diff --git a/.ci/blacklist.txt b/.ci/blacklist.txt
new file mode 100644
index 00000000..6dc72795
--- /dev/null
+++ b/.ci/blacklist.txt
@@ -0,0 +1,17 @@
+ad.*
+ads.*
+banner.*
+banners.*
+creatives.*
+oas.*
+oascentral.*
+stats.*
+tag.*
+telemetry.*
+tracker.*
+*.local
+eth0.me
+*.workgroup
+
+*.youtube.* @time-to-sleep
+facebook.com @work
diff --git a/.ci/ci-test.sh b/.ci/ci-test.sh
new file mode 100755
index 00000000..ca0d103a
--- /dev/null
+++ b/.ci/ci-test.sh
@@ -0,0 +1,125 @@
+#! /bin/sh
+
+DNS_PORT=5300
+HTTP_PORT=3000
+TEST_COUNT=0
+
+exec 2>error.log
+
+t() {
+ TEST_COUNT=$((TEST_COUNT + 1))
+ echo "Test #${TEST_COUNT}..."
+ false
+}
+
+fail() (
+ echo "*** Test #${TEST_COUNT} FAILED ***" >&2
+)
+
+section() {
+ true
+}
+
+rm -f blocked.log ip-blocked.log query.log nx.log whitelisted.log
+
+t || (
+ cd ../dnscrypt-proxy
+ go build -mod vendor
+) || fail
+
+section
+sed -e "s/127.0.0.1:53/127.0.0.1:${DNS_PORT}/g" -e "s/# server_names =.*/server_names = ['scaleway-fr']/" ../dnscrypt-proxy/example-dnscrypt-proxy.toml >test-dnscrypt-proxy.toml
+../dnscrypt-proxy/dnscrypt-proxy -loglevel 3 -config test-dnscrypt-proxy.toml -pidfile /tmp/dnscrypt-proxy.pidfile &
+sleep 5
+
+t ||
+ dig -p${DNS_PORT} . @127.0.0.1 | grep -Fq 'root-servers.net.' || fail
+t || dig -p${DNS_PORT} +dnssec . @127.0.0.1 | grep -Fq 'root-servers.net.' || fail
+t || dig -p${DNS_PORT} +dnssec . @127.0.0.1 | grep -Fq 'flags: do;' || fail
+t || dig -p${DNS_PORT} +short one.one.one.one @127.0.0.1 | grep -Fq '1.1.1.1' || fail
+t || dig -p${DNS_PORT} +dnssec dnscrypt.info @127.0.0.1 | grep -Fq 'flags: qr rd ra ad' || fail
+t || dig -p${DNS_PORT} +dnssec dnscrypt.info @127.0.0.1 | grep -Fq 'flags: do;' || fail
+
+kill $(cat /tmp/dnscrypt-proxy.pidfile)
+sleep 5
+
+section
+../dnscrypt-proxy/dnscrypt-proxy -loglevel 3 -config test2-dnscrypt-proxy.toml -pidfile /tmp/dnscrypt-proxy.pidfile &
+sleep 5
+
+section
+t || dig -p${DNS_PORT} AAAA ipv6.google.com @127.0.0.1 | grep -Fq 'locally blocked' || fail
+
+section
+t || dig -p${DNS_PORT} invalid. @127.0.0.1 | grep -Fq NXDOMAIN || fail
+t || dig -p${DNS_PORT} +dnssec invalid. @127.0.0.1 | grep -Fq 'flags: do;' || fail
+t || dig -p${DNS_PORT} PTR 168.192.in-addr.arpa @127.0.0.1 | grep -Fq 'NXDOMAIN' || fail
+t || dig -p${DNS_PORT} +dnssec PTR 168.192.in-addr.arpa @127.0.0.1 | grep -Fq 'flags: do;' || fail
+
+section
+t || dig -p${DNS_PORT} +dnssec darpa.mil @127.0.0.1 2>&1 | grep -Fvq 'RRSIG' || fail
+t || dig -p${DNS_PORT} +dnssec www.darpa.mil @127.0.0.1 2>&1 | grep -Fvq 'RRSIG' || fail
+
+section
+t || dig -p${DNS_PORT} +short cloaked.com @127.0.0.1 | grep -Eq '1.1.1.1|1.0.0.1' || fail
+t || dig -p${DNS_PORT} +short www.cloaked2.com @127.0.0.1 | grep -Eq '1.1.1.1|1.0.0.1' || fail
+t || dig -p${DNS_PORT} +short www.dnscrypt-test @127.0.0.1 | grep -Fq '192.168.100.100' || fail
+t || dig -p${DNS_PORT} a.www.dnscrypt-test @127.0.0.1 | grep -Fq 'NXDOMAIN' || fail
+
+section
+t || dig -p${DNS_PORT} telemetry.example @127.0.0.1 | grep -Fq 'locally blocked' || fail
+
+section
+t || dig -p${DNS_PORT} dns.google @127.0.0.1 | grep -Fq 'locally blocked' || fail
+
+section
+t || dig -p${DNS_PORT} tracker.xdebian.org @127.0.0.1 | grep -Fq 'locally blocked' || fail
+t || dig -p${DNS_PORT} tracker.debian.org @127.0.0.1 | grep -Fqv 'locally blocked' || fail
+
+section
+t || curl --insecure -siL https://127.0.0.1:3000/ | grep -Fq '404 Not Found' || fail
+t || curl --insecure -sL https://127.0.0.1:3000/dns-query | grep -Fq 'dnscrypt-proxy local DoH server' || fail
+
+kill $(cat /tmp/dnscrypt-proxy.pidfile)
+
+sleep 5
+
+section
+t || grep -Fq 'telemetry.example' blocked.log || fail
+t || grep -Fq 'telemetry.*' blocked.log || fail
+t || grep -Fq 'tracker.xdebian.org' blocked.log || fail
+t || grep -Fq 'tracker.*' blocked.log || fail
+
+section
+t || grep -Fq 'dns.google' ip-blocked.log || fail
+t || grep -Fq '8.8.8.8' ip-blocked.log || fail
+
+section
+t || grep -Fq 'a.www.dnscrypt-test' nx.log || fail
+
+section
+t || grep -Fq 'a.www.dnscrypt-test' nx.log || fail
+
+section
+t || grep -Eq 'ipv6.google.com.*SYNTH' query.log || fail
+t || grep -Eq 'invalid.*SYNTH' query.log || fail
+t || grep -Eq '168.192.in-addr.arpa.*SYNTH' query.log || fail
+t || grep -Eq 'darpa.mil.*FORWARD' query.log || fail
+t || grep -Eq 'www.darpa.mil.*FORWARD' query.log || fail
+t || grep -Eq 'cloaked.com.*CLOAK' query.log || fail
+t || grep -Eq 'www.cloaked2.com.*CLOAK' query.log || fail
+t || grep -Eq 'www.dnscrypt-test.*CLOAK' query.log || fail
+t || grep -Eq 'a.www.dnscrypt-test.*NXDOMAIN' query.log || fail
+t || grep -Eq 'telemetry.example.*REJECT' query.log || fail
+t || grep -Eq 'dns.google.*REJECT' query.log || fail
+t || grep -Eq 'tracker.xdebian.org.*REJECT' query.log || fail
+t || grep -Eq 'tracker.debian.org.*PASS' query.log || fail
+
+section
+t || grep -Fq 'tracker.debian.org' whitelisted.log || fail
+t || grep -Fq '*.tracker.debian' whitelisted.log || fail
+
+if [ -s error.log ]; then
+ cat *.log
+ exit 1
+fi
diff --git a/.ci/cloaking-rules.txt b/.ci/cloaking-rules.txt
new file mode 100644
index 00000000..cbf0fba1
--- /dev/null
+++ b/.ci/cloaking-rules.txt
@@ -0,0 +1,3 @@
+cloaked.* one.one.one.one
+*.cloaked2.* one.one.one.one
+=www.dnscrypt-test 192.168.100.100
diff --git a/.ci/forwarding-rules.txt b/.ci/forwarding-rules.txt
new file mode 100644
index 00000000..7a403110
--- /dev/null
+++ b/.ci/forwarding-rules.txt
@@ -0,0 +1,2 @@
+darpa.mil 208.67.222.222
+
diff --git a/.ci/ip-blacklist.txt b/.ci/ip-blacklist.txt
new file mode 100644
index 00000000..701e77ea
--- /dev/null
+++ b/.ci/ip-blacklist.txt
@@ -0,0 +1 @@
+8.8.8.8
diff --git a/.ci/test2-dnscrypt-proxy.toml b/.ci/test2-dnscrypt-proxy.toml
new file mode 100644
index 00000000..dc56ae9c
--- /dev/null
+++ b/.ci/test2-dnscrypt-proxy.toml
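Review bot: The three negative assertions in the new ci-test.sh cannot fail: `grep -Fvq 'RRSIG'` on the two darpa.mil lines and `grep -Fqv 'locally blocked'` on the tracker.debian.org line succeed as soon as any single line of dig's multi-line output lacks the string, which is always true, so the forwarding and whitelist checks pass even when the proxy misbehaves. Negate the pipeline instead: `t || ! dig -p${DNS_PORT} +dnssec darpa.mil @127.0.0.1 2>&1 | grep -Fq 'RRSIG' || fail`, the same for www.darpa.mil, and `t || ! dig -p${DNS_PORT} tracker.debian.org @127.0.0.1 | grep -Fq 'locally blocked' || fail`. The two consecutive nx.log sections are verbatim duplicates, so one intended check appears to be missing. `HTTP_PORT` is declared but the curl lines hard-code `127.0.0.1:3000` (and test2-dnscrypt-proxy.toml hard-codes both ports), and the pidfile lives at a fixed shared path `/tmp/dnscrypt-proxy.pidfile` read back unquoted by `kill $(cat …)`, so a stale or missing file on a shared runner targets the wrong process or none; keep the pidfile in the working directory and quote the expansion. Because `exec 2>error.log` is inherited by the background proxy, any stderr output it emits at `-loglevel 3` presumably makes the final `[ -s error.log ]` gate fail the run, which may be intended as a strictness check but deserves a comment such as `# any stderr output, including the proxy's own warnings, fails the run`.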
@@ -0,0 +1,67 @@
+server_names = ['public-scaleway-fr']
+listen_addresses = ['127.0.0.1:5300']
+require_dnssec = true
+dnscrypt_ephemeral_keys = true
+tls_disable_session_tickets = false
+ignore_system_dns = false
+block_ipv6 = true
+block_unqualified = true
+block_undelegated = true
+forwarding_rules = 'forwarding-rules.txt'
+cloaking_rules = 'cloaking-rules.txt'
+cache = true
+
+[local_doh]
+listen_addresses = ['127.0.0.1:3000']
+cert_file = "../dnscrypt-proxy/localhost.pem"
+cert_key_file = "../dnscrypt-proxy/localhost.pem"
+
+[query_log]
+file = 'query.log'
+
+[nx_log]
+file = 'nx.log'
+
+[blacklist]
+blacklist_file = 'blacklist.txt'
+log_file = 'blocked.log'
+
+[ip_blacklist]
+blacklist_file = 'ip-blacklist.txt'
+log_file = 'ip-blocked.log'
+
+[whitelist]
+whitelist_file = 'whitelist.txt'
+log_file = 'whitelisted.log'
+
+[schedules]
+
+ [schedules.'time-to-sleep']
+ mon = [{after='21:00', before='7:00'}]
+ tue = [{after='21:00', before='7:00'}]
+ wed = [{after='21:00', before='7:00'}]
+ thu = [{after='21:00', before='7:00'}]
+ fri = [{after='23:00', before='7:00'}]
+ sat = [{after='23:00', before='7:00'}]
+ sun = [{after='21:00', before='7:00'}]
+
+ [schedules.'work']
+ mon = [{after='9:00', before='18:00'}]
+ tue = [{after='9:00', before='18:00'}]
+ wed = [{after='9:00', before='18:00'}]
+ thu = [{after='9:00', before='18:00'}]
+ fri = [{after='9:00', before='17:00'}]
+
+[sources]
+ [sources.'public-resolvers']
+ urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
+ cache_file = 'public-resolvers.md'
+ minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+ prefix = 'public-'
+
+ [sources.'relays']
+ urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/relays.md', 'https://download.dnscrypt.info/resolvers-list/v2/relays.md']
+ cache_file = 'relays.md'
+ minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+ refresh_delay = 72
+ prefix = 'relay-'
diff --git a/.ci/whitelist.txt b/.ci/whitelist.txt
new file mode 100644
index 00000000..b030f061
--- /dev/null
+++ b/.ci/whitelist.txt
@@ -0,0 +1 @@
+tracker.debian.org
diff --git a/.travis.yml b/.travis.yml
index 591e3a35..604b018b 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -13,7 +13,10 @@ addons:
 script:
 - gimme --list
 - echo $TRAVIS_GO_VERSION
-- cd dnscrypt-proxy
+
+- cd .ci
+- ./ci-test.sh || travis_terminate 1
+- cd ../dnscrypt-proxy
 - go clean
 - env GOOS=windows GOARCH=386 go build -mod vendor -ldflags="-s -w"