From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Kicking off DNS-over-TLS
Date: Fri, 01 Feb 2019 16:50:10 +0000

Hey,

> On 31 Jan 2019, at 20:28, Rachid Groeneveld wrote:
>
> Hi Michael,
>
> I've tried to list the optimisations for DNS in the DNS hardening topic: https://forum.ipfire.org/viewtopic.php?f=27&t=21965
> At this moment I'm quite busy with additional studies, after work hours, so I haven't been tinkering much.
> I did put some time and effort in the WUI, but this is definitely on my radar. So if there's anything I can do to help, let me know.

There is probably loads to do. Let's first make a plan and collect what we need to do and then assign those things to individual people. Definitely there is loads of testing and documentation to do as well.

> As for configuration, I haven't even been tinkering much with Erik's UI page (shame on me!), but I do concur a single point of configuration is preferable. I got a bit lost a few months back; knowing which setting overrides what could come in handy. This includes zone (domain) configuration and maybe even block lists (ads/malware).

Any blocking will break DNSSEC. I do not understand that someone wants to disable DNSSEC for this, but I guess that there are people out there who want to do it.

> As for the recursor switch, I thought that unbound was recursive by default. I recall unbound to be partially authoritative, but not fully (as in all functionality).

Yes, it is a recursor and only that. It has some authoritative features but they are very very limited and just to make life a bit easier, not to host an authoritative zone.

However, we usually configure it with a couple of upstream name servers. Then, it will only query those. If we do not give unbound any upstream servers (aka forwarders) it will contact the root DNS servers and walk down the tree to resolve any names. I kind of like that because it does not require you to trust anyone who operates one of those big resolvers out there.

> So, apart from being busy, I still can do stuff. Bear in mind that I'm no programmer, but given the right keywords I can find my way around software and be helpful in terms of testing/bug finding.

I am sure that there are plenty of other things to do, and fiddling a little bit with the scripting isn't really programming :) I am happy for you to contribute.

Best,
-Michael

> Cheers! Rachid
>
> -----Original message-----
> From: Development On behalf of Michael Tremer
> Sent: Thursday 31 January 2019 19:18
> To: IPFire: Development-List
> Subject: Kicking off DNS-over-TLS
>
> Hello guys,
>
> So we have had many many conversations about DNS-over-TLS on this list and on the weekly phone calls. I would like to make a plan now to finally get this into the distribution. We have already ticked some boxes:
>
> * Unbound is there and compiled with support for DoT
> * OpenSSL 1.1.1 is in next - has TLSv1.3 - not essentially necessary but makes this faster
> * We have TCP Fast Open enabled in next
>
> Then there is a CGI from Erik which makes editing the upstream name servers really nice. Last time we talked about how to actually get that integrated into the whole lot of the other things. There are by now at least three different places where DNS servers are being configured. A fourth one will make things even more confusing than they are. I would like to get rid of the old ones and only use the new one then.
>
> We also will need some switches for some basic configuration:
>
> * DNS-over-TLS enforced? I think everyone who uses DoT wants this enabled
> * DNSSEC permissive mode - some requested this and I am still opposed to offering this, but hey
> * QNAME minimisation
> * Recursor mode?!
>
> I guess this can all be on the same CGI with the list of servers to use.
>
> Finally, we will have to update the initscript that checks DNS servers right now. It needs to be stripped down as much as possible because it is otherwise unmaintainable.
>
> This is my view on things right now. Status is about four weeks old. Maybe more things have happened in the meantime.
>
> I would like to coordinate how we are moving forward with this now. Hands up! :)
>
> There is basically no pressure on us to deliver this as soon as possible, but it is a nice feature and many have been asking for this. So maybe we can target Core Update 131 or earlier!
>
> -Michael
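The four switches from the list above (DoT enforced, DNSSEC permissive mode, QNAME minimisation, recursor mode) expressed as unbound.conf options, as an added illustration that is not IPFire's own configuration: the upstream 192.0.2.53 and its authentication name resolver.example are placeholders, and the trust-anchor and CA-bundle paths are assumptions.

```conf
# Added example, not IPFire's shipped unbound.conf. Paths and the upstream are placeholders.
server:
    # DNSSEC validation; the trust anchor path is an assumption for this example.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # "DNSSEC permissive mode": with val-permissive-mode: yes unbound still validates
    # but returns answers that FAIL validation instead of SERVFAIL. Keep it at "no"
    # so a forged or locally blocked answer is never handed to clients as if it were valid.
    val-permissive-mode: no

    # QNAME minimisation: send each upstream only as much of the name as it needs.
    qname-minimisation: yes

    # CA bundle used to authenticate DoT upstreams (path is an assumption).
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Forwarder mode with DNS-over-TLS enforced: every query for every name goes to the
# listed upstream, TLS only (port 853), and only if its certificate matches the name
# after '#'. There is no cleartext fallback.
forward-zone:
    name: "."
    forward-addr: 192.0.2.53@853#resolver.example   # placeholder upstream
    forward-tls-upstream: yes
    forward-first: no

# Recursor mode: drop the forward-zone above entirely. Without forwarders unbound starts
# at the root servers (built-in hints) and walks down the tree itself, so no third-party
# resolver has to be trusted; note that this upstream traffic is then plain DNS, not DoT.
```

With `forward-first: no`, a failing or unreachable TLS upstream yields SERVFAIL rather than a silent fall back to recursion over cleartext, which is what "DoT enforced" means in practice.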