From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Planning on how to improve DNS in IPFire
Date: Tue, 12 Nov 2019 13:42:08 +0000

Hello boys and girls,

Since conversation about this has calmed down, I assume that everyone has put in their two cents. Great!

I have now created a new umbrella bug on BZ to coordinate work on this feature, because I want to do as little as possible. Not because I am lazy, but I have a long TODO list which keeps getting longer and longer. And this is something that does not require me anyways.

So I have created many smaller tickets to break down the work and here is a little graph of them:

https://bugzilla.ipfire.org/showdependencygraph.cgi?id=12233&display=web&rankdir=TB

As you can see by those lines, they have dependencies and we should work on the bugs from top to bottom. Bugs that are on the same level can be worked on in parallel. That way, we break the work down to split across multiple people and everyone can work as independently as possible, which will save us time.

If you prefer a list view, click here: https://bugzilla.ipfire.org/showdependencytree.cgi?id=12233&hide_resolved=0

I have not assigned any bugs to anyone yet, apart from some where I already did the work. The rest is open for grabs. So go ahead and have a look at what you can do.

I suppose building the CGI file is Erik's task because he has basically done that already and we might only need to modify that. But before we come to that, we need to close some other bugs first.

I have a branch on my personal Git repository with my patches and would like to merge everything into that before we send the whole patchset to the development mailing list. It gets too confusing when there are too many revisions of the same patch.

Please let me know if I forgot to create a ticket for something, and go and grab them!

Best,
-Michael

> On 4 Nov 2019, at 17:23, Tom Rymes wrote:
>
> I do like the functionality and feature, though I can't speak to your concerns about list quality and such.
>
> Tom
>
> On 11/04/2019 7:12 AM, Michael Tremer wrote:
>> Hi,
>>> On 3 Nov 2019, at 18:52, Alexander Koch wrote:
>>>
>>> Hi,
>>>
>>> your suggestions sound good to me. Thank you for starting this. I've got two further suggestions / wishes:
>>>
>>> * Add a switch to the GUI to force Unbound to run in local recursor mode
>> The plan was to fall into recursor mode when no DNS servers are configured.
>> Does that suffice?
>>> * Is there any simple way to integrate a "PiHole" functionality? I've been running this for a while: https://github.com/sfeakes/ipfire-scripts#dns_blockersh (following this guide (in German): https://www.kuketz-blog.de/dns-adblocker-skript-fuer-ipfire-ipfire-teil2/)
>> I am not a fan of this. I do not get the problem this tries to solve. If you want to filter malware, use the IPS. If you want to filter ads, use the proxy, which has more insight and actual options to tell the clients that a website has been censored, instead of breaking DNSSEC to block horrible websites.
>> The lists do not seem to be of an acceptable quality in my opinion, and this breaks DNSSEC.
>> How do we securely download these lists? There are no signatures on them, etc.
>> It creates more problems for me than I think it solves.
>> Is anyone else in favour of this?
>> -Michael
>>>
>>> I can't make any promises on supporting the development of this right now though because of a lack of time ... :-(
>>>
>>> Regards, Alex
>>>
>>> On 31.10.19 at 16:13, Michael Tremer wrote:
>>>> Hello,
>>>> I just had a conversation with Arne about our DNS setup right now.
>>>> We see a couple of problems which have been ongoing for a long time and we have worked out how we are going to solve them. In this email, I would like to involve everybody else in this conversation and hopefully you people have some ideas how to make this even better!
>>>> First of all we have some unreleased features:
>>>> * Safe Search is implemented, but there is no UI to enable it
>>>> * We can force unbound to only use TCP, which circumvents some problems with corrupted UDP packets. No UI either.
>>>> Then we have our long test script which we have tweaked a lot, but it is largely a black box for users and therefore does not work. I strongly believe that we need to get rid of it. Entirely.
>>>> However, there are some other objectives that we would like to realise at the same time:
>>>> * Being able to configure more than two name servers
>>>> * Lay a foundation for DNS over TLS
>>>> * Allow users who really really really do not want any security to disable DNSSEC. For some reason they believe that the security is causing their DNS problems when it is usually not.
>>>> * Adopt some recommended configuration from DNS flag day (EDNS buffer size = 1232)
>>>> * Remove the many places where users can configure DNS servers depending on how they connect to the Internet (Static, DHCP, PPP, ...)
>>>> So the solution that we have come up with is as follows:
>>>> * Remove automatic fallback to recursor mode. This seems to confuse people and they think that this is something bad. No idea why. People.
>>>> * Remove the test script.
>>>> * DNS servers can be configured on a new dns.cgi by the user. It will be a list which can hold as many DNS servers as you like.
>>>> * DNS servers will be stored in a CSV file, and when we receive some from the ISP (via DHCP or PPP) we will add them and flag them as coming from the ISP
>>>> * There will be a switch to enable/disable using the ISP DNS servers
>>>> * We will remove the UI from the setup. That will result in people who use static not being able to configure any DNS servers during setup. We will compensate for that by changing to recursor mode when no DNS servers are known. That is the only thing we can do here since we do not want to ship a default list of DNS servers.
>>>> This will simplify the whole DNS problem by only providing one UI for everyone regardless of how they connect to the Internet. The user has a lot more influence on what is being configured, so there should be less of a chance of useless DNS servers there.
>>>> Does anybody have any objections or additions to this?
>>>> Since this is going to be a huge project I am looking for people who would like to join in and contribute their time :) Hands up!
>>>> Best,
>>>> -Michael
>>>>
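The proposal quoted above (a CSV list of name servers with an ISP flag, a switch for the ISP servers, recursor mode when nothing usable remains, and the EDNS buffer size and TCP-only options) can be sketched as a small config generator. The script below is an added example written for this page; it is not IPFire's code and not the implementation the tickets track. The CSV layout (address,source,enabled), the sample addresses, the function names and the on/off switches are all assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not IPFire code: derive the unbound upstream configuration
# from a DNS-server list following the rules proposed in the thread.
# Assumed CSV layout:  address,source,enabled
#   source  = "user" (entered on dns.cgi) or "isp" (learned via DHCP/PPP)
#   enabled = "on" or "off"

# Constructed sample input; the addresses are illustrative only.
SAMPLE_CSV='address,source,enabled
9.9.9.9,user,on
149.112.112.112,user,off
203.0.113.53,isp,on
198.51.100.53,isp,off'

# A list with no entries at all, e.g. right after a static setup.
HEADER_ONLY_CSV='address,source,enabled'

# select_nameservers CSV USE_ISP  -> prints one usable address per line.
# Disabled rows, and ISP-sourced rows while the ISP switch is off, are dropped.
select_nameservers() {
    printf '%s\n' "$1" | awk -F, -v use_isp="$2" '
        NR == 1 { next }                          # skip the header row
        $1 == "" || $3 != "on" { next }           # empty or disabled entry
        $2 == "isp" && use_isp != "on" { next }   # ISP servers only when allowed
        { print $1 }'
}

# unbound_mode CSV USE_ISP  -> "forward" if any server survives, else "recursor".
# There is no shipped default list, so with nothing usable we resolve from the
# root ourselves instead of forwarding to an unknown party.
unbound_mode() {
    if [ -n "$(select_nameservers "$1" "$2")" ]; then
        echo forward
    else
        echo recursor
    fi
}

# render_unbound_conf CSV USE_ISP FORCE_TCP  -> prints an unbound config fragment.
render_unbound_conf() {
    printf 'server:\n'
    printf '    edns-buffer-size: 1232\n'       # the DNS flag day value cited above
    if [ "${3:-off}" = on ]; then
        printf '    tcp-upstream: yes\n'        # the TCP-only switch from the thread
    fi
    if [ "$(unbound_mode "$1" "$2")" = forward ]; then
        printf 'forward-zone:\n'
        printf '    name: "."\n'
        select_nameservers "$1" "$2" | while read -r addr; do
            printf '    forward-addr: %s\n' "$addr"
        done
    fi
    # In recursor mode no forward-zone is emitted and unbound walks from the root hints.
}

# Stand-alone demo: ISP servers allowed, TCP-only off.
render_unbound_conf "$SAMPLE_CSV" on off
```

Toggling the second argument between on and off shows the ISP switch removing 203.0.113.53 from the forward-zone; feeding the header-only list yields a fragment without any forward-zone, i.e. the recursor fallback the proposal describes for a fresh static setup.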