Hey,
On 31 Jan 2019, at 20:28, Rachid Groeneveld rachidgroeneveld@hotmail.nl wrote:
Hi Michael,
I've tried to list the optimisations for DNS in the DNS hardening topic: https://forum.ipfire.org/viewtopic.php?f=27&t=21965 At this moment I'm quite busy with additional studies, after work hours, so I haven't been tinkering much. I did put some time and effort in the WUI, but this is definitely on my radar. So if there's anything I can do to help, let me know.
There is probably loads to do. Let’s first make a plan and collect what we need to do and then assign those things to individual people. Definitely there is loads of testing and documentation to do as well.
As for configuration, I haven't even been tinkering much with Erik's UI page (shame on me!), but I do concur a single point of configuration is preferable. I got a bit lost a few months back; knowing which setting overrides what could come in handy. This includes zone (domain) configuration and maybe even block lists (ads/malware).
Any blocking will break DNSSEC. I do not understand that someone wants to disable DNSSEC for this, but I guess that there are people out there who want to do it.
As for the recursor switch, I thought that unbound was recursive by default. I recall unbound to be partially authoritative, but not full (as in all functionality).
Yes, it is a recursor and only that. It has some authoritative features but they are very very limited and just to make life a bit easier and not to host an authoritative zone.
However, we usually configure it with a couple of upstream name servers. Then, it will only query those. If we do not give unbound any upstream servers (aka forwarders) it will contact the root DNS servers and walk down the tree to resolve any names. I kind of like that because it does not require you to trust anyone who operates one of those big resolvers out there.
So, apart from being busy, I still can do stuff. Bear in mind that I'm no programmer, but given the right keywords I can find my way around software and be helpful in terms of testing/bug finding.
I am sure that there are plenty of other things to do and fiddling a little bit with the scripting isn’t really programming :) I am happy for you to contribute.
Best, -Michael
Cheers! Rachid
-----Original Message-----
From: Development development-bounces@lists.ipfire.org On behalf of Michael Tremer
Sent: Thursday 31 January 2019 19:18
To: IPFire: Development-List development@lists.ipfire.org
Subject: Kicking off DNS-over-TLS
Hello guys,
So we have had many, many conversations about DNS-over-TLS on this list and on the weekly phone calls. I would like to make a plan now to finally get this into the distribution. We have already ticked some boxes:
- Unbound is there and compiled with support for DoT
- OpenSSL 1.1.1 is in next - has TLSv1.3 - not essentially necessary but makes this faster
- We have TCP Fast Open enabled in next
Then there is a CGI from Erik which makes editing the upstream name servers really nice. Last time we talked about how to actually get that integrated into the whole lot of the other things. There are by now at least three different places where DNS servers are being configured. A fourth one will make things even more confusing than they are. I would like to get rid of the old ones and only use the new one then.
We also will need some switches for some basic configuration:
- DNS-over-TLS enforced? I think everyone who uses DoT wants this enabled
- DNSSEC permissive mode - some requested this and I am still opposed to offer this, but hey
- QNAME minimisation
- Recursor mode?!
I guess this can all be on the same CGI with the list of servers to use.
Finally, we will have to update the initscript that checks DNS servers right now. It needs to be stripped down as much as possible because it is otherwise unmaintainable.
This is my view on things right now. Status is about four weeks old. Maybe more things have happened in the meantime.
I would like to coordinate how we are moving forward with this now. Hands up! :)
There is basically no pressure on us to deliver this as soon as possible, but it is a nice feature and many have been asking for this. So maybe we can target Core Update 131 or earlier!
-Michael
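An added illustration, not IPFire's generated configuration or the output of Erik's CGI: an unbound.conf fragment showing how the switches discussed in this thread map onto unbound options, with recursor mode being simply the absence of a forward-zone. The forwarder address, the TLS authentication name and the two file paths are assumptions.

```conf
server:
    # QNAME minimisation: send each upstream only the labels it needs
    qname-minimisation: yes

    # DNSSEC validation stays on. "DNSSEC permissive mode" in the thread
    # corresponds to val-permissive-mode: yes, which logs bogus answers
    # instead of refusing them; left off here. (trust anchor path assumed)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no

    # CA bundle used to authenticate DoT upstreams (path assumed)
    tls-cert-bundle: "/etc/ssl/certs/ca-bundle.crt"

# Forwarding mode: all queries go to the listed upstreams.
# forward-tls-upstream: yes is what "DNS-over-TLS enforced" means:
# upstream traffic is TLS on port 853 only, with no cleartext fallback,
# and the #auth-name makes unbound verify the server certificate.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # address@port#auth-name; this server is a constructed example
    forward-addr: 192.0.2.53@853#dot.example.net

# Recursor mode: the same server: section with no forward-zone at all, so
# unbound starts from the root hints and walks down the tree itself.
```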