From 82c2368177ce93b15db6001f48e28ace5460d14e Mon Sep 17 00:00:00 2001
From: Eric Luehrsen <ericluehrsen@hotmail.com>
Date: Sun, 18 Dec 2016 22:38:03 -0500
Subject: [PATCH] unbound: UCI updates to take advantage of 1.6.0 - UCI to take
 advantage of "qname-minimisation-strict:" - UCI to block chaos responses bind,
 server, and version - UCI to limit or prefer recursion over IP4 or IP6

Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
---
 net/unbound/Makefile          |  2 +-
 net/unbound/files/README.md   | 24 ++++++++++--
 net/unbound/files/unbound.sh  | 69 +++++++++++++++++++++++++++++++++--
 net/unbound/files/unbound.uci |  3 ++
 4 files changed, 89 insertions(+), 9 deletions(-)

diff --git a/net/unbound/Makefile b/net/unbound/Makefile
index 1422b9cae..fcfa12bf5 100644
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=unbound
 PKG_VERSION:=1.6.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
diff --git a/net/unbound/files/README.md b/net/unbound/files/README.md
index 084a8af94..d0bb3376f 100644
--- a/net/unbound/files/README.md
+++ b/net/unbound/files/README.md
@@ -79,8 +79,12 @@ Finally, `root.key` maintenance for DNSKEY RFC5011 would be hard on flash. Unbou
 		"drill -x 192.168.10.201 ~ NODATA" (insted of james-laptop.lan)
 
 	option edns_size '1280'
-		Extended DNS is necessary for DNSSEC. However, it can run into MTU
-		issues. Use this size in bytes to manage drop outs.
+		Bytes. Extended DNS is necessary for DNSSEC. However, it can run 
+		into MTU issues. Use this size in bytes to manage drop outs.
+
+	option hide_binddata '1'
+		Boolean. If enabled version.server, version.bind, id.server, and 
+		hostname.bind queries are refused.
 
 	option listen_port '53'
 		Port. Incoming. Where Unbound will listen for queries.
@@ -93,9 +97,21 @@ Finally, `root.key` maintenance for DNSKEY RFC5011 would be hard on flash. Unbou
 		Boolean. Skip all this UCI nonsense. Manually edit the
 		configuration. Make changes to /etc/unbound/unbound.conf.
 
+	option protocol 'mixed'
+		Unbound can limit its protocol: "ip4_only" for ISP behind the time,
+		"ip6_only" for testing, "ip6_prefer" for ISP with good IP6 support,
+		or default-all "mixed." This affects the protocol	used to 
+		communicate. The DNS responses always include hosts respective IP4
+		and IP6 data.
+
 	option query_minimize '0'
-		Boolean. Enable a minor privacy option. Query only one name piece
-		at a time. Don't let each server know the next recursion.
+		Boolean. Enable a minor privacy option. Don't let each server know
+		the next recursion. Query one piece at a time.
+
+	option query_min_strict '0'
+		Boolean. Query minimize is best effort and will fall back to normal
+		when it must. This option prevents the fall back, but less than
+		standard name servers will fail to resolve their domains.
 
 	option rebind_localhost '0'
 		Boolean. Prevent loopback "127.0.0.0/8" or "::1/128" responses.
diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh
index 26090251a..fce36967e 100644
--- a/net/unbound/files/unbound.sh
+++ b/net/unbound/files/unbound.sh
@@ -25,6 +25,7 @@ UNBOUND_B_DNSMASQ=0
 UNBOUND_B_DNSSEC=0
 UNBOUND_B_DNS64=0
 UNBOUND_B_GATE_NAME=0
+UNBOUND_B_HIDE_BIND=1
 UNBOUND_B_LOCL_BLCK=0
 UNBOUND_B_LOCL_NAME=0
 UNBOUND_B_LOCL_SERV=1
@@ -32,11 +33,13 @@ UNBOUND_B_MAN_CONF=0
 UNBOUND_B_NTP_BOOT=1
 UNBOUND_B_PRIV_BLCK=1
 UNBOUND_B_QUERY_MIN=0
+UNBOUND_B_QRY_MINST=0
 
 UNBOUND_IP_DNS64="64:ff9b::/96"
 
 UNBOUND_D_RESOURCE=small
 UNBOUND_D_RECURSION=passive
+UNBOUND_D_PROTOCOL=mixed
 
 UNBOUND_TXT_FWD_ZONE=""
 UNBOUND_TTL_MIN=120
@@ -207,6 +210,38 @@ unbound_conf() {
   } >> $UNBOUND_CONFFILE
 
 
+  case "$UNBOUND_D_PROTOCOL" in
+    ip4_only)
+      {
+        echo "  do-ip4: yes"
+        echo "  do-ip6: no"
+      } >> $UNBOUND_CONFFILE
+      ;;
+
+    ip6_only)
+      {
+        echo "  do-ip4: no"
+        echo "  do-ip6: yes"
+      } >> $UNBOUND_CONFFILE
+      ;;
+
+    ip6_prefer)
+      {
+        echo "  do-ip4: yes"
+        echo "  do-ip6: yes"
+        echo "  prefer-ip6: yes"
+      } >> $UNBOUND_CONFFILE
+      ;;
+
+    *)
+      {
+        echo "  do-ip4: yes"
+        echo "  do-ip6: yes"
+      } >> $UNBOUND_CONFFILE
+      ;;
+  esac
+
+
   {
     # protocol level tuning
     echo "  edns-buffer-size: $UNBOUND_N_EDNS_SIZE"
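Review bot: The `*)` arm of the new `case "$UNBOUND_D_PROTOCOL"` treats any unrecognised value, including a typo in the UCI `protocol` option, as the mixed default with no diagnostic, so a user who misspells `ip4_only` silently keeps IPv6 recursion enabled. Consider emitting a warning in that arm before writing the defaults, e.g. `echo "unbound: unknown protocol '$UNBOUND_D_PROTOCOL', using mixed" >&2` (or the script's existing logging helper, if it has one), or validate the value where the -454 hunk reads it with `config_get UNBOUND_D_PROTOCOL  "$cfg" protocol mixed`. The enclosing unbound_conf function begins before this hunk.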
@@ -324,7 +359,14 @@ unbound_conf() {
   }  >> $UNBOUND_CONFFILE
 
 
-  if [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+  if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+    {
+      # Some query privacy but "strict" will break some name servers
+      echo "  qname-minimisation: yes"
+      echo "  qname-minimisation-strict: yes"
+    } >> $UNBOUND_CONFFILE
+
+  elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
     # Minor improvement on query privacy
     echo "  qname-minimisation: yes" >> $UNBOUND_CONFFILE
 
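Review bot: The new condition on the `if` line uses the obsolescent `[ ... -a ... ]` form; `if [ "$UNBOUND_B_QRY_MINST" -gt 0 ] && [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then` is the portable equivalent and what ShellCheck recommends. With this ordering, `query_min_strict '1'` combined with `query_minimize '0'` is silently ignored, which looks intentional (strict is a modifier) but is not stated anywhere in the code; a comment above the branch such as `# strict only applies when query minimisation itself is enabled` would make that explicit. The enclosing unbound_conf function begins before this hunk.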
@@ -370,10 +412,23 @@ unbound_conf() {
   } >> $UNBOUND_CONFFILE
 
 
+  if [ "$UNBOUND_B_HIDE_BIND" -gt 0 ] ; then
+    {
+      # Block server id and version DNS TXT records
+      echo "  hide-identity: yes"
+      echo "  hide-version: yes"
+      echo
+    } >> $UNBOUND_CONFFILE
+  fi
+
+
   if [ "$UNBOUND_B_PRIV_BLCK" -gt 0 ] ; then
     {
-      # Remove DNS reponses from upstream with private IP
+      # Remove _upstream_ or global reponses with private addresses.
+      # Unbounds own "local zone" and "forward zone" may still use these.
+      # RFC1918, RFC3927, RFC4291, RFC6598, RFC6890
       echo "  private-address: 10.0.0.0/8"
+      echo "  private-address: 100.64.0.0/10"
       echo "  private-address: 169.254.0.0/16"
       echo "  private-address: 172.16.0.0/12"
       echo "  private-address: 192.168.0.0/16"
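Review bot: The two new comment lines in the private-address block carry typos, `reponses` and `Unbounds`; suggest `# Remove _upstream_ or global responses with private addresses.` and `# Unbound's own "local zone" and "forward zone" may still use these.`. The comment on the hide-identity/hide-version block says "TXT records" but the README hunk describes the effect as refusing the id.server, hostname.bind, version.server and version.bind queries, so wording it the same way (`# Refuse id.server/hostname.bind and version.server/version.bind queries`) keeps the two in step. The enclosing unbound_conf function begins before and continues after this hunk.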
@@ -439,14 +494,16 @@ unbound_uci() {
   ####################
   # UCI @ unbound    #
   ####################
-  
+
   config_get_bool UNBOUND_B_DNS64     "$cfg" dns64 0
   config_get_bool UNBOUND_B_GATE_NAME "$cfg" dnsmasq_gate_name 0
   config_get_bool UNBOUND_B_DNSMASQ   "$cfg" dnsmasq_link_dns 0
+  config_get_bool UNBOUND_B_HIDE_BIND "$cfg" hide_binddata 1
   config_get_bool UNBOUND_B_LOCL_NAME "$cfg" dnsmasq_only_local 0
   config_get_bool UNBOUND_B_LOCL_SERV "$cfg" localservice 1
   config_get_bool UNBOUND_B_MAN_CONF  "$cfg" manual_conf 0
   config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0
+  config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0
   config_get_bool UNBOUND_B_PRIV_BLCK "$cfg" rebind_protection 1
   config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
   config_get_bool UNBOUND_B_CONTROL   "$cfg" unbound_control 0
@@ -454,11 +511,15 @@ unbound_uci() {
   config_get_bool UNBOUND_B_NTP_BOOT  "$cfg" validator_ntp 1
 
   config_get UNBOUND_IP_DNS64    "$cfg" dns64_prefix "64:ff9b::/96"
+
   config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280
   config_get UNBOUND_N_RX_PORT   "$cfg" listen_port 53
+  config_get UNBOUND_N_ROOT_AGE  "$cfg" root_age 7
+
+  config_get UNBOUND_D_PROTOCOL  "$cfg" protocol mixed
   config_get UNBOUND_D_RECURSION "$cfg" recursion passive
   config_get UNBOUND_D_RESOURCE  "$cfg" resource small
-  config_get UNBOUND_N_ROOT_AGE  "$cfg" root_age 7
+
   config_get UNBOUND_TTL_MIN     "$cfg" ttl_min 120
 
 
diff --git a/net/unbound/files/unbound.uci b/net/unbound/files/unbound.uci
index ca348a6c4..6e887c86b 100644
--- a/net/unbound/files/unbound.uci
+++ b/net/unbound/files/unbound.uci
@@ -5,10 +5,13 @@ config unbound
 	option dnsmasq_link_dns '0'
 	option dnsmasq_only_local '0'
 	option edns_size '1280'
+	option hide_binddata '1'
 	option listen_port '53'
 	option localservice '1'
 	option manual_conf '0'
+	option protocol 'mixed'
 	option query_minimize '0'
+	option query_min_strict '0'
 	option rebind_localhost '0'
 	option rebind_protection '1'
 	option recursion 'passive'