Remove LargerResponsesDropped
dnsdist drops DNSCrypt queries shorter than 256 bytes, interpreting them as not being encrypted instead. This is surprising when doing ad-hoc testing, but absolutely fine, and we will never send shorter encrypted queries under normal circumstances. So, remove a useless knob.
parent
fb04a62470
commit
74095d38ed
@ -2,11 +2,10 @@
|
||||||
- Version 1.4.0 of the dnsdist load balancer (presumably used by
|
- Version 1.4.0 of the dnsdist load balancer (presumably used by
|
||||||
quad9, cleanbrowsing, qualityology, freetsa.org, ffmuc.net,
|
quad9, cleanbrowsing, qualityology, freetsa.org, ffmuc.net,
|
||||||
opennic-bongobow, sth-dnscrypt-se, ams-dnscrypt-nl and more)
|
opennic-bongobow, sth-dnscrypt-se, ams-dnscrypt-nl and more)
|
||||||
unintentionally introduced a regression preventing large queries
|
is preventing queries over 1500 bytes from being received over UDP.
|
||||||
from being received over UDP. Temporary workarounds have been
|
Temporary workarounds have been introduced to improve reliability
|
||||||
introduced to improve reliability with these resolvers for regular
|
with these resolvers for regular DNSCrypt. Unfortunately, anonymized
|
||||||
DNSCrypt. Unfortunately, anonymized DNS cannot be reliable until
|
DNS cannot be reliable until dnsdist is updated on these servers.
|
||||||
dnsdist is updated on these servers.
|
|
||||||
- New option in the `[anonymized_dns]` section: `skip_incompatible`,
|
- New option in the `[anonymized_dns]` section: `skip_incompatible`,
|
||||||
to ignore resolvers incompatible with Anonymized DNS instead of
|
to ignore resolvers incompatible with Anonymized DNS instead of
|
||||||
using them without a relay.
|
using them without a relay.
|
||||||
|
|
|
@ -139,10 +139,6 @@ func newConfig() Config {
|
||||||
"quad9-dnscrypt-ip4-filter-alt", "quad9-dnscrypt-ip4-filter-pri", "quad9-dnscrypt-ip4-nofilter-alt", "quad9-dnscrypt-ip4-nofilter-pri", "quad9-dnscrypt-ip6-filter-alt", "quad9-dnscrypt-ip6-filter-pri", "quad9-dnscrypt-ip6-nofilter-alt", "quad9-dnscrypt-ip6-nofilter-pri",
|
"quad9-dnscrypt-ip4-filter-alt", "quad9-dnscrypt-ip4-filter-pri", "quad9-dnscrypt-ip4-nofilter-alt", "quad9-dnscrypt-ip4-nofilter-pri", "quad9-dnscrypt-ip6-filter-alt", "quad9-dnscrypt-ip6-filter-pri", "quad9-dnscrypt-ip6-nofilter-alt", "quad9-dnscrypt-ip6-nofilter-pri",
|
||||||
"cleanbrowsing-adult", "cleanbrowsing-family-ipv6", "cleanbrowsing-family", "cleanbrowsing-security",
|
"cleanbrowsing-adult", "cleanbrowsing-family-ipv6", "cleanbrowsing-family", "cleanbrowsing-security",
|
||||||
},
|
},
|
||||||
LargerResponsesDropped: []string{
|
|
||||||
"quad9-dnscrypt-ip4-filter-alt", "quad9-dnscrypt-ip4-filter-pri", "quad9-dnscrypt-ip4-nofilter-alt", "quad9-dnscrypt-ip4-nofilter-pri", "quad9-dnscrypt-ip6-filter-alt", "quad9-dnscrypt-ip6-filter-pri", "quad9-dnscrypt-ip6-nofilter-alt", "quad9-dnscrypt-ip6-nofilter-pri",
|
|
||||||
"cleanbrowsing-adult", "cleanbrowsing-family-ipv6", "cleanbrowsing-family", "cleanbrowsing-security",
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -201,9 +197,8 @@ type AnonymizedDNSConfig struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
type BrokenImplementationsConfig struct {
|
type BrokenImplementationsConfig struct {
|
||||||
BrokenQueryPadding []string `toml:"broken_query_padding"`
|
BrokenQueryPadding []string `toml:"broken_query_padding"`
|
||||||
FragmentsBlocked []string `toml:"fragments_blocked"`
|
FragmentsBlocked []string `toml:"fragments_blocked"`
|
||||||
LargerResponsesDropped []string `toml:"larger_responses_dropped"`
|
|
||||||
}
|
}
|
||||||
|
|
||||||
type LocalDoHConfig struct {
|
type LocalDoHConfig struct {
|
||||||
|
@ -517,10 +512,8 @@ func ConfigLoad(proxy *Proxy, flags *ConfigFlags) error {
|
||||||
|
|
||||||
// Backwards compatibility
|
// Backwards compatibility
|
||||||
config.BrokenImplementations.FragmentsBlocked = append(config.BrokenImplementations.FragmentsBlocked, config.BrokenImplementations.BrokenQueryPadding...)
|
config.BrokenImplementations.FragmentsBlocked = append(config.BrokenImplementations.FragmentsBlocked, config.BrokenImplementations.BrokenQueryPadding...)
|
||||||
config.BrokenImplementations.LargerResponsesDropped = append(config.BrokenImplementations.LargerResponsesDropped, config.BrokenImplementations.BrokenQueryPadding...)
|
|
||||||
|
|
||||||
proxy.serversBlockingFragments = config.BrokenImplementations.FragmentsBlocked
|
proxy.serversBlockingFragments = config.BrokenImplementations.BrokenQueryPadding
|
||||||
proxy.serversDroppingLargerResponses = config.BrokenImplementations.LargerResponsesDropped
|
|
||||||
|
|
||||||
if *flags.ListAll {
|
if *flags.ListAll {
|
||||||
config.ServerNames = nil
|
config.ServerNames = nil
|
||||||
|
|
|
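Review bot: The new line `proxy.serversBlockingFragments = config.BrokenImplementations.BrokenQueryPadding` throws away the `fragments_blocked` list: the backwards-compatibility line kept just above still appends `BrokenQueryPadding` into `FragmentsBlocked`, so `FragmentsBlocked` is the merged list the proxy should consume, while `BrokenQueryPadding` only ever holds the legacy key. As written, the built-in `FragmentsBlocked` defaults from `newConfig` (the Quad9 and CleanBrowsing entries in the earlier hunk) and any user-supplied `fragments_blocked` entries never reach the proxy, so `knownBugs.fragmentsBlocked` presumably stays false for those resolvers and their UDP queries can again be padded up to `MaxDNSUDPPacketSize` instead of `MaxDNSUDPSafePacketSize` — the very condition the workaround exists to avoid, and a reliability regression for every resolver on that list. The assignment should read `proxy.serversBlockingFragments = config.BrokenImplementations.FragmentsBlocked`, as it did before this commit. ConfigLoad's body starts and ends outside the hunk.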
@ -87,12 +87,8 @@ func (proxy *Proxy) Encrypt(serverInfo *ServerInfo, packet []byte, proto string)
|
||||||
minQuestionSize += int(xpad[0])
|
minQuestionSize += int(xpad[0])
|
||||||
}
|
}
|
||||||
paddedLength := Min(MaxDNSUDPPacketSize, (Max(minQuestionSize, QueryOverhead)+1+63) & ^63)
|
paddedLength := Min(MaxDNSUDPPacketSize, (Max(minQuestionSize, QueryOverhead)+1+63) & ^63)
|
||||||
if proto == "udp" {
|
if proto == "udp" && serverInfo.knownBugs.fragmentsBlocked {
|
||||||
if serverInfo.knownBugs.fragmentsBlocked {
|
paddedLength = MaxDNSUDPSafePacketSize
|
||||||
paddedLength = MaxDNSUDPSafePacketSize
|
|
||||||
} else if serverInfo.knownBugs.largerQueriesDropped {
|
|
||||||
paddedLength = MaxDNSUDPPacketSize
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
if serverInfo.RelayUDPAddr != nil && proto == "tcp" {
|
if serverInfo.RelayUDPAddr != nil && proto == "tcp" {
|
||||||
paddedLength = MaxDNSPacketSize
|
paddedLength = MaxDNSPacketSize
|
||||||
|
|
|
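Review bot: The commit's justification is that encrypted queries are never shorter than 256 bytes (dnsdist treats shorter ones as cleartext, per the description), but nothing in this hunk enforces that floor: `paddedLength` is only rounded up to the next 64-byte multiple of `Max(minQuestionSize, QueryOverhead)+1`, and on the branch that adds `xpad[0]` a short query plus a small random pad can round to 64 or 128 bytes unless `minQuestionSize` is seeded with a 256-byte minimum somewhere above the hunk, which is not visible here. If that floor is guaranteed elsewhere, record the invariant at the padding line, e.g. `// minQuestionSize never drops below the 256-byte DNSCrypt minimum; dnsdist discards shorter packets as unencrypted`; if it is not, apply the floor inside the `Max(...)` before the `& ^63` rounding rather than relying on the estimator. Encrypt's body starts and ends outside the hunk.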
@ -626,21 +626,14 @@ cache_neg_max_ttl = 600
|
||||||
# truncate reponses larger than questions as expected by the DNSCrypt protocol.
|
# truncate reponses larger than questions as expected by the DNSCrypt protocol.
|
||||||
# This prevents large responses from being received over UDP and over relays.
|
# This prevents large responses from being received over UDP and over relays.
|
||||||
#
|
#
|
||||||
# The `dnsdist` server software properly truncates DNSCrypt responses, but
|
# The `dnsdist` server software drops incoming packets larger than 1500 bytes.
|
||||||
# introduced a change in version 1.4.0 that inadvertently broke relaying for the
|
# They are aware of it and are working on a fix.
|
||||||
# same reason. They are aware of it and are working on a fix.
|
|
||||||
#
|
#
|
||||||
# The list below enables workarounds to make non-relayed usage more reliable
|
# The list below enables workarounds to make non-relayed usage more reliable
|
||||||
# until the servers are fixed.
|
# until the servers are fixed.
|
||||||
|
|
||||||
fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'quad9-dnscrypt-ip4-filter-alt', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-nofilter-alt', 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-filter-alt', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-dnscrypt-ip6-nofilter-alt', 'quad9-dnscrypt-ip6-nofilter-pri', 'cleanbrowsing-adult', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-security']
|
fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'quad9-dnscrypt-ip4-filter-alt', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-nofilter-alt', 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-filter-alt', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-dnscrypt-ip6-nofilter-alt', 'quad9-dnscrypt-ip6-nofilter-pri', 'cleanbrowsing-adult', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-security']
|
||||||
|
|
||||||
# Quad9 ignores the query instead of sending a truncated response when the
|
|
||||||
# response is larger than the question.
|
|
||||||
# Do not change that list until the bugs are fixed server-side.
|
|
||||||
|
|
||||||
larger_responses_dropped = ['quad9-dnscrypt-ip4-filter-alt', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-nofilter-alt', 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-filter-alt', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-dnscrypt-ip6-nofilter-alt', 'quad9-dnscrypt-ip6-nofilter-pri', 'cleanbrowsing-adult', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-security']
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -76,7 +76,6 @@ type Proxy struct {
|
||||||
queryMeta []string
|
queryMeta []string
|
||||||
routes *map[string][]string
|
routes *map[string][]string
|
||||||
serversBlockingFragments []string
|
serversBlockingFragments []string
|
||||||
serversDroppingLargerResponses []string
|
|
||||||
showCerts bool
|
showCerts bool
|
||||||
dohCreds *map[string]DOHClientCreds
|
dohCreds *map[string]DOHClientCreds
|
||||||
skipAnonIncompatbibleResolvers bool
|
skipAnonIncompatbibleResolvers bool
|
||||||
|
|
|
@ -32,8 +32,7 @@ type RegisteredServer struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
type ServerBugs struct {
|
type ServerBugs struct {
|
||||||
fragmentsBlocked bool
|
fragmentsBlocked bool
|
||||||
largerQueriesDropped bool
|
|
||||||
}
|
}
|
||||||
|
|
||||||
type DOHClientCreds struct {
|
type DOHClientCreds struct {
|
||||||
|
@ -327,13 +326,6 @@ func fetchDNSCryptServerInfo(proxy *Proxy, name string, stamp stamps.ServerStamp
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
for _, buggyServerName := range proxy.serversDroppingLargerResponses {
|
|
||||||
if buggyServerName == name {
|
|
||||||
knownBugs.largerQueriesDropped = true
|
|
||||||
dlog.Infof("Known bug in [%v]: truncated responses are not sent when a response is larger than the query", name)
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
relayUDPAddr, relayTCPAddr, err := route(proxy, name)
|
relayUDPAddr, relayTCPAddr, err := route(proxy, name)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return ServerInfo{}, err
|
return ServerInfo{}, err
|
||||||
|
|