Add some temporary basic CI tests

.ci/blacklist.txt

@@ -0,0 +1,17 @@
+ad.*
+ads.*
+banner.*
+banners.*
+creatives.*
+oas.*
+oascentral.*
+stats.*
+tag.*
+telemetry.*
+tracker.*
+*.local
+eth0.me
+*.workgroup
+
+*.youtube.*  @time-to-sleep
+facebook.com @work

.ci/ci-test.sh

@@ -0,0 +1,125 @@
+#! /bin/sh
+
+DNS_PORT=5300
+HTTP_PORT=3000
+TEST_COUNT=0
+
+exec 2>error.log
+
+t() {
+    TEST_COUNT=$((TEST_COUNT + 1))
+    echo "Test #${TEST_COUNT}..."
+    false
+}
+
+fail() (
+    echo "*** Test #${TEST_COUNT} FAILED ***" >&2
+)
+
+section() {
+    true
+}
+
+rm -f blocked.log ip-blocked.log query.log nx.log whitelisted.log
+
+t || (
+    cd ../dnscrypt-proxy
+    go build -mod vendor
+) || fail
+
+section
+sed -e "s/127.0.0.1:53/127.0.0.1:${DNS_PORT}/g" -e "s/# server_names =.*/server_names = ['scaleway-fr']/" ../dnscrypt-proxy/example-dnscrypt-proxy.toml >test-dnscrypt-proxy.toml
+../dnscrypt-proxy/dnscrypt-proxy -loglevel 3 -config test-dnscrypt-proxy.toml -pidfile /tmp/dnscrypt-proxy.pidfile &
+sleep 5
+
+t ||
+    dig -p${DNS_PORT} . @127.0.0.1 | grep -Fq 'root-servers.net.' || fail
+t || dig -p${DNS_PORT} +dnssec . @127.0.0.1 | grep -Fq 'root-servers.net.' || fail
+t || dig -p${DNS_PORT} +dnssec . @127.0.0.1 | grep -Fq 'flags: do;' || fail
+t || dig -p${DNS_PORT} +short one.one.one.one @127.0.0.1 | grep -Fq '1.1.1.1' || fail
+t || dig -p${DNS_PORT} +dnssec dnscrypt.info @127.0.0.1 | grep -Fq 'flags: qr rd ra ad' || fail
+t || dig -p${DNS_PORT} +dnssec dnscrypt.info @127.0.0.1 | grep -Fq 'flags: do;' || fail
+
+kill $(cat /tmp/dnscrypt-proxy.pidfile)
+sleep 5
+
+section
+../dnscrypt-proxy/dnscrypt-proxy -loglevel 3 -config test2-dnscrypt-proxy.toml -pidfile /tmp/dnscrypt-proxy.pidfile &
+sleep 5
+
+section
+t || dig -p${DNS_PORT} AAAA ipv6.google.com @127.0.0.1 | grep -Fq 'locally blocked' || fail
+
+section
+t || dig -p${DNS_PORT} invalid. @127.0.0.1 | grep -Fq NXDOMAIN || fail
+t || dig -p${DNS_PORT} +dnssec invalid. @127.0.0.1 | grep -Fq 'flags: do;' || fail
+t || dig -p${DNS_PORT} PTR 168.192.in-addr.arpa @127.0.0.1 | grep -Fq 'NXDOMAIN' || fail
+t || dig -p${DNS_PORT} +dnssec PTR 168.192.in-addr.arpa @127.0.0.1 | grep -Fq 'flags: do;' || fail
+
+section
+t || dig -p${DNS_PORT} +dnssec darpa.mil @127.0.0.1 2>&1 | grep -Fvq 'RRSIG' || fail
+t || dig -p${DNS_PORT} +dnssec www.darpa.mil @127.0.0.1 2>&1 | grep -Fvq 'RRSIG' || fail
+
+section
+t || dig -p${DNS_PORT} +short cloaked.com @127.0.0.1 | grep -Eq '1.1.1.1|1.0.0.1' || fail
+t || dig -p${DNS_PORT} +short www.cloaked2.com @127.0.0.1 | grep -Eq '1.1.1.1|1.0.0.1' || fail
+t || dig -p${DNS_PORT} +short www.dnscrypt-test @127.0.0.1 | grep -Fq '192.168.100.100' || fail
+t || dig -p${DNS_PORT} a.www.dnscrypt-test @127.0.0.1 | grep -Fq 'NXDOMAIN' || fail
+
+section
+t || dig -p${DNS_PORT} telemetry.example @127.0.0.1 | grep -Fq 'locally blocked' || fail
+
+section
+t || dig -p${DNS_PORT} dns.google @127.0.0.1 | grep -Fq 'locally blocked' || fail
+
+section
+t || dig -p${DNS_PORT} tracker.xdebian.org @127.0.0.1 | grep -Fq 'locally blocked' || fail
+t || dig -p${DNS_PORT} tracker.debian.org @127.0.0.1 | grep -Fqv 'locally blocked' || fail
+
+section
+t || curl --insecure -siL https://127.0.0.1:3000/ | grep -Fq '404 Not Found' || fail
+t || curl --insecure -sL https://127.0.0.1:3000/dns-query | grep -Fq 'dnscrypt-proxy local DoH server' || fail
+
+kill $(cat /tmp/dnscrypt-proxy.pidfile)
+
+sleep 5
+
+section
+t || grep -Fq 'telemetry.example' blocked.log || fail
+t || grep -Fq 'telemetry.*' blocked.log || fail
+t || grep -Fq 'tracker.xdebian.org' blocked.log || fail
+t || grep -Fq 'tracker.*' blocked.log || fail
+
+section
+t || grep -Fq 'dns.google' ip-blocked.log || fail
+t || grep -Fq '8.8.8.8' ip-blocked.log || fail
+
+section
+t || grep -Fq 'a.www.dnscrypt-test' nx.log || fail
+
+section
+t || grep -Fq 'a.www.dnscrypt-test' nx.log || fail
+
+section
+t || grep -Eq 'ipv6.google.com.*SYNTH' query.log || fail
+t || grep -Eq 'invalid.*SYNTH' query.log || fail
+t || grep -Eq '168.192.in-addr.arpa.*SYNTH' query.log || fail
+t || grep -Eq 'darpa.mil.*FORWARD' query.log || fail
+t || grep -Eq 'www.darpa.mil.*FORWARD' query.log || fail
+t || grep -Eq 'cloaked.com.*CLOAK' query.log || fail
+t || grep -Eq 'www.cloaked2.com.*CLOAK' query.log || fail
+t || grep -Eq 'www.dnscrypt-test.*CLOAK' query.log || fail
+t || grep -Eq 'a.www.dnscrypt-test.*NXDOMAIN' query.log || fail
+t || grep -Eq 'telemetry.example.*REJECT' query.log || fail
+t || grep -Eq 'dns.google.*REJECT' query.log || fail
+t || grep -Eq 'tracker.xdebian.org.*REJECT' query.log || fail
+t || grep -Eq 'tracker.debian.org.*PASS' query.log || fail
+
+section
+t || grep -Fq 'tracker.debian.org' whitelisted.log || fail
+t || grep -Fq '*.tracker.debian' whitelisted.log || fail
+
+if [ -s error.log ]; then
+    cat *.log
+    exit 1
+fi

.ci/cloaking-rules.txt

@@ -0,0 +1,3 @@
+cloaked.*                one.one.one.one
+*.cloaked2.*             one.one.one.one
+=www.dnscrypt-test       192.168.100.100

.ci/forwarding-rules.txt

@@ -0,0 +1,2 @@
+darpa.mil 208.67.222.222
+

.ci/ip-blacklist.txt

@@ -0,0 +1 @@
+8.8.8.8

.ci/test2-dnscrypt-proxy.toml

@@ -0,0 +1,67 @@
+server_names = ['public-scaleway-fr']
+listen_addresses = ['127.0.0.1:5300']
+require_dnssec = true
+dnscrypt_ephemeral_keys = true
+tls_disable_session_tickets = false
+ignore_system_dns = false
+block_ipv6 = true
+block_unqualified = true
+block_undelegated = true
+forwarding_rules = 'forwarding-rules.txt'
+cloaking_rules = 'cloaking-rules.txt'
+cache = true
+
+[local_doh]
+listen_addresses = ['127.0.0.1:3000']
+cert_file = "../dnscrypt-proxy/localhost.pem"
+cert_key_file = "../dnscrypt-proxy/localhost.pem"
+
+[query_log]
+file = 'query.log'
+
+[nx_log]
+file = 'nx.log'
+
+[blacklist]
+blacklist_file = 'blacklist.txt'
+log_file = 'blocked.log'
+
+[ip_blacklist]
+blacklist_file = 'ip-blacklist.txt'
+log_file = 'ip-blocked.log'
+
+[whitelist]
+whitelist_file = 'whitelist.txt'
+log_file = 'whitelisted.log'
+
+[schedules]
+
+  [schedules.'time-to-sleep']
+  mon = [{after='21:00', before='7:00'}]
+  tue = [{after='21:00', before='7:00'}]
+  wed = [{after='21:00', before='7:00'}]
+  thu = [{after='21:00', before='7:00'}]
+  fri = [{after='23:00', before='7:00'}]
+  sat = [{after='23:00', before='7:00'}]
+  sun = [{after='21:00', before='7:00'}]
+
+  [schedules.'work']
+  mon = [{after='9:00', before='18:00'}]
+  tue = [{after='9:00', before='18:00'}]
+  wed = [{after='9:00', before='18:00'}]
+  thu = [{after='9:00', before='18:00'}]
+  fri = [{after='9:00', before='17:00'}]
+
+[sources]
+  [sources.'public-resolvers']
+  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
+  cache_file = 'public-resolvers.md'
+  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+  prefix = 'public-'
+
+  [sources.'relays']
+  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/relays.md', 'https://download.dnscrypt.info/resolvers-list/v2/relays.md']
+  cache_file = 'relays.md'
+  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+  refresh_delay = 72
+  prefix = 'relay-'

.ci/whitelist.txt

@@ -0,0 +1 @@
+tracker.debian.org

.travis.yml

@@ -13,7 +13,10 @@ addons:
 script:
 - gimme --list
 - echo $TRAVIS_GO_VERSION
-- cd dnscrypt-proxy
+
+- cd .ci
+- ./ci-test.sh || travis_terminate 1
+- cd ../dnscrypt-proxy
 
 - go clean
 - env GOOS=windows GOARCH=386 go build -mod vendor -ldflags="-s -w"