Commit Graph

113 Commits

Author SHA1 Message Date
Frank Denis f18dbc71ec Make the local DoH path configurable 2019-11-28 23:49:28 +01:00
Frank Denis 6a679cc543 Move local DoH configuration to its own section 2019-11-28 17:04:29 +01:00
Frank Denis bc22f94eeb Don't listen to IPv6 in the example config file
Some hosts don't support IPv6, and the default (without anything in
the config file) is only the IPv4 address anyway.
2019-11-24 10:31:40 +01:00
Frank Denis ad40c6c54b Fall back to the system resolver if the fallback resolver doesn't work
This is useful if fallback_resolver has been set to random junk, or
to an external resolver, but port 53 is blocked.

At least, it may allow the server to start.
2019-11-17 22:00:08 +01:00
Frank Denis 6dcd872385 This is unlikely to become mandatory 2019-11-17 21:38:09 +01:00
Frank Denis faac6e2082 Set default ignore_system_dns to true 2019-11-17 20:30:04 +01:00
Frank Denis ca7e5e5bcb Rename a few things 2019-11-17 15:07:40 +01:00
Frank Denis 15b405b552 Support workarounds for ancient/broken implementations
Fixes #984
2019-11-16 18:51:16 +01:00
Will Elwood d063a7959e Avoid redirect and extra DNS lookup in example
Also makes the URL consistent with the other lists.
2019-11-10 12:48:21 +00:00
Frank Denis 9852a289f8 Increase the default cache size and minimum TTL 2019-11-03 17:31:41 +01:00
Frank Denis 2add754f23 Don't use real server names, because this is apparently confusing 2019-10-27 23:36:08 +01:00
Frank Denis a26b2b42f0 Rename negTTL to rejectTTL to avoid confusion with cacheNegTTL 2019-10-21 18:26:49 +02:00
Markus Linnala bb01595320 feature: Add neg_ttl for rejected entries and cloak_ttl for cloaking-rules entries
Previously cache_min_ttl was used. But one can certainly set
cache_min_ttl to 0 and still want to ensure synthetic values have a TTL.
Hence the new config file options.
2019-10-21 18:12:49 +02:00
Frank Denis f565d3c7f5 Documentation 2019-10-20 19:30:33 +02:00
Frank Denis 5c28950578 Bump the default timeout up
Because, yes, some networks have a lot of latency
2019-10-20 19:22:02 +02:00
Frank Denis 320197a00e Accept relay names in routes, improve documentation 2019-10-20 14:19:21 +02:00
Frank Denis be86d1df27 Fetch the list of relays 2019-10-18 15:53:56 +02:00
Frank Denis 322447aa91 Support multiple routes per destination 2019-10-14 12:08:47 +02:00
Frank Denis ad5b2dc4f9 Mention that /dev/stdout can be used to log to the standard output 2019-09-23 10:33:57 +02:00
Frank Denis ed79bd7489 Deprecate systemd sockets 2019-09-16 15:46:39 +02:00
Frank Denis 776e0d7ccc New feature: query_meta 2019-09-07 16:19:47 +02:00
Frank Denis faa931585b Use single quotation marks everywhere in the example for consistency
Fixes #904
2019-08-04 09:04:01 +02:00
James Newell d3ab899f7b blocked_query_response takes the format 'a:<IPv4>,aaaa:<IPv6>' for IP responses 2019-07-17 12:12:28 +02:00
James Newell 5812cb2fe4 fold 'refused_code_in_responses' and 'respond_with_ip' options into a new option 'blocked_query_response' 2019-07-17 12:12:28 +02:00
James Newell 87bbfbfc10 add new option: 'respond_with_ip' 2019-07-17 12:12:28 +02:00
Frank Denis df24db9b9d Remove refresh_delay from the example configuration file
It is not implemented
2019-06-13 11:14:10 +02:00
Frank Denis 8933980121 netprobe_timeout=0 doesn't make much sense 2019-06-07 01:50:03 +02:00
Frank Denis 8def2d5edc Document TLS 1.3 cipher suite IDs 2019-06-07 01:39:35 +02:00
Frank Denis 9604b8b3e5 Use an example server instead of a real one in the static section 2019-06-04 12:17:47 +02:00
Frank Denis a060407db1 Use a different address than 255.255.255.0 for netprobes
Windows doesn't seem to like this address.

Also default to the fallback resolver IP if there is one and
no netprobe_address option in the configuration file.

Fix netprobe_timeout = -1 by the way
2019-06-04 01:37:59 +02:00
Frank Denis 9e2a945fff Print the sorted list of latencies
Add an option to disable the load-balancing estimator
2019-06-03 13:04:59 +02:00
Frank Denis a417f0d282 Use 255.255.255.0 as the default netprobe address 2019-06-03 12:22:53 +02:00
Frank Denis 2e89c8da01 Rename LbStrategyFastest to LbStrategyFirst 2019-06-02 13:24:24 +02:00
Frank Denis 3f2656dbe3 Document netprobe_address 2019-05-31 23:02:45 +02:00
Frank Denis 578c090890 Send an empty packet to the probe
This seems to be required on Windows.

Also add the ability to wait for up to an hour.
2019-05-28 13:22:11 +02:00
Frank Denis 25ac94e7b2 Revert "Add Stretch-Hash-and-Truncate option for extreme DNS privacy"
This reverts commit 2d1dd7eaab.
2019-04-02 01:57:48 +02:00
Frank Denis 2d1dd7eaab Add Stretch-Hash-and-Truncate option for extreme DNS privacy
This works over DNSCrypt and DoH, but requires a specifically configured
server.

Instead of sending the actual DNS queries, the SH-T system works as follows:

Step 1: the client query is evaluated through Argon2id, a military-grade,
memory-hard, CPU-hard stretching function. This makes it very expensive
for an attacker to find the original query, even using GPUs and ASICs.
For post-quantum resistance, we use it to generate a 1024-bit key.

Step 2: in case the Argon2id algorithm has a vulnerability, or, since this
is a popular function used for hashing passwords and for cryptocurrencies,
and people may have built rainbow tables already, we use a hash function over
the result of the previous function. This immediately defeats rainbow tables.

Step 3: the output of the hash function is truncated to 64 bits.
Due to a property of this operation known as collision-misresistance, and even
if the previous steps fail due to a nation-state actor, it is impossible for a
server operator to prove what exact query was originally sent by a client.

This feature is experimental.
2019-04-01 09:36:56 +02:00
Frank Denis 5dc66adaa9 Move disabled_server_names down 2019-02-23 14:55:23 +01:00
Frank Denis c10fbb2aa7 + disabled_server_names
Fixes #735
2019-02-23 14:54:22 +01:00
Frank Denis 2aa0b7d6a7 Add `refused_code_in_responses` to the example.
Fixes #738
2019-02-23 12:34:59 +01:00
Frank Denis c52b3ef124 Bump the netprobe timeout up to 60 seconds 2018-11-22 17:24:41 +01:00
Frank Denis 2e147364e9 Add support for HTTP/HTTPS proxies
Fixes #638
2018-11-15 18:47:33 +01:00
iiic 4fe62bc7cc @typo in example-dnscrypt-proxy.toml (#628)
This can be can be useful… -> This can be useful…
2018-10-29 14:16:02 +01:00
Frank Denis dda3ca1ea3 Add dash 2018-10-10 19:38:24 +02:00
Frank Denis 4e9397d83e Revert "Remove Quad9 example until they remove prefixes"
This reverts commit 5cb7d8df35.
2018-10-10 16:32:39 +02:00
Frank Denis bfca70000e A note about pidfile 2018-10-03 18:17:39 +02:00
Frank Denis 5cb7d8df35 Remove Quad9 example until they remove prefixes 2018-10-03 16:36:23 +02:00
Frank Denis 9f1be6e079 killChild() is not needed any more; update config example by the way 2018-10-03 16:35:59 +02:00
Frank Denis 1019428ca0 username -> user_name
in case we want to add user_group and whatnot.

Remove the command-line option as it hides the caveats documented
in the configuration file.

Remove TODO. TODO statements always remain in that state forever.
2018-07-07 17:39:33 +02:00
Frank Denis 6cb43f8e4d Of course, dropping privileges breaks with systemd sockets 2018-07-07 15:21:21 +00:00