4 - Above and interfaces named <iface>.<hostname>.<domain>
option add_wan_fqdn '0'
- Level. Same as previous option only this applies to the WAN. WAN
- are inferred by a UCI `config dhcp` entry that contains the line
- option ignore '1'.
+ Level. Same as previous option only this applies to the WAN. WAN are
+ inferred by a UCI `config dhcp` entry that contains the 'option ignore 1'.
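Review bot: the rewrapped second line changes the UCI syntax it quotes: the original `option ignore '1'` became `'option ignore 1'`, which is not how the value is written in a UCI config file. Keep the original form, e.g. "that contains `option ignore '1'`", and while touching the line, "WAN are inferred" reads better as "WANs are inferred".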
option dns64 '0'
- Boolean. Enable DNS64 through Unbound in order to bridge networks
- that are IPV6 only and IPV4 only (see RFC6052).
+ Boolean. Enable DNS64 through Unbound in order to bridge networks that are
+ IPV6 only and IPV4 only (see RFC6052).
option dns64_prefix '64:ff9b::/96'
- IPV6 Prefix. The IPV6 prefix wrapped on the IPV4 address for DNS64.
- You should use RFC6052 "well known" address, unless you also
- redirect to a proxy or gateway for your NAT64.
+ IPV6 Prefix. The IPV6 prefix wrapped on the IPV4 address for DNS64. You
+ should use RFC6052 "well known" address, unless you also redirect to a proxy
+ or gateway for your NAT64.
option dhcp_link 'none'
Program Name. Link to one of the supported programs we have scripts
Boolean. Skip all this UCI nonsense. Manually edit the
configuration. Make changes to /etc/unbound/unbound.conf.
+ option num_threads '1'
+ Count. Enable multithreading with the "heavy traffic" variant. Base variant
+ spins each as whole proces and is not efficient. Two threads may be used,
+ but they use one shared cache slab. More edges into an industrial setup,
+ and UCI simplificaitons may not be appropriate.
+
option protocol 'mixed'
Unbound can limit its protocol used for recursive queries.
ip4_only - old fashioned IPv4 upstream and downstream
default - Unbound built-in defaults
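Review bot: the new num_threads description does not say what the script actually does with the value. The shell change in this same patch only ever emits `num-threads: 1` or `num-threads: 2`, and it silently falls back to 1 when the installed binary is not the libevent build, so the README should state that any value above 1 means two threads and that the option has no effect on the light variant. Also fix the typos "proces" and "simplificaitons", and "Base variant spins each as whole proces and is not efficient" is hard to parse; suggest "The base variant runs each thread as a separate process, which is not efficient."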
option query_minimize '0'
- Boolean. Enable a minor privacy option. Don't let each server know
- the next recursion. Query one piece at a time.
+ Boolean. Enable a minor privacy option. Don't let each server know the next
+ recursion. Query one piece at a time.
option query_min_strict '0'
- Boolean. Query minimize is best effort and will fall back to normal
- when it must. This option prevents the fall back, but less than
- standard name servers will fail to resolve their domains.
+ Boolean. Query minimize is best effort and will fall back to normal when it
+ must. This option prevents the fall back, but less than standard name
+ servers will fail to resolve their domains.
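Review bot: "but less than standard name servers will fail to resolve their domains" survives the rewrap unchanged and is still unclear; since the lines are being rewritten anyway, suggest "but name servers that do not fully follow the standard will then fail to resolve their domains".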
option rebind_localhost '0'
- Boolean. Prevent loopback "127.0.0.0/8" or "::1/128" responses.
- These may used by black hole servers for good purposes like
- ad-blocking or parental access control. Obviously these responses
- also can be used to for bad purposes.
+ Boolean. Prevent loopback "127.0.0.0/8" or "::1/128" responses. These may
+ used by black hole servers for good purposes like ad-blocking or parental
+ access control. Obviously these responses may be used to for bad purposes.
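Review bot: two grammatical slips are carried into the rewrapped lines: "These may used by black hole servers" should be "These may be used by black hole servers", and "may be used to for bad purposes" should be "may be used for bad purposes".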
option rebind_protection '1'
Level. Block your local address responses from global DNS. A poisoned
large - about double of medium
option root_age '9'
- Days. >90 Disables. Age limit for Unbound root data like root
- DNSSEC key. Unbound uses RFC 5011 to manage root key. This could
- harm flash ROM. This activity is mapped to "tmpfs," but every so
- often it needs to be copied back to flash for the next reboot.
+ Days. >90 Disables. Age limit for Unbound root data like root DNSSEC key.
+ Unbound uses RFC 5011 to manage root key. This could harm flash ROM. This
+ activity is mapped to "tmpfs," but every so often it needs to be copied back
+ to flash for the next reboot.
option ttl_min '120'
- Seconds. Minimum TTL in cache. Recursion can be expensive without
- cache. A low TTL is normal for server migration. A low TTL can be
- abused for snoop-vertising (DNS hit counts; recording query IP).
- Typical to configure maybe 0~300, but 1800 is the maximum accepted.
+ Seconds. Minimum TTL in cache. Recursion can be expensive without cache. A
+ low TTL is normal for server migration. A low TTL can be abused for snoop-
+ vertising (DNS hit counts; recording query IP). Typical to configure maybe
+ 0~300, but 1800 is the maximum accepted.
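Review bot: the rewrap splits the coined word "snoop-vertising" across a line break as "snoop-" / "vertising", which reads as a hyphenation artifact rather than the intended pun; keep it on one line, e.g. break before "abused for" instead.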
option unbound_control '0'
Level. Enables unbound-control application access ports.
Boolean. Enable DNSSEC. Unbound names this the "validator" module.
option validator_ntp '1'
- Boolean. Disable DNSSEC time checks at boot. Once NTP confirms
- global real time, then DNSSEC is restarted at full strength. Many
- embedded devices don't have a real time power off clock. NTP needs
- DNS to resolve servers. This works around the chicken-and-egg.
+ Boolean. Disable DNSSEC time checks at boot. Once NTP confirms global real
+ time, then DNSSEC is restarted at full strength. Many embedded devices don't
+ have a real time power off clock. NTP needs DNS to resolve servers. This
+ works around the chicken-and-egg.
option verbosity '1'
Level. Sets Unbounds logging intensity.
list trigger_interface 'lan' 'wan'
Interface (logical). This option is a work around for netifd/procd
- interaction with WAN DHCPv6. Minor RA or DHCP changes in IP6 can
- cause netifd to execute procd interface reload. Limit Unbound procd
- triggers to LAN and WAN (IP4 only) to prevent restart @2-3 minutes.
+ interaction with WAN DHCPv6. Minor RA or DHCP changes in IP6 can cause
+ netifd to execute procd interface reload. Limit Unbound procd triggers to
+ LAN and WAN (IP4 only) to prevent restart @2-3 minutes.
config zone
Boolean. Enable the zone clause.
option fallback 1
- Boolean. Permit normal recursion when the narrowly selected servers
- in this zone are unresponsive or return empty responses. Disable, if
- there are security concerns (forward only internal to organization).
+ Boolean. Permit normal recursion when the narrowly selected servers in this
+ zone are unresponsive or return empty responses. Disable, if there are
+ security concerns (forward only internal to organization).
option port 53
Port. Servers are contact on this port for plain DNS operations.
option resolv_conf 0
- Boolean. Use "resolv.conf" as it was filled by the DHCP client. This
- can be used to forward zones within your ISP (mail.example.net) or that
- have co-located services (streamed-movies.example.com). Recursion may
- not yield the most local result, but forwarding may instead.
+ Boolean. Use "resolv.conf" as it was filled by the DHCP client. This can be
+ used to forward zones within your ISP (mail.example.net) or that have co-
+ located services (streamed-movies.example.com). Recursion may not yield the
+ most local result, but forwarding may instead.
option tls_index (n/a)
Domain. Name TLS certificates are signed for (dns.example.net). If this
- option is ommitted, then Unbound will make the connection but not
- validate it.
+ option is ommitted, then Unbound will make connections but not validate.
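Review bot: the shortened sentence "then Unbound will make connections but not validate." drops the object and, more importantly, still understates the security consequence. Without tls_index the upstream certificate is not authenticated, so DNS over TLS is encrypted but an active attacker in the path can present any certificate and answer the queries. Suggest: "If this option is omitted, Unbound will still connect over TLS but will not authenticate the server certificate, so the channel is encrypted but not verified." Also fix "ommitted".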
option tls_port 853
Port. Servers are contact on this port for DNS over TLS operations.
auth_zone type only. Files "${zone_name}.zone" are expect in this path.
option zone_type (n/a)
- State. Required field or the clause is effectively disabled. Check
- Unbound documentation for clarity (unbound-conf).
+ State. Required field or the clause is effectively disabled. Check Unbound
+ documentation for clarity (unbound-conf).
auth_zone - prefetch whole zones from authoritative server (ICANN)
forward_zone - forward queries in these domains to the listed servers
stub_zone - force recursion of these domains to the listed servers
list server (n/a)
- IP. Every zone must have one server. Stub and forward require IP to
- prevent chicken and egg (due to UCI simplicity). Authoritative prefetch
- may use a server name.
+ IP. Every zone must have one server. Stub and forward require IP to prevent
+ chicken and egg (due to UCI simplicity). Authoritative prefetch may use a
+ server name.
list zone_name
- Domain. Every zone must represent some part of the DNS tree. It can be
- all of it "." or you internal organization domain "example.com." Within
- each zone clause all zone names will be matched to all servers.
+ Domain. Every zone must represent some part of the DNS tree. It can be all
+ of it "." or you internal organization domain "example.com." Within each
+ zone clause all zone names will be matched to all servers.
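Review bot: "you internal organization domain" should be "your internal organization domain"; the typo is carried over from the removed lines into the rewrapped ones.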
```
## Replaced Options
config unbound / option prefetch_root
- List the domains in a zone with type auth_zone and fill in the server
- or url fields. Root zones are ready but disabled in default install UCI.
+ List the domains in a zone with type auth_zone and fill in the server or url
+ fields. Root zones are ready but disabled in default install UCI.
config unbound / list domain_forward
List the domains in a zone with type forward_zone and enable the
resolv_conf option.
config unbound / list rebind_interface
- Enable rebind_protection at 2 and all DHCP interfaces are also
- protected for IPV6 GLA (parallel to subnets in add_local_fqdn).
+ Enable rebind_protection at 2 and all DHCP interfaces are also protected for
+ IPV6 GLA (parallel to subnets in add_local_fqdn).
UB_N_EDNS_SIZE=1280
UB_N_RX_PORT=53
UB_N_ROOT_AGE=9
+UB_N_THREADS=1
UB_TTL_MIN=120
UB_TXT_DOMAIN=lan
fi
+ if [ "$UB_N_THREADS" -gt 1 ] \
+ && $PROG -h | grep -q "linked libs:.*libevent" ; then
+ # heavy variant using "threads" may need substantial resources
+ echo " num-threads: 2" >> $UB_CORE_CONF
+ else
+ # light variant with one "process" is much more efficient with light traffic
+ echo " num-threads: 1" >> $UB_CORE_CONF
+ fi
+
+
{
- # No threading
- echo " num-threads: 1"
+ # Limited threading (2) with one shared slab
echo " msg-cache-slabs: 1"
echo " rrset-cache-slabs: 1"
echo " infra-cache-slabs: 1"
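Review bot: the configured value is reduced to 2 without any message: `[ "$UB_N_THREADS" -gt 1 ]` writes `num-threads: 2` for any value above 1, and when `$PROG -h` does not report libevent the option is dropped in the else branch with no log line, so a user who set 4 threads on the light variant cannot tell why Unbound runs single-threaded. Emit a message in the fallback and document the clamp in the README. Two further points on this hunk: `grep -q "linked libs:.*libevent"` depends on the exact wording of the `unbound -h` banner, so a future version string change would silently disable threading; and the block that follows keeps `msg-cache-slabs: 1`, `rrset-cache-slabs: 1` and `infra-cache-slabs: 1` under the new comment "Limited threading (2) with one shared slab", which makes both threads contend for the same cache lock. Unbound's manual recommends a slab count close to the thread count (a power of 2), so writing 2 slabs when two threads are selected would be cheap and avoids the contention.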
echo " local-data: \"$UB_TXT_DOMAIN. $UB_XNS\""
echo " local-data: '$UB_TXT_DOMAIN. $UB_XTXT'"
echo
- # avoid upstream involvement in RFC6762
- echo " domain-insecure: local"
- echo " private-domain: local"
- echo " local-zone: local $UB_D_DOMAIN_TYPE"
- echo " local-data: \"local. $UB_XSOA\""
- echo " local-data: \"local. $UB_XNS\""
- echo " local-data: 'local. $UB_LTXT'"
- echo
+ if [ "$UB_TXT_DOMAIN" != "local" ] ; then
+ # avoid involvement in RFC6762, unless it is the local zone name
+ echo " local-zone: local always_nxdomain"
+ echo
+ fi
} >> $UB_HOST_CONF
zonetype=2
;;
- transparent|typetransparent)
+ inform|transparent|typetransparent)
{
# transparent will permit forward-zone: or stub-zone: clauses
echo " private-domain: $UB_TXT_DOMAIN"
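Review bot: the `inform` label added to the case at the end of this hunk is not reflected in the comment directly below it, which still says only "transparent will permit forward-zone: or stub-zone: clauses"; update the comment, and make sure the README's domain_type list (not visible in this diff) names `inform` and says that Unbound logs each query with the client address for that type. The earlier part of the hunk is also a behaviour change worth a README or changelog line: `local` previously answered with its own SOA/NS data under `domain-insecure:` and `private-domain:`, and now returns NXDOMAIN for every name under it (`local-zone: local always_nxdomain`) unless the configured domain is itself "local". Dropping `private-domain: local` and `domain-insecure: local` is consistent with that, since no upstream lookup happens for an always_nxdomain zone, but clients that relied on the old answers for `.local` names will notice.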
config_get UB_N_EDNS_SIZE "$cfg" edns_size 1280
config_get UB_N_RX_PORT "$cfg" listen_port 53
config_get UB_N_ROOT_AGE "$cfg" root_age 9
+ config_get UB_N_THREADS "$cfg" num_threads 1
config_get UB_D_CONTROL "$cfg" unbound_control 0
config_get UB_D_DOMAIN_TYPE "$cfg" domain_type static
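Review bot: `config_get UB_N_THREADS "$cfg" num_threads 1` accepts whatever string is in UCI, but the value is later used in the arithmetic test `[ "$UB_N_THREADS" -gt 1 ]`, which prints an error for a non-numeric value such as `auto` or `yes`. Sanitise it here, e.g. `case "$UB_N_THREADS" in ''|*[!0-9]*) UB_N_THREADS=1 ;; esac`, so a typo in the config degrades to the single-thread default instead of an error during startup.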