From: Tom Rymes
To: development@lists.ipfire.org
Subject: Re: Planning on how to improve DNS in IPFire
Date: Mon, 04 Nov 2019 12:23:54 -0500
In-Reply-To: <5A148BC3-C918-4148-B040-B39035A888E8@ipfire.org>

I do like the functionality and feature, though I can't speak to your concerns about list quality and such.

Tom

On 11/04/2019 7:12 AM, Michael Tremer wrote:
> Hi,
>
>> On 3 Nov 2019, at 18:52, Alexander Koch wrote:
>>
>> Hi,
>>
>> your suggestions sound good to me. Thank you for starting this. I've got two further suggestions / wishes:
>>
>> * Add a switch to the GUI to force Unbound to run in local recursor mode
>
> The plan was to fall into recursor mode when no DNS servers are configured.
>
> Does that suffice?
>
>> * Is there any simple way to integrate a "PiHole" functionality? I've been running this for a while: https://github.com/sfeakes/ipfire-scripts#dns_blockersh (following this guide (in German): https://www.kuketz-blog.de/dns-adblocker-skript-fuer-ipfire-ipfire-teil2/)
>
> I am not a fan of this. I do not get the problem this tries to solve. If you want to filter malware, use the IPS. If you want to filter ads, use the proxy, which has more insight and actual options to tell the clients that a website has been censored instead of breaking DNSSEC to block horrible websites.
>
> The lists do not seem to be of an acceptable quality in my opinion, and this breaks DNSSEC.
>
> How do we securely download these lists? There are no signatures on them, etc.
>
> It creates more problems for me than I think it solves.
>
> Is anyone else in favour of this?
>
> -Michael
>
>>
>> I can't make any promises on supporting the development of this right now though because of a lack of time ... :-(
>>
>> Regards, Alex
>>
>> On 31.10.19 at 16:13, Michael Tremer wrote:
>>> Hello,
>>> I just had a conversation with Arne about our DNS setup right now.
>>> We see a couple of problems which have been ongoing for a long time, and we have worked out how we are going to solve them. In this email, I would like to involve everybody else in this conversation, and hopefully you people have some ideas how to make this even better!
>>> First of all we have some unreleased features:
>>> * Safe Search is implemented, but there is no UI to enable it
>>> * We can force unbound to only use TCP, which circumvents some problems with corrupted UDP packets. No UI either.
>>> Then we have our long test script which we have tweaked a lot, but it is largely a black box for users and therefore does not work. I strongly believe that we need to get rid of it. Entirely.
>>> However, there are some other objectives that we would like to realise at the same time:
>>> * Being able to configure more than two name servers
>>> * Lay a foundation for DNS over TLS
>>> * Allow for users who really really really do not want any security to disable DNSSEC. For some reason they believe that the security is causing their DNS problems when it is usually not.
>>> * Adopt some recommended configuration from DNS flag day (EDNS buffer size = 1232)
>>> * Remove the many places where users can configure DNS servers depending on how they connect to the Internet (Static, DHCP, PPP, …)
>>> So the solution that we have come up with is as follows:
>>> * Remove automatic fallback to recursor mode. This seems to confuse people and they think that this is something bad. No idea why. People.
>>> * Remove the test script.
>>> * DNS servers can be configured on a new dns.cgi by the user. It will be a list which can hold as many DNS servers as you like.
>>> * DNS servers will be stored in a CSV file, and when we receive some from the ISP (via DHCP or PPP) we will add them and flag them as coming from the ISP
>>> * There will be a switch to enable/disable using the ISP DNS servers
>>> * We will remove the UI from the setup. That will result in people who use static not being able to configure any DNS servers during setup. We will compensate for that by changing to recursor mode when no DNS servers are known. That is the only thing we can do here since we do not want to ship a default list of DNS servers.
>>> This will simplify the whole DNS problem by only providing one UI for everyone regardless of how they connect to the Internet. The user has a lot more influence on what is being configured, so there should be less of a chance of useless DNS servers there.
>>> Does anybody have any objections or additions to this?
>>> Since this is going to be a huge project I am looking for people who would like to join in and contribute their time :) Hands up!
>>> Best,
>>> -Michael
>>>
>
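The thread above describes the intended DNS design in words only. As an added illustration, not part of the mailing-list thread and not IPFire's shipped configuration, the fragment below expresses the same points (recursor mode when no servers are known, the optional forwarder list, TCP-only upstream, the DNS flag day EDNS buffer size, the DNSSEC opt-out, and the hook for DNS over TLS) in Unbound's own unbound.conf syntax. File paths, the network ranges and the 192.0.2.53 address (an RFC 5737 documentation address) are placeholders standing in for whatever dns.cgi and the CSV list would generate.

```conf
# Added example, not IPFire's unbound.conf. Placeholders: paths, the LAN
# range, and 192.0.2.53 / dns.example.net for an entry of the server list.

server:
    interface: 0.0.0.0
    access-control: 192.168.0.0/16 allow      # placeholder LAN range
    access-control: 0.0.0.0/0 refuse

    # DNS flag day recommendation: a 1232-byte EDNS buffer keeps UDP answers
    # below the size at which IP fragmentation (and the corrupted-UDP
    # trouble the thread mentions) starts.
    edns-buffer-size: 1232

    # The "force TCP only" feature from the thread: send every upstream query
    # over TCP. Leave at "no" (the default) unless UDP on the uplink is
    # actually broken, since TCP costs an extra round trip per query.
    tcp-upstream: no

    # DNSSEC stays on by default; the root trust anchor is kept up to date
    # by Unbound itself (RFC 5011 rollover).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes

    # The explicit "disable DNSSEC" opt-out. With val-permissive-mode Unbound
    # still validates and logs, but returns bogus answers instead of SERVFAIL
    # (and never sets the AD bit on them). Removing the validator module
    # entirely (module-config: "iterator") switches validation off for good.
    #val-permissive-mode: yes

    # Foundation for DNS over TLS: the CA bundle used to verify the upstream
    # server's certificate against the name given after "#" below.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Case A, no DNS servers configured: no forward-zone at all, so Unbound
# recurses from the root servers on its own ("recursor mode"). That is what
# this file does as long as the blocks below stay commented out.

# Case B, servers present on dns.cgi: one forward-zone for "." carrying every
# entry of the list (ISP-supplied ones included only when the "use ISP DNS
# servers" switch is on). Plain DNS on port 53:
#forward-zone:
#    name: "."
#    forward-addr: 192.0.2.53                      # placeholder entry

# Case C, the same list over DNS over TLS: port 853, and the hostname after
# "#" is what the server certificate must match.
#forward-zone:
#    name: "."
#    forward-tls-upstream: yes
#    forward-addr: 192.0.2.53@853#dns.example.net  # placeholder entry
```

Before reloading, `unbound-checkconf` on the generated file catches syntax errors, and a query with `dig +dnssec` through the resolver shows whether the AD bit is still being set, which is the quickest way to confirm that a configuration regenerated from the CSV list has not silently dropped validation.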