On Wed, Oct 30, 2019 at 08:51:00PM +0000, Stuart Henderson wrote:

> On 2019/10/30 15:57, Otto Moerbeek wrote:
> > Hi,
> > 
> > I got *very* little feedback on this request for testing.
> > 
> > If not enough enough testing is done, I'll either abandon the diff or
> > commit it as-is, introducing bugs that could have been prevented. Both
> > are not good. So get going!
> > 
> >     -Otto
> > 
> 
> I'm pointing it at a local dnsdist box via "forwarders { $ip_address }"
> and querying unwind while watching tcpdump, I see it correctly using
> TCP/853, and status correctly says
> 
> $ unwindctl status
> captive portal is unchecked
> 
> selected             type status
>        *        forwarder validating (OppDoT)
>                  recursor validating
> 
> 
> 

Thanks for testing.

> Comments:
> 
> - unwind doesn't have keepalives, so it's a new TCP session and TLS
> handshake for every query, which can be bad in some cases (and could get
> expensive with metered mobile data connections). for this reason it
> would be helpful to have a way to disable it (though I suppose "block
> out proto tcp to port 853" works at a pinch).

unwind should cache though, can you observe that?

> 
> - several of the public DNS providers do include their IP in the certificate
> so they could be validated even when picking them up opportunistically.
> though I suppose with unwind this doesn't make a lot of difference as
> it's just going to fallback to cleartext if TLS fails.

For any DoT mode the validity of the cert is checked; for OppDoT the
trust check is only: is the cert signed by a trusted CA. We do not
know which DoT providers include a cert with an IP address, so we
cannot force a check for that. Besides that, I could not get
libunbound to accept an authentication IP like 9.9.9.9, only a name
like "quad9.net".

> 
> - might be useful to show OppDoT in the "best_resolver" line in debug logs?
> 
> 
> 
> Sample config from the dnsdist server below for anyone interested, this
> is for 1.40rc5 but I think it'll work with the current ports version
> (1.3.3) if you remove the addDOHLocal line.
> 
> --snip---------
> addACL('0.0.0.0/0')
> addACL('::/0')
> newServer({address="44.33.22.11", name="upstream"})
> addLocal('11.22.33.44:53',{doTCP=true, reusePort=true})
> addTLSLocal("11.22.33.44", "/etc/ssl/xx.fullchain.pem", 
> "/etc/ssl/private/xx.key",{ doTCP=true, reusePort=true })
> addDOHLocal("11.22.33.44:5343", "/etc/ssl/xx.fullchain.pem", 
> "/etc/ssl/private/xx.key", "/", {doTCP=true, reusePort=true})
> pc = newPacketCache(10000, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, 
> staleTTL=60, dontAge=false})
> getPool(""):setCache(pc)
> --snip------
> 

Yes, that should work indeed.

        -Otto
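The trust levels discussed in this thread (strict DoT with an authentication name, OppDoT that only checks the CA signature, and the fallback to cleartext when TLS fails), plus the SAN-with-IP check Stuart mentions, as an added example. This is not unwind's, libunbound's or dnsdist's code; it is a small stand-alone DoT client written here to illustrate the discussion. The SAMPLE_SAN entries are constructed for the example and are not copied from any real certificate, and the port numbers (853 for DoT, 53 for cleartext) are the standard ones. Like unwind in the test above, it opens a fresh TCP+TLS session per query, which is the keepalive cost raised in the thread.

```python
"""Minimal DoT client with strict / opportunistic trust and cleartext fallback.

Added example for the unwind OppDoT thread; not project code. Assumptions
(ports, sample SAN data, trust-mode mapping) are marked in comments.
"""
import ipaddress
import socket
import ssl
import struct

# Constructed sample of what ssl.SSLSocket.getpeercert()["subjectAltName"]
# looks like for a resolver certificate that carries its own IPs. The values
# are illustrative only, not taken from a real certificate.
SAMPLE_SAN = (
    ("DNS", "dns.quad9.net"),
    ("IP Address", "9.9.9.9"),
    ("IP Address", "2620:fe::fe"),
)


def build_query(name, qtype=1, txid=0x1234):
    """DNS wire-format query: 12-byte header with RD set, QNAME labels, QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame_tcp(msg):
    """RFC 1035 TCP framing (two-byte big-endian length prefix); DoT uses the same framing."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(buf):
    """Inverse of frame_tcp: returns (message, remaining bytes), or None if the buffer is short."""
    if len(buf) < 2:
        return None
    (n,) = struct.unpack("!H", buf[:2])
    if len(buf) < 2 + n:
        return None
    return buf[2:2 + n], buf[2 + n:]


def rcode(resp):
    """RCODE is the low four bits of the flags word at bytes 2..3 of the header."""
    return struct.unpack("!H", resp[2:4])[0] & 0x0F


def san_has_ip(san, ip):
    """True if the certificate's SAN lists the resolver IP we connected to.
    This is the extra check possible for providers that put their IP in the cert."""
    want = ipaddress.ip_address(ip)
    return any(kind == "IP Address" and ipaddress.ip_address(val) == want
               for kind, val in san)


def tls_context(mode):
    """'strict': chain validation plus name match against the authentication name.
    'opportunistic': chain validation only (a cert signed by a trusted CA), which is
    how the thread describes OppDoT. Both use the system CA store."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    if mode == "opportunistic":
        ctx.check_hostname = False
    return ctx


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def dot_query(ip, name, mode="opportunistic", auth_name=None, require_ip_san=False):
    """One query over a fresh TCP+TLS session to port 853 (no session reuse, as in the thread)."""
    if mode == "strict" and not auth_name:
        raise ValueError("strict mode needs an authentication name, e.g. 'quad9.net'")
    ctx = tls_context(mode)
    with socket.create_connection((ip, 853), timeout=5) as raw:
        # In strict mode the chain is validated against auth_name (a name, not an IP).
        with ctx.wrap_socket(raw, server_hostname=auth_name if mode == "strict" else None) as tls:
            san = tls.getpeercert().get("subjectAltName", ())
            if require_ip_san and not san_has_ip(san, ip):
                raise ssl.SSLCertVerificationError("resolver IP not in certificate SAN")
            tls.sendall(frame_tcp(build_query(name)))
            (n,) = struct.unpack("!H", recv_exact(tls, 2))
            return recv_exact(tls, n)


def resolve(ip, name, mode="opportunistic", auth_name=None):
    """Opportunistic: try DoT, fall back to cleartext UDP/53 if TLS fails.
    Strict: a failed check is an error, never a fallback. Returns (response, transport)."""
    try:
        return dot_query(ip, name, mode, auth_name), "DoT"
    except OSError:  # ssl.SSLError is a subclass of OSError
        if mode == "strict":
            raise
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as udp:
        udp.settimeout(5)
        udp.sendto(build_query(name), (ip, 53))
        return udp.recv(4096), "cleartext"


if __name__ == "__main__":
    import sys
    # usage: python dot.py <resolver-ip> <name> [<auth-name for strict mode>]
    ip, qname = sys.argv[1], sys.argv[2]
    if len(sys.argv) > 3:
        resp, how = resolve(ip, qname, mode="strict", auth_name=sys.argv[3])
    else:
        resp, how = resolve(ip, qname)
    print(how, "rcode", rcode(resp), "bytes", len(resp))
```

Running it against the dnsdist listener from Stuart's config while watching tcpdump shows the same pattern he describes: a TCP/853 connection and TLS handshake per query, and a switch to UDP/53 if the TLS side is blocked. Pass `require_ip_san=True` to `dot_query` to refuse resolvers whose certificate does not name the IP you connected to; that is the stronger opportunistic check the thread says unwind cannot force because it does not know which providers issue such certificates.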


