Update Changelog

* log real client ip behind a HTTPS gateway

* fix tab/space indent

* better compatible for apache/nginx log default format

* add  config option

.gitignore

@@ -12,3 +12,5 @@
 
 # Project-local glide cache, RE: https://github.com/Masterminds/glide/issues/736
 .glide/
+
+.idea/

Changelog.md

@@ -0,0 +1,140 @@
+# Changelog
+
+This Changelog records major changes between versions.
+
+Not all changes are recorded. Please check git log for details.
+
+## Version 2.0.0
+
+**This is a breaking change!** Please update the configuration file after upgrading.
+
+- Implemented two upstream server selector algorithms: `weighted_round_robin` and `lvs_weighted_round_robin`.
+- Add a configuration option for doh-server: `log_guessed_client_ip`.
+
+## Version 1.4.2
+
+- Add PID file feature for systems which lacks a cgroup-based process tracker.
+- Remove dns.ErrTruncated according to <https://github.com/miekg/dns/pull/815>.
+
+## Version 1.4.1
+
+- Add a configuration option: `debug_http_headers` (e.g. Add `CF-Ray` to diagnose Cloudflare's resolver)
+- Add a configuration option: `passrthrough`
+- macOS logger is rebuilt with static libswiftCore
+- Fix HTTP stream leaking problem, which may cause massive half-open connections if HTTP/1 is in use
+- Utilize Go's cancelable context to detect timeouts more reliably.
+- Fix interoperation problems with gDNS
+- CORS is enabled by default in doh-server
+- Documentation updates
+
+## Version 1.3.10
+
+- Enable application/dns-message (draft-13) by default, since Google has finally supported it
+
+## Version 1.3.9
+
+- Fix client crash with `no_cookies = true`
+- Add 5380 as an additional default doh-client port
+- If `$GOROOT` is defined, Makefile now respects the value for the convenience of Debian/Ubuntu users
+- Change the ECS prefix length from /48 to /56 for IPv6, per RFC 7871
+
+## Version 1.3.8
+
+- Workaround a bug causing Firefox 61-62 to reject responses with Content-Type = application/dns-message
+- Workaround a bug causing DNSCrypt-Proxy to expect a response with TransactionID = 0xcafe
+- TransactionID is now preserved to maintain compatibility with some clients
+- Turn on `no_cookies` by default according to the IETF draft
+- Update Documentation
+
+## Version 1.3.7
+
+- Add CloudFlare DNS resolver for Tor to the preset
+- It is now able to print upstream information if error happens
+- Updated default configuration files are now installed to `*.conf.example`
+- Workaround a bug causing Unbound to refuse returning anything about the root
+- Workaround a bug causing DNSCrypt-Proxy to expect a response with TransactionID = 0xcafe
+
+## Version 1.3.6
+
+- We have a logger for macOS platform now, so logs can be sent to Console.app
+- Add an option to disable IPv6, this option is available to client only
+
+## Version 1.3.5
+
+- Limit the frequency of creating HTTP client on bad network condition
+
+## Version 1.3.4
+
+- doh-client now silently fails in case of network error to prevent caching of SERVFAIL
+- EDNS0 is now inserted to the beginning of OPT section, to ensure DNSSEC signatures are at the end
+- Improve building system
+- Update documents
+
+## Version 1.3.3
+
+- Take User-Agent out of common library, that would be better for packaging
+
+## Version 1.3.2
+
+- Fix version string in HTTP User-Agent
+
+## Version 1.3.1
+
+- Fix the "address already in use" issue
+
+## Version 1.3.0
+
+- Breaking change: Add client / server support for multiple listen address
+  The `listen` option in the configuration file is a list now
+
+## Version 1.2.1
+
+- Update protocol to IETF draft-07
+- Update installation documentations for Ubuntu / Debian
+
+## Version 1.2.0
+
+- Add installation documentations for Ubuntu / Debian
+- Include CloudFlare DOH server (1.1.1.1, 1.0.0.1) in default configuration
+- Fix a problem causing `go get` to fail due to relative paths
+- Add documentation about `/etc/hosts` preloading
+
+## Version 1.1.4
+
+- Add `no_cookies` option
+- Add documentation on privacy issues
+- Adapt for CloudFlare DNS service
+- Fix a problem causing a single network failure blocking future requests
+- Add experimental macOS support
+
+## Version 1.1.3
+
+- Unsupported Content-Type now generates HTTP error code 415
+
+## Version 1.1.2
+
+- Adapt to IETF protocol
+- Optimize for HTTP caches
+
+## Version 1.1.1
+
+- Adapt to IETF protocol
+- Optimize for HTTP caches
+- Add documentation for uninstallation instructions
+- Fix build issues
+
+## Version 1.1.0
+
+- Adpat to IETF protocol
+- Fix issues regarding to HTTP caching
+- Require Go 1.9 to build now
+- Fix systemd issue
+
+## Version 1.0.1
+
+- Fix build issues
+
+## Version 1.0.0
+
+- First release
+- Relicense as MIT license

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (C) 2017 Star Brilliant <m13253@hotmail.com>
+Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in

Makefile

@@ -1,29 +1,69 @@
-.PHONY: all clean install uninstall
+.PHONY: all clean install uninstall deps
 
-GOBUILD=go build
-GOGET=go get -d -v .
-PREFIX=/usr/local
+PREFIX = /usr/local
+
+ifeq ($(GOROOT),)
+GOBUILD = go build
+GOGET = go get -d -v
+GOGET_UPDATE = go get -d -u -v
+else
+GOBUILD = $(GOROOT)/bin/go build
+GOGET = $(GOROOT)/bin/go get -d -v
+GOGET_UPDATE = $(GOROOT)/bin/go get -d -u -v
+endif
+
+ifeq ($(shell uname),Darwin)
+CONFDIR = /usr/local/etc/dns-over-https
+else
+CONFDIR = /etc/dns-over-https
+endif
 
 all: doh-client/doh-client doh-server/doh-server
+	if [ "`uname`" = "Darwin" ]; then \
+		$(MAKE) -C darwin-wrapper; \
+	fi
 
 clean:
 	rm -f doh-client/doh-client doh-server/doh-server
+	if [ "`uname`" = "Darwin" ]; then \
+		$(MAKE) -C darwin-wrapper clean; \
+	fi
 
-install: doh-client/doh-client doh-server/doh-server
-	install -Dm0755 doh-client/doh-client "$(DESTDIR)$(PREFIX)/bin/doh-client"
-	install -Dm0755 doh-server/doh-server "$(DESTDIR)$(PREFIX)/bin/doh-server"
-	[ -e "$(DESTDIR)/etc/dns-over-https/doh-client.conf" ] || install -Dm0644 doh-client/doh-client.conf "$(DESTDIR)/etc/dns-over-https/doh-client.conf"
-	[ -e "$(DESTDIR)/etc/dns-over-https/doh-server.conf" ] || install -Dm0644 doh-server/doh-server.conf "$(DESTDIR)/etc/dns-over-https/doh-server.conf"
-	$(MAKE) -C systemd install "DESTDIR=$(DESTDIR)" "PREFIX=$(PREFIX)"
-	$(MAKE) -C NetworkManager install "DESTDIR=$(DESTDIR)" "PREFIX=$(PREFIX)"
+install:
+	[ -e doh-client/doh-client ] || $(MAKE) doh-client/doh-client
+	[ -e doh-server/doh-server ] || $(MAKE) doh-server/doh-server
+	mkdir -p "$(DESTDIR)$(PREFIX)/bin/"
+	install -m0755 doh-client/doh-client "$(DESTDIR)$(PREFIX)/bin/doh-client"
+	install -m0755 doh-server/doh-server "$(DESTDIR)$(PREFIX)/bin/doh-server"
+	mkdir -p "$(DESTDIR)$(CONFDIR)/"
+	install -m0644 doh-client/doh-client.conf "$(DESTDIR)$(CONFDIR)/doh-client.conf.example"
+	install -m0644 doh-server/doh-server.conf "$(DESTDIR)$(CONFDIR)/doh-server.conf.example"
+	[ -e "$(DESTDIR)$(CONFDIR)/doh-client.conf" ] || install -m0644 doh-client/doh-client.conf "$(DESTDIR)$(CONFDIR)/doh-client.conf"
+	[ -e "$(DESTDIR)$(CONFDIR)/doh-server.conf" ] || install -m0644 doh-server/doh-server.conf "$(DESTDIR)$(CONFDIR)/doh-server.conf"
+	if [ "`uname`" = "Linux" ]; then \
+		$(MAKE) -C systemd install "DESTDIR=$(DESTDIR)"; \
+		$(MAKE) -C NetworkManager install "DESTDIR=$(DESTDIR)"; \
+	elif [ "`uname`" = "Darwin" ]; then \
+		$(MAKE) -C darwin-wrapper install "DESTDIR=$(DESTDIR)" "PREFIX=$(PREFIX)"; \
+		$(MAKE) -C launchd install "DESTDIR=$(DESTDIR)"; \
+	fi
 
 uninstall:
-	rm -f "$(DESTDIR)$(PREFIX)/bin/doh-client" "$(DESTDIR)$(PREFIX)/bin/doh-server"
-	$(MAKE) -C systemd uninstall "DESTDIR=$(DESTDIR)" "PREFIX=$(PREFIX)"
-	$(MAKE) -C NetworkManager uninstall "DESTDIR=$(DESTDIR)" "PREFIX=$(PREFIX)"
+	rm -f "$(DESTDIR)$(PREFIX)/bin/doh-client" "$(DESTDIR)$(PREFIX)/bin/doh-server" "$(DESTDIR)$(CONFDIR)/doh-client.conf.example" "$(DESTDIR)$(CONFDIR)/doh-server.conf.example"
+	if [ "`uname`" = "Linux" ]; then \
+		$(MAKE) -C systemd uninstall "DESTDIR=$(DESTDIR)"; \
+		$(MAKE) -C NetworkManager uninstall "DESTDIR=$(DESTDIR)"; \
+	elif [ "`uname`" = "Darwin" ]; then \
+		$(MAKE) -C launchd uninstall "DESTDIR=$(DESTDIR)"; \
+	fi
 
-doh-client/doh-client: doh-client/client.go doh-client/config.go doh-client/main.go json-dns/error.go json-dns/globalip.go json-dns/marshal.go json-dns/response.go json-dns/unmarshal.go
-	cd doh-client && $(GOGET) && $(GOBUILD)
+deps:
+	@# I am not sure if it is the correct way to keep the common library updated
+	$(GOGET_UPDATE) github.com/m13253/dns-over-https/json-dns
+	$(GOGET) ./doh-client ./doh-server
 
-doh-server/doh-server: doh-server/config.go doh-server/main.go doh-server/server.go json-dns/error.go json-dns/globalip.go json-dns/marshal.go json-dns/response.go json-dns/unmarshal.go
-	cd doh-server && $(GOGET) && $(GOBUILD)
+doh-client/doh-client: deps doh-client/client.go doh-client/config/config.go doh-client/google.go doh-client/ietf.go doh-client/main.go doh-client/version.go json-dns/error.go json-dns/globalip.go json-dns/marshal.go json-dns/response.go json-dns/unmarshal.go
+	cd doh-client && $(GOBUILD)
+
+doh-server/doh-server: deps doh-server/config.go doh-server/google.go doh-server/ietf.go doh-server/main.go doh-server/server.go doh-server/version.go json-dns/error.go json-dns/globalip.go json-dns/marshal.go json-dns/response.go json-dns/unmarshal.go
+	cd doh-server && $(GOBUILD)

Readme.md

@@ -1,11 +1,18 @@
 DNS-over-HTTPS
 ==============
 
-Client and server software to query DNS over HTTPS, using [Google DNS-over-HTTPS protocol](https://developers.google.com/speed/public-dns/docs/dns-over-https).
+Client and server software to query DNS over HTTPS, using [Google DNS-over-HTTPS protocol](https://developers.google.com/speed/public-dns/docs/dns-over-https)
+and [IETF DNS-over-HTTPS (RFC 8484)](https://www.rfc-editor.org/rfc/rfc8484.txt).
 
-## Easy start
+## Guide
 
-Install [Go](https://golang.org), at least version 1.8.
+[Tutorial to setup your own DNS-over-HTTPS (DoH) server](https://www.aaflalo.me/2018/10/tutorial-setup-dns-over-https-server/). (Thanks to Antoine Aflalo)
+
+## Installing
+
+Install [Go](https://golang.org), at least version 1.10.
+
+(Note for Debian/Ubuntu users: You need to set `$GOROOT` if you could not get your new version of Go selected by the Makefile.)
 
 First create an empty directory, used for `$GOPATH`:
 
@@ -41,6 +48,14 @@ If it is OK, you will wee:
 
     ;; SERVER: 127.0.0.1#53(127.0.0.1)
 
+### Uninstalling
+
+To uninstall, type:
+
+    sudo make uninstall
+
+The configuration files are kept at `/etc/dns-over-https`. Remove them manually if you want.
+
 ## Server Configuration
 
 The following is a typical DNS-over-HTTPS architecture:
@@ -61,26 +76,60 @@ The following is a typical DNS-over-HTTPS architecture:
 Although DNS-over-HTTPS can work alone, a HTTP service muxer would be useful as
 you can host DNS-over-HTTPS along with other HTTPS services.
 
+HTTP/2 with at least TLS v1.3 is recommended. OCSP stapling must be enabled,
+otherwise DNS recursion may happen.
+
 ## DNSSEC
 
-DNSSEC validation is not built-in. It is highly recommended that you install
-`unbound` or `bind` and pass results for them to validate DNS records.
+DNS-over-HTTPS is compatible with DNSSEC, and requests DNSSEC signatures by
+default. However signature validation is not built-in. It is highly recommended
+that you install `unbound` or `bind` and pass results for them to validate DNS
+records.
 
-If you are running a server without anycast, you probably want to enable EDNS0
-Client Subnet during your configuring `unbound` or `bind`.
+## EDNS0-Client-Subnet (GeoDNS)
+
+DNS-over-HTTPS supports EDNS0-Client-Subnet protocol, which submits part of the
+client's IP address (/24 for IPv4, /56 for IPv6 by default) to the upstream
+server. This is useful for GeoDNS and CDNs to work, and is exactly the same
+configuration as most public DNS servers.
+
+Keep in mind that /24 is not enough to track a single user, although it is
+precise enough to know the city where the user is located. If you think
+EDNS0-Client-Subnet is affecting your privacy, you can set `no_ecs = true` in
+`/etc/dns-over-https/doh-client.conf`, with the cost of slower video streaming
+or software downloading speed.
+
+To ultilize ECS, `X-Forwarded-For` or `X-Real-IP` should be enabled on your
+HTTP service muxer. If your server is backed by `unbound` or `bind`, you
+probably want to configure it to enable the EDNS0-Client-Subnet feature as
+well.
 
 ## Protocol compatibility
 
-DNS-over-HTTPS use a protocol compatible to [Google DNS-over-HTTPS](https://developers.google.com/speed/public-dns/docs/dns-over-https),
+### Google DNS-over-HTTPS Protocol
+
+DNS-over-HTTPS uses a protocol compatible to [Google DNS-over-HTTPS](https://developers.google.com/speed/public-dns/docs/dns-over-https),
 except for absolute expire time is preferred to relative TTL value. Refer to
 [json-dns/response.go](json-dns/response.go) for a complete description of the
 API.
 
+### IETF DNS-over-HTTPS Protocol
+
+DNS-over-HTTPS uses a protocol compatible to [IETF DNS-over-HTTPS (RFC 8484)](https://www.rfc-editor.org/rfc/rfc8484.txt).
+
+### Supported features
+
 Currently supported features are:
 
 - [X] IPv4 / IPv6
 - [X] EDNS0 large UDP packet (4 KiB by default)
-- [X] EDNS0 Client Subnet (/24 for IPv4, /48 for IPv6 by default)
+- [X] EDNS0-Client-Subnet (/24 for IPv4, /56 for IPv6 by default)
+
+## The name of the project
+
+This project is named "DNS-over-HTTPS" because it was written before the IETF DoH project. Although this project is compatible with IETF DoH, the project is not affiliated with IETF.
+
+To avoid confusion, you may also call this project "m13253/DNS-over-HTTPS" or anything you like.
 
 ## License
 

contrib/linux-install.md

@@ -0,0 +1,51 @@
+# Ubuntu Install
+> Tested on a clean install of `Ubuntu 16.04 LTS`
+
+## Intalling go
+Install `Go >= 1.9`
+
+```bash
+sudo apt update
+sudo apt install golang-1.10 -y
+```
+
+Add the newly install `go` to the path
+
+```bash
+export PATH=$PATH:/usr/lib/go-1.10/bin
+```
+
+Test to make sure that you can execute `go`
+
+```bash
+go version
+```
+which should output something like
+
+```bash
+go version go1.10.1 linux/amd64
+```
+
+## Installing dns-over-https
+
+Clone this repo
+
+
+```bash
+git clone https://github.com/m13253/dns-over-https.git
+```
+
+Change directory to the cloned repo
+
+```bash
+cd dns-over-https
+```
+
+make and install
+
+```bash
+make
+sudo make install
+```	
+
+

contrib/linux-install.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# See the linux-install.md (README) first. 
+set -e 
+
+sudo apt update
+sudo apt install golang-1.10 git -y
+export PATH=$PATH:/usr/lib/go-1.10/bin
+cd /tmp
+git clone https://github.com/m13253/dns-over-https.git
+cd dns-over-https
+make 
+sudo make install

darwin-wrapper/Makefile

@@ -0,0 +1,19 @@
+.PHONY: all clean install uninstall
+
+SWIFTC = swiftc
+PREFIX = /usr/local
+
+all: doh-logger
+
+doh-logger: doh-logger.swift
+	$(SWIFTC) -o $@ -O -static-stdlib $<
+
+clean:
+	rm -f doh-logger
+
+install: doh-logger
+	mkdir -p $(DESTDIR)$(PREFIX)/bin
+	install -m0755 doh-logger $(DESTDIR)$(PREFIX)/bin
+
+uninstall:
+	rm -f $(DESTDIR)$(PREFIX)/bin/doh-logger

darwin-wrapper/doh-logger.swift

@@ -0,0 +1,94 @@
+#!/usr/bin/swift
+
+/*
+   DNS-over-HTTPS
+   Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
+
+   Permission is hereby granted, free of charge, to any person obtaining a
+   copy of this software and associated documentation files (the "Software"),
+   to deal in the Software without restriction, including without limitation
+   the rights to use, copy, modify, merge, publish, distribute, sublicense,
+   and/or sell copies of the Software, and to permit persons to whom the
+   Software is furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+   DEALINGS IN THE SOFTWARE.
+*/
+
+import Foundation
+import os.log
+
+if CommandLine.arguments.count < 3 {
+    let programName = CommandLine.arguments[0]
+    print("Usage: \(programName) LOG_NAME PROGRAM [ARGUMENTS]\n")
+    exit(1)
+}
+let logSubsystem = CommandLine.arguments[1]
+let logger = OSLog(subsystem: logSubsystem, category: "default")
+
+let pipe = Pipe()
+var buffer = Data()
+NotificationCenter.default.addObserver(forName: FileHandle.readCompletionNotification, object: pipe.fileHandleForReading, queue: nil) { notification in
+    let data = notification.userInfo?["NSFileHandleNotificationDataItem"] as? Data ?? Data()
+    buffer.append(data)
+    var lastIndex = 0
+    for (i, byte) in buffer.enumerated() {
+        if byte == 0x0a {
+            let line = String(data: buffer.subdata(in: lastIndex..<i), encoding: .utf8) ?? ""
+            print(line)
+            os_log("%{public}@", log: logger, line)
+            lastIndex = i + 1
+        }
+    }
+    buffer = buffer.subdata(in: lastIndex..<buffer.count)
+    if data.count == 0 && buffer.count != 0 {
+        let line = String(data: buffer, encoding: .utf8) ?? ""
+        print(line, terminator: "")
+        os_log("%{public}@", log: logger, line)
+    }
+    pipe.fileHandleForReading.readInBackgroundAndNotify()
+}
+pipe.fileHandleForReading.readInBackgroundAndNotify()
+
+let process = Process()
+process.arguments = Array(CommandLine.arguments[3...])
+process.executableURL = URL(fileURLWithPath: CommandLine.arguments[2])
+process.standardError = pipe.fileHandleForWriting
+process.standardInput = FileHandle.standardInput
+process.standardOutput = pipe.fileHandleForWriting
+NotificationCenter.default.addObserver(forName: Process.didTerminateNotification, object: process, queue: nil) { notification in
+    if buffer.count != 0 {
+        let line = String(data: buffer, encoding: .utf8) ?? ""
+        print(line, terminator: "")
+        os_log("%{public}@", log: logger, line)
+    }
+    exit(process.terminationStatus)
+}
+
+let SIGINTSource = DispatchSource.makeSignalSource(signal: SIGINT)
+let SIGTERMSource = DispatchSource.makeSignalSource(signal: SIGTERM)
+SIGINTSource.setEventHandler(handler: process.interrupt)
+SIGTERMSource.setEventHandler(handler: process.terminate)
+signal(SIGINT, SIG_IGN)
+signal(SIGTERM, SIG_IGN)
+SIGINTSource.resume()
+SIGTERMSource.resume()
+
+do {
+    try process.run()
+} catch {
+    let errorMessage = error.localizedDescription
+    print(errorMessage)
+    os_log("%{public}@", log: logger, type: .fault, errorMessage)
+    exit(1)
+}
+
+RunLoop.current.run()

doh-client/client.go

@@ -1,245 +1,442 @@
 /*
-    DNS-over-HTTPS
-    Copyright (C) 2017 Star Brilliant <m13253@hotmail.com>
+   DNS-over-HTTPS
+   Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
 
-    Permission is hereby granted, free of charge, to any person obtaining a
-    copy of this software and associated documentation files (the "Software"),
-    to deal in the Software without restriction, including without limitation
-    the rights to use, copy, modify, merge, publish, distribute, sublicense,
-    and/or sell copies of the Software, and to permit persons to whom the
-    Software is furnished to do so, subject to the following conditions:
+   Permission is hereby granted, free of charge, to any person obtaining a
+   copy of this software and associated documentation files (the "Software"),
+   to deal in the Software without restriction, including without limitation
+   the rights to use, copy, modify, merge, publish, distribute, sublicense,
+   and/or sell copies of the Software, and to permit persons to whom the
+   Software is furnished to do so, subject to the following conditions:
 
-    The above copyright notice and this permission notice shall be included in
-    all copies or substantial portions of the Software.
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
 
-    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-    FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
-    DEALINGS IN THE SOFTWARE.
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+   DEALINGS IN THE SOFTWARE.
 */
 
 package main
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
-	"math/rand"
-	"io/ioutil"
 	"log"
+	"math/rand"
 	"net"
 	"net/http"
 	"net/http/cookiejar"
 	"net/url"
 	"strconv"
 	"strings"
+	"sync"
 	"time"
+
+	"github.com/m13253/dns-over-https/doh-client/config"
+	"github.com/m13253/dns-over-https/doh-client/selector"
+	"github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
-	"../json-dns"
+	"golang.org/x/net/http2"
+	"golang.org/x/net/idna"
 )
 
 type Client struct {
-	conf			*config
-	bootstrap		[]string
-	udpServer		*dns.Server
-	tcpServer		*dns.Server
-	httpTransport	*http.Transport
-	httpClient		*http.Client
+	conf                 *config.Config
+	bootstrap            []string
+	passthrough          []string
+	udpClient            *dns.Client
+	tcpClient            *dns.Client
+	udpServers           []*dns.Server
+	tcpServers           []*dns.Server
+	bootstrapResolver    *net.Resolver
+	cookieJar            http.CookieJar
+	httpClientMux        *sync.RWMutex
+	httpTransport        *http.Transport
+	httpClient           *http.Client
+	httpClientLastCreate time.Time
+	selector             selector.Selector
 }
 
-func NewClient(conf *config) (c *Client, err error) {
-	c = &Client {
+type DNSRequest struct {
+	response          *http.Response
+	reply             *dns.Msg
+	udpSize           uint16
+	ednsClientAddress net.IP
+	ednsClientNetmask uint8
+	currentUpstream   string
+	err               error
+}
+
+func NewClient(conf *config.Config) (c *Client, err error) {
+	c = &Client{
 		conf: conf,
 	}
-	c.udpServer = &dns.Server {
-		Addr: conf.Listen,
-		Net: "udp",
-		Handler: dns.HandlerFunc(c.udpHandlerFunc),
-		UDPSize: 4096,
+
+	udpHandler := dns.HandlerFunc(c.udpHandlerFunc)
+	tcpHandler := dns.HandlerFunc(c.tcpHandlerFunc)
+	c.udpClient = &dns.Client{
+		Net:     "udp",
+		UDPSize: dns.DefaultMsgSize,
+		Timeout: time.Duration(conf.Other.Timeout) * time.Second,
 	}
-	c.tcpServer = &dns.Server {
-		Addr: conf.Listen,
-		Net: "tcp",
-		Handler: dns.HandlerFunc(c.tcpHandlerFunc),
+	c.tcpClient = &dns.Client{
+		Net:     "tcp",
+		Timeout: time.Duration(conf.Other.Timeout) * time.Second,
 	}
-	bootResolver := net.DefaultResolver
-	if len(conf.Bootstrap) != 0 {
-		c.bootstrap = make([]string, len(conf.Bootstrap))
-		for i, bootstrap := range conf.Bootstrap {
+	for _, addr := range conf.Listen {
+		c.udpServers = append(c.udpServers, &dns.Server{
+			Addr:    addr,
+			Net:     "udp",
+			Handler: udpHandler,
+			UDPSize: dns.DefaultMsgSize,
+		})
+		c.tcpServers = append(c.tcpServers, &dns.Server{
+			Addr:    addr,
+			Net:     "tcp",
+			Handler: tcpHandler,
+		})
+	}
+	c.bootstrapResolver = net.DefaultResolver
+	if len(conf.Other.Bootstrap) != 0 {
+		c.bootstrap = make([]string, len(conf.Other.Bootstrap))
+		for i, bootstrap := range conf.Other.Bootstrap {
 			bootstrapAddr, err := net.ResolveUDPAddr("udp", bootstrap)
 			if err != nil {
-				bootstrapAddr, err = net.ResolveUDPAddr("udp", "[" + bootstrap + "]:53")
+				bootstrapAddr, err = net.ResolveUDPAddr("udp", "["+bootstrap+"]:53")
+			}
+			if err != nil {
+				return nil, err
 			}
-			if err != nil { return nil, err }
 			c.bootstrap[i] = bootstrapAddr.String()
 		}
-		bootResolver = &net.Resolver {
+		c.bootstrapResolver = &net.Resolver{
 			PreferGo: true,
 			Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
 				var d net.Dialer
-				num_servers := len(c.bootstrap)
-				bootstrap := c.bootstrap[rand.Intn(num_servers)]
+				numServers := len(c.bootstrap)
+				bootstrap := c.bootstrap[rand.Intn(numServers)]
 				conn, err := d.DialContext(ctx, network, bootstrap)
 				return conn, err
 			},
 		}
+		if len(conf.Other.Passthrough) != 0 {
+			c.passthrough = make([]string, len(conf.Other.Passthrough))
+			for i, passthrough := range conf.Other.Passthrough {
+				if punycode, err := idna.ToASCII(passthrough); err != nil {
+					passthrough = punycode
+				}
+				c.passthrough[i] = "." + strings.ToLower(strings.Trim(passthrough, ".")) + "."
+			}
+		}
 	}
-	c.httpTransport = new(http.Transport)
-	*c.httpTransport = *http.DefaultTransport.(*http.Transport)
-	c.httpTransport.DialContext = (&net.Dialer {
-		Timeout: time.Duration(conf.Timeout) * time.Second,
-		KeepAlive: 30 * time.Second,
-		DualStack: true,
-		Resolver: bootResolver,
-	}).DialContext
-	c.httpTransport.ResponseHeaderTimeout = time.Duration(conf.Timeout) * time.Second
-	// Most CDNs require Cookie support to prevent DDoS attack
-	cookieJar, err := cookiejar.New(nil)
-	if err != nil { return nil, err }
-	c.httpClient = &http.Client {
-		Transport: c.httpTransport,
-		Jar: cookieJar,
+	// Most CDNs require Cookie support to prevent DDoS attack.
+	// Disabling Cookie does not effectively prevent tracking,
+	// so I will leave it on to make anti-DDoS services happy.
+	if !c.conf.Other.NoCookies {
+		c.cookieJar, err = cookiejar.New(nil)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		c.cookieJar = nil
 	}
+
+	c.httpClientMux = new(sync.RWMutex)
+	err = c.newHTTPClient()
+	if err != nil {
+		return nil, err
+	}
+
+	switch c.conf.Upstream.UpstreamSelector {
+	case config.NginxWRR:
+		if c.conf.Other.Verbose {
+			log.Println(config.NginxWRR, " mode start")
+		}
+
+		s := selector.NewNginxWRRSelector(time.Duration(c.conf.Other.Timeout) * time.Second)
+		for _, u := range c.conf.Upstream.UpstreamGoogle {
+			if err := s.Add(u.URL, selector.Google, u.Weight); err != nil {
+				return nil, err
+			}
+		}
+
+		for _, u := range c.conf.Upstream.UpstreamIETF {
+			if err := s.Add(u.URL, selector.IETF, u.Weight); err != nil {
+				return nil, err
+			}
+		}
+
+		c.selector = s
+
+	case config.LVSWRR:
+		if c.conf.Other.Verbose {
+			log.Println(config.LVSWRR, " mode start")
+		}
+
+		s := selector.NewLVSWRRSelector(time.Duration(c.conf.Other.Timeout) * time.Second)
+		for _, u := range c.conf.Upstream.UpstreamGoogle {
+			if err := s.Add(u.URL, selector.Google, u.Weight); err != nil {
+				return nil, err
+			}
+		}
+
+		for _, u := range c.conf.Upstream.UpstreamIETF {
+			if err := s.Add(u.URL, selector.IETF, u.Weight); err != nil {
+				return nil, err
+			}
+		}
+
+		c.selector = s
+
+	default:
+		if c.conf.Other.Verbose {
+			log.Println(config.Random, " mode start")
+		}
+
+		// if selector is invalid or random, use random selector, or should we stop program and let user knows he is wrong?
+		s := selector.NewRandomSelector()
+		for _, u := range c.conf.Upstream.UpstreamGoogle {
+			if err := s.Add(u.URL, selector.Google); err != nil {
+				return nil, err
+			}
+		}
+
+		for _, u := range c.conf.Upstream.UpstreamIETF {
+			if err := s.Add(u.URL, selector.IETF); err != nil {
+				return nil, err
+			}
+		}
+
+		c.selector = s
+	}
+
+	if c.conf.Other.Verbose {
+		if reporter, ok := c.selector.(selector.DebugReporter); ok {
+			reporter.ReportWeights()
+		}
+	}
+
 	return c, nil
 }
 
-func (c *Client) Start() error {
-	result := make(chan error)
-	go func() {
-		err := c.udpServer.ListenAndServe()
-		if err != nil {
-			log.Println(err)
+func (c *Client) newHTTPClient() error {
+	c.httpClientMux.Lock()
+	defer c.httpClientMux.Unlock()
+	if !c.httpClientLastCreate.IsZero() && time.Since(c.httpClientLastCreate) < time.Duration(c.conf.Other.Timeout)*time.Second {
+		return nil
+	}
+	if c.httpTransport != nil {
+		c.httpTransport.CloseIdleConnections()
+	}
+	dialer := &net.Dialer{
+		Timeout:   time.Duration(c.conf.Other.Timeout) * time.Second,
+		KeepAlive: 30 * time.Second,
+		// DualStack: true,
+		Resolver: c.bootstrapResolver,
+	}
+	c.httpTransport = &http.Transport{
+		DialContext:           dialer.DialContext,
+		ExpectContinueTimeout: 1 * time.Second,
+		IdleConnTimeout:       90 * time.Second,
+		MaxIdleConns:          100,
+		MaxIdleConnsPerHost:   10,
+		Proxy:                 http.ProxyFromEnvironment,
+		TLSHandshakeTimeout:   time.Duration(c.conf.Other.Timeout) * time.Second,
+	}
+	if c.conf.Other.NoIPv6 {
+		c.httpTransport.DialContext = func(ctx context.Context, network, address string) (net.Conn, error) {
+			if strings.HasPrefix(network, "tcp") {
+				network = "tcp4"
+			}
+			return dialer.DialContext(ctx, network, address)
 		}
-		result <- err
-	} ()
-	go func() {
-		err := c.tcpServer.ListenAndServe()
-		if err != nil {
-			log.Println(err)
-		}
-		result <- err
-	} ()
-	err := <-result
+	}
+	err := http2.ConfigureTransport(c.httpTransport)
 	if err != nil {
 		return err
 	}
-	err = <-result
-	return err
+	c.httpClient = &http.Client{
+		Transport: c.httpTransport,
+		Jar:       c.cookieJar,
+	}
+	c.httpClientLastCreate = time.Now()
+	return nil
+}
+
+func (c *Client) Start() error {
+	results := make(chan error, len(c.udpServers)+len(c.tcpServers))
+	for _, srv := range append(c.udpServers, c.tcpServers...) {
+		go func(srv *dns.Server) {
+			err := srv.ListenAndServe()
+			if err != nil {
+				log.Println(err)
+			}
+			results <- err
+		}(srv)
+	}
+
+	// start evaluation loop
+	c.selector.StartEvaluate()
+
+	for i := 0; i < cap(results); i++ {
+		err := <-results
+		if err != nil {
+			return err
+		}
+	}
+	close(results)
+
+	return nil
 }
 
 func (c *Client) handlerFunc(w dns.ResponseWriter, r *dns.Msg, isTCP bool) {
-	if r.Response == true {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Duration(c.conf.Other.Timeout)*time.Second)
+	defer cancel()
+
+	if r.Response {
 		log.Println("Received a response packet")
 		return
 	}
 
-	reply := jsonDNS.PrepareReply(r)
-
 	if len(r.Question) != 1 {
 		log.Println("Number of questions is not 1")
+		reply := jsonDNS.PrepareReply(r)
 		reply.Rcode = dns.RcodeFormatError
 		w.WriteMsg(reply)
 		return
 	}
-	question := r.Question[0]
-	questionName := strings.ToLower(question.Name)
+	question := &r.Question[0]
+	questionName := question.Name
+	questionClass := ""
+	if qclass, ok := dns.ClassToString[question.Qclass]; ok {
+		questionClass = qclass
+	} else {
+		questionClass = strconv.FormatUint(uint64(question.Qclass), 10)
+	}
 	questionType := ""
 	if qtype, ok := dns.TypeToString[question.Qtype]; ok {
 		questionType = qtype
 	} else {
-		questionType = strconv.Itoa(int(question.Qtype))
+		questionType = strconv.FormatUint(uint64(question.Qtype), 10)
+	}
+	if c.conf.Other.Verbose {
+		fmt.Printf("%s - - [%s] \"%s %s %s\"\n", w.RemoteAddr(), time.Now().Format("02/Jan/2006:15:04:05 -0700"), questionName, questionClass, questionType)
 	}
 
-	if c.conf.Verbose {
-		fmt.Printf("%s - - [%s] \"%s IN %s\"\n", w.RemoteAddr(), time.Now().Format("02/Jan/2006:15:04:05 -0700"), questionName, questionType)
+	shouldPassthrough := false
+	passthroughQuestionName := questionName
+	if punycode, err := idna.ToASCII(passthroughQuestionName); err != nil {
+		passthroughQuestionName = punycode
 	}
-
-	num_servers := len(c.conf.Upstream)
-	upstream := c.conf.Upstream[rand.Intn(num_servers)]
-	requestURL := fmt.Sprintf("%s?name=%s&type=%s", upstream, url.QueryEscape(questionName), url.QueryEscape(questionType))
-
-	if r.CheckingDisabled {
-		requestURL += "&cd=1"
+	passthroughQuestionName = "." + strings.ToLower(strings.Trim(passthroughQuestionName, ".")) + "."
+	for _, passthrough := range c.passthrough {
+		if strings.HasSuffix(passthroughQuestionName, passthrough) {
+			shouldPassthrough = true
+			break
+		}
 	}
-
-	udpSize := uint16(512)
-	if opt := r.IsEdns0(); opt != nil {
-		udpSize = opt.UDPSize()
-	}
-
-	ednsClientAddress, ednsClientNetmask := c.findClientIP(w, r)
-	if ednsClientAddress != nil {
-		requestURL += fmt.Sprintf("&edns_client_subnet=%s/%d", ednsClientAddress.String(), ednsClientNetmask)
-	}
-
-	req, err := http.NewRequest("GET", requestURL, nil)
-	if err != nil {
-		log.Println(err)
-		reply.Rcode = dns.RcodeServerFailure
-		w.WriteMsg(reply)
-		return
-	}
-	req.Header.Set("User-Agent", "DNS-over-HTTPS/1.0 (+https://github.com/m13253/dns-over-https)")
-	resp, err := c.httpClient.Do(req)
-	if err != nil {
-		log.Println(err)
-		reply.Rcode = dns.RcodeServerFailure
-		w.WriteMsg(reply)
-		c.httpTransport.CloseIdleConnections()
-		return
-	}
-	if resp.StatusCode != 200 {
-		log.Printf("HTTP error: %s\n", resp.Status)
-		reply.Rcode = dns.RcodeServerFailure
-		w.WriteMsg(reply)
-		contentType := resp.Header.Get("Content-Type")
-		if contentType != "application/json" && !strings.HasPrefix(contentType, "application/json;") {
+	if shouldPassthrough {
+		numServers := len(c.bootstrap)
+		upstream := c.bootstrap[rand.Intn(numServers)]
+		log.Printf("Request \"%s %s %s\" is passed through %s.\n", questionName, questionClass, questionType, upstream)
+		var reply *dns.Msg
+		var err error
+		if !isTCP {
+			reply, _, err = c.udpClient.Exchange(r, upstream)
+		} else {
+			reply, _, err = c.tcpClient.Exchange(r, upstream)
+		}
+		if err == nil {
+			w.WriteMsg(reply)
 			return
 		}
+		log.Println(err)
+		reply = jsonDNS.PrepareReply(r)
+		reply.Rcode = dns.RcodeServerFailure
+		w.WriteMsg(reply)
+		return
+	}
+
+	upstream := c.selector.Get()
+	requestType := upstream.RequestType
+
+	if c.conf.Other.Verbose {
+		log.Println("choose upstream:", upstream)
+	}
+
+	var req *DNSRequest
+	switch requestType {
+	case "application/dns-json":
+		req = c.generateRequestGoogle(ctx, w, r, isTCP, upstream)
+
+	case "application/dns-message":
+		req = c.generateRequestIETF(ctx, w, r, isTCP, upstream)
+
+	default:
+		panic("Unknown request Content-Type")
+	}
+
+	if req.err != nil {
+		if urlErr, ok := req.err.(*url.Error); ok {
+			// should we only check timeout?
+			if urlErr.Timeout() {
+				c.selector.ReportUpstreamStatus(upstream, selector.Timeout)
+			}
+		}
+
+		return
+	}
+
+	// if req.err == nil, req.response != nil
+	defer req.response.Body.Close()
+
+	for _, header := range c.conf.Other.DebugHTTPHeaders {
+		if value := req.response.Header.Get(header); value != "" {
+			log.Printf("%s: %s\n", header, value)
+		}
 	}
 
-	body, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		log.Println(err)
-		reply.Rcode = dns.RcodeServerFailure
-		w.WriteMsg(reply)
-		return
-	}
+	candidateType := strings.SplitN(req.response.Header.Get("Content-Type"), ";", 2)[0]
 
-	var respJson jsonDNS.Response
-	err = json.Unmarshal(body, &respJson)
-	if err != nil {
-		log.Println(err)
-		reply.Rcode = dns.RcodeServerFailure
-		w.WriteMsg(reply)
-		return
-	}
+	switch candidateType {
+	case "application/json":
+		c.parseResponseGoogle(ctx, w, r, isTCP, req)
 
-	if respJson.Status != dns.RcodeSuccess && respJson.Comment != "" {
-		log.Printf("DNS error: %s\n", respJson.Comment)
-	}
+	case "application/dns-message", "application/dns-udpwireformat":
+		c.parseResponseIETF(ctx, w, r, isTCP, req)
 
-	fullReply := jsonDNS.Unmarshal(reply, &respJson, udpSize, ednsClientNetmask)
-	buf, err := fullReply.Pack()
-	if err != nil {
-		log.Println(err)
-		reply.Rcode = dns.RcodeServerFailure
-		w.WriteMsg(reply)
-		return
-	}
-	if !isTCP && len(buf) > int(udpSize) {
-		fullReply.Truncated = true
-		buf, err = fullReply.Pack()
-		if err != nil {
-			log.Println(err)
-			return
+	default:
+		switch requestType {
+		case "application/dns-json":
+			c.parseResponseGoogle(ctx, w, r, isTCP, req)
+
+		case "application/dns-message":
+			c.parseResponseIETF(ctx, w, r, isTCP, req)
+
+		default:
+			panic("Unknown response Content-Type")
 		}
-		buf = buf[:udpSize]
 	}
-	w.Write(buf)
+
+	// https://developers.cloudflare.com/1.1.1.1/dns-over-https/request-structure/ says
+	// returns code will be 200 / 400 / 413 / 415 / 504, some server will return 503, so
+	// I think if status code is 5xx, upstream must has some problems
+	/*if req.response.StatusCode/100 == 5 {
+		c.selector.ReportUpstreamStatus(upstream, selector.Medium)
+	}*/
+
+	switch req.response.StatusCode / 100 {
+	case 5:
+		c.selector.ReportUpstreamStatus(upstream, selector.Error)
+
+	case 2:
+		c.selector.ReportUpstreamStatus(upstream, selector.OK)
+	}
 }
 
 func (c *Client) udpHandlerFunc(w dns.ResponseWriter, r *dns.Msg) {
@@ -251,13 +448,13 @@ func (c *Client) tcpHandlerFunc(w dns.ResponseWriter, r *dns.Msg) {
 }
 
 var (
-	ipv4Mask24	net.IPMask = net.IPMask { 255, 255, 255, 0 }
-	ipv6Mask48	net.IPMask = net.CIDRMask(48, 128)
+	ipv4Mask24 = net.IPMask{255, 255, 255, 0}
+	ipv6Mask56 = net.CIDRMask(56, 128)
 )
 
 func (c *Client) findClientIP(w dns.ResponseWriter, r *dns.Msg) (ednsClientAddress net.IP, ednsClientNetmask uint8) {
 	ednsClientNetmask = 255
-	if c.conf.NoECS {
+	if c.conf.Other.NoECS {
 		return net.IPv4(0, 0, 0, 0), 0
 	}
 	if opt := r.IsEdns0(); opt != nil {
@@ -279,8 +476,8 @@ func (c *Client) findClientIP(w dns.ResponseWriter, r *dns.Msg) (ednsClientAddre
 			ednsClientAddress = ipv4.Mask(ipv4Mask24)
 			ednsClientNetmask = 24
 		} else {
-			ednsClientAddress = ip.Mask(ipv6Mask48)
-			ednsClientNetmask = 48
+			ednsClientAddress = ip.Mask(ipv6Mask56)
+			ednsClientNetmask = 56
 		}
 	}
 	return

doh-client/config.go

@@ -1,69 +0,0 @@
-/*
-    DNS-over-HTTPS
-    Copyright (C) 2017 Star Brilliant <m13253@hotmail.com>
-
-    Permission is hereby granted, free of charge, to any person obtaining a
-    copy of this software and associated documentation files (the "Software"),
-    to deal in the Software without restriction, including without limitation
-    the rights to use, copy, modify, merge, publish, distribute, sublicense,
-    and/or sell copies of the Software, and to permit persons to whom the
-    Software is furnished to do so, subject to the following conditions:
-
-    The above copyright notice and this permission notice shall be included in
-    all copies or substantial portions of the Software.
-
-    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-    FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
-    DEALINGS IN THE SOFTWARE.
-*/
-
-package main
-
-import (
-	"fmt"
-	"github.com/BurntSushi/toml"
-)
-
-type config struct {
-	Listen		string		`toml:"listen"`
-	Upstream	[]string	`toml:"upstream"`
-	Bootstrap	[]string	`toml:"bootstrap"`
-	Timeout		uint		`toml:"timeout"`
-	NoECS		bool		`toml:"no_ecs"`
-	Verbose		bool		`toml:"verbose"`
-}
-
-func loadConfig(path string) (*config, error) {
-	conf := &config {}
-	metaData, err := toml.DecodeFile(path, conf)
-	if err != nil {
-		return nil, err
-	}
-	for _, key := range metaData.Undecoded() {
-		return nil, &configError { fmt.Sprintf("unknown option %q", key.String()) }
-	}
-
-	if conf.Listen == "" {
-		conf.Listen = "127.0.0.1:53"
-	}
-	if len(conf.Upstream) == 0 {
-		conf.Upstream = []string { "https://dns.google.com/resolve" }
-	}
-	if conf.Timeout == 0 {
-		conf.Timeout = 10
-	}
-
-	return conf, nil
-}
-
-type configError struct {
-	err		string
-}
-
-func (e *configError) Error() string {
-	return e.err
-}

doh-client/config/config.go

@@ -0,0 +1,99 @@
+/*
+   DNS-over-HTTPS
+   Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
+
+   Permission is hereby granted, free of charge, to any person obtaining a
+   copy of this software and associated documentation files (the "Software"),
+   to deal in the Software without restriction, including without limitation
+   the rights to use, copy, modify, merge, publish, distribute, sublicense,
+   and/or sell copies of the Software, and to permit persons to whom the
+   Software is furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+   DEALINGS IN THE SOFTWARE.
+*/
+
+package config
+
+import (
+	"fmt"
+
+	"github.com/BurntSushi/toml"
+)
+
+const (
+	Random   = "random"
+	NginxWRR = "weighted_round_robin"
+	LVSWRR   = "lvs_weighted_round_robin"
+)
+
+type upstreamDetail struct {
+	URL    string `toml:"url"`
+	Weight int32  `toml:"weight"`
+}
+
+type upstream struct {
+	UpstreamGoogle   []upstreamDetail `toml:"upstream_google"`
+	UpstreamIETF     []upstreamDetail `toml:"upstream_ietf"`
+	UpstreamSelector string           `toml:"upstream_selector"` // usable: random or weighted_random
+}
+
+type others struct {
+	Bootstrap        []string `toml:"bootstrap"`
+	Passthrough      []string `toml:"passthrough"`
+	Timeout          uint     `toml:"timeout"`
+	NoCookies        bool     `toml:"no_cookies"`
+	NoECS            bool     `toml:"no_ecs"`
+	NoIPv6           bool     `toml:"no_ipv6"`
+	Verbose          bool     `toml:"verbose"`
+	DebugHTTPHeaders []string `toml:"debug_http_headers"`
+}
+
+type Config struct {
+	Listen   []string `toml:"listen"`
+	Upstream upstream `toml:"upstream"`
+	Other    others   `toml:"others"`
+}
+
+func LoadConfig(path string) (*Config, error) {
+	conf := &Config{}
+	metaData, err := toml.DecodeFile(path, conf)
+	if err != nil {
+		return nil, err
+	}
+	for _, key := range metaData.Undecoded() {
+		return nil, &configError{fmt.Sprintf("unknown option %q", key.String())}
+	}
+
+	if len(conf.Listen) == 0 {
+		conf.Listen = []string{"127.0.0.1:53", "[::1]:53"}
+	}
+	if len(conf.Upstream.UpstreamGoogle) == 0 && len(conf.Upstream.UpstreamIETF) == 0 {
+		conf.Upstream.UpstreamGoogle = []upstreamDetail{{URL: "https://dns.google.com/resolve", Weight: 50}}
+	}
+	if conf.Other.Timeout == 0 {
+		conf.Other.Timeout = 10
+	}
+
+	if conf.Upstream.UpstreamSelector == "" {
+		conf.Upstream.UpstreamSelector = Random
+	}
+
+	return conf, nil
+}
+
+type configError struct {
+	err string
+}
+
+func (e *configError) Error() string {
+	return e.err
+}

doh-client/doh-client.conf

@@ -1,25 +1,120 @@
 # DNS listen port
-listen = "127.0.0.1:53"
-
-# HTTP path for upstream resolver
-# If multiple servers are specified, a random one will be chosen each time.
-upstream = [
-    "https://dns.google.com/resolve",
+listen = [
+    "127.0.0.1:53",
+    "127.0.0.1:5380",
+    "[::1]:53",
+    "[::1]:5380",
 ]
 
+# HTTP path for upstream resolver
+
+[upstream]
+
+# available selector: random or weighted_round_robin or lvs_weighted_round_robin
+upstream_selector = "random"
+
+# weight should in (0, 100], if upstream_selector is random, weight will be ignored
+
+## Google's productive resolver, good ECS, bad DNSSEC
+#[[upstream.upstream_google]]
+#    url = "https://dns.google.com/resolve"
+#    weight = 50
+
+## CloudFlare's resolver, bad ECS, good DNSSEC
+#[[upstream.upstream_google]]
+#    url = "https://cloudflare-dns.com/dns-query"
+#    weight = 50
+
+## CloudFlare's resolver, bad ECS, good DNSSEC
+#[[upstream.upstream_google]]
+#    url = "https://1.1.1.1/dns-query"
+#    weight = 50
+
+# CloudFlare's resolver, bad ECS, good DNSSEC
+[[upstream.upstream_ietf]]
+    url = "https://cloudflare-dns.com/dns-query"
+    weight = 50
+
+## CloudFlare's resolver, bad ECS, good DNSSEC
+#[[upstream.upstream_ietf]]
+#    url = "https://1.1.1.1/dns-query"
+#    weight = 50
+
+## Google's experimental resolver, good ECS, good DNSSEC
+#[[upstream.upstream_ietf]]
+#    url = "https://dns.google.com/experimental"
+#    weight = 50
+
+## CloudFlare's resolver for Tor, available only with Tor
+## Remember to disable ECS below when using Tor!
+## Blog: https://blog.cloudflare.com/welcome-hidden-resolver/
+#[[upstream.upstream_ietf]]
+#    url = "https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/dns-query"
+#    weight = 50
+
+
+[others]
 # Bootstrap DNS server to resolve the address of the upstream resolver
 # If multiple servers are specified, a random one will be chosen each time.
 # If empty, use the system DNS settings.
+# If you want to preload IP addresses in /etc/hosts instead of using a
+# bootstrap server, please make this list empty.
 bootstrap = [
+
+    # Google's resolver, bad ECS, good DNSSEC
     "8.8.8.8:53",
     "8.8.4.4:53",
+
+    # CloudFlare's resolver, bad ECS, good DNSSEC
+    #"1.1.1.1:53",
+    #"1.0.0.1:53",
+
 ]
 
-# Timeout for upstream request
-timeout = 10
+# The domain names here are directly passed to bootstrap servers listed above,
+# allowing captive portal detection and systems without RTC to work.
+# Only effective if at least one bootstrap server is configured.
+passthrough = [
+    "captive.apple.com",
+    "connectivitycheck.gstatic.com",
+    "detectportal.firefox.com",
+    "msftconnecttest.com",
+    "nmcheck.gnome.org",
 
-# Disable EDNS0-Client-Subnet, do not send client's IP address
+    "pool.ntp.org",
+    "time.apple.com",
+    "time.asia.apple.com",
+    "time.euro.apple.com",
+    "time.nist.gov",
+    "time.windows.com",
+]
+
+# Timeout for upstream request in seconds
+timeout = 30
+
+# Disable HTTP Cookies
+#
+# Cookies may be useful if your upstream resolver is protected by some
+# anti-DDoS services to identify clients.
+# Note that DNS Cookies (an DNS protocol extension to DNS) also has the ability
+# to track uesrs and is not controlled by doh-client.
+no_cookies = true
+
+# Disable EDNS0-Client-Subnet (ECS)
+#
+# DNS-over-HTTPS supports EDNS0-Client-Subnet protocol, which submits part of
+# the client's IP address (/24 for IPv4, /56 for IPv6 by default) to the
+# upstream server. This is useful for GeoDNS and CDNs to work, and is exactly
+# the same configuration as most public DNS servers.
 no_ecs = false
 
+# Disable IPv6 when querying upstream
+#
+# Only enable this if you really have trouble connecting.
+# Doh-client uses both IPv4 and IPv6 by default and should not have problems
+# with an IPv4-only environment.
+# Note that DNS listening and bootstrapping is not controlled by this option.
+no_ipv6 = false
+
 # Enable logging
 verbose = false

doh-client/google.go

@@ -0,0 +1,175 @@
+/*
+   DNS-over-HTTPS
+   Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
+
+   Permission is hereby granted, free of charge, to any person obtaining a
+   copy of this software and associated documentation files (the "Software"),
+   to deal in the Software without restriction, including without limitation
+   the rights to use, copy, modify, merge, publish, distribute, sublicense,
+   and/or sell copies of the Software, and to permit persons to whom the
+   Software is furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+   DEALINGS IN THE SOFTWARE.
+*/
+
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"net/http"
+	"net/url"
+	"strconv"
+	"strings"
+
+	"github.com/m13253/dns-over-https/doh-client/selector"
+	"github.com/m13253/dns-over-https/json-dns"
+	"github.com/miekg/dns"
+)
+
+func (c *Client) generateRequestGoogle(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, isTCP bool, upstream *selector.Upstream) *DNSRequest {
+	question := &r.Question[0]
+	questionName := question.Name
+	questionClass := question.Qclass
+	if questionClass != dns.ClassINET {
+		reply := jsonDNS.PrepareReply(r)
+		reply.Rcode = dns.RcodeRefused
+		w.WriteMsg(reply)
+		return &DNSRequest{
+			err: &dns.Error{},
+		}
+	}
+	questionType := ""
+	if qtype, ok := dns.TypeToString[question.Qtype]; ok {
+		questionType = qtype
+	} else {
+		questionType = strconv.FormatUint(uint64(question.Qtype), 10)
+	}
+
+	requestURL := fmt.Sprintf("%s?ct=application/dns-json&name=%s&type=%s", upstream.URL, url.QueryEscape(questionName), url.QueryEscape(questionType))
+
+	if r.CheckingDisabled {
+		requestURL += "&cd=1"
+	}
+
+	udpSize := uint16(512)
+	if opt := r.IsEdns0(); opt != nil {
+		udpSize = opt.UDPSize()
+	}
+
+	ednsClientAddress, ednsClientNetmask := c.findClientIP(w, r)
+	if ednsClientAddress != nil {
+		requestURL += fmt.Sprintf("&edns_client_subnet=%s/%d", ednsClientAddress.String(), ednsClientNetmask)
+	}
+
+	req, err := http.NewRequest(http.MethodGet, requestURL, nil)
+	if err != nil {
+		log.Println(err)
+		reply := jsonDNS.PrepareReply(r)
+		reply.Rcode = dns.RcodeServerFailure
+		w.WriteMsg(reply)
+		return &DNSRequest{
+			err: err,
+		}
+	}
+
+	req.Header.Set("Accept", "application/json, application/dns-message, application/dns-udpwireformat")
+	req.Header.Set("User-Agent", USER_AGENT)
+	req = req.WithContext(ctx)
+
+	c.httpClientMux.RLock()
+	resp, err := c.httpClient.Do(req)
+	c.httpClientMux.RUnlock()
+
+	// if http Client.Do returns non-nil error, it always *url.Error
+	/*if err == context.DeadlineExceeded {
+		// Do not respond, silently fail to prevent caching of SERVFAIL
+		log.Println(err)
+		return &DNSRequest{
+			err: err,
+		}
+	}*/
+
+	if err != nil {
+		log.Println(err)
+		reply := jsonDNS.PrepareReply(r)
+		reply.Rcode = dns.RcodeServerFailure
+		w.WriteMsg(reply)
+		return &DNSRequest{
+			err: err,
+		}
+	}
+
+	return &DNSRequest{
+		response:          resp,
+		reply:             jsonDNS.PrepareReply(r),
+		udpSize:           udpSize,
+		ednsClientAddress: ednsClientAddress,
+		ednsClientNetmask: ednsClientNetmask,
+		currentUpstream:   upstream.URL,
+	}
+}
+
+func (c *Client) parseResponseGoogle(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, isTCP bool, req *DNSRequest) {
+	if req.response.StatusCode != http.StatusOK {
+		log.Printf("HTTP error from upstream %s: %s\n", req.currentUpstream, req.response.Status)
+		req.reply.Rcode = dns.RcodeServerFailure
+		contentType := req.response.Header.Get("Content-Type")
+		if contentType != "application/json" && !strings.HasPrefix(contentType, "application/json;") {
+			w.WriteMsg(req.reply)
+			return
+		}
+	}
+
+	body, err := ioutil.ReadAll(req.response.Body)
+	if err != nil {
+		log.Println(err)
+		req.reply.Rcode = dns.RcodeServerFailure
+		w.WriteMsg(req.reply)
+		return
+	}
+
+	var respJSON jsonDNS.Response
+	err = json.Unmarshal(body, &respJSON)
+	if err != nil {
+		log.Println(err)
+		req.reply.Rcode = dns.RcodeServerFailure
+		w.WriteMsg(req.reply)
+		return
+	}
+
+	if respJSON.Status != dns.RcodeSuccess && respJSON.Comment != "" {
+		log.Printf("DNS error: %s\n", respJSON.Comment)
+	}
+
+	fullReply := jsonDNS.Unmarshal(req.reply, &respJSON, req.udpSize, req.ednsClientNetmask)
+	buf, err := fullReply.Pack()
+	if err != nil {
+		log.Println(err)
+		req.reply.Rcode = dns.RcodeServerFailure
+		w.WriteMsg(req.reply)
+		return
+	}
+	if !isTCP && len(buf) > int(req.udpSize) {
+		fullReply.Truncated = true
+		buf, err = fullReply.Pack()
+		if err != nil {
+			log.Println(err)
+			return
+		}
+		buf = buf[:req.udpSize]
+	}
+	w.Write(buf)
+}

doh-client/ietf.go

@@ -0,0 +1,259 @@
+/*
+   DNS-over-HTTPS
+   Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
+
+   Permission is hereby granted, free of charge, to any person obtaining a
+   copy of this software and associated documentation files (the "Software"),
+   to deal in the Software without restriction, including without limitation
+   the rights to use, copy, modify, merge, publish, distribute, sublicense,
+   and/or sell copies of the Software, and to permit persons to whom the
+   Software is furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+   DEALINGS IN THE SOFTWARE.
+*/
+
+package main
+
+import (
+	"bytes"
+	"context"
+	"encoding/base64"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"net"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/m13253/dns-over-https/doh-client/selector"
+	"github.com/m13253/dns-over-https/json-dns"
+	"github.com/miekg/dns"
+)
+
+func (c *Client) generateRequestIETF(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, isTCP bool, upstream *selector.Upstream) *DNSRequest {
+	opt := r.IsEdns0()
+	udpSize := uint16(512)
+	if opt == nil {
+		opt = new(dns.OPT)
+		opt.Hdr.Name = "."
+		opt.Hdr.Rrtype = dns.TypeOPT
+		opt.SetUDPSize(dns.DefaultMsgSize)
+		opt.SetDo(false)
+		r.Extra = append([]dns.RR{opt}, r.Extra...)
+	} else {
+		udpSize = opt.UDPSize()
+	}
+	var edns0Subnet *dns.EDNS0_SUBNET
+	for _, option := range opt.Option {
+		if option.Option() == dns.EDNS0SUBNET {
+			edns0Subnet = option.(*dns.EDNS0_SUBNET)
+			break
+		}
+	}
+	ednsClientAddress, ednsClientNetmask := net.IP(nil), uint8(255)
+	if edns0Subnet == nil {
+		ednsClientFamily := uint16(0)
+		ednsClientAddress, ednsClientNetmask = c.findClientIP(w, r)
+		if ednsClientAddress != nil {
+			if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
+				ednsClientFamily = 1
+				ednsClientAddress = ipv4
+				ednsClientNetmask = 24
+			} else {
+				ednsClientFamily = 2
+				ednsClientNetmask = 56
+			}
+			edns0Subnet = new(dns.EDNS0_SUBNET)
+			edns0Subnet.Code = dns.EDNS0SUBNET
+			edns0Subnet.Family = ednsClientFamily
+			edns0Subnet.SourceNetmask = ednsClientNetmask
+			edns0Subnet.SourceScope = 0
+			edns0Subnet.Address = ednsClientAddress
+			opt.Option = append(opt.Option, edns0Subnet)
+		}
+	} else {
+		ednsClientAddress, ednsClientNetmask = edns0Subnet.Address, edns0Subnet.SourceNetmask
+	}
+
+	requestID := r.Id
+	r.Id = 0
+	requestBinary, err := r.Pack()
+	if err != nil {
+		log.Println(err)
+		reply := jsonDNS.PrepareReply(r)
+		reply.Rcode = dns.RcodeFormatError
+		w.WriteMsg(reply)
+		return &DNSRequest{
+			err: err,
+		}
+	}
+	r.Id = requestID
+	requestBase64 := base64.RawURLEncoding.EncodeToString(requestBinary)
+
+	requestURL := fmt.Sprintf("%s?ct=application/dns-message&dns=%s", upstream.URL, requestBase64)
+
+	var req *http.Request
+	if len(requestURL) < 2048 {
+		req, err = http.NewRequest(http.MethodGet, requestURL, nil)
+		if err != nil {
+			log.Println(err)
+			reply := jsonDNS.PrepareReply(r)
+			reply.Rcode = dns.RcodeServerFailure
+			w.WriteMsg(reply)
+			return &DNSRequest{
+				err: err,
+			}
+		}
+	} else {
+		req, err = http.NewRequest(http.MethodPost, upstream.URL, bytes.NewReader(requestBinary))
+		if err != nil {
+			log.Println(err)
+			reply := jsonDNS.PrepareReply(r)
+			reply.Rcode = dns.RcodeServerFailure
+			w.WriteMsg(reply)
+			return &DNSRequest{
+				err: err,
+			}
+		}
+		req.Header.Set("Content-Type", "application/dns-message")
+	}
+	req.Header.Set("Accept", "application/dns-message, application/dns-udpwireformat, application/json")
+	req.Header.Set("User-Agent", USER_AGENT)
+	req = req.WithContext(ctx)
+	c.httpClientMux.RLock()
+	resp, err := c.httpClient.Do(req)
+	c.httpClientMux.RUnlock()
+
+	// if http Client.Do returns non-nil error, it always *url.Error
+	/*if err == context.DeadlineExceeded {
+		// Do not respond, silently fail to prevent caching of SERVFAIL
+		log.Println(err)
+		return &DNSRequest{
+			err: err,
+		}
+	}*/
+
+	if err != nil {
+		log.Println(err)
+		reply := jsonDNS.PrepareReply(r)
+		reply.Rcode = dns.RcodeServerFailure
+		w.WriteMsg(reply)
+		return &DNSRequest{
+			err: err,
+		}
+	}
+
+	return &DNSRequest{
+		response:          resp,
+		reply:             jsonDNS.PrepareReply(r),
+		udpSize:           udpSize,
+		ednsClientAddress: ednsClientAddress,
+		ednsClientNetmask: ednsClientNetmask,
+		currentUpstream:   upstream.URL,
+	}
+}
+
+func (c *Client) parseResponseIETF(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, isTCP bool, req *DNSRequest) {
+	if req.response.StatusCode != http.StatusOK {
+		log.Printf("HTTP error from upstream %s: %s\n", req.currentUpstream, req.response.Status)
+		req.reply.Rcode = dns.RcodeServerFailure
+		contentType := req.response.Header.Get("Content-Type")
+		if contentType != "application/dns-message" && !strings.HasPrefix(contentType, "application/dns-message;") {
+			w.WriteMsg(req.reply)
+			return
+		}
+	}
+
+	body, err := ioutil.ReadAll(req.response.Body)
+	if err != nil {
+		log.Println(err)
+		req.reply.Rcode = dns.RcodeServerFailure
+		w.WriteMsg(req.reply)
+		return
+	}
+	headerNow := req.response.Header.Get("Date")
+	now := time.Now().UTC()
+	if headerNow != "" {
+		if nowDate, err := time.Parse(http.TimeFormat, headerNow); err == nil {
+			now = nowDate
+		} else {
+			log.Println(err)
+		}
+	}
+	headerLastModified := req.response.Header.Get("Last-Modified")
+	lastModified := now
+	if headerLastModified != "" {
+		if lastModifiedDate, err := time.Parse(http.TimeFormat, headerLastModified); err == nil {
+			lastModified = lastModifiedDate
+		} else {
+			log.Println(err)
+		}
+	}
+	timeDelta := now.Sub(lastModified)
+	if timeDelta < 0 {
+		timeDelta = 0
+	}
+
+	fullReply := new(dns.Msg)
+	err = fullReply.Unpack(body)
+	if err != nil {
+		log.Println(err)
+		req.reply.Rcode = dns.RcodeServerFailure
+		w.WriteMsg(req.reply)
+		return
+	}
+
+	fullReply.Id = r.Id
+	for _, rr := range fullReply.Answer {
+		_ = fixRecordTTL(rr, timeDelta)
+	}
+	for _, rr := range fullReply.Ns {
+		_ = fixRecordTTL(rr, timeDelta)
+	}
+	for _, rr := range fullReply.Extra {
+		if rr.Header().Rrtype == dns.TypeOPT {
+			continue
+		}
+		_ = fixRecordTTL(rr, timeDelta)
+	}
+
+	buf, err := fullReply.Pack()
+	if err != nil {
+		log.Println(err)
+		req.reply.Rcode = dns.RcodeServerFailure
+		w.WriteMsg(req.reply)
+		return
+	}
+	if !isTCP && len(buf) > int(req.udpSize) {
+		fullReply.Truncated = true
+		buf, err = fullReply.Pack()
+		if err != nil {
+			log.Println(err)
+			return
+		}
+		buf = buf[:req.udpSize]
+	}
+	w.Write(buf)
+}
+
+func fixRecordTTL(rr dns.RR, delta time.Duration) dns.RR {
+	rrHeader := rr.Header()
+	oldTTL := time.Duration(rrHeader.Ttl) * time.Second
+	newTTL := oldTTL - delta
+	if newTTL > 0 {
+		rrHeader.Ttl = uint32(newTTL / time.Second)
+	} else {
+		rrHeader.Ttl = 0
+	}
+	return rr
+}

doh-client/main.go

@@ -1,45 +1,115 @@
 /*
-    DNS-over-HTTPS
-    Copyright (C) 2017 Star Brilliant <m13253@hotmail.com>
+   DNS-over-HTTPS
+   Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
 
-    Permission is hereby granted, free of charge, to any person obtaining a
-    copy of this software and associated documentation files (the "Software"),
-    to deal in the Software without restriction, including without limitation
-    the rights to use, copy, modify, merge, publish, distribute, sublicense,
-    and/or sell copies of the Software, and to permit persons to whom the
-    Software is furnished to do so, subject to the following conditions:
+   Permission is hereby granted, free of charge, to any person obtaining a
+   copy of this software and associated documentation files (the "Software"),
+   to deal in the Software without restriction, including without limitation
+   the rights to use, copy, modify, merge, publish, distribute, sublicense,
+   and/or sell copies of the Software, and to permit persons to whom the
+   Software is furnished to do so, subject to the following conditions:
 
-    The above copyright notice and this permission notice shall be included in
-    all copies or substantial portions of the Software.
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
 
-    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-    FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
-    DEALINGS IN THE SOFTWARE.
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+   DEALINGS IN THE SOFTWARE.
 */
 
 package main
 
 import (
 	"flag"
+	"fmt"
+	"io"
+	"io/ioutil"
 	"log"
+	"os"
+	"runtime"
+	"strconv"
+
+	"github.com/m13253/dns-over-https/doh-client/config"
 )
 
+func checkPIDFile(pidFile string) (bool, error) {
+retry:
+	f, err := os.OpenFile(pidFile, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0666)
+	if os.IsExist(err) {
+		pidStr, err := ioutil.ReadFile(pidFile)
+		if err != nil {
+			return false, err
+		}
+		pid, err := strconv.ParseUint(string(pidStr), 10, 0)
+		if err != nil {
+			return false, err
+		}
+		_, err = os.Stat(fmt.Sprintf("/proc/%d", pid))
+		if os.IsNotExist(err) {
+			err = os.Remove(pidFile)
+			if err != nil {
+				return false, err
+			}
+			goto retry
+		} else if err != nil {
+			return false, err
+		}
+		log.Printf("Already running on PID %d, exiting.\n", pid)
+		return false, nil
+	} else if err != nil {
+		return false, err
+	}
+	defer f.Close()
+	_, err = io.WriteString(f, strconv.FormatInt(int64(os.Getpid()), 10))
+	if err != nil {
+		return false, err
+	}
+	return true, nil
+}
+
 func main() {
 	confPath := flag.String("conf", "doh-client.conf", "Configuration file")
 	verbose := flag.Bool("verbose", false, "Enable logging")
+	showVersion := flag.Bool("version", false, "Show software version and exit")
+	var pidFile *string
+
+	// I really want to push the technology forward by recommending cgroup-based
+	// process tracking. But I understand some cloud service providers have
+	// their own monitoring system. So this feature is only enabled on Linux and
+	// BSD series platforms which lacks functionality similar to cgroup.
+	switch runtime.GOOS {
+	case "dragonfly", "freebsd", "linux", "netbsd", "openbsd":
+		pidFile = flag.String("pid-file", "", "PID file for legacy supervision systems lacking support for reliable cgroup-based process tracking")
+	}
+
 	flag.Parse()
 
-	conf, err := loadConfig(*confPath)
+	if *showVersion {
+		fmt.Printf("doh-server %s\nHomepage: https://github.com/m13253/dns-over-https\n", VERSION)
+		return
+	}
+
+	if pidFile != nil && *pidFile != "" {
+		ok, err := checkPIDFile(*pidFile)
+		if err != nil {
+			log.Printf("Error checking PID file: %v\n", err)
+		}
+		if !ok {
+			return
+		}
+	}
+
+	conf, err := config.LoadConfig(*confPath)
 	if err != nil {
 		log.Fatalln(err)
 	}
 
 	if *verbose {
-		conf.Verbose = true
+		conf.Other.Verbose = true
 	}
 
 	client, err := NewClient(conf)

doh-client/selector/lvsWRRSelector.go

@@ -0,0 +1,262 @@
+package selector
+
+import (
+	"encoding/json"
+	"errors"
+	"log"
+	"net/http"
+	"sync"
+	"sync/atomic"
+	"time"
+)
+
+type LVSWRRSelector struct {
+	upstreams     []*Upstream // upstreamsInfo
+	client        http.Client // http client to check the upstream
+	lastChoose    int32
+	currentWeight int32
+}
+
+func NewLVSWRRSelector(timeout time.Duration) *LVSWRRSelector {
+	return &LVSWRRSelector{
+		client:     http.Client{Timeout: timeout},
+		lastChoose: -1,
+	}
+}
+
+func (ls *LVSWRRSelector) Add(url string, upstreamType UpstreamType, weight int32) (err error) {
+	if weight < 1 {
+		return errors.New("weight is 1")
+	}
+
+	switch upstreamType {
+	case Google:
+		ls.upstreams = append(ls.upstreams, &Upstream{
+			Type:            Google,
+			URL:             url,
+			RequestType:     "application/dns-json",
+			weight:          weight,
+			effectiveWeight: weight,
+		})
+
+	case IETF:
+		ls.upstreams = append(ls.upstreams, &Upstream{
+			Type:            IETF,
+			URL:             url,
+			RequestType:     "application/dns-message",
+			weight:          weight,
+			effectiveWeight: weight,
+		})
+
+	default:
+		return errors.New("unknown upstream type")
+	}
+
+	return nil
+}
+
+func (ls *LVSWRRSelector) StartEvaluate() {
+	go func() {
+		for {
+			wg := sync.WaitGroup{}
+
+			for i := range ls.upstreams {
+				wg.Add(1)
+
+				go func(i int) {
+					defer wg.Done()
+
+					upstreamURL := ls.upstreams[i].URL
+					var acceptType string
+
+					switch ls.upstreams[i].Type {
+					case Google:
+						upstreamURL += "?name=www.example.com&type=A"
+						acceptType = "application/dns-json"
+
+					case IETF:
+						// www.example.com
+						upstreamURL += "?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"
+						acceptType = "application/dns-message"
+					}
+
+					req, err := http.NewRequest(http.MethodGet, upstreamURL, nil)
+					if err != nil {
+						/*log.Println("upstream:", upstreamURL, "type:", typeMap[upstream.Type], "check failed:", err)
+						continue*/
+
+						// should I only log it? But if there is an error, I think when query the server will return error too
+						panic("upstream: " + upstreamURL + " type: " + typeMap[ls.upstreams[i].Type] + " check failed: " + err.Error())
+					}
+
+					req.Header.Set("accept", acceptType)
+
+					resp, err := ls.client.Do(req)
+					if err != nil {
+						// should I check error in detail?
+						if atomic.AddInt32(&ls.upstreams[i].effectiveWeight, -5) < 1 {
+							atomic.StoreInt32(&ls.upstreams[i].effectiveWeight, 1)
+						}
+						return
+					}
+
+					switch ls.upstreams[i].Type {
+					case Google:
+						ls.checkGoogleResponse(resp, ls.upstreams[i])
+
+					case IETF:
+						ls.checkIETFResponse(resp, ls.upstreams[i])
+					}
+				}(i)
+			}
+
+			wg.Wait()
+
+			time.Sleep(15 * time.Second)
+		}
+	}()
+}
+
+func (ls *LVSWRRSelector) Get() *Upstream {
+	if len(ls.upstreams) == 1 {
+		return ls.upstreams[0]
+	}
+
+	for {
+		atomic.StoreInt32(&ls.lastChoose, (atomic.LoadInt32(&ls.lastChoose)+1)%int32(len(ls.upstreams)))
+
+		if atomic.LoadInt32(&ls.lastChoose) == 0 {
+			atomic.AddInt32(&ls.currentWeight, -ls.gcdWeight())
+
+			if atomic.LoadInt32(&ls.currentWeight) <= 0 {
+				atomic.AddInt32(&ls.currentWeight, ls.maxWeight())
+
+				if atomic.LoadInt32(&ls.currentWeight) == 0 {
+					panic("current weight is 0")
+				}
+			}
+		}
+
+		if atomic.LoadInt32(&ls.upstreams[atomic.LoadInt32(&ls.lastChoose)].effectiveWeight) >= atomic.LoadInt32(&ls.currentWeight) {
+			return ls.upstreams[atomic.LoadInt32(&ls.lastChoose)]
+		}
+	}
+}
+
+func (ls *LVSWRRSelector) gcdWeight() (res int32) {
+	res = gcd(atomic.LoadInt32(&ls.upstreams[0].effectiveWeight), atomic.LoadInt32(&ls.upstreams[0].effectiveWeight))
+
+	for i := 1; i < len(ls.upstreams); i++ {
+		res = gcd(res, atomic.LoadInt32(&ls.upstreams[i].effectiveWeight))
+	}
+
+	return
+}
+
+func (ls *LVSWRRSelector) maxWeight() (res int32) {
+	for _, upstream := range ls.upstreams {
+		w := atomic.LoadInt32(&upstream.effectiveWeight)
+		if w > res {
+			res = w
+		}
+	}
+
+	return
+}
+
+func gcd(x, y int32) int32 {
+	for {
+		if x < y {
+			x, y = y, x
+		}
+
+		tmp := x % y
+		if tmp == 0 {
+			return y
+		}
+
+		x = tmp
+	}
+}
+
+func (ls *LVSWRRSelector) ReportUpstreamStatus(upstream *Upstream, upstreamStatus upstreamStatus) {
+	switch upstreamStatus {
+	case Timeout:
+		if atomic.AddInt32(&upstream.effectiveWeight, -5) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+
+	case Error:
+		if atomic.AddInt32(&upstream.effectiveWeight, -2) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+
+	case OK:
+		if atomic.AddInt32(&upstream.effectiveWeight, 1) > upstream.weight {
+			atomic.StoreInt32(&upstream.effectiveWeight, upstream.weight)
+		}
+	}
+}
+
+func (ls *LVSWRRSelector) checkGoogleResponse(resp *http.Response, upstream *Upstream) {
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		// server error
+		if atomic.AddInt32(&upstream.effectiveWeight, -3) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+		return
+	}
+
+	m := make(map[string]interface{})
+	if err := json.NewDecoder(resp.Body).Decode(&m); err != nil {
+		// should I check error in detail?
+		if atomic.AddInt32(&upstream.effectiveWeight, -2) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+		return
+	}
+
+	if status, ok := m["Status"]; ok {
+		if statusNum, ok := status.(float64); ok && statusNum == 0 {
+			if atomic.AddInt32(&upstream.effectiveWeight, 5) > upstream.weight {
+				atomic.StoreInt32(&upstream.effectiveWeight, upstream.weight)
+			}
+			return
+		}
+	}
+
+	// should I check error in detail?
+	if atomic.AddInt32(&upstream.effectiveWeight, -2) < 1 {
+		atomic.StoreInt32(&upstream.effectiveWeight, 1)
+	}
+}
+
+func (ls *LVSWRRSelector) checkIETFResponse(resp *http.Response, upstream *Upstream) {
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		// server error
+		if atomic.AddInt32(&upstream.effectiveWeight, -3) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+		return
+	}
+
+	if atomic.AddInt32(&upstream.effectiveWeight, 5) > upstream.weight {
+		atomic.StoreInt32(&upstream.effectiveWeight, upstream.weight)
+	}
+}
+
+func (ls *LVSWRRSelector) ReportWeights() {
+	go func() {
+		for {
+			time.Sleep(15 * time.Second)
+
+			for _, u := range ls.upstreams {
+				log.Printf("%s, effect weight: %d", u, atomic.LoadInt32(&u.effectiveWeight))
+			}
+		}
+	}()
+}

doh-client/selector/nginxWRRSelector.go

@@ -0,0 +1,215 @@
+package selector
+
+import (
+	"encoding/json"
+	"errors"
+	"log"
+	"net/http"
+	"sync"
+	"sync/atomic"
+	"time"
+)
+
+type NginxWRRSelector struct {
+	upstreams []*Upstream // upstreamsInfo
+	client    http.Client // http client to check the upstream
+}
+
+func NewNginxWRRSelector(timeout time.Duration) *NginxWRRSelector {
+	return &NginxWRRSelector{
+		client: http.Client{Timeout: timeout},
+	}
+}
+
+func (ws *NginxWRRSelector) Add(url string, upstreamType UpstreamType, weight int32) (err error) {
+	switch upstreamType {
+	case Google:
+		ws.upstreams = append(ws.upstreams, &Upstream{
+			Type:            Google,
+			URL:             url,
+			RequestType:     "application/dns-json",
+			weight:          weight,
+			effectiveWeight: weight,
+		})
+
+	case IETF:
+		ws.upstreams = append(ws.upstreams, &Upstream{
+			Type:            IETF,
+			URL:             url,
+			RequestType:     "application/dns-message",
+			weight:          weight,
+			effectiveWeight: weight,
+		})
+
+	default:
+		return errors.New("unknown upstream type")
+	}
+
+	return nil
+}
+
+func (ws *NginxWRRSelector) StartEvaluate() {
+	go func() {
+		for {
+			wg := sync.WaitGroup{}
+
+			for i := range ws.upstreams {
+				wg.Add(1)
+
+				go func(i int) {
+					defer wg.Done()
+
+					upstreamURL := ws.upstreams[i].URL
+					var acceptType string
+
+					switch ws.upstreams[i].Type {
+					case Google:
+						upstreamURL += "?name=www.example.com&type=A"
+						acceptType = "application/dns-json"
+
+					case IETF:
+						// www.example.com
+						upstreamURL += "?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"
+						acceptType = "application/dns-message"
+					}
+
+					req, err := http.NewRequest(http.MethodGet, upstreamURL, nil)
+					if err != nil {
+						/*log.Println("upstream:", upstreamURL, "type:", typeMap[upstream.Type], "check failed:", err)
+						continue*/
+
+						// should I only log it? But if there is an error, I think when query the server will return error too
+						panic("upstream: " + upstreamURL + " type: " + typeMap[ws.upstreams[i].Type] + " check failed: " + err.Error())
+					}
+
+					req.Header.Set("accept", acceptType)
+
+					resp, err := ws.client.Do(req)
+					if err != nil {
+						// should I check error in detail?
+						if atomic.AddInt32(&ws.upstreams[i].effectiveWeight, -10) < 1 {
+							atomic.StoreInt32(&ws.upstreams[i].effectiveWeight, 1)
+						}
+						return
+					}
+
+					switch ws.upstreams[i].Type {
+					case Google:
+						ws.checkGoogleResponse(resp, ws.upstreams[i])
+
+					case IETF:
+						ws.checkIETFResponse(resp, ws.upstreams[i])
+					}
+				}(i)
+			}
+
+			wg.Wait()
+
+			time.Sleep(15 * time.Second)
+		}
+	}()
+}
+
+// nginx wrr like
+func (ws *NginxWRRSelector) Get() *Upstream {
+	var (
+		total             int32
+		bestUpstreamIndex = -1
+	)
+
+	for i := range ws.upstreams {
+		effectiveWeight := atomic.LoadInt32(&ws.upstreams[i].effectiveWeight)
+		atomic.AddInt32(&ws.upstreams[i].currentWeight, effectiveWeight)
+		total += effectiveWeight
+
+		if bestUpstreamIndex == -1 || atomic.LoadInt32(&ws.upstreams[i].currentWeight) > atomic.LoadInt32(&ws.upstreams[bestUpstreamIndex].currentWeight) {
+			bestUpstreamIndex = i
+		}
+	}
+
+	atomic.AddInt32(&ws.upstreams[bestUpstreamIndex].currentWeight, -total)
+
+	return ws.upstreams[bestUpstreamIndex]
+}
+
+func (ws *NginxWRRSelector) ReportUpstreamStatus(upstream *Upstream, upstreamStatus upstreamStatus) {
+	switch upstreamStatus {
+	case Timeout:
+		if atomic.AddInt32(&upstream.effectiveWeight, -5) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+
+	case Error:
+		if atomic.AddInt32(&upstream.effectiveWeight, -3) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+
+	case OK:
+		if atomic.AddInt32(&upstream.effectiveWeight, 1) > upstream.weight {
+			atomic.StoreInt32(&upstream.effectiveWeight, upstream.weight)
+		}
+	}
+}
+
+func (ws *NginxWRRSelector) checkGoogleResponse(resp *http.Response, upstream *Upstream) {
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		// server error
+		if atomic.AddInt32(&upstream.effectiveWeight, -3) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+		return
+	}
+
+	m := make(map[string]interface{})
+	if err := json.NewDecoder(resp.Body).Decode(&m); err != nil {
+		// should I check error in detail?
+		if atomic.AddInt32(&upstream.effectiveWeight, -2) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+		return
+	}
+
+	if status, ok := m["Status"]; ok {
+		if statusNum, ok := status.(float64); ok && statusNum == 0 {
+			if atomic.AddInt32(&upstream.effectiveWeight, 5) > upstream.weight {
+				atomic.StoreInt32(&upstream.effectiveWeight, upstream.weight)
+			}
+			return
+		}
+	}
+
+	// should I check error in detail?
+	if atomic.AddInt32(&upstream.effectiveWeight, -2) < 1 {
+		atomic.StoreInt32(&upstream.effectiveWeight, 1)
+	}
+}
+
+func (ws *NginxWRRSelector) checkIETFResponse(resp *http.Response, upstream *Upstream) {
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		// server error
+		if atomic.AddInt32(&upstream.effectiveWeight, -5) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+		return
+	}
+
+	if atomic.AddInt32(&upstream.effectiveWeight, 5) > upstream.weight {
+		atomic.StoreInt32(&upstream.effectiveWeight, upstream.weight)
+	}
+}
+
+func (ws *NginxWRRSelector) ReportWeights() {
+	go func() {
+		for {
+			time.Sleep(15 * time.Second)
+
+			for _, u := range ws.upstreams {
+				log.Printf("%s, effect weight: %d", u, atomic.LoadInt32(&u.effectiveWeight))
+			}
+		}
+	}()
+}

doh-client/selector/randomSelector.go

@@ -0,0 +1,50 @@
+package selector
+
+import (
+	"errors"
+	"math/rand"
+	"time"
+)
+
+func init() {
+	rand.Seed(time.Now().UnixNano())
+}
+
+type RandomSelector struct {
+	upstreams []*Upstream
+}
+
+func NewRandomSelector() *RandomSelector {
+	return new(RandomSelector)
+}
+
+func (rs *RandomSelector) Add(url string, upstreamType UpstreamType) (err error) {
+	switch upstreamType {
+	case Google:
+		rs.upstreams = append(rs.upstreams, &Upstream{
+			Type:        Google,
+			URL:         url,
+			RequestType: "application/dns-json",
+		})
+
+	case IETF:
+		rs.upstreams = append(rs.upstreams, &Upstream{
+			Type:        IETF,
+			URL:         url,
+			RequestType: "application/dns-message",
+		})
+
+	default:
+		return errors.New("unknown upstream type")
+	}
+
+	return nil
+}
+
+func (rs *RandomSelector) Get() *Upstream {
+	return rs.upstreams[rand.Intn(len(rs.upstreams)-1)]
+}
+
+func (rs *RandomSelector) StartEvaluate() {}
+
+func (rs *RandomSelector) ReportUpstreamStatus(upstream *Upstream, upstreamStatus upstreamStatus) {}

doh-client/selector/selector.go

@@ -0,0 +1,17 @@
+package selector
+
+type Selector interface {
+	// Get returns a upstream
+	Get() *Upstream
+
+	// StartEvaluate start upstream evaluation loop
+	StartEvaluate()
+
+	// ReportUpstreamStatus report upstream status
+	ReportUpstreamStatus(upstream *Upstream, upstreamStatus upstreamStatus)
+}
+
+type DebugReporter interface {
+	// ReportWeights starts a goroutine to report all upstream weights, recommend interval is 15s
+	ReportWeights()
+}

doh-client/selector/upstream.go

@@ -0,0 +1,28 @@
+package selector
+
+import "fmt"
+
+type UpstreamType int
+
+const (
+	Google UpstreamType = iota
+	IETF
+)
+
+var typeMap = map[UpstreamType]string{
+	Google: "Google",
+	IETF:   "IETF",
+}
+
+type Upstream struct {
+	Type            UpstreamType
+	URL             string
+	RequestType     string
+	weight          int32
+	effectiveWeight int32
+	currentWeight   int32
+}
+
+func (u Upstream) String() string {
+	return fmt.Sprintf("upstream type: %s, upstream url: %s", typeMap[u.Type], u.URL)
+}

doh-client/selector/upstreamStatus.go

@@ -0,0 +1,14 @@
+package selector
+
+type upstreamStatus int
+
+const (
+	// when query upstream timeout, usually upstream is unavailable for a long time
+	Timeout upstreamStatus = iota
+
+	// when query upstream return 5xx response, upstream still alive, maybe just a lof of query for him
+	Error
+
+	// when query upstream ok, means upstream is available
+	OK
+)

doh-client/version.go

@@ -0,0 +1,29 @@
+/*
+   DNS-over-HTTPS
+   Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
+
+   Permission is hereby granted, free of charge, to any person obtaining a
+   copy of this software and associated documentation files (the "Software"),
+   to deal in the Software without restriction, including without limitation
+   the rights to use, copy, modify, merge, publish, distribute, sublicense,
+   and/or sell copies of the Software, and to permit persons to whom the
+   Software is furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+   DEALINGS IN THE SOFTWARE.
+*/
+
+package main
+
+const (
+	VERSION    = "2.0.0"
+	USER_AGENT = "DNS-over-HTTPS/" + VERSION + " (+https://github.com/m13253/dns-over-https)"
+)

doh-server/config.go

@@ -1,76 +1,84 @@
 /*
-    DNS-over-HTTPS
-    Copyright (C) 2017 Star Brilliant <m13253@hotmail.com>
+   DNS-over-HTTPS
+   Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
 
-    Permission is hereby granted, free of charge, to any person obtaining a
-    copy of this software and associated documentation files (the "Software"),
-    to deal in the Software without restriction, including without limitation
-    the rights to use, copy, modify, merge, publish, distribute, sublicense,
-    and/or sell copies of the Software, and to permit persons to whom the
-    Software is furnished to do so, subject to the following conditions:
+   Permission is hereby granted, free of charge, to any person obtaining a
+   copy of this software and associated documentation files (the "Software"),
+   to deal in the Software without restriction, including without limitation
+   the rights to use, copy, modify, merge, publish, distribute, sublicense,
+   and/or sell copies of the Software, and to permit persons to whom the
+   Software is furnished to do so, subject to the following conditions:
 
-    The above copyright notice and this permission notice shall be included in
-    all copies or substantial portions of the Software.
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
 
-    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-    FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
-    DEALINGS IN THE SOFTWARE.
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+   DEALINGS IN THE SOFTWARE.
 */
 
 package main
 
 import (
 	"fmt"
+
 	"github.com/BurntSushi/toml"
 )
 
 type config struct {
-	Listen		string		`toml:"listen"`
-	Cert		string		`toml:"cert"`
-	Key			string		`toml:"key"`
-	Path		string		`toml:"path"`
-	Upstream	[]string	`toml:"upstream"`
-	Tries		uint		`toml:"tries"`
-	TCPOnly		bool		`toml:"tcp_only"`
-	Verbose		bool		`toml:"verbose"`
+	Listen           []string `toml:"listen"`
+	Cert             string   `toml:"cert"`
+	Key              string   `toml:"key"`
+	Path             string   `toml:"path"`
+	Upstream         []string `toml:"upstream"`
+	Timeout          uint     `toml:"timeout"`
+	Tries            uint     `toml:"tries"`
+	TCPOnly          bool     `toml:"tcp_only"`
+	Verbose          bool     `toml:"verbose"`
+	DebugHTTPHeaders []string `toml:"debug_http_headers"`
+	LogGuessedIP     bool     `toml:"log_guessed_client_ip"`
 }
 
 func loadConfig(path string) (*config, error) {
-	conf := &config {}
+	conf := &config{}
 	metaData, err := toml.DecodeFile(path, conf)
 	if err != nil {
 		return nil, err
 	}
 	for _, key := range metaData.Undecoded() {
-		return nil, &configError { fmt.Sprintf("unknown option %q", key.String()) }
+		return nil, &configError{fmt.Sprintf("unknown option %q", key.String())}
 	}
 
-	if conf.Listen == "" {
-		conf.Listen = "127.0.0.1:8053"
+	if len(conf.Listen) == 0 {
+		conf.Listen = []string{"127.0.0.1:8053", "[::1]:8053"}
 	}
+
 	if conf.Path == "" {
-		conf.Path = "/resolve"
+		conf.Path = "/dns-query"
 	}
 	if len(conf.Upstream) == 0 {
-		conf.Upstream = []string { "8.8.8.8:53", "8.8.4.4:53" }
+		conf.Upstream = []string{"8.8.8.8:53", "8.8.4.4:53"}
+	}
+	if conf.Timeout == 0 {
+		conf.Timeout = 10
 	}
 	if conf.Tries == 0 {
-		conf.Tries = 3
+		conf.Tries = 1
 	}
 
 	if (conf.Cert != "") != (conf.Key != "") {
-		return nil, &configError { "You must specify both -cert and -key to enable TLS" }
+		return nil, &configError{"You must specify both -cert and -key to enable TLS"}
 	}
 
 	return conf, nil
 }
 
 type configError struct {
-	err		string
+	err string
 }
 
 func (e *configError) Error() string {

doh-server/doh-server.conf

@@ -1,22 +1,35 @@
 # HTTP listen port
-listen = "127.0.0.1:8053"
+listen = [
+    "127.0.0.1:8053",
+    "[::1]:8053",
+]
 
 # TLS certification file
+# If left empty, plain-text HTTP will be used.
+# You are recommended to leave empty and to use a server load balancer (e.g.
+# Caddy, Nginx) and set up TLS there, because this program does not do OCSP
+# Stapling, which is necessary for client bootstrapping in a network
+# environment with completely no traditional DNS service.
 cert = ""
 
-# TLS key file
+# TLS private key file
 key = ""
 
 # HTTP path for resolve application
-path = "/resolve"
+path = "/dns-query"
 
 # Upstream DNS resolver
 # If multiple servers are specified, a random one will be chosen each time.
 upstream = [
+    "1.1.1.1:53",
+    "1.0.0.1:53",
     "8.8.8.8:53",
     "8.8.4.4:53",
 ]
 
+# Upstream timeout
+timeout = 10
+
 # Number of tries if upstream DNS fails
 tries = 3
 
@@ -25,3 +38,7 @@ tcp_only = false
 
 # Enable logging
 verbose = false
+
+# Enable log IP from HTTPS-reverse proxy header: X-Forwarded-For or X-Real-IP
+# Note: http uri/useragent log cannot be controlled by this config
+log_guessed_client_ip = false

doh-server/google.go

@@ -0,0 +1,198 @@
+/*
+   DNS-over-HTTPS
+   Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
+
+   Permission is hereby granted, free of charge, to any person obtaining a
+   copy of this software and associated documentation files (the "Software"),
+   to deal in the Software without restriction, including without limitation
+   the rights to use, copy, modify, merge, publish, distribute, sublicense,
+   and/or sell copies of the Software, and to permit persons to whom the
+   Software is furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+   DEALINGS IN THE SOFTWARE.
+*/
+
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log"
+	"net"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/m13253/dns-over-https/json-dns"
+	"github.com/miekg/dns"
+	"golang.org/x/net/idna"
+)
+
+func (s *Server) parseRequestGoogle(ctx context.Context, w http.ResponseWriter, r *http.Request) *DNSRequest {
+	name := r.FormValue("name")
+	if name == "" {
+		return &DNSRequest{
+			errcode: 400,
+			errtext: "Invalid argument value: \"name\"",
+		}
+	}
+	if punycode, err := idna.ToASCII(name); err == nil {
+		name = punycode
+	} else {
+		return &DNSRequest{
+			errcode: 400,
+			errtext: fmt.Sprintf("Invalid argument value: \"name\" = %q (%s)", name, err.Error()),
+		}
+	}
+
+	rrTypeStr := r.FormValue("type")
+	rrType := uint16(1)
+	if rrTypeStr == "" {
+	} else if v, err := strconv.ParseUint(rrTypeStr, 10, 16); err == nil {
+		rrType = uint16(v)
+	} else if v, ok := dns.StringToType[strings.ToUpper(rrTypeStr)]; ok {
+		rrType = v
+	} else {
+		return &DNSRequest{
+			errcode: 400,
+			errtext: fmt.Sprintf("Invalid argument value: \"type\" = %q", rrTypeStr),
+		}
+	}
+
+	cdStr := r.FormValue("cd")
+	cd := false
+	if cdStr == "1" || strings.EqualFold(cdStr, "true") {
+		cd = true
+	} else if cdStr == "0" || strings.EqualFold(cdStr, "false") || cdStr == "" {
+	} else {
+		return &DNSRequest{
+			errcode: 400,
+			errtext: fmt.Sprintf("Invalid argument value: \"cd\" = %q", cdStr),
+		}
+	}
+
+	ednsClientSubnet := r.FormValue("edns_client_subnet")
+	ednsClientFamily := uint16(0)
+	ednsClientAddress := net.IP(nil)
+	ednsClientNetmask := uint8(255)
+	if ednsClientSubnet != "" {
+		if ednsClientSubnet == "0/0" {
+			ednsClientSubnet = "0.0.0.0/0"
+		}
+		slash := strings.IndexByte(ednsClientSubnet, '/')
+		if slash < 0 {
+			ednsClientAddress = net.ParseIP(ednsClientSubnet)
+			if ednsClientAddress == nil {
+				return &DNSRequest{
+					errcode: 400,
+					errtext: fmt.Sprintf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet),
+				}
+			}
+			if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
+				ednsClientFamily = 1
+				ednsClientAddress = ipv4
+				ednsClientNetmask = 24
+			} else {
+				ednsClientFamily = 2
+				ednsClientNetmask = 56
+			}
+		} else {
+			ednsClientAddress = net.ParseIP(ednsClientSubnet[:slash])
+			if ednsClientAddress == nil {
+				return &DNSRequest{
+					errcode: 400,
+					errtext: fmt.Sprintf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet),
+				}
+			}
+			if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
+				ednsClientFamily = 1
+				ednsClientAddress = ipv4
+			} else {
+				ednsClientFamily = 2
+			}
+			netmask, err := strconv.ParseUint(ednsClientSubnet[slash+1:], 10, 8)
+			if err != nil {
+				return &DNSRequest{
+					errcode: 400,
+					errtext: fmt.Sprintf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet),
+				}
+			}
+			ednsClientNetmask = uint8(netmask)
+		}
+	} else {
+		ednsClientAddress = s.findClientIP(r)
+		if ednsClientAddress == nil {
+			ednsClientNetmask = 0
+		} else if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
+			ednsClientFamily = 1
+			ednsClientAddress = ipv4
+			ednsClientNetmask = 24
+		} else {
+			ednsClientFamily = 2
+			ednsClientNetmask = 56
+		}
+	}
+
+	msg := new(dns.Msg)
+	msg.SetQuestion(dns.Fqdn(name), rrType)
+	msg.CheckingDisabled = cd
+	opt := new(dns.OPT)
+	opt.Hdr.Name = "."
+	opt.Hdr.Rrtype = dns.TypeOPT
+	opt.SetUDPSize(dns.DefaultMsgSize)
+	opt.SetDo(true)
+	if ednsClientAddress != nil {
+		edns0Subnet := new(dns.EDNS0_SUBNET)
+		edns0Subnet.Code = dns.EDNS0SUBNET
+		edns0Subnet.Family = ednsClientFamily
+		edns0Subnet.SourceNetmask = ednsClientNetmask
+		edns0Subnet.SourceScope = 0
+		edns0Subnet.Address = ednsClientAddress
+		opt.Option = append(opt.Option, edns0Subnet)
+	}
+	msg.Extra = append(msg.Extra, opt)
+
+	return &DNSRequest{
+		request:    msg,
+		isTailored: ednsClientSubnet == "",
+	}
+}
+
+func (s *Server) generateResponseGoogle(ctx context.Context, w http.ResponseWriter, r *http.Request, req *DNSRequest) {
+	respJSON := jsonDNS.Marshal(req.response)
+	respStr, err := json.Marshal(respJSON)
+	if err != nil {
+		log.Println(err)
+		jsonDNS.FormatError(w, fmt.Sprintf("DNS packet parse failure (%s)", err.Error()), 500)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json; charset=UTF-8")
+	now := time.Now().UTC().Format(http.TimeFormat)
+	w.Header().Set("Date", now)
+	w.Header().Set("Last-Modified", now)
+	w.Header().Set("Vary", "Accept")
+	if respJSON.HaveTTL {
+		if req.isTailored {
+			w.Header().Set("Cache-Control", "private, max-age="+strconv.FormatUint(uint64(respJSON.LeastTTL), 10))
+		} else {
+			w.Header().Set("Cache-Control", "public, max-age="+strconv.FormatUint(uint64(respJSON.LeastTTL), 10))
+		}
+		w.Header().Set("Expires", respJSON.EarliestExpires.Format(http.TimeFormat))
+	}
+	if respJSON.Status == dns.RcodeServerFailure {
+		w.WriteHeader(503)
+	}
+	w.Write(respStr)
+}

doh-server/ietf.go

@@ -0,0 +1,215 @@
+/*
+   DNS-over-HTTPS
+   Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
+
+   Permission is hereby granted, free of charge, to any person obtaining a
+   copy of this software and associated documentation files (the "Software"),
+   to deal in the Software without restriction, including without limitation
+   the rights to use, copy, modify, merge, publish, distribute, sublicense,
+   and/or sell copies of the Software, and to permit persons to whom the
+   Software is furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+   DEALINGS IN THE SOFTWARE.
+*/
+
+package main
+
+import (
+	"bytes"
+	"context"
+	"encoding/base64"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"net"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/m13253/dns-over-https/json-dns"
+	"github.com/miekg/dns"
+)
+
+func (s *Server) parseRequestIETF(ctx context.Context, w http.ResponseWriter, r *http.Request) *DNSRequest {
+	requestBase64 := r.FormValue("dns")
+	requestBinary, err := base64.RawURLEncoding.DecodeString(requestBase64)
+	if err != nil {
+		return &DNSRequest{
+			errcode: 400,
+			errtext: fmt.Sprintf("Invalid argument value: \"dns\" = %q", requestBase64),
+		}
+	}
+	if len(requestBinary) == 0 && (r.Header.Get("Content-Type") == "application/dns-message" || r.Header.Get("Content-Type") == "application/dns-udpwireformat") {
+		requestBinary, err = ioutil.ReadAll(r.Body)
+		if err != nil {
+			return &DNSRequest{
+				errcode: 400,
+				errtext: fmt.Sprintf("Failed to read request body (%s)", err.Error()),
+			}
+		}
+	}
+	if len(requestBinary) == 0 {
+		return &DNSRequest{
+			errcode: 400,
+			errtext: fmt.Sprintf("Invalid argument value: \"dns\""),
+		}
+	}
+
+	if s.patchDNSCryptProxyReqID(w, r, requestBinary) {
+		return &DNSRequest{
+			errcode: 444,
+		}
+	}
+
+	msg := new(dns.Msg)
+	err = msg.Unpack(requestBinary)
+	if err != nil {
+		return &DNSRequest{
+			errcode: 400,
+			errtext: fmt.Sprintf("DNS packet parse failure (%s)", err.Error()),
+		}
+	}
+
+	if s.conf.Verbose && len(msg.Question) > 0 {
+		question := &msg.Question[0]
+		questionName := question.Name
+		questionClass := ""
+		if qclass, ok := dns.ClassToString[question.Qclass]; ok {
+			questionClass = qclass
+		} else {
+			questionClass = strconv.FormatUint(uint64(question.Qclass), 10)
+		}
+		questionType := ""
+		if qtype, ok := dns.TypeToString[question.Qtype]; ok {
+			questionType = qtype
+		} else {
+			questionType = strconv.FormatUint(uint64(question.Qtype), 10)
+		}
+		var clientip net.IP = nil
+		if s.conf.LogGuessedIP {
+			clientip = s.findClientIP(r)
+		}
+		if clientip != nil {
+			fmt.Printf("%s - - [%s] \"%s %s %s\"\n", clientip, time.Now().Format("02/Jan/2006:15:04:05 -0700"), questionName, questionClass, questionType)
+		} else {
+			fmt.Printf("%s - - [%s] \"%s %s %s\"\n", r.RemoteAddr, time.Now().Format("02/Jan/2006:15:04:05 -0700"), questionName, questionClass, questionType)
+		}
+	}
+
+	transactionID := msg.Id
+	msg.Id = dns.Id()
+	opt := msg.IsEdns0()
+	if opt == nil {
+		opt = new(dns.OPT)
+		opt.Hdr.Name = "."
+		opt.Hdr.Rrtype = dns.TypeOPT
+		opt.SetUDPSize(dns.DefaultMsgSize)
+		opt.SetDo(false)
+		msg.Extra = append([]dns.RR{opt}, msg.Extra...)
+	}
+	var edns0Subnet *dns.EDNS0_SUBNET
+	for _, option := range opt.Option {
+		if option.Option() == dns.EDNS0SUBNET {
+			edns0Subnet = option.(*dns.EDNS0_SUBNET)
+			break
+		}
+	}
+	isTailored := edns0Subnet == nil
+	if edns0Subnet == nil {
+		ednsClientFamily := uint16(0)
+		ednsClientAddress := s.findClientIP(r)
+		ednsClientNetmask := uint8(255)
+		if ednsClientAddress != nil {
+			if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
+				ednsClientFamily = 1
+				ednsClientAddress = ipv4
+				ednsClientNetmask = 24
+			} else {
+				ednsClientFamily = 2
+				ednsClientNetmask = 56
+			}
+			edns0Subnet = new(dns.EDNS0_SUBNET)
+			edns0Subnet.Code = dns.EDNS0SUBNET
+			edns0Subnet.Family = ednsClientFamily
+			edns0Subnet.SourceNetmask = ednsClientNetmask
+			edns0Subnet.SourceScope = 0
+			edns0Subnet.Address = ednsClientAddress
+			opt.Option = append(opt.Option, edns0Subnet)
+		}
+	}
+
+	return &DNSRequest{
+		request:       msg,
+		transactionID: transactionID,
+		isTailored:    isTailored,
+	}
+}
+
+func (s *Server) generateResponseIETF(ctx context.Context, w http.ResponseWriter, r *http.Request, req *DNSRequest) {
+	respJSON := jsonDNS.Marshal(req.response)
+	req.response.Id = req.transactionID
+	respBytes, err := req.response.Pack()
+	if err != nil {
+		log.Println(err)
+		jsonDNS.FormatError(w, fmt.Sprintf("DNS packet construct failure (%s)", err.Error()), 500)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/dns-message")
+	now := time.Now().UTC().Format(http.TimeFormat)
+	w.Header().Set("Date", now)
+	w.Header().Set("Last-Modified", now)
+	w.Header().Set("Vary", "Accept")
+
+	_ = s.patchFirefoxContentType(w, r, req)
+
+	if respJSON.HaveTTL {
+		if req.isTailored {
+			w.Header().Set("Cache-Control", "private, max-age="+strconv.FormatUint(uint64(respJSON.LeastTTL), 10))
+		} else {
+			w.Header().Set("Cache-Control", "public, max-age="+strconv.FormatUint(uint64(respJSON.LeastTTL), 10))
+		}
+		w.Header().Set("Expires", respJSON.EarliestExpires.Format(http.TimeFormat))
+	}
+
+	if respJSON.Status == dns.RcodeServerFailure {
+		w.WriteHeader(503)
+	}
+	w.Write(respBytes)
+}
+
+// Workaround a bug causing DNSCrypt-Proxy to expect a response with TransactionID = 0xcafe
+func (s *Server) patchDNSCryptProxyReqID(w http.ResponseWriter, r *http.Request, requestBinary []byte) bool {
+	if strings.Contains(r.UserAgent(), "dnscrypt-proxy") && bytes.Equal(requestBinary, []byte("\xca\xfe\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00\x00\x02\x00\x01\x00\x00\x29\x10\x00\x00\x00\x80\x00\x00\x00")) {
+		log.Println("DNSCrypt-Proxy detected. Patching response.")
+		w.Header().Set("Content-Type", "application/dns-message")
+		w.Header().Set("Vary", "Accept, User-Agent")
+		now := time.Now().UTC().Format(http.TimeFormat)
+		w.Header().Set("Date", now)
+		w.Write([]byte("\xca\xfe\x81\x05\x00\x01\x00\x01\x00\x00\x00\x00\x00\x00\x02\x00\x01\x00\x00\x10\x00\x01\x00\x00\x00\x00\x00\xa8\xa7\r\nWorkaround a bug causing DNSCrypt-Proxy to expect a response with TransactionID = 0xcafe\r\nRefer to https://github.com/jedisct1/dnscrypt-proxy/issues/526 for details."))
+		return true
+	}
+	return false
+}
+
+// Workaround a bug causing Firefox 61-62 to reject responses with Content-Type = application/dns-message
+func (s *Server) patchFirefoxContentType(w http.ResponseWriter, r *http.Request, req *DNSRequest) bool {
+	if strings.Contains(r.UserAgent(), "Firefox") && strings.Contains(r.Header.Get("Accept"), "application/dns-udpwireformat") && !strings.Contains(r.Header.Get("Accept"), "application/dns-message") {
+		log.Println("Firefox 61-62 detected. Patching response.")
+		w.Header().Set("Content-Type", "application/dns-udpwireformat")
+		w.Header().Set("Vary", "Accept, User-Agent")
+		req.isTailored = true
+		return true
+	}
+	return false
+}

doh-server/main.go

@@ -1,38 +1,106 @@
 /*
-    DNS-over-HTTPS
-    Copyright (C) 2017 Star Brilliant <m13253@hotmail.com>
+   DNS-over-HTTPS
+   Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
 
-    Permission is hereby granted, free of charge, to any person obtaining a
-    copy of this software and associated documentation files (the "Software"),
-    to deal in the Software without restriction, including without limitation
-    the rights to use, copy, modify, merge, publish, distribute, sublicense,
-    and/or sell copies of the Software, and to permit persons to whom the
-    Software is furnished to do so, subject to the following conditions:
+   Permission is hereby granted, free of charge, to any person obtaining a
+   copy of this software and associated documentation files (the "Software"),
+   to deal in the Software without restriction, including without limitation
+   the rights to use, copy, modify, merge, publish, distribute, sublicense,
+   and/or sell copies of the Software, and to permit persons to whom the
+   Software is furnished to do so, subject to the following conditions:
 
-    The above copyright notice and this permission notice shall be included in
-    all copies or substantial portions of the Software.
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
 
-    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-    FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
-    DEALINGS IN THE SOFTWARE.
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+   DEALINGS IN THE SOFTWARE.
 */
 
 package main
 
 import (
 	"flag"
+	"fmt"
+	"io"
+	"io/ioutil"
 	"log"
+	"os"
+	"runtime"
+	"strconv"
 )
 
+func checkPIDFile(pidFile string) (bool, error) {
+retry:
+	f, err := os.OpenFile(pidFile, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0666)
+	if os.IsExist(err) {
+		pidStr, err := ioutil.ReadFile(pidFile)
+		if err != nil {
+			return false, err
+		}
+		pid, err := strconv.ParseUint(string(pidStr), 10, 0)
+		if err != nil {
+			return false, err
+		}
+		_, err = os.Stat(fmt.Sprintf("/proc/%d", pid))
+		if os.IsNotExist(err) {
+			err = os.Remove(pidFile)
+			if err != nil {
+				return false, err
+			}
+			goto retry
+		} else if err != nil {
+			return false, err
+		}
+		log.Printf("Already running on PID %d, exiting.\n", pid)
+		return false, nil
+	} else if err != nil {
+		return false, err
+	}
+	defer f.Close()
+	_, err = io.WriteString(f, strconv.FormatInt(int64(os.Getpid()), 10))
+	if err != nil {
+		return false, err
+	}
+	return true, nil
+}
+
 func main() {
 	confPath := flag.String("conf", "doh-server.conf", "Configuration file")
 	verbose := flag.Bool("verbose", false, "Enable logging")
+	showVersion := flag.Bool("version", false, "Show software version and exit")
+	var pidFile *string
+
+	// I really want to push the technology forward by recommending cgroup-based
+	// process tracking. But I understand some cloud service providers have
+	// their own monitoring system. So this feature is only enabled on Linux and
+	// BSD series platforms which lacks functionality similar to cgroup.
+	switch runtime.GOOS {
+	case "dragonfly", "freebsd", "linux", "netbsd", "openbsd":
+		pidFile = flag.String("pid-file", "", "PID file for legacy supervision systems lacking support for reliable cgroup-based process tracking")
+	}
+
 	flag.Parse()
 
+	if *showVersion {
+		fmt.Printf("doh-server %s\nHomepage: https://github.com/m13253/dns-over-https\n", VERSION)
+		return
+	}
+
+	if pidFile != nil && *pidFile != "" {
+		ok, err := checkPIDFile(*pidFile)
+		if err != nil {
+			log.Printf("Error checking PID file: %v\n", err)
+		}
+		if !ok {
+			return
+		}
+	}
+
 	conf, err := loadConfig(*confPath)
 	if err != nil {
 		log.Fatalln(err)
@@ -43,8 +111,5 @@ func main() {
 	}
 
 	server := NewServer(conf)
-	err = server.Start()
-	if err != nil {
-		log.Fatalln(err)
-	}
+	_ = server.Start()
 }

doh-server/server.go

@@ -1,60 +1,72 @@
 /*
-    DNS-over-HTTPS
-    Copyright (C) 2017 Star Brilliant <m13253@hotmail.com>
+   DNS-over-HTTPS
+   Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
 
-    Permission is hereby granted, free of charge, to any person obtaining a
-    copy of this software and associated documentation files (the "Software"),
-    to deal in the Software without restriction, including without limitation
-    the rights to use, copy, modify, merge, publish, distribute, sublicense,
-    and/or sell copies of the Software, and to permit persons to whom the
-    Software is furnished to do so, subject to the following conditions:
+   Permission is hereby granted, free of charge, to any person obtaining a
+   copy of this software and associated documentation files (the "Software"),
+   to deal in the Software without restriction, including without limitation
+   the rights to use, copy, modify, merge, publish, distribute, sublicense,
+   and/or sell copies of the Software, and to permit persons to whom the
+   Software is furnished to do so, subject to the following conditions:
 
-    The above copyright notice and this permission notice shall be included in
-    all copies or substantial portions of the Software.
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
 
-    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-    FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
-    DEALINGS IN THE SOFTWARE.
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+   DEALINGS IN THE SOFTWARE.
 */
 
 package main
 
 import (
-	"encoding/json"
+	"context"
 	"fmt"
-	"math/rand"
 	"log"
+	"math/rand"
 	"net"
 	"net/http"
 	"os"
-	"strconv"
 	"strings"
 	"time"
-	"golang.org/x/net/idna"
+
 	"github.com/gorilla/handlers"
+	"github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
-	"../json-dns"
 )
 
 type Server struct {
-	conf		*config
-	udpClient	*dns.Client
-	tcpClient	*dns.Client
-	servemux	*http.ServeMux
+	conf      *config
+	udpClient *dns.Client
+	tcpClient *dns.Client
+	servemux  *http.ServeMux
+}
+
+type DNSRequest struct {
+	request         *dns.Msg
+	response        *dns.Msg
+	transactionID   uint16
+	currentUpstream string
+	isTailored      bool
+	errcode         int
+	errtext         string
 }
 
 func NewServer(conf *config) (s *Server) {
-	s = &Server {
+	s = &Server{
 		conf: conf,
-		udpClient: &dns.Client {
-			Net: "udp",
+		udpClient: &dns.Client{
+			Net:     "udp",
+			UDPSize: dns.DefaultMsgSize,
+			Timeout: time.Duration(conf.Timeout) * time.Second,
 		},
-		tcpClient: &dns.Client {
-			Net: "tcp",
+		tcpClient: &dns.Client{
+			Net:     "tcp",
+			Timeout: time.Duration(conf.Timeout) * time.Second,
 		},
 		servemux: http.NewServeMux(),
 	}
@@ -67,153 +79,130 @@ func (s *Server) Start() error {
 	if s.conf.Verbose {
 		servemux = handlers.CombinedLoggingHandler(os.Stdout, servemux)
 	}
-	if s.conf.Cert != "" || s.conf.Key != "" {
-		return http.ListenAndServeTLS(s.conf.Listen, s.conf.Cert, s.conf.Key, servemux)
-	} else {
-		return http.ListenAndServe(s.conf.Listen, servemux)
+	results := make(chan error, len(s.conf.Listen))
+	for _, addr := range s.conf.Listen {
+		go func(addr string) {
+			var err error
+			if s.conf.Cert != "" || s.conf.Key != "" {
+				err = http.ListenAndServeTLS(addr, s.conf.Cert, s.conf.Key, servemux)
+			} else {
+				err = http.ListenAndServe(addr, servemux)
+			}
+			if err != nil {
+				log.Println(err)
+			}
+			results <- err
+		}(addr)
 	}
+	// wait for all handlers
+	for i := 0; i < cap(results); i++ {
+		err := <-results
+		if err != nil {
+			return err
+		}
+	}
+	close(results)
+	return nil
 }
 
 func (s *Server) handlerFunc(w http.ResponseWriter, r *http.Request) {
-	w.Header().Set("Content-Type", "application/json; charset=UTF-8")
-	w.Header().Set("Server", "DNS-over-HTTPS/1.0 (+https://github.com/m13253/dns-over-https)")
-	w.Header().Set("X-Powered-By", "DNS-over-HTTPS/1.0 (+https://github.com/m13253/dns-over-https)")
+	ctx := r.Context()
 
-	name := r.FormValue("name")
-	if name == "" {
-		jsonDNS.FormatError(w, "Invalid argument value: \"name\"", 400)
-		return
-	}
-	name = strings.ToLower(name)
-	if punycode, err := idna.ToASCII(name); err == nil {
-		name = punycode
-	} else {
-		jsonDNS.FormatError(w, fmt.Sprintf("Invalid argument value: \"name\" = %q (%s)", name, err.Error()), 400)
+	w.Header().Set("Access-Control-Allow-Headers", "Content-Type")
+	w.Header().Set("Access-Control-Allow-Methods", "GET, HEAD, OPTIONS, POST")
+	w.Header().Set("Access-Control-Allow-Origin", "*")
+	w.Header().Set("Access-Control-Max-Age", "3600")
+	w.Header().Set("Server", USER_AGENT)
+	w.Header().Set("X-Powered-By", USER_AGENT)
+
+	if r.Method == "OPTIONS" {
+		w.Header().Set("Content-Length", "0")
 		return
 	}
 
-	rrTypeStr := r.FormValue("type")
-	rrType := uint16(1)
-	if rrTypeStr == "" {
-	} else if v, err := strconv.ParseUint(rrTypeStr, 10, 16); err == nil {
-		rrType = uint16(v)
-	} else if v, ok := dns.StringToType[strings.ToUpper(rrTypeStr)]; ok {
-		rrType = v
-	} else {
-		jsonDNS.FormatError(w, fmt.Sprintf("Invalid argument value: \"type\" = %q", rrTypeStr), 400)
-		return
+	if r.Form == nil {
+		const maxMemory = 32 << 20 // 32 MB
+		r.ParseMultipartForm(maxMemory)
 	}
 
-	cdStr := r.FormValue("cd")
-	cd := false
-	if cdStr == "1" || cdStr == "true" {
-		cd = true
-	} else if cdStr == "0" || cdStr == "false" || cdStr == "" {
-	} else {
-		jsonDNS.FormatError(w, fmt.Sprintf("Invalid argument value: \"cd\" = %q", cdStr), 400)
-		return
-	}
-
-	ednsClientSubnet := r.FormValue("edns_client_subnet")
-	ednsClientFamily := uint16(0)
-	ednsClientAddress := net.IP(nil)
-	ednsClientNetmask := uint8(255)
-	if ednsClientSubnet != "" {
-		if ednsClientSubnet == "0/0" {
-			ednsClientSubnet = "0.0.0.0/0"
-		}
-		slash := strings.IndexByte(ednsClientSubnet, '/')
-		if slash < 0 {
-			ednsClientAddress = net.ParseIP(ednsClientSubnet)
-			if ednsClientAddress == nil {
-				jsonDNS.FormatError(w, fmt.Sprintf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet), 400)
-				return
-			}
-			if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
-				ednsClientFamily = 1
-				ednsClientAddress = ipv4
-				ednsClientNetmask = 24
-			} else {
-				ednsClientFamily = 2
-				ednsClientNetmask = 48
-			}
-		} else {
-			ednsClientAddress = net.ParseIP(ednsClientSubnet[:slash])
-			if ednsClientAddress == nil {
-				jsonDNS.FormatError(w, fmt.Sprintf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet), 400)
-				return
-			}
-			if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
-				ednsClientFamily = 1
-				ednsClientAddress = ipv4
-			} else {
-				ednsClientFamily = 2
-			}
-			netmask, err := strconv.ParseUint(ednsClientSubnet[slash + 1:], 10, 8)
-			if err != nil {
-				jsonDNS.FormatError(w, fmt.Sprintf("Invalid argument value: \"edns_client_subnet\" = %q (%s)", ednsClientSubnet, err.Error()), 400)
-				return
-			}
-			ednsClientNetmask = uint8(netmask)
-		}
-	} else {
-		ednsClientAddress = s.findClientIP(r)
-		if ednsClientAddress == nil {
-			ednsClientNetmask = 0
-		} else if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
-			ednsClientFamily = 1
-			ednsClientAddress = ipv4
-			ednsClientNetmask = 24
-		} else {
-			ednsClientFamily = 2
-			ednsClientNetmask = 48
+	for _, header := range s.conf.DebugHTTPHeaders {
+		if value := r.Header.Get(header); value != "" {
+			log.Printf("%s: %s\n", header, value)
 		}
 	}
 
-	msg := new(dns.Msg)
-	msg.SetQuestion(dns.Fqdn(name), rrType)
-	msg.CheckingDisabled = cd
-	opt := new(dns.OPT)
-	opt.Hdr.Name = "."
-	opt.Hdr.Rrtype = dns.TypeOPT
-	opt.SetUDPSize(4096)
-	opt.SetDo(true)
-	if ednsClientAddress != nil {
-		edns0Subnet := new(dns.EDNS0_SUBNET)
-		edns0Subnet.Code = dns.EDNS0SUBNET
-		edns0Subnet.Family = ednsClientFamily
-		edns0Subnet.SourceNetmask = ednsClientNetmask
-		edns0Subnet.SourceScope = 0
-		edns0Subnet.Address = ednsClientAddress
-		opt.Option = append(opt.Option, edns0Subnet)
+	contentType := r.Header.Get("Content-Type")
+	if ct := r.FormValue("ct"); ct != "" {
+		contentType = ct
+	}
+	if contentType == "" {
+		// Guess request Content-Type based on other parameters
+		if r.FormValue("name") != "" {
+			contentType = "application/dns-json"
+		} else if r.FormValue("dns") != "" {
+			contentType = "application/dns-message"
+		}
+	}
+	var responseType string
+	for _, responseCandidate := range strings.Split(r.Header.Get("Accept"), ",") {
+		responseCandidate = strings.SplitN(responseCandidate, ";", 2)[0]
+		if responseCandidate == "application/json" {
+			responseType = "application/json"
+			break
+		} else if responseCandidate == "application/dns-udpwireformat" {
+			responseType = "application/dns-message"
+			break
+		} else if responseCandidate == "application/dns-message" {
+			responseType = "application/dns-message"
+			break
+		}
+	}
+	if responseType == "" {
+		// Guess response Content-Type based on request Content-Type
+		if contentType == "application/dns-json" {
+			responseType = "application/json"
+		} else if contentType == "application/dns-message" {
+			responseType = "application/dns-message"
+		} else if contentType == "application/dns-udpwireformat" {
+			responseType = "application/dns-message"
+		}
 	}
-	msg.Extra = append(msg.Extra, opt)
 
-	resp, err := s.doDNSQuery(msg)
+	var req *DNSRequest
+	if contentType == "application/dns-json" {
+		req = s.parseRequestGoogle(ctx, w, r)
+	} else if contentType == "application/dns-message" {
+		req = s.parseRequestIETF(ctx, w, r)
+	} else if contentType == "application/dns-udpwireformat" {
+		req = s.parseRequestIETF(ctx, w, r)
+	} else {
+		jsonDNS.FormatError(w, fmt.Sprintf("Invalid argument value: \"ct\" = %q", contentType), 415)
+		return
+	}
+	if req.errcode == 444 {
+		return
+	}
+	if req.errcode != 0 {
+		jsonDNS.FormatError(w, req.errtext, req.errcode)
+		return
+	}
+
+	req = s.patchRootRD(req)
+
+	var err error
+	req, err = s.doDNSQuery(ctx, req)
 	if err != nil {
 		jsonDNS.FormatError(w, fmt.Sprintf("DNS query failure (%s)", err.Error()), 503)
 		return
 	}
-	respJson := jsonDNS.Marshal(resp)
-	respStr, err := json.Marshal(respJson)
-	if err != nil {
-		log.Println(err)
-		jsonDNS.FormatError(w, fmt.Sprintf("DNS packet parse failure (%s)", err.Error()), 500)
-		return
-	}
 
-	if respJson.HaveTTL {
-		if ednsClientSubnet != "" {
-			w.Header().Set("Cache-Control", "public, max-age=" + strconv.Itoa(int(respJson.LeastTTL)))
-		} else {
-			w.Header().Set("Cache-Control", "private, max-age=" + strconv.Itoa(int(respJson.LeastTTL)))
-		}
-		w.Header().Set("Expires", respJson.EarliestExpires.Format(time.RFC1123))
+	if responseType == "application/json" {
+		s.generateResponseGoogle(ctx, w, r, req)
+	} else if responseType == "application/dns-message" {
+		s.generateResponseIETF(ctx, w, r, req)
+	} else {
+		panic("Unknown response Content-Type")
 	}
-	if respJson.Status == dns.RcodeServerFailure {
-		w.WriteHeader(503)
-	}
-	w.Write(respStr)
 }
 
 func (s *Server) findClientIP(r *http.Request) net.IP {
@@ -245,23 +234,34 @@ func (s *Server) findClientIP(r *http.Request) net.IP {
 	return nil
 }
 
-func (s *Server) doDNSQuery(msg *dns.Msg) (resp *dns.Msg, err error) {
-	num_servers := len(s.conf.Upstream)
+// Workaround a bug causing Unbound to refuse returning anything about the root
+func (s *Server) patchRootRD(req *DNSRequest) *DNSRequest {
+	for _, question := range req.request.Question {
+		if question.Name == "." {
+			req.request.RecursionDesired = true
+		}
+	}
+	return req
+}
+
+func (s *Server) doDNSQuery(ctx context.Context, req *DNSRequest) (resp *DNSRequest, err error) {
+	// TODO(m13253): Make ctx work. Waiting for a patch for ExchangeContext from miekg/dns.
+	numServers := len(s.conf.Upstream)
 	for i := uint(0); i < s.conf.Tries; i++ {
-		server := s.conf.Upstream[rand.Intn(num_servers)]
+		req.currentUpstream = s.conf.Upstream[rand.Intn(numServers)]
 		if !s.conf.TCPOnly {
-			resp, _, err = s.udpClient.Exchange(msg, server)
-			if err == dns.ErrTruncated {
+			req.response, _, err = s.udpClient.Exchange(req.request, req.currentUpstream)
+			if err == nil && req.response != nil && req.response.Truncated {
 				log.Println(err)
-				resp, _, err = s.tcpClient.Exchange(msg, server)
+				req.response, _, err = s.tcpClient.Exchange(req.request, req.currentUpstream)
 			}
 		} else {
-			resp, _, err = s.tcpClient.Exchange(msg, server)
+			req.response, _, err = s.tcpClient.Exchange(req.request, req.currentUpstream)
 		}
 		if err == nil {
-			return
+			return req, nil
 		}
-		log.Println(err)
+		log.Printf("DNS error from upstream %s: %s\n", req.currentUpstream, err.Error())
 	}
-	return
+	return req, err
 }

doh-server/version.go

@@ -0,0 +1,29 @@
+/*
+   DNS-over-HTTPS
+   Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
+
+   Permission is hereby granted, free of charge, to any person obtaining a
+   copy of this software and associated documentation files (the "Software"),
+   to deal in the Software without restriction, including without limitation
+   the rights to use, copy, modify, merge, publish, distribute, sublicense,
+   and/or sell copies of the Software, and to permit persons to whom the
+   Software is furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+   DEALINGS IN THE SOFTWARE.
+*/
+
+package main
+
+const (
+	VERSION    = "2.0.0"
+	USER_AGENT = "DNS-over-HTTPS/" + VERSION + " (+https://github.com/m13253/dns-over-https)"
+)

go.mod

@@ -0,0 +1,13 @@
+module github.com/m13253/dns-over-https
+
+go 1.12
+
+require (
+	github.com/BurntSushi/toml v0.3.1
+	github.com/gorilla/handlers v1.4.0
+	github.com/miekg/dns v1.1.6
+	golang.org/x/crypto v0.0.0-20190313024323-a1f597ede03a // indirect
+	golang.org/x/net v0.0.0-20190311183353-d8887717615a
+	golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6 // indirect
+	golang.org/x/sys v0.0.0-20190312061237-fead79001313 // indirect
+)

go.sum

@@ -0,0 +1,25 @@
+github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/gorilla/handlers v1.4.0 h1:XulKRWSQK5uChr4pEgSE4Tc/OcmnU9GJuSwdog/tZsA=
+github.com/gorilla/handlers v1.4.0/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ=
+github.com/miekg/dns v1.1.4 h1:rCMZsU2ScVSYcAsOXgmC6+AKOK+6pmQTOcw03nfwYV0=
+github.com/miekg/dns v1.1.4/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
+github.com/miekg/dns v1.1.6 h1:jVwb4GDwD65q/gtItR/lIZHjNH93QfeGxZUkzJcW9mc=
+github.com/miekg/dns v1.1.6/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190313024323-a1f597ede03a h1:YX8ljsm6wXlHZO+aRz9Exqr0evNhKRNe5K/gi+zKh4U=
+golang.org/x/crypto v0.0.0-20190313024323-a1f597ede03a/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/net v0.0.0-20190301231341-16b79f2e4e95 h1:fY7Dsw114eJN4boqzVSbpVHO6rTdhq6/GnXeu+PKnzU=
+golang.org/x/net v0.0.0-20190301231341-16b79f2e4e95/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a h1:oWX7TPOiFAMXLq8o0ikBYfCJVlRHBcsciT5bXOrH628=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6 h1:bjcUS9ztw9kFmmIxJInhon/0Is3p+EHBKNgquIzo1OI=
+golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190308023053-584f3b12f43e h1:K7CV15oJ823+HLXQ+M7MSMrUg8LjfqY7O3naO+8Pp/I=
+golang.org/x/sys v0.0.0-20190308023053-584f3b12f43e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190312061237-fead79001313 h1:pczuHS43Cp2ktBEEmLwScxgjWsBSzdaQiKzUyf3DTTc=
+golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

json-dns/error.go

@@ -1,24 +1,24 @@
 /*
-    DNS-over-HTTPS
-    Copyright (C) 2017 Star Brilliant <m13253@hotmail.com>
+   DNS-over-HTTPS
+   Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
 
-    Permission is hereby granted, free of charge, to any person obtaining a
-    copy of this software and associated documentation files (the "Software"),
-    to deal in the Software without restriction, including without limitation
-    the rights to use, copy, modify, merge, publish, distribute, sublicense,
-    and/or sell copies of the Software, and to permit persons to whom the
-    Software is furnished to do so, subject to the following conditions:
+   Permission is hereby granted, free of charge, to any person obtaining a
+   copy of this software and associated documentation files (the "Software"),
+   to deal in the Software without restriction, including without limitation
+   the rights to use, copy, modify, merge, publish, distribute, sublicense,
+   and/or sell copies of the Software, and to permit persons to whom the
+   Software is furnished to do so, subject to the following conditions:
 
-    The above copyright notice and this permission notice shall be included in
-    all copies or substantial portions of the Software.
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
 
-    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-    FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
-    DEALINGS IN THE SOFTWARE.
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+   DEALINGS IN THE SOFTWARE.
 */
 
 package jsonDNS
@@ -27,17 +27,19 @@ import (
 	"encoding/json"
 	"log"
 	"net/http"
+
 	"github.com/miekg/dns"
 )
 
 type dnsError struct {
-	Status				uint32		`json:"Status"`
-	Comment				string		`json:"Comment,omitempty"`
+	Status  uint32 `json:"Status"`
+	Comment string `json:"Comment,omitempty"`
 }
 
 func FormatError(w http.ResponseWriter, comment string, errcode int) {
-	errJson := dnsError {
-		Status: dns.RcodeServerFailure,
+	w.Header().Set("Content-Type", "application/json; charset=UTF-8")
+	errJson := dnsError{
+		Status:  dns.RcodeServerFailure,
 		Comment: comment,
 	}
 	errStr, err := json.Marshal(errJson)

json-dns/globalip.go

@@ -1,24 +1,24 @@
 /*
-    DNS-over-HTTPS
-    Copyright (C) 2017 Star Brilliant <m13253@hotmail.com>
+   DNS-over-HTTPS
+   Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
 
-    Permission is hereby granted, free of charge, to any person obtaining a
-    copy of this software and associated documentation files (the "Software"),
-    to deal in the Software without restriction, including without limitation
-    the rights to use, copy, modify, merge, publish, distribute, sublicense,
-    and/or sell copies of the Software, and to permit persons to whom the
-    Software is furnished to do so, subject to the following conditions:
+   Permission is hereby granted, free of charge, to any person obtaining a
+   copy of this software and associated documentation files (the "Software"),
+   to deal in the Software without restriction, including without limitation
+   the rights to use, copy, modify, merge, publish, distribute, sublicense,
+   and/or sell copies of the Software, and to permit persons to whom the
+   Software is furnished to do so, subject to the following conditions:
 
-    The above copyright notice and this permission notice shall be included in
-    all copies or substantial portions of the Software.
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
 
-    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-    FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
-    DEALINGS IN THE SOFTWARE.
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+   DEALINGS IN THE SOFTWARE.
 */
 
 package jsonDNS
@@ -28,80 +28,80 @@ import (
 )
 
 // RFC6890
-var localIPv4Nets = []net.IPNet {
+var localIPv4Nets = []net.IPNet{
 	// This host on this network
-	net.IPNet {
-		net.IP { 0, 0, 0, 0 },
-		net.IPMask { 255, 0, 0, 0 },
+	net.IPNet{
+		net.IP{0, 0, 0, 0},
+		net.IPMask{255, 0, 0, 0},
 	},
 	// Private-Use Networks
-	net.IPNet {
-		net.IP { 10, 0, 0, 0 },
-		net.IPMask { 255, 0, 0, 0 },
+	net.IPNet{
+		net.IP{10, 0, 0, 0},
+		net.IPMask{255, 0, 0, 0},
 	},
 	// Shared Address Space
-	net.IPNet {
-		net.IP { 100, 64, 0, 0 },
-		net.IPMask { 255, 192, 0, 0 },
+	net.IPNet{
+		net.IP{100, 64, 0, 0},
+		net.IPMask{255, 192, 0, 0},
 	},
 	// Loopback
-	net.IPNet {
-		net.IP { 127, 0, 0, 0 },
-		net.IPMask { 255, 0, 0, 0 },
+	net.IPNet{
+		net.IP{127, 0, 0, 0},
+		net.IPMask{255, 0, 0, 0},
 	},
 	// Link Local
-	net.IPNet {
-		net.IP { 169, 254, 0, 0 },
-		net.IPMask { 255, 255, 0, 0 },
+	net.IPNet{
+		net.IP{169, 254, 0, 0},
+		net.IPMask{255, 255, 0, 0},
 	},
 	// Private-Use Networks
-	net.IPNet {
-		net.IP { 172, 16, 0, 0 },
-		net.IPMask { 255, 240, 0, 0 },
+	net.IPNet{
+		net.IP{172, 16, 0, 0},
+		net.IPMask{255, 240, 0, 0},
 	},
 	// DS-Lite
-	net.IPNet {
-		net.IP { 192, 0, 0, 0 },
-		net.IPMask { 255, 255, 255, 248 },
+	net.IPNet{
+		net.IP{192, 0, 0, 0},
+		net.IPMask{255, 255, 255, 248},
 	},
 	// 6to4 Relay Anycast
-	net.IPNet {
-		net.IP { 192, 88, 99, 0 },
-		net.IPMask { 255, 255, 255, 0 },
+	net.IPNet{
+		net.IP{192, 88, 99, 0},
+		net.IPMask{255, 255, 255, 0},
 	},
 	// Private-Use Networks
-	net.IPNet {
-		net.IP { 192, 168, 0, 0 },
-		net.IPMask { 255, 255, 0, 0 },
+	net.IPNet{
+		net.IP{192, 168, 0, 0},
+		net.IPMask{255, 255, 0, 0},
 	},
 	// Reserved for Future Use & Limited Broadcast
-	net.IPNet {
-		net.IP { 240, 0, 0, 0 },
-		net.IPMask { 240, 0, 0, 0 },
+	net.IPNet{
+		net.IP{240, 0, 0, 0},
+		net.IPMask{240, 0, 0, 0},
 	},
 }
 
 // RFC6890
-var localIPv6Nets = []net.IPNet {
+var localIPv6Nets = []net.IPNet{
 	// Unspecified & Loopback Address
-	net.IPNet {
-		net.IP { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
-		net.IPMask { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe },
+	net.IPNet{
+		net.IP{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		net.IPMask{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe},
 	},
 	// Discard-Only Prefix
-	net.IPNet {
-		net.IP { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
-		net.IPMask { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+	net.IPNet{
+		net.IP{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		net.IPMask{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
 	},
 	// Unique-Local
-	net.IPNet {
-		net.IP { 0xfc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
-		net.IPMask { 0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+	net.IPNet{
+		net.IP{0xfc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		net.IPMask{0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
 	},
 	// Linked-Scoped Unicast
-	net.IPNet {
-		net.IP { 0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
-		net.IPMask { 0xff, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+	net.IPNet{
+		net.IP{0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		net.IPMask{0xff, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
 	},
 }
 

json-dns/marshal.go

@@ -1,24 +1,24 @@
 /*
-    DNS-over-HTTPS
-    Copyright (C) 2017 Star Brilliant <m13253@hotmail.com>
+   DNS-over-HTTPS
+   Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
 
-    Permission is hereby granted, free of charge, to any person obtaining a
-    copy of this software and associated documentation files (the "Software"),
-    to deal in the Software without restriction, including without limitation
-    the rights to use, copy, modify, merge, publish, distribute, sublicense,
-    and/or sell copies of the Software, and to permit persons to whom the
-    Software is furnished to do so, subject to the following conditions:
+   Permission is hereby granted, free of charge, to any person obtaining a
+   copy of this software and associated documentation files (the "Software"),
+   to deal in the Software without restriction, including without limitation
+   the rights to use, copy, modify, merge, publish, distribute, sublicense,
+   and/or sell copies of the Software, and to permit persons to whom the
+   Software is furnished to do so, subject to the following conditions:
 
-    The above copyright notice and this permission notice shall be included in
-    all copies or substantial portions of the Software.
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
 
-    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-    FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
-    DEALINGS IN THE SOFTWARE.
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+   DEALINGS IN THE SOFTWARE.
 */
 
 package jsonDNS
@@ -28,6 +28,7 @@ import (
 	"strconv"
 	"strings"
 	"time"
+
 	"github.com/miekg/dns"
 )
 
@@ -44,7 +45,7 @@ func Marshal(msg *dns.Msg) *Response {
 
 	resp.Question = make([]Question, 0, len(msg.Question))
 	for _, question := range msg.Question {
-		jsonQuestion := Question {
+		jsonQuestion := Question{
 			Name: question.Name,
 			Type: question.Qtype,
 		}
@@ -85,11 +86,11 @@ func Marshal(msg *dns.Msg) *Response {
 					edns0 := option.(*dns.EDNS0_SUBNET)
 					clientAddress := edns0.Address
 					if clientAddress == nil {
-						clientAddress = net.IP { 0, 0, 0, 0 }
+						clientAddress = net.IP{0, 0, 0, 0}
 					} else if ipv4 := clientAddress.To4(); ipv4 != nil {
 						clientAddress = ipv4
 					}
-					resp.EdnsClientSubnet = clientAddress.String() + "/" + strconv.Itoa(int(edns0.SourceScope))
+					resp.EdnsClientSubnet = clientAddress.String() + "/" + strconv.FormatUint(uint64(edns0.SourceScope), 10)
 				}
 			}
 			continue
@@ -106,7 +107,7 @@ func Marshal(msg *dns.Msg) *Response {
 }
 
 func marshalRR(rr dns.RR, now time.Time) RR {
-	jsonRR := RR {}
+	jsonRR := RR{}
 	rrHeader := rr.Header()
 	jsonRR.Name = rrHeader.Name
 	jsonRR.Type = rrHeader.Rrtype

json-dns/response.go

@@ -1,24 +1,24 @@
 /*
-    DNS-over-HTTPS
-    Copyright (C) 2017 Star Brilliant <m13253@hotmail.com>
+   DNS-over-HTTPS
+   Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
 
-    Permission is hereby granted, free of charge, to any person obtaining a
-    copy of this software and associated documentation files (the "Software"),
-    to deal in the Software without restriction, including without limitation
-    the rights to use, copy, modify, merge, publish, distribute, sublicense,
-    and/or sell copies of the Software, and to permit persons to whom the
-    Software is furnished to do so, subject to the following conditions:
+   Permission is hereby granted, free of charge, to any person obtaining a
+   copy of this software and associated documentation files (the "Software"),
+   to deal in the Software without restriction, including without limitation
+   the rights to use, copy, modify, merge, publish, distribute, sublicense,
+   and/or sell copies of the Software, and to permit persons to whom the
+   Software is furnished to do so, subject to the following conditions:
 
-    The above copyright notice and this permission notice shall be included in
-    all copies or substantial portions of the Software.
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
 
-    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-    FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
-    DEALINGS IN THE SOFTWARE.
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+   DEALINGS IN THE SOFTWARE.
 */
 
 package jsonDNS
@@ -29,44 +29,44 @@ import (
 
 type Response struct {
 	// Standard DNS response code (32 bit integer)
-	Status				uint32		`json:"Status"`
+	Status uint32 `json:"Status"`
 	// Whether the response is truncated
-	TC					bool		`json:"TC"`
+	TC bool `json:"TC"`
 	// Recursion desired
-	RD					bool		`json:"RD"`
+	RD bool `json:"RD"`
 	// Recursion available
-	RA					bool		`json:"RA"`
+	RA bool `json:"RA"`
 	// Whether all response data was validated with DNSSEC
 	// FIXME: We don't have DNSSEC yet! This bit is not reliable!
-	AD					bool		`json:"AD"`
+	AD bool `json:"AD"`
 	// Whether the client asked to disable DNSSEC
-	CD					bool		`json:"CD"`
-	Question			[]Question	`json:"Question"`
-	Answer				[]RR		`json:"Answer,omitempty"`
-	Authority			[]RR		`json:"Authority,omitempty"`
-	Additional			[]RR		`json:"Additional,omitempty"`
-	Comment				string		`json:"Comment,omitempty"`
-	EdnsClientSubnet	string		`json:"edns_client_subnet,omitempty"`
+	CD               bool       `json:"CD"`
+	Question         []Question `json:"Question"`
+	Answer           []RR       `json:"Answer,omitempty"`
+	Authority        []RR       `json:"Authority,omitempty"`
+	Additional       []RR       `json:"Additional,omitempty"`
+	Comment          string     `json:"Comment,omitempty"`
+	EdnsClientSubnet string     `json:"edns_client_subnet,omitempty"`
 	// Least time-to-live
-	HaveTTL				bool		`json:"-"`
-	LeastTTL			uint32		`json:"-"`
-	EarliestExpires		time.Time	`json:"-"`
+	HaveTTL         bool      `json:"-"`
+	LeastTTL        uint32    `json:"-"`
+	EarliestExpires time.Time `json:"-"`
 }
 
 type Question struct {
 	// FQDN with trailing dot
-	Name				string		`json:"name"`
+	Name string `json:"name"`
 	// Standard DNS RR type
-	Type				uint16		`json:"type"`
+	Type uint16 `json:"type"`
 }
 
 type RR struct {
 	Question
 	// Record's time-to-live in seconds
-	TTL					uint32		`json:"TTL"`
+	TTL uint32 `json:"TTL"`
 	// TTL in absolute time
-	Expires				time.Time	`json:"-"`
-	ExpiresStr			string		`json:"Expires"`
+	Expires    time.Time `json:"-"`
+	ExpiresStr string    `json:"Expires"`
 	// Data
-	Data				string		`json:"data"`
+	Data string `json:"data"`
 }

json-dns/unmarshal.go

@@ -1,24 +1,24 @@
 /*
-    DNS-over-HTTPS
-    Copyright (C) 2017 Star Brilliant <m13253@hotmail.com>
+   DNS-over-HTTPS
+   Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
 
-    Permission is hereby granted, free of charge, to any person obtaining a
-    copy of this software and associated documentation files (the "Software"),
-    to deal in the Software without restriction, including without limitation
-    the rights to use, copy, modify, merge, publish, distribute, sublicense,
-    and/or sell copies of the Software, and to permit persons to whom the
-    Software is furnished to do so, subject to the following conditions:
+   Permission is hereby granted, free of charge, to any person obtaining a
+   copy of this software and associated documentation files (the "Software"),
+   to deal in the Software without restriction, including without limitation
+   the rights to use, copy, modify, merge, publish, distribute, sublicense,
+   and/or sell copies of the Software, and to permit persons to whom the
+   Software is furnished to do so, subject to the following conditions:
 
-    The above copyright notice and this permission notice shall be included in
-    all copies or substantial portions of the Software.
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
 
-    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-    FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
-    DEALINGS IN THE SOFTWARE.
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+   DEALINGS IN THE SOFTWARE.
 */
 
 package jsonDNS
@@ -30,6 +30,7 @@ import (
 	"strconv"
 	"strings"
 	"time"
+
 	"github.com/miekg/dns"
 )
 
@@ -77,7 +78,7 @@ func Unmarshal(msg *dns.Msg, resp *Response, udpSize uint16, ednsClientNetmask u
 		}
 	}
 
-	reply.Extra = make([]dns.RR, 0, len(resp.Additional) + 1)
+	reply.Extra = make([]dns.RR, 0, len(resp.Additional)+1)
 	opt := new(dns.OPT)
 	opt.Hdr.Name = "."
 	opt.Hdr.Rrtype = dns.TypeOPT
@@ -94,20 +95,20 @@ func Unmarshal(msg *dns.Msg, resp *Response, udpSize uint16, ednsClientNetmask u
 	if ednsClientSubnet != "" {
 		slash := strings.IndexByte(ednsClientSubnet, '/')
 		if slash < 0 {
-			log.Println(UnmarshalError { "Invalid client subnet" })
+			log.Println(UnmarshalError{"Invalid client subnet"})
 		} else {
 			ednsClientAddress = net.ParseIP(ednsClientSubnet[:slash])
 			if ednsClientAddress == nil {
-				log.Println(UnmarshalError { "Invalid client subnet address" })
+				log.Println(UnmarshalError{"Invalid client subnet address"})
 			} else if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
 				ednsClientFamily = 1
 				ednsClientAddress = ipv4
 			} else {
 				ednsClientFamily = 2
 			}
-			scope, err := strconv.ParseUint(ednsClientSubnet[slash + 1:], 10, 8)
+			scope, err := strconv.ParseUint(ednsClientSubnet[slash+1:], 10, 8)
 			if err != nil {
-				log.Println(UnmarshalError { "Invalid client subnet address" })
+				log.Println(UnmarshalError{"Invalid client subnet address"})
 			} else {
 				ednsClientScope = uint8(scope)
 			}
@@ -118,7 +119,7 @@ func Unmarshal(msg *dns.Msg, resp *Response, udpSize uint16, ednsClientNetmask u
 			if ednsClientFamily == 1 {
 				ednsClientNetmask = 24
 			} else {
-				ednsClientNetmask = 48
+				ednsClientNetmask = 56
 			}
 		}
 		edns0Subnet := new(dns.EDNS0_SUBNET)
@@ -147,12 +148,12 @@ func Unmarshal(msg *dns.Msg, resp *Response, udpSize uint16, ednsClientNetmask u
 
 func unmarshalRR(rr RR, now time.Time) (dnsRR dns.RR, err error) {
 	if strings.ContainsAny(rr.Name, "\t\r\n \"();\\") {
-		return nil, UnmarshalError { fmt.Sprintf("Record name contains space: %q", rr.Name) }
+		return nil, UnmarshalError{fmt.Sprintf("Record name contains space: %q", rr.Name)}
 	}
 	if rr.ExpiresStr != "" {
 		rr.Expires, err = time.Parse(time.RFC1123, rr.ExpiresStr)
 		if err != nil {
-			return nil, UnmarshalError { fmt.Sprintf("Invalid expire time: %q", rr.ExpiresStr) }
+			return nil, UnmarshalError{fmt.Sprintf("Invalid expire time: %q", rr.ExpiresStr)}
 		}
 		ttl := rr.Expires.Sub(now) / time.Second
 		if ttl >= 0 && ttl <= 0xffffffff {
@@ -161,10 +162,10 @@ func unmarshalRR(rr RR, now time.Time) (dnsRR dns.RR, err error) {
 	}
 	rrType, ok := dns.TypeToString[rr.Type]
 	if !ok {
-		return nil, UnmarshalError { fmt.Sprintf("Unknown record type: %d", rr.Type) }
+		return nil, UnmarshalError{fmt.Sprintf("Unknown record type: %d", rr.Type)}
 	}
 	if strings.ContainsAny(rr.Data, "\r\n") {
-		return nil, UnmarshalError { fmt.Sprintf("Record data contains newline: %q", rr.Data) }
+		return nil, UnmarshalError{fmt.Sprintf("Record data contains newline: %q", rr.Data)}
 	}
 	zone := fmt.Sprintf("%s %d IN %s %s", rr.Name, rr.TTL, rrType, rr.Data)
 	dnsRR, err = dns.NewRR(zone)
@@ -172,7 +173,7 @@ func unmarshalRR(rr RR, now time.Time) (dnsRR dns.RR, err error) {
 }
 
 type UnmarshalError struct {
-	err		string
+	err string
 }
 
 func (e UnmarshalError) Error() string {

launchd/Makefile

@@ -0,0 +1,16 @@
+.PHONY: install uninstall
+
+PREFIX = /usr/local
+LAUNCHD_DIR = /Library/LaunchDaemons
+
+install:
+	mkdir -p "$(DESTDIR)$(LAUNCHD_DIR)"
+	install -m0644 doh-client.plist "$(DESTDIR)$(LAUNCHD_DIR)/doh-client.plist"
+	install -m0644 doh-server.plist "$(DESTDIR)$(LAUNCHD_DIR)/doh-server.plist"
+	@echo
+	@echo 'Note:'
+	@echo '    Use "sudo launchctl load $(DESTDIR)$(LAUNCHD_DIR)/doh-client.plist" to start doh-client,'
+	@echo '    use "sudo launchctl load -w $(DESTDIR)$(LAUNCHD_DIR)/doh-server.plist" to enable doh-server.'
+
+uninstall:
+	rm -f "$(DESTDIR)$(LAUNCHD_DIR)/doh-client.plist" "$(DESTDIR)$(LAUNCHD_DIR)/doh-server.plist"

launchd/doh-client.plist

@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+	<dict>
+		<key>Label</key>
+		<string>org.eu.starlab.doh.client</string>
+		<key>ProgramArguments</key>
+		<array>
+			<string>/usr/local/bin/doh-logger</string>
+			<string>doh-client</string>
+			<string>/usr/local/bin/doh-client</string>
+			<string>-conf</string>
+			<string>/usr/local/etc/dns-over-https/doh-client.conf</string>
+		</array>
+		<key>RunAtLoad</key>
+		<true/>
+		<key>UserName</key>
+		<string>root</string>
+		<key>GroupName</key>
+		<string>wheel</string>
+		<key>KeepAlive</key>
+		<dict>
+			<key>SuccessfulExit</key>
+			<false/>
+		</dict>
+		<key>ThrottleInterval</key>
+		<integer>5</integer>
+	</dict>
+</plist>

launchd/doh-server.plist

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+	<dict>
+		<key>Label</key>
+		<string>org.eu.starlab.doh.server</string>
+		<key>ProgramArguments</key>
+		<array>
+			<string>/usr/local/bin/doh-logger</string>
+			<string>doh-server</string>
+			<string>/usr/local/bin/doh-server</string>
+			<string>-conf</string>
+			<string>/usr/local/etc/dns-over-https/doh-server.conf</string>
+		</array>
+		<key>Disabled</key>
+		<true/>
+		<key>RunAtLoad</key>
+		<true/>
+		<key>UserName</key>
+		<string>root</string>
+		<key>GroupName</key>
+		<string>wheel</string>
+		<key>KeepAlive</key>
+		<dict>
+			<key>SuccessfulExit</key>
+			<false/>
+		</dict>
+		<key>ThrottleInterval</key>
+		<integer>5</integer>
+	</dict>
+</plist>

systemd/Makefile

@@ -1,6 +1,5 @@
 .PHONY: install uninstall
 
-PREFIX = /usr/local
 SYSTEMD_DIR = /usr/lib/systemd
 SYSTEMD_UNIT_DIR = $(SYSTEMD_DIR)/system
 

systemd/doh-client.service

@@ -1,5 +1,6 @@
 [Unit]
 Description=DNS-over-HTTPS Client
+Documentation=https://github.com/m13253/dns-over-https
 After=network.target
 Before=nss-lookup.target
 Wants=nss-lookup.target

systemd/doh-server.service

@@ -1,5 +1,6 @@
 [Unit]
 Description=DNS-over-HTTPS Server
+Documentation=https://github.com/m13253/dns-over-https
 After=network.target
 
 [Service]