Re: [PATCH] Add setting: UpdateResolvConf

2015-02-05 Thread Patrik Flykt
On Thu, 2015-02-05 at 09:53 +0200, Patrik Flykt wrote:
> Add 127.0.0.53 in the FallbackNameservers directive in main.conf as
> this is the entry used when doing tethering with the --nodnsproxy
> option set or if _no_ nameserver info has been provided via DHCP for
> some utterly misconfigured server side reason or static IP address.

Well, I apparently thought one thing and wrote something else. As
FallbackNameservers will be used for tethering when --nodnsproxy is
given, a loopback address cannot be used here.

Hmm, it really seems that one should have ConnMan do the caching, as
then the DNS server sent via DHCP when tethering is pointing to this
device. With manually setting nameservers for each service and letting
ConnMan do caching, ConnMan will receive all DNS queries for this and
the tethered devices and forward them properly to the intended
adsuck/unbound combo.

The only remaining problem is to get the DNS servers from DHCP
configured for unbound... Hmm, should we perhaps have a way of setting
the location where resolv.conf is written...?


Cheers,

Patrik


___
connman mailing list
connman@connman.net
https://lists.connman.net/mailman/listinfo/connman


Re: [PATCH] Add setting: UpdateResolvConf

2015-02-04 Thread Patrik Flykt
On Wed, 2015-02-04 at 17:11 +0200, Tomasz Bursztyka wrote:
> No, afaik you need to disable dnsproxy. Or then you will end up with:
> 
> dnsproxy configured to use 127.0.0.53 as nameserver, and resolv.conf
> with 127.0.0.1 as nameserver. Duplicated local dns cache/forwarder.
> 
> If dnsproxy is disabled, resolv.conf will directly get the 127.0.0.53

To do this with the least amount of hassle with ConnMan while having
adsuck listening on 127.0.0.53 and forwarding queries to unbound on
127.0.0.54 - which I strongly suggest should forward all queries to
Google's name servers https://developers.google.com/speed/public-dns/ -
do this for each service:

'connmanctl config XX nameservers 127.0.0.53', where X is
the service id printed by connmanctl.

Add --nodnsproxy to the systemd service file or init.d/ script as an
argument to the connman executable. This prevents the device from doing
double DNS caching by disabling ConnMan's caching.

Add 127.0.0.53 in the FallbackNameservers directive in main.conf as this
is the entry used when doing tethering with the --nodnsproxy option set
or if _no_ nameserver info has been provided via DHCP for some utterly
misconfigured server side reason or static IP address.

Doing it this way is admittedly a bit more work but has the benefit of
being a configuration supported by upstream :-).


Cheers,

Patrik


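A script form of the three-step recipe above, as an added example that is not ConnMan's own tooling. It assumes the `connmanctl services` listing prints the service id as the last field of each line (the sample listing is constructed), uses the `--nameservers` spelling of `connmanctl config` as Jukka wrote it, and refuses a loopback FallbackNameservers entry for the reason Patrik gives in his follow-up at the top of this thread: with --nodnsproxy that list is what tethered clients receive over DHCP, and 127.0.0.53 means nothing to them.

```shell
#!/bin/sh
# Added example; not ConnMan's own tooling. Pins every known ConnMan service
# to a local resolver and renders the FallbackNameservers line for main.conf.
# Assumed: `connmanctl services` prints "<flags> <name> <service id>" per line
# with the id as the last field. SAMPLE_LISTING is constructed to that shape.

LOCAL_RESOLVER=127.0.0.53

# Service ids are the last whitespace-separated field; SSIDs with spaces in
# the name column do not matter because only $NF is taken.
service_ids() {
    awk 'NF { print $NF }'
}

# One `connmanctl config` line per service, read from the listing on stdin.
# This is the per-service step of the recipe; --nodnsproxy in the unit file
# is still needed so ConnMan does not cache in front of the local resolver.
config_commands() {
    service_ids | while read -r id; do
        printf 'connmanctl config %s --nameservers %s\n' "$id" "$LOCAL_RESOLVER"
    done
}

is_loopback() {
    case "$1" in 127.*|::1) return 0 ;; *) return 1 ;; esac
}

# Render the [General] fragment for main.conf. Loopback is fine as a
# per-service nameserver but not here: with --nodnsproxy this list is handed
# to tethered clients over DHCP, so a 127.x entry breaks their resolution.
fallback_fragment() {
    list=
    for ns in "$@"; do
        if is_loopback "$ns"; then
            printf 'refusing loopback FallbackNameservers entry %s\n' "$ns" >&2
            return 1
        fi
        list="${list:+$list,}$ns"
    done
    printf '[General]\nFallbackNameservers=%s\n' "$list"
}

# Constructed sample of `connmanctl services` output.
SAMPLE_LISTING='*AO Wired                ethernet_001122334455_cable
*A  My Cafe              wifi_5c514f7cdc83_4c49434f_managed_psk'

# Live use:  connmanctl services | config_commands | sh
# Offline:   sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | config_commands
    fallback_fragment 8.8.8.8 8.8.4.4
fi
```

The generated commands are printed rather than executed so they can be reviewed first; piping them to `sh` applies them to the running ConnMan. Settings made this way live in ConnMan's state directory, which is the "lost on reinstall" concern Martin raises later in the thread.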


Re: [PATCH] Add setting: UpdateResolvConf

2015-02-04 Thread Patrik Flykt
On Wed, 2015-02-04 at 16:20 +0100, Martin Tournoij wrote:
> It's not magic :-) But it queries the root server, then .com from
> that, and then example.com from that, insofar as I understand DNS. Or
> maybe I misunderstood something?
> 
> I have no lines with forward-zone in /etc/unbound/unbound.conf
> 
> I followed this guide btw:
> https://wiki.archlinux.org/index.php/Unbound (but *not* section 2.6
> Forwarding queries).

For a standard laptop setup, I advise against using the root servers
directly. First of all it causes unwanted load if everybody forwards
their queries all the way to the root. And sometimes it is not possible
to make direct outbound queries from the networks connected to, every
now and then one ends up in a network that drops DNS queries that do not
go to the domain's designated DNS servers. Google's public DNS servers
would suit you better in this case even though direct queries to those
may be dropped by some of the networks.

In addition, nameservers are known to provide more and "better" IP
addressing when on the "inside" of the connected network.

With the above in mind, ConnMan has the main.conf option
FallbackNameservers, where one can specify backup nameservers should
there be absolutely zero name server information otherwise. The only
"safe" choice here is to add Google's servers, as they are reachable
from a majority of networks.

So for about 99% of ConnMan users, using the DNS servers provided via
DHCP is the correct action to take in all connected networks.


HTH,

Patrik



Re: [PATCH] Add setting: UpdateResolvConf

2015-02-04 Thread Martin Tournoij
On Wed, Feb 4, 2015, at 16:06, Jukka Rissanen wrote:
> You might be able to configure connman to use your 127.0.0.53 server by
> configuring it to each service you are using (have not tested this
> though). Example: connmanctl config your_service_id --nameservers
> 127.0.0.53
> and then running connman with dnsproxy enabled.

Thanks

Yeah, I saw some settings for this today, but then I need to do this for
every network I connect with, not to mention setting might get "lost" on
upgrades/reinstalls since they're not in /etc...

Simply leaving /etc/resolv.conf alone seems like the simplest/most
foolproof way to me. It gives the user control to do "exotic" (which my
setup apparently is) and/or "smart" things; this fits well with my UNIX
philosophy :-) But I don't know if it also fits with connman's
philosophy ;-)

Another way might be to add some way to (globally) control nameserver
settings from connman, but that's more complicated...

Or connman could be left as-is, and my esoteric setup would be
considered "unsupported" (I would not prefer this, obviously :-) ).

Cheers


Re: [PATCH] Add setting: UpdateResolvConf

2015-02-04 Thread Martin Tournoij
On Wed, Feb 4, 2015, at 16:06, Tomasz Bursztyka wrote:
> Hi,
> 
> > It makes sense to me to
> > not use every random DNS server out there...
> 
> Sure, but your unbound does not magically resolve names by itself: it
> does forward the DNS queries to whatever has been configured (check
> /etc/unbound/unbound.conf keyword "forward-zone") and cache the results
> relevantly.

It's not magic :-) But it queries the root server, then .com from that,
and then example.com from that, insofar as I understand DNS. Or maybe I
misunderstood something?

I have no lines with forward-zone in /etc/unbound/unbound.conf

I followed this guide btw: https://wiki.archlinux.org/index.php/Unbound
(but *not* section 2.6 Forwarding queries).


Re: [PATCH] Add setting: UpdateResolvConf

2015-02-04 Thread Tomasz Bursztyka

Hi,

> You might be able to configure connman to use your 127.0.0.53 server by
> configuring it to each service you are using (have not tested this
> though). Example: connmanctl config your_service_id --nameservers
> 127.0.0.53
> and then running connman with dnsproxy enabled.

No, afaik you need to disable dnsproxy. Or then you will end up with:

dnsproxy configured to use 127.0.0.53 as nameserver, and resolv.conf
with 127.0.0.1 as nameserver.

Duplicated local dns cache/forwarder.

If dnsproxy is disabled, resolv.conf will directly get the 127.0.0.53

Tomasz


Re: [PATCH] Add setting: UpdateResolvConf

2015-02-04 Thread Jukka Rissanen
On ke, 2015-02-04 at 15:53 +0100, Martin Tournoij wrote:
> On Wed, Feb 4, 2015, at 15:41, Jukka Rissanen wrote:
> > Just wondering where do you get the nameserver IP addresses in this
> > case? Are you manually updating resolv.conf?
> 
> Not sure if I understand this question?

I mean where does unbound get its names resolved, are you using 8.8.8.8
or a similar global service?

> 
> Let me explain my setup in more detail:
> 
> - Run unbound on 127.0.0.54
> 
> - Run adsuck on 127.0.0.53, this filters ad domains (spoofs reply with
>   127.0.0.2), and forwards other queries to 127.0.0.42 (unbound).
> 
> - Start connman with --nodnsproxy
> 
> - For the root user, run a crontab with:
> */5 * * * * echo 'nameserver 127.0.0.53' > /etc/resolv.conf
> 
> unbound works as recursive resolver, no other DNS server required.
> 
> This works, except for the first 0 to 5 minutes after I connect to a new
> network. It's also more than a bit ugly...
> 
> Is this a very esoteric setup? I don't know ... It makes sense to me to

This is very exotic setup :)

You might be able to configure connman to use your 127.0.0.53 server by
configuring it to each service you are using (have not tested this
though). Example: connmanctl config your_service_id --nameservers
127.0.0.53
and then running connman with dnsproxy enabled.

> not use every random DNS server out there... DNSSEC should ensure I get
> responses that haven't been tampered with... I don't know what random
> DNS servers at starbucks do...
> 
> Thanks,
> Martin


Cheers,
Jukka




Re: [PATCH] Add setting: UpdateResolvConf

2015-02-04 Thread Tomasz Bursztyka

Hi,

> It makes sense to me to
> not use every random DNS server out there...

Sure, but your unbound does not magically resolve names by itself: it
does forward the DNS queries to whatever has been configured (check
/etc/unbound/unbound.conf keyword "forward-zone") and cache the results
relevantly.

> DNSSEC should ensure I get
> responses that haven't been tampered with...

Sure, as long as the configured DNS you use to forward to supports it.

Tomasz


Re: [PATCH] Add setting: UpdateResolvConf

2015-02-04 Thread Martin Tournoij
On Wed, Feb 4, 2015, at 15:41, Jukka Rissanen wrote:
> Just wondering where do you get the nameserver IP addresses in this
> case? Are you manually updating resolv.conf?

Not sure if I understand this question?

Let me explain my setup in more detail:

- Run unbound on 127.0.0.54

- Run adsuck on 127.0.0.53, this filters ad domains (spoofs reply with
  127.0.0.2), and forwards other queries to 127.0.0.42 (unbound).

- Start connman with --nodnsproxy

- For the root user, run a crontab with:
*/5 * * * * echo 'nameserver 127.0.0.53' > /etc/resolv.conf

unbound works as recursive resolver, no other DNS server required.

This works, except for the first 0 to 5 minutes after I connect to a new
network. It's also more than a bit ugly...

Is this a very esoteric setup? I don't know ... It makes sense to me to
not use every random DNS server out there... DNSSEC should ensure I get
responses that haven't been tampered with... I don't know what random
DNS servers at starbucks do...

Thanks,
Martin


Re: [PATCH] Add setting: UpdateResolvConf

2015-02-04 Thread Jukka Rissanen
Hi Martin,

On ke, 2015-02-04 at 15:34 +0100, Martin Tournoij wrote:
> On Wed, Feb 4, 2015, at 15:28, Patrik Flykt wrote:
> > 
> > Hi,
> > 
> > On Wed, 2015-02-04 at 15:23 +0100, Martin Tournoij wrote:
> > > > How do you pick up the DNS servers when changing networks if ConnMan
> > > > never writes the ones obtained via DHCP anywhere? How do you update
> > > the
> > > > DNS servers at the moment when using your own resolver?
> > > 
> > > I don't. I run unbound (& adsuck) on my laptop, so it works
> > > everywhere.
> > 
> > So if you do a lookup for 'slashdot.org', how is unbound configured to
> > properly resolve that name from any network you visit? Google?
> 
> It just works as a recursive resolver, I don't need to rely on any
> "external" DNS resolvers (which is how unbound works by default).

Just wondering where do you get the nameserver IP addresses in this
case? Are you manually updating resolv.conf?


Cheers,
Jukka




Re: [PATCH] Add setting: UpdateResolvConf

2015-02-04 Thread Martin Tournoij
On Wed, Feb 4, 2015, at 15:28, Patrik Flykt wrote:
> So if you do a lookup for 'slashdot.org', how is unbound configured to
> properly resolve that name from any network you visit? Google?

If you wanted to, you could still get the DNS servers the DHCP dishes
out with:

  $ connmanctl services wifi_5c514f7cdc83_4c49434f_managed_psk | grep Nameserver

And do something manually with it (by monitoring for changes to connman
or /etc/resolv.conf maybe).
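The "do something manually with it" step above, and the open question in Patrik's 2015-02-05 follow-up at the top of the thread (how to get the DHCP-supplied DNS servers configured for unbound), as an added example that is not ConnMan's or unbound's own code. It assumes connmanctl prints the property as `Nameservers = [ a, b ]` (the sample dump is constructed to that shape) and that unbound.conf carries an `include:` line for the generated file; the path /etc/unbound/forward.conf is a placeholder.

```shell
#!/bin/sh
# Added example; not ConnMan's or unbound's own code. Reads the property dump
# of one ConnMan service (what `connmanctl services <id>` prints), pulls the
# nameservers the network handed out via DHCP, and renders them as an unbound
# forward-zone, so a local resolver on 127.0.0.54 follows the current network
# without a cron job rewriting /etc/resolv.conf every five minutes.
#
# Assumed: connmanctl prints the property as "  Nameservers = [ a, b ]".
# SAMPLE_PROPERTIES below is constructed to that shape for offline use.

# Print the addresses from the "Nameservers = [ ... ]" line on stdin,
# space separated. "Nameservers.Configuration" (the user override, which may
# itself be 127.0.0.53) is deliberately not matched.
extract_nameservers() {
    sed -n 's/^[[:space:]]*Nameservers = \[ *\(.*[^ ]\) *\]$/\1/p' | tr ',' ' '
}

# Drop loopback entries: forwarding unbound to 127.0.0.53 would send queries
# into adsuck, which forwards them straight back into unbound.
drop_loopback() {
    for ns in "$@"; do
        case "$ns" in
            127.*|::1) ;;
            *) printf '%s ' "$ns" ;;
        esac
    done
}

# Render an unbound forward-zone for the given addresses. With none, print
# nothing: unbound then keeps doing full recursion from the root.
render_forward_zone() {
    [ "$#" -gt 0 ] || return 0
    printf 'forward-zone:\n    name: "."\n'
    for ns in "$@"; do
        printf '    forward-addr: %s\n' "$ns"
    done
}

# Whole pipeline: service properties on stdin, forward-zone on stdout.
forward_zone_from_service() {
    set -- $(extract_nameservers)
    set -- $(drop_loopback "$@")
    render_forward_zone "$@"
}

# Constructed sample of `connmanctl services <id>` output.
SAMPLE_PROPERTIES='/net/connman/service/wifi_5c514f7cdc83_4c49434f_managed_psk
  Type = wifi
  State = online
  Nameservers = [ 192.0.2.1, 192.0.2.2 ]
  Nameservers.Configuration = [ 127.0.0.53 ]'

# Live use (placeholder path, assumed to be include:d from unbound.conf):
#   connmanctl services "$SERVICE_ID" | forward_zone_from_service \
#       > /etc/unbound/forward.conf && unbound-control reload
# Offline: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_PROPERTIES" | forward_zone_from_service
fi
```

Run it from whatever notices a network change (a ConnMan D-Bus signal handler or a watcher on /etc/resolv.conf), write the output to the included file and `unbound-control reload`; the same addresses can instead be handed to `unbound-control forward`. Loopback entries are filtered so that a service already pinned to 127.0.0.53 never turns unbound's forwarder into a loop through adsuck, and an empty or missing Nameservers property leaves unbound recursing on its own, which is Martin's original setup.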


Re: [PATCH] Add setting: UpdateResolvConf

2015-02-04 Thread Martin Tournoij
On Wed, Feb 4, 2015, at 15:28, Patrik Flykt wrote:
> 
>   Hi,
> 
> On Wed, 2015-02-04 at 15:23 +0100, Martin Tournoij wrote:
> > > How do you pick up the DNS servers when changing networks if ConnMan
> > > never writes the ones obtained via DHCP anywhere? How do you update
> > the
> > > DNS servers at the moment when using your own resolver?
> > 
> > I don't. I run unbound (& adsuck) on my laptop, so it works
> > everywhere.
> 
> So if you do a lookup for 'slashdot.org', how is unbound configured to
> properly resolve that name from any network you visit? Google?

It just works as a recursive resolver, I don't need to rely on any
"external" DNS resolvers (which is how unbound works by default).


Re: [PATCH] Add setting: UpdateResolvConf

2015-02-04 Thread Patrik Flykt

Hi,

On Wed, 2015-02-04 at 15:23 +0100, Martin Tournoij wrote:
> > How do you pick up the DNS servers when changing networks if ConnMan
> > never writes the ones obtained via DHCP anywhere? How do you update
> the
> > DNS servers at the moment when using your own resolver?
> 
> I don't. I run unbound (& adsuck) on my laptop, so it works
> everywhere.

So if you do a lookup for 'slashdot.org', how is unbound configured to
properly resolve that name from any network you visit? Google?

Cheers,

Patrik



Re: [PATCH] Add setting: UpdateResolvConf

2015-02-04 Thread Martin Tournoij
On Wed, Feb 4, 2015, at 14:59, Patrik Flykt wrote:
> On Tue, 2015-01-06 at 05:01 +0100, Martin Tournoij wrote:
> > This is useful because my laptop runs its own resolver. Every time I
> > connect, Connman overwrites /etc/resolv.conf, and I need to script
> > around this by overwriting it again after this...
> 
> How do you pick up the DNS servers when changing networks if ConnMan
> never writes the ones obtained via DHCP anywhere? How do you update the
> DNS servers at the moment when using your own resolver?

I don't. I run unbound (& adsuck) on my laptop, so it works everywhere.


Re: [PATCH] Add setting: UpdateResolvConf

2015-02-04 Thread Patrik Flykt
On Tue, 2015-01-06 at 05:01 +0100, Martin Tournoij wrote:
> This is useful because my laptop runs its own resolver. Every time I
> connect, Connman overwrites /etc/resolv.conf, and I need to script
> around this by overwriting it again after this...

How do you pick up the DNS servers when changing networks if ConnMan
never writes the ones obtained via DHCP anywhere? How do you update the
DNS servers at the moment when using your own resolver?


Cheers,

Patrik




Re: [PATCH] Add setting: UpdateResolvConf

2015-02-04 Thread Martin Tournoij
Hi,

Is there any response on this?

I don't want to badger anyone, but I'm subscribed to the connman mail
list just for this issue. I would like to give my INBOX a break ;-)

Thanks a lot!
Martin


Re: [PATCH] Add setting: UpdateResolvConf

2015-01-06 Thread Martin Tournoij
On Tue, Jan 6, 2015, at 12:06, Pasi Sjöholm wrote:
> Hi Martin,
> 
> >This patch adds a new setting to main.conf, `UpdateResolvConf' (default
> >true), which controls the updating of /etc/resolv.conf.
> >
> >If set to False, /etc/resolv.conf will not be updated.
> 
> You know there is "--nodnsproxy" option when starting connman?

Yup :-) And I enabled that, but it then updates /etc/resolv.conf with the
settings from the DHCP server, ie.:

  # Generated by Connection Manager
  nameserver 8.8.8.8
  nameserver 8.8.4.4

There is, as far as I've been able to determine, no easy way to prevent this.

RE: [PATCH] Add setting: UpdateResolvConf

2015-01-06 Thread Pasi Sjöholm
Hi Martin,

>This patch adds a new setting to main.conf, `UpdateResolvConf' (default
>true), which controls the updating of /etc/resolv.conf.
>
>If set to False, /etc/resolv.conf will not be updated.

You know there is "--nodnsproxy" option when starting connman?

Br,
Pasi