From add3e6c699e148460fa7bca4011b9fbf95a0ef75 Mon Sep 17 00:00:00 2001 From: Eric Luehrsen Date: Sun, 2 Jun 2019 14:14:23 -0400 Subject: [PATCH] unbound: improve a few UCI settings - treat RFC6762 'local.' as nxdomain because avahi and other services will disable if SOA or NS records appear in central DNS. - allow two threads to be enabled with the 'heavy traffic' variant of Unbound packages. Signed-off-by: Eric Luehrsen --- net/unbound/files/README.md | 109 +++++++++++++++++---------------- net/unbound/files/unbound.init | 4 +- net/unbound/files/unbound.sh | 30 +++++---- net/unbound/files/unbound.uci | 1 + 4 files changed, 78 insertions(+), 66 deletions(-) diff --git a/net/unbound/files/README.md b/net/unbound/files/README.md index 24cf1f242b..653a3f8367 100644 --- a/net/unbound/files/README.md +++ b/net/unbound/files/README.md @@ -212,18 +212,17 @@ config unbound 4 - Above and interfaces named .. option add_wan_fqdn '0' - Level. Same as previous option only this applies to the WAN. WAN - are inferred by a UCI `config dhcp` entry that contains the line - option ignore '1'. + Level. Same as previous option only this applies to the WAN. WAN are + inferred by a UCI `config dhcp` entry that contains the 'option ignore 1'. option dns64 '0' - Boolean. Enable DNS64 through Unbound in order to bridge networks - that are IPV6 only and IPV4 only (see RFC6052). + Boolean. Enable DNS64 through Unbound in order to bridge networks that are + IPV6 only and IPV4 only (see RFC6052). option dns64_prefix '64:ff9b::/96' - IPV6 Prefix. The IPV6 prefix wrapped on the IPV4 address for DNS64. - You should use RFC6052 "well known" address, unless you also - redirect to a proxy or gateway for your NAT64. + IPV6 Prefix. The IPV6 prefix wrapped on the IPV4 address for DNS64. You + should use RFC6052 "well known" address, unless you also redirect to a proxy + or gateway for your NAT64. option dhcp_link 'none' Program Name. Link to one of the supported programs we have scripts 
@@ -271,6 +270,12 @@ config unbound Boolean. Skip all this UCI nonsense. Manually edit the configuration. Make changes to /etc/unbound/unbound.conf. + option num_threads '1' + Count. Enable multithreading with the "heavy traffic" variant. Base variant + spins each as whole proces and is not efficient. Two threads may be used, + but they use one shared cache slab. More edges into an industrial setup, + and UCI simplificaitons may not be appropriate. + option protocol 'mixed' Unbound can limit its protocol used for recursive queries. ip4_only - old fashioned IPv4 upstream and downstream @@ -281,19 +286,18 @@ config unbound default - Unbound built-in defaults option query_minimize '0' - Boolean. Enable a minor privacy option. Don't let each server know - the next recursion. Query one piece at a time. + Boolean. Enable a minor privacy option. Don't let each server know the next + recursion. Query one piece at a time. option query_min_strict '0' - Boolean. Query minimize is best effort and will fall back to normal - when it must. This option prevents the fall back, but less than - standard name servers will fail to resolve their domains. + Boolean. Query minimize is best effort and will fall back to normal when it + must. This option prevents the fall back, but less than standard name + servers will fail to resolve their domains. option rebind_localhost '0' - Boolean. Prevent loopback "127.0.0.0/8" or "::1/128" responses. - These may used by black hole servers for good purposes like - ad-blocking or parental access control. Obviously these responses - also can be used to for bad purposes. + Boolean. Prevent loopback "127.0.0.0/8" or "::1/128" responses. These may + used by black hole servers for good purposes like ad-blocking or parental + access control. Obviously these responses may be used to for bad purposes. option rebind_protection '1' Level. Block your local address responses from global DNS. A poisoned 
@@ -319,16 +323,16 @@ config unbound large - about double of medium option root_age '9' - Days. >90 Disables. Age limit for Unbound root data like root - DNSSEC key. Unbound uses RFC 5011 to manage root key. This could - harm flash ROM. This activity is mapped to "tmpfs," but every so - often it needs to be copied back to flash for the next reboot. + Days. >90 Disables. Age limit for Unbound root data like root DNSSEC key. + Unbound uses RFC 5011 to manage root key. This could harm flash ROM. This + activity is mapped to "tmpfs," but every so often it needs to be copied back + to flash for the next reboot. option ttl_min '120' - Seconds. Minimum TTL in cache. Recursion can be expensive without - cache. A low TTL is normal for server migration. A low TTL can be - abused for snoop-vertising (DNS hit counts; recording query IP). - Typical to configure maybe 0~300, but 1800 is the maximum accepted. + Seconds. Minimum TTL in cache. Recursion can be expensive without cache. A + low TTL is normal for server migration. A low TTL can be abused for snoop- + vertising (DNS hit counts; recording query IP). Typical to configure maybe + 0~300, but 1800 is the maximum accepted. option unbound_control '0' Level. Enables unbound-control application access ports. @@ -342,10 +346,10 @@ config unbound Boolean. Enable DNSSEC. Unbound names this the "validator" module. option validator_ntp '1' - Boolean. Disable DNSSEC time checks at boot. Once NTP confirms - global real time, then DNSSEC is restarted at full strength. Many - embedded devices don't have a real time power off clock. NTP needs - DNS to resolve servers. This works around the chicken-and-egg. + Boolean. Disable DNSSEC time checks at boot. Once NTP confirms global real + time, then DNSSEC is restarted at full strength. Many embedded devices don't + have a real time power off clock. NTP needs DNS to resolve servers. This + works around the chicken-and-egg. option verbosity '1' Level. Sets Unbounds logging intensity. 
@@ -356,9 +360,9 @@ config unbound list trigger_interface 'lan' 'wan' Interface (logical). This option is a work around for netifd/procd - interaction with WAN DHCPv6. Minor RA or DHCP changes in IP6 can - cause netifd to execute procd interface reload. Limit Unbound procd - triggers to LAN and WAN (IP4 only) to prevent restart @2-3 minutes. + interaction with WAN DHCPv6. Minor RA or DHCP changes in IP6 can cause + netifd to execute procd interface reload. Limit Unbound procd triggers to + LAN and WAN (IP4 only) to prevent restart @2-3 minutes. config zone 
@@ -368,23 +372,22 @@ config zone Boolean. Enable the zone clause. option fallback 1 - Boolean. Permit normal recursion when the narrowly selected servers - in this zone are unresponsive or return empty responses. Disable, if - there are security concerns (forward only internal to organization). + Boolean. Permit normal recursion when the narrowly selected servers in this + zone are unresponsive or return empty responses. Disable, if there are + security concerns (forward only internal to organization). option port 53 Port. Servers are contact on this port for plain DNS operations. option resolv_conf 0 - Boolean. Use "resolv.conf" as it was filled by the DHCP client. This - can be used to forward zones within your ISP (mail.example.net) or that - have co-located services (streamed-movies.example.com). Recursion may - not yield the most local result, but forwarding may instead. + Boolean. Use "resolv.conf" as it was filled by the DHCP client. This can be + used to forward zones within your ISP (mail.example.net) or that have co- + located services (streamed-movies.example.com). Recursion may not yield the + most local result, but forwarding may instead. option tls_index (n/a) Domain. Name TLS certificates are signed for (dns.example.net). If this - option is ommitted, then Unbound will make the connection but not - validate it. + option is ommitted, then Unbound will make connections but not validate. option tls_port 853 Port. Servers are contact on this port for DNS over TLS operations. 
@@ -397,33 +400,33 @@ config zone auth_zone type only. Files "${zone_name}.zone" are expect in this path. option zone_type (n/a) - State. Required field or the clause is effectively disabled. Check - Unbound documentation for clarity (unbound-conf). + State. Required field or the clause is effectively disabled. Check Unbound + documentation for clarity (unbound-conf). auth_zone - prefetch whole zones from authoritative server (ICANN) forward_zone - forward queries in these domains to the listed servers stub_zone - force recursion of these domains to the listed servers list server (n/a) - IP. Every zone must have one server. Stub and forward require IP to - prevent chicken and egg (due to UCI simplicity). Authoritative prefetch - may use a server name. + IP. Every zone must have one server. Stub and forward require IP to prevent + chicken and egg (due to UCI simplicity). Authoritative prefetch may use a + server name. list zone_name - Domain. Every zone must represent some part of the DNS tree. It can be - all of it "." or you internal organization domain "example.com." Within - each zone clause all zone names will be matched to all servers. + Domain. Every zone must represent some part of the DNS tree. It can be all + of it "." or you internal organization domain "example.com." Within each + zone clause all zone names will be matched to all servers. ``` ## Replaced Options config unbound / option prefetch_root - List the domains in a zone with type auth_zone and fill in the server - or url fields. Root zones are ready but disabled in default install UCI. + List the domains in a zone with type auth_zone and fill in the server or url + fields. Root zones are ready but disabled in default install UCI. config unbound / list domain_forward List the domains in a zone with type forward_zone and enable the resolv_conf option. 
config unbound / list rebind_interface
- Enable rebind_protection at 2 and all DHCP interfaces are also
- protected for IPV6 GLA (parallel to subnets in add_local_fqdn).
+ Enable rebind_protection at 2 and all DHCP interfaces are also protected for
+ IPV6 GLA (parallel to subnets in add_local_fqdn).
diff --git a/net/unbound/files/unbound.init b/net/unbound/files/unbound.init
index e76f68cd1a..2f2df14834 100755
--- a/net/unbound/files/unbound.init
+++ b/net/unbound/files/unbound.init
@@ -62,8 +62,8 @@ service_triggers() {
 if [ ! -f "$UB_TOTAL_CONF" ] || [ -n "$UB_BOOT" ] ; then
- # Unbound is can be a bit heavy, so wait some on first start but any
- # interface coming up affects the trigger and delay so guarantee start
+ # Unbound can be a bit heavy, so wait some on first start. Any interface
+ # up affects the trigger delay and will guarantee start.
 procd_add_raw_trigger "interface.*.up" 3000 /etc/init.d/unbound restart
 elif [ -n "$triggers" ] ; then
diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh
index f89901ddc4..f44cfec6cf 100644
--- a/net/unbound/files/unbound.sh
+++ b/net/unbound/files/unbound.sh
@@ -54,6 +54,7 @@ UB_IP_DNS64="64:ff9b::/96"
 UB_N_EDNS_SIZE=1280
 UB_N_RX_PORT=53
 UB_N_ROOT_AGE=9
+UB_N_THREADS=1
 UB_TTL_MIN=120
 UB_TXT_DOMAIN=lan
@@ -580,9 +581,18 @@ unbound_conf() {
 fi
+ if [ "$UB_N_THREADS" -gt 1 ] \
+ && $PROG -h | grep -q "linked libs:.*libevent" ; then
+ # heavy variant using "threads" may need substantial resources
+ echo " num-threads: 2" >> $UB_CORE_CONF
+ else
+ # light variant with one "process" is much more efficient with light traffic
+ echo " num-threads: 1" >> $UB_CORE_CONF
+ fi
+
+
 {
- # No threading
- echo " num-threads: 1"
+ # Limited threading (2) with one shared slab
 echo " msg-cache-slabs: 1"
 echo " rrset-cache-slabs: 1"
 echo " infra-cache-slabs: 1"
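Review bot: In unbound_conf, `[ "$UB_N_THREADS" -gt 1 ]` trusts the UCI value to be an integer and then writes a fixed `num-threads: 2`, so `num_threads '4'` is silently reduced to 2 and a non-numeric value makes the test print a shell error and drop into the one-thread branch rather than fail cleanly. The value arrives through `config_get UB_N_THREADS "$cfg" num_threads 1` in the unbound_uci hunk further down, which is equally unchecked. One guard ahead of the test would cover both: `case "$UB_N_THREADS" in ''|*[!0-9]*) UB_N_THREADS=1 ;; esac`, together with a comment on the heavy branch such as `# values above 2 are capped: the slab settings below are written for at most two threads`. unbound_conf starts and ends outside this hunk.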
@@ -967,19 +977,16 @@ unbound_hostname() {
 echo " local-data: \"$UB_TXT_DOMAIN. $UB_XNS\""
 echo " local-data: '$UB_TXT_DOMAIN. $UB_XTXT'"
 echo
- # avoid upstream involvement in RFC6762
- echo " domain-insecure: local"
- echo " private-domain: local"
- echo " local-zone: local $UB_D_DOMAIN_TYPE"
- echo " local-data: \"local. $UB_XSOA\""
- echo " local-data: \"local. $UB_XNS\""
- echo " local-data: 'local. $UB_LTXT'"
- echo
+ if [ "$UB_TXT_DOMAIN" != "local" ] ; then
+ # avoid involvement in RFC6762, unless it is the local zone name
+ echo " local-zone: local always_nxdomain"
+ echo
+ fi
 } >> $UB_HOST_CONF
 zonetype=2
 ;;
- transparent|typetransparent)
+ inform|transparent|typetransparent)
 {
 # transparent will permit forward-zone: or stub-zone: clauses
 echo " private-domain: $UB_TXT_DOMAIN"
@@ -1205,6 +1212,7 @@ unbound_uci() {
 config_get UB_N_EDNS_SIZE "$cfg" edns_size 1280
 config_get UB_N_RX_PORT "$cfg" listen_port 53
 config_get UB_N_ROOT_AGE "$cfg" root_age 9
+ config_get UB_N_THREADS "$cfg" num_threads 1
 config_get UB_D_CONTROL "$cfg" unbound_control 0
 config_get UB_D_DOMAIN_TYPE "$cfg" domain_type static
diff --git a/net/unbound/files/unbound.uci b/net/unbound/files/unbound.uci
index 9614357eb6..604c960aa3 100644
--- a/net/unbound/files/unbound.uci
+++ b/net/unbound/files/unbound.uci
@@ -14,6 +14,7 @@ config unbound
 option listen_port '53'
 option localservice '1'
 option manual_conf '0'
+ option num_threads '1'
 option protocol 'default'
 option query_minimize '0'
 option query_min_strict '0'
-- 
2.30.2
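Review bot: The guard `[ "$UB_TXT_DOMAIN" != "local" ]` is an exact, case-sensitive string compare, so a domain value of `Local` or `local.` (if UCI lets either through, which this hunk does not show) would emit both the static zone for `$UB_TXT_DOMAIN` above and the new `local-zone: local always_nxdomain`, which Unbound would most likely reject at startup as a duplicate local-zone. If the option is already lower-cased and stripped of its trailing dot where it is read, a comment here saying so would settle it; otherwise normalising it once in unbound_uci (the hunk below) is cleaner than widening this test. The `inform` type newly added to the case arm is mentioned by neither the commit message nor the comment beneath it; `# inform/transparent will permit forward-zone: or stub-zone: clauses` would keep that comment accurate. unbound_hostname and its case statement begin before and continue past this hunk.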