From patchwork Sun Apr 5 12:20:47 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [v2] fff-dhcp: Add DNS over TLS option inside the Freifunk backbone
From: Christian Dresel
X-Patchwork-Id: 1331
Message-Id: <20200405122047.14784-1-fff@chrisi01.de>
To: franken-dev@freifunk.net
Date: Sun, 5 Apr 2020 14:20:47 +0200

With this option it is possible to make DoT (DNS over TLS) from the layer3 router to the DoT DNS Server. The DNS traffic from Client to the layer3 router is still uncryptet. On the layer 3 router, dnsmasq forward the DNS to stubby. Stubby use DoT to ask a resolver inside or outside the Freifunk backbone

For documentation for the options is here: https://wiki.freifunk-franken.de/w/Gatewayfirmware_Config/mit_stubby#dns_mit_DoT_.C3.BCber_stubby

Signed-off-by: Christian Dresel
Reviewed-by: Robert Langhammer
---
Changes in v2:
- fix some quoting
- increase PKG_RELEASE
---
 src/packages/fff/fff-dhcp/Makefile | 5 ++--
 .../fff/fff-dhcp/files/etc/gateway.d/35-dns | 33 +++++++++++++++++-----
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/packages/fff/fff-dhcp/Makefile b/src/packages/fff/fff-dhcp/Makefile
index 3f0d65c..62e6c25 100644
--- a/src/packages/fff/fff-dhcp/Makefile
+++ b/src/packages/fff/fff-dhcp/Makefile
@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=fff-dhcp
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_BUILD_DIR:=$(BUILD_DIR)/fff-dhcp
@@ -12,7 +12,8 @@ define Package/fff-dhcp
 CATEGORY:=Freifunk
 TITLE:=Freifunk-Franken dhcp
 URL:=http://www.freifunk-franken.de
- DEPENDS:=+dnsmasq
+ DEPENDS:=+dnsmasq \
+ +stubby
 endef
 define Package/fff-dhcp/description
diff --git a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
index ad9f1cd..89105f0 100644
--- a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
+++ b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
@@ -1,21 +1,40 @@
 configure() {
 ## dns
 uci -q del dhcp.@dnsmasq[0].server
- if dnsservers=$(uci -q get gateway.@dns[0].server); then
- for f in $dnsservers; do
- uci add_list dhcp.@dnsmasq[0].server=$f
- uci add_list dhcp.@dnsmasq[0].server="/in-addr.arpa/$f"
- uci add_list dhcp.@dnsmasq[0].server="/ip6.arpa/$f"
- done
+ if [ $(uci -q get gateway.@dns[0].dnsdot) = 1 ]; then
+ uci add_list dhcp.@dnsmasq[0].server="::1#5453"
+ uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5453"
+ uci set dhcp.@dnsmasq[0].noresolv="1"
+ while uci -q delete stubby.@resolver[0]; do :; done
+ if dnsservers=$(uci -q get gateway.@dns[0].server); then
+ for f in $dnsservers; do
+ type="$(echo $f | cut -d @ -f 1)"
+ uci set stubby.$type="resolver"
+ uci set stubby.$type.address="$(echo $f | cut -d @ -f 2)"
+ uci set stubby.$type.tls_auth_name="$(echo $f | cut -d @ -f 3)"
+ done
+ else
+ echo "WARNING: No DNS servers set!"
+ fi
 else
- echo "WARNING: No DNS servers set!"
+ if dnsservers=$(uci -q get gateway.@dns[0].server); then
+ for f in $dnsservers; do
+ uci add_list dhcp.@dnsmasq[0].server=$f
+ uci add_list dhcp.@dnsmasq[0].server="/in-addr.arpa/$f"
+ uci add_list dhcp.@dnsmasq[0].server="/ip6.arpa/$f"
+ done
+ else
+ echo "WARNING: No DNS servers set!"
+ fi
 fi
 }
 apply() {
 uci commit dhcp
+ uci commit stubby
 }
 revert() {
 uci revert dhcp
+ uci revert stubby
 }
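Review bot: The new branch condition `if [ $(uci -q get gateway.@dns[0].dnsdot) = 1 ]; then` leaves the command substitution unquoted, so on a gateway where `dnsdot` is not set at all the test degenerates to `[ = 1 ]` and the shell prints a test error instead of cleanly evaluating false; v2's "fix some quoting" missed this one, and it should read `if [ "$(uci -q get gateway.@dns[0].dnsdot)" = 1 ]; then`. The else branch also never undoes what the DoT branch writes: `noresolv` stays at 1 and the previously committed stubby resolver sections survive once `dnsdot` is switched back to 0, so the `while uci -q delete stubby.@resolver[0]` loop and a `uci -q del dhcp.@dnsmasq[0].noresolv` belong before the `if` rather than inside it. Finally, `tls_auth_name` is taken from field 3 of each `type@address@name` entry without checking that the field exists; an entry without a third field yields an empty authentication name, and whether stubby then still verifies the resolver certificate depends on the global `tls_authentication` setting that this change does not touch, so a non-empty check that skips and warns on a malformed entry keeps a configuration slip from silently weakening the TLS validation. The whole of configure() lies inside the hunk; the rewritten head of it is below, the non-DoT branch and apply()/revert() are unchanged.
```sh
configure() {
    ## dns
    uci -q del dhcp.@dnsmasq[0].server
    # reset DoT-only state so toggling dnsdot off leaves no stale config behind
    uci -q del dhcp.@dnsmasq[0].noresolv
    while uci -q delete stubby.@resolver[0]; do :; done
    if [ "$(uci -q get gateway.@dns[0].dnsdot)" = 1 ]; then
        uci add_list dhcp.@dnsmasq[0].server="::1#5453"
        uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5453"
        uci set dhcp.@dnsmasq[0].noresolv="1"
        if dnsservers=$(uci -q get gateway.@dns[0].server); then
            for f in $dnsservers; do
                type="$(echo "$f" | cut -d @ -f 1)"
                address="$(echo "$f" | cut -d @ -f 2)"
                authname="$(echo "$f" | cut -d @ -f 3)"
                # every resolver needs an address and a name to authenticate the certificate against
                if [ -z "$type" ] || [ -z "$address" ] || [ -z "$authname" ]; then
                    echo "WARNING: skipping DoT resolver '$f' (expected type@address@tls_auth_name)"
                    continue
                fi
                uci set stubby.$type="resolver"
                uci set stubby.$type.address="$address"
                uci set stubby.$type.tls_auth_name="$authname"
            done
        else
            echo "WARNING: No DNS servers set!"
        fi
    else
        # … unchanged: plain dnsmasq forwarder branch …
    fi
}
```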