DNS flag day 2020, software should reflect the minimum EDNS 1232 bytes.
Added iface_wan and iface_lan to control internal DNS assignemnts and
to control what is local service ACL. Interface wild cards are not
explicitly set so that they can be customized in extended conf.
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
- prevent rapid overlap in DHCP script updates
- check and allow localhost forwards with specific applications
- add option for rate limiting inbound queries
- change UCI list to table format with Unbound conf references
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
The two unique packages "Unbound light" and "Unbound heavy"
were not working well due to the fact that Unbound is mostly
its library. Tools and helpers would crash. Instead a reasonable
default Unbound is built. Also up select options like python
are added. libevent and libpthreads are options to down select.
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
Unbound has a quirk and may reply on a different device address.
When Unbound answers with from-address different than it
received queries on, it may cause trouble for select VPN and
firewall configurations. Ensure Unbound replies with the same
address by changing this default.
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
This exposes the interface-auto option to UCI.
By default, interface-auto is disabled.
This leads to the DNS reply possibly originating from
a different address then the request was sent to.
Devices with a packet filter might not receive the reply in this case.
Enabling interface-auto ensures the reply is sent with the
source-address the request was sent to.
Signed-off-by: David Bauer <mail@david-bauer.net>
- treat RFC6762 'local.' as nxdomain because avahi and other services
will disable if SOA or NS records appear in central DNS.
- allow two threads to be enabled with the 'heavy traffic' variant of
Unbound packages.
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
Expressions '-o', '-a', and '\( \)' within test or '[ ]' are obsolete.
POSIX allows few arguments to test, so long expressions are not
portable. '[ p -a q ]' can be replaced with '[ p ] && [ q ]' instead.
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
- fix AXFR zones to delay a potentially large download with ntp-hotplug
- fix odhcpd link script to properly delete expired lease data from DNS
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
- adjust a few UCI translations to coordinate with upstream defaults
- remove OpenSSL < 1.1.0 API log error patch which is included upstream
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
ssl_set1_host() is not available without openssl-1.1.0. Unbound can not do
host cert verification. DNS over TLS connects, but hosts are unverified. A
patch for log err is added with a noitce in README.md.
(see: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658)
Also, squash some minor robustness and TLS usability fixes.
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
Unbound struggles with boot ifup, so procd triggers changed to push
outside of this noise. Unbound has run in /var/lib/unbound/, so chroot
(jail) protects /etc/, and it can save flash wear. Compiled defaults
reflect this now, so Unbound tools are easier run on the command line.
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
With growing interest, DNS over TLS can be setup in Unbounds foward-zone:
clause. A broader UCI solution is added to support forward-, stub-, and
auth- zone clauses in a new 'zone' section. This implentation required
reworking scripts, because they did not scale. 'forward_domain' and
'prefetch_root' options are removed, and superceded by 'zone' section.
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
When UCI local zone is private and static, Unbound covered private
addresses with defaults. Optional delegated global IP6 prefix
protection lacked a static zone, but it was prevented from appearing
in global DNS responses. Domain names router-as-TLD, "lan." and
"local." were static, but they lacked default SOA or NS such as
Unbound had assinged to private addresses. Clean up these local
zones UCI evaluation and block global DNS inclusion.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
Add the possibility to use Unbound auto-zone: clause to
fetch complete root, arpa, in-addr.arpa, and ip6.arpa
zone files. This can speed up recursion when users
access many ccTLD or connection logging hits many PTR.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
Some resource options bundled many Unbound.conf options and
made customizing on top of UCI difficult. Make it easier to
use Unbound built defaults (blank conf sections).
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
- Add domain_forward to permit designated domains to forward instead
of recurse as listed in resolve.conf.auto from DHCP WAN client
- Update rebind_protection and add rebind_interface to protect IP6
GLA locally just like RFC 1918 protection
- Rename trigger to trigger_interface with backwards compatability
- Update odhcpd script for efficiency handling many clients
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
Enhance the 'control' option to allow using SSL
to connect to the server. Add the 'extended_stats'
option to match 'extended-statistics: yes.'
Document the 'extended_luci' option; it does not
control Unbound, but changes the LuCI tabs.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
With this patch the unbound init routines manage resolv.conf if and only if
when unbound will listen on 127.0.0.1#53 and dnsmasq is not.
Also logs some cases where config values are overriden with sane defaults.
Fixes (partially) LEDE FS#785
Fixesopenwrt/packages#4487
Signed-off-by: Paul Oranje <por@xs4all.nl>
Base LEDE/OpenWrt UCI for dnsmasq provides for DNS override in
/etc/config/dhcp. It is desired to be able to use dnsmasq and
Unbound as transparently as possible. Option 'add_extra_dns'
will pull 'domain', 'mxhost', 'srvhost, and 'cname' from base.
netifd/procd have an interaction with DHCPv6/RA on WAN (FS#713).
Minor IP6 parameter updates can cause Unbound reload events every
few minutes. List option 'trigger' selects which interfaces may
cause reload. For example 'lan', 'wan' but not 'wan6'.
Squash other cosmetics.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
procd interface triggers may be busy. Unbound hard restarts will
flush the cache. This might happen frequently depending on how
interface triggers occur.
Change the procd trigger to reduce occurences. Load this trigger
prior to netifd (START=20), but only truly start Unbound from
the trigger rather than immediately in init. Clean up log entries
in scripts after Unbound, NTP, and DNSSEC are established.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
Unbound is configured to restart on hotplug/iface but this can result
in numerous restarts at boot. Unbound also has a restart for NTP.
This was observed to generate trouble and even with procd robustness
too many crashes might occur (rare). Unbound would not be running.
Give more care to /var/lib/unbound/root.key during restarts. Use procd
for iface restarts. Check pidof() to wait one more second for Unbound.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
options 'add_local_fqdn' and 'add_wan_fqdn' can be affected
by race conditions when they are at level 4. Interface name
may not be returned by network tools. The conf file has bad
record formats and Unbound just will not load. Detect this
and fall back to only the host FQDN (level 3).
squash: improve documentation wording and format codes.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
Unbound UCI tries to protect embedded flash from excess
use. Unbound RFC5011 KSK tracking can rewrite root.key
every few minutes to an hour. It also writes and destroys
files in the same directory during the process.
Recommended UCI delays for copying busy work in /var/
back to /etc/ may be too conservative. These are all
changed from 28 to 9 days.
The RFC5011 KSK results were also destroyed by an
init.d restart, even if /var/ is mounted on persistent
storage like USB drive. /var/lib/unbound/root.key is
now preserved during this process, unless a newer key
is installed in /etc/ manually or package update.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
When for example 'package/net/adblock' and DNSSEC vs NTP robustness
is enabled, significant restart thrashing can occur at boot up. DHCP
lease triggers may be occuring at the same time. Unbounds DNS-DHCP
may be incomplete until new DHCP solicit events. Solve this by
leaving a passive but complete host conf file during lease trigger.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
Bug fix dhcp4_slaac6 option was adding to all IP6 routes.
Filtering was added to this process to only include addresses
served from "this dhcp interface."
adblock 2.3.0 file output is now detected and automatically
integrated into Unbound local-zones. adblock deposites its
block site zone-files into /var/lib/unbound. If this is not
desired, then disable adblock or reconfigure to avoid Unbound.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
Unbound+DHCP (server of your choice) should be able to replicate
a lot of what dnsmasq provides. With this change set Unbound
still works with dnsmasq, but also it can work with a plain
DHCP server. Features have been added within the UCI itself
to act like dnsmasq.
- alone: name each interface relative to router hostname
- alone: prevent upstream leakage of your domain and '.local'
- dnsmasq: use dnsmasq UCI to configure forwarding clauses
- dhcp: work with odhcpd as example of companion DHCP-DNS
- dhcp: convert DHCPv4 leases into EUI64 SLAAC for DNS records
- all: enable encrypted remote unbound-control using splice conf
- all: allow user spliced conf-files for hybrid UCI and manual conf
-- 'unbound_srv.conf' will be spliced into the 'server:' clause
-- 'unbound_ext.conf' will add clauses to the end, example 'forward:'
README HOW TO for dnsmasq-in-serial, dnsmasq-in-parallel, and
unbound-with-odhcpd have better/added UCI starters. HOW TO for
including unbound_srv.conf and unbound_ext.conf are added.
Document new UCI: add_local_fqdn, add_wan_fqdn, dhcp4_slaac6,
dhcp_link, domain, and domain_type
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
This is bare minimum change in 'unbound.sh' and
'dnsmasq.sh' to migrate the UCI option set for
more flexibility. The boolean(s) to link to
dnsmasq are being changed to a state to include
odhcpd. It is executable but a small step for
clear change management.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
- UCI to take advantage of "qname-minimisation-strict:"
- UCI to block chaos reponses bind, server, and version
- UCI to limit or prefer recrusion over IP4 or IP6
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
- UCI option dnsmasq_gate_name typo in few locations
- NTP hotplug to check /etc/init.d/unbound not ..dnsmasq
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
- History: prior to package 1.5.10-3 /var/lib/unbound was not used
- History: prior to package 1.5.10-4 no UCI scripts were provided
- Problem: UCI 'option manual_conf 1' only copied unbound.conf and root.key
- Problem: power users that had complex file nests cannot use this
- Fix: README.md includes instructions for /var/lib/unbound jail
- Fix: unbound.sh copies ALL of /etc/unbound for 'option manual_conf 1'
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
-unbound.sh implements the majority of requirements in README.md
-rootzone.sh reloads a small subset for alternate trigger maintenance
-unbound.init sets procd triggers on Unbound and dnsmasq (dhcp) UCI
-two part commit squashed with Makefile included
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
-Unbound RFC 5011 is busy and writes frequently
-RFC 5011 creates working files in same directory
-DNSSEC root.key managed in /var/lib/unbound
-Protect against flash ROM wear out in /etc/unbound
-Scripts will copy back every 7 days instead
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
Eric Luehrsen
David Bauer
Eric Luehrsen
Peter Wagner
Paul Oranje