OpenVPN/IPsec IPv6 prefix in DNS Resolver access list. Issue #10460
Aggressive NSEC option. Issue #10449
Merge pull request #4203 from vktg/edns1232
EDNS buffer size configuration. Issue #10293
DNS64 support. Issue #10274
Update SSL refs to SSL/TLS. Fixes #10172
This is 2020. Issue #9245
Add 127.0.0.0/8 to Unbound private-address list. Fixes #9708
Merge pull request #4029 from BBcan177/patch-1
Fix copyright message years to reflect BSDP -> ESF -> Netgate
Rewrite unbound remotecontrol.conf when it is empty. Fixes #9470
Comment out all pfSense_fsync() calls until it's properly fixed
Add back DNS over TLS host verification code. Fixes #8602
Requires Unbound 1.9.0_1 from pfsense/freebsd-ports, which fixes a bug in Unbound 1.9.0 which did not fully implement OpenSSL 1.0.2 host validation support. See https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4206#c5
Update unbound.inc
Update copyright notices to 2019. Happy New Year
Add IPv6 version of IPv4 private nets to DNS Rebinding list. Fixes #8750
PHP7 syntax fix
Revert "Add fields for DNS server hostnames for TLS verification. Implements #8602"
Per https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658 the verification requires OpenSSL 1.1.x, and FreeBSD 11.2 base OpenSSL is 1.0.x.
This reverts commit ad08a8242ca45907e0486712d218a5f8f34c7332.
Fix #8646
Add fields for DNS server hostnames for TLS verification. Implements #8602
Add GUI controls to the DNS Resolver for providing DNS over TLS service to local clients. Implements #8030
Do not remove unbound testing config when it fails to make it easier to debug
Add a TLS option for DNS Resolver Domain Overrides. Implements #8431
Add query name minimization options to DNS Resolver. Implements #8028
Add GUI option for DNS over TLS. Implements #8388
Update the Copyright notice for pfSense.
Add isset, other vars seem to use it
Doesn't seem to have a point though :)
typo
Unbound: Disable IPv6 outgoing queries if IPv6 blocked in firewall, as they can never go anywhere
If IPv6 is disallowed in system->advanced->network, then any IPv6 lookups by Unbound will always be blocked, so there's no point sending them.
The practical purpose is that they also clog up the log and may fractionally slow down the resolver because the resolver then has to deal with IPv6 not replying, fallback lookups, etc....
Merge pull request #3183 from znerol/feature/master/register-openvpn-cn
Merge pull request #3826 from doktornotor/patch-5
Unbound Serve expired
Serve expired – Records stay in cache after TTL expires, with a TTL value of 0, if a new lookup is requested the cached record will be served for maximum performance, but at the same time the resolver will ask for a new value from upstream to refresh the value and TTL.
Unbound - allow snoop from localhost
dig +trace fails without this, which is super annoying for debugging/diagnostics/benchmarking or whatever similar purposes. Allowing both recursive and non-recursive queries should be of no security concern as long as it's localhost-only.
Fix typo
Restructure how unbound zone data is written to fix processing of "redirect" zone entries. Fixes #7690. Also corrects some other misc issues for formatting of zone data. While here, add an option, not exposed in the GUI, for users to get the previous behavior of defining short names for hosts.
unbound-control needs to know the config path or else it can't work properly. Fixes #7667
Only add include section to unbound config when regovpnclients config option is enabled
Register CN of OpenVPN clients in DNS Resolver
Make the changes suggested by jim-p and changed the way the disable function works to ensure the manually added host entries or DHCP reservations still work.
Unbound: Added ability to disable automatically added host entries
Fix #6712
Use system_hosts_entries to generate unbound host_entries.conf
Ticket #6712: Deprecate read_hosts()
Read local items from system_hosts_local_entries()
Fix #3560 correctly handle disabled static routes
1) util.inc - add parameter to get_staticroutes() so the caller can choose to see all static routes or only the ones that are currently enabled. 2) filter.inc - just process enabled static routes when making direct...
Unbound - add support for "deny_non_local" and "refuse_non_local" ACLs (Feature #6914)
Move copyright from ESF to Netgate
Move to Apache License 2.0
Review license / copyright on all files (final round)
Review license / copyright on all files (1st round)
Omit non-qualified hostnames from unbound's local-data. Ticket #6064
Switch domain overrides from stub-zone to forward-zone. Ticket #6065
Fix unbound.inc so zero value for *_num_tcp is honored
In the Unbound documentation, it is noted that setting "outgoing-num-tcp" to "0" disables TCP queries. In testing I noticed that although I could select & save a value of "0" in the Unbound Advanced Config, the actual value written to /var/unbound/unbound.conf was still the default "10". Apparently in PHP, a value of "0" still tests "false" for !empty(). Changing the test to isset() seems to fix the issue.
Don't include 127.0.0.0/8 in unbound.conf in forward mode. Ticket #5750
Remove unnecessary checks. Code prevents var from being empty.
Wrap var in string with braces.
Move unbound local zone types array to function in unbound.inc.
Protect against breaking the system; check for valid unbound local zone type rather than just the setting existence.
Update license on files from /etc/inc
Fix #5767 config validation errors when first enabling DNS Resolver
Generate a complete set of test conf files in /var/unbound/test subdir when doing the validation of the tentative config that is being saved. This avoids any dependency on any of the "real" files already existing in /var/unbound and also avoids the chance of overwriting a live file that is currently in use by the running unbound....
Remove all pfSense_MODULE and pfSense_BUILDER_BINARIES definitions, whatever was the reason they were added, it was never finished and it's not being used
Services - DNS Resolver - System Domain Local Zone Type Option
Expose system domain unbound local-zone type to be configurable.
It is not necessary to omit link-local for unbound. Ticket #4021
Now that the issue in 4062 is fixed, no need to omit link local here. Ticket #4021
Bind to IP aliases correctly in Unbound. Ticket #5464
unbound_statistics section should be written to unbound.conf
The stuff generated by unbound_statistics() goes into unbound.conf. It had got separated out and was going nowhere. This puts the behavior back the way it was yesterday.
Note: There is a separate issue about this because the UI has no place to actually select the statistics settings. There is some upgrade code that looks like it was converting statistics settings from the old Unbound package into custom commands in the integrated Unbound. So it looks like the unbound_statistics() function can/should be removed???
Add global so that unbound.conf gets written
to the correct place based on $g setting.
Rearrange calls in unbound.inc so config text can be generated without writing the actual file and a syntax check can be run. Rearrange services_unbound.php to wait until input checking is complete before saving things to global config and run syntax check as part of input checking. Implements #4411.
Check unbound root.key file contents, and remove it if invalid, before unbound-anchor runs otherwise it will fail and unbound will fail to start. fsync the file after writing to prevent the problem. Ticket #5334
Move main pfSense content to src/