netwatch-dns: support downloading / importing certificate

Christian Hesse 2022-09-13 09:01:40 +02:00
parent 3988c70290
commit 220dd8f892
2 changed files with 16 additions and 0 deletions


@ -43,6 +43,13 @@ Giving a specific query url for DoH is possible:
Note that using a name in DoH url may introduce a chicken-and-egg issue! Note that using a name in DoH url may introduce a chicken-and-egg issue!
Importing a certificate automatically is possible, at least if available in
the repository (see `certs` sub directory).
/tool/netwatch/add comment="doh, doh-cert=DigiCert TLS Hybrid ECC SHA384 2020 CA1" host=1.1.1.1;
/tool/netwatch/add comment="doh, doh-cert=DigiCert TLS Hybrid ECC SHA384 2020 CA1" host=9.9.9.9;
/tool/netwatch/add comment="doh, doh-cert=GTS CA 1C3" host=8.8.8.8;
Sometimes using just one specific (possibly internal) DNS server may be Sometimes using just one specific (possibly internal) DNS server may be
desired, with fallback in case it fails. This is possible as well: desired, with fallback in case it fails. This is possible as well:


@ -10,6 +10,7 @@
:global GlobalFunctionsReady; :global GlobalFunctionsReady;
:while ($GlobalFunctionsReady != true) do={ :delay 500ms; } :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
:global CertificateAvailable;
:global EitherOr; :global EitherOr;
:global LogPrintExit2; :global LogPrintExit2;
:global ParseKeyValueStore; :global ParseKeyValueStore;
@ -58,6 +59,7 @@ $ScriptLock $0;
:local DohServer ""; :local DohServer "";
:local DohCurrent [ /ip/dns/get use-doh-server ]; :local DohCurrent [ /ip/dns/get use-doh-server ];
:local DohCert "";
:foreach Host in=[ /tool/netwatch/find where comment~"doh" !disabled ] do={ :foreach Host in=[ /tool/netwatch/find where comment~"doh" !disabled ] do={
:local HostVal [ /tool/netwatch/get $Host ]; :local HostVal [ /tool/netwatch/get $Host ];
@ -67,12 +69,19 @@ $ScriptLock $0;
$HostInfo->"disabled" != true && $DohServer = "") do={ $HostInfo->"disabled" != true && $DohServer = "") do={
:set DohServer [ $EitherOr ($HostInfo->"doh-url") \ :set DohServer [ $EitherOr ($HostInfo->"doh-url") \
("https://" . $HostVal->"host" . "/dns-query") ]; ("https://" . $HostVal->"host" . "/dns-query") ];
:set DohCert ($HostInfo->"doh-cert");
} }
} }
:if ($DohServer != "") do={ :if ($DohServer != "") do={
:if ($DohServer != $DohCurrent) do={ :if ($DohServer != $DohCurrent) do={
$LogPrintExit2 info $0 ("Updating DoH server: " . $DohServer) false; $LogPrintExit2 info $0 ("Updating DoH server: " . $DohServer) false;
:if ([ :len $DohCert ] > 0) do={
/ip/dns/set use-doh-server="";
:if ([ $CertificateAvailable $DohCert ] = false) do={
$LogPrintExit2 warning $0 ("Downloading certificate failed, trying without.") false;
}
}
/ip/dns/set use-doh-server=$DohServer; /ip/dns/set use-doh-server=$DohServer;
/ip/dns/cache/flush; /ip/dns/cache/flush;
} }
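Review bot: The failure path after `$CertificateAvailable` still applies `use-doh-server=$DohServer` unconditionally, so when the certificate named in `doh-cert=` cannot be imported the router is switched to a DoH server whose CA chain is not present; whether that silently yields unverified TLS or a resolver outage depends on `/ip/dns verify-doh-cert`, which this hunk does not set or check, so that consequence should be stated next to the warning. The warning also does not say which certificate failed, which matters because the name comes straight from the netwatch comment and a typo there is the likeliest cause; change it to `$LogPrintExit2 warning $0 ("Downloading certificate '" . $DohCert . "' failed, trying without.") false;`. Clearing `use-doh-server` before the download (to escape the chicken-and-egg case the README warns about) deserves a one-line comment, e.g. `# drop DoH temporarily so the certificate fetch can resolve the repository with plain DNS`. The `:if ($DohServer != "")` block this hunk modifies continues past the end of the hunk, so its else/fallback handling was not reviewed here.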