
Unbound: added UCI support for DNS64

Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
Signed-off-by: Dan Luedte <mail@danrl.com>
lilik-openwrt-22.03
Eric Luehrsen 8 years ago
committed by danrl
parent
commit
c189596a4a
4 changed files with 58 additions and 19 deletions
  1. +1
    -1
      net/unbound/Makefile
  2. +29
    -7
      net/unbound/files/README.md
  3. +26
    -11
      net/unbound/files/unbound.sh
  4. +2
    -0
      net/unbound/files/unbound.uci

+ 1
- 1
net/unbound/Makefile

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=unbound
PKG_VERSION:=1.5.10
PKG_RELEASE:=5
PKG_RELEASE:=6
PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE


+ 29
- 7
net/unbound/files/README.md

@ -9,14 +9,25 @@ Unbound may be useful on consumer grade embedded hardware. It is *intended* to b
This package builds on Unbounds capabilities with OpenWrt UCI. Not every Unbound option is in UCI, but rather, UCI simplifies the combination of related options. Unbounds native options are bundled and balanced within a smaller set of choices. Options include resources, DNSSEC, access control, and some TTL tweaking. The UCI also provides an escape option and work at the raw "unbound.conf" level.
## Work with dnsmasq
Some UCI options will help Unbound and dnsmasq work together in **parallel**. The default DHCP and DNS stub resolver in OpenWrt is dnsmasq, and it will continue to serve this purpose. The following actions will make Unbound the primary DNS server, and make dnsmasq only provide DNS to local DHCP.
Some UCI options will help Unbound and dnsmasq work together in **parallel**. The default DHCP and DNS stub resolver in OpenWrt is dnsmasq, and it will continue to serve this purpose. The following partial examples will make Unbound the primary DNS server, and make dnsmasq only provide DNS to local DHCP.
- Set `unbound` UCI `option dnsmasq_link_dns` to true.
- Set other `unbound` UCI options how you wish.
- Set `dnsmasq` UCI `option noresolv` to true.
- Set `dnsmasq` UCI `option resolvfile` to blank single-quotes.
- Set `dnsmasq` UCI `option port` to 1053 or 5353.
- Add to each `dhcp` UCI `list dhcp_option option:dns-server,0.0.0.0`
**/etc/config/unbound**:
config unbound
option dnsmasq_link_dns '1'
...
**/etc/config/dhcp**:
config dnsmasq
option option noresolv '1'
option resolvfile '<empty>'
option port '1053'
...
config dhcp '<name>'
list dhcp_option 'option:dns-server,0.0.0.0'
...
Alternatives are mentioned here for completeness. DHCP event scripts which write host records are difficult to formulate for Unbound, NSD, or Bind. These programs sometimes need to be forcefully reloaded with host configuration, and reloads can bust cache. **Serial** configuration between dnsmasq and Unbound can be made on 127.0.0.1 with an off-port like #1053. This may double cache storage and incur unnecessary transfer delay.
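Review bot: the `/etc/config/dhcp` example in this hunk contains a duplicated keyword, `option option noresolv '1'`, which UCI will not parse; it should read `option noresolv '1'`. In the same block, `option resolvfile '<empty>'` reads as a literal placeholder while the bullet above says blank single-quotes; writing it as `option resolvfile ''` gives the reader something that can be copied unchanged.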
@ -27,6 +38,8 @@ All of `/etc/unbound` (persistent, ROM) is copied to `/var/lib/unbound` (tmpfs,
Finally, `root.key` maintenance for DNSKEY RFC5011 would be hard on flash. Unbound natively updates frequently. It also creates and destroys working files in the process. In `/var/lib/unbound` this is no problem, but it would be gone at the next reboot. If you have DNSSEC (validator) active, then you should consider this UCI option. Choose how many days to copy from `/var/lib/unbound/root.key` (tmpfs) to `/etc/unbound/root.key` (flash). Keep the DNSKEY updated with your choice of flash activity.
**/etc/config/unbound**:
config unbound
option manual_conf '1'
option root_age '30'
@ -37,6 +50,15 @@ Finally, `root.key` maintenance for DNSKEY RFC5011 would be hard on flash. Unbou
config unbound
Currently only one instance is supported.
option dns64 '0'
Boolean. Enable DNS64 through Unbound in order to bridge networks
that are IPV6 only and IPV4 only (see RFC6052).
option dns64_prefix '64:ff9b::/96'
IPV6 Prefix. The IPV6 prefix wrapped on the IPV4 address for DNS64.
You should use RFC6052 "well known" address, unless you also
redirect to a proxy or gateway for your NAT64.
option dnsmasq_gate_name '0'
Boolean. Forward PTR records for interfaces not serving DHCP.
Assume these are WAN. Example dnsmasq option here to provide
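Review bot: the option is documented here as `dnsmasq_gate_name`, but elsewhere in this same patch unbound.sh reads `config_get_bool UNBOUND_B_GATE_NAME "$cfg" dnsmsaq_gate_name 0` and unbound.uci ships `option dnsmsaq_gate_name '0'`, so a user following the README sets a key the script never reads and the option is silently ignored. Settle on one spelling (the README's `dnsmasq_gate_name` is the intended one) across all three files.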


+ 26
- 11
net/unbound/files/unbound.sh

@ -23,6 +23,7 @@
UNBOUND_B_CONTROL=0
UNBOUND_B_DNSMASQ=0
UNBOUND_B_DNSSEC=0
UNBOUND_B_DNS64=0
UNBOUND_B_GATE_NAME=0
UNBOUND_B_LOCL_BLCK=0
UNBOUND_B_LOCL_NAME=0
@ -32,6 +33,8 @@ UNBOUND_B_NTP_BOOT=1
UNBOUND_B_PRIV_BLCK=1
UNBOUND_B_QUERY_MIN=0
UNBOUND_IP_DNS64="64:ff9b::/96"
UNBOUND_D_RESOURCE=small
UNBOUND_D_RECURSION=passive
@ -140,7 +143,7 @@ unbound_mkdir() {
unbound_conf() {
local cfg=$1
local rt_mem rt_conn
local rt_mem rt_conn modulestring
{
# Make fresh conf file
@ -285,6 +288,9 @@ unbound_conf() {
logger -t unbound -s "default memory resource consumption"
fi
# Assembly of module-config: options is tricky; order matters
modulestring="iterator"
if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
if [ ! -f "$UNBOUND_TIMEFILE" -a "$UNBOUND_B_NTP_BOOT" -gt 0 ] ; then
@ -294,23 +300,30 @@ unbound_conf() {
{
# Validation of DNSSEC
echo " module-config: \"validator iterator\""
echo " harden-dnssec-stripped: yes"
echo " val-clean-additional: yes"
echo " ignore-cd-flag: yes"
echo
} >> $UNBOUND_CONFFILE
else
{
# Just iteration without DNSSEC
echo " module-config: \"iterator\""
echo
} >> $UNBOUND_CONFFILE
modulestring="validator $modulestring"
fi
if [ "$UNBOUND_B_DNS64" -gt 0 ] ; then
echo " dns64-prefix: $UNBOUND_IP_DNS64" >> $UNBOUND_CONFFILE
modulestring="dns64 $modulestring"
fi
{
# Print final module string
echo " module-config: \"$modulestring\""
echo
} >> $UNBOUND_CONFFILE
if [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
# Minor improvement on query privacy
echo " qname-minimisation: yes" >> $UNBOUND_CONFFILE
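Review bot: the comment `# Assembly of module-config: options is tricky; order matters` should state what the order is, because the prepending logic silently depends on it: Unbound requires `dns64` to precede `validator`, and `validator` to precede `iterator`, and the two `modulestring="... $modulestring"` assignments only produce `dns64 validator iterator` because the DNS64 branch runs after the DNSSEC branch. A one-line comment giving the expected final string would make that constraint explicit for anyone who later reorders the blocks.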
@ -426,7 +439,8 @@ unbound_uci() {
####################
# UCI @ unbound #
####################
config_get_bool UNBOUND_B_DNS64 "$cfg" dns64 0
config_get_bool UNBOUND_B_GATE_NAME "$cfg" dnsmsaq_gate_name 0
config_get_bool UNBOUND_B_DNSMASQ "$cfg" dnsmasq_link_dns 0
config_get_bool UNBOUND_B_LOCL_NAME "$cfg" dnsmasq_only_local 0
@ -439,6 +453,7 @@ unbound_uci() {
config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
config_get UNBOUND_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96"
config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280
config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53
config_get UNBOUND_D_RECURSION "$cfg" recursion passive
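Review bot: `config_get UNBOUND_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96"` accepts any string, and unbound_conf() writes it into unbound.conf unchanged as `dns64-prefix:`. Unbound requires the DNS64 prefix to be /96 or shorter, so a typo or a longer prefix in UCI produces a configuration Unbound refuses to load and the resolver does not start. Check that the value looks like an IPv6 prefix with a length of at most 96 before using it, and otherwise fall back to the default with a `logger -t unbound -s` message, as the script already does for the memory resource setting.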


+ 2
- 0
net/unbound/files/unbound.uci

@ -1,4 +1,6 @@
config unbound
option dns64 '0'
option dns64_prefix '64:ff9b::/96'
option dnsmsaq_gate_name '0'
option dnsmasq_link_dns '0'
option dnsmasq_only_local '0'

