Add option to go direct for failed certificate retrieval via relay (#1397)
* Add option to go direct for failed certificate retrieval via relay * add direct_cert_fallback to example config file Co-authored-by: yofiji <you@example.com>
This commit is contained in:
parent
5e2f1c4146
commit
7a6f1461f8
|
@ -220,6 +220,7 @@ type AnonymizedDNSRouteConfig struct {
|
|||
type AnonymizedDNSConfig struct {
|
||||
Routes []AnonymizedDNSRouteConfig `toml:"routes"`
|
||||
SkipIncompatible bool `toml:"skip_incompatible"`
|
||||
DirectCertFallback bool `toml:"direct_cert_fallback"`
|
||||
}
|
||||
|
||||
type BrokenImplementationsConfig struct {
|
||||
|
@ -558,6 +559,7 @@ func ConfigLoad(proxy *Proxy, flags *ConfigFlags) error {
|
|||
proxy.routes = &routes
|
||||
}
|
||||
proxy.skipAnonIncompatbibleResolvers = config.AnonymizedDNS.SkipIncompatible
|
||||
proxy.anonDirectCertFallback = config.AnonymizedDNS.DirectCertFallback
|
||||
|
||||
if config.DoHClientX509AuthLegacy.Creds != nil {
|
||||
dlog.Fatal("[tls_client_auth] has been renamed to [doh_client_x509_auth] - Update your config file.")
|
||||
|
|
|
@ -34,9 +34,13 @@ func FetchCurrentDNSCryptCert(proxy *Proxy, serverName *string, proto string, pk
|
|||
query := dns.Msg{}
|
||||
query.SetQuestion(providerName, dns.TypeTXT)
|
||||
if !strings.HasPrefix(providerName, "2.dnscrypt-cert.") {
|
||||
if (relayUDPAddr != nil && !proxy.anonDirectCertFallback) {
|
||||
dlog.Warnf("[%v] uses a non-standard provider name, enable direct cert fallback to use with a relay ('%v' doesn't start with '2.dnscrypt-cert.')", *serverName, providerName)
|
||||
} else {
|
||||
dlog.Warnf("[%v] uses a non-standard provider name ('%v' doesn't start with '2.dnscrypt-cert.')", *serverName, providerName)
|
||||
relayUDPAddr, relayTCPAddr = nil, nil
|
||||
}
|
||||
}
|
||||
tryFragmentsSupport := true
|
||||
if knownBugs.fragmentsBlocked {
|
||||
tryFragmentsSupport = false
|
||||
|
@ -256,7 +260,7 @@ func dnsExchange(proxy *Proxy, proto string, query *dns.Msg, serverAddress strin
|
|||
return bestOption.response, bestOption.rtt, bestOption.fragmentsBlocked, nil
|
||||
}
|
||||
|
||||
if relayUDPAddr == nil {
|
||||
if (relayUDPAddr == nil || !proxy.anonDirectCertFallback) {
|
||||
if err == nil {
|
||||
err = errors.New("Unable to reach the server")
|
||||
}
|
||||
|
|
|
@ -702,7 +702,9 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys
|
|||
|
||||
skip_incompatible = false
|
||||
|
||||
# If unable to get the certificate for a server via the relay fallback to getting it directly
|
||||
|
||||
# direct_cert_fallback = false
|
||||
|
||||
###############################
|
||||
# DNS64 #
|
||||
|
|
|
@ -83,6 +83,7 @@ type Proxy struct {
|
|||
showCerts bool
|
||||
dohCreds *map[string]DOHClientCreds
|
||||
skipAnonIncompatbibleResolvers bool
|
||||
anonDirectCertFallback bool
|
||||
dns64Prefixes []string
|
||||
dns64Resolvers []string
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue