diff --git a/net/unbound/Makefile b/net/unbound/Makefile
index 17f3065f1..0883c952f 100644
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=unbound
 PKG_VERSION:=1.5.10
-PKG_RELEASE:=5
+PKG_RELEASE:=6
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
diff --git a/net/unbound/files/README.md b/net/unbound/files/README.md
index a66ac74b5..084a8af94 100644
--- a/net/unbound/files/README.md
+++ b/net/unbound/files/README.md
@@ -9,14 +9,25 @@ Unbound may be useful on consumer grade embedded hardware. It is *intended* to b
 This package builds on Unbounds capabilities with OpenWrt UCI. Not every Unbound option is in UCI, but rather, UCI simplifies the combination of related options. Unbounds native options are bundled and balanced within a smaller set of choices. Options include resources, DNSSEC, access control, and some TTL tweaking. The UCI also provides an escape option and work at the raw "unbound.conf" level.
 ## Work with dnsmasq
-Some UCI options will help Unbound and dnsmasq work together in **parallel**. The default DHCP and DNS stub resolver in OpenWrt is dnsmasq, and it will continue to serve this purpose. The following actions will make Unbound the primary DNS server, and make dnsmasq only provide DNS to local DHCP.
+Some UCI options will help Unbound and dnsmasq work together in **parallel**. The default DHCP and DNS stub resolver in OpenWrt is dnsmasq, and it will continue to serve this purpose. The following partial examples will make Unbound the primary DNS server, and make dnsmasq only provide DNS to local DHCP.
-- Set `unbound` UCI `option dnsmasq_link_dns` to true.
-- Set other `unbound` UCI options how you wish.
-- Set `dnsmasq` UCI `option noresolv` to true.
-- Set `dnsmasq` UCI `option resolvfile` to blank single-quotes.
-- Set `dnsmasq` UCI `option port` to 1053 or 5353.
-- Add to each `dhcp` UCI `list dhcp_option option:dns-server,0.0.0.0`
+**/etc/config/unbound**:
+
+ config unbound
+ option dnsmasq_link_dns '1'
+ ...
+
+**/etc/config/dhcp**:
+
+ config dnsmasq
+ option option noresolv '1'
+ option resolvfile ''
+ option port '1053'
+ ...
+
+ config dhcp ''
+ list dhcp_option 'option:dns-server,0.0.0.0'
+ ...
 Alternatives are mentioned here for completeness. DHCP event scripts which write host records are difficult to formulate for Unbound, NSD, or Bind. These programs sometimes need to be forcefully reloaded with host configuration, and reloads can bust cache.
**Serial** configuration between dnsmasq and Unbound can be made on 127.0.0.1 with an off-port like #1053. This may double cache storage and incur unnecessary transfer delay.
@@ -27,6 +38,8 @@ All of `/etc/unbound` (persistent, ROM) is copied to `/var/lib/unbound` (tmpfs,
 Finally, `root.key` maintenance for DNSKEY RFC5011 would be hard on flash. Unbound natively updates frequently. It also creates and destroys working files in the process. In `/var/lib/unbound` this is no problem, but it would be gone at the next reboot. If you have DNSSEC (validator) active, then you should consider this UCI option. Choose how many days to copy from `/var/lib/unbound/root.key` (tmpfs) to `/etc/unbound/root.key` (flash). Keep the DNSKEY updated with your choice of flash activity.
+**/etc/config/unbound**:
+
 config unbound
 option manual_conf '1'
 option root_age '30'
@@ -37,6 +50,15 @@ Finally, `root.key` maintenance for DNSKEY RFC5011 would be hard on flash. Unbou
 config unbound
 Currently only one instance is supported.
+ option dns64 '0'
+ Boolean. Enable DNS64 through Unbound in order to bridge networks
+ that are IPV6 only and IPV4 only (see RFC6052).
+
+ option dns64_prefix '64:ff9b::/96'
+ IPV6 Prefix. The IPV6 prefix wrapped on the IPV4 address for DNS64.
+ You should use RFC6052 "well known" address, unless you also
+ redirect to a proxy or gateway for your NAT64.
+
 option dnsmasq_gate_name '0'
 Boolean. Forward PTR records for interfaces not serving DHCP.
 Assume these are WAN. Example dnsmasq option here to provide
diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh
index 568c62741..16291dcbe 100644
--- a/net/unbound/files/unbound.sh
+++ b/net/unbound/files/unbound.sh
@@ -23,6 +23,7 @@ UNBOUND_B_CONTROL=0
 UNBOUND_B_DNSMASQ=0
 UNBOUND_B_DNSSEC=0
+UNBOUND_B_DNS64=0
 UNBOUND_B_GATE_NAME=0
 UNBOUND_B_LOCL_BLCK=0
 UNBOUND_B_LOCL_NAME=0
@@ -32,6 +33,8 @@ UNBOUND_B_NTP_BOOT=1
 UNBOUND_B_PRIV_BLCK=1
 UNBOUND_B_QUERY_MIN=0
+UNBOUND_IP_DNS64="64:ff9b::/96"
+
 UNBOUND_D_RESOURCE=small
 UNBOUND_D_RECURSION=passive
@@ -140,7 +143,7 @@ unbound_mkdir() {
 unbound_conf() {
 local cfg=$1
- local rt_mem rt_conn
+ local rt_mem rt_conn modulestring
 {
 # Make fresh conf file
@@ -285,6 +288,9 @@ unbound_conf() {
 logger -t unbound -s "default memory resource consumption"
 fi
+ # Assembly of module-config: options is tricky; order matters
+ modulestring="iterator"
+
 if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
 if [ ! -f "$UNBOUND_TIMEFILE" -a "$UNBOUND_B_NTP_BOOT" -gt 0 ] ; then
@@ -294,23 +300,30 @@ unbound_conf() {
 {
- # Validation of DNSSEC
- echo " module-config: \"validator iterator\""
 echo " harden-dnssec-stripped: yes"
 echo " val-clean-additional: yes"
 echo " ignore-cd-flag: yes"
- echo
 } >> $UNBOUND_CONFFILE
- else
- {
- # Just iteration without DNSSEC
- echo " module-config: \"iterator\""
- echo
- } >> $UNBOUND_CONFFILE
+
+ modulestring="validator $modulestring"
 fi
+ if [ "$UNBOUND_B_DNS64" -gt 0 ] ; then
+ echo " dns64-prefix: $UNBOUND_IP_DNS64" >> $UNBOUND_CONFFILE
+
+ modulestring="dns64 $modulestring"
+ fi
+
+
+ {
+ # Print final module string
+ echo " module-config: \"$modulestring\""
+ echo
+ } >> $UNBOUND_CONFFILE
+
+
 if [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
 # Minor improvement on query privacy
 echo " qname-minimisation: yes" >> $UNBOUND_CONFFILE
@@ -426,7 +439,8 @@ unbound_uci() {
 ####################
 # UCI @ unbound #
 ####################
-
+
+ config_get_bool UNBOUND_B_DNS64 "$cfg" dns64 0
 config_get_bool UNBOUND_B_GATE_NAME "$cfg" dnsmsaq_gate_name 0
 config_get_bool UNBOUND_B_DNSMASQ "$cfg" dnsmasq_link_dns 0
 config_get_bool UNBOUND_B_LOCL_NAME "$cfg" dnsmasq_only_local 0
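Review bot: The new comment `# Assembly of module-config: options is tricky; order matters` says that order matters without saying what the order is, which is exactly what the next person adding a module to `modulestring` needs to know. The assembly in the following hunk builds the string by prepending, ending up with `dns64 validator iterator`, so the constraint can be written down: `# module-config is evaluated left to right: dns64 must come before validator and iterator is always last, so each block below prepends its module to modulestring` — the dns64-before-validator requirement is from Unbound's own documentation rather than anything visible here, so confirm it against unbound.conf(5) before committing the wording. unbound_conf starts and ends outside this hunk.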
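Review bot: `echo " dns64-prefix: $UNBOUND_IP_DNS64" >> $UNBOUND_CONFFILE` writes the UCI value into unbound.conf unchecked, so an empty or mistyped `dns64_prefix` (or one longer than /96, which the dns64 module refuses as far as I recall) makes Unbound reject the whole generated file and the router loses all name resolution rather than just DNS64. A value containing whitespace or a newline would even land as additional directives; UCI is admin-controlled, so this is a robustness concern more than a privilege boundary, but it is cheap to close. I would shape-check the value and fall back to the RFC6052 well-known prefix with a logged warning before the echo, as below, and add `prefix_ok` to the function's `local` line in the earlier hunk. This is only a character-set and length check, not full IPv6 parsing, so unbound-checkconf remains the last line of defence. unbound_conf starts and ends outside this hunk.
```shell
  if [ "$UNBOUND_B_DNS64" -gt 0 ] ; then
    # A bad dns64-prefix makes Unbound reject the whole conf file and
    # takes down all resolution, so only pass through "<hex/colon>/<0-99>"
    # with a length of at most 96; anything else falls back to RFC6052.
    case "$UNBOUND_IP_DNS64" in
      *[!0-9a-fA-F:/]*) prefix_ok=0 ;;
      *:*/[0-9]|*:*/[0-9][0-9]) prefix_ok=1 ;;
      *) prefix_ok=0 ;;
    esac

    if [ "$prefix_ok" -eq 0 ] || [ "${UNBOUND_IP_DNS64##*/}" -gt 96 ] ; then
      logger -t unbound -s "invalid dns64_prefix '$UNBOUND_IP_DNS64', using 64:ff9b::/96"
      UNBOUND_IP_DNS64="64:ff9b::/96"
    fi

    echo " dns64-prefix: $UNBOUND_IP_DNS64" >> $UNBOUND_CONFFILE
    # … unchanged: modulestring="dns64 $modulestring" and the closing fi …
```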
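Review bot: The line directly under the new `config_get_bool UNBOUND_B_DNS64 "$cfg" dns64 0` still reads the option as `dnsmsaq_gate_name`, while the README hunk in this same diff documents it as `option dnsmasq_gate_name '0'`, so a user who follows the README sets an option the script never reads; this looks like a pre-existing typo rather than something this commit introduces, but the new line lands right beside it. Because the shipped unbound.uci uses the misspelling too, switching outright would silently break existing configs; reading the documented name first and the old one as a fallback keeps both working: `config_get_bool UNBOUND_B_GATE_NAME "$cfg" dnsmasq_gate_name 0` followed by `[ "$UNBOUND_B_GATE_NAME" -gt 0 ] || config_get_bool UNBOUND_B_GATE_NAME "$cfg" dnsmsaq_gate_name 0`, with unbound.uci corrected to the documented spelling. unbound_uci starts and ends outside this hunk.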
@@ -439,6 +453,7 @@ unbound_uci() {
 config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
 config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
+ config_get UNBOUND_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96"
 config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280
 config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53
 config_get UNBOUND_D_RECURSION "$cfg" recursion passive
diff --git a/net/unbound/files/unbound.uci b/net/unbound/files/unbound.uci
index 02854a838..5fee3eb92 100644
--- a/net/unbound/files/unbound.uci
+++ b/net/unbound/files/unbound.uci
@@ -1,4 +1,6 @@
 config unbound
+ option dns64 '0'
+ option dns64_prefix '64:ff9b::/96'
 option dnsmsaq_gate_name '0'
 option dnsmasq_link_dns '0'
 option dnsmasq_only_local '0'