unbound - DoT

Help on building IPFire & Feature Requests
ummeegge
Community Developer
Posts: 4860
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » February 10th, 2019, 8:26 pm

Was able to reproduce this. Have uploaded a fix; please use the in- uninstaller from above, execute it, wait 3-5 seconds and you will see on the left side that there is an update available. You can update by using 'u' [ENTER]. There is also an update for the CGI available.

Please check also if the hosts.cgi (local resolution) is working.

UE

firewell
Posts: 14
Joined: May 31st, 2018, 12:36 pm

Re: unbound - DoT

Post by firewell » February 11th, 2019, 1:31 am

Thanks for the quick update. I applied this on a test VM and it appears to be working. Rebooting the VM results in DoT being used immediately after it restarts, I do not have to manually re-save a DoT entry in the WUI for changes to take effect.

I also created a host alias after applying this latest DoT update and the local host aliases are resolving in my test environment. My static DHCP entries are still resolving too, so this appears to be working normally.

I'll continue to run this and report if I notice anything else. Thanks again for all of your efforts so far!

FischerM
Community Developer
Posts: 940
Joined: November 2nd, 2011, 12:28 pm

Re: unbound - DoT

Post by FischerM » February 11th, 2019, 9:01 am

Hi,

ok, you got me - you made me curious... ::)

Only one glitch: since I'm still running 32bit (yes, I know...) I'll have to build 'knot' and 'libedit' from scratch.

But that's no problem, 'Devel' is running.

I'll see how far I can get.

Best,
Matthias

FischerM
Community Developer
Posts: 940
Joined: November 2nd, 2011, 12:28 pm

Re: unbound - DoT

Post by FischerM » February 11th, 2019, 1:57 pm

Hi,

The 'Devel' is still running, so I looked at 'DoT_in-uninstaller.sh' and found something that could give me trouble:

'CONF="/etc/unbound/local.d"' is not empty on my machine. There's a blocklist which gets updated daily.

Because of this, line 32 'if [ -s "${f}" ]; then' will probably state 'echo "${CONF} is not empty."'.

If I have read you correctly, the 'dnsovertls.cgi', 'EX-dnsovertls.menu' and 'en.pl' have to be installed manually anyway - is there anything speaking against a complete manual installation - and leaving my blocklist file in place?

Best,
Matthias

P.S.: Great work! ;)

ummeegge
Community Developer
Posts: 4860
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » February 11th, 2019, 2:13 pm

Hi Matthias,
nice to see you here ^-^ .
FischerM wrote:
February 11th, 2019, 1:57 pm
The 'Devel' is still running, so I looked at 'DoT_in-uninstaller.sh' and found something that could give me trouble:

'CONF="/etc/unbound/local.d"' is not empty on my machine. There's a blocklist which gets updated daily.

Because of this, line 32 'if [ -s "${f}" ]; then' will probably state 'echo "${CONF} is not empty."'.
This should be no problem, since for a couple of weeks now this has been the 'dot_wui' --> https://gitlab.com/ummeegge/dot-for-ipf ... er/dot_wui development. The linked in- uninstaller (updater too) from the starting topic is linked to this one --> https://gitlab.com/ummeegge/dot-for-ipf ... staller.sh . So local.d is not needed or used anymore with this installation; all goes via /etc/unbound/forward.conf.

Are you using unbound-1.9.0 and OpenSSL-1.1.1a already (origin/next) ?

Thanks for coming in here.

Best,

UE

FischerM
Community Developer
Posts: 940
Joined: November 2nd, 2011, 12:28 pm

Re: unbound - DoT

Post by FischerM » February 11th, 2019, 2:41 pm

Hi,
ummeegge wrote:nice to see you here...
Thanks - caught a flu, so I have some time. If you hear someone cough: it's me... ;)
ummeegge wrote:The linked in- uninstaller (updater too) from the starting topic is linked to this one...
Ah, I see! That explains the differences I saw: your film (nice!) didn't quite match the script from the 'dot-for-ipfire-master.tar.gz' I downloaded today. All right, we'll see. I'll take a look at that.

Since I'm running a heavily modified system (langs / cgis) I'll have to make some - personal - modifications. Should be no problem, it'll just take some time.
ummeegge wrote:Are you using unbound-1.9.0 and OpenSSL-1.1.1a already (origin/next) ?
Sorry - 'unbound 1.9.0': YES. OpenSSL 1.1.1a: NO. I'm on Core 128 "with one foot". I read your post on the list... ;) And I'm not sure at the moment if I can update to OpenSSL 1.1.1a without problems!?

Best,
Matthias

EDIT: I meant Core 128. Corrected.

ummeegge
Community Developer
Posts: 4860
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » February 11th, 2019, 4:33 pm

Oh,
this f......g flu seems to be widely spread, wish you a good recovery...
Core 128 should already include OpenSSL-1.1.1a --> https://git.ipfire.org/?p=ipfire-2.x.gi ... heads/next , did you do a

    git checkout -b next -t origin/next

?
unbound-1.9.0 does have a lot of usable stuff on board; especially DoT seems to be in a kind of focus in this update, but have also seen some news concerning the TFO thing.

Let's see...

Grüssle,

UE

FischerM
Community Developer
Posts: 940
Joined: November 2nd, 2011, 12:28 pm

Re: unbound - DoT

Post by FischerM » February 11th, 2019, 4:52 pm

Hi,
ummeegge wrote:wish you a good recovery
Thanks - I need that. Half of the family got it (except the cat...).

But I don't know if we "got us right". ;)

Right now I'm running Core 127, with some elements of Core 128.

'unbound 1.9.0' is running fine, TFO is enabled (how to test if this is really working!?).

But I still got 'openssh 7.8p1' and 'openssl 1.1.0j' - from Core 127 - running.

I made a clean 'next' build (Core 128) today and created two archives: 'openssh-7.9p1-for-ipfire.tar.gz' and 'openssl-1.1.1a-for-ipfire.tar.gz'. But I don't know if I can just extract these two on my Core 127 machine and still have a running and responding system afterwards. My last experiment with a 'libcrypto.so.1.1'-lib-update ended in a capital crash, so I became a bit careful...

Best,
Matthias

ummeegge
Community Developer
Posts: 4860
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » February 11th, 2019, 5:30 pm

Ah OK, I see.
FischerM wrote:
February 11th, 2019, 4:52 pm
I made a clean 'next' build (Core 128) today and created two archives: 'openssh-7.9p1-for-ipfire.tar.gz' and 'openssl-1.1.1a-for-ipfire.tar.gz'. But I don't know if I can just extract these two on my Core 127 machine and still have a running and responding system afterwards. My last experiment with a 'libcrypto.so.1.1'-lib-update ended in a capital crash, so I became a bit careful...
I won't do that, simply because a lot of other packages are linked to OpenSSL; even though the libs are named similarly, compat has been dropped and a new ciphersuite, TLSv1.3, is available. I built all together and did a fresh install...
FischerM wrote:
February 11th, 2019, 4:52 pm
'unbound 1.9.0' is running fine, TFO is enabled (how to test if this is really working!?).
Yes, here too. TFO is such a thing to test; haven't had any luck with this until now. The first one I checked was

    cat /proc/sys/net/ipv4/tcp_fastopen_key

which should deliver the key (is OK here).

Another one goes via IP metrics:

    ip tcp_metrics

which should deliver a fo_cookie somewhere --> https://blog.wasin.io/blog/2016/12/26/h ... buntu.html (no fun with this).

Another one is not that nicely formatted, even more so since we do not have column on IPFire and I would spare some awk magic with this,

    grep '^TcpExt:' /proc/net/netstat | cut -d ' ' -f 85-91

a different cut command to the posted example (also no fun with this).

Did also make the sysctl entry which is currently missing in Core 128, but at the time when I was testing it I think it simply did not work.
Another thing which is not that nice: with the fresh install of origin/next, TLSv1.3 does not work either.

Am currently not that happy with this here...

Best,

UE

FischerM
Community Developer
Posts: 940
Joined: November 2nd, 2011, 12:28 pm

Re: unbound - DoT

Post by FischerM » February 11th, 2019, 8:02 pm

Hi,
ummeegge wrote:i won´t do that simply because a lot of other packages are linked to OpenSSL...
Yep. "Burned child shying away from the fire." ;)

There are too many changes around these two for a fast update.

Regarding TFO, I had exactly the same experiences as you. Same websites, same results.

The 'tcp_fastopen_key'-value is existent - but that's it.

And

    ip tcp_metrics

doesn't find a single entry with 'fo_cookie'.

We'll have to wait and see...

Best,
Matthias

FischerM
Community Developer
Posts: 940
Joined: November 2nd, 2011, 12:28 pm

Re: unbound - DoT

Post by FischerM » February 12th, 2019, 7:43 am

Hi,

some feedback after a few PMs:

DoT is all up and running with Core 127 / 32bit.

One has to be (very) careful with the CN-Names, but even a manual installation was full functional in less time than I thought, although I had to install it manually.

Great work! 8)

Best,
Matthias

ummeegge
Community Developer
Posts: 4860
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » February 12th, 2019, 5:57 pm

Thanks for the feedback and flowers, Matthias O0 .

Have checked the TFO thing now a little deeper, but also in another way, just to check if it works in general.
Have executed a

    ip tcp_metrics flush
    curl --tcp-fastopen cloudflare-dns.com

which delivers the 'fo_cookie':

    $ ip tcp_metrics show | grep 'fo_cookie'
    104.16.111.25 age 216.950sec cwnd 10 rtt 14292us rttvar 11664us fo_mss 1452 fo_cookie 8eec92f0a43826c3 source 192.168.123.234

An interesting one is

    curl -v --tcp-fastopen https://cloudflare-dns.com

Checking the output before DOCTYPE with OpenSSL-1.1.1a looks like this:

    $ curl -v --tcp-fastopen https://cloudflare-dns.com
    *   Trying 104.16.111.25...
    * TCP_NODELAY set
    * TCP_FASTOPEN_CONNECT set
    * Connected to cloudflare-dns.com () port 443 (#0)
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-bundle.crt
      CApath: none
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    * TLSv1.3 (IN), TLS handshake, Certificate (11):
    * TLSv1.3 (IN), TLS handshake, CERT verify (15):
    * TLSv1.3 (IN), TLS handshake, Finished (20):
    * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.3 (OUT), TLS handshake, Finished (20):
    * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    *  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=cloudflare-dns.com
    *  start date: Jan 28 00:00:00 2019 GMT
    *  expire date: Feb  1 12:00:00 2021 GMT
    *  subjectAltName: host "cloudflare-dns.com" matched cert's "cloudflare-dns.com"
    *  issuer: C=US; O=DigiCert Inc; CN=DigiCert ECC Secure Server CA
    *  SSL certificate verify ok.
    > GET / HTTP/1.1
    > Host: cloudflare-dns.com
    > User-Agent: curl/7.63.0
    > Accept: */*
    >
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * old SSL session ID is stale, removing
    < HTTP/1.1 200 OK
    < Date: Tue, 12 Feb 2019 17:51:25 GMT
    < Content-Type: text/html
    < Transfer-Encoding: chunked
    < Connection: keep-alive
    < Last-Modified: Wed, 30 Jan 2019 21:16:38 GMT
    < Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    < Cache-Control: max-age=600
    < X-Content-Type-Options: nosniff
    < Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    < Server: cloudflare
    < CF-RAY: 4a80e7328c0563e5-FRA
    <
Works also with google or facebook:

    $ grep '^TcpExt:' /proc/net/netstat | cut -d ' ' -f 85-91
    TCPFastOpenActive TCPFastOpenActiveFail TCPFastOpenPassive TCPFastOpenPassiveFail TCPFastOpenListenOverflow TCPFastOpenCookieReqd TCPFastOpenBlackhole
    15 0 0 0 0 0 0

Preliminary conclusion:
TFO works in general, TLSv1.3 too; what happens with unbound now?

This one is a little OT, but let's take a fast look at the complete picture.

Maybe someone has other info, tests, ideas?

Best,

UE

EDIT: DoT does not currently participate in TFO --> https://www.mail-archive.com/unbound-us ... 00523.html ; seems like this is an OpenSSL problem with Linux. These topics are older ones but still current as far as I can see --> https://github.com/openssl/openssl/issues/4783 --> http://openssl.6102.n7.nabble.com/Re-Us ... 62516.html <-- there is more, but maybe things have been/can be changed there too?! Am hopeful with this :) , let's see...
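The TFO counter check in the post above depends on fixed cut columns that differ between kernels. The following is an added example (not code from the thread or from the DoT project) that reads the TCPFastOpen* counters from /proc/net/netstat by header name instead, and also checks the client bit of net.ipv4.tcp_fastopen, since the key in tcp_fastopen_key alone proves nothing. The netstat excerpt is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: TCP Fast Open status by counter name, not by column number.
# Real paths are /proc/net/netstat and /proc/sys/net/ipv4/tcp_fastopen; the
# sample file below is constructed test data.

# tfo_counters FILE: print "NAME VALUE" for every TcpExt counter starting with
# TCPFastOpen. The first "TcpExt:" line carries the names, the second the
# values, so awk remembers the names and then looks the values up by index.
tfo_counters() {
    awk '
        $1 == "TcpExt:" && !have_names { for (i = 2; i <= NF; i++) name[i] = $i; have_names = 1; next }
        $1 == "TcpExt:" && have_names  { for (i = 2; i <= NF; i++) if (name[i] ~ /^TCPFastOpen/) print name[i], $i }
    ' "$1"
}

# tfo_active FILE: only TCPFastOpenActive, i.e. outgoing connections that sent
# data in the SYN. A number that grows after "curl --tcp-fastopen" is the sign
# that client-side TFO really works on this box.
tfo_active() {
    tfo_counters "$1" | awk '$1 == "TCPFastOpenActive" { print $2 }'
}

# tfo_client_enabled FILE: bit 0 of net.ipv4.tcp_fastopen enables the client
# side, bit 1 the server side. Returns 0 (true) when the client bit is set.
tfo_client_enabled() {
    v=$(cat "$1")
    [ $((v & 1)) -eq 1 ]
}

# make_sample_netstat: constructed two-line TcpExt excerpt with the counter
# names from the thread but fewer columns, so column numbers deliberately
# differ from the real file. Prints the path of the temporary file.
make_sample_netstat() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv TCPFastOpenActive TCPFastOpenActiveFail TCPFastOpenPassive TCPFastOpenPassiveFail TCPFastOpenListenOverflow TCPFastOpenCookieReqd TCPFastOpenBlackhole TCPMD5NotFound
TcpExt: 0 0 15 0 0 0 0 0 0 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
EOF
    echo "$f"
}

# On a real system read /proc; elsewhere fall back to the constructed sample.
if [ -r /proc/net/netstat ]; then
    tfo_counters /proc/net/netstat
else
    tfo_counters "$(make_sample_netstat)"
fi
```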

ummeegge
Community Developer
Posts: 4860
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » February 18th, 2019, 7:23 pm

Hi all,
a new version of unbound init is up. Have now added 'qname-minimisation strict' to forward.conf if DoT is in use, which works smoothly here; feedback if something went other ways would be great.
unbound init is also Core 128 ready, so --> https://git.ipfire.org/?p=ipfire-2.x.gi ... 02fdc8e6b4 is included.

The update can be applied via the in- uninstaller --> viewtopic.php?f=50&t=21954#p120691 .

Best,

UE

EDIT: kdig comes with Core 128 --> https://git.ipfire.org/?p=ipfire-2.x.gi ... heads/next .
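As an added illustration (not the thread's own unbound init or DoT scripts), this is the shape of forward.conf the post describes, DoT forwarding plus strict qname minimisation, together with a check that every upstream carries the #authname unbound needs to verify the server certificate (the "careful with the CN-Names" point earlier in the thread). The upstream addresses and the output path are test values; the CA bundle path is the one from the curl output above.

```shell
#!/bin/sh
# Added example: generate and sanity-check an unbound forward.conf for DoT.
# Upstreams are given as IP#authname; authname is the CN/SAN unbound checks
# in the upstream certificate. Without it the session is encrypted but the
# peer is not authenticated, so such entries are refused.

# make_forward_conf OUT IP#AUTHNAME...: writes a forward.conf that sends all
# queries to the listed servers as "forward-addr: IP@853#authname"
# (forward-addr syntax supported by unbound 1.9.0, the version in the thread).
make_forward_conf() {
    out=$1; shift
    for up in "$@"; do
        case $up in
            *#?*) ;;
            *) echo "refusing '$up': no #authname, TLS peer would not be verified" >&2; return 1 ;;
        esac
    done
    {
        echo "server:"
        echo "    tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt"
        echo "    qname-minimisation: yes"
        echo "    qname-minimisation-strict: yes"
        echo "forward-zone:"
        echo "    name: \".\""
        echo "    forward-tls-upstream: yes"
        for up in "$@"; do
            echo "    forward-addr: ${up%%#*}@853#${up#*#}"
        done
    } > "$out"
}

# check_forward_conf FILE: re-read an existing forward.conf and fail if TLS
# forwarding is off or any forward-addr lacks the 853 port or the #authname.
check_forward_conf() {
    grep -q '^ *forward-tls-upstream: yes' "$1" || return 1
    ! grep '^ *forward-addr:' "$1" | grep -v '@853#.' | grep -q .
}

# Demo into a temporary file; on IPFire the target is /etc/unbound/forward.conf.
demo=$(mktemp)
make_forward_conf "$demo" "1.1.1.1#cloudflare-dns.com" "1.0.0.1#cloudflare-dns.com" && cat "$demo"
```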

FischerM
Community Developer
Posts: 940
Joined: November 2nd, 2011, 12:28 pm

Re: unbound - DoT

Post by FischerM » February 18th, 2019, 7:49 pm

Hi,
ummeegge wrote:...feedback if something went other ways might be great.
I'll give feedback anyway: Updated. Works. ;-)

Best,
Matthias

firewell
Posts: 14
Joined: May 31st, 2018, 12:36 pm

Re: unbound - DoT

Post by firewell » February 22nd, 2019, 12:08 am

ummeegge wrote:
February 18th, 2019, 7:23 pm
Hi all,
new version of unbound init is up.
I have this update running on one of the LAB VMs. So far so good, it survives reboots and continues working as planned. Doesn't seem to have any impact on static lease DNS lookups on the local LAN. Looking forward to C128 release!
