From: Rachid Groeneveld
To: development@lists.ipfire.org
Subject: RE: Kicking off DNS-over-TLS
Date: Fri, 01 Feb 2019 20:59:13 +0000

Hi all,

So DNS blocking will break DNSSEC, can anyone educate me a little bit more on this? I thought that blocking requests would be pre-validation of the signatures. Schematically I thought it would look like this:

Client -> query name -> resolver checks if it should resolve

Then there are two options:

1. refuse -> domain is blocked, because it's in the block list
2. allow -> cache is tried, else the whole resolution flow will occur (either forwarder or root servers)

Just thinking out loud here, since I found some sites where people are using blocklists with unbound and they claim to be having DNSSEC enabled as well. Maybe that's something I can test, shouldn't be too hard to set up I think.

Also, since I moved to an APU2 I have my Banana Pi as lab material, so I would be able to set up a thing or two without interrupting my network.

Finally I now get what you mean with the recursor mode switch. I can imagine people would want to use the (fast) open forwarders, but it should be "fairly" easy to switch back to querying the root servers.

As said, tell me what's needed and I'll give it my best.

Cheers!

-----Original Message-----
From: Michael Tremer
Sent: Friday 1 February 2019 17:50
To: Rachid Groeneveld
Cc: IPFire: Development-List
Subject: Re: Kicking off DNS-over-TLS

Hey,

> On 31 Jan 2019, at 20:28, Rachid Groeneveld wrote:
>
> Hi Michael,
>
> I've tried to list the optimisations for DNS in the DNS hardening topic: https://forum.ipfire.org/viewtopic.php?f=27&t=21965
> At this moment I'm quite busy with additional studies, after work hours, so I haven't been tinkering much.
> I did put some time and effort in the WUI, but this is definitely on my radar. So if there's anything I can do to help, let me know.

There is probably loads to do. Let's first make a plan and collect what we need to do and then assign those things to individual people. Definitely there is loads of testing and documentation to do as well.

> As for configuration, I haven't even been tinkering much with Erik's UI page (shame on me!), but I do concur a single point of configuration is preferable. I got a bit lost a few months back, so knowing which setting overrides what could come in handy. This includes zone (domain) configuration and maybe even block lists (ads/malware).

Any blocking will break DNSSEC. I do not understand that someone wants to disable DNSSEC for this, but I guess that there are people out there who want to do it.

> As for the recursor switch, I thought that unbound was recursive by default. I recall unbound to be partially authoritative, but not fully (as in all functionality).

Yes, it is a recursor and only that. It has some authoritative features but they are very very limited and just to make life a bit easier, not to host an authoritative zone.

However, we usually configure it with a couple of upstream name servers. Then, it will only query those. If we do not give unbound any upstream servers (aka forwarders) it will contact the root DNS servers and walk down the tree to resolve any names. I kind of like that because it does not require you to trust anyone who operates one of those big resolvers out there.

> So, apart from being busy, I still can do stuff. Bear in mind that I'm no programmer, but given the right keywords I can find my way around software and be helpful in terms of testing/bug finding.

I am sure that there are plenty of other things to do, and fiddling a little bit with the scripting isn't really programming :) I am happy for you to contribute.

Best,
-Michael

> Cheers! Rachid
>
> -----Original Message-----
> From: Development On behalf of Michael Tremer
> Sent: Thursday 31 January 2019 19:18
> To: IPFire: Development-List
> Subject: Kicking off DNS-over-TLS
>
> Hello guys,
>
> So we have had many many conversations about DNS-over-TLS on this list and on the weekly phone calls. I would like to make a plan now to finally get this into the distribution. We have already ticked some boxes:
>
> * Unbound is there and compiled with support for DoT
> * OpenSSL 1.1.1 is in next - has TLSv1.3 - not essentially necessary but makes this faster
> * We have TCP Fast Open enabled in next
>
> Then there is a CGI from Erik which makes editing the upstream name servers really nice. Last time we talked about how to actually get that integrated into the whole lot of the other things. There are by now at least three different places where DNS servers are being configured. A fourth one will make things even more confusing than they are. I would like to get rid of the old ones and only use the new one then.
>
> We also will need some switches for some basic configuration:
>
> * DNS-over-TLS enforced? I think everyone who uses DoT wants this enabled
> * DNSSEC permissive mode - some requested this and I am still opposed to offering this, but hey
> * QNAME minimisation
> * Recursor mode?!
>
> I guess this can all be on the same CGI with the list of servers to use.
>
> Finally, we will have to update the initscript that checks DNS servers right now. It needs to be stripped down as much as possible because it is otherwise unmaintainable.
>
> This is my view on things right now. Status is about four weeks old. Maybe more things have happened in the meantime.
>
> I would like to coordinate how we are moving forward with this now. Hands up! :)
>
> There is basically no pressure on us to deliver this as soon as possible, but it is a nice feature and many have been asking for this. So maybe we can target Core Update 131 or earlier!
>
> -Michael
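The switches Michael lists (DoT enforced, DNSSEC permissive mode, QNAME minimisation, recursor vs. forwarder mode) and the blocklist question Rachid raises map onto a handful of unbound.conf options. The fragment below is an added example for readers of the thread, not IPFire's configuration and not code from anyone on the list; it assumes an unbound release with the tls-* options and the `address@port#authname` syntax for forward-addr. The LAN range, the upstream addresses and names, the blocked domain and all file paths are assumptions to be replaced with your own.

```conf
# Added example, not IPFire's configuration. Every address, name and path
# below is an assumption; substitute your own. Check with: unbound-checkconf
server:
    interface: 0.0.0.0
    access-control: 192.168.0.0/16 allow      # assumed LAN range

    # DNSSEC validation. The trust-anchor file is assumed to be kept
    # current by unbound-anchor (RFC 5011 rollover handling).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes

    # "DNSSEC permissive mode" from the thread: with "yes", unbound still
    # validates and logs, but hands bogus answers to clients instead of
    # SERVFAIL. This is the weaker setting; keep it at "no" unless you
    # deliberately want that behaviour.
    val-permissive-mode: no

    # QNAME minimisation (RFC 7816): each upstream only sees the labels
    # it needs to answer, instead of the full query name.
    qname-minimisation: yes

    # CA bundle used to authenticate DNS-over-TLS upstreams. Path assumed.
    tls-cert-bundle: "/etc/ssl/certs/ca-bundle.crt"

    # Blocklist entry (assumed domain). The NXDOMAIN is synthesised by
    # unbound and carries no RRSIGs, so a client that validates DNSSEC
    # itself will treat the answer as bogus if the real zone is signed.
    local-zone: "ads.example" always_nxdomain

# Forwarder mode with DNS-over-TLS enforced: all queries for "." go to the
# listed upstreams over TLS only (port 853), and the certificate must match
# the name after '#'. Addresses and name are assumptions.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.53@853#dns.example.net
    forward-addr: 2001:db8::53@853#dns.example.net

# Recursor mode is the absence of the forward-zone above: remove it and
# unbound walks the tree from the root servers itself, optionally seeded
# from a root hints file. Authoritative servers do not generally offer
# DoT, so the forward-tls-upstream enforcement has no counterpart here.
#     root-hints: "/var/lib/unbound/root.hints"
```

The two modes are mutually exclusive in practice: a `forward-zone` for `"."` sends everything to the forwarders, so a "recursor mode" switch in a web UI amounts to writing or omitting that stanza. The local-zone line illustrates the trade-off from the thread rather than resolving it: unbound itself remains a validating resolver, but the answers it fabricates for blocked names cannot be validated by anything downstream that checks signatures.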