Release 2.3.2

Removing Firefox 61-62 workaround patch

Changelog.md

@@ -4,6 +4,15 @@ This Changelog records major changes between versions.
 
 Not all changes are recorded. Please check git log for details.
 
+## Version 2.3.2
+
+- Documentation updates, including deploying recommenation alongside DoT, thanks @gdm85
+- Add unit tests for CIDR subnets parsing, thanks @gdm85
+- Removing Firefox 61-62 patch
+
+Since this version, @gdm85, @GreyXor, @Jamesits will be able to maintain this repository alongside @m13253. Anyone who contributed to this project can also apply to be a maintainer.
+This is because changes in life have delayed the development of this project. By constructing a community hopefully can we restore the pace of development.
+
 ## Version 2.3.1
 
 - No new features in this release

Readme.md

@@ -67,6 +67,10 @@ docker run -d --name doh-server \
   satishweb/doh-server
 ```
 
+## Logging
+
+All log lines (by either doh-client or doh-server) are written into `stderr`; you can view them using your OS tool of choice (`journalctl` when using systemd).
+
 ## Server Configuration
 
 The following is a typical DNS-over-HTTPS architecture:
@@ -269,6 +273,24 @@ services:
 
 > IPV6 Support for Docker Compose based configuration TBA
 
+### Example configuration: DNS-over-TLS
+
+There is no native [DNS-over-TLS](https://en.wikipedia.org/wiki/DNS_over_TLS) support but you can easily add it via nginx:
+```
+stream {
+    server {
+        listen                  *:853 ssl;
+        proxy_pass              ipofyourdnsresolver:port  #127.0.0.1:53
+    }
+
+    ssl_certificate /etc/letsencrypt/live/site.yourdomain/fullchain.pem; 
+    ssl_certificate_key /etc/letsencrypt/live/site.yourdomain/privkey.pem; 
+}
+```
+
+The DoT service can also be provided by running a [STunnel](https://www.stunnel.org/) instance to wrap dnsmasq (or any other resolver of your choice, listening on a TCP port);
+this approach does not need a stand-alone daemon to provide the DoT service.
+
 ## DNSSEC
 
 DNS-over-HTTPS is compatible with DNSSEC, and requests DNSSEC signatures by
@@ -315,6 +337,10 @@ Currently supported features are:
 - [X] EDNS0 large UDP packet (4 KiB by default)
 - [X] EDNS0-Client-Subnet (/24 for IPv4, /56 for IPv6 by default)
 
+## Known issues
+
+* it does not work well with [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy), you might want to use either (or fix the compatibility bugs by submitting PRs)
+
 ## The name of the project
 
 This project is named "DNS-over-HTTPS" because it was written before the IETF DoH project. Although this project is compatible with IETF DoH, the project is not affiliated with IETF.

doh-server/google.go

@@ -90,45 +90,14 @@ func (s *Server) parseRequestGoogle(ctx context.Context, w http.ResponseWriter,
 		if ednsClientSubnet == "0/0" {
 			ednsClientSubnet = "0.0.0.0/0"
 		}
-		slash := strings.IndexByte(ednsClientSubnet, '/')
+
-		if slash < 0 {
+		var err error
-			ednsClientAddress = net.ParseIP(ednsClientSubnet)
+		ednsClientFamily, ednsClientAddress, ednsClientNetmask, err = parseSubnet(ednsClientSubnet)
-			if ednsClientAddress == nil {
+		if err != nil {
-				return &DNSRequest{
+			return &DNSRequest{
-					errcode: 400,
+				errcode: 400,
-					errtext: fmt.Sprintf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet),
+				errtext: err.Error(),
-				}
 			}
-			if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
-				ednsClientFamily = 1
-				ednsClientAddress = ipv4
-				ednsClientNetmask = 24
-			} else {
-				ednsClientFamily = 2
-				ednsClientNetmask = 56
-			}
-		} else {
-			ednsClientAddress = net.ParseIP(ednsClientSubnet[:slash])
-			if ednsClientAddress == nil {
-				return &DNSRequest{
-					errcode: 400,
-					errtext: fmt.Sprintf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet),
-				}
-			}
-			if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
-				ednsClientFamily = 1
-				ednsClientAddress = ipv4
-			} else {
-				ednsClientFamily = 2
-			}
-			netmask, err := strconv.ParseUint(ednsClientSubnet[slash+1:], 10, 8)
-			if err != nil {
-				return &DNSRequest{
-					errcode: 400,
-					errtext: fmt.Sprintf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet),
-				}
-			}
-			ednsClientNetmask = uint8(netmask)
 		}
 	} else {
 		ednsClientAddress = s.findClientIP(r)
@@ -169,6 +138,45 @@ func (s *Server) parseRequestGoogle(ctx context.Context, w http.ResponseWriter,
 	}
 }
 
+func parseSubnet(ednsClientSubnet string) (ednsClientFamily uint16, ednsClientAddress net.IP, ednsClientNetmask uint8, err error) {
+	slash := strings.IndexByte(ednsClientSubnet, '/')
+	if slash < 0 {
+		ednsClientAddress = net.ParseIP(ednsClientSubnet)
+		if ednsClientAddress == nil {
+			err = fmt.Errorf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet)
+			return
+		}
+		if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
+			ednsClientFamily = 1
+			ednsClientAddress = ipv4
+			ednsClientNetmask = 24
+		} else {
+			ednsClientFamily = 2
+			ednsClientNetmask = 56
+		}
+	} else {
+		ednsClientAddress = net.ParseIP(ednsClientSubnet[:slash])
+		if ednsClientAddress == nil {
+			err = fmt.Errorf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet)
+			return
+		}
+		if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
+			ednsClientFamily = 1
+			ednsClientAddress = ipv4
+		} else {
+			ednsClientFamily = 2
+		}
+		netmask, err1 := strconv.ParseUint(ednsClientSubnet[slash+1:], 10, 8)
+		if err1 != nil {
+			err = fmt.Errorf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet)
+			return
+		}
+		ednsClientNetmask = uint8(netmask)
+	}
+
+	return
+}
+
 func (s *Server) generateResponseGoogle(ctx context.Context, w http.ResponseWriter, r *http.Request, req *DNSRequest) {
 	respJSON := jsondns.Marshal(req.response)
 	respStr, err := json.Marshal(respJSON)

doh-server/ietf.go

@@ -182,8 +182,6 @@ func (s *Server) generateResponseIETF(ctx context.Context, w http.ResponseWriter
 	w.Header().Set("Last-Modified", now)
 	w.Header().Set("Vary", "Accept")
 
-	_ = s.patchFirefoxContentType(w, r, req)
-
 	if respJSON.HaveTTL {
 		if req.isTailored {
 			w.Header().Set("Cache-Control", "private, max-age="+strconv.FormatUint(uint64(respJSON.LeastTTL), 10))
@@ -217,18 +215,4 @@ func (s *Server) patchDNSCryptProxyReqID(w http.ResponseWriter, r *http.Request,
 		return true
 	}
 	return false
-}
+}
-
-// Workaround a bug causing Firefox 61-62 to reject responses with Content-Type = application/dns-message
-func (s *Server) patchFirefoxContentType(w http.ResponseWriter, r *http.Request, req *DNSRequest) bool {
-	if strings.Contains(r.UserAgent(), "Firefox") && strings.Contains(r.Header.Get("Accept"), "application/dns-udpwireformat") && !strings.Contains(r.Header.Get("Accept"), "application/dns-message") {
-		if s.conf.Verbose {
-			log.Println("Firefox 61-62 detected. Patching response.")
-		}
-		w.Header().Set("Content-Type", "application/dns-udpwireformat")
-		w.Header().Set("Vary", "Accept, User-Agent")
-		req.isTailored = true
-		return true
-	}
-	return false
-}

doh-server/parse_test.go

@@ -0,0 +1,119 @@
+/*
+   DNS-over-HTTPS
+   Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
+
+   Permission is hereby granted, free of charge, to any person obtaining a
+   copy of this software and associated documentation files (the "Software"),
+   to deal in the Software without restriction, including without limitation
+   the rights to use, copy, modify, merge, publish, distribute, sublicense,
+   and/or sell copies of the Software, and to permit persons to whom the
+   Software is furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+   DEALINGS IN THE SOFTWARE.
+*/
+
+package main
+
+import (
+	"testing"
+
+	"github.com/miekg/dns"
+)
+
+func TestParseCIDR(t *testing.T) {
+	t.Parallel()
+	for _, ednsClientSubnet := range []string{
+		"2001:db8::/0",
+		"2001:db8::/56",
+		"2001:db8::/129",
+		"2001:db8::",
+
+		"127.0.0.1/0",
+		"127.0.0.1/24",
+		"127.0.0.1/33",
+		"127.0.0.1",
+
+		"::ffff:7f00:1/0",
+		"::ffff:7f00:1/120",
+		"::ffff:7f00:1",
+		"127.0.0.1/0",
+		"127.0.0.1/24",
+		"127.0.0.1",
+	} {
+		_, ip, ipNet, err := parseSubnet(ednsClientSubnet)
+		if err != nil {
+			t.Errorf("ecs:%s ip:[%v]  ipNet:[%v]  err:[%v]", ednsClientSubnet, ip, ipNet, err)
+		}
+	}
+}
+
+func TestParseInvalidCIDR(t *testing.T) {
+	t.Parallel()
+
+	for _, ip := range []string{
+		"test",
+		"test/0",
+		"test/24",
+		"test/34",
+		"test/56",
+		"test/129",
+	} {
+		_, _, _, err := parseSubnet(ip)
+		if err == nil {
+			t.Errorf("expected error for %q", ip)
+		}
+	}
+}
+
+func TestEdns0SubnetParseCIDR(t *testing.T) {
+	t.Parallel()
+	// init dns Msg
+	msg := new(dns.Msg)
+	msg.Id = dns.Id()
+	msg.SetQuestion(dns.Fqdn("example.com"), 1)
+
+	// init edns0Subnet
+	edns0Subnet := new(dns.EDNS0_SUBNET)
+	edns0Subnet.Code = dns.EDNS0SUBNET
+	edns0Subnet.SourceScope = 0
+
+	// init opt
+	opt := new(dns.OPT)
+	opt.Hdr.Name = "."
+	opt.Hdr.Rrtype = dns.TypeOPT
+	opt.SetUDPSize(dns.DefaultMsgSize)
+
+	opt.Option = append(opt.Option, edns0Subnet)
+	msg.Extra = append(msg.Extra, opt)
+
+	for _, subnet := range []string{"::ffff:7f00:1/120", "127.0.0.1/24"} {
+		var err error
+		edns0Subnet.Family, edns0Subnet.Address, edns0Subnet.SourceNetmask, err = parseSubnet(subnet)
+		if err != nil {
+			t.Error(err)
+			continue
+		}
+		t.Log(msg.Pack())
+	}
+
+	// ------127.0.0.1/24-----
+	// [143 29 1 0 0 1 0 0 0 0 0 1 7 101 120 97 109 112 108 101 3 99 111 109 0 0 1 0 1 0
+	// opt start   0 41 16 0 0 0 0 0 0 11
+	// subnet start 0 8 0 7 0 1 24 0
+	// client subnet start 127 0 0]
+
+	// -----::ffff:7f00:1/120----
+	// [111 113 1 0 0 1 0 0 0 0 0 1 7 101 120 97 109 112 108 101 3 99 111 109 0 0 1 0 1 0
+	// opt start  0 41 16 0 0 0 0 0 0 23
+	// subnet start  0 8 0 19 0 2 120 0
+	// client subnet start 0 0 0 0 0 0 0 0 0 0 255 255 127 0 0]
+}