Release 1.3.9

This is to avoid confusions like issue #12

Changelog.md

@@ -4,6 +4,29 @@ This Changelog records major changes between versions.
 
 Not all changes are recorded. Please check git log for details.
 
+## Version 1.3.9
+
+- Fix client crash with `no_cookies = true`
+- Add 5380 as an additional default doh-client port
+- If `$GOROOT` is defined, Makefile now respects the value for the convenience of Debian/Ubuntu users
+- Change the ECS prefix length from /48 to /56 for IPv6, per RFC 7871
+
+## Version 1.3.8
+
+- Workaround a bug causing Firefox 61-62 to reject responses with Content-Type = application/dns-message
+- Workaround a bug causing DNSCrypt-Proxy to expect a response with TransactionID = 0xcafe
+- TransactionID is now preserved to maintain compatibility with some clients
+- Turn on `no_cookies` by default according to the IETF draft
+- Update Documentation
+
+## Version 1.3.7
+
+- Add CloudFlare DNS resolver for Tor to the preset
+- It is now able to print upstream information if error happens
+- Updated default configuration files are now installed to `*.conf.example`
+- Workaround a bug causing Unbound to refuse returning anything about the root
+- Workaround a bug causing DNSCrypt-Proxy to expect a response with TransactionID = 0xcafe
+
 ## Version 1.3.6
 
 - We have a logger for macOS platform now, so logs can be sent to Console.app

Makefile

@@ -1,13 +1,21 @@
 .PHONY: all clean install uninstall deps
 
-GOBUILD=go build
-GOGET=go get -d -v
-GOGET_UPDATE=go get -d -u -v
-PREFIX=/usr/local
-ifeq ($(shell uname),Darwin)
-	CONFDIR=/usr/local/etc/dns-over-https
+PREFIX = /usr/local
+
+ifeq ($(GOROOT),)
+GOBUILD = go build
+GOGET = go get -d -v
+GOGET_UPDATE = go get -d -u -v
 else
-	CONFDIR=/etc/dns-over-https
+GOBUILD = $(GOROOT)/bin/go build
+GOGET = $(GOROOT)/bin/go get -d -v
+GOGET_UPDATE = $(GOROOT)/bin/go get -d -u -v
+endif
+
+ifeq ($(shell uname),Darwin)
+CONFDIR = /usr/local/etc/dns-over-https
+else
+CONFDIR = /etc/dns-over-https
 endif
 
 all: doh-client/doh-client doh-server/doh-server
@@ -28,6 +36,8 @@ install:
 	install -m0755 doh-client/doh-client "$(DESTDIR)$(PREFIX)/bin/doh-client"
 	install -m0755 doh-server/doh-server "$(DESTDIR)$(PREFIX)/bin/doh-server"
 	mkdir -p "$(DESTDIR)$(CONFDIR)/"
+	install -m0644 doh-client/doh-client.conf "$(DESTDIR)$(CONFDIR)/doh-client.conf.example"
+	install -m0644 doh-server/doh-server.conf "$(DESTDIR)$(CONFDIR)/doh-server.conf.example"
 	[ -e "$(DESTDIR)$(CONFDIR)/doh-client.conf" ] || install -m0644 doh-client/doh-client.conf "$(DESTDIR)$(CONFDIR)/doh-client.conf"
 	[ -e "$(DESTDIR)$(CONFDIR)/doh-server.conf" ] || install -m0644 doh-server/doh-server.conf "$(DESTDIR)$(CONFDIR)/doh-server.conf"
 	if [ "`uname`" = "Linux" ]; then \
@@ -39,7 +49,7 @@ install:
 	fi
 
 uninstall:
-	rm -f "$(DESTDIR)$(PREFIX)/bin/doh-client" "$(DESTDIR)$(PREFIX)/bin/doh-server"
+	rm -f "$(DESTDIR)$(PREFIX)/bin/doh-client" "$(DESTDIR)$(PREFIX)/bin/doh-server" "$(DESTDIR)$(CONFDIR)/doh-client.conf.example" "$(DESTDIR)$(CONFDIR)/doh-server.conf.example"
 	if [ "`uname`" = "Linux" ]; then \
 		$(MAKE) -C systemd uninstall "DESTDIR=$(DESTDIR)"; \
 		$(MAKE) -C NetworkManager uninstall "DESTDIR=$(DESTDIR)"; \

Readme.md

@@ -8,6 +8,8 @@ and [draft-ietf-doh-dns-over-https](https://github.com/dohwg/draft-ietf-doh-dns-
 
 Install [Go](https://golang.org), at least version 1.9.
 
+(Note for Debian/Ubuntu users: You need to set `$GOROOT` if you could not get your new version of Go selected by the Makefile.)
+
 First create an empty directory, used for `$GOPATH`:
 
     mkdir ~/gopath
@@ -83,7 +85,7 @@ records.
 ## EDNS0-Client-Subnet (GeoDNS)
 
 DNS-over-HTTPS supports EDNS0-Client-Subnet protocol, which submits part of the
-client's IP address (/24 for IPv4, /48 for IPv6 by default) to the upstream
+client's IP address (/24 for IPv4, /56 for IPv6 by default) to the upstream
 server. This is useful for GeoDNS and CDNs to work, and is exactly the same
 configuration as most public DNS servers.
 
@@ -119,7 +121,13 @@ Currently supported features are:
 
 - [X] IPv4 / IPv6
 - [X] EDNS0 large UDP packet (4 KiB by default)
-- [X] EDNS0-Client-Subnet (/24 for IPv4, /48 for IPv6 by default)
+- [X] EDNS0-Client-Subnet (/24 for IPv4, /56 for IPv6 by default)
+
+## The name of the project
+
+This project is named "DNS-over-HTTPS" because it was written before the IETF DoH project. Although this project is compatible with IETF DoH, the project is not affiliated with IETF.
+
+To avoid confusion, you may also call this project "m13253/DNS-over-HTTPS" or anything you like.
 
 ## License
 

doh-client/client.go

@@ -45,7 +45,7 @@ type Client struct {
 	udpServers           []*dns.Server
 	tcpServers           []*dns.Server
 	bootstrapResolver    *net.Resolver
-	cookieJar            *cookiejar.Jar
+	cookieJar            http.CookieJar
 	httpClientMux        *sync.RWMutex
 	httpTransport        *http.Transport
 	httpClient           *http.Client
@@ -58,6 +58,7 @@ type DNSRequest struct {
 	udpSize           uint16
 	ednsClientAddress net.IP
 	ednsClientNetmask uint8
+	currentUpstream   string
 	err               error
 }
 
@@ -258,7 +259,7 @@ func (c *Client) tcpHandlerFunc(w dns.ResponseWriter, r *dns.Msg) {
 
 var (
 	ipv4Mask24 = net.IPMask{255, 255, 255, 0}
-	ipv6Mask48 = net.CIDRMask(48, 128)
+	ipv6Mask56 = net.CIDRMask(56, 128)
 )
 
 func (c *Client) findClientIP(w dns.ResponseWriter, r *dns.Msg) (ednsClientAddress net.IP, ednsClientNetmask uint8) {
@@ -285,8 +286,8 @@ func (c *Client) findClientIP(w dns.ResponseWriter, r *dns.Msg) (ednsClientAddre
 			ednsClientAddress = ipv4.Mask(ipv4Mask24)
 			ednsClientNetmask = 24
 		} else {
-			ednsClientAddress = ip.Mask(ipv6Mask48)
-			ednsClientNetmask = 48
+			ednsClientAddress = ip.Mask(ipv6Mask56)
+			ednsClientNetmask = 56
 		}
 	}
 	return

doh-client/doh-client.conf

@@ -1,7 +1,9 @@
 # DNS listen port
 listen = [
     "127.0.0.1:53",
+    "127.0.0.1:5380",
     "[::1]:53",
+    "[::1]:5380",
 ]
 
 # HTTP path for upstream resolver
@@ -16,6 +18,11 @@ upstream_google = [
     #"https://1.1.1.1/dns-query",
     #"https://1.0.0.1/dns-query",
 
+    # CloudFlare's resolver for Tor, available only with Tor
+    # Remember to disable ECS below when using Tor!
+    # Blog: https://blog.cloudflare.com/welcome-hidden-resolver/
+    #"https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/dns-query",
+
 ]
 upstream_ietf = [
 
@@ -27,6 +34,11 @@ upstream_ietf = [
     #"https://1.1.1.1/dns-query",
     #"https://1.0.0.1/dns-query",
 
+    # CloudFlare's resolver for Tor, available only with Tor
+    # Remember to disable ECS below when using Tor!
+    # Blog: https://blog.cloudflare.com/welcome-hidden-resolver/
+    #"https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/dns-query",
+
 ]
 
 # Bootstrap DNS server to resolve the address of the upstream resolver
@@ -55,12 +67,12 @@ timeout = 30
 # anti-DDoS services to identify clients.
 # Note that DNS Cookies (an DNS protocol extension to DNS) also has the ability
 # to track uesrs and is not controlled by doh-client.
-no_cookies = false
+no_cookies = true
 
 # Disable EDNS0-Client-Subnet (ECS)
 #
 # DNS-over-HTTPS supports EDNS0-Client-Subnet protocol, which submits part of
-# the client's IP address (/24 for IPv4, /48 for IPv6 by default) to the
+# the client's IP address (/24 for IPv4, /56 for IPv6 by default) to the
 # upstream server. This is useful for GeoDNS and CDNs to work, and is exactly
 # the same configuration as most public DNS servers.
 no_ecs = false

doh-client/google.go

@@ -51,8 +51,7 @@ func (c *Client) generateRequestGoogle(w dns.ResponseWriter, r *dns.Msg, isTCP b
 		}
 	}
 	question := &r.Question[0]
-	// knot-resolver scrambles capitalization, I think it is unfriendly to cache
-	questionName := strings.ToLower(question.Name)
+	questionName := question.Name
 	questionType := ""
 	if qtype, ok := dns.TypeToString[question.Qtype]; ok {
 		questionType = qtype
@@ -115,12 +114,13 @@ func (c *Client) generateRequestGoogle(w dns.ResponseWriter, r *dns.Msg, isTCP b
 		udpSize:           udpSize,
 		ednsClientAddress: ednsClientAddress,
 		ednsClientNetmask: ednsClientNetmask,
+		currentUpstream:   upstream,
 	}
 }
 
 func (c *Client) parseResponseGoogle(w dns.ResponseWriter, r *dns.Msg, isTCP bool, req *DNSRequest) {
 	if req.response.StatusCode != 200 {
-		log.Printf("HTTP error: %s\n", req.response.Status)
+		log.Printf("HTTP error from upstream %s: %s\n", req.currentUpstream, req.response.Status)
 		req.reply.Rcode = dns.RcodeServerFailure
 		contentType := req.response.Header.Get("Content-Type")
 		if contentType != "application/json" && !strings.HasPrefix(contentType, "application/json;") {

doh-client/ietf.go

@@ -53,8 +53,7 @@ func (c *Client) generateRequestIETF(w dns.ResponseWriter, r *dns.Msg, isTCP boo
 	}
 
 	question := &r.Question[0]
-	// knot-resolver scrambles capitalization, I think it is unfriendly to cache
-	questionName := strings.ToLower(question.Name)
+	questionName := question.Name
 	questionType := ""
 	if qtype, ok := dns.TypeToString[question.Qtype]; ok {
 		questionType = qtype
@@ -97,7 +96,7 @@ func (c *Client) generateRequestIETF(w dns.ResponseWriter, r *dns.Msg, isTCP boo
 				ednsClientNetmask = 24
 			} else {
 				ednsClientFamily = 2
-				ednsClientNetmask = 48
+				ednsClientNetmask = 56
 			}
 			edns0Subnet = new(dns.EDNS0_SUBNET)
 			edns0Subnet.Code = dns.EDNS0SUBNET
@@ -175,12 +174,13 @@ func (c *Client) generateRequestIETF(w dns.ResponseWriter, r *dns.Msg, isTCP boo
 		udpSize:           udpSize,
 		ednsClientAddress: ednsClientAddress,
 		ednsClientNetmask: ednsClientNetmask,
+		currentUpstream:   upstream,
 	}
 }
 
 func (c *Client) parseResponseIETF(w dns.ResponseWriter, r *dns.Msg, isTCP bool, req *DNSRequest) {
 	if req.response.StatusCode != 200 {
-		log.Printf("HTTP error: %s\n", req.response.Status)
+		log.Printf("HTTP error from upstream %s: %s\n", req.currentUpstream, req.response.Status)
 		req.reply.Rcode = dns.RcodeServerFailure
 		contentType := req.response.Header.Get("Content-Type")
 		if contentType != "application/dns-message" && !strings.HasPrefix(contentType, "application/dns-message;") {

doh-client/version.go

@@ -24,6 +24,6 @@
 package main
 
 const (
-	VERSION    = "1.3.6"
+	VERSION    = "1.3.9"
 	USER_AGENT = "DNS-over-HTTPS/" + VERSION + " (+https://github.com/m13253/dns-over-https)"
 )

doh-server/doh-server.conf

@@ -5,9 +5,14 @@ listen = [
 ]
 
 # TLS certification file
+# If left empty, plain-text HTTP will be used.
+# You are recommended to leave empty and to use a server load balancer (e.g.
+# Caddy, Nginx) and set up TLS there, because this program does not do OCSP
+# Stapling, which is necessary for client bootstrapping in a network
+# environment with completely no traditional DNS service.
 cert = ""
 
-# TLS key file
+# TLS private key file
 key = ""
 
 # HTTP path for resolve application
@@ -16,6 +21,8 @@ path = "/dns-query"
 # Upstream DNS resolver
 # If multiple servers are specified, a random one will be chosen each time.
 upstream = [
+    "1.1.1.1:53",
+    "1.0.0.1:53",
     "8.8.8.8:53",
     "8.8.4.4:53",
 ]

doh-server/google.go

@@ -46,7 +46,6 @@ func (s *Server) parseRequestGoogle(w http.ResponseWriter, r *http.Request) *DNS
 			errtext: "Invalid argument value: \"name\"",
 		}
 	}
-	name = strings.ToLower(name)
 	if punycode, err := idna.ToASCII(name); err == nil {
 		name = punycode
 	} else {
@@ -105,7 +104,7 @@ func (s *Server) parseRequestGoogle(w http.ResponseWriter, r *http.Request) *DNS
 				ednsClientNetmask = 24
 			} else {
 				ednsClientFamily = 2
-				ednsClientNetmask = 48
+				ednsClientNetmask = 56
 			}
 		} else {
 			ednsClientAddress = net.ParseIP(ednsClientSubnet[:slash])
@@ -140,7 +139,7 @@ func (s *Server) parseRequestGoogle(w http.ResponseWriter, r *http.Request) *DNS
 			ednsClientNetmask = 24
 		} else {
 			ednsClientFamily = 2
-			ednsClientNetmask = 48
+			ednsClientNetmask = 56
 		}
 	}
 
@@ -182,6 +181,7 @@ func (s *Server) generateResponseGoogle(w http.ResponseWriter, r *http.Request,
 	now := time.Now().UTC().Format(http.TimeFormat)
 	w.Header().Set("Date", now)
 	w.Header().Set("Last-Modified", now)
+	w.Header().Set("Vary", "Accept")
 	if respJSON.HaveTTL {
 		if req.isTailored {
 			w.Header().Set("Cache-Control", "private, max-age="+strconv.Itoa(int(respJSON.LeastTTL)))

doh-server/ietf.go

@@ -24,12 +24,14 @@
 package main
 
 import (
+	"bytes"
 	"encoding/base64"
 	"fmt"
 	"io/ioutil"
 	"log"
 	"net/http"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/m13253/dns-over-https/json-dns"
@@ -60,6 +62,13 @@ func (s *Server) parseRequestIETF(w http.ResponseWriter, r *http.Request) *DNSRe
 			errtext: fmt.Sprintf("Invalid argument value: \"dns\""),
 		}
 	}
+
+	if s.patchDNSCryptProxyReqID(w, r, requestBinary) {
+		return &DNSRequest{
+			errcode: 444,
+		}
+	}
+
 	msg := new(dns.Msg)
 	err = msg.Unpack(requestBinary)
 	if err != nil {
@@ -87,6 +96,7 @@ func (s *Server) parseRequestIETF(w http.ResponseWriter, r *http.Request) *DNSRe
 		fmt.Printf("%s - - [%s] \"%s %s %s\"\n", r.RemoteAddr, time.Now().Format("02/Jan/2006:15:04:05 -0700"), questionName, questionClass, questionType)
 	}
 
+	transactionID := msg.Id
 	msg.Id = dns.Id()
 	opt := msg.IsEdns0()
 	if opt == nil {
@@ -116,7 +126,7 @@ func (s *Server) parseRequestIETF(w http.ResponseWriter, r *http.Request) *DNSRe
 				ednsClientNetmask = 24
 			} else {
 				ednsClientFamily = 2
-				ednsClientNetmask = 48
+				ednsClientNetmask = 56
 			}
 			edns0Subnet = new(dns.EDNS0_SUBNET)
 			edns0Subnet.Code = dns.EDNS0SUBNET
@@ -129,14 +139,15 @@ func (s *Server) parseRequestIETF(w http.ResponseWriter, r *http.Request) *DNSRe
 	}
 
 	return &DNSRequest{
-		request:    msg,
-		isTailored: isTailored,
+		request:       msg,
+		transactionID: transactionID,
+		isTailored:    isTailored,
 	}
 }
 
 func (s *Server) generateResponseIETF(w http.ResponseWriter, r *http.Request, req *DNSRequest) {
 	respJSON := jsonDNS.Marshal(req.response)
-	req.response.Id = 0
+	req.response.Id = req.transactionID
 	respBytes, err := req.response.Pack()
 	if err != nil {
 		log.Println(err)
@@ -148,6 +159,10 @@ func (s *Server) generateResponseIETF(w http.ResponseWriter, r *http.Request, re
 	now := time.Now().UTC().Format(http.TimeFormat)
 	w.Header().Set("Date", now)
 	w.Header().Set("Last-Modified", now)
+	w.Header().Set("Vary", "Accept")
+
+	_ = s.patchFirefoxContentType(w, r, req)
+
 	if respJSON.HaveTTL {
 		if req.isTailored {
 			w.Header().Set("Cache-Control", "private, max-age="+strconv.Itoa(int(respJSON.LeastTTL)))
@@ -156,8 +171,35 @@ func (s *Server) generateResponseIETF(w http.ResponseWriter, r *http.Request, re
 		}
 		w.Header().Set("Expires", respJSON.EarliestExpires.Format(http.TimeFormat))
 	}
+
 	if respJSON.Status == dns.RcodeServerFailure {
 		w.WriteHeader(503)
 	}
 	w.Write(respBytes)
 }
+
+// Workaround a bug causing DNSCrypt-Proxy to expect a response with TransactionID = 0xcafe
+func (s *Server) patchDNSCryptProxyReqID(w http.ResponseWriter, r *http.Request, requestBinary []byte) bool {
+	if strings.Contains(r.UserAgent(), "dnscrypt-proxy") && bytes.Equal(requestBinary, []byte("\xca\xfe\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00\x00\x02\x00\x01\x00\x00\x29\x10\x00\x00\x00\x80\x00\x00\x00")) {
+		log.Println("DNSCrypt-Proxy detected. Patching response.")
+		w.Header().Set("Content-Type", "application/dns-message")
+		w.Header().Set("Vary", "Accept, User-Agent")
+		now := time.Now().UTC().Format(http.TimeFormat)
+		w.Header().Set("Date", now)
+		w.Write([]byte("\xca\xfe\x81\x05\x00\x01\x00\x01\x00\x00\x00\x00\x00\x00\x02\x00\x01\x00\x00\x10\x00\x01\x00\x00\x00\x00\x00\xa8\xa7\r\nWorkaround a bug causing DNSCrypt-Proxy to expect a response with TransactionID = 0xcafe\r\nRefer to https://github.com/jedisct1/dnscrypt-proxy/issues/526 for details."))
+		return true
+	}
+	return false
+}
+
+// Workaround a bug causing Firefox 61-62 to reject responses with Content-Type = application/dns-message
+func (s *Server) patchFirefoxContentType(w http.ResponseWriter, r *http.Request, req *DNSRequest) bool {
+	if strings.Contains(r.UserAgent(), "Firefox") && strings.Contains(r.Header.Get("Accept"), "application/dns-udpwireformat") && !strings.Contains(r.Header.Get("Accept"), "application/dns-message") {
+		log.Println("Firefox 61-62 detected. Patching response.")
+		w.Header().Set("Content-Type", "application/dns-udpwireformat")
+		w.Header().Set("Vary", "Accept, User-Agent")
+		req.isTailored = true
+		return true
+	}
+	return false
+}

doh-server/server.go

@@ -46,11 +46,13 @@ type Server struct {
 }
 
 type DNSRequest struct {
-	request    *dns.Msg
-	response   *dns.Msg
-	isTailored bool
-	errcode    int
-	errtext    string
+	request         *dns.Msg
+	response        *dns.Msg
+	transactionID   uint16
+	currentUpstream string
+	isTailored      bool
+	errcode         int
+	errtext         string
 }
 
 func NewServer(conf *config) (s *Server) {
@@ -158,13 +160,18 @@ func (s *Server) handlerFunc(w http.ResponseWriter, r *http.Request) {
 		jsonDNS.FormatError(w, fmt.Sprintf("Invalid argument value: \"ct\" = %q", contentType), 415)
 		return
 	}
+	if req.errcode == 444 {
+		return
+	}
 	if req.errcode != 0 {
 		jsonDNS.FormatError(w, req.errtext, req.errcode)
 		return
 	}
 
+	req = s.patchRootRD(req)
+
 	var err error
-	req.response, err = s.doDNSQuery(req.request)
+	req, err = s.doDNSQuery(req)
 	if err != nil {
 		jsonDNS.FormatError(w, fmt.Sprintf("DNS query failure (%s)", err.Error()), 503)
 		return
@@ -208,23 +215,33 @@ func (s *Server) findClientIP(r *http.Request) net.IP {
 	return nil
 }
 
-func (s *Server) doDNSQuery(msg *dns.Msg) (resp *dns.Msg, err error) {
+// Workaround a bug causing Unbound to refuse returning anything about the root
+func (s *Server) patchRootRD(req *DNSRequest) *DNSRequest {
+	for _, question := range req.request.Question {
+		if question.Name == "." {
+			req.request.RecursionDesired = true
+		}
+	}
+	return req
+}
+
+func (s *Server) doDNSQuery(req *DNSRequest) (resp *DNSRequest, err error) {
 	numServers := len(s.conf.Upstream)
 	for i := uint(0); i < s.conf.Tries; i++ {
-		server := s.conf.Upstream[rand.Intn(numServers)]
+		req.currentUpstream = s.conf.Upstream[rand.Intn(numServers)]
 		if !s.conf.TCPOnly {
-			resp, _, err = s.udpClient.Exchange(msg, server)
+			req.response, _, err = s.udpClient.Exchange(req.request, req.currentUpstream)
 			if err == dns.ErrTruncated {
 				log.Println(err)
-				resp, _, err = s.tcpClient.Exchange(msg, server)
+				req.response, _, err = s.tcpClient.Exchange(req.request, req.currentUpstream)
 			}
 		} else {
-			resp, _, err = s.tcpClient.Exchange(msg, server)
+			req.response, _, err = s.tcpClient.Exchange(req.request, req.currentUpstream)
 		}
 		if err == nil {
-			return
+			return req, nil
 		}
-		log.Println(err)
+		log.Printf("DNS error from upstream %s: %s\n", req.currentUpstream, err.Error())
 	}
-	return
+	return req, err
 }

doh-server/version.go

@@ -24,6 +24,6 @@
 package main
 
 const (
-	VERSION    = "1.3.6"
+	VERSION    = "1.3.9"
 	USER_AGENT = "DNS-over-HTTPS/" + VERSION + " (+https://github.com/m13253/dns-over-https)"
 )

json-dns/unmarshal.go

@@ -119,7 +119,7 @@ func Unmarshal(msg *dns.Msg, resp *Response, udpSize uint16, ednsClientNetmask u
 			if ednsClientFamily == 1 {
 				ednsClientNetmask = 24
 			} else {
-				ednsClientNetmask = 48
+				ednsClientNetmask = 56
 			}
 		}
 		edns0Subnet := new(dns.EDNS0_SUBNET)