When the bridge cannot detect a domain name for any of the leases, it
uses localdomain which is not always the best choice. So instead, this
patches changes the behaviour that we read the default domain of the
firewall.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
This saves some resources when we re-read the same configuration file
too often.
Suggested-by: Anthony Heading <ajrh@ajrh.net>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch changes that the script will listen to changes to the
directory instead of the file which got complicated when files got
renamed.
It also processes all changes at the same time and tries finding out
what actions have to be performed in order to avoid unnecessary
iterations.
The script is also limited to process any changes only once every five
seconds to keep resource usage in check on busy systems.
Suggested-by: Anthony Heading <ajrh@ajrh.net>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This improves logging and enables logging to the console.
Suggested-by: Anthony Heading <ajrh@ajrh.net>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
These are meanwhile set by Unbound upstream as well, so there is no need
to do things twice here.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Till now when a server was in the "blocking regime" there was one probe
made every 15 min, to see if this server is up again. In situations
where all servers where down (e.g. because of a massive package loss)
it could take up to 15 min to have a working dns again.
This patch changes this behaviour in a way that a server marked down is
probed every 2 min.
Fixes: #12557
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This seems to cause that some resolvers do not respond
to queries any more until unbound falls back.
To ensure better DNS performance, we disabled this.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
In order to keep configuration files small and easy to review/audit,
omitting defaults makes more sense than configure them explicitly (have
changed my mind here).
Unbound comes with a good default confiuration, and we should only make
changes when they are necessary. In addition, this patch updates the
documentation's URL to the current one.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
unbound runs as nobody and cannot reload its configuration
when this file is only readable for root.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This file is no longer generated and therefore cannot
be imported any more.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This is a feature that will filter adult content from search
engine's results.
The old method of rewriting the HTTP request no longer works.
This method changes the DNS response for supported search engines
which violates our belief in DNSSEC and won't allow these search
engines to ever enable DNSSEC.
However, there is no better solution available to this and this
an optional feature, too.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
When there is a large number of leases, writing the file may
take a long time. When unbound is re-reading its configuration
in that time, the file might syntactically incorrect.
This change writes the file first and then moves it
to the right place in one transaction.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
These are a cause of worry because they are sometimes generated with
an invalid timestamp and therefore render unbound being unusable.
There is no strong reason to use self-signed certificates for extra
security here.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Currently, Unbound only prints statistics if it is being shutdown
(mostly because of a machine reboot). This makes detecting DNS
anomalies hard as no intermediate statistic result is being logged.
This patch changes Unbound's behaviour in order to log statistics
every 86,400 seconds (i.e. 24 hours).
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Attempt to detect DNS spoofing attacks by inserting 0x20-encoded
random bits into upstream queries. Upstream documentation claims
it to be an experimental implementation, it did not cause any trouble
on productive systems here.
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
further details.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
By default, Unbound neither keeps track of the number of unwanted
replies nor initiates countermeasures if they become too large (DNS
cache poisoning).
This sets the maximum number of tolerated unwanted replies to
1M, causing the cache to be flushed afterwards. (Upstream documentation
recommends 10M as a threshold, but this turned out to be ineffective
against attacks in the wild.)
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
details. This version of the patch uses 1M as threshold instead of
5M and supersedes the first and second version.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This causes trouble when you try to resolve a record like
a.b.blah.com where b.blah.com responds with NXDOMAIN. unbound
won't try to resolve a.b.blah.com because it is assumed that
everything longer than b.blah.com does not exist which is
probably not good usability.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Before the bridge tries reading any existing leases from unbound
but this makes it difficult to destinguish between what is a DHCP lease,
static host entry or anything else.
This patch will change the bridge back to just remember what has been
added to the cache already which makes it easier to keep track.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
If there are any invalid hostnames in the DHCP leases
table, we just skip them and do not create and RRs for
them.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This allows us to restart unbound and all DHCP leases
will be re-imported even if the unbound-dhcp-leases-bridge is
not restarted.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
