From 57c80dc2a42280c1a8d1f2c7de8d73a3e03190bc Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Sun, 2 Jan 2022 22:21:20 +0100
Subject: introduce netwatch-dns

---
README.md | 1 +
doc/netwatch-dns.md | 71 +++++++++++++++++++++++++++++++++++++++++++++
doc/netwatch-notify.md | 12 ++++++++
global-config | 2 +-
global-config-overlay | 2 +-
global-config.changes | 1 +
global-functions | 2 +-
netwatch-dns | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++
8 files changed, 166 insertions(+), 3 deletions(-)
create mode 100644 doc/netwatch-dns.md
create mode 100644 netwatch-dns

diff --git a/README.md b/README.md
index 3c38b5b..f55a14b 100644
--- a/README.md
+++ b/README.md
@@ -208,6 +208,7 @@ Available scripts
 * [Manage LEDs dark mode](doc/leds-mode.md)
 * [Forward log messages via notification](doc/log-forward.md)
 * [Mode button with multiple presses](doc/mode-button.md)
+* [Manage DNS and DoH servers from netwatch](doc/netwatch-dns.md)
 * [Notify on host up and down](doc/netwatch-notify.md)
 * [Manage remote logging](doc/netwatch-syslog.md)
 * [Visualize OSPF state via LEDs](doc/ospf-to-leds.md)
diff --git a/doc/netwatch-dns.md b/doc/netwatch-dns.md
new file mode 100644
index 0000000..96710a2
--- /dev/null
+++ b/doc/netwatch-dns.md
@@ -0,0 +1,71 @@
+Manage DNS and DoH servers from netwatch
+========================================
+
+[◀ Go back to main README](../README.md)
+
+🛈 This script can not be used on its own but requires the base installation.
+See [main README](../README.md) for details.
+
+Description
+-----------
+
+This script reads server state from netwatch and manages used DNS and
+DoH (DNS over HTTPS) servers.
+
+Requirements and installation
+-----------------------------
+
+Just install the script:
+
+ $ScriptInstallUpdate netwatch-dns;
+
+Then add a scheduler to run it periodically:
+
+ / system scheduler add interval=1m name=netwatch-dns on-event="/ system script run netwatch-dns;" start-time=startup;
+
+Configuration
+-------------
+
+The DNS and DoH servers to be checked have to be added to netwatch with
+specific comment:
+
+ / tool netwatch add comment="doh, hostname=cloudflare-dns" host=1.1.1.1;
+ / tool netwatch add comment="dns, hostname=google-dns" host=8.8.8.8;
+ / tool netwatch add comment="doh, dns, hostname=quad-nine" host=9.9.9.10;
+
+This will configure *cloudflare-dns* for DoH (`https://1.1.1.1/dnsquery`), and
+*google-dns* and *quad-nine* for regular DNS (`8.8.8.8,9.9.9.10`) if up.
+If *cloudflare-dns* is down the script will fall back to *quad-nine* for DoH.
+
+Giving a specific query url for DoH is possible:
+
+ / tool netwatch add comment="doh, hostname=nextdns, doh-url=https://dns.nextdns.io/dns-query" host=199.247.16.158;
+
+Note that using a name in DoH url may introduce a chicken-and-egg issue!
+
+Sometimes using just one specific (possibly internal) DNS server may be
+desired, with fallback in case it fails. This is possible as well:
+
+ / tool netwatch add comment="dns, hostname=pi-hole" host=10.0.0.10;
+ / tool netwatch add comment="dns-fallback, hostname=cloudflare-dns" host=1.1.1.1;
+
+Tips & Tricks
+-------------
+
+### Use in combination with notifications
+
+Netwatch entries can be created to work with both - this script and
+[netwatch-notify](netwatch-notify.md). Just give options for both:
+
+ / tool netwatch add comment="doh, notify, hostname=cloudflare-dns" host=1.1.1.1;
+
+Also this allows to update host address, see option `resolve`.
+
+See also
+--------
+
+* [Notify on host up and down](netwatch-notify.md)
+
+---
+[◀ Go back to main README](../README.md)
+[▲ Go back to top](#top)
diff --git a/doc/netwatch-notify.md b/doc/netwatch-notify.md
index ef6f37e..78a0eed 100644
--- a/doc/netwatch-notify.md
+++ b/doc/netwatch-notify.md
@@ -116,6 +116,18 @@ link failure this address is not available, so use something reliable but non-essential. In this example the address `1.0.0.1` is used, the same service (Cloudflare DNS) is available at `1.1.1.1`.
+### Use in combination with DNS and DoH management
+
+Netwatch entries can be created to work with both - this script and
+[netwatch-dns](netwatch-dns.md). Just give options for both:
+
+ / tool netwatch add comment="doh, notify, hostname=cloudflare-dns" host=1.1.1.1;
+
+See also
+--------
+
+* [Manage DNS and DoH servers from netwatch](netwatch-dns.md)
+
 ---
 [◀ Go back to main README](../README.md)
 [▲ Go back to top](#top)
diff --git a/global-config b/global-config
index 7196eb2..cd8ba58 100644
--- a/global-config
+++ b/global-config
@@ -8,7 +8,7 @@
 # Make sure all configuration properties are up to date and this
 # value is in sync with value in script 'global-functions'!
-:global GlobalConfigVersion 71;
+:global GlobalConfigVersion 72;
 # This is used for DNS and backup file.
 :global Domain "example.com";
diff --git a/global-config-overlay b/global-config-overlay
index f16a6a9..f94d082 100644
--- a/global-config-overlay
+++ b/global-config-overlay
@@ -8,7 +8,7 @@
 # Make sure all configuration properties are up to date and this
 # value is in sync with value in script 'global-functions'!
 # Comment or remove to disable news and change notifications.
-:global GlobalConfigVersion 71;
+:global GlobalConfigVersion 72;
 # Copy configuration from global-config here and modify it.
diff --git a/global-config.changes b/global-config.changes
index 9a702a2..00c31fc 100644
--- a/global-config.changes
+++ b/global-config.changes
@@ -75,6 +75,7 @@
 69="Support hard lower limit for voltage in 'check-health'.";
 70="MikroTik started pushing RouterOS v7. Changes are required if you run it, see https://git.eworm.de/cgit/routeros-scripts/about/#changes-for-routeros-v7";
 71="MikroTik is pushing RouterOS v7 even more, in parallel branches. If you want to keep RouterOS v6 for some time see https://git.eworm.de/cgit/routeros-scripts/about/#changes-for-routeros-v6";
+ 72="Introduced new script 'netwatch-dns' to manage DNS and DoH servers from netwatch.";
 };
 # Migration steps to be applied on script updates
diff --git a/global-functions b/global-functions
index 30463f1..de1aec6 100644
--- a/global-functions
+++ b/global-functions
@@ -8,7 +8,7 @@
 # https://git.eworm.de/cgit/routeros-scripts/about/
 # expected configuration version
-:global ExpectedConfigVersion 71;
+:global ExpectedConfigVersion 72;
 # global variables not to be changed by user
 :global GlobalFunctionsReady false;
diff --git a/netwatch-dns b/netwatch-dns
new file mode 100644
index 0000000..e731d95
--- /dev/null
+++ b/netwatch-dns
@@ -0,0 +1,78 @@
+#!rsc by RouterOS
+# RouterOS script: netwatch-dns
+# Copyright (c) 2022 Christian Hesse
+# https://git.eworm.de/cgit/routeros-scripts/about/COPYING.md
+#
+# monitor and manage dns/doh with netwatch
+# https://git.eworm.de/cgit/routeros-scripts/about/doc/netwatch-dns.md
+
+:local 0 "netwatch-dns";
+:global GlobalFunctionsReady;
+:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+
+:global EitherOr;
+:global LogPrintExit2;
+:global ParseKeyValueStore;
+:global ScriptLock;
+
+$ScriptLock $0;
+
+:if ([ / system resource get uptime ] < 5m) do={
+ $LogPrintExit2 info $0 ("System just booted, giving netwatch some time to settle.") true;
+}
+
+:local DnsServers [ :toarray "" ];
+:local DnsFallback [ :toarray "" ];
+:local DnsCurrent [ / ip dns get servers ];
+
+:foreach Host in=[ / tool netwatch find where comment~"dns" disabled=no ] do={
+ :local HostVal [ / tool netwatch get $Host ];
+ :local HostInfo [ $ParseKeyValueStore ($HostVal->"comment") ];
+
+ :if ($HostVal->"status" = "up" && $HostInfo->"disabled" != true) do={
+ :if ($HostInfo->"dns" = true) do={
+ :set DnsServers ($DnsServers, $HostVal->"host");
+ }
+ :if ($HostInfo->"dns-fallback" = true) do={
+ :set DnsFallback ($DnsFallback, $HostVal->"host");
+ }
+ }
+}
+
+:if ([ :len $DnsServers ] > 0) do={
+ :if ($DnsServers != $DnsCurrent) do={
+ $LogPrintExit2 info $0 ("Updating DNS servers: " . [ :tostr $DnsServers ]) false;
+ / ip dns set servers=$DnsServers;
+ }
+} else={
+ :if ([ :len $DnsFallback ] > 0) do={
+ :if ($DnsFallback != $DnsCurrent) do={
+ $LogPrintExit2 info $0 ("Updating DNS servers to fallback: " . [ :tostr $DnsFallback ]) false;
+ / ip dns set servers=$DnsFallback;
+ }
+ }
+}
+
+:local DohServer "";
+:local DohCurrent [ / ip dns get use-doh-server ];
+
+:foreach Host in=[ / tool netwatch find where comment~"doh" disabled=no ] do={
+ :local HostVal [ / tool netwatch get $Host ];
+ :local HostInfo [ $ParseKeyValueStore ($HostVal->"comment") ];
+
+ :if ($HostVal->"status" = "up" && $HostInfo->"doh" = true && $HostInfo->"disabled" != true && $DohServer = "") do={
+ :set DohServer [ $EitherOr ($HostInfo->"doh-url") ("https://" . $HostVal->"host" . "/dns-query") ];
+ }
+}
+
+:if ($DohServer != "") do={
+ :if ($DohServer != $DohCurrent) do={
+ $LogPrintExit2 info $0 ("Updating DoH server: " . $DohServer) false;
+ / ip dns set use-doh-server=$DohServer;
+ }
+} else={
+ :if ($DohCurrent != "") do={
+ $LogPrintExit2 info $0 ("DoH server (" . $DohCurrent . ") is down, disabling.") false;
+ / ip dns set use-doh-server="";
+ }
+}
--
cgit v1.2.3-70-g09d2
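Review bot: The closing `else={ ... / ip dns set use-doh-server=""; }` branch downgrades the router from DoH to plaintext DNS whenever no netwatch entry tagged `doh` reports `up`, and because netwatch `status` tracks reachability of the host rather than availability of its DoH service, a transient reachability loss is enough to trigger it. The same branch also fires when `use-doh-server` was set by hand and no `doh` entry exists at all, removing the operator's setting on the first run under the misleading message `is down, disabling`; consider guarding it with a check that at least one enabled `doh` entry is configured, and log the downgrade at a higher severity than the routine `info` updates (`warning`, if `$LogPrintExit2` accepts it) so it stands out in the log. State the behaviour in the header comment, e.g. `# when no DoH host is up, DoH is disabled and resolution falls back to the plain DNS servers set above`. `verify-doh-cert` is left untouched while `use-doh-server` switches between hosts, so a fallback host whose certificate does not cover the `https://<host>/dns-query` URL built from its IP will fail once verification is enabled — worth a line in doc/netwatch-dns.md, which also spells the default path `dnsquery` where the script builds `/dns-query`.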