[RFC PATCH] Add DNS over TLS option inside the Freifunk backbone
Christian Dresel
fff at chrisi01.de
Mon Dec 30 15:28:21 CET 2019
hi
Finished compiling on a wdr3600:
root at TestGW:/etc/gateway.d# df -h
Filesystem Size Used Available Use% Mounted on
/dev/root 4.0M 4.0M 0 100% /rom
tmpfs 61.3M 120.0K 61.2M 0% /tmp
/dev/mtdblock3 2.9M 316.0K 2.6M 11% /overlay
overlayfs:/overlay 2.9M 316.0K 2.6M 11% /
tmpfs 512.0K 0 512.0K 0% /dev
For comparison I only have one with your GW firmware here; it has
gw_20190507 on it:
root at fff-gw-wk:~# df -h
Filesystem Size Used Available Use% Mounted on
/dev/root 3.5M 3.5M 0 100% /rom
tmpfs 61.1M 96.0K 61.0M 0% /tmp
/dev/mtdblock3 3.3M 408.0K 2.9M 12% /overlay
overlayfs:/overlay 3.3M 408.0K 2.9M 12% /
tmpfs 512.0K 0 512.0K 0% /dev
If I see it correctly, that is somewhere around 400-500 kbyte? Yes, that
is not exactly little, but we actually still have enough space ;)
And yes, of course the whole thing only makes sense on the layer 3 routers.
Regards
Christian
On 30.12.19 15:23, mail at adrianschmutzler.de wrote:
> Stubby does not seem to be all that small.
>
> Maybe we should test what it adds to the finished compressed image (including the dependencies).
>
> Since it is only for the GW firmware and thus only for the 8MB+ devices anyway, it probably does not matter.
>
> Regards
>
> Adrian
>
>> -----Original Message-----
>> From: franken-dev [mailto:franken-dev-bounces at freifunk.net] On Behalf
>> Of Christian Dresel
>> Sent: Monday, 30 December 2019 14:03
>> To: franken-dev at freifunk.net
>> Subject: [RFC PATCH] Add DNS over TLS option inside the Freifunk backbone
>>
>> With this option it is possible to use DoT (DNS over TLS) from the layer3
>> router to the DoT DNS server.
>>
>> The DNS traffic from the client to the layer3 router is still unencrypted.
>>
>> On the layer 3 router, dnsmasq forwards the DNS queries to stubby.
>> Stubby uses DoT to ask a resolver inside or outside the Freifunk backbone.
>>
>> Documentation for the options is here:
>> https://wiki.freifunk-franken.de/w/Gatewayfirmware_Config/mit_stubby#dns_mit_DoT_.C3.BCber_stubby
>>
>> Signed-off-by: Christian Dresel <fff at chrisi01.de>
>> ---
>> src/packages/fff/fff-dhcp/Makefile | 3 +-
>> .../fff/fff-dhcp/files/etc/gateway.d/35-dns | 34 +++++++++++++++++---
>> --
>> 2 files changed, 29 insertions(+), 8 deletions(-)
>>
>> diff --git a/src/packages/fff/fff-dhcp/Makefile b/src/packages/fff/fff-
>> dhcp/Makefile
>> index c481d82..fed1a2b 100644
>> --- a/src/packages/fff/fff-dhcp/Makefile
>> +++ b/src/packages/fff/fff-dhcp/Makefile
>> @@ -12,7 +12,8 @@ define Package/fff-dhcp
>> CATEGORY:=Freifunk
>> TITLE:=Freifunk-Franken dhcp
>> URL:=http://www.freifunk-franken.de
>> - DEPENDS:=+dnsmasq
>> + DEPENDS:=+dnsmasq \
>> + +stubby
>> endef
>>
>> define Package/fff-dhcp/description
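Review bot: The `+stubby` added to `DEPENDS` is unconditional, so every image that ships fff-dhcp pulls in stubby and its own dependencies even when `dnsdot` is never enabled; the size concern raised in this thread applies to all gateway builds, not just those using DoT. Consider a separate optional package (or a build variant) that fff-dhcp only recommends, so the 35-dns script can test for stubby being present instead of forcing it into every image.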
>> diff --git a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
>> b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
>> index ad9f1cd..20503bf 100644
>> --- a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
>> +++ b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
>> @@ -1,21 +1,41 @@
>> configure() {
>> ## dns
>> uci -q del dhcp. at dnsmasq[0].server
>> - if dnsservers=$(uci -q get gateway. at dns[0].server); then
>> - for f in $dnsservers; do
>> - uci add_list dhcp. at dnsmasq[0].server=$f
>> - uci add_list dhcp. at dnsmasq[0].server="/in-
>> addr.arpa/$f"
>> - uci add_list dhcp. at dnsmasq[0].server="/ip6.arpa/$f"
>> - done
>> + if [ $(uci -q get gateway. at dns[0].dnsdot) == 1 ]; then
>> + uci add_list dhcp. at dnsmasq[0].server="::1#5453"
>> + uci add_list dhcp. at dnsmasq[0].server="127.0.0.1#5453"
>> + uci set dhcp. at dnsmasq[0].noresolv="1"
>> + while uci -q delete stubby. at resolver[0]; do :; done
>> + if dnsservers=$(uci -q get gateway. at dns[0].server); then
>> + for f in $dnsservers; do
>> + type="$(echo $f | cut -d "@" -f 1)"
>> + uci set stubby.$type="resolver"
>> + uci set stubby.$type.address=""$(echo $f |
>> cut -d "@" -f 2)""
>> + uci set stubby.$type.tls_auth_name=""$(echo
>> $f | cut -d "@" -f 3)""
>> + done
>> + else
>> + echo "WARNING: No DNS servers set!"
>> + fi
>> +
>> else
>> - echo "WARNING: No DNS servers set!"
>> + if dnsservers=$(uci -q get gateway. at dns[0].server); then
>> + for f in $dnsservers; do
>> + uci add_list dhcp. at dnsmasq[0].server=$f
>> + uci add_list dhcp. at dnsmasq[0].server="/in-
>> addr.arpa/$f"
>> + uci add_list
>> dhcp. at dnsmasq[0].server="/ip6.arpa/$f"
>> + done
>> + else
>> + echo "WARNING: No DNS servers set!"
>> + fi
>> fi
>> }
>>
>> apply() {
>> uci commit dhcp
>> + uci commit stubby
>> }
>>
>> revert() {
>> uci revert dhcp
>> + uci revert stubby
>> }
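Review bot: The condition `if [ $(uci -q get gateway.@dns[0].dnsdot) == 1 ]` is unquoted, so when `dnsdot` is not set at all the substitution expands to nothing and the test degenerates to `[ == 1 ]`, which busybox ash rejects with an error rather than taking the `else` branch; write it as `if [ "$(uci -q get gateway.@dns[0].dnsdot)" = "1" ]; then` (`=` rather than `==`, which is not POSIX). The same hunk also never clears `noresolv`: the DoT branch sets `dhcp.@dnsmasq[0].noresolv="1"`, but the non-DoT branch does not delete it, so switching `dnsdot` back off leaves dnsmasq with `noresolv=1` and only the configured upstream list. Smaller points: the nested quoting in `uci set stubby.$type.address=""$(echo $f | cut -d "@" -f 2)""` pairs the outer quotes as empty strings and leaves the substitution unquoted; `"$(echo "$f" | cut -d "@" -f 2)"` (or `${f#*@}` style parameter expansion) is what is meant. There is no check that a `server` entry actually carries all three `type@address@tls_auth_name` fields, so a malformed entry silently creates a resolver section with an empty address or auth name; and the `WARNING: No DNS servers set!` block is duplicated in both branches and could be hoisted above the `dnsdot` test.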
>> --
>> 2.11.0