fb1fc14317
Revert "refactoring of pull 980"
...
This reverts commit 6fa420a8e0
2019-10-31 17:36:59 +01:00
6fa420a8e0
refactoring of pull 980
...
follow up on https://github.com/DNSCrypt/dnscrypt-proxy/pull/980#issuecomment-548153169
2019-10-31 15:04:12 +01:00
7f82c2504d
check error that was being erroneously shadowed
2019-10-31 09:52:05 +01:00
6680faf665
make sure tcp/udp Conn are closed on stop signal
2019-10-25 12:56:34 +02:00
ceed905196
Add a more explicit message when a user is set on Windows
2019-10-25 12:53:59 +02:00
a26b2b42f0
Rename negTTL to rejectTTL to avoid confusion with cacheNegTTL
2019-10-21 18:26:49 +02:00
bb01595320
feature: Add neg_ttl for rejected entries and cloak_ttl for cloaking-rules
...
entries
Previously cache_min_ttl was used. But one can certainly set
cache_min_ttl to 0, but still ensure synthetic values have ttl.
Hence new config file options.
2019-10-21 18:12:49 +02:00
92e632daf1
Fail on failure :)
2019-10-20 23:07:36 +02:00
1cb9a360de
fix: proxy: Add missing logging in a case where flow does not return
2019-10-20 22:27:30 +02:00
74c1f4a00d
Use the relay for cert retrieval over TCP, tooo
...
But don't use a relay if a proxy has been specified already
2019-10-20 21:45:19 +02:00
fc9509a8c8
fix: proxy: Trigger query logging plugins using defer
...
This is more robust and uses lot less lines.
2019-10-20 21:30:24 +02:00
320197a00e
Accept relay names in routes, improve documentation
2019-10-20 14:19:21 +02:00
fbe9f225dd
Reencrypt on TCP retries
2019-10-20 02:04:32 +02:00
d6b63aaf15
Pad certificate requests and add support for proxies
2019-10-19 22:08:02 +02:00
ac6fd3db39
differentiate between timeout and other error for dnscrypt servers
2019-10-19 10:36:26 +02:00
0058bc063e
feature: service_linux: Support systemd watchdog
2019-10-19 09:36:39 +02:00
18ba5fe528
Add a SERVFAIL comment because miekg/dns names are a bit unusual
2019-10-18 20:51:11 +02:00
bcaf0bca96
proxy.certIgnoreTimestamp should only be downgradable
2019-10-18 20:30:41 +02:00
13e9c15212
cleanup: MinDNSPacketSize is checked next
2019-10-18 20:24:11 +02:00
5bf5fe6c1d
cleanup: main: simplify proxy handling
2019-10-18 20:24:11 +02:00
cab67ba5a9
cleanup: drop registerServer proxy as not used
2019-10-18 20:24:11 +02:00
9b019574a0
cleanup: serversInfo : Simplify liveServers handling
2019-10-18 20:24:11 +02:00
80fa99877f
cleanup: proxy: use symbolic code for SERVFAIL
2019-10-18 20:24:11 +02:00
322447aa91
Support multiple routes per destination
2019-10-14 12:08:47 +02:00
0e8ca9009e
Implement Anonymized DNS
2019-10-14 01:45:38 +02:00
d627a4bc58
Limit the number of required retries for local queries
2019-10-12 21:15:39 +02:00
20f48edc25
Truncated response over UDP -> immediately retry over TCP
...
This reduces latency, because when the client retries, or if the
query padding was large enough, we can reply from the cache or
even immediately.
2019-10-12 20:55:59 +02:00
1a06806477
Revert "Use CIRCL for X25519. That makes ephemeral key computation faster."
...
This reverts commit 5d130cdf0bdd9cf5cc9a
2019-09-09 17:43:30 +02:00
776e0d7ccc
New feature: query_meta
2019-09-07 16:19:47 +02:00
5812cb2fe4
fold 'refused_code_in_responses' and 'respond_with_ip' options into a new option 'blocked_query_response'
2019-07-17 12:12:28 +02:00
87bbfbfc10
add new option: 'respond_with_ip'
2019-07-17 12:12:28 +02:00
5d130cdf0b
Use CIRCL for X25519. That makes ephemeral key computation faster.
2019-06-24 14:17:00 +02:00
d2aa521369
Add a command-line option to print the server certificate hashes
2019-06-07 01:23:48 +02:00
aca031c2ec
Don't display sorted latencies if there is only one (or none)
2019-06-03 18:51:21 +02:00
30f2a4fd6b
Misc fixes
...
- Set LBEstimator to true by default
- Shuffle the servers list at startup
- Add the server name to the query log
2019-06-03 16:49:06 +02:00
9e2a945fff
Print the sorted list of latencies
...
Add an option to disable the load-balancing estimator
2019-06-03 13:04:59 +02:00
5b5b5ec583
Verify that ApplyQueryPlugins() doesn't blow the packet size
2019-06-03 00:47:39 +02:00
af096f8488
Remove request forwarding measurement from log
2019-05-28 23:14:28 +02:00
eab77ff871
Enhance logging ( #834 )
...
* Enhance query logging
Add request duration, and forward duration if applicable.
* Also measure requests forwarded based on forwarding_rules
2019-05-26 21:16:47 +02:00
25ac94e7b2
Revert "Add Stretch-Hash-and-Truncate option for extreme DNS privacy"
...
This reverts commit 2d1dd7eaab
2019-04-02 01:57:48 +02:00
2d1dd7eaab
Add Stretch-Hash-and-Truncate option for extreme DNS privacy
...
This works over DNSCrypt and DoH, but requires a specifically configured
server.
Instead of sending the actual DNS queries, the SH-T system works as follows:
Step 1: the client query is evaluated through Argon2id, a military-grade,
memory-hard, CPU-hard stretching function. This makes it very expensive
for an attacker to find the original query, even using GPUs and ASICs.
For post-quantum resistance, we use it to generate a 1024-bit key.
Step 2: in case the Argon2id algorithm has a vulnerability, or, since this
is a popular function used for hashing passwords and for cryptocurrencices,
and people may have built rainbow tables already, we use a hash function over
the result of the previous function. This immediately defeats rainbow tables.
Step 3: the output of the hash function is truncated to 64-bit.
Due to a property of this operation known as collision-misresistance, and even
if the previous steps fail due to a nation-state actor, it is impossible for a
server operator to prove what exact query was originally sent by a client.
This feature is experimental.
2019-04-01 09:36:56 +02:00
a726a40dc5
Add refused_code_in_responses
...
Fixes #737
2019-02-23 00:58:25 +01:00
c043bd73dd
Ping the service manager early
...
Maybe
fixes #548
(untested)
2018-07-19 19:03:57 +02:00
9b5948d697
Do not ignore ReadPrefixed() errors
2018-07-09 15:49:36 +02:00
1019428ca0
username -> user_name
...
in case we want to add user_group and whatnot.
Remove the command-line option as it hides the caveats documented
in the configuration file.
Remove TODO. TODO statements always remain in that state forever.
2018-07-07 17:39:33 +02:00
6cb43f8e4d
Of course, dropping privileges breaks with systemd sockets
2018-07-07 15:21:21 +00:00
c73e95256d
Implement an offline mode
...
Fixes #528
2018-07-05 18:05:24 +02:00
a1c8012fc6
Error handling when TCP connections fail
2018-06-18 19:19:53 +02:00
aab7e6380f
Drop privileges with exec ( #467 )
...
* Drop privileges with exec and SysProcAttr
* Fix windows build
* Fix passing logfile fd
2018-06-13 16:52:41 +02:00
9135efcaec
Use net.Conn everywhere
...
I don't know how to use a TCPConn as a Conn.
2018-06-06 19:06:44 +02:00
0166f21b27
Add built-in support for Tor
2018-06-06 15:54:51 +02:00
977dcad826
Improved return codes
2018-06-04 23:18:28 +02:00
3bbdf93095
Log return codes in LTSV qeruylog files
...
DNS return codes are not enough; we need to change this to something
more expressive.
In particular, we can't use them to distinguish between a server block,
a blacklist block, and a plugin block such as the IPv6 blocker.
2018-06-04 21:35:07 +02:00
b6e6a19b50
Make logging plugins independent from query/response plugins
2018-06-04 20:52:16 +02:00
255423588c
REFUSED responses are fine for filtering resolvers
2018-05-11 03:31:25 +02:00
3d67c81697
Deps update
2018-04-18 18:58:39 +02:00
f63dc17f90
stamps -> dnsstamps
2018-04-18 18:47:10 +02:00
eb5f391fa6
Split stamps into package
2018-04-18 18:36:47 +02:00
b1447160a0
Add cache_neg_min_ttl and cache_neg_max_ttl
2018-04-17 00:24:49 +02:00
64d22dfc2b
Clarify
2018-04-12 11:07:34 +02:00
ca80b69b3a
Re-implement ephemeral keys for DNSCrypt
2018-04-09 03:12:34 +02:00
65e6b8569e
Implement whitelists
...
Fixes #293
2018-04-07 23:02:40 +02:00
8217170a7b
Revert "Do not consider SERVFAIL responses as server failures"
...
This reverts commit 0e65c50989
2018-04-06 13:43:09 +02:00
0e65c50989
Do not consider SERVFAIL responses as server failures
2018-04-06 02:47:58 +02:00
e210fc537e
Ignore the Cache-Control: max-age header
...
What's in the DNS packet is a better source of truth.
There was also an inconsistency between the TTL from the
max-age header (as returned in a response that wasn't cached) and
a response from the cache (using TTLs from the DNS packet).
So, just use what's in the packet.
Reported by @vavrusam, thanks!
2018-04-01 21:41:36 +02:00
adb0c94a61
April 1st is already over in some time zones :)
...
This reverts commit dac52ab42a
2018-04-01 16:35:32 +02:00
dac52ab42a
Completely remove support for the DNSCrypt protocol
2018-04-01 04:04:12 +02:00
2eac8d52d5
Revert the cache clear
...
Implementing this is going to be more complicated
2018-03-21 10:17:13 +01:00
d2805a19e4
DoH: only use the optional IP to bootstrap resolution
...
Fixes #100
2018-03-21 09:32:35 +01:00
817f2ff560
Don't pause the cert refresh timers if the host goes to hibernation
2018-03-07 18:29:58 +01:00
b643a816cc
Add automatic log files rotation
...
Fixes #172
2018-03-02 10:34:00 +01:00
97156c3ad3
Use atomic loads for the clients counter
2018-03-02 09:41:12 +01:00
519af2e532
Revert "Allow -test 0"
...
This reverts commit 1e2c175e19982f341de82158674d17
2018-02-27 07:55:10 +01:00
2158674d17
Implement -test to check certificates expiration
2018-02-27 02:52:45 +01:00
eac8732b2b
Log servers returning SERVFAIL
2018-02-22 14:48:08 +01:00
4ec5461b2f
Mark servers as failing more aggressively
2018-02-22 14:20:59 +01:00
e1e283ac23
Better (and, for DoH, fixed) RTT estimation
2018-02-19 18:30:26 +01:00
af0833387a
Close idle connections after an error; reduce idle connections timeout
2018-02-05 19:03:04 +01:00
43f3e64bd9
DoH: fallback to GET on servers that don't support POST
2018-02-05 11:30:10 +01:00
88434fc39f
Prepare support for multiple load balancing strategies
2018-02-04 21:13:54 +01:00
6f546b4c21
Use Cache-Control
2018-02-04 13:48:51 +01:00
ed60976dd2
Infer TTL from Date: and Expire: headers
...
Unfortunately, Google DNS sets Expire: to the same value as Date:
So we may want to use Cache-Control instead.
2018-02-04 13:35:40 +01:00
458da8fa77
DoH: use 0 as a transaction ID
...
Reject short TCP queries early by the way
2018-02-04 12:57:54 +01:00
9d69811de9
Add limits to HTTP requests
2018-02-04 11:33:04 +01:00
033931a13a
Add a new powerful plugin: DNS cloaking
2018-02-04 01:43:37 +01:00
41a73ccb03
Time access restrictions [WIP]
...
Because my daughter spends way too much time on Youtube
Because people have been asking OpenDNS to implement this for the past 10 years
Because existing tools suck
Because I want something flexible, where every rule can be assigned a schedule
2018-01-31 23:08:38 +01:00
ecaf18f614
Use a fallback resolver if the local DNS configuration doesn't work
...
This should fix all chicken-and-egg issues
2018-01-30 15:47:39 +01:00
24c21d5eb2
Start moving things to a custom transport
2018-01-30 13:29:47 +01:00
b6e5f55870
Move the proxy struct to its own file
2018-01-29 23:47:04 +01:00
Frank Denis
Vladimir Bauer
Eric Lagergren
Markus Linnala
Alison Winters
James Newell
Ferdinand Holzer
Ferdinand Holzer
Sebastian Schmidt
gdm85