Merge pull request #2759 from mweinelt/dnsmasq-dnssec-caching

Restore local DNS caching

docs/features/dns-cache.rst

@@ -0,0 +1,51 @@
+DNS caching
+===========
+
+User experience may be greatly improved when dns is accelerated. Also, it
+seems like a good idea to keep the number of packages being exchanged
+between node and gateway as small as possible. In order to do this, a
+DNS cache may be used on a node. The dnsmasq instance listening on port
+53 on the node will be reconfigured to answer requests, use a list of
+upstream servers and a specific cache size if the options listed below are
+added to site.conf. Upstream servers are the DNS servers which are normally
+used by the nodes to resolve hostnames (e.g. gateways/supernodes).
+
+There are the following settings:
+    servers
+    cacheentries
+
+To use the node's DNS server, both options should be set. The node will cache at
+most 'cacheentries' many DNS records in RAM. The 'servers' list will be used to
+resolve the received DNS queries if the request cannot be answered from
+cache. Gateways should announce the "next node" address via DHCP and RDNSS (if
+any). Note that not setting 'servers' here will lead to DNS not working: Once
+the gateways all announce the "next node" address for DNS, there is no way for
+nodes to automatically determine DNS servers. They have to be baked into the
+firmware.
+
+If these settings do not exist, the cache is not initialized and RAM usage will
+not increase.
+
+When next_node.name is set, an A record and an AAAA record for the
+next-node IP address are placed in the dnsmasq configuration. This means that
+the content of next_node.name may be resolved even without upstream connectivity.
+It is suggested to use the same name as the DNS server provides:
+e.g. nextnode.location.community.example.org (This way the name also works if a
+client uses static DNS Servers). Hint: If next_node.name does not contain a dot
+some browsers would open the searchpage instead.
+
+::
+
+  dns = {
+    cacheentries = 5000,
+    servers = { '2001:db8::1', },
+  },
+
+  next_node = {
+    name = { 'nextnode.location.community.example.org', 'nextnode', 'nn' },
+    ip6 = '2001:db8:8::1',
+    ip4 = '198.51.100.1',
+  }
+
+
+Each cache entry will occupy about 90 bytes of RAM.

docs/features/dns-forwarder.rst

@@ -1,26 +0,0 @@
-DNS forwarder
-=============
-
-A Gluon node can be configured to act as a DNS forwarder. Requests for the
-next-node hostname(s) can be answered locally, without querying the upstream
-resolver.
-
-**Note:** While this reduces answer time and allows to use the next-node
-hostname without upstream connectivity, this feature should not be used for
-next-node hostnames that are FQDN when the zone uses DNSSEC.
-
-One or more upstream resolvers can be configured in the *dns.servers* setting.
-When *next_node.name* is set, A and/or AAAA records for the next-node IP
-addresses are placed in the dnsmasq configuration.
-
-::
-
-  dns = {
-    servers = { '2001:db8::1', },
-  },
-
-  next_node = {
-    name = { 'nextnode.location.community.example.org', 'nextnode', 'nn' },
-    ip6 = '2001:db8:8::1',
-    ip4 = '198.51.100.1',
-  }

docs/index.rst

@@ -25,7 +25,7 @@ Several Freifunk communities in Germany use Gluon as the foundation of their Fre
   features/wlan-configuration
   features/private-wlan
   features/wired-mesh
-  features/dns-forwarder
+  features/dns-cache
   features/monitoring
   features/multidomain
   features/authorized-keys

docs/releases/v2017.1.rst

@@ -88,6 +88,8 @@ New features
 * Add support for making nodes a DNS cache for clients
   (`#1000 <https://github.com/freifunk-gluon/gluon/pull/1000>`_)
 
+  See also: :doc:`../features/dns-cache`
+
 * Add L2TP via tunneldigger as an alternative VPN system
   (`#978 <https://github.com/freifunk-gluon/gluon/pull/978>`_)
 

package/gluon-core/check_site.lua

@@ -66,6 +66,7 @@ need_boolean(in_site({'poe_passthrough'}), false)
 
 if need_table({'dns'}, nil, false) then
 	need_string_array_match({'dns', 'servers'}, '^[%x:]+$')
+	need_number({'dns', 'cacheentries'}, false)
 end
 
 need_string_array(in_domain({'next_node', 'name'}), false)

package/gluon-core/luasrc/lib/gluon/upgrade/820-dns-config

@@ -12,7 +12,7 @@ uci:set('dhcp', dnsmasq, 'localise_queries', true)
 uci:set('dhcp', dnsmasq, 'localservice', false)
 
 uci:set('dhcp', dnsmasq, 'server', dns.servers)
-uci:delete('dhcp', dnsmasq, 'cachesize')
+uci:set('dhcp', dnsmasq, 'cachesize', dns.cacheentries)
 
 uci:delete('firewall', 'client_dns')
 if dns.servers then

package/gluon-setup-mode/Makefile

@@ -9,7 +9,7 @@ include ../gluon.mk
 
 define Package/gluon-setup-mode
   TITLE:=Setup mode
-  DEPENDS:=+gluon-core +gluon-lock-password +ubus +dnsmasq
+  DEPENDS:=+gluon-core +gluon-lock-password +ubus +dnsmasq-full
 endef
 
 define Package/gluon-setup-mode/description

package/gluon-wan-dnsmasq/Makefile

@@ -6,7 +6,7 @@ include ../gluon.mk
 
 define Package/gluon-wan-dnsmasq
   TITLE:=Support for a secondary DNS server using the WAN interface
-  DEPENDS:=+gluon-core +libubus-lua +dnsmasq +libpacketmark
+  DEPENDS:=+gluon-core +libubus-lua +dnsmasq-full +libpacketmark
 endef
 
 define Package/gluon-wan-dnsmasq/description

targets/generic

@@ -42,6 +42,15 @@ try_config('PACKAGE_usbip', false) -- fails to build
 
 try_config('PACKAGE_ATH_DEBUG', true)
 
+try_config('PACKAGE_dnsmasq_full_dhcpv6', false)
+try_config('PACKAGE_dnsmasq_full_auth', false)
+try_config('PACKAGE_dnsmasq_full_ipset', false)
+try_config('PACKAGE_dnsmasq_full_nftset', false)
+try_config('PACKAGE_dnsmasq_full_conntrack', false)
+try_config('PACKAGE_dnsmasq_full_noid', false)
+try_config('PACKAGE_dnsmasq_full_broken_rtc', false)
+try_config('PACKAGE_dnsmasq_full_rtc', false)
+
 try_config('TARGET_SQUASHFS_BLOCK_SIZE', 256)
 
 config('KERNEL_PROC_STRIPPED', true)
@@ -81,6 +90,7 @@ config('GLUON_MINIFY', istrue(env.GLUON_MINIFY))
 
 packages {
 	'-ca-bundle',
+	'-dnsmasq',
 	'-kmod-ipt-offload',
 	'-kmod-nft-offload',
 	'-libustream-wolfssl',