Release 1.3.5

Hopefully we can improve the availability of DoH under unstable network environments.

Changelog.md

@@ -4,6 +4,17 @@ This Changelog records major changes between versions.
 
 Not all changes are recorded. Please check git log for details.
 
+## Version 1.3.5
+
+- Limit the frequency of creating HTTP client on bad network condition
+
+## Version 1.3.4
+
+- doh-client now silently fails in case of network error to prevent caching of SERVFAIL
+- EDNS0 is now inserted to the beginning of OPT section, to ensure DNSSEC signatures are at the end
+- Improve building system
+- Update documents
+
 ## Version 1.3.3
 
 - Take User-Agent out of common library, that would be better for packaging

Makefile

@@ -45,8 +45,8 @@ deps:
 	$(GOGET_UPDATE) github.com/m13253/dns-over-https/json-dns
 	$(GOGET) ./doh-client ./doh-server
 
-doh-client/doh-client: deps doh-client/client.go doh-client/config.go doh-client/google.go doh-client/ietf.go doh-client/main.go json-dns/error.go json-dns/globalip.go json-dns/marshal.go json-dns/response.go json-dns/unmarshal.go
+doh-client/doh-client: deps doh-client/client.go doh-client/config.go doh-client/google.go doh-client/ietf.go doh-client/main.go doh-client/version.go json-dns/error.go json-dns/globalip.go json-dns/marshal.go json-dns/response.go json-dns/unmarshal.go
 	cd doh-client && $(GOBUILD)
 
-doh-server/doh-server: deps doh-server/config.go doh-server/google.go doh-server/ietf.go doh-server/main.go doh-server/server.go json-dns/error.go json-dns/globalip.go json-dns/marshal.go json-dns/response.go json-dns/unmarshal.go
+doh-server/doh-server: deps doh-server/config.go doh-server/google.go doh-server/ietf.go doh-server/main.go doh-server/server.go doh-server/version.go json-dns/error.go json-dns/globalip.go json-dns/marshal.go json-dns/response.go json-dns/unmarshal.go
 	cd doh-server && $(GOBUILD)

Readme.md

@@ -70,6 +70,9 @@ The following is a typical DNS-over-HTTPS architecture:
 Although DNS-over-HTTPS can work alone, a HTTP service muxer would be useful as
 you can host DNS-over-HTTPS along with other HTTPS services.
 
+HTTP/2 with at least TLS v1.3 is recommended. OCSP stapling must be enabled,
+otherwise DNS recursion may happen.
+
 ## DNSSEC
 
 DNS-over-HTTPS is compatible with DNSSEC, and requests DNSSEC signatures by
@@ -90,8 +93,10 @@ EDNS0-Client-Subnet is affecting your privacy, you can set `no_ecs = true` in
 `/etc/dns-over-https/doh-client.conf`, with the cost of slower video streaming
 or software downloading speed.
 
-If your server is backed by `unbound` or `bind`, you probably want to enable
-the EDNS0-Client-Subnet feature in their configuration files as well.
+To ultilize ECS, `X-Forwarded-For` or `X-Real-IP` should be enabled on your
+HTTP service muxer. If your server is backed by `unbound` or `bind`, you
+probably want to configure it to enable the EDNS0-Client-Subnet feature as
+well.
 
 ## Protocol compatibility
 

doh-client/client.go

@@ -40,15 +40,16 @@ import (
 )
 
 type Client struct {
-	conf              *config
-	bootstrap         []string
-	udpServers        []*dns.Server
-	tcpServers        []*dns.Server
-	bootstrapResolver *net.Resolver
-	cookieJar         *cookiejar.Jar
-	httpClientMux     *sync.RWMutex
-	httpTransport     *http.Transport
-	httpClient        *http.Client
+	conf                 *config
+	bootstrap            []string
+	udpServers           []*dns.Server
+	tcpServers           []*dns.Server
+	bootstrapResolver    *net.Resolver
+	cookieJar            *cookiejar.Jar
+	httpClientMux        *sync.RWMutex
+	httpTransport        *http.Transport
+	httpClient           *http.Client
+	httpClientLastCreate time.Time
 }
 
 type DNSRequest struct {
@@ -65,19 +66,19 @@ func NewClient(conf *config) (c *Client, err error) {
 		conf: conf,
 	}
 
-	udpH := dns.HandlerFunc(c.udpHandlerFunc)
-	tcpH := dns.HandlerFunc(c.tcpHandlerFunc)
+	udpHandler := dns.HandlerFunc(c.udpHandlerFunc)
+	tcpHandler := dns.HandlerFunc(c.tcpHandlerFunc)
 	for _, addr := range conf.Listen {
 		c.udpServers = append(c.udpServers, &dns.Server{
 			Addr:    addr,
 			Net:     "udp",
-			Handler: udpH,
-			UDPSize: 4096,
+			Handler: udpHandler,
+			UDPSize: dns.DefaultMsgSize,
 		})
 		c.tcpServers = append(c.tcpServers, &dns.Server{
 			Addr:    addr,
 			Net:     "tcp",
-			Handler: tcpH,
+			Handler: tcpHandler,
 		})
 	}
 	c.bootstrapResolver = net.DefaultResolver
@@ -124,6 +125,9 @@ func NewClient(conf *config) (c *Client, err error) {
 func (c *Client) newHTTPClient() error {
 	c.httpClientMux.Lock()
 	defer c.httpClientMux.Unlock()
+	if !c.httpClientLastCreate.IsZero() && time.Now().Sub(c.httpClientLastCreate) < time.Duration(c.conf.Timeout)*time.Second {
+		return nil
+	}
 	if c.httpTransport != nil {
 		c.httpTransport.CloseIdleConnections()
 	}
@@ -150,6 +154,7 @@ func (c *Client) newHTTPClient() error {
 		Transport: c.httpTransport,
 		Jar:       c.cookieJar,
 	}
+	c.httpClientLastCreate = time.Now()
 	return nil
 }
 

doh-client/doh-client.conf

@@ -47,7 +47,7 @@ bootstrap = [
 ]
 
 # Timeout for upstream request
-timeout = 10
+timeout = 30
 
 # Disable HTTP Cookies
 #

doh-client/ietf.go

@@ -73,9 +73,9 @@ func (c *Client) generateRequestIETF(w dns.ResponseWriter, r *dns.Msg, isTCP boo
 		opt = new(dns.OPT)
 		opt.Hdr.Name = "."
 		opt.Hdr.Rrtype = dns.TypeOPT
-		opt.SetUDPSize(4096)
+		opt.SetUDPSize(dns.DefaultMsgSize)
 		opt.SetDo(false)
-		r.Extra = append(r.Extra, opt)
+		r.Extra = append([]dns.RR{opt}, r.Extra...)
 	} else {
 		udpSize = opt.UDPSize()
 	}
@@ -134,9 +134,8 @@ func (c *Client) generateRequestIETF(w dns.ResponseWriter, r *dns.Msg, isTCP boo
 	if len(requestURL) < 2048 {
 		req, err = http.NewRequest("GET", requestURL, nil)
 		if err != nil {
+			// Do not respond, silently fail to prevent caching of SERVFAIL
 			log.Println(err)
-			reply.Rcode = dns.RcodeServerFailure
-			w.WriteMsg(reply)
 			return &DNSRequest{
 				err: err,
 			}
@@ -144,9 +143,8 @@ func (c *Client) generateRequestIETF(w dns.ResponseWriter, r *dns.Msg, isTCP boo
 	} else {
 		req, err = http.NewRequest("POST", upstream, bytes.NewReader(requestBinary))
 		if err != nil {
+			// Do not respond, silently fail to prevent caching of SERVFAIL
 			log.Println(err)
-			reply.Rcode = dns.RcodeServerFailure
-			w.WriteMsg(reply)
 			return &DNSRequest{
 				err: err,
 			}

doh-client/version.go

@@ -23,5 +23,7 @@
 
 package main
 
-const VERSION = "1.3.3"
-const USER_AGENT = "DNS-over-HTTPS/" + VERSION + " (+https://github.com/m13253/dns-over-https)"
+const (
+	VERSION    = "1.3.5"
+	USER_AGENT = "DNS-over-HTTPS/" + VERSION + " (+https://github.com/m13253/dns-over-https)"
+)

doh-server/google.go

@@ -150,7 +150,7 @@ func (s *Server) parseRequestGoogle(w http.ResponseWriter, r *http.Request) *DNS
 	opt := new(dns.OPT)
 	opt.Hdr.Name = "."
 	opt.Hdr.Rrtype = dns.TypeOPT
-	opt.SetUDPSize(4096)
+	opt.SetUDPSize(dns.DefaultMsgSize)
 	opt.SetDo(true)
 	if ednsClientAddress != nil {
 		edns0Subnet := new(dns.EDNS0_SUBNET)

doh-server/ietf.go

@@ -93,9 +93,9 @@ func (s *Server) parseRequestIETF(w http.ResponseWriter, r *http.Request) *DNSRe
 		opt = new(dns.OPT)
 		opt.Hdr.Name = "."
 		opt.Hdr.Rrtype = dns.TypeOPT
-		opt.SetUDPSize(4096)
+		opt.SetUDPSize(dns.DefaultMsgSize)
 		opt.SetDo(false)
-		msg.Extra = append(msg.Extra, opt)
+		msg.Extra = append([]dns.RR{opt}, msg.Extra...)
 	}
 	var edns0Subnet *dns.EDNS0_SUBNET
 	for _, option := range opt.Option {

doh-server/server.go

@@ -58,6 +58,7 @@ func NewServer(conf *config) (s *Server) {
 		conf: conf,
 		udpClient: &dns.Client{
 			Net:     "udp",
+			UDPSize: dns.DefaultMsgSize,
 			Timeout: time.Duration(conf.Timeout) * time.Second,
 		},
 		tcpClient: &dns.Client{

doh-server/version.go

@@ -23,5 +23,7 @@
 
 package main
 
-const VERSION = "1.3.3"
-const USER_AGENT = "DNS-over-HTTPS/" + VERSION + " (+https://github.com/m13253/dns-over-https)"
+const (
+	VERSION    = "1.3.5"
+	USER_AGENT = "DNS-over-HTTPS/" + VERSION + " (+https://github.com/m13253/dns-over-https)"
+)