From 82c2368177ce93b15db6001f48e28ace5460d14e Mon Sep 17 00:00:00 2001 From: Eric Luehrsen Date: Sun, 18 Dec 2016 22:38:03 -0500 Subject: [PATCH] unbound: UCI updates to take advantage of 1.6.0 - UCI to take advantage of "qname-minimisation-strict:" - UCI to block chaos reponses bind, server, and version - UCI to limit or prefer recrusion over IP4 or IP6 Signed-off-by: Eric Luehrsen --- net/unbound/Makefile | 2 +- net/unbound/files/README.md | 24 ++++++++++-- net/unbound/files/unbound.sh | 69 +++++++++++++++++++++++++++++++++-- net/unbound/files/unbound.uci | 3 ++ 4 files changed, 89 insertions(+), 9 deletions(-) diff --git a/net/unbound/Makefile b/net/unbound/Makefile index 1422b9cae..fcfa12bf5 100644 --- a/net/unbound/Makefile +++ b/net/unbound/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=unbound PKG_VERSION:=1.6.0 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=LICENSE diff --git a/net/unbound/files/README.md b/net/unbound/files/README.md index 084a8af94..d0bb3376f 100644 --- a/net/unbound/files/README.md +++ b/net/unbound/files/README.md @@ -79,8 +79,12 @@ Finally, `root.key` maintenance for DNSKEY RFC5011 would be hard on flash. Unbou "drill -x 192.168.10.201 ~ NODATA" (insted of james-laptop.lan) option edns_size '1280' - Extended DNS is necessary for DNSSEC. However, it can run into MTU - issues. Use this size in bytes to manage drop outs. + Bytes. Extended DNS is necessary for DNSSEC. However, it can run + into MTU issues. Use this size in bytes to manage drop outs. + + option hide_binddata '1' + Boolean. If enabled version.server, version.bind, id.server, and + hostname.bind queries are refused. option listen_port '53' Port. Incoming. Where Unbound will listen for queries. @@ -93,9 +97,21 @@ Finally, `root.key` maintenance for DNSKEY RFC5011 would be hard on flash. Unbou Boolean. Skip all this UCI nonsense. Manually edit the configuration. Make changes to /etc/unbound/unbound.conf. + option protocol 'mixed' + Unbound can limit its protocol: "ip4_only" for ISP behind the time, + "ip6_only" for testing, "ip6_prefer" for ISP with good IP6 support, + or default-all "mixed." This affects the protocol used to + communicate. The DNS responses always include hosts respective IP4 + and IP6 data. + option query_minimize '0' - Boolean. Enable a minor privacy option. Query only one name piece - at a time. Don't let each server know the next recursion. + Boolean. Enable a minor privacy option. Don't let each server know + the next recursion. Query one piece at a time. + + option query_min_strict '0' + Boolean. Query minimize is best effort and will fall back to normal + when it must. This option prevents the fall back, but less than + standard name servers will fail to resolve their domains. option rebind_localhost '0' Boolean. Prevent loopback "127.0.0.0/8" or "::1/128" responses. diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh index 26090251a..fce36967e 100644 --- a/net/unbound/files/unbound.sh +++ b/net/unbound/files/unbound.sh @@ -25,6 +25,7 @@ UNBOUND_B_DNSMASQ=0 UNBOUND_B_DNSSEC=0 UNBOUND_B_DNS64=0 UNBOUND_B_GATE_NAME=0 +UNBOUND_B_HIDE_BIND=1 UNBOUND_B_LOCL_BLCK=0 UNBOUND_B_LOCL_NAME=0 UNBOUND_B_LOCL_SERV=1 @@ -32,11 +33,13 @@ UNBOUND_B_MAN_CONF=0 UNBOUND_B_NTP_BOOT=1 UNBOUND_B_PRIV_BLCK=1 UNBOUND_B_QUERY_MIN=0 +UNBOUND_B_QRY_MINST=0 UNBOUND_IP_DNS64="64:ff9b::/96" UNBOUND_D_RESOURCE=small UNBOUND_D_RECURSION=passive +UNBOUND_D_PROTOCOL=mixed UNBOUND_TXT_FWD_ZONE="" UNBOUND_TTL_MIN=120 @@ -207,6 +210,38 @@ unbound_conf() { } >> $UNBOUND_CONFFILE + case "$UNBOUND_D_PROTOCOL" in + ip4_only) + { + echo " do-ip4: yes" + echo " do-ip6: no" + } >> $UNBOUND_CONFFILE + ;; + + ip6_only) + { + echo " do-ip4: no" + echo " do-ip6: yes" + } >> $UNBOUND_CONFFILE + ;; + + ip6_prefer) + { + echo " do-ip4: yes" + echo " do-ip6: yes" + echo " prefer-ip6: yes" + } >> $UNBOUND_CONFFILE + ;; + + *) + { + echo " do-ip4: yes" + echo " do-ip6: yes" + } >> $UNBOUND_CONFFILE + ;; + esac + + { # protocol level tuning echo " edns-buffer-size: $UNBOUND_N_EDNS_SIZE" @@ -324,7 +359,14 @@ unbound_conf() { } >> $UNBOUND_CONFFILE - if [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then + if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then + { + # Some query privacy but "strict" will break some name servers + echo " qname-minimisation: yes" + echo " qname-minimisation-strict: yes" + } >> $UNBOUND_CONFFILE + + elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then # Minor improvement on query privacy echo " qname-minimisation: yes" >> $UNBOUND_CONFFILE @@ -370,10 +412,23 @@ unbound_conf() { } >> $UNBOUND_CONFFILE + if [ "$UNBOUND_B_HIDE_BIND" -gt 0 ] ; then + { + # Block server id and version DNS TXT records + echo " hide-identity: yes" + echo " hide-version: yes" + echo + } >> $UNBOUND_CONFFILE + fi + + if [ "$UNBOUND_B_PRIV_BLCK" -gt 0 ] ; then { - # Remove DNS reponses from upstream with private IP + # Remove _upstream_ or global reponses with private addresses. + # Unbounds own "local zone" and "forward zone" may still use these. + # RFC1918, RFC3927, RFC4291, RFC6598, RFC6890 echo " private-address: 10.0.0.0/8" + echo " private-address: 100.64.0.0/10" echo " private-address: 169.254.0.0/16" echo " private-address: 172.16.0.0/12" echo " private-address: 192.168.0.0/16" @@ -439,14 +494,16 @@ unbound_uci() { #################### # UCI @ unbound # #################### - + config_get_bool UNBOUND_B_DNS64 "$cfg" dns64 0 config_get_bool UNBOUND_B_GATE_NAME "$cfg" dnsmasq_gate_name 0 config_get_bool UNBOUND_B_DNSMASQ "$cfg" dnsmasq_link_dns 0 + config_get_bool UNBOUND_B_HIDE_BIND "$cfg" hide_binddata 1 config_get_bool UNBOUND_B_LOCL_NAME "$cfg" dnsmasq_only_local 0 config_get_bool UNBOUND_B_LOCL_SERV "$cfg" localservice 1 config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0 config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0 + config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0 config_get_bool UNBOUND_B_PRIV_BLCK "$cfg" rebind_protection 1 config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0 config_get_bool UNBOUND_B_CONTROL "$cfg" unbound_control 0 @@ -454,11 +511,15 @@ unbound_uci() { config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1 config_get UNBOUND_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96" + config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280 config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53 + config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 7 + + config_get UNBOUND_D_PROTOCOL "$cfg" protocol mixed config_get UNBOUND_D_RECURSION "$cfg" recursion passive config_get UNBOUND_D_RESOURCE "$cfg" resource small - config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 7 + config_get UNBOUND_TTL_MIN "$cfg" ttl_min 120 diff --git a/net/unbound/files/unbound.uci b/net/unbound/files/unbound.uci index ca348a6c4..6e887c86b 100644 --- a/net/unbound/files/unbound.uci +++ b/net/unbound/files/unbound.uci @@ -5,10 +5,13 @@ config unbound option dnsmasq_link_dns '0' option dnsmasq_only_local '0' option edns_size '1280' + option hide_binddata '1' option listen_port '53' option localservice '1' option manual_conf '0' + option protocol 'mixed' option query_minimize '0' + option query_min_strict '0' option rebind_localhost '0' option rebind_protection '1' option recursion 'passive'