Message ID | 20191230130250.1303-1-fff@chrisi01.de |
---|---|
State | Superseded |
diff --git a/src/packages/fff/fff-dhcp/Makefile b/src/packages/fff/fff-dhcp/Makefile
index c481d82..fed1a2b 100644
--- a/src/packages/fff/fff-dhcp/Makefile
+++ b/src/packages/fff/fff-dhcp/Makefile
@@ -12,7 +12,8 @@ define Package/fff-dhcp
 CATEGORY:=Freifunk
 TITLE:=Freifunk-Franken dhcp
 URL:=http://www.freifunk-franken.de
- DEPENDS:=+dnsmasq
+ DEPENDS:=+dnsmasq \
+ +stubby
 endef
 
 define Package/fff-dhcp/description
diff --git a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
index ad9f1cd..20503bf 100644
--- a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
+++ b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
@@ -1,21 +1,41 @@
 configure() {
 ## dns
 uci -q del dhcp.@dnsmasq[0].server
- if dnsservers=$(uci -q get gateway.@dns[0].server); then
- for f in $dnsservers; do
- uci add_list dhcp.@dnsmasq[0].server=$f
- uci add_list dhcp.@dnsmasq[0].server="/in-addr.arpa/$f"
- uci add_list dhcp.@dnsmasq[0].server="/ip6.arpa/$f"
- done
+ if [ $(uci -q get gateway.@dns[0].dnsdot) == 1 ]; then
+ uci add_list dhcp.@dnsmasq[0].server="::1#5453"
+ uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5453"
+ uci set dhcp.@dnsmasq[0].noresolv="1"
+ while uci -q delete stubby.@resolver[0]; do :; done
+ if dnsservers=$(uci -q get gateway.@dns[0].server); then
+ for f in $dnsservers; do
+ type="$(echo $f | cut -d "@" -f 1)"
+ uci set stubby.$type="resolver"
+ uci set stubby.$type.address=""$(echo $f | cut -d "@" -f 2)""
+ uci set stubby.$type.tls_auth_name=""$(echo $f | cut -d "@" -f 3)""
+ done
+ else
+ echo "WARNING: No DNS servers set!"
+ fi
+
 else
- echo "WARNING: No DNS servers set!"
+ if dnsservers=$(uci -q get gateway.@dns[0].server); then
+ for f in $dnsservers; do
+ uci add_list dhcp.@dnsmasq[0].server=$f
+ uci add_list dhcp.@dnsmasq[0].server="/in-addr.arpa/$f"
+ uci add_list dhcp.@dnsmasq[0].server="/ip6.arpa/$f"
+ done
+ else
+ echo "WARNING: No DNS servers set!"
+ fi
 fi
 }
 
 apply() {
 uci commit dhcp
+ uci commit stubby
 }
 
 revert() {
 uci revert dhcp
+ uci revert stubby
 }
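Review bot: The new branch condition `if [ $(uci -q get gateway.@dns[0].dnsdot) == 1 ]` leaves the substitution unquoted, so on a router where `dnsdot` is not set `[` is handed only `== 1` and prints an operand error before control drops into the else branch; write it as `if [ "$(uci -q get gateway.@dns[0].dnsdot)" = "1" ]; then` (`=` is also the form busybox's POSIX `[` guarantees). The lines `uci set stubby.$type.address=""$(echo $f | cut -d "@" -f 2)""` and the matching `tls_auth_name` line have the same problem in another shape: the doubled quotes are two empty strings around an unquoted substitution, so a value containing spaces or glob characters would be word-split before reaching uci; `uci set stubby.$type.address="$(echo "$f" | cut -d '@' -f 2)"` and likewise for `tls_auth_name` is what is intended. `noresolv` is set to 1 only in the DoT branch and never cleared, so turning `dnsdot` off again leaves the earlier value in the `dhcp` config; a `uci -q del dhcp.@dnsmasq[0].noresolv` next to the existing `uci -q del dhcp.@dnsmasq[0].server` at the top of configure() would reset it on every run. The hunk also never sets stubby's authentication mode, so whether a resolver entry whose third field is empty (no `tls_auth_name`) is rejected or used without certificate verification depends on the stubby package default — if the intent of the option is authenticated DoT, pinning that mode explicitly in this commit would keep it from silently degrading.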
Stubby scheint nicht ganz klein zu sein. Sollte man vll. mal testen, was das beim fertig komprimierten Image ausmacht (inkl. der Dependencies). Da es nur für die GW-Firmware und damit ohnehin nur für die 8MB+ Geräte ist, ist das aber wahrscheinlich wurscht. Grüße Adrian > -----Original Message----- > From: franken-dev [mailto:franken-dev-bounces@freifunk.net] On Behalf > Of Christian Dresel > Sent: Montag, 30. Dezember 2019 14:03 > To: franken-dev@freifunk.net > Subject: [RFC PATCH] Add DNS over TLS option inside the Freifunk backbone > > With this option it is possible to make DoT (DNS over TLS) from the layer3 > router to the DoT DNS Server. > > The DNS traffic from Client to the layer3 router is still uncryptet. > > On the layer 3 router, dnsmasq forward the DNS to stubby. > Stubby use DoT to ask a resolver inside or outside the Freifunk backbone > > For documentation for the options is here: > https://wiki.freifunk- > franken.de/w/Gatewayfirmware_Config/mit_stubby#dns_mit_DoT_.C3.BCb > er_stubby > > Signed-off-by: Christian Dresel <fff@chrisi01.de> > --- > src/packages/fff/fff-dhcp/Makefile | 3 +- > .../fff/fff-dhcp/files/etc/gateway.d/35-dns | 34 +++++++++++++++++--- > -- > 2 files changed, 29 insertions(+), 8 deletions(-) > > diff --git a/src/packages/fff/fff-dhcp/Makefile b/src/packages/fff/fff- > dhcp/Makefile > index c481d82..fed1a2b 100644 > --- a/src/packages/fff/fff-dhcp/Makefile > +++ b/src/packages/fff/fff-dhcp/Makefile > @@ -12,7 +12,8 @@ define Package/fff-dhcp > CATEGORY:=Freifunk > TITLE:=Freifunk-Franken dhcp > URL:=http://www.freifunk-franken.de > - DEPENDS:=+dnsmasq > + DEPENDS:=+dnsmasq \ > + +stubby > endef > > define Package/fff-dhcp/description > diff --git a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns > b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns > index ad9f1cd..20503bf 100644 > --- a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns > +++ b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns 
> @@ -1,21 +1,41 @@ > configure() { > ## dns > uci -q del dhcp.@dnsmasq[0].server > - if dnsservers=$(uci -q get gateway.@dns[0].server); then > - for f in $dnsservers; do > - uci add_list dhcp.@dnsmasq[0].server=$f > - uci add_list dhcp.@dnsmasq[0].server="/in- > addr.arpa/$f" > - uci add_list dhcp.@dnsmasq[0].server="/ip6.arpa/$f" > - done > + if [ $(uci -q get gateway.@dns[0].dnsdot) == 1 ]; then > + uci add_list dhcp.@dnsmasq[0].server="::1#5453" > + uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5453" > + uci set dhcp.@dnsmasq[0].noresolv="1" > + while uci -q delete stubby.@resolver[0]; do :; done > + if dnsservers=$(uci -q get gateway.@dns[0].server); then > + for f in $dnsservers; do > + type="$(echo $f | cut -d "@" -f 1)" > + uci set stubby.$type="resolver" > + uci set stubby.$type.address=""$(echo $f | > cut -d "@" -f 2)"" > + uci set stubby.$type.tls_auth_name=""$(echo > $f | cut -d "@" -f 3)"" > + done > + else > + echo "WARNING: No DNS servers set!" > + fi > + > else > - echo "WARNING: No DNS servers set!" > + if dnsservers=$(uci -q get gateway.@dns[0].server); then > + for f in $dnsservers; do > + uci add_list dhcp.@dnsmasq[0].server=$f > + uci add_list dhcp.@dnsmasq[0].server="/in- > addr.arpa/$f" > + uci add_list > dhcp.@dnsmasq[0].server="/ip6.arpa/$f" > + done > + else > + echo "WARNING: No DNS servers set!" > + fi > fi > } > > apply() { > uci commit dhcp > + uci commit stubby > } > > revert() { > uci revert dhcp > + uci revert stubby > } > -- > 2.11.0
hi fertig kompiliert auf einen wdr3600: root@TestGW:/etc/gateway.d# df -h Filesystem Size Used Available Use% Mounted on /dev/root 4.0M 4.0M 0 100% /rom tmpfs 61.3M 120.0K 61.2M 0% /tmp /dev/mtdblock3 2.9M 316.0K 2.6M 11% /overlay overlayfs:/overlay 2.9M 316.0K 2.6M 11% / tmpfs 512.0K 0 512.0K 0% /dev Hab dann nur einen mit der GW Firmware von dir da zum Vergleich da ist gw_20190507 drauf: root@fff-gw-wk:~# df -h Filesystem Size Used Available Use% Mounted on /dev/root 3.5M 3.5M 0 100% /rom tmpfs 61.1M 96.0K 61.0M 0% /tmp /dev/mtdblock3 3.3M 408.0K 2.9M 12% /overlay overlayfs:/overlay 3.3M 408.0K 2.9M 12% / tmpfs 512.0K 0 512.0K 0% /dev wenn ich es richtig sehe, sind das etwas um die 400-500ḱbyte? Ja ist nicht ganz wenig aber eigentlich haben wir auch noch genug Platz ;) Und ja macht natürlich nur auf den Layer 3 Routerin Sinn das ganze. Gruß Christian On 30.12.19 15:23, mail@adrianschmutzler.de wrote: > Stubby scheint nicht ganz klein zu sein. > > Sollte man vll. mal testen, was das beim fertig komprimierten Image ausmacht (inkl. der Dependencies). > > Da es nur für die GW-Firmware und damit ohnehin nur für die 8MB+ Geräte ist, ist das aber wahrscheinlich wurscht. > > Grüße > > Adrian > >> -----Original Message----- >> From: franken-dev [mailto:franken-dev-bounces@freifunk.net] On Behalf >> Of Christian Dresel >> Sent: Montag, 30. Dezember 2019 14:03 >> To: franken-dev@freifunk.net >> Subject: [RFC PATCH] Add DNS over TLS option inside the Freifunk backbone >> >> With this option it is possible to make DoT (DNS over TLS) from the layer3 >> router to the DoT DNS Server. >> >> The DNS traffic from Client to the layer3 router is still uncryptet. >> >> On the layer 3 router, dnsmasq forward the DNS to stubby. >> Stubby use DoT to ask a resolver inside or outside the Freifunk backbone >> >> For documentation for the options is here: >> https://wiki.freifunk- >> franken.de/w/Gatewayfirmware_Config/mit_stubby#dns_mit_DoT_.C3.BCb >> er_stubby 
>> >> Signed-off-by: Christian Dresel <fff@chrisi01.de> >> --- >> src/packages/fff/fff-dhcp/Makefile | 3 +- >> .../fff/fff-dhcp/files/etc/gateway.d/35-dns | 34 +++++++++++++++++--- >> -- >> 2 files changed, 29 insertions(+), 8 deletions(-) >> >> diff --git a/src/packages/fff/fff-dhcp/Makefile b/src/packages/fff/fff- >> dhcp/Makefile >> index c481d82..fed1a2b 100644 >> --- a/src/packages/fff/fff-dhcp/Makefile >> +++ b/src/packages/fff/fff-dhcp/Makefile >> @@ -12,7 +12,8 @@ define Package/fff-dhcp >> CATEGORY:=Freifunk >> TITLE:=Freifunk-Franken dhcp >> URL:=http://www.freifunk-franken.de >> - DEPENDS:=+dnsmasq >> + DEPENDS:=+dnsmasq \ >> + +stubby >> endef >> >> define Package/fff-dhcp/description >> diff --git a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns >> b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns >> index ad9f1cd..20503bf 100644 >> --- a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns >> +++ b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns 
>> @@ -1,21 +1,41 @@ >> configure() { >> ## dns >> uci -q del dhcp.@dnsmasq[0].server >> - if dnsservers=$(uci -q get gateway.@dns[0].server); then >> - for f in $dnsservers; do >> - uci add_list dhcp.@dnsmasq[0].server=$f >> - uci add_list dhcp.@dnsmasq[0].server="/in- >> addr.arpa/$f" >> - uci add_list dhcp.@dnsmasq[0].server="/ip6.arpa/$f" >> - done >> + if [ $(uci -q get gateway.@dns[0].dnsdot) == 1 ]; then >> + uci add_list dhcp.@dnsmasq[0].server="::1#5453" >> + uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5453" >> + uci set dhcp.@dnsmasq[0].noresolv="1" >> + while uci -q delete stubby.@resolver[0]; do :; done >> + if dnsservers=$(uci -q get gateway.@dns[0].server); then >> + for f in $dnsservers; do >> + type="$(echo $f | cut -d "@" -f 1)" >> + uci set stubby.$type="resolver" >> + uci set stubby.$type.address=""$(echo $f | >> cut -d "@" -f 2)"" >> + uci set stubby.$type.tls_auth_name=""$(echo >> $f | cut -d "@" -f 3)"" >> + done >> + else >> + echo "WARNING: No DNS servers set!" >> + fi >> + >> else >> - echo "WARNING: No DNS servers set!" >> + if dnsservers=$(uci -q get gateway.@dns[0].server); then >> + for f in $dnsservers; do >> + uci add_list dhcp.@dnsmasq[0].server=$f >> + uci add_list dhcp.@dnsmasq[0].server="/in- >> addr.arpa/$f" >> + uci add_list >> dhcp.@dnsmasq[0].server="/ip6.arpa/$f" >> + done >> + else >> + echo "WARNING: No DNS servers set!" >> + fi >> fi >> } >> >> apply() { >> uci commit dhcp >> + uci commit stubby >> } >> >> revert() { >> uci revert dhcp >> + uci revert stubby >> } >> -- >> 2.11.0
Hi, also getestet habe ich das ganze nicht, zuhause verwende ich aber auch fast ausschliesslich verschluesseltes dns (mit dnscrypt-proxy). Grundsaetzlich faende ich sowas gut im Freifunk zu haben. Gruesse, lemmi On 30.12.19 14:02, Christian Dresel wrote: > With this option it is possible to make DoT (DNS over TLS) from the layer3 > router to the DoT DNS Server. > > The DNS traffic from Client to the layer3 router is still uncryptet. > > On the layer 3 router, dnsmasq forward the DNS to stubby. > Stubby use DoT to ask a resolver inside or outside the Freifunk backbone > > For documentation for the options is here: > https://wiki.freifunk-franken.de/w/Gatewayfirmware_Config/mit_stubby#dns_mit_DoT_.C3.BCber_stubby > > Signed-off-by: Christian Dresel <fff@chrisi01.de> > --- > src/packages/fff/fff-dhcp/Makefile | 3 +- > .../fff/fff-dhcp/files/etc/gateway.d/35-dns | 34 +++++++++++++++++----- > 2 files changed, 29 insertions(+), 8 deletions(-) > > diff --git a/src/packages/fff/fff-dhcp/Makefile b/src/packages/fff/fff-dhcp/Makefile > index c481d82..fed1a2b 100644 > --- a/src/packages/fff/fff-dhcp/Makefile > +++ b/src/packages/fff/fff-dhcp/Makefile > @@ -12,7 +12,8 @@ define Package/fff-dhcp > CATEGORY:=Freifunk > TITLE:=Freifunk-Franken dhcp > URL:=http://www.freifunk-franken.de > - DEPENDS:=+dnsmasq > + DEPENDS:=+dnsmasq \ > + +stubby > endef > > define Package/fff-dhcp/description > diff --git a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns > index ad9f1cd..20503bf 100644 > --- a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns > +++ b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns 
> @@ -1,21 +1,41 @@ > configure() { > ## dns > uci -q del dhcp.@dnsmasq[0].server > - if dnsservers=$(uci -q get gateway.@dns[0].server); then > - for f in $dnsservers; do > - uci add_list dhcp.@dnsmasq[0].server=$f > - uci add_list dhcp.@dnsmasq[0].server="/in-addr.arpa/$f" > - uci add_list dhcp.@dnsmasq[0].server="/ip6.arpa/$f" > - done > + if [ $(uci -q get gateway.@dns[0].dnsdot) == 1 ]; then > + uci add_list dhcp.@dnsmasq[0].server="::1#5453" > + uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5453" > + uci set dhcp.@dnsmasq[0].noresolv="1" > + while uci -q delete stubby.@resolver[0]; do :; done > + if dnsservers=$(uci -q get gateway.@dns[0].server); then > + for f in $dnsservers; do > + type="$(echo $f | cut -d "@" -f 1)" > + uci set stubby.$type="resolver" > + uci set stubby.$type.address=""$(echo $f | cut -d "@" -f 2)"" > + uci set stubby.$type.tls_auth_name=""$(echo $f | cut -d "@" -f 3)"" > + done > + else > + echo "WARNING: No DNS servers set!" > + fi > + > else > - echo "WARNING: No DNS servers set!" > + if dnsservers=$(uci -q get gateway.@dns[0].server); then > + for f in $dnsservers; do > + uci add_list dhcp.@dnsmasq[0].server=$f > + uci add_list dhcp.@dnsmasq[0].server="/in-addr.arpa/$f" > + uci add_list dhcp.@dnsmasq[0].server="/ip6.arpa/$f" > + done > + else > + echo "WARNING: No DNS servers set!" > + fi > fi > } > > apply() { > uci commit dhcp > + uci commit stubby > } > > revert() { > uci revert dhcp > + uci revert stubby > }
With this option it is possible to make DoT (DNS over TLS) from the layer3 router to the DoT DNS Server. The DNS traffic from Client to the layer3 router is still unencrypted. On the layer 3 router, dnsmasq forwards the DNS queries to stubby. Stubby uses DoT to ask a resolver inside or outside the Freifunk backbone. Documentation for the options is here: https://wiki.freifunk-franken.de/w/Gatewayfirmware_Config/mit_stubby#dns_mit_DoT_.C3.BCber_stubby Signed-off-by: Christian Dresel <fff@chrisi01.de> --- src/packages/fff/fff-dhcp/Makefile | 3 +- .../fff/fff-dhcp/files/etc/gateway.d/35-dns | 34 +++++++++++++++++----- 2 files changed, 29 insertions(+), 8 deletions(-)