diff --git a/net/unbound/files/README.md b/net/unbound/files/README.md index 712923e57..825a07109 100644 --- a/net/unbound/files/README.md +++ b/net/unbound/files/README.md @@ -1,4 +1,5 @@ # Unbound Recursive DNS Server with UCI + ## Unbound Description [Unbound](https://www.unbound.net/) is a validating, recursive, and caching DNS resolver. The C implementation of Unbound is developed and maintained by [NLnet Labs](https://www.nlnetlabs.nl/). It is based on ideas and algorithms taken from a java prototype developed by Verisign labs, Nominet, Kirei and ep.net. Unbound is designed as a set of modular components, so that also DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible. @@ -202,7 +203,7 @@ One instance is supported currently. | --- | ------- | ----- | ----------- | ------- | | add_extra_dns | 0 | level | Read OpenWrt traditional options for `dnsmasq`.
`0`: Disabled
`1`: Use only domain
`2`: Use domain, mxhost, and srvhost
`3`: Use all cname, domain, mxhost, and srvhost | local-data: | | add_local_fqdn | 0 | level | Each level puts a more detailed router entry within the LAN DNS (except link).
`0`: Disabled
`1`: Host name on the primary address
`2`: Host name on all addresses
`3`: FQDN and host name on all addresses
`4`: FQDN defined by "iface.hostname.domain" | local-zone: local-data: | -| add_wan_fqdn | 0 | level | Same as `add_local_fqdn` but on WAN as inferred by `config dhcp` with `option ignore 1`. | local-zone: local-data: | +| add_wan_fqdn | 0 | level | Same as `add_local_fqdn` but on WAN as listed in `iface_wan` | local-zone: local-data: | | dns64 | 0 | boolean | Enable DNS64 RFC6052 to bridge IPv4 and IPv6 networks. | module: dns64 | | dns64_prefix | 64:ff9b::/96 | subnet | DNS64 RFC6052 IPv4 in IPv6 well known prefix. | dns64-prefix: | | dhcp_link | none | program | Link to a DHCP server with supported scripts. See HOW TO above. | local-zone: local-data: forward-zone: | @@ -210,10 +211,13 @@ One instance is supported currently. | domain | lan | domain | This will suffix DHCP host records and be the default search domain. | local-zone: | | domain_insecure | (empty) | domain | **List** domains that you wish to skip DNSSEC. It is one way around NTP chicken and egg. Your DHCP domains are automatically included. | domain-insecure: | | domain_type | static | state | This allows you to lock down or allow forwarding of the local zone.
`static`: no forwarding like dnsmasq default
`refuse`: answer overtly with REFUSED
`deny`: covertly drop all queries
`transparent`: may continue forwarding or recusion | local-zone: | -| edns_size | 1280 | bytes | Extended DNS is necessary for DNSSEC. Use this to manage MTU issues. | edns-size: | +| edns_size | 1232 | bytes | Extended DNS is necessary for DNSSEC. Use this to manage MTU issues. | edns-size: | | extended_stats | 0 | boolean | Extended statistics are stored in Unbound memory for report by `unbound-control`. | extended-statistics: | | hide_binddata | 1 | boolean | Refuse possible attack queries like version.server, version.bind, id.server, and hostname.bind. | hide-identity: hide-version: | -| interface_auto | 1 | boolean | RECOMMEND ENABLED otherwise Unbound answers to any attached address regardless of query in-address. | interface-automatic: | +| iface_lan | lan | interface | **List** to add interafaces you wish to consider to be LAN beyond those served by DHCP | interface: access-control: | +| iface_trig | lan wan | interface | **List** interfaces to watch IFUP to restart Unbound. This works around `netifd` and `procd` hyper activity with WAN DHCPv6 (else restart each 2-3 minutes). | - | +| iface_wan | wan | interface | **List** interafaces you wish to consider to be WAN for masked local zone purposes | interface-outgoing: | +| interface_auto | 1 | boolean | RECOMMEND ENABLED otherwise Unbound answers to any attached address regardless of query in-address. This also binds Unboud to the wild card address. | interface-automatic: | | listen_port | 53 | port | Inbound port where Unbound will listen for queries. | port: | | localservice | 1 | boolean | Prevent DNS amplification attacks. Only answer to subnets this machine has interfaces on. | access-control: | | manual_conf | 0 | boolean | Skip all this UCI nonsense. Manually edit the configuration in `/etc/unbound/unbound.conf`. | - | @@ -227,7 +231,6 @@ One instance is supported currently. | recursion | passive | state | Unbound has many options for recrusion but UCI is bundled for simplicity.
`passive`: slower until cache fills but kind on CPU load
`default`: built-in defaults
`aggressive`: uses prefetching to handle more requests quickly | (many) | | resource | small | state | Unbound has many options for memory resources but UCI is bundled for simplicity.
`tiny`: similar to published memory restricted configuration
`small`: about half of medium
`medium`: similar to default
`default`: built-in defaults
`large`: about double of medium | \*-cache-size: | | root_age | 9 | day | >90 Disables. Age limit for root data like root DNSSEC key. Scripts will copy from `tmps` to flash ROM with this limit to save write life. | - | -| trigger_interface | lan wan | interface | **List** interfaces to watch IFUP to restart Unbound. This works around `netifd` and `procd` hyper activity with WAN DHCPv6 (else restart each 2-3 minutes). | - | | ttl_min | 120 | second | Minimum TTL in cache to avoid abused low TTL for snoop-vertising and non-standard load balancing. Typical to configure maybe 0~300 but 1800 is the maximum accepted. | cache-min-ttl: | | unbound_control | 0 | level | Enables `unbound-control` application access ports.
`0`: None else add your own in unbound_ext.conf
`1`: Unencrypted Local Host Access
`2`: SSL Local Host Access w/ auto unbound-control-setup
`3`: SSL Network Access w/ auto unbound-control-setup
`4`: SSL Network Access; static key/pem files must already exist | unbound-control: ... (clause) | | validator | 0 | boolean | Enable DNSSEC validator module. | module: validator | @@ -238,7 +241,7 @@ One instance is supported currently. Confingure any mix of Unbound `forward-zone:`, `stub-zone:`, or `auth-zone:` clauses. These sections are more compact than Unbound and will unroll into Unbound's configuration syntax. | UCI | Default | Units | Description | Unbound | | --- | ------- | ----- | ----------- | ------- | -| dns_assist | none | program | Check against local host forwarding by requiring a target program to exist and be enabled else do not permit forwarding `127.0.0.0/8` or `::1`. Includes bind, dnsmasq, ipset-dns, and nsd. | forward-addr: | +| dns_assist | none | program | Check against local host forwarding by requiring a target program to exist and be enabled else do not permit forwarding `127.0.0.0/8` or `::1`. Includes bind, dnsmasq, http-proxy-dns, ipset-dns, and nsd. | forward-addr: | | enabled | 0 | boolean | turn zone on or off without deleting it | - | | fallback | 1 | boolean | Allow this zone to fall through to other zones or recursion. | forward-first: | | port | 53 | port | Target server's target port for plain DNS operations. | (auto 192.0.2.53 \#53) diff --git a/net/unbound/files/defaults.sh b/net/unbound/files/defaults.sh index 785631e3d..4478ae6ed 100644 --- a/net/unbound/files/defaults.sh +++ b/net/unbound/files/defaults.sh @@ -14,7 +14,11 @@ # ############################################################################## +# while useful (sh)ellcheck is pedantic and noisy +# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155 + # where are we? +UB_ETCDIR=/etc/unbound UB_LIBDIR=/usr/lib/unbound UB_VARDIR=/var/lib/unbound UB_PIDFILE=/var/run/unbound.pid 
@@ -40,7 +44,6 @@ UB_RESOLV_AUTO=/tmp/resolv.conf.d/resolv.conf.auto # TLS keys UB_TLS_KEY_FILE="TLS server UCI not implemented" UB_TLS_PEM_FILE="TLS server UCI not implemented" -UB_TLS_FWD_FILE=$UB_VARDIR/ca-certificates.crt UB_TLS_ETC_FILE=/etc/ssl/certs/ca-certificates.crt # start files @@ -50,10 +53,10 @@ UB_TIME_FILE=$UB_VARDIR/hotplug.time UB_SKIP_FILE=$UB_VARDIR/skip.time # control app keys -UB_CTLKEY_FILE=$UB_VARDIR/unbound_control.key -UB_CTLPEM_FILE=$UB_VARDIR/unbound_control.pem -UB_SRVKEY_FILE=$UB_VARDIR/unbound_server.key -UB_SRVPEM_FILE=$UB_VARDIR/unbound_server.pem +UB_CTLKEY_FILE=$UB_ETCDIR/unbound_control.key +UB_CTLPEM_FILE=$UB_ETCDIR/unbound_control.pem +UB_SRVKEY_FILE=$UB_ETCDIR/unbound_server.key +UB_SRVPEM_FILE=$UB_ETCDIR/unbound_server.pem # similar default SOA / NS RR as Unbound uses for private ARPA zones UB_XSER=$(( $( date +%s ) / 60 )) diff --git a/net/unbound/files/dnsmasq.sh b/net/unbound/files/dnsmasq.sh index 6dcbaecd8..eae8dae98 100644 --- a/net/unbound/files/dnsmasq.sh +++ b/net/unbound/files/dnsmasq.sh @@ -23,6 +23,9 @@ # ############################################################################## +# while useful (sh)ellcheck is pedantic and noisy +# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155 + DM_D_WAN_FQDN=0 DM_LIST_KNOWN_ZONES="invalid" diff --git a/net/unbound/files/iptools.sh b/net/unbound/files/iptools.sh index f25265d0f..9524f4ffe 100644 --- a/net/unbound/files/iptools.sh +++ b/net/unbound/files/iptools.sh @@ -21,6 +21,13 @@ # ############################################################################## +# while useful (sh)ellcheck is pedantic and noisy +# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155 + +UB_IPTOOLS_BLANK= + +############################################################################## + domain_ptr_ip6() { # Get the nibble rounded /CIDR ...ip6.arpa. echo "$1" | awk -F: \ 
diff --git a/net/unbound/files/odhcpd.sh b/net/unbound/files/odhcpd.sh index d8390c870..b8af615a5 100644 --- a/net/unbound/files/odhcpd.sh +++ b/net/unbound/files/odhcpd.sh @@ -23,6 +23,13 @@ # ############################################################################## +# while useful (sh)ellcheck is pedantic and noisy +# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155 + +UB_ODHCPD_BLANK= + +############################################################################## + odhcpd_zonedata() { . /lib/functions.sh . /usr/lib/unbound/defaults.sh diff --git a/net/unbound/files/stopping.sh b/net/unbound/files/stopping.sh index c3f27ecac..90c383a65 100644 --- a/net/unbound/files/stopping.sh +++ b/net/unbound/files/stopping.sh @@ -19,6 +19,9 @@ # ############################################################################## +# while useful (sh)ellcheck is pedantic and noisy +# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155 + . /usr/lib/unbound/defaults.sh ############################################################################## diff --git a/net/unbound/files/unbound.init b/net/unbound/files/unbound.init index fa94a3b35..fb363e188 100755 --- a/net/unbound/files/unbound.init +++ b/net/unbound/files/unbound.init @@ -9,6 +9,9 @@ # ############################################################################## +# while useful (sh)ellcheck is pedantic and noisy +# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155 + START=19 STOP=50 USE_PROCD=1 
@@ -54,9 +57,10 @@ stop_service() { ############################################################################## service_triggers() { - local legacy=$( uci_get unbound.@unbound[0].trigger ) - local triggers=$( uci_get unbound.@unbound[0].trigger_interface ) - local trigger="$triggers $legacy" + local legacy1=$( uci_get unbound.@unbound[0].trigger ) + local legacy2=$( uci_get unbound.@unbound[0].trigger_interface ) + local legacy3=$( uci_get unbound.@unbound[0].iface_trig ) + local triggers="$legacy1 $legacy2 $legacy3" . /usr/lib/unbound/defaults.sh diff --git a/net/unbound/files/unbound.ntpd b/net/unbound/files/unbound.ntpd index d9d0deefa..6f490cd0a 100755 --- a/net/unbound/files/unbound.ntpd +++ b/net/unbound/files/unbound.ntpd @@ -12,12 +12,14 @@ # ############################################################################## -# Common file location definitions +# while useful (sh)ellcheck is pedantic and noisy +# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155 + . /usr/lib/unbound/defaults.sh ############################################################################## -if [ ! -f "$UB_TIME_FILE" -a "$ACTION" = stratum ] ; then +if [ ! -f "$UB_TIME_FILE" ] && [ "$ACTION" = stratum ] ; then date -Is > $UB_TIME_FILE /etc/init.d/unbound enabled && /etc/init.d/unbound restart # Yes, hard RESTART. We need to be absolutely sure to enable DNSSEC. diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh index 0e2ebaf4d..c8460c07c 100644 --- a/net/unbound/files/unbound.sh +++ b/net/unbound/files/unbound.sh @@ -23,6 +23,9 @@ # ############################################################################## +# while useful (sh)ellcheck is pedantic and noisy +# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155 + UB_B_AUTH_ROOT=0 UB_B_DNS_ASSIST=0 UB_B_DNSSEC=0 @@ -53,7 +56,7 @@ UB_D_WAN_FQDN=0 UB_IP_DNS64="64:ff9b::/96" -UB_N_EDNS_SIZE=1280 +UB_N_EDNS_SIZE=1232 UB_N_RX_PORT=53 UB_N_ROOT_AGE=9 UB_N_THREADS=1 
@@ -114,7 +117,7 @@ bundle_all_networks() { ############################################################################## -bundle_lan_networks() { +bundle_dhcp_networks() { local cfg="$1" local interface ifsubnet ifname ifdashname ignore @@ -139,19 +142,50 @@ bundle_lan_networks() { ############################################################################## +bundle_lan_networks() { + local interface="$1" + local ifsubnet ifname ifdashname + + network_get_device ifname "$interface" + ifdashname="${ifname//./-}" + + + if [ -n "$ifdashname" ] && [ -n "$UB_LIST_NETW_ALL" ] ; then + for ifsubnet in $UB_LIST_NETW_ALL ; do + case $ifsubnet in + "${ifdashname}"@*) + # Special GLA protection for local block; ULA protected default + UB_LIST_NETW_LAN="$UB_LIST_NETW_LAN $ifsubnet" + ;; + esac + done + fi +} + +############################################################################## + bundle_wan_networks() { - local ifsubnet + local interface="$1" + local ifsubnet ifname ifdashname + + network_get_device ifname "$interface" + ifdashname="${ifname//./-}" - if [ -n "$UB_LIST_NETW_ALL" ] ; then + if [ -n "$ifdashname" ] && [ -n "$UB_LIST_NETW_ALL" ] ; then for ifsubnet in $UB_LIST_NETW_ALL ; do case $UB_LIST_NETW_LAN in *"${ifsubnet}"*) - # If LAN, then not WAN ... + # If LAN, then not WAN ... scripts might become complex ;; *) - UB_LIST_NETW_WAN="$UB_LIST_NETW_WAN $ifsubnet" + case $ifsubnet in + "${ifdashname}"@*) + # Special GLA protection for local block; ULA protected default + UB_LIST_NETW_WAN="$UB_LIST_NETW_WAN $ifsubnet" + ;; + esac ;; esac done @@ -218,7 +252,8 @@ unbound_mkdir() { mkdir -p $UB_VARDIR rm -f $UB_VARDIR/dhcp_* touch $UB_TOTAL_CONF - cp -p /etc/unbound/* $UB_VARDIR/ + cp -p $UB_ETCDIR/*.conf $UB_VARDIR/ + cp -p $UB_ETCDIR/root.* $UB_VARDIR/ if [ ! -f $UB_RHINT_FILE ] ; then 
@@ -253,42 +288,28 @@ unbound_mkdir() { fi - if [ -f $UB_TLS_ETC_FILE ] ; then - # copy the cert bundle into jail - cp -p $UB_TLS_ETC_FILE $UB_TLS_FWD_FILE - fi - - # Ensure access and prepare to jail chown -R unbound:unbound $UB_VARDIR chmod 755 $UB_VARDIR chmod 644 $UB_VARDIR/* - if [ -f $UB_CTLKEY_FILE ] || [ -f $UB_CTLPEM_FILE ] \ - || [ -f $UB_SRVKEY_FILE ] || [ -f $UB_SRVPEM_FILE ] ; then - # Keys (some) exist already; do not create new ones - chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \ - $UB_SRVKEY_FILE $UB_SRVPEM_FILE - - elif [ -x /usr/sbin/unbound-control-setup ] ; then - case "$UB_D_CONTROL" in - [2-3]) - # unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static" - /usr/sbin/unbound-control-setup -d $UB_VARDIR - - chown -R unbound:unbound $UB_CTLKEY_FILE $UB_CTLPEM_FILE \ - $UB_SRVKEY_FILE $UB_SRVPEM_FILE + if [ -x /usr/sbin/unbound-control-setup ] ; then + if [ ! -f $UB_CTLKEY_FILE ] || [ ! -f $UB_CTLPEM_FILE ] \ + || [ ! -f $UB_SRVKEY_FILE ] || [ ! -f $UB_SRVPEM_FILE ] ; then + case "$UB_D_CONTROL" in + [2-3]) + # unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static" + /usr/sbin/unbound-control-setup -d $UB_ETCDIR - chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \ - $UB_SRVKEY_FILE $UB_SRVPEM_FILE + chown -R unbound:unbound $UB_CTLKEY_FILE $UB_CTLPEM_FILE \ + $UB_SRVKEY_FILE $UB_SRVPEM_FILE - cp -p $UB_CTLKEY_FILE /etc/unbound/unbound_control.key - cp -p $UB_CTLPEM_FILE /etc/unbound/unbound_control.pem - cp -p $UB_SRVKEY_FILE /etc/unbound/unbound_server.key - cp -p $UB_SRVPEM_FILE /etc/unbound/unbound_server.pem - ;; - esac + chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \ + $UB_SRVKEY_FILE $UB_SRVPEM_FILE + ;; + esac + fi fi 
@@ -452,6 +473,19 @@ unbound_zone() { fi ;; + htpps-dns-proxy) + if [ -x /usr/sbin/https-dns-proxy ] \ + && [ -x /etc/init.d/https-dns-proxy ] ; then + if /etc/init.d/https-dns-proxy ; then + dns_ast=1 + else + dns_ast=0 + fi + else + dns_ast=0 + fi + ;; + ipset-dns) if [ -x /usr/sbin/ipset-dns ] && [ -x /etc/init.d/ipset-dns ] ; then if /etc/init.d/ipset-dns enabled ; then @@ -476,10 +510,17 @@ unbound_zone() { fi ;; + unprotected-loop) + # Soft brick risk. The server you are looking to connect to may be offline + # and cause loop error: procd, sysupgrade, package order, and other issues. + dns_ast=1 + ;; + *) - # Prevent a soft-brick event through local forwarding loops. Declare your - # assistant program and this will check to be sure it is there. + # Unbound has a local forward blocking option, default on, instead of loop + # detection. If it is released, then it may be a soft brick risk. dns_ast=0 + ;; esac @@ -527,7 +568,7 @@ unbound_zone() { ;; forward_zone) - if [ ! -f $UB_TLS_FWD_FILE ] && [ "$tls_upstream" = "yes" ] ; then + if [ ! -f $UB_TLS_ETC_FILE ] && [ "$tls_upstream" = "yes" ] ; then logger -p 4 -t unbound -s \ "Forward-zone TLS benefits from authentication in package 'ca-bundle'" fi @@ -555,6 +596,11 @@ unbound_zone() { else case $server in + 127.*|::0*) + # soft brick loop back risk see DNS assist above + echo "do nothing" >/dev/null + ;; + *@[0-9]*|*#[A-Za-z0-9]*) # unique Unbound option for server host name servers_host="$servers_host $server" @@ -633,10 +679,10 @@ unbound_conf() { } > $UB_CORE_CONF - if [ -f "$UB_TLS_FWD_FILE" ] ; then + if [ -f "$UB_TLS_ETC_FILE" ] ; then # TLS cert bundle for upstream forwarder and https zone files # This is loaded before drop to root, so pull from /etc/ssl - echo " tls-cert-bundle: $UB_TLS_FWD_FILE" >> $UB_CORE_CONF + echo " tls-cert-bundle: $UB_TLS_ETC_FILE" >> $UB_CORE_CONF fi 
@@ -690,14 +736,14 @@ unbound_conf() { if [ $UB_B_EXT_STATS -gt 0 ] ; then { - # Log More + # store more data in memory for unbound-control to report echo " extended-statistics: yes" echo } >> $UB_CORE_CONF else { - # Log Less + # store Less echo " extended-statistics: no" echo } >> $UB_CORE_CONF @@ -714,14 +760,17 @@ unbound_conf() { fi + { + # avoid interference with SPI/NAT on both reserved and common server ports + echo " edns-buffer-size: $UB_N_EDNS_SIZE" + echo " port: $UB_N_RX_PORT" + echo " outgoing-port-permit: 10240-65535" + } >> $UB_CORE_CONF + + case "$UB_D_PROTOCOL" in ip4_only) { - echo " edns-buffer-size: $UB_N_EDNS_SIZE" - echo " port: $UB_N_RX_PORT" - echo " outgoing-port-permit: 10240-65535" - echo " interface: 0.0.0.0" - echo " outgoing-interface: 0.0.0.0" echo " do-ip4: yes" echo " do-ip6: no" echo @@ -730,42 +779,29 @@ unbound_conf() { ip6_only) { - echo " edns-buffer-size: $UB_N_EDNS_SIZE" - echo " port: $UB_N_RX_PORT" - echo " outgoing-port-permit: 10240-65535" - echo " interface: ::0" - echo " outgoing-interface: ::0" echo " do-ip4: no" echo " do-ip6: yes" echo } >> $UB_CORE_CONF ;; - ip6_local) + ip6_local) { - echo " edns-buffer-size: $UB_N_EDNS_SIZE" - echo " port: $UB_N_RX_PORT" - echo " outgoing-port-permit: 10240-65535" - echo " interface: 0.0.0.0" - echo " interface: ::0" - echo " outgoing-interface: 0.0.0.0" + # answer your local IPv6 network but avoid broken ISP IPv6 echo " do-ip4: yes" echo " do-ip6: yes" + echo " prefer-ip4: yes" + echo " prefer-ip6: no" echo } >> $UB_CORE_CONF ;; ip6_prefer) { - echo " edns-buffer-size: $UB_N_EDNS_SIZE" - echo " port: $UB_N_RX_PORT" - echo " outgoing-port-permit: 10240-65535" - echo " interface: 0.0.0.0" - echo " interface: ::0" - echo " outgoing-interface: 0.0.0.0" - echo " outgoing-interface: ::0" + # RFC compliant dual stack echo " do-ip4: yes" echo " do-ip6: yes" + echo " prefer-ip4: no" echo " prefer-ip6: yes" echo } >> $UB_CORE_CONF 
@@ -773,14 +809,6 @@ unbound_conf() { mixed) { - # Interface Wildcard (access contol handled by "option local_service") - echo " edns-buffer-size: $UB_N_EDNS_SIZE" - echo " port: $UB_N_RX_PORT" - echo " outgoing-port-permit: 10240-65535" - echo " interface: 0.0.0.0" - echo " interface: ::0" - echo " outgoing-interface: 0.0.0.0" - echo " outgoing-interface: ::0" echo " do-ip4: yes" echo " do-ip6: yes" echo @@ -791,17 +819,6 @@ unbound_conf() { if [ $UB_B_READY -eq 0 ] ; then logger -t unbound -s "default protocol configuration" fi - - - { - # outgoing-interface has useful defaults; incoming is localhost though - echo " edns-buffer-size: $UB_N_EDNS_SIZE" - echo " port: $UB_N_RX_PORT" - echo " outgoing-port-permit: 10240-65535" - echo " interface: 0.0.0.0" - echo " interface: ::0" - echo - } >> $UB_CORE_CONF ;; esac @@ -1043,9 +1060,9 @@ unbound_conf() { fi - if [ $UB_B_LOCL_SERV -gt 0 ] && [ -n "$UB_LIST_NETW_ALL" ] ; then + if [ $UB_B_LOCL_SERV -gt 0 ] && [ -n "$UB_LIST_NETW_LAN" ] ; then { - for ifsubnet in $UB_LIST_NETW_ALL ; do + for ifsubnet in $UB_LIST_NETW_LAN ; do # Only respond to queries from subnets which have an interface. # Prevent DNS amplification attacks by not responding to the universe. echo " access-control: ${ifsubnet#*@} allow" @@ -1327,7 +1344,7 @@ unbound_uci() { config_get UB_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96" - config_get UB_N_EDNS_SIZE "$cfg" edns_size 1280 + config_get UB_N_EDNS_SIZE "$cfg" edns_size 1232 config_get UB_N_RX_PORT "$cfg" listen_port 53 config_get UB_N_ROOT_AGE "$cfg" root_age 9 config_get UB_N_THREADS "$cfg" num_threads 1 
@@ -1348,8 +1365,9 @@ unbound_uci() { config_get UB_TTL_MIN "$cfg" ttl_min 120 config_get UB_TXT_DOMAIN "$cfg" domain lan - config_list_foreach "$cfg" domain_insecure bundle_domain_insecure - + config_list_foreach "$cfg" domain_insecure bundle_domain_insecure + config_list_foreach "$cfg" iface_lan bundle_lan_networks + config_list_foreach "$cfg" iface_wan bundle_wan_networks if [ "$UB_D_DHCP_LINK" = "none" ] ; then config_get_bool UB_B_DNSMASQ "$cfg" dnsmasq_link_dns 0 @@ -1396,7 +1414,7 @@ unbound_uci() { if [ $UB_N_EDNS_SIZE -lt 512 ] || [ 4096 -lt $UB_N_EDNS_SIZE ] ; then logger -t unbound -s "edns_size exceeds range, using default" - UB_N_EDNS_SIZE=1280 + UB_N_EDNS_SIZE=1232 fi @@ -1541,6 +1559,11 @@ resolv_setup() { ############################################################################## unbound_start() { + # get interface subnets together + config_load network + config_foreach bundle_all_networks interface + + # read Unbound UCI but pick through it later config_load unbound config_foreach unbound_uci unbound unbound_mkdir @@ -1551,11 +1574,8 @@ unbound_start() { # forward-zone: auth-zone: and stub-zone: config_foreach unbound_zone zone # associate potential DNS RR with interfaces - config_load network - config_foreach bundle_all_networks interface config_load dhcp - config_foreach bundle_lan_networks dhcp - bundle_wan_networks + config_foreach bundle_dhcp_networks dhcp # server: unbound_conf unbound_hostname diff --git a/net/unbound/files/unbound.uci b/net/unbound/files/unbound.uci index f796a5802..432332e6e 100644 --- a/net/unbound/files/unbound.uci +++ b/net/unbound/files/unbound.uci @@ -1,4 +1,4 @@ -config unbound +config unbound 'ub_main' option add_extra_dns '0' option add_local_fqdn '1' option add_wan_fqdn '0' 
@@ -8,7 +8,7 @@ config unbound option dns64_prefix '64:ff9b::/96' option domain 'lan' option domain_type 'static' - option edns_size '1280' + option edns_size '1232' option extended_stats '0' option hide_binddata '1' option interface_auto '1' @@ -30,11 +30,12 @@ config unbound option validator '0' option validator_ntp '1' option verbosity '1' - list trigger_interface 'lan' - list trigger_interface 'wan' + list iface_trig 'lan' + list iface_trig 'wan' + list iface_wan 'wan' #list domain_insecure 'ntp.example.com' -config zone +config zone 'auth_icann' # cache the root zone all at once to speed up recursion option enabled '0' option fallback '1' @@ -47,7 +48,7 @@ config zone list zone_name 'in-addr.arpa.' list zone_name 'ip6.arpa.' -config zone +config zone 'fwd_isp' # forward ISP account management to DHCP announced DNS servers option enabled '0' option fallback '1' @@ -56,3 +57,27 @@ config zone list zone_name 'isp-bill.example.com.' list zone_name 'isp-mail.example.net.' +config zone 'fwd_google' + option enabled '0' + option fallback '1' + option tls_index 'dns.google' + option tls_upstream '1' + option zone_type 'forward_zone' + list server '8.8.4.4' + list server '8.8.8.8' + list server '2001:4860:4860::8844' + list server '2001:4860:4860::8888' + list zone_name '.' + +config zone 'fwd_cloudflare' + option enabled '0' + option fallback '1' + option tls_index 'cloudflare-dns.com' + option tls_upstream '1' + option zone_type 'forward_zone' + list server '1.1.1.1' + list server '1.0.0.1' + list server '2606:4700:4700::1111' + list server '2606:4700:4700::1001' + list zone_name '.' +
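Review bot: Typos in the new README rows of the `@@ -210,10 +211,13 @@` hunk: "interafaces" appears in both the `iface_lan` and `iface_wan` descriptions, and "Unboud" in the extended `interface_auto` row. The Unbound column for `iface_wan` also names `interface-outgoing:`, which is not an Unbound option; the option this patch removes from `unbound.sh` is spelled `outgoing-interface:`, so the row should use that name.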
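Review bot: The `dns_assist` row in the `@@ -238,7 +241,7 @@` README hunk lists the new program as "http-proxy-dns", but the matching `case` label added to `unbound_zone()` is `htpps-dns-proxy` and the binary it tests for is `/usr/sbin/https-dns-proxy`. Three spellings for one program means the value a user types into `option dns_assist` will not match; pick `https-dns-proxy` everywhere and document that exact string here.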
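Review bot: The `shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155` header added to every script in `defaults.sh` (and repeated in seven other files) switches off SC2086 (unquoted expansions) and SC2154 (variable referenced but not assigned) file-wide, which hides the same class of defect this patch fixes elsewhere (`-a` replaced by `&&` in `unbound.ntpd`). Prefer targeted `# shellcheck disable=...` directives on the lines that need them, and keep the list in one place rather than copied eight times.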
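Review bot: In the restructured key block of `unbound_mkdir()` (`@@ -253,42 +288,28 @@`), the old first branch that ran `chmod 640` on keys that already exist has been dropped; now when all four files are present, or when `UB_D_CONTROL` is 4 (static keys supplied by the user), nothing touches their ownership or mode. Since the keys have moved out of `$UB_VARDIR` they are no longer caught by `chmod 644 $UB_VARDIR/*`, which is correct, but a user-supplied key with loose permissions is now left as found; consider keeping a `chmod 640` on whichever of the four files exist regardless of the generation branch.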
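Review bot: The new `htpps-dns-proxy)` branch in `unbound_zone()` (`@@ -452,6 +473,19 @@`) runs `if /etc/init.d/https-dns-proxy ; then` without an action, whereas the `ipset-dns` branch immediately below it runs `/etc/init.d/ipset-dns enabled`. An init script invoked with no action prints usage and does not report enablement, so `dns_ast` will not reflect whether the proxy is actually enabled; change the test to `/etc/init.d/https-dns-proxy enabled` and fix the `htpps` typo in the case label.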
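Review bot: The loopback guard added to the `case $server in` block (`@@ -555,6 +596,11 @@`) uses the pattern `127.*|::0*`, but the IPv6 loopback address the README says must not be forwarded is `::1`, which does not match `::0*` (that pattern matches `::0...` only). Use `127.*|::1)` (or `::1*` if a port suffix can follow). Also replace `echo "do nothing" >/dev/null` with the shell no-op `:`.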
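Review bot: The `forward_zone)` test in `@@ -527,7 +568,7 @@` compares `"$tls_upstream" = "yes"`, while the shipped `unbound.uci` in this same patch sets `option tls_upstream '1'` for `fwd_google` and `fwd_cloudflare`. If `tls_upstream` is read with `config_get_bool` it will be `1`/`0`, never `yes`, and the missing-CA-bundle warning would never fire; confirm the variable is normalised to `yes`/`no` before this point or compare against the boolean.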
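Review bot: After the `@@ -714,14 +760,17 @@` through `@@ -791,17 +819,6 @@` hunks, no protocol branch emits `interface:` or `outgoing-interface:` any more; the only hint of where listeners come from is the README's note that `interface_auto` "also binds Unbound to the wild card address". Please state in the commit message (or a comment at the hoisted `edns-buffer-size`/`port` block) what emits `interface:` when `interface_auto` is `0`, since an Unbound with no `interface:` line listens on localhost only.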
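Review bot: Switching the `access-control:` loop (`@@ -1043,9 +1060,9 @@`) from `UB_LIST_NETW_ALL` to `UB_LIST_NETW_LAN` narrows who may query: interfaces that are neither DHCP-served nor listed in `iface_lan` are no longer allowed. The comment "Only respond to queries from subnets which have an interface" should now say LAN subnets, and the README claims a default of `lan` for `iface_lan` while `config_list_foreach` applies no default and the shipped `unbound.uci` carries no `list iface_lan` entry; either add that list to `unbound.uci` or correct the README default to "(empty)".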
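Review bot: Ordering problem in `unbound_start()` (`@@ -1541,6 +1559,11 @@` and `@@ -1551,11 +1574,8 @@`): `bundle_wan_networks` now runs inside `unbound_uci()` during `config_load unbound`, but `bundle_dhcp_networks` only runs later under `config_load dhcp`. So the "If LAN, then not WAN" check in `bundle_wan_networks` sees only `iface_lan` entries, and a DHCP-served interface that is also listed in `iface_wan` ends up in both `UB_LIST_NETW_LAN` and `UB_LIST_NETW_WAN`. Collect the `iface_wan` list in `unbound_uci()` but run `bundle_wan_networks` after `config_foreach bundle_dhcp_networks dhcp`.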
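Review bot: The new `fwd_google` and `fwd_cloudflare` zones in `unbound.uci` (`@@ -56,3 +57,27 @@`) forward `.` over TLS with `option fallback '1'`, which per the README maps to `forward-first:`; a user who enables one of these for privacy will silently drop to plain recursion whenever the TLS forwarder fails. Add a comment in the sample (as the other zones have) pointing out that `fallback '0'` is the setting that keeps all queries on the encrypted path.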