[PATCH v2] fff-dhcp: Add DNS over TLS option inside the Freifunk backbone
mail at adrianschmutzler.de
mail at adrianschmutzler.de
Mo Apr 6 19:59:07 CEST 2020
Hallo Christian,
nur ein paar dumme Kommentare/Fragen:
> -----Original Message-----
> From: franken-dev [mailto:franken-dev-bounces at freifunk.net] On Behalf
> Of Christian Dresel
> Sent: Sonntag, 5. April 2020 14:21
> To: franken-dev at freifunk.net
> Subject: [PATCH v2] fff-dhcp: Add DNS over TLS option inside the Freifunk
> backbone
>
> With this option it is possible to make DoT (DNS over TLS) from the layer3
> router to the DoT DNS Server.
>
> The DNS traffic from Client to the layer3 router is still uncryptet.
uncryptet -> unencrypted
>
> On the layer 3 router, dnsmasq forward the DNS to stubby.
forward -> forwards
> Stubby use DoT to ask a resolver inside or outside the Freifunk backbone
use -> uses; "ask a" -> "ask for a"
>
> For documentation for the options is here:
"of the options"
> https://wiki.freifunk-
> franken.de/w/Gatewayfirmware_Config/mit_stubby#dns_mit_DoT_.C3.BCb
> er_stubby
>
> Signed-off-by: Christian Dresel <fff at chrisi01.de>
>
> ---
>
> Changes in v2:
> - fix some quoting
> - increase PKG_RELEASE
> ---
> src/packages/fff/fff-dhcp/Makefile | 5 ++--
> .../fff/fff-dhcp/files/etc/gateway.d/35-dns | 33 +++++++++++++++++---
> --
> 2 files changed, 29 insertions(+), 9 deletions(-)
>
> diff --git a/src/packages/fff/fff-dhcp/Makefile b/src/packages/fff/fff-
> dhcp/Makefile
> index 3f0d65c..62e6c25 100644
> --- a/src/packages/fff/fff-dhcp/Makefile
> +++ b/src/packages/fff/fff-dhcp/Makefile
> @@ -1,7 +1,7 @@
> include $(TOPDIR)/rules.mk
>
> PKG_NAME:=fff-dhcp
> -PKG_RELEASE:=2
> +PKG_RELEASE:=3
>
> PKG_BUILD_DIR:=$(BUILD_DIR)/fff-dhcp
>
> @@ -12,7 +12,8 @@ define Package/fff-dhcp
> CATEGORY:=Freifunk
> TITLE:=Freifunk-Franken dhcp
> URL:=http://www.freifunk-franken.de
> - DEPENDS:=+dnsmasq
> + DEPENDS:=+dnsmasq \
> + +stubby
> endef
>
> define Package/fff-dhcp/description
> diff --git a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
> b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
> index ad9f1cd..89105f0 100644
> --- a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
> +++ b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
> @@ -1,21 +1,40 @@
> configure() {
> ## dns
> uci -q del dhcp. at dnsmasq[0].server
> - if dnsservers=$(uci -q get gateway. at dns[0].server); then
> - for f in $dnsservers; do
> - uci add_list dhcp. at dnsmasq[0].server=$f
> - uci add_list dhcp. at dnsmasq[0].server="/in-
> addr.arpa/$f"
> - uci add_list dhcp. at dnsmasq[0].server="/ip6.arpa/$f"
> - done
> + if [ $(uci -q get gateway. at dns[0].dnsdot) = 1 ]; then
Ich würde beide zu vergleichende Werte in Anführungszeichen setzen, damit sicher Strings verglichen werden, und keine Zahlen:
[ "$(uci -q get gateway. at dns[0].dnsdot)" = "1" ]
Ist aber in der Praxis wahrscheinlich ziemlich wurscht.
> + uci add_list dhcp. at dnsmasq[0].server="::1#5453"
> + uci add_list dhcp. at dnsmasq[0].server="127.0.0.1#5453"
> + uci set dhcp. at dnsmasq[0].noresolv="1"
> + while uci -q delete stubby. at resolver[0]; do :; done
Diese Zeile ist eigentlich der Grund, warum ich überhaupt eine Mail geschrieben habe:
Was tut die?
Für mich sieht das aus wie ein kompliziertes Äquivalent von
uci -q delete stubby. at resolver[0]
Beste Grüße
Adrian
> + if dnsservers=$(uci -q get gateway. at dns[0].server); then
> + for f in $dnsservers; do
> + type="$(echo $f | cut -d @ -f 1)"
> + uci set stubby.$type="resolver"
> + uci set stubby.$type.address="$(echo $f | cut
> -d @ -f 2)"
> + uci set stubby.$type.tls_auth_name="$(echo
> $f | cut -d @ -f 3)"
> + done
> + else
> + echo "WARNING: No DNS servers set!"
> + fi
> else
> - echo "WARNING: No DNS servers set!"
> + if dnsservers=$(uci -q get gateway. at dns[0].server); then
> + for f in $dnsservers; do
> + uci add_list dhcp. at dnsmasq[0].server=$f
> + uci add_list dhcp. at dnsmasq[0].server="/in-
> addr.arpa/$f"
> + uci add_list
> dhcp. at dnsmasq[0].server="/ip6.arpa/$f"
> + done
> + else
> + echo "WARNING: No DNS servers set!"
> + fi
> fi
> }
>
> apply() {
> uci commit dhcp
> + uci commit stubby
> }
>
> revert() {
> uci revert dhcp
> + uci revert stubby
> }
> --
> 2.11.0
-------------- nächster Teil --------------
Ein Dateianhang mit Binärdaten wurde abgetrennt...
Dateiname : openpgp-digital-signature.asc
Dateityp : application/pgp-signature
Dateigröße : 834 bytes
Beschreibung: nicht verfügbar
URL : <https://lists.freifunk.net/pipermail/franken-dev-freifunk.net/attachments/20200406/ba88d29f/attachment.sig>
Mehr Informationen über die Mailingliste franken-dev