[RFC PATCH] Add DNS over TLS option inside the Freifunk backbone

Christian Dresel fff at chrisi01.de
Mo Dez 30 14:02:50 CET 2019


With this option it is possible to make DoT (DNS over TLS) from the layer3
router to the DoT DNS Server.

The DNS traffic from the client to the layer 3 router is still unencrypted.

On the layer 3 router, dnsmasq forward the DNS to stubby.
Stubby use DoT to ask a resolver inside or outside the Freifunk backbone

For documentation for the options is here:
https://wiki.freifunk-franken.de/w/Gatewayfirmware_Config/mit_stubby#dns_mit_DoT_.C3.BCber_stubby

Signed-off-by: Christian Dresel <fff at chrisi01.de>
---
 src/packages/fff/fff-dhcp/Makefile                 |  3 +-
 .../fff/fff-dhcp/files/etc/gateway.d/35-dns        | 34 +++++++++++++++++-----
 2 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/src/packages/fff/fff-dhcp/Makefile b/src/packages/fff/fff-dhcp/Makefile
index c481d82..fed1a2b 100644
--- a/src/packages/fff/fff-dhcp/Makefile
+++ b/src/packages/fff/fff-dhcp/Makefile
@@ -12,7 +12,8 @@ define Package/fff-dhcp
 	CATEGORY:=Freifunk
 	TITLE:=Freifunk-Franken dhcp
 	URL:=http://www.freifunk-franken.de
-	DEPENDS:=+dnsmasq
+	DEPENDS:=+dnsmasq \
+	         +stubby
 endef
 
 define Package/fff-dhcp/description
diff --git a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
index ad9f1cd..20503bf 100644
--- a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
+++ b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
@@ -1,21 +1,41 @@
 configure() {
 	## dns
 	uci -q del dhcp. at dnsmasq[0].server
-	if dnsservers=$(uci -q get gateway. at dns[0].server); then
-		for f in $dnsservers; do
-			uci add_list dhcp. at dnsmasq[0].server=$f
-			uci add_list dhcp. at dnsmasq[0].server="/in-addr.arpa/$f"
-			uci add_list dhcp. at dnsmasq[0].server="/ip6.arpa/$f"
-		done
+	if [ $(uci -q get gateway. at dns[0].dnsdot) == 1 ]; then
+		uci add_list dhcp. at dnsmasq[0].server="::1#5453"
+		uci add_list dhcp. at dnsmasq[0].server="127.0.0.1#5453"
+		uci set dhcp. at dnsmasq[0].noresolv="1"
+		while uci -q delete stubby. at resolver[0]; do :; done
+		if dnsservers=$(uci -q get gateway. at dns[0].server); then 
+			for f in $dnsservers; do
+				type="$(echo $f | cut -d "@" -f 1)"
+				uci set stubby.$type="resolver"
+				uci set stubby.$type.address=""$(echo $f | cut -d "@" -f 2)""
+				uci set stubby.$type.tls_auth_name=""$(echo $f | cut -d "@" -f 3)""
+			done
+		else
+			echo "WARNING: No DNS servers set!"
+		fi
+		
 	else
-		echo "WARNING: No DNS servers set!"
+		if dnsservers=$(uci -q get gateway. at dns[0].server); then
+			for f in $dnsservers; do
+				uci add_list dhcp. at dnsmasq[0].server=$f
+				uci add_list dhcp. at dnsmasq[0].server="/in-addr.arpa/$f"
+				uci add_list dhcp. at dnsmasq[0].server="/ip6.arpa/$f"
+			done
+		else
+			echo "WARNING: No DNS servers set!"
+		fi
 	fi
 }
 
 apply() {
 	uci commit dhcp
+	uci commit stubby
 }
 
 revert() {
 	uci revert dhcp
+	uci revert stubby
 }
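Review bot: The new dnsdot test on the first added line of the hunk is unquoted, so when `gateway.@dns[0].dnsdot` is unset the substitution expands to nothing and the shell evaluates `[ == 1 ]`, which is a test syntax error rather than a false result (and `==` is not the portable `[` operator); it should read `if [ "$(uci -q get gateway.@dns[0].dnsdot)" = "1" ]; then`. The `address` and `tls_auth_name` assignments are effectively unquoted too (`""$(...)""` is two empty strings around an unquoted substitution), and an entry without two `@` separators makes `cut` return the whole string for every field, so a legacy `1.1.1.1` entry would silently become a resolver whose tls_auth_name is `1.1.1.1`; since tls_auth_name is the name stubby authenticates the TLS server against, malformed entries should be rejected with a warning rather than guessed. `noresolv=1` and the stubby resolver sections are only written in the dnsdot branch and never cleared in the other, so switching dnsdot off leaves both behind from a previous run — their deletes belong next to the unconditional `uci -q del dhcp.@dnsmasq[0].server` at the top of configure(). The rewrite below also replaces the three `echo | cut` pipelines per entry with parameter expansion; configure() lies entirely within the hunk.
```shell
configure() {
	## dns
	uci -q del dhcp.@dnsmasq[0].server
	uci -q del dhcp.@dnsmasq[0].noresolv
	while uci -q delete stubby.@resolver[0]; do :; done
	if [ "$(uci -q get gateway.@dns[0].dnsdot)" = "1" ]; then
		# … unchanged: loopback forwarders and noresolv=1 …
		if dnsservers=$(uci -q get gateway.@dns[0].server); then
			for f in $dnsservers; do
				# expected entry format: <section>@<address>@<tls_auth_name>
				case "$f" in
					*@*@*) ;;
					*) echo "WARNING: ignoring malformed DoT server entry '$f'"; continue ;;
				esac
				name="${f%%@*}"
				rest="${f#*@}"
				address="${rest%%@*}"
				authname="${rest#*@}"
				if [ -z "$name" ] || [ -z "$address" ] || [ -z "$authname" ]; then
					echo "WARNING: ignoring incomplete DoT server entry '$f'"
					continue
				fi
				uci set "stubby.$name=resolver"
				uci set "stubby.$name.address=$address"
				uci set "stubby.$name.tls_auth_name=$authname"
			done
		else
			echo "WARNING: No DNS servers set!"
		fi
	# … unchanged: plain dnsmasq forwarder branch …
```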
-- 
2.11.0


