
[FR] Ability to set the Redis password #833

Closed
alpominth opened this issue Jan 22, 2023 · 1 comment
@alpominth

Many prefer to keep the Redis database protected with a password.

There is no option in Unbound for setting it.

An option for setting the Redis password in Unbound would be very welcome.

@alpominth
Author

Your commit is fully working:

===========================

Configuration:

```
server:
  interface: 127.0.0.1
  interface: ::1
  port: 53
  cache-max-ttl: 5184000
  cache-min-ttl: 5184000
  cache-max-negative-ttl: 604800
  val-bogus-ttl: 0
  delay-close: 10000
  chroot: ""
  username: user
  directory: ""
  pidfile: ""
  do-not-query-localhost: no
  module-config: "validator cachedb iterator"

cachedb:
  backend: redis
  redis-server-host: ::1
  redis-server-port: 6379
  redis-server-password: "passwd123"
  # redis-server-path: "/var/lib/redis/redis-server.sock"
  redis-timeout: 5000

forward-zone:
  name: "."
  forward-addr: ::1@10053
```

Tests:

```
# time dig @127.0.0.1 -p 53 +dnssec cloudflare.com
; <<>> DiG 9.18.10-2-Debian <<>> @127.0.0.1 -p 53 +dnssec cloudflare.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50406
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;cloudflare.com.			IN	A
;; ANSWER SECTION:
cloudflare.com.		5184000	IN	A	104.16.132.229
cloudflare.com.		5184000	IN	A	104.16.133.229
cloudflare.com.		5184000	IN	RRSIG	A 13 2 300 20230124120955 20230122100955 34505 cloudflare.com. d2LeaBSMVvCVEdK3zbT3U5Uol1B1YbXu9zjpQJ9avLjLU+dwvOUXuoHH Jke8FqFyXtb2j9O7rs5PuQ431UMvNw==
;; Query time: 283 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Mon Jan 23 06:09:35 EST 2023
;; MSG SIZE  rcvd: 185
real	0m0.306s
user	0m0.009s
sys	0m0.002s
```

```
# /opt/unbound/unbound -dd -c /opt/unbound/permcache.conf 
[1674472167] unbound[1787041:0] notice: init module 0: validator
[1674472167] unbound[1787041:0] notice: init module 1: cachedb
[1674472167] unbound[1787041:0] warning: cachedb: serve-expired-reply-ttl is set but not working for data originating from the external cache; 0 TLL is used for those.
[1674472167] unbound[1787041:0] notice: init module 2: iterator
[1674472167] unbound[1787041:0] info: start of service (unbound 1.17.2).
^C[1674472180] unbound[1787041:0] info: service stopped (unbound 1.17.2).
[1674472180] unbound[1787041:0] info: server stats for thread 0: 3 queries, 0 answers from cache, 3 recursions, 0 prefetch, 0 rejected by ip ratelimiting
[1674472180] unbound[1787041:0] info: server stats for thread 0: requestlist max 1 avg 0.333333 exceeded 0 jostled 0
[1674472180] unbound[1787041:0] info: average recursion processing time 0.274533 sec
[1674472180] unbound[1787041:0] info: histogram of recursion processing times
[1674472180] unbound[1787041:0] info: [25%]=0 median[50%]=0 [75%]=0
[1674472180] unbound[1787041:0] info: lower(secs) upper(secs) recursions
[1674472180] unbound[1787041:0] info:    0.262144    0.524288 3
```

```
# time dig @127.0.0.1 -p 53 +dnssec cloudflare.com
; <<>> DiG 9.18.10-2-Debian <<>> @127.0.0.1 -p 53 +dnssec cloudflare.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4582
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;cloudflare.com.			IN	A
;; ANSWER SECTION:
cloudflare.com.		5183990	IN	A	104.16.133.229
cloudflare.com.		5183990	IN	A	104.16.132.229
cloudflare.com.		5183990	IN	RRSIG	A 13 2 300 20230124120955 20230122100955 34505 cloudflare.com. d2LeaBSMVvCVEdK3zbT3U5Uol1B1YbXu9zjpQJ9avLjLU+dwvOUXuoHH Jke8FqFyXtb2j9O7rs5PuQ431UMvNw==
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Mon Jan 23 06:09:45 EST 2023
;; MSG SIZE  rcvd: 185
real	0m0.021s
user	0m0.008s
sys	0m0.002s
```

```
# /opt/unbound/unbound -dd -c /opt/unbound/permcache.conf 
[1674472182] unbound[1788239:0] notice: init module 0: validator
[1674472182] unbound[1788239:0] notice: init module 1: cachedb
[1674472182] unbound[1788239:0] warning: cachedb: serve-expired-reply-ttl is set but not working for data originating from the external cache; 0 TLL is used for those.
[1674472182] unbound[1788239:0] notice: init module 2: iterator
[1674472182] unbound[1788239:0] info: start of service (unbound 1.17.2).
^C[1674472487] unbound[1788239:0] info: service stopped (unbound 1.17.2).
[1674472487] unbound[1788239:0] info: server stats for thread 0: 5 queries, 0 answers from cache, 5 recursions, 0 prefetch, 0 rejected by ip ratelimiting
[1674472487] unbound[1788239:0] info: server stats for thread 0: requestlist max 1 avg 0.4 exceeded 0 jostled 0
[1674472487] unbound[1788239:0] info: average recursion processing time 0.229617 sec
[1674472487] unbound[1788239:0] info: histogram of recursion processing times
[1674472487] unbound[1788239:0] info: [25%]=0.16384 median[50%]=0.305835 [75%]=0.415061
[1674472487] unbound[1788239:0] info: lower(secs) upper(secs) recursions
[1674472487] unbound[1788239:0] info:    0.000000    0.000001 1
[1674472487] unbound[1788239:0] info:    0.131072    0.262144 1
[1674472487] unbound[1788239:0] info:    0.262144    0.524288 3
```

======================================

I'm already using it, thank you very much!
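
An added example, not part of the comment above and not Unbound's own code: `redis-server-password` stores the Redis secret as plain text in the configuration file, so this sketch audits the `cachedb:` clause together with the file's permission bits. The finding labels and the embedded sample are constructed here, and treating a missing `redis-server-host` as loopback is an assumption.

```python
import os
import re
import stat

LINE = re.compile(r'^\s*([A-Za-z0-9-]+):\s*(?:"([^"]*)"|([^#\s]*))')
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample, cut down from the configuration posted above.
SAMPLE = '''server:
  chroot: ""
cachedb:
  backend: redis
  redis-server-host: ::1
  redis-server-password: "passwd123"
  # redis-server-path: "/var/lib/redis/redis-server.sock"
forward-zone:
  name: "."
'''

def parse_cachedb(text):
    """Return the options of the cachedb: clause as a dict."""
    opts, clause = {}, None
    for m in filter(None, map(LINE.match, text.splitlines())):
        key, quoted, bare = m.groups()
        if quoted is None and bare == "":
            clause = key  # a key with no value opens a clause
        elif clause == "cachedb":
            opts[key] = quoted if quoted is not None else bare
    return opts

def audit(text, mode):
    """Return finding labels (names invented here) for config text + file mode."""
    opts = parse_cachedb(text)
    if opts.get("backend") != "redis":
        return []
    findings = []
    if not opts.get("redis-server-password"):
        findings.append("no-redis-password")
    elif mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("password-file-readable-by-others")
    # Assumption: when redis-server-host is absent the target is loopback.
    host = opts.get("redis-server-host", "127.0.0.1")
    if not opts.get("redis-server-path") and host not in LOOPBACK:
        findings.append("non-loopback-redis-host")
    return findings

def audit_file(path):
    with open(path, encoding="utf-8") as fh:
        return audit(fh.read(), stat.S_IMODE(os.stat(path).st_mode))
```

`audit_file()` takes the path of the configuration in use; an empty list means none of the three conditions was found.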

jedisct1 added a commit to jedisct1/unbound that referenced this issue Feb 15, 2023
* nlnet/master:
  Regenerate configure for the fix acx_nlnetlabs.m4 for -Wstrict-prototypes.
  - Fix acx_nlnetlabs.m4 for -Wstrict-prototypes.
  Fix NLnetLabs#833: [FR] Ability to set the Redis password.
  - Fix NLnetLabs#835: [FR] Ability to use Redis unix sockets.
  - Add NLnetLabs#835: [FR] Ability to use Redis unix sockets.
  Changelog note for NLnetLabs#819, generate configparser.c and comment syntax change. - Merge NLnetLabs#819: Added new static zone type block_a to suppress all A   queries for specific zones.
  - Fix test for new default.
  - Set default for harden-unknown-additional to no. So that it does   not hamper future protocol developments.
  - Add harden-unknown-additional option. Default on and it removes   unknown records from the authority section and additional section.   Thanks to Xiang Li, from NISL Lab, Tsinghua University.
  - Set max-udp-size default to 1232. This is the same default value as   the default value for edns-buffer-size. It restricts client edns   buffer size choices, and makes unbound behave similar to other DNS   resolvers. The new choice, down from 4096 means it is harder to get   large responses from Unbound. Thanks to Xiang Li, from NISL Lab,   Tsinghua University.
  - Fix not following cleared RD flags potentially enables amplification   DDoS attacks, reported by Xiang Li and Wei Xu from NISL Lab,   Tsinghua University. The fix stops query loops, by refusing to send   RD=0 queries to a forwarder, they still get answered from cache.
  Added new static zone type block_a to suppress all A queries for specific zones