Frank Denis
6b6c6753aa
Revert struct packing changes for the configuration
...
structlop is nice, but strips renames
2020-11-14 15:34:03 +01:00
Frank Denis
4fa643ef4d
Repack structures to save some memory
2020-11-14 14:46:59 +01:00
Frank Denis
272984a640
Add support for EDNS-client-subnet
...
Fixes #1471
2020-09-18 00:11:26 +02:00
Frank Denis
8411e5a91b
Revert "Error out if the dns64 plugin is enabled without listening sockets"
...
This reverts commit b02649f774.
2020-09-17 00:45:48 +02:00
Frank Denis
b02649f774
Error out if the dns64 plugin is enabled without listening sockets
2020-09-17 00:19:00 +02:00
Frank Denis
d175642df3
Quad9 seems to have upgraded their dnsdist version!
2020-08-31 17:13:14 +02:00
Frank Denis
4424602e39
Start experimenting with better support for captive portals
...
MacOS (and probably Windows and other systems) tries to fetch a URL
before marking a network interface as available.
During this time, applications cannot use the interface at all, not
even bind their address.
When DNS queries are sent to dnscrypt-proxy, this causes the system
to wait for a response that can't come from the network, since we
hit a deadlock here.
The only option is to return hard-coded responses directly until
the interface is available.
The same captive portal configuration file can also serve a different
purpose.
Once the network is available, captive portal detection may not
work as expected if the answer is cached for too long. In fact, it
probably can't work at all since routers can't hijack DNS queries.
One thing we can do is redirect the list of names used for captive
portal detection to the fallback resolvers. This may allow detection
to work as expected while still using a secure channel for all
other queries.
2020-08-03 18:05:42 +02:00
Alison Winters
617629c180
initialize the log file before reporting config errors (#1426)
...
* initialize the log file before reporting config errors
* consistently return error instead of calling dlog.Fatal when parsing config
2020-07-27 16:01:44 +02:00
Frank Denis
d3ff3a6bb1
Remove facebookgo/{atomicfile,pidfile}
...
Fixes #1411
2020-07-10 14:37:35 +02:00
yofiji
7a6f1461f8
Add option to go direct for failed certificate retrieval via relay (#1397)
...
* Add option to go direct for failed certificate retrieval via relay
* add direct_cert_fallback to example config file
Co-authored-by: yofiji <you@example.com>
2020-07-03 12:58:36 +02:00
Ian Bashford
b089d49d25
ConfigFile change to allowlist and blocklist (#1375)
...
* ConfigFile change to allowlist and blocklist
* revised names and warnings
* consistent file naming in kebab case, and generic use of blocklist and allowlist in comments for clarity
* update ci files
Co-authored-by: Ian Bashford <ianbashford@gmail.com>
2020-06-26 23:18:30 +02:00
Frank Denis
d55421df96
Don't bind listening sockets with the -list/-list-all options
...
Fixes https://github.com/Homebrew/homebrew-core/pull/55998
2020-06-11 11:41:17 +02:00
Frank Denis
4f47cd0f4f
Avoid implicit memory aliasing in for loop
2020-06-11 11:10:33 +02:00
Frank Denis
5416891056
Temporarily parse [tls_client_auth] for backward compatibility
...
Document the change.
Fixes #1355
2020-06-10 11:37:03 +02:00
Frank Denis
adcdcffdec
Skip netprobe & listeners when -show-cert or -check are used
...
Fixes #1354
2020-06-10 11:01:59 +02:00
Frank Denis
8945cb1b90
Add log_file_latest
2020-06-08 22:31:03 +02:00
s-s
f48b13f7b8
Add DNS64 support
2020-06-08 18:42:54 +02:00
Kevin O'Sullivan
5db4365540
Adding support for additional root CAs for DoH TLS Auth (#1281)
2020-06-08 18:01:40 +02:00
Frank Denis
1f6d8cc53c
Nits
2020-05-31 13:46:44 +02:00
lifenjoiner
c4a13d25ce
Fallback to cache_file avoiding termination for not offline_mode (#1332)
...
Ignore downloading error from `NewSource` when startup (cache loaded).
2020-05-30 07:38:04 +01:00
Frank Denis
82f78ef4fa
s/BrokenQueryPadding/FragmentsBlocked/
...
Maybe fixes #1323
2020-05-19 15:57:56 +02:00
Frank Denis
3e264b9da9
Rename tls_client_auth to doh_client_x509_auth
...
Maybe improves clarity? I can never remember what tls_client_auth does.
2020-04-26 21:21:00 +02:00
Frank Denis
52f87aee8e
Accept data from systemd sockets at the same time as everything else
2020-04-26 15:00:39 +02:00
Frank Denis
4029d3d4f3
proxy.dropPrivilege() doesn't return on success
2020-04-26 14:49:43 +02:00
Frank Denis
9519472bbe
Don't print the proxy version in the child
2020-04-20 12:34:59 +02:00
Frank Denis
6f2dcb900a
Drop privileges early
...
Fixes #1265
2020-04-20 12:27:53 +02:00
Frank Denis
74095d38ed
Remove LargerResponsesDropped
...
dnsdist drops DNSCrypt queries shorter than 256 bytes, interpreting them
as not being encrypted instead. This is surprising when doing ad-hoc
testing, but absolutely fine, and we will never send shorter encrypted
queries under normal circumstances.
So, remove a useless knob.
2020-03-26 17:20:34 +01:00
Frank Denis
b3fbc2304d
All dnsdist servers exhibit the same behavior re: sending truncated responses
...
A 128-byte query will not get a 200-byte response (randomly tested on
3.tlu.dl.delivery.mp.microsoft.com), not even a truncated one.
It may be related to fragments being blocked on the server socket, or a
different issue. We can expect everything to be back to normal in dnsdist
1.5.0 no matter what.
2020-03-26 15:19:17 +01:00
Frank Denis
5049516f53
Add an option to ignore servers incompatible with anonymization
2020-03-26 13:41:57 +01:00
Frank Denis
ad36321dc8
Add cleanbrowsing until dnsdist 1.5.0 is out
2020-03-26 12:31:12 +01:00
Frank Denis
8896787e66
Add other dnsdist servers until the MTU issue is fixed
...
https://github.com/PowerDNS/pdns/pull/7410
2020-03-26 10:57:09 +01:00
Frank Denis
7424f1a8b7
Try harder to work around Cisco and Quad9 bugs
2020-03-25 20:10:11 +01:00
Frank Denis
25b89e57ae
Add Quad9 back to the list of servers with broken padding
2020-03-25 18:11:16 +01:00
Frank Denis
c4287c799f
Quad9 doesn't seem to block fragments on all networks
...
So, remove them from the static list and trust the runtime checks
for detection.
2020-03-24 14:32:23 +01:00
Frank Denis
d876c7b487
Keep the default LB strategy if an invalid p* one is used
2020-03-20 20:53:03 +01:00
Frank Denis
34d83f027f
Support power-of-<arbitrary number>
2020-03-20 17:49:32 +01:00
Frank Denis
b57cc19d70
Use an interface for load-balancing strategies
2020-03-20 17:37:34 +01:00
Frank Denis
49910d2f72
Localize some error values
2020-03-13 18:44:30 +01:00
Kevin O'Sullivan
c040b13d59
Adding the ability to do TLS client authentication for DoH (#1203)
...
* Adding the ability to do TLS client authentication for DoH
* whitespace nit
* Check for server specific creds before wildcard
* small comma ok idiom change
2020-03-09 22:11:53 +01:00
Frank Denis
a6d946c41f
Shorten the default broken_query_padding list
2020-02-21 20:33:13 +01:00
Frank Denis
4608b6d18d
Add Quad9 to the broken_query_padding list
...
Fixes #1169
2020-02-21 20:31:45 +01:00
Frank Denis
7ada3fcfb8
Support multiple fallback resolvers
2020-01-15 19:58:14 +01:00
Frank Denis
66799c4159
Add the ability to block undelegated DNS zones
...
Using the generic pattern matcher as a first iteration, but we can
save some memory and CPU cycles by building and using a critbit tree
directly.
2019-12-16 16:18:47 +01:00
Frank Denis
c1202457bf
Json -> JSON
2019-12-11 14:08:48 +01:00
Frank Denis
3b4d6c532d
A URL path must start with a /
2019-12-10 16:04:37 +01:00
Frank Denis
a635e92606
Add a new plugin to block unqualified host names
2019-12-09 20:25:38 +01:00
milgradesec
8efbf401c8
add error checks
2019-12-09 12:50:30 +01:00
Frank Denis
ba8565a59e
Shorten conditions
2019-12-09 10:07:05 +01:00
milgradesec
96d15771e2
add multiple error checks
2019-12-09 09:56:47 +01:00
Frank Denis
3b50caf4cd
Add a default local DoH path, print the URLs
2019-11-29 08:53:13 +01:00
Frank Denis
f18dbc71ec
Make the local DoH path configurable
2019-11-28 23:49:28 +01:00
Frank Denis
6a679cc543
Move local DoH configuration to its own section
2019-11-28 17:04:29 +01:00
Frank Denis
be996c486f
Local DoH support, continued
2019-11-28 16:46:25 +01:00
Frank Denis
f249813cc5
First bits towards providing access over DoH in addition to DNS
...
Mainly to deal with the Firefox+ESNI situation
2019-11-24 22:46:27 +01:00
Frank Denis
b03e7f993f
Add a default list of buggy servers
2019-11-17 21:44:46 +01:00
Frank Denis
ca7e5e5bcb
Rename a few things
2019-11-17 15:07:40 +01:00
Frank Denis
15b405b552
Support workarounds for ancient/broken implementations
...
Fixes #984
2019-11-16 18:51:16 +01:00
Frank Denis
a31e7c0c61
Avoid ridiculously low values for proxy.certRefreshDelay
2019-11-08 22:51:04 +01:00
William Elwood
f6f1a75884
Improve logging by keeping a Source's configured name on the struct
2019-11-08 10:17:12 +01:00
William Elwood
7e73a26a2f
Move most of the prefetching code into sources.go
...
The proxy shouldn't need to know how prefetching works, just that it needs to do it occasionally. Now the prefetching algorithm can be refactored without having to touch the proxy code.
2019-11-08 10:17:12 +01:00
William Elwood
78f2dead79
Move prefetch URLs onto Source struct
...
This is mostly in preparation for further refactoring, but does reduce the number of return values from `NewSource()` too.
2019-11-08 10:17:12 +01:00
Frank Denis
b30904f20b
lowercase
2019-11-01 23:06:42 +01:00
Frank Denis
8d191cdcf1
Rename CheckResolver to IsIPAndPort for clarity
2019-11-01 23:05:17 +01:00
Alison Winters
2f7e057996
move flags parsing into main()
2019-10-31 18:55:44 +01:00
Frank Denis
3a68f90c37
Back to 2.0.29 beta 3 (ceed905196)
2019-10-31 17:50:19 +01:00
Alison Winters
9eae8de902
fix the file not found error message when passing -config
2019-10-31 09:53:44 +01:00
Alison Winters
b80e4957d1
move flags parsing into main()
2019-10-31 09:53:44 +01:00
Frank Denis
778b2cccc1
Revert "move ConfigLoad into Start function when running as a service"
...
This reverts commit 9aeec3478f.
2019-10-30 08:02:31 +01:00
Alison Winters
9aeec3478f
move ConfigLoad into Start function when running as a service
2019-10-28 15:29:02 +01:00
Vladimir Bauer
6680faf665
make sure tcp/udp Conn are closed on stop signal
2019-10-25 12:56:34 +02:00
Frank Denis
f60395390e
Typo
2019-10-23 23:30:39 +02:00
Frank Denis
e5f3eff760
Add DNS stamps to JSON output
2019-10-23 23:28:46 +02:00
Frank Denis
a26b2b42f0
Rename negTTL to rejectTTL to avoid confusion with cacheNegTTL
2019-10-21 18:26:49 +02:00
Markus Linnala
bb01595320
feature: Add neg_ttl for rejected entries and cloak_ttl for cloaking-rules entries
...
Previously cache_min_ttl was used. But one can certainly set
cache_min_ttl to 0, but still ensure synthetic values have ttl.
Hence new config file options.
2019-10-21 18:12:49 +02:00
Markus Linnala
d14d78e648
fix: xtransport: Check 'fallback_resolver'
...
And also DefaultFallbackResolver.
As far as I could see, value needs to have port defined
too. dns.Exchange does seem to use address as such.
2019-10-21 18:12:49 +02:00
Markus Linnala
6ba2ff4fdc
cleanup: config: rename static config as StaticsConfig
...
Naming similar as SourcesConfig.
2019-10-20 21:30:24 +02:00
Frank Denis
5c28950578
Bump the default timeout up
...
Because, yes, some networks have a lot of latency
2019-10-20 19:22:02 +02:00
Frank Denis
320197a00e
Accept relay names in routes, improve documentation
2019-10-20 14:19:21 +02:00
Frank Denis
94cf37dacf
Do the netprobe even in offline mode
...
This is likely to be required at least on Windows.
2019-10-18 20:34:26 +02:00
Markus Linnala
0d553a9fa7
cleanup: Drop ExtractPort ExtractHost, use ExtractHostAndPort instead
2019-10-18 20:24:11 +02:00
Markus Linnala
8c6a968e27
change: config: handle NetProbe fatal error and run only if not offline
...
All errors returned from NetProbe are managed as fatal later.
Decide, connection issues are not fatal but bad configuration is.
Without this configuration errors are silently ignored here.
2019-10-18 20:24:11 +02:00
Markus Linnala
32c387318a
cleanup: config: drop duplicate code in showCerts setup
2019-10-18 20:24:11 +02:00
Markus Linnala
5e5d1059d7
change: config: cache_max_expire default value from 8600 to 86400
2019-10-18 20:24:11 +02:00
Frank Denis
322447aa91
Support multiple routes per destination
2019-10-14 12:08:47 +02:00
Frank Denis
e9ec2aa801
Log anonymized DNS routes
2019-10-14 11:02:13 +02:00
Frank Denis
0e8ca9009e
Implement Anonymized DNS
2019-10-14 01:45:38 +02:00
Frank Denis
6513818cb3
Continue if some (but not all) server entries are invalid
...
Diff by @alisonatwork -- thanks!
Fixes #949
2019-10-06 09:13:37 +02:00
Frank Denis
776e0d7ccc
New feature: query_meta
2019-09-07 16:19:47 +02:00
Frank Denis
208c67b53b
Print the version before the netprobe
...
Fixes #901
2019-09-07 11:30:46 +02:00
James Newell
5812cb2fe4
fold 'refused_code_in_responses' and 'respond_with_ip' options into a new option 'blocked_query_response'
2019-07-17 12:12:28 +02:00
James Newell
87bbfbfc10
add new option: 'respond_with_ip'
2019-07-17 12:12:28 +02:00
Frank Denis
0569c75596
Propagate mainProto to xTransport
...
Fixes #880
2019-07-10 13:13:28 +02:00
Frank Denis
ad05fd6f21
Directly dlog.Fatalf() if an invalid static stamp is given
2019-07-06 18:04:02 +02:00
Frank Denis
d2aa521369
Add a command-line option to print the server certificate hashes
2019-06-07 01:23:48 +02:00
Frank Denis
a060407db1
Use a different address than 255.255.255.0 for netprobes
...
Windows doesn't seem to like this address.
Also default to the fallback resolver IP if there is one and
no netprobe_address option in the configuration file.
Fix netprobe_timeout = -1 by the way
2019-06-04 01:37:59 +02:00
Frank Denis
30f2a4fd6b
Misc fixes
...
- Set LBEstimator to true by default
- Shuffle the servers list at startup
- Add the server name to the query log
2019-06-03 16:49:06 +02:00
Frank Denis
9e2a945fff
Print the sorted list of latencies
...
Add an option to disable the load-balancing estimator
2019-06-03 13:04:59 +02:00
Frank Denis
a417f0d282
Use 255.255.255.0 as the default netprobe address
2019-06-03 12:22:53 +02:00
Frank Denis
2e89c8da01
Rename LbStrategyFastest to LbStrategyFirst
2019-06-02 13:24:24 +02:00
Frank Denis
b22d6dfc96
Send a byte to the netprobe IP only on Windows
2019-05-31 11:15:59 +02:00