Move StartLimitIntervalSec=0 from [Service] to [Unit]

This solves the warning message:
> systemd[1]: /usr/lib/systemd/system/doh-client.service:16: Unknown key 'StartLimitIntervalSec' in section [Service], ignoring.

.github/workflows/docker.yml

@@ -0,0 +1,36 @@
+name: "Docker"
+
+on:
+  push:
+    branches:
+      - 'master'
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    environment: "Docker Hub"
+    strategy:
+      matrix:
+        variant: ["client", "server"]
+    steps:
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      -
+        name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          logout: true
+      - # TODO: port https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners
+        name: Build and push
+        uses: docker/build-push-action@v4
+        with:
+          file: ./Dockerfile.${{ matrix.variant }}
+          tags: m13253/dns-over-https-${{ matrix.variant }}:latest
+          push: true
+          platforms: "linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8"

.github/workflows/go.yml

@@ -0,0 +1,37 @@
+name: Go build for Linux
+on: [push, pull_request]
+jobs:
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Set up Go
+      uses: actions/setup-go@v2
+      with:
+        go-version: 1.24.3
+      id: go
+
+    - name: Check out repository
+      uses: actions/checkout@v4
+
+    - name: Linux build
+      run: |
+        make
+
+    - name: Upload Linux build
+      uses: actions/upload-artifact@v4
+      with:
+        name: linux-amd64
+        path: |
+          doh-client/doh-client
+          doh-server/doh-server
+
+    - name: Cache
+      uses: actions/cache@v4
+      with:
+        # A directory to store and save the cache
+        path: ~/go/pkg/mod
+        # An explicit key for restoring and saving the cache
+        key: ${{ runner.os }}-${{ hashFiles('**/go.sum') }}

.gitignore

@@ -3,6 +3,9 @@
 *.dll
 *.so
 *.dylib
+darwin-wrapper/doh-logger
+doh-client/doh-client
+doh-server/doh-server
 
 # Test binary, build with `go test -c`
 *.test
@@ -12,3 +15,6 @@
 
 # Project-local glide cache, RE: https://github.com/Masterminds/glide/issues/736
 .glide/
+
+.idea/
+vendor/

.golangci.yml

@@ -0,0 +1,36 @@
+---
+issues:
+  fix: true
+linters:
+  enable-all: true
+  disable:
+    - importas
+    - depguard
+    - lll
+    - exhaustruct
+    - perfsprint
+    - gochecknoinits
+    - wsl
+    - exportloopref
+linters-settings:
+  revive:
+    enable-all-rules: true
+    rules:
+      - name: line-length-limit
+        disabled: true
+  gocritic:
+    enabled-tags:
+      - diagnostic
+      - style
+      - performance
+      - experimental
+      - opinionated
+  govet:
+    enable-all: true
+  gci:
+    sections:
+      - standard
+      - default
+      - prefix(github.com/m13253/dns-over-https/v2)
+  gofumpt:
+    extra-rules: true

Changelog.md

@@ -4,6 +4,132 @@ This Changelog records major changes between versions.
 
 Not all changes are recorded. Please check git log for details.
 
+## Version 2.3.3
+
+- systemd: Use DynamicUser=yes instead of User=nobody (Fixed #139)
+- Migrate deprecated Go packages `ioutil` to `io` and `os`
+- Fix a bug that truncates the response improperly, causing malformed DNS responsed (Fixed #144)
+
+## Version 2.3.2
+
+- Documentation updates, including deploying recommenation alongside DoT, thanks @gdm85
+- Add unit tests for CIDR subnets parsing, thanks @gdm85
+- Removing Firefox 61-62 patch
+
+Since this version, @gdm85, @GreyXor, @Jamesits will be able to maintain this repository alongside @m13253. Anyone who contributed to this project can also apply to be a maintainer.
+This is because changes in life have delayed the development of this project. By constructing a community hopefully can we restore the pace of development.
+
+## Version 2.3.1
+
+- No new features in this release
+- Bumped versions of Go toolchain and third-party dependencies, requested by #128
+
+## Version 2.3.0
+
+- The repository now conforms to the Go semvar standard (Fixed #115, thanks to @leiless)
+
+## Version 2.2.5
+
+- Add client certificate authentication
+- Fixing documentation related to Docker
+
+## Version 2.2.4
+
+- Add options to configure ECS netmask length
+- Add an option to disable TLS verification (Note: dangerous)
+
+## Version 2.2.3
+
+- Use the library ipTree to determine whether an IP is global routable, improving the performance
+- Google's 8.8.8.8 resolver is now marked as "Good ECS" in the example configuration file
+
+## Version 2.2.2
+
+- Allow client to opt-out EDNS0 Client Support
+- [JSON-DoH] Honor DNSSEC OK flag for incoming DNS requests
+- [JSON-DoH] Add support for non-standard response formats
+- `X-Real-IP` is now used in logging if set by frontend load balancer
+- Fix documentation
+
+## Version 2.2.1
+
+- Fix messy log
+
+## Version 2.2.0
+
+- Breaking change: The configuration format of doh-server is changed
+- Add support for type prefix for upstream addresses of doh-server
+- Add support for DNS-over-TLS upstream addresses of doh-server
+- Remove `tcp_only` configuration option in doh-server
+- Add `no_user_agent` configuration option in doh-server
+- Add an RPM package script with SELinux policy
+- Fix Opcode never assigned in `jsonDNS.PrepareReply`
+- Improve error logging / checking
+- Updated Readme
+
+## Version 2.1.2
+
+- Update address for google's resolver
+- Fix a typo
+
+## Version 2.1.1
+
+- Add a set of Dockerfile contributed by the community
+- Include DNS.SB's resolver in example configuration
+
+## Version 2.1.0
+
+- Add `local_addr` configuration for doh-server (#39)
+- Fix a problem when compiling on macOS 10.14.4 or newer
+- Add Quad9 DoH server to the example `doh-client.conf`
+- Use TCP when appropriate for the given query type/response (AXFR/IXFR)
+
+## Version 2.0.1
+
+- Fix a crash with the random load balancing algorithm.
+
+## Version 2.0.0
+
+**This is a breaking change!** Please update the configuration file after upgrading.
+
+- Implemented two upstream server selector algorithms: `weighted_round_robin` and `lvs_weighted_round_robin`.
+- Add a configuration option for doh-server: `log_guessed_client_ip`.
+
+## Version 1.4.2
+
+- Add PID file feature for systems which lacks a cgroup-based process tracker.
+- Remove dns.ErrTruncated according to <https://github.com/miekg/dns/pull/815>.
+
+## Version 1.4.1
+
+- Add a configuration option: `debug_http_headers` (e.g. Add `CF-Ray` to diagnose Cloudflare's resolver)
+- Add a configuration option: `passrthrough`
+- macOS logger is rebuilt with static libswiftCore
+- Fix HTTP stream leaking problem, which may cause massive half-open connections if HTTP/1 is in use
+- Utilize Go's cancelable context to detect timeouts more reliably.
+- Fix interoperation problems with gDNS
+- CORS is enabled by default in doh-server
+- Documentation updates
+
+## Version 1.3.10
+
+- Enable application/dns-message (draft-13) by default, since Google has finally supported it
+
+## Version 1.3.9
+
+- Fix client crash with `no_cookies = true`
+- Add 5380 as an additional default doh-client port
+- If `$GOROOT` is defined, Makefile now respects the value for the convenience of Debian/Ubuntu users
+- Change the ECS prefix length from /48 to /56 for IPv6, per RFC 7871
+
+## Version 1.3.8
+
+- Workaround a bug causing Firefox 61-62 to reject responses with Content-Type = application/dns-message
+- Workaround a bug causing DNSCrypt-Proxy to expect a response with TransactionID = 0xcafe
+- TransactionID is now preserved to maintain compatibility with some clients
+- Turn on `no_cookies` by default according to the IETF draft
+- Update Documentation
+
 ## Version 1.3.7
 
 - Add CloudFlare DNS resolver for Tor to the preset

Dockerfile.client

@@ -0,0 +1,23 @@
+FROM golang:alpine AS build-env
+
+RUN apk add --no-cache git make
+
+WORKDIR /src
+ADD . /src
+RUN make doh-client/doh-client
+
+FROM alpine:latest
+
+COPY --from=build-env /src/doh-client/doh-client /doh-client
+
+ADD doh-client/doh-client.conf /doh-client.conf
+
+RUN sed -i '$!N;s/"127.0.0.1:53",.*"127.0.0.1:5380",/":53",/;P;D' /doh-client.conf
+RUN sed -i '$!N;s/"\[::1\]:53",.*"\[::1\]:5380",/":5380",/;P;D' /doh-client.conf
+
+EXPOSE 53/udp
+EXPOSE 53/tcp
+EXPOSE 5380
+
+ENTRYPOINT ["/doh-client"]
+CMD ["-conf", "/doh-client.conf"]

Dockerfile.server

@@ -0,0 +1,20 @@
+FROM golang:alpine AS build-env
+
+RUN apk add --no-cache git make
+
+WORKDIR /src
+ADD . /src
+RUN make doh-server/doh-server
+
+FROM alpine:latest
+
+COPY --from=build-env /src/doh-server/doh-server /doh-server
+
+ADD doh-server/doh-server.conf /doh-server.conf
+
+RUN sed -i '$!N;s/"127.0.0.1:8053",\s*"\[::1\]:8053",/":8053",/;P;D' /doh-server.conf
+
+EXPOSE 8053
+
+ENTRYPOINT ["/doh-server"]
+CMD ["-conf", "/doh-server.conf"]

Makefile

@@ -1,13 +1,17 @@
-.PHONY: all clean install uninstall deps
+.PHONY: all clean install uninstall
 
-GOBUILD=go build
-GOGET=go get -d -v
-GOGET_UPDATE=go get -d -u -v
-PREFIX=/usr/local
-ifeq ($(shell uname),Darwin)
-	CONFDIR=/usr/local/etc/dns-over-https
+PREFIX = /usr/local
+
+ifeq ($(GOROOT),)
+GOBUILD = go build -ldflags "-s -w"
 else
-	CONFDIR=/etc/dns-over-https
+GOBUILD = $(GOROOT)/bin/go build -ldflags "-s -w"
+endif
+
+ifeq ($(shell uname),Darwin)
+CONFDIR = /usr/local/etc/dns-over-https
+else
+CONFDIR = /etc/dns-over-https
 endif
 
 all: doh-client/doh-client doh-server/doh-server
@@ -49,13 +53,8 @@ uninstall:
 		$(MAKE) -C launchd uninstall "DESTDIR=$(DESTDIR)"; \
 	fi
 
-deps:
-	@# I am not sure if it is the correct way to keep the common library updated
-	$(GOGET_UPDATE) github.com/m13253/dns-over-https/json-dns
-	$(GOGET) ./doh-client ./doh-server
-
-doh-client/doh-client: deps doh-client/client.go doh-client/config.go doh-client/google.go doh-client/ietf.go doh-client/main.go doh-client/version.go json-dns/error.go json-dns/globalip.go json-dns/marshal.go json-dns/response.go json-dns/unmarshal.go
+doh-client/doh-client: doh-client/client.go doh-client/config/config.go doh-client/google.go doh-client/ietf.go doh-client/main.go doh-client/version.go json-dns/error.go json-dns/globalip.go json-dns/marshal.go json-dns/response.go json-dns/unmarshal.go
 	cd doh-client && $(GOBUILD)
 
-doh-server/doh-server: deps doh-server/config.go doh-server/google.go doh-server/ietf.go doh-server/main.go doh-server/server.go doh-server/version.go json-dns/error.go json-dns/globalip.go json-dns/marshal.go json-dns/response.go json-dns/unmarshal.go
+doh-server/doh-server: doh-server/config.go doh-server/google.go doh-server/ietf.go doh-server/main.go doh-server/server.go doh-server/version.go json-dns/error.go json-dns/globalip.go json-dns/marshal.go json-dns/response.go json-dns/unmarshal.go
 	cd doh-server && $(GOBUILD)

Readme.md

@@ -2,53 +2,80 @@ DNS-over-HTTPS
 ==============
 
 Client and server software to query DNS over HTTPS, using [Google DNS-over-HTTPS protocol](https://developers.google.com/speed/public-dns/docs/dns-over-https)
-and [draft-ietf-doh-dns-over-https](https://github.com/dohwg/draft-ietf-doh-dns-over-https).
+and [IETF DNS-over-HTTPS (RFC 8484)](https://www.rfc-editor.org/rfc/rfc8484.txt).
 
-## Easy start
+## Guides
 
-Install [Go](https://golang.org), at least version 1.9.
+- [Tutorial: Setup your own DNS-over-HTTPS (DoH) server](https://www.aaflalo.me/2018/10/tutorial-setup-dns-over-https-server/). (Thanks to Antoine Aflalo)
+- [Tutorial: Setup your own Docker based DNS-over-HTTPS (DoH) server](https://github.com/satishweb/docker-doh/blob/master/README.md). (Thanks to Satish Gaikwad)
 
-First create an empty directory, used for `$GOPATH`:
+## Installing
+### From Source
+- Install [Go](https://golang.org), at least version 1.20. The newer, the better.
+> Note for Debian/Ubuntu users: You need to set `$GOROOT` if you could not get your new version of Go selected by the Makefile.
 
-    mkdir ~/gopath
-    export GOPATH=~/gopath
-
-To build the program, type:
-
-    make
-
-To install DNS-over-HTTPS as Systemd services, type:
-
-    sudo make install
-
-By default, [Google DNS over HTTPS](https://dns.google.com) is used. It should
+- First create an empty directory, used for `$GOPATH`:
+```bash
+mkdir ~/gopath
+export GOPATH=~/gopath
+```
+- To build the program, type:
+```bash
+make
+```
+- To install DNS-over-HTTPS as Systemd services, type:
+```bash
+sudo make install
+```
+- By default, [Google DNS over HTTPS](https://dns.google.com) is used. It should
 work for most users (except for People's Republic of China). If you need to
 modify the default settings, type:
+```bash
+sudoedit /etc/dns-over-https/doh-client.conf
+```
+- To automatically start DNS-over-HTTPS client as a system service, type:
+```bash
+sudo systemctl start doh-client.service
+sudo systemctl enable doh-client.service
+```
+- Then, modify your DNS settings (usually with NetworkManager) to 127.0.0.1.
 
-    sudoedit /etc/dns-over-https/doh-client.conf
+- To test your configuration, type:
+```bash
+dig www.google.com
+Output:
+;; SERVER: 127.0.0.1#53(127.0.0.1)
+```
+#### Uninstall
 
-To automatically start DNS-over-HTTPS client as a system service, type:
+- To uninstall, type:
+```bash
+sudo make uninstall
+```
+> Note: The configuration files are kept at `/etc/dns-over-https`. Remove them manually if you want.
 
-    sudo systemctl start doh-client.service
-    sudo systemctl enable doh-client.service
+### Using docker image
+```bash
+docker run -d --name doh-server \
+  -p 8053:8053 \
+  -e UPSTREAM_DNS_SERVER="udp:208.67.222.222:53,udp:208.67.220.220:53" \
+  -e DOH_HTTP_PREFIX="/dns-query" \
+  -e DOH_SERVER_LISTEN=":8053" \
+  -e DOH_SERVER_TIMEOUT="10" \
+  -e DOH_SERVER_TRIES="3" \
+  -e DOH_SERVER_VERBOSE="false" \
+  satishweb/doh-server
+```
+Note: Multiple Upstream DNS server support was added in the container image on 2024-12-19.
 
-Then, modify your DNS settings (usually with NetworkManager) to 127.0.0.1.
+Feeling adventurous? Try the latest build:
 
-To test your configuration, type:
+- `m13253/dns-over-https-server:latest`
+- `m13253/dns-over-https-client:latest`
 
-    dig www.google.com
+## Logging
 
-If it is OK, you will wee:
-
-    ;; SERVER: 127.0.0.1#53(127.0.0.1)
-
-### Uninstalling
-
-To uninstall, type:
-
-    sudo make uninstall
-
-The configuration files are kept at `/etc/dns-over-https`. Remove them manually if you want.
+All log lines (by either doh-client or doh-server) are written into `stderr`; you can view them using your OS tool of choice (`journalctl` when using systemd).
 
 ## Server Configuration
 
@@ -67,23 +94,220 @@ The following is a typical DNS-over-HTTPS architecture:
     |  doh-client  +--+ Content Delivery Network +--+ (Apache, Nginx, Caddy) |
     +--------------+  +--------------------------+  +------------------------+
 
-Although DNS-over-HTTPS can work alone, a HTTP service muxer would be useful as
+Although DNS-over-HTTPS can work alone, an HTTP service muxer would be useful as
 you can host DNS-over-HTTPS along with other HTTPS services.
 
 HTTP/2 with at least TLS v1.3 is recommended. OCSP stapling must be enabled,
 otherwise DNS recursion may happen.
 
+### Configuration file
+
+The main configuration file is `doh-client.conf`.
+
+**Server selectors.** If several upstream servers are set, one is selected according to `upstream_selector` for each request. With `upstream_selector = "random"`, a random upstream server will be chosen for each request.
+
+```toml
+# available selector: random (default) or weighted_round_robin or lvs_weighted_round_robin
+upstream_selector = "random"
+```
+
+### Example configuration: Apache
+```bash
+SSLProtocol TLSv1.2
+SSLHonorCipherOrder On
+SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS:!eNULL:!EXP:!LOW:!MD5
+SSLUseStapling on
+SSLStaplingCache shmcb:/var/lib/apache2/stapling_cache(512000)
+
+<VirtualHost *:443>
+    ServerName MY_SERVER_NAME
+    Protocols h2 http/1.1
+    ProxyPass /dns-query http://[::1]:8053/dns-query
+    ProxyPassReverse /dns-query http://[::1]:8053/dns-query
+</VirtualHost>
+```
+(Credit: [Joan Moreau](https://github.com/m13253/dns-over-https/issues/51#issuecomment-526820884))
+
+### Example configuration: Nginx
+```bash
+server {
+  listen       443 ssl http2 default_server;
+  listen       [::]:443 ssl http2 default_server;
+  server_name  MY_SERVER_NAME;
+
+  server_tokens off;
+
+  ssl_protocols TLSv1.2 TLSv1.3;          # TLS 1.3 requires nginx >= 1.20.0
+  ssl_prefer_server_ciphers on;
+  ssl_dhparam /etc/nginx/dhparam.pem;     # openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096
+  ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+  ssl_ecdh_curve secp384r1;               # Requires nginx >= 1.1.0
+  ssl_session_timeout  10m;
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_tickets off;                # Requires nginx >= 1.5.9
+  ssl_stapling on;                        # Requires nginx >= 1.3.7
+  ssl_stapling_verify on;                 # Requires nginx => 1.3.7
+  ssl_early_data off;                     # 0-RTT, enable if desired - Requires nginx >= 1.15.4
+  resolver 1.1.1.1 valid=300s;            # Replace with your local resolver
+  resolver_timeout 5s;
+  # HTTP Security Headers
+  add_header X-Frame-Options DENY;
+  add_header X-Content-Type-Options nosniff;
+  add_header X-XSS-Protection "1; mode=block";
+  add_header Strict-Transport-Security "max-age=63072000";
+  ssl_certificate /path/to/your/server/certificates/fullchain.pem;
+  ssl_certificate_key /path/to/your/server/certificates/privkey.pem;
+  location /dns-query {
+    proxy_pass       http://localhost:8053/dns-query;
+    proxy_set_header Host      $host;
+    proxy_set_header X-Real-IP $remote_addr;
+  }
+}
+```
+(Credit: [Cipherli.st](https://cipherli.st/))
+
+### Example configuration: Caddy (v2)
+```bash
+my.server.name {
+        reverse_proxy * localhost:8053
+        tls your@email.address
+        try_files {path} {path}/index.php /index.php?{query}
+}
+```
+### Example configuration: Docker Compose + Traefik + Unbound (Raspberry Pi/Linux/Mac) [linux/amd64,linux/arm64,linux/arm/v7]
+
+```yaml
+version: '2.2'
+networks:
+  default:
+
+services:
+  proxy:
+    # The official v2 Traefik docker image
+    image: traefik:v2.3
+    hostname: proxy
+    networks:
+      - default
+    environment:
+      TRAEFIK_ACCESSLOG: "true"
+      TRAEFIK_API: "true"
+      TRAEFIK_PROVIDERS_DOCKER: "true"
+      TRAEFIK_API_INSECURE: "true"
+      TRAEFIK_PROVIDERS_DOCKER_NETWORK: "${STACK}_default"
+      # DNS provider specific environment variables for DNS Challenge using route53 (AWS)
+      AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID}
+      AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}
+      AWS_REGION: ${AWS_REGION}
+      AWS_HOSTED_ZONE_ID: ${AWS_HOSTED_ZONE_ID}
+    ports:
+      # The HTTP port
+      - "80:80"
+      # The HTTPS port
+      - "443:443"
+      # The Web UI (enabled by --api.insecure=true)
+      - "8080:8080"
+    command:
+      #- "--log.level=DEBUG"
+      - "--providers.docker.exposedbydefault=false"
+      - "--entrypoints.web.address=:80"
+      - "--entrypoints.websecure.address=:443"
+      - "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
+      # Providers list:
+      #  https://docs.traefik.io/https/acme/#providers
+      #  https://go-acme.github.io/lego/dns/
+      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=route53"
+      # Enable below line to use staging letsencrypt server.
+      #- "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+      - "--certificatesresolvers.letsencrypt.acme.email=${EMAIL}"
+      - "--certificatesresolvers.letsencrypt.acme.storage=/certs/acme.json"
+    volumes:
+      # So that Traefik can listen to the Docker events
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./data/proxy/certs:/certs
+  doh-server:
+    image: satishweb/doh-server:latest
+    hostname: doh-server
+    networks:
+      - default
+    environment:
+      # Enable below line to see more logs
+      # DEBUG: "1"
+      UPSTREAM_DNS_SERVER: "udp:unbound:53"
+      DOH_HTTP_PREFIX: "${DOH_HTTP_PREFIX}"
+      DOH_SERVER_LISTEN: ":${DOH_SERVER_LISTEN}"
+      DOH_SERVER_TIMEOUT: "10"
+      DOH_SERVER_TRIES: "3"
+      DOH_SERVER_VERBOSE: "false"
+    #volumes:
+      # - ./doh-server.conf:/server/doh-server.conf
+      # - ./app-config:/app-config
+    depends_on:
+      - unbound
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.doh-server.rule=Host(`${SUBDOMAIN}.${DOMAIN}`) && Path(`${DOH_HTTP_PREFIX}`)"
+      - "traefik.http.services.doh-server.loadbalancer.server.port=${DOH_SERVER_LISTEN}"
+      - "traefik.http.middlewares.mw-doh-compression.compress=true"
+      - "traefik.http.routers.doh-server.tls=true"
+      - "traefik.http.middlewares.mw-doh-tls.headers.sslredirect=true"
+      - "traefik.http.middlewares.mw-doh-tls.headers.sslforcehost=true"
+      - "traefik.http.routers.doh-server.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.doh-server.tls.domains[0].main=${DOMAIN}"
+      - "traefik.http.routers.doh-server.tls.domains[0].sans=${SUBDOMAIN}.${DOMAIN}"
+      # Protection from requests flood
+      - "traefik.http.middlewares.mw-doh-ratelimit.ratelimit.average=100"
+      - "traefik.http.middlewares.mw-doh-ratelimit.ratelimit.burst=50"
+      - "traefik.http.middlewares.mw-doh-ratelimit.ratelimit.period=10s"
+  unbound:
+    image: satishweb/unbound:latest
+    hostname: unbound
+    networks:
+      - default
+    ports:
+      # Disable these ports if DOH server is the only client
+      - 53:53/tcp
+      - 53:53/udp
+    volumes:
+      - ./unbound.sample.conf:/templates/unbound.sample.conf
+      - ./data/unbound/custom:/etc/unbound/custom
+      # Keep your custom.hosts file inside custom folder
+    #environment:
+    #  DEBUG: "1"
+````
+
+> Complete Guide available at: https://github.com/satishweb/docker-doh
+
+> IPV6 Support for Docker Compose based configuration TBA
+
+### Example configuration: DNS-over-TLS
+
+There is no native [DNS-over-TLS](https://en.wikipedia.org/wiki/DNS_over_TLS) support, but you can easily add it via nginx:
+```
+stream {
+    server {
+        listen                  *:853 ssl;
+        proxy_pass              ipofyourdnsresolver:port  #127.0.0.1:53
+    }
+
+    ssl_certificate /etc/letsencrypt/live/site.yourdomain/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/site.yourdomain/privkey.pem;
+}
+```
+
+The DoT service can also be provided by running a [STunnel](https://www.stunnel.org/) instance to wrap dnsmasq (or any other resolver of your choice, listening on a TCP port);
+this approach does not need a stand-alone daemon to provide the DoT service.
+
 ## DNSSEC
 
 DNS-over-HTTPS is compatible with DNSSEC, and requests DNSSEC signatures by
-default. However signature validation is not built-in. It is highly recommended
+default. However, signature validation is not built-in. It is highly recommended
 that you install `unbound` or `bind` and pass results for them to validate DNS
-records.
+records. An instance of [Pi Hole](https://pi-hole.net) could also be used to validate DNS signatures as well as provide other capabilities.
 
 ## EDNS0-Client-Subnet (GeoDNS)
 
 DNS-over-HTTPS supports EDNS0-Client-Subnet protocol, which submits part of the
-client's IP address (/24 for IPv4, /48 for IPv6 by default) to the upstream
+client's IP address (/24 for IPv4, /56 for IPv6 by default) to the upstream
 server. This is useful for GeoDNS and CDNs to work, and is exactly the same
 configuration as most public DNS servers.
 
@@ -107,11 +331,9 @@ except for absolute expire time is preferred to relative TTL value. Refer to
 [json-dns/response.go](json-dns/response.go) for a complete description of the
 API.
 
-### IETF DNS-over-HTTPS Protocol (Draft)
+### IETF DNS-over-HTTPS Protocol
 
-DNS-over-HTTPS uses a protocol compatible to [draft-ietf-doh-dns-over-https](https://github.com/dohwg/draft-ietf-doh-dns-over-https).
-This protocol is in draft stage. Any incompatibility may be introduced before
-it is finished.
+DNS-over-HTTPS uses a protocol compatible to [IETF DNS-over-HTTPS (RFC 8484)](https://www.rfc-editor.org/rfc/rfc8484.txt).
 
 ### Supported features
 
@@ -119,7 +341,17 @@ Currently supported features are:
 
 - [X] IPv4 / IPv6
 - [X] EDNS0 large UDP packet (4 KiB by default)
-- [X] EDNS0-Client-Subnet (/24 for IPv4, /48 for IPv6 by default)
+- [X] EDNS0-Client-Subnet (/24 for IPv4, /56 for IPv6 by default)
+
+## Known issues
+
+* it does not work well with [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy), you might want to use either (or fix the compatibility bugs by submitting PRs)
+
+## The name of the project
+
+This project is named "DNS-over-HTTPS" because it was written before the IETF DoH project. Although this project is compatible with IETF DoH, the project is not affiliated with IETF.
+
+To avoid confusion, you may also call this project "m13253/DNS-over-HTTPS" or anything you like.
 
 ## License
 

contrib/rpm/dns-over-https-2.1.2-systemd.patch

@@ -0,0 +1,36 @@
+diff -Naur dns-over-https-2.1.2.org/systemd/doh-client.service dns-over-https-2.1.2/systemd/doh-client.service
+--- dns-over-https-2.1.2.org/systemd/doh-client.service	2019-09-10 12:08:35.177574074 +0200
++++ dns-over-https-2.1.2/systemd/doh-client.service	2019-09-10 12:10:05.473700374 +0200
+@@ -7,12 +7,12 @@
+ 
+ [Service]
+ AmbientCapabilities=CAP_NET_BIND_SERVICE
+-ExecStart=/usr/local/bin/doh-client -conf /etc/dns-over-https/doh-client.conf
++ExecStart=/usr/bin/doh-client -conf /etc/dns-over-https/doh-client.conf
+ LimitNOFILE=1048576
+ Restart=always
+ RestartSec=3
+ Type=simple
+-User=nobody
++User=doh-client
+ 
+ [Install]
+ WantedBy=multi-user.target
+diff -Naur dns-over-https-2.1.2.org/systemd/doh-server.service dns-over-https-2.1.2/systemd/doh-server.service
+--- dns-over-https-2.1.2.org/systemd/doh-server.service	2019-09-10 12:08:35.177574074 +0200
++++ dns-over-https-2.1.2/systemd/doh-server.service	2019-09-10 12:10:20.980273992 +0200
+@@ -5,12 +5,12 @@
+ 
+ [Service]
+ AmbientCapabilities=CAP_NET_BIND_SERVICE
+-ExecStart=/usr/local/bin/doh-server -conf /etc/dns-over-https/doh-server.conf
++ExecStart=/usr/bin/doh-server -conf /etc/dns-over-https/doh-server.conf
+ LimitNOFILE=1048576
+ Restart=always
+ RestartSec=3
+ Type=simple
+-User=nobody
++User=doh-server
+ 
+ [Install]
+ WantedBy=multi-user.target

contrib/rpm/doh.spec

@@ -0,0 +1,240 @@
+# vim: tabstop=4 shiftwidth=4 expandtab
+%global _hardened_build 1
+# Debug package is empty anyway
+%define debug_package %{nil}
+
+%global _release        1
+%global provider        github
+%global provider_tld    com
+%global project         m13253
+%global repo            dns-over-https
+%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
+%global import_path     %{provider_prefix}
+
+#define commit          984df34ca7b45897ecb5871791e398cc160a4b93
+
+%if 0%{?commit:1}
+%define shortcommit     %(c=%{commit}; echo ${c:0:7})
+%define _date           %(date +'%%Y%%m%%dT%%H%%M%%S')
+%endif
+
+%define rand_id         %(head -c20 /dev/urandom|od -An -tx1|tr -d '[[:space:]]')
+
+%if ! 0%{?gobuild:1}
+%define gobuild(o:) go build -ldflags "${LDFLAGS:-} -B 0x%{rand_id}" -a -v -x %{?**};
+%endif
+
+%if ! 0%{?gotest:1}
+%define gotest() go test -ldflags "${LDFLAGS:-}" %{?**}
+%endif
+
+Name:           %{repo}
+Version:        2.1.2
+%if 0%{?commit:1}
+Release:    %{_release}.git%{shortcommit}.%{_date}%{?dist}
+Source0:        https://%{import_path}/archive/%{commit}.tar.gz
+%else
+Release:        %{_release}%{?dist}
+Source0:        https://%{import_path}/archive/v%{version}.tar.gz
+%endif
+Patch0:         %{name}-%{version}-systemd.patch
+
+Summary:        High performance DNS over HTTPS client & server
+License:        MIT
+URL:            https://github.com/m13253/dns-over-https
+
+
+# e.g. el6 has ppc64 arch without gcc-go, so EA tag is required
+# If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
+#BuildRequires:  %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang} >= 1.10
+BuildRequires:  golang >= 1.10
+BuildRequires:  systemd
+BuildRequires:  upx
+
+%description
+%{summary}
+
+%package common
+BuildArch: noarch
+Summary: %{summary} - common files
+
+%description common
+%{summary}
+
+%package server
+ExclusiveArch:  %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 %{arm}}
+Summary: %{summary} - Server
+Requires(pre):          shadow-utils
+Requires(post):         systemd
+Requires(preun):        systemd
+Requires(postun):       systemd
+
+%description server
+%{summary}
+
+%package client
+ExclusiveArch:  %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 %{arm}}
+Summary: %{summary} - Client
+Requires(pre):          shadow-utils
+Requires(post):         systemd
+Requires(preun):        systemd
+Requires(postun):       systemd
+
+%description client
+%{summary}
+
+%package selinux
+BuildArch:      noarch
+
+Source3:        doh_server.fc
+Source4:        doh_server.if
+Source5:        doh_server.te
+Source6:        doh_client.fc
+Source7:        doh_client.if
+Source8:        doh_client.te
+
+BuildRequires:  selinux-policy
+BuildRequires:  selinux-policy-devel
+Requires:       %{name}
+
+Requires(post):     policycoreutils
+Requires(post):     policycoreutils-python 
+Requires(postun):   policycoreutils
+
+Summary: SELinux policy for %{name}
+
+%description selinux
+%summary
+ 
+%prep
+%if 0%{?commit:1}
+%autosetup -n %{name}-%{commit} -p1
+%else
+%autosetup -n %{name}-%{version} -p1
+%endif
+
+mkdir -p selinux
+cp %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE7} %{SOURCE8} selinux
+
+%build
+cd selinux
+make -f /usr/share/selinux/devel/Makefile doh_server.pp doh_client.pp || exit
+cd -
+
+%set_build_flags
+%make_build \
+    PREFIX=%{_prefix} \
+    GOBUILD="go build -ldflags \"-s -w -B 0x%{rand_id}\" -a -v -x"
+
+%install
+%make_install \
+    PREFIX=%{_prefix}
+install -Dpm 0600 selinux/doh_server.pp %{buildroot}%{_datadir}/selinux/packages/doh_server.pp
+install -Dpm 0644 selinux/doh_server.if %{buildroot}%{_datadir}/selinux/devel/include/contrib/doh_server.if
+install -Dpm 0600 selinux/doh_client.pp %{buildroot}%{_datadir}/selinux/packages/doh_client.pp
+install -Dpm 0644 selinux/doh_client.if %{buildroot}%{_datadir}/selinux/devel/include/contrib/doh_client.if
+
+mkdir -p %{buildroot}%{_docdir}/%{name}
+mv %{buildroot}%{_sysconfdir}/%{name}/*.example %{buildroot}%{_docdir}/%{name}
+
+mkdir -p %{buildroot}%{_libdir}
+mv %{buildroot}%{_sysconfdir}/NetworkManager %{buildroot}%{_libdir}/
+
+for i in $(find %{_buildroot}%{_bindir} -type f)
+do
+    upx $i
+done
+
+%files common
+%license LICENSE
+%doc Changelog.md Readme.md
+
+%files server
+%{_libdir}/NetworkManager/dispatcher.d/doh-server
+%{_docdir}/%{name}/doh-server.conf.example
+%config(noreplace) %{_sysconfdir}/%{name}/doh-server.conf
+%{_bindir}/doh-server
+%{_unitdir}/doh-server.service
+
+%files client
+%{_libdir}/NetworkManager/dispatcher.d/doh-client
+%{_docdir}/%{name}/doh-client.conf.example
+%config(noreplace) %{_sysconfdir}/%{name}/doh-client.conf
+%{_bindir}/doh-client
+%{_unitdir}/doh-client.service
+
+%pre server
+test -d %{_sharedstatedir}/home || mkdir -p %{_sharedstatedir}/home
+getent group doh-server > /dev/null || groupadd -r doh-server
+getent passwd doh-server > /dev/null || \
+    useradd -r -d %{_sharedstatedir}/home/doh-server -g doh-server \
+    -s /sbin/nologin -c "%{name} - server" doh-server
+exit 0
+
+%pre client
+test -d %{_sharedstatedir}/home || mkdir -p %{_sharedstatedir}/home
+getent group doh-client > /dev/null || groupadd -r doh-client
+getent passwd doh-client > /dev/null || \
+    useradd -r -d %{_sharedstatedir}/home/doh-client -g doh-client \
+    -s /sbin/nologin -c "%{name} - client" doh-client
+exit 0
+
+%post server
+%systemd_post doh-server.service
+
+%preun server
+%systemd_preun doh-server.service
+
+%postun server
+%systemd_postun_with_restart doh-server.service
+
+%post client
+%systemd_post doh-client.service
+
+%preun client
+%systemd_preun doh-client.service
+
+%postun client
+%systemd_postun_with_restart doh-client.service
+
+%files selinux
+%{_datadir}/selinux/packages/doh_server.pp
+%{_datadir}/selinux/devel/include/contrib/doh_server.if
+%{_datadir}/selinux/packages/doh_client.pp
+%{_datadir}/selinux/devel/include/contrib/doh_client.if
+
+%post selinux
+semodule -n -i %{_datadir}/selinux/packages/doh_server.pp
+semodule -n -i %{_datadir}/selinux/packages/doh_client.pp
+if /usr/sbin/selinuxenabled ; then
+    /usr/sbin/load_policy
+    /usr/sbin/fixfiles -R %{name}-server restore
+    /usr/sbin/fixfiles -R %{name}-client restore
+fi;
+semanage -i - << __eof
+port -a -t doh_server_port_t -p tcp "8053"
+port -a -t doh_client_port_t -p udp "5380"
+__eof
+exit 0
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    semanage -i - << __eof
+port -d -t doh_server_port_t -p tcp "8053"
+port -d -t doh_client_port_t -p udp "5380"
+__eof
+
+    semodule -n -r doh_server
+    semodule -n -r doh_client
+    if /usr/sbin/selinuxenabled ; then
+       /usr/sbin/load_policy
+       /usr/sbin/fixfiles -R %{name}-server restore
+       /usr/sbin/fixfiles -R %{name}-client restore
+    fi;
+fi;
+exit 0
+
+%changelog
+* Tue Sep 10 2019 fuero <fuerob@gmail.com> 2.1.2-1
+- initial package
+

contrib/rpm/doh_client.fc

@@ -0,0 +1,2 @@
+/usr/bin/doh-client					--	gen_context(system_u:object_r:doh_client_exec_t,s0)
+/usr/lib/systemd/system/doh-client.service		--	gen_context(system_u:object_r:doh_client_unit_file_t,s0)

contrib/rpm/doh_client.if

@@ -0,0 +1,103 @@
+
+## <summary>policy for doh_client</summary>
+
+########################################
+## <summary>
+##	Execute doh_client_exec_t in the doh_client domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`doh_client_domtrans',`
+	gen_require(`
+		type doh_client_t, doh_client_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, doh_client_exec_t, doh_client_t)
+')
+
+######################################
+## <summary>
+##	Execute doh_client in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`doh_client_exec',`
+	gen_require(`
+		type doh_client_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, doh_client_exec_t)
+')
+########################################
+## <summary>
+##	Execute doh_client server in the doh_client domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`doh_client_systemctl',`
+	gen_require(`
+		type doh_client_t;
+		type doh_client_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 doh_client_unit_file_t:file read_file_perms;
+	allow $1 doh_client_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, doh_client_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an doh_client environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`doh_client_admin',`
+	gen_require(`
+		type doh_client_t;
+	type doh_client_unit_file_t;
+	')
+
+	allow $1 doh_client_t:process { signal_perms };
+	ps_process_pattern($1, doh_client_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 doh_client_t:process ptrace;
+    ')
+
+	doh_client_systemctl($1)
+	admin_pattern($1, doh_client_unit_file_t)
+	allow $1 doh_client_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')

contrib/rpm/doh_client.te

@@ -0,0 +1,49 @@
+policy_module(doh_client, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type doh_client_t;
+type doh_client_exec_t;
+init_daemon_domain(doh_client_t, doh_client_exec_t)
+
+type doh_client_port_t;
+
+corenet_port(doh_client_port_t)
+
+type doh_client_unit_file_t;
+systemd_unit_file(doh_client_unit_file_t)
+
+########################################
+#
+# doh_client local policy
+#
+allow doh_client_t self:fifo_file rw_fifo_file_perms;
+allow doh_client_t self:unix_stream_socket create_stream_socket_perms;
+
+allow doh_client_t self:capability net_bind_service;
+allow doh_client_t self:process execmem;
+allow doh_client_t self:tcp_socket { accept bind connect create getattr getopt listen read setopt write };
+allow doh_client_t self:udp_socket { bind connect create getattr read setopt write };
+
+allow doh_client_t doh_client_exec_t:file execmod;
+allow doh_client_t doh_client_port_t:tcp_socket name_bind;
+
+corenet_tcp_bind_dns_port(doh_client_t)
+corenet_tcp_bind_generic_node(doh_client_t)
+corenet_tcp_connect_http_port(doh_client_t)
+corenet_udp_bind_dns_port(doh_client_t)
+corenet_udp_bind_generic_node(doh_client_t)
+corenet_udp_bind_generic_port(doh_client_t)
+kernel_read_net_sysctls(doh_client_t)
+kernel_search_network_sysctl(doh_client_t)
+miscfiles_read_certs(doh_client_t)
+sysnet_read_config(doh_client_t)
+
+domain_use_interactive_fds(doh_client_t)
+
+files_read_etc_files(doh_client_t)
+
+miscfiles_read_localization(doh_client_t)

contrib/rpm/doh_server.fc

@@ -0,0 +1,2 @@
+/usr/bin/doh-server					--	gen_context(system_u:object_r:doh_server_exec_t,s0)
+/usr/lib/systemd/system/doh-server.service		--	gen_context(system_u:object_r:doh_server_unit_file_t,s0)

contrib/rpm/doh_server.if

@@ -0,0 +1,122 @@
+
+## <summary>policy for doh_server</summary>
+
+########################################
+## <summary>
+##	Execute doh_server_exec_t in the doh_server domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`doh_server_domtrans',`
+	gen_require(`
+		type doh_server_t, doh_server_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, doh_server_exec_t, doh_server_t)
+')
+
+######################################
+## <summary>
+##	Execute doh_server in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`doh_server_exec',`
+	gen_require(`
+		type doh_server_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, doh_server_exec_t)
+')
+########################################
+## <summary>
+##	Execute doh_server server in the doh_server domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`doh_server_systemctl',`
+	gen_require(`
+		type doh_server_t;
+		type doh_server_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 doh_server_unit_file_t:file read_file_perms;
+	allow $1 doh_server_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, doh_server_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an doh_server environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`doh_server_admin',`
+	gen_require(`
+		type doh_server_t;
+	type doh_server_unit_file_t;
+	')
+
+	allow $1 doh_server_t:process { signal_perms };
+	ps_process_pattern($1, doh_server_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 doh_server_t:process ptrace;
+    ')
+
+	doh_server_systemctl($1)
+	admin_pattern($1, doh_server_unit_file_t)
+	allow $1 doh_server_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+
+########################################
+## <summary>
+##      Make a TCP connection to the vault_ocsp_responder port.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`doh_server_connect',`
+        gen_require(`
+                type doh_server_port_t;
+		type $1;
+        ')
+
+        allow $1 doh_server_port_t:tcp_socket name_connect;
+')

contrib/rpm/doh_server.te

@@ -0,0 +1,42 @@
+policy_module(doh_server, 1.0.0)
+
+require {
+	class process execmem;
+	class tcp_socket { accept bind create read write getattr listen setopt connect getopt };
+	class udp_socket { connect create getattr setopt read write };
+	class file execmod;
+}
+
+type doh_server_t;
+type doh_server_exec_t;
+
+init_daemon_domain(doh_server_t, doh_server_exec_t)
+
+type doh_server_port_t;
+
+corenet_port(doh_server_port_t)
+
+type doh_server_unit_file_t;
+systemd_unit_file(doh_server_unit_file_t)
+
+allow doh_server_t self:fifo_file rw_fifo_file_perms;
+allow doh_server_t self:unix_stream_socket create_stream_socket_perms;
+allow doh_server_t self:process execmem;
+allow doh_server_t self:tcp_socket { accept read write bind create getattr listen setopt connect getopt};
+allow doh_server_t self:udp_socket { connect create getattr setopt read write };
+
+allow doh_server_t doh_server_exec_t:file execmod;
+allow doh_server_t doh_server_port_t:tcp_socket name_bind;
+
+domain_use_interactive_fds(doh_server_t)
+
+files_read_etc_files(doh_server_t)
+
+corenet_tcp_bind_generic_node(doh_server_t)
+corenet_tcp_connect_dns_port(doh_server_t)
+doh_server_connect(httpd_t)
+
+kernel_read_net_sysctls(doh_server_t)
+kernel_search_network_sysctl(doh_server_t)
+
+miscfiles_read_localization(doh_server_t)

doh-client/client.go

@@ -25,50 +25,71 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
+	"fmt"
 	"log"
 	"math/rand"
 	"net"
 	"net/http"
 	"net/http/cookiejar"
+	"net/url"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
 
-	"github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
 	"golang.org/x/net/http2"
+	"golang.org/x/net/idna"
+
+	"github.com/m13253/dns-over-https/v2/doh-client/config"
+	"github.com/m13253/dns-over-https/v2/doh-client/selector"
+	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
 )
 
 type Client struct {
-	conf                 *config
-	bootstrap            []string
-	udpServers           []*dns.Server
-	tcpServers           []*dns.Server
-	bootstrapResolver    *net.Resolver
-	cookieJar            *cookiejar.Jar
+	httpClientLastCreate time.Time
+	cookieJar            http.CookieJar
+	selector             selector.Selector
 	httpClientMux        *sync.RWMutex
+	tcpClient            *dns.Client
+	bootstrapResolver    *net.Resolver
+	udpClient            *dns.Client
+	conf                 *config.Config
 	httpTransport        *http.Transport
 	httpClient           *http.Client
-	httpClientLastCreate time.Time
+	udpServers           []*dns.Server
+	tcpServers           []*dns.Server
+	passthrough          []string
+	bootstrap            []string
 }
 
 type DNSRequest struct {
+	err               error
 	response          *http.Response
 	reply             *dns.Msg
-	udpSize           uint16
-	ednsClientAddress net.IP
-	ednsClientNetmask uint8
 	currentUpstream   string
-	err               error
+	ednsClientAddress net.IP
+	udpSize           uint16
+	ednsClientNetmask uint8
 }
 
-func NewClient(conf *config) (c *Client, err error) {
+func NewClient(conf *config.Config) (c *Client, err error) {
 	c = &Client{
 		conf: conf,
 	}
 
 	udpHandler := dns.HandlerFunc(c.udpHandlerFunc)
 	tcpHandler := dns.HandlerFunc(c.tcpHandlerFunc)
+	c.udpClient = &dns.Client{
+		Net:     "udp",
+		UDPSize: dns.DefaultMsgSize,
+		Timeout: time.Duration(conf.Other.Timeout) * time.Second,
+	}
+	c.tcpClient = &dns.Client{
+		Net:     "tcp",
+		Timeout: time.Duration(conf.Other.Timeout) * time.Second,
+	}
 	for _, addr := range conf.Listen {
 		c.udpServers = append(c.udpServers, &dns.Server{
 			Addr:    addr,
@@ -83,9 +104,9 @@ func NewClient(conf *config) (c *Client, err error) {
 		})
 	}
 	c.bootstrapResolver = net.DefaultResolver
-	if len(conf.Bootstrap) != 0 {
-		c.bootstrap = make([]string, len(conf.Bootstrap))
-		for i, bootstrap := range conf.Bootstrap {
+	if len(conf.Other.Bootstrap) != 0 {
+		c.bootstrap = make([]string, len(conf.Other.Bootstrap))
+		for i, bootstrap := range conf.Other.Bootstrap {
 			bootstrapAddr, err := net.ResolveUDPAddr("udp", bootstrap)
 			if err != nil {
 				bootstrapAddr, err = net.ResolveUDPAddr("udp", "["+bootstrap+"]:53")
@@ -105,38 +126,120 @@ func NewClient(conf *config) (c *Client, err error) {
 				return conn, err
 			},
 		}
+		if len(conf.Other.Passthrough) != 0 {
+			c.passthrough = make([]string, len(conf.Other.Passthrough))
+			for i, passthrough := range conf.Other.Passthrough {
+				if punycode, err := idna.ToASCII(passthrough); err != nil {
+					passthrough = punycode
+				}
+				c.passthrough[i] = "." + strings.ToLower(strings.Trim(passthrough, ".")) + "."
+			}
+		}
 	}
 	// Most CDNs require Cookie support to prevent DDoS attack.
 	// Disabling Cookie does not effectively prevent tracking,
 	// so I will leave it on to make anti-DDoS services happy.
-	if !c.conf.NoCookies {
+	if !c.conf.Other.NoCookies {
 		c.cookieJar, err = cookiejar.New(nil)
 		if err != nil {
 			return nil, err
 		}
+	} else {
+		c.cookieJar = nil
 	}
+
 	c.httpClientMux = new(sync.RWMutex)
 	err = c.newHTTPClient()
 	if err != nil {
 		return nil, err
 	}
+
+	switch c.conf.Upstream.UpstreamSelector {
+	case config.NginxWRR:
+		if c.conf.Other.Verbose {
+			log.Println(config.NginxWRR, "mode start")
+		}
+
+		s := selector.NewNginxWRRSelector(time.Duration(c.conf.Other.Timeout) * time.Second)
+		for _, u := range c.conf.Upstream.UpstreamGoogle {
+			if err := s.Add(u.URL, selector.Google, u.Weight); err != nil {
+				return nil, err
+			}
+		}
+
+		for _, u := range c.conf.Upstream.UpstreamIETF {
+			if err := s.Add(u.URL, selector.IETF, u.Weight); err != nil {
+				return nil, err
+			}
+		}
+
+		c.selector = s
+
+	case config.LVSWRR:
+		if c.conf.Other.Verbose {
+			log.Println(config.LVSWRR, "mode start")
+		}
+
+		s := selector.NewLVSWRRSelector(time.Duration(c.conf.Other.Timeout) * time.Second)
+		for _, u := range c.conf.Upstream.UpstreamGoogle {
+			if err := s.Add(u.URL, selector.Google, u.Weight); err != nil {
+				return nil, err
+			}
+		}
+
+		for _, u := range c.conf.Upstream.UpstreamIETF {
+			if err := s.Add(u.URL, selector.IETF, u.Weight); err != nil {
+				return nil, err
+			}
+		}
+
+		c.selector = s
+
+	default:
+		if c.conf.Other.Verbose {
+			log.Println(config.Random, "mode start")
+		}
+
+		// if selector is invalid or random, use random selector, or should we stop program and let user knows he is wrong?
+		s := selector.NewRandomSelector()
+		for _, u := range c.conf.Upstream.UpstreamGoogle {
+			if err := s.Add(u.URL, selector.Google); err != nil {
+				return nil, err
+			}
+		}
+
+		for _, u := range c.conf.Upstream.UpstreamIETF {
+			if err := s.Add(u.URL, selector.IETF); err != nil {
+				return nil, err
+			}
+		}
+
+		c.selector = s
+	}
+
+	if c.conf.Other.Verbose {
+		if reporter, ok := c.selector.(selector.DebugReporter); ok {
+			reporter.ReportWeights()
+		}
+	}
+
 	return c, nil
 }
 
 func (c *Client) newHTTPClient() error {
 	c.httpClientMux.Lock()
 	defer c.httpClientMux.Unlock()
-	if !c.httpClientLastCreate.IsZero() && time.Now().Sub(c.httpClientLastCreate) < time.Duration(c.conf.Timeout)*time.Second {
+	if !c.httpClientLastCreate.IsZero() && time.Since(c.httpClientLastCreate) < time.Duration(c.conf.Other.Timeout)*time.Second {
 		return nil
 	}
 	if c.httpTransport != nil {
 		c.httpTransport.CloseIdleConnections()
 	}
 	dialer := &net.Dialer{
-		Timeout:   time.Duration(c.conf.Timeout) * time.Second,
+		Timeout:   time.Duration(c.conf.Other.Timeout) * time.Second,
 		KeepAlive: 30 * time.Second,
-		DualStack: true,
-		Resolver:  c.bootstrapResolver,
+		// DualStack: true,
+		Resolver: c.bootstrapResolver,
 	}
 	c.httpTransport = &http.Transport{
 		DialContext:           dialer.DialContext,
@@ -145,10 +248,10 @@ func (c *Client) newHTTPClient() error {
 		MaxIdleConns:          100,
 		MaxIdleConnsPerHost:   10,
 		Proxy:                 http.ProxyFromEnvironment,
-		ResponseHeaderTimeout: time.Duration(c.conf.Timeout) * time.Second,
-		TLSHandshakeTimeout:   time.Duration(c.conf.Timeout) * time.Second,
+		TLSHandshakeTimeout:   time.Duration(c.conf.Other.Timeout) * time.Second,
+		TLSClientConfig:       &tls.Config{InsecureSkipVerify: c.conf.Other.TLSInsecureSkipVerify},
 	}
-	if c.conf.NoIPv6 {
+	if c.conf.Other.NoIPv6 {
 		c.httpTransport.DialContext = func(ctx context.Context, network, address string) (net.Conn, error) {
 			if strings.HasPrefix(network, "tcp") {
 				network = "tcp4"
@@ -180,6 +283,9 @@ func (c *Client) Start() error {
 		}(srv)
 	}
 
+	// start evaluation loop
+	c.selector.StartEvaluate()
+
 	for i := 0; i < cap(results); i++ {
 		err := <-results
 		if err != nil {
@@ -187,65 +293,152 @@ func (c *Client) Start() error {
 		}
 	}
 	close(results)
+
 	return nil
 }
 
 func (c *Client) handlerFunc(w dns.ResponseWriter, r *dns.Msg, isTCP bool) {
-	if r.Response == true {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Duration(c.conf.Other.Timeout)*time.Second)
+	defer cancel()
+
+	if r.Response {
 		log.Println("Received a response packet")
 		return
 	}
 
-	requestType := ""
-	if len(c.conf.UpstreamIETF) == 0 {
-		requestType = "application/dns-json"
-	} else if len(c.conf.UpstreamGoogle) == 0 {
-		requestType = "application/dns-message"
+	if len(r.Question) != 1 {
+		log.Println("Number of questions is not 1")
+		reply := jsondns.PrepareReply(r)
+		reply.Rcode = dns.RcodeFormatError
+		w.WriteMsg(reply)
+		return
+	}
+	question := &r.Question[0]
+	questionName := question.Name
+	questionClass := ""
+	if qclass, ok := dns.ClassToString[question.Qclass]; ok {
+		questionClass = qclass
 	} else {
-		numServers := len(c.conf.UpstreamGoogle) + len(c.conf.UpstreamIETF)
-		random := rand.Intn(numServers)
-		if random < len(c.conf.UpstreamGoogle) {
-			requestType = "application/dns-json"
-		} else {
-			requestType = "application/dns-message"
+		questionClass = strconv.FormatUint(uint64(question.Qclass), 10)
+	}
+	questionType := ""
+	if qtype, ok := dns.TypeToString[question.Qtype]; ok {
+		questionType = qtype
+	} else {
+		questionType = strconv.FormatUint(uint64(question.Qtype), 10)
+	}
+	if c.conf.Other.Verbose {
+		fmt.Printf("%s - - [%s] \"%s %s %s\"\n", w.RemoteAddr(), time.Now().Format("02/Jan/2006:15:04:05 -0700"), questionName, questionClass, questionType)
+	}
+
+	shouldPassthrough := false
+	passthroughQuestionName := questionName
+	if punycode, err := idna.ToASCII(passthroughQuestionName); err != nil {
+		passthroughQuestionName = punycode
+	}
+	passthroughQuestionName = "." + strings.ToLower(strings.Trim(passthroughQuestionName, ".")) + "."
+	for _, passthrough := range c.passthrough {
+		if strings.HasSuffix(passthroughQuestionName, passthrough) {
+			shouldPassthrough = true
+			break
 		}
 	}
+	if shouldPassthrough {
+		numServers := len(c.bootstrap)
+		upstream := c.bootstrap[rand.Intn(numServers)]
+		log.Printf("Request \"%s %s %s\" is passed through %s.\n", questionName, questionClass, questionType, upstream)
+		var reply *dns.Msg
+		var err error
+		if !isTCP {
+			reply, _, err = c.udpClient.Exchange(r, upstream)
+		} else {
+			reply, _, err = c.tcpClient.Exchange(r, upstream)
+		}
+		if err == nil {
+			w.WriteMsg(reply)
+			return
+		}
+		log.Println(err)
+		reply = jsondns.PrepareReply(r)
+		reply.Rcode = dns.RcodeServerFailure
+		w.WriteMsg(reply)
+		return
+	}
+
+	upstream := c.selector.Get()
+	requestType := upstream.RequestType
+
+	if c.conf.Other.Verbose {
+		log.Println("choose upstream:", upstream)
+	}
 
 	var req *DNSRequest
-	if requestType == "application/dns-json" {
-		req = c.generateRequestGoogle(w, r, isTCP)
-	} else if requestType == "application/dns-message" {
-		req = c.generateRequestIETF(w, r, isTCP)
-	} else {
+	switch requestType {
+	case "application/dns-json":
+		req = c.generateRequestGoogle(ctx, w, r, isTCP, upstream)
+
+	case "application/dns-message":
+		req = c.generateRequestIETF(ctx, w, r, isTCP, upstream)
+
+	default:
 		panic("Unknown request Content-Type")
 	}
 
 	if req.err != nil {
+		if urlErr, ok := req.err.(*url.Error); ok {
+			// should we only check timeout?
+			if urlErr.Timeout() {
+				c.selector.ReportUpstreamStatus(upstream, selector.Timeout)
+			}
+		}
+
 		return
 	}
 
-	contentType := ""
-	candidateType := strings.SplitN(req.response.Header.Get("Content-Type"), ";", 2)[0]
-	if candidateType == "application/json" {
-		contentType = "application/json"
-	} else if candidateType == "application/dns-message" {
-		contentType = "application/dns-message"
-	} else if candidateType == "application/dns-udpwireformat" {
-		contentType = "application/dns-message"
-	} else {
-		if requestType == "application/dns-json" {
-			contentType = "application/json"
-		} else if requestType == "application/dns-message" {
-			contentType = "application/dns-message"
+	// if req.err == nil, req.response != nil
+	defer req.response.Body.Close()
+
+	for _, header := range c.conf.Other.DebugHTTPHeaders {
+		if value := req.response.Header.Get(header); value != "" {
+			log.Printf("%s: %s\n", header, value)
 		}
 	}
 
-	if contentType == "application/json" {
-		c.parseResponseGoogle(w, r, isTCP, req)
-	} else if contentType == "application/dns-message" {
-		c.parseResponseIETF(w, r, isTCP, req)
-	} else {
-		panic("Unknown response Content-Type")
+	candidateType := strings.SplitN(req.response.Header.Get("Content-Type"), ";", 2)[0]
+
+	switch candidateType {
+	case "application/json":
+		c.parseResponseGoogle(ctx, w, r, isTCP, req)
+
+	case "application/dns-message", "application/dns-udpwireformat":
+		c.parseResponseIETF(ctx, w, r, isTCP, req)
+
+	default:
+		switch requestType {
+		case "application/dns-json":
+			c.parseResponseGoogle(ctx, w, r, isTCP, req)
+
+		case "application/dns-message":
+			c.parseResponseIETF(ctx, w, r, isTCP, req)
+
+		default:
+			panic("Unknown response Content-Type")
+		}
+	}
+
+	// https://developers.cloudflare.com/1.1.1.1/dns-over-https/request-structure/ says
+	// returns code will be 200 / 400 / 413 / 415 / 504, some server will return 503, so
+	// I think if status code is 5xx, upstream must have some problems
+	/*if req.response.StatusCode/100 == 5 {
+		c.selector.ReportUpstreamStatus(upstream, selector.Medium)
+	}*/
+
+	switch req.response.StatusCode / 100 {
+	case 5:
+		c.selector.ReportUpstreamStatus(upstream, selector.Error)
+
+	case 2:
+		c.selector.ReportUpstreamStatus(upstream, selector.OK)
 	}
 }
 
@@ -259,12 +452,12 @@ func (c *Client) tcpHandlerFunc(w dns.ResponseWriter, r *dns.Msg) {
 
 var (
 	ipv4Mask24 = net.IPMask{255, 255, 255, 0}
-	ipv6Mask48 = net.CIDRMask(48, 128)
+	ipv6Mask56 = net.CIDRMask(56, 128)
 )
 
 func (c *Client) findClientIP(w dns.ResponseWriter, r *dns.Msg) (ednsClientAddress net.IP, ednsClientNetmask uint8) {
 	ednsClientNetmask = 255
-	if c.conf.NoECS {
+	if c.conf.Other.NoECS {
 		return net.IPv4(0, 0, 0, 0), 0
 	}
 	if opt := r.IsEdns0(); opt != nil {
@@ -281,13 +474,13 @@ func (c *Client) findClientIP(w dns.ResponseWriter, r *dns.Msg) (ednsClientAddre
 	if err != nil {
 		return
 	}
-	if ip := remoteAddr.IP; jsonDNS.IsGlobalIP(ip) {
+	if ip := remoteAddr.IP; jsondns.IsGlobalIP(ip) {
 		if ipv4 := ip.To4(); ipv4 != nil {
 			ednsClientAddress = ipv4.Mask(ipv4Mask24)
 			ednsClientNetmask = 24
 		} else {
-			ednsClientAddress = ip.Mask(ipv6Mask48)
-			ednsClientNetmask = 48
+			ednsClientAddress = ip.Mask(ipv6Mask56)
+			ednsClientNetmask = 56
 		}
 	}
 	return

doh-client/config/config.go

@@ -21,7 +21,7 @@
    DEALINGS IN THE SOFTWARE.
 */
 
-package main
+package config
 
 import (
 	"fmt"
@@ -29,20 +29,44 @@ import (
 	"github.com/BurntSushi/toml"
 )
 
-type config struct {
-	Listen         []string `toml:"listen"`
-	UpstreamGoogle []string `toml:"upstream_google"`
-	UpstreamIETF   []string `toml:"upstream_ietf"`
-	Bootstrap      []string `toml:"bootstrap"`
-	Timeout        uint     `toml:"timeout"`
-	NoCookies      bool     `toml:"no_cookies"`
-	NoECS          bool     `toml:"no_ecs"`
-	NoIPv6         bool     `toml:"no_ipv6"`
-	Verbose        bool     `toml:"verbose"`
+const (
+	Random   = "random"
+	NginxWRR = "weighted_round_robin"
+	LVSWRR   = "lvs_weighted_round_robin"
+)
+
+type upstreamDetail struct {
+	URL    string `toml:"url"`
+	Weight int32  `toml:"weight"`
 }
 
-func loadConfig(path string) (*config, error) {
-	conf := &config{}
+type upstream struct {
+	UpstreamGoogle   []upstreamDetail `toml:"upstream_google"`
+	UpstreamIETF     []upstreamDetail `toml:"upstream_ietf"`
+	UpstreamSelector string           `toml:"upstream_selector"` // usable: random or weighted_random
+}
+
+type others struct {
+	Bootstrap             []string `toml:"bootstrap"`
+	Passthrough           []string `toml:"passthrough"`
+	Timeout               uint     `toml:"timeout"`
+	NoCookies             bool     `toml:"no_cookies"`
+	NoECS                 bool     `toml:"no_ecs"`
+	NoIPv6                bool     `toml:"no_ipv6"`
+	NoUserAgent           bool     `toml:"no_user_agent"`
+	Verbose               bool     `toml:"verbose"`
+	DebugHTTPHeaders      []string `toml:"debug_http_headers"`
+	TLSInsecureSkipVerify bool     `toml:"insecure_tls_skip_verify"`
+}
+
+type Config struct {
+	Listen   []string `toml:"listen"`
+	Upstream upstream `toml:"upstream"`
+	Other    others   `toml:"others"`
+}
+
+func LoadConfig(path string) (*Config, error) {
+	conf := &Config{}
 	metaData, err := toml.DecodeFile(path, conf)
 	if err != nil {
 		return nil, err
@@ -54,11 +78,15 @@ func loadConfig(path string) (*config, error) {
 	if len(conf.Listen) == 0 {
 		conf.Listen = []string{"127.0.0.1:53", "[::1]:53"}
 	}
-	if len(conf.UpstreamGoogle) == 0 && len(conf.UpstreamIETF) == 0 {
-		conf.UpstreamGoogle = []string{"https://dns.google.com/resolve"}
+	if len(conf.Upstream.UpstreamGoogle) == 0 && len(conf.Upstream.UpstreamIETF) == 0 {
+		conf.Upstream.UpstreamGoogle = []upstreamDetail{{URL: "https://dns.google.com/resolve", Weight: 50}}
 	}
-	if conf.Timeout == 0 {
-		conf.Timeout = 10
+	if conf.Other.Timeout == 0 {
+		conf.Other.Timeout = 10
+	}
+
+	if conf.Upstream.UpstreamSelector == "" {
+		conf.Upstream.UpstreamSelector = Random
 	}
 
 	return conf, nil

doh-client/doh-client.conf

@@ -1,44 +1,62 @@
 # DNS listen port
 listen = [
     "127.0.0.1:53",
+    "127.0.0.1:5380",
     "[::1]:53",
+    "[::1]:5380",
+
+    ## To listen on both 0.0.0.0:53 and [::]:53, use the following line
+    # ":53",
 ]
 
 # HTTP path for upstream resolver
-# If multiple servers are specified, a random one will be chosen each time.
-upstream_google = [
 
-    # Google's productive resolver, good ECS, bad DNSSEC
-    "https://dns.google.com/resolve",
+[upstream]
 
-    # CloudFlare's resolver, bad ECS, good DNSSEC
-    #"https://cloudflare-dns.com/dns-query",
-    #"https://1.1.1.1/dns-query",
-    #"https://1.0.0.1/dns-query",
+# available selector: random or weighted_round_robin or lvs_weighted_round_robin
+upstream_selector = "random"
 
-    # CloudFlare's resolver for Tor, available only with Tor
-    # Remember to disable ECS below when using Tor!
-    # Blog: https://blog.cloudflare.com/welcome-hidden-resolver/
-    #"https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/dns-query",
+# weight should in (0, 100], if upstream_selector is random, weight will be ignored
 
-]
-upstream_ietf = [
+## Google's resolver, good ECS, good DNSSEC
+#[[upstream.upstream_ietf]]
+#    url = "https://dns.google/dns-query"
+#    weight = 50
 
-    # Google's experimental resolver, good ECS, good DNSSEC
-    #"https://dns.google.com/experimental",
+## CloudFlare's resolver, bad ECS, good DNSSEC
+## ECS is disabled for privacy by design: https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details/#edns-client-subnet
+[[upstream.upstream_ietf]]
+    url = "https://cloudflare-dns.com/dns-query"
+    weight = 50
 
-    # CloudFlare's resolver, bad ECS, good DNSSEC
-    #"https://cloudflare-dns.com/dns-query",
-    #"https://1.1.1.1/dns-query",
-    #"https://1.0.0.1/dns-query",
+## CloudFlare's resolver, bad ECS, good DNSSEC
+## ECS is disabled for privacy by design: https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details/#edns-client-subnet
+## Note that some ISPs have problems connecting to 1.1.1.1, try 1.0.0.1 if problems happen.
+#[[upstream.upstream_ietf]]
+#    url = "https://1.1.1.1/dns-query"
+#    weight = 50
 
-    # CloudFlare's resolver for Tor, available only with Tor
-    # Remember to disable ECS below when using Tor!
-    # Blog: https://blog.cloudflare.com/welcome-hidden-resolver/
-    #"https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/dns-query",
+## DNS.SB's resolver, good ECS, good DNSSEC
+## The provider claims no logging: https://dns.sb/doh/
+#[[upstream.upstream_ietf]]
+#    url = "https://doh.dns.sb/dns-query"
+#    weight = 50
 
-]
+## Quad9's resolver, bad ECS, good DNSSEC
+## ECS is disabled for privacy by design: https://www.quad9.net/faq/#What_is_EDNS_Client-Subnet
+#[[upstream.upstream_ietf]]
+#    url = "https://9.9.9.9/dns-query"
+#    weight = 50
 
+## CloudFlare's resolver for Tor, available only with Tor
+## Remember to disable ECS below when using Tor!
+## Blog: https://blog.cloudflare.com/welcome-hidden-resolver/
+#[[upstream.upstream_ietf]]
+#    url = "https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/dns-query"
+#    weight = 50
+
+
+[others]
 # Bootstrap DNS server to resolve the address of the upstream resolver
 # If multiple servers are specified, a random one will be chosen each time.
 # If empty, use the system DNS settings.
@@ -46,7 +64,7 @@ upstream_ietf = [
 # bootstrap server, please make this list empty.
 bootstrap = [
 
-    # Google's resolver, bad ECS, good DNSSEC
+    # Google's resolver, good ECS, good DNSSEC
     "8.8.8.8:53",
     "8.8.4.4:53",
 
@@ -56,7 +74,25 @@ bootstrap = [
 
 ]
 
-# Timeout for upstream request
+# The domain names here are directly passed to bootstrap servers listed above,
+# allowing captive portal detection and systems without RTC to work.
+# Only effective if at least one bootstrap server is configured.
+passthrough = [
+    "captive.apple.com",
+    "connectivitycheck.gstatic.com",
+    "detectportal.firefox.com",
+    "msftconnecttest.com",
+    "nmcheck.gnome.org",
+
+    "pool.ntp.org",
+    "time.apple.com",
+    "time.asia.apple.com",
+    "time.euro.apple.com",
+    "time.nist.gov",
+    "time.windows.com",
+]
+
+# Timeout for upstream request in seconds
 timeout = 30
 
 # Disable HTTP Cookies
@@ -65,12 +101,12 @@ timeout = 30
 # anti-DDoS services to identify clients.
 # Note that DNS Cookies (an DNS protocol extension to DNS) also has the ability
 # to track uesrs and is not controlled by doh-client.
-no_cookies = false
+no_cookies = true
 
 # Disable EDNS0-Client-Subnet (ECS)
 #
 # DNS-over-HTTPS supports EDNS0-Client-Subnet protocol, which submits part of
-# the client's IP address (/24 for IPv4, /48 for IPv6 by default) to the
+# the client's IP address (/24 for IPv4, /56 for IPv6 by default) to the
 # upstream server. This is useful for GeoDNS and CDNs to work, and is exactly
 # the same configuration as most public DNS servers.
 no_ecs = false
@@ -83,5 +119,22 @@ no_ecs = false
 # Note that DNS listening and bootstrapping is not controlled by this option.
 no_ipv6 = false
 
+# Disable submitting User-Agent
+#
+# It is generally not recommended to disable submitting User-Agent because it
+# is still possible to probe client version according to behavior differences,
+# such as TLS handshaking, handling of malformed packets, and specific bugs.
+# Additionally, User-Agent is an important way for the server to distinguish
+# buggy, old, or insecure clients, and to workaround specific bugs.
+# (e.g. doh-server can detect and workaround certain issues of DNSCrypt-Proxy
+# and older Firefox.)
+no_user_agent = false
+
 # Enable logging
 verbose = false
+
+# insecure_tls_skip_verification will disable necessary TLS security verification.
+# This option is designed for testing or development purposes,
+# turning on this option on public Internet may cause your connection
+# vulnerable to MITM attack.
+insecure_tls_skip_verify = false

doh-client/google.go

@@ -24,49 +24,42 @@
 package main
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"log"
-	"math/rand"
 	"net/http"
 	"net/url"
 	"strconv"
 	"strings"
-	"time"
 
-	"github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
+
+	"github.com/m13253/dns-over-https/v2/doh-client/selector"
+	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
 )
 
-func (c *Client) generateRequestGoogle(w dns.ResponseWriter, r *dns.Msg, isTCP bool) *DNSRequest {
-	reply := jsonDNS.PrepareReply(r)
-
-	if len(r.Question) != 1 {
-		log.Println("Number of questions is not 1")
-		reply.Rcode = dns.RcodeFormatError
+func (c *Client) generateRequestGoogle(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, isTCP bool, upstream *selector.Upstream) *DNSRequest {
+	question := &r.Question[0]
+	questionName := question.Name
+	questionClass := question.Qclass
+	if questionClass != dns.ClassINET {
+		reply := jsondns.PrepareReply(r)
+		reply.Rcode = dns.RcodeRefused
 		w.WriteMsg(reply)
 		return &DNSRequest{
 			err: &dns.Error{},
 		}
 	}
-	question := &r.Question[0]
-	// knot-resolver scrambles capitalization, I think it is unfriendly to cache
-	questionName := strings.ToLower(question.Name)
 	questionType := ""
 	if qtype, ok := dns.TypeToString[question.Qtype]; ok {
 		questionType = qtype
 	} else {
-		questionType = strconv.Itoa(int(question.Qtype))
+		questionType = strconv.FormatUint(uint64(question.Qtype), 10)
 	}
 
-	if c.conf.Verbose {
-		fmt.Printf("%s - - [%s] \"%s IN %s\"\n", w.RemoteAddr(), time.Now().Format("02/Jan/2006:15:04:05 -0700"), questionName, questionType)
-	}
-
-	numServers := len(c.conf.UpstreamGoogle)
-	upstream := c.conf.UpstreamGoogle[rand.Intn(numServers)]
-	requestURL := fmt.Sprintf("%s?ct=application/dns-json&name=%s&type=%s", upstream, url.QueryEscape(questionName), url.QueryEscape(questionType))
+	requestURL := fmt.Sprintf("%s?ct=application/dns-json&name=%s&type=%s", upstream.URL, url.QueryEscape(questionName), url.QueryEscape(questionType))
 
 	if r.CheckingDisabled {
 		requestURL += "&cd=1"
@@ -75,6 +68,9 @@ func (c *Client) generateRequestGoogle(w dns.ResponseWriter, r *dns.Msg, isTCP b
 	udpSize := uint16(512)
 	if opt := r.IsEdns0(); opt != nil {
 		udpSize = opt.UDPSize()
+		if opt.Do() {
+			requestURL += "&do=1"
+		}
 	}
 
 	ednsClientAddress, ednsClientNetmask := c.findClientIP(w, r)
@@ -82,28 +78,43 @@ func (c *Client) generateRequestGoogle(w dns.ResponseWriter, r *dns.Msg, isTCP b
 		requestURL += fmt.Sprintf("&edns_client_subnet=%s/%d", ednsClientAddress.String(), ednsClientNetmask)
 	}
 
-	req, err := http.NewRequest("GET", requestURL, nil)
+	req, err := http.NewRequest(http.MethodGet, requestURL, http.NoBody)
 	if err != nil {
 		log.Println(err)
+		reply := jsondns.PrepareReply(r)
 		reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(reply)
 		return &DNSRequest{
 			err: err,
 		}
 	}
+
 	req.Header.Set("Accept", "application/json, application/dns-message, application/dns-udpwireformat")
-	req.Header.Set("User-Agent", USER_AGENT)
+	if !c.conf.Other.NoUserAgent {
+		req.Header.Set("User-Agent", USER_AGENT)
+	} else {
+		req.Header.Set("User-Agent", "")
+	}
+	req = req.WithContext(ctx)
+
 	c.httpClientMux.RLock()
 	resp, err := c.httpClient.Do(req)
 	c.httpClientMux.RUnlock()
+
+	// if http Client.Do returns non-nil error, it always *url.Error
+	/*if err == context.DeadlineExceeded {
+		// Do not respond, silently fail to prevent caching of SERVFAIL
+		log.Println(err)
+		return &DNSRequest{
+			err: err,
+		}
+	}*/
+
 	if err != nil {
 		log.Println(err)
+		reply := jsondns.PrepareReply(r)
 		reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(reply)
-		err1 := c.newHTTPClient()
-		if err1 != nil {
-			log.Fatalln(err1)
-		}
 		return &DNSRequest{
 			err: err,
 		}
@@ -111,16 +122,16 @@ func (c *Client) generateRequestGoogle(w dns.ResponseWriter, r *dns.Msg, isTCP b
 
 	return &DNSRequest{
 		response:          resp,
-		reply:             reply,
+		reply:             jsondns.PrepareReply(r),
 		udpSize:           udpSize,
 		ednsClientAddress: ednsClientAddress,
 		ednsClientNetmask: ednsClientNetmask,
-		currentUpstream:   upstream,
+		currentUpstream:   upstream.URL,
 	}
 }
 
-func (c *Client) parseResponseGoogle(w dns.ResponseWriter, r *dns.Msg, isTCP bool, req *DNSRequest) {
-	if req.response.StatusCode != 200 {
+func (c *Client) parseResponseGoogle(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, isTCP bool, req *DNSRequest) {
+	if req.response.StatusCode != http.StatusOK {
 		log.Printf("HTTP error from upstream %s: %s\n", req.currentUpstream, req.response.Status)
 		req.reply.Rcode = dns.RcodeServerFailure
 		contentType := req.response.Header.Get("Content-Type")
@@ -130,7 +141,7 @@ func (c *Client) parseResponseGoogle(w dns.ResponseWriter, r *dns.Msg, isTCP boo
 		}
 	}
 
-	body, err := ioutil.ReadAll(req.response.Body)
+	body, err := io.ReadAll(req.response.Body)
 	if err != nil {
 		log.Println(err)
 		req.reply.Rcode = dns.RcodeServerFailure
@@ -138,7 +149,7 @@ func (c *Client) parseResponseGoogle(w dns.ResponseWriter, r *dns.Msg, isTCP boo
 		return
 	}
 
-	var respJSON jsonDNS.Response
+	var respJSON jsondns.Response
 	err = json.Unmarshal(body, &respJSON)
 	if err != nil {
 		log.Println(err)
@@ -150,8 +161,14 @@ func (c *Client) parseResponseGoogle(w dns.ResponseWriter, r *dns.Msg, isTCP boo
 	if respJSON.Status != dns.RcodeSuccess && respJSON.Comment != "" {
 		log.Printf("DNS error: %s\n", respJSON.Comment)
 	}
+	fixEmptyNames(&respJSON)
 
-	fullReply := jsonDNS.Unmarshal(req.reply, &respJSON, req.udpSize, req.ednsClientNetmask)
+	fullReply := jsondns.Unmarshal(req.reply, &respJSON, req.udpSize, req.ednsClientNetmask)
+	if isTCP {
+		fullReply.Truncate(dns.MaxMsgSize)
+	} else {
+		fullReply.Truncate(int(req.udpSize))
+	}
 	buf, err := fullReply.Pack()
 	if err != nil {
 		log.Println(err)
@@ -159,14 +176,21 @@ func (c *Client) parseResponseGoogle(w dns.ResponseWriter, r *dns.Msg, isTCP boo
 		w.WriteMsg(req.reply)
 		return
 	}
-	if !isTCP && len(buf) > int(req.udpSize) {
-		fullReply.Truncated = true
-		buf, err = fullReply.Pack()
-		if err != nil {
-			log.Println(err)
-			return
-		}
-		buf = buf[:req.udpSize]
-	}
 	w.Write(buf)
 }
+
+// Fix DNS response empty []RR.Name
+// Additional section won't be rectified
+// see: https://stackoverflow.com/questions/52136176/what-is-additional-section-in-dns-and-how-it-works
+func fixEmptyNames(respJSON *jsondns.Response) {
+	for i := range respJSON.Answer {
+		if respJSON.Answer[i].Name == "" {
+			respJSON.Answer[i].Name = "."
+		}
+	}
+	for i := range respJSON.Authority {
+		if respJSON.Authority[i].Name == "" {
+			respJSON.Authority[i].Name = "."
+		}
+	}
+}

doh-client/ietf.go

@@ -25,48 +25,23 @@ package main
 
 import (
 	"bytes"
+	"context"
 	"encoding/base64"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"log"
-	"math/rand"
 	"net"
 	"net/http"
-	"strconv"
 	"strings"
 	"time"
 
-	"github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
+
+	"github.com/m13253/dns-over-https/v2/doh-client/selector"
+	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
 )
 
-func (c *Client) generateRequestIETF(w dns.ResponseWriter, r *dns.Msg, isTCP bool) *DNSRequest {
-	reply := jsonDNS.PrepareReply(r)
-
-	if len(r.Question) != 1 {
-		log.Println("Number of questions is not 1")
-		reply.Rcode = dns.RcodeFormatError
-		w.WriteMsg(reply)
-		return &DNSRequest{
-			err: &dns.Error{},
-		}
-	}
-
-	question := &r.Question[0]
-	// knot-resolver scrambles capitalization, I think it is unfriendly to cache
-	questionName := strings.ToLower(question.Name)
-	questionType := ""
-	if qtype, ok := dns.TypeToString[question.Qtype]; ok {
-		questionType = qtype
-	} else {
-		questionType = strconv.Itoa(int(question.Qtype))
-	}
-
-	if c.conf.Verbose {
-		fmt.Printf("%s - - [%s] \"%s IN %s\"\n", w.RemoteAddr(), time.Now().Format("02/Jan/2006:15:04:05 -0700"), questionName, questionType)
-	}
-
-	question.Name = questionName
+func (c *Client) generateRequestIETF(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, isTCP bool, upstream *selector.Upstream) *DNSRequest {
 	opt := r.IsEdns0()
 	udpSize := uint16(512)
 	if opt == nil {
@@ -97,7 +72,7 @@ func (c *Client) generateRequestIETF(w dns.ResponseWriter, r *dns.Msg, isTCP boo
 				ednsClientNetmask = 24
 			} else {
 				ednsClientFamily = 2
-				ednsClientNetmask = 48
+				ednsClientNetmask = 56
 			}
 			edns0Subnet = new(dns.EDNS0_SUBNET)
 			edns0Subnet.Code = dns.EDNS0SUBNET
@@ -116,6 +91,7 @@ func (c *Client) generateRequestIETF(w dns.ResponseWriter, r *dns.Msg, isTCP boo
 	requestBinary, err := r.Pack()
 	if err != nil {
 		log.Println(err)
+		reply := jsondns.PrepareReply(r)
 		reply.Rcode = dns.RcodeFormatError
 		w.WriteMsg(reply)
 		return &DNSRequest{
@@ -125,26 +101,27 @@ func (c *Client) generateRequestIETF(w dns.ResponseWriter, r *dns.Msg, isTCP boo
 	r.Id = requestID
 	requestBase64 := base64.RawURLEncoding.EncodeToString(requestBinary)
 
-	numServers := len(c.conf.UpstreamIETF)
-	upstream := c.conf.UpstreamIETF[rand.Intn(numServers)]
-	requestURL := fmt.Sprintf("%s?ct=application/dns-udpwireformat&dns=%s", upstream, requestBase64)
-	//requestURL := fmt.Sprintf("%s?ct=application/dns-message&dns=%s", upstream, requestBase64)
+	requestURL := fmt.Sprintf("%s?ct=application/dns-message&dns=%s", upstream.URL, requestBase64)
 
 	var req *http.Request
 	if len(requestURL) < 2048 {
-		req, err = http.NewRequest("GET", requestURL, nil)
+		req, err = http.NewRequest(http.MethodGet, requestURL, http.NoBody)
 		if err != nil {
-			// Do not respond, silently fail to prevent caching of SERVFAIL
 			log.Println(err)
+			reply := jsondns.PrepareReply(r)
+			reply.Rcode = dns.RcodeServerFailure
+			w.WriteMsg(reply)
 			return &DNSRequest{
 				err: err,
 			}
 		}
 	} else {
-		req, err = http.NewRequest("POST", upstream, bytes.NewReader(requestBinary))
+		req, err = http.NewRequest(http.MethodPost, upstream.URL, bytes.NewReader(requestBinary))
 		if err != nil {
-			// Do not respond, silently fail to prevent caching of SERVFAIL
 			log.Println(err)
+			reply := jsondns.PrepareReply(r)
+			reply.Rcode = dns.RcodeServerFailure
+			w.WriteMsg(reply)
 			return &DNSRequest{
 				err: err,
 			}
@@ -152,18 +129,30 @@ func (c *Client) generateRequestIETF(w dns.ResponseWriter, r *dns.Msg, isTCP boo
 		req.Header.Set("Content-Type", "application/dns-message")
 	}
 	req.Header.Set("Accept", "application/dns-message, application/dns-udpwireformat, application/json")
-	req.Header.Set("User-Agent", USER_AGENT)
+	if !c.conf.Other.NoUserAgent {
+		req.Header.Set("User-Agent", USER_AGENT)
+	} else {
+		req.Header.Set("User-Agent", "")
+	}
+	req = req.WithContext(ctx)
 	c.httpClientMux.RLock()
 	resp, err := c.httpClient.Do(req)
 	c.httpClientMux.RUnlock()
+
+	// if http Client.Do returns non-nil error, it always *url.Error
+	/*if err == context.DeadlineExceeded {
+		// Do not respond, silently fail to prevent caching of SERVFAIL
+		log.Println(err)
+		return &DNSRequest{
+			err: err,
+		}
+	}*/
+
 	if err != nil {
 		log.Println(err)
+		reply := jsondns.PrepareReply(r)
 		reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(reply)
-		err1 := c.newHTTPClient()
-		if err1 != nil {
-			log.Fatalln(err1)
-		}
 		return &DNSRequest{
 			err: err,
 		}
@@ -171,16 +160,16 @@ func (c *Client) generateRequestIETF(w dns.ResponseWriter, r *dns.Msg, isTCP boo
 
 	return &DNSRequest{
 		response:          resp,
-		reply:             reply,
+		reply:             jsondns.PrepareReply(r),
 		udpSize:           udpSize,
 		ednsClientAddress: ednsClientAddress,
 		ednsClientNetmask: ednsClientNetmask,
-		currentUpstream:   upstream,
+		currentUpstream:   upstream.URL,
 	}
 }
 
-func (c *Client) parseResponseIETF(w dns.ResponseWriter, r *dns.Msg, isTCP bool, req *DNSRequest) {
-	if req.response.StatusCode != 200 {
+func (c *Client) parseResponseIETF(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, isTCP bool, req *DNSRequest) {
+	if req.response.StatusCode != http.StatusOK {
 		log.Printf("HTTP error from upstream %s: %s\n", req.currentUpstream, req.response.Status)
 		req.reply.Rcode = dns.RcodeServerFailure
 		contentType := req.response.Header.Get("Content-Type")
@@ -190,9 +179,9 @@ func (c *Client) parseResponseIETF(w dns.ResponseWriter, r *dns.Msg, isTCP bool,
 		}
 	}
 
-	body, err := ioutil.ReadAll(req.response.Body)
+	body, err := io.ReadAll(req.response.Body)
 	if err != nil {
-		log.Println(err)
+		log.Printf("read error from upstream %s: %v\n", req.currentUpstream, err)
 		req.reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(req.reply)
 		return
@@ -203,7 +192,7 @@ func (c *Client) parseResponseIETF(w dns.ResponseWriter, r *dns.Msg, isTCP bool,
 		if nowDate, err := time.Parse(http.TimeFormat, headerNow); err == nil {
 			now = nowDate
 		} else {
-			log.Println(err)
+			log.Printf("Date header parse error from upstream %s: %v\n", req.currentUpstream, err)
 		}
 	}
 	headerLastModified := req.response.Header.Get("Last-Modified")
@@ -212,7 +201,7 @@ func (c *Client) parseResponseIETF(w dns.ResponseWriter, r *dns.Msg, isTCP bool,
 		if lastModifiedDate, err := time.Parse(http.TimeFormat, headerLastModified); err == nil {
 			lastModified = lastModifiedDate
 		} else {
-			log.Println(err)
+			log.Printf("Last-Modified header parse error from upstream %s: %v\n", req.currentUpstream, err)
 		}
 	}
 	timeDelta := now.Sub(lastModified)
@@ -223,7 +212,7 @@ func (c *Client) parseResponseIETF(w dns.ResponseWriter, r *dns.Msg, isTCP bool,
 	fullReply := new(dns.Msg)
 	err = fullReply.Unpack(body)
 	if err != nil {
-		log.Println(err)
+		log.Printf("unpacking error from upstream %s: %v\n", req.currentUpstream, err)
 		req.reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(req.reply)
 		return
@@ -243,23 +232,22 @@ func (c *Client) parseResponseIETF(w dns.ResponseWriter, r *dns.Msg, isTCP bool,
 		_ = fixRecordTTL(rr, timeDelta)
 	}
 
+	if isTCP {
+		fullReply.Truncate(dns.MaxMsgSize)
+	} else {
+		fullReply.Truncate(int(req.udpSize))
+	}
 	buf, err := fullReply.Pack()
 	if err != nil {
-		log.Println(err)
+		log.Printf("packing error with upstream %s: %v\n", req.currentUpstream, err)
 		req.reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(req.reply)
 		return
 	}
-	if !isTCP && len(buf) > int(req.udpSize) {
-		fullReply.Truncated = true
-		buf, err = fullReply.Pack()
-		if err != nil {
-			log.Println(err)
-			return
-		}
-		buf = buf[:req.udpSize]
+	_, err = w.Write(buf)
+	if err != nil {
+		log.Printf("failed to write to client: %v\n", err)
 	}
-	w.Write(buf)
 }
 
 func fixRecordTTL(rr dns.RR, delta time.Duration) dns.RR {

doh-client/main.go

@@ -25,21 +25,89 @@ package main
 
 import (
 	"flag"
+	"fmt"
 	"log"
+	"os"
+	"runtime"
+	"strconv"
+
+	"github.com/m13253/dns-over-https/v2/doh-client/config"
 )
 
+func checkPIDFile(pidFile string) (bool, error) {
+retry:
+	f, err := os.OpenFile(pidFile, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o666)
+	if os.IsExist(err) {
+		pidStr, err := os.ReadFile(pidFile)
+		if err != nil {
+			return false, err
+		}
+		pid, err := strconv.ParseUint(string(pidStr), 10, 0)
+		if err != nil {
+			return false, err
+		}
+		_, err = os.Stat(fmt.Sprintf("/proc/%d", pid))
+		if os.IsNotExist(err) {
+			err = os.Remove(pidFile)
+			if err != nil {
+				return false, err
+			}
+			goto retry
+		} else if err != nil {
+			return false, err
+		}
+		log.Printf("Already running on PID %d, exiting.\n", pid)
+		return false, nil
+	} else if err != nil {
+		return false, err
+	}
+	defer f.Close()
+	_, err = f.WriteString(strconv.FormatInt(int64(os.Getpid()), 10))
+	if err != nil {
+		return false, err
+	}
+	return true, nil
+}
+
 func main() {
 	confPath := flag.String("conf", "doh-client.conf", "Configuration file")
 	verbose := flag.Bool("verbose", false, "Enable logging")
+	showVersion := flag.Bool("version", false, "Show software version and exit")
+	var pidFile *string
+
+	// I really want to push the technology forward by recommending cgroup-based
+	// process tracking. But I understand some cloud service providers have
+	// their own monitoring system. So this feature is only enabled on Linux and
+	// BSD series platforms which lacks functionality similar to cgroup.
+	switch runtime.GOOS {
+	case "dragonfly", "freebsd", "linux", "netbsd", "openbsd":
+		pidFile = flag.String("pid-file", "", "PID file for legacy supervision systems lacking support for reliable cgroup-based process tracking")
+	}
+
 	flag.Parse()
 
-	conf, err := loadConfig(*confPath)
+	if *showVersion {
+		fmt.Printf("doh-client %s\nHomepage: https://github.com/m13253/dns-over-https\n", VERSION)
+		return
+	}
+
+	if pidFile != nil && *pidFile != "" {
+		ok, err := checkPIDFile(*pidFile)
+		if err != nil {
+			log.Printf("Error checking PID file: %v\n", err)
+		}
+		if !ok {
+			return
+		}
+	}
+
+	conf, err := config.LoadConfig(*confPath)
 	if err != nil {
 		log.Fatalln(err)
 	}
 
 	if *verbose {
-		conf.Verbose = true
+		conf.Other.Verbose = true
 	}
 
 	client, err := NewClient(conf)

doh-client/selector/lvsWRRSelector.go

@@ -0,0 +1,262 @@
+package selector
+
+import (
+	"encoding/json"
+	"errors"
+	"log"
+	"net/http"
+	"sync"
+	"sync/atomic"
+	"time"
+)
+
+type LVSWRRSelector struct {
+	upstreams     []*Upstream // upstreamsInfo
+	client        http.Client // http client to check the upstream
+	lastChoose    int32
+	currentWeight int32
+}
+
+func NewLVSWRRSelector(timeout time.Duration) *LVSWRRSelector {
+	return &LVSWRRSelector{
+		client:     http.Client{Timeout: timeout},
+		lastChoose: -1,
+	}
+}
+
+func (ls *LVSWRRSelector) Add(url string, upstreamType UpstreamType, weight int32) (err error) {
+	if weight < 1 {
+		return errors.New("weight is 1")
+	}
+
+	switch upstreamType {
+	case Google:
+		ls.upstreams = append(ls.upstreams, &Upstream{
+			Type:            Google,
+			URL:             url,
+			RequestType:     "application/dns-json",
+			weight:          weight,
+			effectiveWeight: weight,
+		})
+
+	case IETF:
+		ls.upstreams = append(ls.upstreams, &Upstream{
+			Type:            IETF,
+			URL:             url,
+			RequestType:     "application/dns-message",
+			weight:          weight,
+			effectiveWeight: weight,
+		})
+
+	default:
+		return errors.New("unknown upstream type")
+	}
+
+	return nil
+}
+
+func (ls *LVSWRRSelector) StartEvaluate() {
+	go func() {
+		for {
+			wg := sync.WaitGroup{}
+
+			for i := range ls.upstreams {
+				wg.Add(1)
+
+				go func(i int) {
+					defer wg.Done()
+
+					upstreamURL := ls.upstreams[i].URL
+					var acceptType string
+
+					switch ls.upstreams[i].Type {
+					case Google:
+						upstreamURL += "?name=www.example.com&type=A"
+						acceptType = "application/dns-json"
+
+					case IETF:
+						// www.example.com
+						upstreamURL += "?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"
+						acceptType = "application/dns-message"
+					}
+
+					req, err := http.NewRequest(http.MethodGet, upstreamURL, http.NoBody)
+					if err != nil {
+						/*log.Println("upstream:", upstreamURL, "type:", typeMap[upstream.Type], "check failed:", err)
+						continue*/
+
+						// should I only log it? But if there is an error, I think when query the server will return error too
+						panic("upstream: " + upstreamURL + " type: " + typeMap[ls.upstreams[i].Type] + " check failed: " + err.Error())
+					}
+
+					req.Header.Set("accept", acceptType)
+
+					resp, err := ls.client.Do(req)
+					if err != nil {
+						// should I check error in detail?
+						if atomic.AddInt32(&ls.upstreams[i].effectiveWeight, -5) < 1 {
+							atomic.StoreInt32(&ls.upstreams[i].effectiveWeight, 1)
+						}
+						return
+					}
+
+					switch ls.upstreams[i].Type {
+					case Google:
+						ls.checkGoogleResponse(resp, ls.upstreams[i])
+
+					case IETF:
+						ls.checkIETFResponse(resp, ls.upstreams[i])
+					}
+				}(i)
+			}
+
+			wg.Wait()
+
+			time.Sleep(15 * time.Second)
+		}
+	}()
+}
+
+func (ls *LVSWRRSelector) Get() *Upstream {
+	if len(ls.upstreams) == 1 {
+		return ls.upstreams[0]
+	}
+
+	for {
+		atomic.StoreInt32(&ls.lastChoose, (atomic.LoadInt32(&ls.lastChoose)+1)%int32(len(ls.upstreams)))
+
+		if atomic.LoadInt32(&ls.lastChoose) == 0 {
+			atomic.AddInt32(&ls.currentWeight, -ls.gcdWeight())
+
+			if atomic.LoadInt32(&ls.currentWeight) <= 0 {
+				atomic.AddInt32(&ls.currentWeight, ls.maxWeight())
+
+				if atomic.LoadInt32(&ls.currentWeight) == 0 {
+					panic("current weight is 0")
+				}
+			}
+		}
+
+		if atomic.LoadInt32(&ls.upstreams[atomic.LoadInt32(&ls.lastChoose)].effectiveWeight) >= atomic.LoadInt32(&ls.currentWeight) {
+			return ls.upstreams[atomic.LoadInt32(&ls.lastChoose)]
+		}
+	}
+}
+
+func (ls *LVSWRRSelector) gcdWeight() (res int32) {
+	res = gcd(atomic.LoadInt32(&ls.upstreams[0].effectiveWeight), atomic.LoadInt32(&ls.upstreams[0].effectiveWeight))
+
+	for i := 1; i < len(ls.upstreams); i++ {
+		res = gcd(res, atomic.LoadInt32(&ls.upstreams[i].effectiveWeight))
+	}
+
+	return
+}
+
+func (ls *LVSWRRSelector) maxWeight() (res int32) {
+	for _, upstream := range ls.upstreams {
+		w := atomic.LoadInt32(&upstream.effectiveWeight)
+		if w > res {
+			res = w
+		}
+	}
+
+	return
+}
+
+func gcd(x, y int32) int32 {
+	for {
+		if x < y {
+			x, y = y, x
+		}
+
+		tmp := x % y
+		if tmp == 0 {
+			return y
+		}
+
+		x = tmp
+	}
+}
+
+func (ls *LVSWRRSelector) ReportUpstreamStatus(upstream *Upstream, upstreamStatus upstreamStatus) {
+	switch upstreamStatus {
+	case Timeout:
+		if atomic.AddInt32(&upstream.effectiveWeight, -5) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+
+	case Error:
+		if atomic.AddInt32(&upstream.effectiveWeight, -2) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+
+	case OK:
+		if atomic.AddInt32(&upstream.effectiveWeight, 1) > upstream.weight {
+			atomic.StoreInt32(&upstream.effectiveWeight, upstream.weight)
+		}
+	}
+}
+
+func (ls *LVSWRRSelector) checkGoogleResponse(resp *http.Response, upstream *Upstream) {
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		// server error
+		if atomic.AddInt32(&upstream.effectiveWeight, -3) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+		return
+	}
+
+	m := make(map[string]interface{})
+	if err := json.NewDecoder(resp.Body).Decode(&m); err != nil {
+		// should I check error in detail?
+		if atomic.AddInt32(&upstream.effectiveWeight, -2) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+		return
+	}
+
+	if status, ok := m["Status"]; ok {
+		if statusNum, ok := status.(float64); ok && statusNum == 0 {
+			if atomic.AddInt32(&upstream.effectiveWeight, 5) > upstream.weight {
+				atomic.StoreInt32(&upstream.effectiveWeight, upstream.weight)
+			}
+			return
+		}
+	}
+
+	// should I check error in detail?
+	if atomic.AddInt32(&upstream.effectiveWeight, -2) < 1 {
+		atomic.StoreInt32(&upstream.effectiveWeight, 1)
+	}
+}
+
+func (ls *LVSWRRSelector) checkIETFResponse(resp *http.Response, upstream *Upstream) {
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		// server error
+		if atomic.AddInt32(&upstream.effectiveWeight, -3) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+		return
+	}
+
+	if atomic.AddInt32(&upstream.effectiveWeight, 5) > upstream.weight {
+		atomic.StoreInt32(&upstream.effectiveWeight, upstream.weight)
+	}
+}
+
+func (ls *LVSWRRSelector) ReportWeights() {
+	go func() {
+		for {
+			time.Sleep(15 * time.Second)
+
+			for _, u := range ls.upstreams {
+				log.Printf("%s, effect weight: %d", u, atomic.LoadInt32(&u.effectiveWeight))
+			}
+		}
+	}()
+}

doh-client/selector/nginxWRRSelector.go

@@ -0,0 +1,215 @@
+package selector
+
+import (
+	"encoding/json"
+	"errors"
+	"log"
+	"net/http"
+	"sync"
+	"sync/atomic"
+	"time"
+)
+
+type NginxWRRSelector struct {
+	upstreams []*Upstream // upstreamsInfo
+	client    http.Client // http client to check the upstream
+}
+
+func NewNginxWRRSelector(timeout time.Duration) *NginxWRRSelector {
+	return &NginxWRRSelector{
+		client: http.Client{Timeout: timeout},
+	}
+}
+
+func (ws *NginxWRRSelector) Add(url string, upstreamType UpstreamType, weight int32) (err error) {
+	switch upstreamType {
+	case Google:
+		ws.upstreams = append(ws.upstreams, &Upstream{
+			Type:            Google,
+			URL:             url,
+			RequestType:     "application/dns-json",
+			weight:          weight,
+			effectiveWeight: weight,
+		})
+
+	case IETF:
+		ws.upstreams = append(ws.upstreams, &Upstream{
+			Type:            IETF,
+			URL:             url,
+			RequestType:     "application/dns-message",
+			weight:          weight,
+			effectiveWeight: weight,
+		})
+
+	default:
+		return errors.New("unknown upstream type")
+	}
+
+	return nil
+}
+
+func (ws *NginxWRRSelector) StartEvaluate() {
+	go func() {
+		for {
+			wg := sync.WaitGroup{}
+
+			for i := range ws.upstreams {
+				wg.Add(1)
+
+				go func(i int) {
+					defer wg.Done()
+
+					upstreamURL := ws.upstreams[i].URL
+					var acceptType string
+
+					switch ws.upstreams[i].Type {
+					case Google:
+						upstreamURL += "?name=www.example.com&type=A"
+						acceptType = "application/dns-json"
+
+					case IETF:
+						// www.example.com
+						upstreamURL += "?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"
+						acceptType = "application/dns-message"
+					}
+
+					req, err := http.NewRequest(http.MethodGet, upstreamURL, http.NoBody)
+					if err != nil {
+						/*log.Println("upstream:", upstreamURL, "type:", typeMap[upstream.Type], "check failed:", err)
+						continue*/
+
+						// should I only log it? But if there is an error, I think when query the server will return error too
+						panic("upstream: " + upstreamURL + " type: " + typeMap[ws.upstreams[i].Type] + " check failed: " + err.Error())
+					}
+
+					req.Header.Set("accept", acceptType)
+
+					resp, err := ws.client.Do(req)
+					if err != nil {
+						// should I check error in detail?
+						if atomic.AddInt32(&ws.upstreams[i].effectiveWeight, -10) < 1 {
+							atomic.StoreInt32(&ws.upstreams[i].effectiveWeight, 1)
+						}
+						return
+					}
+
+					switch ws.upstreams[i].Type {
+					case Google:
+						ws.checkGoogleResponse(resp, ws.upstreams[i])
+
+					case IETF:
+						ws.checkIETFResponse(resp, ws.upstreams[i])
+					}
+				}(i)
+			}
+
+			wg.Wait()
+
+			time.Sleep(15 * time.Second)
+		}
+	}()
+}
+
+// nginx wrr like.
+func (ws *NginxWRRSelector) Get() *Upstream {
+	var (
+		total             int32
+		bestUpstreamIndex = -1
+	)
+
+	for i := range ws.upstreams {
+		effectiveWeight := atomic.LoadInt32(&ws.upstreams[i].effectiveWeight)
+		atomic.AddInt32(&ws.upstreams[i].currentWeight, effectiveWeight)
+		total += effectiveWeight
+
+		if bestUpstreamIndex == -1 || atomic.LoadInt32(&ws.upstreams[i].currentWeight) > atomic.LoadInt32(&ws.upstreams[bestUpstreamIndex].currentWeight) {
+			bestUpstreamIndex = i
+		}
+	}
+
+	atomic.AddInt32(&ws.upstreams[bestUpstreamIndex].currentWeight, -total)
+
+	return ws.upstreams[bestUpstreamIndex]
+}
+
+func (ws *NginxWRRSelector) ReportUpstreamStatus(upstream *Upstream, upstreamStatus upstreamStatus) {
+	switch upstreamStatus {
+	case Timeout:
+		if atomic.AddInt32(&upstream.effectiveWeight, -5) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+
+	case Error:
+		if atomic.AddInt32(&upstream.effectiveWeight, -3) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+
+	case OK:
+		if atomic.AddInt32(&upstream.effectiveWeight, 1) > upstream.weight {
+			atomic.StoreInt32(&upstream.effectiveWeight, upstream.weight)
+		}
+	}
+}
+
+func (ws *NginxWRRSelector) checkGoogleResponse(resp *http.Response, upstream *Upstream) {
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		// server error
+		if atomic.AddInt32(&upstream.effectiveWeight, -3) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+		return
+	}
+
+	m := make(map[string]interface{})
+	if err := json.NewDecoder(resp.Body).Decode(&m); err != nil {
+		// should I check error in detail?
+		if atomic.AddInt32(&upstream.effectiveWeight, -2) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+		return
+	}
+
+	if status, ok := m["Status"]; ok {
+		if statusNum, ok := status.(float64); ok && statusNum == 0 {
+			if atomic.AddInt32(&upstream.effectiveWeight, 5) > upstream.weight {
+				atomic.StoreInt32(&upstream.effectiveWeight, upstream.weight)
+			}
+			return
+		}
+	}
+
+	// should I check error in detail?
+	if atomic.AddInt32(&upstream.effectiveWeight, -2) < 1 {
+		atomic.StoreInt32(&upstream.effectiveWeight, 1)
+	}
+}
+
+func (ws *NginxWRRSelector) checkIETFResponse(resp *http.Response, upstream *Upstream) {
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		// server error
+		if atomic.AddInt32(&upstream.effectiveWeight, -5) < 1 {
+			atomic.StoreInt32(&upstream.effectiveWeight, 1)
+		}
+		return
+	}
+
+	if atomic.AddInt32(&upstream.effectiveWeight, 5) > upstream.weight {
+		atomic.StoreInt32(&upstream.effectiveWeight, upstream.weight)
+	}
+}
+
+func (ws *NginxWRRSelector) ReportWeights() {
+	go func() {
+		for {
+			time.Sleep(15 * time.Second)
+
+			for _, u := range ws.upstreams {
+				log.Printf("%s, effect weight: %d", u, atomic.LoadInt32(&u.effectiveWeight))
+			}
+		}
+	}()
+}

doh-client/selector/randomSelector.go

@@ -0,0 +1,50 @@
+package selector
+
+import (
+	"errors"
+	"math/rand"
+	"time"
+)
+
+func init() {
+	rand.NewSource(time.Now().UnixNano())
+}
+
+type RandomSelector struct {
+	upstreams []*Upstream
+}
+
+func NewRandomSelector() *RandomSelector {
+	return new(RandomSelector)
+}
+
+func (rs *RandomSelector) Add(url string, upstreamType UpstreamType) (err error) {
+	switch upstreamType {
+	case Google:
+		rs.upstreams = append(rs.upstreams, &Upstream{
+			Type:        Google,
+			URL:         url,
+			RequestType: "application/dns-json",
+		})
+
+	case IETF:
+		rs.upstreams = append(rs.upstreams, &Upstream{
+			Type:        IETF,
+			URL:         url,
+			RequestType: "application/dns-message",
+		})
+
+	default:
+		return errors.New("unknown upstream type")
+	}
+
+	return nil
+}
+
+func (rs *RandomSelector) Get() *Upstream {
+	return rs.upstreams[rand.Intn(len(rs.upstreams))]
+}
+
+func (rs *RandomSelector) StartEvaluate() {}
+
+func (rs *RandomSelector) ReportUpstreamStatus(upstream *Upstream, upstreamStatus upstreamStatus) {}

doh-client/selector/selector.go

@@ -0,0 +1,17 @@
+package selector
+
+type Selector interface {
+	// Get returns a upstream
+	Get() *Upstream
+
+	// StartEvaluate start upstream evaluation loop
+	StartEvaluate()
+
+	// ReportUpstreamStatus report upstream status
+	ReportUpstreamStatus(upstream *Upstream, upstreamStatus upstreamStatus)
+}
+
+type DebugReporter interface {
+	// ReportWeights starts a goroutine to report all upstream weights, recommend interval is 15s
+	ReportWeights()
+}

doh-client/selector/upstream.go

@@ -0,0 +1,28 @@
+package selector
+
+import "fmt"
+
+type UpstreamType int
+
+const (
+	Google UpstreamType = iota
+	IETF
+)
+
+var typeMap = map[UpstreamType]string{
+	Google: "Google",
+	IETF:   "IETF",
+}
+
+type Upstream struct {
+	Type            UpstreamType
+	URL             string
+	RequestType     string
+	weight          int32
+	effectiveWeight int32
+	currentWeight   int32
+}
+
+func (u Upstream) String() string {
+	return fmt.Sprintf("upstream type: %s, upstream url: %s", typeMap[u.Type], u.URL)
+}

doh-client/selector/upstreamStatus.go

@@ -0,0 +1,14 @@
+package selector
+
+type upstreamStatus int
+
+const (
+	// when query upstream timeout, usually upstream is unavailable for a long time.
+	Timeout upstreamStatus = iota
+
+	// when query upstream return 5xx response, upstream still alive, maybe just a lof of query for him.
+	Error
+
+	// when query upstream ok, means upstream is available.
+	OK
+)

doh-client/version.go

@@ -24,6 +24,6 @@
 package main
 
 const (
-	VERSION    = "1.3.7"
+	VERSION    = "2.3.10"
 	USER_AGENT = "DNS-over-HTTPS/" + VERSION + " (+https://github.com/m13253/dns-over-https)"
 )

doh-server/config.go

@@ -25,20 +25,27 @@ package main
 
 import (
 	"fmt"
+	"regexp"
 
 	"github.com/BurntSushi/toml"
 )
 
 type config struct {
-	Listen   []string `toml:"listen"`
-	Cert     string   `toml:"cert"`
-	Key      string   `toml:"key"`
-	Path     string   `toml:"path"`
-	Upstream []string `toml:"upstream"`
-	Timeout  uint     `toml:"timeout"`
-	Tries    uint     `toml:"tries"`
-	TCPOnly  bool     `toml:"tcp_only"`
-	Verbose  bool     `toml:"verbose"`
+	TLSClientAuthCA     string   `toml:"tls_client_auth_ca"`
+	LocalAddr           string   `toml:"local_addr"`
+	Cert                string   `toml:"cert"`
+	Key                 string   `toml:"key"`
+	Path                string   `toml:"path"`
+	DebugHTTPHeaders    []string `toml:"debug_http_headers"`
+	Listen              []string `toml:"listen"`
+	Upstream            []string `toml:"upstream"`
+	Timeout             uint     `toml:"timeout"`
+	Tries               uint     `toml:"tries"`
+	Verbose             bool     `toml:"verbose"`
+	LogGuessedIP        bool     `toml:"log_guessed_client_ip"`
+	ECSAllowNonGlobalIP bool     `toml:"ecs_allow_non_global_ip"`
+	ECSUsePreciseIP     bool     `toml:"ecs_use_precise_ip"`
+	TLSClientAuth       bool     `toml:"tls_client_auth"`
 }
 
 func loadConfig(path string) (*config, error) {
@@ -59,7 +66,7 @@ func loadConfig(path string) (*config, error) {
 		conf.Path = "/dns-query"
 	}
 	if len(conf.Upstream) == 0 {
-		conf.Upstream = []string{"8.8.8.8:53", "8.8.4.4:53"}
+		conf.Upstream = []string{"udp:8.8.8.8:53", "udp:8.8.4.4:53"}
 	}
 	if conf.Timeout == 0 {
 		conf.Timeout = 10
@@ -72,9 +79,35 @@ func loadConfig(path string) (*config, error) {
 		return nil, &configError{"You must specify both -cert and -key to enable TLS"}
 	}
 
+	// validate all upstreams
+	for _, us := range conf.Upstream {
+		address, t := addressAndType(us)
+		if address == "" {
+			return nil, &configError{"One of the upstreams has not a (udp|tcp|tcp-tls) prefix e.g. udp:1.1.1.1:53"}
+		}
+
+		switch t {
+		case "tcp", "udp", "tcp-tls":
+			// OK
+		default:
+			return nil, &configError{"Invalid upstream prefix specified, choose one of: udp tcp tcp-tls"}
+		}
+	}
+
 	return conf, nil
 }
 
+var rxUpstreamWithTypePrefix = regexp.MustCompile("^[a-z-]+(:)")
+
+func addressAndType(us string) (string, string) {
+	p := rxUpstreamWithTypePrefix.FindStringSubmatchIndex(us)
+	if len(p) != 4 {
+		return "", ""
+	}
+
+	return us[p[2]+1:], us[:p[2]]
+}
+
 type configError struct {
 	err string
 }

doh-server/doh-server.conf

@@ -2,12 +2,24 @@
 listen = [
     "127.0.0.1:8053",
     "[::1]:8053",
+
+    ## To listen on both 0.0.0.0:8053 and [::]:8053, use the following line
+    # ":8053",
 ]
 
+# Local address and port for upstream DNS
+# If left empty, a local address is automatically chosen.
+local_addr = ""
+
 # TLS certification file
+# If left empty, plain-text HTTP will be used.
+# You are recommended to leave empty and to use a server load balancer (e.g.
+# Caddy, Nginx) and set up TLS there, because this program does not do OCSP
+# Stapling, which is necessary for client bootstrapping in a network
+# environment with completely no traditional DNS service.
 cert = ""
 
-# TLS key file
+# TLS private key file
 key = ""
 
 # HTTP path for resolve application
@@ -15,9 +27,16 @@ path = "/dns-query"
 
 # Upstream DNS resolver
 # If multiple servers are specified, a random one will be chosen each time.
+# You can use "udp", "tcp" or "tcp-tls" for the type prefix.
+# For "udp", UDP will first be used, and switch to TCP when the server asks to
+# or the response is too large.
+# For "tcp", only TCP will be used.
+# For "tcp-tls", DNS-over-TLS (RFC 7858) will be used to secure the upstream connection.
 upstream = [
-    "8.8.8.8:53",
-    "8.8.4.4:53",
+    "udp:1.1.1.1:53",
+    "udp:1.0.0.1:53",
+    "udp:8.8.8.8:53",
+    "udp:8.8.4.4:53",
 ]
 
 # Upstream timeout
@@ -26,8 +45,34 @@ timeout = 10
 # Number of tries if upstream DNS fails
 tries = 3
 
-# Only use TCP for DNS query
-tcp_only = false
-
 # Enable logging
 verbose = false
+
+# Enable log IP from HTTPS-reverse proxy header: X-Forwarded-For or X-Real-IP
+# Note: http uri/useragent log cannot be controlled by this config
+log_guessed_client_ip = false
+
+# By default, non global IP addresses are never forwarded to upstream servers.
+# This is to prevent two things from happening:
+#   1. the upstream server knowing your private LAN addresses;
+#   2. the upstream server unable to provide geographically near results,
+#      or even fail to provide any result.
+# However, if you are deploying a split tunnel corporation network
+# environment, or for any other reason you want to inhibit this
+# behavior and allow local (eg RFC1918) address to be forwarded,
+# change the following option to "true".
+ecs_allow_non_global_ip = false
+
+# If ECS is added to the request, let the full IP address or
+# cap it to 24 or 128 mask. This option is to be used only on private
+# networks where knwoledge of the terminal endpoint may be required for
+# security purposes (eg. DNS Firewalling). Not a good option on the
+# internet where IP address may be used to identify the user and
+# not only the approximate location.
+ecs_use_precise_ip = false
+
+# If DOH is used for a controlled network, it is possible to enable
+# the client TLS certificate validation with a specific certificate
+# authority used to sign any client one. Disabled by default.
+# tls_client_auth = true
+# tls_client_auth_ca = "root-ca-public.crt"

doh-server/google.go

@@ -24,6 +24,7 @@
 package main
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"log"
@@ -33,12 +34,13 @@ import (
 	"strings"
 	"time"
 
-	"github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
 	"golang.org/x/net/idna"
+
+	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
 )
 
-func (s *Server) parseRequestGoogle(w http.ResponseWriter, r *http.Request) *DNSRequest {
+func (s *Server) parseRequestGoogle(ctx context.Context, w http.ResponseWriter, r *http.Request) *DNSRequest {
 	name := r.FormValue("name")
 	if name == "" {
 		return &DNSRequest{
@@ -46,7 +48,6 @@ func (s *Server) parseRequestGoogle(w http.ResponseWriter, r *http.Request) *DNS
 			errtext: "Invalid argument value: \"name\"",
 		}
 	}
-	name = strings.ToLower(name)
 	if punycode, err := idna.ToASCII(name); err == nil {
 		name = punycode
 	} else {
@@ -72,9 +73,9 @@ func (s *Server) parseRequestGoogle(w http.ResponseWriter, r *http.Request) *DNS
 
 	cdStr := r.FormValue("cd")
 	cd := false
-	if cdStr == "1" || cdStr == "true" {
+	if cdStr == "1" || strings.EqualFold(cdStr, "true") {
 		cd = true
-	} else if cdStr == "0" || cdStr == "false" || cdStr == "" {
+	} else if cdStr == "0" || strings.EqualFold(cdStr, "false") || cdStr == "" {
 	} else {
 		return &DNSRequest{
 			errcode: 400,
@@ -90,45 +91,14 @@ func (s *Server) parseRequestGoogle(w http.ResponseWriter, r *http.Request) *DNS
 		if ednsClientSubnet == "0/0" {
 			ednsClientSubnet = "0.0.0.0/0"
 		}
-		slash := strings.IndexByte(ednsClientSubnet, '/')
-		if slash < 0 {
-			ednsClientAddress = net.ParseIP(ednsClientSubnet)
-			if ednsClientAddress == nil {
-				return &DNSRequest{
-					errcode: 400,
-					errtext: fmt.Sprintf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet),
-				}
+
+		var err error
+		ednsClientFamily, ednsClientAddress, ednsClientNetmask, err = parseSubnet(ednsClientSubnet)
+		if err != nil {
+			return &DNSRequest{
+				errcode: 400,
+				errtext: err.Error(),
 			}
-			if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
-				ednsClientFamily = 1
-				ednsClientAddress = ipv4
-				ednsClientNetmask = 24
-			} else {
-				ednsClientFamily = 2
-				ednsClientNetmask = 48
-			}
-		} else {
-			ednsClientAddress = net.ParseIP(ednsClientSubnet[:slash])
-			if ednsClientAddress == nil {
-				return &DNSRequest{
-					errcode: 400,
-					errtext: fmt.Sprintf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet),
-				}
-			}
-			if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
-				ednsClientFamily = 1
-				ednsClientAddress = ipv4
-			} else {
-				ednsClientFamily = 2
-			}
-			netmask, err := strconv.ParseUint(ednsClientSubnet[slash+1:], 10, 8)
-			if err != nil {
-				return &DNSRequest{
-					errcode: 400,
-					errtext: fmt.Sprintf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet),
-				}
-			}
-			ednsClientNetmask = uint8(netmask)
 		}
 	} else {
 		ednsClientAddress = s.findClientIP(r)
@@ -140,7 +110,7 @@ func (s *Server) parseRequestGoogle(w http.ResponseWriter, r *http.Request) *DNS
 			ednsClientNetmask = 24
 		} else {
 			ednsClientFamily = 2
-			ednsClientNetmask = 48
+			ednsClientNetmask = 56
 		}
 	}
 
@@ -169,12 +139,51 @@ func (s *Server) parseRequestGoogle(w http.ResponseWriter, r *http.Request) *DNS
 	}
 }
 
-func (s *Server) generateResponseGoogle(w http.ResponseWriter, r *http.Request, req *DNSRequest) {
-	respJSON := jsonDNS.Marshal(req.response)
+func parseSubnet(ednsClientSubnet string) (ednsClientFamily uint16, ednsClientAddress net.IP, ednsClientNetmask uint8, err error) {
+	slash := strings.IndexByte(ednsClientSubnet, '/')
+	if slash < 0 {
+		ednsClientAddress = net.ParseIP(ednsClientSubnet)
+		if ednsClientAddress == nil {
+			err = fmt.Errorf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet)
+			return
+		}
+		if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
+			ednsClientFamily = 1
+			ednsClientAddress = ipv4
+			ednsClientNetmask = 24
+		} else {
+			ednsClientFamily = 2
+			ednsClientNetmask = 56
+		}
+	} else {
+		ednsClientAddress = net.ParseIP(ednsClientSubnet[:slash])
+		if ednsClientAddress == nil {
+			err = fmt.Errorf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet)
+			return
+		}
+		if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
+			ednsClientFamily = 1
+			ednsClientAddress = ipv4
+		} else {
+			ednsClientFamily = 2
+		}
+		netmask, err1 := strconv.ParseUint(ednsClientSubnet[slash+1:], 10, 8)
+		if err1 != nil {
+			err = fmt.Errorf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet)
+			return
+		}
+		ednsClientNetmask = uint8(netmask)
+	}
+
+	return
+}
+
+func (s *Server) generateResponseGoogle(ctx context.Context, w http.ResponseWriter, r *http.Request, req *DNSRequest) {
+	respJSON := jsondns.Marshal(req.response)
 	respStr, err := json.Marshal(respJSON)
 	if err != nil {
 		log.Println(err)
-		jsonDNS.FormatError(w, fmt.Sprintf("DNS packet parse failure (%s)", err.Error()), 500)
+		jsondns.FormatError(w, fmt.Sprintf("DNS packet parse failure (%s)", err.Error()), 500)
 		return
 	}
 
@@ -182,11 +191,12 @@ func (s *Server) generateResponseGoogle(w http.ResponseWriter, r *http.Request,
 	now := time.Now().UTC().Format(http.TimeFormat)
 	w.Header().Set("Date", now)
 	w.Header().Set("Last-Modified", now)
+	w.Header().Set("Vary", "Accept")
 	if respJSON.HaveTTL {
 		if req.isTailored {
-			w.Header().Set("Cache-Control", "private, max-age="+strconv.Itoa(int(respJSON.LeastTTL)))
+			w.Header().Set("Cache-Control", "private, max-age="+strconv.FormatUint(uint64(respJSON.LeastTTL), 10))
 		} else {
-			w.Header().Set("Cache-Control", "public, max-age="+strconv.Itoa(int(respJSON.LeastTTL)))
+			w.Header().Set("Cache-Control", "public, max-age="+strconv.FormatUint(uint64(respJSON.LeastTTL), 10))
 		}
 		w.Header().Set("Expires", respJSON.EarliestExpires.Format(http.TimeFormat))
 	}

doh-server/ietf.go

@@ -25,19 +25,23 @@ package main
 
 import (
 	"bytes"
+	"context"
 	"encoding/base64"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"log"
+	"net"
 	"net/http"
 	"strconv"
+	"strings"
 	"time"
 
-	"github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
+
+	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
 )
 
-func (s *Server) parseRequestIETF(w http.ResponseWriter, r *http.Request) *DNSRequest {
+func (s *Server) parseRequestIETF(ctx context.Context, w http.ResponseWriter, r *http.Request) *DNSRequest {
 	requestBase64 := r.FormValue("dns")
 	requestBinary, err := base64.RawURLEncoding.DecodeString(requestBase64)
 	if err != nil {
@@ -47,7 +51,7 @@ func (s *Server) parseRequestIETF(w http.ResponseWriter, r *http.Request) *DNSRe
 		}
 	}
 	if len(requestBinary) == 0 && (r.Header.Get("Content-Type") == "application/dns-message" || r.Header.Get("Content-Type") == "application/dns-udpwireformat") {
-		requestBinary, err = ioutil.ReadAll(r.Body)
+		requestBinary, err = io.ReadAll(r.Body)
 		if err != nil {
 			return &DNSRequest{
 				errcode: 400,
@@ -58,11 +62,11 @@ func (s *Server) parseRequestIETF(w http.ResponseWriter, r *http.Request) *DNSRe
 	if len(requestBinary) == 0 {
 		return &DNSRequest{
 			errcode: 400,
-			errtext: fmt.Sprintf("Invalid argument value: \"dns\""),
+			errtext: "Invalid argument value: \"dns\"",
 		}
 	}
 
-	if s.patchDNSCryptProxyReqID(requestBinary, w) {
+	if s.patchDNSCryptProxyReqID(w, r, requestBinary) {
 		return &DNSRequest{
 			errcode: 444,
 		}
@@ -84,17 +88,26 @@ func (s *Server) parseRequestIETF(w http.ResponseWriter, r *http.Request) *DNSRe
 		if qclass, ok := dns.ClassToString[question.Qclass]; ok {
 			questionClass = qclass
 		} else {
-			questionClass = strconv.Itoa(int(question.Qclass))
+			questionClass = strconv.FormatUint(uint64(question.Qclass), 10)
 		}
 		questionType := ""
 		if qtype, ok := dns.TypeToString[question.Qtype]; ok {
 			questionType = qtype
 		} else {
-			questionType = strconv.Itoa(int(question.Qtype))
+			questionType = strconv.FormatUint(uint64(question.Qtype), 10)
+		}
+		var clientip net.IP = nil
+		if s.conf.LogGuessedIP {
+			clientip = s.findClientIP(r)
+		}
+		if clientip != nil {
+			fmt.Printf("%s - - [%s] \"%s %s %s\"\n", clientip, time.Now().Format("02/Jan/2006:15:04:05 -0700"), questionName, questionClass, questionType)
+		} else {
+			fmt.Printf("%s - - [%s] \"%s %s %s\"\n", r.RemoteAddr, time.Now().Format("02/Jan/2006:15:04:05 -0700"), questionName, questionClass, questionType)
 		}
-		fmt.Printf("%s - - [%s] \"%s %s %s\"\n", r.RemoteAddr, time.Now().Format("02/Jan/2006:15:04:05 -0700"), questionName, questionClass, questionType)
 	}
 
+	transactionID := msg.Id
 	msg.Id = dns.Id()
 	opt := msg.IsEdns0()
 	if opt == nil {
@@ -113,6 +126,7 @@ func (s *Server) parseRequestIETF(w http.ResponseWriter, r *http.Request) *DNSRe
 		}
 	}
 	isTailored := edns0Subnet == nil
+
 	if edns0Subnet == nil {
 		ednsClientFamily := uint16(0)
 		ednsClientAddress := s.findClientIP(r)
@@ -121,10 +135,20 @@ func (s *Server) parseRequestIETF(w http.ResponseWriter, r *http.Request) *DNSRe
 			if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
 				ednsClientFamily = 1
 				ednsClientAddress = ipv4
-				ednsClientNetmask = 24
+				if s.conf.ECSUsePreciseIP {
+					ednsClientNetmask = 32
+				} else {
+					ednsClientNetmask = 24
+					ednsClientAddress = ednsClientAddress.Mask(net.CIDRMask(24, 32))
+				}
 			} else {
 				ednsClientFamily = 2
-				ednsClientNetmask = 48
+				if s.conf.ECSUsePreciseIP {
+					ednsClientNetmask = 128
+				} else {
+					ednsClientNetmask = 56
+					ednsClientAddress = ednsClientAddress.Mask(net.CIDRMask(56, 128))
+				}
 			}
 			edns0Subnet = new(dns.EDNS0_SUBNET)
 			edns0Subnet.Code = dns.EDNS0SUBNET
@@ -137,18 +161,19 @@ func (s *Server) parseRequestIETF(w http.ResponseWriter, r *http.Request) *DNSRe
 	}
 
 	return &DNSRequest{
-		request:    msg,
-		isTailored: isTailored,
+		request:       msg,
+		transactionID: transactionID,
+		isTailored:    isTailored,
 	}
 }
 
-func (s *Server) generateResponseIETF(w http.ResponseWriter, r *http.Request, req *DNSRequest) {
-	respJSON := jsonDNS.Marshal(req.response)
-	req.response.Id = 0
+func (s *Server) generateResponseIETF(ctx context.Context, w http.ResponseWriter, r *http.Request, req *DNSRequest) {
+	respJSON := jsondns.Marshal(req.response)
+	req.response.Id = req.transactionID
 	respBytes, err := req.response.Pack()
 	if err != nil {
-		log.Println(err)
-		jsonDNS.FormatError(w, fmt.Sprintf("DNS packet construct failure (%s)", err.Error()), 500)
+		log.Printf("DNS packet construct failure with upstream %s: %v\n", req.currentUpstream, err)
+		jsondns.FormatError(w, fmt.Sprintf("DNS packet construct failure (%s)", err.Error()), 500)
 		return
 	}
 
@@ -156,28 +181,38 @@ func (s *Server) generateResponseIETF(w http.ResponseWriter, r *http.Request, re
 	now := time.Now().UTC().Format(http.TimeFormat)
 	w.Header().Set("Date", now)
 	w.Header().Set("Last-Modified", now)
+	w.Header().Set("Vary", "Accept")
+
 	if respJSON.HaveTTL {
 		if req.isTailored {
-			w.Header().Set("Cache-Control", "private, max-age="+strconv.Itoa(int(respJSON.LeastTTL)))
+			w.Header().Set("Cache-Control", "private, max-age="+strconv.FormatUint(uint64(respJSON.LeastTTL), 10))
 		} else {
-			w.Header().Set("Cache-Control", "public, max-age="+strconv.Itoa(int(respJSON.LeastTTL)))
+			w.Header().Set("Cache-Control", "public, max-age="+strconv.FormatUint(uint64(respJSON.LeastTTL), 10))
 		}
 		w.Header().Set("Expires", respJSON.EarliestExpires.Format(http.TimeFormat))
 	}
+
 	if respJSON.Status == dns.RcodeServerFailure {
+		log.Printf("received server failure from upstream %s: %v\n", req.currentUpstream, req.response)
 		w.WriteHeader(503)
 	}
-	w.Write(respBytes)
+	_, err = w.Write(respBytes)
+	if err != nil {
+		log.Printf("failed to write to client: %v\n", err)
+	}
 }
 
-// Workaround a bug causing DNSCrypt-Proxy to expect a response with TransactionID = 0xcafe
-func (s *Server) patchDNSCryptProxyReqID(requestBinary []byte, w http.ResponseWriter) bool {
-	if bytes.Equal(requestBinary, []byte("\xca\xfe\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00\x00\x02\x00\x01\x00\x00\x29\x10\x00\x00\x00\x80\x00\x00\x00")) {
-		log.Println("DNSCrypt-Proxy detected. Patching response.")
-		w.Header().Set("Content-Type", "application/octet-stream")
+// Workaround a bug causing DNSCrypt-Proxy to expect a response with TransactionID = 0xcafe.
+func (s *Server) patchDNSCryptProxyReqID(w http.ResponseWriter, r *http.Request, requestBinary []byte) bool {
+	if strings.Contains(r.UserAgent(), "dnscrypt-proxy") && bytes.Equal(requestBinary, []byte("\xca\xfe\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00\x00\x02\x00\x01\x00\x00\x29\x10\x00\x00\x00\x80\x00\x00\x00")) {
+		if s.conf.Verbose {
+			log.Println("DNSCrypt-Proxy detected. Patching response.")
+		}
+		w.Header().Set("Content-Type", "application/dns-message")
+		w.Header().Set("Vary", "Accept, User-Agent")
 		now := time.Now().UTC().Format(http.TimeFormat)
 		w.Header().Set("Date", now)
-		w.Write([]byte("\xca\xfe\x81\x01\x00\x01\r\nWorkaround a bug causing DNSCrypt-Proxy to expect a response with TransactionID = 0xcafe\r\nDo you know it is a violation of the protocol you fxxking DNSCrypt-Proxy?!\r\n"))
+		w.Write([]byte("\xca\xfe\x81\x05\x00\x01\x00\x01\x00\x00\x00\x00\x00\x00\x02\x00\x01\x00\x00\x10\x00\x01\x00\x00\x00\x00\x00\xa8\xa7\r\nWorkaround a bug causing DNSCrypt-Proxy to expect a response with TransactionID = 0xcafe\r\nRefer to https://github.com/jedisct1/dnscrypt-proxy/issues/526 for details."))
 		return true
 	}
 	return false

doh-server/main.go

@@ -25,14 +25,80 @@ package main
 
 import (
 	"flag"
+	"fmt"
 	"log"
+	"os"
+	"runtime"
+	"strconv"
 )
 
+func checkPIDFile(pidFile string) (bool, error) {
+retry:
+	f, err := os.OpenFile(pidFile, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o666)
+	if os.IsExist(err) {
+		pidStr, err := os.ReadFile(pidFile)
+		if err != nil {
+			return false, err
+		}
+		pid, err := strconv.ParseUint(string(pidStr), 10, 0)
+		if err != nil {
+			return false, err
+		}
+		_, err = os.Stat(fmt.Sprintf("/proc/%d", pid))
+		if os.IsNotExist(err) {
+			err = os.Remove(pidFile)
+			if err != nil {
+				return false, err
+			}
+			goto retry
+		} else if err != nil {
+			return false, err
+		}
+		log.Printf("Already running on PID %d, exiting.\n", pid)
+		return false, nil
+	} else if err != nil {
+		return false, err
+	}
+	defer f.Close()
+	_, err = f.WriteString(strconv.FormatInt(int64(os.Getpid()), 10))
+	if err != nil {
+		return false, err
+	}
+	return true, nil
+}
+
 func main() {
 	confPath := flag.String("conf", "doh-server.conf", "Configuration file")
 	verbose := flag.Bool("verbose", false, "Enable logging")
+	showVersion := flag.Bool("version", false, "Show software version and exit")
+	var pidFile *string
+
+	// I really want to push the technology forward by recommending cgroup-based
+	// process tracking. But I understand some cloud service providers have
+	// their own monitoring system. So this feature is only enabled on Linux and
+	// BSD series platforms which lacks functionality similar to cgroup.
+	switch runtime.GOOS {
+	case "dragonfly", "freebsd", "linux", "netbsd", "openbsd":
+		pidFile = flag.String("pid-file", "", "PID file for legacy supervision systems lacking support for reliable cgroup-based process tracking")
+	}
+
 	flag.Parse()
 
+	if *showVersion {
+		fmt.Printf("doh-server %s\nHomepage: https://github.com/m13253/dns-over-https\n", VERSION)
+		return
+	}
+
+	if pidFile != nil && *pidFile != "" {
+		ok, err := checkPIDFile(*pidFile)
+		if err != nil {
+			log.Printf("Error checking PID file: %v\n", err)
+		}
+		if !ok {
+			return
+		}
+	}
+
 	conf, err := loadConfig(*confPath)
 	if err != nil {
 		log.Fatalln(err)
@@ -42,6 +108,9 @@ func main() {
 		conf.Verbose = true
 	}
 
-	server := NewServer(conf)
+	server, err := NewServer(conf)
+	if err != nil {
+		log.Fatalln(err)
+	}
 	_ = server.Start()
 }

doh-server/parse_test.go

@@ -0,0 +1,119 @@
+/*
+   DNS-over-HTTPS
+   Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
+
+   Permission is hereby granted, free of charge, to any person obtaining a
+   copy of this software and associated documentation files (the "Software"),
+   to deal in the Software without restriction, including without limitation
+   the rights to use, copy, modify, merge, publish, distribute, sublicense,
+   and/or sell copies of the Software, and to permit persons to whom the
+   Software is furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+   DEALINGS IN THE SOFTWARE.
+*/
+
+package main
+
+import (
+	"testing"
+
+	"github.com/miekg/dns"
+)
+
+func TestParseCIDR(t *testing.T) {
+	t.Parallel()
+	for _, ednsClientSubnet := range []string{
+		"2001:db8::/0",
+		"2001:db8::/56",
+		"2001:db8::/129",
+		"2001:db8::",
+
+		"127.0.0.1/0",
+		"127.0.0.1/24",
+		"127.0.0.1/33",
+		"127.0.0.1",
+
+		"::ffff:7f00:1/0",
+		"::ffff:7f00:1/120",
+		"::ffff:7f00:1",
+		"127.0.0.1/0",
+		"127.0.0.1/24",
+		"127.0.0.1",
+	} {
+		_, ip, ipNet, err := parseSubnet(ednsClientSubnet)
+		if err != nil {
+			t.Errorf("ecs:%s ip:[%v]  ipNet:[%v]  err:[%v]", ednsClientSubnet, ip, ipNet, err)
+		}
+	}
+}
+
+func TestParseInvalidCIDR(t *testing.T) {
+	t.Parallel()
+
+	for _, ip := range []string{
+		"test",
+		"test/0",
+		"test/24",
+		"test/34",
+		"test/56",
+		"test/129",
+	} {
+		_, _, _, err := parseSubnet(ip)
+		if err == nil {
+			t.Errorf("expected error for %q", ip)
+		}
+	}
+}
+
+func TestEdns0SubnetParseCIDR(t *testing.T) {
+	t.Parallel()
+	// init dns Msg
+	msg := new(dns.Msg)
+	msg.Id = dns.Id()
+	msg.SetQuestion(dns.Fqdn("example.com"), 1)
+
+	// init edns0Subnet
+	edns0Subnet := new(dns.EDNS0_SUBNET)
+	edns0Subnet.Code = dns.EDNS0SUBNET
+	edns0Subnet.SourceScope = 0
+
+	// init opt
+	opt := new(dns.OPT)
+	opt.Hdr.Name = "."
+	opt.Hdr.Rrtype = dns.TypeOPT
+	opt.SetUDPSize(dns.DefaultMsgSize)
+
+	opt.Option = append(opt.Option, edns0Subnet)
+	msg.Extra = append(msg.Extra, opt)
+
+	for _, subnet := range []string{"::ffff:7f00:1/120", "127.0.0.1/24"} {
+		var err error
+		edns0Subnet.Family, edns0Subnet.Address, edns0Subnet.SourceNetmask, err = parseSubnet(subnet)
+		if err != nil {
+			t.Error(err)
+			continue
+		}
+		t.Log(msg.Pack())
+	}
+
+	// ------127.0.0.1/24-----
+	// [143 29 1 0 0 1 0 0 0 0 0 1 7 101 120 97 109 112 108 101 3 99 111 109 0 0 1 0 1 0
+	// opt start   0 41 16 0 0 0 0 0 0 11
+	// subnet start 0 8 0 7 0 1 24 0
+	// client subnet start 127 0 0]
+
+	// -----::ffff:7f00:1/120----
+	// [111 113 1 0 0 1 0 0 0 0 0 1 7 101 120 97 109 112 108 101 3 99 111 109 0 0 1 0 1 0
+	// opt start  0 41 16 0 0 0 0 0 0 23
+	// subnet start  0 8 0 19 0 2 120 0
+	// client subnet start 0 0 0 0 0 0 0 0 0 0 255 255 127 0 0]
+}

doh-server/server.go

@@ -24,6 +24,9 @@
 package main
 
 import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"log"
 	"math/rand"
@@ -34,42 +37,72 @@ import (
 	"time"
 
 	"github.com/gorilla/handlers"
-	"github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
+
+	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
 )
 
 type Server struct {
-	conf      *config
-	udpClient *dns.Client
-	tcpClient *dns.Client
-	servemux  *http.ServeMux
+	conf         *config
+	udpClient    *dns.Client
+	tcpClient    *dns.Client
+	tcpClientTLS *dns.Client
+	servemux     *http.ServeMux
 }
 
 type DNSRequest struct {
 	request         *dns.Msg
 	response        *dns.Msg
 	currentUpstream string
-	isTailored      bool
-	errcode         int
 	errtext         string
+	errcode         int
+	transactionID   uint16
+	isTailored      bool
 }
 
-func NewServer(conf *config) (s *Server) {
-	s = &Server{
+func NewServer(conf *config) (*Server, error) {
+	timeout := time.Duration(conf.Timeout) * time.Second
+	s := &Server{
 		conf: conf,
 		udpClient: &dns.Client{
 			Net:     "udp",
 			UDPSize: dns.DefaultMsgSize,
-			Timeout: time.Duration(conf.Timeout) * time.Second,
+			Timeout: timeout,
 		},
 		tcpClient: &dns.Client{
 			Net:     "tcp",
-			Timeout: time.Duration(conf.Timeout) * time.Second,
+			Timeout: timeout,
+		},
+		tcpClientTLS: &dns.Client{
+			Net:     "tcp-tls",
+			Timeout: timeout,
 		},
 		servemux: http.NewServeMux(),
 	}
+	if conf.LocalAddr != "" {
+		udpLocalAddr, err := net.ResolveUDPAddr("udp", conf.LocalAddr)
+		if err != nil {
+			return nil, err
+		}
+		tcpLocalAddr, err := net.ResolveTCPAddr("tcp", conf.LocalAddr)
+		if err != nil {
+			return nil, err
+		}
+		s.udpClient.Dialer = &net.Dialer{
+			Timeout:   timeout,
+			LocalAddr: udpLocalAddr,
+		}
+		s.tcpClient.Dialer = &net.Dialer{
+			Timeout:   timeout,
+			LocalAddr: tcpLocalAddr,
+		}
+		s.tcpClientTLS.Dialer = &net.Dialer{
+			Timeout:   timeout,
+			LocalAddr: tcpLocalAddr,
+		}
+	}
 	s.servemux.HandleFunc(conf.Path, s.handlerFunc)
-	return
+	return s, nil
 }
 
 func (s *Server) Start() error {
@@ -77,12 +110,48 @@ func (s *Server) Start() error {
 	if s.conf.Verbose {
 		servemux = handlers.CombinedLoggingHandler(os.Stdout, servemux)
 	}
+
+	var clientCAPool *x509.CertPool
+	if s.conf.TLSClientAuth {
+		if s.conf.TLSClientAuthCA != "" {
+			clientCA, err := os.ReadFile(s.conf.TLSClientAuthCA)
+			if err != nil {
+				log.Fatalf("Reading certificate for client authentication has failed: %v", err)
+			}
+			clientCAPool = x509.NewCertPool()
+			clientCAPool.AppendCertsFromPEM(clientCA)
+			log.Println("Certificate loaded for client TLS authentication")
+		} else {
+			log.Fatalln("TLS client authentication requires both tls_client_auth and tls_client_auth_ca, exiting.")
+		}
+	}
+
 	results := make(chan error, len(s.conf.Listen))
 	for _, addr := range s.conf.Listen {
 		go func(addr string) {
 			var err error
 			if s.conf.Cert != "" || s.conf.Key != "" {
-				err = http.ListenAndServeTLS(addr, s.conf.Cert, s.conf.Key, servemux)
+				if clientCAPool != nil {
+					srvtls := &http.Server{
+						Handler: servemux,
+						Addr:    addr,
+						TLSConfig: &tls.Config{
+							ClientCAs:  clientCAPool,
+							ClientAuth: tls.RequireAndVerifyClientCert,
+							GetCertificate: func(info *tls.ClientHelloInfo) (certificate *tls.Certificate, e error) {
+								c, err := tls.LoadX509KeyPair(s.conf.Cert, s.conf.Key)
+								if err != nil {
+									fmt.Printf("Error loading server certificate key pair: %v\n", err)
+									return nil, err
+								}
+								return &c, nil
+							},
+						},
+					}
+					err = srvtls.ListenAndServeTLS("", "")
+				} else {
+					err = http.ListenAndServeTLS(addr, s.conf.Cert, s.conf.Key, servemux)
+				}
 			} else {
 				err = http.ListenAndServe(addr, servemux)
 			}
@@ -104,13 +173,43 @@ func (s *Server) Start() error {
 }
 
 func (s *Server) handlerFunc(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	if realIP := r.Header.Get("X-Real-IP"); realIP != "" {
+		if strings.ContainsRune(realIP, ':') {
+			r.RemoteAddr = "[" + realIP + "]:0"
+		} else {
+			r.RemoteAddr = realIP + ":0"
+		}
+		_, _, err := net.SplitHostPort(r.RemoteAddr)
+		if err != nil {
+			r.RemoteAddr = realIP
+		}
+	}
+
+	w.Header().Set("Access-Control-Allow-Headers", "Content-Type")
+	w.Header().Set("Access-Control-Allow-Methods", "GET, HEAD, OPTIONS, POST")
+	w.Header().Set("Access-Control-Allow-Origin", "*")
+	w.Header().Set("Access-Control-Max-Age", "3600")
 	w.Header().Set("Server", USER_AGENT)
 	w.Header().Set("X-Powered-By", USER_AGENT)
 
+	if r.Method == "OPTIONS" {
+		w.Header().Set("Content-Length", "0")
+		return
+	}
+
 	if r.Form == nil {
 		const maxMemory = 32 << 20 // 32 MB
 		r.ParseMultipartForm(maxMemory)
 	}
+
+	for _, header := range s.conf.DebugHTTPHeaders {
+		if value := r.Header.Get(header); value != "" {
+			log.Printf("%s: %s\n", header, value)
+		}
+	}
+
 	contentType := r.Header.Get("Content-Type")
 	if ct := r.FormValue("ct"); ct != "" {
 		contentType = ct
@@ -150,48 +249,52 @@ func (s *Server) handlerFunc(w http.ResponseWriter, r *http.Request) {
 
 	var req *DNSRequest
 	if contentType == "application/dns-json" {
-		req = s.parseRequestGoogle(w, r)
+		req = s.parseRequestGoogle(ctx, w, r)
 	} else if contentType == "application/dns-message" {
-		req = s.parseRequestIETF(w, r)
+		req = s.parseRequestIETF(ctx, w, r)
 	} else if contentType == "application/dns-udpwireformat" {
-		req = s.parseRequestIETF(w, r)
+		req = s.parseRequestIETF(ctx, w, r)
 	} else {
-		jsonDNS.FormatError(w, fmt.Sprintf("Invalid argument value: \"ct\" = %q", contentType), 415)
+		jsondns.FormatError(w, fmt.Sprintf("Invalid argument value: \"ct\" = %q", contentType), 415)
 		return
 	}
 	if req.errcode == 444 {
 		return
 	}
 	if req.errcode != 0 {
-		jsonDNS.FormatError(w, req.errtext, req.errcode)
+		jsondns.FormatError(w, req.errtext, req.errcode)
 		return
 	}
 
 	req = s.patchRootRD(req)
 
-	var err error
-	req, err = s.doDNSQuery(req)
+	err := s.doDNSQuery(ctx, req)
 	if err != nil {
-		jsonDNS.FormatError(w, fmt.Sprintf("DNS query failure (%s)", err.Error()), 503)
+		jsondns.FormatError(w, fmt.Sprintf("DNS query failure (%s)", err.Error()), 503)
 		return
 	}
 
 	if responseType == "application/json" {
-		s.generateResponseGoogle(w, r, req)
+		s.generateResponseGoogle(ctx, w, r, req)
 	} else if responseType == "application/dns-message" {
-		s.generateResponseIETF(w, r, req)
+		s.generateResponseIETF(ctx, w, r, req)
 	} else {
 		panic("Unknown response Content-Type")
 	}
 }
 
 func (s *Server) findClientIP(r *http.Request) net.IP {
+	noEcs := r.URL.Query().Get("no_ecs")
+	if strings.EqualFold(noEcs, "true") {
+		return nil
+	}
+
 	XForwardedFor := r.Header.Get("X-Forwarded-For")
 	if XForwardedFor != "" {
 		for _, addr := range strings.Split(XForwardedFor, ",") {
 			addr = strings.TrimSpace(addr)
 			ip := net.ParseIP(addr)
-			if jsonDNS.IsGlobalIP(ip) {
+			if jsondns.IsGlobalIP(ip) {
 				return ip
 			}
 		}
@@ -200,21 +303,23 @@ func (s *Server) findClientIP(r *http.Request) net.IP {
 	if XRealIP != "" {
 		addr := strings.TrimSpace(XRealIP)
 		ip := net.ParseIP(addr)
-		if jsonDNS.IsGlobalIP(ip) {
+		if s.conf.ECSAllowNonGlobalIP || jsondns.IsGlobalIP(ip) {
 			return ip
 		}
 	}
+
 	remoteAddr, err := net.ResolveTCPAddr("tcp", r.RemoteAddr)
 	if err != nil {
 		return nil
 	}
-	if ip := remoteAddr.IP; jsonDNS.IsGlobalIP(ip) {
+	ip := remoteAddr.IP
+	if s.conf.ECSAllowNonGlobalIP || jsondns.IsGlobalIP(ip) {
 		return ip
 	}
 	return nil
 }
 
-// Workaround a bug causing Unbound to refuse returning anything about the root
+// Workaround a bug causing Unbound to refuse returning anything about the root.
 func (s *Server) patchRootRD(req *DNSRequest) *DNSRequest {
 	for _, question := range req.request.Question {
 		if question.Name == "." {
@@ -224,23 +329,54 @@ func (s *Server) patchRootRD(req *DNSRequest) *DNSRequest {
 	return req
 }
 
-func (s *Server) doDNSQuery(req *DNSRequest) (resp *DNSRequest, err error) {
+// Return the position index for the question of qtype from a DNS msg, otherwise return -1.
+func (s *Server) indexQuestionType(msg *dns.Msg, qtype uint16) int {
+	for i, question := range msg.Question {
+		if question.Qtype == qtype {
+			return i
+		}
+	}
+	return -1
+}
+
+func (s *Server) doDNSQuery(ctx context.Context, req *DNSRequest) (err error) {
 	numServers := len(s.conf.Upstream)
 	for i := uint(0); i < s.conf.Tries; i++ {
 		req.currentUpstream = s.conf.Upstream[rand.Intn(numServers)]
-		if !s.conf.TCPOnly {
-			req.response, _, err = s.udpClient.Exchange(req.request, req.currentUpstream)
-			if err == dns.ErrTruncated {
-				log.Println(err)
-				req.response, _, err = s.tcpClient.Exchange(req.request, req.currentUpstream)
+
+		upstream, t := addressAndType(req.currentUpstream)
+
+		switch t {
+		default:
+			log.Printf("invalid DNS type %q in upstream %q", t, upstream)
+			return &configError{"invalid DNS type"}
+		// Use DNS-over-TLS (DoT) if configured to do so
+		case "tcp-tls":
+			req.response, _, err = s.tcpClientTLS.ExchangeContext(ctx, req.request, upstream)
+		case "tcp", "udp":
+			// Use TCP if always configured to or if the Query type dictates it (AXFR)
+			if t == "tcp" || (s.indexQuestionType(req.request, dns.TypeAXFR) > -1) {
+				req.response, _, err = s.tcpClient.ExchangeContext(ctx, req.request, upstream)
+			} else {
+				req.response, _, err = s.udpClient.ExchangeContext(ctx, req.request, upstream)
+				if err == nil && req.response != nil && req.response.Truncated {
+					log.Println(err)
+					req.response, _, err = s.tcpClient.ExchangeContext(ctx, req.request, upstream)
+				}
+
+				// Retry with TCP if this was an IXFR request, and we only received an SOA
+				if (s.indexQuestionType(req.request, dns.TypeIXFR) > -1) &&
+					(len(req.response.Answer) == 1) &&
+					(req.response.Answer[0].Header().Rrtype == dns.TypeSOA) {
+					req.response, _, err = s.tcpClient.ExchangeContext(ctx, req.request, upstream)
+				}
 			}
-		} else {
-			req.response, _, err = s.tcpClient.Exchange(req.request, req.currentUpstream)
 		}
+
 		if err == nil {
-			return req, nil
+			return nil
 		}
 		log.Printf("DNS error from upstream %s: %s\n", req.currentUpstream, err.Error())
 	}
-	return req, err
+	return err
 }

doh-server/version.go

@@ -24,6 +24,6 @@
 package main
 
 const (
-	VERSION    = "1.3.7"
+	VERSION    = "2.3.10"
 	USER_AGENT = "DNS-over-HTTPS/" + VERSION + " (+https://github.com/m13253/dns-over-https)"
 )

go.mod

@@ -0,0 +1,20 @@
+module github.com/m13253/dns-over-https/v2
+
+go 1.24
+
+require (
+	github.com/BurntSushi/toml v1.5.0
+	github.com/gorilla/handlers v1.5.2
+	github.com/infobloxopen/go-trees v0.0.0-20221216143356-66ceba885ebc
+	github.com/miekg/dns v1.1.66
+	golang.org/x/net v0.40.0
+)
+
+require (
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/sync v0.14.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
+	golang.org/x/tools v0.33.0 // indirect
+)

go.sum

@@ -0,0 +1,28 @@
+github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
+github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE=
+github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w=
+github.com/infobloxopen/go-trees v0.0.0-20221216143356-66ceba885ebc h1:RhT2pjLo3EVRmldbEcBdeRA7CGPWsNEJC+Y/N1aXQbg=
+github.com/infobloxopen/go-trees v0.0.0-20221216143356-66ceba885ebc/go.mod h1:BaIJzjD2ZnHmx2acPF6XfGLPzNCMiBbMRqJr+8/8uRI=
+github.com/miekg/dns v1.1.66 h1:FeZXOS3VCVsKnEAd+wBkjMC3D2K+ww66Cq3VnCINuJE=
+github.com/miekg/dns v1.1.66/go.mod h1:jGFzBsSNbJw6z1HYut1RKBKHA9PBdxeHrZG8J+gC2WE=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
+golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
+golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
+golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
+golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

json-dns/error.go

@@ -21,7 +21,7 @@
    DEALINGS IN THE SOFTWARE.
 */
 
-package jsonDNS
+package jsondns
 
 import (
 	"encoding/json"
@@ -38,11 +38,11 @@ type dnsError struct {
 
 func FormatError(w http.ResponseWriter, comment string, errcode int) {
 	w.Header().Set("Content-Type", "application/json; charset=UTF-8")
-	errJson := dnsError{
+	errJSON := dnsError{
 		Status:  dns.RcodeServerFailure,
 		Comment: comment,
 	}
-	errStr, err := json.Marshal(errJson)
+	errStr, err := json.Marshal(errJSON)
 	if err != nil {
 		log.Fatalln(err)
 	}

json-dns/globalip.go

@@ -21,109 +21,110 @@
    DEALINGS IN THE SOFTWARE.
 */
 
-package jsonDNS
+package jsondns
 
 import (
 	"net"
+
+	"github.com/infobloxopen/go-trees/iptree"
 )
 
-// RFC6890
-var localIPv4Nets = []net.IPNet{
-	// This host on this network
-	net.IPNet{
-		net.IP{0, 0, 0, 0},
-		net.IPMask{255, 0, 0, 0},
-	},
-	// Private-Use Networks
-	net.IPNet{
-		net.IP{10, 0, 0, 0},
-		net.IPMask{255, 0, 0, 0},
-	},
-	// Shared Address Space
-	net.IPNet{
-		net.IP{100, 64, 0, 0},
-		net.IPMask{255, 192, 0, 0},
-	},
-	// Loopback
-	net.IPNet{
-		net.IP{127, 0, 0, 0},
-		net.IPMask{255, 0, 0, 0},
-	},
-	// Link Local
-	net.IPNet{
-		net.IP{169, 254, 0, 0},
-		net.IPMask{255, 255, 0, 0},
-	},
-	// Private-Use Networks
-	net.IPNet{
-		net.IP{172, 16, 0, 0},
-		net.IPMask{255, 240, 0, 0},
-	},
-	// DS-Lite
-	net.IPNet{
-		net.IP{192, 0, 0, 0},
-		net.IPMask{255, 255, 255, 248},
-	},
-	// 6to4 Relay Anycast
-	net.IPNet{
-		net.IP{192, 88, 99, 0},
-		net.IPMask{255, 255, 255, 0},
-	},
-	// Private-Use Networks
-	net.IPNet{
-		net.IP{192, 168, 0, 0},
-		net.IPMask{255, 255, 0, 0},
-	},
-	// Reserved for Future Use & Limited Broadcast
-	net.IPNet{
-		net.IP{240, 0, 0, 0},
-		net.IPMask{240, 0, 0, 0},
-	},
-}
+var defaultFilter *iptree.Tree
 
-// RFC6890
-var localIPv6Nets = []net.IPNet{
+func init() {
+	defaultFilter = iptree.NewTree()
+
+	// RFC6890
+	// This host on this network
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{0, 0, 0, 0},
+		Mask: net.IPMask{255, 0, 0, 0},
+	}, struct{}{})
+
+	// Private-Use Networks
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{10, 0, 0, 0},
+		Mask: net.IPMask{255, 0, 0, 0},
+	}, struct{}{})
+
+	// Shared Address Space
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{100, 64, 0, 0},
+		Mask: net.IPMask{255, 192, 0, 0},
+	}, struct{}{})
+
+	// Loopback
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{127, 0, 0, 0},
+		Mask: net.IPMask{255, 0, 0, 0},
+	}, struct{}{})
+
+	// Link Local
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{169, 254, 0, 0},
+		Mask: net.IPMask{255, 255, 0, 0},
+	}, struct{}{})
+
+	// Private-Use Networks
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{172, 16, 0, 0},
+		Mask: net.IPMask{255, 240, 0, 0},
+	}, struct{}{})
+
+	// DS-Lite
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{192, 0, 0, 0},
+		Mask: net.IPMask{255, 255, 255, 248},
+	}, struct{}{})
+
+	// 6to4 Relay Anycast
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{192, 88, 99, 0},
+		Mask: net.IPMask{255, 255, 255, 0},
+	}, struct{}{})
+
+	// Private-Use Networks
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{192, 168, 0, 0},
+		Mask: net.IPMask{255, 255, 0, 0},
+	}, struct{}{})
+
+	// Reserved for Future Use & Limited Broadcast
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{240, 0, 0, 0},
+		Mask: net.IPMask{240, 0, 0, 0},
+	}, struct{}{})
+
+	// RFC6890
 	// Unspecified & Loopback Address
-	net.IPNet{
-		net.IP{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		net.IPMask{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe},
-	},
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		Mask: net.IPMask{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe},
+	}, struct{}{})
+
 	// Discard-Only Prefix
-	net.IPNet{
-		net.IP{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		net.IPMask{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-	},
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		Mask: net.IPMask{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+	}, struct{}{})
+
 	// Unique-Local
-	net.IPNet{
-		net.IP{0xfc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		net.IPMask{0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-	},
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{0xfc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		Mask: net.IPMask{0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+	}, struct{}{})
+
 	// Linked-Scoped Unicast
-	net.IPNet{
-		net.IP{0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-		net.IPMask{0xff, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
-	},
+	defaultFilter.InplaceInsertNet(&net.IPNet{
+		IP:   net.IP{0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+		Mask: net.IPMask{0xff, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
+	}, struct{}{})
 }
 
 func IsGlobalIP(ip net.IP) bool {
 	if ip == nil {
 		return false
 	}
-	if ipv4 := ip.To4(); len(ipv4) == net.IPv4len {
-		for _, ipnet := range localIPv4Nets {
-			if ipnet.Contains(ip) {
-				return false
-			}
-		}
-		return true
-	}
-	if len(ip) == net.IPv6len {
-		for _, ipnet := range localIPv6Nets {
-			if ipnet.Contains(ip) {
-				return false
-			}
-		}
-		return true
-	}
-	return true
+	_, contained := defaultFilter.GetByIP(ip)
+	return !contained
 }

json-dns/globalip_test.go

@@ -0,0 +1,34 @@
+package jsondns
+
+import (
+	"fmt"
+	"net"
+)
+
+func ExampleIsGlobalIP() {
+	fmt.Println(IsGlobalIP(net.ParseIP("127.0.0.1")))
+	fmt.Println(IsGlobalIP(net.IP{192, 168, 1, 1}))
+	fmt.Println(IsGlobalIP(net.ParseIP("8.8.8.8")))
+	fmt.Println(IsGlobalIP(net.IP{8, 8, 4, 4}))
+	fmt.Println(IsGlobalIP(net.ParseIP("::1")))
+	fmt.Println(IsGlobalIP(net.IP{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}))
+	fmt.Println(IsGlobalIP(net.ParseIP("2001:4860:4860::8888")))
+	fmt.Println(IsGlobalIP(net.IP{0x20, 0x01, 0x48, 0x60, 0x48, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x44}))
+	fmt.Println(IsGlobalIP(net.ParseIP("::ffff:127.0.0.1")))
+	fmt.Println(IsGlobalIP(net.IP{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 192, 168, 1, 1}))
+	fmt.Println(IsGlobalIP(net.ParseIP("::ffff:808:808")))
+	fmt.Println(IsGlobalIP(net.IP{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 8, 8, 4, 4}))
+	// Output:
+	// false
+	// false
+	// true
+	// true
+	// false
+	// false
+	// true
+	// true
+	// false
+	// false
+	// true
+	// true
+}

json-dns/marshal.go

@@ -21,7 +21,7 @@
    DEALINGS IN THE SOFTWARE.
 */
 
-package jsonDNS
+package jsondns
 
 import (
 	"net"
@@ -90,7 +90,7 @@ func Marshal(msg *dns.Msg) *Response {
 					} else if ipv4 := clientAddress.To4(); ipv4 != nil {
 						clientAddress = ipv4
 					}
-					resp.EdnsClientSubnet = clientAddress.String() + "/" + strconv.Itoa(int(edns0.SourceScope))
+					resp.EdnsClientSubnet = clientAddress.String() + "/" + strconv.FormatUint(uint64(edns0.SourceScope), 10)
 				}
 			}
 			continue

json-dns/response.go

@@ -21,12 +21,32 @@
    DEALINGS IN THE SOFTWARE.
 */
 
-package jsonDNS
+package jsondns
 
 import (
+	"encoding/json"
 	"time"
 )
 
+type QuestionList []Question
+
+func (ql *QuestionList) UnmarshalJSON(b []byte) error {
+	// Fix variant question response in Response.Question
+	//
+	// Solution taken from:
+	//	https://engineering.bitnami.com/articles/dealing-with-json-with-non-homogeneous-types-in-go.html
+	//	https://archive.is/NU4zR
+	if len(b) > 0 && b[0] == '[' {
+		return json.Unmarshal(b, (*[]Question)(ql))
+	}
+	var q Question
+	if err := json.Unmarshal(b, &q); err != nil {
+		return err
+	}
+	*ql = []Question{q}
+	return nil
+}
+
 type Response struct {
 	// Standard DNS response code (32 bit integer)
 	Status uint32 `json:"Status"`
@@ -40,13 +60,13 @@ type Response struct {
 	// FIXME: We don't have DNSSEC yet! This bit is not reliable!
 	AD bool `json:"AD"`
 	// Whether the client asked to disable DNSSEC
-	CD               bool       `json:"CD"`
-	Question         []Question `json:"Question"`
-	Answer           []RR       `json:"Answer,omitempty"`
-	Authority        []RR       `json:"Authority,omitempty"`
-	Additional       []RR       `json:"Additional,omitempty"`
-	Comment          string     `json:"Comment,omitempty"`
-	EdnsClientSubnet string     `json:"edns_client_subnet,omitempty"`
+	CD               bool         `json:"CD"`
+	Question         QuestionList `json:"Question"`
+	Answer           []RR         `json:"Answer,omitempty"`
+	Authority        []RR         `json:"Authority,omitempty"`
+	Additional       []RR         `json:"Additional,omitempty"`
+	Comment          string       `json:"Comment,omitempty"`
+	EdnsClientSubnet string       `json:"edns_client_subnet,omitempty"`
 	// Least time-to-live
 	HaveTTL         bool      `json:"-"`
 	LeastTTL        uint32    `json:"-"`

json-dns/unmarshal.go

@@ -21,7 +21,7 @@
    DEALINGS IN THE SOFTWARE.
 */
 
-package jsonDNS
+package jsondns
 
 import (
 	"fmt"
@@ -38,7 +38,7 @@ func PrepareReply(req *dns.Msg) *dns.Msg {
 	reply := new(dns.Msg)
 	reply.Id = req.Id
 	reply.Response = true
-	reply.Opcode = reply.Opcode
+	reply.Opcode = req.Opcode
 	reply.RecursionDesired = req.RecursionDesired
 	reply.RecursionAvailable = req.RecursionDesired
 	reply.CheckingDisabled = req.CheckingDisabled
@@ -119,7 +119,7 @@ func Unmarshal(msg *dns.Msg, resp *Response, udpSize uint16, ednsClientNetmask u
 			if ednsClientFamily == 1 {
 				ednsClientNetmask = 24
 			} else {
-				ednsClientNetmask = 48
+				ednsClientNetmask = 56
 			}
 		}
 		edns0Subnet := new(dns.EDNS0_SUBNET)

systemd/doh-client.service

@@ -4,15 +4,18 @@ Documentation=https://github.com/m13253/dns-over-https
 After=network.target
 Before=nss-lookup.target
 Wants=nss-lookup.target
+StartLimitIntervalSec=0
 
 [Service]
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 ExecStart=/usr/local/bin/doh-client -conf /etc/dns-over-https/doh-client.conf
 LimitNOFILE=1048576
 Restart=always
-RestartSec=3
+RestartSec=1s
+RestartMaxDelaySec=76s
+RestartSteps=9
 Type=simple
-User=nobody
+DynamicUser=yes
 
 [Install]
 WantedBy=multi-user.target

systemd/doh-server.service

@@ -2,15 +2,18 @@
 Description=DNS-over-HTTPS Server
 Documentation=https://github.com/m13253/dns-over-https
 After=network.target
+StartLimitIntervalSec=0
 
 [Service]
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 ExecStart=/usr/local/bin/doh-server -conf /etc/dns-over-https/doh-server.conf
 LimitNOFILE=1048576
 Restart=always
-RestartSec=3
+RestartSec=1s
+RestartMaxDelaySec=76s
+RestartSteps=9
 Type=simple
-User=nobody
+DynamicUser=yes
 
 [Install]
 WantedBy=multi-user.target