From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject:
 Re: [PATCH] unbound: Add option to force using TCP for upstream servers
Date: Tue, 01 Oct 2019 12:37:52 +0100
Message-ID: <63B37C05-1BE2-4868-9CEB-36ADE4654883@ipfire.org>
In-Reply-To: <20191001113259.17455-1-michael.tremer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6175590724183058728=="
List-Id: <development.lists.ipfire.org>

--===============6175590724183058728==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Please ignore this patch.

Version 2 has been submitted which fixes an incorrect variable name.

-Michael

> On 1 Oct 2019, at 12:32, Michael Tremer <michael.tremer(a)ipfire.org> wrote:
>=20
> Some users have problems to reach DNS servers. This change adds an option
> which allows to force using TCP for upstream name servers.
>=20
> This is a good workaround for users behind a broken Fritz!Box in modem
> mode which does not allow resolving any records of the root zone.
>=20
> The name server tests in the script will also only use TCP.
>=20
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
> src/initscripts/system/unbound | 40 ++++++++++++++++++++++++++++++----------
> 1 file changed, 30 insertions(+), 10 deletions(-)
>=20
> diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
> index dbcfc951f..bec2ab6ef 100644
> --- a/src/initscripts/system/unbound
> +++ b/src/initscripts/system/unbound
> @@ -15,6 +15,7 @@ TEST_DOMAIN_FAIL=3D"dnssec-failed.org"
> INSECURE_ZONES=3D
> USE_FORWARDERS=3D1
> ENABLE_SAFE_SEARCH=3Doff
> +FORCE_TCP=3Doff
>=20
> # Cache any local zones for 60 seconds
> LOCAL_TTL=3D60
> @@ -25,6 +26,12 @@ EDNS_DEFAULT_BUFFER_SIZE=3D4096
> # Load optional configuration
> [ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound
>=20
> +DIG_ARGS=3D()
> +
> +if [ "${FORCE_TCP}" =3D "on" ]; then
> +	DIG_ARGS+=3D( "+tcp" )
> +fi
> +
> ip_address_revptr() {
> 	local addr=3D${1}
>=20
> @@ -199,6 +206,14 @@ write_forward_conf() {
> 	(
> 		config_header
>=20
> +		# Force using TCP for upstream servers only
> +		if [ "${FORCE_TCP}" =3D "on" ]; then
> +			echo "# Force using TCP for upstream servers only"
> +			echo "server:"
> +			echo "	tcp-upstream: yes"
> +			echo
> +		fi
> +
> 		local insecure_zones=3D"${INSECURE_ZONES}"
>=20
> 		local enabled zone server servers remark disable_dnssec rest
> @@ -391,7 +406,7 @@ ns_is_online() {
> 	local ns=3D${1}
> 	shift
>=20
> -	dig @${ns} +nodnssec A ${TEST_DOMAIN} $@ >/dev/null
> +	dig "${DIG_ARGS[@]}" @${ns} +nodnssec A ${TEST_DOMAIN} $@ >/dev/null
> }
>=20
> # Resolving ${TEST_DOMAIN_FAIL} will fail if the nameserver is validating
> @@ -399,11 +414,11 @@ ns_is_validating() {
> 	local ns=3D${1}
> 	shift
>=20
> -	if ! dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL; then
> +	if ! dig "${DIG_ARGS[@]}" @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVF=
AIL; then
> 		return 1
> 	else
> 		# Determine if NS replies with "ad" data flag if DNSSEC enabled
> -		dig @${ns} +dnssec SOA ${TEST_DOMAIN} $@ | awk -F: '/\;\;\ flags\:/ { s=
=3D1; if (/\ ad/) s=3D0; exit s }'
> +		dig "${DIG_ARGS[@]}" @${ns} +dnssec SOA ${TEST_DOMAIN} $@ | awk -F: '/\;=
\;\ flags\:/ { s=3D1; if (/\ ad/) s=3D0; exit s }'
> 	fi
> }
>=20
> @@ -413,28 +428,33 @@ ns_forwards_DNSKEY() {
> 	local ns=3D${1}
> 	shift
>=20
> -	dig @${ns} DNSKEY ${TEST_DOMAIN} $@ | grep -qv SOA
> +	dig "${DIG_ARGS[@]}" @${ns} DNSKEY ${TEST_DOMAIN} $@ | grep -qv SOA
> }
>=20
> ns_forwards_DS() {
> 	local ns=3D${1}
> 	shift
>=20
> -	dig @${ns} DS ${TEST_DOMAIN} $@ | grep -qv SOA
> +	dig "${DIG_ARGS[@]}" @${ns} DS ${TEST_DOMAIN} $@ | grep -qv SOA
> }
>=20
> ns_forwards_RRSIG() {
> 	local ns=3D${1}
> 	shift
>=20
> -	dig @${ns} +dnssec A ${TEST_DOMAIN} $@ | grep -q RRSIG
> +	dig "${DIG_ARGS[@]}" @${ns} +dnssec A ${TEST_DOMAIN} $@ | grep -q RRSIG
> }
>=20
> ns_supports_tcp() {
> 	local ns=3D${1}
> 	shift
>=20
> -	dig @${ns} +tcp A ${TEST_DOMAIN} $@ >/dev/null || return 1
> +	# If TCP is forced we know by now if the server responds to it
> +	if [ "${TCP_TUNNEL}" =3D "on" ]; then
> +		return 0
> +	fi
> +
> +	dig "${DIG_ARGS[@]}" @${ns} +tcp A ${TEST_DOMAIN} $@ >/dev/null || return=
 1
> }
>=20
> ns_determine_edns_buffer_size() {
> @@ -443,7 +463,7 @@ ns_determine_edns_buffer_size() {
>=20
> 	local b
> 	for b in 4096 2048 1500 1480 1464 1400 1280 512; do
> -		if dig @${ns} +dnssec +bufsize=3D${b} A ${TEST_DOMAIN} $@ >/dev/null; th=
en
> +		if dig "${DIG_ARGS[@]}" @${ns} +dnssec +bufsize=3D${b} A ${TEST_DOMAIN} =
$@ >/dev/null; then
> 			echo "${b}"
> 			return 0
> 		fi
> @@ -464,7 +484,7 @@ get_root_nameservers() {
> can_resolve_root() {
> 	local ns
> 	for ns in $(get_root_nameservers); do
> -		if dig @${ns} +dnssec SOA . $@ >/dev/null; then
> +		if dig "${DIG_ARGS[@]}" @${ns} +dnssec SOA . $@ >/dev/null; then
> 			return 0
> 		fi
> 	done
> @@ -514,7 +534,7 @@ resolve() {
> 	local ns
> 	for ns in $(read_name_servers); do
> 		local answer
> -		for answer in $(dig +short "@${ns}" A "${hostname}"); do
> +		for answer in $(dig "${DIG_ARGS[@]}" +short "@${ns}" A "${hostname}"); do
> 			found=3D1
>=20
> 			# Filter out non-IP addresses
> --=20
> 2.12.2
>=20


--===============6175590724183058728==--