[RFC PATCH] Add DNS over TLS option inside the Freifunk backbone

Christian Dresel fff at chrisi01.de
Mo Dez 30 15:28:21 CET 2019


hi

Finished building it for a wdr3600:

root at TestGW:/etc/gateway.d# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                 4.0M      4.0M         0 100% /rom
tmpfs                    61.3M    120.0K     61.2M   0% /tmp
/dev/mtdblock3            2.9M    316.0K      2.6M  11% /overlay
overlayfs:/overlay        2.9M    316.0K      2.6M  11% /
tmpfs                   512.0K         0    512.0K   0% /dev

For comparison I only have one device here with your GW firmware; it has
gw_20190507 on it:

root at fff-gw-wk:~# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                 3.5M      3.5M         0 100% /rom
tmpfs                    61.1M     96.0K     61.0M   0% /tmp
/dev/mtdblock3            3.3M    408.0K      2.9M  12% /overlay
overlayfs:/overlay        3.3M    408.0K      2.9M  12% /
tmpfs                   512.0K         0    512.0K   0% /dev

If I see it correctly, that is somewhere around 400-500 kbyte? Yes, that is
not exactly little, but we actually still have enough space ;)

And yes, of course the whole thing only makes sense on the layer 3 routers.

Regards

Christian

On 30.12.19 15:23, mail at adrianschmutzler.de wrote:
> Stubby doesn't seem to be all that small.
> 
> Someone should perhaps test what it adds to the finished compressed image (including the dependencies).
> 
> Since it is only for the GW firmware and thus only for the 8MB+ devices anyway, it probably doesn't matter.
> 
> Regards
> 
> Adrian
> 
>> -----Original Message-----
>> From: franken-dev [mailto:franken-dev-bounces at freifunk.net] On Behalf
>> Of Christian Dresel
>> Sent: Monday, 30 December 2019 14:03
>> To: franken-dev at freifunk.net
>> Subject: [RFC PATCH] Add DNS over TLS option inside the Freifunk backbone
>>
>> With this option it is possible to use DoT (DNS over TLS) from the layer 3
>> router to the DoT DNS server.
>>
>> The DNS traffic from the client to the layer 3 router is still unencrypted.
>>
>> On the layer 3 router, dnsmasq forwards the DNS queries to stubby.
>> Stubby uses DoT to ask a resolver inside or outside the Freifunk backbone.
>>
>> Documentation for the options is here:
>> https://wiki.freifunk-franken.de/w/Gatewayfirmware_Config/mit_stubby#dns_mit_DoT_.C3.BCber_stubby
>>
>> Signed-off-by: Christian Dresel <fff at chrisi01.de>
>> ---
>>  src/packages/fff/fff-dhcp/Makefile                 |  3 +-
>>  .../fff/fff-dhcp/files/etc/gateway.d/35-dns        | 34 +++++++++++++++++-----
>>  2 files changed, 29 insertions(+), 8 deletions(-)
>>
>> diff --git a/src/packages/fff/fff-dhcp/Makefile b/src/packages/fff/fff-
>> dhcp/Makefile
>> index c481d82..fed1a2b 100644
>> --- a/src/packages/fff/fff-dhcp/Makefile
>> +++ b/src/packages/fff/fff-dhcp/Makefile
>> @@ -12,7 +12,8 @@ define Package/fff-dhcp
>>  	CATEGORY:=Freifunk
>>  	TITLE:=Freifunk-Franken dhcp
>>  	URL:=http://www.freifunk-franken.de
>> -	DEPENDS:=+dnsmasq
>> +	DEPENDS:=+dnsmasq \
>> +	         +stubby
>>  endef
>>
>>  define Package/fff-dhcp/description
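Review bot: `DEPENDS:=+dnsmasq +stubby` turns stubby into a hard dependency of fff-dhcp, so every image that ships fff-dhcp pulls in stubby and its own dependencies even where `dnsdot` is never enabled; given the image-size discussion in this thread, consider keeping the base package as it was and putting the DoT support into a separate package (or an optional dependency) that depends on stubby, so only gateways that opt in pay for it.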
>> diff --git a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
>> b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
>> index ad9f1cd..20503bf 100644
>> --- a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
>> +++ b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
>> @@ -1,21 +1,41 @@
>>  configure() {
>>  	## dns
>>  	uci -q del dhcp. at dnsmasq[0].server
>> -	if dnsservers=$(uci -q get gateway. at dns[0].server); then
>> -		for f in $dnsservers; do
>> -			uci add_list dhcp. at dnsmasq[0].server=$f
>> -			uci add_list dhcp. at dnsmasq[0].server="/in-
>> addr.arpa/$f"
>> -			uci add_list dhcp. at dnsmasq[0].server="/ip6.arpa/$f"
>> -		done
>> +	if [ $(uci -q get gateway. at dns[0].dnsdot) == 1 ]; then
>> +		uci add_list dhcp. at dnsmasq[0].server="::1#5453"
>> +		uci add_list dhcp. at dnsmasq[0].server="127.0.0.1#5453"
>> +		uci set dhcp. at dnsmasq[0].noresolv="1"
>> +		while uci -q delete stubby. at resolver[0]; do :; done
>> +		if dnsservers=$(uci -q get gateway. at dns[0].server); then
>> +			for f in $dnsservers; do
>> +				type="$(echo $f | cut -d "@" -f 1)"
>> +				uci set stubby.$type="resolver"
>> +				uci set stubby.$type.address=""$(echo $f |
>> cut -d "@" -f 2)""
>> +				uci set stubby.$type.tls_auth_name=""$(echo
>> $f | cut -d "@" -f 3)""
>> +			done
>> +		else
>> +			echo "WARNING: No DNS servers set!"
>> +		fi
>> +
>>  	else
>> -		echo "WARNING: No DNS servers set!"
>> +		if dnsservers=$(uci -q get gateway. at dns[0].server); then
>> +			for f in $dnsservers; do
>> +				uci add_list dhcp. at dnsmasq[0].server=$f
>> +				uci add_list dhcp. at dnsmasq[0].server="/in-
>> addr.arpa/$f"
>> +				uci add_list
>> dhcp. at dnsmasq[0].server="/ip6.arpa/$f"
>> +			done
>> +		else
>> +			echo "WARNING: No DNS servers set!"
>> +		fi
>>  	fi
>>  }
>>
>>  apply() {
>>  	uci commit dhcp
>> +	uci commit stubby
>>  }
>>
>>  revert() {
>>  	uci revert dhcp
>> +	uci revert stubby
>>  }
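Review bot: the new condition `if [ $(uci -q get gateway.@dns[0].dnsdot) == 1 ]` misbehaves when `dnsdot` is not set at all: the unquoted substitution expands to nothing, `[` is left with only `== 1` and reports an error rather than a false result, so existing gateways reach the plain-dnsmasq branch only because that error exit happens to be non-zero; quote the substitution and use the POSIX operator, `if [ "$(uci -q get gateway.@dns[0].dnsdot)" = 1 ]; then`. The same quoting problem is in the stubby block: `""$(echo $f | cut -d "@" -f 2)""` is two empty strings around an unquoted substitution, not a quoted value; `"$(echo "$f" | cut -d @ -f 2)"` is what is meant. The `type@address@tls_auth_name` format also needs a guard for entries in the old plain-IP form that the `else` branch still accepts: for a value without any `@`, `cut` returns the whole value for all three fields, so `uci set stubby.$type=resolver` runs with an IP address as the section name and the same address is stored as `tls_auth_name`, and for an entry with only two fields the auth name is written empty; entries that do not have exactly three non-empty fields should be rejected before being committed, since `tls_auth_name` is what stubby verifies the resolver's certificate against. Finally, the `dnsservers` lookup and the `WARNING: No DNS servers set!` fallback are now duplicated in both branches; fetching `dnsservers` once before the `if` would shorten the function.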
>> --
>> 2.11.0

