This package builds on Unbounds capabilities with OpenWrt UCI. Not every Unbound option is in UCI, but rather, UCI simplifies the combination of related options. Unbounds native options are bundled and balanced within a smaller set of choices. Options include resources, DNSSEC, access control, and some TTL tweaking. The UCI also provides an escape option and work at the raw "unbound.conf" level.
## Work with dnsmasq
-Some UCI options will help Unbound and dnsmasq work together in **parallel**. The default DHCP and DNS stub resolver in OpenWrt is dnsmasq, and it will continue to serve this purpose. The following actions will make Unbound the primary DNS server, and make dnsmasq only provide DNS to local DHCP.
+Some UCI options will help Unbound and dnsmasq work together in **parallel**. The default DHCP and DNS stub resolver in OpenWrt is dnsmasq, and it will continue to serve this purpose. The following partial examples will make Unbound the primary DNS server, and make dnsmasq only provide DNS to local DHCP.
-- Set `unbound` UCI `option dnsmasq_link_dns` to true.
-- Set other `unbound` UCI options how you wish.
-- Set `dnsmasq` UCI `option noresolv` to true.
-- Set `dnsmasq` UCI `option resolvfile` to blank single-quotes.
-- Set `dnsmasq` UCI `option port` to 1053 or 5353.
-- Add to each `dhcp` UCI `list dhcp_option option:dns-server,0.0.0.0`
+**/etc/config/unbound**:
+
+ config unbound
+ option dnsmasq_link_dns '1'
+ ...
+
+**/etc/config/dhcp**:
+
+ config dnsmasq
+ option option noresolv '1'
+ option resolvfile '<empty>'
+ option port '1053'
+ ...
+
+ config dhcp '<name>'
+ list dhcp_option 'option:dns-server,0.0.0.0'
+ ...
Alternatives are mentioned here for completeness. DHCP event scripts which write host records are difficult to formulate for Unbound, NSD, or Bind. These programs sometimes need to be forcefully reloaded with host configuration, and reloads can bust cache. **Serial** configuration between dnsmasq and Unbound can be made on 127.0.0.1 with an off-port like #1053. This may double cache storage and incur unnecessary transfer delay.
Finally, `root.key` maintenance for DNSKEY RFC5011 would be hard on flash. Unbound natively updates frequently. It also creates and destroys working files in the process. In `/var/lib/unbound` this is no problem, but it would be gone at the next reboot. If you have DNSSEC (validator) active, then you should consider this UCI option. Choose how many days to copy from `/var/lib/unbound/root.key` (tmpfs) to `/etc/unbound/root.key` (flash). Keep the DNSKEY updated with your choice of flash activity.
+**/etc/config/unbound**:
+
config unbound
option manual_conf '1'
option root_age '30'
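Review bot: the `/etc/config/dhcp` example has a doubled keyword, `option option noresolv '1'`, which is not valid UCI and will not load if a reader pastes it; it should be `option noresolv '1'`. In the same block `option resolvfile '<empty>'` is a placeholder rather than the literal value the removed text described ("blank single-quotes"); writing it as `option resolvfile ''` makes the example copy-pasteable and unambiguous. Finally the two new examples indent inconsistently (`config unbound` with a single leading space, `config dnsmasq` the same, but the old `root_age` block uses the README's four-space code-block style); aligning them keeps the README rendering as one code block rather than mixed paragraphs.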
config unbound
Currently only one instance is supported.
+ option dns64 '0'
+ Boolean. Enable DNS64 through Unbound in order to bridge networks
+ that are IPV6 only and IPV4 only (see RFC6052).
+
+ option dns64_prefix '64:ff9b::/96'
+ IPV6 Prefix. The IPV6 prefix wrapped on the IPV4 address for DNS64.
+ You should use RFC6052 "well known" address, unless you also
+ redirect to a proxy or gateway for your NAT64.
+
option dnsmasq_gate_name '0'
Boolean. Forward PTR records for interfaces not serving DHCP.
Assume these are WAN. Example dnsmasq option here to provide
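Review bot: the new `dns64` / `dns64_prefix` documentation should warn that the RFC6052 well-known prefix `64:ff9b::/96` is only defined for mapping global IPv4 addresses, so the option is of limited use when the IPv4-only side is private (RFC1918) space unless the NAT64 gateway is configured for a locally assigned prefix, which is exactly the "proxy or gateway" case the text hints at. It should also say that enabling `dns64` changes the resolver pipeline (the `dns64` module is placed ahead of `validator` and `iterator` in `module-config`) so readers understand it is not a pure forwarding knob. Style: "IPV6"/"IPV4" should be "IPv6"/"IPv4", and "You should use RFC6052 "well known" address" reads better as "You should use the RFC6052 well-known prefix".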
UNBOUND_B_CONTROL=0
UNBOUND_B_DNSMASQ=0
UNBOUND_B_DNSSEC=0
+UNBOUND_B_DNS64=0
UNBOUND_B_GATE_NAME=0
UNBOUND_B_LOCL_BLCK=0
UNBOUND_B_LOCL_NAME=0
UNBOUND_B_PRIV_BLCK=1
UNBOUND_B_QUERY_MIN=0
+UNBOUND_IP_DNS64="64:ff9b::/96"
+
UNBOUND_D_RESOURCE=small
UNBOUND_D_RECURSION=passive
unbound_conf() {
local cfg=$1
- local rt_mem rt_conn
+ local rt_mem rt_conn modulestring
{
# Make fresh conf file
logger -t unbound -s "default memory resource consumption"
fi
+ # Assembly of module-config: options is tricky; order matters
+ modulestring="iterator"
+
if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
if [ ! -f "$UNBOUND_TIMEFILE" -a "$UNBOUND_B_NTP_BOOT" -gt 0 ] ; then
{
- # Validation of DNSSEC
- echo " module-config: \"validator iterator\""
echo " harden-dnssec-stripped: yes"
echo " val-clean-additional: yes"
echo " ignore-cd-flag: yes"
- echo
} >> $UNBOUND_CONFFILE
- else
- {
- # Just iteration without DNSSEC
- echo " module-config: \"iterator\""
- echo
- } >> $UNBOUND_CONFFILE
+
+ modulestring="validator $modulestring"
fi
+ if [ "$UNBOUND_B_DNS64" -gt 0 ] ; then
+ echo " dns64-prefix: $UNBOUND_IP_DNS64" >> $UNBOUND_CONFFILE
+
+ modulestring="dns64 $modulestring"
+ fi
+
+
+ {
+ # Print final module string
+ echo " module-config: \"$modulestring\""
+ echo
+ } >> $UNBOUND_CONFFILE
+
+
if [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
# Minor improvement on query privacy
echo " qname-minimisation: yes" >> $UNBOUND_CONFFILE
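Review bot: `dns64-prefix: $UNBOUND_IP_DNS64` is written straight from the UCI value with no sanity check, so a typo in `option dns64_prefix` (or a prefix longer than /96, which Unbound rejects for `dns64-prefix`) produces an `unbound.conf` that fails to parse and the daemon does not start at all; since the feature defaults to off, a check such as falling back to `64:ff9b::/96` with a `logger -t unbound` warning when the value does not look like an IPv6 prefix with a `/` length would keep a bad option from taking resolution down. The order assembled here, `dns64 validator iterator`, matches Unbound's documented `module-config` requirement, so prepending rather than appending is correct; the comment "order matters" could say which order is required so the next editor does not reorder it. Style: the double blank lines before and after the final `module-config` block (after the `dns64` `fi` and after the `>> $UNBOUND_CONFFILE` redirection) should be single.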
####################
# UCI @ unbound #
####################
-
+
+ config_get_bool UNBOUND_B_DNS64 "$cfg" dns64 0
config_get_bool UNBOUND_B_GATE_NAME "$cfg" dnsmsaq_gate_name 0
config_get_bool UNBOUND_B_DNSMASQ "$cfg" dnsmasq_link_dns 0
config_get_bool UNBOUND_B_LOCL_NAME "$cfg" dnsmasq_only_local 0
config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
+ config_get UNBOUND_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96"
config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280
config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53
config_get UNBOUND_D_RECURSION "$cfg" recursion passive
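Review bot: while adding `config_get_bool UNBOUND_B_DNS64 "$cfg" dns64 0` here, note that the neighbouring context line reads `dnsmsaq_gate_name`, but the README documents the option as `dnsmasq_gate_name`; with that spelling the UCI value is never read and `UNBOUND_B_GATE_NAME` stays at its default, so the feature is silently off for anyone who sets it. The new `dns64` and `dns64_prefix` names do match the README, which is the check this hunk passes; fixing the misspelled option in this series (or a follow-up) would be worthwhile since it is the same class of bug. Minor: the default `"64:ff9b::/96"` is now declared both in the defaults file and as the `config_get` fallback here, so changing one without the other would diverge; reading the defaults variable (`config_get UNBOUND_IP_DNS64 "$cfg" dns64_prefix "$UNBOUND_IP_DNS64"`) keeps a single source of truth.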