39 lines
1.1 KiB
Plaintext
39 lines
1.1 KiB
Plaintext
|
config BR2_PACKAGE_UNBOUND
|
||
|
bool "unbound"
|
||
|
depends on !BR2_STATIC_LIBS
|
||
|
select BR2_PACKAGE_EXPAT
|
||
|
select BR2_PACKAGE_LIBEVENT
|
||
|
select BR2_PACKAGE_OPENSSL
|
||
|
help
|
||
|
Unbound is a validating, recursive, and caching DNS resolver.
|
||
|
It supports DNSSEC, QNAME minimisation, DNS-over-TLS and
|
||
|
DNSCrypt.
|
||
|
|
||
|
https://www.unbound.net
|
||
|
|
||
|
if BR2_PACKAGE_UNBOUND
|
||
|
config BR2_PACKAGE_UNBOUND_DNSCRYPT
|
||
|
bool "enable DNSCrypt"
|
||
|
select BR2_PACKAGE_LIBSODIUM
|
||
|
help
|
||
|
DNSCrypt wraps unmodified DNS queries between a client and
|
||
|
a DNS resolver. Default port used is 443 and like with
|
||
|
normal unencrypted DNS, it uses UDP first and falling back
|
||
|
to TCP if response too large.
|
||
|
|
||
|
There is also DNS-over-TLS, a TCP only version
|
||
|
of proposed standard for DNS encryption (RFC 7858).
|
||
|
Default port for DNS-over-TLS is 853 and Unbound has
|
||
|
built-in support for it.
|
||
|
|
||
|
https://tools.ietf.org/html/rfc7858
|
||
|
|
||
|
Note: Neither DNSCrypt or DNS-over-TLS encrypt the SNI.
|
||
|
Here is some suggestions how to handle SNI encryption:
|
||
|
|
||
|
https://tools.ietf.org/html/draft-ietf-tls-sni-encryption-00
|
||
|
endif
|
||
|
|
||
|
comment "unbound needs a toolchain w/ dynamic library"
|
||
|
depends on BR2_STATIC_LIBS
|