4608b6d18d
Add auad9 to the broken_query_padding list
...
Fixes #1169
2020-02-21 20:31:45 +01:00
8c42609475
fix minor typoS in config file
2020-02-14 18:48:48 +00:00
323c4a4758
Don't explain the format of other config files in the main config file
...
This is confusing if you don't read the documentation.
Fixes #1179
2020-02-05 12:17:14 +01:00
3a94523d65
Bump the cache size a little bit
2020-01-30 15:08:23 +01:00
7ada3fcfb8
Support multiple fallback resolvers
2020-01-15 19:58:14 +01:00
19cebfdb0a
Mention that /dev/stdout is not for Windows systems
...
Fixes #1131
2020-01-03 21:13:04 -05:00
d88995aac6
Minor comment fix
...
I noticed while writing the functionality tests that comments about relative paths disagreed with what the code was doing.
While the executable directory is used if the configuration file itself can't be found, `cdFileDir(foundConfigFile)` is always executed after the configuration file is found whether that's the same as the executable's directory or not.
Also a couple of punctuation nits.
2019-12-17 14:28:06 +01:00
07e605e9f4
Add a note about dnsmasq
...
In the config file, so that it has more visibility than in the doc.
Synthetic responses cannot contain NSEC or RRSIG records, and that
seems to be confusing dnsmasq.
2019-12-16 17:23:22 +01:00
66799c4159
Add the ability to block undelegated DNS zones
...
Using the generic pattern matcher as a first iteration, but we can
save some memory and CPU cycles by building and using a critbit tree
directly.
2019-12-16 16:18:47 +01:00
a635e92606
Add a new plugin to block unqualified host names
2019-12-09 20:25:38 +01:00
443bdce879
Fix typo
2019-12-01 23:38:05 +01:00
53dd5cd6c5
Clarify
2019-11-29 14:18:48 +01:00
4a613aa68d
Explain what the path is in a URL
2019-11-29 13:42:35 +01:00
f18dbc71ec
Make the local DoH path configurable
2019-11-28 23:49:28 +01:00
6a679cc543
Move local DoH configuration to its own section
2019-11-28 17:04:29 +01:00
bc22f94eeb
Don't listen to IPv6 in the example config file
...
Some hosts don't support IPv6, and the default (without anything in
the config file) is only the IPv4 address anyway.
2019-11-24 10:31:40 +01:00
ad40c6c54b
Fallback to the system resolver if the fallback resolver doesn't work
...
This is useful if fallback_resolver has been set to random junk, or
to an external resolver, but port 53 is blocked.
At least, it may allow the server to start.
2019-11-17 22:00:08 +01:00
6dcd872385
This is unlikely to become mandatory
2019-11-17 21:38:09 +01:00
faac6e2082
Set default ignore_system_dns to true
2019-11-17 20:30:04 +01:00
ca7e5e5bcb
Rename a few things
2019-11-17 15:07:40 +01:00
15b405b552
Support workarounds for ancient/broken implementations
...
Fixes #984
2019-11-16 18:51:16 +01:00
d063a7959e
Avoid redirect and extra DNS lookup in example
...
Also makes the URL consistent with the other lists.
2019-11-10 12:48:21 +00:00
9852a289f8
Increase the default cache size and minimum TTL
2019-11-03 17:31:41 +01:00
2add754f23
Don't use real server names, because this is apparently confusing
2019-10-27 23:36:08 +01:00
a26b2b42f0
Rename negTTL to rejectTTL to avoid confusion with cacheNegTTL
2019-10-21 18:26:49 +02:00
bb01595320
feature: Add neg_ttl for rejected entries and cloak_ttl for cloaking-rules
...
entries
Previously cache_min_ttl was used. But one can certainly set
cache_min_ttl to 0, but still ensure synthetic values have ttl.
Hence new config file options.
2019-10-21 18:12:49 +02:00
f565d3c7f5
Documentation
2019-10-20 19:30:33 +02:00
5c28950578
Bump the default timeout up
...
Because, yes, some networks have a lot of latency
2019-10-20 19:22:02 +02:00
320197a00e
Accept relay names in routes, improve documentation
2019-10-20 14:19:21 +02:00
be86d1df27
Fetch the list of relays
2019-10-18 15:53:56 +02:00
322447aa91
Support multiple routes per destination
2019-10-14 12:08:47 +02:00
ad5b2dc4f9
Mention that /dev/stdout can be used to log to the standard output
2019-09-23 10:33:57 +02:00
ed79bd7489
Deprecate systemd sockets
2019-09-16 15:46:39 +02:00
776e0d7ccc
New feature: query_meta
2019-09-07 16:19:47 +02:00
faa931585b
Use single quotation marks everywhere in the example for consistency
...
Fixes #904
2019-08-04 09:04:01 +02:00
d3ab899f7b
blocked_query_response takes the format 'a:<IPv4>,aaaa:<IPv6>' for IP responses
2019-07-17 12:12:28 +02:00
5812cb2fe4
fold 'refused_code_in_responses' and 'respond_with_ip' options into a new option 'blocked_query_response'
2019-07-17 12:12:28 +02:00
87bbfbfc10
add new option: 'respond_with_ip'
2019-07-17 12:12:28 +02:00
df24db9b9d
Remove refresh_delay from the example configuration file
...
It is not implemented
2019-06-13 11:14:10 +02:00
8933980121
netprobe_timeout=0 doesn't make much sense
2019-06-07 01:50:03 +02:00
8def2d5edc
Document TLS 1.3 cipher suite IDs
2019-06-07 01:39:35 +02:00
9604b8b3e5
Use an example server instead of a real one in the static section
2019-06-04 12:17:47 +02:00
a060407db1
Use a different address than 255.255.255.0 for netprobes
...
Windows doesn't seem to like this address.
Also default to the fallback resolver IP if there is one and
no netprobe_address option in the configuration file.
Fix netprobe_timeout = -1 by the way
2019-06-04 01:37:59 +02:00
9e2a945fff
Print the sorted list of latencies
...
Add an option to disable the load-balancing estimator
2019-06-03 13:04:59 +02:00
a417f0d282
Use 255.255.255.0 as the default netprobe address
2019-06-03 12:22:53 +02:00
2e89c8da01
Rename LbStrategyFastest to LbStrategyFirst
2019-06-02 13:24:24 +02:00
3f2656dbe3
Document netprobe_address
2019-05-31 23:02:45 +02:00
578c090890
Send an empty packet to the probe
...
This seems to be required on Windows.
Also add the ability to wait for up to an hour.
2019-05-28 13:22:11 +02:00
25ac94e7b2
Revert "Add Stretch-Hash-and-Truncate option for extreme DNS privacy"
...
This reverts commit 2d1dd7eaab
2019-04-02 01:57:48 +02:00
2d1dd7eaab
Add Stretch-Hash-and-Truncate option for extreme DNS privacy
...
This works over DNSCrypt and DoH, but requires a specifically configured
server.
Instead of sending the actual DNS queries, the SH-T system works as follows:
Step 1: the client query is evaluated through Argon2id, a military-grade,
memory-hard, CPU-hard stretching function. This makes it very expensive
for an attacker to find the original query, even using GPUs and ASICs.
For post-quantum resistance, we use it to generate a 1024-bit key.
Step 2: in case the Argon2id algorithm has a vulnerability, or, since this
is a popular function used for hashing passwords and for cryptocurrencices,
and people may have built rainbow tables already, we use a hash function over
the result of the previous function. This immediately defeats rainbow tables.
Step 3: the output of the hash function is truncated to 64-bit.
Due to a property of this operation known as collision-misresistance, and even
if the previous steps fail due to a nation-state actor, it is impossible for a
server operator to prove what exact query was originally sent by a client.
This feature is experimental.
2019-04-01 09:36:56 +02:00
5dc66adaa9
Move disabled_server_names down
2019-02-23 14:55:23 +01:00
c10fbb2aa7
+ disabled_server_names
...
Fixes #735
2019-02-23 14:54:22 +01:00
2aa0b7d6a7
Add `refused_code_in_responses` to the example.
...
Fixes #738
2019-02-23 12:34:59 +01:00
c52b3ef124
Bump the netprobe timeout up to 60 seconds
2018-11-22 17:24:41 +01:00
2e147364e9
Add support for HTTP/HTTPS proxies
...
Fixes #638
2018-11-15 18:47:33 +01:00
4fe62bc7cc
@typo in example-dnscrypt-proxy.toml ( #628 )
...
This can be can be useful… -> This can be useful…
2018-10-29 14:16:02 +01:00
dda3ca1ea3
Add dash
2018-10-10 19:38:24 +02:00
4e9397d83e
Revert "Remove Quad9 example until they remove prefixes"
...
This reverts commit 5cb7d8df35
2018-10-10 16:32:39 +02:00
bfca70000e
A note about pidfile
2018-10-03 18:17:39 +02:00
5cb7d8df35
Remove Quad9 example until they remove prefixes
2018-10-03 16:36:23 +02:00
9f1be6e079
killChild() is not needed any more; update config example by the way
2018-10-03 16:35:59 +02:00
1019428ca0
username -> user_name
...
in case we want to add user_group and whatnot.
Remove the command-line option as it hides the caveats documented
in the configuration file.
Remove TODO. TODO statements always remain in that state forever.
2018-07-07 17:39:33 +02:00
6cb43f8e4d
Of course, dropping privileges breaks with systemd sockets
2018-07-07 15:21:21 +00:00
9345958d16
Better description of what username does
2018-07-05 18:12:46 +02:00
c73e95256d
Implement an offline mode
...
Fixes #528
2018-07-05 18:05:24 +02:00
74093a65a2
Quick typo fix in example config. ( #511 )
2018-06-20 00:55:28 +02:00
8f2972845d
Note that Windows doesn't support username option ( #494 )
2018-06-14 09:35:13 +02:00
fe0aa52fba
Make description more accessible in the example configuration file
...
Also don't enable this by default, as "nobody" may not exist everywhere
2018-06-13 16:54:57 +02:00
aab7e6380f
Drop privileges with exec ( #467 )
...
* Drop privileges with exec and SysProcAttr
* Fix windows build
* Fix passing logfile fd
2018-06-13 16:52:41 +02:00
ae54a7aafc
Revert "Do not mention systemd activation until #480 is solved"
...
This reverts commit 066345123b
2018-06-13 16:49:57 +02:00
066345123b
Do not mention systemd activation until #480 is solved
2018-06-08 06:35:47 +02:00
0166f21b27
Add built-in support for Tor
2018-06-06 15:54:51 +02:00
7774d9cf05
Avoid long lines
2018-05-10 22:19:04 +02:00
6f047e07b8
Bump
2018-05-10 22:17:57 +02:00
ce62981c44
Wait for network connectivity before starting the proxy
2018-05-10 21:59:25 +02:00
cdf5b9ce6b
IPv6 issues on macOS should be gone
2018-05-10 10:46:11 +02:00
7f999f59e1
Recommend against disable_ipv6 when using chained caches
...
Fixes #398
2018-04-27 16:20:24 +02:00
dd878d4c60
Clarify that UDP is no less secure than TCP
2018-04-20 23:17:48 +02:00
b1447160a0
Add cache_neg_min_ttl and cache_neg_max_ttl
2018-04-17 00:24:49 +02:00
0f349c793e
Clarify
...
Fixes #356
2018-04-16 22:24:45 +02:00
ace955fd9f
More accurate description
2018-04-16 02:25:59 +02:00
c33ebd229b
Avoid empty examples files
...
Fixes #348
Keep the ciphers list commented out by default to be safe
2018-04-11 14:03:25 +02:00
6b3212d3d7
Note that the cipher suite also affects source retrieval
2018-04-11 11:42:10 +02:00
3d34027aeb
Double the example cache size
2018-04-10 13:23:51 +02:00
40d492f93a
Go has only X25519 optimized for x86_64
2018-04-10 11:28:59 +02:00
6d2330eaf0
Minor typo fixes in config files ( #338 )
2018-04-10 09:06:19 +02:00
8bebb50d49
Nits
2018-04-09 23:58:36 +02:00
7d10628a5f
New syntax for blocking/whitelisting rules: exact matching
...
Example: =example.com
Matches `example.com` but not `api.example.com`
2018-04-09 13:02:42 +02:00
de6a8d230e
Use PolyChaCha, but more importantly, RSA by default
...
Even on non-ARM systems, this makes a difference in CPU usage/latency
2018-04-09 12:45:42 +02:00
ca80b69b3a
Re-implement ephemeral keys for DNSCrypt
2018-04-09 03:12:34 +02:00
70dca19326
Clarify
2018-04-09 02:57:30 +02:00
10baa245b2
Clarify
2018-04-07 23:27:57 +02:00
517538bdb2
Less ###
2018-04-07 23:05:29 +02:00
65e6b8569e
Implement whitelists
...
Fixes #293
2018-04-07 23:02:40 +02:00
dee7960be6
Bump keepalive up
2018-04-07 22:26:46 +02:00
1fa3e5d7f3
Add options to set the cipher suite as well as disable session tickets
2018-04-07 22:23:29 +02:00
d4367393c4
Add some links
2018-04-02 01:55:22 +02:00
308ffff739
Make the keepalive configurable
...
Fixes #300
2018-04-02 01:49:09 +02:00
2dcf5fe01a
Skip the signature in the example Google stamp
...
Example configuration files are updated less often than sources
2018-04-01 03:50:10 +02:00
d812a9bdc3
Revert to 9.9.9.9 as the example fallback resolver
...
Just in case some networks do stupid things with 1.1.1.1 already.
2018-03-30 22:24:19 +02:00
a2160189af
Welcome to 1.1.1.1
2018-03-30 21:30:06 +02:00
ede564ccf7
Support multiple URLs for a given source
...
Fixes #265
2018-03-28 13:36:19 +02:00
0983a86b40
Mention that log_files_max_backups = 0 means "keep all backups"
...
Fixes #268
2018-03-28 00:14:07 +02:00
fa2c95084e
Adding DynamicUser to systemd service file, enhancing socket and service ( #261 )
...
* Adding nss-lookup.target to the socket Before and Wants directive. Adding current upstream wiki as documentation to service and socket file.
Adding DynamicUser=yes to the service file, alongside various hardening settings (Protect{ControlGroups,KernelModules}. Allowing the service to bind to ports below 1024 by setting CAP_NET_BIND_SERVICE. Adding {Cache,Logs,Runtime}Directory for dnscrypt-proxy. Removing (default) Type=simple. Adding a more default ExecStart location and usage of configuration.
* systemd/dnscrypt-proxy.socket: Adding back ipv6 functionality.
* systemd/dnscrypt-proxy.service: Updating Description to match project name.
Explicitely setting ProtectHome=yes. Adding information on the DynamicUser settings.
* systemd/dnscrypt-proxy.socket: Updating description to match project name.
* systemd/dnscrypt-proxy.service: Adding Requires= and Also= for dnscrypt-proxy.socket in favor of CAP_NET_BIND_SERVICE capabilities.
* dnscrypt-proxy/example-dnscrypt-proxy.toml: Clarifying how to set listen_addresses, when using systemd socket activation.
2018-03-26 20:48:22 +02:00
0026a20e08
Mention that people in China may need to use Quad114
2018-03-22 07:44:06 +01:00
2568ea0b0c
Revert "Switch to Quad114 as the default resolver"
...
This reverts commit 91f97833a3
2018-03-22 02:43:03 +01:00
91f97833a3
Switch to Quad114 as the default resolver
...
Quad9 current returns SERVFAIL for dnscrypt.info and there have
been reports of it not working as expected in some countries as well.
2018-03-21 08:30:36 +01:00
fd51ff8fb6
Clarify
...
Fixes #221
2018-03-11 08:15:02 -07:00
a6ce630897
log_files_max_backups
2018-03-02 10:49:21 +01:00
38942f62b0
log file rotation example config
2018-03-02 10:38:31 +01:00
82825f46e9
Typos
2018-02-26 19:38:02 +01:00
2068975780
Clarify
2018-02-26 19:05:12 +01:00
db0ed1b67f
Mention that urls are optional, but recommended
2018-02-24 19:35:37 +01:00
8fc135ad79
...
2018-02-19 15:15:20 +01:00
dfe68118c6
Don't suggest that URLs are optional in the example config file
...
This is confusing, and virtually everybody needs to specify
URLs no matter what.
Fixes #101
2018-02-07 10:48:41 +01:00
d644cf0c41
Move servers down
2018-02-06 16:11:53 +01:00
404c21816e
Use a more permanent URLm even if it's a redirect
2018-02-06 14:27:45 +01:00
f6b6d70615
Add knobs to filter by protocol
2018-02-06 14:11:58 +01:00
a43352e160
Make the load-balancing strategy configurable
2018-02-04 21:23:39 +01:00
1e066e69b3
Import a cloaking example file
2018-02-04 01:57:18 +01:00
033931a13a
Add a new powerful plugin: DNS cloaking
2018-02-04 01:43:37 +01:00
e62dd27593
Use https for the remote source example
...
This can be changed back to http on platforms that don't have a clock
2018-02-03 22:01:09 +01:00
93810e60d7
Set the default source refresh delay to 3 days
2018-02-03 18:55:46 +01:00
dc070d56a4
Add nofilter to Google
2018-02-02 15:08:33 +01:00
fe2bb3847b
Update Travis for the new example file names
2018-02-01 19:01:02 +01:00
c2fb372112
Rename example files
2018-02-01 18:28:53 +01:00
Frank Denis
Alison Winters
William Elwood
glitsj16
Will Elwood
Markus Linnala
James Newell
iiic
John Spurlock
Sebastian Schmidt
Zhuoyun Wei
David Runge