path: root/net/unbound/files/README.md
author    Eric Luehrsen <ericluehrsen@hotmail.com>  2018-06-10 15:20:24 -0400
committer Eric Luehrsen <ericluehrsen@hotmail.com>  2018-06-12 22:32:54 -0400
commit    a7fd69233d59ce38ac73598bb44d20cc05b04d15 (patch)
tree      ca180aae5e55d385c0f0339cc314278f6b8feeb0 /net/unbound/files/README.md
parent    d6e7f64a3dabf86e39ffbce8478366e0c214a535 (diff)
unbound: improve local zone evaluation in UCI
When UCI local zone is private and static, Unbound covered private addresses with defaults. Optional delegated global IP6 prefix protection lacked a static zone, but it was prevented from appearing in global DNS responses. Domain names router-as-TLD, "lan." and "local." were static, but they lacked default SOA or NS such as Unbound had assigned to private addresses. Clean up these local zones' UCI evaluation and block global DNS inclusion.

Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
Diffstat (limited to 'net/unbound/files/README.md')
-rw-r--r--  net/unbound/files/README.md | 15
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/net/unbound/files/README.md b/net/unbound/files/README.md
index 4e81162f8..d89704438 100644
--- a/net/unbound/files/README.md
+++ b/net/unbound/files/README.md
@@ -139,7 +139,7 @@ config unbound
### Hybrid Manual/UCI
You like the UCI. Yet, you need to add some difficult to standardize options, or just are not ready to make a UCI request yet. The files `/etc/unbound/unbound_srv.conf` and `/etc/unbound/unbound_ext.conf` will be copied to Unbounds chroot directory and included during auto generation.
-The former will be added to the end of the `server:` clause. The later will be added to the end of the file for extended `forward:` and `view:` clauses. You can also disable unbound-control in the UCI which only allows "localhost" connections unencrypted, and then add an encrypted remote `control:` clause.
+The file `unbound_srv.conf` will be added into the `server:` clause. The file `unbound_ext.conf` will be added to the end of all configuration. It is for extended `forward-zone:`, `stub-zone:`, `auth-zone:`, and `view:` clauses. You can also disable unbound-control in the UCI which only allows "localhost" connections unencrypted, and then add an encrypted remote `control:` clause.
## Complete List of UCI Options
**/etc/config/unbound**:
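Review bot: the unbound-control sentence in the `+` line is ambiguous about what is unencrypted. As written, "disable unbound-control in the UCI which only allows "localhost" connections unencrypted" can be read as the UCI option permitting unencrypted remote connections. Suggest splitting it: the UCI-managed `control:` clause listens on localhost only and without TLS; to manage Unbound remotely, disable it in UCI and add your own `control:` clause in `unbound_ext.conf` with `control-use-cert: yes` and the keys produced by `unbound-control-setup`. Since `unbound_ext.conf` is appended after the generated `server:` clause, a sentence on what the file may and may not contain (only whole `forward-zone:`, `stub-zone:`, `auth-zone:`, `view:` and `control:` clauses) would prevent users from pasting `server:` options there by mistake. In the unchanged context line, "Unbounds chroot directory" should be "Unbound's chroot directory".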
@@ -196,8 +196,11 @@ config unbound
option domain_type 'static'
Unbound local-zone: <domain> <type>. This allows you to lock
- down or allow forwarding of your domain, your router host name
- without suffix, and leakage of RFC6762 "local."
+ down or allow forwarding of the local zone. Notable types:
+ static - typical single router setup much like OpenWrt dnsmasq default
+ refuse - to answer overtly with DNS code REFUSED
+ deny - to drop queries for the local zone
+ transparent - to use your manually added forward-zone: or stub-zone: clause
option edns_size '1280'
Bytes. Extended DNS is necessary for DNSSEC. However, it can run
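Review bot: the `transparent` description on the last `+` line is imprecise. In Unbound, `transparent` answers from `local-data:` when the name has it and otherwise resolves the query normally; it does not by itself require a `forward-zone:` or `stub-zone:`. Suggest "transparent - answer from local data where present, otherwise resolve normally (combine with your own forward-zone: or stub-zone: clause)". Since this block sits under `option domain_type 'static'`, one line stating that with `static` a name without local data gets NXDOMAIN or NODATA rather than being forwarded upstream would make the leak protection the commit message describes visible to readers. The type list would also read more clearly with a consistent indent under "Notable types:".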
@@ -226,9 +229,9 @@ config unbound
configuration. Make changes to /etc/unbound/unbound.conf.
option prefetch_root '0'
- Boolean. Enable Unbound authority zone clauses for "." (root), "arpa,"
- "in-addr.arpa," and "ip6.arpa" and obtain complete zone files from public
- servers using http or AXFR (gTLD are unfortunately not as public).
+ Boolean. Cache the entire root. Enable Unbound `auth-zone:` clauses for
+ "." (root), "arpa," "in-addr.arpa," and "ip6.arpa." Obtain complete zone
+ files from public servers using http or AXFR. (see RFC7706)
option protocol 'mixed'
Unbound can limit its protocol used for recursive queries.
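Review bot: "Cache the entire root" on the first `+` line overstates both what RFC 7706 covers and what `auth-zone:` does. RFC 7706 describes serving a local copy of the root zone only; "arpa", "in-addr.arpa" and "ip6.arpa" are additional zones this option pulls in beyond that RFC, and an `auth-zone:` transfer is a full zone copy, not a cache. Suggest "Boolean. Keep a local copy of the root zone (RFC 7706) plus "arpa", "in-addr.arpa" and "ip6.arpa" via Unbound `auth-zone:` clauses, transferred from public servers by HTTP or AXFR." The removed caveat that gTLD zones are not as publicly available still answers the obvious question of why the list stops at these zones; keep it. It would also help to state what the UCI generates for `fallback-enabled:` so readers know whether resolution continues normally when a zone transfer fails. Minor: the period belongs outside the closing quote in "ip6.arpa.".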