yofiji
7a6f1461f8
Add option to go direct for failed certificate retrieval via relay (#1397)
* Add option to go direct for failed certificate retrieval via relay
* add direct_cert_fallback to example config file
Co-authored-by: yofiji <you@example.com>
2020-07-03 12:58:36 +02:00
Frank Denis
03746b76bf
Capitalize
2020-06-19 11:39:44 +02:00
Frank Denis
6235c11c77
When forking, relocate descriptors higher up
Channels used by the `services` module may use descriptors, so we don't
want to overwrite them.
Maybe fixes #1371
2020-06-19 00:04:54 +02:00
Frank Denis
506f727f1f
Another place worth force GC'ing
2020-06-09 09:52:59 +02:00
Frank Denis
b794d47a76
Force GC where it seems to matter most
2020-06-09 09:42:09 +02:00
s-s
f48b13f7b8
Add DNS64 support
2020-06-08 18:42:54 +02:00
Frank Denis
d59d9427b3
Don't wait for the whole server list before accepting connections
Blocking until all servers have been checked is safe, but significantly
increases startup times.
OTOH, we shouldn't accept connections unless we have at least one live
server.
So, a better approach may be to add the ability for `serversInfo.refresh()`
to write to a channel after a live server has been found, and block on
that channel in the main thread before accepting client connections.
2020-05-31 13:24:35 +02:00
Frank Denis
436bce9edf
Define functions to register socket handles, to improve clarity
2020-04-26 16:52:50 +02:00
Frank Denis
38cfa437db
Repair Local DoH; should fix CI tests
2020-04-26 16:34:26 +02:00
Frank Denis
3c510b74bb
Start listeners as goroutines
2020-04-26 14:26:40 +02:00
Frank Denis
4a50736457
Only start accepting connections after everything has been initialized
Fixes #1295
And more. The estimator, key and servers list were not initialized either.
2020-04-26 12:52:55 +02:00
Frank Denis
6f2dcb900a
Drop privileges early
Fixes #1265
2020-04-20 12:27:53 +02:00
Kiril Angov
d2602fd142
Respect proxy.mainProto in forward plugin (#1259)
* Respect proxy.mainProto in forward plugin
* Make the serverProtocol part of pluginsState instead
2020-04-05 20:49:30 +02:00
Frank Denis
f4631b9121
Remove unreachable code
Spotted by @komapa
2020-04-05 20:48:00 +02:00
Frank Denis
74095d38ed
Remove LargerResponsesDropped
dnsdist drops DNSCrypt queries shorter than 256 bytes, interpreting them
as not being encrypted instead. This is surprising when doing ad-hoc
testing, but absolutely fine, and we will never send shorter encrypted
queries under normal circumstances.
So, remove a useless knob.
2020-03-26 17:20:34 +01:00
Frank Denis
5049516f53
Add an option to ignore servers incompatible with anonymization
2020-03-26 13:41:57 +01:00
Frank Denis
7621737dde
Improve debugging
2020-03-26 13:30:39 +01:00
Frank Denis
7424f1a8b7
Try harder to work around Cisco and Quad9 bugs
2020-03-25 20:10:11 +01:00
Frank Denis
81c8d68462
Pad queries to 1472 bytes for implementations with broken padding
Quad9 doesn't return TC when responses are larger than the question;
it doesn't return anything instead :(
2020-03-25 18:06:02 +01:00
Frank Denis
dd37eaed7c
Retry over TCP on UDP timeouts
2020-03-25 17:45:59 +01:00
Frank Denis
49910d2f72
Localize some error values
2020-03-13 18:44:30 +01:00
Frank Denis
19647e03a6
Overwrite the server name only when we need to send an upstream query
2020-03-13 17:52:09 +01:00
Kevin O'Sullivan
c040b13d59
Adding the ability to do TLS client authentication for DoH (#1203)
* Adding the ability to do TLS client authentication for DoH
* whitespace nit
* Check for server specific creds before wildcard
* small comma ok idiom change
2020-03-09 22:11:53 +01:00
Frank Denis
aa0e7f42d3
Make the xTransport functions return the HTTP body directly
This simplifies things, but also makes RTT computation way more reliable
2020-02-21 22:33:34 +01:00
Frank Denis
70311614a0
Improve error message on DNSSEC failure
2020-01-31 10:58:07 +01:00
Frank Denis
f34d7b60fa
Implement serve-stale
2020-01-30 13:15:29 +01:00
Frank Denis
f22461374c
Retry UDP queries on timeout
2020-01-29 18:53:39 +01:00
Frank Denis
4d788aed85
Make UDP and TCP code similar when it comes to SOCKS proxying
Actually use the relay when both a relay and a SOCKS proxy are
configured.
Keep forcing TCP when SOCKS is enabled. I couldn't get UDP proxying
to work with Shadowsocks.
2020-01-27 16:07:08 +01:00
Frank Denis
c27d41faa0
Avoid unneeded DNS packet unpacking
2019-12-23 11:37:45 +01:00
Frank Denis
b1c08f8931
Handle Drop/Synth actions the same way in query and response plugins
2019-12-17 16:28:12 +01:00
Frank Denis
66799c4159
Add the ability to block undelegated DNS zones
Using the generic pattern matcher as a first iteration, but we can
save some memory and CPU cycles by building and using a critbit tree
directly.
2019-12-16 16:18:47 +01:00
Frank Denis
a635e92606
Add a new plugin to block unqualified host names
2019-12-09 20:25:38 +01:00
milgradesec
8efbf401c8
add error checks
2019-12-09 12:50:30 +01:00
Frank Denis
3a4bc98073
Handle clientsCount in the local DoH handler, too
2019-12-03 13:04:58 +01:00
Frank Denis
3b50caf4cd
Add a default local DoH path, print the URLs
2019-11-29 08:53:13 +01:00
Frank Denis
f18dbc71ec
Make the local DoH path configurable
2019-11-28 23:49:28 +01:00
Frank Denis
6a679cc543
Move local DoH configuration to its own section
2019-11-28 17:04:29 +01:00
Frank Denis
be996c486f
Local DoH support, continued
2019-11-28 16:46:25 +01:00
Frank Denis
1966a8604b
up
2019-11-26 01:36:35 +01:00
Frank Denis
f249813cc5
First bits towards providing access over DoH in addition to DNS
Mainly to deal with the Firefox+ESNI situation
2019-11-24 22:46:27 +01:00
Frank Denis
30b5507bf4
Make the part that creates or gets sockets more readable
2019-11-24 22:12:23 +01:00
Frank Denis
45cb7b48df
Format
2019-11-17 21:28:26 +01:00
Frank Denis
06c0fbb65b
Add NETWORK_ERROR
2019-11-17 19:48:15 +01:00
Frank Denis
ca7e5e5bcb
Rename a few things
2019-11-17 15:07:40 +01:00
Frank Denis
15b405b552
Support workarounds for ancient/broken implementations
Fixes #984
2019-11-16 18:51:16 +01:00
William Elwood
7e73a26a2f
Move most of the prefetching code into sources.go
The proxy shouldn't need to know how prefetching works, just that it needs to do it occasionally. Now the prefetching algorithm can be refactored without having to touch the proxy code.
2019-11-08 10:17:12 +01:00
William Elwood
78f2dead79
Move prefetch URLs onto Source struct
This is mostly in preparation for further refactoring, but does reduce the number of return values from `NewSource()` too.
2019-11-08 10:17:12 +01:00
Frank Denis
da3f30871f
Revert "fix: proxy: Trigger query logging plugins using defer"
This reverts commit fc9509a8c8.
2019-11-05 00:54:03 +01:00
Eric Lagergren
1c9924e055
check error that was being erroneously shadowed
2019-10-31 17:55:26 +01:00
Frank Denis
3a68f90c37
Back to 2.0.29 beta 3 (ceed905196)
2019-10-31 17:50:19 +01:00
Frank Denis
fb1fc14317
Revert "refactoring of pull 980"
This reverts commit 6fa420a8e0.
2019-10-31 17:36:59 +01:00
Vladimir Bauer
6fa420a8e0
refactoring of pull 980
follow up on https://github.com/DNSCrypt/dnscrypt-proxy/pull/980#issuecomment-548153169
2019-10-31 15:04:12 +01:00
Eric Lagergren
7f82c2504d
check error that was being erroneously shadowed
2019-10-31 09:52:05 +01:00
Vladimir Bauer
6680faf665
make sure tcp/udp Conn are closed on stop signal
2019-10-25 12:56:34 +02:00
Frank Denis
ceed905196
Add a more explicit message when a user is set on Windows
2019-10-25 12:53:59 +02:00
Frank Denis
a26b2b42f0
Rename negTTL to rejectTTL to avoid confusion with cacheNegTTL
2019-10-21 18:26:49 +02:00
Markus Linnala
bb01595320
feature: Add neg_ttl for rejected entries and cloak_ttl for cloaking-rules entries
Previously cache_min_ttl was used. But one may well set cache_min_ttl
to 0 while still wanting synthetic values to have a TTL.
Hence new config file options.
2019-10-21 18:12:49 +02:00
Frank Denis
92e632daf1
Fail on failure :)
2019-10-20 23:07:36 +02:00
Markus Linnala
1cb9a360de
fix: proxy: Add missing logging in a case where flow does not return
2019-10-20 22:27:30 +02:00
Frank Denis
74c1f4a00d
Use the relay for cert retrieval over TCP, too
But don't use a relay if a proxy has been specified already
2019-10-20 21:45:19 +02:00
Markus Linnala
fc9509a8c8
fix: proxy: Trigger query logging plugins using defer
This is more robust and uses a lot fewer lines.
2019-10-20 21:30:24 +02:00
Frank Denis
320197a00e
Accept relay names in routes, improve documentation
2019-10-20 14:19:21 +02:00
Frank Denis
fbe9f225dd
Reencrypt on TCP retries
2019-10-20 02:04:32 +02:00
Frank Denis
d6b63aaf15
Pad certificate requests and add support for proxies
2019-10-19 22:08:02 +02:00
Alison Winters
ac6fd3db39
differentiate between timeout and other error for dnscrypt servers
2019-10-19 10:36:26 +02:00
Markus Linnala
0058bc063e
feature: service_linux: Support systemd watchdog
2019-10-19 09:36:39 +02:00
Frank Denis
18ba5fe528
Add a SERVFAIL comment because miekg/dns names are a bit unusual
2019-10-18 20:51:11 +02:00
Frank Denis
bcaf0bca96
proxy.certIgnoreTimestamp should only be downgradable
2019-10-18 20:30:41 +02:00
Markus Linnala
13e9c15212
cleanup: MinDNSPacketSize is checked next
2019-10-18 20:24:11 +02:00
Markus Linnala
5bf5fe6c1d
cleanup: main: simplify proxy handling
2019-10-18 20:24:11 +02:00
Markus Linnala
cab67ba5a9
cleanup: drop registerServer proxy as not used
2019-10-18 20:24:11 +02:00
Markus Linnala
9b019574a0
cleanup: serversInfo : Simplify liveServers handling
2019-10-18 20:24:11 +02:00
Markus Linnala
80fa99877f
cleanup: proxy: use symbolic code for SERVFAIL
2019-10-18 20:24:11 +02:00
Frank Denis
322447aa91
Support multiple routes per destination
2019-10-14 12:08:47 +02:00
Frank Denis
0e8ca9009e
Implement Anonymized DNS
2019-10-14 01:45:38 +02:00
Frank Denis
d627a4bc58
Limit the number of required retries for local queries
2019-10-12 21:15:39 +02:00
Frank Denis
20f48edc25
Truncated response over UDP -> immediately retry over TCP
This reduces latency, because when the client retries, or if the
query padding was large enough, we can reply from the cache or
even immediately.
2019-10-12 20:55:59 +02:00
Frank Denis
1a06806477
Revert "Use CIRCL for X25519. That makes ephemeral key computation faster."
This reverts commit 5d130cdf0b.
Revert "Kill nacl/box"
This reverts commit dd9cf5cc9a.
2019-09-09 17:43:30 +02:00
Frank Denis
776e0d7ccc
New feature: query_meta
2019-09-07 16:19:47 +02:00
James Newell
5812cb2fe4
fold 'refused_code_in_responses' and 'respond_with_ip' options into a new option 'blocked_query_response'
2019-07-17 12:12:28 +02:00
James Newell
87bbfbfc10
add new option: 'respond_with_ip'
2019-07-17 12:12:28 +02:00
Frank Denis
5d130cdf0b
Use CIRCL for X25519. That makes ephemeral key computation faster.
2019-06-24 14:17:00 +02:00
Frank Denis
d2aa521369
Add a command-line option to print the server certificate hashes
2019-06-07 01:23:48 +02:00
Frank Denis
aca031c2ec
Don't display sorted latencies if there is only one (or none)
2019-06-03 18:51:21 +02:00
Frank Denis
30f2a4fd6b
Misc fixes
- Set LBEstimator to true by default
- Shuffle the servers list at startup
- Add the server name to the query log
2019-06-03 16:49:06 +02:00
Frank Denis
9e2a945fff
Print the sorted list of latencies
Add an option to disable the load-balancing estimator
2019-06-03 13:04:59 +02:00
Frank Denis
5b5b5ec583
Verify that ApplyQueryPlugins() doesn't blow the packet size
2019-06-03 00:47:39 +02:00
Ferdinand Holzer
af096f8488
Remove request forwarding measurement from log
2019-05-28 23:14:28 +02:00
Ferdinand Holzer
eab77ff871
Enhance logging (#834)
* Enhance query logging
Add request duration, and forward duration if applicable.
* Also measure requests forwarded based on forwarding_rules
2019-05-26 21:16:47 +02:00
Frank Denis
25ac94e7b2
Revert "Add Stretch-Hash-and-Truncate option for extreme DNS privacy"
This reverts commit 2d1dd7eaab.
2019-04-02 01:57:48 +02:00
Frank Denis
2d1dd7eaab
Add Stretch-Hash-and-Truncate option for extreme DNS privacy
This works over DNSCrypt and DoH, but requires a specifically configured
server.
Instead of sending the actual DNS queries, the SH-T system works as follows:
Step 1: the client query is evaluated through Argon2id, a military-grade,
memory-hard, CPU-hard stretching function. This makes it very expensive
for an attacker to find the original query, even using GPUs and ASICs.
For post-quantum resistance, we use it to generate a 1024-bit key.
Step 2: in case the Argon2id algorithm has a vulnerability, or, since this
is a popular function used for hashing passwords and for cryptocurrencies,
and people may have built rainbow tables already, we use a hash function over
the result of the previous function. This immediately defeats rainbow tables.
Step 3: the output of the hash function is truncated to 64-bit.
Due to a property of this operation known as collision-misresistance, and even
if the previous steps fail due to a nation-state actor, it is impossible for a
server operator to prove what exact query was originally sent by a client.
This feature is experimental.
2019-04-01 09:36:56 +02:00
Frank Denis
a726a40dc5
Add refused_code_in_responses
Fixes #737
2019-02-23 00:58:25 +01:00
Frank Denis
c043bd73dd
Ping the service manager early
Maybe fixes #548 (untested)
2018-07-19 19:03:57 +02:00
Frank Denis
9b5948d697
Do not ignore ReadPrefixed() errors
2018-07-09 15:49:36 +02:00
Frank Denis
1019428ca0
username -> user_name
in case we want to add user_group and whatnot.
Remove the command-line option as it hides the caveats documented
in the configuration file.
Remove TODO. TODO statements always remain in that state forever.
2018-07-07 17:39:33 +02:00
Frank Denis
6cb43f8e4d
Of course, dropping privileges breaks with systemd sockets
2018-07-07 15:21:21 +00:00
Frank Denis
c73e95256d
Implement an offline mode
Fixes #528
2018-07-05 18:05:24 +02:00
Frank Denis
a1c8012fc6
Error handling when TCP connections fail
2018-06-18 19:19:53 +02:00
Sebastian Schmidt
aab7e6380f
Drop privileges with exec (#467)
* Drop privileges with exec and SysProcAttr
* Fix windows build
* Fix passing logfile fd
2018-06-13 16:52:41 +02:00
Frank Denis
9135efcaec
Use net.Conn everywhere
I don't know how to use a TCPConn as a Conn.
2018-06-06 19:06:44 +02:00