[RFC] Add DNS over TLS option inside the Freifunk backbone

Submitted by Christian Dresel on Dec. 30, 2019, 1:02 p.m.


Message ID 20191230130250.1303-1-fff@chrisi01.de
State New

Commit Message

Christian Dresel Dec. 30, 2019, 1:02 p.m.
With this option it is possible to make DoT (DNS over TLS) from the layer3
router to the DoT DNS Server.

The DNS traffic from the client to the layer 3 router is still unencrypted.

On the layer 3 router, dnsmasq forward the DNS to stubby.
Stubby use DoT to ask a resolver inside or outside the Freifunk backbone

For documentation for the options is here:
https://wiki.freifunk-franken.de/w/Gatewayfirmware_Config/mit_stubby#dns_mit_DoT_.C3.BCber_stubby

Signed-off-by: Christian Dresel <fff@chrisi01.de>
---
 src/packages/fff/fff-dhcp/Makefile                 |  3 +-
 .../fff/fff-dhcp/files/etc/gateway.d/35-dns        | 34 +++++++++++++++++-----
 2 files changed, 29 insertions(+), 8 deletions(-)


diff --git a/src/packages/fff/fff-dhcp/Makefile b/src/packages/fff/fff-dhcp/Makefile
index c481d82..fed1a2b 100644
--- a/src/packages/fff/fff-dhcp/Makefile
+++ b/src/packages/fff/fff-dhcp/Makefile
@@ -12,7 +12,8 @@  define Package/fff-dhcp
 	CATEGORY:=Freifunk
 	TITLE:=Freifunk-Franken dhcp
 	URL:=http://www.freifunk-franken.de
-	DEPENDS:=+dnsmasq
+	DEPENDS:=+dnsmasq \
+	         +stubby
 endef
 
 define Package/fff-dhcp/description
diff --git a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
index ad9f1cd..20503bf 100644
--- a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
+++ b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
@@ -1,21 +1,41 @@ 
 configure() {
 	## dns
 	uci -q del dhcp.@dnsmasq[0].server
-	if dnsservers=$(uci -q get gateway.@dns[0].server); then
-		for f in $dnsservers; do
-			uci add_list dhcp.@dnsmasq[0].server=$f
-			uci add_list dhcp.@dnsmasq[0].server="/in-addr.arpa/$f"
-			uci add_list dhcp.@dnsmasq[0].server="/ip6.arpa/$f"
-		done
+	if [ $(uci -q get gateway.@dns[0].dnsdot) == 1 ]; then
+		uci add_list dhcp.@dnsmasq[0].server="::1#5453"
+		uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5453"
+		uci set dhcp.@dnsmasq[0].noresolv="1"
+		while uci -q delete stubby.@resolver[0]; do :; done
+		if dnsservers=$(uci -q get gateway.@dns[0].server); then 
+			for f in $dnsservers; do
+				type="$(echo $f | cut -d "@" -f 1)"
+				uci set stubby.$type="resolver"
+				uci set stubby.$type.address=""$(echo $f | cut -d "@" -f 2)""
+				uci set stubby.$type.tls_auth_name=""$(echo $f | cut -d "@" -f 3)""
+			done
+		else
+			echo "WARNING: No DNS servers set!"
+		fi
+		
 	else
-		echo "WARNING: No DNS servers set!"
+		if dnsservers=$(uci -q get gateway.@dns[0].server); then
+			for f in $dnsservers; do
+				uci add_list dhcp.@dnsmasq[0].server=$f
+				uci add_list dhcp.@dnsmasq[0].server="/in-addr.arpa/$f"
+				uci add_list dhcp.@dnsmasq[0].server="/ip6.arpa/$f"
+			done
+		else
+			echo "WARNING: No DNS servers set!"
+		fi
 	fi
 }
 
 apply() {
 	uci commit dhcp
+	uci commit stubby
 }
 
 revert() {
 	uci revert dhcp
+	uci revert stubby
 }
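Review bot: The new test `if [ $(uci -q get gateway.@dns[0].dnsdot) == 1 ]; then` is malformed whenever `dnsdot` is not set at all: `uci -q get` prints nothing, the unquoted substitution vanishes, and `[ == 1 ]` produces a test error rather than a clean false, reaching the plain-DNS branch only because a failed test returns non-zero; it should read `if [ "$(uci -q get gateway.@dns[0].dnsdot)" = "1" ]; then`. The doubled quotes in `uci set stubby.$type.address=""$(echo $f | cut -d "@" -f 2)""` and the `tls_auth_name` line below it cancel each other out, leaving the value subject to word splitting and globbing; a single pair, `"$(echo $f | cut -d "@" -f 2)"`, is what is intended. An entry with fewer than three `@`-separated fields yields an empty `tls_auth_name`, and nothing in this hunk configures stubby's authentication mode, so whether the upstream connection is still authenticated depends on a package default not visible here; a guard such as `[ -n "$authname" ] || echo "WARNING: no tls_auth_name for resolver $type"` would make that explicit. `noresolv="1"` is set in the DoT branch but never cleared in the else branch, so it survives a later switch back to plain forwarding. The whole of configure() is within the hunk.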

Comments

Adrian Schmutzler Dec. 30, 2019, 2:23 p.m.
Stubby scheint nicht ganz klein zu sein.

Sollte man vll. mal testen, was das beim fertig komprimierten Image ausmacht (inkl. der Dependencies).

Da es nur für die GW-Firmware und damit ohnehin nur für die 8MB+ Geräte ist, ist das aber wahrscheinlich wurscht.

Grüße

Adrian

> -----Original Message-----
> From: franken-dev [mailto:franken-dev-bounces@freifunk.net] On Behalf
> Of Christian Dresel
> Sent: Montag, 30. Dezember 2019 14:03
> To: franken-dev@freifunk.net
> Subject: [RFC PATCH] Add DNS over TLS option inside the Freifunk backbone
> 
> With this option it is possible to make DoT (DNS over TLS) from the layer3
> router to the DoT DNS Server.
> 
> The DNS traffic from Client to the layer3 router is still uncryptet.
> 
> On the layer 3 router, dnsmasq forward the DNS to stubby.
> Stubby use DoT to ask a resolver inside or outside the Freifunk backbone
> 
> For documentation for the options is here:
> https://wiki.freifunk-
> franken.de/w/Gatewayfirmware_Config/mit_stubby#dns_mit_DoT_.C3.BCb
> er_stubby
> 
> Signed-off-by: Christian Dresel <fff@chrisi01.de>
> ---
>  src/packages/fff/fff-dhcp/Makefile                 |  3 +-
>  .../fff/fff-dhcp/files/etc/gateway.d/35-dns        | 34 +++++++++++++++++---
> --
>  2 files changed, 29 insertions(+), 8 deletions(-)
> 
> diff --git a/src/packages/fff/fff-dhcp/Makefile b/src/packages/fff/fff-
> dhcp/Makefile
> index c481d82..fed1a2b 100644
> --- a/src/packages/fff/fff-dhcp/Makefile
> +++ b/src/packages/fff/fff-dhcp/Makefile
> @@ -12,7 +12,8 @@ define Package/fff-dhcp
>  	CATEGORY:=Freifunk
>  	TITLE:=Freifunk-Franken dhcp
>  	URL:=http://www.freifunk-franken.de
> -	DEPENDS:=+dnsmasq
> +	DEPENDS:=+dnsmasq \
> +	         +stubby
>  endef
> 
>  define Package/fff-dhcp/description
> diff --git a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
> b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
> index ad9f1cd..20503bf 100644
> --- a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
> +++ b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
> @@ -1,21 +1,41 @@
>  configure() {
>  	## dns
>  	uci -q del dhcp.@dnsmasq[0].server
> -	if dnsservers=$(uci -q get gateway.@dns[0].server); then
> -		for f in $dnsservers; do
> -			uci add_list dhcp.@dnsmasq[0].server=$f
> -			uci add_list dhcp.@dnsmasq[0].server="/in-
> addr.arpa/$f"
> -			uci add_list dhcp.@dnsmasq[0].server="/ip6.arpa/$f"
> -		done
> +	if [ $(uci -q get gateway.@dns[0].dnsdot) == 1 ]; then
> +		uci add_list dhcp.@dnsmasq[0].server="::1#5453"
> +		uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5453"
> +		uci set dhcp.@dnsmasq[0].noresolv="1"
> +		while uci -q delete stubby.@resolver[0]; do :; done
> +		if dnsservers=$(uci -q get gateway.@dns[0].server); then
> +			for f in $dnsservers; do
> +				type="$(echo $f | cut -d "@" -f 1)"
> +				uci set stubby.$type="resolver"
> +				uci set stubby.$type.address=""$(echo $f |
> cut -d "@" -f 2)""
> +				uci set stubby.$type.tls_auth_name=""$(echo
> $f | cut -d "@" -f 3)""
> +			done
> +		else
> +			echo "WARNING: No DNS servers set!"
> +		fi
> +
>  	else
> -		echo "WARNING: No DNS servers set!"
> +		if dnsservers=$(uci -q get gateway.@dns[0].server); then
> +			for f in $dnsservers; do
> +				uci add_list dhcp.@dnsmasq[0].server=$f
> +				uci add_list dhcp.@dnsmasq[0].server="/in-
> addr.arpa/$f"
> +				uci add_list
> dhcp.@dnsmasq[0].server="/ip6.arpa/$f"
> +			done
> +		else
> +			echo "WARNING: No DNS servers set!"
> +		fi
>  	fi
>  }
> 
>  apply() {
>  	uci commit dhcp
> +	uci commit stubby
>  }
> 
>  revert() {
>  	uci revert dhcp
> +	uci revert stubby
>  }
> --
> 2.11.0
Christian Dresel Dec. 30, 2019, 2:28 p.m.
hi

fertig kompiliert auf einen wdr3600:

root@TestGW:/etc/gateway.d# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                 4.0M      4.0M         0 100% /rom
tmpfs                    61.3M    120.0K     61.2M   0% /tmp
/dev/mtdblock3            2.9M    316.0K      2.6M  11% /overlay
overlayfs:/overlay        2.9M    316.0K      2.6M  11% /
tmpfs                   512.0K         0    512.0K   0% /dev

Hab dann nur einen mit der GW Firmware von dir da zum Vergleich da ist
gw_20190507 drauf:

root@fff-gw-wk:~# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                 3.5M      3.5M         0 100% /rom
tmpfs                    61.1M     96.0K     61.0M   0% /tmp
/dev/mtdblock3            3.3M    408.0K      2.9M  12% /overlay
overlayfs:/overlay        3.3M    408.0K      2.9M  12% /
tmpfs                   512.0K         0    512.0K   0% /dev

wenn ich es richtig sehe, sind das etwas um die 400-500 kByte? Ja ist
nicht ganz wenig aber eigentlich haben wir auch noch genug Platz ;)

Und ja macht natürlich nur auf den Layer 3 Routerin Sinn das ganze.

Gruß

Christian

On 30.12.19 15:23, mail@adrianschmutzler.de wrote:
> Stubby scheint nicht ganz klein zu sein.
> 
> Sollte man vll. mal testen, was das beim fertig komprimierten Image ausmacht (inkl. der Dependencies).
> 
> Da es nur für die GW-Firmware und damit ohnehin nur für die 8MB+ Geräte ist, ist das aber wahrscheinlich wurscht.
> 
> Grüße
> 
> Adrian
> 
>> -----Original Message-----
>> From: franken-dev [mailto:franken-dev-bounces@freifunk.net] On Behalf
>> Of Christian Dresel
>> Sent: Montag, 30. Dezember 2019 14:03
>> To: franken-dev@freifunk.net
>> Subject: [RFC PATCH] Add DNS over TLS option inside the Freifunk backbone
>>
>> With this option it is possible to make DoT (DNS over TLS) from the layer3
>> router to the DoT DNS Server.
>>
>> The DNS traffic from Client to the layer3 router is still uncryptet.
>>
>> On the layer 3 router, dnsmasq forward the DNS to stubby.
>> Stubby use DoT to ask a resolver inside or outside the Freifunk backbone
>>
>> For documentation for the options is here:
>> https://wiki.freifunk-
>> franken.de/w/Gatewayfirmware_Config/mit_stubby#dns_mit_DoT_.C3.BCb
>> er_stubby
>>
>> Signed-off-by: Christian Dresel <fff@chrisi01.de>
>> ---
>>  src/packages/fff/fff-dhcp/Makefile                 |  3 +-
>>  .../fff/fff-dhcp/files/etc/gateway.d/35-dns        | 34 +++++++++++++++++---
>> --
>>  2 files changed, 29 insertions(+), 8 deletions(-)
>>
>> diff --git a/src/packages/fff/fff-dhcp/Makefile b/src/packages/fff/fff-
>> dhcp/Makefile
>> index c481d82..fed1a2b 100644
>> --- a/src/packages/fff/fff-dhcp/Makefile
>> +++ b/src/packages/fff/fff-dhcp/Makefile
>> @@ -12,7 +12,8 @@ define Package/fff-dhcp
>>  	CATEGORY:=Freifunk
>>  	TITLE:=Freifunk-Franken dhcp
>>  	URL:=http://www.freifunk-franken.de
>> -	DEPENDS:=+dnsmasq
>> +	DEPENDS:=+dnsmasq \
>> +	         +stubby
>>  endef
>>
>>  define Package/fff-dhcp/description
>> diff --git a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
>> b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
>> index ad9f1cd..20503bf 100644
>> --- a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
>> +++ b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
>> @@ -1,21 +1,41 @@
>>  configure() {
>>  	## dns
>>  	uci -q del dhcp.@dnsmasq[0].server
>> -	if dnsservers=$(uci -q get gateway.@dns[0].server); then
>> -		for f in $dnsservers; do
>> -			uci add_list dhcp.@dnsmasq[0].server=$f
>> -			uci add_list dhcp.@dnsmasq[0].server="/in-
>> addr.arpa/$f"
>> -			uci add_list dhcp.@dnsmasq[0].server="/ip6.arpa/$f"
>> -		done
>> +	if [ $(uci -q get gateway.@dns[0].dnsdot) == 1 ]; then
>> +		uci add_list dhcp.@dnsmasq[0].server="::1#5453"
>> +		uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5453"
>> +		uci set dhcp.@dnsmasq[0].noresolv="1"
>> +		while uci -q delete stubby.@resolver[0]; do :; done
>> +		if dnsservers=$(uci -q get gateway.@dns[0].server); then
>> +			for f in $dnsservers; do
>> +				type="$(echo $f | cut -d "@" -f 1)"
>> +				uci set stubby.$type="resolver"
>> +				uci set stubby.$type.address=""$(echo $f |
>> cut -d "@" -f 2)""
>> +				uci set stubby.$type.tls_auth_name=""$(echo
>> $f | cut -d "@" -f 3)""
>> +			done
>> +		else
>> +			echo "WARNING: No DNS servers set!"
>> +		fi
>> +
>>  	else
>> -		echo "WARNING: No DNS servers set!"
>> +		if dnsservers=$(uci -q get gateway.@dns[0].server); then
>> +			for f in $dnsservers; do
>> +				uci add_list dhcp.@dnsmasq[0].server=$f
>> +				uci add_list dhcp.@dnsmasq[0].server="/in-
>> addr.arpa/$f"
>> +				uci add_list
>> dhcp.@dnsmasq[0].server="/ip6.arpa/$f"
>> +			done
>> +		else
>> +			echo "WARNING: No DNS servers set!"
>> +		fi
>>  	fi
>>  }
>>
>>  apply() {
>>  	uci commit dhcp
>> +	uci commit stubby
>>  }
>>
>>  revert() {
>>  	uci revert dhcp
>> +	uci revert stubby
>>  }
>> --
>> 2.11.0
lemmi Jan. 7, 2020, 12:52 p.m.
Hi,

also getestet habe ich das ganze nicht, zuhause verwende ich aber auch 
fast ausschliesslich verschluesseltes dns (mit dnscrypt-proxy). 
Grundsaetzlich faende ich sowas gut im Freifunk zu haben.

Gruesse,

lemmi

On 30.12.19 14:02, Christian Dresel wrote:
> With this option it is possible to make DoT (DNS over TLS) from the layer3
> router to the DoT DNS Server.
>
> The DNS traffic from Client to the layer3 router is still uncryptet.
>
> On the layer 3 router, dnsmasq forward the DNS to stubby.
> Stubby use DoT to ask a resolver inside or outside the Freifunk backbone
>
> For documentation for the options is here:
> https://wiki.freifunk-franken.de/w/Gatewayfirmware_Config/mit_stubby#dns_mit_DoT_.C3.BCber_stubby
>
> Signed-off-by: Christian Dresel <fff@chrisi01.de>
> ---
>   src/packages/fff/fff-dhcp/Makefile                 |  3 +-
>   .../fff/fff-dhcp/files/etc/gateway.d/35-dns        | 34 +++++++++++++++++-----
>   2 files changed, 29 insertions(+), 8 deletions(-)
>
> diff --git a/src/packages/fff/fff-dhcp/Makefile b/src/packages/fff/fff-dhcp/Makefile
> index c481d82..fed1a2b 100644
> --- a/src/packages/fff/fff-dhcp/Makefile
> +++ b/src/packages/fff/fff-dhcp/Makefile
> @@ -12,7 +12,8 @@ define Package/fff-dhcp
>   	CATEGORY:=Freifunk
>   	TITLE:=Freifunk-Franken dhcp
>   	URL:=http://www.freifunk-franken.de
> -	DEPENDS:=+dnsmasq
> +	DEPENDS:=+dnsmasq \
> +	         +stubby
>   endef
>   
>   define Package/fff-dhcp/description
> diff --git a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
> index ad9f1cd..20503bf 100644
> --- a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
> +++ b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
> @@ -1,21 +1,41 @@
>   configure() {
>   	## dns
>   	uci -q del dhcp.@dnsmasq[0].server
> -	if dnsservers=$(uci -q get gateway.@dns[0].server); then
> -		for f in $dnsservers; do
> -			uci add_list dhcp.@dnsmasq[0].server=$f
> -			uci add_list dhcp.@dnsmasq[0].server="/in-addr.arpa/$f"
> -			uci add_list dhcp.@dnsmasq[0].server="/ip6.arpa/$f"
> -		done
> +	if [ $(uci -q get gateway.@dns[0].dnsdot) == 1 ]; then
> +		uci add_list dhcp.@dnsmasq[0].server="::1#5453"
> +		uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5453"
> +		uci set dhcp.@dnsmasq[0].noresolv="1"
> +		while uci -q delete stubby.@resolver[0]; do :; done
> +		if dnsservers=$(uci -q get gateway.@dns[0].server); then
> +			for f in $dnsservers; do
> +				type="$(echo $f | cut -d "@" -f 1)"
> +				uci set stubby.$type="resolver"
> +				uci set stubby.$type.address=""$(echo $f | cut -d "@" -f 2)""
> +				uci set stubby.$type.tls_auth_name=""$(echo $f | cut -d "@" -f 3)""
> +			done
> +		else
> +			echo "WARNING: No DNS servers set!"
> +		fi
> +		
>   	else
> -		echo "WARNING: No DNS servers set!"
> +		if dnsservers=$(uci -q get gateway.@dns[0].server); then
> +			for f in $dnsservers; do
> +				uci add_list dhcp.@dnsmasq[0].server=$f
> +				uci add_list dhcp.@dnsmasq[0].server="/in-addr.arpa/$f"
> +				uci add_list dhcp.@dnsmasq[0].server="/ip6.arpa/$f"
> +			done
> +		else
> +			echo "WARNING: No DNS servers set!"
> +		fi
>   	fi
>   }
>   
>   apply() {
>   	uci commit dhcp
> +	uci commit stubby
>   }
>   
>   revert() {
>   	uci revert dhcp
> +	uci revert stubby
>   }