projects / feed / packages.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge pull request #4136 from danrl/jool
[feed/packages.git] / net / unbound / files / README.md
1 # Unbound Recursive DNS Server with UCI
2
3 ## Unbound Description
4 Unbound is a validating, recursive, and caching DNS resolver. The C implementation of Unbound is developed and maintained by [NLnet Labs](https://www.unbound.net/). It is based on ideas and algorithms taken from a java prototype developed by Verisign labs, Nominet, Kirei and ep.net. Unbound is designed as a set of modular components, so that also DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible.
5
6 ## Package Overview
7 Unbound may be useful on consumer grade embedded hardware. It is *intended* to be a recursive resolver only. [NLnet Labs NSD](https://www.nlnetlabs.nl/projects/nsd/) is *intended* for the authoritative task. This is different than [ISC Bind](https://www.isc.org/downloads/bind/) and its inclusive functions. Unbound configuration effort and memory consumption may be easier to control. A consumer could have their own recursive resolver, and remove potential issues from forwarding resolvers outside of their control.
8
9 This package builds on Unbounds capabilities with OpenWrt UCI. Not every Unbound option is in UCI, but rather, UCI simplifies the combination of related options. Unbounds native options are bundled and balanced within a smaller set of choices. Options include resources, DNSSEC, access control, and some TTL tweaking. The UCI also provides an escape option and work at the raw "unbound.conf" level.
10
11 ## Adblocking
12 The UCI scripts will work with OpenWrt/pacakages/net/adblock (2.3.0 and above) if it is installed and enabled. Its all detected and integrated automatically. In brief, the adblock scripts create distinct local-zone files that are simply included in the unbound conf file during UCI generation. If you don't want this, then disable adblock or reconfigure adblock to not send these files to Unbound.
13
14 ## HOW TO Integrate with DHCP
15 Some UCI options and scripts help Unbound to work with DHCP servers to load the local DNS. The examples provided here are serial dnsmasq-unbound, parallel dnsmasq-unbound, and unbound scripted with odhcpd.
16
17 ### Serial dnsmasq
18 In this case, dnsmasq is not changed *much* with respect to the default OpenWRT/LEDE configuration. Here dnsmasq is forced to use the local Unbound instance as the lone upstream DNS server, instead of your ISP. This may be the easiest implementation, but performance degradation can occur in high volume networks. dnsmasq and Unbound effectively have the same information in memory, and all transfers are double handled.
19
20 **/etc/config/unbound**:
21
22 config unbound
23 option add_local_fqdn '0'
24 option add_wan_fqdn '0'
25 option dhcp_link 'none'
26 # dnsmasq should not forward your domain to unbound, but if...
27 option domain 'yourdomain'
28 option domain_type 'refuse'
29 option listen_port '1053'
30 ...
31
32 **/etc/config/dhcp**:
33
34 config dnsmasq
35 option domain 'yourdomain'
36 option noresolv '1'
37 option resolvfile '/tmp/resolv.conf.auto'
38 option port '53'
39 list server '127.0.0.1#1053'
40 list server '::1#1053'
41 ...
42
43 ### Parallel dnsmasq
44 In this case, Unbound serves your local network directly for all purposes. It will look over to dnsmasq for DHCP-DNS resolution. Unbound is generally accessible on port 53, and dnsmasq is only accessed at 127.0.0.1:1053 by Unbound. Although you can dig/drill/nslookup remotely with the proper directives.
45
46 **/etc/config/unbound**:
47
48 config unbound
49 option dhcp_link 'dnsmasq'
50 option listen_port '53'
51 ...
52
53 **/etc/config/dhcp**:
54
55 config dnsmasq
56 option domain 'yourdomain'
57 option noresolv '1'
58 option resolvfile '/tmp/resolv.conf.auto'
59 option port '1053'
60 ...
61
62 config dhcp 'lan'
63 # dnsmasq may not issue DNS option if not std. configuration
64 list dhcp_option 'option:dns-server,0.0.0.0'
65 ...
66
67 ### Only odhcpd
68 Why use dnsmasq you might ask? Well test, try, and review. You can have Unbound and odhcpd only. When odhcpd configures each DHCP lease, it will call a script. The script provided with Unbound will read the lease file and enter DHCP-DNS records as much as dnsmasq once did. You **must install** `unbound-control`, because the lease records are added and removed without starting, stopping, flushing cache, or re-writing conf files.
69
70 *note: if you run the default LEDE/OpenWrt setup with dnsmasq and odhcpd, then use the link to dnsmasq. Unbound will pole dnsmasq. dnsmasq merges its lease file and odhcpd lease file.*
71
72 **/etc/config/unbound**:
73
74 config unbound
75 # name your router in DNS
76 option add_local_fqdn '1'
77 option add_wan_fqdn '1'
78 option dhcp_link 'odhcpd'
79 # add SLAAC inferred from DHCPv4
80 option dhcp4_slaac6 '1'
81 option domain 'lan'
82 option domain_type 'static'
83 option listen_port '53'
84 option rebind_protection '1'
85 # install unbound-control and set this
86 option unbound_control '1'
87 ...
88
89 **/etc/config/dhcp**:
90
91 config dhcp 'lan'
92 option dhcpv4 'server'
93 option dhcpv6 'server'
94 option interface 'lan'
95 # short times help renew events to refresh dns
96 option leasetime '4h'
97 option ra 'server'
98 option ra_management '1'
99 # issue your ULA and avoid default [fe80::]
100 list dns 'fdxx:xxxx:xxxx::1'
101
102 config odhcpd 'odhcpd'
103 option maindhcp '1'
104 option leasefile '/var/lib/odhcpd/dhcp.leases'
105 # this is where the magic happens
106 option leasetrigger '/usr/lib/unbound/odhcpd.sh'
107
108 ## Back to Manual Configuration
109 Yes, there is a UCI to disable the rest of Unbound UCI. However, OpenWrt or LEDE are targeted at embedded machines with flash ROM. The initialization scripts do a few things to protect flash ROM.
110
111 ### Completely Manual (almost)
112 All of `/etc/unbound` (persistent, ROM) is copied to `/var/lib/unbound` (tmpfs, RAM). Edit your manual `/etc/unbound/unbound.conf` to reference this `/var/lib/unbound` location for included files. Note in preparation for a jail, `/var/lib/unbound` is `chown unbound`. Configure for security in`/etc/unbound/unbound.conf` with options `username:unbound` and `chroot:/var/lib/unbound`.
113
114 Keep the DNSKEY updated with your choice of flash activity. `root.key` maintenance for DNSKEY RFC5011 would be hard on flash. Unbound natively updates frequently. It also creates and destroys working files in the process. In `/var/lib/unbound` this is no problem, but it would be gone at the next reboot. If you have DNSSEC (validator) active, then you should consider the age UCI option. Choose how many days to copy from `/var/lib/unbound/root.key` (tmpfs) to `/etc/unbound/root.key` (flash).
115
116 **/etc/config/unbound**:
117
118 config unbound
119 option manual_conf '1'
120 option root_age '9'
121
122 ### Hybrid Manual/UCI
123 You like the UCI. Yet, you need to add some difficult to standardize options, or just are not ready to make a UCI request yet. The files `/etc/unbound/unbound_srv.conf` and `/etc/unbound/unbound_ext.conf` will be copied to Unbounds chroot directory and included during auto generation.
124
125 The former will be added to the end of the `server:` clause. The later will be added to the end of the file for extended `forward:` and `view:` clauses. You can also disable unbound-control in the UCI which only allows "localhost" connections unencrypted, and then add an encrypted remote `control:` clause.
126
127 ## Complete List of UCI Options
128 **/etc/config/unbound**:
129
130 config unbound
131 Currently only one instance is supported.
132
133 option add_local_fqdn '0'
134 Level. This puts your routers host name in the LAN (local) DNS.
135 Each level is more detailed and comprehensive.
136 0 - Disabled
137 1 - Host Name on only the primary address
138 2 - Host Name on all addresses found (except link)
139 3 - FQDN and host name on all addresses (except link)
140 4 - Above and interfaces named <iface>.<hostname>.<domain>
141
142 option add_wan_fqdn '0'
143 Level. Same as previous option only this applies to the WAN. WAN
144 are inferred by a UCI `config dhcp` entry that contains the line
145 option ignore '1'.
146
147 option dns64 '0'
148 Boolean. Enable DNS64 through Unbound in order to bridge networks
149 that are IPV6 only and IPV4 only (see RFC6052).
150
151 option dns64_prefix '64:ff9b::/96'
152 IPV6 Prefix. The IPV6 prefix wrapped on the IPV4 address for DNS64.
153 You should use RFC6052 "well known" address, unless you also
154 redirect to a proxy or gateway for your NAT64.
155
156 option dhcp_link 'none'
157 Program Name. Link to one of the supported programs we have scripts
158 for. You may also need to install a trigger script in the DHCP
159 servers configuration. See HOW TO above.
160
161 option dhcp4_slaac6 '0'
162 Boolean. Some DHCP servers do this natively (dnsmasq). Otherwise
163 the script provided with this package will try to fabricate SLAAC
164 IP6 addresses from DHCPv4 MAC records.
165
166 option domain 'lan'
167 Unbound local-zone: <domain> <type>. This is used to suffix all
168 host records, and maintain a local zone. When dnsmasq is dhcp_link
169 however, then this option is ignored (dnsmasq does it all).
170
171 option domain_type 'static'
172 Unbound local-zone: <domain> <type>. This allows you to lock
173 down or allow forwarding of your domain, your router host name
174 without suffix, and leakage of RFC6762 "local."
175
176 option edns_size '1280'
177 Bytes. Extended DNS is necessary for DNSSEC. However, it can run
178 into MTU issues. Use this size in bytes to manage drop outs.
179
180 option hide_binddata '1'
181 Boolean. If enabled version.server, version.bind, id.server, and
182 hostname.bind queries are refused.
183
184 option listen_port '53'
185 Port. Incoming. Where Unbound will listen for queries.
186
187 option localservice '1'
188 Boolean. Prevent DNS amplification attacks. Only provide access to
189 Unbound from subnets this machine has interfaces on.
190
191 option manual_conf '0'
192 Boolean. Skip all this UCI nonsense. Manually edit the
193 configuration. Make changes to /etc/unbound/unbound.conf.
194
195 option protocol 'mixed'
196 Unbound can limit its protocol used for recursive queries.
197 Set 'ip4_only' to avoid issues if you do not have native IP6.
198 Set 'ip6_prefer' to possibly improve performance as well as
199 not consume NAT paths for the client computers.
200 Do not use 'ip6_only' unless testing.
201
202 option query_minimize '0'
203 Boolean. Enable a minor privacy option. Don't let each server know
204 the next recursion. Query one piece at a time.
205
206 option query_min_strict '0'
207 Boolean. Query minimize is best effort and will fall back to normal
208 when it must. This option prevents the fall back, but less than
209 standard name servers will fail to resolve their domains.
210
211 option rebind_localhost '0'
212 Boolean. Prevent loopback "127.0.0.0/8" or "::1/128" responses.
213 These may used by black hole servers for good purposes like
214 ad-blocking or parental access control. Obviously these responses
215 also can be used to for bad purposes.
216
217 option rebind_protection '1'
218 Boolean. Prevent RFC 1918 Reponses from global DNS. Example a
219 poisoned reponse within "192.168.0.0/24" could be used to turn a
220 local browser into an external attack proxy server.
221
222 option recursion 'passive'
223 Unbound has numerous options for how it recurses. This UCI combines
224 them into "passive," "aggressive," or Unbound's own "default."
225 Passive is easy on resources, but slower until cache fills.
226
227 option resource 'small'
228 Unbound has numerous options for resources. This UCI gives "tiny,"
229 "small," "medium," and "large." Medium is most like the compiled
230 defaults with a bit of balancing. Tiny is close to the published
231 memory restricted configuration. Small 1/2 medium, and large 2x.
232
233 option root_age '9'
234 Days. >90 Disables. Age limit for Unbound root data like root
235 DNSSEC key. Unbound uses RFC 5011 to manage root key. This could
236 harm flash ROM. This activity is mapped to "tmpfs," but every so
237 often it needs to be copied back to flash for the next reboot.
238
239 option ttl_min '120'
240 Seconds. Minimum TTL in cache. Recursion can be expensive without
241 cache. A low TTL is normal for server migration. A low TTL can be
242 abused for snoop-vertising (DNS hit counts; recording query IP).
243 Typical to configure maybe 0~300, but 1800 is the maximum accepted.
244
245 option unbound_control '0'
246 Boolean. Enables unbound-control application access ports. Enabling
247 this without the unbound-control package installed is robust.
248
249 option validator '0'
250 Boolean. Enable DNSSEC. Unbound names this the "validator" module.
251
252 option validator_ntp '1'
253 Boolean. Disable DNSSEC time checks at boot. Once NTP confirms
254 global real time, then DNSSEC is restarted at full strength. Many
255 embedded devices don't have a real time power off clock. NTP needs
256 DNS to resolve servers. This works around the chicken-and-egg.
257
258 list domain_insecure
259 List. Domains or pointers that you wish to skip DNSSEC. Your DHCP
260 domains and pointers in dnsmasq will get this automatically.
261
262 ## Deprecated UCI
263 The dnsmasq specific UCI will still work as well as they did, but please use `option dhcp_link 'dnsmasq'` above. Local host name and WAN host name will be lifted and configured from DHCP UCI subpart dnsmasq. (`dnsmasq_gate_name`, `dnsmasq_link_dns`, `dnsmasq_only_local`)
264
Mirror of packages feed