[conspire] Unbound + dnsmasqd on openwrt

Ivan Sergio Borgonovo mail at webthatworks.it
Wed Apr 5 03:18:22 PDT 2017


On 04/05/2017 02:21 AM, Rick Moen wrote:
> Quoting Ivan Sergio Borgonovo (mail at webthatworks.it):
>
>> Ok dnsmasqd and unbound are working.
>
> Yay.  I'll assume you know how to use dig (or delv[1], or nslookup) to
> verify correct operation through throwing queries at stuff.

>> luci (the web interface of openwrt) doesn't let you change the server=
>> configuration option. Fortunately luci doesn't mess with
>> /etc/dnsmasqd.conf; it just sources it with
>>
>> conf-file=/etc/dnsmasq.conf
>
> Just to make sure I didn't mislead, I was going by vague recollection
> and a couple of Web-search hits about what Dnsmasq file to tweak.  You
> may notice that I said just 'dnsmasq.conf' without claiming to know
> where it is -- because I'd be wrong if I said that.  ;->  Point is,
> please don't take what I wrote as a Word of God recipe details, but
> rather as 'I guesstimate that something like this will work fine, or
> ought to.'  (I've tested exactly nothing in that discussion, except
> where I said otherwise.)

> OTOH, you said 'are working'.  ;->

Yeah, I discovered it was working in a more convoluted way.
Clearly it was resolving on my LAN; I had wiped resolv.conf, so apparently 
there was no way to resolve other than asking a recursive DNS.
But strangely /etc/dnsmasqd.conf didn't contain ANY other relevant 
option I had set through the web interface.
So I killed unbound and the LAN was not resolving DNS anymore.
Not really satisfied, I grepped the /etc directory to see where the 
other options were. No trace.
ps told me what configuration file dnsmasqd was actually using.
Then what I found started to make sense.

>> Potentially I'm planning to serve up real _public_ authoritative DNS
>> records.  It depends on if I'll be able to get a/some static IP and a
>> fatter upstream.
>
> Realistically speaking for most Internet domains' authoritative DNS in
> most situations, it's not even necessary to have gigabit ethernet ports
> in order to avoid being bottlenecked on bandwidth.  (Of course, all

My current 30Mbit/3Mbit contract costs the same as a 1Gbit contract now.
I'm planning to change contract just for that, and if I succeed in 
getting a public IP I may consider maintaining my zone on my LAN DNS.
It depends on what I'm able to get.

Now here they sell IP connectivity and VoIP bundled. Getting just the IP 
connection without VoIP is inexplicably more expensive, even though they 
give you VoIP flat rates.
I'd like to keep my old phone number, but my phone number is personal 
and not associated with my business.
They generally give public IPs to business contracts.

Now it seems they are unable/unwilling to move a personal contract to a 
business contract while keeping the same phone number.
So I would have to move the phone number to a personal contract and then 
convert the personal contract into a business one.

It has costs and it takes time. And yeah... it doesn't make sense.
Not to mention that I may lose my IPv6.
«Porco Giuda» «Devo lavorare con persone idiota!» [1] (roughly: "Bloody 
Judas! I have to work with idiot people!")

Now if I'm very lucky I'll have a 1Gbit pipe and a *single* static 
IP. With a single static IP I could continue to delegate the management 
of my LAN zone to my ISP (someone that manages a cloud server for me, not 
the telco).

But if I'm able to get more than one static IP it could make sense to 
delegate my home zone to my infrastructure at home; it could be fun.

I think I have a couple of books about BIND. I've read them and I think 
I've understood enough to try some simple setup.
Managing DNS is delicate, but in this case I can afford errors while 
learning.

> This is my being stubbornly careful, but:  When commodity ARM SoCs can
> run the kernel.org armhf (etc.) kernel, though, that's the day I'll no
> longer rule them out for Internet-facing or security-sensitive
> deployments.  (The fact that each ARM board needs a special-snowflake
> bootloader is also something that gives me pause.)

To my understanding there are enough (not too many) boards that can 
run Debian.
The problem is "not too many". If you'd like to replace a server you'd 
like to have at least a couple of Gigabit eth ports and reliable storage.
That still implies SATA.
That's enough to turn "not too many" into "none".

For routers you don't need SATA; you'd like to have as much as possible 
in (nearly) read-only storage and just a few bits in r/w.
This requirement changes the hardware "layout" enough that you're not 
going to be able to install a "general purpose" distribution.

Then you may be interested in AES-NI for VPN -> the x86 route.

>> I'm looking around for something more powerful but still the best
>> option seems some kind of x86 board from pc-engines.

> You've pointed to these before, and they look really good.

Well, working in the embedded business, it still looks so unsatisfactory.

>> If I'll really set up a publicly exposed authoritative DNS some kind
>> of containerization would come handy and I'm worried performance
>> will be terrible on ARM.

> Agreed.  Based on what I know of the current state of the product space,
> I'd consider ARM too risky as to performance and too funky about
> software support to bet a key production service on.  Something very
> standard and very fungible seems a much better bet.

As said, it is not as bad as it may seem, but at the end of the day it 
is bad enough ;)

[1] Dr. Emilio Lizardo (BTW s/idiota/idiote/)
Lizardo sounds more like a Spanish surname than an Italian one. Still, 
we've been invaded by the Spanish. I'd still say his accent is neither 
Italian nor Spanish, but fun.

The way the Latin neuter plural/singular accusative moved back into 
Italian vs English is fun and has strange effects on English-speaking 
people trying to decline words that are completely unrelated to the 
plural/singular accusative in Italian.

-- 
Ivan Sergio Borgonovo
http://www.webthatworks.it http://www.borgonovo.net
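A check for the situation described in the message above, as an added
example that is not part of the original post and not code from
OpenWrt, dnsmasq or unbound: given the dnsmasq command line that ps
shows, it finds the config file dnsmasq really loads, follows conf-file=
includes, and lists every server= upstream in the chain. The generated
file path under /var/etc, the contents of both files, the stale
192.0.2.53 upstream and unbound listening on port 5335 are constructed
assumptions for the demo, not values taken from the thread.

```shell
#!/bin/sh
# Added example (not from the original post): trace which config files a
# running dnsmasq really reads and which upstreams it forwards to.
# All paths, file contents and the port 5335 are constructed for the demo.

# Config path from a dnsmasq command line (-C FILE, -CFILE or
# --conf-file=FILE); dnsmasq's compiled-in default when none is given.
dnsmasq_conf_from_cmdline() {
    # shellcheck disable=SC2086  # word splitting of the cmdline is wanted
    set -- $1
    while [ $# -gt 0 ]; do
        case $1 in
            -C)            printf '%s\n' "$2"; return 0 ;;
            -C?*)          printf '%s\n' "${1#-C}"; return 0 ;;
            --conf-file=*) printf '%s\n' "${1#--conf-file=}"; return 0 ;;
        esac
        shift
    done
    printf '%s\n' /etc/dnsmasq.conf
}

# Every file dnsmasq will read, in load order, following conf-file= lines
# (conf-dir= is not expanded here). Unreadable files are still listed so
# a dangling include is visible.
dnsmasq_conf_chain() {
    printf '%s\n' "$1"
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*conf-file=//p' "$1" | while IFS= read -r inc; do
        dnsmasq_conf_chain "$inc"
    done
}

# Every server= target across the whole chain. With several server= lines
# and neither strict-order nor all-servers, dnsmasq may hand any query to
# any of them, so a stale ISP entry silently bypasses the local unbound.
dnsmasq_upstreams() {
    dnsmasq_conf_chain "$1" | while IFS= read -r f; do
        if [ -r "$f" ]; then sed -n 's/^[[:space:]]*server=//p' "$f"; fi
    done
}

# 0 if every upstream is a loopback address (everything goes through the
# local validating resolver); 1, with the offending lines on stderr,
# otherwise. Per-domain forms like server=/lan/192.0.2.1 are reported too.
dnsmasq_only_local_upstreams() {
    bad=$(dnsmasq_upstreams "$1" |
          grep -Ev '^127\.[0-9.]+(#[0-9]+)?$|^::1(#[0-9]+)?$' || :)
    if [ -n "$bad" ]; then
        printf 'non-local upstream: %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# --- constructed demo data: stands in for the file OpenWrt's init script
# generates and the hand-edited /etc/dnsmasq.conf (assumed layout) ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
GEN_CONF="$DEMO_DIR/var/etc/dnsmasq.conf.cfg01411c"   # what -C points at
ETC_CONF="$DEMO_DIR/etc/dnsmasq.conf"                 # what luci sources
mkdir -p "$DEMO_DIR/var/etc" "$DEMO_DIR/etc"
cat >"$GEN_CONF" <<EOF
# generated file (constructed): a leftover ISP upstream is still in here
no-resolv
server=192.0.2.53
conf-file=$ETC_CONF
EOF
cat >"$ETC_CONF" <<'EOF'
# hand-edited file (constructed): forward everything to unbound on loopback
server=127.0.0.1#5335
EOF
DEMO_CMDLINE="dnsmasq -C $GEN_CONF -k -x /var/run/dnsmasq.pid"

conf=$(dnsmasq_conf_from_cmdline "$DEMO_CMDLINE")
echo "dnsmasq reads:";  dnsmasq_conf_chain "$conf"
echo "upstreams:";      dnsmasq_upstreams "$conf"
dnsmasq_only_local_upstreams "$conf" ||
    echo "some queries can bypass the local validating resolver"
```

On the router you would feed the function the argument string that
ps shows for the dnsmasq process instead of DEMO_CMDLINE, then confirm
the result the way the quoted reply suggests, by sending queries with
dig at the router and at unbound directly and comparing the answers.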