
Bug #8473 » unbound_stilez.patch

patches for 5 files against 2.4.3 - Stilez y, 04/19/2018 12:25 PM


/usr/local/www/services_unbound.php 2018-04-19 16:04:30.000000000 +0100
53 53
if (isset($a_unboundcfg['enable'])) {
54 54
       $pconfig['enable'] = true;
55 55
}
56
if (isset($a_unboundcfg['dnssec'])) {
57
       $pconfig['dnssec'] = true;
58
}
59 56
if (isset($a_unboundcfg['forwarding'])) {
60 57
       $pconfig['forwarding'] = true;
61 58
}
......
182 179
       if (!$input_errors) {
183 180
               $a_unboundcfg['enable'] = isset($pconfig['enable']);
184 181
               $a_unboundcfg['port'] = $pconfig['port'];
185
               $a_unboundcfg['dnssec'] = isset($pconfig['dnssec']);
182
               $a_unboundcfg['dnssec'] = isset($a_unboundcfg['dnssec']) ? $a_unboundcfg['dnssec'] : false;
183
               $a_unboundcfg['qname'] = isset($a_unboundcfg['qname']) ? $a_unboundcfg['qname'] : 'disabled';
186 184
               $a_unboundcfg['forwarding'] = isset($pconfig['forwarding']);
187 185
               $a_unboundcfg['regdhcp'] = isset($pconfig['regdhcp']);
188 186
               $a_unboundcfg['regdhcpstatic'] = isset($pconfig['regdhcpstatic']);
......
270 268
$tab_array = array();
271 269
$tab_array[] = array(gettext("General Settings"), true, "services_unbound.php");
270
$tab_array[] = array(gettext("Security and Privacy"), false, "services_unbound_security.php");
272 271
$tab_array[] = array(gettext("Advanced Settings"), false, "services_unbound_advanced.php");
273 272
$tab_array[] = array(gettext("Access Lists"), false, "/services_unbound_acls.php");
274 273
display_top_tabs($tab_array, true);
......
322 321
))->setHelp('The local-zone type used for the pfSense system domain (System | General Setup | Domain).  Transparent is the default.  Local-Zone                                                                                                                                                                                                                            type descriptions are available in the unbound.conf(5) manual pages.');
323 322
$section->addInput(new Form_Checkbox(
324
       'dnssec',
325
       'DNSSEC',
326
       'Enable DNSSEC Support',
327
       $pconfig['dnssec']
328
));
329

  
330
$section->addInput(new Form_Checkbox(
331 323
       'forwarding',
332 324
       'DNS Query Forwarding',
333 325
       'Enable Forwarding Mode',
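Review bot: The two added lines 182-183 are no-ops whenever the key already exists, and when it does not they materialise `$a_unboundcfg['dnssec'] = false` instead of leaving the key absent; a stored `false` still satisfies `isset()`, which is the idiom the removed line 56 used and which the new security page still uses on its line 69, so a presence-style consumer would read "disabled" as enabled after a save on this page. Since this page no longer owns either setting, the safest version is to not touch them here at all: dropping both lines preserves whatever the security page wrote (assuming `$a_unboundcfg` aliases `$config['unbound']`, as the rest of the file suggests). If a default for `qname` is really wanted, guard it as `if (!isset($a_unboundcfg['qname'])) { $a_unboundcfg['qname'] = 'disabled'; }` so no extra key is created. The enclosing `if (!$input_errors)` block continues outside the hunk.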
/usr/local/www/services_unbound_acls.php 2018-04-19 14:44:57.000000000 +0100
182 182
$tab_array = array();
183 183
$tab_array[] = array(gettext("General Settings"), false, "/services_unbound.php");
184
$tab_array[] = array(gettext("Security and Privacy"), false, "services_unbound_security.php");
184 185
$tab_array[] = array(gettext("Advanced Settings"), false, "services_unbound_advanced.php");
185 186
$tab_array[] = array(gettext("Access Lists"), true, "/services_unbound_acls.php");
186 187
display_top_tabs($tab_array, true);
187 188

  
188 189

  
189 190

  
190 191

  
191 192

  
192 193

  
193
-- /usr/local/www/services_unbound_advanced.php  2018-04-19 14:38:38.449865000 +0100
194
++ /usr/local/www/services_unbound_advanced.php       2018-04-19 17:44:49.000000000 +0100
......
34 34
       $config['unbound'] = array();
35 35
}
36
if (isset($config['unbound']['hideidentity'])) {
37
       $pconfig['hideidentity'] = true;
38
}
39

  
40
if (isset($config['unbound']['hideversion'])) {
41
       $pconfig['hideversion'] = true;
42
}
43

  
44 36
if (isset($config['unbound']['prefetch'])) {
45 37
       $pconfig['prefetch'] = true;
46 38
}
......
50 42
       $pconfig['prefetchkey'] = true;
51 43
}
52
if (isset($config['unbound']['dnssecstripped'])) {
53
       $pconfig['dnssecstripped'] = true;
54
}
55

  
56 44
if (isset($config['unbound']['dnsrecordcache'])) {
57 45
       $pconfig['dnsrecordcache'] = true;
58 46
}
......
70 58
$pconfig['infra_cache_numhosts'] = isset($config['unbound']['infra_cache_numhosts']) ? $config['unbound']['infra_cache_numhosts'] : '10000';
71 59
$pconfig['unwanted_reply_threshold'] = isset($config['unbound']['unwanted_reply_threshold']) ? $config['unbound']['unwanted_reply_threshold'] : 'disabled';
72 60
$pconfig['log_verbosity'] = isset($config['unbound']['log_verbosity']) ? $config['unbound']['log_verbosity'] : "1";
61
$pconfig['proto'] = ($config['unbound']['proto'] =='tcp' || $config['unbound']['proto'] == 'udp') ? $config['unbound']['proto'] : 'both';
62

  
73 63
if (isset($config['unbound']['disable_auto_added_access_control'])) {
74 64
       $pconfig['disable_auto_added_access_control'] = true;
......
79 69
       $pconfig['disable_auto_added_host_entries'] = true;
80 70
}
81
if (isset($config['unbound']['use_caps'])) {
82
       $pconfig['use_caps'] = true;
83
}
84

  
85 71
if ($_POST) {
86 72
       if ($_POST['apply']) {
87 73
               $retval = 0;
......
94 80
               unset($input_errors);
95 81
               $pconfig = $_POST;
82
               if (isset($_POST['proto']) && !in_array($_POST['proto'], array('both', 'tcp', 'udp'))) {
83
                       $input_errors[] = gettext("A valid protocol must be specified.");
84
               }
96 85
               if (isset($_POST['msgcachesize']) && !in_array($_POST['msgcachesize'], array('4', '10', '20', '50', '100', '250', '512'), true)) {
97 86
                       $input_errors[] = gettext("A valid value for Message Cache Size must be specified.");
98 87
               }
......
130 119
               if (isset($_POST['log_verbosity']) && !in_array($_POST['log_verbosity'], array('0', '1', '2', '3', '4', '5'), true)) {
131 120
                       $input_errors[] = gettext("A valid value must be specified for Log Level.");
132 121
               }
133
               if (isset($_POST['dnssecstripped']) && !isset($config['unbound']['dnssec'])) {
134
                       $input_errors[] = gettext("Harden DNSSEC Data option can only be enabled if DNSSEC support is enabled.");
135
               }
136 122
               if (!$input_errors) {
137
                       if (isset($_POST['hideidentity'])) {
138
                               $config['unbound']['hideidentity'] = true;
139
                       } else {
140
                               unset($config['unbound']['hideidentity']);
141
                       }
142
                       if (isset($_POST['hideversion'])) {
143
                               $config['unbound']['hideversion'] = true;
144
                       } else {
145
                               unset($config['unbound']['hideversion']);
146
                       }
147 123
                       if (isset($_POST['prefetch'])) {
148 124
                               $config['unbound']['prefetch'] = true;
149 125
                       } else {
......
155 131
                       } else {
156 132
                               unset($config['unbound']['prefetchkey']);
157 133
                       }
158
                       if (isset($_POST['dnssecstripped'])) {
159
                               $config['unbound']['dnssecstripped'] = true;
160
                       } else {
161
                               unset($config['unbound']['dnssecstripped']);
162
                       }
163 134
                       if (isset($_POST['dnsrecordcache'])) {
164 135
                               $config['unbound']['dnsrecordcache'] = true;
165 136
                       } else {
......
178 149
                       $config['unbound']['unwanted_reply_threshold'] = $_POST['unwanted_reply_threshold'];
179 150
                       $config['unbound']['log_verbosity'] = $_POST['log_verbosity'];
151
                       if (isset($_POST['proto']) && ($_POST['proto'] == 'udp' || $_POST['proto'] == 'tcp')) {
152
                               $config['unbound']['proto'] = $_POST['proto'];
153
                       } else {
154
                               unset($config['unbound']['proto']);
155
                       }
156

  
180 157
                       if (isset($_POST['disable_auto_added_access_control'])) {
181 158
                               $config['unbound']['disable_auto_added_access_control'] = true;
182 159
                       } else {
......
190 167
                               unset($config['unbound']['disable_auto_added_host_entries']);
191 168
                       }
192
                       if (isset($_POST['use_caps'])) {
193
                               $config['unbound']['use_caps'] = true;
194
                       } else {
195
                               unset($config['unbound']['use_caps']);
196
                       }
197

  
198 169
                       write_config(gettext("DNS Resolver configured."));
199 170
                       mark_subsystem_dirty('unbound');
......
222 193
$tab_array = array();
223 194
$tab_array[] = array(gettext("General Settings"), false, "services_unbound.php");
195
$tab_array[] = array(gettext("Security and Privacy"), false, "services_unbound_security.php");
224 196
$tab_array[] = array(gettext("Advanced Settings"), true, "services_unbound_advanced.php");
225 197
$tab_array[] = array(gettext("Access Lists"), false, "/services_unbound_acls.php");
226 198
display_top_tabs($tab_array, true);
......
231 203
$section = new Form_Section('Advanced Resolver Options');
232 204
$section->addInput(new Form_Checkbox(
233
       'hideidentity',
234
       'Hide Identity',
235
       'id.server and hostname.bind queries are refused',
236
       $pconfig['hideidentity']
237
));
238

  
239
$section->addInput(new Form_Checkbox(
240
       'hideversion',
241
       'Hide Version',
242
       'version.server and version.bind queries are refused',
243
       $pconfig['hideversion']
244
));
245

  
246
$section->addInput(new Form_Checkbox(
247 205
       'prefetch',
248 206
       'Prefetch Support',
249 207
       'Message cache elements are prefetched before they expire to help keep the cache up to date',
......
259 217
))->setHelp('This helps lower the latency of requests but does utilize a little more CPU. See: %1$sWikipedia%2$s', '<a href="http://en.wikipedia.org/wiki/List_of_DNS_record_types">', '</a>');
260 218
$section->addInput(new Form_Checkbox(
261
       'dnssecstripped',
262
       'Harden DNSSEC Data',
263
       'DNSSEC data is required for trust-anchored zones.',
264
       $pconfig['dnssecstripped']
265
))->setHelp('If such data is absent, the zone becomes bogus. If Disabled and no DNSSEC data is received, then the zone is made insecure. ');
266

  
267
$section->addInput(new Form_Checkbox(
268 219
       'dnsrecordcache',
269 220
       'Serve Expired',
270 221
       'Serve cache records even with TTL of 0',
......
280 231
))->setHelp('Size of the message cache. The message cache stores DNS response codes and validation statuses. The Resource Record Set (RRSet) cache will automatically be set to twice this amount. The RRSet cache contains the actual RR data. The default is 4 megabytes.');
281 232
$section->addInput(new Form_Select(
233
       'proto',
234
       'Protocols',
235
       $pconfig['proto'],
236
       array('both' => 'Both UDP and TCP', 'udp' => 'UDP only', 'tcp' => 'TCP only')
237
))->setHelp('Normally the resolver will allow both UDP and TCP for incoming and outgoing data. In some cases - particularly when DNS traffic will be proxied or tunnelled ' .
238
       '- it can be necessary to restrict the resolver to using only UDP or only TCP.%1$sThis setting should usually be left at the default, "both".%2$s',
239
       '<br/><b>',
240
       '</b>'
241
);
242

  
243
$section->addInput(new Form_Select(
282 244
       'outgoing_num_tcp',
283 245
       'Outgoing TCP Buffers',
284 246
       $pconfig['outgoing_num_tcp'],
......
393 355
       $pconfig['disable_auto_added_host_entries']
394 356
))->setHelp('By default, the primary IPv4 and IPv6 addresses of this firewall are added as records for the system domain of this firewall as configured in %1$sSystem: General Setup%2$s. This disables the auto generation of these entries.', '<a href="system.php">', '</a>');
395
$section->addInput(new Form_Checkbox(
396
       'use_caps',
397
       'Experimental Bit 0x20 Support',
398
       'Use 0x-20 encoded random bits in the DNS query to foil spoofing attempts.',
399
       $pconfig['use_caps']
400
))->setHelp('See the implementation %1$sdraft dns-0x20%2$s for more information.', '<a href="https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00">', '</a>');
401

  
402 357
$form->add($section);
403 358
print($form);
404
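Review bot: Line 82 validates `proto` with a non-strict `in_array`, unlike the sibling check on line 85 which passes `true`; for consistency use `!in_array($_POST['proto'], array('both', 'tcp', 'udp'), true)`. Line 61 dereferences `$config['unbound']['proto']` without `isset`, which raises a notice on every config saved before this patch, and both it and the write path on lines 151-155 compare with `==`; a tighter read is `isset($config['unbound']['proto']) && in_array($config['unbound']['proto'], array('tcp', 'udp'), true) ? $config['unbound']['proto'] : 'both'`. The surrounding `$_POST` handler starts and ends outside the hunks shown.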
-- /usr/local/www/services_unbound_security.php  2018-04-19 14:39:03.217902000 +0100
359
++ /usr/local/www/services_unbound_security.php       2018-04-19 17:19:08.000000000 +0100
......
1
<?php
2
/*
3
 * services_unbound_security.php
4
 *
5
 * part of pfSense (https://www.pfsense.org)
6
 * Copyright (c) 2004-2018 Rubicon Communications, LLC (Netgate)
7
 * Copyright (c) 2014 Warren Baker (warren@pfsense.org)
8
 * All rights reserved.
9
 *
10
 * Licensed under the Apache License, Version 2.0 (the "License");
11
 * you may not use this file except in compliance with the License.
12
 * You may obtain a copy of the License at
13
 *
14
 * http://www.apache.org/licenses/LICENSE-2.0
15
 *
16
 * Unless required by applicable law or agreed to in writing, software
17
 * distributed under the License is distributed on an "AS IS" BASIS,
18
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19
 * See the License for the specific language governing permissions and
20
 * limitations under the License.
21
 */
22

  
23
##|+PRIV
24
##|*IDENT=page-services-dnsresolver-security
25
##|*NAME=Services: DNS Resolver: Security and Privacy
26
##|*DESCR=Allow access to the 'Services: DNS Resolver: Security and Privacy' page.
27
##|*MATCH=services_unbound_security.php*
28
##|-PRIV
29

  
30
require_once("guiconfig.inc");
31
require_once("unbound.inc");
32

  
33
$dnssec_opts = array(
34
       0 => array(
35
               'descrip' => 'DNSSEC disabled',
36
               'dnssec_value' => false,
37
               'dnssecstripped_value' => false
38
       ),
39
       1 => array(
40
               'descrip' => 'DNSSEC enabled: zones without DNSSEC data considered INSECURE',
41
               'dnssec_value' => true,
42
               'dnssecstripped_value' => false
43
       ),
44
       2 => array(
45
               'descrip' => 'DNSSEC enabled and hardened: zones without DNSSEC data considered BOGUS',
46
               'dnssec_value' => true,
47
               'dnssecstripped_value' => true
48
       )
49
);
50

  
51
$qname_opts = array(
52
       'disabled' => 'QNAME minimization disabled',
53
       'preferred' => 'QNAME minimization preferred ("best efforts")',
54
       'strict' => 'QNAME minimization required'
55
);
56

  
57
if (!is_array($config['unbound'])) {
58
       $config['unbound'] = array();
59
}
60

  
61
if (isset($config['unbound']['hideidentity'])) {
62
       $pconfig['hideidentity'] = true;
63
}
64

  
65
if (isset($config['unbound']['hideversion'])) {
66
       $pconfig['hideversion'] = true;
67
}
68

  
69
if (isset($a_unboundcfg['dnssec'])) {
70
       $pconfig['dnssec'] = true;
71
}
72
if (isset($config['unbound']['dnssecstripped'])) {
73
       $pconfig['dnssecstripped'] = true;
74
}
75

  
76
if (isset($config['unbound']['use_caps'])) {
77
       $pconfig['use_caps'] = true;
78
}
79

  
80
if (array_key_exists($config['unbound']['qname'], $qname_opts)) {
81
       $pconfig['qname'] = $config['unbound']['qname'];
82
} else {
83
       $pconfig['qname'] = 'disabled';
84
}
85

  
86
if (isset($config['unbound']['tls_upstream'])) {
87
       $pconfig['tls_upstream'] = true;
88
}
89

  
90
if ($_POST) {
91
       if ($_POST['apply']) {
92
               $retval = 0;
93
               $retval |= services_unbound_configure();
94
               if ($retval == 0) {
95
                       clear_subsystem_dirty('unbound');
96
               }
97
       } else {
98
               unset($input_errors);
99
               $pconfig = $_POST;
100

  
101

  
102
               if (!array_key_exists($_POST['dnssec_level'], $dnssec_opts)) {
103
                       $input_errors[] = gettext("Invalid DNSSEC option.");
104
               }
105

  
106
               if (!array_key_exists($_POST['qname'], $qname_opts)) {
107
                       $input_errors[] = gettext("Invalid QNAME minimization option.");
108
               }
109

  
110
               if (!$input_errors) {
111
                       if (isset($_POST['hideidentity'])) {
112
                               $config['unbound']['hideidentity'] = true;
113
                       } else {
114
                               unset($config['unbound']['hideidentity']);
115
                       }
116
                       if (isset($_POST['hideversion'])) {
117
                               $config['unbound']['hideversion'] = true;
118
                       } else {
119
                               unset($config['unbound']['hideversion']);
120
                       }
121
                       $config['unbound']['dnssec'] = $dnsopts[$_POST['dnssec_level']]['dnssec_value'];
122
                       if ($dnsopts[$_POST['dnssec_level']]['dnssecstripped_value']) {
123
                               $config['unbound']['dnssecstripped'] = true;
124
                       } else {
125
                               unset($config['unbound']['dnssecstripped']);
126
                       }
127
                       if (isset($_POST['use_caps'])) {
128
                               $config['unbound']['use_caps'] = true;
129
                       } else {
130
                               unset($config['unbound']['use_caps']);
131
                       }
132
                       $config['qname'] = $_POST['qname'];
133
                       if (isset($_POST['tls_upstream'])) {
134
                               $config['unbound']['tls_upstream'] = true;
135
                       } else {
136
                               unset($config['unbound']['tls_upstream']);
137
                       }
138

  
139
                       write_config(gettext("DNS Resolver configured."));
140

  
141
                       mark_subsystem_dirty('unbound');
142
               }
143
       }
144
}
145

  
146
$pgtitle = array(gettext("Services"), gettext("DNS Resolver"), gettext("Security and Privacy"));
147
$pglinks = array("", "services_unbound.php", "@self");
148
$shortcut_section = "resolver";
149
include_once("head.inc");
150

  
151
if ($input_errors) {
152
       print_input_errors($input_errors);
153
}
154

  
155
if ($_POST['apply']) {
156
       print_apply_result_box($retval);
157
}
158

  
159
if (is_subsystem_dirty('unbound')) {
160
       print_apply_box(gettext("The DNS resolver configuration has been changed.") . "<br />" . gettext("The changes must be applied for them to take effect."));
161
}
162

  
163
$tab_array = array();
164
$tab_array[] = array(gettext("General Settings"), false, "services_unbound.php");
165
$tab_array[] = array(gettext("Security and Privacy"), true, "services_unbound_security.php");
166
$tab_array[] = array(gettext("Advanced Settings"), false, "services_unbound_advanced.php");
167
$tab_array[] = array(gettext("Access Lists"), false, "/services_unbound_acls.php");
168
display_top_tabs($tab_array, true);
169

  
170
$form = new Form();
171

  
172
$section = new Form_Section('Resolver Security and Privacy Options');
173

  
174
$section->addInput(new Form_Checkbox(
175
       'hideidentity',
176
       'Hide Identity',
177
       'id.server and hostname.bind queries are refused',
178
       $pconfig['hideidentity']
179
));
180

  
181
$section->addInput(new Form_Checkbox(
182
       'hideversion',
183
       'Hide Version',
184
       'version.server and version.bind queries are refused',
185
       $pconfig['hideversion']
186
));
187

  
188
if (!isset($pconfig['dnssec']) || !$pconfig['dnssec']) {
189
       $lev = 0;
190
} elseif (!isset($pconfig['dnssecstripped']) || !$pconfig['dnssecstripped']) {
191
       $lev = 1;
192
} else {
193
       $lev=2;
194
}
195
$section->addInput(new Form_Select(
196
       'dnssec_level',
197
       'DNSSEC enable and hardening',
198
       $lev,
199
       array_combine(array_keys($dnssec_opts), array_column($dnssec_opts, 'descrip'))
200
))->setHelp('When DNSSEC is enabled, DNS data will be required in all replies, for trust-anchored zones.<br/>' .
201
       'A zone whose reply omits DNSSEC data will be treated as INSECURE, ' .
202
       'or as BOGUS with hardening selected.');
203

  
204
$section->addInput(new Form_Checkbox(
205
       'use_caps',
206
       'Experimental Bit 0x20 Support',
207
       'Use 0x-20 encoded random bits in the DNS query to foil spoofing attempts.',
208
       $pconfig['use_caps']
209
))->setHelp('See the implementation %1$sdraft dns-0x20%2$s for more information.', '<a href="https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00">', '</a>');
210

  
211

  
212
$section->addInput(new Form_Select(
213
       'QNAME minimization',
214
       'Minimize data sent to DNS servers',
215
       $pconfig['qname'],
216
       $qname_opts
217
))->setHelp('QNAME minimization is a privacy option that reduces the risk that a third party or major DNS servers can track domain queries.%1$s' .
218
       '%2$sDisabled (the default for most devices on the Internet)%3$s -  full query information is sent to DNS servers, for fast and efficient lookup.%4$s' .
219
       '%2$sPreferred%3$s - The resolver attempts to query each DNS server for one level of the domain only. For example, %5$swww.example.com%6$s will ' .
220
       'be resolved by querying a root server for the ".com" domain, then querying the .com name server for "example.com", and finally querying the ' .
221
       '.example.com name server for "www.example.com". The result is that higher level name servers do not see lower level subdomain targets. %5$s' .
222
       'Many DNS servers do not support this feature yet. The resolver will retry with normal lookup on failure.%6$s%4$s' .
223
       '%2$sStrict%3$s - The lookup will fail if QNAME minimization can not be maintained (instead of falling back to usual lookup). ' .
224
       '%2$sWarning: This will cause DNS lookup failure for many sites and domains!%3$s%7$s',
225
       '<ul><li>',
226
       '<b>',
227
       '</b>',
228
       '</li><li>',
229
       '<i>',
230
       '</i>',
231
       '</li></ul>'
232
);
233

  
234
$section->addInput(new Form_Checkbox(
235
       'tls_upstream',
236
       'Use TLS for upstream queries',
237
       '',
238
       $pconfig['tls_upstream']
239
))->setHelp('Wrap outgoing DNS queries within TLS encryption. This provides good security for the query and reply %1$sbetween this platform ' .
240
       'and the DNS server%2$s, but does not protect against a malicious user or logging with access to the DNS server or the local network.<br/>' .
241
       '%1$sWarning: not all servers can accept TLS. If a remote DNS server can not accept TLS, then the DNS query will fail.%2$s',
242
       '<b>',
243
       '</b>'
244
);
245

  
246
$form->add($section);
247
print($form);
248

  
249
include("foot.inc");
......
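Review bot: `$dnsopts` on lines 121-122 of the new file is never defined — the option table is declared as `$dnssec_opts` on line 33 — so every save stores `null` into `$config['unbound']['dnssec']` and unsets `dnssecstripped`, silently disabling DNSSEC validation whatever level was chosen; both lookups should read `$dnssec_opts[$_POST['dnssec_level']]['dnssec_value']` / `['dnssecstripped_value']`. The QNAME setting does not round-trip either: line 132 writes `$config['qname']` while line 80 (and `$unboundcfg['qname']` in unbound.inc) reads `$config['unbound']['qname']`, and the select on line 213 is named `'QNAME minimization'` while the handler validates `$_POST['qname']` on line 106, so the posted value never reaches the validation; use `$config['unbound']['qname'] = $_POST['qname'];` and name the field `'qname'`. Line 69 tests `$a_unboundcfg['dnssec']`, a variable this file never sets (everything else here uses `$config['unbound']`), so the level selector always reloads at 0; it should be `isset($config['unbound']['dnssec'])`. Line 80 should also guard with `isset($config['unbound']['qname'])` before `array_key_exists` to avoid a notice on existing configs.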
0
-- /etc/inc/unbound.inc    2018-03-19 11:27:44.000000000 +0000
250
++ /etc/inc/unbound.inc 2018-04-19 18:03:11.000000000 +0100
251 251
       $prefetch = isset($unboundcfg['prefetch']) ? "yes" : "no";
252 252
       $prefetch_key = isset($unboundcfg['prefetchkey']) ? "yes" : "no";
253 253
       $dns_record_cache = isset($unboundcfg['dnsrecordcache']) ? "yes" : "no";
254
       // only disallow TCP if option set to UDP and vice-versa
255
       $do_udp = ($unboundcfg['proto'] == 'tcp') ? "no" : "yes";
256
       $do_tcp = ($unboundcfg['proto'] == 'udp') ? "no" : "yes";
254 257
       $outgoing_num_tcp = isset($unboundcfg['outgoing_num_tcp']) ? $unboundcfg['outgoing_num_tcp'] : "10";
255 258
       $incoming_num_tcp = isset($unboundcfg['incoming_num_tcp']) ? $unboundcfg['incoming_num_tcp'] : "10";
256 259
       $edns_buffer_size = (!empty($unboundcfg['edns_buffer_size'])) ? $unboundcfg['edns_buffer_size'] : "4096";
......
267 270
       $msg_cache_size = (!empty($unboundcfg['msgcachesize'])) ? $unboundcfg['msgcachesize'] : "4";
268 271
       $verbosity = isset($unboundcfg['log_verbosity']) ? $unboundcfg['log_verbosity'] : 1;
269 272
       $use_caps = isset($unboundcfg['use_caps']) ? "yes" : "no";
273
       $tls_upstream = isset($unboundcfg['tls_upstream']) ? "yes" : "no";
274
    $qname_minimisation = ($unboundcfg['qname'] == 'preferred' || $unboundcfg['qname'] == 'strict')  ? "yes" : "no";
275
       $qname_minimisation_strict = ($unboundcfg['qname'] == 'strict')  ? "yes" : "no";
270 276
       if (isset($unboundcfg['regovpnclients'])) {
271 277
               $openvpn_clients_conf .=<<<EOD
......
339 345
harden-glue: yes
340 346
do-ip4: yes
341 347
do-ip6: {$ipv6_allow}
342
do-udp: yes
343
do-tcp: yes
348
do-udp: {$do_udp}
349
do-tcp: {$do_tcp}
344 350
do-daemonize: yes
345 351
module-config: "{$module_config}"
346 352
unwanted-reply-threshold: {$unwanted_reply_threshold}
......
368 374
prefetch: {$prefetch}
369 375
prefetch-key: {$prefetch_key}
370 376
use-caps-for-id: {$use_caps}
377
qname-minimisation: {$qname_minimisation}
378
qname-minimisation-strict: {$qname_minimisation_strict}
379
### UPSTREAM BUG: FIXME: for some reason "tls-upstream" isn't accepted, but the equivalent "ssl-upstream" is fine. So use that instead!
380
ssl-upstream: {$tls_upstream}
381

  
382

  
371 383
serve-expired: {$dns_record_cache}
372 384
# Statistics
373 385
{$statistics}
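Review bot: `ssl-upstream: {$tls_upstream}` on line 380 turns on TLS transport to upstream servers without any certificate authentication, and the comment above it mislabels the missing `tls-upstream` keyword as an upstream bug — `tls-upstream` is an alias introduced in later Unbound releases, so the comment would be clearer as `# tls-upstream is a newer alias; ssl-upstream is accepted by all releases`. Without a CA bundle the session is encrypted but the peer is unverified, so the security page's help text ("good security … between this platform and the DNS server") overstates what this gives; if the shipped Unbound release supports it, consider emitting `tls-cert-bundle` and an authenticated forwarder name, otherwise the help text should say "encrypted but not authenticated". `ssl-upstream` also applies to every outgoing query, so enabling it without forwarding mode will likely break iterative resolution; the generator or the security page should require forwarding mode for it. Line 274 is indented with spaces where the surrounding lines use tabs, and lines 255-256 and 274-275 read `$unboundcfg['proto']` / `['qname']` without `isset`, raising notices on configs saved before this patch. The enclosing function starts and ends outside the hunks.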