[Swan-dev] setting libunbound options

Paul Wouters paul at nohats.ca
Wed Jan 30 15:37:32 UTC 2019


On Wed, 30 Jan 2019, Štěpán Brož wrote:

> I was able to make the libunbound configuration working, with the help
> from Wouter, the unbound developer, and Paul. The correct order of
> options is:
>
> ub_ctx_set_option(dns_ctx, "outgoing-port-avoid:", "0-65535");
> ub_ctx_set_option(dns_ctx, "outgoing-port-permit:", "32768-60999");

That's good news.

> I would prefer making this configurable rather than hardcoding it, and
> ideally as part of the ipsec.conf file.

Why is that? I don't think the concept of ephemeral ports is going to
change anytime soon?

> Another, less preferred option from my perspective, might be
> introducing unbound configuration in a dedicated location. This would
> allow more tweaking, but as said earlier, this would require further
> SELinux policy changes.

As soon as we do that though, everyone can add various options to the
unbound style config file which might affect things or have no effect
at all. But I do like the configurability we get. But ultimately, the
only thing we need to do is configure our unbound context to connect to
the host resolver.

We are seeing applications bypass the system dns configuration now (see
the new browser/dns issues with using DNS over TLS/HTTPS to 1.1.1.1 and
8.8.8.8) and I would like to stay out of that. I believe we should use
the system resolver, but we should do our own validation. So most
configurations present in a config file would not apply to us.

So I would favour making these two commands part of the unbound
initialization hardcoded.

But I'm interested in hearing from others,

Paul
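The reason the two options have to be given in that order is that unbound processes outgoing-port-permit and outgoing-port-avoid statements in line order, adding permitted ports to and subtracting avoided ports from the allowed set, starting from the ports above 1024. The following is an added example, not code from libreswan or libunbound: it models that rule with a port bitset so the resulting allowed set can be checked before the options are handed to ub_ctx_set_option(). The starting set is modelled as all ports above 1024 (real unbound additionally removes IANA-assigned ports, which this model omits), option names keep the trailing colon used in the post, and the function names are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NPORTS 65536

/* One bit per UDP source port: set = allowed for outgoing queries. */
struct portset { uint8_t bits[NPORTS / 8]; };

static void set_range(struct portset *ps, int lo, int hi, bool on) {
    for (int p = lo; p <= hi; p++) {
        if (on) ps->bits[p / 8] |= (uint8_t)(1u << (p % 8));
        else    ps->bits[p / 8] &= (uint8_t)~(1u << (p % 8));
    }
}

static bool port_allowed(const struct portset *ps, int p) {
    return (ps->bits[p / 8] >> (p % 8)) & 1;
}

/* Parse "N" or "LO-HI" (no spaces, as unbound.conf expects). 0 on success. */
static int parse_range(const char *val, int *lo, int *hi) {
    char *end;
    long a = strtol(val, &end, 10);
    if (end == val || a < 0 || a > 65535) return -1;
    long b = a;
    if (*end == '-') {
        const char *s = end + 1;
        b = strtol(s, &end, 10);
        if (end == s || b < a || b > 65535) return -1;
    }
    if (*end != '\0') return -1;
    *lo = (int)a;
    *hi = (int)b;
    return 0;
}

/* Modelled starting point: everything above 1024 allowed (IANA-assigned
 * ports, which real unbound also excludes, are not modelled here). */
static void portset_default(struct portset *ps) {
    memset(ps, 0, sizeof *ps);
    set_range(ps, 1024, 65535, true);
}

/* Apply one option the way unbound's config processing does: permit adds,
 * avoid subtracts. Returns -1 on an unknown option or malformed value. */
static int apply_option(struct portset *ps, const char *name, const char *val) {
    int lo, hi;
    if (parse_range(val, &lo, &hi) != 0) return -1;
    if (strcmp(name, "outgoing-port-avoid:") == 0)  { set_range(ps, lo, hi, false); return 0; }
    if (strcmp(name, "outgoing-port-permit:") == 0) { set_range(ps, lo, hi, true);  return 0; }
    return -1;
}

static int count_allowed(const struct portset *ps) {
    int n = 0;
    for (int p = 0; p < NPORTS; p++) n += port_allowed(ps, p);
    return n;
}

struct opt { const char *name; const char *val; };

/* Apply options in the given order; returns the number of allowed ports,
 * or -1 if any option was rejected. */
static int apply_options(const struct opt *opts, size_t n, struct portset *ps) {
    portset_default(ps);
    for (size_t i = 0; i < n; i++)
        if (apply_option(ps, opts[i].name, opts[i].val) != 0) return -1;
    return count_allowed(ps);
}

/* The order from the post: clear everything, then permit the ephemeral range. */
static const struct opt post_order[] = {
    { "outgoing-port-avoid:",  "0-65535" },
    { "outgoing-port-permit:", "32768-60999" },
};

/* The same two options reversed: the avoid wipes out the permit. */
static const struct opt reversed_order[] = {
    { "outgoing-port-permit:", "32768-60999" },
    { "outgoing-port-avoid:",  "0-65535" },
};

static int ephemeral_only_count(void) {
    struct portset ps;
    return apply_options(post_order, 2, &ps);
}

static int reversed_order_count(void) {
    struct portset ps;
    return apply_options(reversed_order, 2, &ps);
}

static bool allowed_after_post_order(int port) {
    struct portset ps;
    apply_options(post_order, 2, &ps);
    return port_allowed(&ps, port);
}

int main(void) {
    printf("post order:     %d ports allowed\n", ephemeral_only_count());
    printf("reversed order: %d ports allowed\n", reversed_order_count());
    return 0;
}
```

With the post's order the allowed set is exactly 32768-60999; with the two calls swapped it is empty, which is the failure mode worth catching before the context is used. In real libunbound, ub_ctx_set_option() returns 0 on success and a nonzero error code otherwise, so each call's return value should be checked rather than assumed.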


More information about the Swan-dev mailing list