Because the ISP-assigned nameservers do not have any TLS-hostname
information they cannot be used, when TLS is activated.
They only can be used if they will be added as "regular" DNS servers
with a TLS-hostname.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This is no longer required since we have a new CGI script
that takes care of all DNS settings and stores things in
another format.
Fixes: #12235
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
I do not know why perl when using "le" which means "less-or-equal"
defines a "10" as "1".
This commit fixes the issue that it was not possible to add more than 8
nameservers.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Otherwise it may happen, that the created config files have wrong
permissions and the WUI will break.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
When the DNS configuration of the system is changed,
we need to re-generate the file which contains the DNS Server
details for suricata and to restart the service.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The function now uses the newly introduced get_nameservers() function
while generating the DNS servers file.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This function simply return an array of all used nameservers.
It also takes care if the usage of ISP assigned nameservers
is enabled or not and if user-added nameservers are enabled or not.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
In the past this code was used to add the DNS servers
to the ignore list and prevent them from being blocked by
guardian.
Because of the switch to suricata as IPS, guardian now prevents
from password brute-forcing on SSH and/or the webserver, so this
code is not longer needed and safly can be removed.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
For this, a test query to the local unbound instance will be
sent and if the DNS system work properly can be answerd.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Since DNSSEC relies on time to validate its signatures,
a common problem is that some systems (usually those without
a working RTC) are not being able to reach their time server.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
When the system comes online, we must update entries
in the unbound cache to point to the "safe" IP addresses.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Those checks have caused us a lot of trouble and are now being dropped.
Users must make sure to choose servers that support DNSSEC or enable
any of the tunneling mechanisms to be able to reach them.
Fixes: #12239
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The old configuration file in /etc/sysconfig/unbound is no
longer being used and all settings should be in
/var/ipfire/dns/settings.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
It was incorrect to use forward zones here, because that
assumes that unbound is talking a recursive resolver here.
The feature is however designed to be talking to an authoritative
server.
Fixes: #12230
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
