forked from DNSCrypt/dnscrypt-server-docker
-
Notifications
You must be signed in to change notification settings - Fork 0
/
unbound.sh
executable file
·154 lines (141 loc) · 4.32 KB
/
unbound.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
#! /usr/bin/env bash
KEYS_DIR="/opt/encrypted-dns/etc/keys"
ZONES_DIR="/opt/unbound/etc/unbound/zones"
reserved=134217728
availableMemory=$((1024 * $( (grep -F MemAvailable /proc/meminfo || grep -F MemTotal /proc/meminfo) | sed 's/[^0-9]//g')))
if [ $availableMemory -le $((reserved * 2)) ]; then
echo "Not enough memory" >&2
exit 1
fi
availableMemory=$((availableMemory - reserved))
msg_cache_size=$((availableMemory / 4))
rr_cache_size=$((availableMemory / 3))
nproc=$(nproc)
if [ "$nproc" -gt 1 ]; then
threads=$((nproc - 1))
else
threads=1
fi
provider_name=$(cat "$KEYS_DIR/provider_name")
sed \
-e "s/@MSG_CACHE_SIZE@/${msg_cache_size}/" \
-e "s/@PROVIDER_NAME@/${provider_name}/" \
-e "s/@RR_CACHE_SIZE@/${rr_cache_size}/" \
-e "s/@THREADS@/${threads}/" \
-e "s#@ZONES_DIR@#${ZONES_DIR}#" \
> /opt/unbound/etc/unbound/unbound.conf << EOT
server:
verbosity: 1
num-threads: @THREADS@
interface: 127.0.0.1@553
so-reuseport: yes
edns-buffer-size: 1232
delay-close: 10000
cache-min-ttl: 3600
cache-max-ttl: 86400
do-daemonize: no
username: "_unbound"
log-queries: no
hide-version: yes
identity: "DNSCrypt"
harden-short-bufsize: yes
harden-large-queries: yes
harden-glue: yes
harden-dnssec-stripped: yes
harden-below-nxdomain: yes
harden-referral-path: no
do-not-query-localhost: no
prefetch: yes
prefetch-key: yes
qname-minimisation: yes
rrset-roundrobin: yes
minimal-responses: yes
chroot: "/opt/unbound/etc/unbound"
directory: "/opt/unbound/etc/unbound"
auto-trust-anchor-file: "var/root.key"
num-queries-per-thread: 4096
outgoing-range: 8192
msg-cache-size: @MSG_CACHE_SIZE@
rrset-cache-size: @RR_CACHE_SIZE@
neg-cache-size: 4M
serve-expired: yes
serve-expired-ttl: 86400
serve-expired-ttl-reset: yes
access-control: 0.0.0.0/0 allow
access-control: ::0/0 allow
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
aggressive-nsec: yes
local-zone: "1." static
local-zone: "10.in-addr.arpa." static
local-zone: "127.in-addr.arpa." static
local-zone: "16.172.in-addr.arpa." static
local-zone: "168.192.in-addr.arpa." static
local-zone: "f.f.ip6.arpa." static
local-zone: "8.e.f.ip6.arpa." static
local-zone: "airdream." static
local-zone: "api." static
local-zone: "bbrouter." static
local-zone: "belkin." static
local-zone: "blinkap." static
local-zone: "corp." static
local-zone: "davolink." static
local-zone: "dearmyrouter." static
local-zone: "dhcp." static
local-zone: "dlink." static
local-zone: "domain." static
local-zone: "envoy." static
local-zone: "example." static
local-zone: "grp." static
local-zone: "gw==." static
local-zone: "home." static
local-zone: "hub." static
local-zone: "internal." static
local-zone: "intra." static
local-zone: "intranet." static
local-zone: "invalid." static
local-zone: "ksyun." static
local-zone: "lan." static
local-zone: "loc." static
local-zone: "local." static
local-zone: "localdomain." static
local-zone: "localhost." static
local-zone: "localnet." static
local-zone: "modem." static
local-zone: "mynet." static
local-zone: "myrouter." static
local-zone: "novalocal." static
local-zone: "onion." static
local-zone: "openstacklocal." static
local-zone: "priv." static
local-zone: "private." static
local-zone: "prv." static
local-zone: "router." static
local-zone: "telus." static
local-zone: "test." static
local-zone: "totolink." static
local-zone: "wlan_ap." static
local-zone: "workgroup." static
local-zone: "zghjccbob3n0." static
local-zone: "@PROVIDER_NAME@." refuse
include: "@ZONES_DIR@/*.conf"
remote-control:
control-enable: yes
control-interface: 127.0.0.1
auth-zone:
name: "."
url: "https://www.internic.net/domain/root.zone"
fallback-enabled: yes
for-downstream: no
for-upstream: yes
zonefile: "var/root.zone"
EOT
mkdir -p /opt/unbound/etc/unbound/dev &&
cp -a /dev/random /dev/urandom /opt/unbound/etc/unbound/dev/
mkdir -p -m 700 /opt/unbound/etc/unbound/var &&
chown _unbound:_unbound /opt/unbound/etc/unbound/var &&
/opt/unbound/sbin/unbound-anchor -a /opt/unbound/etc/unbound/var/root.key
if [ ! -f /opt/unbound/etc/unbound/unbound_control.pem ]; then
/opt/unbound/sbin/unbound-control-setup 2> /dev/null || :
fi
mkdir -p /opt/unbound/etc/unbound/zones
exec /opt/unbound/sbin/unbound