
one unbound config for all OS, fix #602 #604

Open
wants to merge 14 commits into base: master
Conversation

HenryNe
Contributor

@HenryNe HenryNe commented Mar 31, 2020

Fix for #602
Create config /etc/unbound/unbound.conf.d/openvpn.conf,
include this config into /etc/unbound/unbound.conf,
do it for all OS.

On uninstall, simply remove the include if it was injected by openvpn-install.

edit:
tested on Debian 9 and Arch Linux 1.4

Fix for angristan#602
Create new config as /etc/unbound/unbound.conf.d/openvpn.conf,
include this into /etc/unbound/unbound.conf.
On uninstall, simply remove the include if it was injected by openvpn-install.
harden-glue: yes and qname-minimisation: yes for all OS, not only for Arch.
Full path to remove include of /etc/unbound/unbound.conf.d/openvpn.conf,
and missing ":" after the "include".
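The install/uninstall procedure described in the PR description and the commits above, as an added example that is not part of this PR or of the openvpn-install project. It assumes the paths named in the PR, uses a marker comment of its own (`# added by openvpn-install`, an assumption) to tell an injected include apart from one the admin wrote by hand, and takes the VPN address and subnet as constructed sample arguments; the function names are hypothetical, and UNBOUND_DIR can be pointed at a scratch directory to exercise the functions without touching /etc/unbound.

```shell
#!/bin/sh
# Added example, not code from the openvpn-install project: idempotent
# install/uninstall of the Unbound include described in the PR. The paths and
# the harden-glue / qname-minimisation options come from the PR; the marker
# comment, the function names and the sample subnet are assumptions.

UNBOUND_DIR="${UNBOUND_DIR:-/etc/unbound}"   # overridable so the functions can run against a scratch dir
MARKER="# added by openvpn-install"           # assumed marker; uninstall only acts when it is present

openvpn_conf() { printf '%s\n' "$UNBOUND_DIR/unbound.conf.d/openvpn.conf"; }
main_conf()    { printf '%s\n' "$UNBOUND_DIR/unbound.conf"; }

# Write the second "server:" clause for the VPN subnet. Unbound merges several
# server: clauses, so the distro's own unbound.conf stays as it is.
write_openvpn_conf() {
    vpn_ip="$1"       # e.g. 10.8.0.1    (constructed sample value)
    vpn_subnet="$2"   # e.g. 10.8.0.0/24 (constructed sample value)
    conf=$(openvpn_conf)
    mkdir -p "$(dirname "$conf")"
    cat >"$conf" <<EOF
server:
    interface: $vpn_ip
    access-control: $vpn_subnet allow
    harden-glue: yes
    qname-minimisation: yes
EOF
}

# Append the marker and the include once; re-running the installer must not
# duplicate them.
inject_include() {
    conf=$(main_conf)
    inc="include: $(openvpn_conf)"
    if ! grep -qF -- "$inc" "$conf" 2>/dev/null; then
        printf '%s\n%s\n' "$MARKER" "$inc" >>"$conf"
    fi
}

# Remove the include only if our marker shows it was injected by this script.
# Any other include line (for example one the admin wrote by hand) and the
# rest of unbound.conf are left untouched.
remove_include() {
    conf=$(main_conf)
    inc="include: $(openvpn_conf)"
    if grep -qF -- "$MARKER" "$conf" 2>/dev/null; then
        # Drop both lines: an include left behind would point at a file that
        # no longer exists and keep Unbound from starting.
        grep -vF -e "$MARKER" -e "$inc" "$conf" >"$conf.tmp" || true
        mv "$conf.tmp" "$conf"
    fi
    rm -f "$(openvpn_conf)"
}

# Number of include lines that point at our file (0 or 1 if the above behaves).
count_includes() {
    conf=$(main_conf)
    [ -f "$conf" ] || { echo 0; return 0; }
    grep -cF -- "include: $(openvpn_conf)" "$conf" || true
}

# Usage: sh unbound-include.sh install 10.8.0.1 10.8.0.0/24
#        sh unbound-include.sh uninstall
# then:  unbound-checkconf && systemctl restart unbound
case "${1:-}" in
    install)   write_openvpn_conf "$2" "$3"; inject_include ;;
    uninstall) remove_include ;;
esac
```

Removing the marker and the include together matters: deleting openvpn.conf while leaving an include that points at it would make Unbound refuse to start on the next restart, so run `unbound-checkconf` before restarting in either direction.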
@randshell
Contributor

@angristan I think in Arch we can remove the following code because these are defaults.

```sh
curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache

echo 'server:
use-syslog: yes
do-daemonize: no
username: "unbound"
directory: "/etc/unbound"
trust-anchor-file: trusted-key.key
root-hints: root.hints
port: 53
num-threads: 2' >/etc/unbound/unbound.conf
```

The non-defaults are the root-hints option, because the hints are built in and so downloading them isn't necessary, and the num-threads: 2 option, which defaults to 1 (see https://wiki.archlinux.org/index.php/Unbound#Issues_concerning_num-threads).

@randshell
Contributor

randshell commented Apr 2, 2020

https://wiki.archlinux.org/index.php/Unbound#Issues_concerning_num-threads

num-threads is 4 on Centos 7. In this case we can keep the default value that comes with the package on each distro or maybe overwrite it to 2 if it defaults to 1.

As a note, we specify qname-minimisation: yes for privacy reasons, but it seems that it falls back to no, sending the full QNAME, if the nameservers are broken and don't accept the minimisation. See https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/#qname-minimisation

Contributor

@randshell randshell left a comment


Can you update the path to our config in the questions please?

echo "We will simply add a second server to /etc/unbound/unbound.conf for the OpenVPN subnet."

Contributor

@randshell randshell left a comment


@HenryNe Looks good.
Now I'm waiting for feedback from @angristan to resolve my previous comments.

"username: unbound" is default. Found in the Arch Linux default unbound.conf and https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/#username
@HenryNe
Contributor Author

HenryNe commented Apr 4, 2020

username: unbound is default. Tested on Arch Linux:

  1. Removed the "username: ..." from /etc/unbound/unbound.conf
  2. systemctl restart unbound
  3. Get current UID: ps l -p `pidof unbound`
     F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
     4 976 1569 1 20 0 92292 15012 - Ssl ? 0:00 /usr/bin/unbound -d -p
  4. Check user ID: id 976
     uid=976(unbound) gid=976(unbound) groups=976(unbound)

@randshell
Contributor

@HenryNe these are defaults too #604 (comment).

You can use unbound.conf.txt to see them

@HenryNe
Contributor Author

HenryNe commented Apr 4, 2020

"directory: /etc/unbound" is default on Arch Linux.

  1. Removed the "directory: ..." from /etc/unbound/unbound.conf
  2. systemctl restart unbound
  3. Get current working directory from the running daemon: ls -l /proc/`pidof unbound`/cwd
     lrwxrwxrwx 1 root root 0 Apr  4 19:24 /proc/1569/cwd -> /etc/unbound

use-syslog is default, directory /etc/unbound is default, port 53 is default
@randshell
Contributor

ls -l /proc/`pidof unbound`/cwd

Or you can use unbound-checkconf -o directory. See https://www.nlnetlabs.nl/documentation/unbound/unbound-checkconf/

@HenryNe
Contributor Author

HenryNe commented Apr 4, 2020

unbound is started with /usr/bin/unbound -d -p under Arch Linux.
So the do-daemonize: no is not needed.

@HenryNe
Contributor Author

HenryNe commented Apr 4, 2020

The only remaining one would be num-threads: 2, which is 1 by default.

Arch Linux starts "/usr/bin/unbound -d -p".
"-d": do not fork into the background.
So the "daemonize: no" is default. (For systemd on Arch Linux)
All entries after "server:" with a TAB/indent
@HenryNe HenryNe marked this pull request as ready for review April 7, 2020 19:35
@HenryNe
Contributor Author

HenryNe commented Apr 7, 2020

I changed the PR into ready for pull now, because this change uses the same options as before. Only the include and config file were moved.

@HenryNe HenryNe changed the title one unbound config for all OS one unbound config for all OS, fix #602 Apr 10, 2020