Frank Denis
f18dbc71ec
Make the local DoH path configurable
2019-11-28 23:49:28 +01:00
Frank Denis
6a679cc543
Move local DoH configuration to its own section
2019-11-28 17:04:29 +01:00
Frank Denis
bc22f94eeb
Don't listen to IPv6 in the example config file
Some hosts don't support IPv6, and the default (without anything in
the config file) is only the IPv4 address anyway.
2019-11-24 10:31:40 +01:00
Frank Denis
ad40c6c54b
Fall back to the system resolver if the fallback resolver doesn't work
This is useful if fallback_resolver has been set to random junk, or
to an external resolver, but port 53 is blocked.
At least, it may allow the server to start.
2019-11-17 22:00:08 +01:00
Frank Denis
6dcd872385
This is unlikely to become mandatory
2019-11-17 21:38:09 +01:00
Frank Denis
faac6e2082
Set default ignore_system_dns to true
2019-11-17 20:30:04 +01:00
Frank Denis
ca7e5e5bcb
Rename a few things
2019-11-17 15:07:40 +01:00
Frank Denis
15b405b552
Support workarounds for ancient/broken implementations
Fixes #984
2019-11-16 18:51:16 +01:00
Will Elwood
d063a7959e
Avoid redirect and extra DNS lookup in example
Also makes the URL consistent with the other lists.
2019-11-10 12:48:21 +00:00
Frank Denis
9852a289f8
Increase the default cache size and minimum TTL
2019-11-03 17:31:41 +01:00
Frank Denis
2add754f23
Don't use real server names, because this is apparently confusing
2019-10-27 23:36:08 +01:00
Frank Denis
a26b2b42f0
Rename negTTL to rejectTTL to avoid confusion with cacheNegTTL
2019-10-21 18:26:49 +02:00
Markus Linnala
bb01595320
feature: Add neg_ttl for rejected entries and cloak_ttl for cloaking-rules entries
Previously cache_min_ttl was used. But one can certainly set
cache_min_ttl to 0, but still ensure synthetic values have ttl.
Hence new config file options.
2019-10-21 18:12:49 +02:00
Frank Denis
f565d3c7f5
Documentation
2019-10-20 19:30:33 +02:00
Frank Denis
5c28950578
Bump the default timeout up
Because, yes, some networks have a lot of latency
2019-10-20 19:22:02 +02:00
Frank Denis
320197a00e
Accept relay names in routes, improve documentation
2019-10-20 14:19:21 +02:00
Frank Denis
be86d1df27
Fetch the list of relays
2019-10-18 15:53:56 +02:00
Frank Denis
322447aa91
Support multiple routes per destination
2019-10-14 12:08:47 +02:00
Frank Denis
ad5b2dc4f9
Mention that /dev/stdout can be used to log to the standard output
2019-09-23 10:33:57 +02:00
Frank Denis
ed79bd7489
Deprecate systemd sockets
2019-09-16 15:46:39 +02:00
Frank Denis
776e0d7ccc
New feature: query_meta
2019-09-07 16:19:47 +02:00
Frank Denis
faa931585b
Use single quotation marks everywhere in the example for consistency
Fixes #904
2019-08-04 09:04:01 +02:00
James Newell
d3ab899f7b
blocked_query_response takes the format 'a:<IPv4>,aaaa:<IPv6>' for IP responses
2019-07-17 12:12:28 +02:00
James Newell
5812cb2fe4
fold 'refused_code_in_responses' and 'respond_with_ip' options into a new option 'blocked_query_response'
2019-07-17 12:12:28 +02:00
James Newell
87bbfbfc10
add new option: 'respond_with_ip'
2019-07-17 12:12:28 +02:00
Frank Denis
df24db9b9d
Remove refresh_delay from the example configuration file
It is not implemented
2019-06-13 11:14:10 +02:00
Frank Denis
8933980121
netprobe_timeout=0 doesn't make much sense
2019-06-07 01:50:03 +02:00
Frank Denis
8def2d5edc
Document TLS 1.3 cipher suite IDs
2019-06-07 01:39:35 +02:00
Frank Denis
9604b8b3e5
Use an example server instead of a real one in the static section
2019-06-04 12:17:47 +02:00
Frank Denis
a060407db1
Use a different address than 255.255.255.0 for netprobes
Windows doesn't seem to like this address.
Also default to the fallback resolver IP if there is one and
no netprobe_address option in the configuration file.
Fix netprobe_timeout = -1 by the way
2019-06-04 01:37:59 +02:00
Frank Denis
9e2a945fff
Print the sorted list of latencies
Add an option to disable the load-balancing estimator
2019-06-03 13:04:59 +02:00
Frank Denis
a417f0d282
Use 255.255.255.0 as the default netprobe address
2019-06-03 12:22:53 +02:00
Frank Denis
2e89c8da01
Rename LbStrategyFastest to LbStrategyFirst
2019-06-02 13:24:24 +02:00
Frank Denis
3f2656dbe3
Document netprobe_address
2019-05-31 23:02:45 +02:00
Frank Denis
578c090890
Send an empty packet to the probe
This seems to be required on Windows.
Also add the ability to wait for up to an hour.
2019-05-28 13:22:11 +02:00
Frank Denis
25ac94e7b2
Revert "Add Stretch-Hash-and-Truncate option for extreme DNS privacy"
This reverts commit 2d1dd7eaab.
2019-04-02 01:57:48 +02:00
Frank Denis
2d1dd7eaab
Add Stretch-Hash-and-Truncate option for extreme DNS privacy
This works over DNSCrypt and DoH, but requires a specifically configured
server.
Instead of sending the actual DNS queries, the SH-T system works as follows:
Step 1: the client query is evaluated through Argon2id, a military-grade,
memory-hard, CPU-hard stretching function. This makes it very expensive
for an attacker to find the original query, even using GPUs and ASICs.
For post-quantum resistance, we use it to generate a 1024-bit key.
Step 2: in case the Argon2id algorithm has a vulnerability, or, since this
is a popular function used for hashing passwords and for cryptocurrencies,
and people may have built rainbow tables already, we use a hash function over
the result of the previous function. This immediately defeats rainbow tables.
Step 3: the output of the hash function is truncated to 64-bit.
Due to a property of this operation known as collision-misresistance, and even
if the previous steps fail due to a nation-state actor, it is impossible for a
server operator to prove what exact query was originally sent by a client.
This feature is experimental.
2019-04-01 09:36:56 +02:00
Frank Denis
5dc66adaa9
Move disabled_server_names down
2019-02-23 14:55:23 +01:00
Frank Denis
c10fbb2aa7
+ disabled_server_names
Fixes #735
2019-02-23 14:54:22 +01:00
Frank Denis
2aa0b7d6a7
Add `refused_code_in_responses` to the example.
Fixes #738
2019-02-23 12:34:59 +01:00
Frank Denis
c52b3ef124
Bump the netprobe timeout up to 60 seconds
2018-11-22 17:24:41 +01:00
Frank Denis
2e147364e9
Add support for HTTP/HTTPS proxies
Fixes #638
2018-11-15 18:47:33 +01:00
iiic
4fe62bc7cc
@typo in example-dnscrypt-proxy.toml (#628)
This can be can be useful… -> This can be useful…
2018-10-29 14:16:02 +01:00
Frank Denis
dda3ca1ea3
Add dash
2018-10-10 19:38:24 +02:00
Frank Denis
4e9397d83e
Revert "Remove Quad9 example until they remove prefixes"
This reverts commit 5cb7d8df35.
2018-10-10 16:32:39 +02:00
Frank Denis
bfca70000e
A note about pidfile
2018-10-03 18:17:39 +02:00
Frank Denis
5cb7d8df35
Remove Quad9 example until they remove prefixes
2018-10-03 16:36:23 +02:00
Frank Denis
9f1be6e079
killChild() is not needed any more; update config example by the way
2018-10-03 16:35:59 +02:00
Frank Denis
1019428ca0
username -> user_name
in case we want to add user_group and whatnot.
Remove the command-line option as it hides the caveats documented
in the configuration file.
Remove TODO. TODO statements always remain in that state forever.
2018-07-07 17:39:33 +02:00
Frank Denis
6cb43f8e4d
Of course, dropping privileges breaks with systemd sockets
2018-07-07 15:21:21 +00:00