Merge pull request #13841 from EricLuehrsen/unbound_112

unbound: update to 1.1.12
This commit is contained in:
Rosen Penev 2020-11-04 18:55:05 -08:00 committed by GitHub
commit b370669643
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 211 additions and 127 deletions


@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=unbound
PKG_VERSION:=1.11.0
PKG_RELEASE:=4
PKG_VERSION:=1.12.0
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://nlnetlabs.nl/downloads/unbound
PKG_HASH:=9f2f0798f76eb8f30feaeda7e442ceed479bc54db0e3ac19c052d68685e51ef7
PKG_HASH:=5b9253a97812f24419bf2e6b3ad28c69287261cf8c8fa79e3e9f6d3bf7ef5835
PKG_MAINTAINER:=Eric Luehrsen <ericluehrsen@gmail.com>
PKG_LICENSE:=BSD-3-Clause
@ -28,6 +28,7 @@ PKG_CONFIG_DEPENDS:=CONFIG_PACKAGE_libunbound_dnscrypt \
CONFIG_PACKAGE_libunbound_ipset \
CONFIG_PACKAGE_libunbound_libevent \
CONFIG_PACKAGE_libunbound_libpthread \
CONFIG_PACKAGE_libunbound_nghttp2 \
CONFIG_PACKAGE_libunbound_pythonmodule \
CONFIG_PACKAGE_libunbound_subnet \
CONFIG_PACKAGE_libunbound_dnstap
@ -41,7 +42,7 @@ define Package/unbound/Default
USERID:=unbound:unbound
TITLE:=Recursive DNS Server
URL:=https://nlnetlabs.nl/projects/unbound/about
DEPENDS:=+libopenssl +@OPENSSL_WITH_EC
DEPENDS:=+ca-bundle +libopenssl +@OPENSSL_WITH_EC
endef
define Package/unbound-daemon
@ -66,9 +67,10 @@ define Package/libunbound
DEPENDS+=+PACKAGE_libunbound_dnscrypt:libsodium \
+PACKAGE_libunbound_ipset:libmnl \
+PACKAGE_libunbound_libevent:libevent2 \
+PACKAGE_libunbound_libpthread:libpthread \
+PACKAGE_libunbound_pythonmodule:python3-base \
+PACKAGE_libunbound_dnstap:libprotobuf-c
+PACKAGE_libunbound_libpthread:libpthread \
+PACKAGE_libunbound_nghttp2:libnghttp2 \
+PACKAGE_libunbound_pythonmodule:python3-base \
+PACKAGE_libunbound_dnstap:libprotobuf-c
endef
define Package/libunbound/description
@ -141,6 +143,9 @@ define Package/libunbound/config
config PACKAGE_libunbound_libpthread
bool "Build with POSIX threading (libpthread) support."
default y
config PACKAGE_libunbound_nghttp2
bool "Build with DNS over HTTPS support (nghttp2 framework)."
default n
config PACKAGE_libunbound_pythonmodule
bool "Build with PYTHON module for prototyping and data analysis."
default n
@ -172,6 +177,8 @@ CONFIGURE_ARGS += \
--enable-ipset --with-libmnl="$(STAGING_DIR)/usr",) \
$(if $(CONFIG_PACKAGE_libunbound_libevent), \
--enable-event-api --with-libevent="$(STAGING_DIR)/usr",--without-libevent) \
$(if $(CONFIG_PACKAGE_libunbound_nghttp2), \
--with-libnghttp2="$(STAGING_DIR)/usr",) \
$(if $(CONFIG_PACKAGE_libunbound_libpthread), \
--with-pthreads,--without-pthreads --without-solaris-threads) \
$(if $(CONFIG_PACKAGE_libunbound_python),--with-pythonmodule,) \
@ -200,14 +207,14 @@ define Package/unbound-daemon/install
$(INSTALL_BIN) \
$(PKG_INSTALL_DIR)/usr/sbin/unbound $(1)/usr/sbin/
$(INSTALL_DIR) $(1)/etc/unbound
$(INSTALL_DATA) \
$(INSTALL_CONF) \
$(PKG_INSTALL_DIR)/var/lib/unbound/unbound.conf \
$(1)/etc/unbound/unbound.conf
$(INSTALL_DATA) ./files/root.key $(1)/etc/unbound/root.key
$(INSTALL_DATA) ./files/unbound_ext.conf $(1)/etc/unbound/unbound_ext.conf
$(INSTALL_DATA) ./files/unbound_srv.conf $(1)/etc/unbound/unbound_srv.conf
$(INSTALL_CONF) ./files/unbound_ext.conf $(1)/etc/unbound/unbound_ext.conf
$(INSTALL_CONF) ./files/unbound_srv.conf $(1)/etc/unbound/unbound_srv.conf
$(INSTALL_DIR) $(1)/etc/config
$(INSTALL_DATA) ./files/unbound.uci $(1)/etc/config/unbound
$(INSTALL_CONF) ./files/unbound.uci $(1)/etc/config/unbound
$(INSTALL_DIR) $(1)/etc/hotplug.d/ntp
$(INSTALL_BIN) ./files/unbound.ntpd $(1)/etc/hotplug.d/ntp/25-unbound
$(INSTALL_DIR) $(1)/etc/init.d
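Review bot: The new nghttp2 switch in `CONFIGURE_ARGS` has an empty else branch, unlike the libevent line just above it which passes `--without-libevent`; if unbound's configure probes for libnghttp2 on its own, a library that happens to sit in the staging tree would be linked without `CONFIG_PACKAGE_libunbound_nghttp2` declaring the dependency. Making the off state explicit keeps the build deterministic: `$(if $(CONFIG_PACKAGE_libunbound_nghttp2), --with-libnghttp2="$(STAGING_DIR)/usr",--without-libnghttp2) \`. Separately, the unchanged line `$(if $(CONFIG_PACKAGE_libunbound_python),--with-pythonmodule,)` tests a symbol that does not match the `PACKAGE_libunbound_pythonmodule` entry this commit's config hunk sits beside; unless another file defines `libunbound_python`, enabling the python module never reaches configure.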


@ -1,4 +1,5 @@
# Unbound Recursive DNS Server with UCI
<!-- markdownlint-disable -->
## Unbound Description
[Unbound](https://www.unbound.net/) is a validating, recursive, and caching DNS resolver. The C implementation of Unbound is developed and maintained by [NLnet Labs](https://www.nlnetlabs.nl/). It is based on ideas and algorithms taken from a java prototype developed by Verisign labs, Nominet, Kirei and ep.net. Unbound is designed as a set of modular components, so that also DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible.
@ -202,7 +203,7 @@ One instance is supported currently.
| --- | ------- | ----- | ----------- | ------- |
| add_extra_dns | 0 | level | Read OpenWrt traditional options for `dnsmasq`.<br>`0`: Disabled<br>`1`: Use only domain<br>`2`: Use domain, mxhost, and srvhost<br>`3`: Use all cname, domain, mxhost, and srvhost | local-data: |
| add_local_fqdn | 0 | level | Each level puts a more detailed router entry within the LAN DNS (except link).<br>`0`: Disabled<br>`1`: Host name on the primary address<br>`2`: Host name on all addresses<br>`3`: FQDN and host name on all addresses<br>`4`: FQDN defined by "iface.hostname.domain" | local-zone: local-data: |
| add_wan_fqdn | 0 | level | Same as `add_local_fqdn` but on WAN as inferred by `config dhcp` with `option ignore 1`. | local-zone: local-data: |
| add_wan_fqdn | 0 | level | Same as `add_local_fqdn` but on WAN as listed in `iface_wan` | local-zone: local-data: |
| dns64 | 0 | boolean | Enable DNS64 RFC6052 to bridge IPv4 and IPv6 networks. | module: dns64 |
| dns64_prefix | 64:ff9b::/96 | subnet | DNS64 RFC6052 IPv4 in IPv6 well known prefix. | dns64-prefix: |
| dhcp_link | none | program | Link to a DHCP server with supported scripts. See HOW TO above. | local-zone: local-data: forward-zone: |
@ -210,10 +211,13 @@ One instance is supported currently.
| domain | lan | domain | This will suffix DHCP host records and be the default search domain. | local-zone: |
| domain_insecure | (empty) | domain | **List** domains that you wish to skip DNSSEC. It is one way around NTP chicken and egg. Your DHCP domains are automatically included. | domain-insecure: |
| domain_type | static | state | This allows you to lock down or allow forwarding of the local zone.<br>`static`: no forwarding like dnsmasq default<br>`refuse`: answer overtly with REFUSED<br>`deny`: covertly drop all queries<br>`transparent`: may continue forwarding or recusion | local-zone: |
| edns_size | 1280 | bytes | Extended DNS is necessary for DNSSEC. Use this to manage MTU issues. | edns-size: |
| edns_size | 1232 | bytes | Extended DNS is necessary for DNSSEC. Use this to manage MTU issues. | edns-size: |
| extended_stats | 0 | boolean | Extended statistics are stored in Unbound memory for report by `unbound-control`. | extended-statistics: |
| hide_binddata | 1 | boolean | Refuse possible attack queries like version.server, version.bind, id.server, and hostname.bind. | hide-identity: hide-version: |
| interface_auto | 1 | boolean | RECOMMEND ENABLED otherwise Unbound answers to any attached address regardless of query in-address. | interface-automatic: |
| iface_lan | lan | interface | **List** to add interafaces you wish to consider to be LAN beyond those served by DHCP | interface: access-control: |
| iface_trig | lan wan | interface | **List** interfaces to watch IFUP to restart Unbound. This works around `netifd` and `procd` hyper activity with WAN DHCPv6 (else restart each 2-3 minutes). | - |
| iface_wan | wan | interface | **List** interafaces you wish to consider to be WAN for masked local zone purposes | interface-outgoing: |
| interface_auto | 1 | boolean | RECOMMEND ENABLED otherwise Unbound answers to any attached address regardless of query in-address. This also binds Unboud to the wild card address. | interface-automatic: |
| listen_port | 53 | port | Inbound port where Unbound will listen for queries. | port: |
| localservice | 1 | boolean | Prevent DNS amplification attacks. Only answer to subnets this machine has interfaces on. | access-control: |
| manual_conf | 0 | boolean | Skip all this UCI nonsense. Manually edit the configuration in `/etc/unbound/unbound.conf`. | - |
@ -227,7 +231,6 @@ One instance is supported currently.
| recursion | passive | state | Unbound has many options for recrusion but UCI is bundled for simplicity.<br>`passive`: slower until cache fills but kind on CPU load<br>`default`: built-in defaults<br>`aggressive`: uses prefetching to handle more requests quickly | (many) |
| resource | small | state | Unbound has many options for memory resources but UCI is bundled for simplicity.<br>`tiny`: similar to published memory restricted configuration<br>`small`: about half of medium<br>`medium`: similar to default<br>`default`: built-in defaults<br>`large`: about double of medium | \*-cache-size: |
| root_age | 9 | day | >90 Disables. Age limit for root data like root DNSSEC key. Scripts will copy from `tmps` to flash ROM with this limit to save write life. | - |
| trigger_interface | lan wan | interface | **List** interfaces to watch IFUP to restart Unbound. This works around `netifd` and `procd` hyper activity with WAN DHCPv6 (else restart each 2-3 minutes). | - |
| ttl_min | 120 | second | Minimum TTL in cache to avoid abused low TTL for snoop-vertising and non-standard load balancing. Typical to configure maybe 0~300 but 1800 is the maximum accepted. | cache-min-ttl: |
| unbound_control | 0 | level | Enables `unbound-control` application access ports.<br>`0`: None else add your own in unbound_ext.conf<br>`1`: Unencrypted Local Host Access<br>`2`: SSL Local Host Access w/ auto unbound-control-setup<br>`3`: SSL Network Access w/ auto unbound-control-setup<br>`4`: SSL Network Access; static key/pem files must already exist | unbound-control: ... (clause) |
| validator | 0 | boolean | Enable DNSSEC validator module. | module: validator |
@ -238,7 +241,7 @@ One instance is supported currently.
Confingure any mix of Unbound `forward-zone:`, `stub-zone:`, or `auth-zone:` clauses. These sections are more compact than Unbound and will unroll into Unbound's configuration syntax.
| UCI | Default | Units | Description | Unbound |
| --- | ------- | ----- | ----------- | ------- |
| dns_assist | none | program | Check against local host forwarding by requiring a target program to exist and be enabled else do not permit forwarding `127.0.0.0/8` or `::1`. Includes bind, dnsmasq, ipset-dns, and nsd. | forward-addr: |
| dns_assist | none | program | Check against local host forwarding by requiring a target program to exist and be enabled else do not permit forwarding `127.0.0.0/8` or `::1`. Includes bind, dnsmasq, http-proxy-dns, ipset-dns, and nsd. | forward-addr: |
| enabled | 0 | boolean | turn zone on or off without deleting it | - |
| fallback | 1 | boolean | Allow this zone to fall through to other zones or recursion. | forward-first: |
| port | 53 | port | Target server's target port for plain DNS operations. | (auto 192.0.2.53 \#53)


@ -14,7 +14,11 @@
#
##############################################################################
# while useful (sh)ellcheck is pedantic and noisy
# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
# where are we?
UB_ETCDIR=/etc/unbound
UB_LIBDIR=/usr/lib/unbound
UB_VARDIR=/var/lib/unbound
UB_PIDFILE=/var/run/unbound.pid
@ -40,7 +44,6 @@ UB_RESOLV_AUTO=/tmp/resolv.conf.d/resolv.conf.auto
# TLS keys
UB_TLS_KEY_FILE="TLS server UCI not implemented"
UB_TLS_PEM_FILE="TLS server UCI not implemented"
UB_TLS_FWD_FILE=$UB_VARDIR/ca-certificates.crt
UB_TLS_ETC_FILE=/etc/ssl/certs/ca-certificates.crt
# start files
@ -50,10 +53,10 @@ UB_TIME_FILE=$UB_VARDIR/hotplug.time
UB_SKIP_FILE=$UB_VARDIR/skip.time
# control app keys
UB_CTLKEY_FILE=$UB_VARDIR/unbound_control.key
UB_CTLPEM_FILE=$UB_VARDIR/unbound_control.pem
UB_SRVKEY_FILE=$UB_VARDIR/unbound_server.key
UB_SRVPEM_FILE=$UB_VARDIR/unbound_server.pem
UB_CTLKEY_FILE=$UB_ETCDIR/unbound_control.key
UB_CTLPEM_FILE=$UB_ETCDIR/unbound_control.pem
UB_SRVKEY_FILE=$UB_ETCDIR/unbound_server.key
UB_SRVPEM_FILE=$UB_ETCDIR/unbound_server.pem
# similar default SOA / NS RR as Unbound uses for private ARPA zones
UB_XSER=$(( $( date +%s ) / 60 ))
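Review bot: The added `# shellcheck disable=…` line turns off SC2086 (unquoted expansions) and SC2155 (`local x=$(…)` masking the command's exit status) for the whole file rather than on the lines that need it, and the same line is pasted into the other seven scripts touched by this commit. Unquoted path variables such as `$UB_VARDIR` and `$UB_ETCDIR` are passed to `rm -f` and `cp -p` later in these scripts, which is exactly the class of mistake SC2086 exists to catch. A narrower `# shellcheck disable=SC2086` directly above the few intentionally unquoted lines would keep the linter useful; at minimum the file-wide disable deserves a one-line comment saying why each listed code is accepted.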


@ -23,6 +23,9 @@
#
##############################################################################
# while useful (sh)ellcheck is pedantic and noisy
# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
DM_D_WAN_FQDN=0
DM_LIST_KNOWN_ZONES="invalid"


@ -21,6 +21,13 @@
#
##############################################################################
# while useful (sh)ellcheck is pedantic and noisy
# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
UB_IPTOOLS_BLANK=
##############################################################################
domain_ptr_ip6() {
# Get the nibble rounded /CIDR ...ip6.arpa.
echo "$1" | awk -F: \


@ -23,6 +23,13 @@
#
##############################################################################
# while useful (sh)ellcheck is pedantic and noisy
# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
UB_ODHCPD_BLANK=
##############################################################################
odhcpd_zonedata() {
. /lib/functions.sh
. /usr/lib/unbound/defaults.sh


@ -19,6 +19,9 @@
#
##############################################################################
# while useful (sh)ellcheck is pedantic and noisy
# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
. /usr/lib/unbound/defaults.sh
##############################################################################


@ -9,6 +9,9 @@
#
##############################################################################
# while useful (sh)ellcheck is pedantic and noisy
# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
START=19
STOP=50
USE_PROCD=1
@ -54,9 +57,10 @@ stop_service() {
##############################################################################
service_triggers() {
local legacy=$( uci_get unbound.@unbound[0].trigger )
local triggers=$( uci_get unbound.@unbound[0].trigger_interface )
local trigger="$triggers $legacy"
local legacy1=$( uci_get unbound.@unbound[0].trigger )
local legacy2=$( uci_get unbound.@unbound[0].trigger_interface )
local legacy3=$( uci_get unbound.@unbound[0].iface_trig )
local triggers="$legacy1 $legacy2 $legacy3"
. /usr/lib/unbound/defaults.sh
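Review bot: `service_triggers` now reads three UCI names (`trigger`, `trigger_interface`, `iface_trig`) and merges them without saying which one is current; the README hunk in this commit drops the `trigger_interface` row and documents only `iface_trig`, so a reader of the script cannot tell that the first two are kept only for older configurations. A comment above the three `uci_get` calls, e.g. `# trigger and trigger_interface are older option names kept so existing configs keep working; iface_trig is the documented name`, would record that. The rest of `service_triggers`, where `$triggers` is consumed, lies outside the hunk.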


@ -12,12 +12,14 @@
#
##############################################################################
# Common file location definitions
# while useful (sh)ellcheck is pedantic and noisy
# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
. /usr/lib/unbound/defaults.sh
##############################################################################
if [ ! -f "$UB_TIME_FILE" -a "$ACTION" = stratum ] ; then
if [ ! -f "$UB_TIME_FILE" ] && [ "$ACTION" = stratum ] ; then
date -Is > $UB_TIME_FILE
/etc/init.d/unbound enabled && /etc/init.d/unbound restart
# Yes, hard RESTART. We need to be absolutely sure to enable DNSSEC.


@ -23,6 +23,9 @@
#
##############################################################################
# while useful (sh)ellcheck is pedantic and noisy
# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
UB_B_AUTH_ROOT=0
UB_B_DNS_ASSIST=0
UB_B_DNSSEC=0
@ -53,7 +56,7 @@ UB_D_WAN_FQDN=0
UB_IP_DNS64="64:ff9b::/96"
UB_N_EDNS_SIZE=1280
UB_N_EDNS_SIZE=1232
UB_N_RX_PORT=53
UB_N_ROOT_AGE=9
UB_N_THREADS=1
@ -114,7 +117,7 @@ bundle_all_networks() {
##############################################################################
bundle_lan_networks() {
bundle_dhcp_networks() {
local cfg="$1"
local interface ifsubnet ifname ifdashname ignore
@ -139,19 +142,50 @@ bundle_lan_networks() {
##############################################################################
bundle_lan_networks() {
local interface="$1"
local ifsubnet ifname ifdashname
network_get_device ifname "$interface"
ifdashname="${ifname//./-}"
if [ -n "$ifdashname" ] && [ -n "$UB_LIST_NETW_ALL" ] ; then
for ifsubnet in $UB_LIST_NETW_ALL ; do
case $ifsubnet in
"${ifdashname}"@*)
# Special GLA protection for local block; ULA protected default
UB_LIST_NETW_LAN="$UB_LIST_NETW_LAN $ifsubnet"
;;
esac
done
fi
}
##############################################################################
bundle_wan_networks() {
local ifsubnet
local interface="$1"
local ifsubnet ifname ifdashname
network_get_device ifname "$interface"
ifdashname="${ifname//./-}"
if [ -n "$UB_LIST_NETW_ALL" ] ; then
if [ -n "$ifdashname" ] && [ -n "$UB_LIST_NETW_ALL" ] ; then
for ifsubnet in $UB_LIST_NETW_ALL ; do
case $UB_LIST_NETW_LAN in
*"${ifsubnet}"*)
# If LAN, then not WAN ...
# If LAN, then not WAN ... scripts might become complex
;;
*)
UB_LIST_NETW_WAN="$UB_LIST_NETW_WAN $ifsubnet"
case $ifsubnet in
"${ifdashname}"@*)
# Special GLA protection for local block; ULA protected default
UB_LIST_NETW_WAN="$UB_LIST_NETW_WAN $ifsubnet"
;;
esac
;;
esac
done
@ -218,7 +252,8 @@ unbound_mkdir() {
mkdir -p $UB_VARDIR
rm -f $UB_VARDIR/dhcp_*
touch $UB_TOTAL_CONF
cp -p /etc/unbound/* $UB_VARDIR/
cp -p $UB_ETCDIR/*.conf $UB_VARDIR/
cp -p $UB_ETCDIR/root.* $UB_VARDIR/
if [ ! -f $UB_RHINT_FILE ] ; then
@ -253,42 +288,28 @@ unbound_mkdir() {
fi
if [ -f $UB_TLS_ETC_FILE ] ; then
# copy the cert bundle into jail
cp -p $UB_TLS_ETC_FILE $UB_TLS_FWD_FILE
fi
# Ensure access and prepare to jail
chown -R unbound:unbound $UB_VARDIR
chmod 755 $UB_VARDIR
chmod 644 $UB_VARDIR/*
if [ -f $UB_CTLKEY_FILE ] || [ -f $UB_CTLPEM_FILE ] \
|| [ -f $UB_SRVKEY_FILE ] || [ -f $UB_SRVPEM_FILE ] ; then
# Keys (some) exist already; do not create new ones
chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
$UB_SRVKEY_FILE $UB_SRVPEM_FILE
if [ -x /usr/sbin/unbound-control-setup ] ; then
if [ ! -f $UB_CTLKEY_FILE ] || [ ! -f $UB_CTLPEM_FILE ] \
|| [ ! -f $UB_SRVKEY_FILE ] || [ ! -f $UB_SRVPEM_FILE ] ; then
case "$UB_D_CONTROL" in
[2-3])
# unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static"
/usr/sbin/unbound-control-setup -d $UB_ETCDIR
elif [ -x /usr/sbin/unbound-control-setup ] ; then
case "$UB_D_CONTROL" in
[2-3])
# unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static"
/usr/sbin/unbound-control-setup -d $UB_VARDIR
chown -R unbound:unbound $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
$UB_SRVKEY_FILE $UB_SRVPEM_FILE
chown -R unbound:unbound $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
$UB_SRVKEY_FILE $UB_SRVPEM_FILE
chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
$UB_SRVKEY_FILE $UB_SRVPEM_FILE
cp -p $UB_CTLKEY_FILE /etc/unbound/unbound_control.key
cp -p $UB_CTLPEM_FILE /etc/unbound/unbound_control.pem
cp -p $UB_SRVKEY_FILE /etc/unbound/unbound_server.key
cp -p $UB_SRVPEM_FILE /etc/unbound/unbound_server.pem
;;
esac
chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
$UB_SRVKEY_FILE $UB_SRVPEM_FILE
;;
esac
fi
fi
@ -452,6 +473,19 @@ unbound_zone() {
fi
;;
htpps-dns-proxy)
if [ -x /usr/sbin/https-dns-proxy ] \
&& [ -x /etc/init.d/https-dns-proxy ] ; then
if /etc/init.d/https-dns-proxy ; then
dns_ast=1
else
dns_ast=0
fi
else
dns_ast=0
fi
;;
ipset-dns)
if [ -x /usr/sbin/ipset-dns ] && [ -x /etc/init.d/ipset-dns ] ; then
if /etc/init.d/ipset-dns enabled ; then
@ -476,10 +510,17 @@ unbound_zone() {
fi
;;
unprotected-loop)
# Soft brick risk. The server you are looking to connect to may be offline
# and cause loop error: procd, sysupgrade, package order, and other issues.
dns_ast=1
;;
*)
# Prevent a soft-brick event through local forwarding loops. Declare your
# assistant program and this will check to be sure it is there.
# Unbound has a local forward blocking option, default on, instead of loop
# detection. If it is released, then it may be a soft brick risk.
dns_ast=0
;;
esac
@ -527,7 +568,7 @@ unbound_zone() {
;;
forward_zone)
if [ ! -f $UB_TLS_FWD_FILE ] && [ "$tls_upstream" = "yes" ] ; then
if [ ! -f $UB_TLS_ETC_FILE ] && [ "$tls_upstream" = "yes" ] ; then
logger -p 4 -t unbound -s \
"Forward-zone TLS benefits from authentication in package 'ca-bundle'"
fi
@ -555,6 +596,11 @@ unbound_zone() {
else
case $server in
127.*|::0*)
# soft brick loop back risk see DNS assist above
echo "do nothing" >/dev/null
;;
*@[0-9]*|*#[A-Za-z0-9]*)
# unique Unbound option for server host name
servers_host="$servers_host $server"
@ -633,10 +679,10 @@ unbound_conf() {
} > $UB_CORE_CONF
if [ -f "$UB_TLS_FWD_FILE" ] ; then
if [ -f "$UB_TLS_ETC_FILE" ] ; then
# TLS cert bundle for upstream forwarder and https zone files
# This is loaded before drop to root, so pull from /etc/ssl
echo " tls-cert-bundle: $UB_TLS_FWD_FILE" >> $UB_CORE_CONF
echo " tls-cert-bundle: $UB_TLS_ETC_FILE" >> $UB_CORE_CONF
fi
@ -690,14 +736,14 @@ unbound_conf() {
if [ $UB_B_EXT_STATS -gt 0 ] ; then
{
# Log More
# store more data in memory for unbound-control to report
echo " extended-statistics: yes"
echo
} >> $UB_CORE_CONF
else
{
# Log Less
# store Less
echo " extended-statistics: no"
echo
} >> $UB_CORE_CONF
@ -714,14 +760,17 @@ unbound_conf() {
fi
{
# avoid interference with SPI/NAT on both reserved and common server ports
echo " edns-buffer-size: $UB_N_EDNS_SIZE"
echo " port: $UB_N_RX_PORT"
echo " outgoing-port-permit: 10240-65535"
} >> $UB_CORE_CONF
case "$UB_D_PROTOCOL" in
ip4_only)
{
echo " edns-buffer-size: $UB_N_EDNS_SIZE"
echo " port: $UB_N_RX_PORT"
echo " outgoing-port-permit: 10240-65535"
echo " interface: 0.0.0.0"
echo " outgoing-interface: 0.0.0.0"
echo " do-ip4: yes"
echo " do-ip6: no"
echo
@ -730,42 +779,29 @@ unbound_conf() {
ip6_only)
{
echo " edns-buffer-size: $UB_N_EDNS_SIZE"
echo " port: $UB_N_RX_PORT"
echo " outgoing-port-permit: 10240-65535"
echo " interface: ::0"
echo " outgoing-interface: ::0"
echo " do-ip4: no"
echo " do-ip6: yes"
echo
} >> $UB_CORE_CONF
;;
ip6_local)
ip6_local)
{
echo " edns-buffer-size: $UB_N_EDNS_SIZE"
echo " port: $UB_N_RX_PORT"
echo " outgoing-port-permit: 10240-65535"
echo " interface: 0.0.0.0"
echo " interface: ::0"
echo " outgoing-interface: 0.0.0.0"
# answer your local IPv6 network but avoid broken ISP IPv6
echo " do-ip4: yes"
echo " do-ip6: yes"
echo " prefer-ip4: yes"
echo " prefer-ip6: no"
echo
} >> $UB_CORE_CONF
;;
ip6_prefer)
{
echo " edns-buffer-size: $UB_N_EDNS_SIZE"
echo " port: $UB_N_RX_PORT"
echo " outgoing-port-permit: 10240-65535"
echo " interface: 0.0.0.0"
echo " interface: ::0"
echo " outgoing-interface: 0.0.0.0"
echo " outgoing-interface: ::0"
# RFC compliant dual stack
echo " do-ip4: yes"
echo " do-ip6: yes"
echo " prefer-ip4: no"
echo " prefer-ip6: yes"
echo
} >> $UB_CORE_CONF
@ -773,14 +809,6 @@ unbound_conf() {
mixed)
{
# Interface Wildcard (access contol handled by "option local_service")
echo " edns-buffer-size: $UB_N_EDNS_SIZE"
echo " port: $UB_N_RX_PORT"
echo " outgoing-port-permit: 10240-65535"
echo " interface: 0.0.0.0"
echo " interface: ::0"
echo " outgoing-interface: 0.0.0.0"
echo " outgoing-interface: ::0"
echo " do-ip4: yes"
echo " do-ip6: yes"
echo
@ -791,17 +819,6 @@ unbound_conf() {
if [ $UB_B_READY -eq 0 ] ; then
logger -t unbound -s "default protocol configuration"
fi
{
# outgoing-interface has useful defaults; incoming is localhost though
echo " edns-buffer-size: $UB_N_EDNS_SIZE"
echo " port: $UB_N_RX_PORT"
echo " outgoing-port-permit: 10240-65535"
echo " interface: 0.0.0.0"
echo " interface: ::0"
echo
} >> $UB_CORE_CONF
;;
esac
@ -1043,9 +1060,9 @@ unbound_conf() {
fi
if [ $UB_B_LOCL_SERV -gt 0 ] && [ -n "$UB_LIST_NETW_ALL" ] ; then
if [ $UB_B_LOCL_SERV -gt 0 ] && [ -n "$UB_LIST_NETW_LAN" ] ; then
{
for ifsubnet in $UB_LIST_NETW_ALL ; do
for ifsubnet in $UB_LIST_NETW_LAN ; do
# Only respond to queries from subnets which have an interface.
# Prevent DNS amplification attacks by not responding to the universe.
echo " access-control: ${ifsubnet#*@} allow"
@ -1327,7 +1344,7 @@ unbound_uci() {
config_get UB_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96"
config_get UB_N_EDNS_SIZE "$cfg" edns_size 1280
config_get UB_N_EDNS_SIZE "$cfg" edns_size 1232
config_get UB_N_RX_PORT "$cfg" listen_port 53
config_get UB_N_ROOT_AGE "$cfg" root_age 9
config_get UB_N_THREADS "$cfg" num_threads 1
@ -1348,8 +1365,9 @@ unbound_uci() {
config_get UB_TTL_MIN "$cfg" ttl_min 120
config_get UB_TXT_DOMAIN "$cfg" domain lan
config_list_foreach "$cfg" domain_insecure bundle_domain_insecure
config_list_foreach "$cfg" domain_insecure bundle_domain_insecure
config_list_foreach "$cfg" iface_lan bundle_lan_networks
config_list_foreach "$cfg" iface_wan bundle_wan_networks
if [ "$UB_D_DHCP_LINK" = "none" ] ; then
config_get_bool UB_B_DNSMASQ "$cfg" dnsmasq_link_dns 0
@ -1396,7 +1414,7 @@ unbound_uci() {
if [ $UB_N_EDNS_SIZE -lt 512 ] || [ 4096 -lt $UB_N_EDNS_SIZE ] ; then
logger -t unbound -s "edns_size exceeds range, using default"
UB_N_EDNS_SIZE=1280
UB_N_EDNS_SIZE=1232
fi
@ -1541,6 +1559,11 @@ resolv_setup() {
##############################################################################
unbound_start() {
# get interface subnets together
config_load network
config_foreach bundle_all_networks interface
# read Unbound UCI but pick through it later
config_load unbound
config_foreach unbound_uci unbound
unbound_mkdir
@ -1551,11 +1574,8 @@ unbound_start() {
# forward-zone: auth-zone: and stub-zone:
config_foreach unbound_zone zone
# associate potential DNS RR with interfaces
config_load network
config_foreach bundle_all_networks interface
config_load dhcp
config_foreach bundle_lan_networks dhcp
bundle_wan_networks
config_foreach bundle_dhcp_networks dhcp
# server:
unbound_conf
unbound_hostname
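Review bot: The new `htpps-dns-proxy)` case label in `unbound_zone` is misspelled, so `dns_assist 'https-dns-proxy'` never reaches it and falls through to the `*)` branch with `dns_ast=0`, the opposite of what the added branch intends. Inside that branch, `if /etc/init.d/https-dns-proxy ; then` also omits the `enabled` action that the neighbouring `ipset-dns)` branch uses (`if /etc/init.d/ipset-dns enabled ; then`); invoking the init script with no action does not test whether the service is enabled. The two lines should read `https-dns-proxy)` and `if /etc/init.d/https-dns-proxy enabled ; then`. The README hunk in this commit spells the same program `http-proxy-dns`, a third variant worth aligning. The enclosing case statement and `unbound_zone` itself extend beyond the hunk.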


@ -1,4 +1,4 @@
config unbound
config unbound 'ub_main'
option add_extra_dns '0'
option add_local_fqdn '1'
option add_wan_fqdn '0'
@ -8,7 +8,7 @@ config unbound
option dns64_prefix '64:ff9b::/96'
option domain 'lan'
option domain_type 'static'
option edns_size '1280'
option edns_size '1232'
option extended_stats '0'
option hide_binddata '1'
option interface_auto '1'
@ -30,11 +30,12 @@ config unbound
option validator '0'
option validator_ntp '1'
option verbosity '1'
list trigger_interface 'lan'
list trigger_interface 'wan'
list iface_trig 'lan'
list iface_trig 'wan'
list iface_wan 'wan'
#list domain_insecure 'ntp.example.com'
config zone
config zone 'auth_icann'
# cache the root zone all at once to speed up recursion
option enabled '0'
option fallback '1'
@ -47,7 +48,7 @@ config zone
list zone_name 'in-addr.arpa.'
list zone_name 'ip6.arpa.'
config zone
config zone 'fwd_isp'
# forward ISP account management to DHCP announced DNS servers
option enabled '0'
option fallback '1'
@ -56,3 +57,27 @@ config zone
list zone_name 'isp-bill.example.com.'
list zone_name 'isp-mail.example.net.'
config zone 'fwd_google'
option enabled '0'
option fallback '1'
option tls_index 'dns.google'
option tls_upstream '1'
option zone_type 'forward_zone'
list server '8.8.4.4'
list server '8.8.8.8'
list server '2001:4860:4860::8844'
list server '2001:4860:4860::8888'
list zone_name '.'
config zone 'fwd_cloudflare'
option enabled '0'
option fallback '1'
option tls_index 'cloudflare-dns.com'
option tls_upstream '1'
option zone_type 'forward_zone'
list server '1.1.1.1'
list server '1.0.0.1'
list server '2606:4700:4700::1111'
list server '2606:4700:4700::1001'
list zone_name '.'
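Review bot: Both new DNS-over-TLS example zones (`fwd_google`, `fwd_cloudflare`) set `option fallback '1'`, which the README in this commit maps to Unbound's `forward-first:`, so a failing or blocked TLS upstream lets Unbound recurse in the clear instead of failing closed. Since the point of these stanzas is `tls_upstream '1'`, that downgrade path deserves a comment beside the option, e.g. `# fallback '1' recurses without TLS if the forwarder fails; use '0' to fail closed`, or `'0'` as the shipped value for the TLS examples. Both zones ship `enabled '0'`, so nothing changes until a user turns them on.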