Frank Denis
fb1fc14317
Revert "refactoring of pull 980"
This reverts commit 6fa420a8e0.
2019-10-31 17:36:59 +01:00
Vladimir Bauer
6fa420a8e0
refactoring of pull 980
follow up on https://github.com/DNSCrypt/dnscrypt-proxy/pull/980#issuecomment-548153169
2019-10-31 15:04:12 +01:00
Eric Lagergren
7f82c2504d
check error that was being erroneously shadowed
2019-10-31 09:52:05 +01:00
Vladimir Bauer
6680faf665
make sure tcp/udp Conn are closed on stop signal
2019-10-25 12:56:34 +02:00
Frank Denis
ceed905196
Add a more explicit message when a user is set on Windows
2019-10-25 12:53:59 +02:00
Frank Denis
a26b2b42f0
Rename negTTL to rejectTTL to avoid confusion with cacheNegTTL
2019-10-21 18:26:49 +02:00
Markus Linnala
bb01595320
feature: Add neg_ttl for rejected entries and cloak_ttl for cloaking-rules entries
Previously cache_min_ttl was used. But one can certainly set
cache_min_ttl to 0 while still ensuring synthetic values have a TTL.
Hence new config file options.
2019-10-21 18:12:49 +02:00
Frank Denis
92e632daf1
Fail on failure :)
2019-10-20 23:07:36 +02:00
Markus Linnala
1cb9a360de
fix: proxy: Add missing logging in a case where flow does not return
2019-10-20 22:27:30 +02:00
Frank Denis
74c1f4a00d
Use the relay for cert retrieval over TCP, too
But don't use a relay if a proxy has been specified already
2019-10-20 21:45:19 +02:00
Markus Linnala
fc9509a8c8
fix: proxy: Trigger query logging plugins using defer
This is more robust and uses a lot fewer lines.
2019-10-20 21:30:24 +02:00
Frank Denis
320197a00e
Accept relay names in routes, improve documentation
2019-10-20 14:19:21 +02:00
Frank Denis
fbe9f225dd
Reencrypt on TCP retries
2019-10-20 02:04:32 +02:00
Frank Denis
d6b63aaf15
Pad certificate requests and add support for proxies
2019-10-19 22:08:02 +02:00
Alison Winters
ac6fd3db39
differentiate between timeout and other error for dnscrypt servers
2019-10-19 10:36:26 +02:00
Markus Linnala
0058bc063e
feature: service_linux: Support systemd watchdog
2019-10-19 09:36:39 +02:00
Frank Denis
18ba5fe528
Add a SERVFAIL comment because miekg/dns names are a bit unusual
2019-10-18 20:51:11 +02:00
Frank Denis
bcaf0bca96
proxy.certIgnoreTimestamp should only be downgradable
2019-10-18 20:30:41 +02:00
Markus Linnala
13e9c15212
cleanup: MinDNSPacketSize is checked next
2019-10-18 20:24:11 +02:00
Markus Linnala
5bf5fe6c1d
cleanup: main: simplify proxy handling
2019-10-18 20:24:11 +02:00
Markus Linnala
cab67ba5a9
cleanup: drop registerServer proxy as not used
2019-10-18 20:24:11 +02:00
Markus Linnala
9b019574a0
cleanup: serversInfo : Simplify liveServers handling
2019-10-18 20:24:11 +02:00
Markus Linnala
80fa99877f
cleanup: proxy: use symbolic code for SERVFAIL
2019-10-18 20:24:11 +02:00
Frank Denis
322447aa91
Support multiple routes per destination
2019-10-14 12:08:47 +02:00
Frank Denis
0e8ca9009e
Implement Anonymized DNS
2019-10-14 01:45:38 +02:00
Frank Denis
d627a4bc58
Limit the number of required retries for local queries
2019-10-12 21:15:39 +02:00
Frank Denis
20f48edc25
Truncated response over UDP -> immediately retry over TCP
This reduces latency, because when the client retries, or if the
query padding was large enough, we can reply from the cache or
even immediately.
2019-10-12 20:55:59 +02:00
Frank Denis
1a06806477
Revert "Use CIRCL for X25519. That makes ephemeral key computation faster."
This reverts commit 5d130cdf0b.
Revert "Kill nacl/box"
This reverts commit dd9cf5cc9a.
2019-09-09 17:43:30 +02:00
Frank Denis
776e0d7ccc
New feature: query_meta
2019-09-07 16:19:47 +02:00
James Newell
5812cb2fe4
fold 'refused_code_in_responses' and 'respond_with_ip' options into a new option 'blocked_query_response'
2019-07-17 12:12:28 +02:00
James Newell
87bbfbfc10
add new option: 'respond_with_ip'
2019-07-17 12:12:28 +02:00
Frank Denis
5d130cdf0b
Use CIRCL for X25519. That makes ephemeral key computation faster.
2019-06-24 14:17:00 +02:00
Frank Denis
d2aa521369
Add a command-line option to print the server certificate hashes
2019-06-07 01:23:48 +02:00
Frank Denis
aca031c2ec
Don't display sorted latencies if there is only one (or none)
2019-06-03 18:51:21 +02:00
Frank Denis
30f2a4fd6b
Misc fixes
- Set LBEstimator to true by default
- Shuffle the servers list at startup
- Add the server name to the query log
2019-06-03 16:49:06 +02:00
Frank Denis
9e2a945fff
Print the sorted list of latencies
Add an option to disable the load-balancing estimator
2019-06-03 13:04:59 +02:00
Frank Denis
5b5b5ec583
Verify that ApplyQueryPlugins() doesn't blow the packet size
2019-06-03 00:47:39 +02:00
Ferdinand Holzer
af096f8488
Remove request forwarding measurement from log
2019-05-28 23:14:28 +02:00
Ferdinand Holzer
eab77ff871
Enhance logging (#834)
* Enhance query logging
Add request duration, and forward duration if applicable.
* Also measure requests forwarded based on forwarding_rules
2019-05-26 21:16:47 +02:00
Frank Denis
25ac94e7b2
Revert "Add Stretch-Hash-and-Truncate option for extreme DNS privacy"
This reverts commit 2d1dd7eaab.
2019-04-02 01:57:48 +02:00
Frank Denis
2d1dd7eaab
Add Stretch-Hash-and-Truncate option for extreme DNS privacy
This works over DNSCrypt and DoH, but requires a specifically configured
server.
Instead of sending the actual DNS queries, the SH-T system works as follows:
Step 1: the client query is evaluated through Argon2id, a military-grade,
memory-hard, CPU-hard stretching function. This makes it very expensive
for an attacker to find the original query, even using GPUs and ASICs.
For post-quantum resistance, we use it to generate a 1024-bit key.
Step 2: in case the Argon2id algorithm has a vulnerability, or, since this
is a popular function used for hashing passwords and for cryptocurrencies,
and people may have built rainbow tables already, we use a hash function over
the result of the previous function. This immediately defeats rainbow tables.
Step 3: the output of the hash function is truncated to 64-bit.
Due to a property of this operation known as collision-misresistance, and even
if the previous steps fail due to a nation-state actor, it is impossible for a
server operator to prove what exact query was originally sent by a client.
This feature is experimental.
2019-04-01 09:36:56 +02:00
Frank Denis
a726a40dc5
Add refused_code_in_responses
Fixes #737
2019-02-23 00:58:25 +01:00
Frank Denis
c043bd73dd
Ping the service manager early
Maybe fixes #548 (untested)
2018-07-19 19:03:57 +02:00
Frank Denis
9b5948d697
Do not ignore ReadPrefixed() errors
2018-07-09 15:49:36 +02:00
Frank Denis
1019428ca0
username -> user_name
in case we want to add user_group and whatnot.
Remove the command-line option as it hides the caveats documented
in the configuration file.
Remove TODO. TODO statements always remain in that state forever.
2018-07-07 17:39:33 +02:00
Frank Denis
6cb43f8e4d
Of course, dropping privileges breaks with systemd sockets
2018-07-07 15:21:21 +00:00
Frank Denis
c73e95256d
Implement an offline mode
Fixes #528
2018-07-05 18:05:24 +02:00
Frank Denis
a1c8012fc6
Error handling when TCP connections fail
2018-06-18 19:19:53 +02:00
Sebastian Schmidt
aab7e6380f
Drop privileges with exec (#467)
* Drop privileges with exec and SysProcAttr
* Fix windows build
* Fix passing logfile fd
2018-06-13 16:52:41 +02:00
Frank Denis
9135efcaec
Use net.Conn everywhere
I don't know how to use a TCPConn as a Conn.
2018-06-06 19:06:44 +02:00
Frank Denis
0166f21b27
Add built-in support for Tor
2018-06-06 15:54:51 +02:00
Frank Denis
977dcad826
Improved return codes
2018-06-04 23:18:28 +02:00
Frank Denis
3bbdf93095
Log return codes in LTSV querylog files
DNS return codes are not enough; we need to change this to something
more expressive.
In particular, we can't use them to distinguish between a server block,
a blacklist block, and a plugin block such as the IPv6 blocker.
2018-06-04 21:35:07 +02:00
Frank Denis
b6e6a19b50
Make logging plugins independent from query/response plugins
2018-06-04 20:52:16 +02:00
Frank Denis
255423588c
REFUSED responses are fine for filtering resolvers
2018-05-11 03:31:25 +02:00
Frank Denis
3d67c81697
Deps update
2018-04-18 18:58:39 +02:00
Frank Denis
f63dc17f90
stamps -> dnsstamps
2018-04-18 18:47:10 +02:00
gdm85
eb5f391fa6
Split stamps into package
2018-04-18 18:36:47 +02:00
Frank Denis
b1447160a0
Add cache_neg_min_ttl and cache_neg_max_ttl
2018-04-17 00:24:49 +02:00
Frank Denis
64d22dfc2b
Clarify
2018-04-12 11:07:34 +02:00
Frank Denis
ca80b69b3a
Re-implement ephemeral keys for DNSCrypt
2018-04-09 03:12:34 +02:00
Frank Denis
65e6b8569e
Implement whitelists
Fixes #293
2018-04-07 23:02:40 +02:00
Frank Denis
8217170a7b
Revert "Do not consider SERVFAIL responses as server failures"
This reverts commit 0e65c50989.
2018-04-06 13:43:09 +02:00
Frank Denis
0e65c50989
Do not consider SERVFAIL responses as server failures
2018-04-06 02:47:58 +02:00
Frank Denis
e210fc537e
Ignore the Cache-Control: max-age header
What's in the DNS packet is a better source of truth.
There was also an inconsistency between the TTL from the
max-age header (as returned in a response that wasn't cached) and
a response from the cache (using TTLs from the DNS packet).
So, just use what's in the packet.
Reported by @vavrusam, thanks!
2018-04-01 21:41:36 +02:00
Frank Denis
adb0c94a61
April 1st is already over in some time zones :)
This reverts commit dac52ab42a.
2018-04-01 16:35:32 +02:00
Frank Denis
dac52ab42a
Completely remove support for the DNSCrypt protocol
2018-04-01 04:04:12 +02:00
Frank Denis
2eac8d52d5
Revert the cache clear
Implementing this is going to be more complicated
2018-03-21 10:17:13 +01:00
Frank Denis
d2805a19e4
DoH: only use the optional IP to bootstrap resolution
Fixes #100
2018-03-21 09:32:35 +01:00
Frank Denis
817f2ff560
Don't pause the cert refresh timers if the host goes to hibernation
2018-03-07 18:29:58 +01:00
Frank Denis
b643a816cc
Add automatic log files rotation
Fixes #172
2018-03-02 10:34:00 +01:00
Frank Denis
97156c3ad3
Use atomic loads for the clients counter
2018-03-02 09:41:12 +01:00
Frank Denis
519af2e532
Revert "Allow -test 0"
This reverts commit 1e2c175e19.
Revert "Don't bind any sockets when using -test"
This reverts commit 982f341de8.
Revert "Implement -test to check certificates expiration"
This reverts commit 2158674d17.
2018-02-27 07:55:10 +01:00
Frank Denis
2158674d17
Implement -test to check certificates expiration
2018-02-27 02:52:45 +01:00
Frank Denis
eac8732b2b
Log servers returning SERVFAIL
2018-02-22 14:48:08 +01:00
Frank Denis
4ec5461b2f
Mark servers as failing more aggressively
2018-02-22 14:20:59 +01:00
Frank Denis
e1e283ac23
Better (and, for DoH, fixed) RTT estimation
2018-02-19 18:30:26 +01:00
Frank Denis
af0833387a
Close idle connections after an error; reduce idle connections timeout
2018-02-05 19:03:04 +01:00
Frank Denis
43f3e64bd9
DoH: fallback to GET on servers that don't support POST
2018-02-05 11:30:10 +01:00
Frank Denis
88434fc39f
Prepare support for multiple load balancing strategies
2018-02-04 21:13:54 +01:00
Frank Denis
6f546b4c21
Use Cache-Control
2018-02-04 13:48:51 +01:00
Frank Denis
ed60976dd2
Infer TTL from Date: and Expire: headers
Unfortunately, Google DNS sets Expire: to the same value as Date:
So we may want to use Cache-Control instead.
2018-02-04 13:35:40 +01:00
Frank Denis
458da8fa77
DoH: use 0 as a transaction ID
Reject short TCP queries early by the way
2018-02-04 12:57:54 +01:00
Frank Denis
9d69811de9
Add limits to HTTP requests
2018-02-04 11:33:04 +01:00
Frank Denis
033931a13a
Add a new powerful plugin: DNS cloaking
2018-02-04 01:43:37 +01:00
Frank Denis
41a73ccb03
Time access restrictions [WIP]
Because my daughter spends way too much time on Youtube
Because people have been asking OpenDNS to implement this for the past 10 years
Because existing tools suck
Because I want something flexible, where every rule can be assigned a schedule
2018-01-31 23:08:38 +01:00
Frank Denis
ecaf18f614
Use a fallback resolver if the local DNS configuration doesn't work
This should fix all chicken-and-egg issues
2018-01-30 15:47:39 +01:00
Frank Denis
24c21d5eb2
Start moving things to a custom transport
2018-01-30 13:29:47 +01:00
Frank Denis
b6e5f55870
Move the proxy struct to its own file
2018-01-29 23:47:04 +01:00