From e80f240fa0a8c826130aefb9c5c94a70b72205e9 Mon Sep 17 00:00:00 2001 From: T3slider Date: Fri, 21 Sep 2018 22:51:16 +0100 Subject: network/dnscrypt-proxy: Updated for version 2.0.16. Signed-off-by: David Spencer --- network/dnscrypt-proxy/README | 2 - network/dnscrypt-proxy/README.Slackware | 34 +- network/dnscrypt-proxy/dnscrypt-proxy.SlackBuild | 72 ++-- network/dnscrypt-proxy/dnscrypt-proxy.conf | 244 ----------- network/dnscrypt-proxy/dnscrypt-proxy.default | 32 +- network/dnscrypt-proxy/dnscrypt-proxy.info | 10 +- network/dnscrypt-proxy/dnscrypt-proxy.logrotate | 9 - network/dnscrypt-proxy/dnscrypt-proxy.toml | 512 +++++++++++++++++++++++ network/dnscrypt-proxy/doinst.sh | 3 +- network/dnscrypt-proxy/poly1305.patch | 20 + network/dnscrypt-proxy/rc.dnscrypt-proxy | 53 +-- network/dnscrypt-proxy/slack-desc | 2 +- 12 files changed, 629 insertions(+), 364 deletions(-) delete mode 100644 network/dnscrypt-proxy/dnscrypt-proxy.conf delete mode 100644 network/dnscrypt-proxy/dnscrypt-proxy.logrotate create mode 100644 network/dnscrypt-proxy/dnscrypt-proxy.toml create mode 100644 network/dnscrypt-proxy/poly1305.patch diff --git a/network/dnscrypt-proxy/README b/network/dnscrypt-proxy/README index 5ec190cc0e..b55a58cae9 100644 --- a/network/dnscrypt-proxy/README +++ b/network/dnscrypt-proxy/README @@ -8,5 +8,3 @@ definitely want to change this. Be sure to read README.Slackware for information on configuring/running dnscrypt-proxy as a daemon! - -Optional dependency: ldns diff --git a/network/dnscrypt-proxy/README.Slackware b/network/dnscrypt-proxy/README.Slackware index 6af60acaab..b5a6388c56 100644 --- a/network/dnscrypt-proxy/README.Slackware +++ b/network/dnscrypt-proxy/README.Slackware 
@@ -1,21 +1,22 @@ A. Setup An init script and configuration file have been provided to run dnscrypt-proxy -as a daemon. To configure dnscrypt-proxy, edit /etc/dnscrypt-proxy.conf with -the desired settings. By default dnscrypt-proxy will use a random DNS server -and will run on localhost (127.0.0.1), port 53. +as a daemon. To configure dnscrypt-proxy, edit +/etc/dnscrypt-proxy/dnscrypt-proxy.toml with the desired settings. By default +dnscrypt-proxy will use a random DNS server and will run on localhost +(127.0.0.1), port 53. -The configuration file is setup to use a dnscrypt user by default, and to -chroot into that user's home directory to maximize security. In order to use -the default configuration you should create a dnscrypt user and group with the -following commands: +The configuration file is setup to use a dnscrypt user by default. In order to +use the default configuration you should create a dnscrypt user and group with +the following commands: groupadd -g 293 dnscrypt useradd -u 293 -g 293 -c "DNSCrypt" -d /run/dnscrypt -s /bin/false dnscrypt -If you decide to use another user you should edit the CHROOTDIR option in -/etc/default/dnscrypt-proxy and the User setting in /etc/dnscrypt-proxy.conf -(there are example settings provided for the user 'nobody'). +If you decide to use another user you should edit the USER setting in +/etc/default/dnscrypt-proxy and the user_name setting in +/etc/dnscrypt-proxy/dnscrypt-proxy.toml (there are example settings provided +for the user 'nobody'). In order to send all DNS requests through dnscrypt-proxy, you will need to update /etc/resolv.conf to point to localhost. If using dhcpcd, the easiest way 
@@ -44,13 +45,14 @@ To properly stop dnscrypt-proxy on system shutdown, add the following to B. DNS Cache -dnscrypt-proxy provides limited control over how it caches DNS queries. In -order to minimize the number of external DNS lookups, you can also run a local -caching DNS server. A sample configuration for dnsmasq (included with -Slackware) is provided at /usr/doc/dnscrypt-proxy-@VERSION@/dnsmasq.conf. A -sample configuration for bind/named that also does local DNSSEC validation (if +dnscrypt-proxy provides control over how it caches DNS queries via its +configuration file. However, you can also run your own local caching DNS +server. A sample configuration for dnsmasq (included with Slackware) is +provided at /usr/doc/dnscrypt-proxy-@VERSION@/dnsmasq.conf. A sample +configuration for bind/named that also does local DNSSEC validation (if supported by the upstream DNS server) is also provided at /usr/doc/dnscrypt-proxy-@VERSION@/named.conf. Both configurations run on port 53, forwarding lookups to dnscrypt-proxy running on port 55. In order to use these configurations you will need to change the port dnscrypt-proxy runs on in -/etc/dnscrypt-proxy.conf. +/etc/dnscrypt-proxy/dnscrypt-proxy.toml. If you perform your own DNS caching, +it makes sense to disable dnscrypt-proxy's caching in its configuration file. diff --git a/network/dnscrypt-proxy/dnscrypt-proxy.SlackBuild b/network/dnscrypt-proxy/dnscrypt-proxy.SlackBuild index 0c42db33b6..696bd0950e 100644 --- a/network/dnscrypt-proxy/dnscrypt-proxy.SlackBuild +++ b/network/dnscrypt-proxy/dnscrypt-proxy.SlackBuild @@ -2,7 +2,7 @@ # Slackware build script for dnscrypt-proxy -# Copyright 2017 T3slider +# Copyright 2018 T3slider # All rights reserved. # # Redistribution and use of this script, with or without modification, is 
@@ -22,16 +22,18 @@ # OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# Thanks to Larry Hajali for work on README.Slackware, some configure options, -# the basis for the sample dnsmasq configuration, the logrotate configuration, -# and the idea for an init script. His contributions significantly improved the -# value of this script! +# Thanks to Larry Hajali for work on README.Slackware, the basis for the sample +# dnsmasq configuration, and the idea for an init script. His contributions +# significantly improved the value of this script! PRGNAM=dnscrypt-proxy -VERSION=${VERSION:-1.9.5} +VERSION=${VERSION:-2.0.16} BUILD=${BUILD:-1} TAG=${TAG:-_SBo} +DOMAIN=github.com +ORG=jedisct1 + if [ -z "$ARCH" ]; then case "$( uname -m )" in i?86) ARCH=i586 ;; @@ -46,16 +48,12 @@ PKG=$TMP/package-$PRGNAM OUTPUT=${OUTPUT:-/tmp} if [ "$ARCH" = "i586" ]; then - SLKCFLAGS="-O2 -march=i586 -mtune=i686" LIBDIRSUFFIX="" elif [ "$ARCH" = "i686" ]; then - SLKCFLAGS="-O2 -march=i686 -mtune=i686" LIBDIRSUFFIX="" elif [ "$ARCH" = "x86_64" ]; then - SLKCFLAGS="-O2 -fPIC" LIBDIRSUFFIX="64" else - SLKCFLAGS="-O2" LIBDIRSUFFIX="" fi @@ -65,8 +63,11 @@ rm -rf $PKG mkdir -p $TMP $PKG $OUTPUT cd $TMP rm -rf $PRGNAM-$VERSION -tar xvf $CWD/$PRGNAM-$VERSION.tar.bz2 -cd $PRGNAM-$VERSION +mkdir -p $PRGNAM-$VERSION/src/$DOMAIN/$ORG +cd $PRGNAM-$VERSION/src/$DOMAIN/$ORG +tar xvf $CWD/$PRGNAM-$VERSION.tar.gz +mv $PRGNAM-$VERSION $PRGNAM +cd $PRGNAM chown -R root:root . find -L . \ \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \ 
@@ -74,39 +75,30 @@ find -L . \
 \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
 -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;
 
-CFLAGS="$SLKCFLAGS" \
-CXXFLAGS="$SLKCFLAGS" \
-./configure \
- --prefix=/usr \
- --libdir=/usr/lib${LIBDIRSUFFIX} \
- --sysconfdir=/etc \
- --localstatedir=/var \
- --mandir=/usr/man \
- --docdir=/usr/doc/$PRGNAM-$VERSION \
- --enable-plugins \
- --enable-plugins-root \
- --enable-static=no \
- --disable-ltdl-install \
- --without-included-ltdl \
- --build=$ARCH-slackware-linux
-
-make
-make install-strip DESTDIR=$PKG
-
-find $PKG/usr/man -type f -exec gzip -9 {} \;
-for i in $( find $PKG/usr/man -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done
-
-mkdir -p $PKG/var/{run,log}/$PRGNAM $PKG/etc/default
-chmod 0700 $PKG/var/{run,log}/$PRGNAM
+# Error compiling with go 1.11; fixed in dnscrypt-proxy master but not in the
+# latest release
+patch -p1 < $CWD/poly1305.patch
+
+export GOPATH="$TMP/$PRGNAM-$VERSION"
+
+go install -a -x ./...
+
+mkdir -p $PKG/usr/sbin
+
+install -m 755 "$TMP/$PRGNAM-$VERSION/bin/${PRGNAM}" $PKG/usr/sbin/${PRGNAM}
+
+find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \
+ | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
+
+mkdir -p $PKG/var/log/$PRGNAM $PKG/etc/default $PKG/etc/$PRGNAM
+chmod 0700 $PKG/var/log/$PRGNAM
 sed "s/@VERSION@/$VERSION/" $CWD/$PRGNAM.default > $PKG/etc/default/$PRGNAM.new
 install -D -m 0755 $CWD/rc.$PRGNAM $PKG/etc/rc.d/rc.$PRGNAM.new
-rm -f $PKG/etc/$PRGNAM.conf
-install -D -m 0644 $CWD/$PRGNAM.conf $PKG/etc/$PRGNAM.conf.new
-install -D -m 0644 $CWD/$PRGNAM.logrotate $PKG/etc/logrotate.d/$PRGNAM.new
+install -D -m 0644 $CWD/$PRGNAM.toml $PKG/etc/$PRGNAM/$PRGNAM.toml.new
 
 mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
 cp -a \
- AUTHORS ChangeLog INSTALL NEWS README THANKS \
+ ChangeLog LICENSE README.md utils $PRGNAM/example-* \
 $PKG/usr/doc/$PRGNAM-$VERSION
 sed "s/@VERSION@/$VERSION/g" $CWD/README.Slackware > $PKG/usr/doc/$PRGNAM-$VERSION/README.Slackware
 cat $CWD/dnsmasq.conf > $PKG/usr/doc/$PRGNAM-$VERSION/dnsmasq.conf
diff --git a/network/dnscrypt-proxy/dnscrypt-proxy.conf b/network/dnscrypt-proxy/dnscrypt-proxy.conf
deleted file mode 100644
index cfd6a750d5..0000000000
--- a/network/dnscrypt-proxy/dnscrypt-proxy.conf
+++ /dev/null
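Review bot: `mkdir -p $PKG/var/log/$PRGNAM` followed by `chmod 0700 $PKG/var/log/$PRGNAM` ships a root-owned, root-only log directory, while the packaged dnscrypt-proxy.toml in this same commit sets `user_name = 'dnscrypt'` and `log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log'`. Whether the root supervisor or the unprivileged child process opens that file is not visible from here; if it is the child, logging to the default path fails on a fresh install and the reason is only discoverable at start time. Either chown the directory to the daemon account in doinst.sh (changed by this commit but not in view) or add the chown to the groupadd/useradd step documented in README.Slackware. Separately, the old `$PKG/var/{run,log}` line is gone, so the package no longer creates the directory that `PIDFILE[0]="/run/dnscrypt-proxy/dnscrypt-proxy-0.pid"` lives in; presumably rc.dnscrypt-proxy now creates it at start, which is the right place since /run is volatile, and if so a comment above the mkdir such as `# /run/dnscrypt-proxy is created at start time by rc.dnscrypt-proxy, not by the package` would record that intent.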
@@ -1,244 +0,0 @@ -###################################################### -# # -# Sample configuration file for dnscrypt-proxy # -# # -###################################################### - - -############## Resolver settings ############## - -## [CHANGE THIS] Short name of the resolver to use -## Usually the only thing you need to change in this configuration file. -## This corresponds to the first column in the dnscrypt-resolvers.csv file. -## Alternatively, "random" (without quotes) picks a random random resolver -## accessible over IPv4, that doesn't log and supports DNSSEC. - -ResolverName random - - -## Full path to the list of available DNSCrypt resolvers (dnscrypt-resolvers.csv) -## An up-to-date list is available here: -## https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-resolvers.csv -## and the dnscrypt-update-resolvers.sh script can be used in order to -## automatically download and verify updates. - -# ResolversList /usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv - - -## Manual settings, only for a custom resolver not present in the CSV file - -# ProviderName 2.dnscrypt.resolver.example -# ProviderKey E801:B84E:A606:BFB0:BAC0:CE43:445B:B15E:BA64:B02F:A3C4:AA31:AE10:636A:0790:324D -# ResolverAddress 203.0.113.1:443 - - - -############## Process options ############## - -## [NOT AVAILABLE ON WINDOWS] Run the proxy as a background process. -## Unless you are using systemd, you probably want to change this to "yes" -## after having verified that the rest of the configuration works as expected. - -Daemonize yes - - -## Write the PID number to a file - -PidFile /var/run/dnscrypt-proxy/dnscrypt-proxy-0.pid - - -## [NOT AVAILABLE ON WINDOWS] Start the process, bind the required ports, and -## run the server as a less-privileged system user. -## The value for this parameter is a user name. - -# User nobody -User dnscrypt - - - -############## Network/protocol settings ############## - -## Local address and port to listen to. 
-## A 127.0.0.x address is recommended for local use, but 0.0.0.0 or -## a specific interface address can be used on a router, or to -## configure a single machine to act as a DNS proxy for different -## devices. -## If the socket is created by systemd, the proxy cannot change the address -## using this option. You should edit systemd's dnscrypt-proxy.socket file -## instead. - -LocalAddress 127.0.0.1:53 - - -## Cache DNS responses to avoid outgoing traffic when the same queries -## are repeated multiple times in a row. - -LocalCache on - - -## Creates a new key pair for every query. -## This prevents logging servers from correlating client public keys with -## IP addresses. However, this option implies extra CPU load, and is not -## very useful with trusted/non-logging servers. - -EphemeralKeys off - - -## Maximum number of active requests waiting for a response. -## Keep it reasonable relative to the expected number of clients. - -# MaxActiveRequests 250 - - -## This is the maximum payload size allowed when using the UDP protocol. -## The default is safe, and rarely needs to be changed. - -# EDNSPayloadSize 1252 - - -## Ignore the time stamps when checking the certificates -## Do not enable this option ever, unless you know that you need it. - -# IgnoreTimestamps no - - -## Do not send queries using UDP. Only use TCP. -## Even if some resolvers mitigate this, DNS over TCP is almost always slower -## than UDP and doesn't offer additional security. -## Only enable this option if UDP doesn't work on your network. - -# TCPOnly no - - -## Forward queries for specific zones to one or more non-DNSCrypt resolvers. -## For instance, this can be used to redirect queries for local domains to -## the router, or queries for an internal domain to an internal DNS server. -## Multiple whitespace-delimited zones and IP addresses can be specified. -## Do not enable this unless you absolutely know you need it. 
-## If you see useless queries to these zones, you'd better block them with -## the BlackList feature instead of sending them in clear text to the router. -## This uses a plugin that requires dnscrypt-proxy to be compiled with -## the ldns library. - -# Forward domains:"test private localdomain lan" to:"192.168.100.254" - - -############## Logging ############## - -## Log the received DNS queries to a file, so you can watch in real-time what -## is happening on the network. -## The value for this parameter is a full path to the log file. -## The file name can be prefixed with ltsv: in order to store logs using the -## LTSV format (ex: ltsv:/tmp/dns-queries.log). - -# QueryLogFile /tmp/dns-queries.log - - -## Log file to write server errors and information to. -## If you use this tool for privacy, keeping logs of any kind is usually not -## a good idea. - -LogFile /var/log/dnscrypt-proxy/dnscrypt-proxy.log - - -## Don't log events with priority above this log level after the service has -## been started up. Default is 6. -## Valid values are between 0 (critical) to 7 (debug-level messages). - -# LogLevel 6 - - -## [NOT AVAILABLE ON WINDOWS] Send server logs to the syslog daemon -## Log entries can optionally be prefixed with a string. - -# Syslog off -# SyslogPrefix dnscrypt - - - -############## Local filtering ############## - -## If your network doesn't support IPv6, chances are that your -## applications are still constantly trying to resolve IPv6 addresses, -## causing unnecessary slowdowns. -## This causes the proxy to immediately reply to IPv6 requests, -## without having to send a useless request to upstream resolvers, and -## having to wait for a response. -## This uses a plugin that requires dnscrypt-proxy to be compiled with -## the ldns library. - -BlockIPv6 no - - -## Want to filter ads, malware, sensitive or inappropriate websites and -## domain names? This feature can block lists of IP addresses and names -## matching a list of patterns. 
The list of rules remains private, and -## the filtering process directly happens on your own network. In order -## to filter IP addresses, the list of IPs has to be put into a text -## file, with one IP address per line. Lists of domain names can also be -## blocked as well. Put the list into a text file, one domain per line. -## Domains can include wildcards (*) in order to match patterns. For -## example *sex* will match any name that contains the sex substring, and -## ads.* will match anything starting with ads. The Internet has plenty -## of free feeds of IP addresses and domain names used for malware, -## phishing and spam that you can use with this feature. -## -## This uses a plugin that requires dnscrypt-proxy to be compiled with -## the ldns library. -## -## To enable, uncomment one of the following definitions: - -## Block query names matching the rules stored in that file: -# BlackList domains:"/etc/dnscrypt-blacklist-domains.txt" - -## Block responses whose IP addresses match IPs stored in that file: -# BlackList ips:"/etc/dnscrypt-blacklist-ips.txt" - -## Block both domain names and IP addresses: -# BlackList domains:"/etc/dnscrypt-blacklist-domains.txt" ips:"/etc/dnscrypt-blacklist-ips.txt" - -## Same as the above + log the blocked queries in a file. -## The log file can be prefixed with ltsv: (ex: ltsv:/tmp/log.txt) in order to -## store logs using the LTSV format. -# BlackList domains:"/etc/dnscrypt-blacklist-domains.txt" logfile:"/var/log/dnscrypt-blocked.log" -# BlackList ips:"/etc/dnscrypt-blacklist-ips.txt" logfile:"/var/log/dnscrypt-blocked.log" -# BlackList domains:"/etc/dnscrypt-blacklist-domains.txt" ips:"/etc/dnscrypt-blacklist-ips.txt" logfile:"/var/log/dnscrypt-blocked.log" - - - -############## User identification ############## - -## Use a client public key for identification -## By default, the client uses a randomized key pair in order to make tracking -## more difficult. 
This option does the opposite and uses a static key pair, so -## that DNS providers can offer premium services to queries signed with a known -## set of public keys. A client cannot decrypt the received responses without -## also knowing the secret key. -## The value for this property is the path to a file containing the secret key, -## encoded as a hexadecimal string. The corresponding public key is computed -## automatically. - -# ClientKey /etc/dnscrypt-client-secret.key - - - -############## Monitoring ############## - -## Do not actually start the proxy, but check that a valid certificate can be -## retrieved from the server and that it will remain valid for the specified -## time period. The process exit code is 0 if a valid certificate can be used, -## 2 if no valid certificates can be used, 3 if a timeout occurred, and 4 if a -## currently valid certificate is going to expire before the given margin. -## Useful in a cron job to monitor your own dnscrypt-servers. -## The margin is specified in minutes. - -# Test 2880 - - - -############## Recursive configuration ############## - -## A configuration file can include other configuration files by inserting -## the `Include` directive anywhere (the full path required, no quotes): - -# Include /etc/dnscrypt-proxy-common.conf diff --git a/network/dnscrypt-proxy/dnscrypt-proxy.default b/network/dnscrypt-proxy/dnscrypt-proxy.default index 3979212ade..112202cc9e 100644 --- a/network/dnscrypt-proxy/dnscrypt-proxy.default +++ b/network/dnscrypt-proxy/dnscrypt-proxy.default 
@@ -3,20 +3,28 @@
 # This file contains additional configuration settings for dnscrypt-proxy
 # (primary configuration belongs in the dnscrypt-proxy configuration file).
 # This file supports configuring and running multiple instances (see the bottom
-# of this file for a sample secondary configuration).
-
-# CHROOTDIR should be the same path as the daemon user's home directory. For
-# the standard dnscrypt user this should be "/run/dnscrypt". For nobody, this
-# should be "/".
-CHROOTDIR[0]="/run/dnscrypt"
-#CHROOTDIR[0]="/"
+# of this file for a sample secondary configuration). However, note that
+# dnscrypt-proxy now automatically provides redundancy based on a pool of
+# available servers in its own configuration file. Under normal circumstances
+# you would only ever need one active configuration in this file, but support
+# for multiple independent servers has been maintained in case you have a need
+# for segregation of upstream servers.
 
 # DNSCRYPTCONFIG should be the path to the dnscrypt-proxy configuration file
-# for the given instance. Note that PidFile must be defined in the config for
-# the rc.dnscrypt start/stop script to function properly!
-DNSCRYPTCONFIG[0]="/etc/dnscrypt-proxy.conf"
+# for the given instance.
+DNSCRYPTCONFIG[0]="/etc/dnscrypt-proxy/dnscrypt-proxy.toml"
+
+# The pid file for this instance. PIDFILE must always be specified for each
+# instance!
+PIDFILE[0]="/run/dnscrypt-proxy/dnscrypt-proxy-0.pid"
+
+# The user to run the daemon. This should be the same user specified in the
+# config.
+#USER[0]="nobody"
+USER[0]="dnscrypt"
 
 # A simple example configuration for a second instance (note that this would
 # require a new dnscrypt-proxy configuration file)
-#CHROOTDIR[1]="/run/dnscrypt"
-#DNSCRYPTCONFIG[1]="/etc/dnscrypt-proxy-1.conf"
+#DNSCRYPTCONFIG[1]="/etc/dnscrypt-proxy/dnscrypt-proxy-1.toml"
+#PIDFILE[1]="/run/dnscrypt-proxy/dnscrypt-proxy-1.pid"
+#USER[1]="dnscrypt"
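Review bot: `USER[0]="dnscrypt"` duplicates the `user_name = 'dnscrypt'` setting in the shipped TOML file, and the comment above it only says the two "should" match; nothing in this file or in the config cross-checks them, so a mismatch is only noticed when the service is started. How rc.dnscrypt-proxy (rewritten by this commit, outside this view) consumes USER is not visible, but since the daemon itself drops to user_name, any ownership the rc script sets up from USER will be for a different account whenever the two diverge. I'd make the comment say that explicitly: `# The user to run the daemon. Must be the same account as user_name in the config file; the two values are not cross-checked.` The README.Slackware hunk in this commit also keeps `-d /run/dnscrypt` as the account home, which is neither the pid directory above nor used for chroot any more now that CHROOTDIR is gone, so a sentence there noting the home directory is no longer significant would avoid confusion.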
diff --git a/network/dnscrypt-proxy/dnscrypt-proxy.info b/network/dnscrypt-proxy/dnscrypt-proxy.info
index 67ec5b56e1..da40844bfa 100644
--- a/network/dnscrypt-proxy/dnscrypt-proxy.info
+++ b/network/dnscrypt-proxy/dnscrypt-proxy.info
@@ -1,10 +1,10 @@
 PRGNAM="dnscrypt-proxy"
-VERSION="1.9.5"
-HOMEPAGE="https://www.opendns.com/"
-DOWNLOAD="https://sources.lede-project.org/dnscrypt-proxy-1.9.5.tar.bz2"
-MD5SUM="0c356411ae4b1d984eacc452d033ff76"
+VERSION="2.0.16"
+HOMEPAGE="https://github.com/jedisct1/dnscrypt-proxy"
+DOWNLOAD="https://github.com/jedisct1/dnscrypt-proxy/archive/2.0.16/dnscrypt-proxy-2.0.16.tar.gz"
+MD5SUM="2155eff38ed4062aa3dcbb823c840a69"
 DOWNLOAD_x86_64=""
 MD5SUM_x86_64=""
-REQUIRES="libsodium"
+REQUIRES="google-go-lang"
 MAINTAINER="T3slider"
 EMAIL="t3slider@gmail.com"
diff --git a/network/dnscrypt-proxy/dnscrypt-proxy.logrotate b/network/dnscrypt-proxy/dnscrypt-proxy.logrotate
deleted file mode 100644
index 884ad989e1..0000000000
--- a/network/dnscrypt-proxy/dnscrypt-proxy.logrotate
+++ /dev/null
@@ -1,9 +0,0 @@
-/var/log/dnscrypt-proxy/*log {
- weekly
- rotate 7
- copytruncate
- delaycompress
- compress
- notifempty
- missingok
-}
diff --git a/network/dnscrypt-proxy/dnscrypt-proxy.toml b/network/dnscrypt-proxy/dnscrypt-proxy.toml
new file mode 100644
index 0000000000..0341cbed71
--- /dev/null
+++ b/network/dnscrypt-proxy/dnscrypt-proxy.toml
@@ -0,0 +1,512 @@ + +############################################## +# # +# dnscrypt-proxy configuration # +# # +############################################## + +## This is an example configuration file. +## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml" +## +## Online documentation is available here: https://dnscrypt.info/doc + + + +################################## +# Global settings # +################################## + +## List of servers to use +## +## Servers from the "public-resolvers" source (see down below) can +## be viewed here: https://dnscrypt.info/public-servers +## +## If this line is commented, all registered servers matching the require_* filters +## will be used. +## +## The proxy will automatically pick the fastest, working servers from the list. +## Remove the leading # first to enable this; lines starting with # are ignored. + +# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare'] + + +## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6. +## Note: When using systemd socket activation, choose an empty set (i.e. [] ). + +listen_addresses = ['127.0.0.1:53', '[::1]:53'] + + +## Maximum number of simultaneous client connections to accept + +max_clients = 250 + + +## Switch to a non-privileged system user after listening sockets have been created. +## Two processes will be running. +## The first one will keep root privileges, but is only a supervisor, that does nothing +## except create the sockets, manage the service, and restart it if it crashes. +## The second process is the service itself, and that one will always run as a different +## user. +## Note (1): this feature is currently unsupported on Windows. +## Note (2): this feature is not compatible with systemd socket activation. 
+ +# user_name = 'nobody' +user_name = 'dnscrypt' + + +## Require servers (from static + remote sources) to satisfy specific properties + +# Use servers reachable over IPv4 +ipv4_servers = true + +# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity +ipv6_servers = false + +# Use servers implementing the DNSCrypt protocol +dnscrypt_servers = true + +# Use servers implementing the DNS-over-HTTPS protocol +doh_servers = true + + +## Require servers defined by remote sources to satisfy specific properties + +# Server must support DNS security extensions (DNSSEC) +require_dnssec = false + +# Server must not log user queries (declarative) +require_nolog = true + +# Server must not enforce its own blacklist (for parental control, ads blocking...) +require_nofilter = true + + +## Always use TCP to connect to upstream servers. +## This can be can be useful if you need to route everything through Tor. +## Otherwise, leave this to `false`, as it doesn't improve security +## (dnscrypt-proxy will always encrypt everything even using UDP), and can +## only increase latency. + +force_tcp = false + + +## HTTP / SOCKS proxy +## Uncomment the following line to route all TCP connections to a local Tor node +## Tor doesn't support UDP, so set `force_tcp` to `true` as well. 
+ +# proxy = "socks5://127.0.0.1:9050" + + + +## How long a DNS query will wait for a response, in milliseconds + +timeout = 2500 + + +## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds + +keepalive = 30 + + +## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random' + +# lb_strategy = 'p2' + + +## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors) + +# log_level = 2 + + +## log file for the application + +# log_file = 'dnscrypt-proxy.log' +log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log' + + +## Use the system logger (syslog on Unix, Event Log on Windows) + +# use_syslog = true + + +## Delay, in minutes, after which certificates are reloaded + +cert_refresh_delay = 240 + + +## DNSCrypt: Create a new, unique key for every single DNS query +## This may improve privacy but can also have a significant impact on CPU usage +## Only enable if you don't have a lot of network load + +# dnscrypt_ephemeral_keys = false + + +## DoH: Disable TLS session tickets - increases privacy but also latency + +# tls_disable_session_tickets = false + + +## DoH: Use a specific cipher suite instead of the server preference +## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 +## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 +## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 +## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 +## +## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...), +## the following suite improves performance. +## This may also help on Intel CPUs running 32-bit operating systems. +## +## Keep tls_cipher_suite empty if you have issues fetching sources or +## connecting to some DoH servers. Google and Cloudflare are fine with it. + +# tls_cipher_suite = [52392, 49199] + + +## Fallback resolver +## This is a normal, non-encrypted DNS resolver, that will be only used +## for one-shot queries when retrieving the initial resolvers list, and +## only if the system DNS configuration doesn't work. 
+## No user application queries will ever be leaked through this resolver, +## and it will not be used after IP addresses of resolvers URLs have been found. +## It will never be used if lists have already been cached, and if stamps +## don't include host names without IP addresses. +## It will not be used if the configured system DNS works. +## A resolver supporting DNSSEC is recommended. This may become mandatory. +## +## People in China may need to use 114.114.114.114:53 here. +## Other popular options include 8.8.8.8 and 1.1.1.1. + +fallback_resolver = '9.9.9.9:53' + + +## Never let dnscrypt-proxy try to use the system DNS settings; +## unconditionally use the fallback resolver. + +ignore_system_dns = false + + +## Maximum time (in seconds) to wait for network connectivity before +## initializing the proxy. +## Useful if the proxy is automatically started at boot, and network +## connectivity is not guaranteed to be immediately available. +## Use 0 to disable. + +netprobe_timeout = 30 + + +## Offline mode - Do not use any remote encrypted servers. +## The proxy will remain fully functional to respond to queries that +## plugins can handle directly (forwarding, cloaking, ...) + +# offline_mode = false + + +## Automatic log files rotation + +# Maximum log files size in MB +log_files_max_size = 10 + +# How long to keep backup files, in days +log_files_max_age = 7 + +# Maximum log files backups to keep (or 0 to keep all backups) +log_files_max_backups = 1 + + + +######################### +# Filters # +######################### + +## Immediately respond to IPv6-related queries with an empty response +## This makes things faster when there is no IPv6 connectivity, but can +## also cause reliability issues with some stub resolvers. +## Do not enable if you added a validating resolver such as dnsmasq in front +## of the proxy. 
+ +block_ipv6 = false + + + +################################################################################## +# Route queries for specific domains to a dedicated set of servers # +################################################################################## + +## Example map entries (one entry per line): +## example.com 9.9.9.9 +## example.net 9.9.9.9,8.8.8.8,1.1.1.1 + +# forwarding_rules = 'forwarding-rules.txt' + + + +############################### +# Cloaking rules # +############################### + +## Cloaking returns a predefined address for a specific name. +## In addition to acting as a HOSTS file, it can also return the IP address +## of a different name. It will also do CNAME flattening. +## +## Example map entries (one entry per line) +## example.com 10.1.1.1 +## www.google.com forcesafesearch.google.com + +# cloaking_rules = 'cloaking-rules.txt' + + + +########################### +# DNS cache # +########################### + +## Enable a DNS cache to reduce latency and outgoing traffic + +cache = true + + +## Cache size + +cache_size = 512 + + +## Minimum TTL for cached entries + +cache_min_ttl = 600 + + +## Maximum TTL for cached entries + +cache_max_ttl = 86400 + + +## Minimum TTL for negatively cached entries + +cache_neg_min_ttl = 60 + + +## Maximum TTL for negatively cached entries + +cache_neg_max_ttl = 600 + + + +############################### +# Query logging # +############################### + +## Log client queries to a file + +[query_log] + + ## Path to the query log file (absolute, or relative to the same directory as the executable file) + + # file = 'query.log' + + + ## Query log format (currently supported: tsv and ltsv) + + format = 'tsv' + + + ## Do not log these query types, to reduce verbosity. Keep empty to log everything. 
+
+ # ignored_qtypes = ['DNSKEY', 'NS']
+
+
+
+############################################
+# Suspicious queries logging #
+############################################
+
+## Log queries for nonexistent zones
+## These queries can reveal the presence of malware, broken/obsolete applications,
+## and devices signaling their presence to 3rd parties.
+
+[nx_log]
+
+ ## Path to the query log file (absolute, or relative to the same directory as the executable file)
+
+ # file = 'nx.log'
+
+
+ ## Query log format (currently supported: tsv and ltsv)
+
+ format = 'tsv'
+
+
+
+######################################################
+# Pattern-based blocking (blacklists) #
+######################################################
+
+## Blacklists are made of one pattern per line. Example of valid patterns:
+##
+## example.com
+## =example.com
+## *sex*
+## ads.*
+## ads*.example.*
+## ads*.example[0-9]*.com
+##
+## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
+## A script to build blacklists from public feeds can be found in the
+## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.
+
+[blacklist]
+
+ ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
+
+ # blacklist_file = 'blacklist.txt'
+
+
+ ## Optional path to a file logging blocked queries
+
+ # log_file = 'blocked.log'
+
+
+ ## Optional log format: tsv or ltsv (default: tsv)
+
+ # log_format = 'tsv'
+
+
+
+###########################################################
+# Pattern-based IP blocking (IP blacklists) #
+###########################################################
+
+## IP blacklists are made of one pattern per line. Example of valid patterns:
+##
+## 127.*
+## fe80:abcd:*
+## 192.168.1.4
+
+[ip_blacklist]
+
+ ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
+
+ # blacklist_file = 'ip-blacklist.txt'
+
+
+ ## Optional path to a file logging blocked queries
+
+ # log_file = 'ip-blocked.log'
+
+
+ ## Optional log format: tsv or ltsv (default: tsv)
+
+ # log_format = 'tsv'
+
+
+
+######################################################
+# Pattern-based whitelisting (blacklists bypass) #
+######################################################
+
+## Whitelists support the same patterns as blacklists
+## If a name matches a whitelist entry, the corresponding session
+## will bypass names and IP filters.
+##
+## Time-based rules are also supported to make some websites only accessible at specific times of the day.
+
+[whitelist]
+
+ ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the executable file)
+
+ # whitelist_file = 'whitelist.txt'
+
+
+ ## Optional path to a file logging whitelisted queries
+
+ # log_file = 'whitelisted.log'
+
+
+ ## Optional log format: tsv or ltsv (default: tsv)
+
+ # log_format = 'tsv'
+
+
+
+##########################################
+# Time access restrictions #
+##########################################
+
+## One or more weekly schedules can be defined here.
+## Patterns in the name-based blocklist can optionally be followed with @schedule_name
+## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
+##
+## For example, the following rule in a blacklist file:
+## *.youtube.* @time-to-sleep
+## would block access to YouTube only during the days, and period of the days
+## define by the 'time-to-sleep' schedule.
+##
+## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
+## {after= '9:00', before='18:00'} matches 9:00-18:00
+
+[schedules]
+
+ # [schedules.'time-to-sleep']
+ # mon = [{after='21:00', before='7:00'}]
+ # tue = [{after='21:00', before='7:00'}]
+ # wed = [{after='21:00', before='7:00'}]
+ # thu = [{after='21:00', before='7:00'}]
+ # fri = [{after='23:00', before='7:00'}]
+ # sat = [{after='23:00', before='7:00'}]
+ # sun = [{after='21:00', before='7:00'}]
+
+ # [schedules.'work']
+ # mon = [{after='9:00', before='18:00'}]
+ # tue = [{after='9:00', before='18:00'}]
+ # wed = [{after='9:00', before='18:00'}]
+ # thu = [{after='9:00', before='18:00'}]
+ # fri = [{after='9:00', before='17:00'}]
+
+
+
+#########################
+# Servers #
+#########################
+
+## Remote lists of available servers
+## Multiple sources can be used simultaneously, but every source
+## requires a dedicated cache file.
+##
+## Refer to the documentation for URLs of public sources.
+##
+## A prefix can be prepended to server names in order to
+## avoid collisions if different sources share the same for
+## different servers. In that case, names listed in `server_names`
+## must include the prefixes.
+##
+## If the `urls` property is missing, cache files and valid signatures
+## must be already present; This doesn't prevent these cache files from
+## expiring after `refresh_delay` hours.
+ +[sources] + + ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers + + [sources.'public-resolvers'] + urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'] + cache_file = 'public-resolvers.md' + minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' + refresh_delay = 72 + prefix = '' + + ## Another example source, with resolvers censoring some websites not appropriate for children + ## This is a subset of the `public-resolvers` list, so enabling both is useless + + # [sources.'parental-control'] + # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md'] + # cache_file = 'parental-control.md' + # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' + + + +## Optional, local, static list of additional servers +## Mostly useful for testing your own servers. + +[static] + + # [static.'google'] + # stamp = 'sdns://AgUAAAAAAAAAAAAOZG5zLmdvb2dsZS5jb20NL2V4cGVyaW1lbnRhbA' diff --git a/network/dnscrypt-proxy/doinst.sh b/network/dnscrypt-proxy/doinst.sh index 0dffe8a4a8..e264e34a56 100644 --- a/network/dnscrypt-proxy/doinst.sh +++ b/network/dnscrypt-proxy/doinst.sh @@ -24,5 +24,4 @@ preserve_perms() { preserve_perms etc/rc.d/rc.dnscrypt-proxy.new config etc/default/dnscrypt-proxy.new -config etc/dnscrypt-proxy.conf.new -config etc/logrotate.d/dnscrypt-proxy.new +config etc/dnscrypt-proxy/dnscrypt-proxy.toml.new diff --git a/network/dnscrypt-proxy/poly1305.patch b/network/dnscrypt-proxy/poly1305.patch new file mode 100644 index 0000000000..f701d6ae21 --- /dev/null +++ b/network/dnscrypt-proxy/poly1305.patch 
@@ -0,0 +1,20 @@
+diff --git a/vendor/github.com/aead/poly1305/poly1305_amd64.go b/vendor/github.com/aead/poly1305/poly1305_amd64.go
+index cd1a717..41b630f 100644
+--- a/vendor/github.com/aead/poly1305/poly1305_amd64.go
++++ b/vendor/github.com/aead/poly1305/poly1305_amd64.go
+@@ -7,13 +7,11 @@
+ package poly1305
+ 
+ import (
++ "golang.org/x/sys/cpu"
+ "io"
+ )
+ 
+-var useAVX2 = supportsAVX2()
+-
+-//go:noescape
+-func supportsAVX2() bool
++var useAVX2 = cpu.X86.HasAVX2
+ 
+ //go:noescape
+ func initialize(state *[7]uint64, key *[32]byte)
diff --git a/network/dnscrypt-proxy/rc.dnscrypt-proxy b/network/dnscrypt-proxy/rc.dnscrypt-proxy
index fd747759d1..1aa68260b9 100644
--- a/network/dnscrypt-proxy/rc.dnscrypt-proxy
+++ b/network/dnscrypt-proxy/rc.dnscrypt-proxy
@@ -10,39 +10,28 @@ start_instance() { echo "No configuration for instance $1 found!" return fi - PIDFILE=$(grep -i "^[[:space:]]*PidFile[[:space:]]\+." ${DNSCRYPTCONFIG[$1]} | awk '{print $2}') - if [ -z ${PIDFILE} ]; then + if [ -z ${PIDFILE[$1]} ]; then echo "No PID configuration for instance $1 found!" return fi - if [ -r ${PIDFILE} ]; then + if [ -z ${USER[$1]} ]; then + echo "No user configuration for instance $1 found!" + return + fi + if [ -r ${PIDFILE[$1]} ]; then echo "dnscrypt-proxy (instance $1) already running!" return fi - # dnscrypt-proxy will work without this, but it drops privileges before - # seeding the PRNG. libevent tries to work around a missing /dev/urandom - # but it's safer just to make sure it is available in the chroot. - if [ -n "${CHROOTDIR[$1]}" ]; then - if [ "$(readlink -f ${CHROOTDIR[$1]})" != "/" ]; then - if [ ! -d ${CHROOTDIR[$1]} ]; then - mkdir -p ${CHROOTDIR[$1]} - chmod 755 ${CHROOTDIR[$1]} - fi - if [ ! -d ${CHROOTDIR[$1]}/dev ]; then - mkdir -p ${CHROOTDIR[$1]}/dev - chmod 755 ${CHROOTDIR[$1]}/dev - fi - if [ ! -c ${CHROOTDIR[$1]}/dev/urandom ]; then - mknod -m 666 ${CHROOTDIR[$1]}/dev/urandom c 1 9 - fi - if [ ! -c ${CHROOTDIR[$1]}/dev/random ]; then - mknod -m 666 ${CHROOTDIR[$1]}/dev/random c 1 8 - fi - fi - fi + mkdir -p $(dirname ${PIDFILE[$1]}) + # The child (unprivileged) process needs write access or the PID will not + # be written. + chmod 0700 $(dirname ${PIDFILE[$1]}) + chown ${USER[$1]} $(dirname ${PIDFILE[$1]}) - $DAEMON ${DNSCRYPTCONFIG[$1]} + # The new Go-based dnscrypt-proxy no longer has the ability to daemonize. + # In the absence of a standard Slackware daemon tool we'll use nohup. :( + nohup $DAEMON -config ${DNSCRYPTCONFIG[$1]} -pidfile ${PIDFILE[$1]} >> /dev/null 2>&1 & } stop_instance() { 
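Review bot: `chmod 0700` and `chown ${USER[$1]}` are applied to whatever directory `dirname ${PIDFILE[$1]}` resolves to, so an instance whose PID file is configured directly under a shared directory such as /run would hand that directory to the unprivileged service user and lock every other service out of it; the script should refuse to re-permission anything but a dedicated per-instance directory. The new expansions are also unquoted (`[ -z ${PIDFILE[$1]} ]`, `$(dirname ${PIDFILE[$1]})`), which breaks on paths containing whitespace and turns `[ -z ]` into a one-argument test when the value is empty. Note too that bash resolves `${USER[0]}` to the scalar `$USER` inherited from the login environment when no array element is set, so if /etc/default/dnscrypt-proxy (not in this hunk) leaves the array unset for instance 0, the "No user configuration" guard passes with the invoking user's name; an array with a distinct name (e.g. DNSCRYPTUSER) would avoid that collision. The top of start_instance is outside this hunk.
```shell
  PIDDIR=$(dirname "${PIDFILE[$1]}")
  # Only take ownership of a dedicated directory: re-permissioning a shared
  # one such as /run would hand it to the unprivileged service user.
  case "$PIDDIR" in
    /|/run|/var/run|/tmp|/var/tmp)
      echo "PIDFILE for instance $1 must be in a dedicated directory, not $PIDDIR!"
      return ;;
  esac
  mkdir -p "$PIDDIR"
  # The child (unprivileged) process needs write access or the PID will not
  # be written.
  chmod 0700 "$PIDDIR"
  chown "${USER[$1]}" "$PIDDIR"
  # … unchanged: nohup start of $DAEMON …
```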
@@ -50,17 +39,16 @@ stop_instance() {
 echo "No configuration for instance $1 found!"
 return
 fi
- PIDFILE=$(grep -i "^[[:space:]]*PidFile[[:space:]]\+." ${DNSCRYPTCONFIG[$1]} | awk '{print $2}')
- if [ -z ${PIDFILE} ]; then
+ if [ -z ${PIDFILE[$1]} ]; then
 echo "No PID configuration for instance $1 found!"
 return
 fi
- if [ ! -r ${PIDFILE} ]; then
+ if [ ! -r ${PIDFILE[$1]} ]; then
 echo "dnscrypt-proxy (instance $1) is not running!"
 return
 fi
 echo "Stopping dnscrypt-proxy (instance $1)..."
- kill $(cat ${PIDFILE})
+ kill $(cat ${PIDFILE[$1]})
 }
 
 status_instance() {
@@ -68,16 +56,15 @@ status_instance() {
 echo "No configuration for instance $1 found!"
 return
 fi
- PIDFILE=$(grep -i "^[[:space:]]*PidFile[[:space:]]\+." ${DNSCRYPTCONFIG[$1]} | awk '{print $2}')
- if [ -z ${PIDFILE} ]; then
+ if [ -z ${PIDFILE[$1]} ]; then
 echo "No PID configuration for instance $1 found!"
 return
 fi
- if [ ! -r ${PIDFILE} ]; then
+ if [ ! -r ${PIDFILE[$1]} ]; then
 echo "dnscrypt-proxy (instance $1) is not running."
 return
 fi
- PID=$(cat ${PIDFILE})
+ PID=$(cat ${PIDFILE[$1]})
 if [ -z "$PID" ]; then
 echo "PID file is empty! dnscrypt-proxy (instance $1) does not appear to be running, but there is a stale PID file."
 elif kill -0 $PID ; then
diff --git a/network/dnscrypt-proxy/slack-desc b/network/dnscrypt-proxy/slack-desc
index 182ed3682f..46cdd370c5 100644
--- a/network/dnscrypt-proxy/slack-desc
+++ b/network/dnscrypt-proxy/slack-desc
@@ -13,7 +13,7 @@ dnscrypt-proxy: your local resolver or as a DNS forwarder, encrypting and
 dnscrypt-proxy: authenticating requests using the DNSCrypt protocol and passing them
 dnscrypt-proxy: to an upstream DNSCrypt-enabled server.
 dnscrypt-proxy:
-dnscrypt-proxy: https://www.opendns.com/
+dnscrypt-proxy: https://github.com/jedisct1/dnscrypt-proxy
 dnscrypt-proxy:
 dnscrypt-proxy:
 dnscrypt-proxy:
-- 
cgit v1.2.3
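Review bot: `kill $(cat ${PIDFILE[$1]})` still runs as root on a PID file that the start path now deliberately lets the unprivileged service user write (its directory is chown'ed to that user so the child can create it), so a compromised or misbehaving daemon can place any PID there and have the init script signal an arbitrary process on stop; the `kill -0 $PID` in the status_instance hunk below trusts the same file. Before signalling, check that the file holds a single integer and that the process is owned by the configured user, and quote the expansions; `ps -o user=` may truncate long user names on some procps versions, so compare `ps -o uid=` against `id -u "${USER[$1]}"` if that matters. The body of stop_instance begins outside this hunk.
```shell
  echo "Stopping dnscrypt-proxy (instance $1)..."
  PID=$(cat "${PIDFILE[$1]}")
  # The PID file is written by the unprivileged service user, so do not
  # trust it blindly: require a plain integer that maps to a process owned
  # by that user before sending a signal as root.
  case "$PID" in
    ''|*[!0-9]*)
      echo "PID file for instance $1 is invalid; not signalling anything!"
      return ;;
  esac
  if [ "$(ps -o user= -p "$PID")" != "${USER[$1]}" ]; then
    echo "PID $PID is not owned by ${USER[$1]}; refusing to signal it!"
    return
  fi
  kill "$PID"
```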