[RFC PATCH] Add DNS over TLS option inside the Freifunk backbone
mail at adrianschmutzler.de
Mon Dec 30 15:23:49 CET 2019
Stubby does not seem to be all that small.
It might be worth testing what it adds to the finished compressed image (including the dependencies).
Since it is only for the GW firmware, and therefore only for the 8MB+ devices anyway, that is probably irrelevant.
Regards
Adrian
> -----Original Message-----
> From: franken-dev [mailto:franken-dev-bounces at freifunk.net] On Behalf
> Of Christian Dresel
> Sent: Montag, 30. Dezember 2019 14:03
> To: franken-dev at freifunk.net
> Subject: [RFC PATCH] Add DNS over TLS option inside the Freifunk backbone
>
> With this option it is possible to do DoT (DNS over TLS) from the layer 3
> router to the DoT DNS server.
>
> The DNS traffic from the client to the layer 3 router is still unencrypted.
>
> On the layer 3 router, dnsmasq forwards the DNS queries to stubby.
> Stubby uses DoT to ask a resolver inside or outside the Freifunk backbone.
>
> Documentation for the options is here:
> https://wiki.freifunk-franken.de/w/Gatewayfirmware_Config/mit_stubby#dns_mit_DoT_.C3.BCber_stubby
>
> Signed-off-by: Christian Dresel <fff at chrisi01.de>
> ---
> src/packages/fff/fff-dhcp/Makefile | 3 +-
> .../fff/fff-dhcp/files/etc/gateway.d/35-dns | 34 +++++++++++++++++---
> --
> 2 files changed, 29 insertions(+), 8 deletions(-)
>
> diff --git a/src/packages/fff/fff-dhcp/Makefile b/src/packages/fff/fff-
> dhcp/Makefile
> index c481d82..fed1a2b 100644
> --- a/src/packages/fff/fff-dhcp/Makefile
> +++ b/src/packages/fff/fff-dhcp/Makefile
> @@ -12,7 +12,8 @@ define Package/fff-dhcp
> CATEGORY:=Freifunk
> TITLE:=Freifunk-Franken dhcp
> URL:=http://www.freifunk-franken.de
> - DEPENDS:=+dnsmasq
> + DEPENDS:=+dnsmasq \
> + +stubby
> endef
>
> define Package/fff-dhcp/description
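Review bot: `+stubby` becomes an unconditional dependency of fff-dhcp, so every gateway image pulls in stubby (and the TLS library it depends on) even when `gateway.@dns[0].dnsdot` is never enabled; measure the compressed image size difference or consider making the dependency selectable before merging.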
> diff --git a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
> b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
> index ad9f1cd..20503bf 100644
> --- a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
> +++ b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
> @@ -1,21 +1,41 @@
> configure() {
> ## dns
> uci -q del dhcp. at dnsmasq[0].server
> - if dnsservers=$(uci -q get gateway. at dns[0].server); then
> - for f in $dnsservers; do
> - uci add_list dhcp. at dnsmasq[0].server=$f
> - uci add_list dhcp. at dnsmasq[0].server="/in-
> addr.arpa/$f"
> - uci add_list dhcp. at dnsmasq[0].server="/ip6.arpa/$f"
> - done
> + if [ $(uci -q get gateway. at dns[0].dnsdot) == 1 ]; then
> + uci add_list dhcp. at dnsmasq[0].server="::1#5453"
> + uci add_list dhcp. at dnsmasq[0].server="127.0.0.1#5453"
> + uci set dhcp. at dnsmasq[0].noresolv="1"
> + while uci -q delete stubby. at resolver[0]; do :; done
> + if dnsservers=$(uci -q get gateway. at dns[0].server); then
> + for f in $dnsservers; do
> + type="$(echo $f | cut -d "@" -f 1)"
> + uci set stubby.$type="resolver"
> + uci set stubby.$type.address=""$(echo $f |
> cut -d "@" -f 2)""
> + uci set stubby.$type.tls_auth_name=""$(echo
> $f | cut -d "@" -f 3)""
> + done
> + else
> + echo "WARNING: No DNS servers set!"
> + fi
> +
> else
> - echo "WARNING: No DNS servers set!"
> + if dnsservers=$(uci -q get gateway. at dns[0].server); then
> + for f in $dnsservers; do
> + uci add_list dhcp. at dnsmasq[0].server=$f
> + uci add_list dhcp. at dnsmasq[0].server="/in-
> addr.arpa/$f"
> + uci add_list
> dhcp. at dnsmasq[0].server="/ip6.arpa/$f"
> + done
> + else
> + echo "WARNING: No DNS servers set!"
> + fi
> fi
> }
>
> apply() {
> uci commit dhcp
> + uci commit stubby
> }
>
> revert() {
> uci revert dhcp
> + uci revert stubby
> }
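Review bot: `if [ $(uci -q get gateway.@dns[0].dnsdot) == 1 ]` misbehaves on every existing config that does not set `dnsdot`: `uci -q get` prints nothing, the test collapses to `[ == 1 ]`, and `[` prints an error and only reaches the `else` branch by virtue of its non-zero exit status. Quote the substitution and use the POSIX comparison: `if [ "$(uci -q get gateway.@dns[0].dnsdot)" = "1" ]; then`. In the same hunk, `""$(echo $f | cut -d "@" -f 2)""` is just `"$(...)"` with two empty strings glued on, and a server entry without a third field silently yields `tls_auth_name=""`, leaving that resolver without hostname authentication; such entries should be rejected or at least warned about. The `WARNING: No DNS servers set!` block is now duplicated in both arms; reading `dnsservers` once before the `dnsdot` check would avoid that.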
> --
> 2.11.0
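As an added example (not part of the patch or of the fff-dhcp package), a POSIX sh helper that parses one `type@address@tls_auth_name` entry in the format 35-dns expects, validates it, and prints the stubby UCI commands it would produce; it refuses entries without a `tls_auth_name` instead of writing an empty one, and rejects section names or addresses the patch would pass through unchecked. The sample entries and the address 192.0.2.53 are constructed.

```shell
#!/bin/sh
# Added example, not from the patch: turn one gateway.@dns[0].server entry
# (type@address@tls_auth_name) into the stubby UCI commands 35-dns would
# run, but only after validating it. Commands are printed, not executed,
# so this runs without uci present.
# Exit status: 0 ok, 1 bad section name, 2 bad address, 3 missing auth name.
dot_entry_to_uci() {
    entry="$1"
    # The first field is what the patch calls "type"; it becomes the UCI
    # section name.
    name="$(printf '%s' "$entry" | cut -d '@' -f 1)"
    address="$(printf '%s' "$entry" | cut -d '@' -f 2)"
    auth="$(printf '%s' "$entry" | cut -d '@' -f 3)"

    # UCI section names: letters, digits and underscore only; anything
    # else would produce an odd or invalid "uci set" key.
    case "$name" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac

    # stubby must get an IP literal here. A hostname would be resolved over
    # plain DNS first, which defeats the point of the DoT hop.
    case "$address" in
        *:*) ;;                                   # IPv6 literal
        *.*.*.*) case "$address" in *[!0-9.]*) return 2 ;; esac ;;
        *) return 2 ;;
    esac

    # Without tls_auth_name the TLS session is not bound to a hostname, so
    # refuse the entry rather than silently weakening authentication.
    [ -n "$auth" ] || return 3

    printf 'uci set stubby.%s=resolver\n' "$name"
    printf 'uci set stubby.%s.address=%s\n' "$name" "$address"
    printf 'uci set stubby.%s.tls_auth_name=%s\n' "$name" "$auth"
}

# Constructed sample entries: one complete, one lacking the auth name.
dot_entry_to_uci 'dot1@192.0.2.53@dns.example.net'
dot_entry_to_uci 'dot2@192.0.2.53' || echo "rejected entry, status $?"
```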