gluon-core: remove DNS cache feature
dnsmasq's caching is severely broken and does not handle all answer records equally. In particular, its cached answers are missing DNSKEY and DS records, breaking DNSSEC validation on clients. Remove the cache for now. It may return if dnsmasq is fixed or we switch to a different resolver.
parent d06427d469
commit d02735041e
@@ -1,41 +0,0 @@
-DNS caching
-===========
-
-User experience may be greatly improved when dns is accelerated. Also, it
-seems like a good idea to keep the number of packages being exchanged
-between node and gateway as small as possible. In order to do this, a
-DNS cache may be used on a node. The dnsmasq instance listening on port
-53 on the node will be reconfigured to answer requests, use a list of
-upstream servers and a specific cache size if the options listed below are
-added to site.conf. Upstream servers are the DNS servers which are normally
-used by the nodes to resolve hostnames (e.g. gateways/supernodes).
-
-There are the following settings:
-  servers
-  cacheentries
-
-If both options are set the node will cache as much DNS records as set with
-'cacheentries' in RAM. The 'servers' list will be used to resolve the received
-DNS queries if the request cannot be answered from cache.
-If these settings do not exist, the cache is not intialized and RAM usage will not increase.
-
-When next_node.name is set, an A record and an AAAA record for the
-next-node IP address are placed in the dnsmasq configuration. This means that the content
-of next_node.name may be resolved even without upstream connectivity.
-
-::
-
-  dns = {
-    cacheentries = 5000,
-    servers = { '2001:db8::1', },
-  },
-
-  next_node = {
-    name = 'nextnode',
-    ip6 = '2001:db8:8::1',
-    ip4 = '198.51.100.1',
-  }
-
-
-The cache will be initialized during startup.
-Each cache entry will occupy about 90 bytes of RAM.
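Review bot: this removed page was the only place that documented the `dns.cacheentries` key, and nothing in the commit tells a site maintainer that the key is now ignored; add one sentence to the new forwarder page or to the release notes saying that `dns.cacheentries` has no effect any more and can be dropped from site.conf. The other content of the page (the upstream `servers` list, resolution of `next_node.name` without upstream connectivity) survives in the new dns-forwarder page, so nothing else needs to be carried over.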
docs/features/dns-forwarder.rst
Normal file
@@ -0,0 +1,26 @@
+DNS forwarder
+=============
+
+A Gluon node can be configured to act as a DNS forwarder. Requests for the
+next-node hostname(s) can be answered locally, without querying the upstream
+resolver.
+
+**Note:** While this reduces answer time and allows to use the next-node
+hostname without upstream connectivity, this feature should not be used for
+next-node hostnames that are FQDN when the zone uses DNSSEC.
+
+One or more upstream resolvers can be configured in the *dns.servers* setting.
+When *next_node.name* is set, A and/or AAAA records for the next-node IP
+addresses are placed in the dnsmasq configuration.
+
+::
+
+  dns = {
+    servers = { '2001:db8::1', },
+  },
+
+  next_node = {
+    name = { 'nextnode.location.community.example.org', 'nextnode', 'nn' },
+    ip6 = '2001:db8:8::1',
+    ip4 = '198.51.100.1',
+  }
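Review bot: the **Note:** paragraph tells readers not to use a DNSSEC-signed FQDN as a next-node name but not why, which makes it easy to ignore; one sentence would make it actionable: the A/AAAA records dnsmasq synthesises for `next_node.name` carry no RRSIG, so a validating client asking for a name inside a signed zone will reject the unsigned local answer (usually surfacing as SERVFAIL), whereas short names outside any signed zone such as `nextnode` or `nn` are unaffected. The example that mixes `nextnode.location.community.example.org` with the short names would be a good place to say that only the FQDN is subject to this caveat. Minor wording: `allows to use` should read `allows using`.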
@@ -23,7 +23,7 @@ Several Freifunk communities in Germany use Gluon as the foundation of their Fre
   features/wlan-configuration
   features/private-wlan
   features/wired-mesh
-  features/dns-cache
+  features/dns-forwarder
   features/monitoring
   features/authorized-keys
   features/roles
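Review bot: renaming the toctree entry matches the new file, but it also drops `features/dns-cache` from the documentation build, so every remaining `:doc:` reference to the old page has to go in the same commit or Sphinx will fail on an unknown target; the release-notes hunk below removes the one in v2017.1, and a `grep -r dns-cache docs/` before merging confirms there are no others.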
@@ -88,8 +88,6 @@ New features
 * Add support for making nodes a DNS cache for clients
   (`#1000 <https://github.com/freifunk-gluon/gluon/issues/1000>`_)
-
-  See also: :doc:`../features/dns-cache`
 
 * Add L2TP via tunneldigger as an alternative VPN system
   (`#978 <https://github.com/freifunk-gluon/gluon/issues/978>`_)
 
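Review bot: removing the `See also` line is required because its target no longer exists, but the v2017.1 entry still presents the DNS cache as a current feature; keep the historical entry as it is and make sure the next release's notes carry a matching removal entry that repeats the reason from the commit message (cached answers lack DNSKEY and DS records and break DNSSEC validation on clients), since the release notes are where site maintainers will look when `dns.cacheentries` silently stops having an effect.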
@@ -40,7 +40,6 @@ end
 
 need_boolean('poe_passthrough', false)
 if need_table('dns', nil, false) then
-  need_number('dns.cacheentries', false)
   need_string_array_match('dns.servers', '^[%x:]+$', false)
 end
 
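Review bot: dropping `need_number('dns.cacheentries', false)` means a site.conf that still carries the key now passes the site check silently instead of producing any hint that the value is ignored; if the checker has a way to flag obsolete keys, this is the place to use it, otherwise a release-notes entry is the minimum. Unrelated to this change but worth noting for the new forwarder documentation: the remaining `need_string_array_match('dns.servers', '^[%x:]+$', false)` only admits bare IPv6 addresses (hex digits and colons), so the page advertising `dns.servers` should say so.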
@@ -13,11 +13,7 @@ else
   uci:delete('dhcp', dnsmasq, 'server')
 end
 
-if site.dns and site.dns.cacheentries then
-  uci:set('dhcp', dnsmasq, 'cachesize', site.dns.cacheentries)
-else
-  uci:delete('dhcp', dnsmasq, 'cachesize')
-end
+uci:delete('dhcp', dnsmasq, 'cachesize')
 
 if site.next_node and site.next_node.name and site.next_node.ip4 then
   uci:section('dhcp','domain','nextnode4',{
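Review bot: unconditionally deleting `cachesize` clears the value left behind on upgraded nodes, but it does not switch caching off: with the UCI option absent, no `--cache-size` is passed (unless the OpenWrt init script supplies one) and dnsmasq falls back to its built-in default of 150 cached names, so the problem from the commit message (cached answers without DNSKEY/DS records) persists at a smaller scale. If the intent is "no cache", set the option explicitly, e.g. `uci:set('dhcp', dnsmasq, 'cachesize', '0')`, which makes dnsmasq forward every query; if the default-sized cache is acceptable, the commit message should say so rather than "remove the cache".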
Loading…
Reference in New Issue
Block a user