upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-26 01:29:58 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
7788 commits 23 branches 209 tags 124 MiB
Commit graph

311 commits

Author SHA1 Message Date
W.C.A. Wijngaards
1e0cf1e86b - Merge patch to fix for glue that is outside of zone, with 
`harden-unverified-glue`, from Karthik Umashankar (Microsoft).
  Enabling this option protects the Unbound resolver against bad
  glue, that is unverified out of zone glue, by resolving them.
  It uses the records as last resort if there is no other working
  glue.
 2024-08-23 08:56:48 +02:00
W.C.A. Wijngaards
3d350fa73d - Add iter-scrub-ns, iter-scrub-cname and max-global-quota 
configuration options.
 2024-08-20 14:08:52 +02:00
Wouter Wijngaards
ad21dbd1c2
Cookie secret file (#1090) 
* - cookie-secret-file, define struct.

* - cookie-secret-file, add config option, create, read and delete struct.

* - cookie-secret-file, check cookie secrets for cookie validation.

* - cookie-secret-file, unbound-control add_cookie_secret, drop_cookie_secret,
  activate_cookie_secret and print_cookie_secrets.

* - cookie-secret-file, test and fix locks, renew writes a fresh cookie,
  staging cookies get a fresh cookie and spelling in error message.

* - cookie-secret-file, remove unused variable from cookie file unit test.

* Remove unshare and faketime dependencies for cookie_file test; documentation nits.

---------

Co-authored-by: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
 2024-08-02 13:32:08 +02:00
W.C.A. Wijngaards
c3dd6a2dbd - Add dnstap-sample-rate that logs only 1/N messages, for high volume 
server environments. Thanks Dan Luther.
 2024-07-19 10:04:40 +02:00
W.C.A. Wijngaards
c3206f4568 - Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to Xiang Li 
from the Network and Information Security Lab of Tsinghua University
  for reporting it.
 2024-05-01 10:10:58 +02:00
W.C.A. Wijngaards
d98c7b9ae3 - Implement cachedb-check-when-serve-expired: yes option, default 
is enabled. When serve expired is enabled with cachedb, it first
  checks cachedb before serving the expired response.
 2024-04-10 11:21:28 +02:00
Yorgos Thessalonikefs
025881d0e9 - Introduce 'cache-min-negative-ttl' option to bound the minimum TTL for 
negative answers overriding 'cache-min-ttl'.
 2024-03-12 11:24:59 +01:00
W.C.A. Wijngaards
3d1bc143af - Fix #969: [FR] distinguish Do53, DoT and DoH in the logs. 2023-12-05 10:05:51 +01:00
W.C.A. Wijngaards
18ebe165ba Merge branch 'master' into cachedb-no-store 2023-10-12 14:51:12 +02:00
Wouter Wijngaards
5c6c57ed89
Merge pull request #944 from NLnetLabs/disable-edns-do 
Disable EDNS DO
 2023-10-12 14:04:29 +02:00
W.C.A. Wijngaards
47094fd83f Merge branch 'master' into cachedb-no-store 2023-10-11 13:51:34 +02:00
George Thessalonikefs
e98b89651e - Fix #850: [FR] Ability to use specific database in Redis, with new 
redis-logical-db configuration option.
 2023-10-11 11:44:55 +02:00
W.C.A. Wijngaards
ae96aa0a6d - cachedb-no-store, implement cachedb-no-store: yes configuration option. 2023-10-06 13:22:10 +02:00
W.C.A. Wijngaards
d1977c679b - disable-edns-do, doc and add option disable-edns-do: no. 2023-09-13 13:11:53 +02:00
George Thessalonikefs
49e4258102 - For #762: Interaction between DNS Cookies and source IP ratelimiting 
by allowing Cookies to bypass the ratelimit, but still allowing
  ratelimit to valid DNS Cookie clients via the new
  ip-ratelimit-cookie option.
 2023-08-08 10:14:03 +02:00
George Thessalonikefs
4ccb613396 Merge branch 'master' into features/downstream-cookies 2023-08-05 20:37:48 +02:00
George Thessalonikefs
e1ec3cf893 Merge branch 'nat64' of https://github.com/eqvinox/unbound into eqvinox-nat64 2023-04-26 15:14:39 +02:00
Vadim Fedorenko
04540f82e5 config: add sock_queue_timeout configuration 
Add sock_queue_timeout config option to have queue timeout configurable.

Signed-off-by: Vadim Fedorenko <vadfed@meta.com>
 2023-04-26 03:27:19 -07:00
Vadim Fedorenko
648ad4db6f Linting change. 
Remove config parser/lexer code as it's rebuilded every time but can
break adding new config options.
Also clean up the code base to avoid mixing actual code changes and lint
issues.

Signed-off-by: Vadim Fedorenko <vadfed@meta.com>
 2023-04-25 17:05:00 -07:00
George Thessalonikefs
6bf677e7de Fix #833: [FR] Ability to set the Redis password. 2023-01-23 11:45:07 +01:00
W.C.A. Wijngaards
77f15428c9 - Add #835: [FR] Ability to use Redis unix sockets. 2023-01-23 10:09:28 +01:00
W.C.A. Wijngaards
8df1e58209 - Add harden-unknown-additional option. Default on and it removes 
unknown records from the authority section and additional section.
  Thanks to Xiang Li, from NISL Lab, Tsinghua University.
 2023-01-19 14:59:18 +01:00
George Thessalonikefs
df411b3f28 - Updates for #461 (Add max-query-restarts option). 2022-12-13 15:29:22 +01:00
George Thessalonikefs
71db243b0d Merge branch 'restart_conf' of https://github.com/cgallred/unbound into cgallred-restart_conf 2022-12-13 14:35:01 +01:00
George Thessalonikefs
c61b2121b5 - Expose 'max-sent-count' as a configuration option; the 
default value retains Unbound's behavior.
 2022-12-13 13:57:07 +01:00
George Thessalonikefs
859d0f2dfe - Expose 'statistics-inhibit-zero' as a configuration option; the 
default value retains Unbound's behavior.
 2022-12-13 10:47:37 +01:00
Willem Toorop
8df26b132b Merge branch 'master' into devel/merge-master-into-downstream-cookies 2022-11-07 17:09:20 +00:00
David Lamparter
64fb06f892 NAT64 support 
This implements #721.  Includes documentation and some very basic tests.
Please refer to doc for further detail.
 2022-11-07 11:37:50 +00:00
Yorgos Thessalonikefs
c4e51a4cfe
PROXYv2 downstream support (#760) 2022-10-03 15:29:47 +02:00
Willem Toorop
75f3fbdd65 Downstream DNS Cookies a la RFC7873 and RFC9018 
Create server cookies for clients that send client cookies.
Needs to be turned on in the config file with:

	answer-cookie: yes

A cookie-secret can be configured for anycast setups.
Also adds an access control list that will allow queries with
either a valid cookie or over a stateful transport.
 2022-09-28 10:28:19 +02:00
George Thessalonikefs
c30bdff939 Initial commit for interface based ACL. 2022-09-11 20:21:32 +02:00
W.C.A. Wijngaards
ef57f8bd51 - Fix #734 [FR] enable unbound-checkconf to detect more (basic) 
errors.
 2022-08-05 14:41:05 +02:00
Minghang Chen
249efd4285 Introduce infra-cache-max-rtt option to config max retransmit timeout 
Added the option and let it default to 120 seconds so that it won't change
current behavior.

Related-to #717
 2022-07-16 01:46:18 -07:00
tcarpay
0ce36e8289
Add the basic EDE (RFC8914) cases (#604) 2022-05-06 12:48:53 +02:00
Christian Allred
d19e12ab5d Merge branch 'master' of https://github.com/NLnetLabs/unbound into restart_conf 2022-04-18 12:16:40 -07:00
W.C.A. Wijngaards
a0feea393a - Fix #618: enabling interface-automatic disables DNS-over-TLS. 
Adds the option to list interface-automatic-ports.
 2022-02-11 10:58:53 +01:00
George Thessalonikefs
3086335724 - Introduce ratelimit-backoff and ip-ratelimit-backoff options for more 
aggressive rate limiting.
 2022-01-30 00:36:29 +01:00
W.C.A. Wijngaards
392c1f0f54 - Fix #596: unset the RA bit when a query is blocked by an unbound 
RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
  signal that a domain is externally blocked to clients when it
  is blocked with NXDOMAIN by unsetting RA.
 2022-01-04 13:40:07 +01:00
Dimitris Apostolou
c21d6af617
Fix typos 2021-11-13 16:56:15 +02:00
W.C.A. Wijngaards
829f3c932e - Fix for #41: change outbound retry to int to fix signed comparison 
warnings.
 2021-09-08 15:07:11 +02:00
W.C.A. Wijngaards
204edd229e Merge branch 'feature/configure-outbound_msg_retry' of git://github.com/countsudoku/unbound into countsudoku-feature/configure-outbound_msg_retry 2021-09-08 14:38:36 +02:00
Tomasz Ziolkowski
ae45f46b9e Add (stub|forward)-tcp-upstream options which enable using tcp transport only for specified stub/forward zones 2021-08-05 08:44:18 +02:00
Artem Egorenkov
d9153cb35b Option --enable-linux-ip-local-port-range added to use system configured port range for libunbound on Linux 2021-07-20 14:46:43 +02:00
George Thessalonikefs
ca4d68c64c - Introduce 'http-user-agent:' and 'hide-http-user-agent:' options. 2021-07-16 14:32:18 +02:00
gthess
45be341267
Merge pull request #486 from fobser/val-max-restart 
Make VAL_MAX_RESTART_COUNT configurable.
 2021-06-09 12:09:27 +02:00
W.C.A. Wijngaards
ea4f1ee8a6 - zonemd-check: yesno option, default no, enables the processing 
of ZONEMD records for that zone.
 2021-05-27 14:20:53 +02:00
Florian Obser
d4314cad33 Make VAL_MAX_RESTART_COUNT configurable. 
unbound tries very hard (up to 6 authoritative servers) to find a
validating answer. This is not always desirable, for example on high
latency links.
 2021-05-08 16:56:32 +02:00
André Cruz
e07f973938
Allow configuration of TCP timeout while waiting for response 
This allows us to configure how long Unbound will wait for a response
on a TCP connection.
 2021-04-28 16:20:46 +01:00
George Thessalonikefs
45328d37b1 - Fix compiler warning for signed/unsigned comparison for 
max_reuse_tcp_queries.
 2021-04-28 16:15:52 +02:00
André Cruz
75875d4d1c
Allow configuration of persistent TCP connections 
Added 2 new options to configure previously hardcoded
values: max-reuse-tcp-queries and tcp-reuse-timeout. These
allow fine-grained control over how unbound uses persistent
TCP connections to authority servers.
 2021-04-21 13:50:45 +01:00