public inbox for cygwin@cygwin.com
* Re: resolv.conf and gnupg2
@ 2022-08-09  6:17 Brian Inglis
  2022-08-09 12:58 ` Christian Franke
  0 siblings, 1 reply; 7+ messages in thread
From: Brian Inglis @ 2022-08-09  6:17 UTC (permalink / raw)
  To: cygwin

[-- Attachment #1: Type: text/plain, Size: 1865 bytes --]

I've been running with /etc/resolv.conf for a few years now, generated 
from the ISP info from ipconfig and lists of public DNS servers and 
suffixes.

The attached postinstall script 0p_l_etc_resolv_conf.dash generates a 
new resolv.conf and replaces the current if different every update.
It is also run at cron startup and that covers system startup.

The AWK script collects names and addresses from ipconfig output and adds 
lists of public DNS servers and public suffixes in the proper order.

How this works with other ISPs or in other network environments is not 
anything I ever thought of testing externally.
Feel free to try it and change it if curious or interested.


I've been shuffling my keyservers since keyserver public key certificate 
poisoning started; currently I have the following formerly "safe" 
servers configured in ~/.gnupg/dirmngr.conf:

#keyserver hkp://pool.sks-keyservers.net
#keyserver hkps://hkps.pool.sks-keyservers.net
#keyserver hkp://keys.gnupg.net
keyserver hkps://keyserver.ubuntu.com
keyserver hkps://keys.openpgp.org
keyserver hkp://pgp.mit.edu
keyserver hkp://pgp.surf.nl

also in ~/.gnupg/gpg.conf:

#keyserver hkp://pool.sks-keyservers.net
#keyserver hkps://hkps.pool.sks-keyservers.net
#keyserver hkp://keys.gnupg.net
keyserver hkp://keyserver.ubuntu.com
keyserver hkps://keys.openpgp.org
keyserver hkp://pgp.mit.edu
keyserver hkp://pgp.surf.nl
#keyserver mailto:pgp-public-keys@keys.nl.pgp.net
#keyserver ldap://keyserver.pgp.com

I've also installed US DoD (for USNO data) and LE root CA certs and sub 
CA certs to extend access where not provided in Windows and/or Cygwin.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]

[-- Attachment #2: 0p_l_etc_resolv_conf.dash --]
[-- Type: text/plain, Size: 527 bytes --]

#!/bin/dash
# 0p_l_etc_resolv_conf.dash - update /etc/resolv.conf if changed

r=resolv
cr=/usr/local/bin/cyg-$r.awk
run=/var/run/${r}conf
rrc=$run/$r.conf
SYSCONFDIR=${SYSCONFDIR:-/etc}
conf=$SYSCONFDIR/$r.conf

# build a candidate file from ipconfig; if any step fails or the result
# is empty, leave the existing resolv.conf alone rather than truncating
# the run-time copy (which the `|| : > $rrc` fallback used to do when it
# was chained onto the whole && list)
/bin/mkdir -pv		-- $run/		&& \
ip=$(/usr/bin/which	-- ipconfig)		&& \
tmp=$(/bin/mktemp -t	-- .XXXXXXXX.)		&& \
$ip /all | $cr	 > $tmp				&& \
[ -s $tmp ]	|| { [ -n "$tmp" ] && /bin/rm -f -- "$tmp"; exit 1; }

# make sure the run-time copy exists before comparing against it
[ -w $rrc ]	|| : > $rrc
if ! /usr/bin/cmp -s	-- $tmp $rrc; then
    /bin/cp -fv		-- $tmp $rrc
    /bin/ln -frsTv	-- $rrc $conf
fi

/bin/rm -f		-- $tmp

[-- Attachment #3: cyg-resolv.awk --]
[-- Type: text/plain, Size: 4673 bytes --]

#!/usr/bin/awk -f
# cyg-resolv.awk - create Cygwin resolv.conf from Windows ipconfig /all output

function nextaddr( addr, name, ns, nameserveraddr, nameserverhostname	,private,n) {
    if (DEBUG) print addr, name, ns > DEBUG

    # private subnets
    private = (addr ~ p10 || addr ~ p172 || addr ~ p192)

    # default name
    if (private && !name)  { name = "private" }

    # private subnets come first if unoccupied
    if (private && !(0 in nameserveraddr)) {
	n = 0
    } else {
	n = ++ns
    }

    if (addr)   { nameserveraddr[n]	= addr }

    if (name)   { nameserverhostname[n] = name }

    if (DEBUG) print addr, name, ns > DEBUG

    return ns
}


function addrs( NS, nameserveraddr, ns,   c, l) {
# resolve the public name server names with getent, which prints each
# address once per socket type and the host name only on its first line:
# $ getent ahostsv4 $NS
# 1.0.0.1         STREAM      one.one.one.one
# 1.0.0.1         DGRAM       one.one.one.one
# 1.1.1.1         STREAM
# 1.1.1.1         DGRAM
# 149.112.112.112 0      dns.quad9.net
# 9.9.9.9         0
# 208.67.220.220  0      resolver2.opendns.com
# 208.67.222.222  0      resolver1.opendns.com
# 8.8.4.4         0      google-public-dns-b.google.com
# 8.8.8.8         0      google-public-dns-a.google.com
# 149.112.122.20  0      CAshieldProtected      
# 149.112.121.20  0
# nameserverhostname is deliberately not a parameter: it is the global
# array that nextaddr() fills in and END prints
    l = 0
    c = "/usr/bin/getent ahostsv4 " NS

    while ((c | getline) > 0) {
	if ($1 != l) {		# skip the repeated DGRAM line for each address
	    ns = nextaddr( $1, $3, ns, nameserveraddr, nameserverhostname)
	}

	l = $1
    }
    close(c)

    return ns
}


BEGIN {
# private subnets
    # digit patterns: \.[0[0]]0-255, \.[0]16-31
    # (dots are escaped so they match a literal "." and not any character)
    d0_255	= "(\\.(0{0,2}[0-9]|0{0,1}[1-9][0-9]|1[0-9][0-9]|2([0-4][0-9]|5[0-5])))"
    d16_31	= "\\.0?(1[6-9]|2[0-9]|3[01])"
    # 10.0.0.0-.255.255.255
    p10		= "^10" d0_255 "{3}$"
    # 172.16.0.0-.31.255.255
    p172	= "^172" d16_31 d0_255 "{2}$"
    # 192.168.0.0-.255.255
    p192	= "^192\\.168" d0_255 "{2}$"
# public name servers
# CIRA Canadian Shield Protected+malware+phishing
    NS   = "dns.quad9.net. one.one.one.one. "				\
	    "resolver2.opendns.com. resolver1.opendns.com. "		\
	    "google-public-dns-b.google.com. google-public-dns-a.google.com. " \
	    "CAshieldProtected"
    SUF  = "ca. org. com. net."
    CFHD = "# /etc/resolv.conf"
    CFHD = CFHD " - Internet Domain Name System resolver configuration file"
    CDS  = "# domain suffix"
    CSSL = "# suffix search list"
}


/\r/				{ sub( /\r/, "", $NF) }	# trim \r


# collect DNS domain suffixes
/D[Nn][Ss]\sSuffix[^:]*:\s\S/	{
    last = $NF
    if (last ~ /\./ && last !~ /\.$/)	last = last ".";	# add root dot

    if (!(last in domain)) {
	domain[last] = last
	domains = domains " " last
    }

    while (last ~ /\..+\..+/) {	# strip labels if more than two for domain
	sub(/^[^.]+./, "", last)
	if (last ~ /\./ && last !~ /\.$/)	last = last "."; # add root dot

	if (!(last in domain)) {
	    domain[last] = last
	    domains = domains " " last
	}
    }
}


# collect DNS search suffixes
/Search\sList[^:]*:\s\S/	{
    for (d in domain) {
	if (!(d in search))	search[d] = d

	if (d ~ /shaw[^.]+./) {
	    last = "shaw.ca."

	    if (!(last in search)) {
		search[last] = last
		domains = domains " " last
	    }
	}
    }

    last = $NF
    if (last ~ /\./ && last !~ /\.$/)	last = last ".";	# add root dot

    if (!(last in search)) {
	search[last] = last
	domains = domains " " last
    }

    while (last ~ /\..+\..+/) {	# strip labels if more than two for domain
	sub(/^[^.]+./, "", last)
	if (last ~ /\./ && last !~ /\.$/)	last = last "."; # add root dot

	if (!(last in search)) {
	    search[last] = last
	    domains = domains " " last
	}
    }

    ns = split( SUF, sa)

    for (s = 1; s <= ns; ++s) {
	last = sa[s]
	if (last ~ /\./ && last !~ /\.$/)	last = last "."; # add root dot

	if (!(last in search)) {
	    search[last] = last
	    domains = domains " " last
	}
    }
}


# collect DNS server IP V4 addresses
/DNS\sServers[^:]*:\s\S/	{ dns = 1 }		# start - enable

# skip IP V6 entries, including ones with a %zone suffix such as the
# fec0:0:0:ffff::1%1 defaults Windows lists; without the optional %zone
# such a line would count as "non-IP" below and end the block before the
# IP V4 servers that follow it
dns && $NF ~ /^([0-9A-Fa-f]{0,4}:){1,7}[0-9A-Fa-f]{0,4}(%[0-9]+)?$/ { next }


dns && $NF ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}$/	{		# collect IP V4
    ns = nextaddr( $NF, last, ns, nameserveraddr, nameserverhostname)
    last = ""
}

dns && $NF !~ /^([0-9A-Fa-f]{0,4}:){1,7}[0-9A-Fa-f]{0,4}(%[0-9]+)?$/ && \
	$NF !~ /^([0-9]{1,3}\.){3}[0-9]{1,3}$/	{ dns = 0 }	# non-IP disable


# output unique resolv.conf entries
END {
    print CFHD

    ns = addrs( NS, nameserveraddr, ns)

    for (n = 0; n <= ns; ++n)	{
	if (n in nameserverhostname && nameserverhostname[n]) {
	    print "#", nameserverhostname[n]
	}

	if (n in nameserveraddr && nameserveraddr[n]) {
	    print "nameserver", nameserveraddr[n]
	}
    }

    print CDS

    # the resolver treats "domain" and "search" as alternatives and the
    # last one read wins, so these lines are informational only; the
    # search line printed below is the one in effect
    for (d in domain)		{ print "domain " d }

    print CSSL
    if (domains)	print "search" domains
}


[-- Attachment #4: resolv.conf --]
[-- Type: text/plain, Size: 690 bytes --]

# /etc/resolv.conf - Internet Domain Name System resolver configuration file
# shawcable.net.
nameserver 64.59.135.148
nameserver 64.59.128.114
# dns.quad9.net
nameserver 9.9.9.9
nameserver 149.112.112.112
# one.one.one.one
nameserver 1.1.1.1
nameserver 1.0.0.1
# resolver2.opendns.com
nameserver 208.67.220.220
# resolver1.opendns.com
nameserver 208.67.222.222
# google-public-dns-b.google.com
nameserver 8.8.4.4
# google-public-dns-a.google.com
nameserver 8.8.8.8
# CAshieldProtected
nameserver 149.112.121.20
nameserver 149.112.122.20
# domain suffix
domain shawcable.net.
domain cg.shawcable.net.
# suffix search list
search cg.shawcable.net. shawcable.net. shaw.ca. ca. org. com. net.

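A second added example, also not from the post: a Python lint over the two keyserver lists quoted above. It assumes that hkp:// is plain HTTP and hkps:// is HTTP over TLS, that GnuPG treats a bare host with no scheme as hkp://, and that the sks-keyservers.net pool (with keys.gnupg.net as an alias for it) is retired following the certificate-flooding attacks the post refers to. The two configs are copied from the post; LEGACY_CONF is a constructed input that exercises the retired-host check.

```python
"""Lint the keyserver lines of ~/.gnupg/dirmngr.conf and ~/.gnupg/gpg.conf.

Added example, not part of the original post.  Assumptions: hkp:// is
plain HTTP and hkps:// is HTTP over TLS; GnuPG treats a bare host as
hkp://; the sks-keyservers.net pool is retired after the certificate-
flooding ("poisoning") attacks the post mentions, and keys.gnupg.net was
an alias for that pool.
"""
from urllib.parse import urlsplit

RETIRED_HOSTS = {
    'pool.sks-keyservers.net',
    'hkps.pool.sks-keyservers.net',
    'keys.gnupg.net',
}

# The two lists quoted in the post, embedded verbatim.
DIRMNGR_CONF = """\
#keyserver hkp://pool.sks-keyservers.net
#keyserver hkps://hkps.pool.sks-keyservers.net
#keyserver hkp://keys.gnupg.net
keyserver hkps://keyserver.ubuntu.com
keyserver hkps://keys.openpgp.org
keyserver hkp://pgp.mit.edu
keyserver hkp://pgp.surf.nl
"""

GPG_CONF = """\
#keyserver hkp://pool.sks-keyservers.net
#keyserver hkps://hkps.pool.sks-keyservers.net
#keyserver hkp://keys.gnupg.net
keyserver hkp://keyserver.ubuntu.com
keyserver hkps://keys.openpgp.org
keyserver hkp://pgp.mit.edu
keyserver hkp://pgp.surf.nl
#keyserver mailto:pgp-public-keys@keys.nl.pgp.net
#keyserver ldap://keyserver.pgp.com
"""

# Constructed input: an old config still pointing at the SKS pool.
LEGACY_CONF = "keyserver hkps://hkps.pool.sks-keyservers.net\n"


def active_keyservers(text):
    """Return [(scheme, host, url)] for the uncommented keyserver lines."""
    servers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split()
        if parts[0] != 'keyserver' or len(parts) < 2:
            continue
        url = parts[1]
        # assumption: a bare host means hkp://, as GnuPG treats it
        parsed = urlsplit(url if '://' in url else 'hkp://' + url)
        servers.append((parsed.scheme, (parsed.hostname or '').lower(), url))
    return servers


def lint_keyservers(text):
    """Findings for one file: retired pool hosts and plaintext transports.
    Over plain HKP anything on the path can tamper with the certificate
    that comes back before gpg ever sees it."""
    findings = []
    for scheme, host, url in active_keyservers(text):
        if host in RETIRED_HOSTS:
            findings.append(f'{url}: retired SKS pool host, remove it')
        if scheme == 'hkp':
            findings.append(f'{url}: plaintext HKP, use hkps://{host} '
                            'if the server offers TLS')
    return findings


def transport_mismatches(*texts):
    """Hosts listed as hkps in one file but hkp in another: the transport
    then depends on which file is consulted."""
    by_host = {}
    for text in texts:
        for scheme, host, _ in active_keyservers(text):
            by_host.setdefault(host, set()).add(scheme)
    return sorted(h for h, s in by_host.items() if {'hkp', 'hkps'} <= s)


if __name__ == '__main__':
    for name, conf in (('dirmngr.conf', DIRMNGR_CONF), ('gpg.conf', GPG_CONF)):
        for finding in lint_keyservers(conf):
            print(f'{name}: {finding}')
    print('transport mismatch:', transport_mismatches(DIRMNGR_CONF, GPG_CONF))
```

On the two lists above it flags pgp.mit.edu and pgp.surf.nl as plaintext in both files and keyserver.ubuntu.com as hkps in dirmngr.conf but hkp in gpg.conf, which is the kind of drift that creeps in when the same list is maintained in two places.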
Thread overview: 7+ messages
2022-08-09  6:17 resolv.conf and gnupg2 Brian Inglis
2022-08-09 12:58 ` Christian Franke
2022-08-09 14:51   ` Lee
2022-08-09 16:07     ` Christian Franke
2022-08-10 14:40   ` Andrey Repin
2022-08-11 13:36     ` Christian Franke
2022-08-19  9:13       ` Andrey Repin
