Commit Graph

1569 Commits

Author SHA1 Message Date
Frank Denis fa5c55c64a Debug log query names 2020-08-09 13:09:37 +02:00
Frank Denis dadb38c32e Lower severity 2020-08-05 15:50:48 +02:00
Frank Denis 0ac96fec30 Add some logging back to fetchDoHServerInfo() 2020-08-05 15:39:30 +02:00
Frank Denis b583fb5314 Turns out that the "test." zone is directly served by the Tencent CDN
without hitting the actual resolvers.

So, we need to use a different test zone.
2020-08-05 15:03:16 +02:00
Frank Denis f3157b0a42 Check DoH servers with a query to a random name
The issue with benchmarking DoH servers is that some responses can
be directly served by a CDN, while others require a round trip to
the origin that can be significantly more expensive.

Random padding was an attempt at mitigating this. Unfortunately,
some servers (Tencent) ignore the padding. We end up with a query
for the root zone served by the Tencent CDN very quickly, but
anything else is orders of magnitude slower.

So, measure a query within the reserved "test." zone instead.
Caching resolvers should either know that "test." is undelegated,
or have it in their negative cache already, so this is unlikely to
trigger an actual query to authoritative servers.

Take it as an opportunity to check that we don't get anything but
a NXDOMAIN response for nonexistent domains.
2020-08-05 14:54:14 +02:00
Frank Denis 60d4c98f31 Unbreak running without a captive portal configuration file 2020-08-04 00:50:59 +02:00
Frank Denis 5843e49188 Sync vendor 2020-08-03 18:23:57 +02:00
dependabot-preview[bot] 1ed325b5c5
Bump github.com/miekg/dns from 1.1.30 to 1.1.31 (#1432)
Bumps [github.com/miekg/dns](https://github.com/miekg/dns) from 1.1.30 to 1.1.31.
- [Release notes](https://github.com/miekg/dns/releases)
- [Changelog](https://github.com/miekg/dns/blob/master/Makefile.release)
- [Commits](https://github.com/miekg/dns/compare/v1.1.30...v1.1.31)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-08-03 18:23:09 +02:00
Frank Denis f7f84fd871 Add ipv4only.arpa 2020-08-03 18:20:12 +02:00
Frank Denis 4424602e39 Start experimenting with better support for captive portals
MacOS (and probably Windows and other systems) tries to fetch a URL
before marking a network interface as available.

During this time, applications cannot use the interface at all, not
even bind their address.

When DNS queries are sent to dnscrypt-proxy, this causes the system
to wait for a response that can't come from the network, since we
hit a dead lock here.

The only option is to return hard-coded responses directly until
te interface is available.

The same captive portal configuration file can also serve a different
purpose.

Once the network is available, captive portal detection may not
work as expected if the answer is cached for too long. In fact, it
probably can't work at all since routers can't hijack DNS queries.

Once thing we can do is redirect the list of names used for captive
portal detection to the fallback resolvers. This may allow detection
to work as expected while still using a secure channel for all
other queries.
2020-08-03 18:05:42 +02:00
Frank Denis 210ba8c60f coldstart experiment 2020-08-03 15:40:39 +02:00
Frank Denis 1c52451025 Minor deps update 2020-07-31 16:01:41 +02:00
Frank Denis 162b51c791 Remove confusing "Domain exists: probably not, or blocked by the proxy" 2020-07-30 19:25:17 +02:00
Alison Winters 617629c180
initialize the log file before reporting config errors (#1426)
* initialize the log file before reporting config errors

* consistently return error instead of calling dlog.Fatal when parsing config
2020-07-27 16:01:44 +02:00
Frank Denis d3ff3a6bb1 Remove facebookgo/{atomicfile,pidfile}
Fixes #1411
2020-07-10 14:37:35 +02:00
Frank Denis 1a34c8d5ff Add max-stale cache control directive to requests 2020-07-09 21:42:35 +02:00
Frank Denis 8dd4612ea7 Don't use Lumberjack for non-regular files
Fixes #1407
2020-07-08 13:48:04 +02:00
Frank Denis 04b49fd355 Rename the generate-domains-blacklists folder
This is going to break all the scripts using this in a cron job
after an update :/
2020-07-08 12:07:23 +02:00
Frank Denis 77a27a46a4 Rename the python script name in the example config 2020-07-08 12:05:42 +02:00
Ian Bashford af564522ec
Further block/allow updates (#1406)
* ConfigFile change to allowlist and blocklist

* revised names and warnings

* consistent file naming in kebab case, and generic use of blocklist and allowlist in cmoments for clarity

* update ci files

* further allow/blocklist updates

* improve language in comments

Co-authored-by: Ian Bashford <ianbashford@gmail.com>
2020-07-08 12:01:06 +02:00
Frank Denis 10710def50 Make loggers io.Writer implementations, not directly lumberjack objects 2020-07-08 11:36:58 +02:00
Frank Denis 7bec554709 Remove fritz.box after all 2020-07-08 11:03:45 +02:00
Frank Denis 45b915882a Update deps 2020-07-07 14:12:02 +02:00
dependabot-preview[bot] 29c2b76edd
Bump github.com/miekg/dns from 1.1.29 to 1.1.30 (#1403)
Bumps [github.com/miekg/dns](https://github.com/miekg/dns) from 1.1.29 to 1.1.30.
- [Release notes](https://github.com/miekg/dns/releases)
- [Changelog](https://github.com/miekg/dns/blob/master/Makefile.release)
- [Commits](https://github.com/miekg/dns/compare/v1.1.29...v1.1.30)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-07-07 13:27:53 +02:00
hugepants 038ebea0ed
Update broken_implementations with Quad9 -pri suffix (#1398) 2020-07-03 15:28:09 +02:00
hugepants 63c8f0610f
Update broken_implementations list with updated Quad9 v3 names (#1390) 2020-07-03 14:05:39 +02:00
Frank Denis 9bc5bb0e14 Clarify 2020-07-03 13:03:57 +02:00
Frank Denis 90df0292c8 Remove unneeded brackets 2020-07-03 12:59:51 +02:00
yofiji 7a6f1461f8
Add option to go direct for failed certificate retrieval via relay (#1397)
* Add option to go direct for failed certificate retrieval via relay

* add direct_cert_fallback to example config file

Co-authored-by: yofiji <you@example.com>
2020-07-03 12:58:36 +02:00
Frank Denis 5e2f1c4146 Clarify that skipAnonIncompatbibleResolvers does what it says 2020-07-02 13:45:19 +02:00
Frank Denis ece0c76172 Add fritz.box IP to the cloaking rules example
Fixes #1392
2020-07-01 09:20:44 +02:00
Krish De Souza 7b1ccd1053
Issue #1380: Reenable HTTP/2 for local DoH (#1384)
+Updated ci-test number 25 looking for invalid 404 to reflect changes here
2020-06-28 18:20:20 +02:00
Ian Bashford b089d49d25
ConfigFile change to allowlist and blocklist (#1375)
* ConfigFile change to allowlist and blocklist

* revised names and warnings

* consistent file naming in kebab case, and generic use of blocklist and allowlist in cmoments for clarity

* update ci files

Co-authored-by: Ian Bashford <ianbashford@gmail.com>
2020-06-26 23:18:30 +02:00
hugepants 19c0c3f7db
Add forward slashes to example stamp for consistency (#1388)
Seems to work with or without, but makes it consistent with the toml, the documentation and the stamp calculator.
2020-06-26 17:36:15 +02:00
Frank Denis 8935fa454a v2 -> v3 2020-06-21 22:20:34 +02:00
Frank Denis 239b00b624 Add ShiftLeft scan badge 2020-06-20 19:38:58 +02:00
Frank Denis 80942eb231 Don't forget Linux 2020-06-19 21:43:45 +02:00
Frank Denis 55ce158e37 Do we need to duplicate descriptors twice? 2020-06-19 21:42:20 +02:00
Frank Denis 539924f85f Downgrade x/text to a single version 2020-06-19 20:56:21 +02:00
Frank Denis 1124b8304e Remove dependency 2020-06-19 20:16:37 +02:00
Frank Denis 80dfffc4ee Unbreak CI 2020-06-19 20:16:21 +02:00
Frank Denis 03746b76bf Capitalize 2020-06-19 11:39:44 +02:00
IceCodeNew c8d099735b
Disable Sysctl list and AdAway, introduce GameIndustry.eu; Remove Chinese IT companies' top domain from whitelist. (#1365)
* Disable Sysctl list, Introduce GameIndustry.eu

* The host file from http://sysctl.org/cameleon/ is no longer updated, therefore it should be disabled.

* Introduce a new rule maintained by GameIndustry.eu. I only pick the rule sets that NextDNS provides to its customers of their choice, as these rule sets are generally seen as stable and reliable.
However I don't play game so much, there is no way to perform a fully test on my side. There is no FP detected during the couple of days while I using this rule set. And I've gone through the entire contents of the host file in roughly, the entries all seem reasonable to me.

* Disable rule set from AdAway by default

~~It doesn't take long for jedisct1 add baidu.com, and 163.com into whitelist after I introduced this rule into the configuration file, so I guess that the AdAway rule set must have presented a lot of false positives.~~
~~However, these Chinese IT companies are notorious for their extensive user-tracking tactics. Whitelist their top domain may not a good idea.~~
~~My suggestion is to simply disable the ruleset present FP, and let software like ABP or AdGuard do the most elaborate work. - Blocking on the DNS level has its limitations.~~
2020-06-19 00:32:01 +02:00
Prabhu Subramanian 6ee8a14deb
Add shiftleft scan (#1372)
* Create shiftleft-analysis.yml

* Remove comments

Co-authored-by: Frank Denis <124872+jedisct1@users.noreply.github.com>
2020-06-19 00:30:59 +02:00
Frank Denis 6235c11c77 When forking, relocate descriptors higher up
Channels used by the `services` module may use descriptors, so we don't
want to overwrite them.

Maybe
fixes #1371
2020-06-19 00:04:54 +02:00
Frank Denis 6dc484c177 Update deps 2020-06-18 23:19:28 +02:00
Frank Denis e1d6e27a8a Add CodeQL scan result 2020-06-15 20:25:52 +02:00
Frank Denis 5f3b568de3
Add CodeQL scan 2020-06-15 20:02:22 +02:00
Frank Denis 703059922f Easylist has false positives 2020-06-14 15:25:45 +02:00
Frank Denis 06705a6d14 Merge branch 'master' of github.com:jedisct1/dnscrypt-proxy
* 'master' of github.com:jedisct1/dnscrypt-proxy:
  Bump
2020-06-12 14:24:31 +02:00