remove ipv6

2026-03-19 21:58:14 +07:00
parent 9fdeb2795d
commit 7fcbc016da
1 changed files with 44 additions and 34 deletions
--- a/unbound.sh
+++ b/unbound.sh
@@ -1,6 +1,8 @@
 #!/bin/bash
 set -e

+# ─────────────────────────────────────────────
+# Unbound setup script (no package installation)
 # ─────────────────────────────────────────────

 RED='\033[0;31m'
@@ -23,16 +25,12 @@ if ! command -v unbound &>/dev/null; then
    error "unbound is not installed. Install it first:\n  apt install unbound  /  dnf install unbound  /  pacman -S unbound"
 fi

-if ! command -v unbound-anchor &>/dev/null; then
-    error "unbound-anchor not found. Make sure the full unbound package is installed."
-fi
-
 # ── Variables ───────────────────────────────
 UNBOUND_DIR="/var/lib/unbound"
 CONF_DIR="/etc/unbound/unbound.conf.d"
 CONF_FILE="$CONF_DIR/personal.conf"
+MAIN_CONF="/etc/unbound/unbound.conf"
 ROOT_HINTS="$UNBOUND_DIR/root.hints"
-ROOT_KEY="$UNBOUND_DIR/root.key"
 ROOT_HINTS_URL="https://www.internic.net/domain/named.root"

 # ── Create directories ───────────────────────
@@ -51,29 +49,49 @@ else
 fi
 success "Root hints downloaded"

-# ── Initialize DNSSEC anchor ─────────────────
-info "Initializing DNSSEC trust anchor..."
-unbound-anchor -a "$ROOT_KEY" || warn "unbound-anchor returned non-zero (this can be normal if key already exists)"
-success "DNSSEC anchor initialized"
-
 # ── Fix ownership ─────────────────────────────
 info "Setting permissions..."
 chown -R unbound:unbound "$UNBOUND_DIR" 2>/dev/null || warn "Could not chown $UNBOUND_DIR (unbound user may not exist)"

-# ── Write config ──────────────────────────────
+# ── Patch main config ─────────────────────────
+info "Patching main config..."
+
+# Disable any active trust-anchor-file (causes SERVFAIL without valid key)
+sed -i 's|^[[:space:]]*trust-anchor-file:|#	trust-anchor-file:|g' "$MAIN_CONF"
+
+# Disable validator module if explicitly set
+sed -i 's|^[[:space:]]*module-config:.*validator.*|# & # disabled by setup script|g' "$MAIN_CONF"
+
+# Add include for conf.d if not already present
+if ! grep -q 'unbound.conf.d' "$MAIN_CONF"; then
+    echo 'include: "/etc/unbound/unbound.conf.d/*.conf"' >> "$MAIN_CONF"
+    success "Added include for conf.d"
+fi
+
+# ── Write personal config ─────────────────────
 info "Writing config to $CONF_FILE..."
-cat > "$CONF_FILE" <<'EOF'
+cat > "$CONF_FILE" <<EOF
 server:
+    # Disable chroot so paths work correctly
+    chroot: ""
+
+    # No DNSSEC validation — iterator only
+    module-config: "iterator"
+
+    # IPv4 only (IPv6 root servers unreachable on many setups)
+    do-ip6: no
+
    # Listen on localhost only
    interface: 127.0.0.1
-    interface: ::1
    port: 53

    # Allow only localhost
    access-control: 127.0.0.0/8 allow
-    access-control: ::1/128 allow
    access-control: 0.0.0.0/0 refuse

+    # Root hints
+    root-hints: "$ROOT_HINTS"
+
    # Performance
    num-threads: 2
    cache-min-ttl: 300
@@ -86,13 +104,6 @@ server:
    hide-identity: yes
    hide-version: yes
    qname-minimisation: yes
-    aggressive-nsec: yes
-
-    # DNSSEC
-    auto-trust-anchor-file: "/var/lib/unbound/root.key"
-
-    # Root hints
-    root-hints: "/var/lib/unbound/root.hints"

    # Prefetch popular records before they expire
    prefetch: yes
@@ -106,28 +117,23 @@ success "Config written"

 # ── Validate config ───────────────────────────
 info "Validating config..."
-if unbound-checkconf "$CONF_FILE" &>/dev/null; then
+if unbound-checkconf "$MAIN_CONF" &>/dev/null; then
    success "Config is valid"
 else
-    warn "Config check failed, trying full config..."
-    if unbound-checkconf /etc/unbound/unbound.conf; then
-        success "Full config is valid"
-    else
-        error "Config validation failed. Run: unbound-checkconf /etc/unbound/unbound.conf"
-    fi
+    unbound-checkconf "$MAIN_CONF" || error "Config validation failed — see above"
 fi

 # ── Enable and restart service ────────────────
 info "Enabling and restarting unbound..."
 systemctl enable unbound
 systemctl restart unbound
-
 sleep 1

 if systemctl is-active --quiet unbound; then
    success "unbound is running"
 else
-    error "unbound failed to start. Check: journalctl -u unbound -n 30"
+    journalctl -u unbound -n 20 --no-pager
+    error "unbound failed to start — see logs above"
 fi

 # ── Verify DNS resolution ─────────────────────
@@ -137,7 +143,12 @@ sleep 1
 if dig @127.0.0.1 google.com +short &>/dev/null; then
    success "DNS resolution works"
 else
-    warn "dig test failed — try manually: dig @127.0.0.1 google.com"
+    warn "dig test failed — unbound may need a forwarder"
+    warn "Try manually: dig @127.0.0.1 google.com"
+    warn "If it fails, add a forwarder to $CONF_FILE:"
+    warn "  forward-zone:"
+    warn "      name: \".\""
+    warn "      forward-addr: 1.1.1.1"
 fi

 # ── Done ──────────────────────────────────────
@@ -148,12 +159,11 @@ echo -e "${GREEN}═════════════════════
 echo ""
 echo "  Verify with:"
 echo "    dig @127.0.0.1 google.com"
-echo "    dig @127.0.0.1 google.com +dnssec   # look for 'ad' flag"
-echo "    dig @127.0.0.1 sigfail.verteiltesysteme.net  # should be SERVFAIL"
+echo "    dig @127.0.0.1 google.com | grep 'Query time'  # run twice, 2nd should be 0ms"
 echo ""
 echo "  To use as system resolver, add to /etc/resolv.conf:"
 echo "    nameserver 127.0.0.1"
 echo ""
 echo "  Or in WireGuard [Interface]:"
 echo "    DNS = 127.0.0.1"
-echo ""
+echo ""