Changeset 32055


Timestamp: May 14, 2017, 7:23:38 PM
Author: brainslayer
Message: update dnscrypt
Location: src/router/dnscrypt
Files: 59 edited

  • src/router/dnscrypt/ChangeLog

    r31742 r32055  
     1* Sat May 6 19:38:35 2017 +0200
     2
     3    Cache plugin: fix the way items are moved from recent to frequent lists
     4   
     5    In addition to making the cache work as expected, this prevents
     6    `CacheEntry` items from becoming orphans.
     7
     8* Fri May 5 09:59:10 2017 +0200
     9
     10    Sign
     11
     12* Fri May 5 09:54:22 2017 +0200
     13
     14    Adding Babylon Network resolvers (#647)
     15
     16* Sat Apr 29 20:13:13 2017 +0200
     17
     18    Add support for adding the vendor name to the version string
     19
     20* Thu Apr 27 11:36:40 2017 +0200
     21
     22    Remove dead resolvers, sign
     23
     24* Thu Apr 27 11:36:32 2017 +0200
     25
     26    Reduce the margin even more in resolvers-check
     27
     28* Thu Apr 27 11:12:40 2017 +0200
     29
     30    Revert "Hopefully temporary: adguard-dns-ns2, d0wn-random-ns1 down"
     31   
     32
     33* Thu Apr 27 11:12:15 2017 +0200
     34
     35    sign
     36
     37* Thu Apr 27 11:11:08 2017 +0200
     38
     39    Replacing port 443 with 5353 due to incompatibility with HTTPS services (#639)
     40
     41* Wed Apr 19 10:03:03 2017 +0200
     42
     43    Revert "Temporarily remove dnscrypt.org-fr"
     44   
     45
     46* Tue Apr 18 23:32:11 2017 +0200
     47
     48    Temporarily remove dnscrypt.org-fr
     49
     50* Tue Apr 18 22:43:19 2017 +0200
     51
     52    Hopefully temporary: adguard-dns-ns2, d0wn-random-ns1 down
     53
     54* Sun Apr 9 21:43:20 2017 +0200
     55
     56    sign
     57
     58* Mon Apr 10 02:40:04 2017 +0700
     59
     60    d0wn servers update (#625)
     61   
     62    Update some d0wn servers.
     63   
     64    Up : ns1.au , ns1.hk
     65    IPv4 only (IPv6 unreachable), no port 443 : ns1.fr
     66    No port 443 : ns2.nl
     67    Add IPv6, IPv4 already listed : ns1.ro
     68    Add all the rest with no special treatment : ns1.cr, ns1.dk, ns3.hk, ns2.is, ns1.mx, ns4.nl, ns2.se, ns2.sg, ns4.us, ns1.za
     69   
     70    All added servers tested via IPv4. For IPv6, only tested for open port via online web check.
     71
     72* Sun Apr 9 21:20:15 2017 +0200
     73
     74    Add a couple domains to the whitelist
     75
     76* Wed Apr 5 21:44:59 2017 -0700
     77
     78    Remove down d0wn servers
     79
     80* Thu Apr 6 14:39:50 2017 +1000
     81
     82    Add second d0wn AU server (#622)
     83
     84* Thu Mar 30 14:42:53 2017 +0200
     85
     86    Revert "Add the DNS Spy public resolver (#619)"
     87   
     88
     89* Thu Mar 30 14:40:29 2017 +0200
     90
     91    Add the DNS Spy public resolver (#619)
     92
     93* Tue Mar 28 10:53:28 2017 +0200
     94
     95    Doc: mention that timestamps are encoded in big-endian
     96
     97* Mon Mar 27 22:01:32 2017 +0200
     98
     99    Invert
     100
     101* Mon Mar 27 22:00:55 2017 +0200
     102
     103    Try the flat style
     104
     105* Mon Mar 27 21:58:17 2017 +0200
     106
     107    + donate button
     108
     109* Sat Mar 25 12:46:53 2017 +0100
     110
     111    Sign
     112
     113* Sat Mar 25 04:46:03 2017 -0700
     114
     115    adding nxd.ist resolver (#618)
     116   
     117    * adding nxd.ist
     118   
     119    * changing description of nxd.ist
     120
     121* Mon Mar 20 22:28:37 2017 +0100
     122
     123    cs-ch2 is unresponsive
     124
     125* Mon Mar 20 22:27:49 2017 +0100
     126
     127    contrib/resolvers-check.sh: allow a lower margin for the certificate
     128
     129* Mon Mar 6 22:53:44 2017 +0100
     130
     131    Sign
     132
     133* Mon Mar 6 22:52:43 2017 +0100
     134
     135    Update dnscrypt-resolvers.csv (#612)
     136   
     137    Previously mistakenly added the wrong IPv6 address. Added the correct one for dnscrypt.nl-ns0-ipv6
     138
     139* Mon Mar 6 20:04:58 2017 +0100
     140
     141    Sign
     142
     143* Mon Mar 6 20:04:45 2017 +0100
     144
     145    Amsterdan -> Amsterdam
     146
     147* Mon Mar 6 20:04:07 2017 +0100
     148
     149    Temporarily remove dnscrypt.nl-ns0-ipv6
     150
     151* Mon Mar 6 20:01:35 2017 +0100
     152
     153    Update dnscrypt-resolvers.csv (#611)
     154   
     155    Added dnscrypt.nl
     156
     157* Mon Mar 6 08:38:28 2017 +0100
     158
     159    Use unified headers on Android
     160
     161* Sat Mar 4 19:37:35 2017 +0100
     162
     163    Keep variables sorted by size
     164
     165* Sat Mar 4 13:36:04 2017 -0500
     166
     167    Reset the reachability of nameservers if all are unreachable (#609)
     168   
     169    If all nameservers have been marked unreachable, they will not be queried
     170    again until dnscrypt-proxy is restarted. This fix allows for queries to be
     171    retried without restarting dnscrypt-proxy.
     172   
     173    Fixes jedisct1/dnscrypt-proxy#608
     174   
     175    Signed-off-by: Mitchel Haan <mitchel@mhstud.io>
     176
     177* Wed Feb 22 13:45:54 2017 +0100
     178
     179    Doc error: client-pk is the client' public key.
     180   
     181    Spotted by @willnix
     182   
     183    Fixes #603
     184
     185* Sat Feb 18 18:54:52 2017 +0100
     186
     187    - d0wn-lt-ns1
     188
     189* Sat Feb 18 10:45:16 2017 +0100
     190
     191    Whitelist some TLDs typically used on local networks
     192
     193* Thu Feb 16 09:58:12 2017 +0100
     194
     195    whitelist << "j.mp"
     196
     197* Tue Feb 14 08:33:53 2017 +0100
     198
     199    Whitelist a-msedge.net and l-msedge.net
     200   
     201    Fixes #596
     202
     203* Mon Feb 13 19:42:45 2017 +0100
     204
     205    soltysiak-ipv6 is back
     206
     207* Sun Feb 12 22:42:48 2017 +0100
     208
     209    Compile for macOS >= 10.10
     210
     211* Sat Feb 11 20:50:20 2017 +0100
     212
     213    cs-es is temporarily down
     214
     215* Thu Feb 9 22:25:39 2017 +0100
     216
     217    Avoid clock_gettime() usage on MacOS
     218   
     219    The function is present in Sierra, but not on previous OS versions,
     220    although the linker doesn't complain when `-mmacosx-version-min=`
     221    mentions that we want to support OSX < 10.12.
     222   
     223    So, just pretend it doesn't exist, and remember to remove that
     224    hack the day everyone is running OSX >= 10.12.
     225   
     226    Via an issue from @Thireus
     227
     228* Thu Feb 9 17:35:57 2017 +0100
     229
     230    Looks like this is being renamed
     231
     232* Thu Feb 9 13:56:11 2017 +0100
     233
     234    Sign
     235
     236* Thu Feb 9 16:25:51 2017 +0330
     237
     238    Remove iFreeNet (#591)
     239
     240* Thu Feb 9 12:58:48 2017 +0100
     241
     242    domains -> zones
     243
     244* Tue Feb 7 14:25:26 2017 +0100
     245
     246    libevent test/dns: run async resolving after sync one (to avoid timeouts)
     247
     248* Tue Feb 7 12:33:55 2017 +0100
     249
     250    Normalize the dnscrypt-resolvers.csv format
     251   
     252    Also remove the namecoin tag from servers that don't support it any more.
     253
     254* Tue Feb 7 12:03:43 2017 +0100
     255
     256    Remove unresponsive resolvers
     257
     258* Sun Jan 29 00:46:04 2017 +0100
     259
     260    Travis is too slow :(
     261
     262* Sat Jan 28 16:38:43 2017 +0100
     263
     264    ldns-blocking: fix another corner case with suffix matching
     265   
     266    Ruleset:
     267    ```
     268    *.example.com
     269    ru.example.com
     270    ```
     271   
     272    A query for `xru.example.com` would find `ru.example.com` as the longest
     273    suffix. The expression didn't match since this is neither an exact match
     274    nor a match that stops at a label.
     275   
     276    However, this was ignoring the fact that there a different, shorter rule
     277    could match.
     278   
     279    This is pretty annoying, as keeping our promise to log the longest match
     280    means that we need at least yet another lookup in that specific case.
     281    Alternatively, the fpst lookup function could be specialized to stop at
     282    labels, but that would defeat the point of this example plugin. So,
     283    perform an extra lookup after striping the first (last, once the name is
     284    reversed) label.
     285
     286* Fri Jan 27 00:37:21 2017 +0100
     287
     288    Sort, re-add resolvers that were temporarily down
     289
     290* Fri Jan 27 00:26:14 2017 +0100
     291
     292
     293* Sun Jan 22 16:54:03 2017 +0100
     294
     295    Use the PID file to kill the service on Android
     296
     297* Sun Jan 22 16:51:41 2017 +0100
     298
     299    Update 99dnscrypt (#580)
     300   
     301    Added pidfile
     302
     303* Sun Jan 22 13:00:28 2017 +0100
     304
     305    Android 99dnscrypt: do not sleep before trying the next resolver
     306
     307* Sun Jan 22 12:55:11 2017 +0100
     308
     309    Android 99dnscrypt: reduce the margin to 700
     310
     311* Sun Jan 22 12:48:59 2017 +0100
     312
     313    Android's 99dnscrypt: use a random resolver
     314
     315* Sat Jan 21 11:52:49 2017 +0100
     316
     317
     318* Sat Jan 21 11:51:05 2017 +0100
     319
     320    Quotes
     321
     322* Sat Jan 21 11:48:28 2017 +0100
     323
     324    Update ChangeLog
     325
     326* Sat Jan 21 11:10:33 2017 +0100
     327
     328    Ignore *.exe
     329
     330* Sat Jan 21 11:08:14 2017 +0100
     331
     332    Update permissions on dnscrypt-update-resolvers.sh
     333
     334* Sat Jan 21 10:15:48 2017 +0100
     335
     336    Remove cd.. leftover
     337
     338* Sat Jan 21 10:10:37 2017 +0100
     339
     340    Reduce the number of CI builds
     341
     342* Sat Jan 21 09:18:11 2017 +0100
     343
     344    Check that everything builds with minimal libsodium builds
     345
     346* Sat Jan 21 09:13:09 2017 +0100
     347
     348    Update NEWS/ChangeLog
     349
     350* Sat Jan 21 09:09:07 2017 +0100
     351
     352    "make clean" is not super interesting to log
     353
     354* Sat Jan 21 08:55:34 2017 +0100
     355
     356    Revert "New resolver in Tokyo, Japan: LifeTyper"
     357   
     358
     359* Sat Jan 21 08:55:16 2017 +0100
     360
     361    Trusty is old
     362
     363* Sat Jan 21 08:49:23 2017 +0100
     364
     365    Travis doesn't support IPv6 yet
     366
     367* Sat Jan 21 08:48:56 2017 +0100
     368
     369    Travis: attempt install/uninstall + ./contrib/resolvers-check.sh
     370
     371* Sat Jan 21 08:45:58 2017 +0100
     372
     373    resolvers-check.sh: IPV4_ONLY can be set to probe only IPv4 resolvers
     374
     375* Sat Jan 21 08:12:53 2017 +0100
     376
     377    Move dnscrypt-update-resolvers.sh.in and resolvers-check.sh to contrib/
     378
     379* Sat Jan 21 08:11:41 2017 +0100
     380
     381    Update .gitignore
     382
     383* Sat Jan 21 08:05:08 2017 +0100
     384
     385    Use printunl/archlinux for the Windows builds
     386
     387* Sat Jan 21 02:59:46 2017 +0100
     388
     389    New resolver in Tokyo, Japan: LifeTyper
     390
     391* Sat Jan 21 02:54:08 2017 +0100
     392
     393    Use a random resolver in the tests
     394
     395* Sat Jan 21 02:48:59 2017 +0100
     396
     397    Indent
     398
     399* Sat Jan 21 02:45:03 2017 +0100
     400
     401    win32-win64-xcompile.sh: always compile from the script's directory
     402
     403* Sat Jan 21 01:52:27 2017 +0100
     404
     405    In the Windows dist, remove the sample conf, add WINDOWS doc
     406
     407* Sat Jan 21 00:00:55 2017 +0100
     408
     409    Update NEWS
     410
     411* Sat Jan 21 00:00:10 2017 +0100
     412
     413    Update ChangeLog
     414
     415* Fri Jan 20 23:58:24 2017 +0100
     416
     417    Fix libsodium warning
     418
     419* Fri Jan 20 23:45:33 2017 +0100
     420
     421    CLEANFILES += dnscrypt-update-resolvers.sh
     422
     423* Fri Jan 20 23:43:58 2017 +0100
     424
     425    Do not install the systemd files
     426   
     427    Package maintainers will do a way better job with these
     428
     429* Fri Jan 20 23:40:21 2017 +0100
     430
     431    Generate org.dnscrypt.osx.DNSCryptProxy.plist from a template
     432
     433* Fri Jan 20 23:29:26 2017 +0100
     434
     435    Reduce the difference between Android and iOS builds
     436
     437* Fri Jan 20 23:13:18 2017 +0100
     438
     439    Always include stdlib.h in evutil_rand.c
     440
     441* Fri Jan 20 23:09:26 2017 +0100
     442
     443    Make the builds a little bit more silent
     444
     445* Fri Jan 20 22:57:16 2017 +0100
     446
     447    Split
     448
     449* Fri Jan 20 22:40:54 2017 +0100
     450
     451    Regen the man page
     452
     453* Fri Jan 20 22:39:50 2017 +0100
     454
     455    Update ChangeLog
     456
     457* Fri Jan 20 22:37:01 2017 +0100
     458
     459    Support "random" as a resolver name to pick a random resolver
     460
     461* Fri Jan 20 21:32:03 2017 +0100
     462
     463    Install examples in @docdir@, create systemd files from templates
     464
     465* Fri Jan 20 21:31:42 2017 +0100
     466
     467    Pay attention to @datarootdir@ in dnscrypt-update-resolvers.sh.in
     468
     469* Fri Jan 20 13:58:37 2017 +0100
     470
     471    Print when the configuration file did not change
     472
     473* Fri Jan 20 13:30:42 2017 +0100
     474
     475    1.9.4
     476
     477* Fri Jan 20 13:30:57 2017 +0100
     478
     479    soltysiak down :( cs-lt up, cs-ua down.
     480
     481* Fri Jan 20 13:08:02 2017 +0100
     482
     483    Overwrite conf if the installed one is the vanilla example
     484
     485* Fri Jan 20 12:52:21 2017 +0100
     486
     487    Fix inverted logic in the installation of the example config file
     488
     489* Wed Jan 18 10:52:53 2017 +0100
     490
     491    cs-lt and d0wn-us-ns3 are temporarily unresponsive
     492
     493* Wed Jan 18 08:59:36 2017 +0100
     494
     495    Update ChangeLog
     496
     497* Wed Jan 18 08:46:40 2017 +0100
     498
     499    On Linux, warn when we are running low on entropy
     500
     501* Wed Jan 18 08:18:57 2017 +0100
     502
     503    Print even more details in test mode
     504
     505* Wed Jan 18 08:15:48 2017 +0100
     506
     507    Improve the test mode output and print the validity period
     508
     509* Wed Jan 18 03:15:58 2017 +0100
     510
     511    Travis: increase the margin for the certificate check
     512
     513* Wed Jan 18 03:15:46 2017 +0100
     514
     515    Recommend installing pkg-config and libsystemd-dev for systemd
     516
     517* Wed Jan 18 01:59:11 2017 +0100
     518
     519    Mention that NO_REUSEPORT is not required any more
     520
     521* Tue Jan 17 22:48:18 2017 +0100
     522
     523    build-base should be enough to build the package
     524
     525* Tue Jan 17 22:40:38 2017 +0100
     526
     527    d0wn-us-ns3 and soltysiak-ipv6 are temporarily down
     528
     529* Tue Jan 17 22:37:45 2017 +0100
     530
     531    1.9.3
     532
     533* Tue Jan 17 22:34:53 2017 +0100
     534
     535    Update ChangeLog
     536
     537* Tue Jan 17 21:50:02 2017 +0100
     538
     539    Travis: actually try to install the proxy
     540
     541* Tue Jan 17 21:41:29 2017 +0100
     542
     543    Fix the Plugin directive in config files; add a CI test for it as well
     544
     545* Tue Jan 17 20:00:22 2017 +0100
     546
     547    Ignore ldconfig errors
     548
     549* Tue Jan 17 19:52:50 2017 +0100
     550
     551    Restore -e, ignore make install errors
     552
     553* Tue Jan 17 15:33:24 2017 +0100
     554
     555    Switch Travis builds to multiarch/alpine
     556
     557* Tue Jan 17 15:30:38 2017 +0100
     558
     559    Update NEWS
     560
     561* Tue Jan 17 15:27:01 2017 +0100
     562
     563    apt is not present on Travis
     564
     565* Tue Jan 17 15:22:04 2017 +0100
     566
     567    Travis: try to compile for multiple Linux architectures
     568
     569* Tue Jan 17 12:34:37 2017 +0100
     570
     571    If binding a TCP socket with SO_REUSEPORT fails, retry without it
     572   
     573    This is required at least on alpine/armhf
     574
     575* Tue Jan 17 12:09:45 2017 +0100
     576
     577    Check for linux/filter.h presence -- Allows compilation on musl libc
     578
     579* Tue Jan 17 01:37:11 2017 +0100
     580
     581    Mention that the Include path does not require quotes
     582
     583* Tue Jan 17 01:18:10 2017 +0100
     584
     585    --with-ttl was renamed --min-ttl
     586
     587* Tue Jan 17 00:38:42 2017 +0100
     588
     589    Fix casing
     590
     591* Mon Jan 16 23:52:20 2017 +0100
     592
     593    Do not print the plugins root directory on Windows
     594
     595* Mon Jan 16 20:01:34 2017 +0100
     596
     597    It's called "tracker.debian.org", but it's not a tracker
     598
     599* Mon Jan 16 14:10:30 2017 +0100
     600
     601    Do not install dnscrypt-proxy.conf.example if no dnscrypt-proxy.conf file exists
     602
     603* Sun Jan 15 18:56:07 2017 +0100
     604
     605    Update ChangeLog
     606
     607* Sun Jan 15 18:55:28 2017 +0100
     608
     609    Do not include <sys/socket.h> on WIN32
     610
     611* Sun Jan 15 18:23:42 2017 +0100
     612
     613    --version now reports useful information about how the server was compiled
     614
     615* Sun Jan 15 18:11:08 2017 +0100
     616
     617    Update ChangeLog
     618
     619* Sun Jan 15 17:51:10 2017 +0100
     620
     621    Remove the fpm package
     622   
     623    fpm is awesome, but apparently, nobody's using this script.
     624
     625* Sun Jan 15 17:42:07 2017 +0100
     626
     627    Prepare for version 1.9.2
     628
     629* Sun Jan 15 17:19:09 2017 +0100
     630
     631    Fix KX when using xchacha20poly1305 and non-ephemeral keys
     632
     633* Sun Jan 15 16:27:38 2017 +0100
     634
     635    Warn when an obsolete libsodium version is found
     636
     637* Sun Jan 15 15:45:02 2017 +0100
     638
     639    Log the system error message when the TCP listener cannot be created
     640
     641* Sun Jan 15 15:12:19 2017 +0100
     642
     643    Update simpleconf
     644
     645* Sun Jan 15 10:03:17 2017 +0100
     646
     647    Indent
     648
     649* Sun Jan 15 09:58:32 2017 +0100
     650
     651    Move the !Include definition down
     652
     653* Sun Jan 15 01:56:38 2017 +0100
     654
     655    Document that recursive configuration files are now supported
     656
     657* Sun Jan 15 01:48:58 2017 +0100
     658
     659    Comment marktron's list in the sample domains-blacklist configuration
     660
     661* Sun Jan 15 01:40:56 2017 +0100
     662
     663    Shorten
     664
     665* Sun Jan 15 01:37:13 2017 +0100
     666
     667    simpleconf: support a handler for "special" keywords
     668
     669* Sun Jan 15 00:11:39 2017 +0100
     670
     671    Preliminary support for recursive configuration files
     672
     673* Sat Jan 14 23:59:25 2017 +0100
     674
     675    Improve the domains-blacklist.conf header
     676
     677* Sat Jan 14 23:55:22 2017 +0100
     678
     679    simpleconf: detach the code responsible for loading a config file
     680
     681* Fri Jan 13 22:13:54 2017 +0100
     682
     683    Improve the ProviderName example
     684
     685* Fri Jan 13 02:54:07 2017 +0100
     686
     687    Nits
     688
     689* Thu Jan 12 20:38:35 2017 +0100
     690
     691    Remove Quidsup Notrack by default -- too many FPs such as pusher
     692
     693* Thu Jan 12 20:31:15 2017 +0100
     694
     695    Do not block elasticbeanstalk.com
     696
     697* Wed Jan 11 10:04:25 2017 -0800
     698
     699    Add Dan Pollock's list
     700
     701* Wed Jan 11 00:48:36 2017 -0800
     702
     703    Use bounce buffers for crypto_box_detached_afternm emulation
     704   
     705    Required for ancient libsodium versions (stock Debian Jessie, Raspbian)
     706
     707* Tue Jan 10 13:26:52 2017 -0800
     708
     709    Include \0 in the key equality test
     710
     711* Tue Jan 10 10:48:50 2017 -0800
     712
     713    Iterate over the \0 terminator when inserting a new key
     714
     715* Tue Jan 10 00:28:34 2017 -0800
     716
     717    Mention how to run the python script
     718
     719* Sat Jan 7 15:24:35 2017 +0100
     720
     721    Unfortunately, blocking *.spotify.com breaks the app :/
     722
     723* Sat Jan 7 10:53:44 2017 +0100
     724
     725    Nits
     726
     727* Sat Jan 7 10:37:56 2017 +0100
     728
     729    IgnoreTimeStamps weakens security -- do not enable blindly
     730
     731* Sat Jan 7 16:33:28 2017 +0700
     732
     733    Add Windows service properties IgnoreTimestamps and LogLevel
     734   
     735    Add "IgnoreTimestamps (--ignore-timestamps)" and "LogLevel (--loglevel)" for windows service parameter registry.
     736    So windows service parameter registry had the same option with the main program option.
     737
     738* Sat Jan 7 16:32:45 2017 +0700
     739
     740    Update README-WINDOWS.markdown (#548)
     741   
     742    * Update README-WINDOWS.markdown
     743   
     744    Fixed.
     745    Documentation for `windows_service.c` change.
     746   
     747    * Update README-WINDOWS.markdown
     748
     749* Sat Jan 7 10:30:14 2017 +0100
     750
     751    Redirect log messages whose level is < LOG_NOTICE to stderr
     752
     753* Fri Jan 6 18:14:18 2017 +0100
     754
     755    Attach a BPF filter to the client-side UDP socket
     756
     757* Fri Jan 6 16:02:10 2017 +0100
     758
     759    Typo
     760
     761* Fri Jan 6 15:18:09 2017 +0100
     762
     763    Do not enable SO_REUSEPORT is NO_REUSEPORT is defined
     764   
     765    `SO_REUSEPORT` is apparently buggy on older linux-sunxi kernels
     766
     767* Thu Jan 5 23:46:37 2017 +0100
     768
     769    Avoid the redefinition of the FPST type
     770   
     771    This fixes compilation on Debian 6
     772
     773* Tue Jan 3 15:29:04 2017 +0100
     774
     775    Blocking tagcommander.com causes popular mobile apps to freeze :(
     776
     777* Tue Jan 3 15:17:40 2017 +0100
     778
     779    Whitelist some entries
     780
     781* Tue Jan 3 15:11:17 2017 +0100
     782
     783    Print the number of entries ignored because of the whitelist
     784
     785* Tue Jan 3 15:08:13 2017 +0100
     786
     787    Support a whitelist
     788
     789* Tue Jan 3 14:09:23 2017 +0100
     790
     791    Add TXT records
     792
     793* Tue Jan 3 07:21:08 2017 +0100
     794
     795    Don't assume that ## or #@ is an inline comment
     796
     797* Mon Jan 2 22:39:03 2017 +0100
     798
     799    Read the domains-blacklist.conf file from the command line if supplied
     800
     801* Mon Jan 2 22:10:10 2017 +0100
     802
     803    Refine the inline-comments macro
     804
     805* Mon Jan 2 21:56:17 2017 +0100
     806
     807    Add a few optional categories to domains-blacklist.conf
     808
     809* Mon Jan 2 21:35:02 2017 +0100
     810
     811    Add more spam/fraud/ads sources
     812
     813* Mon Jan 2 21:23:27 2017 +0100
     814
     815    Remove inline comments from blacklist entries
     816
     817* Mon Jan 2 13:41:00 2017 +0100
     818
     819    Keep daemonize uncommented
     820
     821* Mon Jan 2 13:40:17 2017 +0100
     822
     823    Mention that Daemonize is not for Windows
     824
     825* Mon Jan 2 12:35:30 2017 +0100
     826
     827    Re-remove resolvers that are still down:
     828   
     829    - cs-uswest - Failed
     830    - d0wn-dk-ns1 - Failed
     831    - d0wn-dk-ns1 - Failed
     832    - d0wn-fr-ns1 - Failed
     833    - d0wn-fr-ns1-ipv6 - Failed
     834    - d0wn-nl-ns2 - Failed
     835
     836* Mon Jan 2 06:29:50 2017 -0500
     837
     838    Update dnscrypt-resolvers.csv (#540)
     839   
     840    Removed original listing of Cryptostorm's DNS resolvers and added Cryptostorm's updated DNS resolvers from their github
     841    https://github.com/cryptostorm/cstorm_deepDNS/blob/master/dnscrypt-resolvers.csv
     842   
     843    Updated D0wn's list of DNS resolvers
     844    - According to https://dns.d0wn.biz/ "All servers are supporting DNSSEC." Updated d0wn's DNS resolvers to yes under DNSSEC column.
     845    - Added Austria, Bulgaria, Canada, Czech Republic, Denmark, France, Germany, Greece, Hong Kong, Lithuania, Moldova, Netherlands, Romania, Singapore, South Korea, Switzerland, Tanzania, United States of America
     846    - Rearranged Germany, Moldova, Spain, Sweden to coincide better Alphabetically
     847   
     848    Added Tumabox IPv6 DNS Resolver
     849
     850* Sun Jan 1 17:49:10 2017 +0100
     851
     852    Remove some d0wn resolver that are temporarily down
     853
     854* Sun Jan 1 17:31:55 2017 +0100
     855
     856    Update ChangeLog
     857
    1858* Sun Jan 1 17:30:16 2017 +0100
    2859
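
    Review bot: the commit message ("update dnscrypt") does not say which upstream release or commit is being imported, and this ChangeLog does not settle it: the last version marker is 1.9.4 (Jan 20 2017), but the entries run on to May 6 2017. The range includes security-relevant fixes such as "Fix KX when using xchacha20poly1305 and non-ephemeral keys" and "Include \0 in the key equality test", so please record the exact upstream tag or commit in the message so the vendored copy can be audited against upstream.
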
  • src/router/dnscrypt/DNSCRYPT-V2-PROTOCOL.txt

    r31742 r32055  
    178178<client-nonce> ::= the nonce sent by the client in the related query.
    179179
    180 <client-pk> ::= the client's secret key.
     180<client-pk> ::= the client's public key.
    181181
    182182<resolver-sk> ::= the resolver's public key.
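
    Review bot: the unchanged context line 182 carries the same kind of mismatch this hunk fixes for <client-pk>: "<resolver-sk> ::= the resolver's public key." pairs an -sk name with "public key". Going by the naming used for <client-pk>, that definition should read "the resolver's secret key"; worth correcting in the same change or reporting upstream.
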
     
    363363with a higher serial number.
    364364
    365 <ts-start> ::= the date the certificate is valid from, as a 4-byte
    366 unsigned Unix timestamp.
     365<ts-start> ::= the date the certificate is valid from, as a big-endian
     3664-byte unsigned Unix timestamp.
    367367
    368368<ts-end> ::= the date the certificate is valid until (inclusive), as a
    369 4-byte unsigned Unix timestamp.
     369big-endian 4-byte unsigned Unix timestamp.
    370370
    371371<extensions> ::= empty in the current protocol version, but may
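
    Review bot: <ts-end> is documented as inclusive, but <ts-start> (new lines 365-366) does not say whether its bound is inclusive. While the byte order is being pinned down, state that as well, so implementations of the certificate validity check agree at both ends of the period.
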
  • src/router/dnscrypt/Makefile.am

    r31742 r32055  
    1111        autogen.sh \
    1212        dnscrypt-proxy.conf \
    13         dnscrypt-proxy.service \
     13        dnscrypt-proxy.service.in \
    1414        dnscrypt-proxy.socket \
    15         org.dnscrypt.osx.DNSCryptProxy.plist \
    16         resolvers-check.sh
     15        org.dnscrypt.osx.DNSCryptProxy.plist.in
    1716
    1817SUBDIRS = \
     
    3433        minisign.pub
    3534
     35doc_DATA = \
     36        README.markdown \
     37        COPYING \
     38        DNSCRYPT-V2-PROTOCOL.txt \
     39        dnscrypt-proxy.conf
     40
     41if PLUGINS
     42doc_DATA += \
     43        README-PLUGINS.markdown
     44endif
     45
     46noinst_DATA = \
     47        org.dnscrypt.osx.DNSCryptProxy.plist
     48
     49if HAVE_SYSTEMD
     50noinst_DATA += \
     51        dnscrypt-proxy.service
     52endif
     53
     54dnscrypt-proxy.service: dnscrypt-proxy.service.in
     55        $(SED) \
     56        -e 's|[@]sbindir@|$(sbindir)|g' \
     57        -e 's|[@]sysconfdir@|$(sysconfdir)|g' \
     58        < dnscrypt-proxy.service.in > dnscrypt-proxy.service
     59
     60org.dnscrypt.osx.DNSCryptProxy.plist: org.dnscrypt.osx.DNSCryptProxy.plist.in
     61        $(SED) \
     62        -e 's|[@]sbindir@|$(sbindir)|g' \
     63        -e 's|[@]sysconfdir@|$(sysconfdir)|g' \
     64        < org.dnscrypt.osx.DNSCryptProxy.plist.in > org.dnscrypt.osx.DNSCryptProxy.plist
     65
     66CLEANFILES = \
     67        dnscrypt-proxy.service \
     68        dnscrypt-update-resolvers.sh \
     69        org.dnscrypt.osx.DNSCryptProxy.plist
     70
    3671install-data-local:
    37         $(mkinstalldirs) $(DESTDIR)$(sysconfdir); \
    38         if [ ! -f $(DESTDIR)$(sysconfdir)/dnscrypt-proxy.conf ]; then \
     72        @$(mkinstalldirs) $(DESTDIR)$(sysconfdir); \
     73        if [ -f $(DESTDIR)$(sysconfdir)/dnscrypt-proxy.conf ]; then \
     74                if cmp -s $(srcdir)/dnscrypt-proxy.conf $(docdir)/dnscrypt-proxy.conf; then \
     75                        echo "Configuration file unchanged"; \
     76                else \
     77                        echo "The example configuration file [$(docdir)/dnscrypt-proxy.conf] has been updated."; \
     78                        echo "You may want to compare it with the one at [$(DESTDIR)$(sysconfdir)/dnscrypt-proxy.conf]."; \
     79                fi; \
     80        else \
    3981                $(INSTALL_DATA) $(srcdir)/dnscrypt-proxy.conf $(DESTDIR)$(sysconfdir)/dnscrypt-proxy.conf; \
    40         fi; \
    41         $(INSTALL_DATA) $(srcdir)/dnscrypt-proxy.conf $(DESTDIR)$(sysconfdir)/dnscrypt-proxy.conf.example
     82        fi
    4283
    4384uninstall-local:
    44         if cmp -s $(DESTDIR)$(sysconfdir)/dnscrypt-proxy.conf $(srcdir)/dnscrypt-proxy.conf; then \
    45                 echo "$(DESTDIR)$(sysconfdir)/dnscrypt-proxy.conf is not changed and will be removed."; \
     85        @if cmp -s $(srcdir)/dnscrypt-proxy.conf $(DESTDIR)$(sysconfdir)/dnscrypt-proxy.conf; then \
     86                echo "$(DESTDIR)$(sysconfdir)/dnscrypt-proxy.conf has not changed and will be removed."; \
    4687                rm -f $(DESTDIR)$(sysconfdir)/dnscrypt-proxy.conf; \
    47         fi; \
    48         rm -f $(DESTDIR)$(sysconfdir)/dnscrypt-proxy.conf.example
     88        rmdir $(DESTDIR)$(sysconfdir) 2> /dev/null ||:; \
     89        fi
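
    Review bot: in install-data-local (new line 74) the cmp reads $(docdir)/dnscrypt-proxy.conf without the $(DESTDIR) prefix that every other path in the rule carries, so a staged install (DESTDIR set, as in packaging or a firmware build) compares against the build host's docdir rather than the staging tree, and the outcome also depends on whether the doc_DATA copy has been installed yet. Suggest comparing against $(DESTDIR)$(docdir)/dnscrypt-proxy.conf, or against the installed $(DESTDIR)$(sysconfdir)/dnscrypt-proxy.conf if the intent is to detect local edits. Separately, uninstall-local no longer removes dnscrypt-proxy.conf.example, so a copy left by the previous install rule stays behind after an upgrade.
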
  • src/router/dnscrypt/Makefile.in

    r31742 r32055  
    9292@PLUGINS_TRUE@  libltdl
    9393
     94@PLUGINS_TRUE@am__append_2 = \
     95@PLUGINS_TRUE@  README-PLUGINS.markdown
     96
     97@HAVE_SYSTEMD_TRUE@am__append_3 = \
     98@HAVE_SYSTEMD_TRUE@     dnscrypt-proxy.service
     99
    94100subdir = .
    95101ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
     
    108114mkinstalldirs = $(install_sh) -d
    109115CONFIG_HEADER = config.h
    110 CONFIG_CLEAN_FILES = dnscrypt-update-resolvers.sh \
    111         src/include/dnscrypt/version.h test/Makefile
     116CONFIG_CLEAN_FILES = src/include/dnscrypt/version.h test/Makefile
    112117CONFIG_CLEAN_VPATH_FILES =
    113118AM_V_P = $(am__v_P_@AM_V@)
     
    165170         $(am__cd) "$$dir" && rm -f $$files; }; \
    166171  }
    167 am__installdirs = "$(DESTDIR)$(pkgdatadir)"
    168 DATA = $(dist_pkgdata_DATA)
     172am__installdirs = "$(DESTDIR)$(pkgdatadir)" "$(DESTDIR)$(docdir)"
     173DATA = $(dist_pkgdata_DATA) $(doc_DATA) $(noinst_DATA)
    169174RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \
    170175  distclean-recursive maintainer-clean-recursive
     
    198203DIST_SUBDIRS = dist-build man libltdl contrib src test
    199204am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/config.h.in \
    200         $(srcdir)/dnscrypt-update-resolvers.sh.in \
    201205        $(top_srcdir)/libltdl/config/compile \
    202206        $(top_srcdir)/libltdl/config/config.guess \
     
    412416        autogen.sh \
    413417        dnscrypt-proxy.conf \
    414         dnscrypt-proxy.service \
     418        dnscrypt-proxy.service.in \
    415419        dnscrypt-proxy.socket \
    416         org.dnscrypt.osx.DNSCryptProxy.plist \
    417         resolvers-check.sh
     420        org.dnscrypt.osx.DNSCryptProxy.plist.in
    418421
    419422SUBDIRS = dist-build man $(am__append_1) contrib src test
     
    421424        dnscrypt-resolvers.csv \
    422425        minisign.pub
     426
     427doc_DATA = README.markdown COPYING DNSCRYPT-V2-PROTOCOL.txt \
     428        dnscrypt-proxy.conf $(am__append_2)
     429noinst_DATA = org.dnscrypt.osx.DNSCryptProxy.plist $(am__append_3)
     430CLEANFILES = \
     431        dnscrypt-proxy.service \
     432        dnscrypt-update-resolvers.sh \
     433        org.dnscrypt.osx.DNSCryptProxy.plist
    423434
    424435all: config.h
     
    474485distclean-hdr:
    475486        -rm -f config.h stamp-h1
    476 dnscrypt-update-resolvers.sh: $(top_builddir)/config.status $(srcdir)/dnscrypt-update-resolvers.sh.in
    477         cd $(top_builddir) && $(SHELL) ./config.status $@
    478487src/include/dnscrypt/version.h: $(top_builddir)/config.status $(top_srcdir)/src/include/dnscrypt/version.h.in
    479488        cd $(top_builddir) && $(SHELL) ./config.status $@
     
    510519        files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
    511520        dir='$(DESTDIR)$(pkgdatadir)'; $(am__uninstall_files_from_dir)
     521install-docDATA: $(doc_DATA)
     522        @$(NORMAL_INSTALL)
     523        @list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
     524        if test -n "$$list"; then \
     525          echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \
     526          $(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \
     527        fi; \
     528        for p in $$list; do \
     529          if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
     530          echo "$$d$$p"; \
     531        done | $(am__base_list) | \
     532        while read files; do \
     533          echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(docdir)'"; \
     534          $(INSTALL_DATA) $$files "$(DESTDIR)$(docdir)" || exit $$?; \
     535        done
     536
     537uninstall-docDATA:
     538        @$(NORMAL_UNINSTALL)
     539        @list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
     540        files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
     541        dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir)
    512542
    513543# This directory's subdirectories are mostly independent; you can cd
     
    809839installdirs: installdirs-recursive
    810840installdirs-am:
    811         for dir in "$(DESTDIR)$(pkgdatadir)"; do \
     841        for dir in "$(DESTDIR)$(pkgdatadir)" "$(DESTDIR)$(docdir)"; do \
    812842          test -z "$$dir" || $(MKDIR_P) "$$dir"; \
    813843        done
     
    834864
    835865clean-generic:
     866        -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
    836867
    837868distclean-generic:
     
    864895info-am:
    865896
    866 install-data-am: install-data-local install-dist_pkgdataDATA
     897install-data-am: install-data-local install-dist_pkgdataDATA \
     898        install-docDATA
    867899
    868900install-dvi: install-dvi-recursive
     
    910942ps-am:
    911943
    912 uninstall-am: uninstall-dist_pkgdataDATA uninstall-local
     944uninstall-am: uninstall-dist_pkgdataDATA uninstall-docDATA \
     945        uninstall-local
    913946
    914947.MAKE: $(am__recursive_targets) all install-am install-strip
     
    922955        distdir distuninstallcheck dvi dvi-am html html-am info \
    923956        info-am install install-am install-data install-data-am \
    924         install-data-local install-dist_pkgdataDATA install-dvi \
    925         install-dvi-am install-exec install-exec-am install-html \
    926         install-html-am install-info install-info-am install-man \
    927         install-pdf install-pdf-am install-ps install-ps-am \
    928         install-strip installcheck installcheck-am installdirs \
    929         installdirs-am maintainer-clean maintainer-clean-generic \
    930         mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
    931         ps ps-am tags tags-am uninstall uninstall-am \
    932         uninstall-dist_pkgdataDATA uninstall-local
     957        install-data-local install-dist_pkgdataDATA install-docDATA \
     958        install-dvi install-dvi-am install-exec install-exec-am \
     959        install-html install-html-am install-info install-info-am \
     960        install-man install-pdf install-pdf-am install-ps \
     961        install-ps-am install-strip installcheck installcheck-am \
     962        installdirs installdirs-am maintainer-clean \
     963        maintainer-clean-generic mostlyclean mostlyclean-generic \
     964        mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
     965        uninstall-am uninstall-dist_pkgdataDATA uninstall-docDATA \
     966        uninstall-local
    933967
    934968.PRECIOUS: Makefile
    935969
    936970
     971dnscrypt-proxy.service: dnscrypt-proxy.service.in
     972        $(SED) \
     973        -e 's|[@]sbindir@|$(sbindir)|g' \
     974        -e 's|[@]sysconfdir@|$(sysconfdir)|g' \
     975        < dnscrypt-proxy.service.in > dnscrypt-proxy.service
     976
     977org.dnscrypt.osx.DNSCryptProxy.plist: org.dnscrypt.osx.DNSCryptProxy.plist.in
     978        $(SED) \
     979        -e 's|[@]sbindir@|$(sbindir)|g' \
     980        -e 's|[@]sysconfdir@|$(sysconfdir)|g' \
     981        < org.dnscrypt.osx.DNSCryptProxy.plist.in > org.dnscrypt.osx.DNSCryptProxy.plist
     982
    937983install-data-local:
    938         $(mkinstalldirs) $(DESTDIR)$(sysconfdir); \
    939         if [ ! -f $(DESTDIR)$(sysconfdir)/dnscrypt-proxy.conf ]; then \
     984        @$(mkinstalldirs) $(DESTDIR)$(sysconfdir); \
     985        if [ -f $(DESTDIR)$(sysconfdir)/dnscrypt-proxy.conf ]; then \
     986                if cmp -s $(srcdir)/dnscrypt-proxy.conf $(docdir)/dnscrypt-proxy.conf; then \
     987                        echo "Configuration file unchanged"; \
     988                else \
     989                        echo "The example configuration file [$(docdir)/dnscrypt-proxy.conf] has been updated."; \
     990                        echo "You may want to compare it with the one at [$(DESTDIR)$(sysconfdir)/dnscrypt-proxy.conf]."; \
     991                fi; \
     992        else \
    940993                $(INSTALL_DATA) $(srcdir)/dnscrypt-proxy.conf $(DESTDIR)$(sysconfdir)/dnscrypt-proxy.conf; \
    941         fi; \
    942         $(INSTALL_DATA) $(srcdir)/dnscrypt-proxy.conf $(DESTDIR)$(sysconfdir)/dnscrypt-proxy.conf.example
     994        fi
    943995
    944996uninstall-local:
    945         if cmp -s $(DESTDIR)$(sysconfdir)/dnscrypt-proxy.conf $(srcdir)/dnscrypt-proxy.conf; then \
    946                 echo "$(DESTDIR)$(sysconfdir)/dnscrypt-proxy.conf is not changed and will be removed."; \
     997        @if cmp -s $(srcdir)/dnscrypt-proxy.conf $(DESTDIR)$(sysconfdir)/dnscrypt-proxy.conf; then \
     998                echo "$(DESTDIR)$(sysconfdir)/dnscrypt-proxy.conf has not changed and will be removed."; \
    947999                rm -f $(DESTDIR)$(sysconfdir)/dnscrypt-proxy.conf; \
    948         fi; \
    949         rm -f $(DESTDIR)$(sysconfdir)/dnscrypt-proxy.conf.example
     1000        rmdir $(DESTDIR)$(sysconfdir) 2> /dev/null ||:; \
     1001        fi
    9501002
    9511003# Tell versions [3.59,3.63) of GNU make to not export all variables.
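Review bot: In install-data-local, the new `cmp -s $(srcdir)/dnscrypt-proxy.conf $(docdir)/dnscrypt-proxy.conf` reads `$(docdir)` without the `$(DESTDIR)` prefix that every other path in the recipe carries, so a staged install (DESTDIR set, as in a package or firmware build) compares against the build host's doc directory instead of the staging tree, and the "has been updated" message can be wrong or missing. Suggest `$(DESTDIR)$(docdir)/dnscrypt-proxy.conf` in both the `cmp` and the first `echo`. The comparison also assumes install-docDATA has not run yet; both are prerequisites of install-data-am with no ordering between them, so under a parallel make the doc copy may already be the new file and the recipe then always prints "Configuration file unchanged". The paths in install-data-local and uninstall-local are unquoted as well, which breaks on a sysconfdir containing spaces.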
  • src/router/dnscrypt/NEWS

    r31742 r32055  
     1
     2* Version 1.9.5
     3 - The cache plugin didn't properly move cached entries between the
     4recent and frequent lists, resulting is suboptimal performance and
     5memory not being properly freed. This has been fixed.
     6 - Many updates were made to the default list of resolvers.
     7 - The forwarding plugin can now recover after all name servers have
     8temporarily been unreachable.
     9 - Compatibility with older versions of MacOS has been restored.
     10 - Official precompiled packages for Linux are now available.
     11
     12* Version 1.9.4
     13 - The default installation script in version 1.9.3 unconditionally replaced
     14the configuration file with the example one. This has been fixed.
     15 - The resolver name can be set to `random` in order to pick a random resolver.
     16 - Paths are not hardcoded any more in the sample systemd and plist files.
     17 - The `dnscrypt-update-resolvers.sh` and `resolvers-check.sh` scripts have been
     18moved to the contrib/ directory.
     19 - An `IPV4_ONLY` environment variable can be set to skip IPv6-only entries in
     20`resolvers-check.sh`.
     21 - Precompiled iOS/Android/Windows packages have become more consistent, and
     22now include basic documentation.
     23 - Tests are now run using random resolvers.
     24
     25* Version 1.9.3
     26 - This version can be compiled on Linux distributions using the musl C
     27library.
     28 - Version 1.9.3 also restores compatibility with ancient Linux kernels that
     29didn't support `SO_REUSEPORT`, without having to explicitly compile the package
     30with `NO_REUSEPORT`.
     31 - On Linux, the service now prints when the system doesn't have enough entropy
     32to initialize the PRNG.
     33
     34* Version 1.9.2
     35 - Compatibility with ancient libsodium versions (1.0.0, as still shipped
     36in Debian Jessie) has been restored.
     37 - With newer libsodium versions, the XChaCha20-Poly1305 can now actually
     38be used on servers supporting this construction.
     39 - The configuration file can now recursively include other configuration
     40files, with the `Include` keyword.
     41 - Error messages were improved.
     42 - The generate-domains-blacklist.py script now supports whitelists in
     43addition to blacklists, and provides more example feeds.
     44 - The blocking plugin sometimes didn't match overlapping rules. This should
     45have been fixed for good.
     46 - The `IgnoreTimestamps` and `LogLevel` options can now be controlled using
     47Windows registry keys.
     48 - Log error messages whose level is lower than `LOG_NOTICE` now go to
     49`stderr` instead of `stdout`.
     50 - On Linux, a BPF filter is attached to the client-side UDP socket in order
     51to drop invalid DNS queries right away.
     52 - The `NO_REUSEPORT` preprocessor macro can be defined in order to avoid
     53enabling `SO_REUSEPORT` on older linux-sunxi kernels.
     54 - The package can be compiled on Debian 6.
     55 - `--version` now reports useful information about the way the server was
     56compiled.
    157
    258* Version 1.9.1
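Review bot: Typo in the 1.9.5 cache-plugin entry: "resulting is suboptimal performance" should read "resulting in suboptimal performance".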
     
    460handle overlapping rules. This has been fixed.
    561 - The documentation and examples were updated.
    6  - The mimimum time to keep a record in cache can be specified in the
    7 cache plugin, with the `--with-ttl` option (config file: `with-ttl:...`).
     62 - The minimum time to keep a record in cache can be specified in the
     63cache plugin, with the `--min-ttl` option.
    864 - The example generate-domains-blacklist.py script produces a more
    965optimized list, without overlapping names.
  • src/router/dnscrypt/README-WINDOWS.markdown

    r31742 r32055  
    225225with the `--service-name` command-line switch when installing the service.
    226226
    227 The following subkeys are recognized and should be self-explanatory:
    228 
    229     ConfigFile        (REG_SZ)
    230     Plugins           (REG_MULTI_SZ)
    231     LocalAddress      (REG_SZ)
    232     ProviderKey       (REG_SZ)
    233     ProviderName      (REG_SZ)
    234     ResolverAddress   (REG_SZ)
    235     ResolverName      (REG_SZ)
    236     ResolversList     (REG_SZ)
    237     LogFile           (REG_SZ)
    238     EDNSPayloadSize   (DWORD)
    239     MaxActiveRequests (DWORD)
    240     TCPOnly           (DWORD)
    241     ClientKeyFile     (REG_SZ)
    242     EphemeralKeys     (DWORD)
    243 
    244 For example, in order to listen to local address that is not the default
    245 `127.0.0.1`, the key to put the custom IP address is
     227The following registry values are recognized:
     228
     229Registry Value    | Type
     230----------------- | --------------
     231ConfigFile        | REG_SZ
     232ResolversList     | REG_SZ
     233ResolverName      | REG_SZ
     234LocalAddress      | REG_SZ
     235ProviderKey       | REG_SZ
     236ProviderName      | REG_SZ
     237ResolverAddress   | REG_SZ
     238EDNSPayloadSize   | REG_DWORD
     239MaxActiveRequests | REG_DWORD
     240TCPOnly           | REG_DWORD
     241EphemeralKeys     | REG_DWORD
     242IgnoreTimestamps  | REG_DWORD
     243ClientKeyFile     | REG_SZ
     244LogFile           | REG_SZ
     245LogLevel          | REG_DWORD
     246Plugins           | REG_MULTI_SZ
     247
     248Detail of registry values:
     249
     250    ResolversList     : Full path to the `dnscrypt-resolvers.csv` file.
     251                        Equivalent to the `resolvers-list` parameter.
     252    ResolverName      : Resolver name in the `dnscrypt-resolvers.csv` file.
     253                        This is the first column (`Name`) in that CSV file.
     254                        Equivalent to the `resolver-name` parameter.
     255    LocalAddress      : IP address where `dnscrypt-proxy` listen for DNS request.
     256                        Equivalent to the `local-address` parameter.
     257    ProviderKey       : DNS server key.
     258                        `Provider public key` column in the `dnscrypt-resolvers.csv` file.
     259                        Equivalent to the `provider-key` parameter.
     260    ProviderName      : DNS server name.
     261                        `Provider name` column in the `dnscrypt-resolvers.csv` file.
     262                        Equivalent to the `provider-name` parameter.
     263    ResolverAddress   : DNS server IP.
     264                        `Resolver address` column in the `dnscrypt-resolvers.csv` file.
     265                        Equivalent to the `resolver-address` parameter.
     266    EDNSPayloadSize   : EDNS size.
     267                        Must be between `1` and `65507` (IPv4) or `65535` (IPv6-only).
     268                        Equivalent to the `edns-payload-size` parameter.
     269    MaxActiveRequests : Maximum number of client DNS requests to process concurrently.
     270                        Must be equal or greater than `1`.
     271                        Equivalent to the `max-active-requests` parameter.
     272    TCPOnly           : Send DNS queries to upstream servers using only TCP if set to `1`.
     273                        Must be `1` or `0`.
     274                        Equivalent to the `tcp-only` parameter.
     275    EphemeralKeys     : Create a new key pair for every query.
     276                        Must be `1` or `0`.
     277                        Equivalent to the `ephemeral-keys` parameter.
     278    IgnoreTimestamps  : Must be `1` or `0`.
     279                        Equivalent to the `ignore-timestamps` parameter. Do not enable blindly.
     280    ClientKeyFile     : Use a static key pair. This is the path to a file storing the secret key.
     281                        Equivalent to the `client-key` parameter.
     282    LogFile           : Log file for `dnscrypt-proxy`.
     283                        Equivalent to the `logfile` parameter.
     284    LogLevel          : Maximum log level.
     285                        Equivalent to the `loglevel` parameter.
     286    Plugins           : Set of plugins to be loaded by `dnscrypt-proxy`.
     287                        Equivalent to one or more `plugin` command-line arguments.
     288
     289Plugins Example (INF):
     290
     291````
     292HKLM,"SYSTEM\CurrentControlSet\services\dnscrypt-proxy\Parameters",0x10000,"C:\Program Files\DNSCrypt\libdcplugin_example_ldns_blocking.dll,--domains=C:\Program Files\DNSCrypt\Names.txt,--ips=C:\Program Files\DNSCrypt\IPs.txt,--logfile=C:\DNSCrypt-Block.log"
     293````
     294
     295For example, in order to listen to a local address different from the default
     296`127.0.0.1`, the key to put the custom IP address in is
    246297`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dnscrypt-proxy\Parameters\LocalAddress`.
    247298
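Review bot: The "Plugins Example (INF)" line has no value name between the key path and the `0x10000` type flag, so as written the flag sits in the value-name field of the AddReg entry; it should read `...\Parameters","Plugins",0x10000,"..."`. Separately, `IgnoreTimestamps` is the only entry in the detail list that carries a warning ("Do not enable blindly") without saying what the setting does, and `LogLevel` gives no range of accepted values; someone configuring the service through the registry needs both spelled out.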
  • src/router/dnscrypt/README.markdown

    r31742 r32055  
    11[![Build Status](https://travis-ci.org/jedisct1/dnscrypt-proxy.png?branch=master)](https://travis-ci.org/jedisct1/dnscrypt-proxy?branch=master)
     2[![Make a donation to support this project](https://img.shields.io/badge/donate-PayPal-green.svg?style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=paypalrecovery-a@pureftpd.org&lc=US&item_name=Donation+to+the+DNSCrypt+project)
    23
    34[![DNSCrypt](https://raw.github.com/jedisct1/dnscrypt-proxy/master/dnscrypt-small.png)](https://dnscrypt.org)
    45============
    56
    6 DNScrypt is a protocol for securing communications between a client
     7DNSCrypt is a protocol for securing communications between a client
    78and a DNS resolver, using high-speed high-security elliptic-curve
    89cryptography.
     
    2930Signatures can be verified with [Minisign](https://jedisct1.github.io/minisign/):
    3031
    31     $ minisign -VP RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3 -m dnscrypt-proxy-1.9.1.tar.bz2
     32    $ minisign -VP RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3 -m dnscrypt-proxy-1.9.5.tar.bz2
    3233
    3334Plugins
  • src/router/dnscrypt/aclocal.m4

    r31742 r32055  
    2121To do so, use the procedure documented by the package, typically 'autoreconf'.])])
    2222
    23 dnl pkg.m4 - Macros to locate and utilise pkg-config.   -*- Autoconf -*-
    24 dnl serial 11 (pkg-config-0.29.1)
    25 dnl
     23# pkg.m4 - Macros to locate and utilise pkg-config.   -*- Autoconf -*-
     24# serial 12 (pkg-config-0.29.2)
     25
    2626dnl Copyright © 2004 Scott James Remnant <scott@netsplit.com>.
    2727dnl Copyright © 2012-2015 Dan Nicholson <dbn.lists@gmail.com>
     
    6464dnl of the macros you require.
    6565m4_defun([PKG_PREREQ],
    66 [m4_define([PKG_MACROS_VERSION], [0.29.1])
     66[m4_define([PKG_MACROS_VERSION], [0.29.2])
    6767m4_if(m4_version_compare(PKG_MACROS_VERSION, [$1]), -1,
    6868    [m4_fatal([pkg.m4 version $1 or higher is required but ]PKG_MACROS_VERSION[ found])])
     
    165165
    166166pkg_failed=no
    167 AC_MSG_CHECKING([for $1])
     167AC_MSG_CHECKING([for $2])
    168168
    169169_PKG_CONFIG([$1][_CFLAGS], [cflags], [$2])
     
    175175
    176176if test $pkg_failed = yes; then
    177         AC_MSG_RESULT([no])
     177        AC_MSG_RESULT([no])
    178178        _PKG_SHORT_ERRORS_SUPPORTED
    179179        if test $_pkg_short_errors_supported = yes; then
    180180                $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "$2" 2>&1`
    181         else 
     181        else
    182182                $1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "$2" 2>&1`
    183183        fi
     
    196196        ])
    197197elif test $pkg_failed = untried; then
    198         AC_MSG_RESULT([no])
     198        AC_MSG_RESULT([no])
    199199        m4_default([$4], [AC_MSG_FAILURE(
    200200[The pkg-config script could not be found or is too old.  Make sure it
  • src/router/dnscrypt/config.h.in

    r31742 r32055  
    110110/* Define to 1 if you have the `ws2_32' library (-lws2_32). */
    111111#undef HAVE_LIBWS2_32
     112
     113/* Define to 1 if you have the <linux/filter.h> header file. */
     114#undef HAVE_LINUX_FILTER_H
     115
     116/* Define to 1 if you have the <linux/random.h> header file. */
     117#undef HAVE_LINUX_RANDOM_H
    112118
    113119/* Define this if a modern libltdl is already installed */
  • src/router/dnscrypt/configure

    r31742 r32055  
    11#! /bin/sh
    22# Guess values for system-dependent variables and create Makefiles.
    3 # Generated by GNU Autoconf 2.69 for dnscrypt-proxy 1.9.1.
     3# Generated by GNU Autoconf 2.69 for dnscrypt-proxy 1.9.5.
    44#
    55# Report bugs to <https://dnscrypt.org>.
     
    595595PACKAGE_NAME='dnscrypt-proxy'
    596596PACKAGE_TARNAME='dnscrypt-proxy'
    597 PACKAGE_VERSION='1.9.1'
    598 PACKAGE_STRING='dnscrypt-proxy 1.9.1'
     597PACKAGE_VERSION='1.9.5'
     598PACKAGE_STRING='dnscrypt-proxy 1.9.5'
    599599PACKAGE_BUGREPORT='https://dnscrypt.org'
    600600PACKAGE_URL=''
     
    13951395  # This message is too long to be a string in the A/UX 3.1 sh.
    13961396  cat <<_ACEOF
    1397 \`configure' configures dnscrypt-proxy 1.9.1 to adapt to many kinds of systems.
     1397\`configure' configures dnscrypt-proxy 1.9.5 to adapt to many kinds of systems.
    13981398
    13991399Usage: $0 [OPTION]... [VAR=VALUE]...
     
    14651465if test -n "$ac_init_help"; then
    14661466  case $ac_init_help in
    1467      short | recursive ) echo "Configuration of dnscrypt-proxy 1.9.1:";;
     1467     short | recursive ) echo "Configuration of dnscrypt-proxy 1.9.5:";;
    14681468   esac
    14691469  cat <<\_ACEOF
     
    16131613if $ac_init_version; then
    16141614  cat <<\_ACEOF
    1615 dnscrypt-proxy configure 1.9.1
     1615dnscrypt-proxy configure 1.9.5
    16161616generated by GNU Autoconf 2.69
    16171617
     
    20822082running configure, to aid debugging if configure makes a mistake.
    20832083
    2084 It was created by dnscrypt-proxy $as_me 1.9.1, which was
     2084It was created by dnscrypt-proxy $as_me 1.9.5, which was
    20852085generated by GNU Autoconf 2.69.  Invocation command line was
    20862086
     
    30243024# Define the identity of the package.
    30253025 PACKAGE='dnscrypt-proxy'
    3026  VERSION='1.9.1'
     3026 VERSION='1.9.5'
    30273027
    30283028
     
    32333233fi
    32343234
     3235# Check whether --enable-silent-rules was given.
     3236if test "${enable_silent_rules+set}" = set; then :
     3237  enableval=$enable_silent_rules;
     3238fi
     3239
     3240case $enable_silent_rules in # (((
     3241  yes) AM_DEFAULT_VERBOSITY=0;;
     3242   no) AM_DEFAULT_VERBOSITY=1;;
     3243    *) AM_DEFAULT_VERBOSITY=0;;
     3244esac
     3245am_make=${MAKE-make}
     3246{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $am_make supports nested variables" >&5
     3247$as_echo_n "checking whether $am_make supports nested variables... " >&6; }
     3248if ${am_cv_make_support_nested_variables+:} false; then :
     3249  $as_echo_n "(cached) " >&6
     3250else
     3251  if $as_echo 'TRUE=$(BAR$(V))
     3252BAR0=false
     3253BAR1=true
     3254V=1
     3255am__doit:
     3256        @$(TRUE)
     3257.PHONY: am__doit' | $am_make -f - >/dev/null 2>&1; then
     3258  am_cv_make_support_nested_variables=yes
     3259else
     3260  am_cv_make_support_nested_variables=no
     3261fi
     3262fi
     3263{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_make_support_nested_variables" >&5
     3264$as_echo "$am_cv_make_support_nested_variables" >&6; }
     3265if test $am_cv_make_support_nested_variables = yes; then
     3266    AM_V='$(V)'
     3267  AM_DEFAULT_V='$(AM_DEFAULT_VERBOSITY)'
     3268else
     3269  AM_V=$AM_DEFAULT_VERBOSITY
     3270  AM_DEFAULT_V=$AM_DEFAULT_VERBOSITY
     3271fi
     3272AM_BACKSLASH='\'
     3273
    32353274
    32363275{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable maintainer-specific portions of Makefiles" >&5
     
    35743613
    35753614pkg_failed=no
    3576 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SYSTEMD" >&5
    3577 $as_echo_n "checking for SYSTEMD... " >&6; }
     3615{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libsystemd" >&5
     3616$as_echo_n "checking for libsystemd... " >&6; }
    35783617
    35793618if test -n "$SYSTEMD_CFLAGS"; then
     
    36153654
    36163655if test $pkg_failed = yes; then
    3617         { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
     3656        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
    36183657$as_echo "no" >&6; }
    36193658
     
    36343673
    36353674pkg_failed=no
    3636 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SYSTEMD_DAEMON" >&5
    3637 $as_echo_n "checking for SYSTEMD_DAEMON... " >&6; }
     3675{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libsystemd-daemon" >&5
     3676$as_echo_n "checking for libsystemd-daemon... " >&6; }
    36383677
    36393678if test -n "$SYSTEMD_DAEMON_CFLAGS"; then
     
    36753714
    36763715if test $pkg_failed = yes; then
    3677         { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
     3716        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
    36783717$as_echo "no" >&6; }
    36793718
     
    36933732        have_systemd=no
    36943733elif test $pkg_failed = untried; then
    3695         { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
     3734        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
    36963735$as_echo "no" >&6; }
    36973736        have_systemd=no
     
    37053744
    37063745elif test $pkg_failed = untried; then
    3707         { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
     3746        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
    37083747$as_echo "no" >&6; }
    37093748
    37103749
    37113750pkg_failed=no
    3712 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SYSTEMD_DAEMON" >&5
    3713 $as_echo_n "checking for SYSTEMD_DAEMON... " >&6; }
     3751{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libsystemd-daemon" >&5
     3752$as_echo_n "checking for libsystemd-daemon... " >&6; }
    37143753
    37153754if test -n "$SYSTEMD_DAEMON_CFLAGS"; then
     
    37513790
    37523791if test $pkg_failed = yes; then
    3753         { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
     3792        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
    37543793$as_echo "no" >&6; }
    37553794
     
    37693808        have_systemd=no
    37703809elif test $pkg_failed = untried; then
    3771         { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
     3810        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
    37723811$as_echo "no" >&6; }
    37733812        have_systemd=no
     
    37893828  case $with_systemd:$have_systemd in #(
    37903829  yes:no) :
    3791     as_fn_error $? "systemd expected but libsystemd not found" "$LINENO" 5 ;; #(
     3830    as_fn_error $? "systemd expected but libsystemd not found -- maybe you need to install the pkg-config and libsystemd-dev packages" "$LINENO" 5 ;; #(
    37923831  *:yes) :
    37933832
     
    1509415133done
    1509515134
    15096 for ac_header in sandbox.h
     15135for ac_header in sandbox.h linux/filter.h linux/random.h
    1509715136do :
    15098   ac_fn_c_check_header_mongrel "$LINENO" "sandbox.h" "ac_cv_header_sandbox_h" "$ac_includes_default"
    15099 if test "x$ac_cv_header_sandbox_h" = xyes; then :
     15137  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
     15138ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
     15139if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
    1510015140  cat >>confdefs.h <<_ACEOF
    15101 #define HAVE_SANDBOX_H 1
     15141#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
    1510215142_ACEOF
    1510315143
     
    1575215792fi
    1575315793
    15754 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing clock_gettime" >&5
     15794
     15795if test "$host_vendor" = "apple"; then :
     15796
     15797else
     15798
     15799  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing clock_gettime" >&5
    1575515800$as_echo_n "checking for library containing clock_gettime... " >&6; }
    1575615801if ${ac_cv_search_clock_gettime+:} false; then :
     
    1581015855fi
    1581115856
     15857
     15858fi
    1581215859
    1581315860{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing backtrace" >&5
     
    1744117488
    1744217489
    17443 ac_config_files="$ac_config_files Makefile contrib/Makefile dist-build/Makefile dnscrypt-update-resolvers.sh man/Makefile src/Makefile src/hostip/Makefile src/proxy/Makefile src/ext/Makefile src/include/Makefile src/include/dnscrypt/version.h src/plugins/Makefile src/plugins/example/Makefile src/plugins/example-cache/Makefile src/plugins/example-logging/Makefile src/plugins/example-ldns-aaaa-blocking/Makefile src/plugins/example-ldns-blocking/Makefile src/plugins/example-ldns-forwarding/Makefile src/plugins/vendor-specific/example-ldns-opendns-deviceid/Makefile src/plugins/vendor-specific/example-ldns-opendns-set-client-ip/Makefile test/Makefile"
     17490ac_config_files="$ac_config_files Makefile contrib/Makefile dist-build/Makefile man/Makefile src/Makefile src/hostip/Makefile src/proxy/Makefile src/ext/Makefile src/include/Makefile src/include/dnscrypt/version.h src/plugins/Makefile src/plugins/example/Makefile src/plugins/example-cache/Makefile src/plugins/example-logging/Makefile src/plugins/example-ldns-aaaa-blocking/Makefile src/plugins/example-ldns-blocking/Makefile src/plugins/example-ldns-forwarding/Makefile src/plugins/vendor-specific/example-ldns-opendns-deviceid/Makefile src/plugins/vendor-specific/example-ldns-opendns-set-client-ip/Makefile test/Makefile"
    1744417491
    1744517492
     
    1802418071# values after options handling.
    1802518072ac_log="
    18026 This file was extended by dnscrypt-proxy $as_me 1.9.1, which was
     18073This file was extended by dnscrypt-proxy $as_me 1.9.5, which was
    1802718074generated by GNU Autoconf 2.69.  Invocation command line was
    1802818075
     
    1809018137ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
    1809118138ac_cs_version="\\
    18092 dnscrypt-proxy config.status 1.9.1
     18139dnscrypt-proxy config.status 1.9.5
    1809318140configured by $0, generated by GNU Autoconf 2.69,
    1809418141  with options \\"\$ac_cs_config\\"
     
    1850818555    "contrib/Makefile") CONFIG_FILES="$CONFIG_FILES contrib/Makefile" ;;
    1850918556    "dist-build/Makefile") CONFIG_FILES="$CONFIG_FILES dist-build/Makefile" ;;
    18510     "dnscrypt-update-resolvers.sh") CONFIG_FILES="$CONFIG_FILES dnscrypt-update-resolvers.sh" ;;
    1851118557    "man/Makefile") CONFIG_FILES="$CONFIG_FILES man/Makefile" ;;
    1851218558    "src/Makefile") CONFIG_FILES="$CONFIG_FILES src/Makefile" ;;
  • src/router/dnscrypt/configure.ac

    r31742 r32055  
    11AC_PREREQ([2.65])
    2 AC_INIT([dnscrypt-proxy],[1.9.1],[https://dnscrypt.org])
     2AC_INIT([dnscrypt-proxy],[1.9.5],[https://dnscrypt.org])
    33AC_CONFIG_MACRO_DIR([m4])
    44AC_CONFIG_AUX_DIR([libltdl/config])
     
    77AC_CONFIG_SUBDIRS([src/libevent-modified])
    88AC_CANONICAL_HOST
    9 AM_INIT_AUTOMAKE([1.9 dist-bzip2 tar-ustar gnu subdir-objects])
     9AM_INIT_AUTOMAKE([1.11 dist-bzip2 tar-ustar gnu subdir-objects])
     10m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
    1011AM_MAINTAINER_MODE
    1112AM_DEP_TRACK
     
    118119  AS_CASE([$with_systemd:$have_systemd],
    119120    [yes:no],
    120       [AC_MSG_ERROR([systemd expected but libsystemd not found])],
     121      [AC_MSG_ERROR([systemd expected but libsystemd not found -- maybe you need to install the pkg-config and libsystemd-dev packages])],
    121122    [*:yes],
    122123       AC_DEFINE([HAVE_LIBSYSTEMD], [1], [Define if libsystemd is available])
     
    273274AC_CHECK_HEADERS([sys/cdefs.h sys/feature_tests.h])
    274275AC_CHECK_HEADERS([execinfo.h paths.h pwd.h grp.h uuid/uuid.h])
    275 AC_CHECK_HEADERS([sandbox.h])
     276AC_CHECK_HEADERS([sandbox.h linux/filter.h linux/random.h])
    276277AC_CHECK_HEADERS([ws2tcpip.h])
    277278
     
    401402AC_SEARCH_LIBS(pow, [m])
    402403AC_SEARCH_LIBS(dlopen, [dl])
    403 AC_SEARCH_LIBS(clock_gettime, [rt],
    404   [AC_DEFINE(HAVE_CLOCK_GETTIME,[1],[define if you have clock_gettime()])])
     404
     405AS_IF([test "$host_vendor" = "apple"], [],[
     406  AC_SEARCH_LIBS(clock_gettime, [rt],
     407    [AC_DEFINE(HAVE_CLOCK_GETTIME,[1],[define if you have clock_gettime()])])
     408])
    405409
    406410AC_SEARCH_LIBS(backtrace, [execinfo],
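Review bot: the new AS_IF on lines 405-408 skips the clock_gettime probe whenever "$host_vendor" = "apple", with no comment explaining why, so HAVE_CLOCK_GETTIME is never defined for any Apple target regardless of what the SDK provides. Add a dnl comment giving the reason (src/libevent-modified/configure.ac gets the same treatment in this changeset) and consider a feature or deployment-target test instead of matching on the vendor string.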
     
    476480                 contrib/Makefile
    477481                 dist-build/Makefile
    478                  dnscrypt-update-resolvers.sh
    479482                 man/Makefile
    480483                 src/Makefile
  • src/router/dnscrypt/contrib/Makefile.am

    r31742 r32055  
    11EXTRA_DIST = \
     2        dnscrypt-update-resolvers.sh.in \
     3        domains-blacklist-local-additions.txt \
    24        domains-blacklist.conf \
    35        generate-domains-blacklist.py \
    4         domains-blacklist-local-additions.txt
     6        resolvers-check.sh
     7
     8noinst_SCRIPTS = \
     9        dnscrypt-update-resolvers.sh
     10
     11dnscrypt-update-resolvers.sh: dnscrypt-update-resolvers.sh.in
     12        $(SED) \
     13        -e 's|[@]datadir@|$(datadir)|g' \
     14        -e 's|[@]PACKAGE@|$(PACKAGE)|g' \
     15        < dnscrypt-update-resolvers.sh.in > dnscrypt-update-resolvers.sh
     16        chmod u+rwx,go+rx dnscrypt-update-resolvers.sh
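Review bot: the dnscrypt-update-resolvers.sh rule redirects the $(SED) output straight into the target, so a failing sed leaves a truncated script with a fresh timestamp that make will treat as up to date. Write to a temporary name and mv it into place once sed succeeds. The generated script is also not added to CLEANFILES in this hunk, so it will survive make clean.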
  • src/router/dnscrypt/contrib/Makefile.in

    r31742 r32055  
    1414
    1515@SET_MAKE@
     16
    1617VPATH = @srcdir@
    1718am__is_gnu_make = { \
     
    103104CONFIG_CLEAN_FILES =
    104105CONFIG_CLEAN_VPATH_FILES =
     106SCRIPTS = $(noinst_SCRIPTS)
    105107AM_V_P = $(am__v_P_@AM_V@)
    106108am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
     
    274276top_srcdir = @top_srcdir@
    275277EXTRA_DIST = \
     278        dnscrypt-update-resolvers.sh.in \
     279        domains-blacklist-local-additions.txt \
    276280        domains-blacklist.conf \
    277281        generate-domains-blacklist.py \
    278         domains-blacklist-local-additions.txt
     282        resolvers-check.sh
     283
     284noinst_SCRIPTS = \
     285        dnscrypt-update-resolvers.sh
    279286
    280287all: all-am
     
    355362check-am: all-am
    356363check: check-am
    357 all-am: Makefile
     364all-am: Makefile $(SCRIPTS)
    358365installdirs:
    359366install: install-am
     
    470477
    471478
     479dnscrypt-update-resolvers.sh: dnscrypt-update-resolvers.sh.in
     480        $(SED) \
     481        -e 's|[@]datadir@|$(datadir)|g' \
     482        -e 's|[@]PACKAGE@|$(PACKAGE)|g' \
     483        < dnscrypt-update-resolvers.sh.in > dnscrypt-update-resolvers.sh
     484        chmod u+rwx,go+rx dnscrypt-update-resolvers.sh
     485
    472486# Tell versions [3.59,3.63) of GNU make to not export all variables.
    473487# Otherwise a system limit (for SysV at least) may be exceeded.
  • src/router/dnscrypt/contrib/domains-blacklist.conf

    r31742 r32055  
    55#   domains-blacklist-local-additions.txt file.                                  #
    66#                                                                                #
    7 #   Comment the URLs of the sources you want to disable, and run the script to   #
    8 #   build the dnscrypt-blacklist-domains.txt file:                               #
     7#   The default configuration is just indicative, and corresponds to the one     #
     8#   used to produce the public "mybase" set.                                     #
     9#                                                                                #
     10#   Comment the URLs of the sources you want to disable, comment out the one     #
     11#   you would like to enable, and run the script to build the                    #
     12#   dnscrypt-blacklist-domains.txt file:                                         #
    913#                                                                                #
    1014#   $  generate-domains-blacklist.py > dnscrypt-blacklist-domains.txt            #
     15#                                                                                #
     16#   Domains that should never be blocked can be put into a file named            #
     17#   domains-whitelist.txt.                                                       #
    1118#                                                                                #
    1219#   That blacklist file can then be used in the dnscrypt-proxy configuration:    #
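Review bot: the new header text on lines 10-11 says "comment out the one you would like to enable", which states the opposite of what is meant; it should read "uncomment the ones you would like to enable". The added paragraph on domains-whitelist.txt could also mention the new -w option of generate-domains-blacklist.py, since that is how the file name is passed in.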
     
    6673# Basic tracking list by Disconnect
    6774https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
     75
     76# Sysctl list (ads)
     77http://sysctl.org/cameleon/hosts
     78
     79# KAD host file (fraud/adware) - https://github.com/azet12/KADhosts
     80https://raw.githubusercontent.com/azet12/KADhosts/master/KADhosts.txt
     81
     82# Dan Pollock's hosts list
     83http://someonewhocares.org/hosts/hosts
     84
     85# Websites potentially publishing fake news
     86# https://raw.githubusercontent.com/marktron/fakenews/master/fakenews
     87
     88# Quidsup NoTrack - Contains too many false positives to be enabled by default
     89# https://raw.githubusercontent.com/quidsup/notrack/master/trackers.txt
     90
     91# Dynamic DNS services, sadly often used by malware
     92# http://mirror2.malwaredomains.com/files/dynamic_dns.txt
     93
     94# Block pornography
     95# https://raw.githubusercontent.com/Clefspeare13/pornhosts/master/0.0.0.0/hosts
     96# https://raw.githubusercontent.com/Sinfonietta/hostfiles/master/pornography-hosts
     97# http://securemecca.com/Downloads/hosts.txt
     98
     99# Block gambling sites
     100# https://raw.githubusercontent.com/Sinfonietta/hostfiles/master/gambling-hosts
     101
     102# Block social media sites
     103# https://raw.githubusercontent.com/Sinfonietta/hostfiles/master/social-hosts
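Review bot: two of the sources enabled by default in this hunk, http://sysctl.org/cameleon/hosts and http://someonewhocares.org/hosts/hosts, are fetched over plain HTTP, so anyone on the network path can add or remove entries in the generated blacklist. Prefer HTTPS mirrors where they exist, or leave the plain-HTTP sources commented out by default like http://mirror2.malwaredomains.com/files/dynamic_dns.txt and http://securemecca.com/Downloads/hosts.txt below.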
  • src/router/dnscrypt/contrib/generate-domains-blacklist.py

    r31742 r32055  
    11#! /usr/bin/env python
    22
     3# run with python generate-domains-blacklist.py > list.txt.tmp && mv -f list.txt.tmp list
     4
     5import argparse
    36import re
    47import sys
     
    811def parse_blacklist(content, trusted=False):
    912    rx_comment = re.compile(r'^(#|$)')
     13    rx_inline_comment = re.compile(r'\s*#\s*[a-z0-9-].*$')
    1014    rx_u = re.compile(r'^@*\|\|([a-z0-9.-]+[.][a-z]{2,})\^?(\$(popup|third-party))?$')
    1115    rx_l = re.compile(r'^([a-z0-9.-]+[.][a-z]{2,})$')
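Review bot: rx_inline_comment on new line 13 only matches when the first character after "#" is in [a-z0-9-], so an inline comment that starts with an uppercase letter or punctuation is not stripped and the whole line then fails rx_u and rx_l, unless the line is lower-cased earlier in code not shown here. If any trailing comment should be removed, r'\s*#.*$' is simpler; if the restriction is deliberate, a comment saying what it protects would help.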
     
    2327        if rx_comment.match(line):
    2428            continue
     29        line = rx_inline_comment.sub('', line)
    2530        for rx in rx_set:
    2631            matches = rx.match(line)
     
    3237
    3338
    34 def blacklist_from_url(url):
     39def list_from_url(url):
    3540    sys.stderr.write("Loading data from [{}]\n".format(url))
    3641    req = urllib2.Request(url)
     
    4247        response = urllib2.urlopen(req, timeout=10)
    4348    except urllib2.URLError as err:
    44         sys.stderr.write("[{}] could not be loaded: {}\n".format(err))
     49        sys.stderr.write("[{}] could not be loaded: {}\n".format(url, err))
    4550        exit(1)
    4651    if trusted is False and response.getcode() != 200:
     
    4853        exit(1)
    4954    content = response.read()
     55
    5056    return parse_blacklist(content, trusted)
    5157
    5258
    5359def name_cmp(name):
    54     parts = name.split('.')
     60    parts = name.split(".")
    5561    parts.reverse()
    56     return str.join('.', parts)
     62    return str.join(".", parts)
    5763
    5864
     
    6773
    6874
    69 def blacklists_from_config_file(file):
     75def whitelist_from_url(url):
     76    if not url:
     77        return set()
     78
     79    return list_from_url(url)
     80
     81
     82def blacklists_from_config_file(file, whitelist):
    7083    blacklists = {}
    7184    all_names = set()
    7285    unique_names = set()
     86
     87    if whitelist and not re.match(r'^[a-z0-9]+:', whitelist):
     88        whitelist = "file:" + whitelist
     89
     90    whitelisted_names = whitelist_from_url(whitelist)
    7391
    7492    with open(file) as fd:
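Review bot: the scheme test on new line 87, re.match(r'^[a-z0-9]+:', whitelist), passes anything that looks like a URL to list_from_url unchanged, so the whitelist can be a remote http:// source, and a lowercase Windows path such as c:\lists\wl.txt is taken for a URL with scheme "c". A whitelist removes entries from the block list, so a tampered one fails open; consider accepting only local paths here, or documenting that remote whitelists are intended.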
     
    7896                continue
    7997            url = line
    80             names = blacklist_from_url(url)
     98            names = list_from_url(url)
    8199            blacklists[url] = names
    82100            all_names |= names
     
    84102    for url, names in blacklists.items():
    85103        print("\n\n########## Blacklist from {} ##########\n".format(url))
    86         ignored = 0
     104        ignored, whitelisted = 0, 0
    87105        list_names = list()
    88106        for name in names:
    89107            if has_suffix(all_names, name) or name in unique_names:
    90108                ignored = ignored + 1
     109            elif has_suffix(whitelisted_names, name) or name in whitelisted_names:
     110                whitelisted = whitelisted + 1
    91111            else:
    92112                list_names.append(name)
     
    96116        if ignored:
    97117            print("# Ignored duplicates: {}\n".format(ignored))
     118        if whitelisted:
     119            print("# Ignored entries due to the whitelist: {}\n".format(whitelisted))
    98120        for name in list_names:
    99121            print(name)
    100122
    101123
    102 blacklists_from_config_file("domains-blacklist.conf")
     124argp = argparse.ArgumentParser(description="Create a unified blacklist from a set of local and remote files")
     125argp.add_argument("-c", "--config", default="domains-blacklist.conf",
     126    help="file containing blacklist sources")
     127argp.add_argument("-w", "--whitelist", default="domains-whitelist.txt",
     128    help="file containing a set of names to exclude from the blacklist")
     129args = argp.parse_args()
     130
     131conf = args.config
     132whitelist = args.whitelist
     133
     134blacklists_from_config_file(conf, whitelist)
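Review bot: the -w default of "domains-whitelist.txt" on new line 127 means a whitelist is always requested, and it is loaded through list_from_url, whose URLError branch (new lines 48-50 above) calls exit(1). Unless the lines not shown handle a missing file, running the script in a directory without domains-whitelist.txt aborts before any blacklist is written. Default to no whitelist, or treat a missing default file as an empty set. The argument parsing and the final call would also be better placed under an if __name__ == "__main__": guard.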
  • src/router/dnscrypt/dist-build/android-build.sh

    r31742 r32055  
    1 # dnscrypt ---------
    21#! /bin/sh
    32
     
    87  export NDK_PLATFORM_COMPAT="${NDK_PLATFORM_COMPAT:-${NDK_PLATFORM}}"
    98fi
     9
     10export NDK_API_VERSION=$(echo "$NDK_PLATFORM" | sed 's/^android-//')
     11export NDK_API_VERSION_COMPAT=$(echo "$NDK_PLATFORM_COMPAT" | sed 's/^android-//')
    1012
    1113if [ -z "$ANDROID_NDK_HOME" ]; then
     
    2527fi
    2628
    27 export MAKE_TOOLCHAIN="${ANDROID_NDK_HOME}/build/tools/make-standalone-toolchain.sh"
     29export MAKE_TOOLCHAIN="${ANDROID_NDK_HOME}/build/tools/make_standalone_toolchain.py"
    2830
    2931export PREFIX="$(pwd)/dnscrypt-proxy-android-${TARGET_ARCH}"
     
    5355fi
    5456
    55 bash $MAKE_TOOLCHAIN --platform="${NDK_PLATFORM:-android-16}" \
    56     --arch="$ARCH" --install-dir="$TOOLCHAIN_DIR" && \
     57env - PATH="$PATH" \
     58    $MAKE_TOOLCHAIN --force --api="$NDK_API_VERSION_COMPAT" \
     59    --unified-headers --arch="$ARCH" --install-dir="$TOOLCHAIN_DIR" && \
    5760./configure \
    5861    --bindir="${PREFIX}/system/xbin" \
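Review bot: the old invocation fell back to android-16 via "${NDK_PLATFORM:-android-16}", but the new one on lines 57-59 passes --api="$NDK_API_VERSION_COMPAT" with no fallback, so an unset or unexpected NDK_PLATFORM_COMPAT reaches make_standalone_toolchain.py as an empty or non-numeric API level. Validate the value after the sed on line 11 and fail with a clear message. $MAKE_TOOLCHAIN is also unquoted, so an ANDROID_NDK_HOME containing spaces breaks the call, and --force silently replaces whatever is already in $TOOLCHAIN_DIR.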
     
    6063    --disable-soname-versions \
    6164    --disable-plugins \
     65    --disable-shared \
    6266    --enable-relaxed-plugins-permissions \
    6367    --host="${HOST_COMPILER}" \
    6468    --prefix="${PREFIX}/system" \
    6569    --sbindir="${PREFIX}/system/xbin" \
    66     --sysconfdir="${PREFIX}/system/etc" \
     70    --sysconfdir="${PREFIX}/system/etc/dnscrypt-proxy" \
    6771    --with-sysroot="${TOOLCHAIN_DIR}/sysroot" && \
    6872make clean && \
  • src/router/dnscrypt/dist-build/android-files/system/etc/init.d/99dnscrypt

    r31742 r32055  
    22
    33while :; do
    4 #check first server
     4# check first server
    55        RESOLVER_NAME=dnscrypt.org-fr
    66        dnscrypt-proxy \
    77        --resolver-name="$RESOLVER_NAME" \
    88        --resolvers-list=/system/etc/dnscrypt-proxy/dnscrypt-resolvers.csv \
    9         --test=3600
     9        --test=700
    1010        case "$?" in
    1111                0 ) break;;
    1212        esac
    13         sleep 1
    1413
    1514# check second server (servers go down pretty often)
    16         RESOLVER_NAME=okturtles
     15        RESOLVER_NAME=random
    1716        dnscrypt-proxy \
    1817        --resolver-name="$RESOLVER_NAME" \
    1918        --resolvers-list=/system/etc/dnscrypt-proxy/dnscrypt-resolvers.csv \
    20         --test=3600
     19        --test=700
    2120        case "$?" in
    2221                0 ) break;;
    2322        esac
    24         sleep 1
     23
     24        sleep 5
    2525done
    2626
    2727dnscrypt-proxy \
    2828--daemonize \
    29 --loglevel=3 \
     29--pidfile=/data/local/tmp/dnscrypt-proxy.pid \
    3030--resolver-name="$RESOLVER_NAME" \
    3131--resolvers-list=/system/etc/dnscrypt-proxy/dnscrypt-resolvers.csv && \
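Review bot: the new --pidfile=/data/local/tmp/dnscrypt-proxy.pid on line 29 puts a file written by the daemon into /data/local/tmp, which on Android is normally writable by the unprivileged shell user; a pre-planted symlink there could redirect the write. Use a directory only the daemon's user can write to. Separately, with RESOLVER_NAME=random on line 15 the --test=700 probe and the final --daemonize run each resolve "random" on their own, so the resolver that passed the test is not necessarily the one the daemon ends up using.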
  • src/router/dnscrypt/dist-build/ios.sh

    r31742 r32055  
    1414export LDFLAGS="$LDFLAGS -L${SODIUM_IOS_PREFIX}/lib"
    1515
    16 ./configure --host=arm-apple-darwin10 \
    17             --disable-shared \
    18             --disable-plugins \
    19             --prefix="$PREFIX" && \
     16./configure \
     17    --datadir="${PREFIX}/etc" \
     18    --disable-plugins \
     19    --disable-shared \
     20    --enable-relaxed-plugins-permissions \
     21    --host=arm-apple-darwin10 \
     22    --prefix="${PREFIX}" \
     23    --sysconfdir="${PREFIX}/etc/dnscrypt-proxy" && \
     24make clean && \
    2025make -j3 install && \
    21 sed 's#/usr/local/#/usr/#g' < org.dnscrypt.osx.DNSCryptProxy.plist > \
    22   "$PREFIX/org.dnscrypt.osx.DNSCryptProxy.plist" && \
    23 cp README-iOS.markdown "$PREFIX/" && \
    24 echo "dnscrypt-proxy has been installed into $PREFIX" && \
     26rm -fr "${PREFIX}/include" "${PREFIX}/share" "${PREFIX}/man" && \
     27install -m 644 org.dnscrypt.osx.DNSCryptProxy.plist "${PREFIX}/org.dnscrypt.osx.DNSCryptProxy.plist" && \
     28cp README-iOS.markdown "${PREFIX}/" && \
     29echo "dnscrypt-proxy has been installed into ${PREFIX}" && \
    2530echo 'Now, using codesign(1) to sign dnscrypt-proxy'
  • src/router/dnscrypt/dist-build/osx.sh

    r31742 r32055  
    11#! /bin/sh
    22
    3 export CFLAGS="-mmacosx-version-min=10.8 -march=core2 -O2 -g"
    4 export LDFLAGS="-mmacosx-version-min=10.8 -march=core2 -O2 -g"
     3export CFLAGS="-mmacosx-version-min=10.10 -march=core2 -O2 -g"
     4export LDFLAGS="-mmacosx-version-min=10.10 -march=core2 -O2 -g"
    55
    66./configure --with-included-ltdl \
  • src/router/dnscrypt/dist-build/win32-win64-xcompile.sh

    r31742 r32055  
    22
    33set -x
     4cd $(dirname $(readlink -f "$0"))
    45
    56setup() {
    67
     8  pacman -Syu --noconfirm
    79  pacman -Sy --noconfirm \
    810    base-devel git libtool autoconf automake \
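Review bot: the new line 4, cd $(dirname $(readlink -f "$0")), leaves both command substitutions unquoted and does not check the result, so a checkout path containing spaces makes cd fail and the rest of the script then runs from whatever directory it was started in. Quote it and stop on failure, for example cd "$(dirname "$(readlink -f "$0")")" || exit 1. The added pacman -Syu --noconfirm on line 8 performs a full system upgrade on every setup, which makes release builds depend on whatever the mirrors serve that day; consider pinning or at least logging the package versions used.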
     
    110112      --bindir="$RELEASE_DIR" \
    111113      --datarootdir="$RELEASE_DIR" \
     114      --docdir="${RELEASE_DIR}/doc" \
    112115      --exec-prefix="$RELEASE_DIR" \
    113116      --prefix="$RELEASE_DIR" \
     
    122125    rm -fr ${RELEASE_DIR}/man
    123126    rm -fr ${RELEASE_DIR}/pkgconfig
     127    cp README-WINDOWS.markdown "${RELEASE_DIR}/doc"
     128    rm -f "${RELEASE_DIR}/doc/dnscrypt-proxy.conf"
    124129    cp ${DEPS_DIR}/bin/*.dll $RELEASE_DIR
    125130    rm ${RELEASE_DIR}/libtls-*.dll
  • src/router/dnscrypt/dnscrypt-proxy.conf

    r31742 r32055  
    1111## Usually the only thing you need to change in this configuration file.
    1212## This corresponds to the first column in the dnscrypt-resolvers.csv file.
    13 
    14 ResolverName please-change-the-resolver-name-in-the-config-file
     13## Alternatively, "random" (without quotes) picks a random random resolver
     14## accessible over IPv4, that doesn't log and supports DNSSEC.
     15
     16ResolverName random
    1517
    1618
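Review bot: changing the shipped default from the placeholder please-change-the-resolver-name-in-the-config-file to ResolverName random on line 16 means an unedited install now sends all DNS queries to an arbitrary third-party resolver instead of refusing to start until the operator picks one. If that is intended, the comment should say so explicitly and point at dnscrypt-resolvers.csv for what "doesn't log" is based on. The new comment on line 13 also has a doubled word: "a random random resolver".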
     
    2628## Manual settings, only for a custom resolver not present in the CSV file
    2729
    28 # ProviderName    dnscrypt.resolver.example
     30# ProviderName    2.dnscrypt.resolver.example
    2931# ProviderKey     E801:B84E:A606:BFB0:BAC0:CE43:445B:B15E:BA64:B02F:A3C4:AA31:AE10:636A:0790:324D
    3032# ResolverAddress 203.0.113.1:443
     
    3436############## Process options ##############
    3537
    36 ## Run the proxy as a background process
     38## [NOT AVAILABLE ON WINDOWS] Run the proxy as a background process.
    3739## Unless you are using systemd, you probably want to change this to "yes"
    3840## after having verified that the rest of the configuration works as expected.
     
    108110
    109111
    110 ## Forward queries for specific domains to one or more non-DNSCrypt resolvers.
     112## Forward queries for specific zones to one or more non-DNSCrypt resolvers.
    111113## For instance, this can be used to redirect queries for local domains to
    112114## the router, or queries for an internal domain to an internal DNS server.
    113 ## Multiple whitespace-delimited domains and IP addresses can be specified.
     115## Multiple whitespace-delimited zones and IP addresses can be specified.
    114116## Do not enable this unless you absolutely know you need it.
    115 ## If you see useless queries to these domains, you'd better block them with
     117## If you see useless queries to these zones, you'd better block them with
    116118## the BlackList feature instead of sending them in clear text to the router.
    117119## This uses a plugin that requires dnscrypt-proxy to be compiled with
     
    231233
    232234# Test 2880
     235
     236
     237
     238############## Recursive configuration ##############
     239
     240## A configuration file can include other configuration files by inserting
     241## the `Include` directive anywhere (the full path required, no quotes):
     242
     243# Include /etc/dnscrypt-proxy-common.conf
  • src/router/dnscrypt/dnscrypt-resolvers.csv

    r32054 r32055  
    11Name,"Full name","Description","Location","Coordinates",URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
    22adguard-dns-family-ns1,"Adguard DNS Family Protection 1","Adguard DNS with safesearch and adult content blocking","Anycast","",https://adguard.com/en/adguard-dns/overview.html,1,no,yes,no,176.103.130.132:5443,2.dnscrypt.family.ns1.adguard.com,B831:5DD7:B14B:6EE3:20A4:70DC:2ED6:B1AA:398C:C9E5:86F8:5D45:45D6:B8C9:B500:5ABA,pk.family.ns1.adguard.com
    3 adguard-dns-family-ns2,"Adguard DNS Family Protection 2","Adguard DNS with safesearch and adult content blocking","Anycast","",https://adguard.com/en/adguard-dns/overview.html,1,no,yes,no,176.103.130.134:5443,2.dnscrypt.family.ns2.adguard.com,8C21:17A9:EBC1:57D6:FB64:056F:0ADB:C11C:5D83:6734:73C4:6E25:8D9B:2F57:D4EE:351F,pk.family.ns2.adguard.com
    43adguard-dns-ns1,"Adguard DNS 1","Remove ads and protect your computer from malware","Anycast","",https://adguard.com/en/adguard-dns/overview.html,1,no,yes,no,176.103.130.130:5443,2.dnscrypt.default.ns1.adguard.com,D12B:47F2:52DC:F2C2:BBF8:9910:86EA:F79C:E449:5D8B:16C8:A0C4:322E:52CA:3F39:0873,pk.default.ns1.adguard.com
    5 adguard-dns-ns2,"Adguard DNS 2","Remove ads and protect your computer from malware","Anycast","",https://adguard.com/en/adguard-dns/overview.html,1,no,yes,no,176.103.130.131:5443,2.dnscrypt.default.ns2.adguard.com,81D0:02D3:6A4C:A50C:473B:7479:650F:E12E:02B3:21CB:6138:562A:208E:403D:FDC5:5E94,pk.default.ns2.adguard.com
    64bn-ca0,"Babylon Network Canada 0","Non-logging, uncensored DNS resolver provided by Babylon Network","Quebec, Canada","",https://babylon.network,1,no,yes,no,149.56.229.28:5353,2.dnscrypt-cert.babylon.network,8794:070A:143D:35CA:1CA6:32E7:B189:3028:4EAE:5DAF:EBB4:01E3:DF52:E9F0:37AB:D182,pk.ca0.dnscrypt.babylon.network
    75bn-ca0-ipv6,"Babylon Network Canada 0 (IPv6)","Non-logging, uncensored IPv6 DNS resolver provided by Babylon Network","Quebec, Canada","",https://babylon.network,1,no,yes,no,[2607:5300:60:3a71::28]:5353,2.dnscrypt-cert.babylon.network,8794:070A:143D:35CA:1CA6:32E7:B189:3028:4EAE:5DAF:EBB4:01E3:DF52:E9F0:37AB:D182,pk.ca0.dnscrypt.babylon.network
     
    4543d0wn-au-ns1,"D0wn Resolver Australia 01","Server provided by Martin 'd0wn' Albus","Australia","",https://dns.d0wn.biz,1,yes,yes,no,27.100.36.191,2.dnscrypt-cert.au.d0wn.biz,A7D9:0F8E:9A98:1381:176A:3D25:36DE:E865:8538:9CD8:78BC:C3B5:A146:23F1:C2EF:58D8,pubkey.au.dnscrypt.d0wn.biz
    4644d0wn-au-ns1-ipv6,"D0wn Resolver Australia 01 over IPv6","Server provided by Martin 'd0wn' Albus","Australia","",https://dns.d0wn.biz,1,yes,yes,no,[2402:9e80:1::1:e554]:443,2.dnscrypt-cert.au.d0wn.biz,A7D9:0F8E:9A98:1381:176A:3D25:36DE:E865:8538:9CD8:78BC:C3B5:A146:23F1:C2EF:58D8,pubkey.au.dnscrypt.d0wn.biz
     45d0wn-au-ns2,"D0wn Resolver Australia 02","Server provided by Martin 'd0wn' Albus","Australia","",https://dns.d0wn.biz,1,yes,yes,no,153.92.44.147,2.dnscrypt-cert.au2.d0wn.biz,9BA0:92E1:ACA6:D69B:597F:18BC:F654:5C63:DA36:09CF:FBFC:7550:54EB:2FF7:0CA8:DF87,pubkey.au2.dnscrypt.d0wn.biz
    4746d0wn-bg-ns1,"D0wn Resolver Bulgaria 01","Server provided by Martin 'd0wn' Albus","Bulgaria","",https://dns.d0wn.biz,1,yes,yes,no,217.12.203.133,2.dnscrypt-cert.bg.d0wn.biz,423C:D823:B3EA:2015:F027:ECF1:5704:3EB7:764A:D02D:9447:56E6:51FD:D06F:E571:2FCC,pubkey.bg.dnscrypt.d0wn.biz
    4847d0wn-cr-ns1,"D0wn Resolver Costa Rica 01","Server provided by Martin 'd0wn' Albus","Costa Rica","",https://dns.d0wn.biz,1,yes,yes,no,138.59.17.208,2.dnscrypt-cert.cr.d0wn.biz,408B:5064:1EF0:575F:EC9A:BBF6:FC0A:F83A:F434:22BD:03FA:2663:81B3:DADD:1312:5A85,pubkey.cr.dnscrypt.d0wn.biz
     
    5958d0wn-gr-ns1,"D0wn Resolver Greece 01","Server provided by Martin 'd0wn' Albus","Greece","",https://dns.d0wn.biz,1,yes,yes,no,85.25.105.193,2.dnscrypt-cert.gr.d0wn.biz,B19C:0B5C:48F2:58FA:0BE4:67F4:5F50:BC7F:985F:C544:8A4F:BC9D:5574:5A35:5701:8009,pubkey.gr.dnscrypt.d0wn.biz
    6059d0wn-hk-ns1,"D0wn Resolver Hongkong 01","Server provided by Martin 'd0wn' Albus","Hongkong","",https://dns.d0wn.biz,1,yes,yes,no,45.124.66.200,2.dnscrypt-cert.hk.d0wn.biz,84ED:0DFF:7967:5DBD:2D93:65A2:A6AB:7F90:146F:A50B:048C:8C75:651B:AA55:7129:6740,pubkey.hk.dnscrypt.d0wn.biz
     60d0wn-hk-ns3,"D0wn Resolver Hongkong 03","Server provided by Martin 'd0wn' Albus","Hongkong","",https://dns.d0wn.biz,1,yes,yes,no,176.126.71.163,2.dnscrypt-cert.hk3.d0wn.biz,7778:A684:6C56:1C95:1421:CC22:6AE8:8CAD:67EA:2D27:71C4:7D8C:CA56:1738:5B52:9D07,pubkey.hk3.dnscrypt.d0wn.biz
    6161d0wn-id-ns1,"D0wn Resolver Indonesia 01","Server provided by Martin 'd0wn' Albus","Indonesia","",https://dns.d0wn.biz,1,yes,yes,no,45.114.118.195,2.dnscrypt-cert.id.d0wn.biz,BE93:B3F1:2A3B:2448:8F33:F91F:9461:5F73:D5CA:56D6:C789:96DE:7A18:D4DE:5182:094D,pubkey.id.dnscrypt.d0wn.biz
    6262d0wn-is-ns1,"D0wn Resolver Iceland 01","Server provided by Martin 'd0wn' Albus","Iceland","",https://dns.d0wn.biz,1,yes,yes,no,37.235.49.61,2.dnscrypt-cert.is.d0wn.biz,2B28:974E:073A:6B38:722A:5BE1:F7A0:250C:508F:A809:238F:8F3D:76D8:6098:20D7:B2D9,pubkey.is.dnscrypt.d0wn.biz
     
    101101dnscrypt.nl-ns0-ipv6,"DNSCrypt.nl The Netherlands (NL) over IPv6","Public DNSCrypt server in Amsterdam, the Netherlands","Netherlands","",https://dnscrypt.nl,1,yes,yes,no,[2001:19f0:5001:30a:5400:ff:fe58:7140]:443,2.dnscrypt-cert.ns0.dnscrypt.nl,4C84:FB8C:0511:5DFA:5F97:C5ED:0329:1370:C78A:BCD6:4E15:DD53:AB08:DE72:FB84:4ACA,pkey.ns0.dnscrypt.nl
    102102dnscrypt.org-fr,"DNSCrypt.org France","DNSSEC/Non-logged/Uncensored - ARM server donated by Scaleway.com","Paris, France","",https://fr.dnscrypt.org,2,yes,yes,no,212.47.228.136,2.dnscrypt-cert.fr.dnscrypt.org,E801:B84E:A606:BFB0:BAC0:CE43:445B:B15E:BA64:B02F:A3C4:AA31:AE10:636A:0790:324D,pubkey.fr.dnscrypt.org
    103 freetsa.org,"FreeTSA USA DNSCrypt server","Non-logged/Uncensored provided by freetsa.org","California","","https://freetsa.org",1,"yes","yes","no",205.185.116.116:553,2.dnscrypt-cert.freetsa.org,D8FF:BB42:E031:BE7A:7973:0B45:568D:496A:4E8A:CB59:AA83:66FD:6AB9:1E27:2A7D:16E4,pubkey.freetsa.org
    104103fvz-anyone,"Primary OpenNIC Anycast DNS Resolver","Fusl's public primary OpenNIC Tier2 Anycast DNS Resolver","Anycast","",http://dnsrec.meo.ws/,1,no,yes,no,185.121.177.177:5353,2.dnscrypt-cert.dnsrec.meo.ws,1A6A:D0A3:2B4C:5A61:A695:D153:670D:69AB:1690:3F9E:C3F7:F64F:13E5:35A3:18B2:28A5,
    105104fvz-anyone-ipv6,"Primary OpenNIC Anycast DNS IPv6 Resolver","Fusl's public primary OpenNIC Tier2 Anycast DNS Resolver","Anycast","",http://dnsrec.meo.ws/,1,no,yes,no,[2a05:dfc7:5::53]:5353,2.dnscrypt-cert.dnsrec.meo.ws,1A6A:D0A3:2B4C:5A61:A695:D153:670D:69AB:1690:3F9E:C3F7:F64F:13E5:35A3:18B2:28A5,
  • src/router/dnscrypt/man/dnscrypt-proxy.8

    r31742 r32055  
    22.\" http://github.com/rtomayko/ronn/tree/0.7.3
    33.
    4 .TH "DNSCRYPT\-PROXY" "8" "January 2017" "" ""
     4.TH "DNSCRYPT\-PROXY" "8" "March 2017" "" ""
    55.
    66.SH "NAME"
     
    2828.
    2929.IP "\(bu" 4
    30 \fB\-R\fR, \fB\-\-resolver\-name=<name>\fR: name of the resolver to use, from the list of available resolvers (see \fB\-L\fR)\.
     30\fB\-R\fR, \fB\-\-resolver\-name=<name>\fR: name of the resolver to use, from the list of available resolvers (see \fB\-L\fR)\. Or \fBrandom\fR for a random resolver accessible over IPv4, that doesn\'t log and supports DNSSEC\.
    3131.
    3232.IP "\(bu" 4
  • src/router/dnscrypt/man/dnscrypt-proxy.8.markdown

    r31742 r32055  
    2525
    2626  * `-R`, `--resolver-name=<name>`: name of the resolver to use, from
    27     the list of available resolvers (see `-L`).
     27    the list of available resolvers (see `-L`). Or `random` for a random
     28    resolver accessible over IPv4, that doesn't log and supports DNSSEC.
    2829
    2930  * `-a`, `--local-address=<ip>[:port]`: what local IP the daemon will listen
  • src/router/dnscrypt/man/hostip.8

    r31742 r32055  
    22.\" http://github.com/rtomayko/ronn/tree/0.7.3
    33.
    4 .TH "HOSTIP" "8" "January 2017" "" ""
     4.TH "HOSTIP" "8" "March 2017" "" ""
    55.
    66.SH "NAME"
  • src/router/dnscrypt/src/libevent-modified/config.h.in

    r31742 r32055  
    2121/* Define to 1 if you have the <arpa/inet.h> header file. */
    2222#undef HAVE_ARPA_INET_H
    23 
    24 /* Define to 1 if you have the `clock_gettime' function. */
    25 #undef HAVE_CLOCK_GETTIME
    2623
    2724/* Define to 1 if you have the declaration of `CTL_KERN', and to 0 if you
  • src/router/dnscrypt/src/libevent-modified/configure

    r31742 r32055  
    32163216fi
    32173217
     3218# Check whether --enable-silent-rules was given.
     3219if test "${enable_silent_rules+set}" = set; then :
     3220  enableval=$enable_silent_rules;
     3221fi
     3222
     3223case $enable_silent_rules in # (((
     3224  yes) AM_DEFAULT_VERBOSITY=0;;
     3225   no) AM_DEFAULT_VERBOSITY=1;;
     3226    *) AM_DEFAULT_VERBOSITY=0;;
     3227esac
     3228am_make=${MAKE-make}
     3229{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $am_make supports nested variables" >&5
     3230$as_echo_n "checking whether $am_make supports nested variables... " >&6; }
     3231if ${am_cv_make_support_nested_variables+:} false; then :
     3232  $as_echo_n "(cached) " >&6
     3233else
     3234  if $as_echo 'TRUE=$(BAR$(V))
     3235BAR0=false
     3236BAR1=true
     3237V=1
     3238am__doit:
     3239        @$(TRUE)
     3240.PHONY: am__doit' | $am_make -f - >/dev/null 2>&1; then
     3241  am_cv_make_support_nested_variables=yes
     3242else
     3243  am_cv_make_support_nested_variables=no
     3244fi
     3245fi
     3246{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_make_support_nested_variables" >&5
     3247$as_echo "$am_cv_make_support_nested_variables" >&6; }
     3248if test $am_cv_make_support_nested_variables = yes; then
     3249    AM_V='$(V)'
     3250  AM_DEFAULT_V='$(AM_DEFAULT_VERBOSITY)'
     3251else
     3252  AM_V=$AM_DEFAULT_VERBOSITY
     3253  AM_DEFAULT_V=$AM_DEFAULT_VERBOSITY
     3254fi
     3255AM_BACKSLASH='\'
     3256
    32183257ac_config_headers="$ac_config_headers config.h"
    32193258
     
    1273712776fi
    1273812777
    12739 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing clock_gettime" >&5
     12778
     12779if test "$host_vendor" = "apple"; then :
     12780
     12781else
     12782
     12783  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing clock_gettime" >&5
    1274012784$as_echo_n "checking for library containing clock_gettime... " >&6; }
    1274112785if ${ac_cv_search_clock_gettime+:} false; then :
     
    1279312837fi
    1279412838
     12839
     12840fi
     12841
    1279512842{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing sendfile" >&5
    1279612843$as_echo_n "checking for library containing sendfile... " >&6; }
     
    1368013727
    1368113728
    13682 for ac_func in gettimeofday vasprintf fcntl clock_gettime strtok_r strsep
     13729for ac_func in gettimeofday vasprintf fcntl strtok_r strsep
    1368313730do :
    1368413731  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
  • src/router/dnscrypt/src/libevent-modified/configure.ac

    r31742 r32055  
    1414AC_CONFIG_SRCDIR([evdns.c])
    1515AM_INIT_AUTOMAKE
     16m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
    1617AC_CONFIG_HEADERS(config.h)
    1718AC_DEFINE(NUMERIC_VERSION, 0x02001700, [Numeric representation of the version])
     
    114115AC_SEARCH_LIBS([socket], [socket])
    115116AC_SEARCH_LIBS([inet_aton], [resolv])
    116 AC_SEARCH_LIBS([clock_gettime], [rt])
     117
     118AS_IF([test "$host_vendor" = "apple"], [],[
     119  AC_SEARCH_LIBS([clock_gettime], [rt])
     120])
     121
    117122AC_SEARCH_LIBS([sendfile], [sendfile])
    118123
     
    291296
    292297dnl Checks for library functions.
    293 AC_CHECK_FUNCS([gettimeofday vasprintf fcntl clock_gettime strtok_r strsep])
     298AC_CHECK_FUNCS([gettimeofday vasprintf fcntl strtok_r strsep])
    294299AC_CHECK_FUNCS([getnameinfo strlcpy inet_ntop inet_pton signal sigaction strtoll inet_aton pipe eventfd sendfile mmap splice arc4random arc4random_buf arc4random_addrandom issetugid geteuid getegid getprotobynumber setenv unsetenv putenv sysctl])
    295300AC_CHECK_FUNCS([umask])
  • src/router/dnscrypt/src/libevent-modified/evutil_rand.c

    r31742 r32055  
    4040#include "evthread-internal.h"
    4141
     42#include <stdlib.h>
    4243#ifdef _EVENT_HAVE_ARC4RANDOM
    43 #include <stdlib.h>
    4444#include <string.h>
    4545int
  • src/router/dnscrypt/src/plugins/example-cache/example-cache.c

    r31742 r32055  
    230230            }
    231231            assert(last_cache_entry_parent->next == scanned_cache_entry);
    232             last_cache_entry_parent->next = NULL;
     232            last_cache_entry_parent->next = scanned_cache_entry->next;
    233233            scanned_cache_entry->next = cache->cache_entries_frequent;
    234234            cache->cache_entries_frequent = scanned_cache_entry;
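Review bot: the corrected unlink on new line 232 relies on last_cache_entry_parent being the real predecessor of scanned_cache_entry, and the only check is the assert on line 231, which is compiled out under NDEBUG. The old assignment of NULL cut off every entry after the promoted one, so this deserves a short comment stating the invariant and a test that promotes an entry from the middle of the recent list and then verifies the remaining entries are still reachable.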
  • src/router/dnscrypt/src/plugins/example-ldns-blocking/example-ldns-blocking.c

    r31742 r32055  
    619619                break;
    620620            }
     621            if (found_key_len < owner_str_len) {
     622                size_t owner_part_len = owner_str_len;
     623
     624                while (owner_part_len > 0U && rev[owner_part_len] != '.') {
     625                    owner_part_len--;
     626                }
     627                rev[owner_part_len] = 0;
     628                if (owner_part_len > 0U && fpst_starts_with_existing_key
     629                    (blocking->domains_rev, rev, owner_part_len,
     630                     &found_key, &found_block_type)) {
     631                    const size_t found_key_len = strlen(found_key);
     632                    if (found_key_len <= owner_part_len &&
     633                        (rev[found_key_len] == 0 || rev[found_key_len] == '.')) {
     634                        block = 1;
     635                        break;
     636                    }
     637                }
     638            }
    621639        }
    622640        if (fpst_starts_with_existing_key(blocking->domains,
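Review bot: on new line 631 the inner `const size_t found_key_len` shadows the outer `found_key_len` tested on line 621, which makes the two length checks easy to confuse; give the inner variable a distinct name. Line 627 also truncates `rev` in place (`rev[owner_part_len] = 0`), and when no '.' is found it writes to `rev[0]`, so any later use of `rev` in this function sees the shortened string. Either work on a copy or add a comment saying the truncation is intended.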
  • src/router/dnscrypt/src/plugins/example-ldns-blocking/fpst.c

    r31742 r32055  
    44#include <stdlib.h>
    55#include <string.h>
    6 
    7 #include "fpst.h"
    86
    97typedef struct FPST {
     
    1412    uint32_t     val;
    1513} FPST;
     14
     15#define FPST_DEFINED 1
     16#include "fpst.h"
    1617
    1718#ifdef __GNUC__
     
    141142        lk = t->key;
    142143        x = 0U;
    143         for (; j < len; j++) {
     144        for (; j <= len; j++) {
    144145            x = ((unsigned char) lk[j]) ^ ((unsigned char) key[j]);
    145146            if (x != 0U) {
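Review bot: with the bound changed to `j <= len` on new line 144, the loop reads `key[len]` and `lk[len]`, so the caller's key must be NUL-terminated and `len` must not count the terminator. That precondition is only checked by `assert(key[j - 1] == 0)` in the next hunk, which is removed under NDEBUG. Document it on the function's declaration in fpst.h, or compare the terminator explicitly after the loop instead of extending the bound.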
     
    147148            }
    148149        }
    149         if (j == len && lk[j] == 0) {
    150             assert(key[j] == 0);
     150        if (j > len && lk[j - 1] == 0) {
     151            assert(key[j - 1] == 0);
    151152            t->val = val;
    152153            return trie;
  • src/router/dnscrypt/src/plugins/example-ldns-blocking/fpst.h

    r31742 r32055  
    55#include <stdlib.h>
    66
     7#ifndef FPST_DEFINED
    78/** A trie */
    89typedef struct FPST FPST;
     10#endif
    911
    1012/** Type of the function pointer for `fpst_free()` */
  • src/router/dnscrypt/src/plugins/example-ldns-forwarding/example-ldns-forwarding.c

    r31742 r32055  
    320320    size_t                    response_wire_len;
    321321    DCPluginSyncFilterResult  result = DCP_SYNC_FILTER_RESULT_OK;
     322    int                       i;
     323    _Bool                     has_reachable_ns = 0;
    322324
    323325    query_wire = dcplugin_get_wire_data(dcp_packet);
     
    343345    free(owner_str);
    344346    owner_str = NULL;
     347    /* If all nameservers have been marked as unreachable, reset them and try again */
     348    for (i = 0; i < ldns_resolver_nameserver_count(forwarder->resolver); i++) {
     349        if (ldns_resolver_nameserver_rtt(forwarder->resolver, i) != LDNS_RESOLV_RTT_INF) {
     350            has_reachable_ns = 1;
     351            break;
     352        }
     353    }
     354    if (!has_reachable_ns) {
     355        for (i = 0; i < ldns_resolver_nameserver_count(forwarder->resolver); i++) {
     356            ldns_resolver_set_nameserver_rtt(forwarder->resolver, i, LDNS_RESOLV_RTT_MIN);
     357        }
     358    }
    345359    if (ldns_send(&response, forwarder->resolver, query) != LDNS_STATUS_OK) {
    346360        ldns_pkt_free(query);
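Review bot: the reset on new lines 354-358 is silent, so an operator cannot tell from the logs that every upstream nameserver had been marked unreachable; log a message when `has_reachable_ns` is 0 before resetting the RTTs. Also, `int i` is compared against the result of `ldns_resolver_nameserver_count()`, which ldns declares as `size_t`; declare `i` as `size_t` to avoid the signed/unsigned comparison.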
  • src/router/dnscrypt/src/plugins/example-logging/example-logging.c

    r31742 r32055  
    257257    case 0x0f:
    258258        fprintf(logging->fp, "MX\n"); break;
     259    case 0x10:
     260        fprintf(logging->fp, "TXT\n"); break;
    259261    case 0x1c:
    260262        fprintf(logging->fp, "AAAA\n"); break;
  • src/router/dnscrypt/src/plugins/vendor-specific/example-ldns-opendns-deviceid/CONFIGURATION.txt

    r31742 r32055  
    11## -- The following option can be included in the configuration file --
    22
    3 ## OpenDNS Umbrella customers are identified by appending an 8 bytes password
     3## Cisco Umbrella customers are identified by appending an 8 bytes password
    44## in clear text to each query. That password can be retrieved with the
    55## following command: "dig TXT debug.opendns.com." while using the VPN or their
  • src/router/dnscrypt/src/plugins/vendor-specific/example-ldns-opendns-deviceid/example-ldns-opendns-deviceid.c

    r31742 r32055  
    2020dcplugin_description(DCPlugin * const dcplugin)
    2121{
    22     return "Add an OpenDNS device identifier to outgoing queries";
     22    return "Add a Cisco Umbrella device identifier to outgoing queries";
    2323}
    2424
     
    2828    return
    2929        "This plugin tags outgoing packets with the 8 bytes password,\n"
    30         "that the OpenDNS Umbrella service uses to identify their users.\n"
     30        "that the Cisco Umbrella service uses to identify their users.\n"
    3131        "\n"
    32         "If you happen to have an OpenDNS VPN or Umbrella account,\n"
     32        "If you happen to have an OpenDNS VPN or Cisco Umbrella account,\n"
    3333        "your password ('device') can be displayed with:\n"
    3434        "\n"
  • src/router/dnscrypt/src/proxy/app.c

    r31742 r32055  
    1616#include <time.h>
    1717#include <unistd.h>
     18
     19#if defined(__linux__) && defined(HAVE_LINUX_RANDOM_H)
     20# include <sys/ioctl.h>
     21# include <sys/stat.h>
     22# include <fcntl.h>
     23# include <linux/random.h>
     24#endif
    1825
    1926#include <event2/event.h>
     
    284291    assert(num_sd_fds <= INT_MAX - SD_LISTEN_FDS_START);
    285292    for (sock = SD_LISTEN_FDS_START; sock < SD_LISTEN_FDS_START + num_sd_fds;
    286          ++sock) {
     293         sock++) {
    287294       if (sd_is_socket(sock, AF_INET, SOCK_DGRAM, 0) > 0 ||
    288295           sd_is_socket(sock, AF_INET6, SOCK_DGRAM, 0) > 0) {
     
    333340#endif
    334341
     342static void
     343entropy_check(void)
     344{
     345#if defined(__linux__) && defined(HAVE_LINUX_RANDOM_H) && defined(RNDGETENTCNT)
     346    int fd;
     347    int c;
     348
     349    if ((fd = open("/dev/random", O_RDONLY)) != -1) {
     350        if (ioctl(fd, RNDGETENTCNT, &c) == 0 && c < 160) {
     351            logger(NULL, LOG_WARNING,
     352                   "This system doesn't provide enough entropy to quickly generate high-quality random numbers");
     353            logger(NULL, LOG_WARNING,
     354                   "Installing the rng-utils/rng-tools or haveged packages may help.");
     355            logger(NULL, LOG_WARNING,
     356                   "On virtualized Linux environments, also consider using virtio-rng.");
     357            logger(NULL, LOG_WARNING,
     358                   "The service will not start until enough entropy has been collected.");
     359        }
     360        close(fd);
     361    }
     362#endif
     363}
     364
    335365int
    336366dnscrypt_proxy_main(int argc, char *argv[])
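Review bot: the threshold in `c < 160` on new line 350 is an unexplained magic number; give it a named constant with a comment stating the unit and why this value was chosen. The function also stays silent when `open("/dev/random")` or the `RNDGETENTCNT` ioctl fails, so a restricted or sandboxed environment skips the check without any trace; a debug-level log on those paths would help. The last warning says the service will not start until entropy is collected, but `entropy_check()` itself never waits, so a comment naming the call that actually blocks would make the message verifiable.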
     
    345375    setvbuf(stdout, NULL, _IOLBF, BUFSIZ);
    346376    stack_trace_on_crash();
     377    entropy_check();
    347378    if (sodium_init() != 0) {
    348379        exit(1);
  • src/router/dnscrypt/src/proxy/cert.c

    r31742 r32055  
    378378        logger_noformat(proxy_context, LOG_ERR,
    379379                        "No useable certificates found");
    380         cert_reschedule_query_after_failure(proxy_context);
    381380        DNSCRYPT_PROXY_CERTS_UPDATE_ERROR_NOCERTS();
    382381        if (proxy_context->test_only) {
    383382            exit(DNSCRYPT_EXIT_CERT_NOCERTS);
    384383        }
     384        cert_reschedule_query_after_failure(proxy_context);
    385385        return;
    386386    }
     
    398398                        "Unsupported certificate version");
    399399        cert_reschedule_query_after_failure(proxy_context);
    400         DNSCRYPT_PROXY_CERTS_UPDATE_ERROR_NOCERTS();
    401         if (proxy_context->test_only) {
    402             exit(DNSCRYPT_EXIT_CERT_NOCERTS);
    403         }
    404400        return;
    405401    }
    406402    if (proxy_context->test_only != 0) {
    407403        const uint32_t now_u32 = (uint32_t) time(NULL);
     404        uint32_t       ts_begin;
    408405        uint32_t       ts_end;
    409 
     406        uint32_t       safe_end;
     407
     408        memcpy(&ts_begin, bincert->ts_begin, sizeof ts_begin);
     409        ts_begin = htonl(ts_begin);
    410410        memcpy(&ts_end, bincert->ts_end, sizeof ts_end);
    411         ts_end = htonl(ts_end);
    412 
    413         if (ts_end < (uint32_t) proxy_context->test_cert_margin ||
    414             now_u32 > ts_end - (uint32_t) proxy_context->test_cert_margin) {
     411        safe_end = ts_end = htonl(ts_end);
     412        if (safe_end > (uint32_t) proxy_context->test_cert_margin) {
     413            safe_end -= (uint32_t) proxy_context->test_cert_margin;
     414        } else {
     415            safe_end = ts_begin;
     416        }
     417        if (safe_end < ts_begin) {
    415418            logger_noformat(proxy_context, LOG_WARNING,
    416                             "The certificate is not valid for the given safety margin");
     419                            "Safety margin wider than the certificate validity period");
     420            safe_end = ts_begin;
     421        }
     422        if (now_u32 < ts_begin || now_u32 > safe_end) {
     423            logger(proxy_context, LOG_WARNING,
     424                   "The certificate is not valid for the given safety margin (%lu-%lu not within [%lu..%lu])",
     425                   (unsigned long) now_u32, (unsigned long) proxy_context->test_cert_margin,
     426                   (unsigned long) ts_begin, (unsigned long) safe_end);
    417427            DNSCRYPT_PROXY_CERTS_UPDATE_ERROR_NOCERTS();
    418428            exit(DNSCRYPT_EXIT_CERT_MARGIN);
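Review bot: the "Unsupported certificate version" branch loses its `test_only` exit (old lines 400-403), so a test-only run that hits an unsupported version now reschedules and returns instead of terminating with `DNSCRYPT_EXIT_CERT_NOCERTS`. The "No useable certificates" branch in the previous hunk keeps that exit, so the two error paths now behave differently; restore the exit here or explain the difference in a comment. Smaller points: `ts_begin` and `ts_end` are converted from wire order with `htonl()` where `ntohl()` is the intended direction, the `else` branch on line 414 clamps `safe_end` to `ts_begin` without the warning that line 419 emits for the same condition, and the format `%lu-%lu not within [%lu..%lu]` prints the current time and the margin joined by a dash, which reads as a range rather than "now, margin".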
  • src/router/dnscrypt/src/proxy/dnscrypt_client.c

    r31742 r32055  
    227227                                        const uint8_t resolver_publickey[crypto_box_PUBLICKEYBYTES])
    228228{
     229    int res = -1;
     230
    229231#if crypto_box_BEFORENMBYTES != crypto_box_PUBLICKEYBYTES
    230232# error crypto_box_BEFORENMBYTES != crypto_box_PUBLICKEYBYTES
    231233#endif
    232234    if (client->ephemeral_keys == 0) {
    233         if (crypto_box_beforenm(client->nmkey, resolver_publickey,
    234                                 client->secretkey) != 0) {
    235             return -1;
     235        if (client->cipher == CIPHER_XSALSA20POLY1305) {
     236            res = crypto_box_beforenm
     237                (client->nmkey, resolver_publickey, client->secretkey);
     238#ifdef HAVE_XCHACHA20
     239        } else if (client->cipher == CIPHER_XCHACHA20POLY1305) {
     240            res = crypto_box_curve25519xchacha20poly1305_beforenm
     241                (client->nmkey, resolver_publickey, client->secretkey);
     242#endif
    236243        }
    237244    } else {
    238245        memcpy(client->publickey, resolver_publickey, sizeof client->publickey);
    239     }
    240     return 0;
     246        res = 0;
     247    }
     248    return res;
    241249}
    242250
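Review bot: the compile-time check on lines 231-233 only covers `crypto_box_BEFORENMBYTES`, while new line 240 writes the XChaCha20 shared key into the same `client->nmkey` buffer. Add the equivalent `#if` for `crypto_box_curve25519xchacha20poly1305_BEFORENMBYTES` inside the `HAVE_XCHACHA20` block so a size mismatch fails at build time. Also, when `client->cipher` matches neither branch (including XChaCha20 on a build without `HAVE_XCHACHA20`), the function returns -1 with no log line; an error message naming the unsupported cipher would make that failure diagnosable.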
  • src/router/dnscrypt/src/proxy/dnscrypt_proxy.h

    r31742 r32055  
    4747#  define DEFAULT_RESOLVERS_LIST PKGDATADIR "/dnscrypt-resolvers.csv"
    4848# endif
    49 #endif
    50 
    51 #ifndef DEFAULT_RESOLVER_NAME
    52 # define DEFAULT_RESOLVER_NAME NULL
    5349#endif
    5450
  • src/router/dnscrypt/src/proxy/logger.c

    r31742 r32055  
    130130    memcpy(previous_line, line, len);
    131131    if (context == NULL || context->log_fp == NULL) {
    132         log_fp = stdout;
     132        log_fp = crit >= LOG_NOTICE ? stdout : stderr;
    133133    } else {
    134134        log_fp = context->log_fp;
  • src/router/dnscrypt/src/proxy/options.c

    r31742 r32055  
    2727#include "minicsv.h"
    2828#include "pid_file.h"
     29#include "shims.h"
    2930#include "simpleconf.h"
    3031#include "simpleconf_dnscrypt.h"
     
    8889options_version(void)
    8990{
     91#ifdef PACKAGE_VENDOR
     92    puts(PACKAGE_STRING "-" PACKAGE_VENDOR);
     93#else
    9094    puts(PACKAGE_STRING);
     95#endif
     96    puts("");
     97    printf("Compilation date: %s\n", __DATE__);
     98#ifdef PLUGINS
     99    puts("Support for plugins: present");
     100#endif
     101#if defined(PLUGINS_ROOT) && !defined(_WIN32)
     102    printf("Plugins root directory: [%s]\n", PLUGINS_ROOT);
     103#endif
     104#ifdef ENABLE_PLUGINS_ROOT
     105    puts("Plugins restricted to the default plugins directory: yes");
     106#endif
     107#ifdef RELAXED_PLUGINS_PERMISSIONS
     108    puts("Relaxed plugins permissions: yes");
     109#endif
     110#ifdef USE_LDNS
     111    puts("Support for ldns-based plugins: present");
     112#endif
     113#ifdef HAVE_LIBSYSTEMD
     114    puts("Support for systemd socket activation: present");
     115#endif
     116#ifdef HAVE_XCHACHA20
     117    puts("Support for the XChaCha20-Poly1305 cipher: present");
     118#endif
    91119}
    92120
     
    128156    proxy_context->pid_file = NULL;
    129157    proxy_context->resolvers_list = DEFAULT_RESOLVERS_LIST;
    130     proxy_context->resolver_name = DEFAULT_RESOLVER_NAME;
     158    proxy_context->resolver_name = NULL;
    131159    proxy_context->provider_name = NULL;
    132160    proxy_context->provider_publickey_s = NULL;
     
    213241    }
    214242    return NULL;
     243}
     244
     245static int
     246options_parse_candidate(ProxyContext * const proxy_context,
     247                        char * const * const headers, const size_t headers_count,
     248                        char * const * const cols, const size_t cols_count,
     249                        uint32_t * const candidate_count_p)
     250{
     251    const char *dnssec;
     252    const char *nologs;
     253    const char *resolver_ip;
     254    const char *resolver_name;
     255
     256    resolver_name = options_get_col(headers, headers_count,
     257                                    cols, cols_count, "Name");
     258    if (resolver_name == NULL || *resolver_name == 0) {
     259        return -1;
     260    }
     261    nologs = options_get_col(headers, headers_count,
     262                             cols, cols_count, "No logs");
     263    if (nologs == NULL || evutil_ascii_strcasecmp(nologs, "no") == 0) {
     264        return 0;
     265    }
     266    dnssec = options_get_col(headers, headers_count,
     267                             cols, cols_count, "DNSSEC validation");
     268    if (dnssec == NULL || evutil_ascii_strcasecmp(dnssec, "no") == 0) {
     269        return 0;
     270    }
     271    resolver_ip = options_get_col(headers, headers_count,
     272                                  cols, cols_count, "Resolver address");
     273    if (*resolver_ip == '[') {
     274        return 0;
     275    }
     276    (*candidate_count_p)++;
     277    if (randombytes_uniform(*candidate_count_p) > 0U) {
     278        return 0;
     279    }
     280    free((void *) proxy_context->resolver_name);
     281    if ((proxy_context->resolver_name = strdup(resolver_name)) == NULL) {
     282        return -1;
     283    }
     284    return 1;
    215285}
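Review bot: `resolver_ip` is dereferenced on new line 273 (`*resolver_ip == '['`) without a NULL check, unlike `resolver_name`, `nologs` and `dnssec` just above it. A resolvers list whose header lacks a "Resolver address" column would crash the proxy at startup when random selection is used. Add `resolver_ip == NULL ||` to the condition, or return -1 for a malformed row. A short comment noting that lines 276-279 implement a uniform pick over the candidates seen so far would also help the next reader.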
    216286
     
    314384
    315385static int
    316 options_parse_resolvers_list(ProxyContext * const proxy_context, char *buf)
    317 {
    318     char   *cols[OPTIONS_RESOLVERS_LIST_MAX_COLS];
    319     char   *headers[OPTIONS_RESOLVERS_LIST_MAX_COLS];
    320     size_t  cols_count;
    321     size_t  headers_count;
    322 
    323     assert(proxy_context->resolver_name != NULL);
    324     buf = minicsv_parse_line(buf, headers, &headers_count,
     386options_pick_random_resolver(ProxyContext * const proxy_context, const char *buf_)
     387{
     388    char     *buf;
     389    char     *buf_local;
     390    char     *cols[OPTIONS_RESOLVERS_LIST_MAX_COLS];
     391    char     *headers[OPTIONS_RESOLVERS_LIST_MAX_COLS];
     392    size_t    cols_count;
     393    size_t    headers_count;
     394    uint32_t  candidate_count = 0U;
     395
     396    if ((buf_local = strdup(buf_)) == NULL) {
     397        return -1;
     398    }
     399    buf = minicsv_parse_line(buf_local, headers, &headers_count,
    325400                             sizeof headers / sizeof headers[0]);
    326401    if (headers_count < 4U || headers_count > OPTIONS_RESOLVERS_LIST_MAX_COLS) {
     402        free(buf_local);
    327403        return -1;
    328404    }
     
    337413            continue;
    338414        }
     415        if (options_parse_candidate(proxy_context, headers, headers_count,
     416                                    cols, cols_count, &candidate_count) < 0) {
     417            free(buf_local);
     418            return -1;
     419        }
     420    } while (*buf != 0);
     421    free(buf_local);
     422
     423    return 0;
     424}
     425
     426static int
     427options_parse_resolvers_list(ProxyContext * const proxy_context, char *buf)
     428{
     429    char   *cols[OPTIONS_RESOLVERS_LIST_MAX_COLS];
     430    char   *headers[OPTIONS_RESOLVERS_LIST_MAX_COLS];
     431    size_t  cols_count;
     432    size_t  headers_count;
     433
     434    assert(proxy_context->resolver_name != NULL);
     435    buf = minicsv_parse_line(buf, headers, &headers_count,
     436                             sizeof headers / sizeof headers[0]);
     437    if (headers_count < 4U || headers_count > OPTIONS_RESOLVERS_LIST_MAX_COLS) {
     438        return -1;
     439    }
     440    do {
     441        buf = minicsv_parse_line(buf, cols, &cols_count,
     442                                 sizeof cols / sizeof cols[0]);
     443        if (cols_count < 4U || cols_count > OPTIONS_RESOLVERS_LIST_MAX_COLS) {
     444            continue;
     445        }
     446        minicsv_trim_cols(cols, cols_count);
     447        if (*cols[0] == 0 || *cols[0] == '#') {
     448            continue;
     449        }
    339450        if (options_parse_resolver(proxy_context, headers, headers_count,
    340451                                   cols, cols_count) > 0) {
     
    362473               resolvers_list_rebased);
    363474        exit(1);
     475    }
     476    if (evutil_ascii_strcasecmp(proxy_context->resolver_name,
     477                                OPTIONS_RESOLVERS_RANDOM) == 0) {
     478        free((void *) proxy_context->resolver_name);
     479        proxy_context->resolver_name = NULL;
     480        options_pick_random_resolver(proxy_context, file_buf);
     481        if (proxy_context->resolver_name == NULL) {
     482            logger_noformat(proxy_context, LOG_ERR,
     483                            "No suitable candidates found for a random selection");
     484            exit(1);
     485        }
     486        logger(proxy_context, LOG_INFO, "Randomly chosen resolver: [%s]",
     487               proxy_context->resolver_name);
    364488    }
    365489    assert(proxy_context->resolver_name != NULL);
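Review bot: the return value of `options_pick_random_resolver()` on new line 480 is discarded, so an allocation failure or a malformed header row is reported as "No suitable candidates found for a random selection". Check for a negative return and log a distinct error. Also, the `evutil_ascii_strcasecmp()` call on line 476 reads `proxy_context->resolver_name` before the `assert()` on line 489 checks it for NULL, and the default is now NULL (line 158); confirm an earlier check guarantees it is set, or guard the comparison.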
     
    514638}
    515639
     640static SimpleConfSpecialHandlerResult
     641simpleconf_special_handler(void **output, const char *arg, void *user_data)
     642{
     643    char *file_name;
     644
     645    if ((file_name = strdup(arg)) == NULL) {
     646        logger((ProxyContext *) user_data, LOG_EMERG, "Out of memory");
     647        exit(1);
     648    }
     649    *output = (void *) file_name;
     650
     651    return SC_SPECIAL_HANDLER_RESULT_INCLUDE;
     652}
     653
    516654int
    517655options_parse(AppContext * const app_context,
    518656              ProxyContext * const proxy_context, int *argc_p, char ***argv_p)
    519657{
    520     const char *service_config_file = NULL;
    521     int         opt_flag;
    522     int         option_index = 0;
     658    SimpleConfConfig  simpleconf_config = {
     659        proxy_context, simpleconf_special_handler
     660    };
     661    const char       *service_config_file = NULL;
     662    int               opt_flag;
     663    int               option_index = 0;
    523664#ifdef _WIN32
    524     _Bool       option_install = 0;
     665    _Bool             option_install = 0;
    525666#endif
    526667
    527668    options_init_with_default(app_context, proxy_context);
    528669    if (*argc_p == 2 && *(*argv_p)[1] != '-') {
    529         if (sc_build_command_line_from_file((*argv_p)[1], simpleconf_options,
     670        if (sc_build_command_line_from_file((*argv_p)[1], &simpleconf_config,
     671                                            simpleconf_options,
    530672                                            (sizeof simpleconf_options) /
    531673                                            (sizeof simpleconf_options[0]),
     
    594736            break;
    595737        case 'R':
    596             proxy_context->resolver_name = optarg;
     738            free((void *) proxy_context->resolver_name);
     739            proxy_context->resolver_name = strdup(optarg);
    597740            break;
    598741#ifndef _WIN32
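Review bot: the result of `strdup(optarg)` on new line 739 is not checked, so an allocation failure leaves `resolver_name` NULL and surfaces later as a missing resolver name rather than as out-of-memory. `simpleconf_special_handler()` in the same file checks its `strdup()` and logs "Out of memory"; do the same here.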
     
    770913    proxy_context->user_dir = NULL;
    771914#endif
     915    free((void *) proxy_context->resolver_name);
     916    proxy_context->resolver_name = NULL;
    772917    free((void *) proxy_context->provider_name);
    773918    proxy_context->provider_name = NULL;
  • src/router/dnscrypt/src/proxy/options.h

    r31742 r32055  
    99
    1010#define OPTIONS_RESOLVERS_LIST_MAX_COLS 50
     11#define OPTIONS_RESOLVERS_RANDOM "random"
    1112#define OPTIONS_CLIENT_KEY_HEADER "\01\01"
    1213
  • src/router/dnscrypt/src/proxy/sandboxes.c

    r31742 r32055  
    11
    22#include <config.h>
    3 #include <sys/types.h>
    4 #include <sys/time.h>
     3#ifndef _WIN32
     4# include <sys/types.h>
     5# include <sys/socket.h>
     6# include <sys/time.h>
     7#endif
    58
    69#ifdef HAVE_SANDBOX_H
     
    3033    return 0;
    3134}
     35
     36#if defined(SO_ATTACH_FILTER) && defined(HAVE_LINUX_FILTER_H)
     37# include <linux/filter.h>
     38
     39/*
     40  ldh [x + 4]
     41  jlt #25, fail
     42  ldh [x + 10]
     43  and #0xfc8f
     44  jne #0, fail
     45  ldh [x + 12]
     46  jneq #1, fail
     47  ld [x + 14]
     48  jneq #0, fail
     49  ldh [x + 18]
     50  jgt #1, fail
     51  ret #0x40000
     52
     53fail:
     54  ret #0
     55*/
     56
     57int
     58attach_udp_dnsq_bpf(int fd)
     59{
     60    struct sock_filter code[] = {
     61       { 0x48,  0,  0, 0x00000004 },
     62       { 0x35,  0, 10, 0x00000019 },
     63       { 0x48,  0,  0, 0x0000000a },
     64       { 0x54,  0,  0, 0x0000fc8f },
     65       { 0x15,  0,  7, 0000000000 },
     66       { 0x48,  0,  0, 0x0000000c },
     67       { 0x15,  0,  5, 0x00000001 },
     68       { 0x40,  0,  0, 0x0000000e },
     69       { 0x15,  0,  3, 0000000000 },
     70       { 0x48,  0,  0, 0x00000012 },
     71       { 0x25,  1,  0, 0x00000001 },
     72       { 0x06,  0,  0, 0x00040000 },
     73       { 0x06,  0,  0, 0000000000 },
     74    };
     75    struct sock_fprog bpf = {
     76        .len = (sizeof code) / (sizeof code[0]),
     77        .filter = code
     78    };
     79    return setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof bpf);
     80}
     81
     82#else
     83
     84int
     85attach_udp_dnsq_bpf(int fd) {
     86    (void) fd;
     87    return -1;
     88}
     89
     90#endif
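Review bot: the filter is maintained twice, once as assembly in the comment (lines 39-55) and once as raw opcodes in `code[]`, with nothing tying the two together, and none of the offsets (4, 10, 12, 14, 18) or the mask `0xfc8f` is named. Annotate each instruction with the packet field it tests and the reason for the bound, and note that the indexed loads (`[x + N]`) depend on the X register being zero since the program never sets it. The zero operands are written as `0000000000`, an octal literal, next to hex constants; use `0x00000000` for consistency. The fallback returns -1 just like a failed `setsockopt()`, so callers cannot tell "unsupported on this build" from a real failure; document which of the two callers should treat as fatal.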
  • src/router/dnscrypt/src/proxy/sandboxes.h

    r31742 r32055  
    66int sandboxes_pidproc(void);
    77
     8int attach_udp_dnsq_bpf(int fd);
     9
    810#endif
  • src/router/dnscrypt/src/proxy/shims.h

    r31742 r32055  
    1111 * overlapping buffers. Use temporary buffers to work around this.
    1212 */
    13 #if SODIUM_LIBRARY_VERSION_MAJOR < 7 || SODIUM_LIBRARY_VERSION_MINOR <= 2
     13#if SODIUM_LIBRARY_VERSION_MAJOR < 7 || (SODIUM_LIBRARY_VERSION_MAJOR == 7 && SODIUM_LIBRARY_VERSION_MINOR <= 2)
     14# warning The installed libsodium version is very old and will not be supported in the future.
     15# warning Support for the XChaCha20 cipher will also not be available in that build.
    1416static int
    1517crypto_box_easy_nooverlap(unsigned char *c, const unsigned char *m,
     
    5860                            const unsigned char *n, const unsigned char *k)
    5961{
    60     return crypto_secretbox_detached(c, mac, m, mlen, n, k);
     62    unsigned char tmp[65536];
     63
     64    if (mlen > sizeof tmp) {
     65        return -1;
     66    }
     67    if (crypto_secretbox_detached(tmp, mac, m, mlen, n, k) != 0) {
     68        return -1;
     69    }
     70    memcpy(c, tmp, mlen);
     71
     72    return 0;
    6173}
    6274
     
    8092                                 const unsigned char *k)
    8193{
    82     return crypto_secretbox_open_detached(m, c, mac, clen, n, k);
     94    unsigned char tmp[65536];
     95
     96    if (clen > sizeof tmp) {
     97        return -1;
     98    }
     99    if (crypto_secretbox_open_detached(tmp, c, mac, clen, n, k) != 0) {
     100        return -1;
     101    }
     102    memcpy(m, tmp, clen);
     103
     104    return 0;
    83105}
    84106
  • src/router/dnscrypt/src/proxy/simpleconf.c

    r31742 r32055  
    88#include "simpleconf.h"
    99
    10 #define MAX_ARG_LENGTH 65536
     10#ifndef SC_MAX_ARG_LENGTH
     11# define SC_MAX_ARG_LENGTH 65536
     12#endif
     13#ifndef SC_MAX_RECURSION
     14# define SC_MAX_RECURSION  16
     15#endif
    1116
    1217typedef enum State_ {
     
    4954    ENTRYRESULT_INVALID_ENTRY,
    5055    ENTRYRESULT_INTERNAL,
    51     ENTRYRESULT_E2BIG
     56    ENTRYRESULT_E2BIG,
     57    ENTRYRESULT_SPECIAL
    5258} EntryResult;
    5359
     
    139145    int         is_boolean;
    140146    int         is_enabled;
     147    int         is_special;
    141148    int         c = 0;
    142149    int         d = 0;
     
    153160    matches_len = 0;
    154161    expect_char = 0;
     162    is_boolean  = 0;
    155163    is_enabled  = 0;
    156     is_boolean  = 0;
     164    is_special  = 0;
    157165    state       = STATE_PROPNAME;
    158166    while (*in_pnt != 0 || *line_pnt != 0) {
     
    164172                in_pnt++;
    165173                state = STATE_AFTERPROPNAME;
    166             } else if (d == '?') {
     174            } else if (d == '?' && is_boolean == 0) {
    167175                is_boolean = 1;
     176                in_pnt++;
     177            } else if (d == '!' && is_special == 0) {
     178                is_special = 1;
    168179                in_pnt++;
    169180            } else if (c != 0 && d != 0 && tolower(c) == tolower(d)) {
     
    424435    }
    425436    out_pnt = entry->out;
    426     if ((arg = malloc(MAX_ARG_LENGTH + 1)) == NULL) {
     437    if ((arg = malloc(SC_MAX_ARG_LENGTH + 1)) == NULL) {
    427438        return ENTRYRESULT_INTERNAL;
    428439    }
    429440    arg_len = 0;
    430441    state   = STATE_TEMPLATE_RCHAR;
    431     while (arg_len < MAX_ARG_LENGTH && *out_pnt != 0) {
     442    while (arg_len < SC_MAX_ARG_LENGTH && *out_pnt != 0) {
    432443        d = *(const unsigned char *)out_pnt;
    433444        switch (state) {
     
    446457                size_t i = 0;
    447458
    448                 while (arg_len < MAX_ARG_LENGTH && i < wildcard_len) {
     459                while (arg_len < SC_MAX_ARG_LENGTH && i < wildcard_len) {
    449460                    arg[arg_len++] = wildcard_start[i++];
    450461                }
     
    459470                }
    460471                while (
    461                     arg_len < MAX_ARG_LENGTH && i < matches[match_id].str_len) {
     472                    arg_len < SC_MAX_ARG_LENGTH && i < matches[match_id].str_len) {
    462473                    arg[arg_len++] = matches[match_id].str[i++];
    463474                }
     
    472483        }
    473484    }
    474     if (arg_len >= MAX_ARG_LENGTH) {
     485    if (arg_len >= SC_MAX_ARG_LENGTH) {
    475486        free(arg);
    476487        errno = E2BIG;
     
    480491    *arg_p       = arg;
    481492
     493    if (is_special) {
     494        return ENTRYRESULT_SPECIAL;
     495    }
    482496    return ENTRYRESULT_OK;
    483497}
     
    516530}
    517531
    518 static void
    519 argv_fp_free(int argc, char *argv[], FILE *fp)
    520 {
    521     int errno_save = errno;
    522     int i;
    523 
    524     if (fp != NULL) {
    525         (void) fclose(fp);
    526     }
    527     sc_argv_free(argc, argv);
    528     errno = errno_save;
    529 }
    530 
    531 int
    532 sc_build_command_line_from_file(const char *file_name,
    533                                 const SimpleConfEntry entries[],
    534                                 size_t entries_count, char *app_name,
    535                                 int *argc_p, char ***argv_p)
    536 {
    537     FILE *       fp;
    538     char *       arg;
    539     char **      argv = NULL;
    540     char **      argv_tmp;
    541     const char * err = NULL;
    542     const char * err_tmp;
    543     char         line[MAX_ARG_LENGTH];
    544     unsigned int line_count = 0;
    545     int          argc       = 0;
    546     int          try_next   = 1;
    547     size_t       i;
    548 
    549     *argc_p = 0;
    550     *argv_p = NULL;
     532static int
     533append_to_command_line_from_file(const char *file_name,
     534                                 const SimpleConfConfig *config,
     535                                 const SimpleConfEntry entries[],
     536                                 size_t entries_count,
     537                                 int *argc_p, char ***argv_p,
     538                                 unsigned int depth)
     539{
     540    char          line[SC_MAX_ARG_LENGTH];
     541    FILE         *fp = NULL;
     542    char         *arg;
     543    char        **argv_tmp;
     544    const char   *err = NULL;
     545    const char   *err_tmp;
     546    size_t        i;
     547    unsigned int  line_count = 0;
     548    int           try_next   = 1;
     549
     550    if (depth >= SC_MAX_RECURSION) {
     551        fprintf(stderr, "[%s]: too many levels of recursion\n", file_name);
     552        return -1;
     553    }
    551554    if ((fp = fopen(file_name, "r")) == NULL) {
    552555        fprintf(stderr, "Unable to open [%s]: %s\n", file_name, strerror(errno));
    553556        return -1;
    554557    }
    555     if ((argv = malloc(sizeof arg)) == NULL ||
    556         (app_name = strdup(app_name)) == NULL) {
    557         argv_fp_free(argc, argv, fp);
    558         return -1;
    559     }
    560     argv[argc++] = app_name;
    561558    while (fgets(line, (int)(sizeof line), fp) != NULL) {
    562559        chomp(line);
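Review bot: `char line[SC_MAX_ARG_LENGTH]` on new line 540 is a 64 KiB stack buffer in a function that now recurses up to `SC_MAX_RECURSION` (16) levels, so nested includes can consume about 1 MiB of stack. Allocate `line` on the heap, or lower the recursion limit, and state the worst case next to the `SC_MAX_RECURSION` definition. The depth limit stops runaway include loops, but the error message on line 551 only names the innermost file; printing the depth as well would help trace the include chain.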
     
    571568                break;
    572569            case ENTRYRESULT_E2BIG:
    573                 argv_fp_free(argc, argv, fp);
     570                fclose(fp);
    574571                return -1;
    575572            case ENTRYRESULT_INVALID_ENTRY:
     
    577574                abort();
    578575            case ENTRYRESULT_INTERNAL:
    579                 argv_fp_free(argc, argv, fp);
     576                fclose(fp);
    580577                return -1;
    581578            case ENTRYRESULT_MISMATCH:
     
    592589                        file_name, line_count, line_count, line);
    593590                }
    594                 argv_fp_free(argc, argv, fp);
     591                fclose(fp);
    595592                return -1;
    596593            }
     
    601598                    break;
    602599                }
    603                 if (argc >= INT_MAX / (int)(sizeof arg)) {
     600                if (*argc_p >= INT_MAX / (int)(sizeof *arg)) {
    604601                    abort();
    605602                }
    606                 if ((argv_tmp = realloc(argv, (sizeof arg) *
    607                                         ((size_t) argc + 1))) == NULL) {
    608                     argv_fp_free(argc, argv, fp);
     603                if ((argv_tmp = realloc(*argv_p, (sizeof arg) *
     604                                        ((size_t) *argc_p + 1))) == NULL) {
     605                    fclose(fp);
    609606                    return -1;
    610607                }
    611                 argv        = argv_tmp;
    612                 argv[argc++] = arg;
     608                *argv_p = argv_tmp;
     609                (*argv_p)[(*argc_p)++] = arg;
    613610                break;
     611            case ENTRYRESULT_SPECIAL: {
     612                char                           *output = NULL;
     613                SimpleConfSpecialHandlerResult  special_result;
     614
     615                try_next = 0;
     616                if (config == NULL || config->special_handler == NULL) {
     617                    fprintf(stderr, "Undefined handler for special keywords\n");
     618                    abort();
     619                }
     620                special_result = config->special_handler((void **) &output, arg,
     621                                                         config->user_data);
     622                if (special_result == SC_SPECIAL_HANDLER_RESULT_NEXT) {
     623                    free(arg);
     624                    break;
     625                } else if (special_result == SC_SPECIAL_HANDLER_RESULT_ERROR) {
     626                    free(arg);
     627                    fclose(fp);
     628                    return -1;
     629                } else if (special_result == SC_SPECIAL_HANDLER_RESULT_INCLUDE) {
     630                    const int ret = append_to_command_line_from_file
     631                        ((const char *) output, config, entries, entries_count,
     632                         argc_p, argv_p, depth + 1U);
     633                    free(output);
     634                    free(arg);
     635                    if (ret != 0) {
     636                        fclose(fp);
     637                        return -1;
     638                    }
     639                    break;
     640                }
     641                abort();
     642            }
    614643            default:
    615644                abort();
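Review bot: The overflow guard at new line 600 now divides by `sizeof *arg`, while the realloc() at new lines 603-604 still multiplies by `sizeof arg`. `arg` is stored into the `char **` array and passed to free(), so `sizeof *arg` is 1 and the guard only trips at INT_MAX; it no longer bounds the product it is meant to protect where size_t is 32 bits. Use the same element size in both expressions, for example `sizeof **argv_p`. In the new ENTRYRESULT_SPECIAL case, `output` is freed only on the INCLUDE path; if a handler can set it before returning NEXT or ERROR it leaks, so free it on every path or document that handlers must leave it NULL in those cases.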
     
    628657                    file_name, line_count, line_count, line);
    629658            }
    630             argv_fp_free(argc, argv, fp);
     659            fclose(fp);
    631660            return -1;
    632661        }
    633662    }
    634663    (void) fclose(fp);
     664
     665    return 0;
     666}
     667
     668int
     669sc_build_command_line_from_file(const char *file_name,
     670                                const SimpleConfConfig *config,
     671                                const SimpleConfEntry entries[],
     672                                size_t entries_count, char *app_name,
     673                                int *argc_p, char ***argv_p)
     674{
     675    char **argv = NULL;
     676    int    argc = 0;
     677
     678    *argc_p = 0;
     679    *argv_p = NULL;
     680    if ((argv = malloc(sizeof *argv)) == NULL ||
     681        (app_name = strdup(app_name)) == NULL) {
     682        sc_argv_free(argc, argv);
     683        return -1;
     684    }
     685    argv[argc++] = app_name;
     686    if (append_to_command_line_from_file(file_name, config,
     687                                         entries, entries_count,
     688                                         &argc, &argv, 0U) != 0) {
     689        sc_argv_free(argc, argv);
     690        return -1;
     691    }
    635692    *argc_p = argc;
    636693    *argv_p = argv;
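Review bot: In sc_build_command_line_from_file, when malloc() fails at new line 680, sc_argv_free(argc, argv) at new line 682 runs with argv == NULL and argc == 0; confirm that sc_argv_free tolerates a NULL array, or return directly in that case. `app_name = strdup(app_name)` also reuses the parameter name for the heap copy; a separate local would make the ownership of argv[0] clearer to the next reader.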
  • src/router/dnscrypt/src/proxy/simpleconf.h

    r31742 r32055  
    99} SimpleConfEntry;
    1010
     11typedef enum SimpleConfSpecialHandlerResult_ {
     12    SC_SPECIAL_HANDLER_RESULT_UNDEFINED,
     13    SC_SPECIAL_HANDLER_RESULT_NEXT,
     14    SC_SPECIAL_HANDLER_RESULT_ERROR,
     15    SC_SPECIAL_HANDLER_RESULT_INCLUDE,
     16} SimpleConfSpecialHandlerResult;
     17
     18typedef SimpleConfSpecialHandlerResult (*SimpleConfSpecialHandler)
     19    (void **output_p, const char *arg, void *user_data);
     20
     21typedef struct SimpleConfConfig_ {
     22    void                     *user_data;
     23    SimpleConfSpecialHandler  special_handler;
     24} SimpleConfConfig;
     25
    1126int sc_build_command_line_from_file(const char *file_name,
     27                                    const SimpleConfConfig *config,
    1228                                    const SimpleConfEntry entries[],
    1329                                    size_t entries_count, char *app_name,
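Review bot: The new SimpleConfSpecialHandler typedef does not say who owns `*output_p`. The caller in simpleconf.c uses it as a file name and releases it with free() on SC_SPECIAL_HANDLER_RESULT_INCLUDE, so the header should state that the handler must return a malloc()-allocated, NUL-terminated path in that case, and what it must leave in `*output_p` for NEXT and ERROR. A comment on the purpose of SC_SPECIAL_HANDLER_RESULT_UNDEFINED would help as well, since the caller aborts on any result it does not handle.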
  • src/router/dnscrypt/src/proxy/simpleconf_dnscrypt.h

    r31742 r32055  
    77
    88static const SimpleConfEntry simpleconf_options[] = {
    9     {"ClientKey (<any*>)",           "--client-key=$0"},
    10     {"Daemonize? <bool>",            "--daemonize"},
    11     {"EDNSPayloadSize (<digits>)",   "--edns-payload-size=$0"},
    12     {"EphemeralKeys? <bool>",        "--ephemeral-keys"},
    13     {"IgnoreTimestamps? <bool>",     "--ignore-timestamps"},
    14     {"LocalAddress (<nospace>)",     "--local-address=$0"},
    15     {"LogFile (<any*>)",             "--logfile=$0"},
    16     {"LogLevel (<digits>)",          "--loglevel=$0"},
    17     {"MaxActiveRequests (<digits>)", "--max-active-requests=$0"},
    18     {"PidFile (<any*>)",             "--pidfile=$0"},
    19     {"ProviderKey (<any>)",          "--provider-key=$0"},
    20     {"ProviderName (<any*>)",        "--provider-name=$0"},
    21     {"ResolverAddress (<nospace>)",  "--resolver-address=$0"},
    22     {"ResolverName (<nospace>)",     "--resolver-name=$0"},
    23     {"ResolversList (<any*>)",       "--resolvers-list=$0"},
    24     {"SyslogPrefix (<nospace>)",     "--syslog-prefix=$0"},
    25     {"Syslog? <bool>",               "--syslog"},
    26     {"TCPOnly? <bool>",              "--tcp-only"},
    27     {"Test (<digits>)",              "--test=$0"},
    28     {"User (<nospace>)",             "--user=$0"},
     9    {"ClientKey (<any*>)",                                    "--client-key=$0"},
     10    {"Daemonize? <bool>",                                     "--daemonize"},
     11    {"EDNSPayloadSize (<digits>)",                            "--edns-payload-size=$0"},
     12    {"EphemeralKeys? <bool>",                                 "--ephemeral-keys"},
     13    {"IgnoreTimestamps? <bool>",                              "--ignore-timestamps"},
     14    {"LocalAddress (<nospace>)",                              "--local-address=$0"},
     15    {"LogFile (<any*>)",                                      "--logfile=$0"},
     16    {"LogLevel (<digits>)",                                   "--loglevel=$0"},
     17    {"MaxActiveRequests (<digits>)",                          "--max-active-requests=$0"},
     18    {"PidFile (<any*>)",                                      "--pidfile=$0"},
     19    {"ProviderKey (<any>)",                                   "--provider-key=$0"},
     20    {"ProviderName (<any*>)",                                 "--provider-name=$0"},
     21    {"ResolverAddress (<nospace>)",                           "--resolver-address=$0"},
     22    {"ResolverName (<nospace>)",                              "--resolver-name=$0"},
     23    {"ResolversList (<any*>)",                                "--resolvers-list=$0"},
     24    {"SyslogPrefix (<nospace>)",                              "--syslog-prefix=$0"},
     25    {"Syslog? <bool>",                                        "--syslog"},
     26    {"TCPOnly? <bool>",                                       "--tcp-only"},
     27    {"Test (<digits>)",                                       "--test=$0"},
     28    {"User (<nospace>)",                                      "--user=$0"},
    2929    {"BlackList domains:(<any>) logfile:(<any>)",             "--plugin=" PLUGIN_LIB("ldns_blocking") ",--domains=$0,--logfile=$1" },
    3030    {"BlackList ips:(<any>) logfile:(<any>)",                 "--plugin=" PLUGIN_LIB("ldns_blocking") ",--ips=$0,--logfile=$1" },
    3131    {"BlackList domains:(<any>) ips:(<any>) logfile:(<any>)", "--plugin=" PLUGIN_LIB("ldns_blocking") ",--domains=$0,--ips=$1,--logfile=$2" },
    32     {"BlackList domains:(<any>)",             "--plugin=" PLUGIN_LIB("ldns_blocking") ",--domains=$0" },
    33     {"BlackList ips:(<any>)",                 "--plugin=" PLUGIN_LIB("ldns_blocking") ",--ips=$0" },
    34     {"BlackList domains:(<any>) ips:(<any>)", "--plugin=" PLUGIN_LIB("ldns_blocking") ",--domains=$0,--ips=$1" },
    35     {"BlockIPv6? <bool>",            "--plugin=" PLUGIN_LIB("ldns_aaaa_blocking") },
    36     {"QueryLogFile (<any*>)",        "--plugin=" PLUGIN_LIB("logging") ",$0" },
    37     {"Forward domains:(<any>) to:(<any>)", "--plugin=" PLUGIN_LIB("ldns_forwarding") ",--domains=$0,--resolvers=$1" },
    38     {"LocalCache? <bool> min-ttl:(<digits>)", "--plugin=" PLUGIN_LIB("cache") ",--min-ttl=$0" },
    39     {"LocalCache? <bool>",           "--plugin=" PLUGIN_LIB("cache") },
    40     {"OpenDNSIP (<nospace>)",        "--plugin=" PLUGIN_LIB("ldns_opendns_set_client_ip") ",$0" },
    41     {"OpenDNSPasswordFile (<any*>)", "--plugin=" PLUGIN_LIB("ldns_opendns_deviceid") ",$0" },
    42     {"Plugin (<any_noquotes>)",      "--plugin=$0" }
     32    {"BlackList domains:(<any>)",                             "--plugin=" PLUGIN_LIB("ldns_blocking") ",--domains=$0" },
     33    {"BlackList ips:(<any>)",                                 "--plugin=" PLUGIN_LIB("ldns_blocking") ",--ips=$0" },
     34    {"BlackList domains:(<any>) ips:(<any>)",                 "--plugin=" PLUGIN_LIB("ldns_blocking") ",--domains=$0,--ips=$1" },
     35    {"BlockIPv6? <bool>",                                     "--plugin=" PLUGIN_LIB("ldns_aaaa_blocking") },
     36    {"QueryLogFile (<any*>)",                                 "--plugin=" PLUGIN_LIB("logging") ",$0" },
     37    {"Forward domains:(<any>) to:(<any>)",                    "--plugin=" PLUGIN_LIB("ldns_forwarding") ",--domains=$0,--resolvers=$1" },
     38    {"LocalCache? <bool> min-ttl:(<digits>)",                 "--plugin=" PLUGIN_LIB("cache") ",--min-ttl=$0" },
     39    {"LocalCache? <bool>",                                    "--plugin=" PLUGIN_LIB("cache") },
     40    {"OpenDNSIP (<nospace>)",                                 "--plugin=" PLUGIN_LIB("ldns_opendns_set_client_ip") ",$0" },
     41    {"OpenDNSPasswordFile (<any*>)",                          "--plugin=" PLUGIN_LIB("ldns_opendns_deviceid") ",$0" },
     42    {"Plugin (<any*>)",                                       "--plugin=$0" },
     43
     44    {"!Include (<any*>)",                                     "$0"}
    4345};
    4446
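Review bot: Most of this hunk is column realignment, but two lines change behaviour: `Plugin` goes from `(<any_noquotes>)` to `(<any*>)`, and a new `!Include (<any*>)` entry is added. Both values feed sensitive destinations (`--plugin=$0` and the path handed to the include handler), so the commit message should explain why the Plugin pattern was loosened and what restrictions, if any, apply to included paths. Putting the whitespace change in its own commit would keep these two lines from being lost in review.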
  • src/router/dnscrypt/src/proxy/tcp_request.c

    r31742 r32055  
    1111
    1212#include <assert.h>
     13#include <errno.h>
    1314#include <limits.h>
    1415#include <signal.h>
     
    559560#endif
    560561    if (proxy_context->tcp_listener_handle == -1) {
    561         proxy_context->tcp_conn_listener =
    562             evconnlistener_new_bind(proxy_context->event_loop,
    563                                     tcp_connection_cb, proxy_context,
    564                                     LEV_OPT_CLOSE_ON_FREE |
    565                                     LEV_OPT_CLOSE_ON_EXEC |
    566                                     LEV_OPT_REUSEABLE |
    567                                     LEV_OPT_REUSEABLE_PORT |
    568                                     LEV_OPT_DEFERRED_ACCEPT,
    569                                     TCP_REQUEST_BACKLOG,
    570                                     (struct sockaddr *)
    571                                     &proxy_context->local_sockaddr,
    572                                     (int) proxy_context->local_sockaddr_len);
     562        unsigned int flags = LEV_OPT_CLOSE_ON_FREE | LEV_OPT_CLOSE_ON_EXEC |
     563                             LEV_OPT_REUSEABLE | LEV_OPT_REUSEABLE_PORT |
     564                             LEV_OPT_DEFERRED_ACCEPT;
     565        for (;;) {
     566            proxy_context->tcp_conn_listener =
     567                evconnlistener_new_bind(proxy_context->event_loop,
     568                                        tcp_connection_cb, proxy_context,
     569                                        flags, TCP_REQUEST_BACKLOG,
     570                                        (struct sockaddr *)
     571                                        &proxy_context->local_sockaddr,
     572                                        (int) proxy_context->local_sockaddr_len);
     573            if (proxy_context->tcp_conn_listener != NULL ||
     574                (flags & LEV_OPT_REUSEABLE_PORT) == 0U) {
     575                break;
     576            }
     577            flags &= ~LEV_OPT_REUSEABLE_PORT;
     578        }
    573579    } else {
    574580        evutil_make_socket_closeonexec(proxy_context->tcp_listener_handle);
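Review bot: The retry loop at new lines 565-578 drops LEV_OPT_REUSEABLE_PORT after any bind failure, not only when the option is unsupported, so an address-in-use or permission error is attempted twice before it is reported. A short comment saying that the second pass exists for systems without reuse-port support would document the intent, and a debug log when the fallback is taken would show operators which mode the listener ended up in.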
     
    585591    }
    586592    if (proxy_context->tcp_conn_listener == NULL) {
    587         logger_noformat(proxy_context, LOG_ERR, "Unable to bind (TCP)");
     593        logger(proxy_context, LOG_ERR, "Unable to bind (TCP): [%s]",
     594               evutil_socket_error_to_string(evutil_socket_geterror(
     595                   proxy_context->tcp_listener_handle)));
    588596        return -1;
    589597    }
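Review bot: The new message at lines 593-595 passes `proxy_context->tcp_listener_handle` to evutil_socket_geterror(), but on the path that called evconnlistener_new_bind that handle is -1 (the `== -1` test above), so the text reflects whatever the last socket error happens to be rather than an error read from the listening socket. With the retry loop in place it also describes only the final attempt. Save the error immediately after the failing bind attempt, for example with EVUTIL_SOCKET_ERROR() inside the loop, and log that saved value here.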
  • src/router/dnscrypt/src/proxy/udp_request.c

    r31742 r32055  
    2727#include "probes.h"
    2828#include "queue.h"
     29#include "sandboxes.h"
    2930#include "tcp_request.h"
    3031#include "udp_request.h"
     
    501502            return -1;
    502503        }
    503 #if defined(__linux__) && defined(SO_REUSEPORT)
     504#if defined(__linux__) && defined(SO_REUSEPORT) && !defined(NO_REUSEPORT)
    504505        setsockopt(proxy_context->udp_listener_handle, SOL_SOCKET, SO_REUSEPORT, &optval, sizeof(optval));
    505506#endif
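Review bot: `NO_REUSEPORT` appears in the guard at new line 504 without a definition or description anywhere in the visible change; say which build option or platform sets it, in a comment here or in the build documentation. The setsockopt() result on line 505 is also ignored, so a failure to enable SO_REUSEPORT is silent; a debug-level log on failure would make that visible.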
     
    518519    evutil_make_socket_nonblocking(proxy_context->udp_listener_handle);
    519520    udp_tune(proxy_context->udp_listener_handle);
    520 
     521    attach_udp_dnsq_bpf(proxy_context->udp_listener_handle);
    521522    if ((proxy_context->udp_proxy_resolver_handle = socket
    522523         (proxy_context->resolver_sockaddr.ss_family, SOCK_DGRAM, IPPROTO_UDP)) == -1) {
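Review bot: attach_udp_dnsq_bpf() is called at new line 521 with no result checked. If the function can fail, the listener keeps running without the filter and nothing records it; log the outcome, or add a comment stating that the filter is best-effort and the proxy is expected to run without it.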
  • src/router/dnscrypt/src/proxy/windows_service.c

    r31742 r32055  
    355355        err += cmdline_add_option(argc_p, argv_p, "--ephemeral-keys");
    356356    }
     357    if (windows_service_registry_read_dword
     358        ("IgnoreTimestamps", &dword_value) == 0 && dword_value > (DWORD) 0) {
     359        err += cmdline_add_option(argc_p, argv_p, "--ignore-timestamps");
     360    }
    357361    if (windows_service_registry_read_string
    358362        ("ClientKeyFile", &string_value) == 0) {
     
    366370        err += cmdline_add_option(argc_p, argv_p, string_value);
    367371        free(string_value);
     372    }
     373    if (windows_service_registry_read_dword
     374        ("LogLevel", &dword_value) == 0) {
     375        evutil_snprintf(dword_string, sizeof dword_string, "%ld",
     376                        (long) dword_value);
     377        err += cmdline_add_option(argc_p, argv_p, "--loglevel");
     378        err += cmdline_add_option(argc_p, argv_p, dword_string);
    368379    }
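Review bot: At new lines 375-376 the DWORD read from the registry is formatted with `%ld` after a cast to `long`. DWORD is unsigned, so values above LONG_MAX are printed as negative numbers. Use `%lu` with `(unsigned long) dword_value`, and reject values outside the range `--loglevel` accepts before adding the option to the command line.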
    369380    windows_service_registry_read_multi_sz
  • src/router/dnscrypt/test/features/test-dnscrypt-proxy/ephemeral_keys.feature

    r31742 r32055  
    66 
    77    Given a working server proxy on 212.47.228.136
    8     And a running dnscrypt proxy with options "--edns-payload-size=0 -R dnscrypt.org-fr --ephemeral-keys"
     8    And a running dnscrypt proxy with options "--edns-payload-size=0 -R random --ephemeral-keys"
    99    When a client asks dnscrypt-proxy for "test-ff.dnscrypt.org"
    1010    Then dnscrypt-proxy returns "255.255.255.255"
     
    1313 
    1414    Given a working server proxy on 212.47.228.136
    15     And a running dnscrypt proxy with options "--edns-payload-size=0 -R dnscrypt.org-fr --ephemeral-keys"
     15    And a running dnscrypt proxy with options "--edns-payload-size=0 -R random --ephemeral-keys"
    1616    When a client asks dnscrypt-proxy for "test-nonexistent.dnscrypt.org"
    1717    Then dnscrypt-proxy returns a NXDOMAIN answer
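Review bot: Replacing `-R dnscrypt.org-fr` with `-R random` makes these scenarios depend on whichever resolver is picked at run time, while the `Given a working server proxy on 212.47.228.136` step still names one fixed server. A failing run will be hard to reproduce; keep a pinned resolver name for the functional tests, or have the steps print the resolver that was selected so a failure can be tied to it. The same substitution is made in the other feature files of this changeset.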
  • src/router/dnscrypt/test/features/test-dnscrypt-proxy/forced_tcp.feature

    r31742 r32055  
    99 
    1010    Given a working server proxy on 212.47.228.136
    11     And a running dnscrypt proxy with options "--edns-payload-size=4096 --tcp-only -R dnscrypt.org-fr"
     11    And a running dnscrypt proxy with options "--edns-payload-size=4096 --tcp-only -R random"
    1212    When a client asks dnscrypt-proxy for "test-ff.dnscrypt.org"
    1313    Then dnscrypt-proxy returns "255.255.255.255"
  • src/router/dnscrypt/test/features/test-dnscrypt-proxy/plugins.feature

    r31742 r32055  
    55  Scenario: start the proxy with the no-op plugin
    66
    7     When I run `dnscrypt-proxy --test=0 -R dnscrypt.org-fr --plugin=libdcplugin_example.la`
     7    When I run `dnscrypt-proxy --test=0 -R random --plugin=libdcplugin_example.la`
    88    Then the output should contain:
    99    """
     
    1414  Scenario: start the proxy with the ldns_aaaa_blocking plugin
    1515
    16     When I run `dnscrypt-proxy --test=0 -R dnscrypt.org-fr --plugin=libdcplugin_example_ldns_aaaa_blocking.la`
     16    When I run `dnscrypt-proxy --test=0 -R random --plugin=libdcplugin_example_ldns_aaaa_blocking.la`
    1717    Then the output should contain:
    1818    """
  • src/router/dnscrypt/test/features/test-dnscrypt-proxy/small_udp_query.feature

    r31742 r32055  
    66 
    77    Given a working server proxy on 212.47.228.136
    8     And a running dnscrypt proxy with options "--edns-payload-size=0 -R dnscrypt.org-fr"
     8    And a running dnscrypt proxy with options "--edns-payload-size=0 -R random"
    99    When a client asks dnscrypt-proxy for "test-ff.dnscrypt.org"
    1010    Then dnscrypt-proxy returns "255.255.255.255"
     
    1313 
    1414    Given a working server proxy on 212.47.228.136
    15     And a running dnscrypt proxy with options "--edns-payload-size=0 -R dnscrypt.org-fr"
     15    And a running dnscrypt proxy with options "--edns-payload-size=0 -R random"
    1616    When a client asks dnscrypt-proxy for "test-nonexistent.dnscrypt.org"
    1717    Then dnscrypt-proxy returns a NXDOMAIN answer
  • src/router/dnscrypt/test/features/test-dnscrypt-proxy/static_keys.feature

    r31742 r32055  
    55  Scenario: start the daemon with both ephemeral and static keys
    66
    7     When I run `dnscrypt-proxy -R dnscrypt.org-fr --client-key=test-client.key --ephemeral-keys`
     7    When I run `dnscrypt-proxy -R random --client-key=test-client.key --ephemeral-keys`
    88    Then the output should contain:
    99    """
     
    1414  Scenario: start the daemon with a nonexistent static key kfile
    1515
    16     When I run `dnscrypt-proxy -R dnscrypt.org-fr --client-key=/nonexistent`
     16    When I run `dnscrypt-proxy -R random --client-key=/nonexistent`
    1717    Then the output should contain:
    1818    """
     
    2424
    2525    Given a working server proxy on 212.47.228.136
    26     And a running dnscrypt proxy with options "--edns-payload-size=0 -R dnscrypt.org-fr --client-key=test-client.key"
     26    And a running dnscrypt proxy with options "--edns-payload-size=0 -R random --client-key=test-client.key"
    2727    When a client asks dnscrypt-proxy for "test-ff.dnscrypt.org"
    2828    Then dnscrypt-proxy returns "255.255.255.255"
     
    3131
    3232    Given a working server proxy on 212.47.228.136
    33     And a running dnscrypt proxy with options "--edns-payload-size=0 -R dnscrypt.org-fr --client-key=test-client.key"
     33    And a running dnscrypt proxy with options "--edns-payload-size=0 -R random --client-key=test-client.key"
    3434    When a client asks dnscrypt-proxy for "test-nonexistent.dnscrypt.org"
    3535    Then dnscrypt-proxy returns a NXDOMAIN answer
  • src/router/dnscrypt/test/features/test-dnscrypt-proxy/tcp_fallback.feature

    r31742 r32055  
    88 
    99    Given a working server proxy on 212.47.228.136
    10     And a running dnscrypt proxy with options "--edns-payload-size=0 -R dnscrypt.org-fr"
     10    And a running dnscrypt proxy with options "--edns-payload-size=0 -R random"
    1111    When a client asks dnscrypt-proxy for "test-tcp.dnscrypt.org"
    1212    Then dnscrypt-proxy returns "127.0.0.1"