britannic/blacklist

Problem with booting without present internet connection

acejacek opened this issue · 5 comments

EdgeRouter ERLite-3, with EdgeOS 1.10.11

In the situation when the router is booting and the internet connection is not fully ready yet (in my case caused by a not-yet-ready DNS resolver), the blacklist update fails:

NOTI[001]2020-11-21 12:21:34.815: Starting blacklist update...
CRIT[002]2020-11-21 12:21:37.816: No internet access, aborting blacklist update!

This is quite normal. The problem is that the existing blacklist configuration is not saved and the router is wide open.

When running update (or waiting for cron/task scheduler to do that):

root@edge:/config/scripts# ./update-dnsmasq 
Removing stale dnsmasq blacklist files, because no blacklist configuration has been detected

Still, no blacklist active. Adding the -safe switch changes nothing. Manually pointing to the config file:

root@edge:/config/scripts# ./update-dnsmasq -f /config/config.boot

makes all updates:

root@edge:/config/scripts# tail /var/log/update-dnsmasq.log
INFO[022]2020-11-21 12:42:59.807: openphish: extracted: 3130
INFO[023]2020-11-21 12:42:59.808: openphish: dropped: 1430
INFO[024]2020-11-21 12:43:18.893: githubSteveBlack: downloaded: 57865
INFO[025]2020-11-21 12:43:18.894: githubSteveBlack: extracted: 43834
INFO[026]2020-11-21 12:43:18.895: githubSteveBlack: dropped: 14031
NOTI[027]2020-11-21 12:43:20.010: Total entries found: 126632
NOTI[028]2020-11-21 12:43:20.011: Total entries extracted 109280
NOTI[029]2020-11-21 12:43:20.011: Total entries dropped 17352
INFO[02a]2020-11-21 12:43:45.860: Successfully restarted dnsmasq
NOTI[02b]2020-11-21 12:43:45.860: Blacklist update completed......

However, the configuration is not active anyway. There is no blacklist branch in show services dns resolver.

The only method I found to bring back the blacklist is a full reconfiguration with sudo dpkg-reconfigure edgeos-dnsmasq-blacklist. This means all customizations and exception lists go to waste.

Am I doing something wrong?

Since the config file still contains all of your configuration, it seems that the integration templates are missing from your router under the conditions you describe above. Also, the configure path to check is:

show service dns forwarding blacklist

Did you switch images?

I made a typo, of course I meant show service dns forwarding blacklist.

The problem is that I force the router to use a locally run name server. Effectively, there is a short period of time between boot and when dnsmasq gets a connection to the locally run dns-proxy (it's dnscrypt-proxy). This period is long enough that other services don't have a connection to the network for a short time (the exception is ntpd, as it's pointed to an IP address and does not care if a nameserver is present or not).

I think the easiest way to reproduce is:

  1. remove system name server: delete system name-server
  2. make sure the router is not getting one from the ISP: set interfaces ethernet eth0 dhcp-options name-server no-update
  3. save config and reboot
  4. when the router is back up, set the system nameserver back: set system name-server 1.1.1.1
  5. now router should have proper connection to internet
  6. blacklist should be empty, update is not helping, only reinstall helps.

On the other hand, if I keep the system nameserver pointed to 1.1.1.1, all works fantastically, no issue, every reboot brings the blacklist up operational.

Your use case is unusual, so not sure if I can provide a solution. However, I have fixed the bug with the safe switch. If you're using the debian package upgrade to update edgeos-dnsmasq-blacklist, you will need to make a change to your system package repository. See the README.md.

The repository URL has changed:

configure
set system package repository blacklist components main
set system package repository blacklist description 'Britannic blacklist debian stretch repository'
set system package repository blacklist distribution stretch
set system package repository blacklist url 'https://raw.githubusercontent.com/britannic/debian-repo/master/blacklist/public/'
commit;save;exit

I rest my case. No matter what I tried, when DNS at the time of boot is not fully operational, the blacklist branch in show service dns forwarding becomes nonexistent. When the internet connection is finally restored, running sudo /config/scripts/update-dnsmasq (with all possible switches) does not resolve the issue. Only a full sudo dpkg-reconfigure edgeos-dnsmasq-blacklist brings things back to life. Until the next reboot.

@acejacek, so the edgerouter boot sequence rebuilds the entire configuration tree from the config.boot file each boot. Each layer of the config tree references a node.def file to see what its boot order is. The blacklist node is 9999 and sits at the end of the service dns forwarding node chain. If anything upstream doesn't complete, then it won't get to the blacklist node and complete building its config.

You will need to figure out what breaks upstream that prevents the blacklisting node buildout from completing. Or, you could add a script to /config/scripts/post-config.d to run update-dnsmasq -safe to ensure you have blacklisting configured after each boot for your use case.

You don't even need to use /config/config.boot, instead you can extract the blacklist stanza from it and run update-dnsmasq -f /config/user-data/<your_config.boot> from /config/scripts/post-config.d and additionally use task scheduler for a standalone setup.
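One way to implement the post-config.d hook suggested above, as an added example that is not part of the britannic/blacklist project: it waits for name resolution to come back (the boot-time race described in this thread) and only then runs update-dnsmasq, using a saved stanza with -f if one exists and -safe otherwise. The updater path and the -safe/-f switches come from the thread; the log file, the stanza file path, the probe hostname and the retry counts are assumptions.

```shell
#!/bin/sh
# Added example (not britannic/blacklist project code): a post-config.d hook
# that re-applies blacklisting once DNS resolution works after boot.
# Assumptions: update-dnsmasq is at /config/scripts/update-dnsmasq (as in the
# thread); the log path and the stanza file path below are placeholders.

UPDATER=/config/scripts/update-dnsmasq
STANZA=/config/user-data/blacklist.boot   # placeholder: extracted blacklist stanza
LOG=/var/log/post-config-blacklist.log    # placeholder log file
DNS_PROBE=${DNS_PROBE:-"getent hosts"}    # overridable so the wait logic runs offline in tests

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >>"$LOG"; }

# Return 0 once $1 resolves, retrying up to $2 times with $3 seconds between tries.
# This covers the window where dnsmasq is up but the local dnscrypt-proxy is not
# yet answering, which is when the updater reports "No internet access".
wait_for_dns() {
    name=$1; tries=$2; delay=$3; n=0
    while [ "$n" -lt "$tries" ]; do
        if $DNS_PROBE "$name" >/dev/null 2>&1; then
            return 0
        fi
        n=$((n + 1))
        sleep "$delay"
    done
    return 1
}

# Pick the updater invocation: a saved stanza (-f) if readable, otherwise -safe.
updater_args() {
    if [ -r "$1" ]; then
        echo "-f $1"
    else
        echo "-safe"
    fi
}

main() {
    if wait_for_dns raw.githubusercontent.com 30 10; then
        log "DNS up, running $UPDATER $(updater_args "$STANZA")"
        "$UPDATER" $(updater_args "$STANZA") >>"$LOG" 2>&1 \
            || log "update-dnsmasq exited with status $?"
    else
        log "DNS never came up; blacklist left unconfigured, check dnscrypt-proxy"
    fi
}

# Only run the hook when executed from post-config.d, not when sourced for testing.
case "$0" in */post-config.d/*) main ;; esac
```

Install it as an executable file under /config/scripts/post-config.d so it runs at the end of every boot, after the configuration tree has been rebuilt.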