Release 2.1.1

slightly optimize the order of instructions in Dockerfile

.gitignore

@@ -3,7 +3,6 @@
 *.dll
 *.so
 *.dylib
-build/
 
 # Test binary, build with `go test -c`
 *.test

Changelog.md

@@ -4,6 +4,18 @@ This Changelog records major changes between versions.
 
 Not all changes are recorded. Please check git log for details.
 
+## Version 2.1.1
+
+- Add a set of Dockerfile contributed by the community
+- Include DNS.SB's resolver in example configuration
+
+## Version 2.1.0
+
+- Add `local_addr` configuration for doh-server (#39)
+- Fix a problem when compiling on macOS 10.14.4 or newer
+- Add Quad9 DoH server to the example `doh-client.conf`
+- Use TCP when appropriate for the given query type/response (AXFR/IXFR)
+
 ## Version 2.0.1
 
 - Fix a crash with the random load balancing algorithm.

Dockerfile.client

@@ -0,0 +1,22 @@
+FROM golang:alpine AS build-env
+
+RUN apk add --no-cache git make
+
+WORKDIR /src
+ADD . /src
+RUN make doh-client/doh-client
+
+FROM alpine:latest
+
+COPY --from=build-env /src/doh-client/doh-client /doh-client
+
+ADD doh-client/doh-client.conf /doh-client.conf
+
+RUN sed -i '$!N;s/"127.0.0.1:53",.*"127.0.0.1:5380",/":53",/;P;D' /doh-client.conf
+RUN sed -i '$!N;s/"\[::1\]:53",.*"\[::1\]:5380",/":5380",/;P;D' /doh-client.conf
+
+EXPOSE 53
+EXPOSE 5380
+
+ENTRYPOINT ["/doh-client"]
+CMD ["-conf", "/doh-client.conf"]

Dockerfile.server

@@ -0,0 +1,20 @@
+FROM golang:alpine AS build-env
+
+RUN apk add --no-cache git make
+
+WORKDIR /src
+ADD . /src
+RUN make doh-server/doh-server
+
+FROM alpine:latest
+
+COPY --from=build-env /src/doh-server/doh-server /doh-server
+
+ADD doh-server/doh-server.conf /doh-server.conf
+
+RUN sed -i '$!N;s/"127.0.0.1:8053",\s*"\[::1\]:8053",/":8053",/;P;D' /doh-server.conf
+
+EXPOSE 8053
+
+ENTRYPOINT ["/doh-server"]
+CMD ["-conf", "/doh-server.conf"]

contrib/package.sh

@@ -1,173 +0,0 @@
-#!/bin/bash 
-set -euo pipefail
-
-# This is a script used for automated packaging.
-# Debian maintainers please don't use this.
-# 
-# Environment assumption:
-#  * Ubuntu 16.04
-#  * run with normal user
-#  * sudo with no password
-#  * go and fpm is pre-installed
-#  * rpmbuild is required if you need rpm packages
-#
-# Compatible with Azure DevOps hosted Ubuntu 16.04 agent
-
-export DEBIAN_FRONTEND="noninteractive"
-export DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"/..
-export BUILD_BINARIESDIRECTORY="${BUILD_BINARIESDIRECTORY:-${DIR}/build/bin}"
-export BUILD_ARTIFACTSTAGINGDIRECTORY="${BUILD_ARTIFACTSTAGINGDIRECTORY:-${DIR}/build/packages}"
-export TMP_DIRECTORY="/tmp/dohbuild"
-export GOPATH="${GOPATH:-/tmp/go}"
-export GOBIN="${GOBIN:-/tmp/go/bin}"
-
-function prepare_env() {
-    echo "Checking dependencies"
-
-    if ! [ -x "$(command -v go)" ]; then
-        echo "Please install golang"
-        exit 1
-    fi
-
-    if [ -x "$(command -v apt-get)" ]; then
-        sudo apt-get -y update
-    fi
-
-    if ! [ -x "$(command -v rpmbuild)" ]; then
-        # TODO: correctly install rpmbuild
-        ! sudo apt-get -y install rpmbuild
-    fi
-
-    # if ! [ -x "$(command -v upx)" ]; then
-    #     sudo apt-get -y install upx
-    # fi
-
-    echo "Creating directories"
-
-    mkdir -p "${BUILD_BINARIESDIRECTORY}/nm-dispatcher"
-    mkdir -p "${BUILD_BINARIESDIRECTORY}/launchd"
-    mkdir -p "${BUILD_BINARIESDIRECTORY}/systemd"
-    mkdir -p "${BUILD_BINARIESDIRECTORY}/config"
-    mkdir -p "${BUILD_ARTIFACTSTAGINGDIRECTORY}"
-    mkdir -p "${TMP_DIRECTORY}"
-}
-
-function build_common() {
-    cp NetworkManager/dispatcher.d/* "${BUILD_BINARIESDIRECTORY}"/nm-dispatcher
-    cp launchd/*.plist "${BUILD_BINARIESDIRECTORY}"/launchd
-    cp systemd/*.service "${BUILD_BINARIESDIRECTORY}"/systemd
-    cp doh-server/doh-server.conf "${BUILD_BINARIESDIRECTORY}"/config
-    cp doh-client/doh-client.conf "${BUILD_BINARIESDIRECTORY}"/config
-}
-
-# used to get version
-function build_native() {
-    echo "Building a native binary..."
-
-    go build -ldflags="-s -w" -o ${BUILD_BINARIESDIRECTORY}/"${EXE}"-native
-}
-
-function build() {
-    echo "Building ${EXE} for OS=$1 ARCH=$2"
-    env GOOS="$1" GOARCH="$2" go build -ldflags="-s -w" -o ${BUILD_BINARIESDIRECTORY}/"${EXE}"-"$3"
-
-    # echo "Compressing executable"
-    # ! upx --ultra-brute ${BUILD_BINARIESDIRECTORY}/${EXE}-"$3" || true
-}
-
-function package() {
-    VERSION=$("${BUILD_BINARIESDIRECTORY}/${EXE}-native" --version | head -n 1 | cut -d" " -f2)
-    REVISION=$(git log --pretty=format:'%h' -n 1)
-
-    echo "Packaging ${EXE} ${VERSION} for OS=$1 ARCH=$2 TYPE=$3 DST=$4"
-
-    ! rm -rf "${TMP_DIRECTORY}"/*
-
-    mkdir -p "${TMP_DIRECTORY}"/usr/bin
-    cp "${BUILD_BINARIESDIRECTORY}"/"${EXE}"-"$3" "${TMP_DIRECTORY}"/usr/bin/"${EXE}"
-
-    mkdir -p "${TMP_DIRECTORY}"/usr/lib/systemd/system
-    cp "${BUILD_BINARIESDIRECTORY}"/systemd/"${EXE}".service "${TMP_DIRECTORY}"/usr/lib/systemd/system
-
-    mkdir -p "${TMP_DIRECTORY}"/etc/dns-over-https
-    cp "${BUILD_BINARIESDIRECTORY}"/config/"${EXE}".conf "${TMP_DIRECTORY}"/etc/dns-over-https
-
-    mkdir -p "${TMP_DIRECTORY}"/etc/NetworkManager/dispatcher.d
-    cp "${BUILD_BINARIESDIRECTORY}"/nm-dispatcher/"${EXE}" "${TMP_DIRECTORY}"/etc/NetworkManager/dispatcher.d
-
-    # call fpm
-    fpm --input-type dir \
-        --output-type $4 \
-        --chdir "${TMP_DIRECTORY}" \
-        --package "${BUILD_ARTIFACTSTAGINGDIRECTORY}" \
-        --name "${EXE}" \
-        --description "${DESCR}" \
-        --version "${VERSION}" \
-        --iteration "${REVISION}" \
-        --url "https://github.com/m13253/dns-over-https" \
-        --vendor "Star Brilliant <coder@poorlab.com>" \
-        --license "MIT License" \
-        --category "net" \
-        --maintainer "James Swineson <autopkg@public.swineson.me>" \
-        --architecture "$2" \
-        --force \
-        .
-}
-
-cd "${DIR}"/..
-prepare_env
-make deps
-build_common
-
-pushd doh-server
-export EXE="doh-server"
-export DESCR="DNS-over-HTTPS Server"
-
-build_native
-
-build linux amd64 linux-amd64
-package linux amd64 linux-amd64 deb
-! package linux amd64 linux-amd64 rpm
-package linux amd64 linux-amd64 pacman
-
-build linux arm linux-armhf
-package linux arm linux-armhf deb
-! package linux arm linux-armhf rpm
-package linux arm linux-armhf pacman
-
-build linux arm64 linux-arm64
-package linux arm64 linux-arm64 deb
-! package linux arm64 linux-arm64 rpm
-package linux arm64 linux-arm64 pacman
-
-# build darwin amd64 darwin-amd64
-# build windows 386 windows-x86.exe
-# build windows amd64 windows-amd64.exe
-popd
-
-pushd doh-client
-export EXE="doh-client"
-export DESCR="DNS-over-HTTPS Client"
-
-build_native
-
-build linux amd64 linux-amd64
-package linux amd64 linux-amd64 deb
-! package linux amd64 linux-amd64 rpm
-package linux amd64 linux-amd64 pacman
-
-build linux arm linux-armhf
-package linux arm linux-armhf deb
-! package linux arm linux-armhf rpm
-package linux arm linux-armhf pacman
-
-build linux arm64 linux-arm64
-package linux arm64 linux-arm64 deb
-! package linux arm64 linux-arm64 rpm
-package linux arm64 linux-arm64 pacman
-
-# build darwin amd64 darwin-amd64
-# build windows 386 windows-x86.exe
-# build windows amd64 windows-amd64.exe
-popd
-

darwin-wrapper/Makefile

@@ -6,7 +6,7 @@ PREFIX = /usr/local
 all: doh-logger
 
 doh-logger: doh-logger.swift
-	$(SWIFTC) -o $@ -O -static-stdlib $<
+	$(SWIFTC) -o $@ -O $<
 
 clean:
 	rm -f doh-logger

doh-client/doh-client.conf

@@ -4,6 +4,9 @@ listen = [
     "127.0.0.1:5380",
     "[::1]:53",
     "[::1]:5380",
+
+    ## To listen on both 0.0.0.0:53 and [::]:53, use the following line
+    # ":53",
 ]
 
 # HTTP path for upstream resolver
@@ -21,25 +24,30 @@ upstream_selector = "random"
 #    weight = 50
 
 ## CloudFlare's resolver, bad ECS, good DNSSEC
-#[[upstream.upstream_google]]
-#    url = "https://cloudflare-dns.com/dns-query"
-#    weight = 50
-
-## CloudFlare's resolver, bad ECS, good DNSSEC
-#[[upstream.upstream_google]]
-#    url = "https://1.1.1.1/dns-query"
-#    weight = 50
-
-# CloudFlare's resolver, bad ECS, good DNSSEC
+## ECS is disabled for privacy by design: https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details/#edns-client-subnet
 [[upstream.upstream_ietf]]
     url = "https://cloudflare-dns.com/dns-query"
     weight = 50
 
 ## CloudFlare's resolver, bad ECS, good DNSSEC
+## ECS is disabled for privacy by design: https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details/#edns-client-subnet
+## Note that some ISPs have problems connecting to 1.1.1.1, try 1.0.0.1 if problems happen.
 #[[upstream.upstream_ietf]]
 #    url = "https://1.1.1.1/dns-query"
 #    weight = 50
 
+## DNS.SB's resolver, good ECS, good DNSSEC
+## The provider claims no logging: https://dns.sb/doh/
+#[[upstream.upstream_ietf]]
+#    url = "https://doh.dns.sb/dns-query"
+#    weight = 50
+
+## Quad9's resolver, bad ECS, good DNSSEC
+## ECS is disabled for privacy by design: https://www.quad9.net/faq/#What_is_EDNS_Client-Subnet
+#[[upstream.upstream_ietf]]
+#    url = "https://9.9.9.9/dns-query"
+#    weight = 50
+
 ## Google's experimental resolver, good ECS, good DNSSEC
 #[[upstream.upstream_ietf]]
 #    url = "https://dns.google.com/experimental"

doh-client/version.go

@@ -24,6 +24,6 @@
 package main
 
 const (
-	VERSION    = "2.0.1"
+	VERSION    = "2.1.1"
 	USER_AGENT = "DNS-over-HTTPS/" + VERSION + " (+https://github.com/m13253/dns-over-https)"
 )

doh-server/doh-server.conf

@@ -2,6 +2,9 @@
 listen = [
     "127.0.0.1:8053",
     "[::1]:8053",
+
+    ## To listen on both 0.0.0.0:8053 and [::]:8053, use the following line
+    # ":8053",
 ]
 
 # Local address and port for upstream DNS

doh-server/server.go

@@ -263,19 +263,38 @@ func (s *Server) patchRootRD(req *DNSRequest) *DNSRequest {
 	return req
 }
 
+// Return the position index for the question of qtype from a DNS msg, otherwise return -1
+func (s *Server) indexQuestionType(msg *dns.Msg, qtype uint16) int {
+	for i, question := range msg.Question {
+		if question.Qtype == qtype {
+			return i
+		}
+	}
+	return -1
+}
+
 func (s *Server) doDNSQuery(ctx context.Context, req *DNSRequest) (resp *DNSRequest, err error) {
 	// TODO(m13253): Make ctx work. Waiting for a patch for ExchangeContext from miekg/dns.
 	numServers := len(s.conf.Upstream)
 	for i := uint(0); i < s.conf.Tries; i++ {
 		req.currentUpstream = s.conf.Upstream[rand.Intn(numServers)]
-		if !s.conf.TCPOnly {
+
+		// Use TCP if always configured to or if the Query type dictates it (AXFR)
+		if s.conf.TCPOnly || (s.indexQuestionType(req.request, dns.TypeAXFR) > -1) {
+			req.response, _, err = s.tcpClient.Exchange(req.request, req.currentUpstream)
+		} else {
 			req.response, _, err = s.udpClient.Exchange(req.request, req.currentUpstream)
 			if err == nil && req.response != nil && req.response.Truncated {
 				log.Println(err)
 				req.response, _, err = s.tcpClient.Exchange(req.request, req.currentUpstream)
 			}
-		} else {
-			req.response, _, err = s.tcpClient.Exchange(req.request, req.currentUpstream)
+
+			// Retry with TCP if this was an IXFR request and we only received an SOA
+			if (s.indexQuestionType(req.request, dns.TypeIXFR) > -1) &&
+				(len(req.response.Answer) == 1) &&
+				(req.response.Answer[0].Header().Rrtype == dns.TypeSOA) {
+				req.response, _, err = s.tcpClient.Exchange(req.request, req.currentUpstream)
+			}
 		}
 		if err == nil {
 			return req, nil

doh-server/version.go

@@ -24,6 +24,6 @@
 package main
 
 const (
-	VERSION    = "2.0.1"
+	VERSION    = "2.1.1"
 	USER_AGENT = "DNS-over-HTTPS/" + VERSION + " (+https://github.com/m13253/dns-over-https)"
 )

go.mod

@@ -5,9 +5,8 @@ go 1.12
 require (
 	github.com/BurntSushi/toml v0.3.1
 	github.com/gorilla/handlers v1.4.0
-	github.com/miekg/dns v1.1.6
-	golang.org/x/crypto v0.0.0-20190313024323-a1f597ede03a // indirect
-	golang.org/x/net v0.0.0-20190311183353-d8887717615a
-	golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6 // indirect
-	golang.org/x/sys v0.0.0-20190312061237-fead79001313 // indirect
+	github.com/miekg/dns v1.1.14
+	golang.org/x/crypto v0.0.0-20190621222207-cc06ce4a13d4 // indirect
+	golang.org/x/net v0.0.0-20190620200207-3b0461eec859
+	golang.org/x/sys v0.0.0-20190621203818-d432491b9138 // indirect
 )

go.sum

@@ -2,24 +2,17 @@ github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/gorilla/handlers v1.4.0 h1:XulKRWSQK5uChr4pEgSE4Tc/OcmnU9GJuSwdog/tZsA=
 github.com/gorilla/handlers v1.4.0/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ=
-github.com/miekg/dns v1.1.4 h1:rCMZsU2ScVSYcAsOXgmC6+AKOK+6pmQTOcw03nfwYV0=
-github.com/miekg/dns v1.1.4/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
-github.com/miekg/dns v1.1.6 h1:jVwb4GDwD65q/gtItR/lIZHjNH93QfeGxZUkzJcW9mc=
-github.com/miekg/dns v1.1.6/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=
+github.com/miekg/dns v1.1.14 h1:wkQWn9wIp4mZbwW8XV6Km6owkvRPbOiV004ZM2CkGvA=
+github.com/miekg/dns v1.1.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190313024323-a1f597ede03a h1:YX8ljsm6wXlHZO+aRz9Exqr0evNhKRNe5K/gi+zKh4U=
-golang.org/x/crypto v0.0.0-20190313024323-a1f597ede03a/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/net v0.0.0-20190301231341-16b79f2e4e95 h1:fY7Dsw114eJN4boqzVSbpVHO6rTdhq6/GnXeu+PKnzU=
-golang.org/x/net v0.0.0-20190301231341-16b79f2e4e95/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a h1:oWX7TPOiFAMXLq8o0ikBYfCJVlRHBcsciT5bXOrH628=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6 h1:bjcUS9ztw9kFmmIxJInhon/0Is3p+EHBKNgquIzo1OI=
-golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/crypto v0.0.0-20190621222207-cc06ce4a13d4 h1:ydJNl0ENAG67pFbB+9tfhiL2pYqLhfoaZFw/cjLhY4A=
+golang.org/x/crypto v0.0.0-20190621222207-cc06ce4a13d4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859 h1:R/3boaszxrf1GEUWTVDzSKVwLmSJpwZ1yqXm8j0v2QI=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190308023053-584f3b12f43e h1:K7CV15oJ823+HLXQ+M7MSMrUg8LjfqY7O3naO+8Pp/I=
-golang.org/x/sys v0.0.0-20190308023053-584f3b12f43e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190312061237-fead79001313 h1:pczuHS43Cp2ktBEEmLwScxgjWsBSzdaQiKzUyf3DTTc=
-golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190621203818-d432491b9138 h1:t8BZD9RDjkm9/h7yYN6kE8oaeov5r9aztkB7zKA5Tkg=
+golang.org/x/sys v0.0.0-20190621203818-d432491b9138/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=