| config BR2_PACKAGE_UNBOUND |
| bool "unbound" |
| depends on !BR2_STATIC_LIBS |
| select BR2_PACKAGE_EXPAT |
| select BR2_PACKAGE_LIBEVENT |
| select BR2_PACKAGE_OPENSSL |
| help |
| Unbound is a validating, recursive, and caching DNS resolver. |
| It supports DNSSEC, QNAME minimisation, DNS-over-TLS and |
| DNSCrypt. |
| |
| https://www.unbound.net |
| |
| if BR2_PACKAGE_UNBOUND |
| config BR2_PACKAGE_UNBOUND_DNSCRYPT |
| bool "enable DNSCrypt" |
| select BR2_PACKAGE_LIBSODIUM |
| help |
| DNSCrypt wraps unmodified DNS queries between a client and |
| a DNS resolver. Default port used is 443 and like with |
| normal unencrypted DNS, it uses UDP first and falling back |
| to TCP if response too large. |
| |
| There is also DNS-over-TLS, a TCP only version |
| of proposed standard for DNS encryption (RFC 7858). |
| Default port for DNS-over-TLS is 853 and Unbound has |
| built-in support for it. |
| |
| https://tools.ietf.org/html/rfc7858 |
| |
| Note: Neither DNSCrypt or DNS-over-TLS encrypt the SNI. |
| Here is some suggestions how to handle SNI encryption: |
| |
| https://tools.ietf.org/html/draft-ietf-tls-sni-encryption-00 |
| endif |
| |
| comment "unbound needs a toolchain w/ dynamic library" |
| depends on BR2_STATIC_LIBS |
