Current odhcpd in master writes MAC addresses with colons in his lease file,
this new odhcpd format leads to a crash loop in unbound (if DHCPv4 to SLAAC is selected).
Just remove the colons, before the processing in slaac_eui64 begins, fixes#28032
Signed-off-by: Dirk Brenken <dev@brenken.org>
* add adblock-fast to the Ad Blocking segment
* fix grammar (Its -> It's)
* modify last paragraph of the instructions as they are specific to adblock
Signed-off-by: Stan Grishin <stangri@melmac.ca>
For cnames with a local data target the A RR is not resolved and
missing in the response. As most applications don't send another
query and fail, these entries are placed in a rpz zone instead.
Signed-off-by: Tobias Waldvogel <tobias.waldvogel@gmail.com>
Updated 010-configure-uname.patch as source changed.
Removed 100-example-conf-in.patch as not needed any more.
Release message:
This release has a fix for the DNSBomb issue CVE-2024-33655. This has a
low severity for Unbound, since it makes Unbound complicit in targeting
others, but does not affect Unbound so much.
To mitigate the issue new configuration options are introduced.
The options discard-timeout: 1900, wait-limit: 1000
and wait-limit-cookie: 10000 are enabled by default. They limit the
number of outstanding queries that a querier can have. This limits
the reply pulse, and make Unbound less favorable for the issue.
With the config wait-limit-netblock and wait-limit-cookie-netblock
the parameters can be fine tuned for specific destinations.
More information on the attack and Unbound's mitigations are
presented further down.
Other fixes in this release are that Unbound no longer follows symlinks
when truncating the pidfile. Unbound also does not chown the pidfile,
this is for safety reasons. There are also a number of fixes for RPZ, in
handling CNAMEs. There is a memory leak fix for the edns client subnet
cache. For DNSSEC validation a case is fixed when the query is of type
DNAME. The unbound-anchor program is fixed to first write to a temporary
file, before replacing the original. This handles disk full situations,
and because of it unbound-anchor needs permission to create that file,
in the same directory as the original file. There is also a fix for
IP_DONTFRAG, to disable fragmentation instead of the opposite.
The option cache-min-negative-ttl can be used to set the minimum TTL
for negative responses in the cache. It complements existing options to
set the maximum ttl for negative responses and to set the minimum and
maximum ttl but not specifically for negative responses.
The option cachedb-check-when-serve-expired option makes Unbound use
cachedb to check for expired responses, when serve-expired is enabled,
and cachedb is used. It is enabled by default.
The -q option for unbound-checkconf can be added to silence it when
there are no errors.
Signed-off-by: Ryan Keane <the.ra2.ifv@gmail.com>
* adblock-fast can generate the compatible adb_list-file, but it's
only pulled if net/adblock installed, this patch also pulls in the
adb_list file if net/adblock-fast is installed.
* also bump PKG_RELEASE
Signed-off-by: Stan Grishin <stangri@melmac.ca>
that way, procd does not needlessly restart unbound on triggers when
everything remains the same - changes in non-default included
configuration files will not be registered, however
Signed-off-by: Jan Klos <jan@klos.xyz>
The function `create_host_record_from_host` fails if the `dns` option
is not set in the host entry.
This sets a default to the `dns` variable in order to fix this error.
Fixes: #22691
Signed-off-by: Julien Cassette <julien.cassette@gmail.com>
The "Extra DNS" option allows to create records from the DHCP
"Hostnames" configuration entries.
This allows to create such records from the DHCP "Static leases"
configuration entries too.
Fixes: #22593
Signed-off-by: Julien Cassette <julien.cassette@gmail.com>
This prevents a forwarding server named like ::1@5453 from being added
to unbound.conf as a forward-host instead of the correct forward-addr.
forward-host requires the name to be resolved, which is impossible in
the absence of another nameserver. Thus, forwarding-only configurations
referencing only the IPv6 loopback address with a port number were
broken.
Signed-off-by: Mark Mentovai <mark@mentovai.com>
Currently there is a problem with log spam when ipv6 network
is dropped. Fix this by backporting a patch to silence these errors
when verbose logging is not enabled.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
The crude loop I wrote to come up with this changeset:
find -L package/feeds/packages/ -name patches | \
sed 's/patches$/refresh/' | sort | xargs make
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
DNS flag day 2020, software should reflect the minimum EDNS 1232 bytes.
Added iface_wan and iface_lan to control internal DNS assignemnts and
to control what is local service ACL. Interface wild cards are not
explicitly set so that they can be customized in extended conf.
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
