[PATCH v2] fff-dhcp: Add DNS over TLS option inside the Freifunk backbone
Christian Dresel
fff at chrisi01.de
Mon Apr 6 22:23:20 CEST 2020
Hello Adrian
On 06.04.20 19:59, mail at adrianschmutzler.de wrote:
> Hello Christian,
>
> just a few dumb comments/questions:
>
>> -----Original Message-----
>> From: franken-dev [mailto:franken-dev-bounces at freifunk.net] On Behalf
>> Of Christian Dresel
>> Sent: Sunday, 5 April 2020 14:21
>> To: franken-dev at freifunk.net
>> Subject: [PATCH v2] fff-dhcp: Add DNS over TLS option inside the Freifunk
>> backbone
>>
>> With this option it is possible to make DoT (DNS over TLS) from the layer3
>> router to the DoT DNS Server.
>>
>> The DNS traffic from Client to the layer3 router is still uncryptet.
>
> uncryptet -> unencrypted
>
>>
>> On the layer 3 router, dnsmasq forward the DNS to stubby.
>
> forward -> forwards
>
>> Stubby use DoT to ask a resolver inside or outside the Freifunk backbone
>
> use -> uses; "ask a" -> "ask for a"
>
>>
>> For documentation for the options is here:
>
> "of the options"
>
>> https://wiki.freifunk-franken.de/w/Gatewayfirmware_Config/mit_stubby#dns_mit_DoT_.C3.BCber_stubby
>>
>> Signed-off-by: Christian Dresel <fff at chrisi01.de>
>>
>> ---
>>
>> Changes in v2:
>> - fix some quoting
>> - increase PKG_RELEASE
>> ---
>> src/packages/fff/fff-dhcp/Makefile | 5 ++--
>> .../fff/fff-dhcp/files/etc/gateway.d/35-dns | 33 +++++++++++++++++---
>> --
>> 2 files changed, 29 insertions(+), 9 deletions(-)
>>
>> diff --git a/src/packages/fff/fff-dhcp/Makefile b/src/packages/fff/fff-
>> dhcp/Makefile
>> index 3f0d65c..62e6c25 100644
>> --- a/src/packages/fff/fff-dhcp/Makefile
>> +++ b/src/packages/fff/fff-dhcp/Makefile
>> @@ -1,7 +1,7 @@
>> include $(TOPDIR)/rules.mk
>>
>> PKG_NAME:=fff-dhcp
>> -PKG_RELEASE:=2
>> +PKG_RELEASE:=3
>>
>> PKG_BUILD_DIR:=$(BUILD_DIR)/fff-dhcp
>>
>> @@ -12,7 +12,8 @@ define Package/fff-dhcp
>> CATEGORY:=Freifunk
>> TITLE:=Freifunk-Franken dhcp
>> URL:=http://www.freifunk-franken.de
>> - DEPENDS:=+dnsmasq
>> + DEPENDS:=+dnsmasq \
>> + +stubby
>> endef
>>
>> define Package/fff-dhcp/description
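Review bot: the new `+stubby` entry in DEPENDS is unconditional, so every router that installs fff-dhcp pulls in stubby (and what stubby itself depends on) even when `dnsdot` is never set on that router; if flash space on small layer3 devices matters, consider stating that cost in the commit message or keeping the DoT support in a separate package.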
>> diff --git a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
>> b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
>> index ad9f1cd..89105f0 100644
>> --- a/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
>> +++ b/src/packages/fff/fff-dhcp/files/etc/gateway.d/35-dns
>> @@ -1,21 +1,40 @@
>> configure() {
>> ## dns
>> uci -q del dhcp. at dnsmasq[0].server
>> - if dnsservers=$(uci -q get gateway. at dns[0].server); then
>> - for f in $dnsservers; do
>> - uci add_list dhcp. at dnsmasq[0].server=$f
>> - uci add_list dhcp. at dnsmasq[0].server="/in-
>> addr.arpa/$f"
>> - uci add_list dhcp. at dnsmasq[0].server="/ip6.arpa/$f"
>> - done
>> + if [ $(uci -q get gateway. at dns[0].dnsdot) = 1 ]; then
>
> I would put both values being compared in quotes, so that strings are definitely compared and not numbers:
>
> [ "$(uci -q get gateway. at dns[0].dnsdot)" = "1" ]
>
> In practice it probably doesn't matter much, though.
In the end there are many possibilities, I even thought about a
if uci -q get gateway. at dns[0].dnsdot; then
but in the end... doesn't matter.
>
>> + uci add_list dhcp. at dnsmasq[0].server="::1#5453"
>> + uci add_list dhcp. at dnsmasq[0].server="127.0.0.1#5453"
>> + uci set dhcp. at dnsmasq[0].noresolv="1"
>> + while uci -q delete stubby. at resolver[0]; do :; done
>
> This line is actually the reason I wrote a mail at all:
> What does it do?
> To me it looks like a complicated equivalent of
> uci -q delete stubby. at resolver[0]
Well, let's put it this way: my programming skills are about as good as
my English skills (damn, what can I actually do at all? German never
works out either... ah, Franconian would be something ;)), so I simply
helped myself from the OpenWRT wiki here:
https://openwrt.org/docs/guide-user/services/dns/dot_dnsmasq_stubby#dot_provider
so yes, presumably it does exactly the same thing.
Regards
Christian
>
> Best regards
>
> Adrian
>
>> + if dnsservers=$(uci -q get gateway. at dns[0].server); then
>> + for f in $dnsservers; do
>> + type="$(echo $f | cut -d @ -f 1)"
>> + uci set stubby.$type="resolver"
>> + uci set stubby.$type.address="$(echo $f | cut
>> -d @ -f 2)"
>> + uci set stubby.$type.tls_auth_name="$(echo
>> $f | cut -d @ -f 3)"
>> + done
>> + else
>> + echo "WARNING: No DNS servers set!"
>> + fi
>> else
>> - echo "WARNING: No DNS servers set!"
>> + if dnsservers=$(uci -q get gateway. at dns[0].server); then
>> + for f in $dnsservers; do
>> + uci add_list dhcp. at dnsmasq[0].server=$f
>> + uci add_list dhcp. at dnsmasq[0].server="/in-
>> addr.arpa/$f"
>> + uci add_list
>> dhcp. at dnsmasq[0].server="/ip6.arpa/$f"
>> + done
>> + else
>> + echo "WARNING: No DNS servers set!"
>> + fi
>> fi
>> }
>>
>> apply() {
>> uci commit dhcp
>> + uci commit stubby
>> }
>>
>> revert() {
>> uci revert dhcp
>> + uci revert stubby
>> }
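Review bot: the test `if [ $(uci -q get gateway.@dns[0].dnsdot) = 1 ]` breaks when `dnsdot` is not set at all: the command substitution expands to nothing, the shell sees `[ = 1 ]`, prints an error and only then falls through to the else branch. Quoting the expansion as suggested above, `[ "$(uci -q get gateway.@dns[0].dnsdot)" = "1" ]`, fixes that as well as the string/number ambiguity, so it is worth doing for the unset case and not only for style. On the `while uci -q delete stubby.@resolver[0]; do :; done` line: this is not equivalent to a single delete, it removes every resolver section, because uci renumbers the remaining sections after each delete and the loop stops only when no `@resolver[0]` is left; a one-line comment there would save the next reader the same question. In the DoT loop, an entry with only two fields (`type@address`) leaves `tls_auth_name` empty, so that resolver has no hostname to check the server certificate against; consider skipping such entries with a warning instead of creating them. The `127.0.0.1#5453` and `::1#5453` upstreams together with `noresolv=1` mean that clients get no DNS at all when stubby is not running; failing closed is the right behaviour for DoT, but it deserves a sentence in the commit message. Finally, the `if dnsservers=$(uci -q get gateway.@dns[0].server) ... else echo "WARNING: No DNS servers set!"` block is duplicated in both branches and could be hoisted above the `dnsdot` check.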
>> --
>> 2.11.0
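An added example, not part of the patch or of the fff-dhcp package, showing how the `type@address@tls_auth_name` entries described in the commit message above can be parsed with validation, so that an entry missing a field is rejected instead of becoming a stubby resolver without a hostname to verify the server certificate against. The helper names and the sample entries are constructed for illustration; the uci commands are printed, not executed.

```shell
#!/bin/sh
# Added example (not from the patch): parse one gateway.@dns[0].server
# entry of the form type@address@tls_auth_name, as the DoT branch of
# 35-dns expects, and refuse entries that are missing a field.
#
# parse_dot_server ENTRY
#   prints "type address tls_auth_name" and returns 0 for a valid entry,
#   prints nothing and returns 1 for a malformed one.
parse_dot_server() {
    entry="$1"
    type="${entry%%@*}"       # text before the first '@'
    rest="${entry#*@}"        # everything after the first '@'
    address="${rest%%@*}"     # text between the first and second '@'
    auth="${rest#*@}"         # everything after the second '@'
    # a missing '@' leaves the corresponding expansion unchanged,
    # which is how we detect entries with fewer than three fields
    [ -n "$type" ] || return 1
    [ "$rest" != "$entry" ] || return 1
    [ -n "$address" ] || return 1
    [ "$auth" != "$rest" ] || return 1
    [ -n "$auth" ] || return 1
    # exactly three fields, and the section name must be a UCI identifier
    case "$auth" in *@*) return 1 ;; esac
    case "$type" in *[!A-Za-z0-9_]*) return 1 ;; esac
    printf '%s %s %s\n' "$type" "$address" "$auth"
}

# stubby_uci_commands ENTRY
#   prints the three uci commands 35-dns runs per resolver for a valid
#   entry; prints a warning and returns 1 for a malformed entry.
stubby_uci_commands() {
    fields="$(parse_dot_server "$1")" || {
        echo "WARNING: ignoring malformed DoT server entry '$1'"
        return 1
    }
    set -- $fields
    printf 'uci set stubby.%s=resolver\n' "$1"
    printf 'uci set stubby.%s.address=%s\n' "$1" "$2"
    printf 'uci set stubby.%s.tls_auth_name=%s\n' "$1" "$3"
}
```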
More information about the franken-dev mailing list