From a589db8d23eaeabe93afc36fbb908a8d92a4b5f0 Mon Sep 17 00:00:00 2001 From: kevin Date: Fri, 7 Apr 2023 23:27:20 +0800 Subject: [PATCH] update dnscrypt-proxy --- dnscrypt/proxy/Dockerfile | 5 +- dnscrypt/proxy/README.md | 8 + dnscrypt/proxy/data/allowed-ips.txt | 0 dnscrypt/proxy/data/allowed-names.txt | 0 dnscrypt/proxy/data/blocked-ips.txt | 0 dnscrypt/proxy/data/blocked-names.txt | 0 dnscrypt/proxy/data/cloaking-rules.txt | 0 dnscrypt/proxy/data/dnscrypt-proxy.toml | 230 +++++++++++++---------- dnscrypt/proxy/data/forwarding-rules.txt | 0 9 files changed, 140 insertions(+), 103 deletions(-) create mode 100644 dnscrypt/proxy/data/allowed-ips.txt create mode 100644 dnscrypt/proxy/data/allowed-names.txt create mode 100644 dnscrypt/proxy/data/blocked-ips.txt create mode 100644 dnscrypt/proxy/data/blocked-names.txt create mode 100644 dnscrypt/proxy/data/cloaking-rules.txt create mode 100644 dnscrypt/proxy/data/forwarding-rules.txt diff --git a/dnscrypt/proxy/Dockerfile b/dnscrypt/proxy/Dockerfile index ad95f09..6eff4c9 100644 --- a/dnscrypt/proxy/Dockerfile +++ b/dnscrypt/proxy/Dockerfile @@ -5,8 +5,9 @@ FROM alpine:3 MAINTAINER EasyPi Software Foundation -ARG DNSCRYPT_PROXY_VERSION=2.1.2 -ARG DNSCRYPT_PROXY_FILE=dnscrypt-proxy-linux_x86_64-${DNSCRYPT_PROXY_VERSION}.tar.gz +ARG DNSCRYPT_PROXY_VERSION=2.1.4 +ARG DNSCRYPT_PROXY_ARCH=x86_64 +ARG DNSCRYPT_PROXY_FILE=dnscrypt-proxy-linux_${DNSCRYPT_PROXY_ARCH}-${DNSCRYPT_PROXY_VERSION}.tar.gz ARG DNSCRYPT_PROXY_URL=https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/${DNSCRYPT_PROXY_VERSION}/${DNSCRYPT_PROXY_FILE} WORKDIR /etc/dnscrypt-proxy diff --git a/dnscrypt/proxy/README.md b/dnscrypt/proxy/README.md index c357259..1bb645b 100644 --- a/dnscrypt/proxy/README.md +++ b/dnscrypt/proxy/README.md @@ -15,4 +15,12 @@ $ docker-compose up -d $ dig @127.0.0.1 www.youtube.com ``` +## [forwarding_rules][2] + +```bash +$ wget -P data https://github.com/felixonmars/dnsmasq-china-list/raw/master/accelerated-domains.china.conf +$ cat data/accelerated-domains.china.conf | sed -e 's@^server=/\(.*\)/@\1\t@' | column -t > data/forwarding-rules.txt +``` + [1]: https://github.com/DNSCrypt/dnscrypt-proxy +[2]: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Forwarding diff --git a/dnscrypt/proxy/data/allowed-ips.txt b/dnscrypt/proxy/data/allowed-ips.txt new file mode 100644 index 0000000..e69de29 diff --git a/dnscrypt/proxy/data/allowed-names.txt b/dnscrypt/proxy/data/allowed-names.txt new file mode 100644 index 0000000..e69de29 diff --git a/dnscrypt/proxy/data/blocked-ips.txt b/dnscrypt/proxy/data/blocked-ips.txt new file mode 100644 index 0000000..e69de29 diff --git a/dnscrypt/proxy/data/blocked-names.txt b/dnscrypt/proxy/data/blocked-names.txt new file mode 100644 index 0000000..e69de29 diff --git a/dnscrypt/proxy/data/cloaking-rules.txt b/dnscrypt/proxy/data/cloaking-rules.txt new file mode 100644 index 0000000..e69de29 diff --git a/dnscrypt/proxy/data/dnscrypt-proxy.toml b/dnscrypt/proxy/data/dnscrypt-proxy.toml index 75dfd72..eb64273 100644 --- a/dnscrypt/proxy/data/dnscrypt-proxy.toml +++ b/dnscrypt/proxy/data/dnscrypt-proxy.toml @@ -29,7 +29,7 @@ ## ## Remove the leading # first to enable this; lines starting with # are ignored. -# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare'] +server_names = ['google', 'cloudflare'] ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6. @@ -97,6 +97,13 @@ disabled_server_names = [] force_tcp = false +## Enable *experimental* support for HTTP/3 (DoH3, HTTP over QUIC) +## Note that, like DNSCrypt but unlike other HTTP versions, this uses +## UDP and (usually) port 443 instead of TCP. + +http3 = false + + ## SOCKS proxy ## Uncomment the following line to route all TCP connections to a local Tor node ## Tor doesn't support UDP, so set `force_tcp` to `true` as well. @@ -118,7 +125,7 @@ force_tcp = false timeout = 5000 -## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds +## Keepalive for HTTP (HTTPS, HTTP/2, HTTP/3) queries, in seconds keepalive = 30 @@ -128,7 +135,7 @@ keepalive = 30 ## Multiple networks can be listed; they will be randomly chosen. ## These networks don't have to match your actual networks. -# edns_client_subnet = ["0.0.0.0/0", "2001:db8::/32"] +# edns_client_subnet = ['0.0.0.0/0', '2001:db8::/32'] ## Response for blocked queries. Options are `refused`, `hinfo` (default) or @@ -181,6 +188,13 @@ keepalive = 30 cert_refresh_delay = 240 +## Initially don't check DNSCrypt server certificates for expiration, and +## only start checking them after a first successful connection to a resolver. +## This can be useful on routers with no battery-backed clock. + +# cert_ignore_timestamp = false + + ## DNSCrypt: Create a new, unique key for every single DNS query ## This may improve privacy but can also have a significant impact on CPU usage ## Only enable if you don't have a lot of network load @@ -241,10 +255,20 @@ cert_refresh_delay = 240 ## not be sent there. If you're using DNSCrypt or Anonymized DNS and your ## lists are up to date, these resolvers will not even be used. -bootstrap_resolvers = ['9.9.9.9:53', '8.8.8.8:53'] +bootstrap_resolvers = ['9.9.9.11:53', '8.8.8.8:53'] -## Always use the bootstrap resolver before the system DNS settings. +## When internal DNS resolution is required, for example to retrieve +## the resolvers list: +## +## - queries will be sent to dnscrypt-proxy itself, if it is already +## running with active servers (*) +## - or else, queries will be sent to fallback servers +## - finally, if `ignore_system_dns` is `false`, queries will be sent +## to the system DNS +## +## (*) this is incompatible with systemd sockets. +## `listen_addrs` must not be empty. ignore_system_dns = true @@ -341,7 +365,7 @@ reject_ttl = 10 ## See the `example-forwarding-rules.txt` file for an example -# forwarding_rules = 'forwarding-rules.txt' +forwarding_rules = 'forwarding-rules.txt' @@ -352,14 +376,17 @@ reject_ttl = 10 ## Cloaking returns a predefined address for a specific name. ## In addition to acting as a HOSTS file, it can also return the IP address ## of a different name. It will also do CNAME flattening. +## If 'cloak_ptr' is set, then PTR (reverse lookups) are enabled +## for cloaking rules that do not contain wild cards. ## ## See the `example-cloaking-rules.txt` file for an example -# cloaking_rules = 'cloaking-rules.txt' +cloaking_rules = 'cloaking-rules.txt' ## TTL used when serving entries in cloaking-rules.txt # cloak_ttl = 600 +# cloak_ptr = false @@ -451,20 +478,20 @@ cache_neg_max_ttl = 600 [query_log] - ## Path to the query log file (absolute, or relative to the same directory as the config file) - ## Can be set to /dev/stdout in order to log to the standard output. +## Path to the query log file (absolute, or relative to the same directory as the config file) +## Can be set to /dev/stdout in order to log to the standard output. - # file = 'query.log' +# file = 'query.log' - ## Query log format (currently supported: tsv and ltsv) +## Query log format (currently supported: tsv and ltsv) - format = 'tsv' +format = 'tsv' - ## Do not log these query types, to reduce verbosity. Keep empty to log everything. +## Do not log these query types, to reduce verbosity. Keep empty to log everything. - # ignored_qtypes = ['DNSKEY', 'NS'] +# ignored_qtypes = ['DNSKEY', 'NS'] @@ -478,19 +505,19 @@ cache_neg_max_ttl = 600 [nx_log] - ## Path to the query log file (absolute, or relative to the same directory as the config file) +## Path to the query log file (absolute, or relative to the same directory as the config file) - # file = 'nx.log' +# file = 'nx.log' - ## Query log format (currently supported: tsv and ltsv) +## Query log format (currently supported: tsv and ltsv) - format = 'tsv' +format = 'tsv' ###################################################### -# Pattern-based blocking (blocklists) # +# Pattern-based blocking (blocklists) # ###################################################### ## Blocklists are made of one pattern per line. Example of valid patterns: @@ -508,19 +535,19 @@ cache_neg_max_ttl = 600 [blocked_names] - ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file) +## Path to the file of blocking rules (absolute, or relative to the same directory as the config file) - # blocked_names_file = 'blocked-names.txt' +blocked_names_file = 'blocked-names.txt' - ## Optional path to a file logging blocked queries +## Optional path to a file logging blocked queries - # log_file = 'blocked-names.log' +# log_file = 'blocked-names.log' - ## Optional log format: tsv or ltsv (default: tsv) +## Optional log format: tsv or ltsv (default: tsv) - # log_format = 'tsv' +# log_format = 'tsv' @@ -536,24 +563,24 @@ cache_neg_max_ttl = 600 [blocked_ips] - ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file) +## Path to the file of blocking rules (absolute, or relative to the same directory as the config file) - # blocked_ips_file = 'blocked-ips.txt' +blocked_ips_file = 'blocked-ips.txt' - ## Optional path to a file logging blocked queries +## Optional path to a file logging blocked queries - # log_file = 'blocked-ips.log' +# log_file = 'blocked-ips.log' - ## Optional log format: tsv or ltsv (default: tsv) +## Optional log format: tsv or ltsv (default: tsv) - # log_format = 'tsv' +# log_format = 'tsv' ###################################################### -# Pattern-based allow lists (blocklists bypass) # +# Pattern-based allow lists (blocklists bypass) # ###################################################### ## Allowlists support the same patterns as blocklists @@ -564,19 +591,19 @@ cache_neg_max_ttl = 600 [allowed_names] - ## Path to the file of allow list rules (absolute, or relative to the same directory as the config file) +## Path to the file of allow list rules (absolute, or relative to the same directory as the config file) - # allowed_names_file = 'allowed-names.txt' +allowed_names_file = 'allowed-names.txt' - ## Optional path to a file logging allowed queries +## Optional path to a file logging allowed queries - # log_file = 'allowed-names.log' +# log_file = 'allowed-names.log' - ## Optional log format: tsv or ltsv (default: tsv) +## Optional log format: tsv or ltsv (default: tsv) - # log_format = 'tsv' +# log_format = 'tsv' @@ -585,25 +612,25 @@ cache_neg_max_ttl = 600 ######################################################### ## Allowed IP lists support the same patterns as IP blocklists -## If an IP response matches an allow ip entry, the corresponding session +## If an IP response matches an allowed entry, the corresponding session ## will bypass IP filters. ## ## Time-based rules are also supported to make some websites only accessible at specific times of the day. [allowed_ips] - ## Path to the file of allowed ip rules (absolute, or relative to the same directory as the config file) +## Path to the file of allowed ip rules (absolute, or relative to the same directory as the config file) - # allowed_ips_file = 'allowed-ips.txt' +allowed_ips_file = 'allowed-ips.txt' - ## Optional path to a file logging allowed queries +## Optional path to a file logging allowed queries - # log_file = 'allowed-ips.log' +# log_file = 'allowed-ips.log' - ## Optional log format: tsv or ltsv (default: tsv) +## Optional log format: tsv or ltsv (default: tsv) - # log_format = 'tsv' +# log_format = 'tsv' @@ -624,21 +651,21 @@ cache_neg_max_ttl = 600 [schedules] - # [schedules.'time-to-sleep'] - # mon = [{after='21:00', before='7:00'}] - # tue = [{after='21:00', before='7:00'}] - # wed = [{after='21:00', before='7:00'}] - # thu = [{after='21:00', before='7:00'}] - # fri = [{after='23:00', before='7:00'}] - # sat = [{after='23:00', before='7:00'}] - # sun = [{after='21:00', before='7:00'}] + # [schedules.time-to-sleep] + # mon = [{after='21:00', before='7:00'}] + # tue = [{after='21:00', before='7:00'}] + # wed = [{after='21:00', before='7:00'}] + # thu = [{after='21:00', before='7:00'}] + # fri = [{after='23:00', before='7:00'}] + # sat = [{after='23:00', before='7:00'}] + # sun = [{after='21:00', before='7:00'}] - # [schedules.'work'] - # mon = [{after='9:00', before='18:00'}] - # tue = [{after='9:00', before='18:00'}] - # wed = [{after='9:00', before='18:00'}] - # thu = [{after='9:00', before='18:00'}] - # fri = [{after='9:00', before='17:00'}] + # [schedules.work] + # mon = [{after='9:00', before='18:00'}] + # tue = [{after='9:00', before='18:00'}] + # wed = [{after='9:00', before='18:00'}] + # thu = [{after='9:00', before='18:00'}] + # fri = [{after='9:00', before='17:00'}] @@ -666,40 +693,40 @@ cache_neg_max_ttl = 600 [sources] - ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers + ### An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers - [sources.'public-resolvers'] - urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://download.dnscrypt.net/resolvers-list/v3/public-resolvers.md'] + [sources.public-resolvers] + urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/public-resolvers.md'] cache_file = 'public-resolvers.md' minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' refresh_delay = 72 prefix = '' - ## Anonymized DNS relays + ### Anonymized DNS relays - [sources.'relays'] - urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/relays.md'] + [sources.relays] + urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md'] cache_file = 'relays.md' minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' refresh_delay = 72 prefix = '' - ## ODoH (Oblivious DoH) servers and relays + ### ODoH (Oblivious DoH) servers and relays - # [sources.'odoh-servers'] - # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-servers.md', 'https://download.dnscrypt.net/resolvers-list/v3/odoh-servers.md'] + # [sources.odoh-servers] + # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-servers.md'] # cache_file = 'odoh-servers.md' # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' # refresh_delay = 24 # prefix = '' - # [sources.'odoh-relays'] - # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/odoh-relays.md'] + # [sources.odoh-relays] + # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-relays.md'] # cache_file = 'odoh-relays.md' # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' # refresh_delay = 24 # prefix = '' - ## Quad9 + ### Quad9 # [sources.quad9-resolvers] # urls = ['https://www.quad9.net/quad9-resolvers.md'] @@ -707,13 +734,13 @@ cache_neg_max_ttl = 600 # cache_file = 'quad9-resolvers.md' # prefix = 'quad9-' - ## Another example source, with resolvers censoring some websites not appropriate for children - ## This is a subset of the `public-resolvers` list, so enabling both is useless + ### Another example source, with resolvers censoring some websites not appropriate for children + ### This is a subset of the `public-resolvers` list, so enabling both is useless. - # [sources.'parental-control'] - # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://download.dnscrypt.net/resolvers-list/v3/parental-control.md'] - # cache_file = 'parental-control.md' - # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' + # [sources.parental-control] + # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/parental-control.md'] + # cache_file = 'parental-control.md' + # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' @@ -723,16 +750,16 @@ cache_neg_max_ttl = 600 [broken_implementations] -# Cisco servers currently cannot handle queries larger than 1472 bytes, and don't -# truncate reponses larger than questions as expected by the DNSCrypt protocol. -# This prevents large responses from being received over UDP and over relays. -# -# Older versions of the `dnsdist` server software had a bug with queries larger -# than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but -# some server may still run an outdated version. -# -# The list below enables workarounds to make non-relayed usage more reliable -# until the servers are fixed. +## Cisco servers currently cannot handle queries larger than 1472 bytes, and don't +## truncate responses larger than questions as expected by the DNSCrypt protocol. +## This prevents large responses from being received over UDP and over relays. +## +## Older versions of the `dnsdist` server software had a bug with queries larger +## than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but +## some server may still run an outdated version. +## +## The list below enables workarounds to make non-relayed usage more reliable +## until the servers are fixed. fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'cleanbrowsing-adult', 'cleanbrowsing-adult-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-security', 'cleanbrowsing-security-ipv6'] @@ -742,15 +769,14 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys # Certificate-based client authentication for DoH # ################################################################# -# Use a X509 certificate to authenticate yourself when connecting to DoH servers. -# This is only useful if you are operating your own, private DoH server(s). -# 'creds' maps servers to certificates, and supports multiple entries. -# If you are not using the standard root CA, an optional "root_ca" -# property set to the path to a root CRT file can be added to a server entry. +## Use a X509 certificate to authenticate yourself when connecting to DoH servers. +## This is only useful if you are operating your own, private DoH server(s). +## 'creds' maps servers to certificates, and supports multiple entries. +## If you are not using the standard root CA, an optional "root_ca" +## property set to the path to a root CRT file can be added to a server entry. [doh_client_x509_auth] -# # creds = [ # { server_name='*', client_cert='client.crt', client_key='client.key' } # ] @@ -798,14 +824,14 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys # ] -# Skip resolvers incompatible with anonymization instead of using them directly +## Skip resolvers incompatible with anonymization instead of using them directly skip_incompatible = false -# If public server certificates for a non-conformant server cannot be -# retrieved via a relay, try getting them directly. Actual queries -# will then always go through relays. +## If public server certificates for a non-conformant server cannot be +## retrieved via a relay, try getting them directly. Actual queries +## will then always go through relays. # direct_cert_fallback = false @@ -833,13 +859,15 @@ skip_incompatible = false [dns64] -## (Option 1) Static prefix(es) as Pref64::/n CIDRs. +## Static prefix(es) as Pref64::/n CIDRs + # prefix = ['64:ff9b::/96'] -## (Option 2) DNS64-enabled resolver(s) to discover Pref64::/n CIDRs. +## DNS64-enabled resolver(s) to discover Pref64::/n CIDRs ## These resolvers are used to query for Well-Known IPv4-only Name (WKN) "ipv4only.arpa." to discover only. ## Set with your ISP's resolvers in case of custom prefixes (other than Well-Known Prefix 64:ff9b::/96). ## IMPORTANT: Default resolvers listed below support Well-Known Prefix 64:ff9b::/96 only. + # resolver = ['[2606:4700:4700::64]:53', '[2001:4860:4860::64]:53'] @@ -853,5 +881,5 @@ skip_incompatible = false [static] - # [static.'myserver'] - # stamp = 'sdns://AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg' + # [static.myserver] + # stamp = 'sdns://AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg' diff --git a/dnscrypt/proxy/data/forwarding-rules.txt b/dnscrypt/proxy/data/forwarding-rules.txt new file mode 100644 index 0000000..e69de29