom DNS forwards file /etc/unbound/forward.conf
ENABLE_DNSSEC=1 - enable or disable DNSSEC (deactivates unbound's validator module) /etc/unbound/dnssec.conf

As a goodie, my patch includes a block list for Microsoft (skynet) Windows telemetry hosts to disable phone home. The /etc/unbound/blocklists/ms-telemetry.conf file can be removed or renamed if not needed.
The second goodie: the /etc/fcron.weekly/update_unbound_anchor script downloads an ad-server block list zone file for unbound from http://pgl.yoyo.org/adservers/#unbound. This is a very nice block list for ads.
If not needed, remove the line "curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext" > /etc/unbound/blocklists/ad-servers.conf" from the file.

I hope this small description is useful for all. Hints and suggestions are welcome.

Greetings,
Marcel

-- 
1.9.1
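The lease-file watcher described above turns dhcpd leases into DNS records. The following is an added example, not code from Marcel's patch or from the OPNsense watcher it is based on: it parses the ISC dhcpd.leases format (UTC timestamps, later blocks for the same IP overriding earlier ones, "ends never" for infinite leases) and renders only active, unexpired leases whose client-supplied hostname is a clean LDH label as unbound local-data lines. The leases excerpt, the "now" timestamp and the zone name "localdomain" are constructed sample values.

```python
import re
from datetime import datetime

# Constructed dhcpd.leases excerpt (UTC timestamps); the later 192.168.1.50 block must win.
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  ends 2 2016/08/02 20:00:00;
  binding state active;
  client-hostname "laptop";
}
lease 192.168.1.51 {
  ends 2 2016/08/02 17:30:00;
  binding state free;
  client-hostname "printer";
}
lease 192.168.1.50 {
  ends 2 2016/08/02 21:00:00;
  binding state active;
  client-hostname "laptop";
}
lease 192.168.1.52 {
  ends 2 2016/08/02 23:00:00;
  binding state active;
  client-hostname "bad host; local-data";
}
"""
SAMPLE_NOW = datetime(2016, 8, 2, 19, 30)  # constructed UTC "now" for the sample above
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)  # assumes no "}" inside quoted values
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")  # one LDH label

def parse_leases(text):  # -> {ip: (hostname, ends as naive UTC datetime or None, binding state)}
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        host, ends, state = None, None, None
        for line in body.strip().splitlines():
            line = line.strip().rstrip(";")
            if line.startswith("client-hostname "):
                host = line.split(" ", 1)[1].strip('"')
            elif line.startswith("binding state "):
                state = line.split(" ", 2)[2]
            elif line.startswith("ends ") and not line.endswith("never"):  # "ends never" keeps None
                ends = datetime.strptime(" ".join(line.split()[2:4]), "%Y/%m/%d %H:%M:%S")
        leases[ip] = (host, ends, state)  # dhcpd appends; the last block for an IP is current
    return leases

def unbound_local_data(text, domain, now):  # -> list of unbound local-data / local-data-ptr lines
    out = []
    for ip, (host, ends, state) in sorted(parse_leases(text).items()):
        expired = ends is not None and ends <= now
        if state != "active" or expired or not (host and LABEL_RE.match(host)):
            continue  # the client-supplied name is untrusted: drop it rather than write it into the config
        fqdn = "%s.%s." % (host.lower(), domain)
        out.append('local-data: "%s IN A %s"' % (fqdn, ip))
        out.append('local-data-ptr: "%s %s"' % (ip, fqdn))
    return out
```

The rendered lines can be written to a file under /etc/unbound/zones/ and picked up with unbound-control reload, rather than generated for every lease change with unbound-control local_data.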