[PATCH v2] fff-dhcp: Add DNS over TLS option inside the Freifunk backbone

mail at adrianschmutzler.de
Mon Apr 6 19:59:07 CEST 2020


Hello Christian,

just a few dumb comments/questions:

> -----Original Message-----
> From: franken-dev [mailto:franken-dev-bounces at freifunk.net] On Behalf
> Of Christian Dresel
> Sent: Sonntag, 5. April 2020 14:21
> To: franken-dev at freifunk.net
> Subject: [PATCH v2] fff-dhcp: Add DNS over TLS option inside the Freifunk
> backbone
> 
> With this option it is possible to make DoT (DNS over TLS) from the layer3
> router to the DoT DNS Server.
> 
> The DNS traffic from Client to the layer3 router is still uncryptet.

uncryptet -> unencrypted

> 
> On the layer 3 router, dnsmasq forward the DNS to stubby.

forward -> forwards

> Stubby use DoT to ask a resolver inside or outside the Freifunk backbone

use -> uses; "ask a" -> "ask for a"

> 
> For documentation for the options is here:

"of the options"

> https://wiki.freifunk-franken.de/w/Gatewayfirmware_Config/mit_stubby#dns_mit_DoT_.C3.BCber_stubby
> 
> Signed-off-by: Christian Dresel <fff at chrisi01.de>
> 
> ---
> 
> Changes in v2:
>  - fix some quoting
>  - increase PKG_RELEASE
> ---
>  src/packages/fff/fff-dhcp/Makefile                 |  5 ++--
>  .../fff/fff-dhcp/files/etc/gateway.d/35-dns        | 33 +++++++++++++++++---
> --
>  2 files changed, 29 insertions(+), 9 deletions(-)
> 
> diff --git a/src/packages/fff/fff-dhcp/Makefile b/src/packages/fff/fff-
> dhcp/Makefile
> index 3f0d65c..62e6c25 100644
> --- a/src/packages/fff/fff-dhcp/Makefile
> +++ b/src/packages/fff/fff-dhcp/Makefile
> @@ -1,7 +1,7 @@
>  include $(TOPDIR)/rules.mk
> 
>  PKG_NAME:=fff-dhcp
> -PKG_RELEASE:=2
> +PKG_RELEASE:=3
> 
>  PKG_BUILD_DIR:=$(BUILD_DIR)/fff-dhcp
> 
> @@ -12,7 +12,8 @@ define Package/fff-dhcp
>  	CATEGORY:=Freifunk
>  	TITLE:=Freifunk-Franken dhcp
>  	URL:=http://www.freifunk-franken.de
> -	DEPENDS:=+dnsmasq
> +	DEPENDS:=+dnsmasq \
> +		 +stubby
>  endef
> 
>  define Package/fff-dhcp/description
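Review bot: `+stubby` in DEPENDS makes stubby a hard dependency of fff-dhcp, so every build pulls it in even where `dnsdot` is never enabled; the commit message only describes the new option and should state that stubby is now installed unconditionally, or the dependency should be made conditional (or the DoT part split into its own package) if image size on the gateways is a concern.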
> diff --git a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
> b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
> index ad9f1cd..89105f0 100644
> --- a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
> +++ b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
> @@ -1,21 +1,40 @@
>  configure() {
>  	## dns
>  	uci -q del dhcp. at dnsmasq[0].server
> -	if dnsservers=$(uci -q get gateway. at dns[0].server); then
> -		for f in $dnsservers; do
> -			uci add_list dhcp. at dnsmasq[0].server=$f
> -			uci add_list dhcp. at dnsmasq[0].server="/in-
> addr.arpa/$f"
> -			uci add_list dhcp. at dnsmasq[0].server="/ip6.arpa/$f"
> -		done
> +	if [ $(uci -q get gateway. at dns[0].dnsdot) = 1 ]; then

I would put both values being compared in quotation marks, so that strings are definitely compared and not numbers:

[ "$(uci -q get gateway.@dns[0].dnsdot)" = "1" ]

In practice it probably doesn't matter much, though.

> +		uci add_list dhcp. at dnsmasq[0].server="::1#5453"
> +		uci add_list dhcp. at dnsmasq[0].server="127.0.0.1#5453"
> +		uci set dhcp. at dnsmasq[0].noresolv="1"
> +		while uci -q delete stubby. at resolver[0]; do :; done

This line is actually the reason I wrote a mail at all:
What does it do?
To me it looks like a complicated equivalent of
uci -q delete stubby.@resolver[0]

Best regards

Adrian

> +		if dnsservers=$(uci -q get gateway. at dns[0].server); then
> +			for f in $dnsservers; do
> +				type="$(echo $f | cut -d @ -f 1)"
> +				uci set stubby.$type="resolver"
> +				uci set stubby.$type.address="$(echo $f | cut
> -d @ -f 2)"
> +				uci set stubby.$type.tls_auth_name="$(echo
> $f | cut -d @ -f 3)"
> +			done
> +		else
> +			echo "WARNING: No DNS servers set!"
> +		fi
>  	else
> -		echo "WARNING: No DNS servers set!"
> +		if dnsservers=$(uci -q get gateway. at dns[0].server); then
> +			for f in $dnsservers; do
> +				uci add_list dhcp. at dnsmasq[0].server=$f
> +				uci add_list dhcp. at dnsmasq[0].server="/in-
> addr.arpa/$f"
> +				uci add_list
> dhcp. at dnsmasq[0].server="/ip6.arpa/$f"
> +			done
> +		else
> +			echo "WARNING: No DNS servers set!"
> +		fi
>  	fi
>  }
> 
>  apply() {
>  	uci commit dhcp
> +	uci commit stubby
>  }
> 
>  revert() {
>  	uci revert dhcp
> +	uci revert stubby
>  }
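Review bot: the test `if [ $(uci -q get gateway.@dns[0].dnsdot) = 1 ]; then` is unquoted, so when `dnsdot` is not set at all `uci -q get` prints nothing and the shell evaluates `[ = 1 ]`, a syntax error ("unary operator expected" or similar) that exits non-zero and only by accident lands in the else branch, with noise on stderr; use `if [ "$(uci -q get gateway.@dns[0].dnsdot)" = "1" ]; then`. The `name@address@tls_auth_name` split with `cut -d @ -f 1`/`2`/`3` yields an empty field for any entry that lacks one, and an empty `tls_auth_name` leaves stubby with no name to verify the server certificate against, so the loop should check that all three fields are non-empty (and that the first is a valid UCI section name) and warn and skip the entry otherwise. `while uci -q delete stubby.@resolver[0]; do :; done` does more than a single delete: after each deletion the next section becomes `@resolver[0]`, so the loop removes every existing resolver section before the new ones are created; a one-line comment would spare the next reader the question. The else branch does not clear the stubby resolvers or `dhcp.@dnsmasq[0].noresolv` that the DoT branch sets, so switching `dnsdot` back off leaves stale configuration behind; both branches also repeat the `dnsservers` lookup and the `WARNING` echo, which could be hoisted above the `if`.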
> --
> 2.11.0
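A dry-run validator for the `name@address@tls_auth_name` entry format that the patch above reads from `gateway.@dns[0].server`, added here as an example; it is not code from the patch or from the fff firmware. It assumes `uci` is not available, so the functions print the `uci` commands they would run instead of executing them, and the sample entries and addresses are constructed. An entry with a missing field is rejected rather than silently producing an empty `tls_auth_name`.

```shell
#!/bin/sh
# Added example, not part of the patch or of the fff-dhcp package: a dry-run
# validator for the "name@address@tls_auth_name" entries that the patch
# reads from gateway.@dns[0].server and turns into stubby resolver sections.
# Assumption: uci is not available here, so the functions print the uci
# commands they would run instead of executing them.

# Emit the three uci commands for one entry; return 1 and warn on stderr
# if the entry does not have exactly three non-empty '@'-separated fields.
dot_entry_to_uci() {
    entry="$1"
    case "$entry" in
        *@*@*@*) fields=bad ;;   # four or more fields
        *@*@*)   fields=ok ;;    # exactly three fields
        *)       fields=bad ;;   # fewer than three fields
    esac
    name="${entry%%@*}"          # field 1: UCI section name for stubby
    rest="${entry#*@}"
    address="${rest%%@*}"        # field 2: resolver IP address
    auth_name="${rest#*@}"       # field 3: name the TLS certificate must carry

    # cut(1) in the patch would silently yield "" for a missing field; an
    # empty tls_auth_name leaves stubby nothing to verify the certificate against.
    if [ "$fields" != ok ] || [ -z "$name" ] || [ -z "$address" ] || [ -z "$auth_name" ]; then
        echo "WARNING: malformed DoT entry '$entry' (expected name@address@tls_auth_name)" >&2
        return 1
    fi
    # UCI section names may only contain letters, digits and underscores.
    case "$name" in
        *[!A-Za-z0-9_]*)
            echo "WARNING: '$name' is not a valid UCI section name" >&2
            return 1 ;;
    esac
    printf 'uci set stubby.%s=resolver\n' "$name"
    printf 'uci set stubby.%s.address=%s\n' "$name" "$address"
    printf 'uci set stubby.%s.tls_auth_name=%s\n' "$name" "$auth_name"
}

# Process a whole space-separated list as stored in gateway.@dns[0].server.
# Valid entries are emitted; the return value is the number of rejected ones.
dot_list_to_uci() {
    bad=0
    for f in $1; do
        dot_entry_to_uci "$f" || bad=$((bad + 1))
    done
    return "$bad"
}

# Constructed sample list (documentation addresses, not real resolvers):
# the second entry lacks its tls_auth_name and is rejected.
dot_list_to_uci 'ffdot@192.0.2.53@dot.example.net broken@192.0.2.54' \
    || echo "rejected $? entries" >&2
```

The output lines can be piped into `sh` on a gateway once the list has been checked; the exit status of `dot_list_to_uci` tells the caller how many entries were dropped, which is the signal the patch's loop currently lacks.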