README for Unbound 1.22.0
Copyright 2007 NLnet Labs
http://unbound.net

This software is under BSD license, see LICENSE for details.
The DNS64 module has BSD license in dns64/dns64.c.
The DNSTAP code has BSD license in dnstap/dnstap.c.

* Download the latest release version of this software from
  	http://unbound.net
  or get a beta version from the svn repository at
  	http://unbound.net/svn/

* Uses the following libraries;
  * libevent	http://www.monkey.org/~provos/libevent/		(BSD license)
    (optional) can use builtin alternative instead.
  * libexpat	(for the unbound-anchor helper program)		(MIT license)

* Make and install: ./configure; make; make install
  * --with-libevent=/path/to/libevent
  	Can be set to either the system install or the build directory.
	--with-libevent=no gives a builtin alternative implementation.
	Libevent is enabled by default, it is useful when having many
	(thousands) of outgoing ports. This improves randomization and spoof
	resistance. It also allows a higher number of outgoing queries.
  * --with-libexpat=/path/to/libexpat
  	Can be set to the install directory of libexpat.
  * --without-pthreads
	This disables pthreads. Without this option the pthreads library
	is detected automatically. Use this option to disable threading
	altogether, or, on Solaris, also use --with(out)-solaris-threads.
  * --enable-checking
  	This enables assertions in the code that guard against a variety of
	programming errors, among which buffer overflows.  The program exits
	with an error if an assertion fails (but the buffer did not overflow).
  * --enable-static-exe
	This enables a debug option to statically link against the
	libevent library.
  * --enable-lock-checks
  	This enables a debug option to check lock and unlock calls. It needs
	a recent pthreads library to work.
  * --enable-alloc-checks
	This enables a debug option to check malloc (calloc, realloc, free).
	The server periodically checks if the amount of memory used fits with
	the amount of memory it thinks it should be using, and reports
	memory usage in detail.
  * --with-conf-file=filename
  	Set default location of config file,
	the default is /usr/local/etc/unbound/unbound.conf.
  * --with-pidfile=filename
  	Set default location of pidfile,
	the default is /usr/local/etc/unbound/unbound.pid.
  * --with-run-dir=path
  	Set default working directory,
	the default is /usr/local/etc/unbound.
  * --with-chroot-dir=path
  	Set default chroot directory,
	the default is /usr/local/etc/unbound.
  * --with-rootkey-file=path
  	Set the default root.key path.  This file is read and written.
	the default is /usr/local/etc/unbound/root.key
  * --with-rootcert-file=path
  	Set the default root update certificate path.  A builtin certificate
	is used if this file is empty or does not exist.
	the default is /usr/local/etc/unbound/icannbundle.pem
  * --with-username=user
  	Set default user name to change to,
	the default is the "unbound" user.
  * --with-pyunbound
  	Create libunbound wrapper usable from python.
	Needs python-devel and swig development tools.
  * --with-pythonmodule
  	Compile the python module that processes responses in the server.
  * --disable-sha2
  	Disable support for RSASHA256 and RSASHA512 crypto.
  * --disable-gost
  	Disable support for GOST crypto, RFC 5933.
  * --enable-subnet
  	Enable EDNS client subnet processing.

* 'make test' runs a series of self checks.

Known issues
------------
o If there are no replies for a forward or stub zone, for a reverse zone,
  you may need to add a local-zone: name transparent or nodefault to the
  server: section of the config file to unblock the reverse zone.
  Only happens for (sub)zones that are blocked by default; e.g. 10.in-addr.arpa
o If libevent is older (before 1.3c), unbound will exit instead of reload
  on sighup. On a restart 'did not exit gracefully last time' warning is
  printed. Perform ./configure --with-libevent=no or update libevent, rerun
  configure and recompile unbound to make sighup work correctly.
  It is strongly suggested to use a recent version of libevent.
o If you are not receiving the correct source IP address on replies (e.g.
  you are running a multihomed, anycast server), the interface-automatic
  option can be enabled to set socket options to achieve the correct
  source IP address on UDP replies. Listing all IP addresses explicitly in
  the config file is an alternative. The interface-automatic option uses
  non portable socket options, Linux and FreeBSD should work fine.
o The warning 'openssl has no entropy, seeding with time', with chroot
  enabled, may be solved with a symbolic link to /dev/urandom from <chrootdir>.
o On Solaris 5.10 some libtool packages from repositories do not work with
  gcc, showing errors gcc: unrecognized option `-KPIC'
  To solve this do ./configure libtool=./libtool [your options...].
  On Solaris you may pass CFLAGS="-xO4 -xtarget=generic" if you use sun-cc.
o If unbound-control (or munin graphs) do not work, this can often be because
  the unbound-control-setup script creates the keys with restricted
  permissions, and the files need to be made readable or ownered by both the
  unbound daemon and unbound-control.
o Crosscompile seems to hang.  You tried to install unbound under wine.
  wine regedit and remove all the unbound entries from the registry or
  delete .wine/drive_c.

Acknowledgements
----------------
o Unbound was written in portable C by Wouter Wijngaards (NLnet Labs).
o Thanks to David Blacka and Matt Larson (Verisign) for the unbound-java
  prototype. Design and code from that prototype has been used to create
  this program. Such as the iterator state machine and the cache design.
o Other code origins are from the NSD (NLnet Labs) and LDNS (NLnet Labs)
  projects. Such as buffer, region-allocator and red-black tree code.
o See Credits file for contributors.


Your Support
------------
NLnet Labs offers all of its software products as open source, most are
published under a BSD license. You can download them, not only from the
NLnet Labs website but also through the various OS distributions for
which NSD, ldns, and Unbound are packaged. We therefore have little idea
who uses our software in production environments and have no direct ties
with 'our customers'.

Therefore, we ask you to contact us at users@NLnetLabs.nl and tell us
whether you use one of our products in your production environment,
what that environment looks like, and maybe even share some praise.
We would like to refer to the fact that your organization is using our
products. We will only do that if you explicitly allow us. In all other
cases we will keep the information you share with us to ourselves.

In addition to the moral support you can also support us
financially. NLnet Labs is a recognized not-for-profit charity foundation
that is chartered to develop open-source software and open-standards
for the Internet. If you use our software to satisfaction please express
that by giving us a donation. For small donations PayPal can be used. For
larger and regular donations please contact us at users@NLnetLabs.nl. Also
see http://www.nlnetlabs.nl/labs/contributors/.


* mailto:unbound-bugs@nlnetlabs.nl

The DNS64 code was written by Viagenie, 2009, by Simon Perrault as part
of the Ecdysis project.  The code is copyright by them, and has the BSD
license (see the dns64/dns64.c file).

To enable DNS64 functionality in Unbound, two directives in unbound.conf must
be edited:

1. The "module-config" directive must start with "dns64". For example:

    module-config: "dns64 validator iterator"

If you're not using DNSSEC then you may remove "validator".

2. The "dns64-prefix" directive indicates your DNS64 prefix. For example:

    dns64-prefix: 64:FF9B::/96

The prefix must be a /96 or shorter.

To test that things are working right, perform a query against Unbound for a
domain name for which no AAAA record exists. You should see a AAAA record in
the answer section. The corresponding IPv6 address will be inside the DNS64
prefix. For example:

    $ unbound -c unbound.conf
    $ dig @localhost jazz-v4.viagenie.ca aaaa
    [...]
    ;; ANSWER SECTION:
    jazz-v4.viagenie.ca.        86400   IN      AAAA    64:ff9b::ce7b:1f02


NAT64 support was added by David Lamparter in 2022; license(s) of the
surrounding code apply.  Note that NAT64 is closely related but functionally
orthogonal to DNS64;  it allows Unbound to send outgoing queries to IPv4-only
servers over IPv6 through the configured NAT64 prefix.  This allows running
an Unbound instance on an IPv6-only host without breaking every single domain
that only has IPv4 servers.  Whether that Unbound instance also does DNS64 is
an independent choice.

To enable NAT64 in Unbound, add to unbound.conf's "server" section:

    do-nat64: yes

The NAT64 prefix defaults to the DNS64 prefix, which in turn defaults to the
standard 64:FF9B::/96 prefix.  You can reconfigure it with:

    nat64-prefix: 64:FF9B::/96

To test NAT64 operation, pick a domain that only has IPv4 reachability for its
nameservers and try resolving any names in that domain.

## Created a module to support the ipset that could add the domain's ip to a list easily.

### Purposes:
* In my case, I can't access the facebook, twitter, youtube and thousands web site for some reason. VPN is a solution. But the internet too slow whether all traffics pass through the vpn.
So, I set up a transparent proxy to proxy the traffic which has been blocked only.
At the final step, I need to install a dns service which would work with ipset well to launch the system.
I did some research for this. Unfortunately, Unbound, My favorite dns service doesn't support ipset yet. So, I decided to implement it by my self and contribute the patch. It's good for me and the community.
```
# unbound.conf
server:
  ...
  local-zone: "facebook.com" ipset
  local-zone: "twitter.com" ipset
  local-zone: "instagram.com" ipset
  more social website

ipset:
  name-v4: "gfwlist"
```
```
# iptables
iptables -A PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800
iptables -A OUTPUT -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800
```

* This patch could work with iptables rules to batch block the IPs.
```
# unbound.conf
server:
  ...
  local-zone: "facebook.com" ipset
  local-zone: "twitter.com" ipset
  local-zone: "instagram.com" ipset
  more social website

ipset:
  name-v4: "blacklist"
  name-v6: "blacklist6"
```
```
# iptables
iptables -A INPUT -m set --set blacklist src -j DROP
ip6tables -A INPUT -m set --set blacklist6 src -j DROP
```

### Notes:
* To enable this module the root privileges is required.
* Please create a set with ipset command first. eg. **ipset -N blacklist iphash**

### How to use:
```
./configure --enable-ipset
make && make install
```

### Configuration:
```
# unbound.conf
server:
  ...
  local-zone: "example.com" ipset

ipset:
  name-v4: "blacklist"
```

README.svn

For a svn checkout:
* configure script, aclocal.m4, as well as yacc/lex output files are
  committed to the repository.
* use --enable-debug flag for configure to enable dependency tracking and
  assertions, otherwise, use make clean; make after svn update.

* Note changes in the Changelog.
* Every check-in a postcommit hook is run
	(the postcommit hook is in the svn/unbound/hooks directory).
	* generates commit email with your changes and comment.
	* compiles and runs the tests (with testcode/do-tests.sh).
	* If build errors or test errors happen
		* Please fix your errors and commit again.

* Use gnu make to compile, make or 'gmake'.

README unbound tests

For a quick test that runs unit tests and state machine tests, use
	make test

There is a long test setup for unbound that needs tools installed. Use
	make longtest
To make and run the long tests. The results are summarized at the end.

You need to have the following programs installed and in your PATH.
* dig - from the bind-tools package. Used to send DNS queries.
* splint (optional) - for lint test
* doxygen (optional) - for doc completeness test
* ldns-testns - from ldns examples. Used as DNS auth server.
* xxd and nc (optional) - for (malformed) packet transmission.
The optional programs are detected and can be omitted.

You can also use prepared Dockerfile to run tests inside docker based on latest gcc image:
* build container: docker build -t unbound-tester -f contrib/Dockerfile.tests .
* run container: docker run -it --mount type=bind,source="$(pwd)",target=/usr/src/unbound --rm unbound-tester
* configure environment: ./configure
* run test: make test
* run long tests: make longtest
It is worth to mention that you need to enable [ipv6 in your docker daemon configuration](https://docs.docker.com/config/daemon/ipv6/) because some tests need ipv6 network stack.

testdata/ contains the data for tests.
testcode/ contains scripts and c code for the tests.

do-tests.sh : runs all the tests in the testdata directory.
testbed.sh : compiles on a set of (user specific) hosts and runs do-tests.

Tests are run using testcode/mini_tpkg.sh.