Commit Graph

1339 Commits

Author SHA1 Message Date
Frank Denis d42ab83184 ServerConfig -> StaticConfig to match the config file 2018-01-31 08:43:49 +01:00
Frank Denis cdb8faba75 Nits 2018-01-31 08:40:20 +01:00
Frank Denis f6571af24f Nits 2018-01-31 08:38:22 +01:00
Frank Denis 5e8925523f Split ConfigLoad a bit more 2018-01-31 08:32:44 +01:00
Frank Denis 16fc6b74e9 Split ConfigLoad() 2018-01-31 08:27:59 +01:00
Frank Denis bbfcb0c5bd nits 2018-01-31 00:37:56 +01:00
Frank Denis c3414329b3 Warn about certificates that are about to expire 2018-01-31 00:33:00 +01:00
Frank Denis 86adb438e0 Set cert refresh delay default to 240 (4h) 2018-01-31 00:21:25 +01:00
Frank Denis 0cc76b8a77 Lower the log level for already registered servers 2018-01-31 00:19:53 +01:00
Frank Denis a364e51d9e Increase the cert refresh delay; make D1n0Bot happy
Decrease this for more reliability.
2018-01-30 23:53:33 +01:00
Frank Denis 76e5a99a5c Move "refreshing certificates" to debug, display RTT even for 1 server 2018-01-30 23:50:42 +01:00
Frank Denis 8f72a82b13 Don't forget to prepend prefixes to names in v2 lists 2018-01-30 19:47:29 +01:00
Frank Denis 788e97cf86 Clarify 2018-01-30 19:47:26 +01:00
Frank Denis a7d75c7923 Implement the nofilter filter 2018-01-30 19:16:38 +01:00
Frank Denis 3448b5b170 Add a -list option to display the list of available resolvers 2018-01-30 17:51:47 +01:00
Frank Denis 330d265dc2 CRLF 2018-01-30 17:43:15 +01:00
Frank Denis e9b3a0e0b0 Space 2018-01-30 17:40:38 +01:00
Frank Denis 1d35e249c9 Add an option to always ignore the system resolver
This makes startup faster when DoH resolvers without a static IP
are used (Google).
2018-01-30 17:37:35 +01:00
Frank Denis 931916097e Remove daemonize, at least from the configuration file example
daemonize only works on Linux so far, and it might not be secure nor reliable
2018-01-30 16:12:36 +01:00
Frank Denis ce2a730ab7 Remove unneeded port numbers 2018-01-30 16:10:46 +01:00
Frank Denis c39197f7b2 Prepare for beta12 2018-01-30 15:58:13 +01:00
Frank Denis 61bad01726 Import xtransport 2018-01-30 15:51:07 +01:00
Frank Denis ecaf18f614 Use a fallback resolver if the local DNS configuration doesn't work
This should fix all chicken-and-egg issues
2018-01-30 15:47:39 +01:00
Frank Denis 24c21d5eb2 Start moving things to a custom transport 2018-01-30 13:29:47 +01:00
Frank Denis c2494cfc40 Make file paths relative to the path of the configuration file 2018-01-29 23:57:20 +01:00
Frank Denis b6e5f55870 Move the proxy struct to its own file 2018-01-29 23:47:04 +01:00
Frank Denis 479d9d14fd Reduce verbosity 2018-01-29 04:03:59 +01:00
Frank Denis cf12fb170a Use a custom transport and a host->ip cache
maybe
Fixes #45
2018-01-29 03:58:39 +01:00
Frank Denis 7acc38663b Add Yandex to show that explicit server_names override require_* 2018-01-27 19:46:50 +01:00
Frank Denis 7a5484d983 Include Google cert hash 2018-01-27 19:14:08 +01:00
Frank Denis 9eeb68f3a1 beta11 2018-01-27 18:18:28 +01:00
Frank Denis a7fe2aacb8 Show how to use two servers 2018-01-27 18:16:55 +01:00
Frank Denis 3c2cf2a1dc Validate DoH certificate hashes 2018-01-27 17:48:53 +01:00
Frank Denis 5e3e66ac71 Of course Google DNS supports DNSSEC 2018-01-27 17:05:39 +01:00
Frank Denis d2f6c69a2c More checks on the response 2018-01-27 16:59:45 +01:00
Frank Denis 7dde2f4a37 Request DNSSEC signature in the DoH probe 2018-01-27 16:53:57 +01:00
Frank Denis be1e99ea32 DoH: send a dummy query before measuring the RTT to ignore the handshake 2018-01-27 16:48:22 +01:00
Frank Denis 50d0c0449f Initial support for DNS-over-HTTP2 -- Yes, it works with Google. 2018-01-27 15:26:08 +01:00
Frank Denis 85f8aa1000 Fix stamp proto initialization 2018-01-26 22:59:16 +01:00
Frank Denis e16155e22a DoHstamps 2018-01-26 20:38:31 +01:00
Frank Denis 3bbecdcde7 up 2018-01-26 20:16:45 +01:00
Frank Denis 29f1b083a0 Rename a few things to prepare for DoH support 2018-01-26 02:25:38 +01:00
Frank Denis 375378c15b Rename "servers" to "static" for clarity 2018-01-25 17:41:36 +01:00
Frank Denis 1164dd4d4d Comment the additional list of servers in the example 2018-01-25 15:59:22 +01:00
Frank Denis ff5bba1ba4 up 2018-01-25 15:55:27 +01:00
Frank Denis 803bc18027 Use a v2 list 2018-01-25 15:17:46 +01:00
Frank Denis 79193e6ee3 Add support for V2 source format -- Goodbye, CSV. 2018-01-25 15:02:18 +01:00
Frank Denis 78e8abeebc Use http:// 2018-01-25 14:34:55 +01:00
Frank Denis 054461e240 Reserve identifiers for traditional nonencrypted DNS and for DoH 2018-01-25 14:31:18 +01:00
Adrián Laviós Gomis 023c3e78ee Fix systemd socket support 2018-01-25 10:24:28 +01:00
Frank Denis 996d9be4e3 Improve message if /proc/self/exe doesn't exist (?)
Fixes #26
2018-01-24 16:55:28 +01:00
Frank Denis 732c451dd4 Add max_clients to cap the maximum number of client queries 2018-01-24 16:51:26 +01:00
Frank Denis 1dbc765fd7 crlf 2018-01-24 15:23:03 +01:00
Frank Denis 94f9c14ad7 Only attempt to use systemd on linux
Remove plan9 builds
2018-01-24 15:14:48 +01:00
Frank Denis 0b52211fa3 Update dnsc:// leftovers 2018-01-24 14:48:48 +01:00
Frank Denis c184ce1a03 systemd support
How does it work? I don't know. Does it work? I don't know.
Would I encourage its use? No.
2018-01-24 14:44:32 +01:00
Frank Denis 0ce20518db Make the UDP and TCP listeners more generic 2018-01-24 14:22:56 +01:00
Frank Denis 1bcb791270 up 2018-01-24 14:13:29 +01:00
Frank Denis abb659eed2 Nits 2018-01-23 15:51:57 +01:00
Frank Denis 3a3535dcbc Still tolerate hex-encoded pks, but emit a warning 2018-01-23 15:42:22 +01:00
Frank Denis ccbdd41f5d Add support for shorter stamps with binary public keys 2018-01-23 15:23:11 +01:00
Frank Denis 2d7920af22 Prefer sdns:// which is less application-tainted 2018-01-22 12:00:42 +01:00
Frank Denis d7b8217018 Only cache specific Rcodes 2018-01-22 11:19:57 +01:00
Frank Denis 973b53afdc Simplify 2018-01-22 10:02:06 +01:00
Frank Denis 8324b29b42 Require stamps in static server definitions
Provider names, etc. are not future-proof. In particular, they are
incompatible with other protocols such as DoH.
2018-01-22 09:59:32 +01:00
Frank Denis 1d18a230c0 Consistent casing 2018-01-21 22:18:20 +01:00
Frank Denis 3dcedac390 beta8 2018-01-21 19:52:51 +01:00
Frank Denis 29fee1585f abc.ex.com should be rejected if both ex.com and bc.ex.com are listed in a blacklist
With the following ruleset:

ex.com
bc.ex.com

"abc.ex.com" finds "bc.ex.com" as the longest suffix. However, since it's
not at a label boundary, it is not rejected.

However, there is a more general rule that should be considered, ex.com.

So we need to perform at least two lookups in that case.
2018-01-21 19:47:19 +01:00
Frank Denis 6ca2697128 Clear certIgnoreTimestamp if we found at least 1 live server 2018-01-21 18:14:37 +01:00
Frank Denis 8bcba92f97 Add an undocumented option to ignore cert timestamps 2018-01-21 18:10:38 +01:00
Frank Denis 05e07e8b69 Add a simple built-in DNS client for testing 2018-01-21 18:02:32 +01:00
Frank Denis d9b5625226 IP blocking 2018-01-21 16:07:44 +01:00
Frank Denis 1c80e80a0d Do not recommend block_ipv6 2018-01-21 00:54:20 +01:00
Frank Denis f80c16ed2a Slightly change the way we block ipv6 2018-01-20 22:30:36 +01:00
Frank Denis f7b8b70322 Revert "AAAA filter: Reject instead of sending an empty response"
This reverts commit aceb8b30f7.
2018-01-20 22:06:40 +01:00
Frank Denis aceb8b30f7 AAAA filter: Reject instead of sending an empty response
Empty responses can cause issues with CNAME records
2018-01-20 20:37:02 +01:00
Frank Denis 4f0c36ac27 Don't log blocked suffixes in reverse 2018-01-20 17:25:16 +01:00
Frank Denis a1461f3452 Remove unused variable 2018-01-20 17:14:21 +01:00
Frank Denis 5dd08fe56b Fix swapped out arguments in substring check
*example.com* was matching ample.com, not xxxexample.comxxx

Fixes #14
2018-01-20 17:11:46 +01:00
Frank Denis 4f42dd01a4 nxlog 2018-01-20 17:03:48 +01:00
Frank Denis 1e0e01e8e1 NXLOG: a new output plugin to log suspicious queries 2018-01-20 16:59:40 +01:00
Frank Denis 47fdc45b2d beta5 2018-01-20 14:15:20 +01:00
Frank Denis ed50798049 Preliminary implementation of stamps 2018-01-20 14:13:11 +01:00
Frank Denis 88414e1448 Print stamps; require an env variable for debug level 2018-01-20 13:56:26 +01:00
Frank Denis 0fe21b2d57 Shortcut filters for the root zone 2018-01-20 13:30:19 +01:00
Frank Denis 066db6a080 Replace logged_qtypes with ignored_qtypes 2018-01-20 13:27:37 +01:00
Frank Denis 5080502381 " -> ' \because\people\still\use\backslashes\to\separate\path\components 2018-01-20 13:20:30 +01:00
Frank Denis 475d7edb2a Fix suffix matching so that www.example is rejected if example is filtered 2018-01-20 13:18:54 +01:00
Frank Denis b9e89d2278 megacheck 2018-01-20 01:00:19 +01:00
Frank Denis 187de17396 Don't prefetch more frequently than 1/min 2018-01-20 00:31:54 +01:00
Frank Denis 1c27d6c230 Improved error handling 2018-01-20 00:30:33 +01:00
Frank Denis 7fbb4c5428 Improve the prefetcher; run a dedicated goroutine 2018-01-19 23:43:45 +01:00
Frank Denis 2ab29a43d6 Reduce the noise 2018-01-19 22:37:05 +01:00
Frank Denis 6e1eaf7b90 More flexible logging; add support for the Windows event log 2018-01-19 20:06:04 +01:00
Frank Denis 4b4bf36633 Unreachable -> Timeout 2018-01-19 16:40:35 +01:00
Frank Denis aac0078991 Choose if we want to use IPv6 and/or IPv4 servers 2018-01-19 16:38:43 +01:00
Frank Denis 3006a6f2b4 Print server names instead of provider names 2018-01-19 15:50:44 +01:00
Frank Denis 7103229609 Add a logged_qtypes feature to log only some query types 2018-01-19 12:57:47 +01:00
Frank Denis 414d366cb2 Print the root zone as a dot rather than an empty string
Fixes #7
2018-01-19 12:33:27 +01:00
Frank Denis 41d5de6e8d Scheduling 2018-01-19 00:06:18 +01:00
Frank Denis 43e5689387 Schedule a prefetch if we got a set or its signature from a backup cache
This is not pretty, and has to be rewritten for the next beta
2018-01-18 23:54:53 +01:00
Frank Denis 008d2d9093 Increase refresh delay for server sets 2018-01-18 23:54:37 +01:00
Frank Denis 1b5e36432e Remove cache files if we stored corrupted data 2018-01-18 23:33:30 +01:00
Frank Denis f745eb578a Check HTTP error codes 2018-01-18 23:31:14 +01:00
Frank Denis a85d012a2b Prefetch previously unreachable sources URLs after a server is reachable
Partial fix for #4

Pave the way for regular, background updates as well
2018-01-18 23:19:14 +01:00
Frank Denis c4bd6eb9f0 Make the distinction between a usable cache and a hot cache
A hot cache is still fresh. A usable cache exists, and can act as a
backup solution if we can't fetch a list from a remote server.
2018-01-18 22:23:40 +01:00
Frank Denis 6c67739b56 bump 2018-01-18 22:23:37 +01:00
Frank Denis 35a65bc2fd Use single quotes in the TOML file, mention that paths are relative
Fixes #5
2018-01-18 20:41:33 +01:00
Frank Denis 0fcbbfda1f Add systemd readiness notification 2018-01-18 15:31:08 +01:00
Frank Denis 941a7b6f4f Bring FS info level down to INFO, but store this information with the cert 2018-01-18 14:58:57 +01:00
Frank Denis 25664b9a99 Be more tolerant 2018-01-18 14:49:51 +01:00
Frank Denis ed352cc28c Reduce verbosity 2018-01-18 14:46:19 +01:00
Frank Denis 7e86477a7d Make megacheck happier 2018-01-18 14:28:05 +01:00
Frank Denis 0a63975d48 Logs can now be sent to files or syslog in addition to stderr 2018-01-18 14:25:45 +01:00
Frank Denis b0f6a04dc4 Reserve require_nofilter 2018-01-18 13:04:50 +01:00
Frank Denis 41a9bf5bf3 Add require_nolog and require_dnssec filters 2018-01-18 13:01:16 +01:00
Frank Denis fd7838ee58 Add a -version command-line switch to print the version
Fixes #2
2018-01-18 12:22:25 +01:00
Frank Denis 0e03f684b2 Hotfix for OpenBSD and other OS whose init system is not supported yet 2018-01-18 02:08:08 +01:00
Frank Denis 8429df82fd Perform an initial benchmark to use servers with the lowest latency
(initially according to the certificate rtt)
2018-01-17 22:12:34 +01:00
Frank Denis 9dcd37093d Use all resolvers simultaneously, even the ones from remote sources.
Fireworks!
2018-01-17 21:41:36 +01:00
Frank Denis df3a5f608d Improve management of multiple servers, and unreachable-at-boot servers 2018-01-17 21:23:01 +01:00
Frank Denis c46498c1d3 Nits 2018-01-17 17:25:43 +01:00
Frank Denis 1140e067ad Retry more frequently if we don't have any usable certificates
This will have to be done at startup time as well.
2018-01-17 17:22:29 +01:00
Frank Denis b9c43c8ef3 Add the ability to log blocked queries 2018-01-17 17:03:42 +01:00
Frank Denis 9f8bce28a4 Fix forwarding of subdomains 2018-01-17 16:16:22 +01:00
Frank Denis f35357ef88 Simplify the forwarding syntax 2018-01-17 16:06:30 +01:00
Frank Denis 203cfafe35 Add a forwarding rules example 2018-01-17 12:34:05 +01:00
Frank Denis adcdb94d99 Allow comments in the forwarding rules 2018-01-17 12:27:29 +01:00
Frank Denis 3fffbaa2a2 Support installation as a service 2018-01-17 11:28:43 +01:00
Frank Denis 3fe6dbd740 Preliminary support for running as a Windows service 2018-01-17 10:58:19 +01:00
Frank Denis 6ba5749c91 Freformat 2018-01-17 09:50:21 +01:00
Frank Denis 96dadc7aca Forwarding plugin 2018-01-17 09:44:03 +01:00
Frank Denis 1b38364e48 Another example 2018-01-17 08:47:47 +01:00
Frank Denis 404fcea50b Pattern matching in blacklists: done 2018-01-17 08:46:42 +01:00
Frank Denis 548d97989b Comment 2018-01-17 02:42:01 +01:00
Frank Denis 170e2e816e Implement blocking, fully compatible with rules from version 1 2018-01-17 02:40:47 +01:00
Frank Denis 0dcf2c9e06 Split plugins into individual files 2018-01-16 18:21:17 +01:00
Frank Denis 796186a078 Add support for LTSV query logging 2018-01-16 18:10:04 +01:00
Frank Denis 004fbef395 Fix source cache 2018-01-16 00:37:04 +01:00
Frank Denis 5685844f43 Implement query logging 2018-01-16 00:23:16 +01:00
Frank Denis 3ffad7be44 Add Init/Drop/Update methods to plugins
Eventually, we may want to provide a specific structure for plugin
initialization. Sending the whole Proxy structure doesn't scale well.
2018-01-15 23:07:41 +01:00
Frank Denis b945e23101 Use time.Since() 2018-01-14 23:53:17 +01:00
Frank Denis fee0a42dec Plugins can now access the client IP. Useful for logging and ACLs. 2018-01-14 23:47:49 +01:00
Frank Denis 5e252372d5 Pass the client protocol around, don't infer it from clientAddr 2018-01-14 23:39:55 +01:00
Frank Denis b2d297fb17 cd to the path of the executable file 2018-01-14 00:56:46 +01:00
Frank Denis 9640a38ff8 More explicit example name 2018-01-14 00:47:22 +01:00
Frank Denis c3edfb0637 Don't print server public keys 2018-01-14 00:43:57 +01:00
Frank Denis 32b72f3eb3 up 2018-01-14 00:36:46 +01:00
Frank Denis c90befd5a8 Fix getOne() 2018-01-14 00:34:28 +01:00
Frank Denis 9b6d527045 Better explain what cache_file should be set to 2018-01-14 00:24:05 +01:00
Frank Denis 4fef1a705c Fix source cache 2018-01-14 00:20:22 +01:00
Frank Denis 5a65a3a084 Correct format 2018-01-14 00:17:46 +01:00
Frank Denis 01d424a942 Use net.ParseIP() to add missing port numbers 2018-01-14 00:15:01 +01:00
Frank Denis 1b7b6418f1 Restrict the set of resolvers used from a remote source 2018-01-14 00:10:20 +01:00
Frank Denis 13e30ade2b Skip empty lines in the CSV file 2018-01-13 23:53:33 +01:00
Frank Denis a361aa52f3 Preliminary support for remote sources 2018-01-13 23:52:44 +01:00
Frank Denis e9faf4368c Load the toml file from the current directory by default 2018-01-13 00:14:12 +01:00
Frank Denis 9a3cd91cd7 Use dlog for everything 2018-01-11 11:50:54 +01:00
Frank Denis 735213f45a Use glog 2018-01-11 02:11:54 +01:00
Frank Denis 822ae27a46 Always use negative caching except on srvfail (and obviously on success) 2018-01-10 23:26:03 +01:00
Frank Denis 1527d6ed5e Improve caching 2018-01-10 22:47:29 +01:00
Frank Denis 3dd473910b Doc 2018-01-10 19:49:39 +01:00
Frank Denis 3fe60f64c4 So, daemonization only works on linux :/ 2018-01-10 19:49:02 +01:00
Frank Denis 99c5273e3a Add configuration cache size and other parameters 2018-01-10 19:32:56 +01:00
Frank Denis b60c728067 If computeCacheKey ever returns an error, bubble it up 2018-01-10 19:23:24 +01:00
Frank Denis 132add7955 Use a LRU for the cache 2018-01-10 19:02:43 +01:00
Frank Denis 8e73bb4a2c Working DNS cache 2018-01-10 18:53:09 +01:00
Frank Denis 77cdc1db78 Start implementing a basic cache 2018-01-10 18:32:05 +01:00
Frank Denis f283105866 Implement the IPv6 block plugin 2018-01-10 17:23:20 +01:00
Frank Denis fb16eadb24 Single entry for now 2018-01-10 16:43:11 +01:00
Frank Denis fa22cc32d7 Basic load balancing/failover
Try to send queries to one of the two fastest servers
2018-01-10 16:42:14 +01:00
Frank Denis 9eeb799d6e Many improvements 2018-01-10 16:01:29 +01:00
Frank Denis 32a8a3d3e2 Get the path to the config file from the command line 2018-01-10 13:40:50 +01:00
Frank Denis 6dfcb659d4 Handle daemonization 2018-01-10 13:33:06 +01:00
Frank Denis b86e7f268e Use more things from the config file 2018-01-10 12:09:59 +01:00
Frank Denis 2822a9781b Add a config file 2018-01-10 12:02:09 +01:00
Frank Denis 20e3182692 Improve the plugins interface 2018-01-10 10:11:59 +01:00
Frank Denis efd0477c2b Implement an actual estimator for the response size
Scale back the minimum question size when relevant.

Did I mention that this is yet another thing that was never properly
implemented in dnscrypt-proxy 1.x?
2018-01-10 09:46:27 +01:00
Frank Denis f4346691bc Transform queries via an initial edns mangling plugin
Yet another thing that was utterly broken in dnscrypt-proxy v1.x
2018-01-10 09:04:03 +01:00
Frank Denis 705cf440b1 Skip queries without a question 2018-01-10 03:04:13 +01:00
Frank Denis d8f8d561c8 Synthesize a truncated response if the response wouldn't fit the local MSS 2018-01-10 02:52:09 +01:00
Frank Denis ab9006e74c Be more tolerant with invalid/unsupported certificates 2018-01-10 00:38:37 +01:00
Frank Denis 3049f43bc7 Nits 2018-01-10 00:32:16 +01:00
Frank Denis 72a6963f2e Cleanups 2018-01-10 00:31:12 +01:00
Frank Denis 35ec5bd044 We can now receive queries on UDP and forward them on TCP
Something that had never been possible with the old implementation
2018-01-09 20:10:06 +01:00
Frank Denis 1a59d93192 Support TCP connection to the backend 2018-01-09 19:47:24 +01:00
Frank Denis 888db6a8fb The preferred protocol will be a global (for Tor users) 2018-01-09 18:42:24 +01:00
Frank Denis ce5e0c8031 Try to retrieve the certificates using UDP before TCP 2018-01-09 18:37:37 +01:00
Frank Denis 841bf65d61 Reorganize 2018-01-09 18:32:14 +01:00