Use constant, but arbitrary long padding

dnscrypt-proxy/dnsutils.go

@@ -224,7 +224,10 @@ func addEDNS0PaddingIfNoneFound(msg *dns.Msg, unpaddedPacket []byte, paddingLen
 		}
 	}
 	ext := new(dns.EDNS0_PADDING)
-	padding := []byte("dnscrypt-proxy.padding:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmno")
+	padding := make([]byte, paddingLen)
+	for i := range padding {
+		padding[i] = 'X'
+	}
 	ext.Padding = padding[:paddingLen]
 	edns0.Option = append(edns0.Option, ext)
 	return msg.Pack()

dnscrypt-proxy/local-doh.go

@@ -57,7 +57,9 @@ func (handler localDoHHandler) ServeHTTP(writer http.ResponseWriter, request *ht
 		writer.WriteHeader(500)
 		return
 	}
-	padLen := 127 - (len(response)+127)&127
+	responseLen := len(response)
+	paddedLen := dohPaddedLen(responseLen)
+	padLen := responseLen - paddedLen
 	paddedResponse, err := addEDNS0PaddingIfNoneFound(&msg, response, padLen)
 	if err != nil {
 		return
@@ -84,3 +86,13 @@ func (proxy *Proxy) localDoHListener(acceptPc *net.TCPListener) {
 		dlog.Fatal(err)
 	}
 }
+
+func dohPaddedLen(unpaddedLen int) int {
+	boundaries := [...]int{64, 128, 192, 256, 320, 384, 512, 704, 768, 896, 960, 1024, 1088, 1152, 2688, 4080, MaxDNSPacketSize}
+	for _, boundary := range boundaries {
+		if boundary >= unpaddedLen {
+			return boundary
+		}
+	}
+	return unpaddedLen
+}