public inbox for development@lists.ipfire.org
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Kicking off DNS-over-TLS
Date: Fri, 01 Feb 2019 16:56:18 +0000	[thread overview]
Message-ID: <DAF2CCC9-C0FE-4DB0-B627-03FBFB9CCA3C@ipfire.org> (raw)
In-Reply-To: <dcc8948e-fb56-9cfb-9afa-b6ba8bd90fa1@rymes.com>


Hey Tom,

> On 31 Jan 2019, at 20:50, Tom Rymes <trymes(a)rymes.com> wrote:
> 
> This is somewhat off-topic,

No it is not.

I have raised before that I want some things to be cleaned up first before we add more features. It makes things easier.

> but the discussion has reminded me of two related things that still need to be dealt with (though not before this topic is dealt with) are:
> 
> 1.) Configuration of Adapters and IP Address settings should be moved to the WUI, along with the DNS - having to go to the CLI for some things, but not others, is unintuitive.

This is slightly off-topic. I do not think that we will do this for IPFire 2 any more. It is a little bit complicated. It would be nice to have though.

I would rather prefer to move more towards IPFire 3 where this is working a lot better and we do not have any spaghetti code.

DNS should definitely move into the web UI - potentially only there. What are everyone’s thoughts on this?

> 2.) Unbound startup is still super-ugly if the configuration is wrong, or if the WAN link is down. God forbid you reboot a router to see if it resolves a no-internet situation - unbound hangs for multiple minutes (I think) while it tries every possible permutation of settings - this cannot be normal.

Yes, the initscript is basically not working. It works superbly in 90% of all cases. It is okay for another 5% because it is just slow, but it is just plain shit for the rest. That percentage is a little bit too high. I have been trying to work with people who ran into these problems, but I did not get anything back. They applied a quick workaround (which usually involved disabling DNSSEC) and that was it. There is nothing I can do.

DNS is terribly broken on some networks. ISPs do not pay much attention, which is probably why we have Google’s 8.8.8.8 in the first place.

The script needs to become shorter and perform fewer checks. However, some are just necessary to make sure that unbound does not fail later. Hopefully unbound has been improved in this regard lately and we can drop some of the checks. However, I do not have a good test environment where I can find out what it is that we can drop. Is anyone able to test this better than me?

Best,
-Michael

> Tom
> 
> On 01/31/2019 3:28 PM, Rachid Groeneveld wrote:
>> Hi Michael,
>> I've tried to list the optimisations for DNS in the DNS hardening topic: https://forum.ipfire.org/viewtopic.php?f=27&t=21965
>> At this moment I'm quite busy with additional studies, after work hours, so I haven't been tinkering much.
>> I did put some time and effort in the WUI, but this is definitely on my radar. So if there's anything I can do to help, let me know.
>> As for configuration, I haven't even been tinkering much with Erik's UI page (shame on me!), but I do concur a single point of configuration is preferable. I got a bit lost a few months back, knowing which setting overrides what could come in handy. This includes zone (domain) configuration and maybe even block lists (ads/malware).
>> As for the recursor switch, I thought that unbound was recursive by default. I recall unbound to be partial authoritative, but not full (as in all functionality).
>> So, apart from being busy, I still can do stuff. Bear in mind that I'm no programmer, but given the right keywords I can find my way around software and be helpful in terms of testing/bug finding.
>> Cheers! Rachid
>> -----Original message-----
>> From: Development <development-bounces(a)lists.ipfire.org> On behalf of Michael Tremer
>> Sent: Thursday, 31 January 2019 19:18
>> To: IPFire: Development-List <development(a)lists.ipfire.org>
>> Subject: Kicking off DNS-over-TLS
>> Hello guys,
>> So we have had many many conversations about DNS-over-TLS on this list and on the weekly phone calls, I would like to make a plan now to finally get this into the distribution. We have already ticked some boxes:
>> * Unbound is there and compiled with support for DoT
>> * OpenSSL 1.1.1 is in next - has TLSv1.3 - not essentially necessary but makes this faster
>> * We have TCP Fast Open enabled in next
>> Then there is a CGI from Erik which makes editing the upstream name servers really nice. Last time we talked about how to actually get that integrated into the whole lot of the other things. There are by now at least three different places where DNS servers are being configured. A fourth one will make things even more confusing than they are. I would like to get rid of the old ones and only use the new one then.
>> We also will need some switches for some basic configuration:
>> * DNS-over-TLS enforced? I think everyone who uses DoT wants this enabled
>> * DNSSEC permissive mode - some requested this and I am still opposed to offering this, but hey
>> * QNAME minimisation
>> * Recursor mode?!
>> I guess this can all be on the same CGI with the list of servers to use.
>> Finally, we will have to update the initscript that checks DNS servers right now. It needs to be stripped down as much as possible because it is otherwise unmaintainable.
>> This is my view on things right now. Status is about four weeks old. Maybe more things have happened in the meantime.
>> I would like to coordinate how we are moving forward with this now. Hands up! :)
>> There is basically no pressure on us to deliver this as soon as possible, but it is a nice feature and many have been asking for this. So maybe we can target Core Update 131 or earlier!
>> -Michael
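The four switches listed in the original mail (DoT enforced, DNSSEC permissive mode, QNAME minimisation, recursor mode) each map to a small piece of unbound configuration. The script below is an added example, not IPFire code or part of this thread: it renders the unbound.conf fragment a single settings page would produce from those switches. The setting names, the CA bundle path and the upstream addresses (RFC 5737 documentation addresses with example.net auth names) are constructed assumptions; the unbound directives themselves (qname-minimisation, val-permissive-mode, tls-cert-bundle, forward-tls-upstream, forward-addr with @port#authname) are real.

```shell
#!/bin/sh
# Added example (not IPFire's own code): turn the DNS settings switches
# discussed on the list into an unbound.conf fragment.

# on/off switch -> yes/no as unbound expects it
yesno() {
    if [ "$1" = on ]; then echo yes; else echo no; fi
}

# render_unbound_conf DOT_ENFORCED DNSSEC_PERMISSIVE QNAME_MIN RECURSOR_MODE "UPSTREAMS"
# UPSTREAMS is a space separated list of IP[@port#authname] entries.
render_unbound_conf() {
    dot="$1"; permissive="$2"; qmin="$3"; recursor="$4"; upstreams="$5"

    echo "server:"
    echo "  qname-minimisation: $(yesno "$qmin")"
    # Permissive mode only marks bogus answers as insecure instead of
    # refusing them, so validation failures no longer break resolution.
    echo "  val-permissive-mode: $(yesno "$permissive")"
    if [ "$dot" = on ]; then
        # Path is an assumption; unbound needs a CA bundle to verify the
        # certificate of the DoT upstream against the configured auth name.
        echo "  tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt"
    fi

    # Recursor mode: no forward-zone at all, unbound resolves from the root.
    if [ "$recursor" = on ]; then
        return 0
    fi

    echo "forward-zone:"
    echo '  name: "."'
    echo "  forward-tls-upstream: $(yesno "$dot")"
    for up in $upstreams; do
        if [ "$dot" = on ]; then
            # With DoT enforced, an upstream without port 853 and an auth
            # name cannot be authenticated, so it is dropped rather than
            # silently used in the clear.
            case "$up" in
                *@853#*) echo "  forward-addr: $up" ;;
                *)       echo "  # skipped $up: DoT enforced but no @853#authname" ;;
            esac
        else
            # Plain DNS: use the address only, drop any TLS decoration.
            echo "  forward-addr: ${up%%@*}"
        fi
    done
}

# Constructed sample settings as a web UI might store them.
DOT_ENFORCED=on
DNSSEC_PERMISSIVE=off
QNAME_MIN=on
RECURSOR_MODE=off
UPSTREAMS="192.0.2.53@853#dns.example.net 198.51.100.53"

render_unbound_conf "$DOT_ENFORCED" "$DNSSEC_PERMISSIVE" "$QNAME_MIN" "$RECURSOR_MODE" "$UPSTREAMS"
```

Piping the output into `unbound-checkconf` before writing it to the live configuration catches the syntax problems the initscript otherwise has to discover at start-up; switching recursor mode on simply omits the forward-zone, which is how unbound falls back to full recursion.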
