PKG_NAME:=unbound
PKG_VERSION:=1.7.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/unbound.init $(1)/etc/init.d/unbound
$(INSTALL_DIR) $(1)/usr/lib/unbound
- $(INSTALL_BIN) ./files/odhcpd.sh $(1)/usr/lib/unbound/odhcpd.sh
- $(INSTALL_DATA) ./files/odhcpd.awk $(1)/usr/lib/unbound/odhcpd.awk
+ $(INSTALL_DATA) ./files/defaults.sh $(1)/usr/lib/unbound/defaults.sh
$(INSTALL_DATA) ./files/dnsmasq.sh $(1)/usr/lib/unbound/dnsmasq.sh
$(INSTALL_DATA) ./files/iptools.sh $(1)/usr/lib/unbound/iptools.sh
+ $(INSTALL_BIN) ./files/odhcpd.sh $(1)/usr/lib/unbound/odhcpd.sh
+ $(INSTALL_DATA) ./files/odhcpd.awk $(1)/usr/lib/unbound/odhcpd.awk
$(INSTALL_DATA) ./files/rootzone.sh $(1)/usr/lib/unbound/rootzone.sh
$(INSTALL_DATA) ./files/unbound.sh $(1)/usr/lib/unbound/unbound.sh
endef
## Package Overview
Unbound may be useful on consumer grade embedded hardware. It is _intended_ to be a recursive resolver only. [NLnet Labs NSD](https://www.nlnetlabs.nl/projects/nsd/) is _intended_ for the authoritative task. This is different than [ISC Bind](https://www.isc.org/downloads/bind/) and its inclusive functions. Unbound configuration effort and memory consumption may be easier to control. A consumer could have their own recursive resolver with 8/64 MB router, and remove potential issues from forwarding resolvers outside of their control.
-This package builds on Unbounds capabilities with OpenWrt UCI. Not every Unbound option is in UCI, but rather, UCI simplifies the combination of related options. Unbounds native options are bundled and balanced within a smaller set of choices. Options include resources, DNSSEC, access control, and some TTL tweaking. The UCI also provides an escape option and work at the raw "unbound.conf" level.
+This package builds on Unbounds capabilities with OpenWrt UCI. Not every Unbound option is in UCI, but rather, UCI simplifies the combination of related options. Unbounds native options are bundled and balanced within a smaller set of choices. Options include resources, DNSSEC, access control, and some TTL tweaking. The UCI also provides an escape option and works at the raw "unbound.conf" level.
## HOW TO Adblocking
The UCI scripts will work with [net/adblock 2.3+](https://github.com/openwrt/packages/blob/master/net/adblock/files/README.md), if it is installed and enabled. Its all detected and integrated automatically. In brief, the adblock scripts create distinct local-zone files that are simply included in the unbound conf file during UCI generation. If you don't want this, then disable adblock or reconfigure adblock to not send these files to Unbound.
also can be used to for bad purposes.
option rebind_protection '1'
- Boolean. Prevent RFC 1918 Reponses from global DNS. Example a
- poisoned reponse within "192.168.0.0/24" could be used to turn a
- local browser into an external attack proxy server.
+ Level. Block your local address responses from global DNS. A poisoned
+ reponse within "192.168.0.0/24" or "fd00::/8" could turn a local browser
+ into an external attack proxy server. IP6 GLA may be vulnerable also.
+ 0 - Off
+ 1 - Only RFC 1918 and 4193 responses blocked
+ 2 - Plus GLA /64 on designated interface(s)
+ 3 - Plus DHCP-PD range passed down interfaces (not implemented)
option recursion 'passive'
Unbound has numerous options for how it recurses. This UCI combines
embedded devices don't have a real time power off clock. NTP needs
DNS to resolve servers. This works around the chicken-and-egg.
- list domain_insecure 'www.example.com'
- Domain. Domains that you wish to skip DNSSEC. Your DHCP
- domains and pointers will get this automatically.
+ list domain_forward 'mail.my-isp.com'
+ Domain. Do not recurse, but rather forward the domains to given DNS
+ servers found in resolve.conf.auto from WAN DHCP client. This may
+ provide better access to mirror servers in 'your neigborhood.' This
+ may be useful in keeping local organization lookups on local subnets.
- list trigger 'lan' 'wan'
+ list domain_insecure 'ntp.somewhere.org'
+ Domain. Domains that you wish to skip DNSSEC. It is one way around NTP
+ chicken and egg. Your DHCP servered domains are automatically included.
+
+ list rebind_interface 'lan'
+ Interface (logical). Works with 'rebind_protection' options 2 and 3.
+
+ list trigger_interface 'lan' 'wan'
Interface (logical). This option is a work around for netifd/procd
interaction with WAN DHCPv6. Minor RA or DHCP changes in IP6 can
cause netifd to execute procd interface reload. Limit Unbound procd
--- /dev/null
+#!/bin/sh
+##############################################################################
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# Copyright (C) 2016 Eric Luehrsen
+#
+##############################################################################
+
+UNBOUND_LIBDIR=/usr/lib/unbound
+UNBOUND_VARDIR=/var/lib/unbound
+
+UNBOUND_PIDFILE=/var/run/unbound.pid
+
+UNBOUND_SRV_CONF=$UNBOUND_VARDIR/unbound_srv.conf
+UNBOUND_EXT_CONF=$UNBOUND_VARDIR/unbound_ext.conf
+UNBOUND_DHCP_CONF=$UNBOUND_VARDIR/unbound_dhcp.conf
+UNBOUND_CONFFILE=$UNBOUND_VARDIR/unbound.conf
+
+UNBOUND_KEYFILE=$UNBOUND_VARDIR/root.key
+UNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hints
+UNBOUND_TIMEFILE=$UNBOUND_VARDIR/hotplug.time
+
+UNBOUND_CTLKEY_FILE=$UNBOUND_VARDIR/unbound_control.key
+UNBOUND_CTLPEM_FILE=$UNBOUND_VARDIR/unbound_control.pem
+UNBOUND_SRVKEY_FILE=$UNBOUND_VARDIR/unbound_server.key
+UNBOUND_SRVPEM_FILE=$UNBOUND_VARDIR/unbound_server.pem
+
+##############################################################################
+
+UNBOUND_ANCHOR=/usr/sbin/unbound-anchor
+UNBOUND_CONTROL=/usr/sbin/unbound-control
+UNBOUND_CONTROL_CFG="$UNBOUND_CONTROL -c $UNBOUND_CONFFILE"
+
+##############################################################################
+
while ( ( cmd | getline adr ) > 0 ) {
- if (( substr( adr, 1, 5 ) <= "fd00:" ) \
+ if (( substr( adr, 1, 5 ) <= "fdff:" ) \
&& ( index( adr, "anycast" ) == 0 ) \
&& ( index( adr, "via" ) == 0 )) {
# GA or ULA routed addresses only (not LL or MC)
#
##############################################################################
-# Common file location definitions
-. /usr/lib/unbound/unbound.sh
-
-##############################################################################
-
-odhcpd_settings() {
- # This trigger is out of normal init context, so we need to read some UCI.
- local cfg="$1"
- config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none
- config_get_bool UNBOUND_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0
- config_get UNBOUND_TXT_DOMAIN "$cfg" domain lan
-}
+. /lib/functions.sh
+. /usr/lib/unbound/defaults.sh
##############################################################################
odhcpd_zonedata() {
+ local longconf dateconf
local dns_ls_add=$UNBOUND_VARDIR/dhcp_dns.add
local dns_ls_del=$UNBOUND_VARDIR/dhcp_dns.del
local dhcp_ls_new=$UNBOUND_VARDIR/dhcp_lease.new
local dhcp_ls_old=$UNBOUND_VARDIR/dhcp_lease.old
local dhcp_ls_add=$UNBOUND_VARDIR/dhcp_lease.add
local dhcp_ls_del=$UNBOUND_VARDIR/dhcp_lease.del
- local dhcp_origin=$( uci_get dhcp.@odhcpd[0].leasefile )
- config_load unbound
- config_foreach odhcpd_settings unbound
+ local dhcp_link=$( uci_get unbound.@unbound[0].dhcp_link )
+ local dhcp4_slaac6=$( uci_get unbound.@unbound[0].dhcp4_slaac6 )
+ local dhcp_domain=$( uci_get unbound.@unbound[0].domain )
+ local dhcp_origin=$( uci_get dhcp.@odhcpd[0].leasefile )
- if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" -a -f "$dhcp_origin" ] ; then
+ if [ "$dhcp_link" = "odhcpd" -a -f "$dhcp_origin" ] ; then
# Capture the lease file which could be changing often
- cat $dhcp_origin | sort > $dhcp_ls_new
- touch $dhcp_ls_old
- sort $dhcp_ls_new $dhcp_ls_old $dhcp_ls_old | uniq -u > $dhcp_ls_add
- sort $dhcp_ls_old $dhcp_ls_new $dhcp_ls_new | uniq -u > $dhcp_ls_del
-
- # Go through the messy business of coding up A, AAAA, and PTR records
- # This static conf will be available if Unbound restarts asynchronously
- awk -v hostfile=$UNBOUND_DHCP_CONF -v domain=$UNBOUND_TXT_DOMAIN \
- -v bslaac=$UNBOUND_B_SLAAC6_MAC -v bisolt=0 -v bconf=1 \
- -f /usr/lib/unbound/odhcpd.awk $dhcp_ls_new
-
- # Deleting and adding all records into Unbound can be a burden in a
- # high density environment. Use unbound-control incrementally.
- awk -v hostfile=$dns_ls_del -v domain=$UNBOUND_TXT_DOMAIN \
- -v bslaac=$UNBOUND_B_SLAAC6_MAC -v bisolt=0 -v bconf=0 \
- -f /usr/lib/unbound/odhcpd.awk $dhcp_ls_del
-
- awk -v hostfile=$dns_ls_add -v domain=$UNBOUND_TXT_DOMAIN \
- -v bslaac=$UNBOUND_B_SLAAC6_MAC -v bisolt=0 -v bconf=0 \
- -f /usr/lib/unbound/odhcpd.awk $dhcp_ls_add
+ sort $dhcp_origin > $dhcp_ls_new
+
+
+ if [ ! -f $UNBOUND_DHCP_CONF -o ! -f $dhcp_ls_old ] ; then
+ longconf=2
+
+ else
+ dateconf=$(( $( date +%s ) - $( date -r $UNBOUND_DHCP_CONF +%s ) ))
+
+
+ if [ $dateconf > 150 ] ; then
+ longconf=1
+ else
+ longconf=0
+ fi
+ fi
+
+
+ if [ $longconf -gt 0 ] ; then
+ # Go through the messy business of coding up A, AAAA, and PTR records
+ # This static conf will be available if Unbound restarts asynchronously
+ awk -v hostfile=$UNBOUND_DHCP_CONF -v domain=$dhcp_domain \
+ -v bslaac=$dhcp4_slaac6 -v bisolt=0 -v bconf=1 \
+ -f /usr/lib/unbound/odhcpd.awk $dhcp_ls_new
+ fi
+
+
+ if [ $longconf -lt 2 ] ; then
+ # Deleting and adding all records into Unbound can be a burden in a
+ # high density environment. Use unbound-control incrementally.
+ sort $dhcp_ls_old $dhcp_ls_new $dhcp_ls_new | uniq -u > $dhcp_ls_del
+ awk -v hostfile=$dns_ls_del -v domain=$dhcp_domain \
+ -v bslaac=$dhcp4_slaac6 -v bisolt=0 -v bconf=0 \
+ -f /usr/lib/unbound/odhcpd.awk $dhcp_ls_del
+
+ sort $dhcp_ls_new $dhcp_ls_old $dhcp_ls_old | uniq -u > $dhcp_ls_add
+ awk -v hostfile=$dns_ls_add -v domain=$dhcp_domain \
+ -v bslaac=$dhcp4_slaac6 -v bisolt=0 -v bconf=0 \
+ -f /usr/lib/unbound/odhcpd.awk $dhcp_ls_add
+
+ else
+ awk -v hostfile=$dns_ls_add -v domain=$dhcp_domain \
+ -v bslaac=$dhcp4_slaac6 -v bisolt=0 -v bconf=0 \
+ -f /usr/lib/unbound/odhcpd.awk $dhcp_ls_new
+ fi
if [ -f "$dns_ls_del" ] ; then
#
##############################################################################
#
-# This component needs to be used within the unbound.sh as an include. It uses
-# defaults and UCI scope variables defined there. It will copy root.key back
-# to /etc/unbound/ periodically, but avoid ROM flash abuse (UCI option).
+# This component will copy root.key back to /etc/unbound/ periodically, but
+# avoid ROM flash abuse (UCI option).
#
##############################################################################
-rootzone_uci() {
- local cfg=$1
-
- # This will likely be called outside of "start_service()" context
- config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
- config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
- config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9
-}
-
-##############################################################################
-
roothints_update() {
# TODO: Might not be implemented. Unbound doesn't natively update hints.
# Unbound philosophy is built in root hints are good for machine life.
rootkey_update() {
local basekey_date rootkey_date rootkey_age filestuff
+ local dnssec=$( uci_get unbound.@unbound[0].validator )
+ local dnssec_ntp=$( uci_get unbound.@unbound[0].validator_ntp )
+ local dnssec_age=$( uci_get unbound.@unbound[0].root_age )
+
- if [ "$UNBOUND_N_ROOT_AGE" -gt 90 -o "$UNBOUND_B_DNSSEC" -lt 1 ] ; then
+ if [ "$dnssec_age" -gt 90 -o "$dnssec" -lt 1 ] ; then
# Feature disabled
return 0
- elif [ "$UNBOUND_B_NTP_BOOT" -gt 0 -a ! -f "$UNBOUND_TIMEFILE" ] ; then
+ elif [ "$dnssec_ntp" -gt 0 -a ! -f "$UNBOUND_TIMEFILE" ] ; then
# We don't have time yet
return 0
fi
fi
- if [ "$rootkey_age" -gt "$UNBOUND_N_ROOT_AGE" ] ; then
+ if [ "$rootkey_age" -gt "$dnssec_age" ] ; then
filestuff=$( cat $UNBOUND_KEYFILE )
##############################################################################
rootzone_update() {
- # Partial UCI fetch for this functional group
- config_load unbound
- config_foreach rootzone_uci unbound
-
- # You need root.hints and root.key to boot strap recursion
roothints_update
rootkey_update
}
service_triggers() {
local trigger
- local triggers=$( uci_get unbound.@unbound[0].trigger )
+ local legacy=$( uci_get unbound.@unbound[0].trigger )
+ local triggers=$( uci_get unbound.@unbound[0].trigger_interface )
+ triggers="$triggers $legacy"
PROCD_RELOAD_DELAY=2000
procd_add_reload_trigger "unbound"
+
if [ -n "$triggers" ] ; then
for trigger in $triggers ; do
# due to some netifd/procd interactions with IP6, limit interfaces
UNBOUND_B_LOCL_SERV=1
UNBOUND_B_MAN_CONF=0
UNBOUND_B_NTP_BOOT=1
-UNBOUND_B_PRIV_BLCK=1
UNBOUND_B_QUERY_MIN=0
UNBOUND_B_QRY_MINST=0
UNBOUND_D_DHCP_LINK=none
UNBOUND_D_EXTRA_DNS=0
UNBOUND_D_LAN_FQDN=0
+UNBOUND_D_PRIV_BLCK=1
UNBOUND_D_PROTOCOL=mixed
UNBOUND_D_RESOURCE=small
UNBOUND_D_RECURSION=passive
UNBOUND_TXT_FWD_ZONE=""
UNBOUND_TXT_HOSTNAME=thisrouter
+UNBOUND_LIST_FORWARD=""
UNBOUND_LIST_INSECURE=""
+UNBOUND_LIST_PRV_SUBNET=""
##############################################################################
##############################################################################
-UNBOUND_LIBDIR=/usr/lib/unbound
-UNBOUND_VARDIR=/var/lib/unbound
-
-UNBOUND_PIDFILE=/var/run/unbound.pid
-
-UNBOUND_SRV_CONF=$UNBOUND_VARDIR/unbound_srv.conf
-UNBOUND_EXT_CONF=$UNBOUND_VARDIR/unbound_ext.conf
-UNBOUND_DHCP_CONF=$UNBOUND_VARDIR/unbound_dhcp.conf
-UNBOUND_CONFFILE=$UNBOUND_VARDIR/unbound.conf
-
-UNBOUND_KEYFILE=$UNBOUND_VARDIR/root.key
-UNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hints
-UNBOUND_TIMEFILE=$UNBOUND_VARDIR/hotplug.time
-
-UNBOUND_CTLKEY_FILE=$UNBOUND_VARDIR/unbound_control.key
-UNBOUND_CTLPEM_FILE=$UNBOUND_VARDIR/unbound_control.pem
-UNBOUND_SRVKEY_FILE=$UNBOUND_VARDIR/unbound_server.key
-UNBOUND_SRVPEM_FILE=$UNBOUND_VARDIR/unbound_server.pem
-
-##############################################################################
-
-UNBOUND_ANCHOR=/usr/sbin/unbound-anchor
-UNBOUND_CONTROL=/usr/sbin/unbound-control
-UNBOUND_CONTROL_CFG="$UNBOUND_CONTROL -c $UNBOUND_CONFFILE"
-
-##############################################################################
-
. /lib/functions.sh
. /lib/functions/network.sh
-. $UNBOUND_LIBDIR/dnsmasq.sh
-. $UNBOUND_LIBDIR/iptools.sh
-. $UNBOUND_LIBDIR/rootzone.sh
+. /usr/lib/unbound/defaults.sh
+. /usr/lib/unbound/dnsmasq.sh
+. /usr/lib/unbound/iptools.sh
+. /usr/lib/unbound/rootzone.sh
##############################################################################
##############################################################################
-create_domain_insecure() {
+bundle_domain_forward() {
+ UNBOUND_LIST_FORWARD="$UNBOUND_LIST_FORWARD $1"
+}
+
+##############################################################################
+
+bundle_domain_insecure() {
UNBOUND_LIST_INSECURE="$UNBOUND_LIST_INSECURE $1"
}
##############################################################################
+bundle_private_interface() {
+ local ipcommand ifsubnet ifsubnets ifname
+
+ network_get_device ifname $1
+
+ if [ -n "$ifname" ] ; then
+ ipcommand="ip -6 -o address show $ifname"
+ ifsubnets=$( $ipcommand | awk '/inet6/{ print $4 }' )
+
+
+ if [ -n "$ifsubnets" ] ; then
+ for ifsubnet in $ifsubnets ; do
+ case $ifsubnet in
+ [1-9]*:*[0-9a-f])
+ # Special GLA protection for local block; ULA protected as a catagory
+ UNBOUND_LIST_PRV_SUBNET="$UNBOUND_LIST_PRV_SUBNET $ifsubnet" ;;
+ esac
+ done
+ fi
+ fi
+}
+
+##############################################################################
+
unbound_mkdir() {
local dhcp_origin=$( uci_get dhcp.@odhcpd[0].leasefile )
local dhcp_dir=$( dirname $dhcp_origin )
##############################################################################
+unbound_forward() {
+ local fdomain fresolver resolvers
+ # Forward selected domains to the upstream (WAN) stub resolver. This may be
+ # faster or local pool addresses to ISP service login page. This may keep
+ # internal organization lookups, well, internal to the organization.
+
+
+ if [ -n "$UNBOUND_LIST_FORWARD" ] ; then
+ resolvers=$( grep nameserver /tmp/resolv.conf.auto | sed "s/nameserver//g" )
+
+
+ if [ -n "$resolvers" ] ; then
+ for fdomain in $UNBOUND_LIST_FORWARD ; do
+ {
+ echo "forward-zone:"
+ echo " name: \"$fdomain.\""
+ for fresolver in $resolvers ; do
+ echo " forward-addr: $fresolver"
+ done
+ echo
+ } >> $UNBOUND_CONFFILE
+ done
+ fi
+ fi
+}
+
+##############################################################################
+
unbound_conf() {
- local rt_mem rt_conn modulestring domain
+ local rt_mem rt_conn modulestring domain ifsubnet
# Make fresh conf file
echo > $UNBOUND_CONFFILE
fi
- if [ "$UNBOUND_B_PRIV_BLCK" -gt 0 ] ; then
+ if [ "$UNBOUND_D_PRIV_BLCK" -gt 0 ] ; then
{
# Remove _upstream_ or global reponses with private addresses.
# Unbounds own "local zone" and "forward zone" may still use these.
echo " private-address: 169.254.0.0/16"
echo " private-address: 172.16.0.0/12"
echo " private-address: 192.168.0.0/16"
- echo " private-address: fc00::/8"
- echo " private-address: fd00::/8"
+ echo " private-address: fc00::/7"
echo " private-address: fe80::/10"
+ echo
} >> $UNBOUND_CONFFILE
fi
+ if [ -n "$UNBOUND_LIST_PRV_SUBNET" -a "$UNBOUND_D_PRIV_BLCK" -gt 1 ] ; then
+ for ifsubnet in $UNBOUND_LIST_PRV_SUBNET ; do
+ # Remove global DNS responses with your local network IP6 GLA
+ echo " private-address: $ifsubnet" >> $UNBOUND_CONFFILE
+ done
+
+
+ echo >> $UNBOUND_CONFFILE
+ fi
+
+
if [ "$UNBOUND_B_LOCL_BLCK" -gt 0 ] ; then
{
# Remove DNS reponses from upstream with loopback IP
echo " private-address: ::1/128"
echo
} >> $UNBOUND_CONFFILE
-
- else
- echo >> $UNBOUND_CONFFILE
fi
config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0
config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0
config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0
- config_get_bool UNBOUND_B_PRIV_BLCK "$cfg" rebind_protection 1
config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none
config_get UNBOUND_D_EXTRA_DNS "$cfg" add_extra_dns 0
config_get UNBOUND_D_LAN_FQDN "$cfg" add_local_fqdn 0
+ config_get UNBOUND_D_PRIV_BLCK "$cfg" rebind_protection 1
config_get UNBOUND_D_PROTOCOL "$cfg" protocol mixed
config_get UNBOUND_D_RECURSION "$cfg" recursion passive
config_get UNBOUND_D_RESOURCE "$cfg" resource small
config_get UNBOUND_TTL_MIN "$cfg" ttl_min 120
config_get UNBOUND_TXT_DOMAIN "$cfg" domain lan
- config_list_foreach "$cfg" "domain_insecure" create_domain_insecure
+ config_list_foreach "$cfg" "domain_forward" bundle_domain_forward
+ config_list_foreach "$cfg" "domain_insecure" bundle_domain_insecure
+ config_list_foreach "$cfg" "rebind_interface" bundle_private_interface
UNBOUND_LIST_DOMAINS="nowhere $UNBOUND_TXT_DOMAIN"
# unbound is designated to listen on 127.0.0.1#53,
# set resolver file to local.
rm -f /tmp/resolv.conf
+
{
echo "# /tmp/resolv.conf generated by Unbound UCI $( date )"
echo "nameserver 127.0.0.1"
echo "nameserver ::1"
- echo "search $UNBOUND_TXT_DOMAIN"
+ echo "search $UNBOUND_TXT_DOMAIN."
} > /tmp/resolv.conf
}
unbound_records
fi
+
+ unbound_forward
unbound_control
fi
option unbound_control '0'
option validator '0'
option validator_ntp '1'
- list trigger 'lan'
- list trigger 'wan'
- #list domain_insecure 'www.example.com'
+ list trigger_interface 'lan'
+ list trigger_interface 'wan'
+ #list rebind_interface 'lan'
+ #list domain_insecure 'ntp.example.com'
+ #list domain_forward 'mail.example.com'
git.99rst.org / openwrt-packages.git / commitdiff