unbound - DoT

Help on building IPFire & Feature Requests
ummeegge
Community Developer
Posts: 4981
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » October 4th, 2019, 11:22 am

Hi dnl,
thanks for going into some testing rounds in here :-).
dnl wrote:
October 4th, 2019, 9:42 am
1. Consider renaming the installer. 'dot_in-uninstaller.sh' is confusing! The first time I read it I thought it was only the uninstaller. Why not call it 'dot-setup.sh'
If you copy and paste the installer code block from the starting site and execute it, the script name should not even be seen or recognized, but I can also rename it (maybe in one of the next updates)...
dnl wrote:
October 4th, 2019, 9:42 am
2. None of the "DNS over TLS" servers were pre-configured you show in your screenshot. I had to manually add the service I wanted. Is there a reason they are not configured and disabled by default?
I wanted to leave it completely to the user which one to use. Even some of them sometimes do not work (DNSsec is off or they are simply not available). Also if more people go through the configuration process potential bugs can better be found. Nevertheless, you can find the complete config in the start topic under "Current /var/ipfire/dns/tlsconfig: " to simply copy and paste it into /var/ipfire/dns/tlsconfig.
dnl wrote:
October 4th, 2019, 9:42 am
3. In your instructions, please mention that the "DNS over TLS configuration" page added by this is in the "IPFire" menu and that the "Assign DNS-Server" screen (also called "Domain Name System") in the "Network" menu should not be used.
Did that now --> viewtopic.php?f=50&t=21954 good that you mentioned it.
dnl wrote:
October 4th, 2019, 9:42 am
4. Consider adding a 'test' function to the shell script which wraps 'knot' for beginners. This way people can install this, configure it in the UI then use the shell script to do a test without needing to know knot or tcpdump syntax.
This topic has meanwhile become kind of big and some more development has been made as time goes by, so maybe you have overlooked it.
Have added two scripts whereby
1) the first one gives you the raw kdig output for all active connections --> https://gitlab.com/ummeegge/dot-for-ipf ... est_tls.sh
2) the second one interprets and colorizes the kdig output for a better overview --> https://gitlab.com/ummeegge/dot-for-ipf ... nection.sh
but there is meanwhile a third possibility which delivers the current DoT state via index.cgi -->
Image
whereby red means not working - orange means no DNSsec - and green means all is good.
This version is currently highly experimental and not available in this topic here.

Some info for you.

Best and again thanks for testing.

Best,

UE

FischerM
Community Developer
Posts: 1018
Joined: November 2nd, 2011, 12:28 pm

Re: unbound - DoT

Post by FischerM » October 4th, 2019, 11:28 am

Hi,

and if you do some CGI-finetuning, it looks like this:

DoT.png

SCNR, Matthias ;)

ummeegge
Community Developer
Posts: 4981
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » October 4th, 2019, 5:13 pm

Good evening,
FischerM wrote:
October 4th, 2019, 11:28 am
Hi,

and if you do some CGI-finetuning, it looks like this:

DoT.png

SCNR, Matthias ;)
Merge request :D ?

Best,

UE

FischerM
Community Developer
Posts: 1018
Joined: November 2nd, 2011, 12:28 pm

Re: unbound - DoT

Post by FischerM » October 4th, 2019, 6:56 pm

ummeegge wrote: Merge request :D ?
Yes.


diff U3 a/index.cgi b/index.cgi
--- a/index.cgi	Fri Oct  4 20:50:22 2019
+++ b/index.cgi	Sat Sep 14 21:25:54 2019
@@ -213,6 +213,7 @@
 				<b><a href="netexternal.cgi">$Lang::tr{'dns servers'}</a>:</b>
 			</td>
 			<td style='text-align:center;'>
+			<br>
 				$dns_servers
 			</td>
 			<td></td>
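Review bot: the `<br>` added at the top of the `$dns_servers` cell is indented with three tabs while the cell content around it uses four, so the generated index.cgi markup in this hunk loses its alignment; either match the existing indentation or, since the only purpose of the line is vertical spacing before the server list, put a `padding-top` on the `<td style='text-align:center;'>` instead of a layout `<br>`, which keeps the markup semantic and avoids rendering an empty first line inside the cell.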
@@ -232,6 +233,7 @@
 				<b><a href="dnsovertls.cgi">$Lang::tr{'dnsovertls'}</a>:</b>
 			</td>
 			<td style='text-align:center;'>
+			<br>
 				$dot_servers
 			</td>
 			<td></td>
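Review bot: same indentation mismatch for the `<br>` before `$dot_servers` as in the first hunk (three tabs against four), so whichever spacing solution is chosen there should be applied here as well; and because `$dot_servers` is interpolated straight into the table cell and the DoT servers come from the user-editable /var/ipfire/dns/tlsconfig mentioned earlier in the thread, it is worth confirming in review that the code building `$dot_servers` HTML-escapes the hostnames and IPs before this cell renders them.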
Best,
Matthias

;)

ummeegge
Community Developer
Posts: 4981
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » October 18th, 2019, 2:33 pm

Hi all,
@Matthias
added that one. Have also updated en.pl and the unbound init to Core 136 and partly to the current origin/next of Core 137 (lang file).
Updates have been made for the regular version and the experimental version.

The experimental section which checks if DoT works and displays the DoT servers in color codes on index.cgi looks now like this:
Image
(green = DNSsec works - certificate is trusted and crypto works ; orange = DNSsec does NOT work but certificate is trusted and crypto works ; red = nothing works, DoT is off) is currently stable here and can be found in here --> https://gitlab.com/ummeegge/dot-for-ipf ... perimental for the interested ones.

Installation needs to be made manually (maybe this will change):
- 'dot-indexCGI-check' lives under /usr/bin. It needs to be made executable with

chmod +x /usr/bin/dot-indexCGI-check

- A symlink can be made under /etc/fcron.hourly via

ln -s /usr/bin/dot-indexCGI-check /etc/fcron.hourly

so the configured DoT servers will be displayed updated via index.cgi to check whether there are problems or everything is good, and actions via the unbound init are not needed that way.
- The unbound initscript has been modified and now executes '/usr/bin/dot-indexCGI-check' on start|restart, and therefore also updates the DoT section in index.cgi.
- Changes in dnsovertls.cgi also execute '/usr/bin/dot-indexCGI-check' because it restarts the unbound init, so newly configured IPs should also be immediately checked and displayed on the start page (index.cgi).

Best,

UE
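As an added example, not part of ummeegge's dot-for-ipfire scripts and not IPFire code: a small POSIX shell classifier that turns one kdig DoT probe into the green / orange / red state that the two kdig helper scripts from the earlier post and the experimental index.cgi check in this post work with. Everything below the kdig command itself is an assumption of mine rather than something the thread states: the exact kdig command line, that a ";; TLS session" line stands for a completed handshake against a trusted certificate, that the "ad" flag in the ";; Flags:" line stands for a DNSSEC-validated answer, the three constructed kdig transcripts, and the "ip hostname" server-list format read from $DOT_SERVERS.

```shell
#!/bin/sh
# Added example for the IPFire "unbound - DoT" thread. Not ummeegge's scripts,
# not IPFire code: it reproduces the three-state DoT check (green/orange/red)
# by parsing kdig output.
#
# Assumptions (mine, not from the thread):
#  * the probe is "kdig @IP +tls-ca +tls-hostname=NAME +dnssec QNAME", so kdig
#    verifies the server certificate against the system CA store;
#  * a ";; TLS session" line means handshake ok and certificate trusted;
#  * "ad" in the ";; Flags:" line means the resolver returned DNSSEC-validated
#    data (no "ad" with TLS up is the thread's "orange");
#  * the "ip hostname" list format in $DOT_SERVERS is constructed here.

# classify_dot_output: read one kdig run on stdin, print green|orange|red.
classify_dot_output() {
    out=$(cat)
    # No TLS session at all: timeout, closed port 853 or untrusted certificate.
    if ! printf '%s\n' "$out" | grep -q '^;; TLS session'; then
        echo red
        return 0
    fi
    # TLS is up; the AD bit decides between DNSSEC ok (green) and no DNSSEC.
    # A missing ";; Flags:" line (answer never arrived) also ends up orange.
    if printf '%s\n' "$out" | grep '^;; Flags:' \
        | grep -Eq '(^|[[:space:]])ad([[:space:];]|$)'; then
        echo green
    else
        echo orange
    fi
}

# probe_dot_server IP HOSTNAME [QNAME]: run the live kdig probe and classify it.
# Needs kdig (knot-utils) installed; the self-test below never calls it.
probe_dot_server() {
    ip=$1; host=$2; qname=${3:-ipfire.org}
    kdig @"$ip" +tls-ca +tls-hostname="$host" +dnssec +timeout=5 "$qname" 2>&1 \
        | classify_dot_output
}

# Constructed kdig transcripts for the three states, shortened to the lines
# the classifier looks at. The addresses are documentation ranges, not real
# resolvers.
SAMPLE_GREEN=';; TLS session (TLS1.3)-(ECDHE-X25519)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 4242
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1'

SAMPLE_ORANGE=';; TLS session (TLS1.2)-(ECDHE-SECP256R1)-(AES-128-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 4243
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1'

SAMPLE_RED=';; WARNING: failed to connect to 192.0.2.53@853(TCP)
;; ERROR: failed to query server 192.0.2.53@853(TCP)'

# self_test: classify the three constructed transcripts; return the number of
# mismatches, so 0 means the classifier agrees with the expected colours.
self_test() {
    fails=0
    for want in green orange red; do
        case $want in
            green)  sample=$SAMPLE_GREEN ;;
            orange) sample=$SAMPLE_ORANGE ;;
            red)    sample=$SAMPLE_RED ;;
        esac
        got=$(printf '%s\n' "$sample" | classify_dot_output)
        [ "$got" = "$want" ] || fails=$((fails + 1))
    done
    return $fails
}

# Stand-alone run: check the built-in transcripts, then, if kdig is installed,
# probe every "ip hostname" pair in $DOT_SERVERS and print "ip hostname state"
# lines, the kind of output an hourly cron job could hand to index.cgi.
self_test && echo "classifier self-test ok"
if command -v kdig >/dev/null 2>&1; then
    printf '%s\n' "${DOT_SERVERS:-}" | while read -r ip host; do
        [ -n "$ip" ] || continue
        echo "$ip $host $(probe_dot_server "$ip" "$host")"
    done
fi
```

Run it as `DOT_SERVERS='192.0.2.53 dot.example.invalid' sh dot-check.sh` (placeholder values) to see the live probe path; without kdig only the self-test runs. Keying on the AD flag means the check reports whether the upstream resolver validated DNSSEC, not whether the local unbound does, which matches how the thread separates "certificate trusted and crypto works" from "DNSsec works".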

FischerM
Community Developer
Posts: 1018
Joined: November 2nd, 2011, 12:28 pm

Re: unbound - DoT

Post by FischerM » October 18th, 2019, 8:00 pm

Hi Erik,

Sounds great. But right now we're "packing". I'll take a closer look when we're "back from the island".

You'll find me here: ;-)

Sonnenuntergang_in_Utersum.png

Best,
Matthias

ummeegge
Community Developer
Posts: 4981
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » October 19th, 2019, 5:17 am

Hey Matthias,
FischerM wrote:
October 18th, 2019, 8:00 pm
Sounds great. But right now we're "packing". I'll take a closer look when we're "back from the island".
Nice one, enjoy it to the fullest O0 .
FischerM wrote:
October 18th, 2019, 8:00 pm
You'll find me here: ;-)
All right, got it ;) .

Best,

Erik