| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
| |
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
|
| |
|
|
| |
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
|
| |
|
|
| |
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
|
| |
|
|
| |
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
- prevent rapid overlap in DHCP script updates
- check and allow localhost forwards with specific applications
- add option for rate limiting inbound queries
- change UCI list to table format with Unbound conf references
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
The two unique packages "Unbound light" and "Unbound heavy"
were not working well due to the fact that Unbound is mostly
its library. Tools and helpers would crash. Instead a reasonable
default Unbound is built. Also up select options like python
are added. libevent and libpthreads are options to down select.
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
Unbound has a quirk and may reply on a different device address.
When Unbound answers with from-address different than it
received queries on, it may cause trouble for select VPN and
firewall configurations. Ensure Unbound replies with the same
address by changing this default.
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
|
| |
|
|
|
|
| |
Fixes commit da76aeb24c1b ("unbound: expose interface-auto to UCI")
Signed-off-by: David Bauer <mail@david-bauer.net>
|
| |
|
|
|
|
|
|
| |
Fixes:
CVE-2020-12662
CVE-2020-12663
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch enables ipset support in the unbound-daemon-heavy variant. See [1] for
instructions on how to use it.
Also fix a minor typo in the libunbound-light description.
[1] https://github.com/NLnetLabs/unbound/pull/28
Signed-off-by: Stijn Segers <foss@volatilesystems.org>
|
| |
|
|
| |
Signed-off-by: Stijn Segers <foss@volatilesystems.org>
|
| |
|
|
| |
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
|
| |
|
|
| |
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
|
| |
|
|
| |
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
|
| |
|
|
|
|
| |
Fixes CVE-2019-18934
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This removes lines that set PKG_BUILD_DIR when the set value is no
different from the default value.
Specifically, the line is removed if the assigned value is:
* $(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
The default PKG_BUILD_DIR was updated[1] to incorporate BUILD_VARIANT
if it is set, so now this is identical to the default value.
* $(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_SOURCE_SUBDIR)
if PKG_SOURCE_SUBDIR is set to $(PKG_NAME)-$(PKG_VERSION), making it
the same as the previous case
* $(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
This is the same as the default PKG_BUILD_DIR when there is no
BUILD_VARIANT.
* $(BUILD_DIR)/[name]-$(PKG_VERSION)
where [name] is a string that is identical to PKG_NAME
[1]: https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=e545fac8d968864a965edb9e50c6f90940b0a6c9
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
|
| |
|
|
|
|
| |
Fixes CVE-2019-16866
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
|
| |
|
|
| |
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
|
| |
|
|
| |
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
|
| |
|
|
| |
Signed-off-by: Alexander Ryzhov <github@ryzhov-al.ru>
|
| |
|
|
|
|
|
| |
Two seperate package names were chosen instead of menu selected options
because dependents need a ready (large) package in release directory.
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
|
| |
|
|
| |
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
|
| |
|
|
| |
Signed-off-by: Rosen Penev <rosenp@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Added a dependency to OPENSSL_WITH_EC to prevent any build failures.
Switched URLs to HTTPS.
Added PKG_CPE_ID for proper CVE tracking.
Some Makefile reorganization for consistency between packages.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
|
| |
|
|
| |
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
Changes:
-remove old dns64 patch
-refresh openssl deprecated patch
-add DoT error log patch https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4206
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
|
| |
|
|
| |
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
|
| |
|
|
| |
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
|
| |
|
|
| |
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
|
| |
|
|
|
|
| |
This will become pointless once OpenSSL 1.1.1 enters the tree.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
|
| |
|
|
|
|
|
| |
- fix AXFR zones to delay a potentially large download with ntp-hotplug
- fix odhcpd link script to properly delete expired lease data from DNS
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
|
| |
|
|
|
|
|
| |
bug fixes for memory leaks
bug fixes for DNS over TLS
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
|
| |
|
|
| |
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
|
| |
|
|
|
|
|
| |
- adjust a few UCI translations to coordinate with upstream defaults
- remove OpenSSL < 1.1.0 API log error patch which is included upstream
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
|
| |
|
|
| |
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
ssl_set1_host() is not available without openssl-1.1.0. Unbound can not do
host cert verification. DNS over TLS connects, but hosts are unverified. A
patch for log err is added with a noitce in README.md.
(see: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658)
Also, squash some minor robustness and TLS usability fixes.
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
Unbound struggles with boot ifup, so procd triggers changed to push
outside of this noise. Unbound has run in /var/lib/unbound/, so chroot
(jail) protects /etc/, and it can save flash wear. Compiled defaults
reflect this now, so Unbound tools are easier run on the command line.
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
With growing interest, DNS over TLS can be setup in Unbounds foward-zone:
clause. A broader UCI solution is added to support forward-, stub-, and
auth- zone clauses in a new 'zone' section. This implentation required
reworking scripts, because they did not scale. 'forward_domain' and
'prefetch_root' options are removed, and superceded by 'zone' section.
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
|
| |
|
|
| |
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
|
| |
|
|
| |
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When UCI local zone is private and static, Unbound covered private
addresses with defaults. Optional delegated global IP6 prefix
protection lacked a static zone, but it was prevented from appearing
in global DNS responses. Domain names router-as-TLD, "lan." and
"local." were static, but they lacked default SOA or NS such as
Unbound had assinged to private addresses. Clean up these local
zones UCI evaluation and block global DNS inclusion.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
|
| |
|
|
|
|
|
| |
A few bug fixes but importantly fix a deadlock on
AXFR configuration when notify occurs (auth-zone:)
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
|
| |
|
|
|
|
|
| |
This can reduce the lookup times for TCP lookups with a full RTT for
supported servers.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
|
| |
|
|
|
|
|
|
|
| |
Add the possibility to use Unbound auto-zone: clause to
fetch complete root, arpa, in-addr.arpa, and ip6.arpa
zone files. This can speed up recursion when users
access many ccTLD or connection logging hits many PTR.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
|
| |
|
|
|
|
|
|
| |
Some resource options bundled many Unbound.conf options and
made customizing on top of UCI difficult. Make it easier to
use Unbound built defaults (blank conf sections).
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
|
| |
|
|
| |
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
|
| |
|
|
| |
Signed-off-by: Peter Wagner <tripolar@gmx.at>
|
| |
|
|
|
|
|
|
|
|
|
| |
- Add domain_forward to permit designated domains to forward instead
of recurse as listed in resolve.conf.auto from DHCP WAN client
- Update rebind_protection and add rebind_interface to protect IP6
GLA locally just like RFC 1918 protection
- Rename trigger to trigger_interface with backwards compatability
- Update odhcpd script for efficiency handling many clients
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
|
| |
|
|
| |
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
A vulnerability was discovered in the processing of wildcard synthesized
NSEC records. While synthesis of NSEC records is allowed by RFC4592,
these synthesized owner names should not be used in the NSEC processing.
This does, however, happen in Unbound 1.6.7 and earlier versions.
(see https://unbound.net/downloads/CVE-2017-15105.txt)
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
|