* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 233141c6c9983b39a2d385f781e0d787b8f315de
@ 2020-03-04 21:49 Arne Fitzenreiter
From: Arne Fitzenreiter @ 2020-03-04 21:49 UTC
To: ipfire-scm
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 233141c6c9983b39a2d385f781e0d787b8f315de (commit)
via 9700617aeb4051f845e3f261da2829201a2b6fe9 (commit)
via 0f0f3ae7dc5da502c1aaf4bb295778d7657a0af5 (commit)
via e737776db5edaca90a22c7aaeb11e8fbb7c0d9fa (commit)
via 80bed5817d176e728cca6077dcefa7821f5c16ef (commit)
from 0bdb63924b13d4e47db7cd03c6714cdfdd9280a9 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 233141c6c9983b39a2d385f781e0d787b8f315de
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Wed Mar 4 21:49:05 2020 +0000
core142: add unbound.conf to updater
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit 9700617aeb4051f845e3f261da2829201a2b6fe9
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Mar 4 21:11:53 2020 +0000
unbound: Disable using mixed case for DNS queries
This seems to cause that some resolvers do not respond
to queries any more until unbound falls back.
To ensure better DNS performance, we disabled this.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit 0f0f3ae7dc5da502c1aaf4bb295778d7657a0af5
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Mar 4 21:11:52 2020 +0000
unbound: Only launch one process
When unbound is running multiple threads, we have observed
that queries were sent for each thread.
Since no user should have so much DNS traffic that more than
one processor core is being saturated, this is a safe change.
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit e737776db5edaca90a22c7aaeb11e8fbb7c0d9fa
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Mon Jan 20 19:36:00 2020 +0000
unbound.conf: Do not set defaults explicitly
In order to keep configuration files small and easy to review/audit,
omitting defaults makes more sense than configuring them explicitly (have
changed my mind here).
Unbound comes with a good default configuration, and we should only make
changes when they are necessary. In addition, this patch updates the
documentation's URL to the current one.
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Cc: Michael Tremer <michael.tremer(a)ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit 80bed5817d176e728cca6077dcefa7821f5c16ef
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Wed Mar 4 21:38:24 2020 +0000
dns.cgi: restart suricata before unbound reload
if unbound is reloaded it starts a bunch of dns queries
so suricata needs to know which servers should be used.
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/rootfiles/core/142/filelists/files | 1 +
config/unbound/unbound.conf | 23 ++---------------------
html/cgi-bin/dns.cgi | 5 ++---
src/initscripts/system/unbound | 19 -------------------
4 files changed, 5 insertions(+), 43 deletions(-)
Difference in files:
diff --git a/config/rootfiles/core/142/filelists/files b/config/rootfiles/core/142/filelists/files
index 0ac4861cd..11daea4b5 100644
--- a/config/rootfiles/core/142/filelists/files
+++ b/config/rootfiles/core/142/filelists/files
@@ -2,6 +2,7 @@ etc/system-release
etc/issue
srv/web/ipfire/cgi-bin/credits.cgi
var/ipfire/langs
+etc/unbound/unbound.conf
etc/rc.d/helper/aws-setup
etc/rc.d/helper/azure-setup
etc/rc.d/init.d/unbound
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 24822ee67..3aab6ea46 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -2,7 +2,7 @@
# Unbound configuration file for IPFire
#
# The full documentation is available at:
-# https://www.unbound.net/documentation/unbound.conf.html
+# https://nlnetlabs.nl/documentation/unbound/unbound.conf/
#
server:
@@ -10,26 +10,17 @@ server:
chroot: ""
directory: "/etc/unbound"
username: "nobody"
- port: 53
- do-ip4: yes
do-ip6: no
- do-udp: yes
- do-tcp: yes
- so-reuseport: yes
- do-not-query-localhost: yes
# System Tuning
include: "/etc/unbound/tuning.conf"
# Logging Options
- verbosity: 1
use-syslog: yes
log-time-ascii: yes
- log-queries: no
# Unbound Statistics
statistics-interval: 86400
- statistics-cumulative: yes
extended-statistics: yes
# Prefetching
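Review bot: Dropping `statistics-cumulative: yes` in the Unbound Statistics block is not a no-op like the other deletions in this hunk. Unbound's documented default for that option is no, so with `statistics-interval: 86400` kept, the counters are cleared after each daily log line instead of accumulating since start. Either keep the line or state the change in the commit message, which currently says only defaults are being dropped. The other removed values should also be checked against the defaults of the unbound version shipped with this core update, since defaults differ between releases.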
@@ -42,26 +33,16 @@ server:
# Privacy Options
hide-identity: yes
hide-version: yes
- qname-minimisation: yes
- minimal-responses: yes
# DNSSEC
auto-trust-anchor-file: "/var/lib/unbound/root.key"
- val-permissive-mode: no
- val-clean-additional: yes
val-log-level: 1
+ log-servfail: yes
# Hardening Options
- harden-glue: yes
- harden-short-bufsize: no
harden-large-queries: yes
- harden-dnssec-stripped: yes
- harden-below-nxdomain: yes
harden-referral-path: yes
- harden-algo-downgrade: no
- use-caps-for-id: yes
aggressive-nsec: yes
- qname-minimisation: yes
# TLS
tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
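Review bot: Two lines in this hunk change behaviour rather than remove a default, and neither is explained in the file. `use-caps-for-id: yes` disappears from Hardening Options silently, although a separate commit in this push describes disabling mixed-case queries as a deliberate decision because some resolvers stopped responding. A short comment in the hardening block, or an explicit `use-caps-for-id: no`, would keep a later audit from reading the missing option as an oversight. The added `log-servfail: yes` is not mentioned in any of the commit messages in this push.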
diff --git a/html/cgi-bin/dns.cgi b/html/cgi-bin/dns.cgi
index 09fd50206..676d95f8a 100755
--- a/html/cgi-bin/dns.cgi
+++ b/html/cgi-bin/dns.cgi
@@ -815,9 +815,6 @@ END
# Private function to handle the restart of unbound and more.
sub _handle_unbound_and_more () {
- # Restart unbound
- system('/usr/local/bin/unboundctrl reload >/dev/null');
-
# Check if the IDS is running.
if(&IDS::ids_is_running()) {
# Re-generate the file which contains the DNS Server
@@ -827,6 +824,8 @@ sub _handle_unbound_and_more () {
# Call suricatactrl to perform a reload.
&IDS::call_suricatactrl("restart");
}
+ # Restart unbound
+ system('/usr/local/bin/unboundctrl reload >/dev/null');
}
# Check if the system is online (RED is connected).
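Review bot: Moving the reload below the IDS block only gives the ordering the commit message asks for if `&IDS::call_suricatactrl("restart")` returns after Suricata has loaded the regenerated DNS server file. If it returns as soon as the restart is triggered, unbound can still send its queries first, so this is worth confirming or stating as an assumption in a comment. The relocated comment also says "Restart unbound" while the command runs `unboundctrl reload`, and the exit status of `system()` is discarded, so a failed reload goes unnoticed by the CGI.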
diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
index c845c436f..1cf26ec0e 100644
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -191,15 +191,6 @@ write_forward_conf() {
write_tuning_conf() {
# https://www.unbound.net/documentation/howto_optimise.html
- # Determine number of online processors
- local processors=$(getconf _NPROCESSORS_ONLN)
-
- # Determine number of slabs
- local slabs=1
- while [ ${slabs} -lt ${processors} ]; do
- slabs=$(( ${slabs} * 2 ))
- done
-
# Determine amount of system memory
local mem=$(get_memory_amount)
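Review bot: The context line at the top of `write_tuning_conf()` still points to `https://www.unbound.net/documentation/howto_optimise.html`, while the unbound.conf change in this same push replaces the unbound.net documentation link with the nlnetlabs.nl one. Update this URL as well. With `processors` and `slabs` removed here, also check that nothing further down in the function still reads either variable.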
@@ -234,16 +225,6 @@ write_tuning_conf() {
(
config_header
- # We run one thread per processor
- echo "num-threads: ${processors}"
- echo "so-reuseport: yes"
-
- # Adjust number of slabs
- echo "infra-cache-slabs: ${slabs}"
- echo "key-cache-slabs: ${slabs}"
- echo "msg-cache-slabs: ${slabs}"
- echo "rrset-cache-slabs: ${slabs}"
-
# Slice up the cache
echo "rrset-cache-size: $(( ${mem} / 2 ))m"
echo "msg-cache-size: $(( ${mem} / 4 ))m"
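Review bot: After this hunk the generated tuning.conf no longer sets `num-threads` or any of the `*-cache-slabs` values, so the single-thread behaviour named in the commit subject depends entirely on unbound's built-in defaults. Leave a comment where the block was, or write `num-threads: 1` explicitly, so the intent is visible to anyone reading the initscript or the generated file. The commit message also does not say why one query per thread was a problem, which a later reader would need in order to judge whether the change can be reverted.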
hooks/post-receive
--
IPFire 2.x development tree