-adding DNS exit-from-mesh functionality to gnunet-service-dns

author: Christian Grothoff <christian@grothoff.org> 2012-01-18 20:43:25 +0000
committer: Christian Grothoff <christian@grothoff.org> 2012-01-18 20:43:25 +0000
commit: c37fba0bd9febb11297ebca62a58935276130244 (patch)
tree: 45cf17c2f0f4ffd0daa2b77181f8cc63a3445ffa /src/dns/dns.conf.in
parent: 6b2fb63de633b086a91e7733ca0dd5591198c20c (diff)
download: gnunet-c37fba0bd9febb11297ebca62a58935276130244.tar.gz
gnunet-c37fba0bd9febb11297ebca62a58935276130244.zip
1 files changed, 24 insertions, 1 deletions
diff --git a/src/dns/dns.conf.in b/src/dns/dns.conf.in
index a99f7fec3..d2c67958a 100644
--- a/src/dns/dns.conf.in
+++ b/src/dns/dns.conf.in
@@ -1,17 +1,34 @@
 [dns]
 AUTOSTART = YES
-@UNIXONLY@ PORT = 0
 HOSTNAME = localhost
 HOME = $SERVICEHOME
 CONFIG = $DEFAULTCONFIG
 BINARY = gnunet-service-dns
 UNIXPATH = /tmp/gnunet-service-dns.sock
+# Access to this service can compromise all DNS queries in this
+# system.  Thus access should be restricted to the same UID.
+# (see https://gnunet.org/gnunet-access-control-model)
 UNIX_MATCH_UID = YES
 UNIX_MATCH_GID = YES
+# As there is no sufficiently restrictive access control for TCP, 
+# we never use it, even if @UNIXONLY@ is not set (just to be safe)
+@UNIXONLY@ PORT = 0
+# This option should be set to YES to allow the DNS service to 
+# perform lookups against the locally configured DNS resolver.
+# (set to "NO" if no normal ISP is locally available and thus
+# requests for normal ".com"/".org"/etc. must be routed via 
+# the GNUnet VPN (the GNUNET PT daemon then needs to be configured
+# to intercept and route DNS queries via mesh).
 PROVIDE_EXIT = YES
+# Name of the virtual interface we use to intercept DNS traffic.
 IFNAME = gnunet-dns
 # Use RFC 3849-style documentation IPv6 address (RFC 4773 might provide an alternative in the future)
+# FIXME: or just default to a site-local address scope as we do for VPN!?
 IPV6ADDR = 2001:DB8::1
 IPV6PREFIX = 126
@@ -19,3 +36,9 @@ IPV6PREFIX = 126
 IPV4ADDR = 169.254.1.1
 IPV4MASK = 255.255.0.0
+# Enable GNUnet-wide DNS-EXIT service by setting this value to the IP address (IPv4 or IPv6)
+# of a DNS resolver to use.  Only works if "PROVIDE_EXIT" is also set to YES.  Must absolutely
+# NOT be an address of any of GNUnet's virtual tunnel interfaces.  Use a well-known
+# public DNS resolver or your ISP's resolver from /etc/resolv.conf.
+# DNS_EXIT = 8.8.8.8
author	Christian Grothoff <christian@grothoff.org>	2012-01-18 20:43:25 +0000
committer	Christian Grothoff <christian@grothoff.org>	2012-01-18 20:43:25 +0000
commit	c37fba0bd9febb11297ebca62a58935276130244 (patch)
tree	45cf17c2f0f4ffd0daa2b77181f8cc63a3445ffa /src/dns/dns.conf.in
parent	6b2fb63de633b086a91e7733ca0dd5591198c20c (diff)
download	gnunet-c37fba0bd9febb11297ebca62a58935276130244.tar.gz gnunet-c37fba0bd9febb11297ebca62a58935276130244.zip

diff --git a/src/dns/dns.conf.in b/src/dns/dns.conf.in index a99f7fec3..d2c67958a 100644 --- a/src/dns/dns.conf.in +++ b/src/dns/dns.conf.in
@@ -1,17 +1,34 @@
1	[dns]	1	[dns]
2	AUTOSTART = YES	2	AUTOSTART = YES
3	@UNIXONLY@ PORT = 0
4	HOSTNAME = localhost	3	HOSTNAME = localhost
5	HOME = $SERVICEHOME	4	HOME = $SERVICEHOME
6	CONFIG = $DEFAULTCONFIG	5	CONFIG = $DEFAULTCONFIG
7	BINARY = gnunet-service-dns	6	BINARY = gnunet-service-dns
8	UNIXPATH = /tmp/gnunet-service-dns.sock	7	UNIXPATH = /tmp/gnunet-service-dns.sock
		8
		9	# Access to this service can compromise all DNS queries in this
		10	# system. Thus access should be restricted to the same UID.
		11	# (see https://gnunet.org/gnunet-access-control-model)
9	UNIX_MATCH_UID = YES	12	UNIX_MATCH_UID = YES
10	UNIX_MATCH_GID = YES	13	UNIX_MATCH_GID = YES
		14
		15	# As there is no sufficiently restrictive access control for TCP,
		16	# we never use it, even if @UNIXONLY@ is not set (just to be safe)
		17	@UNIXONLY@ PORT = 0
		18
		19	# This option should be set to YES to allow the DNS service to
		20	# perform lookups against the locally configured DNS resolver.
		21	# (set to "NO" if no normal ISP is locally available and thus
		22	# requests for normal ".com"/".org"/etc. must be routed via
		23	# the GNUnet VPN (the GNUNET PT daemon then needs to be configured
		24	# to intercept and route DNS queries via mesh).
11	PROVIDE_EXIT = YES	25	PROVIDE_EXIT = YES
		26
		27	# Name of the virtual interface we use to intercept DNS traffic.
12	IFNAME = gnunet-dns	28	IFNAME = gnunet-dns
13		29
14	# Use RFC 3849-style documentation IPv6 address (RFC 4773 might provide an alternative in the future)	30	# Use RFC 3849-style documentation IPv6 address (RFC 4773 might provide an alternative in the future)
		31	# FIXME: or just default to a site-local address scope as we do for VPN!?
15	IPV6ADDR = 2001:DB8::1	32	IPV6ADDR = 2001:DB8::1
16	IPV6PREFIX = 126	33	IPV6PREFIX = 126
17		34
@@ -19,3 +36,9 @@ IPV6PREFIX = 126
19	IPV4ADDR = 169.254.1.1	36	IPV4ADDR = 169.254.1.1
20	IPV4MASK = 255.255.0.0	37	IPV4MASK = 255.255.0.0
21		38
		39	# Enable GNUnet-wide DNS-EXIT service by setting this value to the IP address (IPv4 or IPv6)
		40	# of a DNS resolver to use. Only works if "PROVIDE_EXIT" is also set to YES. Must absolutely
		41	# NOT be an address of any of GNUnet's virtual tunnel interfaces. Use a well-known
		42	# public DNS resolver or your ISP's resolver from /etc/resolv.conf.
		43	# DNS_EXIT = 8.8.8.8
		44