Frank Denis
4608b6d18d
Add auad9 to the broken_query_padding list
...
Fixes #1169
2020-02-21 20:31:45 +01:00
Alison Winters
8c42609475
fix minor typoS in config file
2020-02-14 18:48:48 +00:00
Frank Denis
323c4a4758
Don't explain the format of other config files in the main config file
...
This is confusing if you don't read the documentation.
Fixes #1179
2020-02-05 12:17:14 +01:00
Frank Denis
3a94523d65
Bump the cache size a little bit
2020-01-30 15:08:23 +01:00
Frank Denis
7ada3fcfb8
Support multiple fallback resolvers
2020-01-15 19:58:14 +01:00
Frank Denis
19cebfdb0a
Mention that /dev/stdout is not for Windows systems
...
Fixes #1131
2020-01-03 21:13:04 -05:00
William Elwood
d88995aac6
Minor comment fix
...
I noticed while writing the functionality tests that comments about relative paths disagreed with what the code was doing.
While the executable directory is used if the configuration file itself can't be found, `cdFileDir(foundConfigFile)` is always executed after the configuration file is found whether that's the same as the executable's directory or not.
Also a couple of punctuation nits.
2019-12-17 14:28:06 +01:00
Frank Denis
07e605e9f4
Add a note about dnsmasq
...
In the config file, so that it has more visibility than in the doc.
Synthetic responses cannot contain NSEC or RRSIG records, and that
seems to be confusing dnsmasq.
2019-12-16 17:23:22 +01:00
Frank Denis
66799c4159
Add the ability to block undelegated DNS zones
...
Using the generic pattern matcher as a first iteration, but we can
save some memory and CPU cycles by building and using a critbit tree
directly.
2019-12-16 16:18:47 +01:00
Frank Denis
a635e92606
Add a new plugin to block unqualified host names
2019-12-09 20:25:38 +01:00
glitsj16
443bdce879
Fix typo
2019-12-01 23:38:05 +01:00
Frank Denis
53dd5cd6c5
Clarify
2019-11-29 14:18:48 +01:00
Frank Denis
4a613aa68d
Explain what the path is in a URL
2019-11-29 13:42:35 +01:00
Frank Denis
f18dbc71ec
Make the local DoH path configurable
2019-11-28 23:49:28 +01:00
Frank Denis
6a679cc543
Move local DoH configuration to its own section
2019-11-28 17:04:29 +01:00
Frank Denis
bc22f94eeb
Don't listen to IPv6 in the example config file
...
Some hosts don't support IPv6, and the default (without anything in
the config file) is only the IPv4 address anyway.
2019-11-24 10:31:40 +01:00
Frank Denis
ad40c6c54b
Fallback to the system resolver if the fallback resolver doesn't work
...
This is useful if fallback_resolver has been set to random junk, or
to an external resolver, but port 53 is blocked.
At least, it may allow the server to start.
2019-11-17 22:00:08 +01:00
Frank Denis
6dcd872385
This is unlikely to become mandatory
2019-11-17 21:38:09 +01:00
Frank Denis
faac6e2082
Set default ignore_system_dns to true
2019-11-17 20:30:04 +01:00
Frank Denis
ca7e5e5bcb
Rename a few things
2019-11-17 15:07:40 +01:00
Frank Denis
15b405b552
Support workarounds for ancient/broken implementations
...
Fixes #984
2019-11-16 18:51:16 +01:00
Will Elwood
d063a7959e
Avoid redirect and extra DNS lookup in example
...
Also makes the URL consistent with the other lists.
2019-11-10 12:48:21 +00:00
Frank Denis
9852a289f8
Increase the default cache size and minimum TTL
2019-11-03 17:31:41 +01:00
Frank Denis
2add754f23
Don't use real server names, because this is apparently confusing
2019-10-27 23:36:08 +01:00
Frank Denis
a26b2b42f0
Rename negTTL to rejectTTL to avoid confusion with cacheNegTTL
2019-10-21 18:26:49 +02:00
Markus Linnala
bb01595320
feature: Add neg_ttl for rejected entries and cloak_ttl for cloaking-rules
...
entries
Previously cache_min_ttl was used. But one can certainly set
cache_min_ttl to 0, but still ensure synthetic values have ttl.
Hence new config file options.
2019-10-21 18:12:49 +02:00
Frank Denis
f565d3c7f5
Documentation
2019-10-20 19:30:33 +02:00
Frank Denis
5c28950578
Bump the default timeout up
...
Because, yes, some networks have a lot of latency
2019-10-20 19:22:02 +02:00
Frank Denis
320197a00e
Accept relay names in routes, improve documentation
2019-10-20 14:19:21 +02:00
Frank Denis
be86d1df27
Fetch the list of relays
2019-10-18 15:53:56 +02:00
Frank Denis
322447aa91
Support multiple routes per destination
2019-10-14 12:08:47 +02:00
Frank Denis
ad5b2dc4f9
Mention that /dev/stdout can be used to log to the standard output
2019-09-23 10:33:57 +02:00
Frank Denis
ed79bd7489
Deprecate systemd sockets
2019-09-16 15:46:39 +02:00
Frank Denis
776e0d7ccc
New feature: query_meta
2019-09-07 16:19:47 +02:00
Frank Denis
faa931585b
Use single quotation marks everywhere in the example for consistency
...
Fixes #904
2019-08-04 09:04:01 +02:00
James Newell
d3ab899f7b
blocked_query_response takes the format 'a:<IPv4>,aaaa:<IPv6>' for IP responses
2019-07-17 12:12:28 +02:00
James Newell
5812cb2fe4
fold 'refused_code_in_responses' and 'respond_with_ip' options into a new option 'blocked_query_response'
2019-07-17 12:12:28 +02:00
James Newell
87bbfbfc10
add new option: 'respond_with_ip'
2019-07-17 12:12:28 +02:00
Frank Denis
df24db9b9d
Remove refresh_delay from the example configuration file
...
It is not implemented
2019-06-13 11:14:10 +02:00
Frank Denis
8933980121
netprobe_timeout=0 doesn't make much sense
2019-06-07 01:50:03 +02:00
Frank Denis
8def2d5edc
Document TLS 1.3 cipher suite IDs
2019-06-07 01:39:35 +02:00
Frank Denis
9604b8b3e5
Use an example server instead of a real one in the static section
2019-06-04 12:17:47 +02:00
Frank Denis
a060407db1
Use a different address than 255.255.255.0 for netprobes
...
Windows doesn't seem to like this address.
Also default to the fallback resolver IP if there is one and
no netprobe_address option in the configuration file.
Fix netprobe_timeout = -1 by the way
2019-06-04 01:37:59 +02:00
Frank Denis
9e2a945fff
Print the sorted list of latencies
...
Add an option to disable the load-balancing estimator
2019-06-03 13:04:59 +02:00
Frank Denis
a417f0d282
Use 255.255.255.0 as the default netprobe address
2019-06-03 12:22:53 +02:00
Frank Denis
2e89c8da01
Rename LbStrategyFastest to LbStrategyFirst
2019-06-02 13:24:24 +02:00
Frank Denis
3f2656dbe3
Document netprobe_address
2019-05-31 23:02:45 +02:00
Frank Denis
578c090890
Send an empty packet to the probe
...
This seems to be required on Windows.
Also add the ability to wait for up to an hour.
2019-05-28 13:22:11 +02:00
Frank Denis
25ac94e7b2
Revert "Add Stretch-Hash-and-Truncate option for extreme DNS privacy"
...
This reverts commit 2d1dd7eaab.
2019-04-02 01:57:48 +02:00
Frank Denis
2d1dd7eaab
Add Stretch-Hash-and-Truncate option for extreme DNS privacy
...
This works over DNSCrypt and DoH, but requires a specifically configured
server.
Instead of sending the actual DNS queries, the SH-T system works as follows:
Step 1: the client query is evaluated through Argon2id, a military-grade,
memory-hard, CPU-hard stretching function. This makes it very expensive
for an attacker to find the original query, even using GPUs and ASICs.
For post-quantum resistance, we use it to generate a 1024-bit key.
Step 2: in case the Argon2id algorithm has a vulnerability, or, since this
is a popular function used for hashing passwords and for cryptocurrencies,
and people may have built rainbow tables already, we use a hash function over
the result of the previous function. This immediately defeats rainbow tables.
Step 3: the output of the hash function is truncated to 64-bit.
Due to a property of this operation known as collision-misresistance, and even
if the previous steps fail due to a nation-state actor, it is impossible for a
server operator to prove what exact query was originally sent by a client.
This feature is experimental.
2019-04-01 09:36:56 +02:00
Frank Denis
5dc66adaa9
Move disabled_server_names down
2019-02-23 14:55:23 +01:00
Frank Denis
c10fbb2aa7
+ disabled_server_names
...
Fixes #735
2019-02-23 14:54:22 +01:00
Frank Denis
2aa0b7d6a7
Add `refused_code_in_responses` to the example.
...
Fixes #738
2019-02-23 12:34:59 +01:00
Frank Denis
c52b3ef124
Bump the netprobe timeout up to 60 seconds
2018-11-22 17:24:41 +01:00
Frank Denis
2e147364e9
Add support for HTTP/HTTPS proxies
...
Fixes #638
2018-11-15 18:47:33 +01:00
iiic
4fe62bc7cc
@typo in example-dnscrypt-proxy.toml ( #628 )
...
This can be can be useful… -> This can be useful…
2018-10-29 14:16:02 +01:00
Frank Denis
dda3ca1ea3
Add dash
2018-10-10 19:38:24 +02:00
Frank Denis
4e9397d83e
Revert "Remove Quad9 example until they remove prefixes"
...
This reverts commit 5cb7d8df35.
2018-10-10 16:32:39 +02:00
Frank Denis
bfca70000e
A note about pidfile
2018-10-03 18:17:39 +02:00
Frank Denis
5cb7d8df35
Remove Quad9 example until they remove prefixes
2018-10-03 16:36:23 +02:00
Frank Denis
9f1be6e079
killChild() is not needed any more; update config example by the way
2018-10-03 16:35:59 +02:00
Frank Denis
1019428ca0
username -> user_name
...
in case we want to add user_group and whatnot.
Remove the command-line option as it hides the caveats documented
in the configuration file.
Remove TODO. TODO statements always remain in that state forever.
2018-07-07 17:39:33 +02:00
Frank Denis
6cb43f8e4d
Of course, dropping privileges breaks with systemd sockets
2018-07-07 15:21:21 +00:00
Frank Denis
9345958d16
Better description of what username does
2018-07-05 18:12:46 +02:00
Frank Denis
c73e95256d
Implement an offline mode
...
Fixes #528
2018-07-05 18:05:24 +02:00
John Spurlock
74093a65a2
Quick typo fix in example config. ( #511 )
2018-06-20 00:55:28 +02:00
Sebastian Schmidt
8f2972845d
Note that Windows doesn't support username option ( #494 )
2018-06-14 09:35:13 +02:00
Frank Denis
fe0aa52fba
Make description more accessible in the example configuration file
...
Also don't enable this by default, as "nobody" may not exist everywhere
2018-06-13 16:54:57 +02:00
Sebastian Schmidt
aab7e6380f
Drop privileges with exec ( #467 )
...
* Drop privileges with exec and SysProcAttr
* Fix windows build
* Fix passing logfile fd
2018-06-13 16:52:41 +02:00
Frank Denis
ae54a7aafc
Revert "Do not mention systemd activation until #480 is solved"
...
This reverts commit 066345123b.
2018-06-13 16:49:57 +02:00
Frank Denis
066345123b
Do not mention systemd activation until #480 is solved
2018-06-08 06:35:47 +02:00
Frank Denis
0166f21b27
Add built-in support for Tor
2018-06-06 15:54:51 +02:00
Frank Denis
7774d9cf05
Avoid long lines
2018-05-10 22:19:04 +02:00
Frank Denis
6f047e07b8
Bump
2018-05-10 22:17:57 +02:00
Frank Denis
ce62981c44
Wait for network connectivity before starting the proxy
2018-05-10 21:59:25 +02:00
Frank Denis
cdf5b9ce6b
IPv6 issues on macOS should be gone
2018-05-10 10:46:11 +02:00
Frank Denis
7f999f59e1
Recommend against disable_ipv6 when using chained caches
...
Fixes #398
2018-04-27 16:20:24 +02:00
Frank Denis
dd878d4c60
Clarify that UDP is no less secure than TCP
2018-04-20 23:17:48 +02:00
Frank Denis
b1447160a0
Add cache_neg_min_ttl and cache_neg_max_ttl
2018-04-17 00:24:49 +02:00
Frank Denis
0f349c793e
Clarify
...
Fixes #356
2018-04-16 22:24:45 +02:00
Frank Denis
ace955fd9f
More accurate description
2018-04-16 02:25:59 +02:00
Frank Denis
c33ebd229b
Avoid empty examples files
...
Fixes #348
Keep the ciphers list commented out by default to be safe
2018-04-11 14:03:25 +02:00
Frank Denis
6b3212d3d7
Note that the cipher suite also affects source retrieval
2018-04-11 11:42:10 +02:00
Frank Denis
3d34027aeb
Double the example cache size
2018-04-10 13:23:51 +02:00
Frank Denis
40d492f93a
Go has only X25519 optimized for x86_64
2018-04-10 11:28:59 +02:00
Zhuoyun Wei
6d2330eaf0
Minor typo fixes in config files ( #338 )
2018-04-10 09:06:19 +02:00
Frank Denis
8bebb50d49
Nits
2018-04-09 23:58:36 +02:00
Frank Denis
7d10628a5f
New syntax for blocking/whitelisting rules: exact matching
...
Example: =example.com
Matches `example.com` but not `api.example.com`
2018-04-09 13:02:42 +02:00
Frank Denis
de6a8d230e
Use PolyChaCha, but more importantly, RSA by default
...
Even on non-ARM systems, this makes a difference in CPU usage/latency
2018-04-09 12:45:42 +02:00
Frank Denis
ca80b69b3a
Re-implement ephemeral keys for DNSCrypt
2018-04-09 03:12:34 +02:00
Frank Denis
70dca19326
Clarify
2018-04-09 02:57:30 +02:00
Frank Denis
10baa245b2
Clarify
2018-04-07 23:27:57 +02:00
Frank Denis
517538bdb2
Less ###
2018-04-07 23:05:29 +02:00
Frank Denis
65e6b8569e
Implement whitelists
...
Fixes #293
2018-04-07 23:02:40 +02:00
Frank Denis
dee7960be6
Bump keepalive up
2018-04-07 22:26:46 +02:00
Frank Denis
1fa3e5d7f3
Add options to set the cipher suite as well as disable session tickets
2018-04-07 22:23:29 +02:00
Frank Denis
d4367393c4
Add some links
2018-04-02 01:55:22 +02:00
Frank Denis
308ffff739
Make the keepalive configurable
...
Fixes #300
2018-04-02 01:49:09 +02:00
Frank Denis
2dcf5fe01a
Skip the signature in the example Google stamp
...
Example configuration files are updated less often than sources
2018-04-01 03:50:10 +02:00
Frank Denis
d812a9bdc3
Revert to 9.9.9.9 as the example fallback resolver
...
Just in case some networks do stupid things with 1.1.1.1 already.
2018-03-30 22:24:19 +02:00
Frank Denis
a2160189af
Welcome to 1.1.1.1
2018-03-30 21:30:06 +02:00
Frank Denis
ede564ccf7
Support multiple URLs for a given source
...
Fixes #265
2018-03-28 13:36:19 +02:00
Frank Denis
0983a86b40
Mention that log_files_max_backups = 0 means "keep all backups"
...
Fixes #268
2018-03-28 00:14:07 +02:00
David Runge
fa2c95084e
Adding DynamicUser to systemd service file, enhancing socket and service ( #261 )
...
* Adding nss-lookup.target to the socket Before and Wants directive. Adding current upstream wiki as documentation to service and socket file.
Adding DynamicUser=yes to the service file, alongside various hardening settings (Protect{ControlGroups,KernelModules}). Allowing the service to bind to ports below 1024 by setting CAP_NET_BIND_SERVICE. Adding {Cache,Logs,Runtime}Directory for dnscrypt-proxy. Removing (default) Type=simple. Adding a more default ExecStart location and usage of configuration.
* systemd/dnscrypt-proxy.socket: Adding back ipv6 functionality.
* systemd/dnscrypt-proxy.service: Updating Description to match project name.
Explicitly setting ProtectHome=yes. Adding information on the DynamicUser settings.
* systemd/dnscrypt-proxy.socket: Updating description to match project name.
* systemd/dnscrypt-proxy.service: Adding Requires= and Also= for dnscrypt-proxy.socket in favor of CAP_NET_BIND_SERVICE capabilities.
* dnscrypt-proxy/example-dnscrypt-proxy.toml: Clarifying how to set listen_addresses, when using systemd socket activation.
2018-03-26 20:48:22 +02:00
Frank Denis
0026a20e08
Mention that people in China may need to use Quad114
2018-03-22 07:44:06 +01:00
Frank Denis
2568ea0b0c
Revert "Switch to Quad114 as the default resolver"
...
This reverts commit 91f97833a3.
The Internet has become a sad place.
People in China need to use resolvers in China.
People in the US would not trust resolvers in China.
People in the EU would not trust resolvers in the US.
Revert to Quad9 for now, and add some documentation about why
that might be changed (especially in China) later.
2018-03-22 02:43:03 +01:00
Frank Denis
91f97833a3
Switch to Quad114 as the default resolver
...
Quad9 currently returns SERVFAIL for dnscrypt.info and there have
been reports of it not working as expected in some countries as well.
2018-03-21 08:30:36 +01:00
Frank Denis
fd51ff8fb6
Clarify
...
Fixes #221
2018-03-11 08:15:02 -07:00
Frank Denis
a6ce630897
log_files_max_backups
2018-03-02 10:49:21 +01:00
Frank Denis
38942f62b0
log file rotation example config
2018-03-02 10:38:31 +01:00
Frank Denis
82825f46e9
Typos
2018-02-26 19:38:02 +01:00
Frank Denis
2068975780
Clarify
2018-02-26 19:05:12 +01:00
Frank Denis
db0ed1b67f
Mention that urls are optional, but recommended
2018-02-24 19:35:37 +01:00
Frank Denis
8fc135ad79
...
2018-02-19 15:15:20 +01:00
Frank Denis
dfe68118c6
Don't suggest that URLs are optional in the example config file
...
This is confusing, and virtually everybody needs to specify
URLs no matter what.
Fixes #101
2018-02-07 10:48:41 +01:00
Frank Denis
d644cf0c41
Move servers down
2018-02-06 16:11:53 +01:00
Frank Denis
404c21816e
Use a more permanent URL, even if it's a redirect
2018-02-06 14:27:45 +01:00
Frank Denis
f6b6d70615
Add knobs to filter by protocol
2018-02-06 14:11:58 +01:00
Frank Denis
a43352e160
Make the load-balancing strategy configurable
2018-02-04 21:23:39 +01:00
Frank Denis
1e066e69b3
Import a cloaking example file
2018-02-04 01:57:18 +01:00
Frank Denis
033931a13a
Add a new powerful plugin: DNS cloaking
2018-02-04 01:43:37 +01:00
Frank Denis
e62dd27593
Use https for the remote source example
...
This can be changed back to http on platforms that don't have a clock
2018-02-03 22:01:09 +01:00
Frank Denis
93810e60d7
Set the default source refresh delay to 3 days
2018-02-03 18:55:46 +01:00
Frank Denis
dc070d56a4
Add nofilter to Google
2018-02-02 15:08:33 +01:00
Frank Denis
fe2bb3847b
Update Travis for the new example file names
2018-02-01 19:01:02 +01:00
Frank Denis
c2fb372112
Rename example files
2018-02-01 18:28:53 +01:00