From cdeefec73e9e70a7180c9fb5a337bdefbe34e5b1 Mon Sep 17 00:00:00 2001 From: Eric Luehrsen Date: Mon, 28 May 2018 12:50:14 -0400 Subject: [PATCH 1/2] unbound: provide transparent defaults with documentation Some resource options bundled many Unbound.conf options and made customizing on top of UCI difficult. Make it easier to use Unbound built defaults (blank conf sections). Signed-off-by: Eric Luehrsen --- net/unbound/Makefile | 2 +- net/unbound/files/README.md | 28 ++++++------ net/unbound/files/unbound.sh | 80 +++++++++++++++++++++-------------- net/unbound/files/unbound.uci | 6 +-- 4 files changed, 68 insertions(+), 48 deletions(-) diff --git a/net/unbound/Makefile b/net/unbound/Makefile index af52b51a8..8df91fc96 100644 --- a/net/unbound/Makefile +++ b/net/unbound/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=unbound PKG_VERSION:=1.7.1 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=LICENSE diff --git a/net/unbound/files/README.md b/net/unbound/files/README.md index c4bf1b210..fe8305dce 100644 --- a/net/unbound/files/README.md +++ b/net/unbound/files/README.md @@ -204,7 +204,7 @@ config unbound into MTU issues. Use this size in bytes to manage drop outs. option extended_luci '0' - Boolean. Extends a tab hierarchy in LuCI for advanced congfiguration. + Boolean. Extends a tab hierarchy in LuCI for advanced configuration. option extended_stats '0' Boolean. extended statistics are printed from unbound-control. 
@@ -227,10 +227,11 @@ config unbound option protocol 'mixed' Unbound can limit its protocol used for recursive queries. - Set 'ip4_only' to avoid issues if you do not have native IP6. - Set 'ip6_prefer' to possibly improve performance as well as - not consume NAT paths for the client computers. - Do not use 'ip6_only' unless testing. + ip4_only - limit issues if you do not have native IPv6 + ip6_only - test environment only; could cauase problems + ip6_prefer - both IPv4 and IPv6 but try IPv6 first + mixed - both IPv4 and IPv6 + default - Unbound built-in defaults option query_minimize '0' Boolean. Enable a minor privacy option. Don't let each server know @@ -257,15 +258,18 @@ config unbound 3 - Plus DHCP-PD range passed down interfaces (not implemented) option recursion 'passive' - Unbound has numerous options for how it recurses. This UCI combines - them into "passive," "aggressive," or Unbound's own "default." - Passive is easy on resources, but slower until cache fills. + Unbound has many options for recrusion but UCI is bundled for simplicity. + passive - slower until cache fills but kind on CPU load + default - Unbound built-in defaults + aggressive - uses prefetching to handle more requests quickly option resource 'small' - Unbound has numerous options for resources. This UCI gives "tiny," - "small," "medium," and "large." Medium is most like the compiled - defaults with a bit of balancing. Tiny is close to the published - memory restricted configuration. Small 1/2 medium, and large 2x. + Unbound has many options for resources but UCI is bundled for simplicity. + tiny - similar to published memory restricted configuration + small - about half of medium + medium - similar to default, but fixed for consistency + default - Unbound built-in defaults + large - about double of medium option root_age '9' Days. >90 Disables. Age limit for Unbound root data like root 
diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh index 002ce9fa4..696cb3753 100644 --- a/net/unbound/files/unbound.sh +++ b/net/unbound/files/unbound.sh @@ -449,7 +449,7 @@ unbound_mkdir() { cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then - logger -t unbound -s "iterator will use built-in root hints" + logger -t unbound -s "default root hints (built in rootservers.net)" fi fi @@ -463,7 +463,7 @@ unbound_mkdir() { $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then - logger -t unbound -s "validator will use built-in trust anchor" + logger -t unbound -s "default trust anchor (built in root DS record)" fi fi @@ -616,9 +616,13 @@ unbound_conf() { # Make fresh conf file echo "# $UNBOUND_CONFFILE generated by UCI $( date )" echo - # No threading echo "server:" echo " username: unbound" + echo " chroot: \"$UNBOUND_VARDIR\"" + echo " directory: \"$UNBOUND_VARDIR\"" + echo " pidfile: \"$UNBOUND_PIDFILE\"" + echo + # No threading echo " num-threads: 1" echo " msg-cache-slabs: 1" echo " rrset-cache-slabs: 1" @@ -632,6 +636,7 @@ unbound_conf() { echo " outgoing-interface: ::0" echo # Logging + echo " use-syslog: yes" echo " verbosity: 1" echo " statistics-interval: 0" echo " statistics-cumulative: no" @@ -677,12 +682,18 @@ unbound_conf() { } >> $UNBOUND_CONFFILE ;; - *) + mixed) { echo " do-ip4: yes" echo " do-ip6: yes" } >> $UNBOUND_CONFFILE ;; + + *) + if [ ! -f "$UNBOUND_TIMEFILE" ] ; then + logger -t unbound -s "default protocol configuration" + fi + ;; esac @@ -708,15 +719,6 @@ unbound_conf() { } >> $UNBOUND_CONFFILE - { - # Default Files - echo " use-syslog: yes" - echo " chroot: \"$UNBOUND_VARDIR\"" - echo " directory: \"$UNBOUND_VARDIR\"" - echo " pidfile: \"$UNBOUND_PIDFILE\"" - } >> $UNBOUND_CONFFILE - - if [ -f "$UNBOUND_HINTFILE" ] ; then # Optional hints if found echo " root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE 
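Review bot: In the protocol `case`, the new `*)` branch now absorbs every value the named branches do not match, so a misspelled option is indistinguishable from the documented `default`, and the only trace is a `logger` line that is suppressed as soon as `$UNBOUND_TIMEFILE` exists. Previously the catch-all emitted `do-ip4: yes` / `do-ip6: yes`, so this also silently changes what an unrecognised value produces. Consider an explicit `default)` branch that carries the current one-time log line, and keep `*)` for the error path without the time-file gate, e.g. `logger -t unbound -s "unrecognized protocol option; using Unbound defaults"`, so it is seen on every start. The enclosing `case` statement begins outside the hunk.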
@@ -764,7 +766,7 @@ unbound_conf() { } >> $UNBOUND_CONFFILE elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then - logger -t unbound -s "default memory resource consumption" + logger -t unbound -s "default memory configuration" fi # Assembly of module-config: options is tricky; order matters @@ -803,27 +805,26 @@ unbound_conf() { } >> $UNBOUND_CONFFILE - if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then - { - # Some query privacy but "strict" will break some name servers - echo " qname-minimisation: yes" - echo " qname-minimisation-strict: yes" - } >> $UNBOUND_CONFFILE - - elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then - # Minor improvement on query privacy - echo " qname-minimisation: yes" >> $UNBOUND_CONFFILE - - else - echo " qname-minimisation: no" >> $UNBOUND_CONFFILE - fi - - case "$UNBOUND_D_RECURSION" in passive) { + # Some query privacy but "strict" will break some servers + if [ "$UNBOUND_B_QRY_MINST" -gt 0 \ + -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then + echo " qname-minimisation: yes" + echo " qname-minimisation-strict: yes" + elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then + echo " qname-minimisation: yes" + else + echo " qname-minimisation: no" + fi + # Use DNSSEC to quickly understand NXDOMAIN ranges + if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then + echo " aggressive-nsec: yes" + echo " prefetch-key: no" + fi + # On demand fetching echo " prefetch: no" - echo " prefetch-key: no" echo " target-fetch-policy: \"0 0 0 0 0\"" echo } >> $UNBOUND_CONFFILE 
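Review bot: The qname-minimisation output was removed from in front of `case "$UNBOUND_D_RECURSION" in` and is re-emitted only inside the `passive)` branch here and the `aggressive)` branch in the next hunk, so with `recursion 'default'` — the value unbound.uci now ships in this same series — `query_minimize` and `query_min_strict` write nothing to the generated conf and the privacy option is silently dropped. The two copies are also identical apart from the `prefetch-key` value, which invites drift when one is edited. Keep the qname-minimisation `if`/`elif`/`else` once, before the `case` as the removed code had it, and leave only the prefetch and `aggressive-nsec` lines per branch. The catch-all branch of this `case` is outside both hunks, so I cannot confirm from here whether it compensates.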
@@ -831,8 +832,23 @@ unbound_conf() { aggressive) { + # Some query privacy but "strict" will break some servers + if [ "$UNBOUND_B_QRY_MINST" -gt 0 \ + -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then + echo " qname-minimisation: yes" + echo " qname-minimisation-strict: yes" + elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then + echo " qname-minimisation: yes" + else + echo " qname-minimisation: no" + fi + # Use DNSSEC to quickly understand NXDOMAIN ranges + if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then + echo " aggressive-nsec: yes" + echo " prefetch-key: yes" + fi + # Prefetch what can be echo " prefetch: yes" - echo " prefetch-key: yes" echo " target-fetch-policy: \"3 2 1 0 0\"" echo } >> $UNBOUND_CONFFILE diff --git a/net/unbound/files/unbound.uci b/net/unbound/files/unbound.uci index 45034085a..2df2d6fa1 100644 --- a/net/unbound/files/unbound.uci +++ b/net/unbound/files/unbound.uci @@ -15,13 +15,13 @@ config unbound option listen_port '53' option localservice '1' option manual_conf '0' - option protocol 'mixed' + option protocol 'default' option query_minimize '0' option query_min_strict '0' option rebind_localhost '0' option rebind_protection '1' - option recursion 'passive' - option resource 'small' + option recursion 'default' + option resource 'default' option root_age '9' option ttl_min '120' option unbound_control '0' From 36e1aa089255eb481125a3455f4e958b3b1ba4f3 Mon Sep 17 00:00:00 2001 From: Eric Luehrsen Date: Mon, 28 May 2018 22:46:07 -0400 Subject: [PATCH 2/2] unbound: add root zone file cache option Add the possibility to use Unbound auto-zone: clause to fetch complete root, arpa, in-addr.arpa, and ip6.arpa zone files. This can speed up recursion when users access many ccTLD or connection logging hits many PTR. Signed-off-by: Eric Luehrsen --- net/unbound/Makefile | 2 +- net/unbound/files/README.md | 5 ++++ net/unbound/files/unbound.sh | 54 +++++++++++++++++++++++++++++------ net/unbound/files/unbound.uci | 1 + 4 files changed, 53 insertions(+), 9 deletions(-) 
diff --git a/net/unbound/Makefile b/net/unbound/Makefile index 8df91fc96..a846ca699 100644 --- a/net/unbound/Makefile +++ b/net/unbound/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=unbound PKG_VERSION:=1.7.1 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=LICENSE diff --git a/net/unbound/files/README.md b/net/unbound/files/README.md index fe8305dce..4e81162f8 100644 --- a/net/unbound/files/README.md +++ b/net/unbound/files/README.md @@ -225,6 +225,11 @@ config unbound Boolean. Skip all this UCI nonsense. Manually edit the configuration. Make changes to /etc/unbound/unbound.conf. + option prefetch_root '0' + Boolean. Enable Unbound authority zone clauses for "." (root), "arpa," + "in-addr.arpa," and "ip6.arpa" and obtain complete zone files from public + servers using http or AXFR (gTLD are unfortunately not as public). + option protocol 'mixed' Unbound can limit its protocol used for recursive queries. ip4_only - limit issues if you do not have native IPv6 diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh index 696cb3753..2fda84e86 100644 --- a/net/unbound/files/unbound.sh +++ b/net/unbound/files/unbound.sh @@ -35,6 +35,7 @@ UNBOUND_B_MAN_CONF=0 UNBOUND_B_NTP_BOOT=1 UNBOUND_B_QUERY_MIN=0 UNBOUND_B_QRY_MINST=0 +UNBOUND_B_AUTH_ROOT=0 UNBOUND_D_CONTROL=0 UNBOUND_D_DOMAIN_TYPE=static 
@@ -605,6 +606,45 @@ unbound_forward() { ############################################################################## +unbound_auth_root() { + local axfrservers="lax.xfr.dns.icann.org iad.xfr.dns.icann.org" + local httpserver="http://www.internic.net/domain/" + local authzones="root arpa in-addr.arpa ip6.arpa" + local server zone realzone + # Download or AXFR the root and arpa zones to reduce the work needed at + # top level of recursion. If your users will hit many ccTLD or you have + # tracking logs resolving many PTR, then this can speed things up. + # Total size of text in TMPFS could be about 5MB. + + + if [ "$UNBOUND_B_AUTH_ROOT" -gt 0 ] ; then + for zone in $authzones ; do + if [ "$zone" = "root" ] ; then + realzone="." + else + realzone=$zone + fi + + + { + echo "auth-zone:" + echo " name: \"$realzone\"" + for server in $axfrservers ; do + echo " master: \"$server\"" + done + echo " url: \"$httpserver$zone.zone\"" + echo " fallback-enabled: yes" + echo " for-downstream: no" + echo " for-upstream: yes" + echo " zonefile: \"$zone.zone\"" + echo + } >> $UNBOUND_CONFFILE + done + fi +} + +############################################################################## + unbound_conf() { local rt_mem rt_conn modulestring domain ifsubnet @@ -1086,6 +1126,7 @@ unbound_uci() { config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0 config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0 config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0 + config_get_bool UNBOUND_B_AUTH_ROOT "$cfg" prefetch_root 0 config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0 config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0 config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1 @@ -1181,7 +1222,7 @@ unbound_uci() { ############################################################################## -_resolv_setup() { +unbound_resolv_setup() { if [ "$UNBOUND_N_RX_PORT" != "53" ] ; then return fi 
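Review bot: `httpserver` is a plain `http://` URL, and the `auth-zone` it feeds is declared `for-upstream: yes`, so whatever arrives on that download (or over the AXFR from the two `master:` hosts, which carries no TSIG key) replaces the delegation data Unbound would otherwise obtain from the root servers. Unless DNSSEC validation is enabled nothing in this path checks the zone's integrity, and `config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0` in the `unbound_uci` hunk below shows the validator is off by default. Change to `local httpserver="https://www.internic.net/domain/"` (Unbound's zone downloader accepts https when built with TLS — worth confirming for this build), and extend the README entry for `prefetch_root` to say it is meant to be combined with `validator '1'`. A one-time `logger` line when the option is enabled without the validator, in the style of the other `$UNBOUND_TIMEFILE`-gated messages in this file, would make the trade-off visible to the operator.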
@@ -1210,7 +1251,7 @@ _resolv_setup() { ############################################################################## -_resolv_teardown() { +unbound_resolv_teardown() { case $( cat /tmp/resolv.conf ) in *"generated by Unbound UCI"*) # our resolver file, reset to auto resolver file. @@ -1225,8 +1266,6 @@ _resolv_teardown() { unbound_start() { config_load unbound config_foreach unbound_uci unbound - - unbound_mkdir @@ -1245,19 +1284,18 @@ unbound_start() { unbound_forward + unbound_auth_root unbound_control fi - _resolv_setup + unbound_resolv_setup } ############################################################################## unbound_stop() { - _resolv_teardown - - + unbound_resolv_teardown rootzone_update } diff --git a/net/unbound/files/unbound.uci b/net/unbound/files/unbound.uci index 2df2d6fa1..fb0f6c887 100644 --- a/net/unbound/files/unbound.uci +++ b/net/unbound/files/unbound.uci @@ -15,6 +15,7 @@ config unbound option listen_port '53' option localservice '1' option manual_conf '0' + option prefetch_root '0' option protocol 'default' option query_minimize '0' option query_min_strict '0'