Add option to go direct for failed certificate retrieval via relay (#1397)

* Add option to go direct for failed certificate retrieval via relay

* add direct_cert_fallback to example config file

Co-authored-by: yofiji <you@example.com>
yofiji 2020-07-03 10:58:36 +00:00 committed by GitHub
parent 5e2f1c4146
commit 7a6f1461f8
4 changed files with 14 additions and 5 deletions


@ -220,6 +220,7 @@ type AnonymizedDNSRouteConfig struct {
type AnonymizedDNSConfig struct {
Routes []AnonymizedDNSRouteConfig `toml:"routes"`
SkipIncompatible bool `toml:"skip_incompatible"`
DirectCertFallback bool `toml:"direct_cert_fallback"`
}
type BrokenImplementationsConfig struct {
@ -558,6 +559,7 @@ func ConfigLoad(proxy *Proxy, flags *ConfigFlags) error {
proxy.routes = &routes
}
proxy.skipAnonIncompatbibleResolvers = config.AnonymizedDNS.SkipIncompatible
proxy.anonDirectCertFallback = config.AnonymizedDNS.DirectCertFallback
if config.DoHClientX509AuthLegacy.Creds != nil {
dlog.Fatal("[tls_client_auth] has been renamed to [doh_client_x509_auth] - Update your config file.")


@ -34,9 +34,13 @@ func FetchCurrentDNSCryptCert(proxy *Proxy, serverName *string, proto string, pk
query := dns.Msg{}
query.SetQuestion(providerName, dns.TypeTXT)
if !strings.HasPrefix(providerName, "2.dnscrypt-cert.") {
if (relayUDPAddr != nil && !proxy.anonDirectCertFallback) {
dlog.Warnf("[%v] uses a non-standard provider name, enable direct cert fallback to use with a relay ('%v' doesn't start with '2.dnscrypt-cert.')", *serverName, providerName)
} else {
dlog.Warnf("[%v] uses a non-standard provider name ('%v' doesn't start with '2.dnscrypt-cert.')", *serverName, providerName)
relayUDPAddr, relayTCPAddr = nil, nil
}
}
tryFragmentsSupport := true
if knownBugs.fragmentsBlocked {
tryFragmentsSupport = false
@ -256,7 +260,7 @@ func dnsExchange(proxy *Proxy, proto string, query *dns.Msg, serverAddress strin
return bestOption.response, bestOption.rtt, bestOption.fragmentsBlocked, nil
}
if relayUDPAddr == nil {
if (relayUDPAddr == nil || !proxy.anonDirectCertFallback) {
if err == nil {
err = errors.New("Unable to reach the server")
}
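Review bot: The warning `dlog.Warnf("[%v] uses a non-standard provider name ('%v' doesn't start with '2.dnscrypt-cert.')", ...)` in the else branch is emitted both when no relay was configured and when a relay was configured but `direct_cert_fallback` clears it via `relayUDPAddr, relayTCPAddr = nil, nil`, so an operator who opted in gets no log line saying this certificate fetch now goes to the resolver directly instead of through the relay. Suggest a distinct message when `relayUDPAddr != nil`, e.g. `dlog.Warnf("[%v] uses a non-standard provider name ('%v' doesn't start with '2.dnscrypt-cert.') - fetching the certificate directly, bypassing the relay", *serverName, providerName)`. Both new conditions are wrapped in redundant parentheses (`if (relayUDPAddr != nil && !proxy.anonDirectCertFallback) {` and `if (relayUDPAddr == nil || !proxy.anonDirectCertFallback) {`), which gofmt strips. In the second hunk, when the fallback is enabled and the relay exchange has failed, control falls past the error return with `err` from the relay attempt still set; the direct retry path is outside the hunk, so I cannot confirm it resets or wraps that error. The bodies of FetchCurrentDNSCryptCert and dnsExchange both continue outside their hunks.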


@ -702,7 +702,9 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys
skip_incompatible = false
# If unable to get the certificate for a server via the relay fallback to getting it directly
# direct_cert_fallback = false
###############################
# DNS64 #
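Review bot: The new comment `# If unable to get the certificate for a server via the relay fallback to getting it directly` does not say what enabling the option gives up: the direct fetch contacts the resolver without the relay in between, so for that exchange the resolver is reached from the client's own address rather than the relay's. Suggest wording that states the trade-off, e.g. `# If the certificate cannot be retrieved via the relay, fall back to fetching it directly (the resolver is then contacted without the relay for that query)`. The current sentence also needs a comma after "relay".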


@ -83,6 +83,7 @@ type Proxy struct {
showCerts bool
dohCreds *map[string]DOHClientCreds
skipAnonIncompatbibleResolvers bool
anonDirectCertFallback bool
dns64Prefixes []string
dns64Resolvers []string
}