You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

428 lines
21 KiB

  1. # Unbound Recursive DNS Server with UCI
  2. ## Unbound Description
  3. [Unbound](https://www.unbound.net/) is a validating, recursive, and caching DNS resolver. The C implementation of Unbound is developed and maintained by [NLnet Labs](https://www.nlnetlabs.nl/). It is based on ideas and algorithms taken from a java prototype developed by Verisign labs, Nominet, Kirei and ep.net. Unbound is designed as a set of modular components, so that also DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible.
  4. ## Package Overview
  5. OpenWrt default build uses [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html) for DNS forwarding and DHCP. With a forward only resolver, dependence on the upstream recursors may be cause for concern. They are often provided by the ISP, and some users have switched to public DNS providers. Either way may result in problems due to performance, "snoop-vertising", hijacking (MiM), and other causes. Running a recursive resolver or resolver capable of TLS may be a solution.
  6. Unbound may be useful on consumer grade embedded hardware. It is fully DNSSEC and TLS capable. It is _intended_ to be a recursive resolver only. NLnet Labs [NSD](https://www.nlnetlabs.nl/projects/nsd/) is _intended_ for the authoritative task. This is different than [ISC Bind](https://www.isc.org/downloads/bind/) and its inclusive functions. Unbound configuration effort and memory consumption may be easier to control. A consumer could have their own recursive resolver with 8/64 MB router, and remove potential issues from forwarding resolvers outside of their control.
  7. This package builds on Unbounds capabilities with OpenWrt UCI. Not every Unbound option is in UCI, but rather, UCI simplifies the combination of related options. Unbounds native options are bundled and balanced within a smaller set of choices. Options include resources, DNSSEC, access control, and some TTL tweaking. The UCI also provides an escape option and works at the raw "unbound.conf" level.
  8. ## HOW TO: Ad Blocking
  9. The UCI scripts will work with [net/adblock](https://github.com/openwrt/packages/blob/master/net/adblock/files/README.md), if it is installed and enabled. Its all detected and integrated automatically. In brief, the adblock scripts create distinct local-zone files that are simply included in the unbound conf file during UCI generation. If you don't want this, then disable adblock or reconfigure adblock to not send these files to Unbound.
  10. A few tweaks may be needed to enhance the realiability and effectiveness. Ad Block option for delay time may need to be set for upto one minute (adb_triggerdelay), because of boot up race conditions with interfaces calling Unbound restarts. Also many smart devices (TV, microwave, or refigerator) will also use public DNS servers either as a bypass or for certain connections in general. If you wish to force exclusive DNS to your router, then you will need a firewall rule for example:
  11. **/etc/config/firewall**:
  12. ```
  13. config rule
  14. option name 'Block-Public-DNS'
  15. option enabled '1'
  16. option src 'lan'
  17. option dest 'wan'
  18. option dest_port '53 853 5353'
  19. option proto 'tcpudp'
  20. option family 'any'
  21. option target 'REJECT'
  22. ```
  23. ## HOW TO: Integrate with DHCP
  24. Some UCI options and scripts help Unbound to work with DHCP servers to load the local DNS. The examples provided here are serial dnsmasq-unbound, parallel dnsmasq-unbound, and unbound scripted with odhcpd.
  25. ### Serial dnsmasq
  26. In this case, dnsmasq is not changed *much* with respect to the default [OpenWrt](https://openwrt.org/docs/guide-user/base-system/dns_configuration) configuration. Here dnsmasq is forced to use the local Unbound instance as the lone upstream DNS server, instead of your ISP. This may be the easiest implementation, but performance degradation can occur in high volume networks. Unbound and dnsmasq effectively have the same information in memory, and all transfers are double handled.
  27. **/etc/config/unbound**:
  28. ```
  29. config unbound
  30. option add_local_fqdn '0'
  31. option add_wan_fqdn '0'
  32. option dhcp_link 'none'
  33. # dnsmasq should not forward your domain to unbound, but if...
  34. option domain 'yourdomain'
  35. option domain_type 'refuse'
  36. option listen_port '1053'
  37. ...
  38. ```
  39. **/etc/config/dhcp**:
  40. ```
  41. config dnsmasq
  42. option domain 'yourdomain'
  43. option noresolv '1'
  44. option resolvfile '/tmp/resolv.conf.auto'
  45. option port '53'
  46. list server '127.0.0.1#1053'
  47. list server '::1#1053'
  48. ...
  49. ```
  50. ### Parallel dnsmasq
  51. In this case, Unbound serves your local network directly for all purposes. It will look over to dnsmasq for DHCP-DNS resolution. Unbound is generally accessible on port 53, and dnsmasq is only accessed at 127.0.0.1:1053 by Unbound. Although you can dig/drill/nslookup remotely with the proper directives.
  52. **/etc/config/unbound**:
  53. ```
  54. config unbound
  55. option dhcp_link 'dnsmasq'
  56. option listen_port '53'
  57. ...
  58. ```
  59. **/etc/config/dhcp**:
  60. ```
  61. config dnsmasq
  62. option domain 'yourdomain'
  63. option noresolv '1'
  64. option resolvfile '/tmp/resolv.conf.auto'
  65. option port '1053'
  66. ...
  67. config dhcp 'lan'
  68. # dnsmasq may not issue DNS option if not std. configuration
  69. list dhcp_option 'option:dns-server,0.0.0.0'
  70. ...
  71. ```
  72. ### Unbound and odhcpd
  73. You may ask, "can Unbound replace dnsmasq?" You can have DHCP-DNS records with Unbound and [odhcpd](https://github.com/openwrt/odhcpd/blob/master/README) only. The UCI scripts will allow Unbound to act like dnsmasq. When odhcpd configures each DHCP lease, it will call a script. The script provided with Unbound will read the lease file for DHCP-DNS records. The unbound-control application is required, because simply rewriting conf-files and restarting unbound is too much overhead.
  74. - Default OpenWrt has dnsmasq+odhcpd with `odhcpd-ipv6only` limited to DHCPv6.
  75. - If you use dnsmasq+odhcpd together, then use dnsmasq serial or parallel methods above.
  76. - You must install package `odhcpd` (full) to use odhcpd alone.
  77. - You must install package `unbound-control` to load and unload leases.
  78. - Remember to uninstall (or disable) dnsmasq when you won't use it.
  79. **/etc/config/unbound**:
  80. ```
  81. config unbound
  82. # name your router in DNS
  83. option add_local_fqdn '1'
  84. option add_wan_fqdn '1'
  85. option dhcp_link 'odhcpd'
  86. # add SLAAC inferred from DHCPv4
  87. option dhcp4_slaac6 '1'
  88. option domain 'lan'
  89. option domain_type 'static'
  90. option listen_port '53'
  91. option rebind_protection '1'
  92. # install unbound-control and set this
  93. option unbound_control '1'
  94. ...
  95. ```
  96. **/etc/config/dhcp**:
  97. ```
  98. config dhcp 'lan'
  99. option dhcpv4 'server'
  100. option dhcpv6 'server'
  101. option interface 'lan'
  102. option leasetime '12h'
  103. option ra 'server'
  104. option ra_management '1'
  105. ...
  106. config odhcpd 'odhcpd'
  107. option maindhcp '1'
  108. option leasefile '/var/lib/odhcpd/dhcp.leases'
  109. # this is where the magic happens
  110. option leasetrigger '/usr/lib/unbound/odhcpd.sh'
  111. ```
  112. ## HOW TO: Manual Override
  113. Yes, there is a UCI to disable the rest of Unbound UCI. However, OpenWrt or LEDE are targeted at embedded machines with flash ROM. The initialization scripts do a few things to protect flash ROM.
  114. ### Completely Manual (almost)
  115. All of `/etc/unbound` (persistent, ROM) is copied to `/var/lib/unbound` (tmpfs, RAM). Edit your manual `/etc/unbound/unbound.conf` to reference this `/var/lib/unbound` location for included files. Note in preparation for a jail, `/var/lib/unbound` is `chown unbound`. Configure for security in`/etc/unbound/unbound.conf` with options `username:unbound` and `chroot:/var/lib/unbound`.
  116. Keep the DNSKEY updated with your choice of flash activity. `root.key` maintenance for DNSKEY RFC5011 would be hard on flash. Unbound natively updates frequently. It also creates and destroys working files in the process. In `/var/lib/unbound` this is no problem, but it would be gone at the next reboot. If you have DNSSEC (validator) active, then you should consider the age UCI option. Choose how many days to copy from `/var/lib/unbound/root.key` (tmpfs) to `/etc/unbound/root.key` (flash).
  117. **/etc/config/unbound**:
  118. ```
  119. config unbound
  120. option manual_conf '1'
  121. option root_age '9'
  122. # end
  123. ```
  124. ### Hybrid Manual/UCI
  125. You like the UCI. Yet, you need to add some difficult to standardize options, or just are not ready to make a UCI request yet. The files `/etc/unbound/unbound_srv.conf` and `/etc/unbound/unbound_ext.conf` will be copied to Unbounds chroot directory and included during auto generation.
  126. The file `unbound_srv.conf` will be added into the `server:` clause. The file `unbound_ext.conf` will be added to the end of all configuration. It is for extended `forward-zone:`, `stub-zone:`, `auth-zone:`, and `view:` clauses. You can also disable unbound-control in the UCI which only allows "localhost" connections unencrypted, and then add an encrypted remote `control:` clause.
  127. ## HOW TO: Cache Zone Files
  128. Unbound has the ability to AXFR a whole zone from an authoritative server to prefetch the zone. This can speed up access to common zones. Some may have special bandwidth concerns for DNSSEC overhead. The following is a generic example. UCI defaults include the [root](https://www.internic.net/domain/) zone, but it is disabled as a ready to go example.
  129. **/etc/config/unbound**:
  130. ```
  131. config zone
  132. option enabled '1'
  133. option fallback '1'
  134. option url_dir 'https://asset-management.it.example.com/zones/'
  135. option zone_type 'auth_zone'
  136. list server 'ns1.it.example.com'
  137. list server 'ns2.it.example.com'
  138. list zone_name 'example.com'
  139. ```
  140. ## HOW TO: TLS Over DNS
  141. Unbound can use TLS as a client or server. UCI supports Unbound as a forwarding client with TLS. Servers are more complex and need manual configuration. This may be desired for privacy against stealth tracking. Some public DNS servers seem to advertise help in this quest. If your looking for a better understanding, then some information can be found at [Cloudflare](https://www.cloudflare.com/) DNS [1.1.1.1](https://1.1.1.1/). The following is a generic example. You can mix providers by using complete server specificaiton to override the zones common port and certificate domain index.
  142. **NOTICE:** Unbound requires openssl-1.1.0 to verify host certificates. OpenWrt at present is configured with openssl-1.0.2. Connections will be over TLS, but theoretically, certificates may not be from a trusted source. See report [Unbound #658](https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658). When this is resolved, it will be recommended again to install `ca-bundle`, maintain it, and be sure to include the TLS certificate domain index with the host addresses.
  143. **/etc/config/unbound**:
  144. ```
  145. config zone
  146. option enabled '1'
  147. # question: do you want to recurse when TLS fails or not?
  148. option fallback '0'
  149. option tls_index 'dns.example.net'
  150. option tls_port '853'
  151. option tls_upstream '1'
  152. option zone_type 'forward_zone'
  153. # these servers assume a common TLS port/index
  154. list server '192.0.2.53'
  155. list server '2001:db8::53'
  156. # this alternate server is fully specified inline
  157. list server '192.0.2.153@443#dns.alternate.example.org'
  158. list zone_name '.'
  159. ```
  160. ## Complete List of UCI Options
  161. **/etc/config/unbound**:
  162. ```
  163. config unbound
  164. Currently only one instance is supported.
  165. option add_extra_dns '0'
  166. Level. Execute traditional DNS overrides found in `/etc/config/dhcp`.
  167. Optional so you may use other Unbound conf or redirect to NSD instance.
  168. 0 - Ignore `/etc/config/dhcp`
  169. 1 - Use only 'domain' clause (host records)
  170. 2 - Use 'domain', 'mxhost', and 'srvhost' clauses
  171. 3 - Use all of 'domain', 'mxhost', 'srvhost', and 'cname' clauses
  172. option add_local_fqdn '0'
  173. Level. This puts your routers host name in the LAN (local) DNS.
  174. Each level is more detailed and comprehensive.
  175. 0 - Disabled
  176. 1 - Host Name on only the primary address
  177. 2 - Host Name on all addresses found (except link)
  178. 3 - FQDN and host name on all addresses (except link)
  179. 4 - Above and interfaces named <iface>.<hostname>.<domain>
  180. option add_wan_fqdn '0'
  181. Level. Same as previous option only this applies to the WAN. WAN
  182. are inferred by a UCI `config dhcp` entry that contains the line
  183. option ignore '1'.
  184. option dns64 '0'
  185. Boolean. Enable DNS64 through Unbound in order to bridge networks
  186. that are IPV6 only and IPV4 only (see RFC6052).
  187. option dns64_prefix '64:ff9b::/96'
  188. IPV6 Prefix. The IPV6 prefix wrapped on the IPV4 address for DNS64.
  189. You should use RFC6052 "well known" address, unless you also
  190. redirect to a proxy or gateway for your NAT64.
  191. option dhcp_link 'none'
  192. Program Name. Link to one of the supported programs we have scripts
  193. for. You may also need to install a trigger script in the DHCP
  194. servers configuration. See HOW TO above.
  195. option dhcp4_slaac6 '0'
  196. Boolean. Some DHCP servers do this natively (dnsmasq). Otherwise
  197. the script provided with this package will try to fabricate SLAAC
  198. IP6 addresses from DHCPv4 MAC records.
  199. option domain 'lan'
  200. Unbound local-zone: <domain> <type>. This is used to suffix all
  201. host records, and maintain a local zone. When dnsmasq is dhcp_link
  202. however, then this option is ignored (dnsmasq does it all).
  203. option domain_type 'static'
  204. Unbound local-zone: <domain> <type>. This allows you to lock
  205. down or allow forwarding of the local zone. Notable types:
  206. static - typical single router setup much like OpenWrt dnsmasq default
  207. refuse - to answer overtly with DNS code REFUSED
  208. deny - to drop queries for the local zone
  209. transparent - to use your manually added forward-zone: or stub-zone: clause
  210. option edns_size '1280'
  211. Bytes. Extended DNS is necessary for DNSSEC. However, it can run
  212. into MTU issues. Use this size in bytes to manage drop outs.
  213. option extended_stats '0'
  214. Boolean. extended statistics are printed from unbound-control.
  215. Keeping track of more statistics takes time.
  216. option hide_binddata '1'
  217. Boolean. If enabled version.server, version.bind, id.server, and
  218. hostname.bind queries are refused.
  219. option listen_port '53'
  220. Port. Incoming. Where Unbound will listen for queries.
  221. option localservice '1'
  222. Boolean. Prevent DNS amplification attacks. Only provide access to
  223. Unbound from subnets this machine has interfaces on.
  224. option manual_conf '0'
  225. Boolean. Skip all this UCI nonsense. Manually edit the
  226. configuration. Make changes to /etc/unbound/unbound.conf.
  227. option protocol 'mixed'
  228. Unbound can limit its protocol used for recursive queries.
  229. ip4_only - limit issues if you do not have native IPv6
  230. ip6_only - test environment only; could cauase problems
  231. ip6_prefer - both IPv4 and IPv6 but try IPv6 first
  232. mixed - both IPv4 and IPv6
  233. default - Unbound built-in defaults
  234. option query_minimize '0'
  235. Boolean. Enable a minor privacy option. Don't let each server know
  236. the next recursion. Query one piece at a time.
  237. option query_min_strict '0'
  238. Boolean. Query minimize is best effort and will fall back to normal
  239. when it must. This option prevents the fall back, but less than
  240. standard name servers will fail to resolve their domains.
  241. option rebind_localhost '0'
  242. Boolean. Prevent loopback "127.0.0.0/8" or "::1/128" responses.
  243. These may used by black hole servers for good purposes like
  244. ad-blocking or parental access control. Obviously these responses
  245. also can be used to for bad purposes.
  246. option rebind_protection '1'
  247. Level. Block your local address responses from global DNS. A poisoned
  248. reponse within "192.168.0.0/24" or "fd00::/8" could turn a local browser
  249. into an external attack proxy server. IP6 GLA may be vulnerable also.
  250. 0 - Off
  251. 1 - Only RFC 1918 and 4193 responses blocked
  252. 2 - Plus GLA /64 on designated interface(s)
  253. 3 - Plus DHCP-PD range passed down interfaces (not implemented)
  254. option recursion 'passive'
  255. Unbound has many options for recrusion but UCI is bundled for simplicity.
  256. passive - slower until cache fills but kind on CPU load
  257. default - Unbound built-in defaults
  258. aggressive - uses prefetching to handle more requests quickly
  259. option resource 'small'
  260. Unbound has many options for resources but UCI is bundled for simplicity.
  261. tiny - similar to published memory restricted configuration
  262. small - about half of medium
  263. medium - similar to default, but fixed for consistency
  264. default - Unbound built-in defaults
  265. large - about double of medium
  266. option root_age '9'
  267. Days. >90 Disables. Age limit for Unbound root data like root
  268. DNSSEC key. Unbound uses RFC 5011 to manage root key. This could
  269. harm flash ROM. This activity is mapped to "tmpfs," but every so
  270. often it needs to be copied back to flash for the next reboot.
  271. option ttl_min '120'
  272. Seconds. Minimum TTL in cache. Recursion can be expensive without
  273. cache. A low TTL is normal for server migration. A low TTL can be
  274. abused for snoop-vertising (DNS hit counts; recording query IP).
  275. Typical to configure maybe 0~300, but 1800 is the maximum accepted.
  276. option unbound_control '0'
  277. Level. Enables unbound-control application access ports.
  278. 0 - No unbound-control Access, or add your own in 'unbound_ext.conf'
  279. 1 - Unencrypted Local Host Access
  280. 2 - SSL Local Host Access; auto unbound-control-setup if available
  281. 3 - SSL Network Access; auto unbound-control-setup if available
  282. 4 - SSL Network Access; static key/pem files must already exist
  283. option validator '0'
  284. Boolean. Enable DNSSEC. Unbound names this the "validator" module.
  285. option validator_ntp '1'
  286. Boolean. Disable DNSSEC time checks at boot. Once NTP confirms
  287. global real time, then DNSSEC is restarted at full strength. Many
  288. embedded devices don't have a real time power off clock. NTP needs
  289. DNS to resolve servers. This works around the chicken-and-egg.
  290. option verbosity '1'
  291. Level. Sets Unbounds logging intensity.
  292. list domain_insecure 'ntp.somewhere.org'
  293. Domain. Domains that you wish to skip DNSSEC. It is one way around NTP
  294. chicken and egg. Your DHCP servered domains are automatically included.
  295. list trigger_interface 'lan' 'wan'
  296. Interface (logical). This option is a work around for netifd/procd
  297. interaction with WAN DHCPv6. Minor RA or DHCP changes in IP6 can
  298. cause netifd to execute procd interface reload. Limit Unbound procd
  299. triggers to LAN and WAN (IP4 only) to prevent restart @2-3 minutes.
  300. config zone
  301. Create Unbounds forward-zone:, stub-zone:, or auth-zone: clauses
  302. option enabled 1
  303. Boolean. Enable the zone clause.
  304. option fallback 1
  305. Boolean. Permit normal recursion when the narrowly selected servers
  306. in this zone are unresponsive or return empty responses. Disable, if
  307. there are security concerns (forward only internal to organization).
  308. option port 53
  309. Port. Servers are contact on this port for plain DNS operations.
  310. option resolv_conf 0
  311. Boolean. Use "resolv.conf" as it was filled by the DHCP client. This
  312. can be used to forward zones within your ISP (mail.example.net) or that
  313. have co-located services (streamed-movies.example.com). Recursion may
  314. not yield the most local result, but forwarding may instead.
  315. option tls_index (n/a)
  316. Domain. Name TLS certificates are signed for (dns.example.net). If this
  317. option is ommitted, then Unbound will make the connection but not
  318. validate it.
  319. option tls_port 853
  320. Port. Servers are contact on this port for DNS over TLS operations.
  321. option tls_upstream 0
  322. Boolean. Use TLS to contact the zone server.
  323. option url_dir
  324. String. http or https path, directory part only, to the zone file for
  325. auth_zone type only. Files "${zone_name}.zone" are expect in this path.
  326. option zone_type (n/a)
  327. State. Required field or the clause is effectively disabled. Check
  328. Unbound documentation for clarity (unbound-conf).
  329. auth_zone - prefetch whole zones from authoritative server (ICANN)
  330. forward_zone - forward queries in these domains to the listed servers
  331. stub_zone - force recursion of these domains to the listed servers
  332. list server (n/a)
  333. IP. Every zone must have one server. Stub and forward require IP to
  334. prevent chicken and egg (due to UCI simplicity). Authoritative prefetch
  335. may use a server name.
  336. list zone_name
  337. Domain. Every zone must represent some part of the DNS tree. It can be
  338. all of it "." or you internal organization domain "example.com." Within
  339. each zone clause all zone names will be matched to all servers.
  340. ```
  341. ## Replaced Options
  342. config unbound / option prefetch_root
  343. List the domains in a zone with type auth_zone and fill in the server
  344. or url fields. Root zones are ready but disabled in default install UCI.
  345. config unbound / list domain_forward
  346. List the domains in a zone with type forward_zone and enable the
  347. resolv_conf option.
  348. config unbound / list rebind_interface
  349. Enable rebind_protection at 2 and all DHCP interfaces are also
  350. protected for IPV6 GLA (parallel to subnets in add_local_fqdn).