On Wed, Oct 30, 2019 at 11:46:36PM +0100, Remi Locherer wrote:

> Hi Otto,
> 
> On Wed, Oct 30, 2019 at 03:57:15PM +0100, Otto Moerbeek wrote:
> > Hi,
> > 
> > I got *very* little feedback on this request for testing.
> > 
> > If not enough testing is done, I'll either abandon the diff or
> > commit it as-is, introducing bugs that could have been prevented. Both
> > are not good. So get going!
> > 
> >     -Otto
> > 
> 
> I applied your diff and tried with the following config:
> 
> $ unwind -nv
> preference { recursor DoT forwarder dhcp }
> forwarder {
>         9.9.9.9
> }
> captive portal {
>         url "http://captive.apple.com/";
>         expected status 200
>         expected response "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"
>         auto yes
> }
> block list "/etc/unwind_blocklist.txt"
> $
> 
> To force unwind to use 9.9.9.9 I tested with these pf rules:
> 
> $ doas pfctl -sr 
> doas (r...@typhoon.relo.ch) password: 
> block return log all
> pass log all flags S/SA
> pass out log on egress inet from (vether0:network) to any flags S/SA nat-to (egress:0) round-robin
> block return in on ! lo0 proto tcp from any to any port 6000:6010
> block return out log inet proto tcp from any to ! 9.9.9.9 port = 53
> block return out log inet proto udp from any to ! 9.9.9.9 port = 53
> block return out log inet6 proto tcp from any to any port = 53
> block return out log inet6 proto udp from any to any port = 53
> block return out log proto tcp all user = 55
> block return out log proto udp all user = 55
> $
> 
> As expected I can now query 9.9.9.9 but 8.8.8.8 fails:
> 
> $ dig +short undeadly.org @9.9.9.9
> 94.142.241.173
> typhoon ..c/examples$ dig +short undeadly.org @8.8.8.8 
> ;; connection timed out; no servers could be reached
> $
> 
> I expected that unwind would choose 9.9.9.9 with OppDoT. But unwind
> selects dhcp which is correctly displayed as dead:
> 
> $ unwindctl status 
> captive portal is unknown
> 
> selected             type status
>                  recursor dead
>                 forwarder validating
>        *             dhcp dead
> $
> 
> Port 853 on 9.9.9.9 is not blocked:
> 
> $ nc -zv 9.9.9.9 853
> Connection to 9.9.9.9 853 port [tcp/domain-s] succeeded!
> $ nc -zv -u 9.9.9.9 853
> Connection to 9.9.9.9 853 port [udp/domain-s] succeeded!
> $
> 
> Did I do something wrong in unwind.conf?
> 
> Remi

No, you found a bug that happens if the recursor is found dead. In
that case it would switch off OppDot for forwarders as well. Next
version of the diff will have a fix.


As for the unwindctl thing, I could not reproduce that one. Could it
be that you did not build and install usr.sbin/unwindctl? It looks
like the messaging between unwind and unwindctl is off.

        -Otto
