fix relative path

update comments
move package.sh to contrib
2026-03-31 09:45:38 +00:00 · 2019-03-26 15:57:01 +08:00 · 2019-03-26 15:46:57 +08:00 · 2019-03-26 12:30:57 +08:00 · 2019-03-26 12:28:14 +08:00 · 2019-03-26 12:16:07 +08:00
38 changed files with 469 additions and 1558 deletions
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -1,37 +0,0 @@
 name: Go build for Linux
 on: [push, pull_request]
 jobs:
  build:
    name: Build
    runs-on: ubuntu-18.04
    steps:
    - name: Set up Go
      uses: actions/setup-go@v2
      with:
        go-version: 1.18
      id: go
    - name: Check out repository
      uses: actions/checkout@v2
    - name: Linux build
      run: |
        make
    - name: Upload Linux build
      uses: actions/upload-artifact@v2
      with:
        name: linux-amd64
        path: |
          doh-client/doh-client
          doh-server/doh-server
    - name: Cache
      uses: actions/cache@v2
      with:
        # A directory to store and save the cache
        path: ~/go/pkg/mod
        # An explicit key for restoring and saving the cache
        key: ${{ runner.os }}-${{ hashFiles('**/go.sum') }}
--- a/.gitignore
+++ b/.gitignore
@@ -3,9 +3,7 @@
 *.dll
 *.so
 *.dylib
-darwin-wrapper/doh-logger
+build/
 doh-client/doh-client
 doh-server/doh-server
 # Test binary, build with `go test -c`
 *.test
@@ -17,4 +15,3 @@ doh-server/doh-server
 .glide/
 .idea/
 vendor/
--- a/Changelog.md
+++ b/Changelog.md
@@ -4,71 +4,6 @@ This Changelog records major changes between versions.
 Not all changes are recorded. Please check git log for details.
 ## Version 2.3.1
 - No new features in this release
 - Bumped versions of Go toolchain and third-party dependencies, requested by #128
 ## Version 2.3.0
 - The repository now conforms to the Go semvar standard (Fixed #115, thanks to @leiless)
 ## Version 2.2.5
 - Add client certificate authentication
 - Fixing documentation related to Docker
 ## Version 2.2.4
 - Add options to configure ECS netmask length
 - Add an option to disable TLS verification (Note: dangerous)
 ## Version 2.2.3
 - Use the library ipTree to determine whether an IP is global routable, improving the performance
 - Google's 8.8.8.8 resolver is now marked as "Good ECS" in the example configuration file
 ## Version 2.2.2
 - Allow client to opt-out EDNS0 Client Support
 - [JSON-DoH] Honor DNSSEC OK flag for incoming DNS requests
 - [JSON-DoH] Add support for non-standard response formats
 - `X-Real-IP` is now used in logging if set by frontend load balancer
 - Fix documentation
 ## Version 2.2.1
 - Fix messy log
 ## Version 2.2.0
 - Breaking change: The configuration format of doh-server is changed
 - Add support for type prefix for upstream addresses of doh-server
 - Add support for DNS-over-TLS upstream addresses of doh-server
 - Remove `tcp_only` configuration option in doh-server
 - Add `no_user_agent` configuration option in doh-server
 - Add an RPM package script with SELinux policy
 - Fix Opcode never assigned in `jsonDNS.PrepareReply`
 - Improve error logging / checking
 - Updated Readme
 ## Version 2.1.2
 - Update address for google's resolver
 - Fix a typo
 ## Version 2.1.1
 - Add a set of Dockerfile contributed by the community
 - Include DNS.SB's resolver in example configuration
 ## Version 2.1.0
 - Add `local_addr` configuration for doh-server (#39)
 - Fix a problem when compiling on macOS 10.14.4 or newer
 - Add Quad9 DoH server to the example `doh-client.conf`
 - Use TCP when appropriate for the given query type/response (AXFR/IXFR)
 ## Version 2.0.1
 - Fix a crash with the random load balancing algorithm.
--- a/Dockerfile.client
+++ b/Dockerfile.client
@@ -1,23 +0,0 @@
 FROM golang:alpine AS build-env
 RUN apk add --no-cache git make
 WORKDIR /src
 ADD . /src
 RUN make doh-client/doh-client
 FROM alpine:latest
 COPY --from=build-env /src/doh-client/doh-client /doh-client
 ADD doh-client/doh-client.conf /doh-client.conf
 RUN sed -i '$!N;s/"127.0.0.1:53",.*"127.0.0.1:5380",/":53",/;P;D' /doh-client.conf
 RUN sed -i '$!N;s/"\[::1\]:53",.*"\[::1\]:5380",/":5380",/;P;D' /doh-client.conf
 EXPOSE 53/udp
 EXPOSE 53/tcp
 EXPOSE 5380
 ENTRYPOINT ["/doh-client"]
 CMD ["-conf", "/doh-client.conf"]
--- a/Dockerfile.server
+++ b/Dockerfile.server
@@ -1,20 +0,0 @@
 FROM golang:alpine AS build-env
 RUN apk add --no-cache git make
 WORKDIR /src
 ADD . /src
 RUN make doh-server/doh-server
 FROM alpine:latest
 COPY --from=build-env /src/doh-server/doh-server /doh-server
 ADD doh-server/doh-server.conf /doh-server.conf
 RUN sed -i '$!N;s/"127.0.0.1:8053",\s*"\[::1\]:8053",/":8053",/;P;D' /doh-server.conf
 EXPOSE 8053
 ENTRYPOINT ["/doh-server"]
 CMD ["-conf", "/doh-server.conf"]
--- a/15
+++ b/15
@@ -1,11 +1,15 @@
-.PHONY: all clean install uninstall
+.PHONY: all clean install uninstall deps
 PREFIX = /usr/local
 ifeq ($(GOROOT),)
 GOBUILD = go build
 GOGET = go get -d -v
 GOGET_UPDATE = go get -d -u -v
 else
 GOBUILD = $(GOROOT)/bin/go build
 GOGET = $(GOROOT)/bin/go get -d -v
 GOGET_UPDATE = $(GOROOT)/bin/go get -d -u -v
 endif
 ifeq ($(shell uname),Darwin)
@@ -53,8 +57,13 @@ uninstall:
 		$(MAKE) -C launchd uninstall "DESTDIR=$(DESTDIR)"; \
 	fi
-doh-client/doh-client: doh-client/client.go doh-client/config/config.go doh-client/google.go doh-client/ietf.go doh-client/main.go doh-client/version.go json-dns/error.go json-dns/globalip.go json-dns/marshal.go json-dns/response.go json-dns/unmarshal.go
+deps:
 	@# I am not sure if it is the correct way to keep the common library updated
 	$(GOGET_UPDATE) github.com/m13253/dns-over-https/json-dns
 	$(GOGET) ./doh-client ./doh-server
 doh-client/doh-client: deps doh-client/client.go doh-client/config/config.go doh-client/google.go doh-client/ietf.go doh-client/main.go doh-client/version.go json-dns/error.go json-dns/globalip.go json-dns/marshal.go json-dns/response.go json-dns/unmarshal.go
 	cd doh-client && $(GOBUILD)
-doh-server/doh-server: doh-server/config.go doh-server/google.go doh-server/ietf.go doh-server/main.go doh-server/server.go doh-server/version.go json-dns/error.go json-dns/globalip.go json-dns/marshal.go json-dns/response.go json-dns/unmarshal.go
+doh-server/doh-server: deps doh-server/config.go doh-server/google.go doh-server/ietf.go doh-server/main.go doh-server/server.go doh-server/version.go json-dns/error.go json-dns/globalip.go json-dns/marshal.go json-dns/response.go json-dns/unmarshal.go
 	cd doh-server && $(GOBUILD)
--- a/Readme.md
+++ b/Readme.md
@@ -4,68 +4,57 @@ DNS-over-HTTPS
 Client and server software to query DNS over HTTPS, using [Google DNS-over-HTTPS protocol](https://developers.google.com/speed/public-dns/docs/dns-over-https)
 and [IETF DNS-over-HTTPS (RFC 8484)](https://www.rfc-editor.org/rfc/rfc8484.txt).
-## Guides
+## Guide
- [Tutorial: Setup your own DNS-over-HTTPS (DoH) server](https://www.aaflalo.me/2018/10/tutorial-setup-dns-over-https-server/). (Thanks to Antoine Aflalo)
+[Tutorial to setup your own DNS-over-HTTPS (DoH) server](https://www.aaflalo.me/2018/10/tutorial-setup-dns-over-https-server/). (Thanks to Antoine Aflalo)
 - [Tutorial: Setup your own Docker based DNS-over-HTTPS (DoH) server](https://github.com/satishweb/docker-doh/blob/master/README.md). (Thanks to Satish Gaikwad)
 ## Installing
 ### From Source
 - Install [Go](https://golang.org), at least version 1.13. The newer the better.
 > Note for Debian/Ubuntu users: You need to set `$GOROOT` if you could not get your new version of Go selected by the Makefile.)
- First create an empty directory, used for `$GOPATH`:
+Install [Go](https://golang.org), at least version 1.10.
-```bash
+
-mkdir ~/gopath
+(Note for Debian/Ubuntu users: You need to set `$GOROOT` if you could not get your new version of Go selected by the Makefile.)
-export GOPATH=~/gopath
+
-```
+First create an empty directory, used for `$GOPATH`:
- To build the program, type:
+
-```bash
+    mkdir ~/gopath
-make
+    export GOPATH=~/gopath
-```
+
- To install DNS-over-HTTPS as Systemd services, type:
+To build the program, type:
-```bash
+
-sudo make install
+    make
-```
+
- By default, [Google DNS over HTTPS](https://dns.google.com) is used. It should
+To install DNS-over-HTTPS as Systemd services, type:
    sudo make install
 By default, [Google DNS over HTTPS](https://dns.google.com) is used. It should
 work for most users (except for People's Republic of China). If you need to
 modify the default settings, type:
 ```bash
 sudoedit /etc/dns-over-https/doh-client.conf
 ```
 - To automatically start DNS-over-HTTPS client as a system service, type:
 ```bash
 sudo systemctl start doh-client.service
 sudo systemctl enable doh-client.service
 ```
 - Then, modify your DNS settings (usually with NetworkManager) to 127.0.0.1.
- To test your configuration, type:
+    sudoedit /etc/dns-over-https/doh-client.conf
 ```bash
 dig www.google.com
 Output:
 ;; SERVER: 127.0.0.1#53(127.0.0.1)
 ```
 #### Uninstall
- To uninstall, type:
+To automatically start DNS-over-HTTPS client as a system service, type:
 ```bash
 sudo make uninstall
 ```
 > Note: The configuration files are kept at `/etc/dns-over-https`. Remove them manually if you want.
-### Using docker image
+    sudo systemctl start doh-client.service
-```bash
+    sudo systemctl enable doh-client.service
-docker run -d --name doh-server \
+
-  -p 8053:8053 \
+Then, modify your DNS settings (usually with NetworkManager) to 127.0.0.1.
-  -e UPSTREAM_DNS_SERVER="udp:8.8.8.8:53" \
+
-  -e DOH_HTTP_PREFIX="/dns-query" \
+To test your configuration, type:
-  -e DOH_SERVER_LISTEN=":8053" \
+
-  -e DOH_SERVER_TIMEOUT="10" \
+    dig www.google.com
-  -e DOH_SERVER_TRIES="3" \
+
-  -e DOH_SERVER_VERBOSE="false" \
+If it is OK, you will wee:
-  satishweb/doh-server
+
-```
+    ;; SERVER: 127.0.0.1#53(127.0.0.1)
 ### Uninstalling
 To uninstall, type:
    sudo make uninstall
 The configuration files are kept at `/etc/dns-over-https`. Remove them manually if you want.
 ## Server Configuration
@@ -90,209 +79,12 @@ you can host DNS-over-HTTPS along with other HTTPS services.
 HTTP/2 with at least TLS v1.3 is recommended. OCSP stapling must be enabled,
 otherwise DNS recursion may happen.
 ### Configuration file
 The main configuration file is `doh-client.conf`.
 **Server selectors.** If several upstream servers are set, one is selected according to `upstream_selector` for each request. With `upstream_selector = "random"`, a random upstream server will be chosen for each request.
 ```toml
 # available selector: random (default) or weighted_round_robin or lvs_weighted_round_robin
 upstream_selector = "random"
 ```
 ### Example configuration: Apache
 ```bash
 SSLProtocol TLSv1.2
 SSLHonorCipherOrder On
 SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS:!eNULL:!EXP:!LOW:!MD5
 SSLUseStapling on
 SSLStaplingCache shmcb:/var/lib/apache2/stapling_cache(512000)
 <VirtualHost *:443>
    ServerName MY_SERVER_NAME
    Protocols h2 http/1.1
    ProxyPass /dns-query http://[::1]:8053/dns-query
    ProxyPassReverse /dns-query http://[::1]:8053/dns-query
 </VirtualHost>
 ```
 (Credit: [Joan Moreau](https://github.com/m13253/dns-over-https/issues/51#issuecomment-526820884))
 ### Example configuration: Nginx
 ```bash
 server {
  listen       443 ssl http2 default_server;
  listen       [::]:443 ssl http2 default_server;
  server_name  MY_SERVER_NAME;
  server_tokens off;
  ssl_protocols TLSv1.2 TLSv1.3;          # TLS 1.3 requires nginx >= 1.13.0
  ssl_prefer_server_ciphers on;
  ssl_dhparam /etc/nginx/dhparam.pem;     # openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096
  ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
  ssl_ecdh_curve secp384r1;               # Requires nginx >= 1.1.0
  ssl_session_timeout  10m;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;                # Requires nginx >= 1.5.9
  ssl_stapling on;                        # Requires nginx >= 1.3.7
  ssl_stapling_verify on;                 # Requires nginx => 1.3.7
  ssl_early_data off;                     # 0-RTT, enable if desired - Requires nginx >= 1.15.4
  resolver 1.1.1.1 valid=300s;            # Replace with your local resolver
  resolver_timeout 5s;
  # HTTP Security Headers
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  add_header Strict-Transport-Security "max-age=63072000";
  ssl_certificate /path/to/your/server/certificates/fullchain.pem;
  ssl_certificate_key /path/to/your/server/certificates/privkey.pem;
  location /dns-query {
    proxy_pass       http://localhost:8053/dns-query;
    proxy_set_header Host      $host;
    proxy_set_header X-Real-IP $remote_addr;
  }
 }
 ```
 (Credit: [Cipherli.st](https://cipherli.st/))
 ### Example configuration: Caddy (v2)
 ```bash
 my.server.name {
        reverse_proxy * localhost:8053
        tls your@email.address
        try_files {path} {path}/index.php /index.php?{query}
 }
 ```
 ### Example configuration: Docker Compose + Traefik + Unbound (Raspberry Pi/Linux/Mac) [linux/amd64,linux/arm64,linux/arm/v7]
 ```yaml
 version: '2.2'
 networks:
  default:
 services:
  proxy:
    # The official v2 Traefik docker image
    image: traefik:v2.3
    hostname: proxy
    networks:
      - default
    environment:
      TRAEFIK_ACCESSLOG: "true"
      TRAEFIK_API: "true"
      TRAEFIK_PROVIDERS_DOCKER: "true"
      TRAEFIK_API_INSECURE: "true"
      TRAEFIK_PROVIDERS_DOCKER_NETWORK: "${STACK}_default"
      # DNS provider specific environment variables for DNS Challenge using route53 (AWS)
      AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID}
      AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}
      AWS_REGION: ${AWS_REGION}
      AWS_HOSTED_ZONE_ID: ${AWS_HOSTED_ZONE_ID}
    ports:
      # The HTTP port
      - "80:80"
      # The HTTPS port
      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"
    command:
      #- "--log.level=DEBUG"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
      # Providers list:
      #  https://docs.traefik.io/https/acme/#providers
      #  https://go-acme.github.io/lego/dns/
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=route53"
      # Enable below line to use staging letsencrypt server.
      #- "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.letsencrypt.acme.email=${EMAIL}"
      - "--certificatesresolvers.letsencrypt.acme.storage=/certs/acme.json"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data/proxy/certs:/certs
  doh-server:
    image: satishweb/doh-server:latest
    hostname: doh-server
    networks:
      - default
    environment:
      # Enable below line to see more logs
      # DEBUG: "1"
      UPSTREAM_DNS_SERVER: "udp:unbound:53"
      DOH_HTTP_PREFIX: "${DOH_HTTP_PREFIX}"
      DOH_SERVER_LISTEN: ":${DOH_SERVER_LISTEN}"
      DOH_SERVER_TIMEOUT: "10"
      DOH_SERVER_TRIES: "3"
      DOH_SERVER_VERBOSE: "false"
    #volumes:
      # - ./doh-server.conf:/server/doh-server.conf
      # - ./app-config:/app-config
    depends_on:
      - unbound
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.doh-server.rule=Host(`${SUBDOMAIN}.${DOMAIN}`) && Path(`${DOH_HTTP_PREFIX}`)"
      - "traefik.http.services.doh-server.loadbalancer.server.port=${DOH_SERVER_LISTEN}"
      - "traefik.http.middlewares.mw-doh-compression.compress=true"
      - "traefik.http.routers.doh-server.tls=true"
      - "traefik.http.middlewares.mw-doh-tls.headers.sslredirect=true"
      - "traefik.http.middlewares.mw-doh-tls.headers.sslforcehost=true"
      - "traefik.http.routers.doh-server.tls.certresolver=letsencrypt"
      - "traefik.http.routers.doh-server.tls.domains[0].main=${DOMAIN}"
      - "traefik.http.routers.doh-server.tls.domains[0].sans=${SUBDOMAIN}.${DOMAIN}"
      # Protection from requests flood
      - "traefik.http.middlewares.mw-doh-ratelimit.ratelimit.average=100"
      - "traefik.http.middlewares.mw-doh-ratelimit.ratelimit.burst=50"
      - "traefik.http.middlewares.mw-doh-ratelimit.ratelimit.period=10s"
  unbound:
    image: satishweb/unbound:latest
    hostname: unbound
    networks:
      - default
    ports:
      # Disable these ports if DOH server is the only client
      - 53:53/tcp
      - 53:53/udp
    volumes:
      - ./unbound.sample.conf:/templates/unbound.sample.conf
      - ./data/unbound/custom:/etc/unbound/custom
      # Keep your custom.hosts file inside custom folder
    #environment:
    #  DEBUG: "1"
 ````
 > Complete Guide available at: https://github.com/satishweb/docker-doh
 > IPV6 Support for Docker Compose based configuration TBA
 ### Example configuration: DNS-over-TLS
 There is no native [DNS-over-TLS](https://en.wikipedia.org/wiki/DNS_over_TLS) support but you can easily add it via nginx:
 ```
 stream {
    server {
        listen                  *:853 ssl;
        proxy_pass              ipofyourdnsresolver:port  #127.0.0.1:53
    }
    ssl_certificate /etc/letsencrypt/live/site.yourdomain/fullchain.pem; 
    ssl_certificate_key /etc/letsencrypt/live/site.yourdomain/privkey.pem; 
 }
 ```
 The DoT service can also be provided by running a [STunnel](https://www.stunnel.org/) instance to wrap dnsmasq (or any other resolver of your choice, listening on a TCP port);
 this approach does not need a stand-alone daemon to provide the DoT service.
 ## DNSSEC
 DNS-over-HTTPS is compatible with DNSSEC, and requests DNSSEC signatures by
 default. However signature validation is not built-in. It is highly recommended
 that you install `unbound` or `bind` and pass results for them to validate DNS
-records. An instance of [Pi Hole](https://pi-hole.net) could also be used to validate DNS signatures as well as provide other capabilities.
+records.
 ## EDNS0-Client-Subnet (GeoDNS)
--- a/contrib/package.sh
+++ b/contrib/package.sh
@@ -0,0 +1,173 @@
 #!/bin/bash 
 set -euo pipefail
 # This is a script used for automated packaging.
 # Debian maintainers please don't use this.
 # 
 # Environment assumption:
 #  * Ubuntu 16.04
 #  * run with normal user
 #  * sudo with no password
 #  * go and fpm is pre-installed
 #  * rpmbuild is required if you need rpm packages
 #
 # Compatible with Azure DevOps hosted Ubuntu 16.04 agent
 export DEBIAN_FRONTEND="noninteractive"
 export DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"/..
 export BUILD_BINARIESDIRECTORY="${BUILD_BINARIESDIRECTORY:-${DIR}/build/bin}"
 export BUILD_ARTIFACTSTAGINGDIRECTORY="${BUILD_ARTIFACTSTAGINGDIRECTORY:-${DIR}/build/packages}"
 export TMP_DIRECTORY="/tmp/dohbuild"
 export GOPATH="${GOPATH:-/tmp/go}"
 export GOBIN="${GOBIN:-/tmp/go/bin}"
 function prepare_env() {
    echo "Checking dependencies"
    if ! [ -x "$(command -v go)" ]; then
        echo "Please install golang"
        exit 1
    fi
    if [ -x "$(command -v apt-get)" ]; then
        sudo apt-get -y update
    fi
    if ! [ -x "$(command -v rpmbuild)" ]; then
        # TODO: correctly install rpmbuild
        ! sudo apt-get -y install rpmbuild
    fi
    # if ! [ -x "$(command -v upx)" ]; then
    #     sudo apt-get -y install upx
    # fi
    echo "Creating directories"
    mkdir -p "${BUILD_BINARIESDIRECTORY}/nm-dispatcher"
    mkdir -p "${BUILD_BINARIESDIRECTORY}/launchd"
    mkdir -p "${BUILD_BINARIESDIRECTORY}/systemd"
    mkdir -p "${BUILD_BINARIESDIRECTORY}/config"
    mkdir -p "${BUILD_ARTIFACTSTAGINGDIRECTORY}"
    mkdir -p "${TMP_DIRECTORY}"
 }
 function build_common() {
    cp NetworkManager/dispatcher.d/* "${BUILD_BINARIESDIRECTORY}"/nm-dispatcher
    cp launchd/*.plist "${BUILD_BINARIESDIRECTORY}"/launchd
    cp systemd/*.service "${BUILD_BINARIESDIRECTORY}"/systemd
    cp doh-server/doh-server.conf "${BUILD_BINARIESDIRECTORY}"/config
    cp doh-client/doh-client.conf "${BUILD_BINARIESDIRECTORY}"/config
 }
 # used to get version
 function build_native() {
    echo "Building a native binary..."
    go build -ldflags="-s -w" -o ${BUILD_BINARIESDIRECTORY}/"${EXE}"-native
 }
 function build() {
    echo "Building ${EXE} for OS=$1 ARCH=$2"
    env GOOS="$1" GOARCH="$2" go build -ldflags="-s -w" -o ${BUILD_BINARIESDIRECTORY}/"${EXE}"-"$3"
    # echo "Compressing executable"
    # ! upx --ultra-brute ${BUILD_BINARIESDIRECTORY}/${EXE}-"$3" || true
 }
 function package() {
    VERSION=$("${BUILD_BINARIESDIRECTORY}/${EXE}-native" --version | head -n 1 | cut -d" " -f2)
    REVISION=$(git log --pretty=format:'%h' -n 1)
    echo "Packaging ${EXE} ${VERSION} for OS=$1 ARCH=$2 TYPE=$3 DST=$4"
    ! rm -rf "${TMP_DIRECTORY}"/*
    mkdir -p "${TMP_DIRECTORY}"/usr/bin
    cp "${BUILD_BINARIESDIRECTORY}"/"${EXE}"-"$3" "${TMP_DIRECTORY}"/usr/bin/"${EXE}"
    mkdir -p "${TMP_DIRECTORY}"/usr/lib/systemd/system
    cp "${BUILD_BINARIESDIRECTORY}"/systemd/"${EXE}".service "${TMP_DIRECTORY}"/usr/lib/systemd/system
    mkdir -p "${TMP_DIRECTORY}"/etc/dns-over-https
    cp "${BUILD_BINARIESDIRECTORY}"/config/"${EXE}".conf "${TMP_DIRECTORY}"/etc/dns-over-https
    mkdir -p "${TMP_DIRECTORY}"/etc/NetworkManager/dispatcher.d
    cp "${BUILD_BINARIESDIRECTORY}"/nm-dispatcher/"${EXE}" "${TMP_DIRECTORY}"/etc/NetworkManager/dispatcher.d
    # call fpm
    fpm --input-type dir \
        --output-type $4 \
        --chdir "${TMP_DIRECTORY}" \
        --package "${BUILD_ARTIFACTSTAGINGDIRECTORY}" \
        --name "${EXE}" \
        --description "${DESCR}" \
        --version "${VERSION}" \
        --iteration "${REVISION}" \
        --url "https://github.com/m13253/dns-over-https" \
        --vendor "Star Brilliant <coder@poorlab.com>" \
        --license "MIT License" \
        --category "net" \
        --maintainer "James Swineson <autopkg@public.swineson.me>" \
        --architecture "$2" \
        --force \
        .
 }
 cd "${DIR}"/..
 prepare_env
 make deps
 build_common
 pushd doh-server
 export EXE="doh-server"
 export DESCR="DNS-over-HTTPS Server"
 build_native
 build linux amd64 linux-amd64
 package linux amd64 linux-amd64 deb
 ! package linux amd64 linux-amd64 rpm
 package linux amd64 linux-amd64 pacman
 build linux arm linux-armhf
 package linux arm linux-armhf deb
 ! package linux arm linux-armhf rpm
 package linux arm linux-armhf pacman
 build linux arm64 linux-arm64
 package linux arm64 linux-arm64 deb
 ! package linux arm64 linux-arm64 rpm
 package linux arm64 linux-arm64 pacman
 # build darwin amd64 darwin-amd64
 # build windows 386 windows-x86.exe
 # build windows amd64 windows-amd64.exe
 popd
 pushd doh-client
 export EXE="doh-client"
 export DESCR="DNS-over-HTTPS Client"
 build_native
 build linux amd64 linux-amd64
 package linux amd64 linux-amd64 deb
 ! package linux amd64 linux-amd64 rpm
 package linux amd64 linux-amd64 pacman
 build linux arm linux-armhf
 package linux arm linux-armhf deb
 ! package linux arm linux-armhf rpm
 package linux arm linux-armhf pacman
 build linux arm64 linux-arm64
 package linux arm64 linux-arm64 deb
 ! package linux arm64 linux-arm64 rpm
 package linux arm64 linux-arm64 pacman
 # build darwin amd64 darwin-amd64
 # build windows 386 windows-x86.exe
 # build windows amd64 windows-amd64.exe
 popd
--- a/contrib/rpm/dns-over-https-2.1.2-systemd.patch
+++ b/contrib/rpm/dns-over-https-2.1.2-systemd.patch
@@ -1,36 +0,0 @@
 diff -Naur dns-over-https-2.1.2.org/systemd/doh-client.service dns-over-https-2.1.2/systemd/doh-client.service
 --- dns-over-https-2.1.2.org/systemd/doh-client.service	2019-09-10 12:08:35.177574074 +0200
 +++ dns-over-https-2.1.2/systemd/doh-client.service	2019-09-10 12:10:05.473700374 +0200
@@ -7,12 +7,12 @@
 [Service]
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 -ExecStart=/usr/local/bin/doh-client -conf /etc/dns-over-https/doh-client.conf
 +ExecStart=/usr/bin/doh-client -conf /etc/dns-over-https/doh-client.conf
 LimitNOFILE=1048576
 Restart=always
 RestartSec=3
 Type=simple
 -User=nobody
 +User=doh-client
 [Install]
 WantedBy=multi-user.target
 diff -Naur dns-over-https-2.1.2.org/systemd/doh-server.service dns-over-https-2.1.2/systemd/doh-server.service
 --- dns-over-https-2.1.2.org/systemd/doh-server.service	2019-09-10 12:08:35.177574074 +0200
 +++ dns-over-https-2.1.2/systemd/doh-server.service	2019-09-10 12:10:20.980273992 +0200
@@ -5,12 +5,12 @@
 [Service]
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 -ExecStart=/usr/local/bin/doh-server -conf /etc/dns-over-https/doh-server.conf
 +ExecStart=/usr/bin/doh-server -conf /etc/dns-over-https/doh-server.conf
 LimitNOFILE=1048576
 Restart=always
 RestartSec=3
 Type=simple
 -User=nobody
 +User=doh-server
 [Install]
 WantedBy=multi-user.target
--- a/contrib/rpm/doh.spec
+++ b/contrib/rpm/doh.spec
@@ -1,240 +0,0 @@
 # vim: tabstop=4 shiftwidth=4 expandtab
 %global _hardened_build 1
 # Debug package is empty anyway
 %define debug_package %{nil}
 %global _release        1
 %global provider        github
 %global provider_tld    com
 %global project         m13253
 %global repo            dns-over-https
 %global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
 %global import_path     %{provider_prefix}
 #define commit          984df34ca7b45897ecb5871791e398cc160a4b93
 %if 0%{?commit:1}
 %define shortcommit     %(c=%{commit}; echo ${c:0:7})
 %define _date           %(date +'%%Y%%m%%dT%%H%%M%%S')
 %endif
 %define rand_id         %(head -c20 /dev/urandom|od -An -tx1|tr -d '[[:space:]]')
 %if ! 0%{?gobuild:1}
 %define gobuild(o:) go build -ldflags "${LDFLAGS:-} -B 0x%{rand_id}" -a -v -x %{?**};
 %endif
 %if ! 0%{?gotest:1}
 %define gotest() go test -ldflags "${LDFLAGS:-}" %{?**}
 %endif
 Name:           %{repo}
 Version:        2.1.2
 %if 0%{?commit:1}
 Release:    %{_release}.git%{shortcommit}.%{_date}%{?dist}
 Source0:        https://%{import_path}/archive/%{commit}.tar.gz
 %else
 Release:        %{_release}%{?dist}
 Source0:        https://%{import_path}/archive/v%{version}.tar.gz
 %endif
 Patch0:         %{name}-%{version}-systemd.patch
 Summary:        High performance DNS over HTTPS client & server
 License:        MIT
 URL:            https://github.com/m13253/dns-over-https
 # e.g. el6 has ppc64 arch without gcc-go, so EA tag is required
 # If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
 #BuildRequires:  %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang} >= 1.10
 BuildRequires:  golang >= 1.10
 BuildRequires:  systemd
 BuildRequires:  upx
 %description
 %{summary}
 %package common
 BuildArch: noarch
 Summary: %{summary} - common files
 %description common
 %{summary}
 %package server
 ExclusiveArch:  %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 %{arm}}
 Summary: %{summary} - Server
 Requires(pre):          shadow-utils
 Requires(post):         systemd
 Requires(preun):        systemd
 Requires(postun):       systemd
 %description server
 %{summary}
 %package client
 ExclusiveArch:  %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 %{arm}}
 Summary: %{summary} - Client
 Requires(pre):          shadow-utils
 Requires(post):         systemd
 Requires(preun):        systemd
 Requires(postun):       systemd
 %description client
 %{summary}
 %package selinux
 BuildArch:      noarch
 Source3:        doh_server.fc
 Source4:        doh_server.if
 Source5:        doh_server.te
 Source6:        doh_client.fc
 Source7:        doh_client.if
 Source8:        doh_client.te
 BuildRequires:  selinux-policy
 BuildRequires:  selinux-policy-devel
 Requires:       %{name}
 Requires(post):     policycoreutils
 Requires(post):     policycoreutils-python 
 Requires(postun):   policycoreutils
 Summary: SELinux policy for %{name}
 %description selinux
 %summary
 %prep
 %if 0%{?commit:1}
 %autosetup -n %{name}-%{commit} -p1
 %else
 %autosetup -n %{name}-%{version} -p1
 %endif
 mkdir -p selinux
 cp %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE7} %{SOURCE8} selinux
 %build
 cd selinux
 make -f /usr/share/selinux/devel/Makefile doh_server.pp doh_client.pp || exit
 cd -
 %set_build_flags
 %make_build \
    PREFIX=%{_prefix} \
    GOBUILD="go build -ldflags \"-s -w -B 0x%{rand_id}\" -a -v -x"
 %install
 %make_install \
    PREFIX=%{_prefix}
 install -Dpm 0600 selinux/doh_server.pp %{buildroot}%{_datadir}/selinux/packages/doh_server.pp
 install -Dpm 0644 selinux/doh_server.if %{buildroot}%{_datadir}/selinux/devel/include/contrib/doh_server.if
 install -Dpm 0600 selinux/doh_client.pp %{buildroot}%{_datadir}/selinux/packages/doh_client.pp
 install -Dpm 0644 selinux/doh_client.if %{buildroot}%{_datadir}/selinux/devel/include/contrib/doh_client.if
 mkdir -p %{buildroot}%{_docdir}/%{name}
 mv %{buildroot}%{_sysconfdir}/%{name}/*.example %{buildroot}%{_docdir}/%{name}
 mkdir -p %{buildroot}%{_libdir}
 mv %{buildroot}%{_sysconfdir}/NetworkManager %{buildroot}%{_libdir}/
 for i in $(find %{_buildroot}%{_bindir} -type f)
 do
    upx $i
 done
 %files common
 %license LICENSE
 %doc Changelog.md Readme.md
 %files server
 %{_libdir}/NetworkManager/dispatcher.d/doh-server
 %{_docdir}/%{name}/doh-server.conf.example
 %config(noreplace) %{_sysconfdir}/%{name}/doh-server.conf
 %{_bindir}/doh-server
 %{_unitdir}/doh-server.service
 %files client
 %{_libdir}/NetworkManager/dispatcher.d/doh-client
 %{_docdir}/%{name}/doh-client.conf.example
 %config(noreplace) %{_sysconfdir}/%{name}/doh-client.conf
 %{_bindir}/doh-client
 %{_unitdir}/doh-client.service
 %pre server
 test -d %{_sharedstatedir}/home || mkdir -p %{_sharedstatedir}/home
 getent group doh-server > /dev/null || groupadd -r doh-server
 getent passwd doh-server > /dev/null || \
    useradd -r -d %{_sharedstatedir}/home/doh-server -g doh-server \
    -s /sbin/nologin -c "%{name} - server" doh-server
 exit 0
 %pre client
 test -d %{_sharedstatedir}/home || mkdir -p %{_sharedstatedir}/home
 getent group doh-client > /dev/null || groupadd -r doh-client
 getent passwd doh-client > /dev/null || \
    useradd -r -d %{_sharedstatedir}/home/doh-client -g doh-client \
    -s /sbin/nologin -c "%{name} - client" doh-client
 exit 0
 %post server
 %systemd_post doh-server.service
 %preun server
 %systemd_preun doh-server.service
 %postun server
 %systemd_postun_with_restart doh-server.service
 %post client
 %systemd_post doh-client.service
 %preun client
 %systemd_preun doh-client.service
 %postun client
 %systemd_postun_with_restart doh-client.service
 %files selinux
 %{_datadir}/selinux/packages/doh_server.pp
 %{_datadir}/selinux/devel/include/contrib/doh_server.if
 %{_datadir}/selinux/packages/doh_client.pp
 %{_datadir}/selinux/devel/include/contrib/doh_client.if
 %post selinux
 semodule -n -i %{_datadir}/selinux/packages/doh_server.pp
 semodule -n -i %{_datadir}/selinux/packages/doh_client.pp
 if /usr/sbin/selinuxenabled ; then
    /usr/sbin/load_policy
    /usr/sbin/fixfiles -R %{name}-server restore
    /usr/sbin/fixfiles -R %{name}-client restore
 fi;
 semanage -i - << __eof
 port -a -t doh_server_port_t -p tcp "8053"
 port -a -t doh_client_port_t -p udp "5380"
 __eof
 exit 0
 %postun selinux
 if [ $1 -eq 0 ]; then
    semanage -i - << __eof
 port -d -t doh_server_port_t -p tcp "8053"
 port -d -t doh_client_port_t -p udp "5380"
 __eof
    semodule -n -r doh_server
    semodule -n -r doh_client
    if /usr/sbin/selinuxenabled ; then
       /usr/sbin/load_policy
       /usr/sbin/fixfiles -R %{name}-server restore
       /usr/sbin/fixfiles -R %{name}-client restore
    fi;
 fi;
 exit 0
 %changelog
 * Tue Sep 10 2019 fuero <fuerob@gmail.com> 2.1.2-1
 - initial package
--- a/contrib/rpm/doh_client.fc
+++ b/contrib/rpm/doh_client.fc
@@ -1,2 +0,0 @@
 /usr/bin/doh-client					--	gen_context(system_u:object_r:doh_client_exec_t,s0)
 /usr/lib/systemd/system/doh-client.service		--	gen_context(system_u:object_r:doh_client_unit_file_t,s0)
--- a/contrib/rpm/doh_client.if
+++ b/contrib/rpm/doh_client.if
@@ -1,103 +0,0 @@
 ## <summary>policy for doh_client</summary>
 ########################################
 ## <summary>
 ##	Execute doh_client_exec_t in the doh_client domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
 ##	Domain allowed to transition.
 ## </summary>
 ## </param>
 #
 interface(`doh_client_domtrans',`
 	gen_require(`
 		type doh_client_t, doh_client_exec_t;
 	')
 	corecmd_search_bin($1)
 	domtrans_pattern($1, doh_client_exec_t, doh_client_t)
 ')
 ######################################
 ## <summary>
 ##	Execute doh_client in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`doh_client_exec',`
 	gen_require(`
 		type doh_client_exec_t;
 	')
 	corecmd_search_bin($1)
 	can_exec($1, doh_client_exec_t)
 ')
 ########################################
 ## <summary>
 ##	Execute doh_client server in the doh_client domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
 interface(`doh_client_systemctl',`
 	gen_require(`
 		type doh_client_t;
 		type doh_client_unit_file_t;
 	')
 	systemd_exec_systemctl($1)
        systemd_read_fifo_file_passwd_run($1)
 	allow $1 doh_client_unit_file_t:file read_file_perms;
 	allow $1 doh_client_unit_file_t:service manage_service_perms;
 	ps_process_pattern($1, doh_client_t)
 ')
 ########################################
 ## <summary>
 ##	All of the rules required to administrate
 ##	an doh_client environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
 ##	<summary>
 ##	Role allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`doh_client_admin',`
 	gen_require(`
 		type doh_client_t;
 	type doh_client_unit_file_t;
 	')
 	allow $1 doh_client_t:process { signal_perms };
 	ps_process_pattern($1, doh_client_t)
    tunable_policy(`deny_ptrace',`',`
        allow $1 doh_client_t:process ptrace;
    ')
 	doh_client_systemctl($1)
 	admin_pattern($1, doh_client_unit_file_t)
 	allow $1 doh_client_unit_file_t:service all_service_perms;
 	optional_policy(`
 		systemd_passwd_agent_exec($1)
 		systemd_read_fifo_file_passwd_run($1)
 	')
 ')
--- a/contrib/rpm/doh_client.te
+++ b/contrib/rpm/doh_client.te
@@ -1,49 +0,0 @@
 policy_module(doh_client, 1.0.0)
 ########################################
 #
 # Declarations
 #
 type doh_client_t;
 type doh_client_exec_t;
 init_daemon_domain(doh_client_t, doh_client_exec_t)
 type doh_client_port_t;
 corenet_port(doh_client_port_t)
 type doh_client_unit_file_t;
 systemd_unit_file(doh_client_unit_file_t)
 ########################################
 #
 # doh_client local policy
 #
 allow doh_client_t self:fifo_file rw_fifo_file_perms;
 allow doh_client_t self:unix_stream_socket create_stream_socket_perms;
 allow doh_client_t self:capability net_bind_service;
 allow doh_client_t self:process execmem;
 allow doh_client_t self:tcp_socket { accept bind connect create getattr getopt listen read setopt write };
 allow doh_client_t self:udp_socket { bind connect create getattr read setopt write };
 allow doh_client_t doh_client_exec_t:file execmod;
 allow doh_client_t doh_client_port_t:tcp_socket name_bind;
 corenet_tcp_bind_dns_port(doh_client_t)
 corenet_tcp_bind_generic_node(doh_client_t)
 corenet_tcp_connect_http_port(doh_client_t)
 corenet_udp_bind_dns_port(doh_client_t)
 corenet_udp_bind_generic_node(doh_client_t)
 corenet_udp_bind_generic_port(doh_client_t)
 kernel_read_net_sysctls(doh_client_t)
 kernel_search_network_sysctl(doh_client_t)
 miscfiles_read_certs(doh_client_t)
 sysnet_read_config(doh_client_t)
 domain_use_interactive_fds(doh_client_t)
 files_read_etc_files(doh_client_t)
 miscfiles_read_localization(doh_client_t)
--- a/contrib/rpm/doh_server.fc
+++ b/contrib/rpm/doh_server.fc
@@ -1,2 +0,0 @@
 /usr/bin/doh-server					--	gen_context(system_u:object_r:doh_server_exec_t,s0)
 /usr/lib/systemd/system/doh-server.service		--	gen_context(system_u:object_r:doh_server_unit_file_t,s0)
--- a/contrib/rpm/doh_server.if
+++ b/contrib/rpm/doh_server.if
@@ -1,122 +0,0 @@
 ## <summary>policy for doh_server</summary>
 ########################################
 ## <summary>
 ##	Execute doh_server_exec_t in the doh_server domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
 ##	Domain allowed to transition.
 ## </summary>
 ## </param>
 #
 interface(`doh_server_domtrans',`
 	gen_require(`
 		type doh_server_t, doh_server_exec_t;
 	')
 	corecmd_search_bin($1)
 	domtrans_pattern($1, doh_server_exec_t, doh_server_t)
 ')
 ######################################
 ## <summary>
 ##	Execute doh_server in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`doh_server_exec',`
 	gen_require(`
 		type doh_server_exec_t;
 	')
 	corecmd_search_bin($1)
 	can_exec($1, doh_server_exec_t)
 ')
 ########################################
 ## <summary>
 ##	Execute doh_server server in the doh_server domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed to transition.
 ##	</summary>
 ## </param>
 #
 interface(`doh_server_systemctl',`
 	gen_require(`
 		type doh_server_t;
 		type doh_server_unit_file_t;
 	')
 	systemd_exec_systemctl($1)
        systemd_read_fifo_file_passwd_run($1)
 	allow $1 doh_server_unit_file_t:file read_file_perms;
 	allow $1 doh_server_unit_file_t:service manage_service_perms;
 	ps_process_pattern($1, doh_server_t)
 ')
 ########################################
 ## <summary>
 ##	All of the rules required to administrate
 ##	an doh_server environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
 ##	<summary>
 ##	Role allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`doh_server_admin',`
 	gen_require(`
 		type doh_server_t;
 	type doh_server_unit_file_t;
 	')
 	allow $1 doh_server_t:process { signal_perms };
 	ps_process_pattern($1, doh_server_t)
    tunable_policy(`deny_ptrace',`',`
        allow $1 doh_server_t:process ptrace;
    ')
 	doh_server_systemctl($1)
 	admin_pattern($1, doh_server_unit_file_t)
 	allow $1 doh_server_unit_file_t:service all_service_perms;
 	optional_policy(`
 		systemd_passwd_agent_exec($1)
 		systemd_read_fifo_file_passwd_run($1)
 	')
 ')
 ########################################
 ## <summary>
 ##      Make a TCP connection to the vault_ocsp_responder port.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`doh_server_connect',`
        gen_require(`
                type doh_server_port_t;
 		type $1;
        ')
        allow $1 doh_server_port_t:tcp_socket name_connect;
 ')
--- a/contrib/rpm/doh_server.te
+++ b/contrib/rpm/doh_server.te
@@ -1,42 +0,0 @@
 policy_module(doh_server, 1.0.0)
 require {
 	class process execmem;
 	class tcp_socket { accept bind create read write getattr listen setopt connect getopt };
 	class udp_socket { connect create getattr setopt read write };
 	class file execmod;
 }
 type doh_server_t;
 type doh_server_exec_t;
 init_daemon_domain(doh_server_t, doh_server_exec_t)
 type doh_server_port_t;
 corenet_port(doh_server_port_t)
 type doh_server_unit_file_t;
 systemd_unit_file(doh_server_unit_file_t)
 allow doh_server_t self:fifo_file rw_fifo_file_perms;
 allow doh_server_t self:unix_stream_socket create_stream_socket_perms;
 allow doh_server_t self:process execmem;
 allow doh_server_t self:tcp_socket { accept read write bind create getattr listen setopt connect getopt};
 allow doh_server_t self:udp_socket { connect create getattr setopt read write };
 allow doh_server_t doh_server_exec_t:file execmod;
 allow doh_server_t doh_server_port_t:tcp_socket name_bind;
 domain_use_interactive_fds(doh_server_t)
 files_read_etc_files(doh_server_t)
 corenet_tcp_bind_generic_node(doh_server_t)
 corenet_tcp_connect_dns_port(doh_server_t)
 doh_server_connect(httpd_t)
 kernel_read_net_sysctls(doh_server_t)
 kernel_search_network_sysctl(doh_server_t)
 miscfiles_read_localization(doh_server_t)
--- a/darwin-wrapper/Makefile
+++ b/darwin-wrapper/Makefile
@@ -6,7 +6,7 @@ PREFIX = /usr/local
 all: doh-logger
 doh-logger: doh-logger.swift
-	$(SWIFTC) -o $@ -O $<
+	$(SWIFTC) -o $@ -O -static-stdlib $<
 clean:
 	rm -f doh-logger
--- a/doh-client/client.go
+++ b/doh-client/client.go
@@ -25,7 +25,6 @@ package main
 import (
 	"context"
 	"crypto/tls"
 	"fmt"
 	"log"
 	"math/rand"
@@ -38,9 +37,9 @@ import (
 	"sync"
 	"time"
-	"github.com/m13253/dns-over-https/v2/doh-client/config"
+	"github.com/m13253/dns-over-https/doh-client/config"
-	"github.com/m13253/dns-over-https/v2/doh-client/selector"
+	"github.com/m13253/dns-over-https/doh-client/selector"
-	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
+	"github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
 	"golang.org/x/net/http2"
 	"golang.org/x/net/idna"
@@ -248,7 +247,6 @@ func (c *Client) newHTTPClient() error {
 		MaxIdleConnsPerHost:   10,
 		Proxy:                 http.ProxyFromEnvironment,
 		TLSHandshakeTimeout:   time.Duration(c.conf.Other.Timeout) * time.Second,
 		TLSClientConfig:       &tls.Config{InsecureSkipVerify: c.conf.Other.TLSInsecureSkipVerify},
 	}
 	if c.conf.Other.NoIPv6 {
 		c.httpTransport.DialContext = func(ctx context.Context, network, address string) (net.Conn, error) {
@@ -307,7 +305,7 @@ func (c *Client) handlerFunc(w dns.ResponseWriter, r *dns.Msg, isTCP bool) {
 	if len(r.Question) != 1 {
 		log.Println("Number of questions is not 1")
-		reply := jsondns.PrepareReply(r)
+		reply := jsonDNS.PrepareReply(r)
 		reply.Rcode = dns.RcodeFormatError
 		w.WriteMsg(reply)
 		return
@@ -358,7 +356,7 @@ func (c *Client) handlerFunc(w dns.ResponseWriter, r *dns.Msg, isTCP bool) {
 			return
 		}
 		log.Println(err)
-		reply = jsondns.PrepareReply(r)
+		reply = jsonDNS.PrepareReply(r)
 		reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(reply)
 		return
@@ -473,7 +471,7 @@ func (c *Client) findClientIP(w dns.ResponseWriter, r *dns.Msg) (ednsClientAddre
 	if err != nil {
 		return
 	}
-	if ip := remoteAddr.IP; jsondns.IsGlobalIP(ip) {
+	if ip := remoteAddr.IP; jsonDNS.IsGlobalIP(ip) {
 		if ipv4 := ip.To4(); ipv4 != nil {
 			ednsClientAddress = ipv4.Mask(ipv4Mask24)
 			ednsClientNetmask = 24
--- a/doh-client/config/config.go
+++ b/doh-client/config/config.go
@@ -47,16 +47,14 @@ type upstream struct {
 }
 type others struct {
-	Bootstrap             []string `toml:"bootstrap"`
+	Bootstrap        []string `toml:"bootstrap"`
-	Passthrough           []string `toml:"passthrough"`
+	Passthrough      []string `toml:"passthrough"`
-	Timeout               uint     `toml:"timeout"`
+	Timeout          uint     `toml:"timeout"`
-	NoCookies             bool     `toml:"no_cookies"`
+	NoCookies        bool     `toml:"no_cookies"`
-	NoECS                 bool     `toml:"no_ecs"`
+	NoECS            bool     `toml:"no_ecs"`
-	NoIPv6                bool     `toml:"no_ipv6"`
+	NoIPv6           bool     `toml:"no_ipv6"`
-	NoUserAgent           bool     `toml:"no_user_agent"`
+	Verbose          bool     `toml:"verbose"`
-	Verbose               bool     `toml:"verbose"`
+	DebugHTTPHeaders []string `toml:"debug_http_headers"`
 	DebugHTTPHeaders      []string `toml:"debug_http_headers"`
 	TLSInsecureSkipVerify bool     `toml:"insecure_tls_skip_verify"`
 }
 type Config struct {
--- a/doh-client/doh-client.conf
+++ b/doh-client/doh-client.conf
@@ -4,9 +4,6 @@ listen = [
    "127.0.0.1:5380",
    "[::1]:53",
    "[::1]:5380",
    ## To listen on both 0.0.0.0:53 and [::]:53, use the following line
    # ":53",
 ]
 # HTTP path for upstream resolver
@@ -18,34 +15,34 @@ upstream_selector = "random"
 # weight should in (0, 100], if upstream_selector is random, weight will be ignored
-## Google's resolver, good ECS, good DNSSEC
+## Google's productive resolver, good ECS, bad DNSSEC
-#[[upstream.upstream_ietf]]
+#[[upstream.upstream_google]]
-#    url = "https://dns.google/dns-query"
+#    url = "https://dns.google.com/resolve"
 #    weight = 50
 ## CloudFlare's resolver, bad ECS, good DNSSEC
-## ECS is disabled for privacy by design: https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details/#edns-client-subnet
+#[[upstream.upstream_google]]
 #    url = "https://cloudflare-dns.com/dns-query"
 #    weight = 50
 ## CloudFlare's resolver, bad ECS, good DNSSEC
 #[[upstream.upstream_google]]
 #    url = "https://1.1.1.1/dns-query"
 #    weight = 50
 # CloudFlare's resolver, bad ECS, good DNSSEC
 [[upstream.upstream_ietf]]
    url = "https://cloudflare-dns.com/dns-query"
    weight = 50
 ## CloudFlare's resolver, bad ECS, good DNSSEC
 ## ECS is disabled for privacy by design: https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details/#edns-client-subnet
 ## Note that some ISPs have problems connecting to 1.1.1.1, try 1.0.0.1 if problems happen.
 #[[upstream.upstream_ietf]]
 #    url = "https://1.1.1.1/dns-query"
 #    weight = 50
-## DNS.SB's resolver, good ECS, good DNSSEC
+## Google's experimental resolver, good ECS, good DNSSEC
 ## The provider claims no logging: https://dns.sb/doh/
 #[[upstream.upstream_ietf]]
-#    url = "https://doh.dns.sb/dns-query"
+#    url = "https://dns.google.com/experimental"
 #    weight = 50
 ## Quad9's resolver, bad ECS, good DNSSEC
 ## ECS is disabled for privacy by design: https://www.quad9.net/faq/#What_is_EDNS_Client-Subnet
 #[[upstream.upstream_ietf]]
 #    url = "https://9.9.9.9/dns-query"
 #    weight = 50
 ## CloudFlare's resolver for Tor, available only with Tor
@@ -64,7 +61,7 @@ upstream_selector = "random"
 # bootstrap server, please make this list empty.
 bootstrap = [
-    # Google's resolver, good ECS, good DNSSEC
+    # Google's resolver, bad ECS, good DNSSEC
    "8.8.8.8:53",
    "8.8.4.4:53",
@@ -119,22 +116,5 @@ no_ecs = false
 # Note that DNS listening and bootstrapping is not controlled by this option.
 no_ipv6 = false
 # Disable submitting User-Agent
 #
 # It is generally not recommended to disable submitting User-Agent because it
 # is still possible to probe client version according to behavior differences,
 # such as TLS handshaking, handling of malformed packets, and specific bugs.
 # Additionally, User-Agent is an important way for the server to distinguish
 # buggy, old, or insecure clients, and to workaround specific bugs.
 # (e.g. doh-server can detect and workaround certain issues of DNSCrypt-Proxy
 # and older Firefox.)
 no_user_agent = false
 # Enable logging
 verbose = false
 # insecure_tls_skip_verification will disable necessary TLS security verification.
 # This option is designed for testing or development purposes,
 # turning on this option on public Internet may cause your connection
 # vulnerable to MITM attack.
 insecure_tls_skip_verify = false
--- a/doh-client/google.go
+++ b/doh-client/google.go
@@ -34,8 +34,8 @@ import (
 	"strconv"
 	"strings"
-	"github.com/m13253/dns-over-https/v2/doh-client/selector"
+	"github.com/m13253/dns-over-https/doh-client/selector"
-	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
+	"github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
 )
@@ -44,7 +44,7 @@ func (c *Client) generateRequestGoogle(ctx context.Context, w dns.ResponseWriter
 	questionName := question.Name
 	questionClass := question.Qclass
 	if questionClass != dns.ClassINET {
-		reply := jsondns.PrepareReply(r)
+		reply := jsonDNS.PrepareReply(r)
 		reply.Rcode = dns.RcodeRefused
 		w.WriteMsg(reply)
 		return &DNSRequest{
@@ -67,9 +67,6 @@ func (c *Client) generateRequestGoogle(ctx context.Context, w dns.ResponseWriter
 	udpSize := uint16(512)
 	if opt := r.IsEdns0(); opt != nil {
 		udpSize = opt.UDPSize()
 		if opt.Do() {
 			requestURL += "&do=1"
 		}
 	}
 	ednsClientAddress, ednsClientNetmask := c.findClientIP(w, r)
@@ -80,7 +77,7 @@ func (c *Client) generateRequestGoogle(ctx context.Context, w dns.ResponseWriter
 	req, err := http.NewRequest(http.MethodGet, requestURL, nil)
 	if err != nil {
 		log.Println(err)
-		reply := jsondns.PrepareReply(r)
+		reply := jsonDNS.PrepareReply(r)
 		reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(reply)
 		return &DNSRequest{
@@ -89,11 +86,7 @@ func (c *Client) generateRequestGoogle(ctx context.Context, w dns.ResponseWriter
 	}
 	req.Header.Set("Accept", "application/json, application/dns-message, application/dns-udpwireformat")
-	if !c.conf.Other.NoUserAgent {
+	req.Header.Set("User-Agent", USER_AGENT)
 		req.Header.Set("User-Agent", USER_AGENT)
 	} else {
 		req.Header.Set("User-Agent", "")
 	}
 	req = req.WithContext(ctx)
 	c.httpClientMux.RLock()
@@ -111,7 +104,7 @@ func (c *Client) generateRequestGoogle(ctx context.Context, w dns.ResponseWriter
 	if err != nil {
 		log.Println(err)
-		reply := jsondns.PrepareReply(r)
+		reply := jsonDNS.PrepareReply(r)
 		reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(reply)
 		return &DNSRequest{
@@ -121,7 +114,7 @@ func (c *Client) generateRequestGoogle(ctx context.Context, w dns.ResponseWriter
 	return &DNSRequest{
 		response:          resp,
-		reply:             jsondns.PrepareReply(r),
+		reply:             jsonDNS.PrepareReply(r),
 		udpSize:           udpSize,
 		ednsClientAddress: ednsClientAddress,
 		ednsClientNetmask: ednsClientNetmask,
@@ -148,7 +141,7 @@ func (c *Client) parseResponseGoogle(ctx context.Context, w dns.ResponseWriter,
 		return
 	}
-	var respJSON jsondns.Response
+	var respJSON jsonDNS.Response
 	err = json.Unmarshal(body, &respJSON)
 	if err != nil {
 		log.Println(err)
@@ -160,9 +153,8 @@ func (c *Client) parseResponseGoogle(ctx context.Context, w dns.ResponseWriter,
 	if respJSON.Status != dns.RcodeSuccess && respJSON.Comment != "" {
 		log.Printf("DNS error: %s\n", respJSON.Comment)
 	}
 	fixEmptyNames(&respJSON)
-	fullReply := jsondns.Unmarshal(req.reply, &respJSON, req.udpSize, req.ednsClientNetmask)
+	fullReply := jsonDNS.Unmarshal(req.reply, &respJSON, req.udpSize, req.ednsClientNetmask)
 	buf, err := fullReply.Pack()
 	if err != nil {
 		log.Println(err)
@@ -181,19 +173,3 @@ func (c *Client) parseResponseGoogle(ctx context.Context, w dns.ResponseWriter,
 	}
 	w.Write(buf)
 }
 // Fix DNS response empty []RR.Name
 // Additional section won't be rectified
 // see: https://stackoverflow.com/questions/52136176/what-is-additional-section-in-dns-and-how-it-works
 func fixEmptyNames(respJSON *jsondns.Response) {
 	for i := range respJSON.Answer {
 		if respJSON.Answer[i].Name == "" {
 			respJSON.Answer[i].Name = "."
 		}
 	}
 	for i := range respJSON.Authority {
 		if respJSON.Authority[i].Name == "" {
 			respJSON.Authority[i].Name = "."
 		}
 	}
 }
--- a/doh-client/ietf.go
+++ b/doh-client/ietf.go
@@ -35,8 +35,8 @@ import (
 	"strings"
 	"time"
-	"github.com/m13253/dns-over-https/v2/doh-client/selector"
+	"github.com/m13253/dns-over-https/doh-client/selector"
-	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
+	"github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
 )
@@ -90,7 +90,7 @@ func (c *Client) generateRequestIETF(ctx context.Context, w dns.ResponseWriter,
 	requestBinary, err := r.Pack()
 	if err != nil {
 		log.Println(err)
-		reply := jsondns.PrepareReply(r)
+		reply := jsonDNS.PrepareReply(r)
 		reply.Rcode = dns.RcodeFormatError
 		w.WriteMsg(reply)
 		return &DNSRequest{
@@ -107,7 +107,7 @@ func (c *Client) generateRequestIETF(ctx context.Context, w dns.ResponseWriter,
 		req, err = http.NewRequest(http.MethodGet, requestURL, nil)
 		if err != nil {
 			log.Println(err)
-			reply := jsondns.PrepareReply(r)
+			reply := jsonDNS.PrepareReply(r)
 			reply.Rcode = dns.RcodeServerFailure
 			w.WriteMsg(reply)
 			return &DNSRequest{
@@ -118,7 +118,7 @@ func (c *Client) generateRequestIETF(ctx context.Context, w dns.ResponseWriter,
 		req, err = http.NewRequest(http.MethodPost, upstream.URL, bytes.NewReader(requestBinary))
 		if err != nil {
 			log.Println(err)
-			reply := jsondns.PrepareReply(r)
+			reply := jsonDNS.PrepareReply(r)
 			reply.Rcode = dns.RcodeServerFailure
 			w.WriteMsg(reply)
 			return &DNSRequest{
@@ -128,11 +128,7 @@ func (c *Client) generateRequestIETF(ctx context.Context, w dns.ResponseWriter,
 		req.Header.Set("Content-Type", "application/dns-message")
 	}
 	req.Header.Set("Accept", "application/dns-message, application/dns-udpwireformat, application/json")
-	if !c.conf.Other.NoUserAgent {
+	req.Header.Set("User-Agent", USER_AGENT)
 		req.Header.Set("User-Agent", USER_AGENT)
 	} else {
 		req.Header.Set("User-Agent", "")
 	}
 	req = req.WithContext(ctx)
 	c.httpClientMux.RLock()
 	resp, err := c.httpClient.Do(req)
@@ -149,7 +145,7 @@ func (c *Client) generateRequestIETF(ctx context.Context, w dns.ResponseWriter,
 	if err != nil {
 		log.Println(err)
-		reply := jsondns.PrepareReply(r)
+		reply := jsonDNS.PrepareReply(r)
 		reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(reply)
 		return &DNSRequest{
@@ -159,7 +155,7 @@ func (c *Client) generateRequestIETF(ctx context.Context, w dns.ResponseWriter,
 	return &DNSRequest{
 		response:          resp,
-		reply:             jsondns.PrepareReply(r),
+		reply:             jsonDNS.PrepareReply(r),
 		udpSize:           udpSize,
 		ednsClientAddress: ednsClientAddress,
 		ednsClientNetmask: ednsClientNetmask,
@@ -180,7 +176,7 @@ func (c *Client) parseResponseIETF(ctx context.Context, w dns.ResponseWriter, r
 	body, err := ioutil.ReadAll(req.response.Body)
 	if err != nil {
-		log.Printf("read error from upstream %s: %v\n", req.currentUpstream, err)
+		log.Println(err)
 		req.reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(req.reply)
 		return
@@ -191,7 +187,7 @@ func (c *Client) parseResponseIETF(ctx context.Context, w dns.ResponseWriter, r
 		if nowDate, err := time.Parse(http.TimeFormat, headerNow); err == nil {
 			now = nowDate
 		} else {
-			log.Printf("Date header parse error from upstream %s: %v\n", req.currentUpstream, err)
+			log.Println(err)
 		}
 	}
 	headerLastModified := req.response.Header.Get("Last-Modified")
@@ -200,7 +196,7 @@ func (c *Client) parseResponseIETF(ctx context.Context, w dns.ResponseWriter, r
 		if lastModifiedDate, err := time.Parse(http.TimeFormat, headerLastModified); err == nil {
 			lastModified = lastModifiedDate
 		} else {
-			log.Printf("Last-Modified header parse error from upstream %s: %v\n", req.currentUpstream, err)
+			log.Println(err)
 		}
 	}
 	timeDelta := now.Sub(lastModified)
@@ -211,7 +207,7 @@ func (c *Client) parseResponseIETF(ctx context.Context, w dns.ResponseWriter, r
 	fullReply := new(dns.Msg)
 	err = fullReply.Unpack(body)
 	if err != nil {
-		log.Printf("unpacking error from upstream %s: %v\n", req.currentUpstream, err)
+		log.Println(err)
 		req.reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(req.reply)
 		return
@@ -233,7 +229,7 @@ func (c *Client) parseResponseIETF(ctx context.Context, w dns.ResponseWriter, r
 	buf, err := fullReply.Pack()
 	if err != nil {
-		log.Printf("packing error with upstream %s: %v\n", req.currentUpstream, err)
+		log.Println(err)
 		req.reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(req.reply)
 		return
@@ -242,15 +238,12 @@ func (c *Client) parseResponseIETF(ctx context.Context, w dns.ResponseWriter, r
 		fullReply.Truncated = true
 		buf, err = fullReply.Pack()
 		if err != nil {
-			log.Printf("re-packing error with upstream %s: %v\n", req.currentUpstream, err)
+			log.Println(err)
 			return
 		}
 		buf = buf[:req.udpSize]
 	}
-	_, err = w.Write(buf)
+	w.Write(buf)
 	if err != nil {
 		log.Printf("failed to write to client: %v\n", err)
 	}
 }
 func fixRecordTTL(rr dns.RR, delta time.Duration) dns.RR {
--- a/doh-client/main.go
+++ b/doh-client/main.go
@@ -33,7 +33,7 @@ import (
 	"runtime"
 	"strconv"
-	"github.com/m13253/dns-over-https/v2/doh-client/config"
+	"github.com/m13253/dns-over-https/doh-client/config"
 )
 func checkPIDFile(pidFile string) (bool, error) {
@@ -89,7 +89,7 @@ func main() {
 	flag.Parse()
 	if *showVersion {
-		fmt.Printf("doh-client %s\nHomepage: https://github.com/m13253/dns-over-https\n", VERSION)
+		fmt.Printf("doh-server %s\nHomepage: https://github.com/m13253/dns-over-https\n", VERSION)
 		return
 	}
--- a/doh-client/version.go
+++ b/doh-client/version.go
@@ -24,6 +24,6 @@
 package main
 const (
-	VERSION    = "2.3.2"
+	VERSION    = "2.0.1"
 	USER_AGENT = "DNS-over-HTTPS/" + VERSION + " (+https://github.com/m13253/dns-over-https)"
 )
--- a/doh-server/config.go
+++ b/doh-server/config.go
@@ -25,27 +25,23 @@ package main
 import (
 	"fmt"
 	"regexp"
 	"github.com/BurntSushi/toml"
 )
 type config struct {
-	Listen              []string `toml:"listen"`
+	Listen           []string `toml:"listen"`
-	LocalAddr           string   `toml:"local_addr"`
+	LocalAddr        string   `toml:"local_addr"`
-	Cert                string   `toml:"cert"`
+	Cert             string   `toml:"cert"`
-	Key                 string   `toml:"key"`
+	Key              string   `toml:"key"`
-	Path                string   `toml:"path"`
+	Path             string   `toml:"path"`
-	Upstream            []string `toml:"upstream"`
+	Upstream         []string `toml:"upstream"`
-	Timeout             uint     `toml:"timeout"`
+	Timeout          uint     `toml:"timeout"`
-	Tries               uint     `toml:"tries"`
+	Tries            uint     `toml:"tries"`
-	Verbose             bool     `toml:"verbose"`
+	TCPOnly          bool     `toml:"tcp_only"`
-	DebugHTTPHeaders    []string `toml:"debug_http_headers"`
+	Verbose          bool     `toml:"verbose"`
-	LogGuessedIP        bool     `toml:"log_guessed_client_ip"`
+	DebugHTTPHeaders []string `toml:"debug_http_headers"`
-	ECSAllowNonGlobalIP bool     `toml:"ecs_allow_non_global_ip"`
+	LogGuessedIP     bool     `toml:"log_guessed_client_ip"`
 	ECSUsePreciseIP     bool     `toml:"ecs_use_precise_ip"`
 	TLSClientAuth       bool     `toml:"tls_client_auth"`
 	TLSClientAuthCA     string   `toml:"tls_client_auth_ca"`
 }
 func loadConfig(path string) (*config, error) {
@@ -66,7 +62,7 @@ func loadConfig(path string) (*config, error) {
 		conf.Path = "/dns-query"
 	}
 	if len(conf.Upstream) == 0 {
-		conf.Upstream = []string{"udp:8.8.8.8:53", "udp:8.8.4.4:53"}
+		conf.Upstream = []string{"8.8.8.8:53", "8.8.4.4:53"}
 	}
 	if conf.Timeout == 0 {
 		conf.Timeout = 10
@@ -79,35 +75,9 @@ func loadConfig(path string) (*config, error) {
 		return nil, &configError{"You must specify both -cert and -key to enable TLS"}
 	}
 	// validate all upstreams
 	for _, us := range conf.Upstream {
 		address, t := addressAndType(us)
 		if address == "" {
 			return nil, &configError{"One of the upstreams has not a (udp|tcp|tcp-tls) prefix e.g. udp:1.1.1.1:53"}
 		}
 		switch t {
 		case "tcp", "udp", "tcp-tls":
 			// OK
 		default:
 			return nil, &configError{"Invalid upstream prefix specified, choose one of: udp tcp tcp-tls"}
 		}
 	}
 	return conf, nil
 }
 var rxUpstreamWithTypePrefix = regexp.MustCompile("^[a-z-]+(:)")
 func addressAndType(us string) (string, string) {
 	p := rxUpstreamWithTypePrefix.FindStringSubmatchIndex(us)
 	if len(p) != 4 {
 		return "", ""
 	}
 	return us[p[2]+1:], us[:p[2]]
 }
 type configError struct {
 	err string
 }
--- a/doh-server/doh-server.conf
+++ b/doh-server/doh-server.conf
@@ -2,9 +2,6 @@
 listen = [
    "127.0.0.1:8053",
    "[::1]:8053",
    ## To listen on both 0.0.0.0:8053 and [::]:8053, use the following line
    # ":8053",
 ]
 # Local address and port for upstream DNS
@@ -27,16 +24,11 @@ path = "/dns-query"
 # Upstream DNS resolver
 # If multiple servers are specified, a random one will be chosen each time.
 # You can use "udp", "tcp" or "tcp-tls" for the type prefix.
 # For "udp", UDP will first be used, and switch to TCP when the server asks to
 # or the response is too large.
 # For "tcp", only TCP will be used.
 # For "tcp-tls", DNS-over-TLS (RFC 7858) will be used to secure the upstream connection.
 upstream = [
-    "udp:1.1.1.1:53",
+    "1.1.1.1:53",
-    "udp:1.0.0.1:53",
+    "1.0.0.1:53",
-    "udp:8.8.8.8:53",
+    "8.8.8.8:53",
-    "udp:8.8.4.4:53",
+    "8.8.4.4:53",
 ]
 # Upstream timeout
@@ -45,34 +37,12 @@ timeout = 10
 # Number of tries if upstream DNS fails
 tries = 3
 # Only use TCP for DNS query
 tcp_only = false
 # Enable logging
 verbose = false
 # Enable log IP from HTTPS-reverse proxy header: X-Forwarded-For or X-Real-IP
 # Note: http uri/useragent log cannot be controlled by this config
 log_guessed_client_ip = false
 # By default, non global IP addresses are never forwarded to upstream servers.
 # This is to prevent two things from happening:
 #   1. the upstream server knowing your private LAN addresses;
 #   2. the upstream server unable to provide geographically near results,
 #      or even fail to provide any result.
 # However, if you are deploying a split tunnel corporation network
 # environment, or for any other reason you want to inhibit this
 # behavior and allow local (eg RFC1918) address to be forwarded,
 # change the following option to "true".
 ecs_allow_non_global_ip = false
 # If ECS is added to the request, let the full IP address or
 # cap it to 24 or 128 mask. This option is to be used only on private
 # networks where knwoledge of the terminal endpoint may be required for
 # security purposes (eg. DNS Firewalling). Not a good option on the
 # internet where IP address may be used to identify the user and
 # not only the approximate location.
 ecs_use_precise_ip = false
 # If DOH is used for a controlled network, it is possible to enable
 # the client TLS certificate validation with a specific certificate
 # authority used to sign any client one. Disabled by default.
 # tls_client_auth = true
 # tls_client_auth_ca = "root-ca-public.crt"
--- a/doh-server/google.go
+++ b/doh-server/google.go
@@ -34,7 +34,7 @@ import (
 	"strings"
 	"time"
-	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
+	"github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
 	"golang.org/x/net/idna"
 )
@@ -170,11 +170,11 @@ func (s *Server) parseRequestGoogle(ctx context.Context, w http.ResponseWriter,
 }
 func (s *Server) generateResponseGoogle(ctx context.Context, w http.ResponseWriter, r *http.Request, req *DNSRequest) {
-	respJSON := jsondns.Marshal(req.response)
+	respJSON := jsonDNS.Marshal(req.response)
 	respStr, err := json.Marshal(respJSON)
 	if err != nil {
 		log.Println(err)
-		jsondns.FormatError(w, fmt.Sprintf("DNS packet parse failure (%s)", err.Error()), 500)
+		jsonDNS.FormatError(w, fmt.Sprintf("DNS packet parse failure (%s)", err.Error()), 500)
 		return
 	}
--- a/doh-server/ietf.go
+++ b/doh-server/ietf.go
@@ -36,7 +36,7 @@ import (
 	"strings"
 	"time"
-	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
+	"github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
 )
@@ -125,7 +125,6 @@ func (s *Server) parseRequestIETF(ctx context.Context, w http.ResponseWriter, r
 		}
 	}
 	isTailored := edns0Subnet == nil
 	if edns0Subnet == nil {
 		ednsClientFamily := uint16(0)
 		ednsClientAddress := s.findClientIP(r)
@@ -134,20 +133,10 @@ func (s *Server) parseRequestIETF(ctx context.Context, w http.ResponseWriter, r
 			if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
 				ednsClientFamily = 1
 				ednsClientAddress = ipv4
-				if s.conf.ECSUsePreciseIP {
+				ednsClientNetmask = 24
 					ednsClientNetmask = 32
 				} else {
 					ednsClientNetmask = 24
 					ednsClientAddress = ednsClientAddress.Mask(net.CIDRMask(24, 32))
 				}
 			} else {
 				ednsClientFamily = 2
-				if s.conf.ECSUsePreciseIP {
+				ednsClientNetmask = 56
 					ednsClientNetmask = 128
 				} else {
 					ednsClientNetmask = 56
 					ednsClientAddress = ednsClientAddress.Mask(net.CIDRMask(56, 128))
 				}
 			}
 			edns0Subnet = new(dns.EDNS0_SUBNET)
 			edns0Subnet.Code = dns.EDNS0SUBNET
@@ -167,12 +156,12 @@ func (s *Server) parseRequestIETF(ctx context.Context, w http.ResponseWriter, r
 }
 func (s *Server) generateResponseIETF(ctx context.Context, w http.ResponseWriter, r *http.Request, req *DNSRequest) {
-	respJSON := jsondns.Marshal(req.response)
+	respJSON := jsonDNS.Marshal(req.response)
 	req.response.Id = req.transactionID
 	respBytes, err := req.response.Pack()
 	if err != nil {
-		log.Printf("DNS packet construct failure with upstream %s: %v\n", req.currentUpstream, err)
+		log.Println(err)
-		jsondns.FormatError(w, fmt.Sprintf("DNS packet construct failure (%s)", err.Error()), 500)
+		jsonDNS.FormatError(w, fmt.Sprintf("DNS packet construct failure (%s)", err.Error()), 500)
 		return
 	}
@@ -194,21 +183,15 @@ func (s *Server) generateResponseIETF(ctx context.Context, w http.ResponseWriter
 	}
 	if respJSON.Status == dns.RcodeServerFailure {
 		log.Printf("received server failure from upstream %s: %v\n", req.currentUpstream, req.response)
 		w.WriteHeader(503)
 	}
-	_, err = w.Write(respBytes)
+	w.Write(respBytes)
 	if err != nil {
 		log.Printf("failed to write to client: %v\n", err)
 	}
 }
 // Workaround a bug causing DNSCrypt-Proxy to expect a response with TransactionID = 0xcafe
 func (s *Server) patchDNSCryptProxyReqID(w http.ResponseWriter, r *http.Request, requestBinary []byte) bool {
 	if strings.Contains(r.UserAgent(), "dnscrypt-proxy") && bytes.Equal(requestBinary, []byte("\xca\xfe\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00\x00\x02\x00\x01\x00\x00\x29\x10\x00\x00\x00\x80\x00\x00\x00")) {
-		if s.conf.Verbose {
+		log.Println("DNSCrypt-Proxy detected. Patching response.")
 			log.Println("DNSCrypt-Proxy detected. Patching response.")
 		}
 		w.Header().Set("Content-Type", "application/dns-message")
 		w.Header().Set("Vary", "Accept, User-Agent")
 		now := time.Now().UTC().Format(http.TimeFormat)
@@ -222,9 +205,7 @@ func (s *Server) patchDNSCryptProxyReqID(w http.ResponseWriter, r *http.Request,
 // Workaround a bug causing Firefox 61-62 to reject responses with Content-Type = application/dns-message
 func (s *Server) patchFirefoxContentType(w http.ResponseWriter, r *http.Request, req *DNSRequest) bool {
 	if strings.Contains(r.UserAgent(), "Firefox") && strings.Contains(r.Header.Get("Accept"), "application/dns-udpwireformat") && !strings.Contains(r.Header.Get("Accept"), "application/dns-message") {
-		if s.conf.Verbose {
+		log.Println("Firefox 61-62 detected. Patching response.")
 			log.Println("Firefox 61-62 detected. Patching response.")
 		}
 		w.Header().Set("Content-Type", "application/dns-udpwireformat")
 		w.Header().Set("Vary", "Accept, User-Agent")
 		req.isTailored = true
--- a/doh-server/server.go
+++ b/doh-server/server.go
@@ -25,10 +25,7 @@ package main
 import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
 	"io/ioutil"
 	"log"
 	"math/rand"
 	"net"
@@ -38,16 +35,15 @@ import (
 	"time"
 	"github.com/gorilla/handlers"
-	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
+	"github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
 )
 type Server struct {
-	conf         *config
+	conf      *config
-	udpClient    *dns.Client
+	udpClient *dns.Client
-	tcpClient    *dns.Client
+	tcpClient *dns.Client
-	tcpClientTLS *dns.Client
+	servemux  *http.ServeMux
 	servemux     *http.ServeMux
 }
 type DNSRequest struct {
@@ -73,10 +69,6 @@ func NewServer(conf *config) (*Server, error) {
 			Net:     "tcp",
 			Timeout: timeout,
 		},
 		tcpClientTLS: &dns.Client{
 			Net:     "tcp-tls",
 			Timeout: timeout,
 		},
 		servemux: http.NewServeMux(),
 	}
 	if conf.LocalAddr != "" {
@@ -96,10 +88,6 @@ func NewServer(conf *config) (*Server, error) {
 			Timeout:   timeout,
 			LocalAddr: tcpLocalAddr,
 		}
 		s.tcpClientTLS.Dialer = &net.Dialer{
 			Timeout:   timeout,
 			LocalAddr: tcpLocalAddr,
 		}
 	}
 	s.servemux.HandleFunc(conf.Path, s.handlerFunc)
 	return s, nil
@@ -110,48 +98,12 @@ func (s *Server) Start() error {
 	if s.conf.Verbose {
 		servemux = handlers.CombinedLoggingHandler(os.Stdout, servemux)
 	}
 	var clientCAPool *x509.CertPool
 	if s.conf.TLSClientAuth {
 		if s.conf.TLSClientAuthCA != "" {
 			clientCA, err := ioutil.ReadFile(s.conf.TLSClientAuthCA)
 			if err != nil {
 				log.Fatalf("Reading certificate for client authentication has failed: %v", err)
 			}
 			clientCAPool = x509.NewCertPool()
 			clientCAPool.AppendCertsFromPEM(clientCA)
 			log.Println("Certificate loaded for client TLS authentication")
 		} else {
 			log.Fatalln("TLS client authentication requires both tls_client_auth and tls_client_auth_ca, exiting.")
 		}
 	}
 	results := make(chan error, len(s.conf.Listen))
 	for _, addr := range s.conf.Listen {
 		go func(addr string) {
 			var err error
 			if s.conf.Cert != "" || s.conf.Key != "" {
-				if clientCAPool != nil {
+				err = http.ListenAndServeTLS(addr, s.conf.Cert, s.conf.Key, servemux)
 					srvtls := &http.Server{
 						Handler: servemux,
 						Addr:    addr,
 						TLSConfig: &tls.Config{
 							ClientCAs:  clientCAPool,
 							ClientAuth: tls.RequireAndVerifyClientCert,
 							GetCertificate: func(info *tls.ClientHelloInfo) (certificate *tls.Certificate, e error) {
 								c, err := tls.LoadX509KeyPair(s.conf.Cert, s.conf.Key)
 								if err != nil {
 									fmt.Printf("Error loading server certificate key pair: %v\n", err)
 									return nil, err
 								}
 								return &c, nil
 							},
 						},
 					}
 					err = srvtls.ListenAndServeTLS("", "")
 				} else {
 					err = http.ListenAndServeTLS(addr, s.conf.Cert, s.conf.Key, servemux)
 				}
 			} else {
 				err = http.ListenAndServe(addr, servemux)
 			}
@@ -175,18 +127,6 @@ func (s *Server) Start() error {
 func (s *Server) handlerFunc(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if realIP := r.Header.Get("X-Real-IP"); realIP != "" {
 		if strings.ContainsRune(realIP, ':') {
 			r.RemoteAddr = "[" + realIP + "]:0"
 		} else {
 			r.RemoteAddr = realIP + ":0"
 		}
 		_, _, err := net.SplitHostPort(r.RemoteAddr)
 		if err != nil {
 			r.RemoteAddr = realIP
 		}
 	}
 	w.Header().Set("Access-Control-Allow-Headers", "Content-Type")
 	w.Header().Set("Access-Control-Allow-Methods", "GET, HEAD, OPTIONS, POST")
 	w.Header().Set("Access-Control-Allow-Origin", "*")
@@ -255,22 +195,23 @@ func (s *Server) handlerFunc(w http.ResponseWriter, r *http.Request) {
 	} else if contentType == "application/dns-udpwireformat" {
 		req = s.parseRequestIETF(ctx, w, r)
 	} else {
-		jsondns.FormatError(w, fmt.Sprintf("Invalid argument value: \"ct\" = %q", contentType), 415)
+		jsonDNS.FormatError(w, fmt.Sprintf("Invalid argument value: \"ct\" = %q", contentType), 415)
 		return
 	}
 	if req.errcode == 444 {
 		return
 	}
 	if req.errcode != 0 {
-		jsondns.FormatError(w, req.errtext, req.errcode)
+		jsonDNS.FormatError(w, req.errtext, req.errcode)
 		return
 	}
 	req = s.patchRootRD(req)
-	err := s.doDNSQuery(ctx, req)
+	var err error
 	req, err = s.doDNSQuery(ctx, req)
 	if err != nil {
-		jsondns.FormatError(w, fmt.Sprintf("DNS query failure (%s)", err.Error()), 503)
+		jsonDNS.FormatError(w, fmt.Sprintf("DNS query failure (%s)", err.Error()), 503)
 		return
 	}
@@ -284,17 +225,12 @@ func (s *Server) handlerFunc(w http.ResponseWriter, r *http.Request) {
 }
 func (s *Server) findClientIP(r *http.Request) net.IP {
 	noEcs := r.URL.Query().Get("no_ecs")
 	if strings.ToLower(noEcs) == "true" {
 		return nil
 	}
 	XForwardedFor := r.Header.Get("X-Forwarded-For")
 	if XForwardedFor != "" {
 		for _, addr := range strings.Split(XForwardedFor, ",") {
 			addr = strings.TrimSpace(addr)
 			ip := net.ParseIP(addr)
-			if jsondns.IsGlobalIP(ip) {
+			if jsonDNS.IsGlobalIP(ip) {
 				return ip
 			}
 		}
@@ -303,17 +239,15 @@ func (s *Server) findClientIP(r *http.Request) net.IP {
 	if XRealIP != "" {
 		addr := strings.TrimSpace(XRealIP)
 		ip := net.ParseIP(addr)
-		if s.conf.ECSAllowNonGlobalIP || jsondns.IsGlobalIP(ip) {
+		if jsonDNS.IsGlobalIP(ip) {
 			return ip
 		}
 	}
 	remoteAddr, err := net.ResolveTCPAddr("tcp", r.RemoteAddr)
 	if err != nil {
 		return nil
 	}
-	ip := remoteAddr.IP
+	if ip := remoteAddr.IP; jsonDNS.IsGlobalIP(ip) {
 	if s.conf.ECSAllowNonGlobalIP || jsondns.IsGlobalIP(ip) {
 		return ip
 	}
 	return nil
@@ -329,54 +263,24 @@ func (s *Server) patchRootRD(req *DNSRequest) *DNSRequest {
 	return req
 }
-// Return the position index for the question of qtype from a DNS msg, otherwise return -1
+func (s *Server) doDNSQuery(ctx context.Context, req *DNSRequest) (resp *DNSRequest, err error) {
-func (s *Server) indexQuestionType(msg *dns.Msg, qtype uint16) int {
+	// TODO(m13253): Make ctx work. Waiting for a patch for ExchangeContext from miekg/dns.
 	for i, question := range msg.Question {
 		if question.Qtype == qtype {
 			return i
 		}
 	}
 	return -1
 }
 func (s *Server) doDNSQuery(ctx context.Context, req *DNSRequest) (err error) {
 	numServers := len(s.conf.Upstream)
 	for i := uint(0); i < s.conf.Tries; i++ {
 		req.currentUpstream = s.conf.Upstream[rand.Intn(numServers)]
-
+		if !s.conf.TCPOnly {
-		upstream, t := addressAndType(req.currentUpstream)
+			req.response, _, err = s.udpClient.Exchange(req.request, req.currentUpstream)
-
+			if err == nil && req.response != nil && req.response.Truncated {
-		switch t {
+				log.Println(err)
-		default:
+				req.response, _, err = s.tcpClient.Exchange(req.request, req.currentUpstream)
 			log.Printf("invalid DNS type %q in upstream %q", t, upstream)
 			return &configError{"invalid DNS type"}
 		// Use DNS-over-TLS (DoT) if configured to do so
 		case "tcp-tls":
 			req.response, _, err = s.tcpClientTLS.ExchangeContext(ctx, req.request, upstream)
 		case "tcp", "udp":
 			// Use TCP if always configured to or if the Query type dictates it (AXFR)
 			if t == "tcp" || (s.indexQuestionType(req.request, dns.TypeAXFR) > -1) {
 				req.response, _, err = s.tcpClient.ExchangeContext(ctx, req.request, upstream)
 			} else {
 				req.response, _, err = s.udpClient.ExchangeContext(ctx, req.request, upstream)
 				if err == nil && req.response != nil && req.response.Truncated {
 					log.Println(err)
 					req.response, _, err = s.tcpClient.ExchangeContext(ctx, req.request, upstream)
 				}
 				// Retry with TCP if this was an IXFR request and we only received an SOA
 				if (s.indexQuestionType(req.request, dns.TypeIXFR) > -1) &&
 					(len(req.response.Answer) == 1) &&
 					(req.response.Answer[0].Header().Rrtype == dns.TypeSOA) {
 					req.response, _, err = s.tcpClient.ExchangeContext(ctx, req.request, upstream)
 				}
 			}
 		} else {
 			req.response, _, err = s.tcpClient.Exchange(req.request, req.currentUpstream)
 		}
 		if err == nil {
-			return nil
+			return req, nil
 		}
 		log.Printf("DNS error from upstream %s: %s\n", req.currentUpstream, err.Error())
 	}
-	return err
+	return req, err
 }
--- a/doh-server/version.go
+++ b/doh-server/version.go
@@ -24,6 +24,6 @@
 package main
 const (
-	VERSION    = "2.3.2"
+	VERSION    = "2.0.1"
 	USER_AGENT = "DNS-over-HTTPS/" + VERSION + " (+https://github.com/m13253/dns-over-https)"
 )
--- a/go.mod
+++ b/go.mod
@@ -1,20 +1,13 @@
-module github.com/m13253/dns-over-https/v2
+module github.com/m13253/dns-over-https
-go 1.19
+go 1.12
 require (
-	github.com/BurntSushi/toml v1.2.0
+	github.com/BurntSushi/toml v0.3.1
-	github.com/gorilla/handlers v1.5.1
+	github.com/gorilla/handlers v1.4.0
-	github.com/infobloxopen/go-trees v0.0.0-20200715205103-96a057b8dfb9
+	github.com/miekg/dns v1.1.6
-	github.com/miekg/dns v1.1.50
+	golang.org/x/crypto v0.0.0-20190313024323-a1f597ede03a // indirect
-	golang.org/x/net v0.0.0-20220812174116-3211cb980234
+	golang.org/x/net v0.0.0-20190311183353-d8887717615a
-)
+	golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6 // indirect
-
+	golang.org/x/sys v0.0.0-20190312061237-fead79001313 // indirect
 require (
 	github.com/felixge/httpsnoop v1.0.1 // indirect
 	golang.org/x/mod v0.4.2 // indirect
 	golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 // indirect
 	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2 // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -1,51 +1,25 @@
-github.com/BurntSushi/toml v1.2.0 h1:Rt8g24XnyGTyglgET/PRUNlrUeu9F5L+7FilkXfZgs0=
+github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
-github.com/BurntSushi/toml v1.2.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/felixge/httpsnoop v1.0.1 h1:lvB5Jl89CsZtGIWuTcDM1E/vkVs49/Ml7JJe07l8SPQ=
+github.com/gorilla/handlers v1.4.0 h1:XulKRWSQK5uChr4pEgSE4Tc/OcmnU9GJuSwdog/tZsA=
-github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/gorilla/handlers v1.4.0/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ=
-github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4=
+github.com/miekg/dns v1.1.4 h1:rCMZsU2ScVSYcAsOXgmC6+AKOK+6pmQTOcw03nfwYV0=
-github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q=
+github.com/miekg/dns v1.1.4/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
-github.com/infobloxopen/go-trees v0.0.0-20200715205103-96a057b8dfb9 h1:w66aaP3c6SIQ0pi3QH1Tb4AMO3aWoEPxd1CNvLphbkA=
+github.com/miekg/dns v1.1.6 h1:jVwb4GDwD65q/gtItR/lIZHjNH93QfeGxZUkzJcW9mc=
-github.com/infobloxopen/go-trees v0.0.0-20200715205103-96a057b8dfb9/go.mod h1:BaIJzjD2ZnHmx2acPF6XfGLPzNCMiBbMRqJr+8/8uRI=
+github.com/miekg/dns v1.1.6/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
-github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=
 github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190313024323-a1f597ede03a h1:YX8ljsm6wXlHZO+aRz9Exqr0evNhKRNe5K/gi+zKh4U=
-golang.org/x/mod v0.4.2 h1:Gz96sIWK3OalVv/I/qNygP42zyoKp3xptRVCWRFEBvo=
+golang.org/x/crypto v0.0.0-20190313024323-a1f597ede03a/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20190301231341-16b79f2e4e95 h1:fY7Dsw114eJN4boqzVSbpVHO6rTdhq6/GnXeu+PKnzU=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190301231341-16b79f2e4e95/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a h1:oWX7TPOiFAMXLq8o0ikBYfCJVlRHBcsciT5bXOrH628=
-golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6 h1:bjcUS9ztw9kFmmIxJInhon/0Is3p+EHBKNgquIzo1OI=
-golang.org/x/net v0.0.0-20220812174116-3211cb980234 h1:RDqmgfe7SvlMWoqC3xwQ2blLO3fcWcxMa3eBLRdRW7E=
+golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/net v0.0.0-20220812174116-3211cb980234/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190308023053-584f3b12f43e h1:K7CV15oJ823+HLXQ+M7MSMrUg8LjfqY7O3naO+8Pp/I=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190308023053-584f3b12f43e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190312061237-fead79001313 h1:pczuHS43Cp2ktBEEmLwScxgjWsBSzdaQiKzUyf3DTTc=
-golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 h1:WIoqL4EROvwiPdUtaip4VcDdpZ4kha7wBWZrbVKCIZg=
 golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2 h1:BonxutuHCTL0rBDnZlKjpGIQFTjyUVTexFOdWkB6Fg0=
 golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
--- a/json-dns/error.go
+++ b/json-dns/error.go
@@ -21,7 +21,7 @@
   DEALINGS IN THE SOFTWARE.
 */
-package jsondns
+package jsonDNS
 import (
 	"encoding/json"
@@ -38,11 +38,11 @@ type dnsError struct {
 func FormatError(w http.ResponseWriter, comment string, errcode int) {
 	w.Header().Set("Content-Type", "application/json; charset=UTF-8")
-	errJSON := dnsError{
+	errJson := dnsError{
 		Status:  dns.RcodeServerFailure,
 		Comment: comment,
 	}
-	errStr, err := json.Marshal(errJSON)
+	errStr, err := json.Marshal(errJson)
 	if err != nil {
 		log.Fatalln(err)
 	}
--- a/json-dns/globalip.go
+++ b/json-dns/globalip.go
@@ -21,111 +21,109 @@
   DEALINGS IN THE SOFTWARE.
 */
-package jsondns
+package jsonDNS
 import (
 	"net"
 	"github.com/infobloxopen/go-trees/iptree"
 )
-var defaultFilter *iptree.Tree
+// RFC6890
-
+var localIPv4Nets = []net.IPNet{
 func init() {
 	defaultFilter = iptree.NewTree()
 	// RFC6890
 	// This host on this network
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{0, 0, 0, 0},
+		net.IP{0, 0, 0, 0},
-		Mask: net.IPMask{255, 0, 0, 0},
+		net.IPMask{255, 0, 0, 0},
-	}, struct{}{})
+	},
 	// Private-Use Networks
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{10, 0, 0, 0},
+		net.IP{10, 0, 0, 0},
-		Mask: net.IPMask{255, 0, 0, 0},
+		net.IPMask{255, 0, 0, 0},
-	}, struct{}{})
+	},
 	// Shared Address Space
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{100, 64, 0, 0},
+		net.IP{100, 64, 0, 0},
-		Mask: net.IPMask{255, 192, 0, 0},
+		net.IPMask{255, 192, 0, 0},
-	}, struct{}{})
+	},
 	// Loopback
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{127, 0, 0, 0},
+		net.IP{127, 0, 0, 0},
-		Mask: net.IPMask{255, 0, 0, 0},
+		net.IPMask{255, 0, 0, 0},
-	}, struct{}{})
+	},
 	// Link Local
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{169, 254, 0, 0},
+		net.IP{169, 254, 0, 0},
-		Mask: net.IPMask{255, 255, 0, 0},
+		net.IPMask{255, 255, 0, 0},
-	}, struct{}{})
+	},
 	// Private-Use Networks
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{172, 16, 0, 0},
+		net.IP{172, 16, 0, 0},
-		Mask: net.IPMask{255, 240, 0, 0},
+		net.IPMask{255, 240, 0, 0},
-	}, struct{}{})
+	},
 	// DS-Lite
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{192, 0, 0, 0},
+		net.IP{192, 0, 0, 0},
-		Mask: net.IPMask{255, 255, 255, 248},
+		net.IPMask{255, 255, 255, 248},
-	}, struct{}{})
+	},
 	// 6to4 Relay Anycast
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{192, 88, 99, 0},
+		net.IP{192, 88, 99, 0},
-		Mask: net.IPMask{255, 255, 255, 0},
+		net.IPMask{255, 255, 255, 0},
-	}, struct{}{})
+	},
 	// Private-Use Networks
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{192, 168, 0, 0},
+		net.IP{192, 168, 0, 0},
-		Mask: net.IPMask{255, 255, 0, 0},
+		net.IPMask{255, 255, 0, 0},
-	}, struct{}{})
+	},
 	// Reserved for Future Use & Limited Broadcast
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{240, 0, 0, 0},
+		net.IP{240, 0, 0, 0},
-		Mask: net.IPMask{240, 0, 0, 0},
+		net.IPMask{240, 0, 0, 0},
-	}, struct{}{})
+	},
 }
-	// RFC6890
+// RFC6890
 var localIPv6Nets = []net.IPNet{
 	// Unspecified & Loopback Address
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		net.IP{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		Mask: net.IPMask{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe},
+		net.IPMask{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe},
-	}, struct{}{})
+	},
 	// Discard-Only Prefix
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		net.IP{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		Mask: net.IPMask{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		net.IPMask{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-	}, struct{}{})
+	},
 	// Unique-Local
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{0xfc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		net.IP{0xfc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		Mask: net.IPMask{0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		net.IPMask{0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-	}, struct{}{})
+	},
 	// Linked-Scoped Unicast
-	defaultFilter.InplaceInsertNet(&net.IPNet{
+	net.IPNet{
-		IP:   net.IP{0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		net.IP{0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		Mask: net.IPMask{0xff, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		net.IPMask{0xff, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-	}, struct{}{})
+	},
 }
 func IsGlobalIP(ip net.IP) bool {
 	if ip == nil {
 		return false
 	}
-	_, contained := defaultFilter.GetByIP(ip)
+	if ipv4 := ip.To4(); len(ipv4) == net.IPv4len {
-	return !contained
+		for _, ipnet := range localIPv4Nets {
 			if ipnet.Contains(ip) {
 				return false
 			}
 		}
 		return true
 	}
 	if len(ip) == net.IPv6len {
 		for _, ipnet := range localIPv6Nets {
 			if ipnet.Contains(ip) {
 				return false
 			}
 		}
 		return true
 	}
 	return true
 }
--- a/json-dns/globalip_test.go
+++ b/json-dns/globalip_test.go
@@ -1,34 +0,0 @@
 package jsondns
 import (
 	"fmt"
 	"net"
 )
 func ExampleIsGlobalIP() {
 	fmt.Println(IsGlobalIP(net.ParseIP("127.0.0.1")))
 	fmt.Println(IsGlobalIP(net.IP{192, 168, 1, 1}))
 	fmt.Println(IsGlobalIP(net.ParseIP("8.8.8.8")))
 	fmt.Println(IsGlobalIP(net.IP{8, 8, 4, 4}))
 	fmt.Println(IsGlobalIP(net.ParseIP("::1")))
 	fmt.Println(IsGlobalIP(net.IP{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}))
 	fmt.Println(IsGlobalIP(net.ParseIP("2001:4860:4860::8888")))
 	fmt.Println(IsGlobalIP(net.IP{0x20, 0x01, 0x48, 0x60, 0x48, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x44}))
 	fmt.Println(IsGlobalIP(net.ParseIP("::ffff:127.0.0.1")))
 	fmt.Println(IsGlobalIP(net.IP{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 192, 168, 1, 1}))
 	fmt.Println(IsGlobalIP(net.ParseIP("::ffff:808:808")))
 	fmt.Println(IsGlobalIP(net.IP{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 8, 8, 4, 4}))
 	// Output:
 	// false
 	// false
 	// true
 	// true
 	// false
 	// false
 	// true
 	// true
 	// false
 	// false
 	// true
 	// true
 }
--- a/json-dns/marshal.go
+++ b/json-dns/marshal.go
@@ -21,7 +21,7 @@
   DEALINGS IN THE SOFTWARE.
 */
-package jsondns
+package jsonDNS
 import (
 	"net"
--- a/json-dns/response.go
+++ b/json-dns/response.go
@@ -21,32 +21,12 @@
   DEALINGS IN THE SOFTWARE.
 */
-package jsondns
+package jsonDNS
 import (
 	"encoding/json"
 	"time"
 )
 type QuestionList []Question
 func (ql *QuestionList) UnmarshalJSON(b []byte) error {
 	// Fix variant question response in Response.Question
 	//
 	// Solution taken from:
 	//	https://engineering.bitnami.com/articles/dealing-with-json-with-non-homogeneous-types-in-go.html
 	//	https://archive.is/NU4zR
 	if len(b) > 0 && b[0] == '[' {
 		return json.Unmarshal(b, (*[]Question)(ql))
 	}
 	var q Question
 	if err := json.Unmarshal(b, &q); err != nil {
 		return err
 	}
 	*ql = []Question{q}
 	return nil
 }
 type Response struct {
 	// Standard DNS response code (32 bit integer)
 	Status uint32 `json:"Status"`
@@ -60,13 +40,13 @@ type Response struct {
 	// FIXME: We don't have DNSSEC yet! This bit is not reliable!
 	AD bool `json:"AD"`
 	// Whether the client asked to disable DNSSEC
-	CD               bool         `json:"CD"`
+	CD               bool       `json:"CD"`
-	Question         QuestionList `json:"Question"`
+	Question         []Question `json:"Question"`
-	Answer           []RR         `json:"Answer,omitempty"`
+	Answer           []RR       `json:"Answer,omitempty"`
-	Authority        []RR         `json:"Authority,omitempty"`
+	Authority        []RR       `json:"Authority,omitempty"`
-	Additional       []RR         `json:"Additional,omitempty"`
+	Additional       []RR       `json:"Additional,omitempty"`
-	Comment          string       `json:"Comment,omitempty"`
+	Comment          string     `json:"Comment,omitempty"`
-	EdnsClientSubnet string       `json:"edns_client_subnet,omitempty"`
+	EdnsClientSubnet string     `json:"edns_client_subnet,omitempty"`
 	// Least time-to-live
 	HaveTTL         bool      `json:"-"`
 	LeastTTL        uint32    `json:"-"`
--- a/json-dns/unmarshal.go
+++ b/json-dns/unmarshal.go
@@ -21,7 +21,7 @@
   DEALINGS IN THE SOFTWARE.
 */
-package jsondns
+package jsonDNS
 import (
 	"fmt"
@@ -38,7 +38,7 @@ func PrepareReply(req *dns.Msg) *dns.Msg {
 	reply := new(dns.Msg)
 	reply.Id = req.Id
 	reply.Response = true
-	reply.Opcode = req.Opcode
+	reply.Opcode = reply.Opcode
 	reply.RecursionDesired = req.RecursionDesired
 	reply.RecursionAvailable = req.RecursionDesired
 	reply.CheckingDisabled = req.CheckingDisabled
Author	SHA1	Message	Date
James Swineson	9985c4b279	fix relative path	2019-03-26 15:57:01 +08:00
James Swineson	97a27e60e1	update comments	2019-03-26 15:46:57 +08:00
James Swineson	ca14db8929	move package.sh to contrib	2019-03-26 12:30:57 +08:00
James Swineson	a95e3e5f39	add networkmanager dispatcher script	2019-03-26 12:28:14 +08:00
James Swineson	5010a16458	initial dirty auto packaging	2019-03-26 12:16:07 +08:00
		`@@ -1,2 +0,0 @@`
			`/usr/bin/doh-client -- gen_context(system_u:object_r:doh_client_exec_t,s0)`
			`/usr/lib/systemd/system/doh-client.service -- gen_context(system_u:object_r:doh_client_unit_file_t,s0)`
		`@@ -1,2 +0,0 @@`
			`/usr/bin/doh-server -- gen_context(system_u:object_r:doh_server_exec_t,s0)`
			`/usr/lib/systemd/system/doh-server.service -- gen_context(system_u:object_r:doh_server_unit_file_t,s0)`