Contributed by rueda on from the relax-on-the-go dept.
Florian Obser (florian@) kindly wrote in with news on some recent work:
DNS is easy. You fire up your browser, enter undeadly.org in its address bar and sooner or later you reach your favourite OpenBSD journal.
Well, not quite.
The first question that arises is what to put into /etc/resolv.conf. The answer is usually whatever dhclient(8) puts there. This is probably fine if you find yourself in a well-run network.
But if you are moving around with your laptop a lot, sooner or later you will find yourself in a poorly administered network. The dhcp-provided nameserver might be slow or not answering at all or it might have its own ideas what DNS is all about and fiddles with the answers.
Maybe you are so mobile that you not only connect to different Wi-Fis but you are also on mobile data (umb(4)). There is no dhcp there, instead the kernel negotiates things and you can get your nameservers via an ioctl(2). So you have to fiddle with /etc/resolv.conf by hand.
You say you are already living in the future and you get your nameservers via IPv6 router advertisements? Tough luck, get out your editor again. And hope that you have root on the machine and are allowed to play around with /etc/resolv.conf
Proponents of the UNIX arts-and-crafts movement just run unbound(8) on localhost. Which works reasonably well until you are behind a captive portal and you have to use the dhcp-provided nameservers until you accept the terms and conditions. So you bring out your editor again…
I think we can do better here.
This is where unwind(8) comes in. It is intended to always run and be reachable from localhost. It has to be at least as good as what we currently have. If you are in a network where the dhcp-provided nameserver works, then adding unwind(8) to the mix must not break things. Unwind(8) achieves this by observing and actively probing the network to see what works.
Unbound(8) cannot do this and it does not try to do it. It is intended for a different problem. It requires a certain quality of the network it finds itself in. This is something you run on a server in a data center. If the network is not good you fix the network.
Unwind(8) is quite young, I started hacking on it December 13 2018. While it is already usable, it is under active development and progress is fast. Here are some of the features that already work or are being worked on:
- be able to always run,
- be at least as good as asking dhcp nameservers,
- opportunistic DNSSEC validation; once validation works do not allow a downgrade unless the laptop moves to a different network,
- knob for strict mode, always require working DNSSEC validation,
- detect captive portals,
- DNS over TLS
Thanks very much, Florian, for the report and the work (which is bound to be welcomed widely).
(Comments are closed)
By Alen Mistric (alenmeister) alen@mistric.no on
Two thumbs up, @florian!
By Peter J. Philipp (pjp) nospam@centroid.eu on https://centroid.eu
sounds very interesting. Is this in direct competition with rebound too? With DNS over TLS this seems to be taking a direction away from rebound where rudamentary DoH (DNS over HTTPS) support was added (unless I was dreaming that).
If I had the choice I'd probably take unwind over rebound. Perhaps the two projects (unwind and rebound) can aggregate energies to be even more rocking.
Comments
By Peter J. Philipp (pjp) nospam@centroid.eu on https://centroid.eu
Sorry I just realised I sounded political. That wasn't my intention, but what's said is said...:-(