On 2019/10/30 15:57, Otto Moerbeek wrote:
> Hi,
>
> I got *very* little feedback on this request for testing.
>
> If not enough testing is done, I'll either abandon the diff or
> commit it as-is, introducing bugs that could have been prevented. Both
> are not good. So get going!
>
> -Otto
>
I'm pointing it at a local dnsdist box via "forwarders { $ip_address }" and
querying unwind while watching tcpdump. I see it correctly using TCP/853, and
status correctly says:

$ unwindctl status
captive portal is unchecked

  selected type      status
*          forwarder validating (OppDoT)
           recursor  validating

Comments:

- unwind doesn't have keepalives, so it's a new TCP session and TLS
  handshake for every query, which can be bad in some cases (and could get
  expensive with metered mobile data connections). For this reason it would
  be helpful to have a way to disable it (though I suppose "block out proto
  tcp to port 853" works at a pinch).

- several of the public DNS providers do include their IP in the
  certificate, so they could be validated even when picking them up
  opportunistically. Though I suppose with unwind this doesn't make a lot
  of difference as it's just going to fall back to cleartext if TLS fails.

- might be useful to show OppDoT in the "best_resolver" line in debug logs?

Sample config from the dnsdist server below for anyone interested. This is
for 1.40rc5 but I think it'll work with the current ports version (1.3.3)
if you remove the addDOHLocal line.

--snip---------
-- accept queries from anywhere (test box)
addACL('0.0.0.0/0')
addACL('::/0')
-- the real resolver dnsdist forwards to
newServer({address="44.33.22.11", name="upstream"})
-- plain DNS on 53, DoT on the default 853, DoH on 5343
addLocal('11.22.33.44:53',{doTCP=true, reusePort=true})
addTLSLocal("11.22.33.44", "/etc/ssl/xx.fullchain.pem", "/etc/ssl/private/xx.key",{ doTCP=true, reusePort=true })
addDOHLocal("11.22.33.44:5343", "/etc/ssl/xx.fullchain.pem", "/etc/ssl/private/xx.key", "/", {doTCP=true, reusePort=true})
pc = newPacketCache(10000, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false})
getPool(""):setCache(pc)
--snip------
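A small script for the "watching tcpdump" part of the test above, added here as an illustration and not part of the mail, of unwind or of dnsdist. It reads tcpdump lines (either the OpenBSD "S 1:1(0)" or the Linux "Flags [S]" style), counts client connections to port 853 per forwarder, and estimates how many DNS queries each connection carried, so the "new TCP session and TLS handshake for every query" behaviour shows up as a ratio near 1.0. The capture text, the addresses and the regular expression are constructed for the example; the query estimate treats the first client data segment of each connection as the TLS ClientHello and every later one as a query, which is an approximation since tcpdump does not decode TLS records.

```python
import re
from collections import defaultdict

DOT_PORT = 853

# One TCP line of tcpdump output in either the OpenBSD style ("S 1:1(0) ...")
# or the Linux style ("Flags [S], ..."). The timestamp and an optional
# "IP"/"IP6" prefix are skipped. (Constructed pattern for this example.)
TCP_LINE = re.compile(
    r"^\S+\s+(?:IP6?\s+)?(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?:Flags\s+\[(?P<lflags>[A-Z.]+)\]|(?P<oflags>[A-Z.]+))"
)


def summarize_dot(lines):
    """Per DoT server: client connections (SYNs to 853) and client data segments."""
    conns = {}  # (client, client port, server) -> pushed client segments on that connection
    for line in lines:
        m = TCP_LINE.match(line.strip())
        if not m or int(m.group("dport")) != DOT_PORT:
            continue  # only client -> server traffic to port 853 is of interest
        flags = m.group("lflags") or m.group("oflags")
        key = (m.group("src"), int(m.group("sport")), m.group("dst"))
        if "S" in flags:
            conns[key] = 0  # new TCP connection, hence a new TLS handshake as well
        elif "P" in flags and key in conns:
            conns[key] += 1  # a client data segment: TLS ClientHello or a DNS query
    stats = defaultdict(lambda: {"connections": 0, "data_segments": 0})
    for (_, _, server), n in conns.items():
        stats[server]["connections"] += 1
        stats[server]["data_segments"] += n
    return dict(stats)


def queries_per_connection(stats):
    """Approximate DNS queries per connection.

    The first client data segment of every connection is taken to be the TLS
    ClientHello and the rest to be queries (an upper bound, since TLS 1.3 may
    push a separate Finished record). A value near 1.0 means each query paid
    for a full TCP and TLS setup, i.e. no connection reuse.
    """
    return {srv: (s["data_segments"] - s["connections"]) / s["connections"]
            for srv, s in stats.items()}


# Constructed tcpdump excerpt (not a real capture): two queries from the unwind
# host 192.0.2.10 to a forwarder at 192.0.2.53, each on its own connection.
CAPTURE = """\
14:02:11.120001 192.0.2.10.41234 > 192.0.2.53.853: S 1111:1111(0) win 16384 <mss 1460>
14:02:11.120500 192.0.2.53.853 > 192.0.2.10.41234: S 2222:2222(0) ack 1112 win 65535
14:02:11.121000 192.0.2.10.41234 > 192.0.2.53.853: . ack 1 win 256
14:02:11.125000 192.0.2.10.41234 > 192.0.2.53.853: P 1:300(299) ack 1 win 256
14:02:11.160000 192.0.2.53.853 > 192.0.2.10.41234: P 1:1800(1799) ack 300 win 255
14:02:11.190000 192.0.2.10.41234 > 192.0.2.53.853: P 300:420(120) ack 1800 win 256
14:02:11.230000 192.0.2.10.41234 > 192.0.2.53.853: F 420:420(0) ack 1900 win 256
14:02:12.300001 192.0.2.10.41235 > 192.0.2.53.853: S 3333:3333(0) win 16384 <mss 1460>
14:02:12.301000 192.0.2.10.41235 > 192.0.2.53.853: . ack 1 win 256
14:02:12.305000 192.0.2.10.41235 > 192.0.2.53.853: P 1:300(299) ack 1 win 256
14:02:12.370000 192.0.2.10.41235 > 192.0.2.53.853: P 300:420(120) ack 1800 win 256
14:02:12.410000 192.0.2.10.41235 > 192.0.2.53.853: F 420:420(0) ack 1900 win 256
"""

if __name__ == "__main__":
    stats = summarize_dot(CAPTURE.splitlines())
    for srv, ratio in queries_per_connection(stats).items():
        print(f"{srv}: {stats[srv]['connections']} connections, "
              f"~{ratio:.1f} queries per connection")
```

Feed it the output of something like "tcpdump -n -i <iface> tcp port 853"; a ratio well above 1.0 after a burst of lookups would indicate that the resolver is keeping connections open between queries.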