[PATCH] Add DNS over TLS option inside the Freifunk backbone

Robert Langhammer rlanghammer at web.de
Fri Apr 3 21:31:59 CEST 2020


Hello Christian,

I think it's good to include this.

I have something on the syntax: see below.

On 03.04.20 at 19:29, Christian Dresel wrote:
> With this option it is possible to use DoT (DNS over TLS) from the layer 3
> router to the DoT DNS server.
>
> The DNS traffic from the client to the layer 3 router is still unencrypted.
>
> On the layer 3 router, dnsmasq forwards the DNS queries to stubby.
> Stubby uses DoT to ask a resolver inside or outside the Freifunk backbone.
>
> Documentation for the options is here:
> https://wiki.freifunk-franken.de/w/Gatewayfirmware_Config/mit_stubby#dns_mit_DoT_.C3.BCber_stubby
>
> Signed-off-by: Christian Dresel <fff at chrisi01.de>
> ---
>  src/packages/fff/fff-dhcp/Makefile                 |  3 +-
>  .../fff/fff-dhcp/files/etc/gateway.d/35-dns        | 34 +++++++++++++++++-----
>  2 files changed, 29 insertions(+), 8 deletions(-)
>
> diff --git a/src/packages/fff/fff-dhcp/Makefile b/src/packages/fff/fff-dhcp/Makefile
> index c481d82..fed1a2b 100644
> --- a/src/packages/fff/fff-dhcp/Makefile
> +++ b/src/packages/fff/fff-dhcp/Makefile
> @@ -12,7 +12,8 @@ define Package/fff-dhcp
>  	CATEGORY:=Freifunk
>  	TITLE:=Freifunk-Franken dhcp
>  	URL:=http://www.freifunk-franken.de
> -	DEPENDS:=+dnsmasq
> +	DEPENDS:=+dnsmasq \
> +	         +stubby
>  endef
>  
>  define Package/fff-dhcp/description
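Review bot: the new `+stubby` in DEPENDS (`+	DEPENDS:=+dnsmasq \` / `+	         +stubby`) makes stubby a hard dependency of fff-dhcp, so it is installed on every router that carries this package, including routers where `gateway.@dns[0].dnsdot` is never set. If that image growth is not intended, stubby could be an optional package that 35-dns checks for before taking the DoT branch; either way the commit message should say that stubby is now always installed.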
> diff --git a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
> index ad9f1cd..20503bf 100644
> --- a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
> +++ b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
> @@ -1,21 +1,41 @@
>  configure() {
>  	## dns
>  	uci -q del dhcp. at dnsmasq[0].server
> -	if dnsservers=$(uci -q get gateway. at dns[0].server); then
> -		for f in $dnsservers; do
> -			uci add_list dhcp. at dnsmasq[0].server=$f
> -			uci add_list dhcp. at dnsmasq[0].server="/in-addr.arpa/$f"
> -			uci add_list dhcp. at dnsmasq[0].server="/ip6.arpa/$f"
> -		done
> +	if [ $(uci -q get gateway. at dns[0].dnsdot) == 1 ]; then
No double == here, that isn't bash.
> +		uci add_list dhcp. at dnsmasq[0].server="::1#5453"
> +		uci add_list dhcp. at dnsmasq[0].server="127.0.0.1#5453"
> +		uci set dhcp. at dnsmasq[0].noresolv="1"
> +		while uci -q delete stubby. at resolver[0]; do :; done
> +		if dnsservers=$(uci -q get gateway. at dns[0].server); then
Here you need " around the substitution, otherwise there is word splitting
when there are several DNS servers and the variable assignment blows up.
>  
> +			for f in $dnsservers; do
> +				type="$(echo $f | cut -d "@" -f 1)"
> +				uci set stubby.$type="resolver"
> +				uci set stubby.$type.address=""$(echo $f | cut -d "@" -f 2)""
> +				uci set stubby.$type.tls_auth_name=""$(echo $f | cut -d "@" -f 3)""
You don't want the double "", the second one cancels the first again. So
you can leave them out entirely. The @ is an ordinary character and
wouldn't need the ", but whatever.
> +			done
> +		else
> +			echo "WARNING: No DNS servers set!"
> +		fi
> +		
>  	else
> -		echo "WARNING: No DNS servers set!"
> +		if dnsservers=$(uci -q get gateway. at dns[0].server); then
> +			for f in $dnsservers; do
> +				uci add_list dhcp. at dnsmasq[0].server=$f

"$f" here too.

Best regards
Robert

> +				uci add_list dhcp. at dnsmasq[0].server="/in-addr.arpa/$f"
> +				uci add_list dhcp. at dnsmasq[0].server="/ip6.arpa/$f"
> +			done
> +		else
> +			echo "WARNING: No DNS servers set!"
> +		fi
>  	fi
>  }
>  
>  apply() {
>  	uci commit dhcp
> +	uci commit stubby
>  }
>  
>  revert() {
>  	uci revert dhcp
> +	uci revert stubby
>  }
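Review bot: the condition `if [ $(uci -q get gateway.@dns[0].dnsdot) == 1 ]; then` is not POSIX `test` (`==` is a bash extension, as Robert notes) and the substitution is unquoted, so when `dnsdot` is unset it expands to nothing and `[ == 1 ]` produces a test error rather than a clean false; use `if [ "$(uci -q get gateway.@dns[0].dnsdot)" = 1 ]; then`. In the two `uci set stubby.$type.address=""$(echo $f | cut -d "@" -f 2)""` / `tls_auth_name` lines the paired `""` are empty strings that leave the substitution unquoted; write `"$(echo "$f" | cut -d '@' -f 2)"`, and in the non-DoT branch quote `"$f"` in `uci add_list dhcp.@dnsmasq[0].server=$f` as in the two lines below it. Two state points in the same hunk: the `while uci -q delete stubby.@resolver[0]` cleanup runs only in the DoT branch, so switching `dnsdot` back to 0 leaves the previously generated stubby resolver sections committed, and a server entry without a third `@` field silently sets an empty `tls_auth_name`, which should be rejected with a warning instead of committed, since stubby then has no name to authenticate the resolver's certificate against.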

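Added example, not part of the patch or the fff firmware: a POSIX sh version of the entry parsing the DoT branch needs, using parameter expansion instead of `echo $f | cut` and quoting every expansion, with the `dnsdot` test written in the portable form. The entry format `type@address@tls_auth_name` is the one the patch uses; the helper names and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not part of the patch or the fff firmware: parse one
# gateway.@dns[0].server entry in the "type@address@tls_auth_name" form
# the patch feeds to stubby, with POSIX parameter expansion instead of
# `echo $f | cut` and every expansion quoted. Sample values are constructed.

# Split TYPE@ADDRESS@AUTHNAME into dot_type, dot_address and dot_auth.
# Returns 1 if a field is missing or empty, if there are extra '@'
# separators, or if the type is not usable as a UCI section name.
parse_dot_server() {
    entry=$1
    dot_type=${entry%%@*}
    rest=${entry#*@}
    dot_address=${rest%%@*}
    dot_auth=${rest#*@}
    # With fewer than two '@', a "stripped" part equals its input.
    [ "$rest" != "$entry" ] && [ "$dot_auth" != "$rest" ] || return 1
    [ -n "$dot_type" ] && [ -n "$dot_address" ] && [ -n "$dot_auth" ] || return 1
    # UCI section names allow only letters, digits and underscores;
    # a third '@' would leave one inside tls_auth_name.
    case $dot_type in *[!A-Za-z0-9_]*) return 1 ;; esac
    case $dot_auth in *@*) return 1 ;; esac
    return 0
}

# Print the uci commands the DoT branch of configure() would run for a
# whitespace-separated server list, with every value quoted. Stops and
# returns 1 at the first malformed entry instead of committing it.
stubby_uci_commands() {
    for f in $1; do                # word splitting on the list is intended
        parse_dot_server "$f" || return 1
        printf "uci set stubby.%s=resolver\n" "$dot_type"
        printf "uci set stubby.%s.address='%s'\n" "$dot_type" "$dot_address"
        printf "uci set stubby.%s.tls_auth_name='%s'\n" "$dot_type" "$dot_auth"
    done
}

# POSIX form of the dnsdot flag test: quoted expansion, single '='.
# An unset flag compares as "" and is simply false, not a test error.
dnsdot_enabled() {
    [ "$1" = 1 ]
}

# Constructed sample (RFC 5737 address, example.net name) to run stand-alone.
if stubby_uci_commands "ffdot@192.0.2.53@dot.example.net"; then
    echo "entry accepted"
fi
```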

