From: Alexander Koch
To: development@lists.ipfire.org
Subject: Re: Planning on how to improve DNS in IPFire
Date: Sun, 03 Nov 2019 19:52:07 +0100

Hi,

your suggestions sound good to me. Thank you for starting this. I've got two further suggestions / wishes:

* Add a switch to the GUI to force Unbound to run in local recursor mode

* Is there any simple way to integrate a "PiHole"-functionality? I've been running this for a while: https://github.com/sfeakes/ipfire-scripts#dns_blockersh (following this guide (in German): https://www.kuketz-blog.de/dns-adblocker-skript-fuer-ipfire-ipfire-teil2/)

I can't make any promises on supporting the development of this right now though because of a lack of time ... :-(

Regards,
Alex

On 31.10.19 at 16:13, Michael Tremer wrote:
> Hello,
>
> I just had a conversation with Arne about our DNS setup right now.
>
> We see a couple of problems which have been ongoing for a long time and we have worked out how we are going to solve them. In this email, I would like to involve everybody else in this conversation and hopefully you people have some ideas how to make this even better!
>
> First of all we have some unreleased features:
>
> * Safe Search is implemented, but there is no UI to enable it
>
> * We can force unbound to only use TCP which circumvents some problems with corrupted UDP packets. No UI either.
>
> Then we have our long test script which we have tweaked a lot but it is largely a black box for users and therefore does not work. I strongly believe that we need to get rid of it. Entirely.
>
> However, there are some other objectives that we would like to realise at the same time:
>
> * Being able to configure more than two name servers
>
> * Lay a foundation for DNS over TLS
>
> * Allow for users who really really really do not want any security to disable DNSSEC. For some reason they believe that the security is causing their DNS problems when it is usually not.
>
> * Adopt some recommended configuration from DNS flag day (EDNS buffer size = 1232)
>
> * Remove the many places where users can configure DNS servers depending on how they connect to the Internet (Static, DHCP, PPP, …)
>
> So the solution that we have come up with is as follows:
>
> * Remove automatic fallback to recursor mode. This seems to confuse people and they think that this is something bad. No idea why. People.
>
> * Remove the test script.
>
> * DNS servers can be configured on a new dns.cgi by the user. It will be a list which can hold as many DNS servers as you like.
>
> * DNS servers will be stored in a CSV file and when we receive some from the ISP (via DHCP or PPP) we will add them and flag them as coming from the ISP
>
> * There will be a switch to enable/disable using the ISP DNS servers
>
> * We will remove the UI from the setup. That will result in people who use static not being able to configure any DNS servers during setup. We will compensate for that by changing to recursor mode when no DNS servers are known. That is the only thing we can do here since we do not want to ship a default list of DNS servers.
>
> This will simplify the whole DNS problem by only providing one UI for everyone regardless of how they connect to the Internet. The user has a lot more influence on what is being configured so there should be less of a chance of useless DNS servers there.
>
> Does anybody have any objections or additions to this?
>
> Since this is going to be a huge project I am looking for people who would like to join in and contribute their time :) Hands up!
>
> Best,
> -Michael
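The plan quoted above (a CSV store of DNS servers flagged by origin, a switch for the ISP-provided ones, recursor mode when no server is known, EDNS buffer size 1232 and the TCP-only option) sketched as a small generator for an unbound.conf fragment. This is an added example, not IPFire's code: the CSV column layout, the function names and the sample addresses are assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample of the proposed CSV store (column layout is an assumption):
# one upstream per line, flagged with where it came from (user or isp).
SAMPLE_CSV = """address,source
192.0.2.53,user
198.51.100.1,isp
198.51.100.2,isp
"""


def load_servers(text):
    """Parse the CSV store into (address, source) tuples.
    Each address must be a valid IP so that nothing but an address can reach
    the generated unbound.conf; a bad entry rejects the whole file."""
    servers = []
    for row in csv.DictReader(io.StringIO(text)):
        addr = row["address"].strip()
        if not addr:
            continue
        ipaddress.ip_address(addr)  # raises ValueError on junk
        servers.append((addr, row["source"].strip().lower()))
    return servers


def select_servers(servers, use_isp=True):
    """Apply the proposed switch: drop ISP-provided servers when it is off."""
    return [addr for addr, source in servers if use_isp or source != "isp"]


def mode(servers, use_isp=True):
    """Forward when any upstream survives the switch, otherwise recurse."""
    return "forwarder" if select_servers(servers, use_isp) else "recursor"


def render_unbound_conf(servers, use_isp=True, tcp_only=False):
    """Build the unbound.conf fragment. A forward-zone for "." is emitted only
    when upstreams are known; without it unbound is a plain local recursor."""
    lines = ["server:", "    edns-buffer-size: 1232"]  # DNS flag day value
    if tcp_only:
        lines.append("    tcp-upstream: yes")  # all upstream traffic over TCP
    upstreams = select_servers(servers, use_isp)
    if not upstreams:
        lines.append("    # no upstream servers known: acting as local recursor")
    else:
        lines += ["", "forward-zone:", '    name: "."']
        lines += [f"    forward-addr: {addr}" for addr in upstreams]
    return "\n".join(lines) + "\n"
```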