Hi Paul,
On Monday, 10.12.2018, 20:01 -0600, Paul Simmons wrote:
Greetings, Erik.
I am VERY pleased that you are pursuing DoT.
You're welcome, I like that feature too.
I have a test environment prepared, and hope to test your changes on top of Core125 in the next few days.
Great. There are meanwhile two branches here.
The first one is the sysconfig "USE_FORWARDER=0" one which is fully working and in my opinion also easier/faster to test DoT/unbound for, let's say, best practice configuration. Current state can be found under the already linked Gitlab address.
The second one incl. now the WUI (have stolen/misused dnsforward.cgi for this ;) but also DoT integration in the already existing /etc/unbound/forward.conf . In there, I patched now the already existing 'write_forward_conf' function like Michael suggested -->
@@ -192,6 +195,27 @@ ( config_header
+ # Add DNS-over-TLS forwarder configuration + + if [ -n "/var/ipfire/dnsforward/tlsconfig" ]; then + echo "# DNS-over-TLS configuration block" + echo "server:" + echo " tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt" + echo + echo "forward-zone:" + echo " name: "."" + echo " forward-tls-upstream: yes" + fi + + local enabled domain ip port remark + while IFS="," read -r enabled domain ip port remark; do + # Line must be enabled + [ "${enabled}" = "on" ] || continue + echo " forward-addr: ${ip}@${port}#${domain}" + done < /var/ipfire/dnsforward/tlsconfig + + # DNS Forwarding + local insecure_zones="${INSECURE_ZONES}"
local enabled zone server remark
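Review bot: the guard `[ -n "/var/ipfire/dnsforward/tlsconfig" ]` checks that a non-empty string literal is non-empty, so it is always true and the `server:`/`forward-zone:` header is emitted even when the file does not exist; test the file itself with `[ -s /var/ipfire/dnsforward/tlsconfig ]` (or `-f`). The `while ... done < /var/ipfire/dnsforward/tlsconfig` loop also sits outside that `if`, so a missing file makes the redirect fail, and once the test is fixed a skipped header would still leave bare `forward-addr:` lines without an enclosing `forward-zone:`; move the loop inside the `if` so header and addresses are written together or not at all. Minor: `echo " name: "."" ` prints `name: .` because the inner quotes are consumed by the shell; if the quoted form `name: "."` is intended, escape them.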
As a first one, this one is currently highly experimental but does work until now and might be a possible way forward?
I started this thread because my (one and only available) ISP mangles DNS on port 53, preventing DNSSEC with IPFire. I want to use my IPFire machine without applying https://gitlab.com/snippets/1706804 on each update.
Please check in general if DoT works for your use case.
Please continue with your pursuits and development. I will schedule down time to test.
Let's see what we can all stick together in here :-) . Great that you test all that too.
Thanks, and best regards, Paul
Thank you too.
Best,
Erik
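As an added example (not the IPFire patch quoted above), here is a stand-alone shell generator for the DoT block of unbound's forward.conf that reads the same "enabled,domain,ip,port,remark" CSV layout as the patch, but only emits the block when the file really exists and is non-empty; the file path is taken as a parameter and the sample rows are constructed placeholders.

```shell
#!/bin/sh
# Generate the DNS-over-TLS forward-zone for unbound from a tlsconfig CSV.
# Line format (as in the patch): enabled,domain,ip,port,remark

write_tls_forward_conf() {
	# $1: path to the tlsconfig CSV (hypothetical parameter, not IPFire's API)
	tlsconfig="$1"
	# Emit nothing unless the file exists and has content; this replaces the
	# always-true string test on the literal path.
	[ -s "${tlsconfig}" ] || return 0
	echo "# DNS-over-TLS configuration block"
	echo "server:"
	echo "  tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt"
	echo
	echo "forward-zone:"
	echo "  name: \".\""
	echo "  forward-tls-upstream: yes"
	# Addresses are written inside the same guard, so they are never emitted
	# without the forward-zone header that makes them valid.
	while IFS="," read -r enabled domain ip port remark; do
		[ "${enabled}" = "on" ] || continue
		# unbound needs ip@port#authname for certificate name checks; skip
		# rows that lack the IP or the domain, default the port to 853.
		[ -n "${domain}" ] && [ -n "${ip}" ] || continue
		echo "  forward-addr: ${ip}@${port:-853}#${domain}"
	done < "${tlsconfig}"
}

# Number of forward-addr lines produced for a given tlsconfig file.
count_forward_addrs() {
	write_tls_forward_conf "$1" | grep -c "forward-addr:"
}

# Constructed sample input (documentation addresses, not real resolvers).
SAMPLE="${TMPDIR:-/tmp}/tlsconfig.sample.$$"
printf '%s\n' \
	"on,dns.example.net,192.0.2.1,853,primary" \
	"off,dns.example.org,192.0.2.2,853,disabled entry" \
	"on,dns.example.com,198.51.100.7,,port left empty" > "${SAMPLE}"

write_tls_forward_conf "${SAMPLE}"
```

Running it prints the header once followed by two forward-addr lines (the disabled row is skipped and the empty port falls back to 853); a missing file produces no output instead of a redirect error.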