public inbox for development@lists.ipfire.org
From: ummeegge <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [Fwd: Re: request for info: unbound via https / tls]
Date: Tue, 11 Dec 2018 21:09:39 +0100
Message-ID: <5eeac2fe88cc4a956a4ef0ca680e2c08f2a222d6.camel@ipfire.org>
In-Reply-To: <dc899921b0fcb812bb8a215eb7c71d073fb904a2.camel@gmail.com>


Hi Paul,

On Monday, 10.12.2018, 20:01 -0600, Paul Simmons wrote:
> 
> Greetings, Erik.
> 
> I am VERY pleased that you are pursuing DoT.
> 
You're welcome, I like that feature too.

> I have a test environment prepared, and hope to test your changes on
> top of Core125 in the next few days.
> 
Great. There are meanwhile two branches here.

The first one is the sysconfig "USE_FORWARDER=0" one which is fully
working and in my opinion also easier/faster to test DoT/unbound for,
let's say, best practice configuration. Current state can be found
under the already linked Gitlab address.

The second one now includes the WUI (have stolen/misused dnsforward.cgi
for this ;) but also DoT integration in the already existing
/etc/unbound/forward.conf. In there, I have now patched the already
existing 'write_forward_conf' function like Michael suggested -->

@@ -192,6 +195,27 @@
 	(
 		config_header
 
+		# Add DNS-over-TLS forwarder configuration
+
+		if [ -n "/var/ipfire/dnsforward/tlsconfig" ]; then
+			echo "# DNS-over-TLS configuration block"
+			echo "server:"
+			echo "    tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt"
+			echo
+			echo "forward-zone:"
+			echo "    name: \".\""
+			echo "    forward-tls-upstream: yes"
+		fi
+
+		local enabled domain ip port remark
+		while IFS="," read -r enabled domain ip port remark; do
+			# Line must be enabled
+			[ "${enabled}" = "on"  ] || continue
+			echo "    forward-addr: ${ip}@${port}#${domain}"
+		done < /var/ipfire/dnsforward/tlsconfig
+
+		# DNS Forwarding
+
 		local insecure_zones="${INSECURE_ZONES}"
 
 		local enabled zone server remark
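Review bot: the guard `if [ -n "/var/ipfire/dnsforward/tlsconfig" ]; then` tests whether a non-empty string literal is non-empty, which is always true, so the `server:` / `forward-zone:` header is emitted unconditionally while the unguarded `done < /var/ipfire/dnsforward/tlsconfig` a few lines later aborts the subshell with a redirection error when the file does not exist yet. Use `if [ -s /var/ipfire/dnsforward/tlsconfig ]; then` (or `-f`) and move the `while ... read` loop inside that `if`, so the `forward-addr:` lines and the `forward-tls-upstream: yes` header are only ever written together. Two smaller points in the same hunk: `echo "    forward-addr: ${ip}@${port}#${domain}"` produces `ip@#domain` when the port field of a line is empty, so default it (`: "${port:=853}"`) before the echo; and `local enabled domain ip port remark` redeclares `enabled` and `remark` that the existing `local enabled zone server remark` below declares again, which bash tolerates but which is cleaner as one declaration.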


as a first one, this one is currently highly experimental but does work
until now and might be a possible way further.


> I started this thread because my (one and only available) ISP mangles
> DNS on port 53, preventing DNSSEC with IPFire.  I want to use my
> IPFire
> machine without applying https://gitlab.com/snippets/1706804 on each
> update.
> 
Please check in general if DoT works for your use case.


> Please continue with your pursuits and development. I will schedule
> down time to test.
> 
Let's see what we can all stick together in here :-) . Great that you
test all that too.


> Thanks, and best regards,
> Paul
> 

Thank you too.

Best,

Erik

