Commit Graph

226 Commits

Author SHA1 Message Date
Frank Denis 4608b6d18d Add auad9 to the broken_query_padding list
Fixes #1169
2020-02-21 20:31:45 +01:00
Alison Winters 8c42609475 fix minor typos in config file 2020-02-14 18:48:48 +00:00
Frank Denis 323c4a4758 Don't explain the format of other config files in the main config file
This is confusing if you don't read the documentation.

Fixes #1179
2020-02-05 12:17:14 +01:00
Frank Denis 3a94523d65 Bump the cache size a little bit 2020-01-30 15:08:23 +01:00
Frank Denis 7ada3fcfb8 Support multiple fallback resolvers 2020-01-15 19:58:14 +01:00
Frank Denis 19cebfdb0a Mention that /dev/stdout is not for Windows systems
Fixes #1131
2020-01-03 21:13:04 -05:00
William Elwood d88995aac6 Minor comment fix
I noticed while writing the functionality tests that comments about relative paths disagreed with what the code was doing.
While the executable directory is used if the configuration file itself can't be found, `cdFileDir(foundConfigFile)` is always executed after the configuration file is found whether that's the same as the executable's directory or not.
Also a couple of punctuation nits.
2019-12-17 14:28:06 +01:00
Frank Denis 07e605e9f4 Add a note about dnsmasq
In the config file, so that it has more visibility than in the doc.

Synthetic responses cannot contain NSEC or RRSIG records, and that
seems to be confusing dnsmasq.
2019-12-16 17:23:22 +01:00
Frank Denis 66799c4159 Add the ability to block undelegated DNS zones
Using the generic pattern matcher as a first iteration, but we can
save some memory and CPU cycles by building and using a critbit tree
directly.
2019-12-16 16:18:47 +01:00
Frank Denis a635e92606 Add a new plugin to block unqualified host names 2019-12-09 20:25:38 +01:00
glitsj16 443bdce879 Fix typo 2019-12-01 23:38:05 +01:00
Frank Denis 53dd5cd6c5 Clarify 2019-11-29 14:18:48 +01:00
Frank Denis 4a613aa68d Explain what the path is in a URL 2019-11-29 13:42:35 +01:00
Frank Denis f18dbc71ec Make the local DoH path configurable 2019-11-28 23:49:28 +01:00
Frank Denis 6a679cc543 Move local DoH configuration to its own section 2019-11-28 17:04:29 +01:00
Frank Denis bc22f94eeb Don't listen to IPv6 in the example config file
Some hosts don't support IPv6, and the default (without anything in
the config file) is only the IPv4 address anyway.
2019-11-24 10:31:40 +01:00
Frank Denis ad40c6c54b Fallback to the system resolver if the fallback resolver doesn't work
This is useful if fallback_resolver has been set to random junk, or
to an external resolver, but port 53 is blocked.

At least, it may allow the server to start.
2019-11-17 22:00:08 +01:00
Frank Denis 6dcd872385 This is unlikely to become mandatory 2019-11-17 21:38:09 +01:00
Frank Denis faac6e2082 Set default ignore_system_dns to true 2019-11-17 20:30:04 +01:00
Frank Denis ca7e5e5bcb Rename a few things 2019-11-17 15:07:40 +01:00
Frank Denis 15b405b552 Support workarounds for ancient/broken implementations
Fixes #984
2019-11-16 18:51:16 +01:00
Will Elwood d063a7959e Avoid redirect and extra DNS lookup in example
Also makes the URL consistent with the other lists.
2019-11-10 12:48:21 +00:00
Frank Denis 9852a289f8 Increase the default cache size and minimum TTL 2019-11-03 17:31:41 +01:00
Frank Denis 2add754f23 Don't use real server names, because this is apparently confusing 2019-10-27 23:36:08 +01:00
Frank Denis a26b2b42f0 Rename negTTL to rejectTTL to avoid confusion with cacheNegTTL 2019-10-21 18:26:49 +02:00
Markus Linnala bb01595320 feature: Add neg_ttl for rejected entries and cloak_ttl for cloaking-rules entries

Previously cache_min_ttl was used. But one can certainly set
cache_min_ttl to 0, and still ensure synthetic values have a TTL.
Hence the new config file options.
2019-10-21 18:12:49 +02:00
Frank Denis f565d3c7f5 Documentation 2019-10-20 19:30:33 +02:00
Frank Denis 5c28950578 Bump the default timeout up
Because, yes, some networks have a lot of latency
2019-10-20 19:22:02 +02:00
Frank Denis 320197a00e Accept relay names in routes, improve documentation 2019-10-20 14:19:21 +02:00
Frank Denis be86d1df27 Fetch the list of relays 2019-10-18 15:53:56 +02:00
Frank Denis 322447aa91 Support multiple routes per destination 2019-10-14 12:08:47 +02:00
Frank Denis ad5b2dc4f9 Mention that /dev/stdout can be used to log to the standard output 2019-09-23 10:33:57 +02:00
Frank Denis ed79bd7489 Deprecate systemd sockets 2019-09-16 15:46:39 +02:00
Frank Denis 776e0d7ccc New feature: query_meta 2019-09-07 16:19:47 +02:00
Frank Denis faa931585b Use single quotation marks everywhere in the example for consistency
Fixes #904
2019-08-04 09:04:01 +02:00
James Newell d3ab899f7b blocked_query_response takes the format 'a:<IPv4>,aaaa:<IPv6>' for IP responses 2019-07-17 12:12:28 +02:00
James Newell 5812cb2fe4 fold 'refused_code_in_responses' and 'respond_with_ip' options into a new option 'blocked_query_response' 2019-07-17 12:12:28 +02:00
James Newell 87bbfbfc10 add new option: 'respond_with_ip' 2019-07-17 12:12:28 +02:00
Frank Denis df24db9b9d Remove refresh_delay from the example configuration file
It is not implemented
2019-06-13 11:14:10 +02:00
Frank Denis 8933980121 netprobe_timeout=0 doesn't make much sense 2019-06-07 01:50:03 +02:00
Frank Denis 8def2d5edc Document TLS 1.3 cipher suite IDs 2019-06-07 01:39:35 +02:00
Frank Denis 9604b8b3e5 Use an example server instead of a real one in the static section 2019-06-04 12:17:47 +02:00
Frank Denis a060407db1 Use a different address than 255.255.255.0 for netprobes
Windows doesn't seem to like this address.

Also default to the fallback resolver IP if there is one and
no netprobe_address option in the configuration file.

Fix netprobe_timeout = -1 by the way
2019-06-04 01:37:59 +02:00
Frank Denis 9e2a945fff Print the sorted list of latencies
Add an option to disable the load-balancing estimator
2019-06-03 13:04:59 +02:00
Frank Denis a417f0d282 Use 255.255.255.0 as the default netprobe address 2019-06-03 12:22:53 +02:00
Frank Denis 2e89c8da01 Rename LbStrategyFastest to LbStrategyFirst 2019-06-02 13:24:24 +02:00
Frank Denis 3f2656dbe3 Document netprobe_address 2019-05-31 23:02:45 +02:00
Frank Denis 578c090890 Send an empty packet to the probe
This seems to be required on Windows.

Also add the ability to wait for up to an hour.
2019-05-28 13:22:11 +02:00
Frank Denis 25ac94e7b2 Revert "Add Stretch-Hash-and-Truncate option for extreme DNS privacy"
This reverts commit 2d1dd7eaab.
2019-04-02 01:57:48 +02:00
Frank Denis 2d1dd7eaab Add Stretch-Hash-and-Truncate option for extreme DNS privacy
This works over DNSCrypt and DoH, but requires a specifically configured
server.

Instead of sending the actual DNS queries, the SH-T system works as follows:

Step 1: the client query is evaluated through Argon2id, a military-grade,
memory-hard, CPU-hard stretching function. This makes it very expensive
for an attacker to find the original query, even using GPUs and ASICs.
For post-quantum resistance, we use it to generate a 1024-bit key.

Step 2: in case the Argon2id algorithm has a vulnerability, or, since this
is a popular function used for hashing passwords and for cryptocurrencies,
and people may have built rainbow tables already, we use a hash function over
the result of the previous function. This immediately defeats rainbow tables.

Step 3: the output of the hash function is truncated to 64-bit.
Due to a property of this operation known as collision-misresistance, and even
if the previous steps fail due to a nation-state actor, it is impossible for a
server operator to prove what exact query was originally sent by a client.

This feature is experimental.
2019-04-01 09:36:56 +02:00
Frank Denis 5dc66adaa9 Move disabled_server_names down 2019-02-23 14:55:23 +01:00
Frank Denis c10fbb2aa7 + disabled_server_names
Fixes #735
2019-02-23 14:54:22 +01:00
Frank Denis 2aa0b7d6a7 Add `refused_code_in_responses` to the example.
Fixes #738
2019-02-23 12:34:59 +01:00
Frank Denis c52b3ef124 Bump the netprobe timeout up to 60 seconds 2018-11-22 17:24:41 +01:00
Frank Denis 2e147364e9 Add support for HTTP/HTTPS proxies
Fixes #638
2018-11-15 18:47:33 +01:00
iiic 4fe62bc7cc @typo in example-dnscrypt-proxy.toml (#628)
This can be can be useful… -> This can be useful…
2018-10-29 14:16:02 +01:00
Frank Denis dda3ca1ea3 Add dash 2018-10-10 19:38:24 +02:00
Frank Denis 4e9397d83e Revert "Remove Quad9 example until they remove prefixes"
This reverts commit 5cb7d8df35.
2018-10-10 16:32:39 +02:00
Frank Denis bfca70000e A note about pidfile 2018-10-03 18:17:39 +02:00
Frank Denis 5cb7d8df35 Remove Quad9 example until they remove prefixes 2018-10-03 16:36:23 +02:00
Frank Denis 9f1be6e079 killChild() is not needed any more; update config example by the way 2018-10-03 16:35:59 +02:00
Frank Denis 1019428ca0 username -> user_name
in case we want to add user_group and whatnot.

Remove the command-line option as it hides the caveats documented
in the configuration file.

Remove TODO. TODO statements always remain in that state forever.
2018-07-07 17:39:33 +02:00
Frank Denis 6cb43f8e4d Of course, dropping privileges breaks with systemd sockets 2018-07-07 15:21:21 +00:00
Frank Denis 9345958d16 Better description of what username does 2018-07-05 18:12:46 +02:00
Frank Denis c73e95256d Implement an offline mode
Fixes #528
2018-07-05 18:05:24 +02:00
John Spurlock 74093a65a2 Quick typo fix in example config. (#511) 2018-06-20 00:55:28 +02:00
Sebastian Schmidt 8f2972845d Note that Windows doesn't support username option (#494) 2018-06-14 09:35:13 +02:00
Frank Denis fe0aa52fba Make description more accessible in the example configuration file
Also don't enable this by default, as "nobody" may not exist everywhere
2018-06-13 16:54:57 +02:00
Sebastian Schmidt aab7e6380f Drop privileges with exec (#467)
* Drop privileges with exec and SysProcAttr

* Fix windows build

* Fix passing logfile fd
2018-06-13 16:52:41 +02:00
Frank Denis ae54a7aafc Revert "Do not mention systemd activation until #480 is solved"
This reverts commit 066345123b.
2018-06-13 16:49:57 +02:00
Frank Denis 066345123b Do not mention systemd activation until #480 is solved 2018-06-08 06:35:47 +02:00
Frank Denis 0166f21b27 Add built-in support for Tor 2018-06-06 15:54:51 +02:00
Frank Denis 7774d9cf05 Avoid long lines 2018-05-10 22:19:04 +02:00
Frank Denis 6f047e07b8 Bump 2018-05-10 22:17:57 +02:00
Frank Denis ce62981c44 Wait for network connectivity before starting the proxy 2018-05-10 21:59:25 +02:00
Frank Denis cdf5b9ce6b IPv6 issues on macOS should be gone 2018-05-10 10:46:11 +02:00
Frank Denis 7f999f59e1 Recommend against disable_ipv6 when using chained caches
Fixes #398
2018-04-27 16:20:24 +02:00
Frank Denis dd878d4c60 Clarify that UDP is no less secure than TCP 2018-04-20 23:17:48 +02:00
Frank Denis b1447160a0 Add cache_neg_min_ttl and cache_neg_max_ttl 2018-04-17 00:24:49 +02:00
Frank Denis 0f349c793e Clarify
Fixes #356
2018-04-16 22:24:45 +02:00
Frank Denis ace955fd9f More accurate description 2018-04-16 02:25:59 +02:00
Frank Denis c33ebd229b Avoid empty examples files
Fixes #348

Keep the ciphers list commented out by default to be safe
2018-04-11 14:03:25 +02:00
Frank Denis 6b3212d3d7 Note that the cipher suite also affects source retrieval 2018-04-11 11:42:10 +02:00
Frank Denis 3d34027aeb Double the example cache size 2018-04-10 13:23:51 +02:00
Frank Denis 40d492f93a Go has only X25519 optimized for x86_64 2018-04-10 11:28:59 +02:00
Zhuoyun Wei 6d2330eaf0 Minor typo fixes in config files (#338) 2018-04-10 09:06:19 +02:00
Frank Denis 8bebb50d49 Nits 2018-04-09 23:58:36 +02:00
Frank Denis 7d10628a5f New syntax for blocking/whitelisting rules: exact matching
Example: =example.com

Matches `example.com` but not `api.example.com`
2018-04-09 13:02:42 +02:00
Frank Denis de6a8d230e Use PolyChaCha, but more importantly, RSA by default
Even on non-ARM systems, this makes a difference in CPU usage/latency
2018-04-09 12:45:42 +02:00
Frank Denis ca80b69b3a Re-implement ephemeral keys for DNSCrypt 2018-04-09 03:12:34 +02:00
Frank Denis 70dca19326 Clarify 2018-04-09 02:57:30 +02:00
Frank Denis 10baa245b2 Clarify 2018-04-07 23:27:57 +02:00
Frank Denis 517538bdb2 Less ### 2018-04-07 23:05:29 +02:00
Frank Denis 65e6b8569e Implement whitelists
Fixes #293
2018-04-07 23:02:40 +02:00
Frank Denis dee7960be6 Bump keepalive up 2018-04-07 22:26:46 +02:00
Frank Denis 1fa3e5d7f3 Add options to set the cipher suite as well as disable session tickets 2018-04-07 22:23:29 +02:00
Frank Denis d4367393c4 Add some links 2018-04-02 01:55:22 +02:00
Frank Denis 308ffff739 Make the keepalive configurable
Fixes #300
2018-04-02 01:49:09 +02:00
Frank Denis 2dcf5fe01a Skip the signature in the example Google stamp
Example configuration files are updated less often than sources
2018-04-01 03:50:10 +02:00
Frank Denis d812a9bdc3 Revert to 9.9.9.9 as the example fallback resolver
Just in case some networks do stupid things with 1.1.1.1 already.
2018-03-30 22:24:19 +02:00
Frank Denis a2160189af Welcome to 1.1.1.1 2018-03-30 21:30:06 +02:00
Frank Denis ede564ccf7 Support multiple URLs for a given source
Fixes #265
2018-03-28 13:36:19 +02:00
Frank Denis 0983a86b40 Mention that log_files_max_backups = 0 means "keep all backups"
Fixes #268
2018-03-28 00:14:07 +02:00
David Runge fa2c95084e Adding DynamicUser to systemd service file, enhancing socket and service (#261)
* Adding nss-lookup.target to the socket Before and Wants directive. Adding current upstream wiki as documentation to service and socket file.
Adding DynamicUser=yes to the service file, alongside various hardening settings (Protect{ControlGroups,KernelModules}). Allowing the service to bind to ports below 1024 by setting CAP_NET_BIND_SERVICE. Adding {Cache,Logs,Runtime}Directory for dnscrypt-proxy. Removing (default) Type=simple. Adding a more default ExecStart location and usage of configuration.

* systemd/dnscrypt-proxy.socket: Adding back ipv6 functionality.

* systemd/dnscrypt-proxy.service: Updating Description to match project name.
Explicitly setting ProtectHome=yes. Adding information on the DynamicUser settings.

* systemd/dnscrypt-proxy.socket: Updating description to match project name.

* systemd/dnscrypt-proxy.service: Adding Requires= and Also= for dnscrypt-proxy.socket in favor of CAP_NET_BIND_SERVICE capabilities.

* dnscrypt-proxy/example-dnscrypt-proxy.toml: Clarifying how to set listen_addresses, when using systemd socket activation.
2018-03-26 20:48:22 +02:00
Frank Denis 0026a20e08 Mention that people in China may need to use Quad114 2018-03-22 07:44:06 +01:00
Frank Denis 2568ea0b0c Revert "Switch to Quad114 as the default resolver"
This reverts commit 91f97833a3.

The Internet has become a sad place.

People in China need to use resolvers in China.
People in the US would not trust resolvers in China.
People in the EU would not trust resolvers in the US.

Revert to Quad9 for now, and add some documentation about why
that might be changed (especially in China) later.
2018-03-22 02:43:03 +01:00
Frank Denis 91f97833a3 Switch to Quad114 as the default resolver
Quad9 currently returns SERVFAIL for dnscrypt.info and there have
been reports of it not working as expected in some countries as well.
2018-03-21 08:30:36 +01:00
Frank Denis fd51ff8fb6 Clarify
Fixes #221
2018-03-11 08:15:02 -07:00
Frank Denis a6ce630897 log_files_max_backups 2018-03-02 10:49:21 +01:00
Frank Denis 38942f62b0 log file rotation example config 2018-03-02 10:38:31 +01:00
Frank Denis 82825f46e9 Typos 2018-02-26 19:38:02 +01:00
Frank Denis 2068975780 Clarify 2018-02-26 19:05:12 +01:00
Frank Denis db0ed1b67f Mention that urls are optional, but recommended 2018-02-24 19:35:37 +01:00
Frank Denis 8fc135ad79 ... 2018-02-19 15:15:20 +01:00
Frank Denis dfe68118c6 Don't suggest that URLs are optional in the example config file
This is confusing, and virtually everybody needs to specify
URLs no matter what.

Fixes #101
2018-02-07 10:48:41 +01:00
Frank Denis d644cf0c41 Move servers down 2018-02-06 16:11:53 +01:00
Frank Denis 404c21816e Use a more permanent URL, even if it's a redirect 2018-02-06 14:27:45 +01:00
Frank Denis f6b6d70615 Add knobs to filter by protocol 2018-02-06 14:11:58 +01:00
Frank Denis a43352e160 Make the load-balancing strategy configurable 2018-02-04 21:23:39 +01:00
Frank Denis 1e066e69b3 Import a cloaking example file 2018-02-04 01:57:18 +01:00
Frank Denis 033931a13a Add a new powerful plugin: DNS cloaking 2018-02-04 01:43:37 +01:00
Frank Denis e62dd27593 Use https for the remote source example
This can be changed back to http on platforms that don't have a clock
2018-02-03 22:01:09 +01:00
Frank Denis 93810e60d7 Set the default source refresh delay to 3 days 2018-02-03 18:55:46 +01:00
Frank Denis dc070d56a4 Add nofilter to Google 2018-02-02 15:08:33 +01:00
Frank Denis fe2bb3847b Update Travis for the new example file names 2018-02-01 19:01:02 +01:00
Frank Denis c2fb372112 Rename example files 2018-02-01 18:28:53 +01:00