Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fallback blocklist-source #313

Open
GitUser200607 opened this issue May 16, 2023 · 12 comments
Open

Fallback blocklist-source #313

GitUser200607 opened this issue May 16, 2023 · 12 comments

Comments

@GitUser200607
Copy link

GitUser200607 commented May 16, 2023
edited
Loading

We have blocklist-remote.toml:

[groups.cloudflare-blocklist]
type = "blocklist-v2"
resolvers = ["cloudflare-dot"]
blocklist-refresh = 86400
blocklist-source = [
   {format = "domain", source = "https://raw.githubusercontent.com/cbuijs/accomplist/master/deugniets/routedns.blocklist.domain.list", allow-failure = true},
]

But if I use my web-server as source and it goes to maintenance, AND my router tries to get this BLOCKING-rules file, it will not use it and I dont want it.

Can I mix rules or use some FALLBACK option to use LOCAL source like:

blocklist-source  = [
  {format = "domain", source = "./example-config/domains.txt"},
]

Is there any way to reach this:

[groups.cloudflare-blocklist]
type = "blocklist-v2"
resolvers = ["cloudflare-dot"]
blocklist-refresh = 86400
blocklist-source = [
   {format = "domain", source = "https://raw.githubusercontent.com/cbuijs/accomplist/master/deugniets/routedns.blocklist.domain.list", use-fallback = true},
   {format = "domain", source = "./example-config/domains.txt"},
]

I will explain: if the file routedns.blocklist.domain.list is not available, routeDNS will use local domains.txt.
@cbuijs
Copy link
Contributor

cbuijs commented May 16, 2023

Add cache-dir to the config per list.

@GitUser200607
Copy link
Author 

[groups.cloudflare-blocklist]
type      = "blocklist-v2"
resolvers = ["cloudflare-dot"]
blocklist-refresh = 86400 # Time to refresh the blocklist(s) in seconds
blocklist-source = [
   {format = "domain", source = "https://raw.githubusercontent.com/GitUser200607/RouteDNS-BlockLists/main/domains.txt", cache-dir = "tmp/shares/sda/A", allow-failure = true},
]

In this case I get the error:
WARN[0480] failed to load blocklist, continuing with previous ruleset error="Get \"https://raw.githubusercontent.com/GitUser200607/RouteDNS-BlockLists/main/domains.txt\": tls: failed to verify certificate: x509: certificate signed by unknown authority" url="https://raw.githubusercontent.com/GitUser200607/RouteDNS-BlockLists/main/domains.txt"

@GitUser200607
Copy link
Author

GitUser200607 commented May 16, 2023
edited
Loading

By the way, I pointed to CA:

[resolvers.cloudflare-dot]
address = "1.1.1.1:853"
protocol = "dot"
ca = "/tmp/shares/sda/A/ca-bundle.crt"

@cbuijs
Copy link
Contributor

cbuijs commented May 17, 2023

In this case I get the error: WARN[0480] failed to load blocklist, continuing with previous ruleset error="Get \"https://raw.githubusercontent.com/GitUser200607/RouteDNS-BlockLists/main/domains.txt\": tls: failed to verify certificate: x509: certificate signed by unknown authority"

The ruleset-error is normal, and the previous version in the cache-dir will be used. The error is there because the list cannot be downloaded and shows the fallback actually works.

The TLS error I didn't see before, and not sure if this breaks the process or not. Maybe @folbricht can shed some light on this.

@GitUser200607
Copy link
Author

GitUser200607 commented May 18, 2023
edited
Loading

Can I use ca ="/tmp/shares/sda/A/ca-bundle.crt" in [groups.cloudflare-blocklist]? or this key is only for resolvers like [resolvers.cloudflare-dot]?

@GitUser200607
Copy link
Author

I tried this config:

[groups.cloudflare-blocklist]
type      = "blocklist-v2"
resolvers = ["cloudflare-dot"]
blocklist-refresh = 86400 # Time to refresh the blocklist(s) in seconds
blocklist-source = [
   {format = "domain", source = "/tmp/shares/sda/A/domains.txt"},
   {format = "domain", source = "https://raw.githubusercontent.com/GitUser200607/RouteDNS-BlockLists/main/domains.txt"},
]

But got the error: Error: cloudflare-blocklist: Get "https://raw.githubusercontent.com/GitUser200607/RouteDNS-BlockLists/main/domains.txt": dial tcp: lookup raw.githubusercontent.com on 127.0.0.1:53: read udp 127.0.0.1:57866->127.0.0.1:53: read: connection refused

@folbricht
Copy link
Owner

The ca= setting only works when used for resolvers that use TLS. It won't affect blocklist downloads via TLS. There's currently no config option to control what CAs are trusted during blocklist download. It just uses the operating system's trust store. This means that the error you saw

WARN[0480] failed to load blocklist, continuing with previous ruleset  error="Get \"https://raw.githubusercontent.com/GitUser200607/RouteDNS-BlockLists/main/domains.txt\": tls: failed to verify certificate: x509: certificate signed by unknown authority" url="https://raw.githubusercontent.com/GitUser200607/RouteDNS-BlockLists/main/domains.txt"

indicates that your OS doesn't trust the CA that was used to sign raw.githubusercontent.com for some reason. Is that expected? Does the host (or container?) you're running this on not have a CA-pack installed? You can try to run curl -v https://raw.githubusercontent.com on the same machine to confirm.

The 2nd error dial tcp: lookup raw.githubusercontent.com on 127.0.0.1:53: read udp 127.0.0.1:57866->127.0.0.1:53: read: connection refused looks like a name resolution issue. It's trying to resolve the hostname on 127.0.0.1:53 but there's nothing listening there. This looks like a simple misconfiguration. Do you have any bootstrap resolvers setup in your config?

@GitUser200607
Copy link
Author

GitUser200607 commented May 27, 2023
edited
Loading

  1. I use rooted router Sercomm, but I dont have access to trust store, that's why I used ca option.
~ # curl -v https://raw.githubusercontent.com
* Rebuilt URL to: https://raw.githubusercontent.com/
* Protocol "https" not supported or disabled in libcurl
* Closing connection -1
curl: (1) Protocol "https" not supported or disabled in libcurl

My full config is:

[resolvers.adguard-doh-post-bootstrap]
address = "https://family.adguard-dns.com/dns-query"
protocol = "doh"
bootstrap-address = "94.140.14.15"
ca = "/tmp/shares/sda/A/ca-bundle.crt"

[groups.adguard-blocklist]
type      = "blocklist-v2"
resolvers = ["adguard-doh-post-bootstrap"]
blocklist-refresh = 86400 # Time to refresh the blocklist(s) in seconds
blocklist-source = [
   {format = "domain", source = "/tmp/shares/sda/A/domains.txt"},
  {format = "domain", source = "https://raw.githubusercontent.com/GitUser200607/RouteDNS-BlockLists/main/domains.txt"},
]

[listeners.local-udp]
address = ":53"
protocol = "udp"
resolver = "adguard-blocklist"

[listeners.local-tcp]
address = ":53"
protocol = "tcp"
resolver = "adguard-blocklist"

And with this config I get the error:
Error: adguard-blocklist: Get "https://raw.githubusercontent.com/GitUser200607/RouteDNS-BlockLists/main/domains.txt": dial tcp: lookup raw.githubusercontent.com on 127.0.0.1:53: read udp 127.0.0.1:42047->127.0.0.1:53: read: connection refused

@folbricht
Copy link
Owner

This config looks good. The issue is that the process on your router doesn't trust public certificates either because it doesn't have those CAs in the OS, or you don't have access to them (likely the former).

There a few options to deal with this:

  1. You don't pull the blocklist via https, so source = "https://raw.githubusercontent.com/... would have to reference like a local file, or a non-TLS URL (http://) Not sure this is an option for you though, if the blocklist is available via plain HTTP somewhere
  2. You download the DigiCert Global Root CA and DigiCert TLS RSA SHA256 2020 CA1 from https://www.digicert.com/kb/digicert-root-certificates.htm manually and install them on your router (somewhere like /etc/ssl/certs).
  3. I add a flag to ignore TLS name mismatches in routedns for blocklist downloads. Not ideal since that'd make the connection insecure.
  4. A new option so set a CA for blocklist downloads, similar to how it's done for resolvers. You'd still need the 2 certs from point 2 in your CA file though.

@folbricht
Copy link
Owner

Also can you check your router has DNS working at all? The error above isn't actually about cert-mismatches, but a resolution failure. Something like dig raw.githubusercontent.com, nslookup raw.githubusercontent.com, or ping raw.githubusercontent.com maybe should tell you.

@GitUser200607
Copy link
Author

nslookup is working with commented string:
{format = "domain", source = "https://raw.githubusercontent.com/GitUser200607/RouteDNS-BlockLists/main/domains.txt"},
The result is:

/mnt/shares/sda/A> nslookup raw.githubusercontent.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost

Name:      raw.githubusercontent.com
Address 1: 2606:50c0:8003::154
Address 2: 185.199.108.133 cdn-185-199-108-133.github.com
Address 3: 185.199.109.133 cdn-185-199-109-133.github.com
Address 4: 185.199.110.133 cdn-185-199-110-133.github.com
Address 5: 185.199.111.133 cdn-185-199-111-133.github.com
Response : 87ms

@GitUser200607
Copy link
Author

GitUser200607 commented May 27, 2023
edited
Loading

And I prefer option 4 to point to local certs from my USB.
What version of RouteDNS will have it?

@GitUser200607 GitUser200607 reopened this May 27, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@folbricht @cbuijs @GitUser200607