From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Kicking off DNS-over-TLS
Date: Fri, 01 Feb 2019 16:56:18 +0000

Hey Tom,

> On 31 Jan 2019, at 20:50, Tom Rymes wrote:
>
> This is somewhat off-topic,

No it is not. I have raised before that I want some things to be cleaned up first before we add more features. It makes things easier.

> but the discussion has reminded me of two related things that still need to be dealt with (though not before this topic is dealt with) are:
>
> 1.) Configuration of Adapters and IP Address settings should be moved to the WUI, along with the DNS - having to go to the CLI for some things, but not others, is unintuitive.

This is slightly off-topic. I do not think that we will do this for IPFire 2 any more. It is a little bit complicated. It would be nice to have though.

I would rather prefer to move more towards IPFire 3 where this is working a lot better and we do not have any spaghetti code.

DNS should definitely move into the web UI - potentially only there. What are everyone's thoughts on this?

> 2.) Unbound startup is still super-ugly if the configuration is wrong, or if the WAN link is down. God forbid you reboot a router to see if it resolves a no-internet situation - unbound hangs for multiple minutes (I think) while it tries every possible permutation of settings - this cannot be normal.

Yes, the initscript is basically not working. It works superbly in 90% of all cases. It is okay for another 5% because it is just slow, but it is just plain shit for the rest. That percentage is a little bit too high.
I have been trying to work with people who ran into these problems, but I did not get anything back. They applied a quick workaround (which usually involved disabling DNSSEC) and that was it. There is nothing I can do.

DNS is terribly broken on some networks. ISPs do not pay much attention, which is probably why we have Google's 8.8.8.8 in the first place.

The script needs to become shorter and perform fewer checks. However, some are just necessary to make sure that unbound does not fail later. Hopefully unbound has been improved in this regard lately and we can drop some of the checks. However, I do not have a good test environment where I can find out what that could be, what we can drop. Is anyone able to test this better than me?

Best,
-Michael

> Tom
>
> On 01/31/2019 3:28 PM, Rachid Groeneveld wrote:
>> Hi Michael,
>> I've tried to list the optimisations for DNS in the DNS hardening topic: https://forum.ipfire.org/viewtopic.php?f=27&t=21965
>> At this moment I'm quite busy with additional studies, after work hours, so I haven't been tinkering much.
>> I did put some time and effort in the WUI, but this is definitely on my radar. So if there's anything I can do to help, let me know.
>> As for configuration, I haven't even been tinkering much with Erik's UI page (shame on me!), but I do concur a single point of configuration is preferable. I got a bit lost a few months back, knowing which setting overrides what could come in handy. This includes zone (domain) configuration and maybe even block lists (ads/malware).
>> As for the recursor switch, I thought that unbound was recursive by default. I recall unbound to be partially authoritative, but not full (as in all functionality).
>> So, apart from being busy, I still can do stuff. Bear in mind that I'm no programmer, but given the right keywords I can find my way around software and be helpful in terms of testing/bug finding.
>> Cheers!
>> Rachid
>> -----Original message-----
>> From: Development On behalf of Michael Tremer
>> Sent: Thursday, 31 January 2019 19:18
>> To: IPFire: Development-List
>> Subject: Kicking off DNS-over-TLS
>> Hello guys,
>> So we have had many many conversations about DNS-over-TLS on this list and on the weekly phone calls, I would like to make a plan now to finally get this into the distribution. We have already ticked some boxes:
>> * Unbound is there and compiled with support for DoT
>> * OpenSSL 1.1.1 is in next - has TLSv1.3 - not essentially necessary but makes this faster
>> * We have TCP Fast Open enabled in next
>> Then there is a CGI from Erik which makes editing the upstream name servers really nice. Last time we talked about how to actually get that integrated into the whole lot of the other things. There are by now at least three different places where DNS servers are being configured. A fourth one will make things even more confusing than they are. I would like to get rid of the old ones and only use the new one then.
>> We also will need some switches for some basic configuration:
>> * DNS-over-TLS enforced? I think everyone who uses DoT wants this enabled
>> * DNSSEC permissive mode - some requested this and I am still opposed to offering this, but hey
>> * QNAME minimisation
>> * Recursor mode?!
>> I guess this can all be on the same CGI with the list of servers to use.
>> Finally, we will have to update the initscript that checks DNS servers right now. It needs to be stripped down as much as possible because it is otherwise unmaintainable.
>> This is my view on things right now. Status is about four weeks old. Maybe more things have happened in the meantime.
>> I would like to coordinate how we are moving forward with this now. Hands up! :)
>> There is basically no pressure on us to deliver this as soon as possible, but it is a nice feature and many have been asking for this. So maybe we can target Core Update 131 or earlier!
>> -Michael
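The four switches Michael lists in the original mail (DoT enforced, DNSSEC permissive mode, QNAME minimisation, recursor mode) each correspond to an unbound option. The fragment below is an added example, not IPFire's own unbound.conf or initscript; the upstream address, the TLS authentication name and the file paths are placeholders that a deployment would replace.

```conf
# Added example (not IPFire's configuration): the thread's four switches
# expressed as unbound options. Upstream address, auth name and paths
# are placeholders, not recommendations.
server:
    # CA bundle used to verify the upstream's TLS certificate; without
    # it, the "#name" pin on forward-addr below cannot be checked.
    # Path is distribution-specific.
    tls-cert-bundle: "/etc/ssl/certs/ca-bundle.crt"

    # QNAME minimisation switch: send each upstream only the labels it
    # needs (RFC 7816). "strict" additionally refuses to fall back to
    # full names when a server mishandles minimised queries, which can
    # break resolution on broken zones.
    qname-minimisation: yes
    qname-minimisation-strict: no

    # DNSSEC permissive mode switch: "yes" logs a failed validation but
    # still hands the (unverified) answer to the client, which is why
    # Michael is reluctant to offer it. "no" enforces validation.
    val-permissive-mode: no
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

# Recursor mode switch: with no forward-zone for "." unbound resolves
# from the root servers itself. The section below turns it into a
# forwarder instead; delete it for full recursor mode.
forward-zone:
    name: "."
    # DoT enforced switch: every forwarded query goes over TLS on port
    # 853; queries are never sent in the clear if the TLS upstream is
    # unreachable, they simply fail.
    forward-tls-upstream: yes
    # "#name" pins the certificate name expected from this upstream.
    forward-addr: 192.0.2.53@853#dot.example.net
```

With this layout the recursor/forwarder choice is a single section, which is what makes the "same CGI with the list of servers" idea from the thread feasible: the CGI either emits the forward-zone or omits it.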