config BR2_PACKAGE_UNBOUND
	bool "unbound"
	depends on !BR2_STATIC_LIBS
	select BR2_PACKAGE_EXPAT
	select BR2_PACKAGE_LIBEVENT
	select BR2_PACKAGE_OPENSSL
	help
	  Unbound is a validating, recursive, and caching DNS resolver.
	  It supports DNSSEC, QNAME minimisation, DNS-over-TLS and
	  DNSCrypt.

	  https://www.unbound.net

if BR2_PACKAGE_UNBOUND
config BR2_PACKAGE_UNBOUND_DNSCRYPT
	bool "enable DNSCrypt"
	select BR2_PACKAGE_LIBSODIUM
	help
	  DNSCrypt wraps unmodified DNS queries between a client and
	  a DNS resolver. The default port is 443 and, as with
	  normal unencrypted DNS, it uses UDP first, falling back
	  to TCP if the response is too large.

	  There is also DNS-over-TLS, a TCP-only version
	  of the proposed standard for DNS encryption (RFC 7858).
	  The default port for DNS-over-TLS is 853 and Unbound has
	  built-in support for it.

	  https://tools.ietf.org/html/rfc7858

	  Note: Neither DNSCrypt nor DNS-over-TLS encrypts the SNI.
	  Here are some suggestions on how to handle SNI encryption:

	  https://tools.ietf.org/html/draft-ietf-tls-sni-encryption-00
endif

comment "unbound needs a toolchain w/ dynamic library"
	depends on BR2_STATIC_LIBS