net/unbound/files/README.md

   1 # Unbound Recursive DNS Server with UCI
   2
   3 ## Unbound Description
   4 Unbound is a validating, recursive, and caching DNS resolver. The C implementation of Unbound is developed and maintained by [NLnet Labs](https://www.unbound.net/). It is based on ideas and algorithms taken from a java prototype developed by Verisign labs, Nominet, Kirei and ep.net. Unbound is designed as a set of modular components, so that also DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible.
   5
   6 ## Package Overview
   7 Unbound may be useful on consumer grade embedded hardware. It is *intended* to be a recursive resolver only. [NLnet Labs NSD](https://www.nlnetlabs.nl/projects/nsd/) is *intended* for the authoritative task. This is different than [ISC Bind](https://www.isc.org/downloads/bind/) and its inclusive functions. Unbound configuration effort and memory consumption may be easier to control. A consumer could have their own recursive resolver, and remove potential issues from forwarding resolvers outside of their control.
   8
   9 This package builds on Unbounds capabilities with OpenWrt UCI. Not every Unbound option is in UCI, but rather, UCI simplifies the combination of related options. Unbounds native options are bundled and balanced within a smaller set of choices. Options include resources, DNSSEC, access control, and some TTL tweaking. The UCI also provides an escape option and work at the raw "unbound.conf" level.
  10
  11 ## Work with dnsmasq
  12 Some UCI options will help Unbound and dnsmasq work together in **parallel**. The default DHCP and DNS stub resolver in OpenWrt is dnsmasq, and it will continue to serve this purpose. The following actions will make Unbound the primary DNS server, and make dnsmasq only provide DNS to local DHCP.
  13
  14 - Set `unbound` UCI `option dnsmasq_link_dns` to true.
  15 - Set other `unbound` UCI options how you wish.
  16 - Set `dnsmasq` UCI `option noresolv` to true.
  17 - Set `dnsmasq` UCI `option resolvfile` to blank single-quotes.
  18 - Set `dnsmasq` UCI `option port` to 1053 or 5353.
  19 - Add to each `dhcp` UCI `list dhcp_option option:dns-server,0.0.0.0`
  20
  21 Alternatives are mentioned here for completeness. DHCP event scripts which write host records are difficult to formulate for Unbound, NSD, or Bind. These programs sometimes need to be forcefully reloaded with host configuration, and reloads can bust cache. **Serial** configuration between dnsmasq and Unbound can be made on 127.0.0.1 with an off-port like #1053. This may double cache storage and incur unnecessary transfer delay.
  22
  23 ## UCI Options
  24 **/etc/config/unbound**:
  25
  26         config unbound
  27                 Currently only one instance is supported.
  28
  29         option dnsmasq_gate_name '0'
  30                 Boolean. Forward PTR records for interfaces not serving DHCP.
  31                 Assume these are WAN. Example dnsmasq option here to provide
  32                 logs with a name when your ISP won't link DHCP-DNS.
  33                 "dnsmasq.conf: interface-name=way-out.myrouter.lan,eth0.1"
  34
  35         option dnsmasq_link_dns '0'
  36                 Boolean. Master link to dnsmasq. Parse /etc/config/dhcp for dnsmasq
  37                 options. Forward domain such as "lan" and PTR records for DHCP
  38                 interfaces and their deligated subnets, IP4 and IP6.
  39
  40         option dnsmasq_only_local '0'
  41                 TODO: not yet implemented
  42                 Boolean. Restrict link to dnsmasq. DNS only to local host. Obscure
  43                 names of other connected hosts on the network. Example:
  44                 "drill -x 198.51.100.17  ~ IN PTR way-out.myrouter.lan"
  45                 "drill -x 192.168.10.1   ~ IN PTR guest-wifi.myrouter.lan"
  46                 "drill -x 192.168.10.201 ~ NODATA" (insted of james-laptop.lan)
  47
  48         option edns_size '1280'
  49                 Extended DNS is necessary for DNSSEC. However, it can run into MTU
  50                 issues. Use this size in bytes to manage drop outs.
  51
  52         option listen_port '53'
  53                 Port. Incoming. Where Unbound will listen for queries.
  54
  55         option localservice '1'
  56                 Boolean. Prevent DNS amplification attacks. Only provide access to
  57                 Unbound from subnets this machine has interfaces on.
  58
  59         option manual_conf '0'
  60                 Boolean. Skip all this UCI nonsense. Manually edit the
  61                 configuration. Make changes to /etc/unbound/unbound.conf.
  62
  63         option query_minimize '0'
  64                 Boolean. Enable a minor privacy option. Query only one name piece
  65                 at a time. Don't let each server know the next recursion.
  66
  67         option rebind_localhost '0'
  68                 Boolean. Prevent loopback "127.0.0.0/8" or "::1/128" responses.
  69                 These may used by black hole servers for good purposes like
  70                 ad-blocking or parental access control. Obviously these responses
  71                 also can be used to for bad purposes.
  72
  73         option rebind_protection '1'
  74                 Boolean. Prevent RFC 1918 Reponses from global DNS. Example a
  75                 poisoned reponse within "192.168.0.0/24" could be used to turn a
  76                 local browser into an external attack proxy server.
  77
  78         option recursion 'passive'
  79                 Unbound has numerous options for how it recurses. This UCI combines
  80                 them into "passive," "aggressive," or Unbound's own "default."
  81                 Passive is easy on resources, but slower until cache fills.
  82
  83         option resource 'small'
  84                 Unbound has numerous options for resources. This UCI gives "tiny,"
  85                 "small," "medium," and "large." Medium is most like the compiled
  86                 defaults with a bit of balancing. Tiny is close to the published
  87                 memory restricted configuration. Small 1/2 medium, and large 2x.
  88
  89         option root_age '30'
  90                 Days. >90 Disables. Age limit for Unbound root data like root
  91                 DNSSEC key. Unbound uses RFC 5011 to manage root key. This could
  92                 harm flash ROM. This activity is mapped to "tmpfs," but every so
  93                 often it needs to be copied back to flash for the next reboot.
  94
  95         option ttl_min '120'
  96                 Seconds. Minimum TTL in cache. Recursion can be expensive without
  97                 cache. A low TTL is normal for server migration. A low TTL can be
  98                 abused for snoop-vertising (DNS hit counts; recording query IP).
  99                 Typical to configure maybe 0~300, but 1800 is the maximum accepted.
 100
 101         option unbound_control '0'
 102                 Boolean. Enables unbound-control application access ports. Enabling
 103                 this without the unbound-control package installed is robust.
 104
 105         option validator '0'
 106                 Boolean. Enable DNSSEC. Unbound names this the "validator" module.
 107
 108         option validator_ntp '1'
 109                 Boolean. Disable DNSSEC time checks at boot. Once NTP confirms
 110                 global real time, then DNSSEC is restarted at full strength. Many
 111                 embedded devices don't have a real time power off clock. NTP needs
 112                 DNS to resolve servers. This works around the chicken-and-egg.
 113
 114         list domain_insecure
 115                 List. Domains or pointers that you wish to skip DNSSEC. Your DHCP
 116                 domains and pointers in dnsmasq will get this automatically.
 117