Frank Denis
f18dbc71ec
Make the local DoH path configurable
2019-11-28 23:49:28 +01:00
Frank Denis
6a679cc543
Move local DoH configuration to its own section
2019-11-28 17:04:29 +01:00
Frank Denis
be996c486f
Local DoH support, continued
2019-11-28 16:46:25 +01:00
Frank Denis
f249813cc5
First bits towards providing access over DoH in addition to DNS
...
Mainly to deal with the Firefox+ESNI situation
2019-11-24 22:46:27 +01:00
Frank Denis
b03e7f993f
Add a default list of buggy servers
2019-11-17 21:44:46 +01:00
Frank Denis
ca7e5e5bcb
Rename a few things
2019-11-17 15:07:40 +01:00
Frank Denis
15b405b552
Support workarounds for ancient/broken implementations
...
Fixes #984
2019-11-16 18:51:16 +01:00
Frank Denis
a31e7c0c61
Avoid ridiculously low values for proxy.certRefreshDelay
2019-11-08 22:51:04 +01:00
William Elwood
f6f1a75884
Improve logging by keeping a Source's configured name on the struct
2019-11-08 10:17:12 +01:00
William Elwood
7e73a26a2f
Move most of the prefetching code into sources.go
...
The proxy shouldn't need to know how prefetching works, just that it needs to do it occasionally. Now the prefetching algorithm can be refactored without having to touch the proxy code.
2019-11-08 10:17:12 +01:00
William Elwood
78f2dead79
Move prefetch URLs onto Source struct
...
This is mostly in preparation for further refactoring, but does reduce the number of return values from `NewSource()` too.
2019-11-08 10:17:12 +01:00
Frank Denis
b30904f20b
lowercase
2019-11-01 23:06:42 +01:00
Frank Denis
8d191cdcf1
Rename CheckResolver to IsIPAndPort for clarity
2019-11-01 23:05:17 +01:00
Alison Winters
2f7e057996
move flags parsing into main()
2019-10-31 18:55:44 +01:00
Frank Denis
3a68f90c37
Back to 2.0.29 beta 3 (ceed905196)
2019-10-31 17:50:19 +01:00
Alison Winters
9eae8de902
fix the file not found error message when passing -config
2019-10-31 09:53:44 +01:00
Alison Winters
b80e4957d1
move flags parsing into main()
2019-10-31 09:53:44 +01:00
Frank Denis
778b2cccc1
Revert "move ConfigLoad into Start function when running as a service"
...
This reverts commit 9aeec3478f.
2019-10-30 08:02:31 +01:00
Alison Winters
9aeec3478f
move ConfigLoad into Start function when running as a service
2019-10-28 15:29:02 +01:00
Vladimir Bauer
6680faf665
make sure tcp/udp Conn are closed on stop signal
2019-10-25 12:56:34 +02:00
Frank Denis
f60395390e
Typo
2019-10-23 23:30:39 +02:00
Frank Denis
e5f3eff760
Add DNS stamps to JSON output
2019-10-23 23:28:46 +02:00
Frank Denis
a26b2b42f0
Rename negTTL to rejectTTL to avoid confusion with cacheNegTTL
2019-10-21 18:26:49 +02:00
Markus Linnala
bb01595320
feature: Add neg_ttl for rejected entries and cloak_ttl for cloaking-rules entries
...
Previously cache_min_ttl was used. But one can certainly set
cache_min_ttl to 0, but still ensure synthetic values have a ttl.
Hence the new config file options.
2019-10-21 18:12:49 +02:00
Markus Linnala
d14d78e648
fix: xtransport: Check 'fallback_resolver'
...
And also DefaultFallbackResolver.
As far as I could see, the value needs to have a port defined
too. dns.Exchange does seem to use the address as such.
2019-10-21 18:12:49 +02:00
Markus Linnala
6ba2ff4fdc
cleanup: config: rename static config as StaticsConfig
...
Naming similar as SourcesConfig.
2019-10-20 21:30:24 +02:00
Frank Denis
5c28950578
Bump the default timeout up
...
Because, yes, some networks have a lot of latency
2019-10-20 19:22:02 +02:00
Frank Denis
320197a00e
Accept relay names in routes, improve documentation
2019-10-20 14:19:21 +02:00
Frank Denis
94cf37dacf
Do the netprobe even in offline mode
...
This is likely to be required at least on Windows.
2019-10-18 20:34:26 +02:00
Markus Linnala
0d553a9fa7
cleanup: Drop ExtractPort ExtractHost, use ExtractHostAndPort instead
2019-10-18 20:24:11 +02:00
Markus Linnala
8c6a968e27
change: config: handle NetProbe fatal error and run only if not offline
...
All errors returned from NetProbe are managed as fatal later.
Decision: connection issues are not fatal, but bad configuration is.
Without this, configuration errors are silently ignored here.
2019-10-18 20:24:11 +02:00
Markus Linnala
32c387318a
cleanup: config: drop duplicate code in showCerts setup
2019-10-18 20:24:11 +02:00
Markus Linnala
5e5d1059d7
change: config: cache_max_expire default value from 8600 to 86400
2019-10-18 20:24:11 +02:00
Frank Denis
322447aa91
Support multiple routes per destination
2019-10-14 12:08:47 +02:00
Frank Denis
e9ec2aa801
Log anonymized DNS routes
2019-10-14 11:02:13 +02:00
Frank Denis
0e8ca9009e
Implement Anonymized DNS
2019-10-14 01:45:38 +02:00
Frank Denis
6513818cb3
Continue if some (but not all) server entries are invalid
...
Diff by @alisonatwork -- thanks!
Fixes #949
2019-10-06 09:13:37 +02:00
Frank Denis
776e0d7ccc
New feature: query_meta
2019-09-07 16:19:47 +02:00
Frank Denis
208c67b53b
Print the version before the netprobe
...
Fixes #901
2019-09-07 11:30:46 +02:00
James Newell
5812cb2fe4
fold 'refused_code_in_responses' and 'respond_with_ip' options into a new option 'blocked_query_response'
2019-07-17 12:12:28 +02:00
James Newell
87bbfbfc10
add new option: 'respond_with_ip'
2019-07-17 12:12:28 +02:00
Frank Denis
0569c75596
Propagate mainProto to xTransport
...
Fixes #880
2019-07-10 13:13:28 +02:00
Frank Denis
ad05fd6f21
Directly dlog.Fatalf() if an invalid static stamp is given
2019-07-06 18:04:02 +02:00
Frank Denis
d2aa521369
Add a command-line option to print the server certificate hashes
2019-06-07 01:23:48 +02:00
Frank Denis
a060407db1
Use a different address than 255.255.255.0 for netprobes
...
Windows doesn't seem to like this address.
Also default to the fallback resolver IP if there is one and
no netprobe_address option in the configuration file.
Fix netprobe_timeout = -1 by the way
2019-06-04 01:37:59 +02:00
Frank Denis
30f2a4fd6b
Misc fixes
...
- Set LBEstimator to true by default
- Shuffle the servers list at startup
- Add the server name to the query log
2019-06-03 16:49:06 +02:00
Frank Denis
9e2a945fff
Print the sorted list of latencies
...
Add an option to disable the load-balancing estimator
2019-06-03 13:04:59 +02:00
Frank Denis
a417f0d282
Use 255.255.255.0 as the default netprobe address
2019-06-03 12:22:53 +02:00
Frank Denis
2e89c8da01
Rename LbStrategyFastest to LbStrategyFirst
2019-06-02 13:24:24 +02:00
Frank Denis
b22d6dfc96
Send a byte to the netprobe IP only on Windows
2019-05-31 11:15:59 +02:00
Mathias Berchtold
cf261da79a
Fix netProbe write check
...
Write at least 1 byte. This ensures that sockets are ready to use for writing.
Windows specific: during the system startup, sockets can be created but the underlying buffers may not be set up yet. If this is the case, Write fails with WSAENOBUFS: "An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full".
This fixes: https://github.com/jedisct1/dnscrypt-proxy/issues/841
2019-05-31 11:05:22 +02:00
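The write check described in the commit above, as an added Go example that is not dnscrypt-proxy's code: it dials the probe address over UDP, writes one byte, and retries once a second until the write succeeds or the timeout elapses. The `probeDeps` injection, the `netProbe`/`probeOnce` names, the meaning given to a 0 or negative timeout, and the example address 9.9.9.9:53 are assumptions made for this example; the project's own commit sends the byte only on Windows, while this code sends it on every platform. It also keeps a misconfigured address (returned as an error, to be treated as fatal) apart from a network that never came up (returned as ok == false), the distinction the "handle NetProbe fatal error" commit in this log draws.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"time"
)

// probeConn is the subset of net.Conn the probe needs; net.Conn satisfies it,
// and a fake can stand in for it when the retry logic is exercised offline.
type probeConn interface {
	Write(b []byte) (int, error)
	Close() error
}

// probeDeps injects the side effects (assumed structure, not the project's).
type probeDeps struct {
	dial  func(network, address string) (probeConn, error)
	sleep func(d time.Duration)
	now   func() time.Time
}

// realDeps uses the operating system network stack and the wall clock.
func realDeps() probeDeps {
	return probeDeps{
		dial: func(network, address string) (probeConn, error) {
			c, err := net.DialTimeout(network, address, 2*time.Second)
			return c, err
		},
		sleep: time.Sleep,
		now:   time.Now,
	}
}

// probeOnce opens a UDP socket to address and writes a single byte. Opening
// the socket alone only proves a route exists; the byte matters because, on
// Windows during boot, the socket can exist before its buffers are set up and
// only a real write fails (WSAENOBUFS), which an empty write would not expose.
func probeOnce(address string, dial func(string, string) (probeConn, error)) bool {
	conn, err := dial("udp", address)
	if err != nil {
		return false
	}
	defer conn.Close()
	_, err = conn.Write([]byte{0})
	return err == nil
}

// netProbe retries probeOnce once per second until it succeeds or timeoutSecs
// elapse. Assumed semantics: 0 disables the probe, a negative value waits
// indefinitely. It returns the number of attempts, whether connectivity was
// detected, and an error only for a bad address: misconfiguration is fatal for
// the caller, whereas a network that never came up is just ok == false.
func netProbe(address string, timeoutSecs int, deps probeDeps) (int, bool, error) {
	if timeoutSecs == 0 {
		return 0, true, nil
	}
	if _, _, err := net.SplitHostPort(address); err != nil {
		return 0, false, fmt.Errorf("netprobe_address %q: %w", address, err)
	}
	start := deps.now()
	limit := time.Duration(timeoutSecs) * time.Second
	for attempts := 1; ; attempts++ {
		if probeOnce(address, deps.dial) {
			return attempts, true, nil
		}
		if timeoutSecs > 0 && deps.now().Sub(start) >= limit {
			return attempts, false, nil
		}
		deps.sleep(time.Second)
	}
}

func main() {
	// 9.9.9.9:53 is a reachable public resolver chosen for this example only.
	attempts, ok, err := netProbe("9.9.9.9:53", 5, realDeps())
	if err != nil {
		fmt.Fprintln(os.Stderr, "fatal:", err)
		os.Exit(1)
	}
	if ok {
		fmt.Printf("Network connectivity detected after %d attempt(s)\n", attempts)
	} else {
		fmt.Printf("No network connectivity after %d attempt(s), starting anyway\n", attempts)
	}
}
```

Injecting `dial`, `sleep` and `now` is what makes the "socket opens but the write fails" path testable without a Windows box: a fake connection whose Write always errors reproduces the WSAENOBUFS symptom and shows the probe keeps retrying instead of declaring the network up.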
Mathias Berchtold
7c8e20a533
netProbe: Always log Network connectivity detected
...
In the netProbe function, always log whether network connectivity is detected or not.
2019-05-30 22:28:57 +02:00
Frank Denis
578c090890
Send an empty packet to the probe
...
This seems to be required on Windows.
Also add the ability to wait for up to an hour.
2019-05-28 13:22:11 +02:00
Frank Denis
d143ae5279
Set the main protocol to TCP when using a SOCKS proxy
2019-04-14 13:41:43 +02:00
Frank Denis
25ac94e7b2
Revert "Add Stretch-Hash-and-Truncate option for extreme DNS privacy"
...
This reverts commit 2d1dd7eaab.
2019-04-02 01:57:48 +02:00
Frank Denis
2d1dd7eaab
Add Stretch-Hash-and-Truncate option for extreme DNS privacy
...
This works over DNSCrypt and DoH, but requires a specifically configured
server.
Instead of sending the actual DNS queries, the SH-T system works as follows:
Step 1: the client query is evaluated through Argon2id, a military-grade,
memory-hard, CPU-hard stretching function. This makes it very expensive
for an attacker to find the original query, even using GPUs and ASICs.
For post-quantum resistance, we use it to generate a 1024-bit key.
Step 2: in case the Argon2id algorithm has a vulnerability, or, since this
is a popular function used for hashing passwords and for cryptocurrencies,
and people may have built rainbow tables already, we use a hash function over
the result of the previous function. This immediately defeats rainbow tables.
Step 3: the output of the hash function is truncated to 64-bit.
Due to a property of this operation known as collision-misresistance, and even
if the previous steps fail due to a nation-state actor, it is impossible for a
server operator to prove what exact query was originally sent by a client.
This feature is experimental.
2019-04-01 09:36:56 +02:00
Frank Denis
c10fbb2aa7
+ disabled_server_names
...
Fixes #735
2019-02-23 14:54:22 +01:00
Frank Denis
a726a40dc5
Add refused_code_in_responses
...
Fixes #737
2019-02-23 00:58:25 +01:00
Frank Denis
c52b3ef124
Bump the netprobe timeout up to 60 seconds
2018-11-22 17:24:41 +01:00
Frank Denis
7174fdc8c8
Do not always override the netprobe_timeout option from config file
...
Fixes #641
2018-11-16 18:13:39 +01:00
Frank Denis
2e147364e9
Add support for HTTP/HTTPS proxies
...
Fixes #638
2018-11-15 18:47:33 +01:00
Frank Denis
e48779c2eb
Make the network timeout configurable via the command line
...
Fixes #619
2018-11-15 14:24:26 +01:00
Frank Denis
844057d9df
Revert "Revert "Remove pledge(2) support""
...
This reverts commit a24cb0d900.
2018-08-23 00:44:32 +02:00
Frank Denis
a24cb0d900
Revert "Remove pledge(2) support"
...
This reverts commit bc3215a8a6.
2018-08-15 17:56:33 +02:00
Frank Denis
bc3215a8a6
Remove pledge(2) support
...
Fixes #571
2018-08-15 17:53:36 +02:00
Frank Denis
dc602512ff
Don't call PledgeChild() too early
2018-07-07 21:03:08 +02:00
Frank Denis
09baa3c40b
Store the userName value again
2018-07-07 17:58:37 +00:00
Frank Denis
1019428ca0
username -> user_name
...
in case we want to add user_group and whatnot.
Remove the command-line option as it hides the caveats documented
in the configuration file.
Remove TODO. TODO statements always remain in that state forever.
2018-07-07 17:39:33 +02:00
Frank Denis
c73e95256d
Implement an offline mode
...
Fixes #528
2018-07-05 18:05:24 +02:00
Frank Denis
09e39c785a
Keep the process running in foreground to avoid a breaking change/allow monitoring
...
This currently doesn't replace the previous process. Maybe there is a way to achieve
this in Go. Need to look closer at os.exec
Also start-child -> child
2018-06-13 17:24:16 +02:00
Sebastian Schmidt
aab7e6380f
Drop privileges with exec (#467)
...
* Drop privileges with exec and SysProcAttr
* Fix windows build
* Fix passing logfile fd
2018-06-13 16:52:41 +02:00
Frank Denis
0166f21b27
Add built-in support for Tor
2018-06-06 15:54:51 +02:00
Frank Denis
33537be040
Use a netprobe address less likely to be blocked/considered invalid
2018-05-19 00:06:28 +02:00
Frank Denis
ce62981c44
Wait for network connectivity before starting the proxy
2018-05-10 21:59:25 +02:00
Frank Denis
3d67c81697
Deps update
2018-04-18 18:58:39 +02:00
Frank Denis
f63dc17f90
stamps -> dnsstamps
2018-04-18 18:47:10 +02:00
gdm85
eb5f391fa6
Split stamps into package
2018-04-18 18:36:47 +02:00
Frank Denis
b1447160a0
Add cache_neg_min_ttl and cache_neg_max_ttl
2018-04-17 00:24:49 +02:00
B00ze64
cbc9152f19
Tiny typo in error message (#350)
...
Tiny typo, missing TO in "Unable to use source"
2018-04-12 10:05:58 +02:00
Frank Denis
d559301377
Bump default cache size
2018-04-10 13:24:13 +02:00
Frank Denis
ca80b69b3a
Re-implement ephemeral keys for DNSCrypt
2018-04-09 03:12:34 +02:00
Frank Denis
65e6b8569e
Implement whitelists
...
Fixes #293
2018-04-07 23:02:40 +02:00
Frank Denis
77d1b6d075
Spacing
2018-04-07 22:33:40 +02:00
Frank Denis
fbe91ee58b
No need to initialize xTransport before we have all the parameters
2018-04-07 22:33:11 +02:00
Frank Denis
1fa3e5d7f3
Add options to set the cipher suite as well as disable session tickets
2018-04-07 22:23:29 +02:00
Frank Denis
2d27eabf95
Revert "Add a -v flag"
...
This reverts commit d8c95aaca8.
2018-04-06 03:03:27 +02:00
Frank Denis
d8c95aaca8
Add a -v flag
...
Fixes #317
But makes me grumpy, because -v usually means `verbose` to me.
2018-04-06 03:01:42 +02:00
Frank Denis
a938eeff7b
Mainly revert 869d44c30e
...
Fixing #304 doesn't look trivial
The service module needs to know the arguments right away.
The arguments haven't been parsed yet. And if we do, we will prevent
further arguments from being added to the set. Including the ones added
by the service module itself.
So, we have quite a circular dependency here.
If someone with some Go knowledge can fix that, that would be amazing.
But it's probably never going to happen.
Meanwhile, we can try to save the current directory and document
that we have to be in that directory when running the install command.
Which is not going to work on Windows, so this is a big fucking mess
2018-04-03 20:15:33 +02:00
Frank Denis
c88e480a15
Include the -config option in the installed service
...
Untested on Linux and Windows. Fear.
Fixes #304
2018-04-03 19:42:27 +02:00
Frank Denis
308ffff739
Make the keepalive configurable
...
Fixes #300
2018-04-02 01:49:09 +02:00
Frank Denis
adb0c94a61
April 1st is already over in some time zones :)
...
This reverts commit dac52ab42a.
2018-04-01 16:35:32 +02:00
Frank Denis
dac52ab42a
Completely remove support for the DNSCrypt protocol
2018-04-01 04:04:12 +02:00
Frank Denis
ede564ccf7
Support multiple URLs for a given source
...
Fixes #265
2018-03-28 13:36:19 +02:00
Frank Denis
e09f0875c1
Add the list of addresses to the -list -json output
2018-03-28 12:22:37 +02:00
Frank Denis
7f221afeff
Don't assume that DoH servers use port 443
2018-03-28 11:52:04 +02:00
Frank Denis
577ac5c91a
When using a fallback resolver, favor IPv6 for DoH servers if use_ipv6 is set
...
Fixes #153
2018-03-21 09:05:30 +01:00
Frank Denis
22f69a475a
Don't assume IPv6 or IPv4 about DoH servers
2018-03-21 08:48:57 +01:00
Frank Denis
b643a816cc
Add automatic log files rotation
...
Fixes #172
2018-03-02 10:34:00 +01:00
Frank Denis
519af2e532
Revert "Allow -test 0"
...
This reverts commit 1e2c175e19.
Revert "Don't bind any sockets when using -test"
This reverts commit 982f341de8.
Revert "Implement -test to check certificates expiration"
This reverts commit 2158674d17.
2018-02-27 07:55:10 +01:00
Frank Denis
1e2c175e19
Allow -test 0
2018-02-27 03:04:44 +01:00
Frank Denis
982f341de8
Don't bind any sockets when using -test
2018-02-27 03:00:11 +01:00
Frank Denis
2158674d17
Implement -test to check certificates expiration
2018-02-27 02:52:45 +01:00
Frank Denis
2e8699d483
Bump default MaxClient to match the config file
...
Fixes #158
2018-02-20 12:27:44 +01:00
Frank Denis
148a28141f
Add -check
2018-02-19 18:35:06 +01:00
Frank Denis
2f00ad5ff0
Error out if unknown properties are found in the config file
...
And thanks to this, an inconsistency in the example config file vs the parser
was found (`timeout` vs `timeout_ms`).
Fixes #113
2018-02-10 21:21:43 +01:00
Frank Denis
f6b6d70615
Add knobs to filter by protocol
2018-02-06 14:11:58 +01:00
Frank Denis
8a7569555c
Don't warn if lbStrategy is empty
2018-02-05 01:53:23 +01:00
Frank Denis
a43352e160
Make the load-balancing strategy configurable
2018-02-04 21:23:39 +01:00
Frank Denis
033931a13a
Add a new powerful plugin: DNS cloaking
2018-02-04 01:43:37 +01:00
Frank Denis
93810e60d7
Set the default source refresh delay to 3 days
2018-02-03 18:55:46 +01:00
Frank Denis
f513ab21fa
Check if the config file exists from the current directory
...
Try the executable directory if it fails
Then, go to that config file directory no matter what
Fixes #80
2018-02-03 10:46:47 +01:00
Frank Denis
e4e351b854
Clear ServerName for -list-all
...
Suggested by @glitsj16, thanks!
Fixes #71
2018-02-02 14:51:14 +01:00
Frank Denis
bf56644a49
Add a -list-all switch; add IPv6 & port number info to the JSON output
2018-02-01 21:48:46 +01:00
Frank Denis
13952ffb1a
Do not consider the absence of listening sockets an error
...
Because systemd.
Fixes #64
2018-02-01 16:59:48 +01:00
Frank Denis
1a34224c91
Rename time_ranges to schedules
2018-02-01 09:18:56 +01:00
Frank Denis
41a73ccb03
Time access restrictions [WIP]
...
Because my daughter spends way too much time on Youtube
Because people have been asking OpenDNS to implement this for the past 10 years
Because existing tools suck
Because I want something flexible, where every rule can be assigned a schedule
2018-01-31 23:08:38 +01:00
Frank Denis
ba2293149e
phew
2018-01-31 22:49:40 +01:00
Frank Denis
d575ec8beb
bleh
2018-01-31 22:18:11 +01:00
Frank Denis
d7ec318945
Accept sources without a URL; use v2 format by default for remote sources
2018-01-31 14:24:21 +01:00
Frank Denis
f8a6e56026
-list -json now prints the list of available servers as JSON
...
Can be useful for GUIs, especially since this includes the description
2018-01-31 09:42:56 +01:00
Frank Denis
d42ab83184
ServerConfig -> StaticConfig to match the config file
2018-01-31 08:43:49 +01:00
Frank Denis
cdb8faba75
Nits
2018-01-31 08:40:20 +01:00
Frank Denis
f6571af24f
Nits
2018-01-31 08:38:22 +01:00
Frank Denis
5e8925523f
Split ConfigLoad a bit more
2018-01-31 08:32:44 +01:00
Frank Denis
16fc6b74e9
Split ConfigLoad()
2018-01-31 08:27:59 +01:00
Frank Denis
86adb438e0
Set cert refresh delay default to 240 (4h)
2018-01-31 00:21:25 +01:00
Frank Denis
a364e51d9e
Increase the cert refresh delay; make D1n0Bot happy
...
Decrease this for more reliability.
2018-01-30 23:53:33 +01:00
Frank Denis
788e97cf86
Clarify
2018-01-30 19:47:26 +01:00
Frank Denis
a7d75c7923
Implement the nofilter filter
2018-01-30 19:16:38 +01:00
Frank Denis
3448b5b170
Add a -list option to display the list of available resolvers
2018-01-30 17:51:47 +01:00
Frank Denis
1d35e249c9
Add an option to always ignore the system resolver
...
This makes startup faster when DoH resolvers without a static IP
are used (Google).
2018-01-30 17:37:35 +01:00
Frank Denis
ecaf18f614
Use a fallback resolver if the local DNS configuration doesn't work
...
This should fix all chicken-and-egg issues
2018-01-30 15:47:39 +01:00
Frank Denis
375378c15b
Rename "servers" to "static" for clarity
2018-01-25 17:41:36 +01:00
Frank Denis
732c451dd4
Add max_clients to cap the maximum number of client queries
2018-01-24 16:51:26 +01:00
Frank Denis
c184ce1a03
systemd support
...
How does it work? I don't know. Does it work? I don't know.
Would I encourage its use? No.
2018-01-24 14:44:32 +01:00
Frank Denis
973b53afdc
Simplify
2018-01-22 10:02:06 +01:00
Frank Denis
8324b29b42
Require stamps in static server definitions
...
Provider names, etc. are not future-proof. In particular, they are
incompatible with other protocols such as DoH.
2018-01-22 09:59:32 +01:00
Frank Denis
1d18a230c0
Consistent casing
2018-01-21 22:18:20 +01:00
Frank Denis
8bcba92f97
Add an undocumented option to ignore cert timestamps
2018-01-21 18:10:38 +01:00
Frank Denis
05e07e8b69
Add a simple built-in DNS client for testing
2018-01-21 18:02:32 +01:00
Frank Denis
d9b5625226
IP blocking
2018-01-21 16:07:44 +01:00
Frank Denis
1e0e01e8e1
NXLOG: a new output plugin to log suspicious queries
2018-01-20 16:59:40 +01:00
Frank Denis
ed50798049
Preliminary implementation of stamps
2018-01-20 14:13:11 +01:00
Frank Denis
88414e1448
Print stamps; require an env variable for debug level
2018-01-20 13:56:26 +01:00
Frank Denis
066db6a080
Replace logged_qtypes with ignored_qtypes
2018-01-20 13:27:37 +01:00
Frank Denis
2ab29a43d6
Reduce the noise
2018-01-19 22:37:05 +01:00
Frank Denis
6e1eaf7b90
More flexible logging; add support for the Windows event log
2018-01-19 20:06:04 +01:00
Frank Denis
aac0078991
Choose if we want to use IPv6 and/or IPv4 servers
2018-01-19 16:38:43 +01:00
Frank Denis
7103229609
Add a logged_qtypes feature to log only some query types
2018-01-19 12:57:47 +01:00
Frank Denis
41d5de6e8d
Scheduling
2018-01-19 00:06:18 +01:00