Why are custom options for Unbound removed in 21.7?

Started by 134, July 14, 2021, 06:31:49 PM

So there's no support for custom SRV records then?

I managed to move my private domains over but I have a KMS SRV record set up for auto detection.

Quote from: deadmeatgames on August 16, 2021, 03:03:06 PM
So there's no support for custom SRV records then?
Unbound is not an authoritative nameserver but strictly a recursive resolver. You would need to use the BIND plugin - which supports SRV records just fine.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: pmhausen on August 16, 2021, 03:25:39 PM
Unbound is not an authoritative nameserver but strictly a recursive resolver. You would need to use the BIND plugin - which supports SRV records just fine.


This is what I did in order for my firewall to hold a local copy of my main DNS zone (on Windows servers). Bind is set up as a slave zone and Unbound uses it as the lookup for my internal domain, however, for it to be able to do that you have to enable "local DNS access" as that gets blocked and this can only be done with a custom option.

This can be achieved now via the documented /usr/local/etc/unbound.opnsense.d directory.

If you feel like it you could implement it as a full featured option and send a pull request. Adding a single field/option to an existing dialog and writing out a handful of lines to a config file is not that difficult even if one doesn't know (much) PHP. It's mainly XML and Jinja ...
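
A drop-in file of the kind described in the two posts above, as an added example that is not from the thread or the OPNsense project. It assumes that "local DNS access" refers to Unbound's `do-not-query-localhost` setting; the file name, the zone `corp.example` and the BIND listener `127.0.0.1@53530` are placeholders.

```conf
# /usr/local/etc/unbound.opnsense.d/internal-zone.conf
# (hypothetical file name; zone and listener address are placeholders)

server:
    # By default Unbound refuses to send queries to 127.0.0.0/8 and ::1.
    # "no" lifts that restriction so the BIND instance on loopback
    # can be queried.
    do-not-query-localhost: no

    # If DNS rebind protection (private-address) is active, allow
    # private addresses in answers for this one zone only.
    private-domain: "corp.example"

    # The internal zone has no chain of trust from the public root,
    # so skip DNSSEC validation for it and nothing else.
    domain-insecure: "corp.example"

# Send every query for the internal zone, SRV lookups included,
# to the local BIND copy of the zone.
stub-zone:
    name: "corp.example"
    stub-addr: 127.0.0.1@53530
```

Scoping `private-domain` and `domain-insecure` to the one internal zone keeps rebind protection and DNSSEC validation in force for every other name.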

Quote from: pmhausen on August 16, 2021, 03:40:03 PM
This can be achieved now via the documented /usr/local/etc/unbound.opnsense.d directory.

If you feel like it you could implement it as a full featured option and send a pull request. Adding a single field/option to an existing dialog and writing out a handful of lines to a config file is not that difficult even if one doesn't know (much) PHP. It's mainly XML and Jinja ...


I used the Custom Options plug-in, will leave the coding to the experts - I'm fine at scripting but don't enjoy the kind of changes required for this.

I have read the whole discussion and would like to say a few words.
Franco says he wants to eliminate certain parameters (such as the DNS Unbound custom option) from the graphic configuration because with the expansion of the user base many novice people could make big problems using them.
But firewalls are complex systems, and whoever uses them must at least read a fucking manual before doing a basic setup.
No firewall manufacturer that I know of whether it is Checkpoint or Cisco or Juniper or Palo Alto would have ever followed this logic.

Furthermore, if during an update such a feature is deleted before proceeding, the system must give a warning big as a house to the system administrator, especially because it is not certain that one can quickly realize that the configuration has changed, because the Dnscrypt service is still formally active and if you do not check the service logs or the Unbound configuration, you risk exposing yourself to a security risk because a system security feature has been removed without however disabling the related service.

Perhaps instead of disabling that field from the graphical configuration I would have put a nice warning banner with a check mark so that the inexperienced user would realize that changing it without having the right knowledge could lead to catastrophic results.

This is my two cents.




Quote from: AlexV on February 10, 2022, 02:11:30 PM
must at least read a fucking manual

Nice try for a technical discussion with validity and security concerns, but won't bite. If software development for Unbound and OPNsense stood still I would agree but it does not. :)


Cheers,
Franco

There is a deprecation note for nearly a year and there will be a known limitation note in the major release notes. What's the deal here AlexV?

Plus there is a well documented supported option for power users. Only need to use the command line.

Quote from: franco on February 10, 2022, 02:52:37 PM

Nice try for a technical discussion with validity and security concerns, but won't bite. If software development for Unbound and OPNsense stood still I would agree but it does not. :)


Cheers,
Franco

Maybe you are right, but at the moment Unbound configuration of DoH is less flexible than DnsCrypt proxy.
For example, to add a DNS in dnscrypt I can use the well-known list based on NS domain name.
In Unbound the IP must be used.

So if you decide to remove a function to replace it with another, the latter must have at least all the functionality of the replaced function.

By the way I will reported an issue with Dnscrypt log that are not more visible from GUI.
Can you fix this?

February 11, 2022, 07:10:40 PM #100 Last Edit: February 11, 2022, 09:58:36 PM by allebone
The problem in open source is that if there are no coders developing something, then just moaning that it must be maintained in a certain way is not helpful. When you bring up other companies and say company x would never have done this, they would have supported Y in some way, this is illogical. They pay people to code whatever they want. Open source does not work this way. Either you contribute or you don't moan. So either write and submit the code you want added or learn to adapt like the rest of us have.

You can still have all the custom configuration you need. Just put it as a text config file into the documented directory. Documented, supported, will survive reboots and updates. The ONLY location where it was removed is the UI!

Quote from: AlexV on February 11, 2022, 06:32:14 PM


By the way I will reported an issue with Dnscrypt log that are not more visible from GUI.
Can you fix this?

22.1.1