Unbound custom parameters

Started by Ricardo, August 05, 2019, 03:33:10 PM

I found in 19.7 under the Unbound settings that "Custom options" will be deprecated in the future. Can the team share the plans for how the not-so-common parameters can still be used if the "Custom options" input box is no longer available?

Maybe include file where you have to put it in via CLI

That would be a huge step backwards. Is there any reason why this is the plan?

Because you can put everything in this field, also commands and whatever, and you have to trust the application that it validates everything correctly.

Why not just put a feature request so you don't have to use this field?

I have just opened a feature request for the DNS blacklist case.

Another entry in OPNsense Unbound Custom options, which I have been using for diagnosis, is this one:
log-queries: yes

Could this be achieved currently without using Custom options?

I have these:

extended-statistics: yes
log-queries: yes

and I don't think there is any other way in OPNsense to use these special options without the "Custom options" input field.

For the record, this was the reason why I opened this thread:

Custom options
This option will be removed in the future due to being insecure by nature. In the mean time only full administrators are allowed to change this setting.
Enter any additional options you would like to add to the Unbound configuration here.

The removal won't happen too soon .. so no panic.
Just add a new FR with these two options as a checkbox, it shouldn't be that hard to implement.

What are the reasons for the removal of the custom options? I use the custom options to bulk import host and domain blocking lists as well as import DKIM settings. I found it really useful for that. If there is no alternative then I guess I will be moving back to pfSense in the future.

Quote from: mrkev on August 06, 2019, 01:30:45 PM
What are the reasons for the removal of the custom options? I use the custom options to bulk import host and domain blocking lists as well as import DKIM settings. I found it really useful for that. If there is no alternative then I guess I will be moving back to pfSense in the future.

https://github.com/opnsense/core/commit/d62015df1cdb0c0711b488bd66ced631b9a4f37b

There is no date set for when to remove this feature .. it can also be in 2021 .. and for every use case there will be an alternative, trust me :)

At least please please put some kind of ETA if the "planned to be deprecated" text is already printed on the setup GUI.

Nobody thought about an ETA .. that means, it won't happen in 20.1.

Usually you bring all the stuff in to mitigate this field, then wait for 1 or 2 major upgrades and then remove it after plenty of warnings.

BTW, we are working on a file include .. so you can put everything on the options field, paste in a file and you are done.

Hi,

I'm also using the custom options for different purposes, e.g.:


  • DNS Blacklist include
  • server:
    tls-cert-bundle: "/etc/ssl/cert.pem"
    forward-zone:
    name: "."
    forward-tls-upstream: yes
    ...
  • server:
    #Access control for Internal IPv4/6
    access-control-view: 192.168.xx.0/24 lanview
    access-control-view: xxxx:xxxx:xxxx:xxxx::/64 lanview
    view:
    name: "lanview"
    local-zone: "xxxxxxxx" transparent
    local-data: "xxxxxxxx A xxxxxxxxx"
    local-data: "xxxx A xxxxxxxxxx"

This should be covered in the alternative solution too.

br

We deprecate the GUI custom advanced fields because of OpenVPN shell injection issues we had reported. The freeform input cannot be validated. We still offer file-based includes everywhere it makes sense.

We deprecate the GUI custom advanced fields because our policy is to make fool-proof and future-safe features.

We deprecate the GUI custom advanced fields because services that don't have them have better UX in general and users are more keen to report and share their use cases which in turn helps shape and introduce new easy to use features.

We deprecate the GUI custom advanced fields without a schedule to raise awareness and to avoid surprises on updates.


Cheers,
Franco
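
The difference between a freeform field and typed settings, sketched as an added example that is not part of this thread or of OPNsense's code: only allow-listed options with a valid value are re-serialised into the config, and everything else is refused rather than copied through. The names `ALLOWED` and `render_options` and the sample input are assumptions made for illustration.

```python
import re

# Assumed allow-list: option name -> pattern its value must fully match.
# Both options are the ones requested in this thread; a GUI would expose
# each as a checkbox instead of parsing text at all.
YES_NO = re.compile(r"yes|no")
ALLOWED = {
    "log-queries": YES_NO,
    "extended-statistics": YES_NO,
}
LINE = re.compile(r"^([a-z0-9-]+):\s*(\S.*)?$")


def render_options(text):
    """Return (config_lines, rejected) for freeform user input.

    Only allow-listed 'key: value' pairs with a valid value are emitted;
    unknown keys, clause headers and malformed values are reported
    instead of being written to the service configuration.
    """
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        key = m.group(1) if m else None
        value = (m.group(2) or "").strip() if m else ""
        check = ALLOWED.get(key)
        if check and check.fullmatch(value):
            accepted.append(f"{key}: {value}")  # re-serialised, not copied
        else:
            rejected.append(line)
    return accepted, rejected


# Constructed sample input: the thread's two options plus lines that are
# not on the allow-list and would need their own feature request.
SAMPLE = """\
log-queries:yes
extended-statistics: yes
log-queries: yes extra
local-zone: "example.test" transparent
view:
"""

if __name__ == "__main__":
    ok, bad = render_options(SAMPLE)
    print("written:", ok)
    print("refused:", bad)
```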

Within 19.7.4 there is "support file-based custom-includes" mentioned as new unbound feature.

I'm not sure if this is the replacement for "Unbound custom parameter"?

br

No, but a hook. I'm building an unbound-plus plugin. First release will offer dnsbl, future versions DoT and options you put in custom field. Just file them as an issue in GitHub.