unbound - DoT

ummeegge
Community Developer
Posts: 5001
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » October 4th, 2019, 11:22 am

Hi dnl,
thanks for going into some testing rounds in here :-).
dnl wrote:
October 4th, 2019, 9:42 am
1. Consider renaming the installer. 'dot_in-uninstaller.sh' is confusing! The first time I read it I thought it was only the uninstaller. Why not call it 'dot-setup.sh'
If you copy and paste the installer code block from the starting site and execute it, the script name should not even be seen or recognized, but I can also rename it (maybe in one of the next updates)...
dnl wrote:
October 4th, 2019, 9:42 am
2. None of the "DNS over TLS" servers were pre-configured you show in your screenshot. I had to manually add the service I wanted. Is there a reason they are not configured and disabled by default?
I wanted to leave it completely to the user which one to use. Even some of them sometimes do not work (DNSsec is off or they are simply not available). Also, if more people go through the configuration process, potential bugs can be found more easily. Nevertheless, you can find the complete config in the start topic under "Current /var/ipfire/dns/tlsconfig:" to simply copy and paste it into /var/ipfire/dns/tlsconfig.
dnl wrote:
October 4th, 2019, 9:42 am
3. In your instructions, please mention that the "DNS over TLS configuration" page added by this is in the "IPFire" menu and that the "Assign DNS-Server" screen (also called "Domain Name System") in the "Network" menu should not be used.
Did that now --> viewtopic.php?f=50&t=21954 ; good that you mentioned it.
dnl wrote:
October 4th, 2019, 9:42 am
4. Consider adding a 'test' function to the shell script which wraps 'knot' for beginners. This way people can install this, configure it in the UI then use the shell script to do a test without needing to know knot or tcpdump syntax.
This topic has become kind of big in the meantime, and some more development has been made as time goes by, so you may have overlooked it.
I have added two scripts, whereby
1) the first one gives you the raw kdig output for all active connections --> https://gitlab.com/ummeegge/dot-for-ipf ... est_tls.sh
2) the second one interprets and colorizes the kdig output for a better overview --> https://gitlab.com/ummeegge/dot-for-ipf ... nection.sh
but there is meanwhile a third possibility which delivers the current DoT state via index.cgi -->
[screenshot]
whereby red means not working, orange means no DNSsec, and green means all is good.
This version is currently highly experimental and not available in this topic here.

Some infos for you.

Best and again thanks for testing.

Best,

UE

FischerM
Community Developer
Posts: 1025
Joined: November 2nd, 2011, 12:28 pm

Re: unbound - DoT

Post by FischerM » October 4th, 2019, 11:28 am

Hi,

and if you do some CGI-finetuning, it looks like this:

DoT.png

SCNR, Matthias ;)

ummeegge
Community Developer
Posts: 5001
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » October 4th, 2019, 5:13 pm

Good evening,
FischerM wrote:
October 4th, 2019, 11:28 am
Hi,

and if you do some CGI-finetuning, it looks like this:

DoT.png

SCNR, Matthias ;)
Merge request :D ?

Best,

UE
Image
Image

FischerM
Community Developer
Posts: 1025
Joined: November 2nd, 2011, 12:28 pm

Re: unbound - DoT

Post by FischerM » October 4th, 2019, 6:56 pm

ummeegge wrote: Merge request :D ?
Yes.


diff U3 a/index.cgi b/index.cgi
--- a/index.cgi	Fri Oct  4 20:50:22 2019
+++ b/index.cgi	Sat Sep 14 21:25:54 2019
@@ -213,6 +213,7 @@
 				<b><a href="netexternal.cgi">$Lang::tr{'dns servers'}</a>:</b>
 			</td>
 			<td style='text-align:center;'>
+			<br>
 				$dns_servers
 			</td>
 			<td></td>
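Review bot: the added `<br>` is indented one tab less than the `$dns_servers` line it sits above, and a bare line break used only for vertical spacing is layout in markup; the cell already carries `style='text-align:center;'`, so a `padding-top` in that same style attribute gives the spacing without an extra element. Also note the file headers: `+++ b/index.cgi` is dated Sat Sep 14 while `--- a/index.cgi` is dated Fri Oct 4, so the "new" side is older than the "old" side; check that a/ and b/ were not swapped when the diff was produced (and the command line reads `diff U3`, which should be `diff -U3`).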
@@ -232,6 +233,7 @@
 				<b><a href="dnsovertls.cgi">$Lang::tr{'dnsovertls'}</a>:</b>
 			</td>
 			<td style='text-align:center;'>
+			<br>
 				$dot_servers
 			</td>
 			<td></td>
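Review bot: same indentation mismatch as in the first hunk (the `<br>` sits one tab shallower than `$dot_servers`), and the same fix applies: put the spacing in the cell's existing `style` attribute rather than duplicating a bare `<br>` in both cells. Since `$dot_servers` is interpolated straight into the table cell here, it is worth confirming where that string is built that only fixed markup and escaped values (server addresses and hostnames from the DoT configuration) go into it, so nothing from the config lands in index.cgi as raw HTML.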
Best,
Matthias

;)

ummeegge
Community Developer
Posts: 5001
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » October 18th, 2019, 2:33 pm

Hi all,
@Matthias
added that one. I have also updated en.pl and the unbound init to Core 136 and partly to the current origin/next of Core 137 (lang file).
Updates have been made for the regular version and the experimental version.

The experimental section which checks if DoT works and displays the DoT servers in color codes on index.cgi now looks like this:
[screenshot]
(green = DNSsec works, certificate is trusted and crypto works; orange = DNSsec does NOT work but certificate is trusted and crypto works; red = nothing works, DoT is off). It is currently stable here and can be found in here --> https://gitlab.com/ummeegge/dot-for-ipf ... perimental for the interested ones.

Installation needs to be made manually (maybe this will change):
- 'dot-indexCGI-check' lives under /usr/bin. It needs to be made executable with

chmod +x /usr/bin/dot-indexCGI-check

- A symlink can be made under /etc/fcron.hourly via

ln -s /usr/bin/dot-indexCGI-check /etc/fcron.hourly

so the configured DoT servers are displayed up to date via index.cgi, to check if there are problems or if everything is good, and actions via the unbound init are not needed for that.
- The unbound initscript has been modified and now executes '/usr/bin/dot-indexCGI-check' on start|restart, and therefore also refreshes the DoT section in index.cgi.
- Changes on dnsovertls.cgi also execute '/usr/bin/dot-indexCGI-check', because it restarts the unbound init, so newly configured IPs should also be immediately checked and displayed on the starting page (index.cgi).

Best,

UE
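As an added example (not code from the dot-for-ipfire project or from this thread) of the verdict the colour codes above describe: the function below derives green/orange/red from the output of a kdig probe against one DoT upstream. It assumes the usual kdig output layout (a `;; TLS session` line, a `;; ->>HEADER<<-` line with the status, and a `;; Flags:` line); the three samples are constructed to resemble that layout and are not real captures, and the `dot_probe` invocation (server IP plus the TLS hostname from /var/ipfire/dns/tlsconfig) is an assumed way to produce the real input on a box that has knot's kdig installed. A SERVFAIL over an established TLS session is treated as red, not orange, because the resolver gave no usable answer.

```shell
#!/bin/sh
# Added example, not code from dot-for-ipfire: classify one DoT upstream the
# way the thread describes the index.cgi colours.
#   green  = TLS session established, NOERROR answer, AD flag set (DNSSEC validated)
#   orange = TLS session established, NOERROR answer, but no AD flag (no DNSSEC)
#   red    = no TLS session, or no usable answer (DoT not working)

# Live probe (assumed invocation, needs kdig from knot on the box):
#   $1 = server IP, $2 = TLS hostname as configured in /var/ipfire/dns/tlsconfig
dot_probe() {
    kdig @"$1" -p 853 +tls-ca +tls-hostname="$2" +dnssec ipfire.org A 2>&1
}

# Read captured kdig output from $1 and print green, orange or red.
classify_dot_state() {
    out="$1"
    # No TLS session line means the handshake (or the connection) failed.
    if ! printf '%s\n' "$out" | grep -q '^;; TLS session'; then
        echo red
        return
    fi
    # A session without a NOERROR answer (SERVFAIL, timeout, ...) is also red.
    if ! printf '%s\n' "$out" | grep -q '^;; ->>HEADER<<-.*status: NOERROR'; then
        echo red
        return
    fi
    # The AD flag tells whether the upstream validated DNSSEC for the answer.
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; Flags: \([a-z ]*\);.*/\1/p')
    case " $flags " in
        *" ad "*) echo green ;;
        *)        echo orange ;;
    esac
}

# Constructed samples approximating kdig output (not real captures).
SAMPLE_GREEN=';; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 4242
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1'

SAMPLE_ORANGE=';; TLS session (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-128-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 4243
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1'

SAMPLE_RED=';; WARNING: can'\''t connect to 192.0.2.53@853(TCP)
;; ERROR: failed to query server 192.0.2.53@853(TCP)'

# Demo run over the constructed samples; on a live box feed "$(dot_probe IP HOST)" instead.
for name in GREEN ORANGE RED; do
    eval "sample=\$SAMPLE_$name"
    printf '%s sample -> %s\n' "$name" "$(classify_dot_state "$sample")"
done
```

The three checks are ordered so that each colour has one cause: missing TLS line, missing NOERROR, missing AD flag. Wiring this into an hourly fcron job is then just a loop over the configured servers that writes the colour next to each address.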

FischerM
Community Developer
Posts: 1025
Joined: November 2nd, 2011, 12:28 pm

Re: unbound - DoT

Post by FischerM » October 18th, 2019, 8:00 pm

Hi Erik,

Sounds great. But right now we're "packing". I'll take a closer look when we're "back from the island".

You'll find me here: ;-)

Sonnenuntergang_in_Utersum.png

Best,
Matthias

ummeegge
Community Developer
Posts: 5001
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » October 19th, 2019, 5:17 am

Hey Matthias,
FischerM wrote:
October 18th, 2019, 8:00 pm
Sounds great. But right now we're "packing". I'll take a closer look when we're "back from the island".
Nice one, enjoy it to the fullest O0 .
FischerM wrote:
October 18th, 2019, 8:00 pm
You'll find me here: ;-)
All right, noted ;) .

Best,

Erik

5589DB
Posts: 140
Joined: August 4th, 2014, 7:56 pm

Re: unbound - DoT

Post by 5589DB » December 5th, 2019, 9:48 am

Hello,

I am currently trying to configure DoT. But it doesn't work, and I want to give some feedback and hopefully a little bit of help.

I was on core 137 and installed the script with:


cd /tmp
curl -O https://gitlab.com/ummeegge/dot-for-ipfire/raw/master/DoT_in-uninstaller.sh
chmod +x DoT_in-uninstaller.sh
./DoT_in-uninstaller.sh
as described on gitlab.

First I noticed that I was not able to access ipfire with DNS anymore, only with IP. I noticed then that there was no new GUI menu. So I decided to update to core 138. GUI Menu was still not shown.

Then I tried to uninstall it and I get the notice:
There is no DoT installation available on this system. Install it first...
Need to quit

I tried to install it again and get the notice:
You are currently using own FORWARDERS. Won´t change this.
Will quit now.

What are my own FORWARDERS? Changes made by my first installation?

I assigned my own DNS Server at "Network/Assign DNS Server". Is that maybe a problem?

Then I deleted my assigned DNS Server, but I still can't (un)install DoT.

I am also using two other scripts: Maybe the scripts interfere with each other?

ummeegge
Community Developer
Posts: 5001
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » December 5th, 2019, 10:49 am

Hi 5589DB,
you've used an old development script. Please check out the starting topic --> viewtopic.php?f=50&t=21954 ; in there you can find the correct address (code block).

Best,

UE

5589DB
Posts: 140
Joined: August 4th, 2014, 7:56 pm

Re: unbound - DoT

Post by 5589DB » December 5th, 2019, 11:11 am

Hello UE,

thanks for your answer! I thought the gitlab script was newer than the first post in this thread ;)

OK, tried the new script. But before that I noticed while booting ipfire:


...
Use Custom Forwarders in local.d
. IN forward 145.100.185.18 145.100.185.17 185.49.141.37 199.58.81.218 146.185.167.43 89.234.186.112 159.69.198.101 108.61.201.119 89.233.43.71 99.192.182.200

Will check for DNSSEC validation, this can take some seconds... 
There is a problem with DNSSEC since it do NOT vaildating correctly!!! 
Were these changes made by the older script I used?!

When I now run the install script and check "unbound-control list_forwards", I see nearly the same IPs as above. In your video there's only one IP you configured in the new GUI Menu. My configured IP 46.182.19.48 (dns2.digitalcourage.de) is not listed there.

Should I empty local.d (dot.conf, where the forwarders are configured)?

Thanks for your help.

ummeegge
Community Developer
Posts: 5001
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » December 5th, 2019, 11:31 am

Yes, it is a little messy in here since I keep all development steps, but the starting topic currently includes the newest infos. I think your individual settings in local.d are respected, so local.d will be preferred to forward.conf; in that case I think you would need to empty it. I haven't used your mentioned blocking scripts, so I am not sure what/if it interferes with the DoT installation.

Best,

UE

5589DB
Posts: 140
Joined: August 4th, 2014, 7:56 pm

Re: unbound - DoT

Post by 5589DB » December 5th, 2019, 12:24 pm

UE, thanks for your help. I deleted the file dot.conf and installed DoT again. Now it works great. It does not interfere with the other scripts.
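The two posts above (the leftover local.d/dot.conf taking precedence over forward.conf, and deleting it fixing the install) are a case of the same zone being forwarded from two unbound config files. As an added example, not part of dot-for-ipfire or of this thread, the script below lists every forward-zone stanza under an unbound config directory and reports zones declared more than once, so a stale drop-in is found before it silently wins. It assumes the layout named in the thread (a forward.conf next to a local.d/ directory of drop-ins, on IPFire under /etc/unbound); the demo tree, the old-forwarder addresses and the single new forwarder are constructed from values quoted in the thread, not a real config dump.

```shell
#!/bin/sh
# Added example, not code from dot-for-ipfire: report zones that are forwarded
# from more than one unbound config file. Assumes a forward.conf plus drop-ins
# in local.d/ under the directory given as $1 (IPFire: /etc/unbound).

# Print "<zone> <file>" for every forward-zone stanza found under $1.
list_forward_zones() {
    for f in "$1"/*.conf "$1"/local.d/*.conf; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[[:space:]]*forward-zone:/ { inzone = 1; next }
            inzone && /^[[:space:]]*name:/ {
                z = $2; gsub(/"/, "", z)      # strip the quotes around the zone name
                print z, file; inzone = 0
            }
        ' "$f"
    done
}

# Print "<zone>: <file1> <file2> ..." for every zone declared more than once.
find_forward_zone_conflicts() {
    list_forward_zones "$1" | awk '
        { files[$1] = files[$1] " " $2; count[$1]++ }
        END { for (z in count) if (count[z] > 1) print z ":" files[z] }'
}

# Constructed demo tree mirroring the situation in the thread (not a real dump):
# forward.conf carries the newly configured DoT server, local.d/dot.conf is the
# leftover from an older installer run with its own root forward-zone.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/local.d"
cat > "$DEMO/forward.conf" <<'EOF'
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 46.182.19.48@853#dns2.digitalcourage.de
EOF
cat > "$DEMO/local.d/dot.conf" <<'EOF'
# left behind by an older installer run
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 145.100.185.18@853
    forward-addr: 185.49.141.37@853
EOF

# Demo run; on a live IPFire box: find_forward_zone_conflicts /etc/unbound
find_forward_zone_conflicts "$DEMO"
```

A non-empty result means unbound will use whichever stanza it reads last for that zone, which is why `unbound-control list_forwards` showed the old addresses in the thread; the file to remove is the one you did not just write.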

ummeegge
Community Developer
Posts: 5001
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » January 28th, 2020, 2:41 pm

Hi all,
with Core 140 DNS-over-TLS comes to IPFire's Core system, which brings this development to an end.
I would suggest uninstalling this development via the uninstaller from the starting thread before the installation of Core 140 !!!

I would also like to thank all the involved people for their help; we could bring a lot of important information to light with this :)
Well done !

With the release of Core 140 I will close this topic here.

Best regards,

UE
