From 07e64764546ad69e7fd7dbb31fda5afe34d80872 Mon Sep 17 00:00:00 2001 From: David Mora Date: Sun, 30 Dec 2018 09:50:39 -0500 Subject: [PATCH 01/16] getdns: Remove iamperson347 from maintainer I am no longer able to support maintaining the getdns lib for openwrt. I suggest Jonathan Underwood as a replacement. --- libs/getdns/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libs/getdns/Makefile b/libs/getdns/Makefile index 4992b088f..73f5b425d 100644 --- a/libs/getdns/Makefile +++ b/libs/getdns/Makefile @@ -10,7 +10,7 @@ PKG_RELEASE:=2 PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=LICENSE -PKG_MAINTAINER:=David Mora +PKG_MAINTAINER:=Jonathan Underwood PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://getdnsapi.net/dist/ From ccf0c71acef452046e033072ab9d0e261f279fc0 Mon Sep 17 00:00:00 2001 From: "Jonathan G. Underwood" Date: Thu, 3 Jan 2019 01:16:23 +0000 Subject: [PATCH 02/16] getdns: update to version 1.5.0 Signed-off-by: Jonathan G. Underwood --- libs/getdns/Makefile | 20 +++++++-------- ...lude-linux-sysctl.h-in-getentropy_li.patch | 25 ------------------- 2 files changed, 10 insertions(+), 35 deletions(-) delete mode 100644 libs/getdns/patches/001-Bugfix-399-Reinclude-linux-sysctl.h-in-getentropy_li.patch diff --git a/libs/getdns/Makefile b/libs/getdns/Makefile index 73f5b425d..a7f957619 100644 --- a/libs/getdns/Makefile +++ b/libs/getdns/Makefile @@ -5,8 +5,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=getdns -PKG_VERSION:=1.4.2 -PKG_RELEASE:=2 +PKG_VERSION:=1.5.0 +PKG_RELEASE:=1 PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=LICENSE @@ -14,7 +14,7 @@ PKG_MAINTAINER:=Jonathan Underwood PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://getdnsapi.net/dist/ -PKG_HASH:=1685b82dfe297cffc4bae08a773cdc88a3edf9a4e5a1ea27d8764bb5affc0e80 +PKG_HASH:=577182c3ace919ee70cee5629505581a10dc530bd53fe5c241603ea91c84fa84 PKG_FIXUP:=autoreconf 
@@ -22,8 +22,8 @@ PKG_INSTALL:=1 PKG_CONFIG_DEPENDS:= \ CONFIG_GETDNS_ENABLE_STUB_ONLY \ - CONFIG_GETDNS_ENABLE_IDN_LIBIDN2 - + CONFIG_GETDNS_ENABLE_IDN_LIBIDN2 + include $(INCLUDE_DIR)/package.mk define Package/getdns/Default @@ -41,7 +41,7 @@ define Package/getdns endef define Package/getdns/description - This package contains the getdns library (libgetdns). + This package contains the getdns library (libgetdns). This package also contains the "getdns_query" command line wrapper for getdns exposing the features of this implementation (both in the official API and the additional API functions). endef @@ -56,7 +56,7 @@ CONFIGURE_ARGS += \ --with-ssl="$(STAGING_DIR)/usr" \ # This will make 'configure' think that our libbsd.so is missing the -# functions inet_pton, inet_ntop, strlcpy and use the builtin. This +# functions inet_pton, inet_ntop, strlcpy and use the builtin. This # removes the libbsd dependency CONFIGURE_VARS += LIBBSD_LIBS=-lc @@ -68,12 +68,12 @@ define Build/InstallDev $(INSTALL_DIR) $(1)/usr/lib/pkgconfig $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/getdns*.pc $(1)/usr/lib/pkgconfig/ endef - - + + define Package/getdns/install $(INSTALL_DIR) $(1)/usr/lib $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libgetdns.so.* $(1)/usr/lib/ - $(INSTALL_DIR) $(1)/usr/sbin + $(INSTALL_DIR) $(1)/usr/sbin $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/getdns_query $(1)/usr/sbin/getdns_query endef diff --git a/libs/getdns/patches/001-Bugfix-399-Reinclude-linux-sysctl.h-in-getentropy_li.patch b/libs/getdns/patches/001-Bugfix-399-Reinclude-linux-sysctl.h-in-getentropy_li.patch deleted file mode 100644 index 72997d4f5..000000000 --- a/libs/getdns/patches/001-Bugfix-399-Reinclude-linux-sysctl.h-in-getentropy_li.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From 05bce5263735b77f91078a930ec55b9cf181d999 Mon Sep 17 00:00:00 2001 -From: Willem Toorop -Date: Sun, 13 May 2018 11:59:14 +0200 -Subject: [PATCH] Bugfix #399: Reinclude in getentropy_linux.c - ---- - src/compat/getentropy_linux.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/compat/getentropy_linux.c b/src/compat/getentropy_linux.c -index 744783c..abb28f4 100644 ---- a/src/compat/getentropy_linux.c -+++ b/src/compat/getentropy_linux.c -@@ -62,6 +62,7 @@ - - #include - #include -+#include - #ifdef HAVE_GETAUXVAL - #include - #endif --- -2.14.1 - - From a3a73ef7bc88be7120c91acc1f9895958ecb5da5 Mon Sep 17 00:00:00 2001 From: Tony Ambardar Date: Tue, 7 Aug 2018 06:21:11 -0700 Subject: [PATCH 03/16] stubby: add missing dependency on ca-certificates Signed-off-by: Tony Ambardar --- net/stubby/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/stubby/Makefile b/net/stubby/Makefile index 3cc8dae6e..3f3df9c12 100644 --- a/net/stubby/Makefile +++ b/net/stubby/Makefile @@ -42,7 +42,7 @@ define Package/stubby SUBMENU:=IP Addresses and Names TITLE+= - (daemon that uses getdns) USERID:=stubby=410:stubby=410 - DEPENDS:= +libyaml +getdns + DEPENDS:= +libyaml +getdns +ca-certificates endef define Package/stubby/install From d3b090a311370bf522574fefead67346e99cf212 Mon Sep 17 00:00:00 2001 From: Tony Ambardar Date: Tue, 7 Aug 2018 02:03:08 -0700 Subject: [PATCH 04/16] stubby: rearrange Makefile for clarity Signed-off-by: Tony Ambardar --- net/stubby/Makefile | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/net/stubby/Makefile b/net/stubby/Makefile index 3f3df9c12..6ff93162d 100644 --- a/net/stubby/Makefile +++ b/net/stubby/Makefile 
@@ -29,12 +29,6 @@ define Package/stubby/Default URL:=https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby endef -define Package/stubby/description - This package contains the Stubby daemon (which utilizes the getdns library). - - See https://github.com/openwrt/packages/blob/master/net/stubby/files/README.md for more details. -endef - define Package/stubby $(call Package/stubby/Default) SECTION:=net @@ -45,6 +39,16 @@ define Package/stubby DEPENDS:= +libyaml +getdns +ca-certificates endef +define Package/stubby/description + This package contains the Stubby daemon (which utilizes the getdns library). + + See https://github.com/openwrt/packages/blob/master/net/stubby/files/README.md for more details. +endef + +define Package/stubby/conffiles + /etc/stubby/stubby.yml +endef + define Package/stubby/install $(INSTALL_DIR) $(1)/usr/sbin $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/stubby $(1)/usr/sbin/stubby @@ -55,9 +59,4 @@ define Package/stubby/install $(INSTALL_DATA) ./files/stubby.yml $(1)/etc/stubby/stubby.yml endef - -define Package/stubby/conffiles - /etc/stubby/stubby.yml -endef - $(eval $(call BuildPackage,stubby)) From 93512663281bc63fc369b3278e16a3af331666b4 Mon Sep 17 00:00:00 2001 From: Tony Ambardar Date: Tue, 7 Aug 2018 02:04:42 -0700 Subject: [PATCH 05/16] stubby: fix config file definition The config file /etc/stubby/stubby.yml is not registered properly and any local changes are being overwritten on upgrade or reinstall. Signed-off-by: Tony Ambardar --- net/stubby/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/stubby/Makefile b/net/stubby/Makefile index 6ff93162d..f855a1e37 100644 --- a/net/stubby/Makefile +++ b/net/stubby/Makefile @@ -46,7 +46,7 @@ define Package/stubby/description endef define Package/stubby/conffiles - /etc/stubby/stubby.yml +/etc/stubby/stubby.yml endef define Package/stubby/install From 3f17c54f2654d05dac33ffaf4b8e2ba0fc434ab3 Mon Sep 17 00:00:00 2001 
From: Tony Ambardar Date: Tue, 7 Aug 2018 02:23:34 -0700 Subject: [PATCH 06/16] stubby: use EDNS client-subnet privacy by default Retain the upstream value since privacy is usually the key user motivation for using DNS-over-TLS, and simply note that those encountering sub-optimal routing may consider disabling the setting. Signed-off-by: Tony Ambardar --- net/stubby/files/README.md | 6 +++--- net/stubby/files/stubby.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/net/stubby/files/README.md b/net/stubby/files/README.md index 14b7bbf92..38e05071f 100644 --- a/net/stubby/files/README.md +++ b/net/stubby/files/README.md @@ -20,10 +20,10 @@ This package has some modifications that makes it differ from the default upstre ### General Cleanup Comments are removed, etc. -### EDNS Client-Subnet Option Changed to 0 +### EDNS Client-Subnet Option The value of "edns_client_subnet_private" is '1' in the upstream default config. This informs the upstream resolver to NOT forward your connection's IP to any other upstream servers. This is good for privacy, but could result in sub-optimal routing to CDNs, etc. -To give a more "comparable" DNS experience similar to google/opendns, this package disables this option. +We retain the upstream value since privacy is a key user motivation for using DNS-over-TLS, but note users encountering poor routing may consider changing it. ### Default Listening Ports Changed The value of "listen_addresses" in the default config does not list port numbers, which will cause stubby to default to port 53. However, Openwrt defaults to dnsmasq as the main name server daemon, which runs on port 53. By setting the listening ports to non-standard values, this allows users to keep the main name server daemon in place (dnsmasq/unbound/etc.) and have that name server forward to stubby. 
@@ -43,4 +43,4 @@ Cloudflare is an Anycast DNS service. This should take care of any needed "failo Most of the default resolvers for stubby are in Europe. To provide a better experience for a larger number of users, this package defaults to using Cloudflare's DNS service. Cloudflare's DNS service has been ranked number one in speed against many other top resolvers. https://developers.Cloudflare.com/1.1.1.1/commitment-to-privacy/ -https://www.dnsperf.com/dns-resolver/1-1-1-1 \ No newline at end of file +https://www.dnsperf.com/dns-resolver/1-1-1-1 diff --git a/net/stubby/files/stubby.yml b/net/stubby/files/stubby.yml index 278fa2ee3..7db041966 100644 --- a/net/stubby/files/stubby.yml +++ b/net/stubby/files/stubby.yml @@ -9,7 +9,7 @@ tls_authentication: GETDNS_AUTHENTICATION_REQUIRED tls_query_padding_blocksize: 128 -edns_client_subnet_private : 0 +edns_client_subnet_private : 1 round_robin_upstreams: 0 From b77053d35083daeb95ba7a6ddef4994958366302 Mon Sep 17 00:00:00 2001 From: Tony Ambardar Date: Tue, 7 Aug 2018 02:35:31 -0700 Subject: [PATCH 07/16] stubby: add Cloudflare 1.0.0.1 and ::1001 servers Signed-off-by: Tony Ambardar --- net/stubby/files/stubby.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/stubby/files/stubby.yml b/net/stubby/files/stubby.yml index 7db041966..71af185b2 100644 --- a/net/stubby/files/stubby.yml +++ b/net/stubby/files/stubby.yml @@ -24,6 +24,8 @@ upstream_recursive_servers: # # Cloudflare IPv6 - address_data: 2606:4700:4700::1111 tls_auth_name: "cloudflare-dns.com" + - address_data: 2606:4700:4700::1001 + tls_auth_name: "cloudflare-dns.com" # # Quad 9 IPv6 # - address_data: 2620:fe::10 @@ -33,6 +35,8 @@ upstream_recursive_servers: # # Cloudflare servers - address_data: 1.1.1.1 tls_auth_name: "cloudflare-dns.com" + - address_data: 1.0.0.1 + tls_auth_name: "cloudflare-dns.com" # Quad 9 service # - address_data: 9.9.9.10 From fd8505f76021a21b3ab619019622d4d50dbddeb2 Mon Sep 17 00:00:00 2001 
From: Tony Ambardar Date: Tue, 7 Aug 2018 03:11:19 -0700 Subject: [PATCH 08/16] stubby: add SPKI pin set for Cloudflare cert Add an SPKI pin for Cloudflare to help prevent MITM and downgrade attacks, as described in RFC7858 (DNS over TLS). The setup of SPKI and the specific SHA256 certificate hash are taken from Cloudflare's DoT configuration guide published at https://developers.cloudflare.com/1.1.1.1/dns-over-tls/. Note that the certificate is valid to March 25th 2020, 13:00 CET, which provides ample time for issuance of a backup pin to support future key rollover. Signed-off-by: Tony Ambardar --- net/stubby/files/stubby.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/net/stubby/files/stubby.yml b/net/stubby/files/stubby.yml index 71af185b2..012b1d6fb 100644 --- a/net/stubby/files/stubby.yml +++ b/net/stubby/files/stubby.yml @@ -24,8 +24,14 @@ upstream_recursive_servers: # # Cloudflare IPv6 - address_data: 2606:4700:4700::1111 tls_auth_name: "cloudflare-dns.com" + tls_pubkey_pinset: + - digest: "sha256" + value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc= - address_data: 2606:4700:4700::1001 tls_auth_name: "cloudflare-dns.com" + tls_pubkey_pinset: + - digest: "sha256" + value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc= # # Quad 9 IPv6 # - address_data: 2620:fe::10 @@ -35,8 +41,14 @@ upstream_recursive_servers: # # Cloudflare servers - address_data: 1.1.1.1 tls_auth_name: "cloudflare-dns.com" + tls_pubkey_pinset: + - digest: "sha256" + value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc= - address_data: 1.0.0.1 tls_auth_name: "cloudflare-dns.com" + tls_pubkey_pinset: + - digest: "sha256" + value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc= # Quad 9 service # - address_data: 9.9.9.10 From 304596d21c0652fd717f6acf94744f15a3e12cc7 Mon Sep 17 00:00:00 2001 
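Review bot: Every Cloudflare entry in both hunks of this patch carries the same single pin, and with `tls_authentication: GETDNS_AUTHENTICATION_REQUIRED` (visible as hunk context in the earlier stubby.yml change of this series) a key rotation on the operator's side makes all four upstreams fail authentication at once, so the default configuration loses DNS entirely rather than degrading to an unpinned upstream. RFC 7858 pinning assumes a backup pin for the successor key; the commit message records the certificate expiry but the file itself does not, so the next maintainer has nothing in-tree to act on. A comment above each `tls_pubkey_pinset:` such as `# Single pin, no backup pin; cert valid to 2020-03-25 - add the successor pin or remove the pinset before then` would carry that. Pinning only one of the four entries is a possible middle ground, since the unpinned addresses would stay usable if the pin goes stale.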
From: Tony Ambardar Date: Tue, 7 Aug 2018 04:08:29 -0700 Subject: [PATCH 09/16] stubby: remove unnecessary core limit Remove the limit setting core="unlimited", since this shouldn't be needed in production use (i.e. non-debug) and on an embedded platform, which is why it's rarely used by any existing packages. Signed-off-by: Tony Ambardar --- net/stubby/files/stubby.init | 2 -- 1 file changed, 2 deletions(-) diff --git a/net/stubby/files/stubby.init b/net/stubby/files/stubby.init index 1f2ce16e2..19743f15d 100644 --- a/net/stubby/files/stubby.init +++ b/net/stubby/files/stubby.init @@ -13,8 +13,6 @@ start_service() { procd_set_param respawn ${respawn_threshold:-3600} ${respawn_timeout:-5} ${respawn_retry:-5} - procd_set_param limits core="unlimited" - procd_set_param file /etc/stubby/stubby.yml procd_set_param stdout 1 From 7a2b9df89b5fb8c72da60e6fe2f49e0bf07c2a35 Mon Sep 17 00:00:00 2001 From: Tony Ambardar Date: Tue, 18 Sep 2018 01:06:32 -0700 Subject: [PATCH 10/16] stubby: bump PKG_RELEASE Signed-off-by: Tony Ambardar --- net/stubby/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/stubby/Makefile b/net/stubby/Makefile index f855a1e37..f3b33e0e7 100644 --- a/net/stubby/Makefile +++ b/net/stubby/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=stubby PKG_VERSION:=0.2.3 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=COPYING From 6e2451dd00598480e8d6f95d1a27f7f6b85d03dc Mon Sep 17 00:00:00 2001 
From: "Jonathan G. Underwood" Date: Sun, 30 Sep 2018 14:59:57 +0100 Subject: [PATCH 11/16] stubby: add uci support to init file This commit brings UCI support to the stubby package. o All options are documented in the README.md file. o The README.md file has been re-written to include a short usage manual. o The default configuration now includes more Cloudflare addresses. o The stubby service is (re)started using procd triggers from a specified interface with a configurable time delay. o Round robin use of upstream resolvers is now activated by default. o Client privacy is now activated by default. o Options are added for specifying the log level of the daemon and command line options passed to the stubby command. Signed-off-by: Jonathan G. Underwood --- net/stubby/Makefile | 10 +- net/stubby/files/README.md | 392 ++++++++++++++++++++++++++++++++--- net/stubby/files/stubby.conf | 41 ++++ net/stubby/files/stubby.init | 217 +++++++++++++++++-- net/stubby/files/stubby.yml | 52 +---- 5 files changed, 634 insertions(+), 78 deletions(-) create mode 100644 net/stubby/files/stubby.conf mode change 100644 => 100755 net/stubby/files/stubby.init diff --git a/net/stubby/Makefile b/net/stubby/Makefile index f3b33e0e7..cc21d48d1 100644 --- a/net/stubby/Makefile +++ b/net/stubby/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=stubby PKG_VERSION:=0.2.3 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=COPYING @@ -57,6 +57,14 @@ define Package/stubby/install $(INSTALL_DIR) $(1)/etc/stubby $(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/stubby/stubby.yml $(1)/etc/stubby/stubby.yml.default $(INSTALL_DATA) ./files/stubby.yml $(1)/etc/stubby/stubby.yml + $(INSTALL_DIR) $(1)/etc/config + $(INSTALL_DATA) ./files/stubby.conf $(1)/etc/config/stubby +endef + + +define Package/stubby/conffiles + /etc/stubby/stubby.yml + /etc/config/stubby endef $(eval $(call BuildPackage,stubby)) 
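Review bot: The new `Package/stubby/conffiles` block in the second Makefile hunk appears to list `/etc/stubby/stubby.yml` and `/etc/config/stubby` with leading whitespace, which is the same defect PATCH 05 of this series removed (its message says the config file was not registered and local changes were overwritten on upgrade); the collapsed layout makes the whitespace hard to confirm, but the added lines read as ` /etc/...` where PATCH 05's fixed line reads `/etc/...`. If so, a user's edited `/etc/config/stubby` would be clobbered on reinstall, which defeats the purpose of the new UCI file. The two entries should be `/etc/stubby/stubby.yml` and `/etc/config/stubby` at column 0. The enclosing `Package/stubby/install` definition starts outside the hunk.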
diff --git a/net/stubby/files/README.md b/net/stubby/files/README.md index 38e05071f..cb40b5ea5 100644 --- a/net/stubby/files/README.md +++ b/net/stubby/files/README.md 
@@ -1,46 +1,390 @@ # Stubby for OpenWRT ## Stubby Description -[Stubby](https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby) is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver increasing end user privacy. + +[Stubby](https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby) is +an application that acts as a local DNS Privacy stub resolver (using +DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine to a DNS +Privacy resolver increasing end user privacy. + +Stubby is useful on an OpenWRT device, because it can sit between the usual DNS +resolver (dnsmasq by default) and the upstream DNS resolver and be used to +ensure that DNS traffic is encrypted between the OpenWRT device and the +resolver. Stubby is developed by the [getdns](http://getdnsapi.net/) project. -For more background and FAQ see our [About Stubby](https://dnsprivacy.org/wiki/display/DP/About+Stubby) page. Stubby is in the early stages of development but is suitable for technical/advanced users. A more generally user-friendly version is on the way! +For more background and FAQ see the [About +Stubby](https://dnsprivacy.org/wiki/display/DP/About+Stubby) page. -## Prerequisites -You must have a ca cert bundle installed on your device for stubby to make the TLS enabled connections. +## Installation -- You can install this by running the following: opkg install ca-certificates -- You can also install this through the LUCI web interface +Installation of this package can be achieved at the command line using `opkg +install stubby`, or via the LUCI Web Interface. Installing the stubby package +will also install the required dependency packages, including the +`ca-certificates` package. -## Package Overview -This package has some modifications that makes it differ from the default upstream configuration. They are outlined below. 
+## Configuration -### General Cleanup -Comments are removed, etc. +The default configuration of the package has been chosen to ensure that stubby +should work after installation. -### EDNS Client-Subnet Option -The value of "edns_client_subnet_private" is '1' in the upstream default config. This informs the upstream resolver to NOT forward your connection's IP to any other upstream servers. This is good for privacy, but could result in sub-optimal routing to CDNs, etc. +By default, configuration of stubby is integrated with the OpenWRT UCI system +using the file `/etc/config/stubby`. The configuration options available are +also documented in that file. If for some reason you wish to configure stubby +using the `/etc/stubby/stubby.yml` file, then you simply need to set `option +manual '1'` in `/etc/config/stubby` and all other settings in +`/etc/config/stubby` will be ignored. -We retain the upstream value since privacy is a key user motivation for using DNS-over-TLS, but note users encountering poor routing may consider changing it. +### Stubby port and addresses -### Default Listening Ports Changed -The value of "listen_addresses" in the default config does not list port numbers, which will cause stubby to default to port 53. However, Openwrt defaults to dnsmasq as the main name server daemon, which runs on port 53. By setting the listening ports to non-standard values, this allows users to keep the main name server daemon in place (dnsmasq/unbound/etc.) and have that name server forward to stubby. +The default configuration ensures that stubby listens on port 5453 on the +loopback interfaces for IPv4 and IPv6. As such, by default, stubby will respond +only to lookups from the OpenWRT device itself. -Additionally, due to the slight overhead involved with DNS-over-TLS, it is recommended to have a caching name server on the network. 
+By setting the listening ports to non-standard values, this allows users to keep +the main name server daemon in place (dnsmasq/unbound/etc.) and have that name +server forward to stubby. -### Round Robin Upstream Setting Changed +### Upstream resolvers -The default stubby config list multiple upstream resolvers, and because of this, it makes sense to "load balance" between them. However, in this package's default stubby config, the only upstream service listed is Cloudflare. One entry is for ipv6 and one for ipv4. +The default package configuration uses the CloudFlare resolvers, configured for +both IPv4 and IPv6. -By setting the "round_robin_upstreams" value to 0, we are simply forcing stubby to try and use ipv6 connectivity to Cloudflare first, and if not available, simply use the ipv4 service. +CloudFlare have not published SPKI pinsets, and even though they are available, +they have made no commitment to maintaining them. Using the currently known SPKI +pinsets for CloudFlare brings the risk that in the future they may be changed by +CloudFlare, and DNS would stop working. The default configuration has those SPKI +entries commented out for this reason. -Cloudflare is an Anycast DNS service. This should take care of any needed "failover" in the event that one of Cloudflare's nodes goes down. +[CloudFlare's privacy +statement](https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/) +details how they treat data from DNS requests. -### Upstream Resolvers Changed +More resolvers are available in the [upstream stubby example +configuration](https://github.com/getdnsapi/stubby/blob/develop/stubby.yml.example) +and the [DNS Privacy +list](https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers). -Most of the default resolvers for stubby are in Europe. To provide a better experience for a larger number of users, this package defaults to using Cloudflare's DNS service. 
Cloudflare's DNS service has been ranked number one in speed against many other top resolvers. +## Integration of stubby with dnsmasq -https://developers.Cloudflare.com/1.1.1.1/commitment-to-privacy/ -https://www.dnsperf.com/dns-resolver/1-1-1-1 +The recommended way to use stubby on an OpenWRT device is to integrate it with a +caching resolver. The default caching resolver in OpenWRT is dnsmasq. + +### Set dnsmasq to send DNS requests to stubby + +Since dnsmasq responds to LAN DNS requests on port 53 of the OpenWRT device by +default, all that is required is to have dnsmasq forward those requests to +stubby which is listening on port 5453 of the OpenWRT device. To achieve this, +we need to set the `server` option in the dnsmasq configuration in the +`/etc/config/dhcp` file to `'127.0.0.1#5453'`. We also need to tell dnsmasq not +to use resolvers found in `/etc/resolv.conf` by setting the dnsmasq option +`noresolv` to `1` in the same file. This can be achieved by editing the +`/etc/config/dhcp` file directly or executing the following commands at the +command line: + + uci add_list dhcp.@dnsmasq[-1].server='127.0.0.1#5453' + uci dhcp.@dnsmasq[-1].noresolv=1 + uci commit + +The same outcome can be achieved in the LUCI web interface as follows: + +1. Select the Network->DHCP and DNS menu entry. +2. In the "General Settings" tab, enter the address `127.0.0.1#5453` as the only + entry in the "DNS Forwardings" dialogue. +3. In the "Resolv and Host files" tab tick the "Ignore resolve file" checkbox. + +### Disable sending DNS requests to ISP provided DNS servers + +The configuration changes in the previous section ensure that DNS queries are +sent over TLS encrypted connections *once dnsmasq and stubby are started*. When +the OpenWRT device is first brought up, there is a possibility that DNS queries +can go to ISP provided DNS servers ahead of dnsmasq and stubby being active. 
In +order to mitigate this leakage, it's necessary to ensure that upstream resolvers +aren't available, and the only DNS resolver used by the system is +dnsmasq+stubby. + +This requires setting the option `peerdns` to `0` and the option `dns` to the +loopback address for both the `wan` and `wan6` interfaces in the +`/etc/config/network` file. This can be achieved by editing the +`/etc/config/network` file directly, or by executing the following commands: + + uci set network.wan.peerdns='0' + uci set network.wan.dns='127.0.0.1' + uci set network.wan6.peerdns='0' + uci set network.wan6.dns='0::1' + uci commit + +The same outcome can also be achieved using the LUCI web interface as follows: + +1. Select the Network->Interfaces menu entry. +2. Click on Edit for the WAN interfaces. +3. Choose the Advanced Settings tab. +4. Unselect the "Use DNS servers advertised by peer" checkbox +5. Enter `127.0.0.1` in the "Use custom DNS servers" dialogue box. +6. Repeat the above steps for the WAN6 interface, but use the address `0::1` + instead of `127.0.0.1`. + +### Enabling DNSSEC + +The configuration described above ensures that DNS queries are executed over TLS +encrypted links. However, the responses themselves are not validated; DNSSEC +provides the ability to validate returned DNS responses, and mitigate against +DNS poisoning risks. + +With the combination of stubby+dnsmasq there are two possible ways to enable +DNSSEC: + +1. Configure stubby to perform DNSSEC validation, and configure dnsmasq to proxy + the DNSSEC data to clients. +2. Configure stubby not to perform DNSSEC validation and configure dnsmasq to + require DNSSEC validation. + +Either option achieves the same outcome, and there appears to be little reason +for choosing one over the other other than that the second option is easier to +configure in the LUCI web interface. 
Both options are detailed below, and both +require that the `dnsmasq` package on the OpenWRT device is replaced with the +`dnsmasq-full` package. That can be achieved by running the following command: + + opkg install dnsmasq-full --download-only && opkg remove dnsmasq && opkg install dnsmasq-full --cache . && rm *.ipk + +#### DNSSEC by stubby + +Configuring stubby to perform DNSSEC validation requires setting the stubby +configuration option `dnssec_return_status` to `'1'` in `/etc/config/stubby`, +which can be done by editing the file directly or by executing the commands: + + uci set stubby.global.dnssec_return_status=1 + uci commit + +With stubby performing DNSSEC validation, dnsmasq needs to be configured to +proxy the DNSSEC data to clients. This requires setting the option `proxydnssec` +to 1 in the dnsmasq configuration in `/etc/config/dhcp`. That can be achieved by +the following commands: + + uci set dhcp.@dnsmasq[-1].proxydnssec=1 + uci commit + +#### DNSSEC by dnsmasq + +Configuring dnsmasq to perform DNSSEC validation requires setting the dnsmasq +option `dnssec` to `1` in the `/etc/config/dhcp` file. In addition, it is +advisable to also set the dnsmasq option `dnsseccheckunsigned` to `1`. this can +be achieved by editing the file `/etc/config/dhcp` or by executing the following +commands: + + uci set dhcp.@dnsmasq[-1].dnssec=1 + uci set dhcp.@dnsmasq[-1].dnsseccheckunsigned=1 + uci commit + +The same options can be set in the LUCI web interface as follows: + +1. Select the "Network->DHCP and DNS" menu entry. +2. Select the "Advanced Settings" tab. +3. Ensure both the "DNSSEC" and "DNSSEC check unsigned" check boxes are ticked. + +#### Validating DNSSEC operation + +Having configured DNSSEC validation using one of the two approaches above, it's +important to check it's actually working. 
The following command can be used: + + dig dnssectest.sidn.nl +dnssec +multi @192.168.1.1 + +This command should return output like the following: + + ; <<>> DiG 9.11.4-P1-RedHat-9.11.4-5.P1.fc28 <<>> dnssectest.sidn.nl +dnssec +multi @192.168.1.1 + ;; global options: +cmd + ;; Got answer: + ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26579 + ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 + + ;; OPT PSEUDOSECTION: + ; EDNS: version: 0, flags: do; udp: 512 + ;; QUESTION SECTION: + ;dnssectest.sidn.nl. IN A + + ;; ANSWER SECTION: + dnssectest.sidn.nl. 14399 IN A 213.136.9.12 + dnssectest.sidn.nl. 14399 IN RRSIG A 8 3 14400 ( + 20181104071058 20181005071058 42033 sidn.nl. + YAQl3tef36M9EQUOmCneHKCCkxox3csLpfUOql5i/6ND + zPrQFsNr3g32HPoxOsi+hD2BE5+bEsnARayDSVLyx0qU + 6Hpi2rzQ0zGNZZkCJhCsdp3wnM1BWlMgPrCD0iIsJDok + +DH5zu+yYufVUdSLQrMqA3MZDFUIqDUqSZuYDF4= ) + + ;; Query time: 77 msec + ;; SERVER: 192.168.1.1#53(192.168.1.1) + ;; WHEN: Sat Oct 06 20:36:25 BST 2018 + ;; MSG SIZE rcvd: 230 + +The key thing to note is the `flags: qr rd ra ad` part - the `ad` flag signifies +that DNSSEC validation is working. If that flag is absent DNSSEC validation is +not working. + +## Appendix: stubby configuration options + +This section details the options available for use in the `/etc/config/stubby` +file. The `global` configuration section specifies the configuration parameters +for the stubby daemon. One or more `resolver` sections are used to configure +upstream resolvers for the stubby daemon to use. + +### `global` section options + +#### `option manual` + +Specify whether to use this file to configure the stubby service. If this is set +to `'1'` stubby will be configured using the file `/etc/stubby/stubby.yml`. If this +is set to `'0'`, configuration options will be taken from this file, and the service +will be managed through UCI. 
+ +#### `option trigger` + +This specifies an interface to trigger stubby start up on; stubby startup will +be triggered by a procd signal associated with this interface being ready. If +this interface is restarted, stubby will also be restarted. + +This option can also be set to `'timed'`, in which case a time, specified by the +option `triggerdelay`, will be waited before starting stubby. + + +#### `option triggerdelay` + +If the `trigger` option specifies an interface, this option sets the time that +is waited after the procd signal is received before starting stubby. + +If `trigger` is set to `'timed'` then this is the delay before starting stubby. +This option is specified in seconds and defaults to the value `'2'`. + +#### `list dns_transport` + +The `dns_transport` list specifies the allowed transports. Allowed values are: +`GETDNS_TRANSPORT_UDP`, `GETDNS_TRANSPORT_TCP` and `GETDNS_TRANSPORT_TLS`. The +transports are tried in the order listed. + +#### `option tls_authentication` + +This option specifies whether TLS authentication is mandatory. A value of `'1'` +mandates TLS authentication, and is the default. + +If this is set to `'0'`, and `GETDNS_TRANSPORT_TCP` or `GETDNS_TRANSPORT_UDP` +appears in the `dns_transport` list, stubby is allowed to fall back to non-TLS +authenticated lookups. You probably don't want this though. + +#### `option tls_query_padding_blocksize` + +This option specifies the block size to pad DNS queries to. You shouldn't need +to set this to anything but `'128'` (the default), as recommended by +https://tools.ietf.org/html/draft-ietf-dprive-padding-policy-03 + +#### `option tls_connection_retries` + +This option specifies the number of connection failures stubby permits before +Stubby backs-off from using an individual upstream resolver. You shouldn't need +to change this from the default value of `'2'`. 
+ +#### `option tls_backoff_time` + +This option specifies the maximum time in seconds Stubby will back-off from +using an individual upstream after failures. You shouldn't need to change this +from the default value of `'3600'`. + +#### `option timeout` + +This option specifies the timeout on getting a response to an individual +request. This is specified in milliseconds. You shouldn't need to change this +from the default value of ` '5000'`. + +#### `option dnssec_return_status` + +This option specifies whether stubby should require DNSSEC validation. Specify +to `'1'` to turn on validation, and `'0'` to turn it off. By default it is off. + +#### `option appdata_dir` + +This option specifies the location for storing stubby runtime data. In +particular, if DNSSEC is turned on, stubby will store its automatically +retrieved trust anchor data here. The default value is `'/var/lib/stubby'`. + +#### `option dnssec_trust_anchors` + +This option sets the location of the file containing the trust anchor data used +for DNSSEC validation. If this is not specified, stubby will automatically +retrieve a trust anchor at startup. It's unlikely you'll want to manage the +trust anchor data manually, so in most cases this is not needed. By default, +this is unset. + +#### `option edns_client_subnet_private` + +This option specifies whether to enforce ECS client privacy. The default is +`'1'`. Set to `'0'` to disable client privacy. + +For more details see Section 7.1.2 [here](https://tools.ietf.org/html/rfc7871). + +#### `option idle_timeout` + +This option specifies the time (in milliseconds) to hold TLS connections open to +avoid the overhead of opening a new connection for every query. You should not +normally need to change this from the default value (currently `'10000'`). + +See [here](https://tools.ietf.org/html/rfc7828) for more details. + +#### `option round_robin_upstreams` + +This option specifies how stubby will use the upstream DNS resolvers. 
Set to +`'1'` (the default) to instruct stubby to distribute queries across all +available name servers - this will use multiple simultaneous connections which +can give better performance in most (but not all) cases. Set to `'0'` to treat +the upstream resolvers as an ordered list and use a single upstream resolver +until it becomes unavailable, then use the next one. + +#### `list listen_address` + +This list sets the addresses and ports for the stubby daemon to listen for +requests on. the default configuration configures stubby to listen on port 5453 +on the loopback interface for both IPv4 and IPv6. + +#### `option log_level` + +If set, this option specifies the level of logging from the stubby +daemon. By default, this option is not set. + +The possible levels are: + + '0': EMERG - System is unusable + '1': ALERT - Action must be taken immediately + '2': CRIT - Critical conditions + '3': ERROR - Error conditions + '4': WARN - Warning conditions + '5': NOTICE - Normal, but significant, condition + '6': INFO - Informational message + '7': DEBUG - Debug-level message + +#### `option command_line_arguments` + +This option specifies additional command line arguments for +stubby daemon. By default, this is an empty string. + +### `resolver` section options + +#### `option address` + +This option specifies the resolver IP address, and can either be an IPv4 or an +IPv6 address. + +#### `option tls_auth_name` + +This option specifies the upstream domain name used for TLS authentication with +the supplied server certificate + +#### `list spki` + +This list specifies the SPKI pinset which is verified against the keys in the +server cerrtificate. The values takes the form `'/value>'`, where +the `digest type` is the hashing algorithm used, and the value is the Base64 +encoded hash of the public key. At present, only `sha256` is +supported for the digest type. + +This should ONLY be used if the upstream resolver has committed to maintaining +the pinset. 
CloudFlare have made no such commitment, and so we do not specify +the SPKI values in the default configuration, even though they are available. diff --git a/net/stubby/files/stubby.conf b/net/stubby/files/stubby.conf new file mode 100644 index 000000000..a4eed1509 --- /dev/null +++ b/net/stubby/files/stubby.conf @@ -0,0 +1,41 @@ +config stubby 'global' + option manual '0' + option trigger 'wan' + # option triggerdelay '2' + list dns_transport 'GETDNS_TRANSPORT_TLS' + option tls_authentication '1' + option tls_query_padding_blocksize '128' + # option tls_connection_retries '2' + # option tls_backoff_time '3600' + # option timeout '5000' + # option dnssec_return_status '0' + option appdata_dir '/var/lib/stubby' + # option dnssec_trust_anchors '/var/lib/stubby/getdns-root.key' + option edns_client_subnet_private '1' + option idle_timeout '10000' + option round_robin_upstreams '1' + list listen_address '127.0.0.1@5453' + list listen_address '0::1@5453' + # option log_level '7' + # option command_line_arguments '' + +# Upstream resolvers are specified using 'resolver' sections. +config resolver + option address '2606:4700:4700::1111' + option tls_auth_name 'cloudflare-dns.com' + # list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=' + +config resolver + option address '2606:4700:4700::1001' + option tls_auth_name 'cloudflare-dns.com' + # list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=' + +config resolver + option address '1.1.1.1' + option tls_auth_name 'cloudflare-dns.com' + # list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=' + +config resolver + option address '1.0.0.1' + option tls_auth_name 'cloudflare-dns.com' + # list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=' diff --git a/net/stubby/files/stubby.init b/net/stubby/files/stubby.init old mode 100644 new mode 100755 index 19743f15d..af75770a7 --- a/net/stubby/files/stubby.init +++ b/net/stubby/files/stubby.init 
@@ -5,19 +5,212 @@ USE_PROCD=1 START=50 STOP=51 -PROG=/usr/sbin/stubby +PROG="/usr/sbin/stubby" -start_service() { - procd_open_instance stubby - procd_set_param command /usr/sbin/stubby +stubby="/usr/sbin/stubby" +stubby_init="/etc/init.d/stubby" +stubby_config_dir="/var/etc/stubby" +stubby_config="$stubby_config_dir/stubby.yml" +stubby_pid_file="/var/run/stubby.pid" +stubby_manual_config="/etc/stubby/stubby.yml" - procd_set_param respawn ${respawn_threshold:-3600} ${respawn_timeout:-5} ${respawn_retry:-5} - - procd_set_param file /etc/stubby/stubby.yml - - procd_set_param stdout 1 - procd_set_param stderr 1 - procd_set_param user stubby - procd_close_instance +boot() +{ + stubby_boot=1 + rc_procd start_service } +generate_config() +{ + local config_file="$1" + local round_robin + local tls_authentication + local tls_query_padding_blocksize + local edns_client_subnet_private + local idle_timeout + local appdata_dir + local tls_connection_retries + local tls_backoff_time + local timeout + local dnssec_return_status + local dnssec_trust_anchors + local listen_addresses_section=0 + local dns_transport_list_section=0 + local upstream_recursive_servers_section=0 + local stubby_args + local command_line_arguments + local log_level + + # Generate configuration. 
See: https://github.com/getdnsapi/stubby/blob/develop/stubby.yml.example + echo "# Autogenerated configuration from uci data" > "$config_file" + echo "resolution_type: GETDNS_RESOLUTION_STUB" >> "$config_file" + + config_get round_robin "global" round_robin_upstreams "1" + echo "round_robin_upstreams: $round_robin" >> "$config_file" + + config_get appdata_dir "global" appdata_dir "/var/lib/stubby" + echo "appdata_dir: \"$appdata_dir\"" >> "$config_file" + + config_get tls_connection_retries "global" tls_connection_retries "" + if [ -n "$tls_connection_retries" ]; then + echo "tls_connection_retries: $tls_connection_retries" >> "$config_file" + fi + + config_get tls_backoff_time "global" tls_backoff_time "" + if [ -n "$tls_backoff_time" ]; then + echo "tls_backoff_time: $tls_backoff_time" >> "$config_file" + fi + + config_get timeout "global" timeout "" + if [ -n "$timeout" ]; then + echo "timeout: $timeout" >> "$config_file" + fi + + config_get_bool tls_authentication "global" tls_authentication "1" + if [ "$tls_authentication" = "1" ]; then + echo "tls_authentication: GETDNS_AUTHENTICATION_REQUIRED" >> "$config_file" + else + echo "tls_authentication: GETDNS_AUTHENTICATION_NONE" >> "$config_file" + fi + + config_get_bool dnssec_return_status "global" dnssec_return_status "0" + if [ "$dnssec_return_status" = "1" ]; then + echo "dnssec_return_status: GETDNS_EXTENSION_TRUE" >> "$config_file" + fi + + config_get dnssec_trust_anchors "global" dnssec_trust_anchors "" + if [ -n "$dnssec_trust_anchors" ]; then + echo "dnssec_trust_anchors: \"$dnssec_trust_anchors\"" >> "$config_file" + fi + + config_get tls_query_padding_blocksize "global" tls_query_padding_blocksize "128" + echo "tls_query_padding_blocksize: $tls_query_padding_blocksize" >> "$config_file" + + config_get_bool edns_client_subnet_private "global" edns_client_subnet_private "1" + echo "edns_client_subnet_private: $edns_client_subnet_private" >> "$config_file" + + config_get idle_timeout "global" idle_timeout 
"10000" + echo "idle_timeout: $idle_timeout" >> "$config_file" + + handle_listen_address_value() + { + local value="$1" + + if [ "$listen_addresses_section" = 0 ]; then + echo "listen_addresses:" >> "$config_file" + listen_addresses_section=1 + fi + echo " - $value" >> "$config_file" + } + config_list_foreach "global" listen_address handle_listen_address_value + + handle_dns_transport_list_value() + { + local value="$1" + + if [ "$dns_transport_list_section" = 0 ]; then + echo "dns_transport_list:" >> "$config_file" + dns_transport_list_section=1 + fi + echo " - $value" >> "$config_file" + } + config_list_foreach "global" dns_transport handle_dns_transport_list_value + + handle_resolver() + { + local config=$1 + local address + local tls_auth_name + local spki + local tls_pubkey_pinset_section=0 + + if [ "$upstream_recursive_servers_section" = 0 ]; then + echo "upstream_recursive_servers:" >> "$config_file" + upstream_recursive_servers_section=1 + fi + config_get address "$config" address + config_get tls_auth_name "$config" tls_auth_name + echo " - address_data: $address" >> "$config_file" + echo " tls_auth_name: \"$tls_auth_name\"" >> "$config_file" + + handle_resolver_spki() + { + local val="$1" + local digest="${val%/*}" + local value="${val#*/}" + + if [ "$tls_pubkey_pinset_section" = 0 ]; then + echo " tls_pubkey_pinset:" >> "$config_file" + tls_pubkey_pinset_section=1 + fi + echo " - digest: \"$digest\"" >> "$config_file" + echo " value: $value" >> "$config_file" + } + config_list_foreach "$config" spki handle_resolver_spki + } + + config_foreach handle_resolver resolver +} + +start_service() { + local config_file_tmp + local manual + local log_level + local command_line_arguments + local stubby_args + + mkdir -p "$stubby_config_dir" + + config_load "stubby" + + config_get_bool manual "global" manual "0" + + if [ "$manual" = "1" ]; then + cp "$stubby_manual_config" "$stubby_config" + else + config_file_tmp="$stubby_config.$$" + generate_config 
"$config_file_tmp" + mv "$config_file_tmp" "$stubby_config" + fi + + stubby_args="" + config_get command_line_arguments "global" command_line_arguments "" + if [ -n "$command_line_arguments" ]; then + stubby_args="$command_line_arguments" + fi + + config_get log_level "global" log_level "" + if [ -n "$log_level" ]; then + stubby_args="$stubby_args -v$log_level" + fi + + if [ $("${stubby_init}" enabled; printf "%u" ${?}) -eq 0 ]; then + if [ -n "${stubby_boot}" ]; then + local trigger="$(uci_get stubby global trigger)" + if [ "${trigger}" != "timed" ]; then + return 0 + fi + fi + procd_open_instance "stubby" + procd_set_param command "$stubby" "$stubby_args" -C "$stubby_config" + procd_set_param respawn ${respawn_threshold:-3600} ${respawn_timeout:-5} ${respawn_retry:-5} + procd_set_param file "$stubby_config" + procd_set_param stdout 1 + procd_set_param stderr 1 + procd_set_param pidfile "$stubby_pid_file" + procd_set_param user stubby + procd_close_instance + fi +} + +service_triggers() +{ + local trigger="$(uci_get stubby global trigger)" + local delay="$(uci_get stubby global triggerdelay "2")" + + if [ "${trigger}" != "none" ] && [ "${trigger}" != "timed" ]; then + PROCD_RELOAD_DELAY=$((${delay:-2} * 1000)) + procd_add_interface_trigger "interface.*.up" "${trigger}" "${stubby_init}" start + fi + procd_add_reload_trigger "stubby" +} diff --git a/net/stubby/files/stubby.yml b/net/stubby/files/stubby.yml index 012b1d6fb..655352deb 100644 --- a/net/stubby/files/stubby.yml +++ b/net/stubby/files/stubby.yml 
@@ -1,55 +1,25 @@ -#NOTE: See '/etc/stubby/stubby.yml.default' for original config file and descriptions - +# Note: by default on OpenWRT stubby configuration is handled via +# the UCI system and the file /etc/config/stubby. If you want to +# use this file to configure stubby, then set "option manual '1'" +# in /etc/config/stubby. resolution_type: GETDNS_RESOLUTION_STUB - -dns_transport_list: - - GETDNS_TRANSPORT_TLS - +round_robin_upstreams: 1 +appdata_dir: "/var/lib/stubby" tls_authentication: GETDNS_AUTHENTICATION_REQUIRED - tls_query_padding_blocksize: 128 - -edns_client_subnet_private : 1 - -round_robin_upstreams: 0 - +edns_client_subnet_private: 1 idle_timeout: 10000 - listen_addresses: - 127.0.0.1@5453 - - 0::1@5453 - + - 0::1@5453 +dns_transport_list: + - GETDNS_TRANSPORT_TLS upstream_recursive_servers: -# IPv6 addresses -# # Cloudflare IPv6 - address_data: 2606:4700:4700::1111 tls_auth_name: "cloudflare-dns.com" - tls_pubkey_pinset: - - digest: "sha256" - value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc= - - address_data: 2606:4700:4700::1001 + - address_data: 2606:4700:4700::1111 tls_auth_name: "cloudflare-dns.com" - tls_pubkey_pinset: - - digest: "sha256" - value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc= - -# # Quad 9 IPv6 -# - address_data: 2620:fe::10 -# tls_auth_name: "dns.quad9.net" - -# IPv4 addresses -# # Cloudflare servers - address_data: 1.1.1.1 tls_auth_name: "cloudflare-dns.com" - tls_pubkey_pinset: - - digest: "sha256" - value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc= - address_data: 1.0.0.1 tls_auth_name: "cloudflare-dns.com" - tls_pubkey_pinset: - - digest: "sha256" - value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc= - -# Quad 9 service -# - address_data: 9.9.9.10 -# tls_auth_name: "dns.quad9.net" From aa8380721bff3bb8b28d72d60da57aaf97eed6b9 Mon Sep 17 00:00:00 2001 From: "Jonathan G. Underwood" Date: Sat, 27 Oct 2018 11:29:22 +0100 Subject: [PATCH 12/16] stubby: fix loading of config file 
Signed-off-by: Jonathan G. Underwood --- net/stubby/files/stubby.init | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/net/stubby/files/stubby.init b/net/stubby/files/stubby.init index af75770a7..104248acb 100755 --- a/net/stubby/files/stubby.init +++ b/net/stubby/files/stubby.init @@ -157,7 +157,6 @@ start_service() { local manual local log_level local command_line_arguments - local stubby_args mkdir -p "$stubby_config_dir" @@ -173,16 +172,9 @@ start_service() { mv "$config_file_tmp" "$stubby_config" fi - stubby_args="" config_get command_line_arguments "global" command_line_arguments "" - if [ -n "$command_line_arguments" ]; then - stubby_args="$command_line_arguments" - fi config_get log_level "global" log_level "" - if [ -n "$log_level" ]; then - stubby_args="$stubby_args -v$log_level" - fi if [ $("${stubby_init}" enabled; printf "%u" ${?}) -eq 0 ]; then if [ -n "${stubby_boot}" ]; then @@ -192,7 +184,13 @@ start_service() { fi fi procd_open_instance "stubby" - procd_set_param command "$stubby" "$stubby_args" -C "$stubby_config" + procd_set_param command "$stubby" -C "$stubby_config" + if [ -n "$log_level" ]; then + procd_append_param command -v "$log_level" + fi + if [ -n "$command_line_arguments" ]; then + procd_append_param command "$command_line_arguments" + fi procd_set_param respawn ${respawn_threshold:-3600} ${respawn_timeout:-5} ${respawn_retry:-5} procd_set_param file "$stubby_config" procd_set_param stdout 1 From 709a7360435bf96b35f32511b1f3f6a0e83587c6 Mon Sep 17 00:00:00 2001 From: "Jonathan G. Underwood" Date: Sat, 27 Oct 2018 18:28:29 +0100 Subject: [PATCH 13/16] stubby: add reload_config to documentation Signed-off-by: Jonathan G. Underwood --- net/stubby/files/README.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/net/stubby/files/README.md b/net/stubby/files/README.md index cb40b5ea5..771d2534c 100644 --- a/net/stubby/files/README.md +++ b/net/stubby/files/README.md 
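Review bot: `procd_append_param command "$command_line_arguments"` in the last hunk passes the whole UCI string as a single argv element, so a value holding more than one argument (the README documents the option as "additional command line arguments") reaches stubby as one unrecognised option rather than several. Assuming procd_append_param appends each of its arguments as a separate element, which the `-v "$log_level"` call on the line above relies on, the value needs deliberate word splitting: `# shellcheck disable=SC2086  # intentional word splitting of user-supplied arguments` followed by `procd_append_param command $command_line_arguments`. The shipped config leaves the option empty, so the existing `-n` guard keeps the common case unchanged. start_service begins outside this hunk.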
@@ -1,3 +1,4 @@ + # Stubby for OpenWRT ## Stubby Description @@ -86,7 +87,7 @@ command line: uci add_list dhcp.@dnsmasq[-1].server='127.0.0.1#5453' uci dhcp.@dnsmasq[-1].noresolv=1 - uci commit + uci commit && reload_config The same outcome can be achieved in the LUCI web interface as follows: @@ -114,7 +115,7 @@ loopback address for both the `wan` and `wan6` interfaces in the uci set network.wan.dns='127.0.0.1' uci set network.wan6.peerdns='0' uci set network.wan6.dns='0::1' - uci commit + uci commit && reload_config The same outcome can also be achieved using the LUCI web interface as follows: @@ -156,7 +157,7 @@ configuration option `dnssec_return_status` to `'1'` in `/etc/config/stubby`, which can be done by editing the file directly or by executing the commands: uci set stubby.global.dnssec_return_status=1 - uci commit + uci commit && reload_config With stubby performing DNSSEC validation, dnsmasq needs to be configured to proxy the DNSSEC data to clients. This requires setting the option `proxydnssec` @@ -164,7 +165,7 @@ to 1 in the dnsmasq configuration in `/etc/config/dhcp`. That can be achieved by the following commands: uci set dhcp.@dnsmasq[-1].proxydnssec=1 - uci commit + uci commit && reload_config #### DNSSEC by dnsmasq @@ -176,7 +177,7 @@ commands: uci set dhcp.@dnsmasq[-1].dnssec=1 uci set dhcp.@dnsmasq[-1].dnsseccheckunsigned=1 - uci commit + uci commit && reload_config The same options can be set in the LUCI web interface as follows: From 2cf2210d8386dfb095d259f3545e54ae3c34aac8 Mon Sep 17 00:00:00 2001 From: jonathanunderwood Date: Sun, 4 Nov 2018 10:49:52 +0000 Subject: [PATCH 14/16] stubby: add Jonathan Underwood as co-maintainer (#7307) Signed-off-by: Jonathan G. Underwood --- net/stubby/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/stubby/Makefile b/net/stubby/Makefile index cc21d48d1..4a005b8b4 100644 --- a/net/stubby/Makefile +++ b/net/stubby/Makefile 
@@ -10,7 +10,7 @@ PKG_RELEASE:=3 PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=COPYING -PKG_MAINTAINER:=David Mora +PKG_MAINTAINER:=David Mora , Jonathan Underwood PKG_SOURCE_PROTO:=git PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz From 41c4f82f8ddbac6c1c530a7e6cbea3fb9abe268d Mon Sep 17 00:00:00 2001 From: David Mora Date: Sun, 30 Dec 2018 09:50:36 -0500 Subject: [PATCH 15/16] stubby: Remove iamperson347 from maintainer I am no longer able to support maintaining the stubby daemon for openwrt. I suggest Jonathan Underwood as a replacement. --- net/stubby/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/stubby/Makefile b/net/stubby/Makefile index 4a005b8b4..f582587c4 100644 --- a/net/stubby/Makefile +++ b/net/stubby/Makefile @@ -10,7 +10,7 @@ PKG_RELEASE:=3 PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=COPYING -PKG_MAINTAINER:=David Mora , Jonathan Underwood +PKG_MAINTAINER:=Jonathan Underwood PKG_SOURCE_PROTO:=git PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz From 09b794eccc378850381bf5bdaea6b0bbab5a8575 Mon Sep 17 00:00:00 2001 From: "Jonathan G. Underwood" Date: Thu, 3 Jan 2019 15:10:47 +0000 Subject: [PATCH 16/16] stubby: update to version 0.2.4 This upstream release adds support for trust_anchors_backoff_time configuration parameter. UCI support has been added for this. This commit also includes a number of clean-ups: o change START=50 to START=30 in init file Starting earlier in the boot means less chance of missing interface trigger events. See: https://github.com/openwrt/packages/pull/4675 o remove unused variables from init file o separate local declarations and assignments in init file o add defensive quoting in init file o use default values for procd respawn in init file o make use of {} in variables consistent in init file o remove unused variable from init file 
Signed-off-by: Jonathan G. Underwood --- net/stubby/Makefile | 8 ++++---- net/stubby/files/README.md | 7 +++++++ net/stubby/files/stubby.conf | 1 + net/stubby/files/stubby.init | 32 ++++++++++++++++++-------------- 4 files changed, 30 insertions(+), 18 deletions(-) diff --git a/net/stubby/Makefile b/net/stubby/Makefile index f582587c4..afda53ed8 100644 --- a/net/stubby/Makefile +++ b/net/stubby/Makefile @@ -5,8 +5,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=stubby -PKG_VERSION:=0.2.3 -PKG_RELEASE:=3 +PKG_VERSION:=0.2.4 +PKG_RELEASE:=1 PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=COPYING @@ -15,8 +15,8 @@ PKG_MAINTAINER:=Jonathan Underwood PKG_SOURCE_PROTO:=git PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://github.com/getdnsapi/$(PKG_NAME) -PKG_SOURCE_VERSION:=8fb853ac8d6148fd9b53fdcbc107ecd375071ec5 -PKG_MIRROR_HASH:=db736f4a728970d2441009ac19716d6129700eab3f441a5db3a0c26d41bf162c +PKG_SOURCE_VERSION:=58200cadec6371f95e31a7f3735225c5a46ecf75 +PKG_MIRROR_HASH:=28c46f4464cb41cf59264d10da63dc25ece9a1d00b4dfb05a9276594658e5eb9 PKG_FIXUP:=autoreconf diff --git a/net/stubby/files/README.md b/net/stubby/files/README.md index 771d2534c..9703573ec 100644 --- a/net/stubby/files/README.md +++ b/net/stubby/files/README.md @@ -307,6 +307,13 @@ This option specifies the location for storing stubby runtime data. In particular, if DNSSEC is turned on, stubby will store its automatically retrieved trust anchor data here. The default value is `'/var/lib/stubby'`. +#### `option trust_anchors_backoff_time` + +When Zero configuration DNSSEC failed, because of network unavailability or +failure to write to the appdata directory, stubby will backoff trying to refetch +the DNSSEC trust-anchor for a specified amount of time expressed in milliseconds +(which defaults to two and a half seconds). + #### `option dnssec_trust_anchors` This option sets the location of the file containing the trust anchor data used 
diff --git a/net/stubby/files/stubby.conf b/net/stubby/files/stubby.conf index a4eed1509..a02936da1 100644 --- a/net/stubby/files/stubby.conf +++ b/net/stubby/files/stubby.conf @@ -10,6 +10,7 @@ config stubby 'global' # option timeout '5000' # option dnssec_return_status '0' option appdata_dir '/var/lib/stubby' + # option trust_anchors_backoff_time 2500 # option dnssec_trust_anchors '/var/lib/stubby/getdns-root.key' option edns_client_subnet_private '1' option idle_timeout '10000' diff --git a/net/stubby/files/stubby.init b/net/stubby/files/stubby.init index 104248acb..4a975e39d 100755 --- a/net/stubby/files/stubby.init +++ b/net/stubby/files/stubby.init @@ -2,11 +2,9 @@ USE_PROCD=1 -START=50 +START=30 STOP=51 -PROG="/usr/sbin/stubby" - stubby="/usr/sbin/stubby" stubby_init="/etc/init.d/stubby" stubby_config_dir="/var/etc/stubby" @@ -29,6 +27,7 @@ generate_config() local edns_client_subnet_private local idle_timeout local appdata_dir + local trust_anchors_backoff_time local tls_connection_retries local tls_backoff_time local timeout @@ -37,7 +36,6 @@ generate_config() local listen_addresses_section=0 local dns_transport_list_section=0 local upstream_recursive_servers_section=0 - local stubby_args local command_line_arguments local log_level @@ -51,6 +49,9 @@ generate_config() config_get appdata_dir "global" appdata_dir "/var/lib/stubby" echo "appdata_dir: \"$appdata_dir\"" >> "$config_file" + config_get trust_anchors_backoff_time "global" trust_anchors_backoff_time "2500" + echo "trust_anchors_backoff_time: $trust_anchors_backoff_time" >> "$config_file" + config_get tls_connection_retries "global" tls_connection_retries "" if [ -n "$tls_connection_retries" ]; then echo "tls_connection_retries: $tls_connection_retries" >> "$config_file" @@ -121,7 +122,6 @@ generate_config() local config=$1 local address local tls_auth_name - local spki local tls_pubkey_pinset_section=0 if [ "$upstream_recursive_servers_section" = 0 ]; then 
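Review bot: The new `# option trust_anchors_backoff_time 2500` is the only value in stubby.conf written without quotes; every other option and list in the file, including the neighbouring `# option timeout '5000'`, quotes its value, and the README documents defaults in the same `'...'` notation. For consistency with the rest of the shipped defaults, write it as `# option trust_anchors_backoff_time '2500'`.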
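Review bot: The new `trust_anchors_backoff_time` line is always emitted with a hard-coded `"2500"` default, whereas the neighbouring optional tunables read just above it (`tls_connection_retries`, `tls_backoff_time`, `timeout`) use an empty default and are only written when the user set them, leaving stubby's built-in default in force. Since stubby.conf ships this option commented out, I would follow the same pattern: `config_get trust_anchors_backoff_time "global" trust_anchors_backoff_time ""` guarded by `if [ -n "$trust_anchors_backoff_time" ]; then ... fi`, so the generated YAML only overrides the daemon default when asked to. generate_config starts and ends outside this hunk.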
@@ -176,10 +176,11 @@ start_service() { config_get log_level "global" log_level "" - if [ $("${stubby_init}" enabled; printf "%u" ${?}) -eq 0 ]; then - if [ -n "${stubby_boot}" ]; then - local trigger="$(uci_get stubby global trigger)" - if [ "${trigger}" != "timed" ]; then + if [ "$("$stubby_init" enabled; printf "%u" $?)" -eq 0 ]; then + if [ -n "$stubby_boot" ]; then + local trigger + trigger="$(uci_get stubby global trigger)" + if [ "$trigger" != "timed" ]; then return 0 fi fi @@ -191,7 +192,7 @@ start_service() { if [ -n "$command_line_arguments" ]; then procd_append_param command "$command_line_arguments" fi - procd_set_param respawn ${respawn_threshold:-3600} ${respawn_timeout:-5} ${respawn_retry:-5} + procd_set_param respawn procd_set_param file "$stubby_config" procd_set_param stdout 1 procd_set_param stderr 1 @@ -203,12 +204,15 @@ start_service() { service_triggers() { - local trigger="$(uci_get stubby global trigger)" - local delay="$(uci_get stubby global triggerdelay "2")" + local trigger + local delay - if [ "${trigger}" != "none" ] && [ "${trigger}" != "timed" ]; then + trigger="$(uci_get stubby global trigger)" + delay="$(uci_get stubby global triggerdelay "2")" + + if [ "$trigger" != "none" ] && [ "$trigger" != "timed" ]; then PROCD_RELOAD_DELAY=$((${delay:-2} * 1000)) - procd_add_interface_trigger "interface.*.up" "${trigger}" "${stubby_init}" start + procd_add_interface_trigger "interface.*.up" "$trigger" "$stubby_init" start fi procd_add_reload_trigger "stubby" }
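Review bot: service_triggers still registers an interface trigger when `trigger` is unset: `uci_get` returns an empty string, which is neither `none` nor `timed`, so `procd_add_interface_trigger "interface.*.up" "" "$stubby_init" start` is called with an empty interface name (what procd does with that I cannot tell from here, but it is clearly not intended), while the boot-time check in start_service, which begins outside this hunk, also declines to start the daemon because the value is not `timed`. Guard the empty case explicitly: `if [ -n "$trigger" ] && [ "$trigger" != "none" ] && [ "$trigger" != "timed" ]; then`. Separately, `$((${delay:-2} * 1000))` aborts the function on a non-numeric `triggerdelay`, so the reload trigger below it is never registered; a `case "$delay" in ''|*[!0-9]*) delay=2 ;; esac` before the arithmetic would keep that path alive. The README's description of `option trigger` documents interface names and `timed` but not the `none` value this code accepts.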