Add no_cookies option, update documentation for more instructions on privacy

doh-client/client.go

@@ -102,9 +102,11 @@ func NewClient(conf *config) (c *Client, err error) {
 	// Most CDNs require Cookie support to prevent DDoS attack.
 	// Disabling Cookie does not effectively prevent tracking,
 	// so I will leave it on to make anti-DDoS services happy.
-	c.cookieJar, err = cookiejar.New(nil)
-	if err != nil {
-		return nil, err
+	if !c.conf.NoCookies {
+		c.cookieJar, err = cookiejar.New(nil)
+		if err != nil {
+			return nil, err
+		}
 	}
 	c.httpClientMux = new(sync.RWMutex)
 	err = c.newHTTPClient()

doh-client/config.go

@@ -35,6 +35,7 @@ type config struct {
 	UpstreamIETF   []string `toml:"upstream_ietf"`
 	Bootstrap      []string `toml:"bootstrap"`
 	Timeout        uint     `toml:"timeout"`
+	NoCookies      bool     `toml:"no_cookies"`
 	NoECS          bool     `toml:"no_ecs"`
 	Verbose        bool     `toml:"verbose"`
 }

doh-client/doh-client.conf

@@ -4,28 +4,56 @@ listen = "127.0.0.1:53"
 # HTTP path for upstream resolver
 # If multiple servers are specified, a random one will be chosen each time.
 upstream_google = [
+
+    # Google's productive resolver, good ECS, bad DNSSEC
     "https://dns.google.com/resolve",
+
+    # CloudFlare's resolver, bad ECS, good DNSSEC
     #"https://cloudflare-dns.com/dns-query",
+
 ]
 upstream_ietf = [
+
+    # Google's experimental resolver, good ECS, good DNSSEC
     #"https://dns.google.com/experimental",
+
+    # CloudFlare's resolver, bad ECS, good DNSSEC
     #"https://cloudflare-dns.com/dns-query",
+
 ]
 
 # Bootstrap DNS server to resolve the address of the upstream resolver
 # If multiple servers are specified, a random one will be chosen each time.
 # If empty, use the system DNS settings.
 bootstrap = [
+
+    # Google's resolver, bad ECS, good DNSSEC
     "8.8.8.8:53",
     "8.8.4.4:53",
+
+    # CloudFlare's resolver, bad ECS, good DNSSEC
     #"1.1.1.1:53",
     #"1.0.0.1:53",
+
 ]
 
 # Timeout for upstream request
 timeout = 10
 
-# Disable EDNS0-Client-Subnet, do not send client's IP address
+# Disable HTTP Cookies
+#
+# Cookies may be useful if your upstream resolver is protected by some
+# anti-DDoS services to identify clients.
+# Note that DNS Cookies (an DNS protocol extension to DNS) also has the ability
+# to track uesrs and is not controlled by doh-client.
+no_cookies = false
+
+# Disable EDNS0-Client-Subnet (ECS)
+#
+# DNS-over-HTTPS supports EDNS0-Client-Subnet protocol, which submits part of
+# the client's IP address (/24 for IPv4, /48 for IPv6 by default) to the
+# upstream server. This is useful for GeoDNS and CDNs to work, and is exactly
+# the same configuration as most public DNS servers.
 no_ecs = false
 
 # Enable logging