From: ummeegge
To: development@lists.ipfire.org
Subject: Re: [Fwd: Re: request for info: unbound via https / tls]
Date: Tue, 11 Dec 2018 21:09:39 +0100
Message-ID: <5eeac2fe88cc4a956a4ef0ca680e2c08f2a222d6.camel@ipfire.org>

Hi Paul,

On Monday, 10.12.2018, 20:01 -0600, Paul Simmons wrote:
>
> Greetings, Erik.
>
> I am VERY pleased that you are pursuing DoT.
>
You're welcome, I like that feature too.

> I have a test environment prepared, and hope to test your changes on
> top of Core125 in the next few days.
>
Great. There are meanwhile two branches here. The first one is the sysconfig "USE_FORWARDER=0" one, which is fully working and in my opinion also easier/faster to test DoT/unbound for, let's say, a best-practice configuration. The current state can be found under the already linked Gitlab address. The second one now includes the WUI (I have stolen/misused dnsforward.cgi for this ;) but also DoT integration in the already existing /etc/unbound/forward.conf. In there, I patched the already existing 'write_forward_conf' function like Michael suggested -->

@@ -192,6 +195,27 @@
 (
 config_header
+ # Add DNS-over-TLS forwarder configuration
+
+ if [ -n "/var/ipfire/dnsforward/tlsconfig" ]; then
+ echo "# DNS-over-TLS configuration block"
+ echo "server:"
+ echo " tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt"
+ echo
+ echo "forward-zone:"
+ echo " name: \".\""
+ echo " forward-tls-upstream: yes"
+ fi
+
+ local enabled domain ip port remark
+ while IFS="," read -r enabled domain ip port remark; do
+ # Line must be enabled
+ [ "${enabled}" = "on" ] || continue
+ echo " forward-addr: ${ip}@${port}#${domain}"
+ done < /var/ipfire/dnsforward/tlsconfig
+
+ # DNS Forwarding
+ local insecure_zones="${INSECURE_ZONES}"
 local enabled zone server remark

as a first one; this one is currently highly experimental but does work so far and might be a possible way forward.

> I started this thread because my (one and only available) ISP mangles
> DNS on port 53, preventing DNSSEC with IPFire. I want to use my
> IPFire
> machine without applying https://gitlab.com/snippets/1706804 on each
> update.
>
Please check in general if DoT works for your use case.

> Please continue with your pursuits and development. I will schedule
> down time to test.
>
Let's see what we can all put together here :-). Great that you test all that too.

> Thanks, and best regards,
> Paul
>
Thank you too.

Best,

Erik
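Review bot: the guard `if [ -n "/var/ipfire/dnsforward/tlsconfig" ]; then` tests whether the literal path string is non-empty, which is always true, so the `server:` / `forward-zone:` block is written unconditionally; a file test such as `if [ -s /var/ipfire/dnsforward/tlsconfig ]; then` is what is intended. The `while ... done < /var/ipfire/dnsforward/tlsconfig` loop that follows also sits outside the `if`, so when the file does not exist the redirection fails with a shell error; moving the loop inside the same `if` covers both. Two more things to consider before this leaves the experimental stage: a tlsconfig file with no line set to `on` yields a `forward-zone:` for "." with `forward-tls-upstream: yes` but no `forward-addr:` at all, and the new `local enabled domain ip port remark` duplicates the existing `local enabled zone server remark` declaration of `enabled` and `remark` in the same function, which works in bash but could be folded into one declaration.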