Update to IETF draft-06

Makefile

@@ -3,24 +3,41 @@
 GOBUILD=go build
 GOGET=go get -d -v
 PREFIX=/usr/local
+ifeq ($(shell uname),Darwin)
+	CONFDIR=/usr/local/etc/dns-over-https
+else
+	CONFDIR=/etc/dns-over-https
+endif
 
 all: doh-client/doh-client doh-server/doh-server
 
 clean:
 	rm -f doh-client/doh-client doh-server/doh-server
 
-install: doh-client/doh-client doh-server/doh-server
-	install -Dm0755 doh-client/doh-client "$(DESTDIR)$(PREFIX)/bin/doh-client"
-	install -Dm0755 doh-server/doh-server "$(DESTDIR)$(PREFIX)/bin/doh-server"
-	[ -e "$(DESTDIR)/etc/dns-over-https/doh-client.conf" ] || install -Dm0644 doh-client/doh-client.conf "$(DESTDIR)/etc/dns-over-https/doh-client.conf"
-	[ -e "$(DESTDIR)/etc/dns-over-https/doh-server.conf" ] || install -Dm0644 doh-server/doh-server.conf "$(DESTDIR)/etc/dns-over-https/doh-server.conf"
-	$(MAKE) -C systemd install "DESTDIR=$(DESTDIR)" "PREFIX=$(PREFIX)"
-	$(MAKE) -C NetworkManager install "DESTDIR=$(DESTDIR)" "PREFIX=$(PREFIX)"
+install:
+	[ -e doh-client/doh-client ] || $(MAKE) doh-client/doh-client
+	[ -e doh-server/doh-server ] || $(MAKE) doh-server/doh-server
+	mkdir -p "$(DESTDIR)$(PREFIX)/bin/"
+	install -m0755 doh-client/doh-client "$(DESTDIR)$(PREFIX)/bin/doh-client"
+	install -m0755 doh-server/doh-server "$(DESTDIR)$(PREFIX)/bin/doh-server"
+	mkdir -p "$(DESTDIR)$(CONFDIR)/"
+	[ -e "$(DESTDIR)$(CONFDIR)/doh-client.conf" ] || install -m0644 doh-client/doh-client.conf "$(DESTDIR)$(CONFDIR)/doh-client.conf"
+	[ -e "$(DESTDIR)$(CONFDIR)/doh-server.conf" ] || install -m0644 doh-server/doh-server.conf "$(DESTDIR)$(CONFDIR)/doh-server.conf"
+	if [ "`uname`" = "Linux" ]; then \
+		$(MAKE) -C systemd install "DESTDIR=$(DESTDIR)"; \
+		$(MAKE) -C NetworkManager install "DESTDIR=$(DESTDIR)"; \
+	elif [ "`uname`" = "Darwin" ]; then \
+		$(MAKE) -C launchd install "DESTDIR=$(DESTDIR)"; \
+	fi
 
 uninstall:
 	rm -f "$(DESTDIR)$(PREFIX)/bin/doh-client" "$(DESTDIR)$(PREFIX)/bin/doh-server"
-	$(MAKE) -C systemd uninstall "DESTDIR=$(DESTDIR)" "PREFIX=$(PREFIX)"
-	$(MAKE) -C NetworkManager uninstall "DESTDIR=$(DESTDIR)" "PREFIX=$(PREFIX)"
+	if [ "`uname`" = "Linux" ]; then \
+		$(MAKE) -C systemd uninstall "DESTDIR=$(DESTDIR)"; \
+		$(MAKE) -C NetworkManager uninstall "DESTDIR=$(DESTDIR)"; \
+	elif [ "`uname`" = "Darwin" ]; then \
+		$(MAKE) -C launchd uninstall "DESTDIR=$(DESTDIR)"; \
+	fi
 
 deps:
 	$(GOGET) ./doh-client ./doh-server

Readme.md

@@ -85,7 +85,7 @@ server. This is useful for GeoDNS and CDNs to work, and is exactly the same
 configuration as most public DNS servers.
 
 Keep in mind that /24 is not enough to track a single user, although it is
-precise enough to know the city where the user is from. If you think
+precise enough to know the city where the user is located. If you think
 EDNS0-Client-Subnet is affecting your privacy, you can set `no_ecs = true` in
 `/etc/dns-over-https/doh-client.conf`, with the cost of slower video streaming
 or software downloading speed.

doh-client/client.go

@@ -31,20 +31,24 @@ import (
 	"net/http"
 	"net/http/cookiejar"
 	"strings"
+	"sync"
 	"time"
 
-	"../json-dns"
+	"github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
 	"golang.org/x/net/http2"
 )
 
 type Client struct {
-	conf          *config
-	bootstrap     []string
-	udpServer     *dns.Server
-	tcpServer     *dns.Server
-	httpTransport *http.Transport
-	httpClient    *http.Client
+	conf              *config
+	bootstrap         []string
+	udpServer         *dns.Server
+	tcpServer         *dns.Server
+	bootstrapResolver *net.Resolver
+	cookieJar         *cookiejar.Jar
+	httpClientMux     *sync.RWMutex
+	httpTransport     *http.Transport
+	httpClient        *http.Client
 }
 
 type DNSRequest struct {
@@ -71,7 +75,7 @@ func NewClient(conf *config) (c *Client, err error) {
 		Net:     "tcp",
 		Handler: dns.HandlerFunc(c.tcpHandlerFunc),
 	}
-	bootResolver := net.DefaultResolver
+	c.bootstrapResolver = net.DefaultResolver
 	if len(conf.Bootstrap) != 0 {
 		c.bootstrap = make([]string, len(conf.Bootstrap))
 		for i, bootstrap := range conf.Bootstrap {
@@ -84,7 +88,7 @@ func NewClient(conf *config) (c *Client, err error) {
 			}
 			c.bootstrap[i] = bootstrapAddr.String()
 		}
-		bootResolver = &net.Resolver{
+		c.bootstrapResolver = &net.Resolver{
 			PreferGo: true,
 			Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
 				var d net.Dialer
@@ -95,33 +99,53 @@ func NewClient(conf *config) (c *Client, err error) {
 			},
 		}
 	}
-	c.httpTransport = new(http.Transport)
+	// Most CDNs require Cookie support to prevent DDoS attack.
+	// Disabling Cookie does not effectively prevent tracking,
+	// so I will leave it on to make anti-DDoS services happy.
+	if !c.conf.NoCookies {
+		c.cookieJar, err = cookiejar.New(nil)
+		if err != nil {
+			return nil, err
+		}
+	}
+	c.httpClientMux = new(sync.RWMutex)
+	err = c.newHTTPClient()
+	if err != nil {
+		return nil, err
+	}
+	return c, nil
+}
+
+func (c *Client) newHTTPClient() error {
+	c.httpClientMux.Lock()
+	defer c.httpClientMux.Unlock()
+	if c.httpTransport != nil {
+		c.httpTransport.CloseIdleConnections()
+	}
 	c.httpTransport = &http.Transport{
 		DialContext: (&net.Dialer{
-			Timeout:   time.Duration(conf.Timeout) * time.Second,
+			Timeout:   time.Duration(c.conf.Timeout) * time.Second,
 			KeepAlive: 30 * time.Second,
 			DualStack: true,
-			Resolver:  bootResolver,
+			Resolver:  c.bootstrapResolver,
 		}).DialContext,
 		ExpectContinueTimeout: 1 * time.Second,
 		IdleConnTimeout:       90 * time.Second,
 		MaxIdleConns:          100,
 		MaxIdleConnsPerHost:   10,
 		Proxy:                 http.ProxyFromEnvironment,
-		ResponseHeaderTimeout: time.Duration(conf.Timeout) * time.Second,
-		TLSHandshakeTimeout:   time.Duration(conf.Timeout) * time.Second,
+		ResponseHeaderTimeout: time.Duration(c.conf.Timeout) * time.Second,
+		TLSHandshakeTimeout:   time.Duration(c.conf.Timeout) * time.Second,
 	}
-	http2.ConfigureTransport(c.httpTransport)
-	// Most CDNs require Cookie support to prevent DDoS attack
-	cookieJar, err := cookiejar.New(nil)
+	err := http2.ConfigureTransport(c.httpTransport)
 	if err != nil {
-		return nil, err
+		return err
 	}
 	c.httpClient = &http.Client{
 		Transport: c.httpTransport,
-		Jar:       cookieJar,
+		Jar:       c.cookieJar,
 	}
-	return c, nil
+	return nil
 }
 
 func (c *Client) Start() error {
@@ -156,23 +180,23 @@ func (c *Client) handlerFunc(w dns.ResponseWriter, r *dns.Msg, isTCP bool) {
 
 	requestType := ""
 	if len(c.conf.UpstreamIETF) == 0 {
-		requestType = "application/x-www-form-urlencoded"
+		requestType = "application/dns-json"
 	} else if len(c.conf.UpstreamGoogle) == 0 {
-		requestType = "application/dns-udpwireformat"
+		requestType = "message/dns"
 	} else {
 		numServers := len(c.conf.UpstreamGoogle) + len(c.conf.UpstreamIETF)
 		random := rand.Intn(numServers)
 		if random < len(c.conf.UpstreamGoogle) {
-			requestType = "application/x-www-form-urlencoded"
+			requestType = "application/dns-json"
 		} else {
-			requestType = "application/dns-udpwireformat"
+			requestType = "message/dns"
 		}
 	}
 
 	var req *DNSRequest
-	if requestType == "application/x-www-form-urlencoded" {
+	if requestType == "application/dns-json" {
 		req = c.generateRequestGoogle(w, r, isTCP)
-	} else if requestType == "application/dns-udpwireformat" {
+	} else if requestType == "message/dns" {
 		req = c.generateRequestIETF(w, r, isTCP)
 	} else {
 		panic("Unknown request Content-Type")
@@ -186,19 +210,21 @@ func (c *Client) handlerFunc(w dns.ResponseWriter, r *dns.Msg, isTCP bool) {
 	candidateType := strings.SplitN(req.response.Header.Get("Content-Type"), ";", 2)[0]
 	if candidateType == "application/json" {
 		contentType = "application/json"
+	} else if candidateType == "message/dns" {
+		contentType = "message/dns"
 	} else if candidateType == "application/dns-udpwireformat" {
-		contentType = "application/dns-udpwireformat"
+		contentType = "message/dns"
 	} else {
-		if requestType == "application/x-www-form-urlencoded" {
+		if requestType == "application/dns-json" {
 			contentType = "application/json"
-		} else if requestType == "application/dns-udpwireformat" {
-			contentType = "application/dns-udpwireformat"
+		} else if requestType == "message/dns" {
+			contentType = "message/dns"
 		}
 	}
 
 	if contentType == "application/json" {
 		c.parseResponseGoogle(w, r, isTCP, req)
-	} else if contentType == "application/dns-udpwireformat" {
+	} else if contentType == "message/dns" {
 		c.parseResponseIETF(w, r, isTCP, req)
 	} else {
 		panic("Unknown response Content-Type")

doh-client/config.go

@@ -35,6 +35,7 @@ type config struct {
 	UpstreamIETF   []string `toml:"upstream_ietf"`
 	Bootstrap      []string `toml:"bootstrap"`
 	Timeout        uint     `toml:"timeout"`
+	NoCookies      bool     `toml:"no_cookies"`
 	NoECS          bool     `toml:"no_ecs"`
 	Verbose        bool     `toml:"verbose"`
 }

doh-client/doh-client.conf

@@ -4,24 +4,62 @@ listen = "127.0.0.1:53"
 # HTTP path for upstream resolver
 # If multiple servers are specified, a random one will be chosen each time.
 upstream_google = [
+
+    # Google's productive resolver, good ECS, bad DNSSEC
     "https://dns.google.com/resolve",
+
+    # CloudFlare's resolver, bad ECS, good DNSSEC
+    #"https://cloudflare-dns.com/dns-query",
+    #"https://1.1.1.1/dns-query",
+    #"https://1.0.0.1/dns-query",
+
 ]
 upstream_ietf = [
+
+    # Google's experimental resolver, good ECS, good DNSSEC
     #"https://dns.google.com/experimental",
+
+    # CloudFlare's resolver, bad ECS, good DNSSEC
+    #"https://cloudflare-dns.com/dns-query",
+    #"https://1.1.1.1/dns-query",
+    #"https://1.0.0.1/dns-query",
+
 ]
 
 # Bootstrap DNS server to resolve the address of the upstream resolver
 # If multiple servers are specified, a random one will be chosen each time.
 # If empty, use the system DNS settings.
+# If you want to preload IP addresses in /etc/hosts instead of using a
+# bootstrap server, please make this list empty.
 bootstrap = [
+
+    # Google's resolver, bad ECS, good DNSSEC
     "8.8.8.8:53",
     "8.8.4.4:53",
+
+    # CloudFlare's resolver, bad ECS, good DNSSEC
+    #"1.1.1.1:53",
+    #"1.0.0.1:53",
+
 ]
 
 # Timeout for upstream request
 timeout = 10
 
-# Disable EDNS0-Client-Subnet, do not send client's IP address
+# Disable HTTP Cookies
+#
+# Cookies may be useful if your upstream resolver is protected by some
+# anti-DDoS services to identify clients.
+# Note that DNS Cookies (an DNS protocol extension to DNS) also has the ability
+# to track uesrs and is not controlled by doh-client.
+no_cookies = false
+
+# Disable EDNS0-Client-Subnet (ECS)
+#
+# DNS-over-HTTPS supports EDNS0-Client-Subnet protocol, which submits part of
+# the client's IP address (/24 for IPv4, /48 for IPv6 by default) to the
+# upstream server. This is useful for GeoDNS and CDNs to work, and is exactly
+# the same configuration as most public DNS servers.
 no_ecs = false
 
 # Enable logging

doh-client/google.go

@@ -35,7 +35,7 @@ import (
 	"strings"
 	"time"
 
-	"../json-dns"
+	"github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
 )
 
@@ -66,7 +66,7 @@ func (c *Client) generateRequestGoogle(w dns.ResponseWriter, r *dns.Msg, isTCP b
 
 	numServers := len(c.conf.UpstreamGoogle)
 	upstream := c.conf.UpstreamGoogle[rand.Intn(numServers)]
-	requestURL := fmt.Sprintf("%s?name=%s&type=%s", upstream, url.QueryEscape(questionName), url.QueryEscape(questionType))
+	requestURL := fmt.Sprintf("%s?ct=application/dns-json&name=%s&type=%s", upstream, url.QueryEscape(questionName), url.QueryEscape(questionType))
 
 	if r.CheckingDisabled {
 		requestURL += "&cd=1"
@@ -91,14 +91,19 @@ func (c *Client) generateRequestGoogle(w dns.ResponseWriter, r *dns.Msg, isTCP b
 			err: err,
 		}
 	}
-	req.Header.Set("Accept", "application/json, application/dns-udpwireformat")
+	req.Header.Set("Accept", "application/json, message/dns, application/dns-udpwireformat")
 	req.Header.Set("User-Agent", "DNS-over-HTTPS/1.1 (+https://github.com/m13253/dns-over-https)")
+	c.httpClientMux.RLock()
 	resp, err := c.httpClient.Do(req)
+	c.httpClientMux.RUnlock()
 	if err != nil {
 		log.Println(err)
 		reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(reply)
-		c.httpTransport.CloseIdleConnections()
+		err1 := c.newHTTPClient()
+		if err1 != nil {
+			log.Fatalln(err1)
+		}
 		return &DNSRequest{
 			err: err,
 		}

doh-client/ietf.go

@@ -36,7 +36,7 @@ import (
 	"strings"
 	"time"
 
-	"../json-dns"
+	"github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
 )
 
@@ -128,6 +128,7 @@ func (c *Client) generateRequestIETF(w dns.ResponseWriter, r *dns.Msg, isTCP boo
 	numServers := len(c.conf.UpstreamIETF)
 	upstream := c.conf.UpstreamIETF[rand.Intn(numServers)]
 	requestURL := fmt.Sprintf("%s?ct=application/dns-udpwireformat&dns=%s", upstream, requestBase64)
+	//requestURL := fmt.Sprintf("%s?ct=message/dns&dns=%s", upstream, requestBase64)
 
 	var req *http.Request
 	if len(requestURL) < 2048 {
@@ -150,16 +151,21 @@ func (c *Client) generateRequestIETF(w dns.ResponseWriter, r *dns.Msg, isTCP boo
 				err: err,
 			}
 		}
-		req.Header.Set("Content-Type", "application/dns-udpwireformat")
+		req.Header.Set("Content-Type", "message/dns")
 	}
-	req.Header.Set("Accept", "application/dns-udpwireformat, application/json")
+	req.Header.Set("Accept", "message/dns, application/dns-udpwireformat, application/json")
 	req.Header.Set("User-Agent", "DNS-over-HTTPS/1.1 (+https://github.com/m13253/dns-over-https)")
+	c.httpClientMux.RLock()
 	resp, err := c.httpClient.Do(req)
+	c.httpClientMux.RUnlock()
 	if err != nil {
 		log.Println(err)
 		reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(reply)
-		c.httpTransport.CloseIdleConnections()
+		err1 := c.newHTTPClient()
+		if err1 != nil {
+			log.Fatalln(err1)
+		}
 		return &DNSRequest{
 			err: err,
 		}
@@ -179,7 +185,7 @@ func (c *Client) parseResponseIETF(w dns.ResponseWriter, r *dns.Msg, isTCP bool,
 		log.Printf("HTTP error: %s\n", req.response.Status)
 		req.reply.Rcode = dns.RcodeServerFailure
 		contentType := req.response.Header.Get("Content-Type")
-		if contentType != "application/dns-udpwireformat" && !strings.HasPrefix(contentType, "application/dns-udpwireformat;") {
+		if contentType != "message/dns" && !strings.HasPrefix(contentType, "message/dns;") {
 			w.WriteMsg(req.reply)
 			return
 		}

doh-server/google.go

@@ -33,7 +33,7 @@ import (
 	"strings"
 	"time"
 
-	"../json-dns"
+	"github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
 	"golang.org/x/net/idna"
 )

doh-server/ietf.go

@@ -32,7 +32,7 @@ import (
 	"strconv"
 	"time"
 
-	"../json-dns"
+	"github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
 )
 
@@ -45,7 +45,7 @@ func (s *Server) parseRequestIETF(w http.ResponseWriter, r *http.Request) *DNSRe
 			errtext: fmt.Sprintf("Invalid argument value: \"dns\" = %q", requestBase64),
 		}
 	}
-	if len(requestBinary) == 0 && r.Header.Get("Content-Type") == "application/dns-udpwireformat" {
+	if len(requestBinary) == 0 && (r.Header.Get("Content-Type") == "message/dns" || r.Header.Get("Content-Type") == "application/dns-udpwireformat") {
 		requestBinary, err = ioutil.ReadAll(r.Body)
 		if err != nil {
 			return &DNSRequest{
@@ -144,7 +144,7 @@ func (s *Server) generateResponseIETF(w http.ResponseWriter, r *http.Request, re
 		return
 	}
 
-	w.Header().Set("Content-Type", "application/dns-udpwireformat")
+	w.Header().Set("Content-Type", "message/dns")
 	now := time.Now().UTC().Format(http.TimeFormat)
 	w.Header().Set("Date", now)
 	w.Header().Set("Last-Modified", now)

doh-server/server.go

@@ -33,8 +33,8 @@ import (
 	"strings"
 	"time"
 
-	"../json-dns"
 	"github.com/gorilla/handlers"
+	"github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
 )
 
@@ -96,34 +96,41 @@ func (s *Server) handlerFunc(w http.ResponseWriter, r *http.Request) {
 	if contentType == "" {
 		// Guess request Content-Type based on other parameters
 		if r.FormValue("name") != "" {
-			contentType = "application/x-www-form-urlencoded"
+			contentType = "application/dns-json"
 		} else if r.FormValue("dns") != "" {
-			contentType = "application/dns-udpwireformat"
+			contentType = "message/dns"
 		}
 	}
 	var responseType string
 	for _, responseCandidate := range strings.Split(r.Header.Get("Accept"), ",") {
-		responseCandidate = strings.ToLower(strings.SplitN(responseCandidate, ";", 2)[0])
+		responseCandidate = strings.SplitN(responseCandidate, ";", 2)[0]
 		if responseCandidate == "application/json" {
 			responseType = "application/json"
 			break
 		} else if responseCandidate == "application/dns-udpwireformat" {
-			responseType = "application/dns-udpwireformat"
+			responseType = "message/dns"
+			break
+		} else if responseCandidate == "message/dns" {
+			responseType = "message/dns"
 			break
 		}
 	}
 	if responseType == "" {
 		// Guess response Content-Type based on request Content-Type
-		if contentType == "application/x-www-form-urlencoded" {
+		if contentType == "application/dns-json" {
 			responseType = "application/json"
+		} else if contentType == "message/dns" {
+			responseType = "message/dns"
 		} else if contentType == "application/dns-udpwireformat" {
-			responseType = "application/dns-udpwireformat"
+			responseType = "message/dns"
 		}
 	}
 
 	var req *DNSRequest
-	if contentType == "application/x-www-form-urlencoded" {
+	if contentType == "application/dns-json" {
 		req = s.parseRequestGoogle(w, r)
+	} else if contentType == "message/dns" {
+		req = s.parseRequestIETF(w, r)
 	} else if contentType == "application/dns-udpwireformat" {
 		req = s.parseRequestIETF(w, r)
 	} else {
@@ -144,7 +151,7 @@ func (s *Server) handlerFunc(w http.ResponseWriter, r *http.Request) {
 
 	if responseType == "application/json" {
 		s.generateResponseGoogle(w, r, req)
-	} else if responseType == "application/dns-udpwireformat" {
+	} else if responseType == "message/dns" {
 		s.generateResponseIETF(w, r, req)
 	} else {
 		panic("Unknown response Content-Type")

launchd/Makefile

@@ -0,0 +1,16 @@
+.PHONY: install uninstall
+
+PREFIX = /usr/local
+LAUNCHD_DIR = /Library/LaunchDaemons
+
+install:
+	mkdir -p "$(DESTDIR)$(LAUNCHD_DIR)"
+	install -m0644 doh-client.plist "$(DESTDIR)$(LAUNCHD_DIR)/doh-client.plist"
+	install -m0644 doh-server.plist "$(DESTDIR)$(LAUNCHD_DIR)/doh-server.plist"
+	@echo
+	@echo 'Note:'
+	@echo '    Use "sudo launchctl load $(DESTDIR)$(LAUNCHD_DIR)/doh-client.plist" to start doh-client,'
+	@echo '    use "sudo launchctl load -w $(DESTDIR)$(LAUNCHD_DIR)/doh-server.plist" to enable doh-server.'
+
+uninstall:
+	rm -f "$(DESTDIR)$(LAUNCHD_DIR)/doh-client.plist" "$(DESTDIR)$(LAUNCHD_DIR)/doh-server.plist"

launchd/doh-client.plist

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+	<dict>
+		<key>Label</key>
+		<string>org.eu.starlab.doh.client</string>
+		<key>ProgramArguments</key>
+		<array>
+			<string>/usr/local/bin/doh-client</string>
+			<string>-conf</string>
+			<string>/usr/local/etc/dns-over-https/doh-client.conf</string>
+		</array>
+		<key>RunAtLoad</key>
+		<true/>
+		<key>UserName</key>
+		<string>root</string>
+		<key>GroupName</key>
+		<string>wheel</string>
+		<key>KeepAlive</key>
+		<dict>
+			<key>SuccessfulExit</key>
+			<false/>
+		</dict>
+		<key>ThrottleInterval</key>
+		<integer>5</integer>
+	</dict>
+</plist>

launchd/doh-server.plist

@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+	<dict>
+		<key>Label</key>
+		<string>org.eu.starlab.doh.server</string>
+		<key>ProgramArguments</key>
+		<array>
+			<string>/usr/local/bin/doh-server</string>
+			<string>-conf</string>
+			<string>/usr/local/etc/dns-over-https/doh-server.conf</string>
+		</array>
+		<key>Disabled</key>
+		<true/>
+		<key>RunAtLoad</key>
+		<true/>
+		<key>UserName</key>
+		<string>root</string>
+		<key>GroupName</key>
+		<string>wheel</string>
+		<key>KeepAlive</key>
+		<dict>
+			<key>SuccessfulExit</key>
+			<false/>
+		</dict>
+		<key>ThrottleInterval</key>
+		<integer>5</integer>
+	</dict>
+</plist>

systemd/Makefile

@@ -1,6 +1,5 @@
 .PHONY: install uninstall
 
-PREFIX = /usr/local
 SYSTEMD_DIR = /usr/lib/systemd
 SYSTEMD_UNIT_DIR = $(SYSTEMD_DIR)/system