into MTU issues. Use this size in bytes to manage drop outs.
option extended_luci '0'
- Boolean. Extends a tab hierarchy in LuCI for advanced congfiguration.
+ Boolean. Extends a tab hierarchy in LuCI for advanced configuration.
option extended_stats '0'
Boolean. extended statistics are printed from unbound-control.
option protocol 'mixed'
Unbound can limit its protocol used for recursive queries.
- Set 'ip4_only' to avoid issues if you do not have native IP6.
- Set 'ip6_prefer' to possibly improve performance as well as
- not consume NAT paths for the client computers.
- Do not use 'ip6_only' unless testing.
+ ip4_only - limit issues if you do not have native IPv6
+ ip6_only - test environment only; could cauase problems
+ ip6_prefer - both IPv4 and IPv6 but try IPv6 first
+ mixed - both IPv4 and IPv6
+ default - Unbound built-in defaults
option query_minimize '0'
Boolean. Enable a minor privacy option. Don't let each server know
3 - Plus DHCP-PD range passed down interfaces (not implemented)
option recursion 'passive'
- Unbound has numerous options for how it recurses. This UCI combines
- them into "passive," "aggressive," or Unbound's own "default."
- Passive is easy on resources, but slower until cache fills.
+ Unbound has many options for recrusion but UCI is bundled for simplicity.
+ passive - slower until cache fills but kind on CPU load
+ default - Unbound built-in defaults
+ aggressive - uses prefetching to handle more requests quickly
option resource 'small'
- Unbound has numerous options for resources. This UCI gives "tiny,"
- "small," "medium," and "large." Medium is most like the compiled
- defaults with a bit of balancing. Tiny is close to the published
- memory restricted configuration. Small 1/2 medium, and large 2x.
+ Unbound has many options for resources but UCI is bundled for simplicity.
+ tiny - similar to published memory restricted configuration
+ small - about half of medium
+ medium - similar to default, but fixed for consistency
+ default - Unbound built-in defaults
+ large - about double of medium
option root_age '9'
Days. >90 Disables. Age limit for Unbound root data like root
cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
- logger -t unbound -s "iterator will use built-in root hints"
+ logger -t unbound -s "default root hints (built in rootservers.net)"
fi
fi
$UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
- logger -t unbound -s "validator will use built-in trust anchor"
+ logger -t unbound -s "default trust anchor (built in root DS record)"
fi
fi
# Make fresh conf file
echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
echo
- # No threading
echo "server:"
echo " username: unbound"
+ echo " chroot: \"$UNBOUND_VARDIR\""
+ echo " directory: \"$UNBOUND_VARDIR\""
+ echo " pidfile: \"$UNBOUND_PIDFILE\""
+ echo
+ # No threading
echo " num-threads: 1"
echo " msg-cache-slabs: 1"
echo " rrset-cache-slabs: 1"
echo " outgoing-interface: ::0"
echo
# Logging
+ echo " use-syslog: yes"
echo " verbosity: 1"
echo " statistics-interval: 0"
echo " statistics-cumulative: no"
} >> $UNBOUND_CONFFILE
;;
- *)
+ mixed)
{
echo " do-ip4: yes"
echo " do-ip6: yes"
} >> $UNBOUND_CONFFILE
;;
+
+ *)
+ if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
+ logger -t unbound -s "default protocol configuration"
+ fi
+ ;;
esac
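Review bot: The new `*)` arm treats every unrecognised `protocol` value the same as `default`, so a mistyped `ip4_only` now leaves the resolver on Unbound's built-in protocol settings instead of the explicit `do-ip4: yes` / `do-ip6: yes` lines the old `*)` arm wrote. The only trace is the generic "default protocol configuration" message, which is logged only while `$UNBOUND_TIMEFILE` does not exist and does not include the offending value. I would add an explicit `default)` arm and let `*)` log on every run, e.g. `logger -t unbound -s "unknown protocol value, using Unbound defaults"` with the selector's value included. The `case` statement opens outside this hunk.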
} >> $UNBOUND_CONFFILE
- {
- # Default Files
- echo " use-syslog: yes"
- echo " chroot: \"$UNBOUND_VARDIR\""
- echo " directory: \"$UNBOUND_VARDIR\""
- echo " pidfile: \"$UNBOUND_PIDFILE\""
- } >> $UNBOUND_CONFFILE
-
-
if [ -f "$UNBOUND_HINTFILE" ] ; then
# Optional hints if found
echo " root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE
} >> $UNBOUND_CONFFILE
elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
- logger -t unbound -s "default memory resource consumption"
+ logger -t unbound -s "default memory configuration"
fi
# Assembly of module-config: options is tricky; order matters
} >> $UNBOUND_CONFFILE
- if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
- {
- # Some query privacy but "strict" will break some name servers
- echo " qname-minimisation: yes"
- echo " qname-minimisation-strict: yes"
- } >> $UNBOUND_CONFFILE
-
- elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
- # Minor improvement on query privacy
- echo " qname-minimisation: yes" >> $UNBOUND_CONFFILE
-
- else
- echo " qname-minimisation: no" >> $UNBOUND_CONFFILE
- fi
-
-
case "$UNBOUND_D_RECURSION" in
passive)
{
+ # Some query privacy but "strict" will break some servers
+ if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
+ -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+ echo " qname-minimisation: yes"
+ echo " qname-minimisation-strict: yes"
+ elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+ echo " qname-minimisation: yes"
+ else
+ echo " qname-minimisation: no"
+ fi
+ # Use DNSSEC to quickly understand NXDOMAIN ranges
+ if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
+ echo " aggressive-nsec: yes"
+ echo " prefetch-key: no"
+ fi
+ # On demand fetching
echo " prefetch: no"
- echo " prefetch-key: no"
echo " target-fetch-policy: \"0 0 0 0 0\""
echo
} >> $UNBOUND_CONFFILE
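Review bot: Moving the `qname-minimisation` block into the `passive)` and `aggressive)` arms means a `recursion` value that matches neither (the README lists `default`) no longer writes any `qname-minimisation` line, so `query_minimize '1'` appears to be ignored in that mode. The remaining arm of the `case` is outside the hunk, so this is inferred. Because this is the privacy option, I would keep the block above `case "$UNBOUND_D_RECURSION" in`, where it does not depend on the recursion mode, or at least document the dependency in the README. That would also remove the verbatim copy in the `aggressive)` hunk. The compound test is less ambiguous as `[ "$UNBOUND_B_QRY_MINST" -gt 0 ] && [ "$UNBOUND_B_QUERY_MIN" -gt 0 ]` than with `-a`.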
aggressive)
{
+ # Some query privacy but "strict" will break some servers
+ if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
+ -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+ echo " qname-minimisation: yes"
+ echo " qname-minimisation-strict: yes"
+ elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+ echo " qname-minimisation: yes"
+ else
+ echo " qname-minimisation: no"
+ fi
+ # Use DNSSEC to quickly understand NXDOMAIN ranges
+ if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
+ echo " aggressive-nsec: yes"
+ echo " prefetch-key: yes"
+ fi
+ # Prefetch what can be
echo " prefetch: yes"
- echo " prefetch-key: yes"
echo " target-fetch-policy: \"3 2 1 0 0\""
echo
} >> $UNBOUND_CONFFILE