From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Planning on how to improve DNS in IPFire
Date: Mon, 04 Nov 2019 12:12:37 +0000
Message-ID: <5A148BC3-C918-4148-B040-B39035A888E8@ipfire.org>

Hi,

> On 3 Nov 2019, at 18:52, Alexander Koch wrote:
>
> Hi,
>
> your suggestions sound good to me. Thank you for starting this. I've got two further suggestions / wishes:
>
> * Add a switch to the GUI to force Unbound to run in local recursor mode

The plan was to fall into recursor mode when no DNS servers are configured. Does that suffice?

> * Is there any simple way to integrate a "PiHole"-functionality? I've been running this for a while: https://github.com/sfeakes/ipfire-scripts#dns_blockersh (following this guide (in German): https://www.kuketz-blog.de/dns-adblocker-skript-fuer-ipfire-ipfire-teil2/)

I am not a fan of this. I do not get the problem this tries to solve. If you want to filter malware, use the IPS. If you want to filter ads, use the proxy, which has more insight and actual options to tell the clients that a website has been censored instead of breaking DNSSEC to block horrible websites.

The lists do not seem to be of an acceptable quality in my opinion, and this breaks DNSSEC.

How do we securely download these lists? There are no signatures on them, etc.

It creates more problems for me than I think it solves. Is anyone else in favour of this?

-Michael

>
> I can't make any promises on supporting the development of this right now though because of a lack of time ... :-(
>
> Regards, Alex
>
> On 31.10.19 at 16:13, Michael Tremer wrote:
>> Hello,
>>
>> I just had a conversation with Arne about our DNS setup right now. We see a couple of problems which have been ongoing for a long time and we have worked out how we are going to solve them. In this email, I would like to involve everybody else in this conversation and hopefully you people have some ideas how to make this even better!
>>
>> First of all we have some unreleased features:
>>
>> * Safe Search is implemented, but there is no UI to enable it
>> * We can force unbound to only use TCP which circumvents some problems with corrupted UDP packets. No UI either.
>>
>> Then we have our long test script which we have tweaked a lot but it is largely a black box for users and therefore does not work. I strongly believe that we need to get rid of it. Entirely.
>>
>> However, there are some other objectives that we would like to realise at the same time:
>>
>> * Being able to configure more than two name servers
>> * Lay a foundation for DNS over TLS
>> * Allow for users who really really really do not want any security to disable DNSSEC. For some reason they believe that the security is causing their DNS problems when it is usually not.
>> * Adopt some recommended configuration from DNS flag day (EDNS buffer size = 1232)
>> * Remove the many places where users can configure DNS servers depending on how they connect to the Internet (Static, DHCP, PPP, …)
>>
>> So the solution that we have come up with is as follows:
>>
>> * Remove automatic fallback to recursor mode. This seems to confuse people and they think that this is something bad. No idea why. People.
>> * Remove the test script.
>> * DNS servers can be configured on a new dns.cgi by the user. It will be a list which can hold as many DNS servers as you like.
>> * DNS servers will be stored in a CSV file and when we receive some from the ISP (via DHCP or PPP) we will add them and flag them as coming from the ISP
>> * There will be a switch to enable/disable using the ISP DNS servers
>> * We will remove the UI from the setup. That will result in people who use static not being able to configure any DNS servers during setup. We will compensate for that by changing to recursor mode when no DNS servers are known. That is the only thing we can do here since we do not want to ship a default list of DNS servers.
>>
>> This will simplify the whole DNS problem by only providing one UI for everyone regardless of how they connect to the Internet. The user has a lot more influence on what is being configured so there should be less of a chance of useless DNS servers there.
>>
>> Does anybody have any objections or additions to this?
>>
>> Since this is going to be a huge project I am looking for people who would like to join in and contribute their time :) Hands up!
>>
>> Best,
>> -Michael
>>
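An added illustration (not IPFire's code and not from this thread) of the selection logic sketched in the quoted plan: servers kept in a CSV with an ISP flag, a switch for using ISP-learned servers, and plain recursor mode when nothing usable remains. The CSV layout, the flag values "user"/"isp" and the function names are assumptions; the unbound options emitted (edns-buffer-size, tcp-upstream, module-config, forward-zone) are real.

```python
import csv
import io
from dataclasses import dataclass
from typing import List

# Recommended EDNS buffer size from DNS flag day, as named in the thread
EDNS_BUFFER_SIZE = 1232


@dataclass
class NameServer:
    address: str
    source: str  # assumed flag values: "user" (dns.cgi) or "isp" (DHCP/PPP)
    enabled: bool = True


def parse_servers(text: str) -> List[NameServer]:
    """Parse the assumed CSV layout: address,source,enabled (1 or 0)."""
    servers = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].lstrip().startswith("#"):
            continue
        source = row[1] if len(row) > 1 else "user"
        enabled = row[2] if len(row) > 2 else "1"
        servers.append(NameServer(row[0].strip(), source.strip().lower(), enabled.strip() == "1"))
    return servers


def select_servers(servers: List[NameServer], use_isp: bool) -> List[str]:
    """Apply the per-entry enable flag and the planned 'use ISP DNS servers' switch."""
    return [s.address for s in servers if s.enabled and (use_isp or s.source != "isp")]


def render_unbound_conf(servers, use_isp=True, dnssec=True, tcp_only=False) -> str:
    """Emit an unbound.conf fragment. With no usable upstream the forward-zone is
    omitted, so unbound resolves recursively itself (the plan's fallback)."""
    upstreams = select_servers(servers, use_isp)
    lines = ["server:", f"    edns-buffer-size: {EDNS_BUFFER_SIZE}"]
    if tcp_only:
        lines.append("    tcp-upstream: yes")  # the unreleased TCP-only feature
    if not dnssec:
        lines.append('    module-config: "iterator"')  # drops the validator module
    if upstreams:
        lines += ["", "forward-zone:", '    name: "."']
        lines += [f"    forward-addr: {addr}" for addr in upstreams]
    return "\n".join(lines) + "\n"


# Constructed sample: one user-entered server, one learned from the ISP, one disabled
SAMPLE_CSV = "# address,source,enabled\n192.0.2.53,user,1\n198.51.100.1,isp,1\n203.0.113.9,user,0\n"

if __name__ == "__main__":
    print(render_unbound_conf(parse_servers(SAMPLE_CSV), use_isp=False))
```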