DNS name resolution should not be done during configuration parsing.
Lonnie Abelbeck
lists at lonnie.abelbeck.com
Tue Feb 19 15:26:29 CET 2019
> On Feb 19, 2019, at 1:22 AM, Matthias Urlichs <matthias at urlichs.de> wrote:
>
> We don't even need call-outs. We already have a netlink interface which
> a userspace client can use to monitor WG. Teach that client to
> re-resolve the name and to update the peer.
> --
> -- Matthias Urlichs
Agreed. For example Jason's "reresolve-dns.sh" script. [1]
The missing piece is to keep "wg setconf" (et al.) from failing given a DNS failure on any peer.
Per this trivial patch.
https://raw.githubusercontent.com/astlinux-project/astlinux/master/package/wireguard/wireguard-0001-ignore-endpoint-dns-failure.patch
Peers without DNS endpoints (or successful DNS) would be allowed to start promptly as expected, and any failed DNS endpoints would be filled in later via a userspace WG monitor (ex. reresolve-dns.sh).
Lonnie
[1] https://git.zx2c4.com/WireGuard/tree/contrib/examples/reresolve-dns
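Model of the behaviour proposed above, as an added Python example that is not from this thread, the AstLinux patch, or the WireGuard tools: peers with literal or resolvable endpoints are configured at once, a peer whose endpoint name fails DNS is kept without an endpoint and listed for a monitor such as reresolve-dns to fill in later, and the whole setconf no longer fails. The config, key names and `resolver` callable are constructed for the example; `resolver` is any callable returning an address string or None on failure (a wrapper around `socket.gethostbyname` in real use, a dict's `.get` offline).

```python
import ipaddress
import re

# Constructed sample config; the keys are placeholders, not real keys.
SAMPLE_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
[Peer]
PublicKey = PLACEHOLDER_PEER_A
Endpoint = 203.0.113.10:51820
[Peer]
PublicKey = PLACEHOLDER_PEER_B
Endpoint = vpn.example.invalid:51820
[Peer]
PublicKey = PLACEHOLDER_PEER_C
"""

def parse_peers(conf):
    """Return one {key: value} dict per [Peer] section; other sections are skipped."""
    parts = re.split(r"^\[(\w+)\][ \t]*$", conf, flags=re.M)  # [pre, name, body, ...]
    peers = []
    for name, body in zip(parts[1::2], parts[2::2]):
        if name.lower() == "peer":
            pairs = (l.split("=", 1) for l in body.splitlines() if "=" in l)
            peers.append({k.strip(): v.strip() for k, v in pairs})
    return peers

def resolve_endpoint(endpoint, resolver):
    """Return 'ip:port' for an Endpoint value; None when resolver(host) returns None."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")  # '[v6]:port' form
    try:
        ip = str(ipaddress.ip_address(host))  # literal address: no lookup needed
    except ValueError:
        ip = resolver(host)  # hostname: ask DNS (constructed resolver contract)
    return None if ip is None else (f"[{ip}]:{port}" if ":" in ip else f"{ip}:{port}")

def apply_config(conf, resolver):
    """Model of the patched wg setconf: every peer is configured; a peer whose
    Endpoint fails DNS is kept without one and listed for later re-resolution."""
    applied, deferred = {}, []
    for peer in parse_peers(conf):
        endpoint = peer.get("Endpoint")
        resolved = resolve_endpoint(endpoint, resolver) if endpoint else None
        applied[peer["PublicKey"]] = resolved
        if endpoint and resolved is None:
            deferred.append(peer["PublicKey"])
    return applied, deferred
```

A monitor loop would periodically call `resolve_endpoint` for each deferred key and apply the result with `wg set <iface> peer <key> endpoint <ip:port>`.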