7a6f1461f8
Add option to go direct for failed certificate retrieval via relay ( #1397 )
...
* Add option to go direct for failed certificate retrieval via relay
* add direct_cert_fallback to example config file
Co-authored-by: yofiji <you@example.com>
2020-07-03 12:58:36 +02:00
03746b76bf
Capitalize
2020-06-19 11:39:44 +02:00
6235c11c77
When forking, relocate descriptors higher up
...
Channels used by the `services` module may use descriptors, so we don't
want to overwrite them.
Maybe
fixes #1371
2020-06-19 00:04:54 +02:00
506f727f1f
Another place worth force GC'ing
2020-06-09 09:52:59 +02:00
b794d47a76
Force GC where it seems to matter most
2020-06-09 09:42:09 +02:00
f48b13f7b8
Add DNS64 support
2020-06-08 18:42:54 +02:00
d59d9427b3
Don't wait for the whole server list before accepting connections
...
Blocking until all servers have been checked is safe, but significantly
increases startup times.
OTOH, we shouldn't accept connections unless we have at least one live
server.
So, a better approach may be to add the ability for `serversInfo.refresh()`
to write to a channel after a live server has been found, and block on
that channel in the main thread before accepting client connections.
2020-05-31 13:24:35 +02:00
436bce9edf
Define functions to register socket handles, to improve clarity
2020-04-26 16:52:50 +02:00
38cfa437db
Repair Local DoH; should fix CI tests
2020-04-26 16:34:26 +02:00
3c510b74bb
Start listeners as goroutines
2020-04-26 14:26:40 +02:00
4a50736457
Only start accepting connections after everyting has been initialized
...
Fixes #1295
And more. The estimator, key and servers list were not initialized either.
2020-04-26 12:52:55 +02:00
6f2dcb900a
Drop privileges early
...
Fixes #1265
2020-04-20 12:27:53 +02:00
d2602fd142
Respect proxy.mainProto in forward plugin ( #1259 )
...
* Respect proxy.mainProto in forward plugin
* Make the serverProtocol part of pluginsState instead
2020-04-05 20:49:30 +02:00
f4631b9121
Remove unreachable code
...
Spotted by @komapa
2020-04-05 20:48:00 +02:00
74095d38ed
Remove LargerResponsesDropped
...
dnsdist drops DNSCrypt queries shorter than 256 bytes, interpreting them
as not being encrypted instead. This is surprising when doing ad-hoc
testing, but absolutely fine, and we will never send shorter encrypted
queries on normal circumstances.
So, remove a useless knob.
2020-03-26 17:20:34 +01:00
5049516f53
Add an option to ignore servers incompatible with anonymization
2020-03-26 13:41:57 +01:00
7621737dde
Improve debugging
2020-03-26 13:30:39 +01:00
7424f1a8b7
Try harder to work around Cisco and Quad9 bugs
2020-03-25 20:10:11 +01:00
81c8d68462
Pad queries to 1472 bytes for implementations with broken padding
...
Quad9 doesn't return TC when responses are larger than the question;
it doesn't return anything instead :(
2020-03-25 18:06:02 +01:00
dd37eaed7c
Retry over TCP on UDP timeouts
2020-03-25 17:45:59 +01:00
49910d2f72
Localize some error values
2020-03-13 18:44:30 +01:00
19647e03a6
Overwrite the server name only when we need to send an upstream query
2020-03-13 17:52:09 +01:00
c040b13d59
Adding the ability to do TLS client authentication for DoH ( #1203 )
...
* Adding the ability to do TLS client authentication for DoH
* whitespace nit
* Check for server specific creds before wildcard
* small comma ok idiom change
2020-03-09 22:11:53 +01:00
aa0e7f42d3
Make the xTransport functions return the HTTP body directly
...
This simplifies things, but also make RTT computation way more reliable
2020-02-21 22:33:34 +01:00
70311614a0
Improve error message on DNSSEC failure
2020-01-31 10:58:07 +01:00
f34d7b60fa
Implement serve-stale
2020-01-30 13:15:29 +01:00
f22461374c
Retry UDP queries on timeout
2020-01-29 18:53:39 +01:00
4d788aed85
Make UDP and TCP code similar when it comes to SOCKS proxying
...
Actually use the relay when both a relay and a SOCKS proxy are
configured.
Keep forcing TCP when SOCKS is enabled. I couldn't get UDP proxying
to work with Shadowsocks.
2020-01-27 16:07:08 +01:00
c27d41faa0
Avoid unneeded DNS packet unpacking
2019-12-23 11:37:45 +01:00
b1c08f8931
Handle Drop/Synth actions the same way in query and response plugins
2019-12-17 16:28:12 +01:00
66799c4159
Add the ability to block undelegated DNS zones
...
Using the generic pattern matcher as a first iteration, but we can
save some memory and CPU cycles by building and using a critbit tree
directly.
2019-12-16 16:18:47 +01:00
a635e92606
Add a new plugin to block unqualified host names
2019-12-09 20:25:38 +01:00
8efbf401c8
add error checks
2019-12-09 12:50:30 +01:00
3a4bc98073
Handle clientsCount in the local DoH handler, too
2019-12-03 13:04:58 +01:00
3b50caf4cd
Add a default local DoH path, print the URLs
2019-11-29 08:53:13 +01:00
f18dbc71ec
Make the local DoH path configurable
2019-11-28 23:49:28 +01:00
6a679cc543
Move local DoH configuration to its own section
2019-11-28 17:04:29 +01:00
be996c486f
Local DoH support, continued
2019-11-28 16:46:25 +01:00
1966a8604b
up
2019-11-26 01:36:35 +01:00
f249813cc5
First bits towards providing access over DoH in addition to DNS
...
Mainly to deal with the Firefox+ESNI situation
2019-11-24 22:46:27 +01:00
30b5507bf4
Make the part that creates or gets sockets more readable
2019-11-24 22:12:23 +01:00
45cb7b48df
Format
2019-11-17 21:28:26 +01:00
06c0fbb65b
Add NETWORK_ERROR
2019-11-17 19:48:15 +01:00
ca7e5e5bcb
Rename a few things
2019-11-17 15:07:40 +01:00
15b405b552
Support workarounds for ancient/broken implementations
...
Fixes #984
2019-11-16 18:51:16 +01:00
7e73a26a2f
Move most of the prefetching code into sources.go
...
The proxy shouldn't need to know how prefetching works, just that it needs to do it occasionally. Now the prefetching algorithm can be refactored without having to touch the proxy code.
2019-11-08 10:17:12 +01:00
78f2dead79
Move prefetch URLs onto Source struct
...
This is mostly in preparation for further refactoring, but does reduce the number of return values from `NewSource()` too.
2019-11-08 10:17:12 +01:00
da3f30871f
Revert "fix: proxy: Trigger query logging plugins using defer"
...
This reverts commit fc9509a8c8
2019-11-05 00:54:03 +01:00
1c9924e055
check error that was being erroneously shadowed
2019-10-31 17:55:26 +01:00
3a68f90c37
Back to 2.0.29 beta 3 ( ceed905196)
2019-10-31 17:50:19 +01:00
fb1fc14317
Revert "refactoring of pull 980"
...
This reverts commit 6fa420a8e0
2019-10-31 17:36:59 +01:00
6fa420a8e0
refactoring of pull 980
...
follow up on https://github.com/DNSCrypt/dnscrypt-proxy/pull/980#issuecomment-548153169
2019-10-31 15:04:12 +01:00
7f82c2504d
check error that was being erroneously shadowed
2019-10-31 09:52:05 +01:00
6680faf665
make sure tcp/udp Conn are closed on stop signal
2019-10-25 12:56:34 +02:00
ceed905196
Add a more explicit message when a user is set on Windows
2019-10-25 12:53:59 +02:00
a26b2b42f0
Rename negTTL to rejectTTL to avoid confusion with cacheNegTTL
2019-10-21 18:26:49 +02:00
bb01595320
feature: Add neg_ttl for rejected entries and cloak_ttl for cloaking-rules
...
entries
Previously cache_min_ttl was used. But one can certainly set
cache_min_ttl to 0, but still ensure synthetic values have ttl.
Hence new config file options.
2019-10-21 18:12:49 +02:00
92e632daf1
Fail on failure :)
2019-10-20 23:07:36 +02:00
1cb9a360de
fix: proxy: Add missing logging in a case where flow does not return
2019-10-20 22:27:30 +02:00
74c1f4a00d
Use the relay for cert retrieval over TCP, tooo
...
But don't use a relay if a proxy has been specified already
2019-10-20 21:45:19 +02:00
fc9509a8c8
fix: proxy: Trigger query logging plugins using defer
...
This is more robust and uses lot less lines.
2019-10-20 21:30:24 +02:00
320197a00e
Accept relay names in routes, improve documentation
2019-10-20 14:19:21 +02:00
fbe9f225dd
Reencrypt on TCP retries
2019-10-20 02:04:32 +02:00
d6b63aaf15
Pad certificate requests and add support for proxies
2019-10-19 22:08:02 +02:00
ac6fd3db39
differentiate between timeout and other error for dnscrypt servers
2019-10-19 10:36:26 +02:00
0058bc063e
feature: service_linux: Support systemd watchdog
2019-10-19 09:36:39 +02:00
18ba5fe528
Add a SERVFAIL comment because miekg/dns names are a bit unusual
2019-10-18 20:51:11 +02:00
bcaf0bca96
proxy.certIgnoreTimestamp should only be downgradable
2019-10-18 20:30:41 +02:00
13e9c15212
cleanup: MinDNSPacketSize is checked next
2019-10-18 20:24:11 +02:00
5bf5fe6c1d
cleanup: main: simplify proxy handling
2019-10-18 20:24:11 +02:00
cab67ba5a9
cleanup: drop registerServer proxy as not used
2019-10-18 20:24:11 +02:00
9b019574a0
cleanup: serversInfo : Simplify liveServers handling
2019-10-18 20:24:11 +02:00
80fa99877f
cleanup: proxy: use symbolic code for SERVFAIL
2019-10-18 20:24:11 +02:00
322447aa91
Support multiple routes per destination
2019-10-14 12:08:47 +02:00
0e8ca9009e
Implement Anonymized DNS
2019-10-14 01:45:38 +02:00
d627a4bc58
Limit the number of required retries for local queries
2019-10-12 21:15:39 +02:00
20f48edc25
Truncated response over UDP -> immediately retry over TCP
...
This reduces latency, because when the client retries, or if the
query padding was large enough, we can reply from the cache or
even immediately.
2019-10-12 20:55:59 +02:00
1a06806477
Revert "Use CIRCL for X25519. That makes ephemeral key computation faster."
...
This reverts commit 5d130cdf0bdd9cf5cc9a
2019-09-09 17:43:30 +02:00
776e0d7ccc
New feature: query_meta
2019-09-07 16:19:47 +02:00
5812cb2fe4
fold 'refused_code_in_responses' and 'respond_with_ip' options into a new option 'blocked_query_response'
2019-07-17 12:12:28 +02:00
87bbfbfc10
add new option: 'respond_with_ip'
2019-07-17 12:12:28 +02:00
5d130cdf0b
Use CIRCL for X25519. That makes ephemeral key computation faster.
2019-06-24 14:17:00 +02:00
d2aa521369
Add a command-line option to print the server certificate hashes
2019-06-07 01:23:48 +02:00
aca031c2ec
Don't display sorted latencies if there is only one (or none)
2019-06-03 18:51:21 +02:00
30f2a4fd6b
Misc fixes
...
- Set LBEstimator to true by default
- Shuffle the servers list at startup
- Add the server name to the query log
2019-06-03 16:49:06 +02:00
9e2a945fff
Print the sorted list of latencies
...
Add an option to disable the load-balancing estimator
2019-06-03 13:04:59 +02:00
5b5b5ec583
Verify that ApplyQueryPlugins() doesn't blow the packet size
2019-06-03 00:47:39 +02:00
af096f8488
Remove request forwarding measurement from log
2019-05-28 23:14:28 +02:00
eab77ff871
Enhance logging ( #834 )
...
* Enhance query logging
Add request duration, and forward duration if applicable.
* Also measure requests forwarded based on forwarding_rules
2019-05-26 21:16:47 +02:00
25ac94e7b2
Revert "Add Stretch-Hash-and-Truncate option for extreme DNS privacy"
...
This reverts commit 2d1dd7eaab
2019-04-02 01:57:48 +02:00
2d1dd7eaab
Add Stretch-Hash-and-Truncate option for extreme DNS privacy
...
This works over DNSCrypt and DoH, but requires a specifically configured
server.
Instead of sending the actual DNS queries, the SH-T system works as follows:
Step 1: the client query is evaluated through Argon2id, a military-grade,
memory-hard, CPU-hard stretching function. This makes it very expensive
for an attacker to find the original query, even using GPUs and ASICs.
For post-quantum resistance, we use it to generate a 1024-bit key.
Step 2: in case the Argon2id algorithm has a vulnerability, or, since this
is a popular function used for hashing passwords and for cryptocurrencices,
and people may have built rainbow tables already, we use a hash function over
the result of the previous function. This immediately defeats rainbow tables.
Step 3: the output of the hash function is truncated to 64-bit.
Due to a property of this operation known as collision-misresistance, and even
if the previous steps fail due to a nation-state actor, it is impossible for a
server operator to prove what exact query was originally sent by a client.
This feature is experimental.
2019-04-01 09:36:56 +02:00
a726a40dc5
Add refused_code_in_responses
...
Fixes #737
2019-02-23 00:58:25 +01:00
c043bd73dd
Ping the service manager early
...
Maybe
fixes #548
(untested)
2018-07-19 19:03:57 +02:00
9b5948d697
Do not ignore ReadPrefixed() errors
2018-07-09 15:49:36 +02:00
1019428ca0
username -> user_name
...
in case we want to add user_group and whatnot.
Remove the command-line option as it hides the caveats documented
in the configuration file.
Remove TODO. TODO statements always remain in that state forever.
2018-07-07 17:39:33 +02:00
6cb43f8e4d
Of course, dropping privileges breaks with systemd sockets
2018-07-07 15:21:21 +00:00
c73e95256d
Implement an offline mode
...
Fixes #528
2018-07-05 18:05:24 +02:00
a1c8012fc6
Error handling when TCP connections fail
2018-06-18 19:19:53 +02:00
aab7e6380f
Drop privileges with exec ( #467 )
...
* Drop privileges with exec and SysProcAttr
* Fix windows build
* Fix passing logfile fd
2018-06-13 16:52:41 +02:00
9135efcaec
Use net.Conn everywhere
...
I don't know how to use a TCPConn as a Conn.
2018-06-06 19:06:44 +02:00
yofiji
Frank Denis
s-s
Kiril Angov
Kevin O'Sullivan
milgradesec
William Elwood
Eric Lagergren
Vladimir Bauer
Markus Linnala
Alison Winters
James Newell
Ferdinand Holzer
Ferdinand Holzer
Sebastian Schmidt