unbound: prefer system nameservers if forwarding is enabled and only run unbound-anchor when necessary (#5625)

This commit is contained in:
Stephan de Wit 2022-03-23 11:21:33 +01:00 committed by GitHub
parent 2637e6ebca
commit b4adcee862
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 23 additions and 1 deletions


@ -257,6 +257,7 @@ EOF;
$forward_conf = '';
$forward_local = '';
$resolv_conf_root = '';
if (isset($config['unbound']['forwarding'])) {
$dnsservers = array();
@ -282,12 +283,20 @@ EOD;
foreach ($dnsservers as $dnsserver) {
if (strpos($dnsserver, '127.') === 0 || $dnsserver == '::1') {
$forward_local = "do-not-query-localhost: no\n";
} else {
/* Generate a custom resolv.conf file for use by unbound-anchor.
* These servers all use port 53 so exclude localhost from being queried for bootstrapping
* in our custom resolv.conf file as Unbound doesn't exist yet.
*/
$resolv_conf_root .= "nameserver $dnsserver\n";
}
$forward_conf .= "\tforward-addr: $dnsserver\n";
}
}
}
file_put_contents("/var/unbound/resolv.conf.root", $resolv_conf_root, LOCK_EX);
$so_reuseport = empty(system_sysctl_get()['net.inet.rss.enabled']) ? 'yes' : 'no';
$unboundconf = <<<EOD
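Review bot: The `file_put_contents("/var/unbound/resolv.conf.root", ...)` write discards its return value, so if the write fails a resolv.conf.root left over from an earlier configuration stays in place and the rc script (which only tests the file with `-s`) will bootstrap unbound-anchor against nameservers the user no longer has configured. A minimal fix is to report the failure, e.g. `if (file_put_contents('/var/unbound/resolv.conf.root', $resolv_conf_root, LOCK_EX) === false) { syslog(LOG_ERR, 'unbound: unable to write /var/unbound/resolv.conf.root'); }`, using whatever logging helper this file already uses in place of syslog. The write is also intentionally unconditional — an empty file is what tells the rc script not to pass `-Rf` — which is worth a one-line comment such as `/* always (re)write: an empty file makes the rc script skip -Rf and fall back to unbound-anchor's default resolution */` so nobody "optimises" it behind the `isset($config['unbound']['forwarding'])` guard. Note that the file is written as root while unbound-anchor reads it as the unbound user inside the chroot, so it presumably relies on the default umask leaving the file world-readable; confirm that holds in this codebase. The enclosing function starts before this hunk.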


@ -30,7 +30,20 @@ set -e
# prepare and startup unbound, so we can easily background it
chroot -u unbound -g unbound / /usr/local/sbin/unbound-anchor -a /var/unbound/root.key
# if the root.key file is missing or damaged, run unbound-anchor
if ! /usr/local/sbin/unbound-checkconf /var/unbound/unbound.conf 2> /dev/null; then
# unbound-anchor has undefined behaviour if file is corrupted, start clean
rm -f /var/unbound/root.key
# if we are in forwarding mode, prefer to use the configured system nameservers
if [ -s /var/unbound/resolv.conf.root ]; then
OPT_RESOLVE="-Rf /var/unbound/resolv.conf.root"
fi
# unbound-anchor exits with 1 on failover, since we would still like to start unbound,
# always let this succeed
chroot -u unbound -g unbound / /usr/local/sbin/unbound-anchor -a /var/unbound/root.key ${OPT_RESOLVE} || true
fi
if [ ! -f /var/unbound/unbound_control.key ]; then
chroot -u unbound -g unbound / /usr/local/sbin/unbound-control-setup -d /var/unbound