Hi Otto,

On Wed, Oct 30, 2019 at 03:57:15PM +0100, Otto Moerbeek wrote:
> Hi,
> 
> I got *very* little feedback on this request for testing.
> 
> If not enough testing is done, I'll either abandon the diff or
> commit it as-is, introducing bugs that could have been prevented. Both
> are not good. So get going!
> 
>       -Otto
> 

I applied your diff and tried with the following config:

$ unwind -nv
preference { recursor DoT forwarder dhcp }
forwarder {
        9.9.9.9
}
captive portal {
        url "http://captive.apple.com/";
        expected status 200
        expected response "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"
        auto yes
}
block list "/etc/unwind_blocklist.txt"
$

To force unwind to use 9.9.9.9 I tested with these pf rules:

$ doas pfctl -sr 
doas (r...@typhoon.relo.ch) password: 
block return log all
pass log all flags S/SA
pass out log on egress inet from (vether0:network) to any flags S/SA nat-to (egress:0) round-robin
block return in on ! lo0 proto tcp from any to any port 6000:6010
block return out log inet proto tcp from any to ! 9.9.9.9 port = 53
block return out log inet proto udp from any to ! 9.9.9.9 port = 53
block return out log inet6 proto tcp from any to any port = 53
block return out log inet6 proto udp from any to any port = 53
block return out log proto tcp all user = 55
block return out log proto udp all user = 55
$

As expected I can now query 9.9.9.9 but 8.8.8.8 fails:

$ dig +short undeadly.org @9.9.9.9
94.142.241.173
typhoon ..c/examples$ dig +short undeadly.org @8.8.8.8 
;; connection timed out; no servers could be reached
$

I expected that unwind would choose 9.9.9.9 with OppDoT. But unwind
selects dhcp which is correctly displayed as dead:

$ unwindctl status 
captive portal is unknown

selected             type status
                 recursor dead
                forwarder validating
       *             dhcp dead
$

Port 853 on 9.9.9.9 is not blocked:

$ nc -zv 9.9.9.9 853
Connection to 9.9.9.9 853 port [tcp/domain-s] succeeded!
$ nc -zv -u 9.9.9.9 853
Connection to 9.9.9.9 853 port [udp/domain-s] succeeded!
$

Did I do something wrong in unwind.conf?

Remi
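An added example, not from this thread or from unwind itself, that parses the `unwindctl status` output quoted above and flags exactly the situation reported: the selected resolver is marked dead while another one is validating. The sample status text is constructed from the mail.

```shell
#!/bin/sh
# Parse "unwindctl status" output and check whether the selected (*)
# resolver is dead while a validating one is available.
# SAMPLE_STATUS is constructed from the output quoted in the mail.

SAMPLE_STATUS='captive portal is unknown

selected             type status
                 recursor dead
                forwarder validating
       *             dhcp dead'

# Print "<type> <status>" of the resolver marked with "*" in column one.
selected_resolver() {
    printf '%s\n' "$1" | awk '$1 == "*" { print $2, $3 }'
}

# Print the types whose status column reads "validating", one per line.
usable_resolvers() {
    printf '%s\n' "$1" | awk 'NF >= 2 && $NF == "validating" { print $(NF-1) }'
}

# Return 0 when the selection looks sane, 1 when a dead resolver is
# selected although at least one validating resolver exists.
check_selection() {
    sel=$(selected_resolver "$1")
    status=${sel#* }
    usable=$(usable_resolvers "$1")
    if [ "$status" = "dead" ] && [ -n "$usable" ]; then
        return 1
    fi
    return 0
}

if ! check_selection "$SAMPLE_STATUS"; then
    echo "selected '$(selected_resolver "$SAMPLE_STATUS")' but validating: $(usable_resolvers "$SAMPLE_STATUS" | tr '\n' ' ')"
fi
```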
