Page 2 of 3 (results 11 to 20 of 21)

Thread: DNS Cache and Encryption

  1. #11
    Join Date
    Mar 2005
    Beans
    211

    Re: DNS Cache and Encryption

    Quote Originally Posted by quequotion View Post
I think this number should be extracted from dnsmasq's configuration however, and not arbitrarily specified in the init script. If this number is not the same as the number in the configuration file, and users do not specify the correct number in /etc/resolvconf/resolv.conf.d/head then DNS queries will be sent into a black hole. #note to self: make a bug report
    Perhaps add your comment to the existing bug report https://bugs.launchpad.net/ubuntu/+s...q/+bug/1042275

  2. #12
    Join Date
    Mar 2005
    Beans
    211

    Re: DNS Cache and Encryption

    Quote Originally Posted by quequotion View Post
    This does not work. 127.0.0.2 will not be added to /etc/resolv.conf and DNS will not resolve. I tried this from the command line as well as by init script; dnscrypt-proxy and dnsmasq both run, but DNS requests never get forwarded to dnscrypt-proxy.
    Resolvconf won't normally add 127.0.0.2 to resolv.conf if there is an earlier line "nameserver 127.0.1.1". It isn't needed there because the glibc resolver should contact dnsmasq (at 127.0.1.1) and not dnscrypt-proxy.

    However, dnsmasq *should* contact dnscrypt-proxy.

    Let's debug. Please comment out "dns=dnsmasq"; reboot; ensure that dnsmasq is listening at 127.0.1.1; ensure that dnscrypt-proxy is listening at 127.0.0.2; run

    Code:
    echo "nameserver 127.0.0.2" | resolvconf -a lo.dnscrypt-proxy
    and then post the output of

    Code:
    ls -l /etc/resolv.conf
    cat /etc/resolv.conf
    ls -l /run/resolvconf
    ls -l /run/resolvconf/interface
    for F in /run/resolvconf/interface/* ; do echo "=== $F ===" ; cat "$F" ; done
    ls -l /etc/resolvconf/resolv.conf.d
    for F in /etc/resolvconf/resolv.conf.d/* ; do echo "=== $F ===" ; cat "$F" ; done
    cat /etc/default/resolvconf
    ls -l /var/run/dnsmasq
    cat /var/run/dnsmasq/resolv.conf
    Last edited by jdthood; May 18th, 2013 at 07:46 PM. Reason: Add a couple of commands to run

  3. #13
    Join Date
    Nov 2008
    Location
    Oita, Japan
    Beans
    424
    Distro
    Ubuntu

    Re: DNS Cache and Encryption

    Quote Originally Posted by jdthood View Post
    Long ago when Debian contained the "dhcp-client" package (version 2), /etc/dhcp/ was used. When "dhcp3-client" was introduced it used /etc/dhcp3/ so that it could be installed alongside dhcp-client. After dhcp-client was dropped from Debian, dhcp3-client was renamed to "isc-dhcp-client" and stuff was moved from /etc/dhcp3/ to /etc/dhcp/. So either new, or very old, systems use /etc/dhcp/.
So what we need is for the transitional packages to install symlinks to the config files and then purge them on uninstall. #note to self: still need to make that bug report / feature request.

    Quote Originally Posted by jdthood View Post
    This indicates that resolvconf is either absent, or is non-standardly configured on your machine. Because resolvconf normally doesn't include any "nameserver" lines after a "nameserver 127.0.0.1" line. See my next post.
    I think you are looking at this discussion from the wrong angle. resolvconf is present and configured as default (except for the head file).
    If /etc/resolv.conf contains "nameserver 127.0.1.1" because dnsmasq is running then (in the standard resolvconf configuration) you won't see any changes in /etc/resolv.conf because resolvconf doesn't list nameserver addresses after any loopback address.
    I think this is the key point. There should be a "correct" way to get resolvconf to add a second line to this file, but I can't find any documentation on it.
    (This doesn't mean that adding nameserver information via the connection editor is ineffective, though. If things are working properly, then, if the NetworkManager-controlled nameserver is running, nameserver information added via the connection editor is transmitted to the NetworkManager-controlled nameserver that is listening at that loopback address. This goes via /run/nm-dns-dnsmasq.conf in Ubuntu 12.04, or via D-Bus in Ubuntu 12.10 or later.)
As I pointed out, it is necessary to disable the NetworkManager-controlled dnsmasq and install a separate dnsmasq in order to have a custom configuration in 12.04. My initial two posts are a how-to guide for getting dnsmasq and dnscrypt-proxy to work together in 12.04; it is not possible to use the NetworkManager-controlled dnsmasq with DNSCrypt in 12.04.

    Quote Originally Posted by jdthood View Post
    Perhaps add your comment to the existing bug report https://bugs.launchpad.net/ubuntu/+s...q/+bug/1042275
    That's not exactly the right bug, although your last comment in it is relevant. It's not just a matter of listening on "lo" or not, but that the IP address assigned in the initscript is not bound to be the same as the address in dnsmasq's config file and that could create a black hole for DNS queries to fall into. Communicating directly with resolvconf would be an efficient way of solving both problems.

    Quote Originally Posted by jdthood View Post
    Resolvconf won't normally add 127.0.0.2 to resolv.conf if there is an earlier line "nameserver 127.0.1.1".
    As I said before, there must be a "correct" way of getting resolvconf to add a second line. It is necessary because:
    It isn't needed there because the glibc resolver should contact dnsmasq (at 127.0.1.1) and not dnscrypt-proxy.

    However, dnsmasq *should* contact dnscrypt-proxy.
    It should, when configured to do so (it cannot auto-magically do so), but it doesn't. There is a place in dnsmasq's config file to add other DNS servers, but then it never actually forwards queries to them. So, it is necessary to have two lines in resolv.conf: one for the DNS cache (dnsmasq) and another for the secure DNS resolver (dnscrypt-proxy). There is no other way for this to work in 12.04.

    Let's debug. Please comment out "dns=dnsmasq"; reboot; ensure that dnsmasq is listening at 127.0.1.1; ensure that dnscrypt-proxy is listening at 127.0.0.2; run

    Code:
    echo "nameserver 127.0.0.2" | resolvconf -a lo.dnscrypt-proxy
Please go over what I've posted again; this is exactly what I recommended. Commenting out "dns=dnsmasq" and installing a separate, configurable, dnsmasq is the only way to get dnsmasq and dnscrypt-proxy working together in 12.04, which is why I wrote a how-to guide on setting them up as such.

    When I ran that command, nothing was added to resolv.conf and DNS queries do not resolve. There should be a "correct" way to get resolvconf to add a second line to /etc/resolv.conf.

    and then post the output of

    Code:
    ls -l /etc/resolv.conf
    cat /etc/resolv.conf
    ls -l /run/resolvconf
    ls -l /run/resolvconf/interface
    for F in /run/resolvconf/interface/* ; do echo "=== $F ===" ; cat "$F" ; done
    ls -l /etc/resolvconf/resolv.conf.d
    for F in /etc/resolvconf/resolv.conf.d/* ; do echo "=== $F ===" ; cat "$F" ; done
    cat /etc/default/resolvconf
    I'll get you that output next time I'm at home. I think it's important to note here: I posted my how-to guide after doing considerable testing and diagnostics myself. The things I said don't work, really don't work in 12.04; if someone wants to use dnsmasq with dnscrypt in 12.04 they will (most likely) have do it as I posted. From what you've posted, I take it that much more of the "new way" is properly implemented in 12.10, which means users of 12.10 need a different (and much shorter) guide.

    There's only really one point that needs debugging for me:

Why doesn't dnsmasq use DNS servers specified in its configuration file?

    An answer to that question would resolve everything else you are asking me about, and possibly shorten my how-to for 12.04.

  4. #14
    Join Date
    Nov 2008
    Location
    Oita, Japan
    Beans
    424
    Distro
    Ubuntu

    Re: DNS Cache and Encryption

    I've edited and annotated the how-to guide to note the discrepancies between 12.04 and 12.10. Hopefully this will clear up any confusion.

  5. #15
    Join Date
    Nov 2008
    Location
    Oita, Japan
    Beans
    424
    Distro
    Ubuntu

    Re: DNS Cache and Encryption

    ls -l /etc/resolv.conf
    Code:
    lrwxrwxrwx 1 root root 29 Apr 14  2012 /etc/resolv.conf -> ../run/resolvconf/resolv.conf
    Symlinked where it should be.

    cat /etc/resolv.conf
    Code:
    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 127.0.1.1 #dnsmasq
    nameserver 127.0.0.2 #dnscrypt-proxy 
    nameserver 127.0.1.1
    Just like it is in my how-to.

    ls -l /run/resolvconf
    Code:
    total 4
    -rw-r--r-- 1 root root   0 May 19 15:26 enable-updates
    drwxr-xr-x 2 root root 100 May 19 15:26 interface
    -rw-r--r-- 1 root root 240 May 19 15:26 resolv.conf
    Nothing unusual here.

    ls -l /run/resolvconf/interface
    Code:
    total 8
    -rw-r--r-- 1 root root 21 May 19 15:26 lo.dnsmasq
    -rw-r--r-- 1 root root 42 May 19 15:26 NetworkManager
    Looks ok to me.

    for F in /run/resolvconf/interface/* ; do echo "=== $F ===" ; cat "$F" ; done
    Code:
    === /run/resolvconf/interface/lo.dnsmasq ===
    nameserver 127.0.1.1
    === /run/resolvconf/interface/NetworkManager ===
    nameserver 127.0.1.1
    nameserver 127.0.0.2
    NetworkManager probably extracts those from resolv.conf, as they are not specified anywhere else.

    ls -l /etc/resolvconf/resolv.conf.d
    Code:
    total 8
    -rw-r--r-- 1 root root   0 May 13 12:34 base
    -rw-r--r-- 1 root root 219 May 16 05:44 head
    -rw-r--r-- 1 root root 221 May 16 05:41 head~
    -rw-r--r-- 1 root root   0 Jan  4 06:31 tail
    I modified head with gedit, so there's a backup file.

    for F in /etc/resolvconf/resolv.conf.d/* ; do echo "=== $F ===" ; cat "$F" ; done
    Code:
    === /etc/resolvconf/resolv.conf.d/base ===
    === /etc/resolvconf/resolv.conf.d/head ===
    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 127.0.1.1 #dnsmasq
    nameserver 127.0.0.2 #dnscrypt-proxy 
    === /etc/resolvconf/resolv.conf.d/head~ ===
    === /etc/resolvconf/resolv.conf.d/tail ===
    Nothing to see here really, except the changes I made to head to get DNS to resolve.

    cat /etc/default/resolvconf
    Code:
    cat: /etc/default/resolvconf: No such file or directory
    Nothing there.

    ls -l /var/run/dnsmasq
    Code:
    total 8
    -rw-r--r-- 1 root root  5 May 19 15:26 dnsmasq.pid
    -rw-r--r-- 1 root root 42 May 19 15:26 resolv.conf
    As expected.

    cat /var/run/dnsmasq/resolv.conf
    Code:
    nameserver 127.0.0.2
    nameserver 127.0.1.1
The servers are not in the same order as the real resolv.conf they've been extracted from. My understanding is that it doesn't matter unless I specify the "strict-order" option for dnsmasq.

  6. #16
    Join Date
    Mar 2005
    Beans
    211

    Re: DNS Cache and Encryption

    First let me say that I appreciate what you are trying to do. It's good that you were able to get dnsmasq and dnscrypt working together in daisy chain with the former (dnsmasq, first stage) caching and forwarding queries to the latter (dnscrypt, second stage).

    I believe, however, that the way you implemented things was less than ideal, regardless of whether the base system is Ubuntu 12.04 or 12.10. What I would like to do is continue to work with you to implement things as well as the base system allows. When we have done this we will know exactly how to package dnscrypt properly for Ubuntu.

    When I replied to your original post I just tried to address a few parenthetical remarks you made and to answer the questions that you asked in your post. The discussion that followed was a bit confusing, but now I think I know why. I have just gone back and re-read the whole thread and I now realize that I overlooked the most important problem of all. You are under the impression that the NetworkManager-controlled dnsmasq instance can be used in the "first stage", in the same role as dnsmasq server — or, rather, could be used as the first stage if it were possible to customize its configuration (as it is possible in Ubuntu 12.10). But this is not supported, even in Ubuntu 12.10. NetworkManager feeds its slave dnsmasq instance with the nameserver addresses it knows about that are associated with external network connections. When you enter addresses into the "DNS servers" field in the connection editor, those addresses are meant to be external addresses accessible over the connection in question. Entering loopback addresses into the "DNS servers" field is not supported.

Note that daisy chaining a dnsmasq server instance to the NetworkManager-controlled dnsmasq instance is supported. Obtaining this in Ubuntu 12.04 requires some manual configuration of dnsmasq server because in Ubuntu 12.04 the NetworkManager-controlled dnsmasq instance listens at 127.0.0.1 which conflicts with dnsmasq server in its default configuration. Obtaining the dnsmasq-dnsmasq daisy chain in Ubuntu 12.10 requires only the installation of the dnsmasq package; after it's installed, dnsmasq server listens at 127.0.0.1 in bind-interfaces mode and forwards queries to nm-dnsmasq at 127.0.1.1.

    Now let's turn to your debugging output. It looks as if you didn't follow my instructions exactly — you didn't run the line with "resolvconf -a lo.dnscrypt-proxy", otherwise there would be a file named "lo.dnscrypt-proxy" in /run/resolvconf/interface/ — but this probably doesn't matter because I think we have found the most important problem.

    Looking at the debugging output I see that DNS queries will follow paths like the following.
    Code:
    glibc resolver -------------> 127.0.1.1 dnsmasq server -------------> 127.0.0.2 dnscrypt ----> OpenDNS
                      \      /                                  \     /
                       \     \-----------------<--------------- /    /
                        ------------------------>-------------------
    I assume that dnscrypt is somehow configured to know the OpenDNS nameserver addresses. Is that right? (I have no experience with dnscrypt.)

    Update: I have started reading the dnscrypt docs and found:
    DNSCrypt comes pre-configured for OpenDNS, although the --resolver-address=<ip>:<port>, --provider-name=<certificate provider FQDN> and --provider-key=<provider public key> can be specified in order to change the default settings.
    So dnscrypt-proxy can forward to servers other than OpenDNS — but those servers would of course have to support the DNSCrypt protocol.

    That dnsmasq server has 127.0.1.1 as both a forwarding address and as its listen address is bad. This tells dnsmasq to loop queries back to itself. This is a consequence of 127.0.1.1 being included in a "DNS servers" field for a connection.

    You should have something like the following instead.
    Code:
    glibc resolver -------> 127.0.0.1 dnsmasq server --------> 127.0.0.2 dnscrypt ----> OpenDNS
(127.0.0.1 is the IPv4 address of the loopback device and one of the addresses that dnsmasq server listens at by default. For dnscrypt you can choose any address in 127/8, but 127.0.1.1 is not a particularly good choice since that is the address used by nm-dnsmasq.)

    To achieve this:
    * Configure the external network connection with the NetworkManager connection editor. Select "Method: Automatic (DHCP) addresses only" and ensure that all the "DNS server" fields are empty.
    * Back up any dnsmasq configuration files you changed and don't want to lose. Purge the dnsmasq package (which will delete those configuration files) and reinstall it. This will restore dnsmasq server to the factory configuration wherein it listens at all addresses.
    * Enable dnsmasq "bind-interfaces" mode: uncomment the "bind-interfaces" line in /etc/dnsmasq.conf.
    * Also set "cache-size=1000" in dnsmasq if desired.
    * Back up any resolvconf configuration files you changed and don't want to lose. Purge the resolvconf package (which will delete those configuration files) and reinstall it. This will restore resolvconf to the factory configuration where it contains no non-comment lines in /etc/resolvconf/resolv.conf.d/head.
    * Configure dnscrypt to listen at 127.0.0.2.
    * Reboot
    * Ensure that dnscrypt is listening at 127.0.0.2 and forwards queries to the OpenDNS nameservers.
    Code:
    host www.google.com 127.0.0.2
    * Do
    Code:
    echo "nameserver 127.0.0.2" | resolvconf -a lo.dnscrypt-proxy
    * Check that you can now resolve names via dnsmasq at 127.0.0.1.
    Code:
    host www.microsoft.com 127.0.0.1
    Code:
    host www.ubuntu.com
    After doing all this, please post the debugging output again.

    Code:
    cat /etc/NetworkManager/NetworkManager.conf
    ls -l /etc/resolv.conf
    cat /etc/resolv.conf
    ls -l /run/resolvconf
    ls -l /run/resolvconf/interface
    for F in /run/resolvconf/interface/* ; do echo "=== $F ===" ; cat "$F" ; done
    ls -l /etc/resolvconf/resolv.conf.d
    for F in /etc/resolvconf/resolv.conf.d/* ; do echo "=== $F ===" ; cat "$F" ; done
    cat /etc/default/resolvconf
    ls -l /var/run/dnsmasq
    cat /var/run/dnsmasq/resolv.conf
    Even if this works then we aren't finished quite yet. We need to change the dnscrypt initscript to run "resolvconf -a lo.dnscrypt-proxy" on start and "resolvconf -d lo.dnscrypt-proxy" on stop. And we should probably enhance dnsmasq's resolvconf hook script to be dnscrypt-aware.

    P.S. You should probably delete the updates in your original post where you say that in Ubuntu 12.10 you can configure the NetworkManager-controlled dnsmasq instance to play the same role as the dnsmasq server instance.
    Last edited by jdthood; May 19th, 2013 at 07:40 PM.
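The loop jdthood points out above (dnsmasq listening at 127.0.1.1 while 127.0.1.1 also appears in the upstream list it reads from /var/run/dnsmasq/resolv.conf) is easy to check for mechanically. The following script is an added example and is not part of the thread, nor dnsmasq's or resolvconf's own tooling; the function names and the two sample upstream files it constructs are assumptions made for the illustration. It parses a resolv.conf-style file the way dnsmasq would read its upstream list, and reports whether any upstream address is the address dnsmasq itself listens at.

```shell
#!/bin/sh
# Added example (not from the thread): detect the dnsmasq forwarding loop
# described above, where the upstream list dnsmasq reads contains the very
# address dnsmasq listens at, so queries are forwarded back to dnsmasq.

# Print the nameserver addresses in a resolv.conf-style file, one per line,
# ignoring comments (including trailing "#dnsmasq" style comments) and blanks.
nameservers_in() {
    # $1 = path to a resolv.conf-style file
    sed -e 's/#.*//' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# Return 0 (true) if any upstream address in the file equals the listen
# address, i.e. dnsmasq would forward to itself.
has_forwarding_loop() {
    # $1 = address dnsmasq listens at, $2 = upstream resolv.conf file
    for ns in $(nameservers_in "$2"); do
        if [ "$ns" = "$1" ]; then
            return 0
        fi
    done
    return 1
}

# One-line verdict for a listen address / upstream file pair.
describe_chain() {
    # $1 = address dnsmasq listens at, $2 = upstream resolv.conf file
    if has_forwarding_loop "$1" "$2"; then
        echo "LOOP: dnsmasq at $1 forwards to itself via $2"
    else
        echo "OK: dnsmasq at $1 forwards to:$(nameservers_in "$2" | tr '\n' ' ' | sed 's/ $//' | sed 's/^/ /')"
    fi
}

# Constructed sample inputs (not real system files) reproducing the two
# situations in the thread: the looping setup from the debugging output,
# and the intended glibc -> 127.0.0.1 dnsmasq -> 127.0.0.2 dnscrypt chain.
BAD_UPSTREAM=$(mktemp)
GOOD_UPSTREAM=$(mktemp)
trap 'rm -f "$BAD_UPSTREAM" "$GOOD_UPSTREAM"' EXIT
printf 'nameserver 127.0.0.2\nnameserver 127.0.1.1\n' > "$BAD_UPSTREAM"
printf 'nameserver 127.0.0.2 #dnscrypt-proxy\n' > "$GOOD_UPSTREAM"

describe_chain 127.0.1.1 "$BAD_UPSTREAM"    # reports LOOP
describe_chain 127.0.0.1 "$GOOD_UPSTREAM"   # reports OK, forwards to 127.0.0.2
```

After following the steps in the post, the same check can be run against the real file with `describe_chain 127.0.0.1 /var/run/dnsmasq/resolv.conf`, where the first argument is whatever address dnsmasq is bound to in bind-interfaces mode; a LOOP verdict means the upstream list still contains dnsmasq's own address and resolution will fail or time out rather than reach dnscrypt-proxy.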

  7. #17
    Join Date
    Nov 2008
    Location
    Oita, Japan
    Beans
    424
    Distro
    Ubuntu

    Re: DNS Cache and Encryption

Oh, I see. Yeah, we could be discussing a refit for the currently supplied dnsmasq. I hoped it had happened in 12.10, as it has in Arch, but alas no. I will get on straightening out those notes after work. I will re-label them as "theoretical configuration".

I'll also get that last output; I guess I missed a line!

    I don't really understand about dnsmasq looping into itself: shouldn't it do so as a cache? The path is similar to what you said:
    DNSQuery->out; ->dnsmasq: in cache?; yes-> return ip; no-> forward to dnscrypt-proxy; ->dnscrypt-proxy->OpenDNS(mutex communication over the proxy;->return ip;

  8. #18
    Join Date
    Mar 2005
    Beans
    211

    Re: DNS Cache and Encryption

    I have filed a report in the Debian bug tracking system where I wish for automagic integration of dnsmasq with dnscrypt-proxy: http://bugs.debian.org/709179. The Debian maintainer has already agreed to implement this integration. This means that we should have the integration implemented within, say, a month, in Debian unstable. The support will appear in Ubuntu the next time after that that Ubuntu syncs from Debian unstable, which means 13.10 or 14.04.
    Last edited by jdthood; May 21st, 2013 at 04:44 PM.

  9. #19
    Join Date
    Nov 2008
    Location
    Oita, Japan
    Beans
    424
    Distro
    Ubuntu

    Re: DNS Cache and Encryption

    Open Source Development Process to the rescue again!

    I love it when things work out this well

  10. #20
    Join Date
    Mar 2005
    Beans
    211

    Re: DNS Cache and Encryption

    I just noticed that there's an ITP for dnscrypt-proxy in the Debian BTS (http://bugs.debian.org/692320). I have submitted a request that this future package support resolvconf.

    Once this is done and resolvconf/dnscrypt-proxy support has been added to dnsmasq (http://bugs.debian.org/709179) everything should just work.

    Resolvconf itself doesn't need to be changed (http://bugs.debian.org/709258).
