From 543eb178824e8ed8a6f385fe1ebdf0d7ca709be3 Mon Sep 17 00:00:00 2001
From: Matthias Schiffer <mschiffer@universe-factory.net>
Date: Fri, 13 Apr 2018 15:15:40 +0200
Subject: [PATCH] gluon-core: remove DNS cache feature
dnsmasq's caching is severly broken and does not handle all answer records
equally. In particular, its cached answers are missing DNSKEY and DS
records, breaking DNSSEC validation on clients.
Remove the cache for now. It may return if dnsmasq is fixed or we switch to
a different resolver.
---
docs/features/dns-cache.rst | 52 -------------------
docs/features/dns-forwarder.rst | 26 ++++++++++
docs/index.rst | 2 +-
docs/releases/v2017.1.rst | 2 -
package/gluon-core/check_site.lua | 1 -
.../luasrc/lib/gluon/upgrade/820-dns-config | 2 +-
6 files changed, 28 insertions(+), 57 deletions(-)
delete mode 100644 docs/features/dns-cache.rst
create mode 100644 docs/features/dns-forwarder.rst
diff --git a/docs/features/dns-cache.rst b/docs/features/dns-cache.rst
deleted file mode 100644
index 0a42e1104..000000000
--- a/docs/features/dns-cache.rst
+++ /dev/null
@@ -1,52 +0,0 @@
-DNS caching
-===========
-
-User experience may be greatly improved when dns is accelerated. Also, it
-seems like a good idea to keep the number of packages being exchanged
-between node and gateway as small as possible. In order to do this, a
-DNS cache may be used on a node. The dnsmasq instance listening on port
-53 on the node will be reconfigured to answer requests, use a list of
-upstream servers and a specific cache size if the options listed below are
-added to site.conf. Upstream servers are the DNS servers which are normally
-used by the nodes to resolve hostnames (e.g. gateways/supernodes).
-
-There are the following settings:
- servers
- cacheentries
-
-To use the node's DNS server, both options should be set. The node will cache at
-most 'cacheentries' many DNS records in RAM. The 'servers' list will be used to
-resolve the received DNS queries if the request cannot be answered from
-cache. Gateways should announce the "next node" address via DHCP and RDNSS (if
-any). Note that not setting 'servers' here will lead to DNS not working: Once
-the gateways all announce the "next node" address for DNS, there is no way for
-nodes to automatically determine DNS servers. They have to be baked into the
-firmware.
-
-If these settings do not exist, the cache is not initialized and RAM usage will
-not increase.
-
-When next_node.name is set, an A record and an AAAA record for the
-next-node IP address are placed in the dnsmasq configuration. This means that
-the content of next_node.name may be resolved even without upstream connectivity.
-It is suggested to use the same name as the DNS server provides:
-e.g. nextnode.location.community.example.org (This way the name also works if a
-client uses static DNS Servers). Hint: If next_node.name does not contain a dot
-some browsers would open the searchpage instead.
-
-::
-
- dns = {
- cacheentries = 5000,
- servers = { '2001:db8::1', },
- },
-
- next_node = {
- name = { 'nextnode.location.community.example.org', 'nextnode', 'nn' },
- ip6 = '2001:db8:8::1',
- ip4 = '198.51.100.1',
- }
-
-
-The cache will be initialized during startup.
-Each cache entry will occupy about 90 bytes of RAM.
diff --git a/docs/features/dns-forwarder.rst b/docs/features/dns-forwarder.rst
new file mode 100644
index 000000000..d74f9618f
--- /dev/null
+++ b/docs/features/dns-forwarder.rst
@@ -0,0 +1,26 @@
+DNS forwarder
+=============
+
+A Gluon node can be configured to act as a DNS forwarder. Requests for the
+next-node hostname(s) can be answered locally, without querying the upstream
+resolver.
+
+**Note:** While this reduces answer time and allows to use the next-node
+hostname without upstream connectivity, this feature should not be used for
+next-node hostnames that are FQDN when the zone uses DNSSEC.
+
+One or more upstream resolvers can be configured in the *dns.servers* setting.
+When *next_node.name* is set, A and/or AAAA records for the next-node IP
+addresses are placed in the dnsmasq configuration.
+
+::
+
+ dns = {
+ servers = { '2001:db8::1', },
+ },
+
+ next_node = {
+ name = { 'nextnode.location.community.example.org', 'nextnode', 'nn' },
+ ip6 = '2001:db8:8::1',
+ ip4 = '198.51.100.1',
+ }
diff --git a/docs/index.rst b/docs/index.rst
index 5bc7229a7..3f4d78a87 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -23,7 +23,7 @@ Several Freifunk communities in Germany use Gluon as the foundation of their Fre
features/wlan-configuration
features/private-wlan
features/wired-mesh
- features/dns-cache
+ features/dns-forwarder
features/monitoring
features/authorized-keys
features/roles
diff --git a/docs/releases/v2017.1.rst b/docs/releases/v2017.1.rst
index 5c5b48bb4..cc445933a 100644
--- a/docs/releases/v2017.1.rst
+++ b/docs/releases/v2017.1.rst
@@ -88,8 +88,6 @@ New features
* Add support for making nodes a DNS cache for clients
(`#1000 <https://github.com/freifunk-gluon/gluon/issues/1000>`_)
- See also: :doc:`../features/dns-cache`
-
* Add L2TP via tunneldigger as an alternative VPN system
(`#978 <https://github.com/freifunk-gluon/gluon/issues/978>`_)
diff --git a/package/gluon-core/check_site.lua b/package/gluon-core/check_site.lua
index e2f2e69b6..06840eb0c 100644
--- a/package/gluon-core/check_site.lua
+++ b/package/gluon-core/check_site.lua
@@ -67,7 +67,6 @@ need_boolean(in_site({'poe_passthrough'}), false)
if need_table({'dns'}, nil, false) then
need_string_array_match({'dns', 'servers'}, '^[%x:]+$')
- need_number({'dns', 'cacheentries'}, false)
end
need_string_array(in_domain({'next_node', 'name'}), false)
diff --git a/package/gluon-core/luasrc/lib/gluon/upgrade/820-dns-config b/package/gluon-core/luasrc/lib/gluon/upgrade/820-dns-config
index ea0bf4ac4..18b44d3f3 100755
--- a/package/gluon-core/luasrc/lib/gluon/upgrade/820-dns-config
+++ b/package/gluon-core/luasrc/lib/gluon/upgrade/820-dns-config
@@ -12,7 +12,7 @@ uci:set('dhcp', dnsmasq, 'localise_queries', true)
uci:set('dhcp', dnsmasq, 'localservice', false)
uci:set('dhcp', dnsmasq, 'server', dns.servers)
-uci:set('dhcp', dnsmasq, 'cachesize', dns.cacheentries)
+uci:delete('dhcp', dnsmasq, 'cachesize')
uci:delete('firewall', 'client_dns')
if dns.servers then
--
GitLab