From 7ad7a640435a37e26aaab1afc3fd32b5f2cd7c33 Mon Sep 17 00:00:00 2001
From: Stephan de Wit
Date: Wed, 5 Apr 2023 13:20:08 +0200
Subject: [PATCH] unbound: advanced: categorize options and improve header styling

Note that the header styling affects the plugins repo, but does not affect functionality. The original did not space and center the text correctly, so some more fluff was needed here.
---
 .../OPNsense/Unbound/forms/advanced.xml | 229 ++++++++++--------
 .../app/views/layout_partials/base_form.volt | 10 +-
 2 files changed, 127 insertions(+), 112 deletions(-)
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/advanced.xml b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/advanced.xml
index 34f9c1ff9..df9a9efd5 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/advanced.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/advanced.xml
@@ -1,4 +1,8 @@
+ + header + + unbound.advanced.hideidentity @@ -11,16 +15,6 @@ checkbox If enabled, version.server and version.bind queries are refused. - - unbound.advanced.prefetch - - checkbox - - Message cache elements are prefetched before they expire to help keep the cache up to date. - When enabled, this option can cause an increase of around 10% more DNS traffic and load - on the server, but frequently requested items will not expire from the cache. - - unbound.advanced.prefetchkey 
@@ -39,6 +33,106 @@ If this is disabled and no DNSSEC data is received, then the zone is made insecure. + + unbound.advanced.qnameminstrict + + checkbox + + Send minimum amount of information to upstream servers to enhance privacy. + Do not fall-back to sending full QNAME to potentially broken nameservers. + A lot of domains will not be resolvable when this option in enabled. + Only use if you know what you are doing. + + + + unbound.advanced.outgoingnumtcp + + text + + The number of outgoing TCP buffers to allocate per thread. + If 0 is selected then no TCP queries, to authoritative servers, are done. + + + + unbound.advanced.incomingnumtcp + + text + + The number of incoming TCP buffers to allocate per thread. + If 0 is selected then no TCP queries, from clients, are accepted. + + + + unbound.advanced.numqueriesperthread + + text + + The number of queries that every thread will service simultaneously. If more queries arrive that + need to be serviced, and no queries can be jostled out (see "Jostle Timeout"), + then these queries are dropped. This forces the client to resend after a timeout, allowing the + server time to work on the existing queries. + + + + unbound.advanced.outgoingrange + + text + + The number of ports to open. This number of file descriptors can be opened per thread. Larger numbers + need extra resources from the operating system. For performance a very large value is best. + For reference, usually double the amount of queries per thread is used. + + + + unbound.advanced.jostletimeout + + text + + This timeout is used for when the server is very busy. Set to a value that usually results in one + round-trip to the authority servers. If too many queries arrive, then 50% of the queries are allowed + to run to completion, and the other 50% are replaced with the new incoming query if they have + already spent more than their allowed time. This protects against denial of service by + slow queries or high query rates. 
+ + + + unbound.advanced.privatedomain + + select_multiple + + true + + List of domains to mark as private. These domains and all its subdomains are allowed to contain + private addresses. + + + + unbound.advanced.privateaddress + + select_multiple + + true + + These are addresses on your private network, and are not allowed to be returned for public internet names. + Any occurrence of such addresses are removed from DNS answers. + Additionally, the DNSSEC validator may mark the answers bogus. + This protects against so-called DNS Rebinding. + + (Only applicable when DNS rebind check is enabled in System->Settings->Administration) + + + + unbound.advanced.insecuredomain + + select_multiple + + true + List of domains to mark as insecure. DNSSEC chain of trust is ignored towards the domain name. + + + header + + unbound.advanced.serveexpired @@ -92,15 +186,8 @@ - unbound.advanced.qnameminstrict - - checkbox - - Send minimum amount of information to upstream servers to enhance privacy. - Do not fall-back to sending full QNAME to potentially broken nameservers. - A lot of domains will not be resolvable when this option in enabled. - Only use if you know what you are doing. - + header + unbound.advanced.extendedstatistics 
@@ -185,46 +272,35 @@ - unbound.advanced.privatedomain - - select_multiple - - true + header + + + + unbound.advanced.prefetch + + checkbox - List of domains to mark as private. These domains and all its subdomains are allowed to contain - private addresses. + Message cache elements are prefetched before they expire to help keep the cache up to date. + When enabled, this option can cause an increase of around 10% more DNS traffic and load + on the server, but frequently requested items will not expire from the cache. - unbound.advanced.privateaddress - - select_multiple - - true + unbound.advanced.unwantedreplythreshold + + text - These are addresses on your private network, and are not allowed to be returned for public internet names. - Any occurrence of such addresses are removed from DNS answers. - Additionally, the DNSSEC validator may mark the answers bogus. - This protects against so-called DNS Rebinding. - - (Only applicable when DNS rebind check is enabled in System->Settings->Administration) + If enabled, a total number of unwanted replies is kept track of in every thread. + When it reaches the threshold, a defensive action is taken and a warning is printed to the log file. + This defensive action is to clear the RRSet and message caches, hopefully flushing away any poison. - - unbound.advanced.insecuredomain - - select_multiple - - true - List of domains to mark as insecure. DNSSEC chain of trust is ignored towards the domain name. - unbound.advanced.msgcachesize text Size of the message cache. The message cache stores DNS rcodes and validation statuses. - The RRSet cache will automatically be set to twice this amount. The RRSet cache contains the actual RR data. Valid input is plain bytes, optionally appended with 'k', 'm', or 'g' for kilobytes, megabytes or gigabytes respectively. 
@@ -238,57 +314,6 @@ with 'k', 'm', or 'g' for kilobytes, megabytes or gigabytes respectively. - - unbound.advanced.outgoingnumtcp - - text - - The number of outgoing TCP buffers to allocate per thread. - If 0 is selected then no TCP queries, to authoritative servers, are done. - - - - unbound.advanced.incomingnumtcp - - text - - The number of incoming TCP buffers to allocate per thread. - If 0 is selected then no TCP queries, from clients, are accepted. - - - - unbound.advanced.numqueriesperthread - - text - - The number of queries that every thread will service simultaneously. If more queries arrive that - need to be serviced, and no queries can be jostled out (see "Jostle Timeout"), - then these queries are dropped. This forces the client to resend after a timeout, allowing the - server time to work on the existing queries. - - - - unbound.advanced.outgoingrange - - text - - The number of ports to open. This number of file descriptors can be opened per thread. Larger numbers - need extra resources from the operating system. For performance a very large value is best. - For reference, usually double the amount of queries per thread is used. - - - - unbound.advanced.jostletimeout - - text - - This timeout is used for when the server is very busy. Set to a value that usually results in one - round-trip to the authority servers. If too many queries arrive, then 50% of the queries are allowed - to run to completion, and the other 50% are replaced with the new incoming query if they have - already spent more than their allowed time. This protects against denial of service by - slow queries or high query rates. - - unbound.advanced.cachemaxttl 
@@ -339,14 +364,4 @@ Number of hosts for which information is cached. - - unbound.advanced.unwantedreplythreshold - - text - - If enabled, a total number of unwanted replies is kept track of in every thread. - When it reaches the threshold, a defensive action is taken and a warning is printed to the log file. - This defensive action is to clear the RRSet and message caches, hopefully flushing away any poison. - -
diff --git a/src/opnsense/mvc/app/views/layout_partials/base_form.volt b/src/opnsense/mvc/app/views/layout_partials/base_form.volt index c1b998d90..74b12b52f 100644 --- a/src/opnsense/mvc/app/views/layout_partials/base_form.volt +++ b/src/opnsense/mvc/app/views/layout_partials/base_form.volt @@ -82,12 +82,12 @@ - - -

{{field['label']}}

- - + + + +
{{field['label']}}
+ {#- endmacro #} {% else %}
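Review bot: in the first advanced.xml hunk (@@ -1,4 +1,8 @@) the new `header` field inserted before `unbound.advanced.hideidentity` shows no label text in this view, and the same is true for the headers added later before `unbound.advanced.serveexpired`, `unbound.advanced.extendedstatistics` and `unbound.advanced.prefetch`. Since the categorization is the whole point of the patch, please confirm each header carries a translatable label, and spell out the four category names in the commit message, which currently only says "categorize options".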
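Review bot: the help texts moved into the second advanced.xml hunk (@@ -39,6 +33,106 @@) are copied verbatim, which carries over a typo in `unbound.advanced.qnameminstrict` ("when this option in enabled" should read "when this option is enabled") and two agreement errors, in `unbound.advanced.privatedomain` ("These domains and all its subdomains" should be "their subdomains") and in `unbound.advanced.privateaddress` ("Any occurrence of such addresses are removed" should be "is removed"). Since these lines are being touched anyway, fix them here. Also, `unbound.advanced.insecuredomain` now sits directly after the two rebind-protection fields; its help text ("DNSSEC chain of trust is ignored towards the domain name") should state plainly that listing a domain turns off DNSSEC validation for it, so it is not read as a companion setting to "private domains".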
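Review bot: the fourth advanced.xml hunk (@@ -185,46 +272,35 @@) drops the sentence "The RRSet cache will automatically be set to twice this amount." from the `unbound.advanced.msgcachesize` help text, yet the commit message says the patch "does not affect functionality". If the backend still derives the RRSet cache size from the message cache size, the sentence is accurate and should stay; if that coupling was removed, the cache-sizing change needs its own mention in the commit message. Separately, `unbound.advanced.unwantedreplythreshold` is a `text` field, so its help text "If enabled, a total number of unwanted replies is kept track of" reads oddly; "If set to a value greater than zero" would match the input type and the "When it reaches the threshold" sentence that follows.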
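Review bot: the base_form.volt hunk (@@ -82,12 +82,12 @@) changes a shared layout partial, so every form rendered through it, in this repo and, as the commit message notes, in the plugins repo, gets the new header-row markup. The commit message should say what actually changed in that markup (the "some more fluff" wording does not tell a reader which wrapping elements or classes were added around `{{field['label']}}`), and the rendering should be checked on at least one plugin form that has several `header` rows before this is merged.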