"drill -x 192.168.10.201 ~ NODATA" (insted of james-laptop.lan)
option edns_size '1280'
- Extended DNS is necessary for DNSSEC. However, it can run into MTU
- issues. Use this size in bytes to manage drop outs.
+ Bytes. Extended DNS is necessary for DNSSEC. However, it can run
+ into MTU issues. Use this size in bytes to manage drop outs.
+
+ option hide_binddata '1'
+ Boolean. If enabled version.server, version.bind, id.server, and
+ hostname.bind queries are refused.
option listen_port '53'
Port. Incoming. Where Unbound will listen for queries.
Boolean. Skip all this UCI nonsense. Manually edit the
configuration. Make changes to /etc/unbound/unbound.conf.
+ option protocol 'mixed'
+ Unbound can limit its protocol: "ip4_only" for ISP behind the time,
+ "ip6_only" for testing, "ip6_prefer" for ISP with good IP6 support,
+ or default-all "mixed." This affects the protocol used to
+ communicate. The DNS responses always include hosts respective IP4
+ and IP6 data.
+
option query_minimize '0'
- Boolean. Enable a minor privacy option. Query only one name piece
- at a time. Don't let each server know the next recursion.
+ Boolean. Enable a minor privacy option. Don't let each server know
+ the next recursion. Query one piece at a time.
+
+ option query_min_strict '0'
+ Boolean. Query minimize is best effort and will fall back to normal
+ when it must. This option prevents the fall back, but less than
+ standard name servers will fail to resolve their domains.
option rebind_localhost '0'
Boolean. Prevent loopback "127.0.0.0/8" or "::1/128" responses.
UNBOUND_B_DNSSEC=0
UNBOUND_B_DNS64=0
UNBOUND_B_GATE_NAME=0
+UNBOUND_B_HIDE_BIND=1
UNBOUND_B_LOCL_BLCK=0
UNBOUND_B_LOCL_NAME=0
UNBOUND_B_LOCL_SERV=1
UNBOUND_B_NTP_BOOT=1
UNBOUND_B_PRIV_BLCK=1
UNBOUND_B_QUERY_MIN=0
+UNBOUND_B_QRY_MINST=0
UNBOUND_IP_DNS64="64:ff9b::/96"
UNBOUND_D_RESOURCE=small
UNBOUND_D_RECURSION=passive
+UNBOUND_D_PROTOCOL=mixed
UNBOUND_TXT_FWD_ZONE=""
UNBOUND_TTL_MIN=120
} >> $UNBOUND_CONFFILE
+ case "$UNBOUND_D_PROTOCOL" in
+ ip4_only)
+ {
+ echo " do-ip4: yes"
+ echo " do-ip6: no"
+ } >> $UNBOUND_CONFFILE
+ ;;
+
+ ip6_only)
+ {
+ echo " do-ip4: no"
+ echo " do-ip6: yes"
+ } >> $UNBOUND_CONFFILE
+ ;;
+
+ ip6_prefer)
+ {
+ echo " do-ip4: yes"
+ echo " do-ip6: yes"
+ echo " prefer-ip6: yes"
+ } >> $UNBOUND_CONFFILE
+ ;;
+
+ *)
+ {
+ echo " do-ip4: yes"
+ echo " do-ip6: yes"
+ } >> $UNBOUND_CONFFILE
+ ;;
+ esac
+
+
{
# protocol level tuning
echo " edns-buffer-size: $UNBOUND_N_EDNS_SIZE"
} >> $UNBOUND_CONFFILE
- if [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+ if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+ {
+ # Some query privacy but "strict" will break some name servers
+ echo " qname-minimisation: yes"
+ echo " qname-minimisation-strict: yes"
+ } >> $UNBOUND_CONFFILE
+
+ elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
# Minor improvement on query privacy
echo " qname-minimisation: yes" >> $UNBOUND_CONFFILE
} >> $UNBOUND_CONFFILE
+ if [ "$UNBOUND_B_HIDE_BIND" -gt 0 ] ; then
+ {
+ # Block server id and version DNS TXT records
+ echo " hide-identity: yes"
+ echo " hide-version: yes"
+ echo
+ } >> $UNBOUND_CONFFILE
+ fi
+
+
if [ "$UNBOUND_B_PRIV_BLCK" -gt 0 ] ; then
{
- # Remove DNS reponses from upstream with private IP
+ # Remove _upstream_ or global reponses with private addresses.
+ # Unbounds own "local zone" and "forward zone" may still use these.
+ # RFC1918, RFC3927, RFC4291, RFC6598, RFC6890
echo " private-address: 10.0.0.0/8"
+ echo " private-address: 100.64.0.0/10"
echo " private-address: 169.254.0.0/16"
echo " private-address: 172.16.0.0/12"
echo " private-address: 192.168.0.0/16"
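Review bot: The `*)` arm of the new `case "$UNBOUND_D_PROTOCOL"` block (L75-L80) silently treats any unrecognized value — a typo such as `ip6only` or `mixed ` with trailing space — exactly like `mixed`, so a user who meant to restrict Unbound to one address family gets both without any indication; since `protocol` is read straight from UCI with only a default (`config_get ... protocol mixed`), the script is the only place this can be caught. I would give `mixed` its own arm and make `*)` warn before falling back, as sketched below (use whatever logging helper this script already has if `echo >&2` is not the convention). Two smaller things in the same hunk: the strict-minimisation test on L89 uses the deprecated `[ ... -a ... ]` form and is clearer as `if [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] && [ "$UNBOUND_B_QRY_MINST" -gt 0 ] ; then`, and nothing tells the user that `query_min_strict` is ignored when `query_minimize` is off — a comment such as `# strict minimisation only has effect when query_minimize is also set` above the `if` would save a confused bug report. The function enclosing this hunk starts and ends outside it, and the `private-address` list continues past the last context line, so I have not judged its completeness.
```shell
case "$UNBOUND_D_PROTOCOL" in
# … unchanged: ip4_only, ip6_only, ip6_prefer arms …
mixed)
  {
    echo "  do-ip4: yes"
    echo "  do-ip6: yes"
  } >> $UNBOUND_CONFFILE
  ;;

*)
  # Unknown value: say so, then fall back to "mixed" rather than
  # letting a typo silently change the address-family policy.
  echo "unbound: unknown protocol '$UNBOUND_D_PROTOCOL', using mixed" >&2
  {
    echo "  do-ip4: yes"
    echo "  do-ip6: yes"
  } >> $UNBOUND_CONFFILE
  ;;
esac
```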
####################
# UCI @ unbound #
####################
-
+
config_get_bool UNBOUND_B_DNS64 "$cfg" dns64 0
config_get_bool UNBOUND_B_GATE_NAME "$cfg" dnsmasq_gate_name 0
config_get_bool UNBOUND_B_DNSMASQ "$cfg" dnsmasq_link_dns 0
+ config_get_bool UNBOUND_B_HIDE_BIND "$cfg" hide_binddata 1
config_get_bool UNBOUND_B_LOCL_NAME "$cfg" dnsmasq_only_local 0
config_get_bool UNBOUND_B_LOCL_SERV "$cfg" localservice 1
config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0
config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0
+ config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0
config_get_bool UNBOUND_B_PRIV_BLCK "$cfg" rebind_protection 1
config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
config_get_bool UNBOUND_B_CONTROL "$cfg" unbound_control 0
config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
config_get UNBOUND_IP_DNS64 "$cfg" dns64_prefix "64:ff9b::/96"
+
config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280
config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53
+ config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 7
+
+ config_get UNBOUND_D_PROTOCOL "$cfg" protocol mixed
config_get UNBOUND_D_RECURSION "$cfg" recursion passive
config_get UNBOUND_D_RESOURCE "$cfg" resource small
- config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 7
+
config_get UNBOUND_TTL_MIN "$cfg" ttl_min 120