Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
packages/net/unbound/files/README.md

262 lines
12 KiB
Markdown
Raw Normal View History

Unbound: Add UCI primer files -README.md to describe the UCI in detail -unbound.uci to get you started Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-10-28 02:02:00 +00:00
# Unbound Recursive DNS Server with UCI
## Unbound Description
Unbound is a validating, recursive, and caching DNS resolver. The C implementation of Unbound is developed and maintained by [NLnet Labs](https://www.unbound.net/). It is based on ideas and algorithms taken from a java prototype developed by Verisign labs, Nominet, Kirei and ep.net. Unbound is designed as a set of modular components, so that also DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible.
## Package Overview
Unbound may be useful on consumer grade embedded hardware. It is *intended* to be a recursive resolver only. [NLnet Labs NSD](https://www.nlnetlabs.nl/projects/nsd/) is *intended* for the authoritative task. This is different than [ISC Bind](https://www.isc.org/downloads/bind/) and its inclusive functions. Unbound configuration effort and memory consumption may be easier to control. A consumer could have their own recursive resolver, and remove potential issues from forwarding resolvers outside of their control.
This package builds on Unbounds capabilities with OpenWrt UCI. Not every Unbound option is in UCI, but rather, UCI simplifies the combination of related options. Unbounds native options are bundled and balanced within a smaller set of choices. Options include resources, DNSSEC, access control, and some TTL tweaking. The UCI also provides an escape option and work at the raw "unbound.conf" level.
unbound: expand UCI to cover some popular dnsmasq features Unbound+DHCP (server of your choice) should be able to replicate a lot of what dnsmasq provides. With this change set Unbound still works with dnsmasq, but also it can work with a plain DHCP server. Features have been added within the UCI itself to act like dnsmasq. - alone: name each interface relative to router hostname - alone: prevent upstream leakage of your domain and '.local' - dnsmasq: use dnsmasq UCI to configure forwarding clauses - dhcp: work with odhcpd as example of companion DHCP-DNS - dhcp: convert DHCPv4 leases into EUI64 SLAAC for DNS records - all: enable encrypted remote unbound-control using splice conf - all: allow user spliced conf-files for hybrid UCI and manual conf -- 'unbound_srv.conf' will be spliced into the 'server:' clause -- 'unbound_ext.conf' will add clauses to the end, example 'forward:' README HOW TO for dnsmasq-in-serial, dnsmasq-in-parallel, and unbound-with-odhcpd have better/added UCI starters. HOW TO for including unbound_srv.conf and unbound_ext.conf are added. Document new UCI: add_local_fqdn, add_wan_fqdn, dhcp4_slaac6, dhcp_link, domain, and domain_type Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-29 06:32:31 +00:00
## HOW TO Integrate with DHCP
Some UCI options and scripts help Unbound to work with DHCP servers to load the local DNS. The examples provided here are serial dnsmasq-unbound, parallel dnsmasq-unbound, and unbound scripted with odhcpd.
### Serial dnsmasq
In this case, dnsmasq is not changed *much* with respect to the default OpenWRT/LEDE configuration. Here dnsmasq is forced to use the local Unbound instance as the lone upstream DNS server, instead of your ISP. This may be the easiest implementation, but performance degradation can occur in high volume networks. dnsmasq and Unbound effectively have the same information in memory, and all transfers are double handled.
Unbound: Add UCI primer files -README.md to describe the UCI in detail -unbound.uci to get you started Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-10-28 02:02:00 +00:00
Unbound: added UCI support for DNS64 Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com> Signed-off-by: Dan Luedte <mail@danrl.com>
2016-12-10 18:40:54 +00:00
**/etc/config/unbound**:
config unbound
unbound: expand UCI to cover some popular dnsmasq features Unbound+DHCP (server of your choice) should be able to replicate a lot of what dnsmasq provides. With this change set Unbound still works with dnsmasq, but also it can work with a plain DHCP server. Features have been added within the UCI itself to act like dnsmasq. - alone: name each interface relative to router hostname - alone: prevent upstream leakage of your domain and '.local' - dnsmasq: use dnsmasq UCI to configure forwarding clauses - dhcp: work with odhcpd as example of companion DHCP-DNS - dhcp: convert DHCPv4 leases into EUI64 SLAAC for DNS records - all: enable encrypted remote unbound-control using splice conf - all: allow user spliced conf-files for hybrid UCI and manual conf -- 'unbound_srv.conf' will be spliced into the 'server:' clause -- 'unbound_ext.conf' will add clauses to the end, example 'forward:' README HOW TO for dnsmasq-in-serial, dnsmasq-in-parallel, and unbound-with-odhcpd have better/added UCI starters. HOW TO for including unbound_srv.conf and unbound_ext.conf are added. Document new UCI: add_local_fqdn, add_wan_fqdn, dhcp4_slaac6, dhcp_link, domain, and domain_type Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-29 06:32:31 +00:00
option add_local_fqdn '0'
option add_wan_fqdn '0'
option dhcp_link 'none'
# dnsmasq should not forward your domain to unbound, but if...
option domain 'yourdomain'
option domain_type 'refuse'
option listen_port '1053'
Unbound: added UCI support for DNS64 Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com> Signed-off-by: Dan Luedte <mail@danrl.com>
2016-12-10 18:40:54 +00:00
...
**/etc/config/dhcp**:
config dnsmasq
unbound: error in README.md for unbound+dnsmasq
2017-01-23 06:48:32 +00:00
option noresolv '0'
option resolvfile '/tmp/resolv.conf.auto'
unbound: expand UCI to cover some popular dnsmasq features Unbound+DHCP (server of your choice) should be able to replicate a lot of what dnsmasq provides. With this change set Unbound still works with dnsmasq, but also it can work with a plain DHCP server. Features have been added within the UCI itself to act like dnsmasq. - alone: name each interface relative to router hostname - alone: prevent upstream leakage of your domain and '.local' - dnsmasq: use dnsmasq UCI to configure forwarding clauses - dhcp: work with odhcpd as example of companion DHCP-DNS - dhcp: convert DHCPv4 leases into EUI64 SLAAC for DNS records - all: enable encrypted remote unbound-control using splice conf - all: allow user spliced conf-files for hybrid UCI and manual conf -- 'unbound_srv.conf' will be spliced into the 'server:' clause -- 'unbound_ext.conf' will add clauses to the end, example 'forward:' README HOW TO for dnsmasq-in-serial, dnsmasq-in-parallel, and unbound-with-odhcpd have better/added UCI starters. HOW TO for including unbound_srv.conf and unbound_ext.conf are added. Document new UCI: add_local_fqdn, add_wan_fqdn, dhcp4_slaac6, dhcp_link, domain, and domain_type Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-29 06:32:31 +00:00
option port '53'
list server '127.0.0.1#1053'
list server '::1#1053'
...
### Parallel dnsmasq
In this case, Unbound serves your local network directly for all purposes. It will look over to dnsmasq for DHCP-DNS resolution. Unbound is generally accessible on port 53, and dnsmasq is only accessed at 127.0.0.1:1053 by Unbound. Although you can dig/drill/nslookup remotely with the proper directives.
**/etc/config/unbound**:
config unbound
option dhcp_link 'dnsmasq'
option listen_port '53'
...
**/etc/config/dhcp**:
config dnsmasq
option domain 'yourdomain'
option noresolv '1'
unbound: error in README.md for unbound+dnsmasq
2017-01-23 06:48:32 +00:00
option resolvfile '/tmp/resolv.conf.auto'
Unbound: added UCI support for DNS64 Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com> Signed-off-by: Dan Luedte <mail@danrl.com>
2016-12-10 18:40:54 +00:00
option port '1053'
...
unbound: expand UCI to cover some popular dnsmasq features Unbound+DHCP (server of your choice) should be able to replicate a lot of what dnsmasq provides. With this change set Unbound still works with dnsmasq, but also it can work with a plain DHCP server. Features have been added within the UCI itself to act like dnsmasq. - alone: name each interface relative to router hostname - alone: prevent upstream leakage of your domain and '.local' - dnsmasq: use dnsmasq UCI to configure forwarding clauses - dhcp: work with odhcpd as example of companion DHCP-DNS - dhcp: convert DHCPv4 leases into EUI64 SLAAC for DNS records - all: enable encrypted remote unbound-control using splice conf - all: allow user spliced conf-files for hybrid UCI and manual conf -- 'unbound_srv.conf' will be spliced into the 'server:' clause -- 'unbound_ext.conf' will add clauses to the end, example 'forward:' README HOW TO for dnsmasq-in-serial, dnsmasq-in-parallel, and unbound-with-odhcpd have better/added UCI starters. HOW TO for including unbound_srv.conf and unbound_ext.conf are added. Document new UCI: add_local_fqdn, add_wan_fqdn, dhcp4_slaac6, dhcp_link, domain, and domain_type Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-29 06:32:31 +00:00
config dhcp 'lan'
Unbound: added UCI support for DNS64 Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com> Signed-off-by: Dan Luedte <mail@danrl.com>
2016-12-10 18:40:54 +00:00
list dhcp_option 'option:dns-server,0.0.0.0'
...
Unbound: Add UCI primer files -README.md to describe the UCI in detail -unbound.uci to get you started Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-10-28 02:02:00 +00:00
unbound: expand UCI to cover some popular dnsmasq features Unbound+DHCP (server of your choice) should be able to replicate a lot of what dnsmasq provides. With this change set Unbound still works with dnsmasq, but also it can work with a plain DHCP server. Features have been added within the UCI itself to act like dnsmasq. - alone: name each interface relative to router hostname - alone: prevent upstream leakage of your domain and '.local' - dnsmasq: use dnsmasq UCI to configure forwarding clauses - dhcp: work with odhcpd as example of companion DHCP-DNS - dhcp: convert DHCPv4 leases into EUI64 SLAAC for DNS records - all: enable encrypted remote unbound-control using splice conf - all: allow user spliced conf-files for hybrid UCI and manual conf -- 'unbound_srv.conf' will be spliced into the 'server:' clause -- 'unbound_ext.conf' will add clauses to the end, example 'forward:' README HOW TO for dnsmasq-in-serial, dnsmasq-in-parallel, and unbound-with-odhcpd have better/added UCI starters. HOW TO for including unbound_srv.conf and unbound_ext.conf are added. Document new UCI: add_local_fqdn, add_wan_fqdn, dhcp4_slaac6, dhcp_link, domain, and domain_type Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-29 06:32:31 +00:00
### Only odhcpd
Why use dnsmasq you might ask? Well test, try, and review. You can have Unbound and odhcpd only. When odhcpd configures as DHCP lease, it will call a script. The script provided with Unbound will read the lease file and enter DHCP-DNS records as much as dnsmasq once did.
*note: You must install unbound-control. The lease file loads are done without starting, stopping, or re-writing conf files.*
*note: if you run the default LEDE/OpenWrt setup with dnsmasq and odhcpd, then use the link to dnsmasq. Unbound will pole dnsmasq. dnsmasq merges its lease file and odhcpd lease file.*
**/etc/config/unbound**:
config unbound
# name your router in DNS
option add_local_fqdn '1'
option add_wan_fqdn '1'
option dhcp_link 'odhcpd'
# add SLAAC inferred from DHCPv4
option dhcp4_slaac6 '1'
option domain 'lan'
option domain_type 'static'
option listen_port '53'
option rebind_protection '1'
# install unbound-control and set this
option unbound_control '1'
...
**/etc/config/dhcp**:
config dhcp 'lan'
option dhcpv4 'server'
option dhcpv6 'server'
option interface 'lan'
# short times help renew events to refresh dns
option leasetime '4h'
option ra 'server'
option ra_management '1'
# issue your ULA and avoid default [fe80::]
list dns 'fdxx:xxxx:xxxx::1'
config odhcpd 'odhcpd'
option maindhcp '1'
option leasefile '/var/lib/odhcpd/dhcp.leases'
# this is where the magic happens
option leasetrigger '/usr/lib/unbound/odhcpd.sh'
Unbound: Add UCI primer files -README.md to describe the UCI in detail -unbound.uci to get you started Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-10-28 02:02:00 +00:00
Unbound: fix regression of manual conf for power user - History: prior to package 1.5.10-3 /var/lib/unbound was not used - History: prior to package 1.5.10-4 no UCI scripts were provided - Problem: UCI 'option manual_conf 1' only copied unbound.conf and root.key - Problem: power users that had complex file nests cannot use this - Fix: README.md includes instructions for /var/lib/unbound jail - Fix: unbound.sh copies ALL of /etc/unbound for 'option manual_conf 1' Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-08 03:07:08 +00:00
## Back to Manual Configuration
unbound: expand UCI to cover some popular dnsmasq features Unbound+DHCP (server of your choice) should be able to replicate a lot of what dnsmasq provides. With this change set Unbound still works with dnsmasq, but also it can work with a plain DHCP server. Features have been added within the UCI itself to act like dnsmasq. - alone: name each interface relative to router hostname - alone: prevent upstream leakage of your domain and '.local' - dnsmasq: use dnsmasq UCI to configure forwarding clauses - dhcp: work with odhcpd as example of companion DHCP-DNS - dhcp: convert DHCPv4 leases into EUI64 SLAAC for DNS records - all: enable encrypted remote unbound-control using splice conf - all: allow user spliced conf-files for hybrid UCI and manual conf -- 'unbound_srv.conf' will be spliced into the 'server:' clause -- 'unbound_ext.conf' will add clauses to the end, example 'forward:' README HOW TO for dnsmasq-in-serial, dnsmasq-in-parallel, and unbound-with-odhcpd have better/added UCI starters. HOW TO for including unbound_srv.conf and unbound_ext.conf are added. Document new UCI: add_local_fqdn, add_wan_fqdn, dhcp4_slaac6, dhcp_link, domain, and domain_type Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-29 06:32:31 +00:00
Yes, there is a UCI to disable the rest of Unbound UCI. However, OpenWrt or LEDE are targeted at embedded machines with flash ROM. The initialization scripts do a few things to protect flash ROM.
Unbound: fix regression of manual conf for power user - History: prior to package 1.5.10-3 /var/lib/unbound was not used - History: prior to package 1.5.10-4 no UCI scripts were provided - Problem: UCI 'option manual_conf 1' only copied unbound.conf and root.key - Problem: power users that had complex file nests cannot use this - Fix: README.md includes instructions for /var/lib/unbound jail - Fix: unbound.sh copies ALL of /etc/unbound for 'option manual_conf 1' Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-08 03:07:08 +00:00
unbound: expand UCI to cover some popular dnsmasq features Unbound+DHCP (server of your choice) should be able to replicate a lot of what dnsmasq provides. With this change set Unbound still works with dnsmasq, but also it can work with a plain DHCP server. Features have been added within the UCI itself to act like dnsmasq. - alone: name each interface relative to router hostname - alone: prevent upstream leakage of your domain and '.local' - dnsmasq: use dnsmasq UCI to configure forwarding clauses - dhcp: work with odhcpd as example of companion DHCP-DNS - dhcp: convert DHCPv4 leases into EUI64 SLAAC for DNS records - all: enable encrypted remote unbound-control using splice conf - all: allow user spliced conf-files for hybrid UCI and manual conf -- 'unbound_srv.conf' will be spliced into the 'server:' clause -- 'unbound_ext.conf' will add clauses to the end, example 'forward:' README HOW TO for dnsmasq-in-serial, dnsmasq-in-parallel, and unbound-with-odhcpd have better/added UCI starters. HOW TO for including unbound_srv.conf and unbound_ext.conf are added. Document new UCI: add_local_fqdn, add_wan_fqdn, dhcp4_slaac6, dhcp_link, domain, and domain_type Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-29 06:32:31 +00:00
### Completely Manual (almost)
All of `/etc/unbound` (persistent, ROM) is copied to `/var/lib/unbound` (tmpfs, RAM). Edit your manual `/etc/unbound/unbound.conf` to reference this `/var/lib/unbound` location for included files. Note in preparation for a jail, `/var/lib/unbound` is `chown unbound`. Configure for security in`/etc/unbound/unbound.conf` with options `username:unbound` and `chroot:/var/lib/unbound`.
Unbound: fix regression of manual conf for power user - History: prior to package 1.5.10-3 /var/lib/unbound was not used - History: prior to package 1.5.10-4 no UCI scripts were provided - Problem: UCI 'option manual_conf 1' only copied unbound.conf and root.key - Problem: power users that had complex file nests cannot use this - Fix: README.md includes instructions for /var/lib/unbound jail - Fix: unbound.sh copies ALL of /etc/unbound for 'option manual_conf 1' Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-08 03:07:08 +00:00
unbound: expand UCI to cover some popular dnsmasq features Unbound+DHCP (server of your choice) should be able to replicate a lot of what dnsmasq provides. With this change set Unbound still works with dnsmasq, but also it can work with a plain DHCP server. Features have been added within the UCI itself to act like dnsmasq. - alone: name each interface relative to router hostname - alone: prevent upstream leakage of your domain and '.local' - dnsmasq: use dnsmasq UCI to configure forwarding clauses - dhcp: work with odhcpd as example of companion DHCP-DNS - dhcp: convert DHCPv4 leases into EUI64 SLAAC for DNS records - all: enable encrypted remote unbound-control using splice conf - all: allow user spliced conf-files for hybrid UCI and manual conf -- 'unbound_srv.conf' will be spliced into the 'server:' clause -- 'unbound_ext.conf' will add clauses to the end, example 'forward:' README HOW TO for dnsmasq-in-serial, dnsmasq-in-parallel, and unbound-with-odhcpd have better/added UCI starters. HOW TO for including unbound_srv.conf and unbound_ext.conf are added. Document new UCI: add_local_fqdn, add_wan_fqdn, dhcp4_slaac6, dhcp_link, domain, and domain_type Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-29 06:32:31 +00:00
Keep the DNSKEY updated with your choice of flash activity. `root.key` maintenance for DNSKEY RFC5011 would be hard on flash. Unbound natively updates frequently. It also creates and destroys working files in the process. In `/var/lib/unbound` this is no problem, but it would be gone at the next reboot. If you have DNSSEC (validator) active, then you should consider the age UCI option. Choose how many days to copy from `/var/lib/unbound/root.key` (tmpfs) to `/etc/unbound/root.key` (flash).
Unbound: fix regression of manual conf for power user - History: prior to package 1.5.10-3 /var/lib/unbound was not used - History: prior to package 1.5.10-4 no UCI scripts were provided - Problem: UCI 'option manual_conf 1' only copied unbound.conf and root.key - Problem: power users that had complex file nests cannot use this - Fix: README.md includes instructions for /var/lib/unbound jail - Fix: unbound.sh copies ALL of /etc/unbound for 'option manual_conf 1' Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-08 03:07:08 +00:00
Unbound: added UCI support for DNS64 Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com> Signed-off-by: Dan Luedte <mail@danrl.com>
2016-12-10 18:40:54 +00:00
**/etc/config/unbound**:
Unbound: fix regression of manual conf for power user - History: prior to package 1.5.10-3 /var/lib/unbound was not used - History: prior to package 1.5.10-4 no UCI scripts were provided - Problem: UCI 'option manual_conf 1' only copied unbound.conf and root.key - Problem: power users that had complex file nests cannot use this - Fix: README.md includes instructions for /var/lib/unbound jail - Fix: unbound.sh copies ALL of /etc/unbound for 'option manual_conf 1' Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-08 03:07:08 +00:00
config unbound
option manual_conf '1'
option root_age '30'
unbound: expand UCI to cover some popular dnsmasq features Unbound+DHCP (server of your choice) should be able to replicate a lot of what dnsmasq provides. With this change set Unbound still works with dnsmasq, but also it can work with a plain DHCP server. Features have been added within the UCI itself to act like dnsmasq. - alone: name each interface relative to router hostname - alone: prevent upstream leakage of your domain and '.local' - dnsmasq: use dnsmasq UCI to configure forwarding clauses - dhcp: work with odhcpd as example of companion DHCP-DNS - dhcp: convert DHCPv4 leases into EUI64 SLAAC for DNS records - all: enable encrypted remote unbound-control using splice conf - all: allow user spliced conf-files for hybrid UCI and manual conf -- 'unbound_srv.conf' will be spliced into the 'server:' clause -- 'unbound_ext.conf' will add clauses to the end, example 'forward:' README HOW TO for dnsmasq-in-serial, dnsmasq-in-parallel, and unbound-with-odhcpd have better/added UCI starters. HOW TO for including unbound_srv.conf and unbound_ext.conf are added. Document new UCI: add_local_fqdn, add_wan_fqdn, dhcp4_slaac6, dhcp_link, domain, and domain_type Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-29 06:32:31 +00:00
### Hybrid Manual/UCI
You like the UCI. Yet, you need to add some difficult to standardize options, or just are not ready to make a UCI request yet. The files `/etc/unbound/unbound_srv.conf` and `/etc/unbound/unbound_ext.conf` will be copied to Unbounds chroot directory and included during auto generation.
The former will be added to the end of the `server:` clause. The later will be added to the end of the file for extended `forward:` and `view:` clauses. You can also disable unbound-control in the UCI which only allows "localhost" connections unencrypted, and then add an encrypted remote `control:` clause.
Unbound: fix regression of manual conf for power user - History: prior to package 1.5.10-3 /var/lib/unbound was not used - History: prior to package 1.5.10-4 no UCI scripts were provided - Problem: UCI 'option manual_conf 1' only copied unbound.conf and root.key - Problem: power users that had complex file nests cannot use this - Fix: README.md includes instructions for /var/lib/unbound jail - Fix: unbound.sh copies ALL of /etc/unbound for 'option manual_conf 1' Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-08 03:07:08 +00:00
## Complete List of UCI Options
Unbound: Add UCI primer files -README.md to describe the UCI in detail -unbound.uci to get you started Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-10-28 02:02:00 +00:00
**/etc/config/unbound**:
config unbound
Currently only one instance is supported.
unbound: expand UCI to cover some popular dnsmasq features Unbound+DHCP (server of your choice) should be able to replicate a lot of what dnsmasq provides. With this change set Unbound still works with dnsmasq, but also it can work with a plain DHCP server. Features have been added within the UCI itself to act like dnsmasq. - alone: name each interface relative to router hostname - alone: prevent upstream leakage of your domain and '.local' - dnsmasq: use dnsmasq UCI to configure forwarding clauses - dhcp: work with odhcpd as example of companion DHCP-DNS - dhcp: convert DHCPv4 leases into EUI64 SLAAC for DNS records - all: enable encrypted remote unbound-control using splice conf - all: allow user spliced conf-files for hybrid UCI and manual conf -- 'unbound_srv.conf' will be spliced into the 'server:' clause -- 'unbound_ext.conf' will add clauses to the end, example 'forward:' README HOW TO for dnsmasq-in-serial, dnsmasq-in-parallel, and unbound-with-odhcpd have better/added UCI starters. HOW TO for including unbound_srv.conf and unbound_ext.conf are added. Document new UCI: add_local_fqdn, add_wan_fqdn, dhcp4_slaac6, dhcp_link, domain, and domain_type Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-29 06:32:31 +00:00
option add_local_fqdn '0'
Level. This puts your routers host name in the LAN (local) DNS.
Each level is more detailed and comprehensive.
0 - Disabled
1 - Host Name on only the primary address
2 - Host Name on all addresses found (except link)
3 - FQDN and host name on all addresses (except link)
4 - Above and interfaces named <iface>.<hostname>.<domain>
option add_wan_fqdn '0'
Level. Same as previous option only this applies to the WAN. WAN
are inferred by a UCI `config dhcp` entry that contains the line
option ignore '1'.
Unbound: added UCI support for DNS64 Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com> Signed-off-by: Dan Luedte <mail@danrl.com>
2016-12-10 18:40:54 +00:00
option dns64 '0'
Boolean. Enable DNS64 through Unbound in order to bridge networks
that are IPV6 only and IPV4 only (see RFC6052).
option dns64_prefix '64:ff9b::/96'
IPV6 Prefix. The IPV6 prefix wrapped on the IPV4 address for DNS64.
unbound: expand UCI to cover some popular dnsmasq features Unbound+DHCP (server of your choice) should be able to replicate a lot of what dnsmasq provides. With this change set Unbound still works with dnsmasq, but also it can work with a plain DHCP server. Features have been added within the UCI itself to act like dnsmasq. - alone: name each interface relative to router hostname - alone: prevent upstream leakage of your domain and '.local' - dnsmasq: use dnsmasq UCI to configure forwarding clauses - dhcp: work with odhcpd as example of companion DHCP-DNS - dhcp: convert DHCPv4 leases into EUI64 SLAAC for DNS records - all: enable encrypted remote unbound-control using splice conf - all: allow user spliced conf-files for hybrid UCI and manual conf -- 'unbound_srv.conf' will be spliced into the 'server:' clause -- 'unbound_ext.conf' will add clauses to the end, example 'forward:' README HOW TO for dnsmasq-in-serial, dnsmasq-in-parallel, and unbound-with-odhcpd have better/added UCI starters. HOW TO for including unbound_srv.conf and unbound_ext.conf are added. Document new UCI: add_local_fqdn, add_wan_fqdn, dhcp4_slaac6, dhcp_link, domain, and domain_type Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-29 06:32:31 +00:00
You should use RFC6052 "well known" address, unless you also
Unbound: added UCI support for DNS64 Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com> Signed-off-by: Dan Luedte <mail@danrl.com>
2016-12-10 18:40:54 +00:00
redirect to a proxy or gateway for your NAT64.
unbound: expand UCI to cover some popular dnsmasq features Unbound+DHCP (server of your choice) should be able to replicate a lot of what dnsmasq provides. With this change set Unbound still works with dnsmasq, but also it can work with a plain DHCP server. Features have been added within the UCI itself to act like dnsmasq. - alone: name each interface relative to router hostname - alone: prevent upstream leakage of your domain and '.local' - dnsmasq: use dnsmasq UCI to configure forwarding clauses - dhcp: work with odhcpd as example of companion DHCP-DNS - dhcp: convert DHCPv4 leases into EUI64 SLAAC for DNS records - all: enable encrypted remote unbound-control using splice conf - all: allow user spliced conf-files for hybrid UCI and manual conf -- 'unbound_srv.conf' will be spliced into the 'server:' clause -- 'unbound_ext.conf' will add clauses to the end, example 'forward:' README HOW TO for dnsmasq-in-serial, dnsmasq-in-parallel, and unbound-with-odhcpd have better/added UCI starters. HOW TO for including unbound_srv.conf and unbound_ext.conf are added. Document new UCI: add_local_fqdn, add_wan_fqdn, dhcp4_slaac6, dhcp_link, domain, and domain_type Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-29 06:32:31 +00:00
option dhcp_link 'none'
Program Name. Link to one of the supported programs we have scripts
for. You may also need to install a trigger script in the DHCP
servers configuration. See HOW TO above.
option dhcp4_slaac6 '0'
Boolean. Some DHCP servers do this natively (dnsmasq). Otherwise
the script provided with this package will try to fabricate SLAAC
IP6 addresses from DHCPv4 MAC records.
option domain 'lan'
Unbound local-zone: <domain> <type>. This is used to suffix all
host records, and maintain a local zone. When dnsmasq is dhcp_link
however, then this option is ignored (dnsmasq does it all).
option domain_type 'static'
Unbound local-zone: <domain> <type>. This allows you to lock
down or allow forwarding of your domain, your router host name
without suffix, and leakage of RFC6762 "local."
Unbound: Add UCI primer files -README.md to describe the UCI in detail -unbound.uci to get you started Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-10-28 02:02:00 +00:00
option edns_size '1280'
unbound: expand UCI to cover some popular dnsmasq features Unbound+DHCP (server of your choice) should be able to replicate a lot of what dnsmasq provides. With this change set Unbound still works with dnsmasq, but also it can work with a plain DHCP server. Features have been added within the UCI itself to act like dnsmasq. - alone: name each interface relative to router hostname - alone: prevent upstream leakage of your domain and '.local' - dnsmasq: use dnsmasq UCI to configure forwarding clauses - dhcp: work with odhcpd as example of companion DHCP-DNS - dhcp: convert DHCPv4 leases into EUI64 SLAAC for DNS records - all: enable encrypted remote unbound-control using splice conf - all: allow user spliced conf-files for hybrid UCI and manual conf -- 'unbound_srv.conf' will be spliced into the 'server:' clause -- 'unbound_ext.conf' will add clauses to the end, example 'forward:' README HOW TO for dnsmasq-in-serial, dnsmasq-in-parallel, and unbound-with-odhcpd have better/added UCI starters. HOW TO for including unbound_srv.conf and unbound_ext.conf are added. Document new UCI: add_local_fqdn, add_wan_fqdn, dhcp4_slaac6, dhcp_link, domain, and domain_type Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-29 06:32:31 +00:00
Bytes. Extended DNS is necessary for DNSSEC. However, it can run
unbound: UCI updates to take advantage of 1.6.0 - UCI to take advantage of "qname-minimisation-strict:" - UCI to block chaos reponses bind, server, and version - UCI to limit or prefer recrusion over IP4 or IP6 Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-19 03:38:03 +00:00
into MTU issues. Use this size in bytes to manage drop outs.
option hide_binddata '1'
unbound: expand UCI to cover some popular dnsmasq features Unbound+DHCP (server of your choice) should be able to replicate a lot of what dnsmasq provides. With this change set Unbound still works with dnsmasq, but also it can work with a plain DHCP server. Features have been added within the UCI itself to act like dnsmasq. - alone: name each interface relative to router hostname - alone: prevent upstream leakage of your domain and '.local' - dnsmasq: use dnsmasq UCI to configure forwarding clauses - dhcp: work with odhcpd as example of companion DHCP-DNS - dhcp: convert DHCPv4 leases into EUI64 SLAAC for DNS records - all: enable encrypted remote unbound-control using splice conf - all: allow user spliced conf-files for hybrid UCI and manual conf -- 'unbound_srv.conf' will be spliced into the 'server:' clause -- 'unbound_ext.conf' will add clauses to the end, example 'forward:' README HOW TO for dnsmasq-in-serial, dnsmasq-in-parallel, and unbound-with-odhcpd have better/added UCI starters. HOW TO for including unbound_srv.conf and unbound_ext.conf are added. Document new UCI: add_local_fqdn, add_wan_fqdn, dhcp4_slaac6, dhcp_link, domain, and domain_type Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-29 06:32:31 +00:00
Boolean. If enabled version.server, version.bind, id.server, and
unbound: UCI updates to take advantage of 1.6.0 - UCI to take advantage of "qname-minimisation-strict:" - UCI to block chaos reponses bind, server, and version - UCI to limit or prefer recrusion over IP4 or IP6 Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-19 03:38:03 +00:00
hostname.bind queries are refused.
Unbound: Add UCI primer files -README.md to describe the UCI in detail -unbound.uci to get you started Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-10-28 02:02:00 +00:00
option listen_port '53'
Port. Incoming. Where Unbound will listen for queries.
option localservice '1'
Boolean. Prevent DNS amplification attacks. Only provide access to
Unbound from subnets this machine has interfaces on.
option manual_conf '0'
Boolean. Skip all this UCI nonsense. Manually edit the
configuration. Make changes to /etc/unbound/unbound.conf.
unbound: UCI updates to take advantage of 1.6.0 - UCI to take advantage of "qname-minimisation-strict:" - UCI to block chaos reponses bind, server, and version - UCI to limit or prefer recrusion over IP4 or IP6 Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-19 03:38:03 +00:00
option protocol 'mixed'
unbound: expand UCI to cover some popular dnsmasq features Unbound+DHCP (server of your choice) should be able to replicate a lot of what dnsmasq provides. With this change set Unbound still works with dnsmasq, but also it can work with a plain DHCP server. Features have been added within the UCI itself to act like dnsmasq. - alone: name each interface relative to router hostname - alone: prevent upstream leakage of your domain and '.local' - dnsmasq: use dnsmasq UCI to configure forwarding clauses - dhcp: work with odhcpd as example of companion DHCP-DNS - dhcp: convert DHCPv4 leases into EUI64 SLAAC for DNS records - all: enable encrypted remote unbound-control using splice conf - all: allow user spliced conf-files for hybrid UCI and manual conf -- 'unbound_srv.conf' will be spliced into the 'server:' clause -- 'unbound_ext.conf' will add clauses to the end, example 'forward:' README HOW TO for dnsmasq-in-serial, dnsmasq-in-parallel, and unbound-with-odhcpd have better/added UCI starters. HOW TO for including unbound_srv.conf and unbound_ext.conf are added. Document new UCI: add_local_fqdn, add_wan_fqdn, dhcp4_slaac6, dhcp_link, domain, and domain_type Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-29 06:32:31 +00:00
Unbound can limit its protocol used for recursive queries.
Set 'ip4_only' to avoid issues if you do not have native IP6.
Set 'ip6_prefer' to possibly improve performance as well as
not consume NAT paths for the client computers.
Do not use 'ip6_only' unless testing.
unbound: UCI updates to take advantage of 1.6.0 - UCI to take advantage of "qname-minimisation-strict:" - UCI to block chaos reponses bind, server, and version - UCI to limit or prefer recrusion over IP4 or IP6 Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-19 03:38:03 +00:00
Unbound: Add UCI primer files -README.md to describe the UCI in detail -unbound.uci to get you started Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-10-28 02:02:00 +00:00
option query_minimize '0'
unbound: UCI updates to take advantage of 1.6.0 - UCI to take advantage of "qname-minimisation-strict:" - UCI to block chaos reponses bind, server, and version - UCI to limit or prefer recrusion over IP4 or IP6 Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-19 03:38:03 +00:00
Boolean. Enable a minor privacy option. Don't let each server know
the next recursion. Query one piece at a time.
option query_min_strict '0'
Boolean. Query minimize is best effort and will fall back to normal
when it must. This option prevents the fall back, but less than
standard name servers will fail to resolve their domains.
Unbound: Add UCI primer files -README.md to describe the UCI in detail -unbound.uci to get you started Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-10-28 02:02:00 +00:00
option rebind_localhost '0'
Boolean. Prevent loopback "127.0.0.0/8" or "::1/128" responses.
These may used by black hole servers for good purposes like
ad-blocking or parental access control. Obviously these responses
also can be used to for bad purposes.
option rebind_protection '1'
Boolean. Prevent RFC 1918 Reponses from global DNS. Example a
poisoned reponse within "192.168.0.0/24" could be used to turn a
local browser into an external attack proxy server.
option recursion 'passive'
Unbound has numerous options for how it recurses. This UCI combines
them into "passive," "aggressive," or Unbound's own "default."
Passive is easy on resources, but slower until cache fills.
option resource 'small'
Unbound has numerous options for resources. This UCI gives "tiny,"
"small," "medium," and "large." Medium is most like the compiled
defaults with a bit of balancing. Tiny is close to the published
memory restricted configuration. Small 1/2 medium, and large 2x.
option root_age '30'
Days. >90 Disables. Age limit for Unbound root data like root
DNSSEC key. Unbound uses RFC 5011 to manage root key. This could
harm flash ROM. This activity is mapped to "tmpfs," but every so
often it needs to be copied back to flash for the next reboot.
option ttl_min '120'
Seconds. Minimum TTL in cache. Recursion can be expensive without
cache. A low TTL is normal for server migration. A low TTL can be
abused for snoop-vertising (DNS hit counts; recording query IP).
Typical to configure maybe 0~300, but 1800 is the maximum accepted.
option unbound_control '0'
Boolean. Enables unbound-control application access ports. Enabling
this without the unbound-control package installed is robust.
option validator '0'
Boolean. Enable DNSSEC. Unbound names this the "validator" module.
option validator_ntp '1'
Boolean. Disable DNSSEC time checks at boot. Once NTP confirms
global real time, then DNSSEC is restarted at full strength. Many
embedded devices don't have a real time power off clock. NTP needs
DNS to resolve servers. This works around the chicken-and-egg.
list domain_insecure
List. Domains or pointers that you wish to skip DNSSEC. Your DHCP
domains and pointers in dnsmasq will get this automatically.
unbound: expand UCI to cover some popular dnsmasq features Unbound+DHCP (server of your choice) should be able to replicate a lot of what dnsmasq provides. With this change set Unbound still works with dnsmasq, but also it can work with a plain DHCP server. Features have been added within the UCI itself to act like dnsmasq. - alone: name each interface relative to router hostname - alone: prevent upstream leakage of your domain and '.local' - dnsmasq: use dnsmasq UCI to configure forwarding clauses - dhcp: work with odhcpd as example of companion DHCP-DNS - dhcp: convert DHCPv4 leases into EUI64 SLAAC for DNS records - all: enable encrypted remote unbound-control using splice conf - all: allow user spliced conf-files for hybrid UCI and manual conf -- 'unbound_srv.conf' will be spliced into the 'server:' clause -- 'unbound_ext.conf' will add clauses to the end, example 'forward:' README HOW TO for dnsmasq-in-serial, dnsmasq-in-parallel, and unbound-with-odhcpd have better/added UCI starters. HOW TO for including unbound_srv.conf and unbound_ext.conf are added. Document new UCI: add_local_fqdn, add_wan_fqdn, dhcp4_slaac6, dhcp_link, domain, and domain_type Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-12-29 06:32:31 +00:00
## Deprecated UCI
The dnsmasq specific UCI will still work as well as they did, but please use `option dhcp_link 'dnsmasq'` above. Local host name and WAN host name will be lifted and configured from DHCP UCI subpart dnsmasq. (`dnsmasq_gate_name`, `dnsmasq_link_dns`, `dnsmasq_only_local`)
Reference in a new issue Copy permalink