10 files changed, 193 insertions, 116 deletions
diff --git a/net/unbound/files/README.md b/net/unbound/files/README.md
index 712923e57..825a07109 100644
--- a/net/unbound/files/README.md
+++ b/net/unbound/files/README.md
@@ -1,4 +1,5 @@
# Unbound Recursive DNS Server with UCI
+<!-- markdownlint-disable -->
## Unbound Description
[Unbound](https://www.unbound.net/) is a validating, recursive, and caching DNS resolver. The C implementation of Unbound is developed and maintained by [NLnet Labs](https://www.nlnetlabs.nl/). It is based on ideas and algorithms taken from a java prototype developed by Verisign labs, Nominet, Kirei and ep.net. Unbound is designed as a set of modular components, so that also DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible.
@@ -202,7 +203,7 @@ One instance is supported currently.
| --- | ------- | ----- | ----------- | ------- |
| add_extra_dns | 0 | level | Read OpenWrt traditional options for `dnsmasq`.<br>`0`: Disabled<br>`1`: Use only domain<br>`2`: Use domain, mxhost, and srvhost<br>`3`: Use all cname, domain, mxhost, and srvhost | local-data: |
| add_local_fqdn | 0 | level | Each level puts a more detailed router entry within the LAN DNS (except link).<br>`0`: Disabled<br>`1`: Host name on the primary address<br>`2`: Host name on all addresses<br>`3`: FQDN and host name on all addresses<br>`4`: FQDN defined by "iface.hostname.domain" | local-zone: local-data: |
-| add_wan_fqdn | 0 | level | Same as `add_local_fqdn` but on WAN as inferred by `config dhcp` with `option ignore 1`. | local-zone: local-data: |
+| add_wan_fqdn | 0 | level | Same as `add_local_fqdn` but on WAN as listed in `iface_wan` | local-zone: local-data: |
| dns64 | 0 | boolean | Enable DNS64 RFC6052 to bridge IPv4 and IPv6 networks. | module: dns64 |
| dns64_prefix | 64:ff9b::/96 | subnet | DNS64 RFC6052 IPv4 in IPv6 well known prefix. | dns64-prefix: |
| dhcp_link | none | program | Link to a DHCP server with supported scripts. See HOW TO above. | local-zone: local-data: forward-zone: |
@@ -210,10 +211,13 @@ One instance is supported currently.
| domain | lan | domain | This will suffix DHCP host records and be the default search domain. | local-zone: |
| domain_insecure | (empty) | domain | **List** domains that you wish to skip DNSSEC. It is one way around NTP chicken and egg. Your DHCP domains are automatically included. | domain-insecure: |
| domain_type | static | state | This allows you to lock down or allow forwarding of the local zone.<br>`static`: no forwarding like dnsmasq default<br>`refuse`: answer overtly with REFUSED<br>`deny`: covertly drop all queries<br>`transparent`: may continue forwarding or recusion | local-zone: |
-| edns_size | 1280 | bytes | Extended DNS is necessary for DNSSEC. Use this to manage MTU issues. | edns-size: |
+| edns_size | 1232 | bytes | Extended DNS is necessary for DNSSEC. Use this to manage MTU issues. | edns-size: |
| extended_stats | 0 | boolean | Extended statistics are stored in Unbound memory for report by `unbound-control`. | extended-statistics: |
| hide_binddata | 1 | boolean | Refuse possible attack queries like version.server, version.bind, id.server, and hostname.bind. | hide-identity: hide-version: |
-| interface_auto | 1 | boolean | RECOMMEND ENABLED otherwise Unbound answers to any attached address regardless of query in-address. | interface-automatic: |
+| iface_lan | lan | interface | **List** to add interafaces you wish to consider to be LAN beyond those served by DHCP | interface: access-control: |
+| iface_trig | lan wan | interface | **List** interfaces to watch IFUP to restart Unbound. This works around `netifd` and `procd` hyper activity with WAN DHCPv6 (else restart each 2-3 minutes). | - |
+| iface_wan | wan | interface | **List** interafaces you wish to consider to be WAN for masked local zone purposes | interface-outgoing: |
+| interface_auto | 1 | boolean | RECOMMEND ENABLED otherwise Unbound answers to any attached address regardless of query in-address. This also binds Unboud to the wild card address. | interface-automatic: |
| listen_port | 53 | port | Inbound port where Unbound will listen for queries. | port: |
| localservice | 1 | boolean | Prevent DNS amplification attacks. Only answer to subnets this machine has interfaces on. | access-control: |
| manual_conf | 0 | boolean | Skip all this UCI nonsense. Manually edit the configuration in `/etc/unbound/unbound.conf`. | - |
@@ -227,7 +231,6 @@ One instance is supported currently.
| recursion | passive | state | Unbound has many options for recrusion but UCI is bundled for simplicity.<br>`passive`: slower until cache fills but kind on CPU load<br>`default`: built-in defaults<br>`aggressive`: uses prefetching to handle more requests quickly | (many) |
| resource | small | state | Unbound has many options for memory resources but UCI is bundled for simplicity.<br>`tiny`: similar to published memory restricted configuration<br>`small`: about half of medium<br>`medium`: similar to default<br>`default`: built-in defaults<br>`large`: about double of medium | \*-cache-size: |
| root_age | 9 | day | >90 Disables. Age limit for root data like root DNSSEC key. Scripts will copy from `tmps` to flash ROM with this limit to save write life. | - |
-| trigger_interface | lan wan | interface | **List** interfaces to watch IFUP to restart Unbound. This works around `netifd` and `procd` hyper activity with WAN DHCPv6 (else restart each 2-3 minutes). | - |
| ttl_min | 120 | second | Minimum TTL in cache to avoid abused low TTL for snoop-vertising and non-standard load balancing. Typical to configure maybe 0~300 but 1800 is the maximum accepted. | cache-min-ttl: |
| unbound_control | 0 | level | Enables `unbound-control` application access ports.<br>`0`: None else add your own in unbound_ext.conf<br>`1`: Unencrypted Local Host Access<br>`2`: SSL Local Host Access w/ auto unbound-control-setup<br>`3`: SSL Network Access w/ auto unbound-control-setup<br>`4`: SSL Network Access; static key/pem files must already exist | unbound-control: ... (clause) |
| validator | 0 | boolean | Enable DNSSEC validator module. | module: validator |
@@ -238,7 +241,7 @@ One instance is supported currently.
Confingure any mix of Unbound `forward-zone:`, `stub-zone:`, or `auth-zone:` clauses. These sections are more compact than Unbound and will unroll into Unbound's configuration syntax.
| UCI | Default | Units | Description | Unbound |
| --- | ------- | ----- | ----------- | ------- |
-| dns_assist | none | program | Check against local host forwarding by requiring a target program to exist and be enabled else do not permit forwarding `127.0.0.0/8` or `::1`. Includes bind, dnsmasq, ipset-dns, and nsd. | forward-addr: |
+| dns_assist | none | program | Check against local host forwarding by requiring a target program to exist and be enabled else do not permit forwarding `127.0.0.0/8` or `::1`. Includes bind, dnsmasq, http-proxy-dns, ipset-dns, and nsd. | forward-addr: |
| enabled | 0 | boolean | turn zone on or off without deleting it | - |
| fallback | 1 | boolean | Allow this zone to fall through to other zones or recursion. | forward-first: |
| port | 53 | port | Target server's target port for plain DNS operations. | (auto 192.0.2.53 \#53)
diff --git a/net/unbound/files/defaults.sh b/net/unbound/files/defaults.sh
index 785631e3d..4478ae6ed 100644
--- a/net/unbound/files/defaults.sh
+++ b/net/unbound/files/defaults.sh
@@ -14,7 +14,11 @@
#
##############################################################################
+# while useful (sh)ellcheck is pedantic and noisy
+# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
+
# where are we?
+UB_ETCDIR=/etc/unbound
UB_LIBDIR=/usr/lib/unbound
UB_VARDIR=/var/lib/unbound
UB_PIDFILE=/var/run/unbound.pid
@@ -40,7 +44,6 @@ UB_RESOLV_AUTO=/tmp/resolv.conf.d/resolv.conf.auto
# TLS keys
UB_TLS_KEY_FILE="TLS server UCI not implemented"
UB_TLS_PEM_FILE="TLS server UCI not implemented"
-UB_TLS_FWD_FILE=$UB_VARDIR/ca-certificates.crt
UB_TLS_ETC_FILE=/etc/ssl/certs/ca-certificates.crt
# start files
@@ -50,10 +53,10 @@ UB_TIME_FILE=$UB_VARDIR/hotplug.time
UB_SKIP_FILE=$UB_VARDIR/skip.time
# control app keys
-UB_CTLKEY_FILE=$UB_VARDIR/unbound_control.key
-UB_CTLPEM_FILE=$UB_VARDIR/unbound_control.pem
-UB_SRVKEY_FILE=$UB_VARDIR/unbound_server.key
-UB_SRVPEM_FILE=$UB_VARDIR/unbound_server.pem
+UB_CTLKEY_FILE=$UB_ETCDIR/unbound_control.key
+UB_CTLPEM_FILE=$UB_ETCDIR/unbound_control.pem
+UB_SRVKEY_FILE=$UB_ETCDIR/unbound_server.key
+UB_SRVPEM_FILE=$UB_ETCDIR/unbound_server.pem
# similar default SOA / NS RR as Unbound uses for private ARPA zones
UB_XSER=$(( $( date +%s ) / 60 ))
diff --git a/net/unbound/files/dnsmasq.sh b/net/unbound/files/dnsmasq.sh
index 6dcbaecd8..eae8dae98 100644
--- a/net/unbound/files/dnsmasq.sh
+++ b/net/unbound/files/dnsmasq.sh
@@ -23,6 +23,9 @@
#
##############################################################################
+# while useful (sh)ellcheck is pedantic and noisy
+# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
+
DM_D_WAN_FQDN=0
DM_LIST_KNOWN_ZONES="invalid"
diff --git a/net/unbound/files/iptools.sh b/net/unbound/files/iptools.sh
index f25265d0f..9524f4ffe 100644
--- a/net/unbound/files/iptools.sh
+++ b/net/unbound/files/iptools.sh
@@ -21,6 +21,13 @@
#
##############################################################################
+# while useful (sh)ellcheck is pedantic and noisy
+# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
+
+UB_IPTOOLS_BLANK=
+
+##############################################################################
+
domain_ptr_ip6() {
# Get the nibble rounded /CIDR ...ip6.arpa.
echo "$1" | awk -F: \
diff --git a/net/unbound/files/odhcpd.sh b/net/unbound/files/odhcpd.sh
index d8390c870..b8af615a5 100644
--- a/net/unbound/files/odhcpd.sh
+++ b/net/unbound/files/odhcpd.sh
@@ -23,6 +23,13 @@
#
##############################################################################
+# while useful (sh)ellcheck is pedantic and noisy
+# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
+
+UB_ODHCPD_BLANK=
+
+##############################################################################
+
odhcpd_zonedata() {
. /lib/functions.sh
. /usr/lib/unbound/defaults.sh
diff --git a/net/unbound/files/stopping.sh b/net/unbound/files/stopping.sh
index c3f27ecac..90c383a65 100644
--- a/net/unbound/files/stopping.sh
+++ b/net/unbound/files/stopping.sh
@@ -19,6 +19,9 @@
#
##############################################################################
+# while useful (sh)ellcheck is pedantic and noisy
+# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
+
. /usr/lib/unbound/defaults.sh
##############################################################################
diff --git a/net/unbound/files/unbound.init b/net/unbound/files/unbound.init
index fa94a3b35..fb363e188 100755
--- a/net/unbound/files/unbound.init
+++ b/net/unbound/files/unbound.init
@@ -9,6 +9,9 @@
#
##############################################################################
+# while useful (sh)ellcheck is pedantic and noisy
+# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
+
START=19
STOP=50
USE_PROCD=1
@@ -54,9 +57,10 @@ stop_service() {
##############################################################################
service_triggers() {
- local legacy=$( uci_get unbound.@unbound[0].trigger )
- local triggers=$( uci_get unbound.@unbound[0].trigger_interface )
- local trigger="$triggers $legacy"
+ local legacy1=$( uci_get unbound.@unbound[0].trigger )
+ local legacy2=$( uci_get unbound.@unbound[0].trigger_interface )
+ local legacy3=$( uci_get unbound.@unbound[0].iface_trig )
+ local triggers="$legacy1 $legacy2 $legacy3"
. /usr/lib/unbound/defaults.sh
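Review bot: The merged list is now stored in `triggers`, whereas the old code stored it in `trigger` (`triggers` previously held only trigger_interface), and the rest of service_triggers lies outside this hunk with no further unbound.init hunk in the diff, so whatever loop consumes the list must already read `$triggers` or it now iterates an empty string and registers no interface triggers. Worth confirming against the lines that follow. A short comment above the three locals would also help the next reader, e.g. `# trigger and trigger_interface are older names for iface_trig; honour all three`.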
diff --git a/net/unbound/files/unbound.ntpd b/net/unbound/files/unbound.ntpd
index d9d0deefa..6f490cd0a 100755
--- a/net/unbound/files/unbound.ntpd
+++ b/net/unbound/files/unbound.ntpd
@@ -12,12 +12,14 @@
#
##############################################################################
-# Common file location definitions
+# while useful (sh)ellcheck is pedantic and noisy
+# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
+
. /usr/lib/unbound/defaults.sh
##############################################################################
-if [ ! -f "$UB_TIME_FILE" -a "$ACTION" = stratum ] ; then
+if [ ! -f "$UB_TIME_FILE" ] && [ "$ACTION" = stratum ] ; then
date -Is > $UB_TIME_FILE
/etc/init.d/unbound enabled && /etc/init.d/unbound restart
# Yes, hard RESTART. We need to be absolutely sure to enable DNSSEC.
diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh
index 0e2ebaf4d..c8460c07c 100644
--- a/net/unbound/files/unbound.sh
+++ b/net/unbound/files/unbound.sh
@@ -23,6 +23,9 @@
#
##############################################################################
+# while useful (sh)ellcheck is pedantic and noisy
+# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
+
UB_B_AUTH_ROOT=0
UB_B_DNS_ASSIST=0
UB_B_DNSSEC=0
@@ -53,7 +56,7 @@ UB_D_WAN_FQDN=0
UB_IP_DNS64="64:ff9b::/96"
-UB_N_EDNS_SIZE=1280
+UB_N_EDNS_SIZE=1232
UB_N_RX_PORT=53
UB_N_ROOT_AGE=9
UB_N_THREADS=1
@@ -114,7 +117,7 @@ bundle_all_networks() {
##############################################################################
-bundle_lan_networks() {
+bundle_dhcp_networks() {
local cfg="$1"
local interface ifsubnet ifname ifdashname ignore
@@ -139,19 +142,50 @@ bundle_lan_networks() {
##############################################################################
+bundle_lan_networks() {
+ local interface="$1"
+ local ifsubnet ifname ifdashname
+
+ network_get_device ifname "$interface"
+ ifdashname="${ifname//./-}"
+
+
+ if [ -n "$ifdashname" ] && [ -n "$UB_LIST_NETW_ALL" ] ; then
+ for ifsubnet in $UB_LIST_NETW_ALL ; do
+ case $ifsubnet in
+ "${ifdashname}"@*)
+ # Special GLA protection for local block; ULA protected default
+ UB_LIST_NETW_LAN="$UB_LIST_NETW_LAN $ifsubnet"
+ ;;
+ esac
+ done
+ fi
+}
+
+##############################################################################
+
bundle_wan_networks() {
- local ifsubnet
+ local interface="$1"
+ local ifsubnet ifname ifdashname
+
+ network_get_device ifname "$interface"
+ ifdashname="${ifname//./-}"
- if [ -n "$UB_LIST_NETW_ALL" ] ; then
+ if [ -n "$ifdashname" ] && [ -n "$UB_LIST_NETW_ALL" ] ; then
for ifsubnet in $UB_LIST_NETW_ALL ; do
case $UB_LIST_NETW_LAN in
*"${ifsubnet}"*)
- # If LAN, then not WAN ...
+ # If LAN, then not WAN ... scripts might become complex
;;
*)
- UB_LIST_NETW_WAN="$UB_LIST_NETW_WAN $ifsubnet"
+ case $ifsubnet in
+ "${ifdashname}"@*)
+ # Special GLA protection for local block; ULA protected default
+ UB_LIST_NETW_WAN="$UB_LIST_NETW_WAN $ifsubnet"
+ ;;
+ esac
;;
esac
done
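Review bot: bundle_lan_networks appends every matching ifsubnet without checking whether UB_LIST_NETW_LAN already holds it, so an interface that is both listed in iface_lan and handled by the DHCP pass (presumably bundle_dhcp_networks, whose body is outside this hunk) is added twice and later yields duplicate `access-control:` lines. The substring test bundle_wan_networks already uses, `case $UB_LIST_NETW_LAN in *"${ifsubnet}"*) ;; *) UB_LIST_NETW_LAN="$UB_LIST_NETW_LAN $ifsubnet" ;; esac`, would avoid that. The two consecutive blank lines after `ifdashname="${ifname//./-}"` in the new function look like a stray; the file separates statements with one elsewhere. The comment `Special GLA protection for local block; ULA protected default` is repeated in both functions and does not explain the match; since the later `${ifsubnet#*@}` shows entries are `<device>@<subnet>`, something like `# ifsubnet is "<device>@<subnet>"; keep only subnets of this device` would say what the pattern does.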
@@ -218,7 +252,8 @@ unbound_mkdir() {
mkdir -p $UB_VARDIR
rm -f $UB_VARDIR/dhcp_*
touch $UB_TOTAL_CONF
- cp -p /etc/unbound/* $UB_VARDIR/
+ cp -p $UB_ETCDIR/*.conf $UB_VARDIR/
+ cp -p $UB_ETCDIR/root.* $UB_VARDIR/
if [ ! -f $UB_RHINT_FILE ] ; then
@@ -253,42 +288,28 @@ unbound_mkdir() {
fi
- if [ -f $UB_TLS_ETC_FILE ] ; then
- # copy the cert bundle into jail
- cp -p $UB_TLS_ETC_FILE $UB_TLS_FWD_FILE
- fi
-
-
# Ensure access and prepare to jail
chown -R unbound:unbound $UB_VARDIR
chmod 755 $UB_VARDIR
chmod 644 $UB_VARDIR/*
- if [ -f $UB_CTLKEY_FILE ] || [ -f $UB_CTLPEM_FILE ] \
- || [ -f $UB_SRVKEY_FILE ] || [ -f $UB_SRVPEM_FILE ] ; then
- # Keys (some) exist already; do not create new ones
- chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
- $UB_SRVKEY_FILE $UB_SRVPEM_FILE
-
- elif [ -x /usr/sbin/unbound-control-setup ] ; then
- case "$UB_D_CONTROL" in
- [2-3])
- # unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static"
- /usr/sbin/unbound-control-setup -d $UB_VARDIR
-
- chown -R unbound:unbound $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
- $UB_SRVKEY_FILE $UB_SRVPEM_FILE
+ if [ -x /usr/sbin/unbound-control-setup ] ; then
+ if [ ! -f $UB_CTLKEY_FILE ] || [ ! -f $UB_CTLPEM_FILE ] \
+ || [ ! -f $UB_SRVKEY_FILE ] || [ ! -f $UB_SRVPEM_FILE ] ; then
+ case "$UB_D_CONTROL" in
+ [2-3])
+ # unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static"
+ /usr/sbin/unbound-control-setup -d $UB_ETCDIR
- chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
- $UB_SRVKEY_FILE $UB_SRVPEM_FILE
+ chown -R unbound:unbound $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
+ $UB_SRVKEY_FILE $UB_SRVPEM_FILE
- cp -p $UB_CTLKEY_FILE /etc/unbound/unbound_control.key
- cp -p $UB_CTLPEM_FILE /etc/unbound/unbound_control.pem
- cp -p $UB_SRVKEY_FILE /etc/unbound/unbound_server.key
- cp -p $UB_SRVPEM_FILE /etc/unbound/unbound_server.pem
- ;;
- esac
+ chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
+ $UB_SRVKEY_FILE $UB_SRVPEM_FILE
+ ;;
+ esac
+ fi
fi
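Review bot: When all four key files already exist in $UB_ETCDIR the new block does nothing, so keys created earlier or copied over by hand keep whatever owner and mode they have; the removed `if [ -f ... ]` branch used to re-apply `chmod 640` in exactly that case, and only the freshly generated keys now get `chown`/`chmod`. Enforcing the mode once after the `fi`, guarded by an existence test, would restore that. On the positive side, because unbound_mkdir now copies only `*.conf` and `root.*` into $UB_VARDIR, the private keys no longer land in the directory that `chmod 644 $UB_VARDIR/*` makes world-readable, which deserves a comment such as `# keys stay in $UB_ETCDIR; never copy them into the 644 jail tree`. If the daemon is chrooted into $UB_VARDIR and opens server-key-file after the chroot, the /etc path would have to be reachable from inside the jail — worth confirming against the generated unbound.conf. unbound_mkdir begins and ends outside this hunk.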
@@ -452,6 +473,19 @@ unbound_zone() {
fi
;;
+ htpps-dns-proxy)
+ if [ -x /usr/sbin/https-dns-proxy ] \
+ && [ -x /etc/init.d/https-dns-proxy ] ; then
+ if /etc/init.d/https-dns-proxy ; then
+ dns_ast=1
+ else
+ dns_ast=0
+ fi
+ else
+ dns_ast=0
+ fi
+ ;;
+
ipset-dns)
if [ -x /usr/sbin/ipset-dns ] && [ -x /etc/init.d/ipset-dns ] ; then
if /etc/init.d/ipset-dns enabled ; then
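Review bot: The new case label `htpps-dns-proxy)` is misspelled, so `option dns_assist 'https-dns-proxy'` never reaches this branch and falls through to `*)` with dns_ast=0 (the README hunk in this diff spells it a third way, `http-proxy-dns`); the label should match the binary the branch tests for, `https-dns-proxy)`. The inner test also runs the init script with no action, while the sibling ipset-dns branch uses `enabled`; it should read `if /etc/init.d/https-dns-proxy enabled ; then`, otherwise the script prints usage and the branch always ends with dns_ast=0. unbound_zone's case statement begins and ends outside this hunk.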
@@ -476,10 +510,17 @@ unbound_zone() {
fi
;;
+ unprotected-loop)
+ # Soft brick risk. The server you are looking to connect to may be offline
+ # and cause loop error: procd, sysupgrade, package order, and other issues.
+ dns_ast=1
+ ;;
+
*)
- # Prevent a soft-brick event through local forwarding loops. Declare your
- # assistant program and this will check to be sure it is there.
+ # Unbound has a local forward blocking option, default on, instead of loop
+ # detection. If it is released, then it may be a soft brick risk.
dns_ast=0
+ ;;
esac
@@ -527,7 +568,7 @@ unbound_zone() {
;;
forward_zone)
- if [ ! -f $UB_TLS_FWD_FILE ] && [ "$tls_upstream" = "yes" ] ; then
+ if [ ! -f $UB_TLS_ETC_FILE ] && [ "$tls_upstream" = "yes" ] ; then
logger -p 4 -t unbound -s \
"Forward-zone TLS benefits from authentication in package 'ca-bundle'"
fi
@@ -555,6 +596,11 @@ unbound_zone() {
else
case $server in
+ 127.*|::0*)
+ # soft brick loop back risk see DNS assist above
+ echo "do nothing" >/dev/null
+ ;;
+
*@[0-9]*|*#[A-Za-z0-9]*)
# unique Unbound option for server host name
servers_host="$servers_host $server"
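Review bot: The new loop-back guard `127.*|::0*)` does not match the IPv6 loop-back `::1`, which is the address the README and the dns_assist comment say forwarding must not target; `::0*` only matches strings beginning with `::0`. Given the `addr@port` and `addr#host` forms the next pattern handles, the label should be `127.*|::1|::1@*|::1#*)`. The dropped server also leaves no trace; `:` instead of `echo "do nothing" >/dev/null` plus a line such as `logger -p 4 -t unbound -s "loop-back forward $server ignored"` tells the operator why the entry vanished from the zone. The surrounding case statement continues outside the hunk.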
@@ -633,10 +679,10 @@ unbound_conf() {
} > $UB_CORE_CONF
- if [ -f "$UB_TLS_FWD_FILE" ] ; then
+ if [ -f "$UB_TLS_ETC_FILE" ] ; then
# TLS cert bundle for upstream forwarder and https zone files
# This is loaded before drop to root, so pull from /etc/ssl
- echo " tls-cert-bundle: $UB_TLS_FWD_FILE" >> $UB_CORE_CONF
+ echo " tls-cert-bundle: $UB_TLS_ETC_FILE" >> $UB_CORE_CONF
fi
@@ -690,14 +736,14 @@ unbound_conf() {
if [ $UB_B_EXT_STATS -gt 0 ] ; then
{
- # Log More
+ # store more data in memory for unbound-control to report
echo " extended-statistics: yes"
echo
} >> $UB_CORE_CONF
else
{
- # Log Less
+ # store Less
echo " extended-statistics: no"
echo
} >> $UB_CORE_CONF
@@ -714,14 +760,17 @@ unbound_conf() {
fi
+ {
+ # avoid interference with SPI/NAT on both reserved and common server ports
+ echo " edns-buffer-size: $UB_N_EDNS_SIZE"
+ echo " port: $UB_N_RX_PORT"
+ echo " outgoing-port-permit: 10240-65535"
+ } >> $UB_CORE_CONF
+
+
case "$UB_D_PROTOCOL" in
ip4_only)
{
- echo " edns-buffer-size: $UB_N_EDNS_SIZE"
- echo " port: $UB_N_RX_PORT"
- echo " outgoing-port-permit: 10240-65535"
- echo " interface: 0.0.0.0"
- echo " outgoing-interface: 0.0.0.0"
echo " do-ip4: yes"
echo " do-ip6: no"
echo
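Review bot: Every protocol case now drops its `interface: 0.0.0.0` / `interface: ::0` lines (also removed at L437, L471, L485 and L501) and nothing in these hunks writes an `interface:` line in their place; the README change in this diff ties the wild-card bind to interface_auto, so with `option interface_auto '0'` Unbound would presumably fall back to its built-in default of listening on localhost only unless another part of unbound_conf, outside this diff, emits per-address `interface:` lines. Worth confirming, and worth a comment in the new common block, e.g. `# listen addresses come from interface-automatic / iface_lan, not from here`. unbound_conf begins and ends outside this hunk.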
@@ -730,42 +779,29 @@ unbound_conf() {
ip6_only)
{
- echo " edns-buffer-size: $UB_N_EDNS_SIZE"
- echo " port: $UB_N_RX_PORT"
- echo " outgoing-port-permit: 10240-65535"
- echo " interface: ::0"
- echo " outgoing-interface: ::0"
echo " do-ip4: no"
echo " do-ip6: yes"
echo
} >> $UB_CORE_CONF
;;
- ip6_local)
+ ip6_local)
{
- echo " edns-buffer-size: $UB_N_EDNS_SIZE"
- echo " port: $UB_N_RX_PORT"
- echo " outgoing-port-permit: 10240-65535"
- echo " interface: 0.0.0.0"
- echo " interface: ::0"
- echo " outgoing-interface: 0.0.0.0"
+ # answer your local IPv6 network but avoid broken ISP IPv6
echo " do-ip4: yes"
echo " do-ip6: yes"
+ echo " prefer-ip4: yes"
+ echo " prefer-ip6: no"
echo
} >> $UB_CORE_CONF
;;
ip6_prefer)
{
- echo " edns-buffer-size: $UB_N_EDNS_SIZE"
- echo " port: $UB_N_RX_PORT"
- echo " outgoing-port-permit: 10240-65535"
- echo " interface: 0.0.0.0"
- echo " interface: ::0"
- echo " outgoing-interface: 0.0.0.0"
- echo " outgoing-interface: ::0"
+ # RFC compliant dual stack
echo " do-ip4: yes"
echo " do-ip6: yes"
+ echo " prefer-ip4: no"
echo " prefer-ip6: yes"
echo
} >> $UB_CORE_CONF
@@ -773,14 +809,6 @@ unbound_conf() {
mixed)
{
- # Interface Wildcard (access contol handled by "option local_service")
- echo " edns-buffer-size: $UB_N_EDNS_SIZE"
- echo " port: $UB_N_RX_PORT"
- echo " outgoing-port-permit: 10240-65535"
- echo " interface: 0.0.0.0"
- echo " interface: ::0"
- echo " outgoing-interface: 0.0.0.0"
- echo " outgoing-interface: ::0"
echo " do-ip4: yes"
echo " do-ip6: yes"
echo
@@ -791,17 +819,6 @@ unbound_conf() {
if [ $UB_B_READY -eq 0 ] ; then
logger -t unbound -s "default protocol configuration"
fi
-
-
- {
- # outgoing-interface has useful defaults; incoming is localhost though
- echo " edns-buffer-size: $UB_N_EDNS_SIZE"
- echo " port: $UB_N_RX_PORT"
- echo " outgoing-port-permit: 10240-65535"
- echo " interface: 0.0.0.0"
- echo " interface: ::0"
- echo
- } >> $UB_CORE_CONF
;;
esac
@@ -1043,9 +1060,9 @@ unbound_conf() {
fi
- if [ $UB_B_LOCL_SERV -gt 0 ] && [ -n "$UB_LIST_NETW_ALL" ] ; then
+ if [ $UB_B_LOCL_SERV -gt 0 ] && [ -n "$UB_LIST_NETW_LAN" ] ; then
{
- for ifsubnet in $UB_LIST_NETW_ALL ; do
+ for ifsubnet in $UB_LIST_NETW_LAN ; do
# Only respond to queries from subnets which have an interface.
# Prevent DNS amplification attacks by not responding to the universe.
echo " access-control: ${ifsubnet#*@} allow"
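Review bot: With the source list switched from UB_LIST_NETW_ALL to UB_LIST_NETW_LAN, an empty LAN list now skips the whole block, so a setup with no iface_lan entries and no DHCP-served interface gets localservice on but no `access-control: ... allow` line at all, and Unbound's defaults then answer only localhost. That is the safe direction, but it is silent; an else branch with `logger -t unbound -s "localservice: no LAN subnets found, answering localhost only"` would make the resulting refusals explainable. The `fi` closing this block and the rest of the loop body are outside the hunk.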
@@ -1327,7 +1344,7 @@ unbound_uci() {
config_get UB_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96"
- config_get UB_N_EDNS_SIZE "$cfg" edns_size 1280
+ config_get UB_N_EDNS_SIZE "$cfg" edns_size 1232
config_get UB_N_RX_PORT "$cfg" listen_port 53
config_get UB_N_ROOT_AGE "$cfg" root_age 9
config_get UB_N_THREADS "$cfg" num_threads 1
@@ -1348,8 +1365,9 @@ unbound_uci() {
config_get UB_TTL_MIN "$cfg" ttl_min 120
config_get UB_TXT_DOMAIN "$cfg" domain lan
- config_list_foreach "$cfg" domain_insecure bundle_domain_insecure
-
+ config_list_foreach "$cfg" domain_insecure bundle_domain_insecure
+ config_list_foreach "$cfg" iface_lan bundle_lan_networks
+ config_list_foreach "$cfg" iface_wan bundle_wan_networks
if [ "$UB_D_DHCP_LINK" = "none" ] ; then
config_get_bool UB_B_DNSMASQ "$cfg" dnsmasq_link_dns 0
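Review bot: `config_list_foreach "$cfg" iface_wan bundle_wan_networks` runs here inside unbound_uci, but bundle_dhcp_networks is only called later in unbound_start (the hunk ending at L559), so the "If LAN, then not WAN" test inside bundle_wan_networks sees just the subnets added by iface_lan and not those derived from `config dhcp`; an interface that is both DHCP-served and listed in iface_wan would presumably end up in both lists. If the exclusion is meant to cover DHCP-derived LAN subnets, the iface_wan names should be collected here and bundle_wan_networks run after bundle_dhcp_networks in unbound_start. A comment on the two new lines stating the intended order, e.g. `# iface_lan first: bundle_wan_networks excludes whatever is already LAN`, would make the dependency explicit.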
@@ -1396,7 +1414,7 @@ unbound_uci() {
if [ $UB_N_EDNS_SIZE -lt 512 ] || [ 4096 -lt $UB_N_EDNS_SIZE ] ; then
logger -t unbound -s "edns_size exceeds range, using default"
- UB_N_EDNS_SIZE=1280
+ UB_N_EDNS_SIZE=1232
fi
@@ -1541,6 +1559,11 @@ resolv_setup() {
##############################################################################
unbound_start() {
+ # get interface subnets together
+ config_load network
+ config_foreach bundle_all_networks interface
+
+ # read Unbound UCI but pick through it later
config_load unbound
config_foreach unbound_uci unbound
unbound_mkdir
@@ -1551,11 +1574,8 @@ unbound_start() {
# forward-zone: auth-zone: and stub-zone:
config_foreach unbound_zone zone
# associate potential DNS RR with interfaces
- config_load network
- config_foreach bundle_all_networks interface
config_load dhcp
- config_foreach bundle_lan_networks dhcp
- bundle_wan_networks
+ config_foreach bundle_dhcp_networks dhcp
# server:
unbound_conf
unbound_hostname
diff --git a/net/unbound/files/unbound.uci b/net/unbound/files/unbound.uci
index f796a5802..432332e6e 100644
--- a/net/unbound/files/unbound.uci
+++ b/net/unbound/files/unbound.uci
@@ -1,4 +1,4 @@
-config unbound
+config unbound 'ub_main'
option add_extra_dns '0'
option add_local_fqdn '1'
option add_wan_fqdn '0'
@@ -8,7 +8,7 @@ config unbound
option dns64_prefix '64:ff9b::/96'
option domain 'lan'
option domain_type 'static'
- option edns_size '1280'
+ option edns_size '1232'
option extended_stats '0'
option hide_binddata '1'
option interface_auto '1'
@@ -30,11 +30,12 @@ config unbound
option validator '0'
option validator_ntp '1'
option verbosity '1'
- list trigger_interface 'lan'
- list trigger_interface 'wan'
+ list iface_trig 'lan'
+ list iface_trig 'wan'
+ list iface_wan 'wan'
#list domain_insecure 'ntp.example.com'
-config zone
+config zone 'auth_icann'
# cache the root zone all at once to speed up recursion
option enabled '0'
option fallback '1'
@@ -47,7 +48,7 @@ config zone
list zone_name 'in-addr.arpa.'
list zone_name 'ip6.arpa.'
-config zone
+config zone 'fwd_isp'
# forward ISP account management to DHCP announced DNS servers
option enabled '0'
option fallback '1'
@@ -56,3 +57,27 @@ config zone
list zone_name 'isp-bill.example.com.'
list zone_name 'isp-mail.example.net.'
+config zone 'fwd_google'
+ option enabled '0'
+ option fallback '1'
+ option tls_index 'dns.google'
+ option tls_upstream '1'
+ option zone_type 'forward_zone'
+ list server '8.8.4.4'
+ list server '8.8.8.8'
+ list server '2001:4860:4860::8844'
+ list server '2001:4860:4860::8888'
+ list zone_name '.'
+
+config zone 'fwd_cloudflare'
+ option enabled '0'
+ option fallback '1'
+ option tls_index 'cloudflare-dns.com'
+ option tls_upstream '1'
+ option zone_type 'forward_zone'
+ list server '1.1.1.1'
+ list server '1.0.0.1'
+ list server '2606:4700:4700::1111'
+ list server '2606:4700:4700::1001'
+ list zone_name '.'
+
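Review bot: Both new zones set `tls_upstream '1'` against public resolvers, and the forward_zone branch in this diff (`if [ ! -f $UB_TLS_ETC_FILE ] && [ "$tls_upstream" = "yes" ]`) only logs when the CA bundle is missing rather than refusing, so a user who flips `enabled` to '1' without the ca-bundle package presumably gets a TLS session with no certificate authentication and `tls_index` then verifies nothing. Since these entries ship disabled, a comment in the template is enough to make the dependency visible, e.g. `# tls_upstream needs package ca-bundle, otherwise the upstream is not authenticated`.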