unbound: advanced: categorize options and improve header styling

Note that the header styling affects the plugins repo, but does not affect functionality. The original <h2> did not space and center the text correctly, so some more fluff was needed here.
This commit is contained in:
Stephan de Wit 2023-04-05 13:20:08 +02:00
parent 8030df31ca
commit 7ad7a64043
2 changed files with 127 additions and 112 deletions

View File

@ -1,4 +1,8 @@
<form>
<field>
<type>header</type>
<label>General Settings</label>
</field>
<field>
<id>unbound.advanced.hideidentity</id>
<label>Hide Identity</label>
@ -11,16 +15,6 @@
<type>checkbox</type>
<help>If enabled, version.server and version.bind queries are refused.</help>
</field>
<field>
<id>unbound.advanced.prefetch</id>
<label>Prefetch Support</label>
<type>checkbox</type>
<help>
Message cache elements are prefetched before they expire to help keep the cache up to date.
When enabled, this option can cause an increase of around 10% more DNS traffic and load
on the server, but frequently requested items will not expire from the cache.
</help>
</field>
<field>
<id>unbound.advanced.prefetchkey</id>
<label>Prefetch DNS Key Support</label>
@ -39,6 +33,106 @@
If this is disabled and no DNSSEC data is received, then the zone is made insecure.
</help>
</field>
<field>
<id>unbound.advanced.qnameminstrict</id>
<label>Strict QNAME Minimisation</label>
<type>checkbox</type>
<help>
Send minimum amount of information to upstream servers to enhance privacy.
Do not fall-back to sending full QNAME to potentially broken nameservers.
A lot of domains will not be resolvable when this option in enabled.
Only use if you know what you are doing.
</help>
</field>
<field>
<id>unbound.advanced.outgoingnumtcp</id>
<label>Outgoing TCP Buffers</label>
<type>text</type>
<help>
The number of outgoing TCP buffers to allocate per thread.
If 0 is selected then no TCP queries, to authoritative servers, are done.
</help>
</field>
<field>
<id>unbound.advanced.incomingnumtcp</id>
<label>Incoming TCP Buffers</label>
<type>text</type>
<help>
The number of incoming TCP buffers to allocate per thread.
If 0 is selected then no TCP queries, from clients, are accepted.
</help>
</field>
<field>
<id>unbound.advanced.numqueriesperthread</id>
<label>Number of queries per thread</label>
<type>text</type>
<help>
The number of queries that every thread will service simultaneously. If more queries arrive that
need to be serviced, and no queries can be jostled out (see "Jostle Timeout"),
then these queries are dropped. This forces the client to resend after a timeout, allowing the
server time to work on the existing queries.
</help>
</field>
<field>
<id>unbound.advanced.outgoingrange</id>
<label>Outgoing Range</label>
<type>text</type>
<help>
The number of ports to open. This number of file descriptors can be opened per thread. Larger numbers
need extra resources from the operating system. For performance a very large value is best.
For reference, usually double the amount of queries per thread is used.
</help>
</field>
<field>
<id>unbound.advanced.jostletimeout</id>
<label>Jostle Timeout</label>
<type>text</type>
<help>
This timeout is used for when the server is very busy. Set to a value that usually results in one
round-trip to the authority servers. If too many queries arrive, then 50% of the queries are allowed
to run to completion, and the other 50% are replaced with the new incoming query if they have
already spent more than their allowed time. This protects against denial of service by
slow queries or high query rates.
</help>
</field>
<field>
<id>unbound.advanced.privatedomain</id>
<label>Private Domains</label>
<type>select_multiple</type>
<style>tokenize</style>
<allownew>true</allownew>
<help>
List of domains to mark as private. These domains and all its subdomains are allowed to contain
private addresses.
</help>
</field>
<field>
<id>unbound.advanced.privateaddress</id>
<label>Rebind protection networks</label>
<type>select_multiple</type>
<style>tokenize</style>
<allownew>true</allownew>
<help>
These are addresses on your private network, and are not allowed to be returned for public internet names.
Any occurrence of such addresses are removed from DNS answers.
Additionally, the DNSSEC validator may mark the answers bogus.
This protects against so-called DNS Rebinding.
(Only applicable when DNS rebind check is enabled in System->Settings->Administration)
</help>
</field>
<field>
<id>unbound.advanced.insecuredomain</id>
<label>Insecure Domains</label>
<type>select_multiple</type>
<style>tokenize</style>
<allownew>true</allownew>
<help>List of domains to mark as insecure. DNSSEC chain of trust is ignored towards the domain name.</help>
</field>
<field>
<type>header</type>
<label>Serve Expired Settings</label>
</field>
<field>
<id>unbound.advanced.serveexpired</id>
<label>Serve Expired Responses</label>
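Review bot: since these fields are being moved verbatim, this hunk is the place to fix the wording that travels with them: in the Strict QNAME Minimisation help, "when this option in enabled" should read "is enabled" and "Do not fall-back" should be "Do not fall back"; in the Private Domains help, "These domains and all its subdomains" should be "all their subdomains"; in the Rebind protection help, "Any occurrence of such addresses are removed" should be "is removed". Also consider whether Private Domains, Rebind protection networks and Insecure Domains belong under "General Settings": they are the DNS-rebinding and DNSSEC trust controls, and the point of this commit is categorisation, so a dedicated header (for example "Rebind Protection and DNSSEC") between General Settings and Serve Expired Settings would make them easier to find and audit.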
@ -92,15 +186,8 @@
</help>
</field>
<field>
<id>unbound.advanced.qnameminstrict</id>
<label>Strict QNAME Minimisation</label>
<type>checkbox</type>
<help>
Send minimum amount of information to upstream servers to enhance privacy.
Do not fall-back to sending full QNAME to potentially broken nameservers.
A lot of domains will not be resolvable when this option in enabled.
Only use if you know what you are doing.
</help>
<type>header</type>
<label>Logging Settings</label>
</field>
<field>
<id>unbound.advanced.extendedstatistics</id>
@ -185,46 +272,35 @@
</help>
</field>
<field>
<id>unbound.advanced.privatedomain</id>
<label>Private Domains</label>
<type>select_multiple</type>
<style>tokenize</style>
<allownew>true</allownew>
<type>header</type>
<label>Cache Settings</label>
</field>
<field>
<id>unbound.advanced.prefetch</id>
<label>Prefetch Support</label>
<type>checkbox</type>
<help>
List of domains to mark as private. These domains and all its subdomains are allowed to contain
private addresses.
Message cache elements are prefetched before they expire to help keep the cache up to date.
When enabled, this option can cause an increase of around 10% more DNS traffic and load
on the server, but frequently requested items will not expire from the cache.
</help>
</field>
<field>
<id>unbound.advanced.privateaddress</id>
<label>Rebind protection networks</label>
<type>select_multiple</type>
<style>tokenize</style>
<allownew>true</allownew>
<id>unbound.advanced.unwantedreplythreshold</id>
<label>Unwanted Reply Threshold</label>
<type>text</type>
<help>
These are addresses on your private network, and are not allowed to be returned for public internet names.
Any occurrence of such addresses are removed from DNS answers.
Additionally, the DNSSEC validator may mark the answers bogus.
This protects against so-called DNS Rebinding.
(Only applicable when DNS rebind check is enabled in System->Settings->Administration)
If enabled, a total number of unwanted replies is kept track of in every thread.
When it reaches the threshold, a defensive action is taken and a warning is printed to the log file.
This defensive action is to clear the RRSet and message caches, hopefully flushing away any poison.
</help>
</field>
<field>
<id>unbound.advanced.insecuredomain</id>
<label>Insecure Domains</label>
<type>select_multiple</type>
<style>tokenize</style>
<allownew>true</allownew>
<help>List of domains to mark as insecure. DNSSEC chain of trust is ignored towards the domain name.</help>
</field>
<field>
<id>unbound.advanced.msgcachesize</id>
<label>Message Cache Size</label>
<type>text</type>
<help>
Size of the message cache. The message cache stores DNS rcodes and validation statuses.
The RRSet cache will automatically be set to twice this amount. The RRSet cache contains the actual RR data.
Valid input is plain bytes, optionally appended with 'k', 'm', or 'g' for kilobytes, megabytes
or gigabytes respectively.
</help>
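Review bot: the Unwanted Reply Threshold help still opens with "If enabled", but the field is a numeric text input; Unbound's unwanted-reply-threshold is disabled at its default of 0 and only starts counting when set above that, and the unbound.conf documentation suggests a value of 10 million. Suggest rewording to "If set to a value above 0, a total number of unwanted replies is kept track of in every thread ..." so an operator knows that leaving it empty or at 0 means no cache-poisoning defence is active. Grouping it under Cache Settings next to Message Cache Size is sensible, since the defensive action is a cache flush.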
@ -238,57 +314,6 @@
with 'k', 'm', or 'g' for kilobytes, megabytes or gigabytes respectively.
</help>
</field>
<field>
<id>unbound.advanced.outgoingnumtcp</id>
<label>Outgoing TCP Buffers</label>
<type>text</type>
<help>
The number of outgoing TCP buffers to allocate per thread.
If 0 is selected then no TCP queries, to authoritative servers, are done.
</help>
</field>
<field>
<id>unbound.advanced.incomingnumtcp</id>
<label>Incoming TCP Buffers</label>
<type>text</type>
<help>
The number of incoming TCP buffers to allocate per thread.
If 0 is selected then no TCP queries, from clients, are accepted.
</help>
</field>
<field>
<id>unbound.advanced.numqueriesperthread</id>
<label>Number of queries per thread</label>
<type>text</type>
<help>
The number of queries that every thread will service simultaneously. If more queries arrive that
need to be serviced, and no queries can be jostled out (see "Jostle Timeout"),
then these queries are dropped. This forces the client to resend after a timeout, allowing the
server time to work on the existing queries.
</help>
</field>
<field>
<id>unbound.advanced.outgoingrange</id>
<label>Outgoing Range</label>
<type>text</type>
<help>
The number of ports to open. This number of file descriptors can be opened per thread. Larger numbers
need extra resources from the operating system. For performance a very large value is best.
For reference, usually double the amount of queries per thread is used.
</help>
</field>
<field>
<id>unbound.advanced.jostletimeout</id>
<label>Jostle Timeout</label>
<type>text</type>
<help>
This timeout is used for when the server is very busy. Set to a value that usually results in one
round-trip to the authority servers. If too many queries arrive, then 50% of the queries are allowed
to run to completion, and the other 50% are replaced with the new incoming query if they have
already spent more than their allowed time. This protects against denial of service by
slow queries or high query rates.
</help>
</field>
<field>
<id>unbound.advanced.cachemaxttl</id>
<label>Maximum TTL for RRsets and messages</label>
@ -339,14 +364,4 @@
Number of hosts for which information is cached.
</help>
</field>
<field>
<id>unbound.advanced.unwantedreplythreshold</id>
<label>Unwanted Reply Threshold</label>
<type>text</type>
<help>
If enabled, a total number of unwanted replies is kept track of in every thread.
When it reaches the threshold, a defensive action is taken and a warning is printed to the log file.
This defensive action is to clear the RRSet and message caches, hopefully flushing away any poison.
</help>
</field>
</form>

View File

@ -82,12 +82,12 @@
<col class="col-md-4"/>
<col class="col-md-5"/>
</colgroup>
<thead>
<tr {% if field['advanced']|default(false)=='true' %} data-advanced="true"{% endif %}>
<th colspan="3"><h2>{{field['label']}}</h2></th>
</tr>
</thead>
<tbody>
<tr style="display:none;"></tr>
<tr><td colspan="3"></td></tr>
<tr {% if field['advanced']|default(false)=='true' %} data-advanced="true"{% endif %}>
<td colspan="3"><div style="padding-bottom: 8px; padding-top: 8px; font-size: 17px;"><b>{{field['label']}}</b></div></td>
</tr>
{#- endmacro #}
{% else %}
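Review bot: the two spacer rows added before the header row do not carry the `data-advanced` attribute, while the header `<tr>` still does; when a header field is marked advanced and advanced mode is off, the label is hidden but `<tr><td colspan="3"></td></tr>` still renders, leaving an unexplained blank row in the form. Either apply the same `{% if field['advanced']|default(false)=='true' %} data-advanced="true"{% endif %}` to the spacer rows or fold the spacing into the header row itself. The purpose of `<tr style="display:none;"></tr>` is not obvious from the hunk and deserves a template comment, and the inline `padding-bottom: 8px; padding-top: 8px; font-size: 17px;` would be better expressed as a CSS class so themes can override it rather than carrying hard-coded sizes in the macro.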