3efbacc0d4
Rename
2021-03-30 11:53:59 +02:00
c748f93752
Add ODoH support. ( #1653 )
2021-03-30 11:53:51 +02:00
54d85d7298
Filters don't apply to static entries
2021-03-12 20:05:58 +01:00
b1e96b69fd
Save 1.4 MiB of memory
2021-03-08 15:36:42 +01:00
34909babfb
Typo
2021-02-20 19:11:06 +01:00
c500287498
Rename fallback_resolvers to bootstrap_resolvers
...
Clarify what they are used for.
Remove the legacy `fallback_resolver`.
2021-02-20 18:50:42 +01:00
96ba551836
Revert "The source tests are completely brok4n :("
...
This reverts commit a76ffb0143
2021-01-22 17:50:01 +01:00
a9cf16b33e
Fix: Randomize source URLs ( #1593 )
2021-01-22 15:06:49 +01:00
0ab9e30fa9
Merge branch 'master' of github.com:DNSCrypt/dnscrypt-proxy
...
* 'master' of github.com:DNSCrypt/dnscrypt-proxy:
The source tests are completely brok4n :(
Explain how to listen to all IP addresses
In the query log, consider everything that's not UDP as TCP
2021-01-22 09:16:56 +01:00
d0f981156b
Add the base inherited fd to the application logging fd
...
Fixes #1585
2021-01-22 09:15:40 +01:00
a76ffb0143
The source tests are completely brok4n :(
...
Fix at least the fact that URLs are now randomized
2021-01-21 14:59:34 +01:00
53c8e25352
Explain how to listen to all IP addresses
...
Fixes #1588
2021-01-21 14:38:36 +01:00
ac0b9cdfe8
In the query log, consider everything that's not UDP as TCP
...
Fixes #1589
2021-01-21 14:35:06 +01:00
fcd9225121
Threadsafe update ( #1579 )
...
* threadsafe update for relays
* locks around registeredRelays
2021-01-09 22:44:32 +01:00
85d268f2b9
Randomize source URLs
...
Fixes #1577
2021-01-04 16:41:39 +01:00
19dbd13c1b
Explain the example allowlist
2021-01-03 18:18:46 +01:00
daa1f3d3b1
Add a NOT_READY return code
2021-01-03 18:09:03 +01:00
f9ec0a9c09
Deep copy cached responses
2021-01-03 17:37:19 +01:00
3a5585f8a1
Remove test leftover
2021-01-03 17:16:04 +01:00
1f7b247138
Lower severity
2021-01-03 17:00:39 +01:00
bc42eda1c8
Shorten
2021-01-03 16:58:21 +01:00
5c3db0dcf5
Try to rely on proxy.serversInfo rather than proxy.registeredServers
...
With the introduction of background updates, I'm a little bit worried
about race conditions that can happen when a new server or relay is
registered (or even when a stamp changes).
2021-01-03 16:40:38 +01:00
fbd598f027
Nits
2021-01-03 16:22:23 +01:00
197f13ea0f
Fix typo and update message
2021-01-03 16:00:02 +01:00
5861a58089
Nits
2021-01-03 14:44:02 +01:00
7c6f0823ea
Doc update
2021-01-03 14:41:23 +01:00
7b962dff98
Nits
2021-01-03 13:58:08 +01:00
5a079a3eb9
Resolve: print host info
2021-01-03 13:49:43 +01:00
1e10251407
Only find the farthest route on wildcards
2021-01-03 13:33:51 +01:00
0f54b2b34c
Automatic relay selection
2021-01-03 13:01:44 +01:00
79cb9451bd
Remove log messages that are not really needed
2021-01-02 22:59:21 +01:00
662b4c0c62
Make staticcheck happier
2021-01-02 22:55:16 +01:00
af80f57a58
Increase timeouts on retry
2021-01-02 22:31:47 +01:00
996ea0dd89
Don't print the whole response
2021-01-02 22:28:00 +01:00
8a9e61d6cd
Fix typo ( #1571 )
2021-01-02 22:24:11 +01:00
fc82a6c05e
Revamp dnscrypt-proxy -resolve
2021-01-02 22:20:52 +01:00
a584effbe9
Remove HTTPS record creation
2021-01-02 19:05:18 +01:00
7ec5ed127e
Repair server randomization
2021-01-02 19:04:53 +01:00
5398dab58e
Lower log level
2021-01-02 17:04:59 +01:00
8f0b38f4c0
Double comments
2021-01-02 15:37:41 +01:00
9f5c034c3d
Add staticcheck.conf
2021-01-02 15:36:30 +01:00
ee5711fbd6
Disable captive portals by default
2021-01-02 15:22:58 +01:00
56acb7b5ab
Log when the ECS plugin is enabled
2021-01-02 15:10:30 +01:00
a713e1a517
Move captive portals config to a dedicated section
...
Add examples
2021-01-02 15:10:04 +01:00
3b18058ae5
Add IPv6 cleanbrowsing servers
2021-01-02 12:53:10 +01:00
5b8c9c495f
register servers after loading statics ( #1568 )
2021-01-02 11:57:18 +01:00
b8d17debfd
Remove final stops from errors
2021-01-02 11:16:12 +01:00
2cdafa4bb3
Remove debug leftover
2021-01-02 10:24:32 +01:00
f245189f02
Handle captive portal names after coldstart
2021-01-01 21:39:17 +01:00
87fb44a588
Run from in memory cache updates ( #1564 )
...
* ConfigFile change to allowlist and blocklist
* revised names and warnings
* consistent file naming in kebab case, and generic use of blocklist and allowlist in cmoments for clarity
* update ci files
* impose maximum delay and document
* live update of servers
* update for source prefixes
* fixup test
* stop registerServers being called twice at startup
* prevent double registration at startup
* tidy function signature for loadSource
Co-authored-by: Ian Bashford <ianbashford@gmail.com>
2021-01-01 14:04:12 +01:00
254a4a6532
Use , not | to match multiples items
...
Fixes #1558
2020-12-26 17:55:31 +01:00
77f81cc8c2
Add recommendation for fallback resolvers in the example config
...
This is the same recommendation as c4d9860577/dnscrypt-proxy/serversInfo.go (L429-L432)
2020-12-17 11:10:35 +01:00
c4d9860577
cloak plugin: return multiple the entire set of IPv4 or IPv6 addresses
...
Fixes #1547
2020-12-17 09:47:44 +01:00
a8a0677ea9
h1 -> http/1.x
2020-12-17 01:13:11 +01:00
7d851366bb
Do not only warn if the protocol is empty
2020-12-17 01:08:06 +01:00
85e7dddc9b
Move a few DNS things to dnsutils
2020-12-12 23:09:15 +01:00
a24b009667
Filler
2020-12-12 22:35:51 +01:00
d700ab6085
Nits
2020-12-12 22:19:09 +01:00
a384011e71
Support relays in static entries
2020-12-12 21:57:04 +01:00
7f46f4820c
Don't use distinct pointers for UDP and TCP relay addresses
2020-12-12 21:18:32 +01:00
ab8ebead34
Remove support for {ip|host}[:port] syntax for specifying a relay
...
It's very likely that no one ever used it.
2020-12-12 20:46:40 +01:00
fc785f9f69
Print details when an unsupported protocol is found
2020-12-11 12:26:05 +01:00
d6d8c37ef6
Format
2020-12-11 12:25:57 +01:00
0d260d0e2d
pattern_matcher: check exact matches first
2020-12-07 12:58:05 +01:00
1239e64cd9
Correctly check for HTTPS type
2020-12-01 16:08:33 +01:00
b7dfdb1372
Factorize
2020-12-01 16:08:10 +01:00
24a9539d08
Filter names on SVCB and HTTPS records in addition to CNAME
2020-12-01 16:00:18 +01:00
df8cfe3f3c
dnsdist has been fixed
2020-11-30 14:31:30 +01:00
f5827520d8
download mirror download.dnscrypt.net ( #1527 )
...
Files are locally hosted on download.dnscrypt.net. A cronjob updates the files every 3 hours, source is https://download.dnscrypt.info
download.dnscrypt.net has IPv4 and IPv6, DNSSEC, HTTPS
2020-11-27 22:35:27 +01:00
f9c11f0897
Allow arbitrary addresses to be set in listen_addresses
...
Only works on OpenBSD/FreeBSD/Linux (including Android)
Fixes #1362
2020-11-25 19:23:30 +01:00
02a6ca1098
Keep .home in forwarding rules
2020-11-25 01:39:11 +01:00
715c32f0fc
Change example forwarding rule to match recommended .home.arpa TLD ( #1523 )
...
The ".home" TLD was proposed at one point, and while it's probably not going to actually ever get delegated it's not best practice to just start using your own TLD. The .home.arpa domain has been specifically set aside for use in home networks (RFC 8375) and is probably the better example to put here.
2020-11-25 01:38:14 +01:00
9e4131c6f7
Add ipv6.download.dnscrypt.info for testing
2020-11-23 21:10:22 +01:00
90a9a9d992
allowed ips plugin ( #1510 )
2020-11-15 20:59:58 +01:00
6b6c6753aa
Revert struct packing changes for the configuration
...
structlop is nice, but strips renames
2020-11-14 15:34:03 +01:00
4fa643ef4d
Repack structures to save some memory
2020-11-14 14:46:59 +01:00
078f69357e
Update example-dnscrypt-proxy.toml ( #1489 )
...
* Update lb_strategy usage
* Update example-dnscrypt-proxy.toml
2020-10-21 14:21:39 +02:00
7a03369d01
Debug log certificate TTL
2020-10-12 17:58:08 +02:00
8b72e58656
Make key exchange behaviors consistent
2020-09-21 02:14:17 +02:00
687fe27371
Nits
2020-09-18 00:14:50 +02:00
272984a640
Add support for EDNS-client-subnet
...
Fixes #1471
2020-09-18 00:11:26 +02:00
4d7f253e6b
Don't spawn new connections if we are full
2020-09-17 00:49:49 +02:00
8411e5a91b
Revert "Error out if the dns64 plugin is enabled without listening sockets"
...
This reverts commit b02649f774
2020-09-17 00:45:48 +02:00
4eab88c017
plugin_dns64: don't send queries to self
...
Fixes #1477
2020-09-17 00:44:37 +02:00
b460ca9fa8
Simplify hasAAAAQuestion
2020-09-17 00:24:04 +02:00
b02649f774
Error out if the dns64 plugin is enabled without listening sockets
2020-09-17 00:19:00 +02:00
c74b993cbb
dns64: check the original question, not the returned one
2020-09-17 00:10:11 +02:00
26505ab560
Merge declaration and assignment
2020-09-13 20:24:06 +02:00
5a1b87130d
Use single quotes for strings
...
Fixes #1466
2020-09-03 21:21:05 +02:00
d175642df3
Quad9 seems to have upgraded their dnsdist version!
2020-08-31 17:13:14 +02:00
fa5c55c64a
Debug log query names
2020-08-09 13:09:37 +02:00
dadb38c32e
Lower severity
2020-08-05 15:50:48 +02:00
0ac96fec30
Add some logging back to fetchDoHServerInfo()
2020-08-05 15:39:30 +02:00
b583fb5314
Turns out that the "test." zone is directly served by the Tencent CDN
...
without hitting the actual resolvers.
So, we need to use a different test zone.
2020-08-05 15:03:16 +02:00
f3157b0a42
Check DoH servers with a query to a random name
...
The issue with benchmarking DoH servers is that some responses can
be directly served by a CDN, while others require a round trip to
the origin that can be significantly more expensive.
Random padding was an attempt at mitigating this. Unfortunately,
some servers (Tencent) ignore the padding. We end up with a query
for the root zone served by the Tencent CDN very quickly, but
anything else is orders of magnitude slower.
So, measure a query within the reserved "test." zone instead.
Caching resolvers should either know that "test." is undelegated,
or have it in their negative cache already, so this is unlikely to
trigger an actual query to authoritative servers.
Take it as an opportunity to check that we don't get anything but
a NXDOMAIN response for nonexistent domains.
2020-08-05 14:54:14 +02:00
60d4c98f31
Unbreak running without a captive portal configuration file
2020-08-04 00:50:59 +02:00
f7f84fd871
Add ipv4only.arpa
2020-08-03 18:20:12 +02:00
4424602e39
Start experimenting with better support for captive portals
...
MacOS (and probably Windows and other systems) tries to fetch a URL
before marking a network interface as available.
During this time, applications cannot use the interface at all, not
even bind their address.
When DNS queries are sent to dnscrypt-proxy, this causes the system
to wait for a response that can't come from the network, since we
hit a dead lock here.
The only option is to return hard-coded responses directly until
te interface is available.
The same captive portal configuration file can also serve a different
purpose.
Once the network is available, captive portal detection may not
work as expected if the answer is cached for too long. In fact, it
probably can't work at all since routers can't hijack DNS queries.
Once thing we can do is redirect the list of names used for captive
portal detection to the fallback resolvers. This may allow detection
to work as expected while still using a secure channel for all
other queries.
2020-08-03 18:05:42 +02:00
210ba8c60f
coldstart experiment
2020-08-03 15:40:39 +02:00
162b51c791
Remove confusing "Domain exists: probably not, or blocked by the proxy"
2020-07-30 19:25:17 +02:00
617629c180
initialize the log file before reporting config errors ( #1426 )
...
* initialize the log file before reporting config errors
* consistently return error instead of calling dlog.Fatal when parsing config
2020-07-27 16:01:44 +02:00
d3ff3a6bb1
Remove facebookgo/{atomicfile,pidfile}
...
Fixes #1411
2020-07-10 14:37:35 +02:00
1a34c8d5ff
Add max-stale cache control directive to requests
2020-07-09 21:42:35 +02:00
8dd4612ea7
Don't use Lumberjack for non-regular files
...
Fixes #1407
2020-07-08 13:48:04 +02:00
77a27a46a4
Rename the python script name in the example config
2020-07-08 12:05:42 +02:00
af564522ec
Further block/allow updates ( #1406 )
...
* ConfigFile change to allowlist and blocklist
* revised names and warnings
* consistent file naming in kebab case, and generic use of blocklist and allowlist in cmoments for clarity
* update ci files
* further allow/blocklist updates
* improve language in comments
Co-authored-by: Ian Bashford <ianbashford@gmail.com>
2020-07-08 12:01:06 +02:00
10710def50
Make loggers io.Writer implementations, not directly lumberjack objects
2020-07-08 11:36:58 +02:00
7bec554709
Remove fritz.box after all
2020-07-08 11:03:45 +02:00
038ebea0ed
Update broken_implementations with Quad9 -pri suffix ( #1398 )
2020-07-03 15:28:09 +02:00
63c8f0610f
Update broken_implementations list with updated Quad9 v3 names ( #1390 )
2020-07-03 14:05:39 +02:00
9bc5bb0e14
Clarify
2020-07-03 13:03:57 +02:00
90df0292c8
Remove unneeded brackets
2020-07-03 12:59:51 +02:00
7a6f1461f8
Add option to go direct for failed certificate retrieval via relay ( #1397 )
...
* Add option to go direct for failed certificate retrieval via relay
* add direct_cert_fallback to example config file
Co-authored-by: yofiji <you@example.com>
2020-07-03 12:58:36 +02:00
5e2f1c4146
Clarify that skipAnonIncompatbibleResolvers does what it says
2020-07-02 13:45:19 +02:00
ece0c76172
Add fritz.box IP to the cloaking rules example
...
Fixes #1392
2020-07-01 09:20:44 +02:00
7b1ccd1053
Issue #1380 : Reenable HTTP/2 for local DoH ( #1384 )
...
+Updated ci-test number 25 looking for invalid 404 to reflect changes here
2020-06-28 18:20:20 +02:00
b089d49d25
ConfigFile change to allowlist and blocklist ( #1375 )
...
* ConfigFile change to allowlist and blocklist
* revised names and warnings
* consistent file naming in kebab case, and generic use of blocklist and allowlist in cmoments for clarity
* update ci files
Co-authored-by: Ian Bashford <ianbashford@gmail.com>
2020-06-26 23:18:30 +02:00
19c0c3f7db
Add forward slashes to example stamp for consistency ( #1388 )
...
Seems to work with or without, but makes it consistent with the toml, the documentation and the stamp calculator.
2020-06-26 17:36:15 +02:00
8935fa454a
v2 -> v3
2020-06-21 22:20:34 +02:00
80942eb231
Don't forget Linux
2020-06-19 21:43:45 +02:00
55ce158e37
Do we need to duplicate descriptors twice?
2020-06-19 21:42:20 +02:00
80dfffc4ee
Unbreak CI
2020-06-19 20:16:21 +02:00
03746b76bf
Capitalize
2020-06-19 11:39:44 +02:00
6235c11c77
When forking, relocate descriptors higher up
...
Channels used by the `services` module may use descriptors, so we don't
want to overwrite them.
Maybe
fixes #1371
2020-06-19 00:04:54 +02:00
65f42918a1
Bump
2020-06-11 17:10:33 +02:00
d55421df96
Don't bind listening sockets with the -list/-list-all options
...
Fixes https://github.com/Homebrew/homebrew-core/pull/55998
2020-06-11 11:41:17 +02:00
9cce77cc53
No need to import the dnsstamps package twice
2020-06-11 11:13:41 +02:00
4f47cd0f4f
Avoid implicit memory aliasing in for loop
2020-06-11 11:10:33 +02:00
de6afd5a4c
Merge branch 'master' of github.com:jedisct1/dnscrypt-proxy
...
* 'master' of github.com:jedisct1/dnscrypt-proxy:
Create shiftleft-analysis.yml
Create codeql-analysis.yml
Revert "Fix unit tests on Win10 (attempts 1 and 2)"
sources_test: set bit 16 of the port instead of adding zeros (#1358 )
Fix unit tests on Win10 (attempt 2)
2020-06-11 11:03:30 +02:00
9f9a17ed6b
doh_client_x509_auth: don't ignore errors
2020-06-11 11:03:17 +02:00
2018945fdf
Revert "Fix unit tests on Win10 (attempts 1 and 2)"
...
This reverts commit 92dda0d55a5a1fdc8cd6
2020-06-10 19:45:11 +01:00
f4d519092b
sources_test: set bit 16 of the port instead of adding zeros ( #1358 )
...
Ok @welwood08
2020-06-10 20:24:41 +02:00
92dda0d55a
Fix unit tests on Win10 (attempt 2)
...
Thanks to @lifenjoiner for testing! Windows 10 behaves even more unexpectedly.
After it parses the "ip:port" string as a hostname, it attempts to upgrade from
http to https by appending `:443` and parsing that new URL again.
This seems to happen concurrently with the doomed DNS lookup and we see the
error from whichever fails first.
2020-06-10 12:10:51 +01:00
5416891056
Temporarily parse [tls_client_auth] for backward compatibility
...
Document the change.
Fixes #1355
2020-06-10 11:37:03 +02:00
d7f16f6be4
Uncomment sections for consistency
2020-06-10 11:04:50 +02:00
adcdcffdec
Skip netprobe & listeners when -show-cert or -check are used
...
Fixes #1354
2020-06-10 11:01:59 +02:00
5a1fdc8cd6
Fix unit tests on Win10
...
Untested attempt to fix unit tests that fail on Windows 10 build 1909.
From the test output mentioned in #1332 , it looks like this version of Windows
doesn't report an "invalid port" error when asked to connect to an invalid port,
instead it treats the port as part of the host name and attempts a DNS lookup.
Naturally, this fails because the colon character is not valid in a host name.
This change simply makes this inexplicable error an expected result since the
outcome is the same and we can't fix Windows.
2020-06-09 15:51:23 +01:00
506f727f1f
Another place worth force GC'ing
2020-06-09 09:52:59 +02:00
b794d47a76
Force GC where it seems to matter most
2020-06-09 09:42:09 +02:00
8945cb1b90
Add log_file_latest
2020-06-08 22:31:03 +02:00
87c161ab76
Clarify what log_file is
2020-06-08 20:07:24 +02:00
9c5cf611a4
Preliminary ChangeLog
2020-06-08 19:20:55 +02:00
b32ffbb807
Discourage from blindly using dns64
2020-06-08 18:59:39 +02:00
f48b13f7b8
Add DNS64 support
2020-06-08 18:42:54 +02:00
d766dc8bf7
doh_client_x509_auth: make it clear that root_ca is optional
2020-06-08 18:09:37 +02:00
5db4365540
Adding support for additional root CAs for DoH TLS Auth ( #1281 )
2020-06-08 18:01:40 +02:00
68ccd1410f
Support multiple stamps per resolver
...
For now, a single stamp is randomly chosen in order to spread the load,
but we may eventually want to also use this for failover mechanisms.
2020-06-08 17:54:49 +02:00
b0e883ebc6
Android: use getprop persist.sys.timezone to get and set the time zone
...
Untested. Maybe
fixes #1351
2020-06-06 15:32:27 +02:00
45628702b6
Add SANS lists
2020-06-02 13:03:41 +02:00
1f6d8cc53c
Nits
2020-05-31 13:46:44 +02:00
8ddd5fe36e
Merge branch 'master' of github.com:jedisct1/dnscrypt-proxy
...
* 'master' of github.com:jedisct1/dnscrypt-proxy:
Fallback to cache_file avoiding termination for not offline_mode (#1332 )
Minor update to GH Actions workflow (#1341 )
2020-05-31 13:27:28 +02:00
d59d9427b3
Don't wait for the whole server list before accepting connections
...
Blocking until all servers have been checked is safe, but significantly
increases startup times.
OTOH, we shouldn't accept connections unless we have at least one live
server.
So, a better approach may be to add the ability for `serversInfo.refresh()`
to write to a channel after a live server has been found, and block on
that channel in the main thread before accepting client connections.
2020-05-31 13:24:35 +02:00
c4a13d25ce
Fallback to cache_file avoiding termination for not offline_mode ( #1332 )
...
Ignore downloading error from `NewSource` when startup (cache loaded).
2020-05-30 07:38:04 +01:00
7e2404ffef
Use domain lists for energized.pro
2020-05-20 16:01:25 +02:00
82f78ef4fa
s/BrokenQueryPadding/FragmentsBlocked/
...
Maybe
fixes #1323
2020-05-19 15:57:56 +02:00
3e264b9da9
Rename tls_client_auth to doh_client_x509_auth
...
Maybe improves clarity? I can never remember what tls_client_auth does.
2020-04-26 21:21:00 +02:00
3775d59217
Add some comments for an obscure feature
2020-04-26 21:05:23 +02:00
c6b32e0590
Another example of an IP blocklist
2020-04-26 19:42:42 +02:00
80b95b1ba6
Use accessors for systemd things, too
2020-04-26 17:08:24 +02:00
436bce9edf
Define functions to register socket handles, to improve clarity
2020-04-26 16:52:50 +02:00
38cfa437db
Repair Local DoH; should fix CI tests
2020-04-26 16:34:26 +02:00
12219c7490
listener->pc
...
Spotted by @welwood08
2020-04-26 16:19:49 +02:00
52f87aee8e
Accept data from systemd sockets at the same time as everything else
2020-04-26 15:00:39 +02:00
4029d3d4f3
proxy.dropPrivilege() doesn't return on success
2020-04-26 14:49:43 +02:00
3c510b74bb
Start listeners as goroutines
2020-04-26 14:26:40 +02:00
4a50736457
Only start accepting connections after everyting has been initialized
...
Fixes #1295
And more. The estimator, key and servers list were not initialized either.
2020-04-26 12:52:55 +02:00
9519472bbe
Don't print the proxy version in the child
2020-04-20 12:34:59 +02:00
6f2dcb900a
Drop privileges early
...
Fixes #1265
2020-04-20 12:27:53 +02:00
b6b7ed3a67
Dropping privileges doesn't work reliably on MacOS
2020-04-20 11:50:27 +02:00
f71244ed74
use global 'timeout' option for forwarding queries ( #1284 )
...
* Update plugins.go
* Update plugin_forward.go
2020-04-17 20:57:23 +02:00
527764aba7
Upper case
2020-04-05 20:50:28 +02:00
d2602fd142
Respect proxy.mainProto in forward plugin ( #1259 )
...
* Respect proxy.mainProto in forward plugin
* Make the serverProtocol part of pluginsState instead
2020-04-05 20:49:30 +02:00
f4631b9121
Remove unreachable code
...
Spotted by @komapa
2020-04-05 20:48:00 +02:00
4ce28473f4
Update example-ip-blacklist.txt ( #1264 )
...
fix https://github.com/DNSCrypt/dnscrypt-proxy/issues/1261 . remove `[` & `]`.
2020-04-02 14:55:18 +02:00
f6b9706322
This reverts commit 876e389a0a.
...
April 1st is almost over :)
2020-04-01 21:55:17 +02:00
876e389a0a
Make doh.nsa.gov the default DNS server
2020-04-01 12:22:52 +02:00
1ff31f14f1
Remove the ct parameter from DoH queries
...
That was a workaround for Google, but Google doesn't seem to need
it any more.
2020-04-01 12:12:57 +02:00
3ca80afb19
packets -> client queries
2020-03-26 17:25:52 +01:00
74095d38ed
Remove LargerResponsesDropped
...
dnsdist drops DNSCrypt queries shorter than 256 bytes, interpreting them
as not being encrypted instead. This is surprising when doing ad-hoc
testing, but absolutely fine, and we will never send shorter encrypted
queries on normal circumstances.
So, remove a useless knob.
2020-03-26 17:20:34 +01:00
b3fbc2304d
All dnsdist servers exhibit the same behavior re: sending truncated responses
...
A 128 bytes query will not get a 200 bytes response (randomly tested on
3.tlu.dl.delivery.mp.microsoft.com), not even a truncated one.
It may be related to fragments being blocked on the server socket, or a
different issue. We can expect everything to be back to normal in dnsdist
1.5.0 no matter what.
2020-03-26 15:19:17 +01:00
5049516f53
Add an option to ignore servers incompatible with anonymization
2020-03-26 13:41:57 +01:00
7621737dde
Improve debugging
2020-03-26 13:30:39 +01:00
9542109d66
Cancel dnsExchange goroutines as soon as we have a best response
2020-03-26 12:53:22 +01:00
ad36321dc8
Add cleanbrowsing until dnsdist 1.5.0 is out
2020-03-26 12:31:12 +01:00
8896787e66
Add other dnsdist servers until the MTU issue is fixed
...
https://github.com/PowerDNS/pdns/pull/7410
2020-03-26 10:57:09 +01:00
9f65457b1c
Wait a little bit more between UDP attempts
2020-03-26 10:37:56 +01:00
7424f1a8b7
Try harder to work around Cisco and Quad9 bugs
2020-03-25 20:10:11 +01:00
64935c9b92
Bump
2020-03-25 18:24:25 +01:00
0860245c73
Nits
2020-03-25 18:24:03 +01:00
25b89e57ae
Add Quad9 back to the list of servers with broken padding
2020-03-25 18:11:16 +01:00
81c8d68462
Pad queries to 1472 bytes for implementations with broken padding
...
Quad9 doesn't return TC when responses are larger than the question;
it doesn't return anything instead :(
2020-03-25 18:06:02 +01:00
dd37eaed7c
Retry over TCP on UDP timeouts
2020-03-25 17:45:59 +01:00
4fe5929720
Typo
...
Fixes #1248
2020-03-25 09:11:10 +01:00
c13a69b040
Remove deepsource
2020-03-24 14:38:00 +01:00
a58044fed0
Bump
2020-03-24 14:37:35 +01:00
c4287c799f
Quad9 doesn't seem to block fragments on all networks
...
So, remove them from the static list and trust the runtime checks
for detection.
2020-03-24 14:32:23 +01:00
315f6f45ff
Certificates that can't be loaded are fatal
2020-03-24 14:31:43 +01:00
2670caa71e
Print the anonymization incompatibility message even if detected at runtime
2020-03-24 14:19:41 +01:00
3f07b6079a
No need to explicit ignore this variable
2020-03-24 12:45:17 +01:00
b328a9768f
Remove debugging code that prevented detection of fragmented UDP support
2020-03-24 12:38:23 +01:00
06ca9b01f0
Nits
2020-03-21 10:24:09 +01:00
d80af74300
Fix unit tests
2020-03-20 22:40:29 +01:00
0b87cc92b6
Fix data race
2020-03-20 21:45:09 +01:00
44db53f58b
Not dnsdist
2020-03-20 21:19:34 +01:00
d1710a4d2b
Use single quotes for consistency
2020-03-20 21:18:30 +01:00
094ea07dc2
Bump
2020-03-20 21:09:34 +01:00
d876c7b487
Keep the default LB strategy if an invalid p* one is used
2020-03-20 20:53:03 +01:00
34d83f027f
Support power-of-<arbitrary number>
2020-03-20 17:49:32 +01:00
b57cc19d70
Use an interface for load-balancing strategies
2020-03-20 17:37:34 +01:00
16708a0c20
Automatically detect servers blocking fragmented queries
2020-03-14 21:34:40 +01:00
49910d2f72
Localize some error values
2020-03-13 18:44:30 +01:00
19647e03a6
Overwrite the server name only when we need to send an upstream query
2020-03-13 17:52:09 +01:00
c17637c026
Don't log a server for blocked names by pattern ( #1218 )
...
* Update plugins.go
* reason update moved after reject confirmed
added boolean for direct rejects
* remove server with direct rejects
name pattern blocked cases
2020-03-13 17:50:38 +01:00
810f6043d2
People are used to seeing the [static] section at the end
2020-03-09 22:14:31 +01:00
c040b13d59
Adding the ability to do TLS client authentication for DoH ( #1203 )
...
* Adding the ability to do TLS client authentication for DoH
* whitespace nit
* Check for server specific creds before wildcard
* small comma ok idiom change
2020-03-09 22:11:53 +01:00
92e842126d
Skip the Firefox plugin for connections through the local_doh protocol
...
Fixes #1205
2020-02-26 15:29:28 +01:00
b2be617e6b
Update example-dnscrypt-proxy.toml
...
Fixes to grammar and other minor issues.
2020-02-26 15:13:49 +01:00
11b31dea4f
Update example-dnscrypt-proxy.toml
...
Attempt to clarify the behaviour of server_names.
2020-02-26 15:13:49 +01:00
aa0e7f42d3
Make the xTransport functions return the HTTP body directly
...
This simplifies things, but also make RTT computation way more reliable
2020-02-21 22:33:34 +01:00
a6d946c41f
Shorten the default broken_query_padding list
2020-02-21 20:33:13 +01:00
4608b6d18d
Add auad9 to the broken_query_padding list
...
Fixes #1169
2020-02-21 20:31:45 +01:00
673eea65af
Add random padding to the initial DoH query
...
Fixes #1199
2020-02-21 20:24:24 +01:00
0ef2737ffe
fix minor typos in comment
2020-02-14 18:48:48 +00:00
1fa26eec0a
gofmt whitespace
2020-02-14 18:48:48 +00:00
8c42609475
fix minor typoS in config file
2020-02-14 18:48:48 +00:00
323c4a4758
Don't explain the format of other config files in the main config file
...
This is confusing if you don't read the documentation.
Fixes #1179
2020-02-05 12:17:14 +01:00
824fa90f94
Forwarding plugin: force set the response ID to match the query ID
...
Shouldn't be necessary, but just to be safe in case `dns.Exchange()`
does something unexpected.
2020-02-05 02:52:54 +01:00
63d28fc9b2
Forwarding plugin: retry over TCP if a truncated response is received
...
dns.Exchange() doesn't do it automatically.
Fixes #1178
2020-02-05 02:44:43 +01:00
170c690996
Bump
2020-01-31 11:25:04 +01:00
2dda74647d
Don't add padding unless the query has padding
...
Or else Firefox craps out
2020-01-31 11:17:36 +01:00
70311614a0
Improve error message on DNSSEC failure
2020-01-31 10:58:07 +01:00
cf1498c9f4
Properly compute the padding length for local DoH
...
Fixes #1173
2020-01-31 10:58:03 +01:00
d14d2b613a
Bump
2020-01-30 16:19:38 +01:00
a6026ce48a
Ignore lines starting with '#'
...
Fixes #1171
2020-01-30 16:16:05 +01:00
3a94523d65
Bump the cache size a little bit
2020-01-30 15:08:23 +01:00
c84a394817
Bump
2020-01-30 13:23:03 +01:00
f34d7b60fa
Implement serve-stale
2020-01-30 13:15:29 +01:00
f22461374c
Retry UDP queries on timeout
2020-01-29 18:53:39 +01:00
f17ce1ae0d
Use constant, but arbitrary long padding
2020-01-29 17:57:59 +01:00
4d788aed85
Make UDP and TCP code similar when it comes to SOCKS proxying
...
Actually use the relay when both a relay and a SOCKS proxy are
configured.
Keep forcing TCP when SOCKS is enabled. I couldn't get UDP proxying
to work with Shadowsocks.
2020-01-27 16:07:08 +01:00
349320f291
Add support for inline comments in patterns lists
...
Fixes #1162
2020-01-25 15:45:23 +01:00
7ada3fcfb8
Support multiple fallback resolvers
2020-01-15 19:58:14 +01:00
7fb62d98ea
Use EDNS0 padding for local DoH
2020-01-05 21:12:29 -05:00
6fb42d0eae
Improve error message when local DoH is enabled without a certificate
...
Fixes #1136
2020-01-05 19:02:57 -05:00
19cebfdb0a
Mention that /dev/stdout is not for Windows systems
...
Fixes #1131
2020-01-03 21:13:04 -05:00
abd221738b
Explicit brackets
2019-12-23 23:17:46 +01:00
5ede397d33
Mention ipsum
2019-12-23 19:52:27 +01:00
0e644c4b86
Add -config <config file> to the service configuration arguments
...
Maybe
fixes #1122
2019-12-23 15:35:52 +01:00
7e45b50d58
Move things around
2019-12-23 15:33:57 +01:00
c27d41faa0
Avoid unneeded DNS packet unpacking
2019-12-23 11:37:45 +01:00
adb6dac420
Strip EDNS0 options in responses
2019-12-22 18:02:33 +01:00
5118ed21fd
Use dumb padding even for GET queries
...
Resolvers such as Cloudflare always add padding to DoH responses
Resolvers such as Google only do if the question had dumb padding
Resolvers such as Cisco blindly return a copy of the question's padding
Some resolvers don't return any padding no matter what's in the question
Finally, other resolvers return FORMERR
This is a mess. A bad design inherited from DoT, that didn't fix
anything from Unbound's original experiment.
Also, padding with zeros as recommended is a bad idea. When using
GET, escaping makes the actual padding size 3 times as big as needed.
2019-12-22 17:34:16 +01:00
1585ede954
Use EDNS0 padding when using DoH over POST
...
This mechanism is horrible, slow (requires re-unpacking and re-packing
the query), should be done at transport layer and not at content layer, and
of course, it is incompatible with some resolvers.
However, in spite of https://go-review.googlesource.com/c/go/+/114316/2/src/net/http/transfer.go ,
we may still end up sending the header and the content in distinct packets.
So, use that horror for POST queries only. For GET, this is not needed.
2019-12-22 15:31:02 +01:00
0454463539
Pad GET queries
2019-12-22 14:43:21 +01:00
48817a4642
Unbeta
2019-12-21 21:29:13 +01:00
a7922a81fb
add some nonexistent zones
2019-12-21 14:34:29 +01:00
80d45a2343
2.0.36-beta.1
2019-12-18 12:44:24 +01:00
3fce30d7a5
Rename PluginsActionForward to PluginsActionContinue
...
Set the correct response code when forwarding
2019-12-17 19:19:36 +01:00
daf6d5881d
The default return code must be PASS
2019-12-17 18:54:49 +01:00
b1c08f8931
Handle Drop/Synth actions the same way in query and response plugins
2019-12-17 16:28:12 +01:00
a23f07a93d
Add an IP blacklist example
2019-12-17 15:25:39 +01:00
d88995aac6
Minor comment fix
...
I noticed while writing the functionality tests that comments about relative paths disagreed with what the code was doing.
While the executable directory is used if the configuration file itself can't be found, `cdFileDir(foundConfigFile)` is always executed after the configuration file is found whether that's the same as the executable's directory or not.
Also a couple of punctuation nits.
2019-12-17 14:28:06 +01:00
3c6f87527f
Undelegated zones are not dot suffixed any more
2019-12-17 11:08:22 +01:00
4fd54a4919
Store the normalized qName in the plugin state
...
We now enforce the fact that a query always include a question.
It holds true for all practical use cases of dnscrypt-proxy.
This avoids quite a lot of redundant code in plugins, and is faster.
2019-12-17 10:11:41 +01:00
ee24bf0421
Bump
2019-12-16 23:06:56 +01:00
07e605e9f4
Add a note about dnsmasq
...
In the config file, so that it has more visibility than in the doc.
Synthetic responses cannot contain NSEC or RRSIG records, and that
seems to be confusing dnsmasq.
2019-12-16 17:23:22 +01:00
eedabcbd4a
Reverse
2019-12-16 17:05:05 +01:00
cba755b4d1
Lowercase the question
2019-12-16 17:03:16 +01:00
7066e53843
Pre-add the final dot
2019-12-16 16:39:30 +01:00
1b276be85d
Rewrite block_undelegated without the generic pattern matcher
2019-12-16 16:35:08 +01:00
2d25719a69
Reuse the same variable
2019-12-16 16:32:49 +01:00
66799c4159
Add the ability to block undelegated DNS zones
...
Using the generic pattern matcher as a first iteration, but we can
save some memory and CPU cycles by building and using a critbit tree
directly.
2019-12-16 16:18:47 +01:00
aa5350c7fd
Missed blockedName->xBlockedName renaming
...
Fixes #1116
2019-12-16 12:13:23 +01:00
c1202457bf
Json -> JSON
2019-12-11 14:08:48 +01:00
a7b7bdc11e
Compress synthetic responses
2019-12-11 14:02:56 +01:00
9553d7f8c5
Copy the DO bit from questions to synthetic responses
2019-12-11 13:56:25 +01:00
1674bb1742
Force clear the AD bit unless the DO bit was also set
2019-12-11 09:41:16 +01:00
ee1c0fed93
Properly set DNS flags when creating empty responses
2019-12-11 09:00:29 +01:00
3b4d6c532d
A URL path must start with a /
2019-12-10 16:04:37 +01:00
279d5619e3
Don't block '.'
2019-12-10 00:03:41 +01:00
548a439528
Bump
2019-12-09 20:56:59 +01:00
a635e92606
Add a new plugin to block unqualified host names
2019-12-09 20:25:38 +01:00
56d02597a6
Extend the grace period and log when it's used
2019-12-09 17:08:59 +01:00
21a5765527
Rename resolveWithCache() and make the comment match what the fn does
2019-12-09 17:03:16 +01:00
2d8fd40481
Don't use named return values just for one value, especially an error
...
Be consistent with the rest of the code
2019-12-09 16:59:02 +01:00
3e32d38f29
Explicit initialization
2019-12-09 16:56:43 +01:00
49460f1d6f
pidfile.Write() can fail if no pid file was configured, it's ok
2019-12-09 13:34:14 +01:00
7991b91f21
Downgrade error level of pidfile.Write() to Critical
2019-12-09 13:08:03 +01:00
b5bb0fd504
If we can't disconnect from the Service Manager, it's no big deal
2019-12-09 13:07:47 +01:00
bfd74185f5
Don't prevent DNS queries from being answered if the partition is full
2019-12-09 12:55:26 +01:00
8efbf401c8
add error checks
2019-12-09 12:50:30 +01:00
ba8565a59e
Shorten conditions
2019-12-09 10:07:05 +01:00
96d15771e2
add multiple error checks
2019-12-09 09:56:47 +01:00
59f2df6318
Recommend more names to be forwarded
2019-12-07 17:38:07 +01:00
62f0b80c66
Add a comment regarding forwarding and ipv6 blocking
2019-12-06 19:41:33 +01:00
db33c69fe5
Log the original qName when a CNAME pointer is blocked
2019-12-05 17:50:04 +01:00
4d0c5ad569
Merge branch 'master' of github.com:jedisct1/dnscrypt-proxy
...
* 'master' of github.com:jedisct1/dnscrypt-proxy:
Travis: use Ubuntu Bionic so we don't have to compile libsodium
Downcase wiki
Handle clientsCount in the local DoH handler, too
Remove beta
Bump deps
Fix typo
Bump
whitelist
Add some extra blacklists
2019-12-05 16:49:48 +01:00
57a88eda56
Add (indirect) to the logged pattern for indirect blocks
2019-12-05 16:49:08 +01:00
3a4bc98073
Handle clientsCount in the local DoH handler, too
2019-12-03 13:04:58 +01:00
0de2246af2
Remove beta
...
Fixes #1086
2019-12-03 12:34:42 +01:00
Frank Denis
Christopher Wood
lifenjoiner
Ian Bashford
glitsj16
mibere
petercooperjr
Alison Winters
Frank Denis
hugepants
yofiji
Krish De Souza
William Elwood
Frank Denis
s-s
Kevin O'Sullivan
29f
Kiril Angov
kimw
Dragonfir3
Will Elwood
unknown
milgradesec