From 658c27ea97a246d313173e38e6962558aebed52b Mon Sep 17 00:00:00 2001 From: Eric Luehrsen Date: Mon, 26 Oct 2020 23:09:18 -0400 Subject: [PATCH] unbound: clean up interface interpretation in UCI DNS flag day 2020, software should reflect the minimum EDNS 1232 bytes. Added iface_wan and iface_lan to control internal DNS assignemnts and to control what is local service ACL. Interface wild cards are not explicitly set so that they can be customized in extended conf. Signed-off-by: Eric Luehrsen --- net/unbound/files/README.md | 13 +- net/unbound/files/defaults.sh | 13 +- net/unbound/files/dnsmasq.sh | 3 + net/unbound/files/iptools.sh | 7 ++ net/unbound/files/odhcpd.sh | 7 ++ net/unbound/files/stopping.sh | 3 + net/unbound/files/unbound.init | 10 +- net/unbound/files/unbound.ntpd | 6 +- net/unbound/files/unbound.sh | 210 ++++++++++++++++++--------------- net/unbound/files/unbound.uci | 37 +++++- 10 files changed, 193 insertions(+), 116 deletions(-) diff --git a/net/unbound/files/README.md b/net/unbound/files/README.md index 712923e57..825a07109 100644 --- a/net/unbound/files/README.md +++ b/net/unbound/files/README.md @@ -1,4 +1,5 @@ # Unbound Recursive DNS Server with UCI + ## Unbound Description [Unbound](https://www.unbound.net/) is a validating, recursive, and caching DNS resolver. The C implementation of Unbound is developed and maintained by [NLnet Labs](https://www.nlnetlabs.nl/). It is based on ideas and algorithms taken from a java prototype developed by Verisign labs, Nominet, Kirei and ep.net. Unbound is designed as a set of modular components, so that also DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible. @@ -202,7 +203,7 @@ One instance is supported currently. | --- | ------- | ----- | ----------- | ------- | | add_extra_dns | 0 | level | Read OpenWrt traditional options for `dnsmasq`.
`0`: Disabled
`1`: Use only domain
`2`: Use domain, mxhost, and srvhost
`3`: Use all cname, domain, mxhost, and srvhost | local-data: | | add_local_fqdn | 0 | level | Each level puts a more detailed router entry within the LAN DNS (except link).
`0`: Disabled
`1`: Host name on the primary address
`2`: Host name on all addresses
`3`: FQDN and host name on all addresses
`4`: FQDN defined by "iface.hostname.domain" | local-zone: local-data: | -| add_wan_fqdn | 0 | level | Same as `add_local_fqdn` but on WAN as inferred by `config dhcp` with `option ignore 1`. | local-zone: local-data: | +| add_wan_fqdn | 0 | level | Same as `add_local_fqdn` but on WAN as listed in `iface_wan` | local-zone: local-data: | | dns64 | 0 | boolean | Enable DNS64 RFC6052 to bridge IPv4 and IPv6 networks. | module: dns64 | | dns64_prefix | 64:ff9b::/96 | subnet | DNS64 RFC6052 IPv4 in IPv6 well known prefix. | dns64-prefix: | | dhcp_link | none | program | Link to a DHCP server with supported scripts. See HOW TO above. | local-zone: local-data: forward-zone: | @@ -210,10 +211,13 @@ One instance is supported currently. | domain | lan | domain | This will suffix DHCP host records and be the default search domain. | local-zone: | | domain_insecure | (empty) | domain | **List** domains that you wish to skip DNSSEC. It is one way around NTP chicken and egg. Your DHCP domains are automatically included. | domain-insecure: | | domain_type | static | state | This allows you to lock down or allow forwarding of the local zone.
`static`: no forwarding like dnsmasq default
`refuse`: answer overtly with REFUSED
`deny`: covertly drop all queries
`transparent`: may continue forwarding or recusion | local-zone: | -| edns_size | 1280 | bytes | Extended DNS is necessary for DNSSEC. Use this to manage MTU issues. | edns-size: | +| edns_size | 1232 | bytes | Extended DNS is necessary for DNSSEC. Use this to manage MTU issues. | edns-size: | | extended_stats | 0 | boolean | Extended statistics are stored in Unbound memory for report by `unbound-control`. | extended-statistics: | | hide_binddata | 1 | boolean | Refuse possible attack queries like version.server, version.bind, id.server, and hostname.bind. | hide-identity: hide-version: | -| interface_auto | 1 | boolean | RECOMMEND ENABLED otherwise Unbound answers to any attached address regardless of query in-address. | interface-automatic: | +| iface_lan | lan | interface | **List** to add interafaces you wish to consider to be LAN beyond those served by DHCP | interface: access-control: | +| iface_trig | lan wan | interface | **List** interfaces to watch IFUP to restart Unbound. This works around `netifd` and `procd` hyper activity with WAN DHCPv6 (else restart each 2-3 minutes). | - | +| iface_wan | wan | interface | **List** interafaces you wish to consider to be WAN for masked local zone purposes | interface-outgoing: | +| interface_auto | 1 | boolean | RECOMMEND ENABLED otherwise Unbound answers to any attached address regardless of query in-address. This also binds Unboud to the wild card address. | interface-automatic: | | listen_port | 53 | port | Inbound port where Unbound will listen for queries. | port: | | localservice | 1 | boolean | Prevent DNS amplification attacks. Only answer to subnets this machine has interfaces on. | access-control: | | manual_conf | 0 | boolean | Skip all this UCI nonsense. Manually edit the configuration in `/etc/unbound/unbound.conf`. | - | @@ -227,7 +231,6 @@ One instance is supported currently. | recursion | passive | state | Unbound has many options for recrusion but UCI is bundled for simplicity.
`passive`: slower until cache fills but kind on CPU load
`default`: built-in defaults
`aggressive`: uses prefetching to handle more requests quickly | (many) | | resource | small | state | Unbound has many options for memory resources but UCI is bundled for simplicity.
`tiny`: similar to published memory restricted configuration
`small`: about half of medium
`medium`: similar to default
`default`: built-in defaults
`large`: about double of medium | \*-cache-size: | | root_age | 9 | day | >90 Disables. Age limit for root data like root DNSSEC key. Scripts will copy from `tmps` to flash ROM with this limit to save write life. | - | -| trigger_interface | lan wan | interface | **List** interfaces to watch IFUP to restart Unbound. This works around `netifd` and `procd` hyper activity with WAN DHCPv6 (else restart each 2-3 minutes). | - | | ttl_min | 120 | second | Minimum TTL in cache to avoid abused low TTL for snoop-vertising and non-standard load balancing. Typical to configure maybe 0~300 but 1800 is the maximum accepted. | cache-min-ttl: | | unbound_control | 0 | level | Enables `unbound-control` application access ports.
`0`: None else add your own in unbound_ext.conf
`1`: Unencrypted Local Host Access
`2`: SSL Local Host Access w/ auto unbound-control-setup
`3`: SSL Network Access w/ auto unbound-control-setup
`4`: SSL Network Access; static key/pem files must already exist | unbound-control: ... (clause) | | validator | 0 | boolean | Enable DNSSEC validator module. | module: validator | @@ -238,7 +241,7 @@ One instance is supported currently. Confingure any mix of Unbound `forward-zone:`, `stub-zone:`, or `auth-zone:` clauses. These sections are more compact than Unbound and will unroll into Unbound's configuration syntax. | UCI | Default | Units | Description | Unbound | | --- | ------- | ----- | ----------- | ------- | -| dns_assist | none | program | Check against local host forwarding by requiring a target program to exist and be enabled else do not permit forwarding `127.0.0.0/8` or `::1`. Includes bind, dnsmasq, ipset-dns, and nsd. | forward-addr: | +| dns_assist | none | program | Check against local host forwarding by requiring a target program to exist and be enabled else do not permit forwarding `127.0.0.0/8` or `::1`. Includes bind, dnsmasq, http-proxy-dns, ipset-dns, and nsd. | forward-addr: | | enabled | 0 | boolean | turn zone on or off without deleting it | - | | fallback | 1 | boolean | Allow this zone to fall through to other zones or recursion. | forward-first: | | port | 53 | port | Target server's target port for plain DNS operations. | (auto 192.0.2.53 \#53) diff --git a/net/unbound/files/defaults.sh b/net/unbound/files/defaults.sh index 785631e3d..4478ae6ed 100644 --- a/net/unbound/files/defaults.sh +++ b/net/unbound/files/defaults.sh @@ -14,7 +14,11 @@ # ############################################################################## +# while useful (sh)ellcheck is pedantic and noisy +# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155 + # where are we? +UB_ETCDIR=/etc/unbound UB_LIBDIR=/usr/lib/unbound UB_VARDIR=/var/lib/unbound UB_PIDFILE=/var/run/unbound.pid 
@@ -40,7 +44,6 @@ UB_RESOLV_AUTO=/tmp/resolv.conf.d/resolv.conf.auto # TLS keys UB_TLS_KEY_FILE="TLS server UCI not implemented" UB_TLS_PEM_FILE="TLS server UCI not implemented" -UB_TLS_FWD_FILE=$UB_VARDIR/ca-certificates.crt UB_TLS_ETC_FILE=/etc/ssl/certs/ca-certificates.crt # start files @@ -50,10 +53,10 @@ UB_TIME_FILE=$UB_VARDIR/hotplug.time UB_SKIP_FILE=$UB_VARDIR/skip.time # control app keys -UB_CTLKEY_FILE=$UB_VARDIR/unbound_control.key -UB_CTLPEM_FILE=$UB_VARDIR/unbound_control.pem -UB_SRVKEY_FILE=$UB_VARDIR/unbound_server.key -UB_SRVPEM_FILE=$UB_VARDIR/unbound_server.pem +UB_CTLKEY_FILE=$UB_ETCDIR/unbound_control.key +UB_CTLPEM_FILE=$UB_ETCDIR/unbound_control.pem +UB_SRVKEY_FILE=$UB_ETCDIR/unbound_server.key +UB_SRVPEM_FILE=$UB_ETCDIR/unbound_server.pem # similar default SOA / NS RR as Unbound uses for private ARPA zones UB_XSER=$(( $( date +%s ) / 60 )) diff --git a/net/unbound/files/dnsmasq.sh b/net/unbound/files/dnsmasq.sh index 6dcbaecd8..eae8dae98 100644 --- a/net/unbound/files/dnsmasq.sh +++ b/net/unbound/files/dnsmasq.sh @@ -23,6 +23,9 @@ # ############################################################################## +# while useful (sh)ellcheck is pedantic and noisy +# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155 + DM_D_WAN_FQDN=0 DM_LIST_KNOWN_ZONES="invalid" diff --git a/net/unbound/files/iptools.sh b/net/unbound/files/iptools.sh index f25265d0f..9524f4ffe 100644 --- a/net/unbound/files/iptools.sh +++ b/net/unbound/files/iptools.sh @@ -21,6 +21,13 @@ # ############################################################################## +# while useful (sh)ellcheck is pedantic and noisy +# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155 + +UB_IPTOOLS_BLANK= + +############################################################################## + domain_ptr_ip6() { # Get the nibble rounded /CIDR ...ip6.arpa. echo "$1" | awk -F: \ 
diff --git a/net/unbound/files/odhcpd.sh b/net/unbound/files/odhcpd.sh index d8390c870..b8af615a5 100644 --- a/net/unbound/files/odhcpd.sh +++ b/net/unbound/files/odhcpd.sh @@ -23,6 +23,13 @@ # ############################################################################## +# while useful (sh)ellcheck is pedantic and noisy +# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155 + +UB_ODHCPD_BLANK= + +############################################################################## + odhcpd_zonedata() { . /lib/functions.sh . /usr/lib/unbound/defaults.sh diff --git a/net/unbound/files/stopping.sh b/net/unbound/files/stopping.sh index c3f27ecac..90c383a65 100644 --- a/net/unbound/files/stopping.sh +++ b/net/unbound/files/stopping.sh @@ -19,6 +19,9 @@ # ############################################################################## +# while useful (sh)ellcheck is pedantic and noisy +# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155 + . /usr/lib/unbound/defaults.sh ############################################################################## diff --git a/net/unbound/files/unbound.init b/net/unbound/files/unbound.init index fa94a3b35..fb363e188 100755 --- a/net/unbound/files/unbound.init +++ b/net/unbound/files/unbound.init @@ -9,6 +9,9 @@ # ############################################################################## +# while useful (sh)ellcheck is pedantic and noisy +# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155 + START=19 STOP=50 USE_PROCD=1 
@@ -54,9 +57,10 @@ stop_service() { ############################################################################## service_triggers() { - local legacy=$( uci_get unbound.@unbound[0].trigger ) - local triggers=$( uci_get unbound.@unbound[0].trigger_interface ) - local trigger="$triggers $legacy" + local legacy1=$( uci_get unbound.@unbound[0].trigger ) + local legacy2=$( uci_get unbound.@unbound[0].trigger_interface ) + local legacy3=$( uci_get unbound.@unbound[0].iface_trig ) + local triggers="$legacy1 $legacy2 $legacy3" . /usr/lib/unbound/defaults.sh diff --git a/net/unbound/files/unbound.ntpd b/net/unbound/files/unbound.ntpd index d9d0deefa..6f490cd0a 100755 --- a/net/unbound/files/unbound.ntpd +++ b/net/unbound/files/unbound.ntpd @@ -12,12 +12,14 @@ # ############################################################################## -# Common file location definitions +# while useful (sh)ellcheck is pedantic and noisy +# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155 + . /usr/lib/unbound/defaults.sh ############################################################################## -if [ ! -f "$UB_TIME_FILE" -a "$ACTION" = stratum ] ; then +if [ ! -f "$UB_TIME_FILE" ] && [ "$ACTION" = stratum ] ; then date -Is > $UB_TIME_FILE /etc/init.d/unbound enabled && /etc/init.d/unbound restart # Yes, hard RESTART. We need to be absolutely sure to enable DNSSEC. diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh index 0e2ebaf4d..c8460c07c 100644 --- a/net/unbound/files/unbound.sh +++ b/net/unbound/files/unbound.sh @@ -23,6 +23,9 @@ # ############################################################################## +# while useful (sh)ellcheck is pedantic and noisy +# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155 + UB_B_AUTH_ROOT=0 UB_B_DNS_ASSIST=0 UB_B_DNSSEC=0 @@ -53,7 +56,7 @@ UB_D_WAN_FQDN=0 UB_IP_DNS64="64:ff9b::/96" -UB_N_EDNS_SIZE=1280 +UB_N_EDNS_SIZE=1232 UB_N_RX_PORT=53 UB_N_ROOT_AGE=9 UB_N_THREADS=1 
@@ -114,7 +117,7 @@ bundle_all_networks() { ############################################################################## -bundle_lan_networks() { +bundle_dhcp_networks() { local cfg="$1" local interface ifsubnet ifname ifdashname ignore @@ -139,19 +142,50 @@ bundle_lan_networks() { ############################################################################## +bundle_lan_networks() { + local interface="$1" + local ifsubnet ifname ifdashname + + network_get_device ifname "$interface" + ifdashname="${ifname//./-}" + + + if [ -n "$ifdashname" ] && [ -n "$UB_LIST_NETW_ALL" ] ; then + for ifsubnet in $UB_LIST_NETW_ALL ; do + case $ifsubnet in + "${ifdashname}"@*) + # Special GLA protection for local block; ULA protected default + UB_LIST_NETW_LAN="$UB_LIST_NETW_LAN $ifsubnet" + ;; + esac + done + fi +} + +############################################################################## + bundle_wan_networks() { - local ifsubnet + local interface="$1" + local ifsubnet ifname ifdashname + + network_get_device ifname "$interface" + ifdashname="${ifname//./-}" - if [ -n "$UB_LIST_NETW_ALL" ] ; then + if [ -n "$ifdashname" ] && [ -n "$UB_LIST_NETW_ALL" ] ; then for ifsubnet in $UB_LIST_NETW_ALL ; do case $UB_LIST_NETW_LAN in *"${ifsubnet}"*) - # If LAN, then not WAN ... + # If LAN, then not WAN ... scripts might become complex ;; *) - UB_LIST_NETW_WAN="$UB_LIST_NETW_WAN $ifsubnet" + case $ifsubnet in + "${ifdashname}"@*) + # Special GLA protection for local block; ULA protected default + UB_LIST_NETW_WAN="$UB_LIST_NETW_WAN $ifsubnet" + ;; + esac ;; esac done @@ -218,7 +252,8 @@ unbound_mkdir() { mkdir -p $UB_VARDIR rm -f $UB_VARDIR/dhcp_* touch $UB_TOTAL_CONF - cp -p /etc/unbound/* $UB_VARDIR/ + cp -p $UB_ETCDIR/*.conf $UB_VARDIR/ + cp -p $UB_ETCDIR/root.* $UB_VARDIR/ if [ ! -f $UB_RHINT_FILE ] ; then 
@@ -253,42 +288,28 @@ unbound_mkdir() { fi - if [ -f $UB_TLS_ETC_FILE ] ; then - # copy the cert bundle into jail - cp -p $UB_TLS_ETC_FILE $UB_TLS_FWD_FILE - fi - - # Ensure access and prepare to jail chown -R unbound:unbound $UB_VARDIR chmod 755 $UB_VARDIR chmod 644 $UB_VARDIR/* - if [ -f $UB_CTLKEY_FILE ] || [ -f $UB_CTLPEM_FILE ] \ - || [ -f $UB_SRVKEY_FILE ] || [ -f $UB_SRVPEM_FILE ] ; then - # Keys (some) exist already; do not create new ones - chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \ - $UB_SRVKEY_FILE $UB_SRVPEM_FILE - - elif [ -x /usr/sbin/unbound-control-setup ] ; then - case "$UB_D_CONTROL" in - [2-3]) - # unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static" - /usr/sbin/unbound-control-setup -d $UB_VARDIR - - chown -R unbound:unbound $UB_CTLKEY_FILE $UB_CTLPEM_FILE \ - $UB_SRVKEY_FILE $UB_SRVPEM_FILE + if [ -x /usr/sbin/unbound-control-setup ] ; then + if [ ! -f $UB_CTLKEY_FILE ] || [ ! -f $UB_CTLPEM_FILE ] \ + || [ ! -f $UB_SRVKEY_FILE ] || [ ! -f $UB_SRVPEM_FILE ] ; then + case "$UB_D_CONTROL" in + [2-3]) + # unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static" + /usr/sbin/unbound-control-setup -d $UB_ETCDIR - chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \ - $UB_SRVKEY_FILE $UB_SRVPEM_FILE + chown -R unbound:unbound $UB_CTLKEY_FILE $UB_CTLPEM_FILE \ + $UB_SRVKEY_FILE $UB_SRVPEM_FILE - cp -p $UB_CTLKEY_FILE /etc/unbound/unbound_control.key - cp -p $UB_CTLPEM_FILE /etc/unbound/unbound_control.pem - cp -p $UB_SRVKEY_FILE /etc/unbound/unbound_server.key - cp -p $UB_SRVPEM_FILE /etc/unbound/unbound_server.pem - ;; - esac + chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \ + $UB_SRVKEY_FILE $UB_SRVPEM_FILE + ;; + esac + fi fi 
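Review bot: The `chmod 640` on the control keys now runs only inside the branch that generates them, so keys that already exist in `$UB_ETCDIR` — the `unbound_control` level 4 case where static key/pem files must be supplied by hand, or keys left by an earlier run — keep whatever mode they were saved with, whereas the removed code applied `chmod 640` whenever any of the four files existed. Because the files now live outside `$UB_VARDIR`, the `chown -R unbound:unbound $UB_VARDIR` / `chmod 644 $UB_VARDIR/*` pair above no longer touches them either, so a private key copied in with 644 stays world-readable. Restoring the old guarantee after the inner `if` is one line, `chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE $UB_SRVKEY_FILE $UB_SRVPEM_FILE 2>/dev/null` (the redirect only hides the expected errors when control is disabled and no files exist). unbound_mkdir continues outside this hunk.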
@@ -452,6 +473,19 @@ unbound_zone() { fi ;; + htpps-dns-proxy) + if [ -x /usr/sbin/https-dns-proxy ] \ + && [ -x /etc/init.d/https-dns-proxy ] ; then + if /etc/init.d/https-dns-proxy ; then + dns_ast=1 + else + dns_ast=0 + fi + else + dns_ast=0 + fi + ;; + ipset-dns) if [ -x /usr/sbin/ipset-dns ] && [ -x /etc/init.d/ipset-dns ] ; then if /etc/init.d/ipset-dns enabled ; then @@ -476,10 +510,17 @@ unbound_zone() { fi ;; + unprotected-loop) + # Soft brick risk. The server you are looking to connect to may be offline + # and cause loop error: procd, sysupgrade, package order, and other issues. + dns_ast=1 + ;; + *) - # Prevent a soft-brick event through local forwarding loops. Declare your - # assistant program and this will check to be sure it is there. + # Unbound has a local forward blocking option, default on, instead of loop + # detection. If it is released, then it may be a soft brick risk. dns_ast=0 + ;; esac @@ -527,7 +568,7 @@ unbound_zone() { ;; forward_zone) - if [ ! -f $UB_TLS_FWD_FILE ] && [ "$tls_upstream" = "yes" ] ; then + if [ ! -f $UB_TLS_ETC_FILE ] && [ "$tls_upstream" = "yes" ] ; then logger -p 4 -t unbound -s \ "Forward-zone TLS benefits from authentication in package 'ca-bundle'" fi @@ -555,6 +596,11 @@ unbound_zone() { else case $server in + 127.*|::0*) + # soft brick loop back risk see DNS assist above + echo "do nothing" >/dev/null + ;; + *@[0-9]*|*#[A-Za-z0-9]*) # unique Unbound option for server host name servers_host="$servers_host $server" @@ -633,10 +679,10 @@ unbound_conf() { } > $UB_CORE_CONF - if [ -f "$UB_TLS_FWD_FILE" ] ; then + if [ -f "$UB_TLS_ETC_FILE" ] ; then # TLS cert bundle for upstream forwarder and https zone files # This is loaded before drop to root, so pull from /etc/ssl - echo " tls-cert-bundle: $UB_TLS_FWD_FILE" >> $UB_CORE_CONF + echo " tls-cert-bundle: $UB_TLS_ETC_FILE" >> $UB_CORE_CONF fi 
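Review bot: The new `dns_assist` arm is labelled `htpps-dns-proxy)`, a spelling no user will put in UCI, while the README hunk documents the value as `http-proxy-dns` and the binary tested is `/usr/sbin/https-dns-proxy`; a `dns_assist 'https-dns-proxy'` setting therefore falls through to `*)` and localhost forwarding stays blocked. The arm also runs `/etc/init.d/https-dns-proxy` with no action, unlike the neighbouring `ipset-dns` arm's `enabled` test; on OpenWrt's rc.common an empty action prints usage and, as far as I can tell, exits non-zero, so `dns_ast` would be 0 even if the label matched. Suggested: `https-dns-proxy)` and `if /etc/init.d/https-dns-proxy enabled ; then`, with the same spelling in the README row. The enclosing `case` in unbound_zone starts and ends outside this hunk.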
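Review bot: The loopback guard `127.*|::0*)` misses the IPv6 loopback: `::0*` only matches strings beginning with `::0`, so `::1` (and the `::1@853` / `::1#name` forms the next arm accepts) is still added as a forwarder, although the README and the comment describe the guard as `127.0.0.0/8` or `::1`. Use `127.*|::1|::1@*|::1#*)` instead, and `:` is the idiomatic empty arm in place of `echo "do nothing" >/dev/null`. Whether this `else` branch is reached at all depends on the `dns_ast` test above it, which lies outside the hunk.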
@@ -690,14 +736,14 @@ unbound_conf() { if [ $UB_B_EXT_STATS -gt 0 ] ; then { - # Log More + # store more data in memory for unbound-control to report echo " extended-statistics: yes" echo } >> $UB_CORE_CONF else { - # Log Less + # store Less echo " extended-statistics: no" echo } >> $UB_CORE_CONF @@ -714,14 +760,17 @@ unbound_conf() { fi + { + # avoid interference with SPI/NAT on both reserved and common server ports + echo " edns-buffer-size: $UB_N_EDNS_SIZE" + echo " port: $UB_N_RX_PORT" + echo " outgoing-port-permit: 10240-65535" + } >> $UB_CORE_CONF + + case "$UB_D_PROTOCOL" in ip4_only) { - echo " edns-buffer-size: $UB_N_EDNS_SIZE" - echo " port: $UB_N_RX_PORT" - echo " outgoing-port-permit: 10240-65535" - echo " interface: 0.0.0.0" - echo " outgoing-interface: 0.0.0.0" echo " do-ip4: yes" echo " do-ip6: no" echo @@ -730,42 +779,29 @@ unbound_conf() { ip6_only) { - echo " edns-buffer-size: $UB_N_EDNS_SIZE" - echo " port: $UB_N_RX_PORT" - echo " outgoing-port-permit: 10240-65535" - echo " interface: ::0" - echo " outgoing-interface: ::0" echo " do-ip4: no" echo " do-ip6: yes" echo } >> $UB_CORE_CONF ;; - ip6_local) + ip6_local) { - echo " edns-buffer-size: $UB_N_EDNS_SIZE" - echo " port: $UB_N_RX_PORT" - echo " outgoing-port-permit: 10240-65535" - echo " interface: 0.0.0.0" - echo " interface: ::0" - echo " outgoing-interface: 0.0.0.0" + # answer your local IPv6 network but avoid broken ISP IPv6 echo " do-ip4: yes" echo " do-ip6: yes" + echo " prefer-ip4: yes" + echo " prefer-ip6: no" echo } >> $UB_CORE_CONF ;; ip6_prefer) { - echo " edns-buffer-size: $UB_N_EDNS_SIZE" - echo " port: $UB_N_RX_PORT" - echo " outgoing-port-permit: 10240-65535" - echo " interface: 0.0.0.0" - echo " interface: ::0" - echo " outgoing-interface: 0.0.0.0" - echo " outgoing-interface: ::0" + # RFC compliant dual stack echo " do-ip4: yes" echo " do-ip6: yes" + echo " prefer-ip4: no" echo " prefer-ip6: yes" echo } >> $UB_CORE_CONF 
@@ -773,14 +809,6 @@ unbound_conf() { mixed) { - # Interface Wildcard (access contol handled by "option local_service") - echo " edns-buffer-size: $UB_N_EDNS_SIZE" - echo " port: $UB_N_RX_PORT" - echo " outgoing-port-permit: 10240-65535" - echo " interface: 0.0.0.0" - echo " interface: ::0" - echo " outgoing-interface: 0.0.0.0" - echo " outgoing-interface: ::0" echo " do-ip4: yes" echo " do-ip6: yes" echo @@ -791,17 +819,6 @@ unbound_conf() { if [ $UB_B_READY -eq 0 ] ; then logger -t unbound -s "default protocol configuration" fi - - - { - # outgoing-interface has useful defaults; incoming is localhost though - echo " edns-buffer-size: $UB_N_EDNS_SIZE" - echo " port: $UB_N_RX_PORT" - echo " outgoing-port-permit: 10240-65535" - echo " interface: 0.0.0.0" - echo " interface: ::0" - echo - } >> $UB_CORE_CONF ;; esac @@ -1043,9 +1060,9 @@ unbound_conf() { fi - if [ $UB_B_LOCL_SERV -gt 0 ] && [ -n "$UB_LIST_NETW_ALL" ] ; then + if [ $UB_B_LOCL_SERV -gt 0 ] && [ -n "$UB_LIST_NETW_LAN" ] ; then { - for ifsubnet in $UB_LIST_NETW_ALL ; do + for ifsubnet in $UB_LIST_NETW_LAN ; do # Only respond to queries from subnets which have an interface. # Prevent DNS amplification attacks by not responding to the universe. echo " access-control: ${ifsubnet#*@} allow" @@ -1327,7 +1344,7 @@ unbound_uci() { config_get UB_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96" - config_get UB_N_EDNS_SIZE "$cfg" edns_size 1280 + config_get UB_N_EDNS_SIZE "$cfg" edns_size 1232 config_get UB_N_RX_PORT "$cfg" listen_port 53 config_get UB_N_ROOT_AGE "$cfg" root_age 9 config_get UB_N_THREADS "$cfg" num_threads 1 
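Review bot: With `localservice` on, the `access-control: ... allow` lines are now generated only from `UB_LIST_NETW_LAN`, so a router whose `iface_lan` list is empty and whose `dhcp` sections are all ignored emits no `access-control:` at all and Unbound falls back to its built-in policy (localhost allowed, everything else refused, per unbound.conf(5)); before this change every subnet in `UB_LIST_NETW_ALL` was allowed. Fail-closed is the right direction, but it is silent, and the README row for `localservice` still says "subnets this machine has interfaces on". Unless the `else` branch outside the hunk already does so, add `logger -t unbound -s "localservice: no LAN subnets found; only localhost will be answered"`, and reword the README row to say LAN subnets (`iface_lan` plus DHCP-served interfaces). Subnets contributed by both `iface_lan` and the DHCP scan are not de-duplicated, which only yields a repeated allow line.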
@@ -1348,8 +1365,9 @@ unbound_uci() { config_get UB_TTL_MIN "$cfg" ttl_min 120 config_get UB_TXT_DOMAIN "$cfg" domain lan - config_list_foreach "$cfg" domain_insecure bundle_domain_insecure - + config_list_foreach "$cfg" domain_insecure bundle_domain_insecure + config_list_foreach "$cfg" iface_lan bundle_lan_networks + config_list_foreach "$cfg" iface_wan bundle_wan_networks if [ "$UB_D_DHCP_LINK" = "none" ] ; then config_get_bool UB_B_DNSMASQ "$cfg" dnsmasq_link_dns 0 @@ -1396,7 +1414,7 @@ unbound_uci() { if [ $UB_N_EDNS_SIZE -lt 512 ] || [ 4096 -lt $UB_N_EDNS_SIZE ] ; then logger -t unbound -s "edns_size exceeds range, using default" - UB_N_EDNS_SIZE=1280 + UB_N_EDNS_SIZE=1232 fi @@ -1541,6 +1559,11 @@ resolv_setup() { ############################################################################## unbound_start() { + # get interface subnets together + config_load network + config_foreach bundle_all_networks interface + + # read Unbound UCI but pick through it later config_load unbound config_foreach unbound_uci unbound unbound_mkdir @@ -1551,11 +1574,8 @@ unbound_start() { # forward-zone: auth-zone: and stub-zone: config_foreach unbound_zone zone # associate potential DNS RR with interfaces - config_load network - config_foreach bundle_all_networks interface config_load dhcp - config_foreach bundle_lan_networks dhcp - bundle_wan_networks + config_foreach bundle_dhcp_networks dhcp # server: unbound_conf unbound_hostname diff --git a/net/unbound/files/unbound.uci b/net/unbound/files/unbound.uci index f796a5802..432332e6e 100644 --- a/net/unbound/files/unbound.uci +++ b/net/unbound/files/unbound.uci @@ -1,4 +1,4 @@ -config unbound +config unbound 'ub_main' option add_extra_dns '0' option add_local_fqdn '1' option add_wan_fqdn '0' 
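Review bot: In unbound_start, `bundle_wan_networks` now runs from inside `unbound_uci` (via the `iface_wan` list) before `config_foreach bundle_dhcp_networks dhcp` has added the DHCP-served subnets to `UB_LIST_NETW_LAN`, so its "If LAN, then not WAN" exclusion only sees subnets named in `iface_lan`; an interface that is both DHCP-served and listed in `iface_wan` ends up in both lists, which the pre-change order (dhcp scan first, then `bundle_wan_networks`) avoided. Unless `bundle_dhcp_networks` depends on values that `unbound_uci` sets, the smallest fix is to move `config_load dhcp` and `config_foreach bundle_dhcp_networks dhcp` up beside the `network` load at the top of `unbound_start`, before `config_load unbound`. unbound_start continues beyond the hunk.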
@@ -8,7 +8,7 @@ config unbound
 	option dns64_prefix '64:ff9b::/96'
 	option domain 'lan'
 	option domain_type 'static'
-	option edns_size '1280'
+	option edns_size '1232'
 	option extended_stats '0'
 	option hide_binddata '1'
 	option interface_auto '1'
@@ -30,11 +30,12 @@ config unbound
 	option validator '0'
 	option validator_ntp '1'
 	option verbosity '1'
-	list trigger_interface 'lan'
-	list trigger_interface 'wan'
+	list iface_trig 'lan'
+	list iface_trig 'wan'
+	list iface_wan 'wan'
 	#list domain_insecure 'ntp.example.com'
 
-config zone
+config zone 'auth_icann'
 	# cache the root zone all at once to speed up recursion
 	option enabled '0'
 	option fallback '1'
@@ -47,7 +48,7 @@ config zone
 	list zone_name 'in-addr.arpa.'
 	list zone_name 'ip6.arpa.'
 
-config zone
+config zone 'fwd_isp'
 	# forward ISP account management to DHCP announced DNS servers
 	option enabled '0'
 	option fallback '1'
@@ -56,3 +57,27 @@ config zone
 	list zone_name 'isp-bill.example.com.'
 	list zone_name 'isp-mail.example.net.'
 
+config zone 'fwd_google'
+	option enabled '0'
+	option fallback '1'
+	option tls_index 'dns.google'
+	option tls_upstream '1'
+	option zone_type 'forward_zone'
+	list server '8.8.4.4'
+	list server '8.8.8.8'
+	list server '2001:4860:4860::8844'
+	list server '2001:4860:4860::8888'
+	list zone_name '.'
+
+config zone 'fwd_cloudflare'
+	option enabled '0'
+	option fallback '1'
+	option tls_index 'cloudflare-dns.com'
+	option tls_upstream '1'
+	option zone_type 'forward_zone'
+	list server '1.1.1.1'
+	list server '1.0.0.1'
+	list server '2606:4700:4700::1111'
+	list server '2606:4700:4700::1001'
+	list zone_name '.'
+
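Review bot: Both new DNS-over-TLS example zones ship with `option fallback '1'`, which this package maps to `forward-first: yes`, so when the TLS forwarder is unreachable or its certificate fails the `tls_index` check Unbound quietly falls back to plaintext recursion for `.` — the opposite of what someone enabling an encrypted upstream expects. Consider `option fallback '0'` for these two sections, or at least a comment line above them such as `# fallback '1' recurses in the clear when the TLS upstream fails; set '0' to stay encrypted`. The `auth_icann` and `fwd_isp` sections are only given names in this hunk.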