DNS flag day 2020, software should reflect the minimum EDNS 1232 bytes.
Added iface_wan and iface_lan to control internal DNS assignments and
to control what is local service ACL. Interface wild cards are not
explicitly set so that they can be customized in extended conf.
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
# Unbound Recursive DNS Server with UCI
+<!-- markdownlint-disable -->
## Unbound Description
[Unbound](https://www.unbound.net/) is a validating, recursive, and caching DNS resolver. The C implementation of Unbound is developed and maintained by [NLnet Labs](https://www.nlnetlabs.nl/). It is based on ideas and algorithms taken from a java prototype developed by Verisign labs, Nominet, Kirei and ep.net. Unbound is designed as a set of modular components, so that also DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible.
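Review bot: `<!-- markdownlint-disable -->` with no rule list switches off every markdownlint check for the rest of the file; if the aim is to silence the long table rows, disable only the line-length rule (`<!-- markdownlint-disable MD013 -->`) so the other checks still run.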
| --- | ------- | ----- | ----------- | ------- |
| add_extra_dns | 0 | level | Read OpenWrt traditional options for `dnsmasq`.<br>`0`: Disabled<br>`1`: Use only domain<br>`2`: Use domain, mxhost, and srvhost<br>`3`: Use all cname, domain, mxhost, and srvhost | local-data: |
| add_local_fqdn | 0 | level | Each level puts a more detailed router entry within the LAN DNS (except link).<br>`0`: Disabled<br>`1`: Host name on the primary address<br>`2`: Host name on all addresses<br>`3`: FQDN and host name on all addresses<br>`4`: FQDN defined by "iface.hostname.domain" | local-zone: local-data: |
-| add_wan_fqdn | 0 | level | Same as `add_local_fqdn` but on WAN as inferred by `config dhcp` with `option ignore 1`. | local-zone: local-data: |
+| add_wan_fqdn | 0 | level | Same as `add_local_fqdn` but on WAN as listed in `iface_wan` | local-zone: local-data: |
| dns64 | 0 | boolean | Enable DNS64 RFC6052 to bridge IPv4 and IPv6 networks. | module: dns64 |
| dns64_prefix | 64:ff9b::/96 | subnet | DNS64 RFC6052 IPv4 in IPv6 well known prefix. | dns64-prefix: |
| dhcp_link | none | program | Link to a DHCP server with supported scripts. See HOW TO above. | local-zone: local-data: forward-zone: |
| domain | lan | domain | This will suffix DHCP host records and be the default search domain. | local-zone: |
| domain_insecure | (empty) | domain | **List** domains that you wish to skip DNSSEC. It is one way around NTP chicken and egg. Your DHCP domains are automatically included. | domain-insecure: |
| domain_type | static | state | This allows you to lock down or allow forwarding of the local zone.<br>`static`: no forwarding like dnsmasq default<br>`refuse`: answer overtly with REFUSED<br>`deny`: covertly drop all queries<br>`transparent`: may continue forwarding or recusion | local-zone: |
-| edns_size | 1280 | bytes | Extended DNS is necessary for DNSSEC. Use this to manage MTU issues. | edns-size: |
+| edns_size | 1232 | bytes | Extended DNS is necessary for DNSSEC. Use this to manage MTU issues. | edns-size: |
| extended_stats | 0 | boolean | Extended statistics are stored in Unbound memory for report by `unbound-control`. | extended-statistics: |
| hide_binddata | 1 | boolean | Refuse possible attack queries like version.server, version.bind, id.server, and hostname.bind. | hide-identity: hide-version: |
-| interface_auto | 1 | boolean | RECOMMEND ENABLED otherwise Unbound answers to any attached address regardless of query in-address. | interface-automatic: |
+| iface_lan | lan | interface | **List** to add interafaces you wish to consider to be LAN beyond those served by DHCP | interface: access-control: |
+| iface_trig | lan wan | interface | **List** interfaces to watch IFUP to restart Unbound. This works around `netifd` and `procd` hyper activity with WAN DHCPv6 (else restart each 2-3 minutes). | - |
+| iface_wan | wan | interface | **List** interafaces you wish to consider to be WAN for masked local zone purposes | interface-outgoing: |
+| interface_auto | 1 | boolean | RECOMMEND ENABLED otherwise Unbound answers to any attached address regardless of query in-address. This also binds Unboud to the wild card address. | interface-automatic: |
| listen_port | 53 | port | Inbound port where Unbound will listen for queries. | port: |
| localservice | 1 | boolean | Prevent DNS amplification attacks. Only answer to subnets this machine has interfaces on. | access-control: |
| manual_conf | 0 | boolean | Skip all this UCI nonsense. Manually edit the configuration in `/etc/unbound/unbound.conf`. | - |
| recursion | passive | state | Unbound has many options for recrusion but UCI is bundled for simplicity.<br>`passive`: slower until cache fills but kind on CPU load<br>`default`: built-in defaults<br>`aggressive`: uses prefetching to handle more requests quickly | (many) |
| resource | small | state | Unbound has many options for memory resources but UCI is bundled for simplicity.<br>`tiny`: similar to published memory restricted configuration<br>`small`: about half of medium<br>`medium`: similar to default<br>`default`: built-in defaults<br>`large`: about double of medium | \*-cache-size: |
| root_age | 9 | day | >90 Disables. Age limit for root data like root DNSSEC key. Scripts will copy from `tmps` to flash ROM with this limit to save write life. | - |
-| trigger_interface | lan wan | interface | **List** interfaces to watch IFUP to restart Unbound. This works around `netifd` and `procd` hyper activity with WAN DHCPv6 (else restart each 2-3 minutes). | - |
| ttl_min | 120 | second | Minimum TTL in cache to avoid abused low TTL for snoop-vertising and non-standard load balancing. Typical to configure maybe 0~300 but 1800 is the maximum accepted. | cache-min-ttl: |
| unbound_control | 0 | level | Enables `unbound-control` application access ports.<br>`0`: None else add your own in unbound_ext.conf<br>`1`: Unencrypted Local Host Access<br>`2`: SSL Local Host Access w/ auto unbound-control-setup<br>`3`: SSL Network Access w/ auto unbound-control-setup<br>`4`: SSL Network Access; static key/pem files must already exist | unbound-control: ... (clause) |
| validator | 0 | boolean | Enable DNSSEC validator module. | module: validator |
Confingure any mix of Unbound `forward-zone:`, `stub-zone:`, or `auth-zone:` clauses. These sections are more compact than Unbound and will unroll into Unbound's configuration syntax.
| UCI | Default | Units | Description | Unbound |
| --- | ------- | ----- | ----------- | ------- |
-| dns_assist | none | program | Check against local host forwarding by requiring a target program to exist and be enabled else do not permit forwarding `127.0.0.0/8` or `::1`. Includes bind, dnsmasq, ipset-dns, and nsd. | forward-addr: |
+| dns_assist | none | program | Check against local host forwarding by requiring a target program to exist and be enabled else do not permit forwarding `127.0.0.0/8` or `::1`. Includes bind, dnsmasq, http-proxy-dns, ipset-dns, and nsd. | forward-addr: |
| enabled | 0 | boolean | turn zone on or off without deleting it | - |
| fallback | 1 | boolean | Allow this zone to fall through to other zones or recursion. | forward-first: |
| port | 53 | port | Target server's target port for plain DNS operations. | (auto 192.0.2.53 \#53)
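Review bot: the new `iface_lan` and `iface_wan` rows misspell "interfaces" as "interafaces", and the `interface_auto` row has "Unboud" for "Unbound". The `iface_lan` row also gives a default of `lan`, but a UCI list read with `config_list_foreach` has no implicit default, so either write "(empty)" as the `domain_insecure` row does or ship `list iface_lan 'lan'` in the default config. The `localservice` row still says "subnets this machine has interfaces on", which no longer describes an ACL built from the LAN list only; suggest "subnets on interfaces in `iface_lan` or served by DHCP".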
#
##############################################################################
+# while useful (sh)ellcheck is pedantic and noisy
+# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
+
# where are we?
+UB_ETCDIR=/etc/unbound
UB_LIBDIR=/usr/lib/unbound
UB_VARDIR=/var/lib/unbound
UB_PIDFILE=/var/run/unbound.pid
# TLS keys
UB_TLS_KEY_FILE="TLS server UCI not implemented"
UB_TLS_PEM_FILE="TLS server UCI not implemented"
-UB_TLS_FWD_FILE=$UB_VARDIR/ca-certificates.crt
UB_TLS_ETC_FILE=/etc/ssl/certs/ca-certificates.crt
# start files
UB_SKIP_FILE=$UB_VARDIR/skip.time
# control app keys
-UB_CTLKEY_FILE=$UB_VARDIR/unbound_control.key
-UB_CTLPEM_FILE=$UB_VARDIR/unbound_control.pem
-UB_SRVKEY_FILE=$UB_VARDIR/unbound_server.key
-UB_SRVPEM_FILE=$UB_VARDIR/unbound_server.pem
+UB_CTLKEY_FILE=$UB_ETCDIR/unbound_control.key
+UB_CTLPEM_FILE=$UB_ETCDIR/unbound_control.pem
+UB_SRVKEY_FILE=$UB_ETCDIR/unbound_server.key
+UB_SRVPEM_FILE=$UB_ETCDIR/unbound_server.pem
# similar default SOA / NS RR as Unbound uses for private ARPA zones
UB_XSER=$(( $( date +%s ) / 60 ))
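Review bot: the `# shellcheck disable=...` line at the top of this file is repeated verbatim in every script touched by this change; a single `.shellcheckrc` in the package with the same `disable=` list leaves one copy to maintain. The list also includes SC2086, which hides unquoted expansions such as `chmod 644 $UB_VARDIR/*` and `cp -p $UB_ETCDIR/*.conf $UB_VARDIR/`; these paths are fixed and space-free today, so it is harmless, but keeping SC2086 on and quoting the variables (`"$UB_ETCDIR"/*.conf`) is the cheaper long-term option.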
#
##############################################################################
+# while useful (sh)ellcheck is pedantic and noisy
+# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
+
DM_D_WAN_FQDN=0
DM_LIST_KNOWN_ZONES="invalid"
#
##############################################################################
+# while useful (sh)ellcheck is pedantic and noisy
+# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
+
+UB_IPTOOLS_BLANK=
+
+##############################################################################
+
domain_ptr_ip6() {
# Get the nibble rounded /CIDR ...ip6.arpa.
echo "$1" | awk -F: \
#
##############################################################################
+# while useful (sh)ellcheck is pedantic and noisy
+# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
+
+UB_ODHCPD_BLANK=
+
+##############################################################################
+
odhcpd_zonedata() {
. /lib/functions.sh
. /usr/lib/unbound/defaults.sh
#
##############################################################################
+# while useful (sh)ellcheck is pedantic and noisy
+# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
+
. /usr/lib/unbound/defaults.sh
##############################################################################
#
##############################################################################
+# while useful (sh)ellcheck is pedantic and noisy
+# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
+
START=19
STOP=50
USE_PROCD=1
##############################################################################
service_triggers() {
- local legacy=$( uci_get unbound.@unbound[0].trigger )
- local triggers=$( uci_get unbound.@unbound[0].trigger_interface )
- local trigger="$triggers $legacy"
+ local legacy1=$( uci_get unbound.@unbound[0].trigger )
+ local legacy2=$( uci_get unbound.@unbound[0].trigger_interface )
+ local legacy3=$( uci_get unbound.@unbound[0].iface_trig )
+ local triggers="$legacy1 $legacy2 $legacy3"
. /usr/lib/unbound/defaults.sh
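Review bot: `legacy1`..`legacy3` hide which option is the current one; `iface_trig` is the documented name (the README now lists only `iface_trig`), so read it into `triggers` and keep `legacy_*` names for `trigger` and `trigger_interface`, and emit a `logger` hint when a legacy name is still set so users know to migrate their UCI.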
#
##############################################################################
-# Common file location definitions
+# while useful (sh)ellcheck is pedantic and noisy
+# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
+
. /usr/lib/unbound/defaults.sh
##############################################################################
-if [ ! -f "$UB_TIME_FILE" -a "$ACTION" = stratum ] ; then
+if [ ! -f "$UB_TIME_FILE" ] && [ "$ACTION" = stratum ] ; then
date -Is > $UB_TIME_FILE
/etc/init.d/unbound enabled && /etc/init.d/unbound restart
# Yes, hard RESTART. We need to be absolutely sure to enable DNSSEC.
#
##############################################################################
+# while useful (sh)ellcheck is pedantic and noisy
+# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
+
UB_B_AUTH_ROOT=0
UB_B_DNS_ASSIST=0
UB_B_DNSSEC=0
UB_IP_DNS64="64:ff9b::/96"
-UB_N_EDNS_SIZE=1280
+UB_N_EDNS_SIZE=1232
UB_N_RX_PORT=53
UB_N_ROOT_AGE=9
UB_N_THREADS=1
##############################################################################
-bundle_lan_networks() {
+bundle_dhcp_networks() {
local cfg="$1"
local interface ifsubnet ifname ifdashname ignore
##############################################################################
+bundle_lan_networks() {
+ local interface="$1"
+ local ifsubnet ifname ifdashname
+
+ network_get_device ifname "$interface"
+ ifdashname="${ifname//./-}"
+
+
+ if [ -n "$ifdashname" ] && [ -n "$UB_LIST_NETW_ALL" ] ; then
+ for ifsubnet in $UB_LIST_NETW_ALL ; do
+ case $ifsubnet in
+ "${ifdashname}"@*)
+ # Special GLA protection for local block; ULA protected default
+ UB_LIST_NETW_LAN="$UB_LIST_NETW_LAN $ifsubnet"
+ ;;
+ esac
+ done
+ fi
+}
+
+##############################################################################
+
bundle_wan_networks() {
- local ifsubnet
+ local interface="$1"
+ local ifsubnet ifname ifdashname
+
+ network_get_device ifname "$interface"
+ ifdashname="${ifname//./-}"
- if [ -n "$UB_LIST_NETW_ALL" ] ; then
+ if [ -n "$ifdashname" ] && [ -n "$UB_LIST_NETW_ALL" ] ; then
for ifsubnet in $UB_LIST_NETW_ALL ; do
case $UB_LIST_NETW_LAN in
*"${ifsubnet}"*)
- # If LAN, then not WAN ...
+ # If LAN, then not WAN ... scripts might become complex
;;
*)
- UB_LIST_NETW_WAN="$UB_LIST_NETW_WAN $ifsubnet"
+ case $ifsubnet in
+ "${ifdashname}"@*)
+ # Special GLA protection for local block; ULA protected default
+ UB_LIST_NETW_WAN="$UB_LIST_NETW_WAN $ifsubnet"
+ ;;
+ esac
;;
esac
done
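Review bot: `bundle_lan_networks` appends to `UB_LIST_NETW_LAN` without checking for an existing entry, so if `bundle_dhcp_networks` (its body is not in the diff) also fills that list, an interface both listed in `iface_lan` and served by DHCP is added twice and later yields duplicate `access-control:` lines; guard the append with the substring test `bundle_wan_networks` already uses (`case $UB_LIST_NETW_LAN in *"${ifsubnet}"*) ;; *) append ;; esac`). The comment "Special GLA protection for local block; ULA protected default" now sits in both functions above a plain device-name match and no longer describes what the arm does; update or drop it. There are also two consecutive blank lines after `ifdashname=` in `bundle_lan_networks`.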
mkdir -p $UB_VARDIR
rm -f $UB_VARDIR/dhcp_*
touch $UB_TOTAL_CONF
- cp -p /etc/unbound/* $UB_VARDIR/
+ cp -p $UB_ETCDIR/*.conf $UB_VARDIR/
+ cp -p $UB_ETCDIR/root.* $UB_VARDIR/
if [ ! -f $UB_RHINT_FILE ] ; then
fi
- if [ -f $UB_TLS_ETC_FILE ] ; then
- # copy the cert bundle into jail
- cp -p $UB_TLS_ETC_FILE $UB_TLS_FWD_FILE
- fi
-
-
# Ensure access and prepare to jail
chown -R unbound:unbound $UB_VARDIR
chmod 755 $UB_VARDIR
chmod 644 $UB_VARDIR/*
- if [ -f $UB_CTLKEY_FILE ] || [ -f $UB_CTLPEM_FILE ] \
- || [ -f $UB_SRVKEY_FILE ] || [ -f $UB_SRVPEM_FILE ] ; then
- # Keys (some) exist already; do not create new ones
- chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
- $UB_SRVKEY_FILE $UB_SRVPEM_FILE
-
- elif [ -x /usr/sbin/unbound-control-setup ] ; then
- case "$UB_D_CONTROL" in
- [2-3])
- # unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static"
- /usr/sbin/unbound-control-setup -d $UB_VARDIR
-
- chown -R unbound:unbound $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
- $UB_SRVKEY_FILE $UB_SRVPEM_FILE
+ if [ -x /usr/sbin/unbound-control-setup ] ; then
+ if [ ! -f $UB_CTLKEY_FILE ] || [ ! -f $UB_CTLPEM_FILE ] \
+ || [ ! -f $UB_SRVKEY_FILE ] || [ ! -f $UB_SRVPEM_FILE ] ; then
+ case "$UB_D_CONTROL" in
+ [2-3])
+ # unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static"
+ /usr/sbin/unbound-control-setup -d $UB_ETCDIR
- chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
- $UB_SRVKEY_FILE $UB_SRVPEM_FILE
+ chown -R unbound:unbound $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
+ $UB_SRVKEY_FILE $UB_SRVPEM_FILE
- cp -p $UB_CTLKEY_FILE /etc/unbound/unbound_control.key
- cp -p $UB_CTLPEM_FILE /etc/unbound/unbound_control.pem
- cp -p $UB_SRVKEY_FILE /etc/unbound/unbound_server.key
- cp -p $UB_SRVPEM_FILE /etc/unbound/unbound_server.pem
- ;;
- esac
+ chmod 640 $UB_CTLKEY_FILE $UB_CTLPEM_FILE \
+ $UB_SRVKEY_FILE $UB_SRVPEM_FILE
+ ;;
+ esac
+ fi
fi
fi
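Review bot: the `chmod 640` on pre-existing control keys is lost: before, any existing key/pem file was set to 640 regardless of `UB_D_CONTROL`, while now the chmod runs only inside the `[2-3]` arm after `unbound-control-setup`, so static keys for option 4 (and keys present from an earlier run) keep whatever mode they have; add an unconditional `chmod 640` over whichever of the four files exist after the `if` block. Separately, `cp -p $UB_ETCDIR/*.conf` and `root.*` replace `cp -p /etc/unbound/*`, so the key/pem files are no longer copied into `$UB_VARDIR`; the clause that emits `server-key-file:` and friends is not in this diff, so please confirm it uses the new `$UB_ETCDIR` paths and that Unbound can open them from inside the `$UB_VARDIR` jail. `cp -p $UB_ETCDIR/root.*` also prints an error on a fresh install where no `root.*` exists yet; guard it or redirect stderr.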
;;
+ htpps-dns-proxy)
+ if [ -x /usr/sbin/https-dns-proxy ] \
+ && [ -x /etc/init.d/https-dns-proxy ] ; then
+ if /etc/init.d/https-dns-proxy ; then
+ dns_ast=1
+ else
+ dns_ast=0
+ fi
+ else
+ dns_ast=0
+ fi
+ ;;
+
ipset-dns)
if [ -x /usr/sbin/ipset-dns ] && [ -x /etc/init.d/ipset-dns ] ; then
if /etc/init.d/ipset-dns enabled ; then
fi
;;
+ unprotected-loop)
+ # Soft brick risk. The server you are looking to connect to may be offline
+ # and cause loop error: procd, sysupgrade, package order, and other issues.
+ dns_ast=1
+ ;;
+
*)
- # Prevent a soft-brick event through local forwarding loops. Declare your
- # assistant program and this will check to be sure it is there.
+ # Unbound has a local forward blocking option, default on, instead of loop
+ # detection. If it is released, then it may be a soft brick risk.
dns_ast=0
+ ;;
esac
;;
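Review bot: the new case label `htpps-dns-proxy)` is misspelled, so a UCI value of `https-dns-proxy` (the binary and init script tested inside the arm) never matches and falls through to `*)` with `dns_ast=0`; rename the label and use the same spelling in the README `dns_assist` row, which currently says `http-proxy-dns`. Inside the arm, `if /etc/init.d/https-dns-proxy ; then` calls the init script with no action, unlike the `ipset-dns` arm which calls `... enabled`; add `enabled`. The `unprotected-loop` choice, with its soft-brick caveat, is not described in the README row either.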
forward_zone)
- if [ ! -f $UB_TLS_FWD_FILE ] && [ "$tls_upstream" = "yes" ] ; then
+ if [ ! -f $UB_TLS_ETC_FILE ] && [ "$tls_upstream" = "yes" ] ; then
logger -p 4 -t unbound -s \
"Forward-zone TLS benefits from authentication in package 'ca-bundle'"
fi
else
case $server in
+ 127.*|::0*)
+ # soft brick loop back risk see DNS assist above
+ echo "do nothing" >/dev/null
+ ;;
+
*@[0-9]*|*#[A-Za-z0-9]*)
# unique Unbound option for server host name
servers_host="$servers_host $server"
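Review bot: the loopback guard `127.*|::0*)` does not match IPv6 loopback: `::0*` only matches addresses beginning with `::0` (the unspecified address), while the README `dns_assist` row names `::1`. Use `127.*|::1|::1@*|::1#*)` since servers may carry `@port` or `#name` suffixes, as the next arm shows, or at minimum `::1*`. The placeholder `echo "do nothing" >/dev/null` can simply be `:`.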
} > $UB_CORE_CONF
- if [ -f "$UB_TLS_FWD_FILE" ] ; then
+ if [ -f "$UB_TLS_ETC_FILE" ] ; then
# TLS cert bundle for upstream forwarder and https zone files
# This is loaded before drop to root, so pull from /etc/ssl
- echo " tls-cert-bundle: $UB_TLS_FWD_FILE" >> $UB_CORE_CONF
+ echo " tls-cert-bundle: $UB_TLS_ETC_FILE" >> $UB_CORE_CONF
fi
if [ $UB_B_EXT_STATS -gt 0 ] ; then
{
- # Log More
+ # store more data in memory for unbound-control to report
echo " extended-statistics: yes"
echo
} >> $UB_CORE_CONF
else
{
- # Log Less
+ # store Less
echo " extended-statistics: no"
echo
} >> $UB_CORE_CONF
fi
+ {
+ # avoid interference with SPI/NAT on both reserved and common server ports
+ echo " edns-buffer-size: $UB_N_EDNS_SIZE"
+ echo " port: $UB_N_RX_PORT"
+ echo " outgoing-port-permit: 10240-65535"
+ } >> $UB_CORE_CONF
+
+
case "$UB_D_PROTOCOL" in
ip4_only)
{
- echo " edns-buffer-size: $UB_N_EDNS_SIZE"
- echo " port: $UB_N_RX_PORT"
- echo " outgoing-port-permit: 10240-65535"
- echo " interface: 0.0.0.0"
- echo " outgoing-interface: 0.0.0.0"
echo " do-ip4: yes"
echo " do-ip6: no"
echo
ip6_only)
{
- echo " edns-buffer-size: $UB_N_EDNS_SIZE"
- echo " port: $UB_N_RX_PORT"
- echo " outgoing-port-permit: 10240-65535"
- echo " interface: ::0"
- echo " outgoing-interface: ::0"
echo " do-ip4: no"
echo " do-ip6: yes"
echo
} >> $UB_CORE_CONF
;;
- ip6_local)
+ ip6_local)
{
- echo " edns-buffer-size: $UB_N_EDNS_SIZE"
- echo " port: $UB_N_RX_PORT"
- echo " outgoing-port-permit: 10240-65535"
- echo " interface: 0.0.0.0"
- echo " interface: ::0"
- echo " outgoing-interface: 0.0.0.0"
+ # answer your local IPv6 network but avoid broken ISP IPv6
echo " do-ip4: yes"
echo " do-ip6: yes"
+ echo " prefer-ip4: yes"
+ echo " prefer-ip6: no"
echo
} >> $UB_CORE_CONF
;;
ip6_prefer)
{
- echo " edns-buffer-size: $UB_N_EDNS_SIZE"
- echo " port: $UB_N_RX_PORT"
- echo " outgoing-port-permit: 10240-65535"
- echo " interface: 0.0.0.0"
- echo " interface: ::0"
- echo " outgoing-interface: 0.0.0.0"
- echo " outgoing-interface: ::0"
+ # RFC compliant dual stack
echo " do-ip4: yes"
echo " do-ip6: yes"
+ echo " prefer-ip4: no"
echo " prefer-ip6: yes"
echo
} >> $UB_CORE_CONF
mixed)
{
- # Interface Wildcard (access contol handled by "option local_service")
- echo " edns-buffer-size: $UB_N_EDNS_SIZE"
- echo " port: $UB_N_RX_PORT"
- echo " outgoing-port-permit: 10240-65535"
- echo " interface: 0.0.0.0"
- echo " interface: ::0"
- echo " outgoing-interface: 0.0.0.0"
- echo " outgoing-interface: ::0"
echo " do-ip4: yes"
echo " do-ip6: yes"
echo
if [ $UB_B_READY -eq 0 ] ; then
logger -t unbound -s "default protocol configuration"
fi
-
-
- {
- # outgoing-interface has useful defaults; incoming is localhost though
- echo " edns-buffer-size: $UB_N_EDNS_SIZE"
- echo " port: $UB_N_RX_PORT"
- echo " outgoing-port-permit: 10240-65535"
- echo " interface: 0.0.0.0"
- echo " interface: ::0"
- echo
- } >> $UB_CORE_CONF
;;
esac
fi
- if [ $UB_B_LOCL_SERV -gt 0 ] && [ -n "$UB_LIST_NETW_ALL" ] ; then
+ if [ $UB_B_LOCL_SERV -gt 0 ] && [ -n "$UB_LIST_NETW_LAN" ] ; then
{
- for ifsubnet in $UB_LIST_NETW_ALL ; do
+ for ifsubnet in $UB_LIST_NETW_LAN ; do
# Only respond to queries from subnets which have an interface.
# Prevent DNS amplification attacks by not responding to the universe.
echo " access-control: ${ifsubnet#*@} allow"
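Review bot: dropping the `interface: 0.0.0.0` / `interface: ::0` lines means that with `interface_auto '0'` no `interface:` line is written at all and Unbound falls back to its built-in default of listening on localhost only; the commit message says users then add interfaces in the extended conf, but neither the script nor the README `interface_auto` row says so. Suggest a `logger` hint in the `*)` path when interface_auto is off, plus one sentence in the README. The `access-control:` loop now iterates `UB_LIST_NETW_LAN` instead of `UB_LIST_NETW_ALL`, so interfaces in neither `iface_lan` nor a DHCP section are refused; that is fail-closed and looks intended, but worth stating in the commit message.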
config_get UB_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96"
- config_get UB_N_EDNS_SIZE "$cfg" edns_size 1280
+ config_get UB_N_EDNS_SIZE "$cfg" edns_size 1232
config_get UB_N_RX_PORT "$cfg" listen_port 53
config_get UB_N_ROOT_AGE "$cfg" root_age 9
config_get UB_N_THREADS "$cfg" num_threads 1
config_get UB_TTL_MIN "$cfg" ttl_min 120
config_get UB_TXT_DOMAIN "$cfg" domain lan
- config_list_foreach "$cfg" domain_insecure bundle_domain_insecure
-
+ config_list_foreach "$cfg" domain_insecure bundle_domain_insecure
+ config_list_foreach "$cfg" iface_lan bundle_lan_networks
+ config_list_foreach "$cfg" iface_wan bundle_wan_networks
if [ "$UB_D_DHCP_LINK" = "none" ] ; then
config_get_bool UB_B_DNSMASQ "$cfg" dnsmasq_link_dns 0
if [ $UB_N_EDNS_SIZE -lt 512 ] || [ 4096 -lt $UB_N_EDNS_SIZE ] ; then
logger -t unbound -s "edns_size exceeds range, using default"
- UB_N_EDNS_SIZE=1280
+ UB_N_EDNS_SIZE=1232
fi
##############################################################################
unbound_start() {
+ # get interface subnets together
+ config_load network
+ config_foreach bundle_all_networks interface
+
+ # read Unbound UCI but pick through it later
config_load unbound
config_foreach unbound_uci unbound
unbound_mkdir
# forward-zone: auth-zone: and stub-zone:
config_foreach unbound_zone zone
# associate potential DNS RR with interfaces
- config_load network
- config_foreach bundle_all_networks interface
config_load dhcp
- config_foreach bundle_lan_networks dhcp
- bundle_wan_networks
+ config_foreach bundle_dhcp_networks dhcp
# server:
unbound_conf
unbound_hostname
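Review bot: `bundle_wan_networks` skips subnets already in `UB_LIST_NETW_LAN`, but it now runs from `unbound_uci` via `config_list_foreach ... iface_wan` before `config_foreach bundle_dhcp_networks dhcp` fills the LAN list from DHCP sections, so at that point only `iface_lan` entries are excluded; an interface named in `iface_wan` that also has a DHCP section lands in both lists. Either run the `iface_wan` pass after the dhcp loop (reloading the unbound config first, since `config_load dhcp` replaces it) or collect the list in `unbound_uci` and bundle it at the end of `unbound_start`.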
-config unbound
+config unbound 'ub_main'
option add_extra_dns '0'
option add_local_fqdn '1'
option add_wan_fqdn '0'
option dns64_prefix '64:ff9b::/96'
option domain 'lan'
option domain_type 'static'
- option edns_size '1280'
+ option edns_size '1232'
option extended_stats '0'
option hide_binddata '1'
option interface_auto '1'
option validator '0'
option validator_ntp '1'
option verbosity '1'
- list trigger_interface 'lan'
- list trigger_interface 'wan'
+ list iface_trig 'lan'
+ list iface_trig 'wan'
+ list iface_wan 'wan'
#list domain_insecure 'ntp.example.com'
-config zone
+config zone 'auth_icann'
# cache the root zone all at once to speed up recursion
option enabled '0'
option fallback '1'
list zone_name 'in-addr.arpa.'
list zone_name 'ip6.arpa.'
-config zone
+config zone 'fwd_isp'
# forward ISP account management to DHCP announced DNS servers
option enabled '0'
option fallback '1'
list zone_name 'isp-bill.example.com.'
list zone_name 'isp-mail.example.net.'
+config zone 'fwd_google'
+ option enabled '0'
+ option fallback '1'
+ option tls_index 'dns.google'
+ option tls_upstream '1'
+ option zone_type 'forward_zone'
+ list server '8.8.4.4'
+ list server '8.8.8.8'
+ list server '2001:4860:4860::8844'
+ list server '2001:4860:4860::8888'
+ list zone_name '.'
+
+config zone 'fwd_cloudflare'
+ option enabled '0'
+ option fallback '1'
+ option tls_index 'cloudflare-dns.com'
+ option tls_upstream '1'
+ option zone_type 'forward_zone'
+ list server '1.1.1.1'
+ list server '1.0.0.1'
+ list server '2606:4700:4700::1111'
+ list server '2606:4700:4700::1001'
+ list zone_name '.'
+
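Review bot: `list iface_wan 'wan'` is shipped but there is no matching `list iface_lan 'lan'`, although the README row gives `lan` as the `iface_lan` default; ship the entry (LAN still works through the DHCP section either way) or correct the README. The two new TLS forward zones are disabled, but `option fallback '1'` with `zone_name '.'` maps to `forward-first`, so a user who merely enables one gets recursion fallback rather than all queries pinned to the TLS forwarder; a comment noting that `fallback '0'` is needed for that would help. There is also a trailing blank line at end of file.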