Message ID | 20200405122047.14784-1-fff@chrisi01.de |
---|---|
State | New |
Headers | show |
diff --git a/src/packages/fff/fff-dhcp/Makefile b/src/packages/fff/fff-dhcp/Makefile index 3f0d65c..62e6c25 100644 --- a/src/packages/fff/fff-dhcp/Makefile +++ b/src/packages/fff/fff-dhcp/Makefile @@ -1,7 +1,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=fff-dhcp -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_BUILD_DIR:=$(BUILD_DIR)/fff-dhcp @@ -12,7 +12,8 @@ define Package/fff-dhcp CATEGORY:=Freifunk TITLE:=Freifunk-Franken dhcp URL:=http://www.freifunk-franken.de - DEPENDS:=+dnsmasq + DEPENDS:=+dnsmasq \ + +stubby endef define Package/fff-dhcp/description diff --git a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns index ad9f1cd..89105f0 100644 --- a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns +++ b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns @@ -1,21 +1,40 @@ configure() { ## dns uci -q del dhcp.@dnsmasq[0].server - if dnsservers=$(uci -q get gateway.@dns[0].server); then - for f in $dnsservers; do - uci add_list dhcp.@dnsmasq[0].server=$f - uci add_list dhcp.@dnsmasq[0].server="/in-addr.arpa/$f" - uci add_list dhcp.@dnsmasq[0].server="/ip6.arpa/$f" - done + if [ $(uci -q get gateway.@dns[0].dnsdot) = 1 ]; then + uci add_list dhcp.@dnsmasq[0].server="::1#5453" + uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5453" + uci set dhcp.@dnsmasq[0].noresolv="1" + while uci -q delete stubby.@resolver[0]; do :; done + if dnsservers=$(uci -q get gateway.@dns[0].server); then + for f in $dnsservers; do + type="$(echo $f | cut -d @ -f 1)" + uci set stubby.$type="resolver" + uci set stubby.$type.address="$(echo $f | cut -d @ -f 2)" + uci set stubby.$type.tls_auth_name="$(echo $f | cut -d @ -f 3)" + done + else + echo "WARNING: No DNS servers set!" + fi else - echo "WARNING: No DNS servers set!" + if dnsservers=$(uci -q get gateway.@dns[0].server); then + for f in $dnsservers; do + uci add_list dhcp.@dnsmasq[0].server=$f + uci add_list dhcp.@dnsmasq[0].server="/in-addr.arpa/$f" + uci add_list dhcp.@dnsmasq[0].server="/ip6.arpa/$f" + done + else + echo "WARNING: No DNS servers set!" + fi fi } apply() { uci commit dhcp + uci commit stubby } revert() { uci revert dhcp + uci revert stubby }
Hi Christian, Reviewed-by: Robert Langhammer <rlanghammer@web.de> und sogar an das PKG_RELEASE gedacht! Am 05.04.20 um 14:20 schrieb Christian Dresel: > With this option it is possible to make DoT (DNS over TLS) from the layer3 > router to the DoT DNS Server. > > The DNS traffic from Client to the layer3 router is still uncryptet. > > On the layer 3 router, dnsmasq forward the DNS to stubby. > Stubby use DoT to ask a resolver inside or outside the Freifunk backbone > > For documentation for the options is here: > https://wiki.freifunk-franken.de/w/Gatewayfirmware_Config/mit_stubby#dns_mit_DoT_.C3.BCber_stubby > > Signed-off-by: Christian Dresel <fff@chrisi01.de> > > --- > > Changes in v2: > - fix some quoting > - increase PKG_RELEASE > ---
Hallo Christian, nur ein paar dumme Kommentare/Fragen: > -----Original Message----- > From: franken-dev [mailto:franken-dev-bounces@freifunk.net] On Behalf > Of Christian Dresel > Sent: Sonntag, 5. April 2020 14:21 > To: franken-dev@freifunk.net > Subject: [PATCH v2] fff-dhcp: Add DNS over TLS option inside the Freifunk > backbone > > With this option it is possible to make DoT (DNS over TLS) from the layer3 > router to the DoT DNS Server. > > The DNS traffic from Client to the layer3 router is still uncryptet. uncryptet -> unencrypted > > On the layer 3 router, dnsmasq forward the DNS to stubby. forward -> forwards > Stubby use DoT to ask a resolver inside or outside the Freifunk backbone use -> uses; "ask a" -> "ask for a" > > For documentation for the options is here: "of the options" > https://wiki.freifunk- > franken.de/w/Gatewayfirmware_Config/mit_stubby#dns_mit_DoT_.C3.BCb > er_stubby > > Signed-off-by: Christian Dresel <fff@chrisi01.de> > > --- > > Changes in v2: > - fix some quoting > - increase PKG_RELEASE > --- > src/packages/fff/fff-dhcp/Makefile | 5 ++-- > .../fff/fff-dhcp/files/etc/gateway.d/35-dns | 33 +++++++++++++++++--- > -- > 2 files changed, 29 insertions(+), 9 deletions(-) > > diff --git a/src/packages/fff/fff-dhcp/Makefile b/src/packages/fff/fff- > dhcp/Makefile > index 3f0d65c..62e6c25 100644 > --- a/src/packages/fff/fff-dhcp/Makefile > +++ b/src/packages/fff/fff-dhcp/Makefile > @@ -1,7 +1,7 @@ > include $(TOPDIR)/rules.mk > > PKG_NAME:=fff-dhcp > -PKG_RELEASE:=2 > +PKG_RELEASE:=3 > > PKG_BUILD_DIR:=$(BUILD_DIR)/fff-dhcp > > @@ -12,7 +12,8 @@ define Package/fff-dhcp > CATEGORY:=Freifunk > TITLE:=Freifunk-Franken dhcp > URL:=http://www.freifunk-franken.de > - DEPENDS:=+dnsmasq > + DEPENDS:=+dnsmasq \ > + +stubby > endef > > define Package/fff-dhcp/description > diff --git a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns > b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns > index ad9f1cd..89105f0 100644 > --- a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns > +++ b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns > @@ -1,21 +1,40 @@ > configure() { > ## dns > uci -q del dhcp.@dnsmasq[0].server > - if dnsservers=$(uci -q get gateway.@dns[0].server); then > - for f in $dnsservers; do > - uci add_list dhcp.@dnsmasq[0].server=$f > - uci add_list dhcp.@dnsmasq[0].server="/in- > addr.arpa/$f" > - uci add_list dhcp.@dnsmasq[0].server="/ip6.arpa/$f" > - done > + if [ $(uci -q get gateway.@dns[0].dnsdot) = 1 ]; then Ich würde beide zu vergleichende Werte in Anführungszeichen setzen, damit sicher Strings verglichen werden, und keine Zahlen: [ "$(uci -q get gateway.@dns[0].dnsdot)" = "1" ] Ist aber in der Praxis wahrscheinlich ziemlich wurscht. > + uci add_list dhcp.@dnsmasq[0].server="::1#5453" > + uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5453" > + uci set dhcp.@dnsmasq[0].noresolv="1" > + while uci -q delete stubby.@resolver[0]; do :; done Diese Zeile ist eigentlich der Grund, warum ich überhaupt eine Mail geschrieben habe: Was tut die? Für mich sieht das aus wie ein kompliziertes Äquivalent von uci -q delete stubby.@resolver[0] Beste Grüße Adrian > + if dnsservers=$(uci -q get gateway.@dns[0].server); then > + for f in $dnsservers; do > + type="$(echo $f | cut -d @ -f 1)" > + uci set stubby.$type="resolver" > + uci set stubby.$type.address="$(echo $f | cut > -d @ -f 2)" > + uci set stubby.$type.tls_auth_name="$(echo > $f | cut -d @ -f 3)" > + done > + else > + echo "WARNING: No DNS servers set!" > + fi > else > - echo "WARNING: No DNS servers set!" > + if dnsservers=$(uci -q get gateway.@dns[0].server); then > + for f in $dnsservers; do > + uci add_list dhcp.@dnsmasq[0].server=$f > + uci add_list dhcp.@dnsmasq[0].server="/in- > addr.arpa/$f" > + uci add_list > dhcp.@dnsmasq[0].server="/ip6.arpa/$f" > + done > + else > + echo "WARNING: No DNS servers set!" > + fi > fi > } > > apply() { > uci commit dhcp > + uci commit stubby > } > > revert() { > uci revert dhcp > + uci revert stubby > } > -- > 2.11.0
Hallo Adrian On 06.04.20 19:59, mail@adrianschmutzler.de wrote: > Hallo Christian, > > nur ein paar dumme Kommentare/Fragen: > >> -----Original Message----- >> From: franken-dev [mailto:franken-dev-bounces@freifunk.net] On Behalf >> Of Christian Dresel >> Sent: Sonntag, 5. April 2020 14:21 >> To: franken-dev@freifunk.net >> Subject: [PATCH v2] fff-dhcp: Add DNS over TLS option inside the Freifunk >> backbone >> >> With this option it is possible to make DoT (DNS over TLS) from the layer3 >> router to the DoT DNS Server. >> >> The DNS traffic from Client to the layer3 router is still uncryptet. > > uncryptet -> unencrypted > >> >> On the layer 3 router, dnsmasq forward the DNS to stubby. > > forward -> forwards > >> Stubby use DoT to ask a resolver inside or outside the Freifunk backbone > > use -> uses; "ask a" -> "ask for a" > >> >> For documentation for the options is here: > > "of the options" > >> https://wiki.freifunk- >> franken.de/w/Gatewayfirmware_Config/mit_stubby#dns_mit_DoT_.C3.BCb >> er_stubby >> >> Signed-off-by: Christian Dresel <fff@chrisi01.de> >> >> --- >> >> Changes in v2: >> - fix some quoting >> - increase PKG_RELEASE >> --- >> src/packages/fff/fff-dhcp/Makefile | 5 ++-- >> .../fff/fff-dhcp/files/etc/gateway.d/35-dns | 33 +++++++++++++++++--- >> -- >> 2 files changed, 29 insertions(+), 9 deletions(-) >> >> diff --git a/src/packages/fff/fff-dhcp/Makefile b/src/packages/fff/fff- >> dhcp/Makefile >> index 3f0d65c..62e6c25 100644 >> --- a/src/packages/fff/fff-dhcp/Makefile >> +++ b/src/packages/fff/fff-dhcp/Makefile >> @@ -1,7 +1,7 @@ >> include $(TOPDIR)/rules.mk >> >> PKG_NAME:=fff-dhcp >> -PKG_RELEASE:=2 >> +PKG_RELEASE:=3 >> >> PKG_BUILD_DIR:=$(BUILD_DIR)/fff-dhcp >> >> @@ -12,7 +12,8 @@ define Package/fff-dhcp >> CATEGORY:=Freifunk >> TITLE:=Freifunk-Franken dhcp >> URL:=http://www.freifunk-franken.de >> - DEPENDS:=+dnsmasq >> + DEPENDS:=+dnsmasq \ >> + +stubby >> endef >> >> define Package/fff-dhcp/description >> diff --git a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns >> b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns >> index ad9f1cd..89105f0 100644 >> --- a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns >> +++ b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns >> @@ -1,21 +1,40 @@ >> configure() { >> ## dns >> uci -q del dhcp.@dnsmasq[0].server >> - if dnsservers=$(uci -q get gateway.@dns[0].server); then >> - for f in $dnsservers; do >> - uci add_list dhcp.@dnsmasq[0].server=$f >> - uci add_list dhcp.@dnsmasq[0].server="/in- >> addr.arpa/$f" >> - uci add_list dhcp.@dnsmasq[0].server="/ip6.arpa/$f" >> - done >> + if [ $(uci -q get gateway.@dns[0].dnsdot) = 1 ]; then > > Ich würde beide zu vergleichende Werte in Anführungszeichen setzen, damit sicher Strings verglichen werden, und keine Zahlen: > > [ "$(uci -q get gateway.@dns[0].dnsdot)" = "1" ] > > Ist aber in der Praxis wahrscheinlich ziemlich wurscht. am Ende gibts viele Möglichkeiten, ich hab ja sogar über ein if uci -q get gateway.@dns[0].dnsdot; then nachgedacht aber am Ende... wurscht. > >> + uci add_list dhcp.@dnsmasq[0].server="::1#5453" >> + uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5453" >> + uci set dhcp.@dnsmasq[0].noresolv="1" >> + while uci -q delete stubby.@resolver[0]; do :; done > > Diese Zeile ist eigentlich der Grund, warum ich überhaupt eine Mail geschrieben habe: > Was tut die? > Für mich sieht das aus wie ein kompliziertes Äquivalent von > uci -q delete stubby.@resolver[0] tja sagen wir so, meine Programmierkenntnisse sind in etwa so gut wie meine Englischkenntnisse (scheiße was kann ich eigentlich überhaupt? Deutsch klappt ja auch nie... ah Fränkisch wäre was ;)) hab ich mich hier einfach aus dem OpenWRT Wiki bedient: https://openwrt.org/docs/guide-user/services/dns/dot_dnsmasq_stubby#dot_provider also ja, vermutlich macht sie genau das gleiche. Gruß Christian > > Beste Grüße > > Adrian > >> + if dnsservers=$(uci -q get gateway.@dns[0].server); then >> + for f in $dnsservers; do >> + type="$(echo $f | cut -d @ -f 1)" >> + uci set stubby.$type="resolver" >> + uci set stubby.$type.address="$(echo $f | cut >> -d @ -f 2)" >> + uci set stubby.$type.tls_auth_name="$(echo >> $f | cut -d @ -f 3)" >> + done >> + else >> + echo "WARNING: No DNS servers set!" >> + fi >> else >> - echo "WARNING: No DNS servers set!" >> + if dnsservers=$(uci -q get gateway.@dns[0].server); then >> + for f in $dnsservers; do >> + uci add_list dhcp.@dnsmasq[0].server=$f >> + uci add_list dhcp.@dnsmasq[0].server="/in- >> addr.arpa/$f" >> + uci add_list >> dhcp.@dnsmasq[0].server="/ip6.arpa/$f" >> + done >> + else >> + echo "WARNING: No DNS servers set!" >> + fi >> fi >> } >> >> apply() { >> uci commit dhcp >> + uci commit stubby >> } >> >> revert() { >> uci revert dhcp >> + uci revert stubby >> } >> -- >> 2.11.0
Hallo Christian, > -----Original Message----- > From: Christian Dresel [mailto:fff@chrisi01.de] > Sent: Montag, 6. April 2020 22:23 > To: mail@adrianschmutzler.de; franken-dev@freifunk.net > Subject: Re: [PATCH v2] fff-dhcp: Add DNS over TLS option inside the > Freifunk backbone > > Hallo Adrian > > On 06.04.20 19:59, mail@adrianschmutzler.de wrote: > > Hallo Christian, > > > > nur ein paar dumme Kommentare/Fragen: > > > >> -----Original Message----- > >> From: franken-dev [mailto:franken-dev-bounces@freifunk.net] On > Behalf > >> Of Christian Dresel > >> Sent: Sonntag, 5. April 2020 14:21 > >> To: franken-dev@freifunk.net > >> Subject: [PATCH v2] fff-dhcp: Add DNS over TLS option inside the > >> Freifunk backbone > >> > >> With this option it is possible to make DoT (DNS over TLS) from the > >> layer3 router to the DoT DNS Server. > >> > >> The DNS traffic from Client to the layer3 router is still uncryptet. > > > > uncryptet -> unencrypted > > > >> > >> On the layer 3 router, dnsmasq forward the DNS to stubby. > > > > forward -> forwards > > > >> Stubby use DoT to ask a resolver inside or outside the Freifunk > >> backbone > > > > use -> uses; "ask a" -> "ask for a" > > > >> > >> For documentation for the options is here: > > > > "of the options" > > > >> https://wiki.freifunk- > >> > franken.de/w/Gatewayfirmware_Config/mit_stubby#dns_mit_DoT_.C3.BCb > >> er_stubby > >> > >> Signed-off-by: Christian Dresel <fff@chrisi01.de> > >> > >> --- > >> > >> Changes in v2: > >> - fix some quoting > >> - increase PKG_RELEASE > >> --- > >> src/packages/fff/fff-dhcp/Makefile | 5 ++-- > >> .../fff/fff-dhcp/files/etc/gateway.d/35-dns | 33 > +++++++++++++++++--- > >> -- > >> 2 files changed, 29 insertions(+), 9 deletions(-) > >> > >> diff --git a/src/packages/fff/fff-dhcp/Makefile > >> b/src/packages/fff/fff- dhcp/Makefile index 3f0d65c..62e6c25 100644 > >> --- a/src/packages/fff/fff-dhcp/Makefile > >> +++ b/src/packages/fff/fff-dhcp/Makefile > >> @@ -1,7 +1,7 @@ > >> include $(TOPDIR)/rules.mk > >> > >> PKG_NAME:=fff-dhcp > >> -PKG_RELEASE:=2 > >> +PKG_RELEASE:=3 > >> > >> PKG_BUILD_DIR:=$(BUILD_DIR)/fff-dhcp > >> > >> @@ -12,7 +12,8 @@ define Package/fff-dhcp > >> CATEGORY:=Freifunk > >> TITLE:=Freifunk-Franken dhcp > >> URL:=http://www.freifunk-franken.de > >> - DEPENDS:=+dnsmasq > >> + DEPENDS:=+dnsmasq \ > >> + +stubby > >> endef > >> > >> define Package/fff-dhcp/description > >> diff --git a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns > >> b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns > >> index ad9f1cd..89105f0 100644 > >> --- a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns > >> +++ b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns > >> @@ -1,21 +1,40 @@ > >> configure() { > >> ## dns > >> uci -q del dhcp.@dnsmasq[0].server > >> - if dnsservers=$(uci -q get gateway.@dns[0].server); then > >> - for f in $dnsservers; do > >> - uci add_list dhcp.@dnsmasq[0].server=$f > >> - uci add_list dhcp.@dnsmasq[0].server="/in- > >> addr.arpa/$f" > >> - uci add_list dhcp.@dnsmasq[0].server="/ip6.arpa/$f" > >> - done > >> + if [ $(uci -q get gateway.@dns[0].dnsdot) = 1 ]; then > > > > Ich würde beide zu vergleichende Werte in Anführungszeichen setzen, > damit sicher Strings verglichen werden, und keine Zahlen: > > > > [ "$(uci -q get gateway.@dns[0].dnsdot)" = "1" ] > > > > Ist aber in der Praxis wahrscheinlich ziemlich wurscht. > > am Ende gibts viele Möglichkeiten, ich hab ja sogar über ein > > if uci -q get gateway.@dns[0].dnsdot; then > > nachgedacht aber am Ende... wurscht. > > > > >> + uci add_list dhcp.@dnsmasq[0].server="::1#5453" > >> + uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5453" > >> + uci set dhcp.@dnsmasq[0].noresolv="1" > >> + while uci -q delete stubby.@resolver[0]; do :; done > > > > Diese Zeile ist eigentlich der Grund, warum ich überhaupt eine Mail > geschrieben habe: > > Was tut die? > > Für mich sieht das aus wie ein kompliziertes Äquivalent von uci -q > > delete stubby.@resolver[0] > > tja sagen wir so, meine Programmierkenntnisse sind in etwa so gut wie > meine Englischkenntnisse (scheiße was kann ich eigentlich überhaupt? > Deutsch klappt ja auch nie... ah Fränkisch wäre was ;)) hab ich mich hier > einfach aus dem OpenWRT Wiki bedient: > > https://openwrt.org/docs/guide- > user/services/dns/dot_dnsmasq_stubby#dot_provider > > also ja, vermutlich macht sie genau das gleiche. Kommando zurück, ich habe das jetzt erst wirklich verstanden: Sobald ein Eintrag gelöscht ist, wird der bisherige @resolver[1] zum neuen @resolver[0]. Damit cyclest du doch tatsächlich über alle Einträge, ich dachte nur zunächst, dass das [0] ja statisch wäre. Aber die Daten sind nicht statisch.... Also unbedingt die Schleife belassen und einen Kommentar ergänzen, damit das nicht jemand wie ich in nem halben Jahr rausoptimieren will. Beste Grüße Adrian > > Gruß > > Christian > > > > > Beste Grüße > > > > Adrian > > > >> + if dnsservers=$(uci -q get gateway.@dns[0].server); then > >> + for f in $dnsservers; do > >> + type="$(echo $f | cut -d @ -f 1)" > >> + uci set stubby.$type="resolver" > >> + uci set stubby.$type.address="$(echo $f | cut > >> -d @ -f 2)" > >> + uci set stubby.$type.tls_auth_name="$(echo > >> $f | cut -d @ -f 3)" > >> + done > >> + else > >> + echo "WARNING: No DNS servers set!" > >> + fi > >> else > >> - echo "WARNING: No DNS servers set!" > >> + if dnsservers=$(uci -q get gateway.@dns[0].server); then > >> + for f in $dnsservers; do > >> + uci add_list dhcp.@dnsmasq[0].server=$f > >> + uci add_list dhcp.@dnsmasq[0].server="/in- > >> addr.arpa/$f" > >> + uci add_list > >> dhcp.@dnsmasq[0].server="/ip6.arpa/$f" > >> + done > >> + else > >> + echo "WARNING: No DNS servers set!" > >> + fi > >> fi > >> } > >> > >> apply() { > >> uci commit dhcp > >> + uci commit stubby > >> } > >> > >> revert() { > >> uci revert dhcp > >> + uci revert stubby > >> } > >> -- > >> 2.11.0
Hallo nochmal, stubby ist aus den Packages, d.h. man muss das in „buildscript“ hier mit auflisten: https://github.com/FreifunkFranken/firmware/blob/master/buildscript#L27 Außerdem braucht man die dependency auch für deinen dnssec patch? Grüße Adrian
With this option it is possible to make DoT (DNS over TLS) from the layer3 router to the DoT DNS Server. The DNS traffic from Client to the layer3 router is still uncryptet. On the layer 3 router, dnsmasq forward the DNS to stubby. Stubby use DoT to ask a resolver inside or outside the Freifunk backbone For documentation for the options is here: https://wiki.freifunk-franken.de/w/Gatewayfirmware_Config/mit_stubby#dns_mit_DoT_.C3.BCber_stubby Signed-off-by: Christian Dresel <fff@chrisi01.de> --- Changes in v2: - fix some quoting - increase PKG_RELEASE --- src/packages/fff/fff-dhcp/Makefile | 5 ++-- .../fff/fff-dhcp/files/etc/gateway.d/35-dns | 33 +++++++++++++++++----- 2 files changed, 29 insertions(+), 9 deletions(-)