On Wed, Oct 30, 2019 at 08:51:00PM +0000, Stuart Henderson wrote:

> On 2019/10/30 15:57, Otto Moerbeek wrote:
> > Hi,
> >
> > I got *very* little feedback on this request for testing.
> >
> > If not enough testing is done, I'll either abandon the diff or
> > commit it as-is, introducing bugs that could have been prevented. Both
> > are not good. So get going!
> >
> > -Otto
> >
>
> I'm pointing it at a local dnsdist box via "forwarders { $ip_address }"
> and querying unwind while watching tcpdump, I see it correctly using
> TCP/853, and status correctly says
>
> $ unwindctl status
> captive portal is unchecked
>
> selected type       status
>  *       forwarder  validating (OppDoT)
>          recursor   validating
>

Thanks for testing.

> Comments:
>
> - unwind doesn't have keepalives, so it's a new TCP session and TLS
>   handshake for every query, which can be bad in some cases (and could get
>   expensive with metered mobile data connections). For this reason it
>   would be helpful to have a way to disable it (though I suppose "block
>   out proto tcp to port 853" works at a pinch).

unwind should cache though, can you observe that?

> - several of the public DNS providers do include their IP in the certificate
>   so they could be validated even when picking them up opportunistically.
>   though I suppose with unwind this doesn't make a lot of difference as
>   it's just going to fall back to cleartext if TLS fails.

For any DoT mode the validity of the cert is checked, for OppDoT the trust
check is only: is the cert signed by a trusted CA. We do not know which DoT
providers include a cert with an IP address, so we cannot force a check for
that. Besides that, I could not get libunbound to accept an authentication IP
like 9.9.9.9, only a name like "quad9.net".

> - might be useful to show OppDoT in the "best_resolver" line in debug logs?
>
> Sample config from the dnsdist server below for anyone interested, this
> is for 1.40rc5 but I think it'll work with the current ports version
> (1.3.3) if you remove the addDOHLocal line.
>
> --snip---------
> addACL('0.0.0.0/0')
> addACL('::/0')
> newServer({address="44.33.22.11", name="upstream"})
> addLocal('11.22.33.44:53',{doTCP=true, reusePort=true})
> addTLSLocal("11.22.33.44", "/etc/ssl/xx.fullchain.pem",
>   "/etc/ssl/private/xx.key",{ doTCP=true, reusePort=true })
> addDOHLocal("11.22.33.44:5343", "/etc/ssl/xx.fullchain.pem",
>   "/etc/ssl/private/xx.key", "/", {doTCP=true, reusePort=true})
> pc = newPacketCache(10000, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60,
>   staleTTL=60, dontAge=false})
> getPool(""):setCache(pc)
> --snip------

Yes, that should work indeed.

-Otto
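A small DNS-over-TLS probe, added here as an illustration (it is not code from this thread, from unwind or from dnsdist), that makes the distinction Otto draws concrete: the opportunistic mode only requires a chain signed by a trusted CA, while the strict mode additionally checks an authentication name such as "quad9.net"; like unwind it opens a fresh TCP/853 session and TLS handshake per query. The upstream address, the query name and the authentication name in the usage line are assumptions.

```python
"""DoT probe (RFC 7858): one query over TCP/853 in either opportunistic mode
(chain signed by a trusted CA, no name check) or strict mode (chain plus an
authentication name). Added example; the addresses used are assumptions."""
import socket
import ssl
import struct


def build_query(name, qtype=1, txid=0x1234):
    """Wire-format query with the 2-byte length prefix used over TCP and TLS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # class IN
    return struct.pack("!H", len(msg)) + msg


def parse_response(msg):
    """Header fields of a length-prefixed response: txid, rcode, answer count."""
    (length,) = struct.unpack("!H", msg[:2])
    body = msg[2:2 + length]
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", body[:12])
    return {"txid": txid, "rcode": flags & 0x000F, "answers": an,
            "truncated": bool(flags & 0x0200)}


def make_context(auth_name):
    """OppDoT (auth_name None): CA-signed chain only. Strict: chain + name match."""
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED
    ctx.check_hostname = auth_name is not None
    return ctx


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DoT server closed the connection early")
        buf += chunk
    return buf


def dot_query(server_ip, name, auth_name=None):
    """Fresh TCP session and TLS handshake per query, as unwind does (no keepalive)."""
    ctx = make_context(auth_name)
    with socket.create_connection((server_ip, 853), timeout=5.0) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(build_query(name))
            prefix = _recv_exact(tls, 2)
            (length,) = struct.unpack("!H", prefix)
            return parse_response(prefix + _recv_exact(tls, length))


if __name__ == "__main__":  # assumed upstream and name; strict mode via provider name
    print(dot_query("9.9.9.9", "openbsd.org", auth_name="quad9.net"))
```

Calling `dot_query` with `auth_name=None` reproduces the OppDoT trust check (a valid chain from any trusted CA passes, whatever name or IP the certificate carries), which is why an attacker holding any publicly trusted certificate is not rejected in that mode.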