Re: Kicking off DNS-over-TLS

[ummeegge <ummeegge@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 5024 bytes --]

Hi all,

Am Donnerstag, den 31.01.2019, 18:17 +0000 schrieb Michael Tremer:
> Hello guys,
> 
> So we have had many many conversations about DNS-over-TLS on this
> list and on the weekly phone calls, I would like to make a plan now
> to finally get this into the distribution. We have already ticked
> some boxes:
> 
> * Unbound is there and compiled with support for DoT
> * OpenSSL 1.1.1 is in next - has TLSv1.3 - not essentially necessary
> but makes this faster
> * We have TCP Fast Open enabled in next
should we integrate knot (kdig) too ? Have compiled a minimal version
with kdig only. The only needed dependency was libedit (no need for
userspace and libmaxminddb). unbound serves also log entries for
authentication but this only in verb 5 which makes the logs a lot
bigger and some informations are also not available in that way.
Have pushed already the minimal version to Git which can be found in
here -->
https://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=726479fcf08f9f9d8f042c08b1ac98ca1a5ad182

> 
> Then there is a CGI from Erik which makes editing the upstream name
> servers really nice. Last time we talked about how to actually get
> that integrated into the whole lot of the other things. There is by
> now at least three different places where DNS servers are being
> configured. A fourth one will make things even more confusing as they
> are. I would like to get rid of the old ones and only use the new one
> then.
May this can be solved via an selection menu at the top of the CGI ? 
If yes what menu names should there be used ? May different CGI config
files can be produced but it might be nice if all are in one place, may
under /var/ipfire/dns ? 

> 
> We also will need some switches for some basic configuration:
> 
> * DNS-over-TLS enforced? I think everyone who uses DoT wants this
> enabled
There is always the need to know beneath the IP also the hostname while
configuration which is used for the verification of the TLS
certificate.

Syntax:
forward-addr: ip(a)port#hostname


> * DNSSEC permissive mode - some requested this and I am still opposed
> to offer this, but hey
> * QNAME minimisation
> * Recursor mode?!
> 
> I guess this can all be on the same CGI with the list of servers to
> use.
Via settings file under /var/ipfire/dns ?

> 
> Finally, we will have to update the initscript that checks DNS
> servers right now. It needs to be stripped down as much us possible
> because it is otherwise unmaintainable.
In the current version the whole update_forwarders() function is
disabled if DoT is active which might be a startpoint for that...

> 
> This is my view on things right now. Status is about four weeks old.
> Maybe more things have happened in the meantime.
Have pushed the current development state which can be found in here 
-->
https://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=ae1bc6ec1ffd0cf273d4bd016916bcf7e7d0be82

have had not that much time the last days and it is currently also not
that much available but i was working on a in- uninstaller for the
whole 'DoT with WUI' thing in hope to get some more testers which can
be found in here -->
https://gitlab.com/ummeegge/dot-for-ipfire/tree/master/dot_wui 
this one is also announced in the IPFire forum -->
https://forum.ipfire.org/viewtopic.php?f=50&t=21954
and a fast made video of howto in- uninstall all that can be found in 
here -->
https://people.ipfire.org/~ummeegge/videos/dnsovertls.mp4 
it´s not a Holywood movie :D but i thought may somethings getting a
little clearer also for NON-programmers or NON-admins.


Another thing which i was working on was a possiblity to test also the
configuered servers for
1) Encryption
2) Authentication
3) Query time
4) DNSSEC validation
where kdig was needed for -->
https://gitlab.com/ummeegge/dot-for-ipfire/blob/master/dot_wui/check_connection.sh
. Thinking a little further it might be nice to have some colour codes
explained via 'Legend' in the WUI. So for example:
Green = Encryption, authentication, DNSSEC works.
Orange = Encryption, authentication, No DNSSEC.
Blue = Encryption works but no authentication and no DNSSEC.
RED = No Encryption --> no connection.

Just as a first idea on how the users can also see what is happening
with their DNS servers ?
The query time might also be nice to see... 


> 
> I would like to coordinate how we are moving forward with this now.
> Hands up! :)
> 
> There is basically no pressure on us to deliver this as soon as
> possible, but it is a nice feature and many have been asking for
> this. So maybe we can target Core Update 131 or earlier!
> 
> -Michael

Some thoughts from here.

@Michael,
Are their plans to enable DoT also for ns2.lightningwirelabs.com and
ns3.lightningwirelabs.com ?
Have seen that on ns1.lightningwirelabs.com the ED25519 curve is mostly
not available but instead SECP256R1, just to inform you :-).

Best,

Erik