Release 2.2.1

Add support for DNS-over-TLS upstream resolvers

Changelog.md

@@ -4,6 +4,27 @@ This Changelog records major changes between versions.
 
 Not all changes are recorded. Please check git log for details.
 
+## Version 2.2.1
+
+- Fix messy log
+
+## Version 2.2.0
+
+- Breaking change: The configuration format of doh-server is changed
+- Add support for type prefix for upstream addresses of doh-server
+- Add support for DNS-over-TLS upstream addresses of doh-server
+- Remove `tcp_only` configuration option in doh-server
+- Add `no_user_agent` configuration option in doh-server
+- Add an RPM package script with SELinux policy
+- Fix Opcode never assigned in `jsonDNS.PrepareReply`
+- Improve error logging / checking
+- Updated Readme
+
+## Version 2.1.2
+
+- Update address for google's resolver
+- Fix a typo
+
 ## Version 2.1.1
 
 - Add a set of Dockerfile contributed by the community

Makefile

@@ -59,6 +59,7 @@ uninstall:
 
 deps:
 	@# I am not sure if it is the correct way to keep the common library updated
+	$(GOGET_UPDATE) github.com/m13253/dns-over-https/doh-client/config
 	$(GOGET_UPDATE) github.com/m13253/dns-over-https/json-dns
 	$(GOGET) ./doh-client ./doh-server
 

Readme.md

@@ -44,7 +44,7 @@ To test your configuration, type:
 
     dig www.google.com
 
-If it is OK, you will wee:
+If it is OK, you will see:
 
     ;; SERVER: 127.0.0.1#53(127.0.0.1)
 
@@ -79,6 +79,81 @@ you can host DNS-over-HTTPS along with other HTTPS services.
 HTTP/2 with at least TLS v1.3 is recommended. OCSP stapling must be enabled,
 otherwise DNS recursion may happen.
 
+### Example configuration: Apache
+
+    SSLProtocol TLSv1.2
+    SSLHonorCipherOrder On
+    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS:!eNULL:!EXP:!LOW:!MD5
+    SSLUseStapling on
+    SSLStaplingCache shmcb:/var/lib/apache2/stapling_cache(512000)
+
+    <VirtualHost *:443>
+        ServerName MY_SERVER_NAME
+        Protocols h2 http/1.1
+        ProxyPass /dns-query http://[::1]:8053/dns-query
+        ProxyPassReverse /dns-query http://[::1]:8053/dns-query
+    </VirtualHost>
+
+(Credit: [Joan Moreau](https://github.com/m13253/dns-over-https/issues/51#issuecomment-526820884))
+
+### Example configuration: Nginx
+
+    server {
+        listen       443 ssl http2 default_server;
+        listen       [::]:443 ssl http2 default_server;
+        server_name  MY_SERVER_NAME;
+
+        server_tokens off;
+
+        ssl_protocols TLSv1.2 TLSv1.3;          # TLS 1.3 requires nginx >= 1.13.0
+        ssl_prefer_server_ciphers on;
+        ssl_dhparam /etc/nginx/dhparam.pem;     # openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096
+        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+        ssl_ecdh_curve secp384r1;               # Requires nginx >= 1.1.0
+        ssl_session_timeout  10m;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_tickets off;                # Requires nginx >= 1.5.9
+        ssl_stapling on;                        # Requires nginx >= 1.3.7
+        ssl_stapling_verify on;                 # Requires nginx => 1.3.7
+        ssl_early_data off;                     # 0-RTT, enable if desired - Requires nginx >= 1.15.4
+        resolver 1.1.1.1 valid=300s;            # Replace with your local resolver
+        resolver_timeout 5s;
+        # HTTP Security Headers
+        add_header X-Frame-Options DENY;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header Strict-Transport-Security "max-age=63072000";
+        ssl_certificate /path/to/your/server/certificates/fullchain.pem;
+        ssl_certificate_key /path/to/your/server/certificates/privkey.pem;
+        location /dns-query {
+            proxy_pass       http://localhost:8053/dns-query;
+            proxy_set_header Host      $host;
+            proxy_set_header X-Real-IP $remote_addr;
+        }
+    }
+
+(Credit: [Cipherli.st](https://cipherli.st/))
+
+### Example configuration: Caddy
+
+    https://MY_SERVER_NAME {
+            log     / syslog "{remote} - {user} [{when}] \"{method} {scheme}://{host}{uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {>X-Forwarded-For}"
+            errors  syslog
+            gzip
+            proxy   /dns-query      http://[::1]:18053 {
+                    header_upstream Host {host}
+                    header_upstream X-Real-IP {remote}
+                    header_upstream X-Forwarded-For {>X-Forwarded-For},{remote}
+                    header_upstream X-Forwarded-Proto {scheme}
+            }
+            root    /var/www
+            tls {
+                    ciphers ECDHE-ECDSA-WITH-CHACHA20-POLY1305 ECDHE-RSA-WITH-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256
+                    curves  X25519 p384 p521
+                    must_staple
+            }
+    }
+
 ## DNSSEC
 
 DNS-over-HTTPS is compatible with DNSSEC, and requests DNSSEC signatures by

contrib/rpm/dns-over-https-2.1.2-systemd.patch

@@ -0,0 +1,36 @@
+diff -Naur dns-over-https-2.1.2.org/systemd/doh-client.service dns-over-https-2.1.2/systemd/doh-client.service
+--- dns-over-https-2.1.2.org/systemd/doh-client.service	2019-09-10 12:08:35.177574074 +0200
++++ dns-over-https-2.1.2/systemd/doh-client.service	2019-09-10 12:10:05.473700374 +0200
+@@ -7,12 +7,12 @@
+ 
+ [Service]
+ AmbientCapabilities=CAP_NET_BIND_SERVICE
+-ExecStart=/usr/local/bin/doh-client -conf /etc/dns-over-https/doh-client.conf
++ExecStart=/usr/bin/doh-client -conf /etc/dns-over-https/doh-client.conf
+ LimitNOFILE=1048576
+ Restart=always
+ RestartSec=3
+ Type=simple
+-User=nobody
++User=doh-client
+ 
+ [Install]
+ WantedBy=multi-user.target
+diff -Naur dns-over-https-2.1.2.org/systemd/doh-server.service dns-over-https-2.1.2/systemd/doh-server.service
+--- dns-over-https-2.1.2.org/systemd/doh-server.service	2019-09-10 12:08:35.177574074 +0200
++++ dns-over-https-2.1.2/systemd/doh-server.service	2019-09-10 12:10:20.980273992 +0200
+@@ -5,12 +5,12 @@
+ 
+ [Service]
+ AmbientCapabilities=CAP_NET_BIND_SERVICE
+-ExecStart=/usr/local/bin/doh-server -conf /etc/dns-over-https/doh-server.conf
++ExecStart=/usr/bin/doh-server -conf /etc/dns-over-https/doh-server.conf
+ LimitNOFILE=1048576
+ Restart=always
+ RestartSec=3
+ Type=simple
+-User=nobody
++User=doh-server
+ 
+ [Install]
+ WantedBy=multi-user.target

contrib/rpm/doh.spec

@@ -0,0 +1,240 @@
+# vim: tabstop=4 shiftwidth=4 expandtab
+%global _hardened_build 1
+# Debug package is empty anyway
+%define debug_package %{nil}
+
+%global _release        1
+%global provider        github
+%global provider_tld    com
+%global project         m13253
+%global repo            dns-over-https
+%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
+%global import_path     %{provider_prefix}
+
+#define commit          984df34ca7b45897ecb5871791e398cc160a4b93
+
+%if 0%{?commit:1}
+%define shortcommit     %(c=%{commit}; echo ${c:0:7})
+%define _date           %(date +'%%Y%%m%%dT%%H%%M%%S')
+%endif
+
+%define rand_id         %(head -c20 /dev/urandom|od -An -tx1|tr -d '[[:space:]]')
+
+%if ! 0%{?gobuild:1}
+%define gobuild(o:) go build -ldflags "${LDFLAGS:-} -B 0x%{rand_id}" -a -v -x %{?**};
+%endif
+
+%if ! 0%{?gotest:1}
+%define gotest() go test -ldflags "${LDFLAGS:-}" %{?**}
+%endif
+
+Name:           %{repo}
+Version:        2.1.2
+%if 0%{?commit:1}
+Release:    %{_release}.git%{shortcommit}.%{_date}%{?dist}
+Source0:        https://%{import_path}/archive/%{commit}.tar.gz
+%else
+Release:        %{_release}%{?dist}
+Source0:        https://%{import_path}/archive/v%{version}.tar.gz
+%endif
+Patch0:         %{name}-%{version}-systemd.patch
+
+Summary:        High performance DNS over HTTPS client & server
+License:        MIT
+URL:            https://github.com/m13253/dns-over-https
+
+
+# e.g. el6 has ppc64 arch without gcc-go, so EA tag is required
+# If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
+#BuildRequires:  %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang} >= 1.10
+BuildRequires:  golang >= 1.10
+BuildRequires:  systemd
+BuildRequires:  upx
+
+%description
+%{summary}
+
+%package common
+BuildArch: noarch
+Summary: %{summary} - common files
+
+%description common
+%{summary}
+
+%package server
+ExclusiveArch:  %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 %{arm}}
+Summary: %{summary} - Server
+Requires(pre):          shadow-utils
+Requires(post):         systemd
+Requires(preun):        systemd
+Requires(postun):       systemd
+
+%description server
+%{summary}
+
+%package client
+ExclusiveArch:  %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 %{arm}}
+Summary: %{summary} - Client
+Requires(pre):          shadow-utils
+Requires(post):         systemd
+Requires(preun):        systemd
+Requires(postun):       systemd
+
+%description client
+%{summary}
+
+%package selinux
+BuildArch:      noarch
+
+Source3:        doh_server.fc
+Source4:        doh_server.if
+Source5:        doh_server.te
+Source6:        doh_client.fc
+Source7:        doh_client.if
+Source8:        doh_client.te
+
+BuildRequires:  selinux-policy
+BuildRequires:  selinux-policy-devel
+Requires:       %{name}
+
+Requires(post):     policycoreutils
+Requires(post):     policycoreutils-python 
+Requires(postun):   policycoreutils
+
+Summary: SELinux policy for %{name}
+
+%description selinux
+%summary
+ 
+%prep
+%if 0%{?commit:1}
+%autosetup -n %{name}-%{commit} -p1
+%else
+%autosetup -n %{name}-%{version} -p1
+%endif
+
+mkdir -p selinux
+cp %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE7} %{SOURCE8} selinux
+
+%build
+cd selinux
+make -f /usr/share/selinux/devel/Makefile doh_server.pp doh_client.pp || exit
+cd -
+
+%set_build_flags
+%make_build \
+    PREFIX=%{_prefix} \
+    GOBUILD="go build -ldflags \"-s -w -B 0x%{rand_id}\" -a -v -x"
+
+%install
+%make_install \
+    PREFIX=%{_prefix}
+install -Dpm 0600 selinux/doh_server.pp %{buildroot}%{_datadir}/selinux/packages/doh_server.pp
+install -Dpm 0644 selinux/doh_server.if %{buildroot}%{_datadir}/selinux/devel/include/contrib/doh_server.if
+install -Dpm 0600 selinux/doh_client.pp %{buildroot}%{_datadir}/selinux/packages/doh_client.pp
+install -Dpm 0644 selinux/doh_client.if %{buildroot}%{_datadir}/selinux/devel/include/contrib/doh_client.if
+
+mkdir -p %{buildroot}%{_docdir}/%{name}
+mv %{buildroot}%{_sysconfdir}/%{name}/*.example %{buildroot}%{_docdir}/%{name}
+
+mkdir -p %{buildroot}%{_libdir}
+mv %{buildroot}%{_sysconfdir}/NetworkManager %{buildroot}%{_libdir}/
+
+for i in $(find %{_buildroot}%{_bindir} -type f)
+do
+    upx $i
+done
+
+%files common
+%license LICENSE
+%doc Changelog.md Readme.md
+
+%files server
+%{_libdir}/NetworkManager/dispatcher.d/doh-server
+%{_docdir}/%{name}/doh-server.conf.example
+%config(noreplace) %{_sysconfdir}/%{name}/doh-server.conf
+%{_bindir}/doh-server
+%{_unitdir}/doh-server.service
+
+%files client
+%{_libdir}/NetworkManager/dispatcher.d/doh-client
+%{_docdir}/%{name}/doh-client.conf.example
+%config(noreplace) %{_sysconfdir}/%{name}/doh-client.conf
+%{_bindir}/doh-client
+%{_unitdir}/doh-client.service
+
+%pre server
+test -d %{_sharedstatedir}/home || mkdir -p %{_sharedstatedir}/home
+getent group doh-server > /dev/null || groupadd -r doh-server
+getent passwd doh-server > /dev/null || \
+    useradd -r -d %{_sharedstatedir}/home/doh-server -g doh-server \
+    -s /sbin/nologin -c "%{name} - server" doh-server
+exit 0
+
+%pre client
+test -d %{_sharedstatedir}/home || mkdir -p %{_sharedstatedir}/home
+getent group doh-client > /dev/null || groupadd -r doh-client
+getent passwd doh-client > /dev/null || \
+    useradd -r -d %{_sharedstatedir}/home/doh-client -g doh-client \
+    -s /sbin/nologin -c "%{name} - client" doh-client
+exit 0
+
+%post server
+%systemd_post doh-server.service
+
+%preun server
+%systemd_preun doh-server.service
+
+%postun server
+%systemd_postun_with_restart doh-server.service
+
+%post client
+%systemd_post doh-client.service
+
+%preun client
+%systemd_preun doh-client.service
+
+%postun client
+%systemd_postun_with_restart doh-client.service
+
+%files selinux
+%{_datadir}/selinux/packages/doh_server.pp
+%{_datadir}/selinux/devel/include/contrib/doh_server.if
+%{_datadir}/selinux/packages/doh_client.pp
+%{_datadir}/selinux/devel/include/contrib/doh_client.if
+
+%post selinux
+semodule -n -i %{_datadir}/selinux/packages/doh_server.pp
+semodule -n -i %{_datadir}/selinux/packages/doh_client.pp
+if /usr/sbin/selinuxenabled ; then
+    /usr/sbin/load_policy
+    /usr/sbin/fixfiles -R %{name}-server restore
+    /usr/sbin/fixfiles -R %{name}-client restore
+fi;
+semanage -i - << __eof
+port -a -t doh_server_port_t -p tcp "8053"
+port -a -t doh_client_port_t -p udp "5380"
+__eof
+exit 0
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    semanage -i - << __eof
+port -d -t doh_server_port_t -p tcp "8053"
+port -d -t doh_client_port_t -p udp "5380"
+__eof
+
+    semodule -n -r doh_server
+    semodule -n -r doh_client
+    if /usr/sbin/selinuxenabled ; then
+       /usr/sbin/load_policy
+       /usr/sbin/fixfiles -R %{name}-server restore
+       /usr/sbin/fixfiles -R %{name}-client restore
+    fi;
+fi;
+exit 0
+
+%changelog
+* Tue Sep 10 2019 fuero <fuerob@gmail.com> 2.1.2-1
+- initial package
+

contrib/rpm/doh_client.fc

@@ -0,0 +1,2 @@
+/usr/bin/doh-client					--	gen_context(system_u:object_r:doh_client_exec_t,s0)
+/usr/lib/systemd/system/doh-client.service		--	gen_context(system_u:object_r:doh_client_unit_file_t,s0)

contrib/rpm/doh_client.if

@@ -0,0 +1,103 @@
+
+## <summary>policy for doh_client</summary>
+
+########################################
+## <summary>
+##	Execute doh_client_exec_t in the doh_client domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`doh_client_domtrans',`
+	gen_require(`
+		type doh_client_t, doh_client_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, doh_client_exec_t, doh_client_t)
+')
+
+######################################
+## <summary>
+##	Execute doh_client in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`doh_client_exec',`
+	gen_require(`
+		type doh_client_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, doh_client_exec_t)
+')
+########################################
+## <summary>
+##	Execute doh_client server in the doh_client domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`doh_client_systemctl',`
+	gen_require(`
+		type doh_client_t;
+		type doh_client_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 doh_client_unit_file_t:file read_file_perms;
+	allow $1 doh_client_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, doh_client_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an doh_client environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`doh_client_admin',`
+	gen_require(`
+		type doh_client_t;
+	type doh_client_unit_file_t;
+	')
+
+	allow $1 doh_client_t:process { signal_perms };
+	ps_process_pattern($1, doh_client_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 doh_client_t:process ptrace;
+    ')
+
+	doh_client_systemctl($1)
+	admin_pattern($1, doh_client_unit_file_t)
+	allow $1 doh_client_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')

contrib/rpm/doh_client.te

@@ -0,0 +1,49 @@
+policy_module(doh_client, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type doh_client_t;
+type doh_client_exec_t;
+init_daemon_domain(doh_client_t, doh_client_exec_t)
+
+type doh_client_port_t;
+
+corenet_port(doh_client_port_t)
+
+type doh_client_unit_file_t;
+systemd_unit_file(doh_client_unit_file_t)
+
+########################################
+#
+# doh_client local policy
+#
+allow doh_client_t self:fifo_file rw_fifo_file_perms;
+allow doh_client_t self:unix_stream_socket create_stream_socket_perms;
+
+allow doh_client_t self:capability net_bind_service;
+allow doh_client_t self:process execmem;
+allow doh_client_t self:tcp_socket { accept bind connect create getattr getopt listen read setopt write };
+allow doh_client_t self:udp_socket { bind connect create getattr read setopt write };
+
+allow doh_client_t doh_client_exec_t:file execmod;
+allow doh_client_t doh_client_port_t:tcp_socket name_bind;
+
+corenet_tcp_bind_dns_port(doh_client_t)
+corenet_tcp_bind_generic_node(doh_client_t)
+corenet_tcp_connect_http_port(doh_client_t)
+corenet_udp_bind_dns_port(doh_client_t)
+corenet_udp_bind_generic_node(doh_client_t)
+corenet_udp_bind_generic_port(doh_client_t)
+kernel_read_net_sysctls(doh_client_t)
+kernel_search_network_sysctl(doh_client_t)
+miscfiles_read_certs(doh_client_t)
+sysnet_read_config(doh_client_t)
+
+domain_use_interactive_fds(doh_client_t)
+
+files_read_etc_files(doh_client_t)
+
+miscfiles_read_localization(doh_client_t)

contrib/rpm/doh_server.fc

@@ -0,0 +1,2 @@
+/usr/bin/doh-server					--	gen_context(system_u:object_r:doh_server_exec_t,s0)
+/usr/lib/systemd/system/doh-server.service		--	gen_context(system_u:object_r:doh_server_unit_file_t,s0)

contrib/rpm/doh_server.if

@@ -0,0 +1,122 @@
+
+## <summary>policy for doh_server</summary>
+
+########################################
+## <summary>
+##	Execute doh_server_exec_t in the doh_server domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`doh_server_domtrans',`
+	gen_require(`
+		type doh_server_t, doh_server_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, doh_server_exec_t, doh_server_t)
+')
+
+######################################
+## <summary>
+##	Execute doh_server in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`doh_server_exec',`
+	gen_require(`
+		type doh_server_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, doh_server_exec_t)
+')
+########################################
+## <summary>
+##	Execute doh_server server in the doh_server domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`doh_server_systemctl',`
+	gen_require(`
+		type doh_server_t;
+		type doh_server_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 doh_server_unit_file_t:file read_file_perms;
+	allow $1 doh_server_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, doh_server_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an doh_server environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`doh_server_admin',`
+	gen_require(`
+		type doh_server_t;
+	type doh_server_unit_file_t;
+	')
+
+	allow $1 doh_server_t:process { signal_perms };
+	ps_process_pattern($1, doh_server_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 doh_server_t:process ptrace;
+    ')
+
+	doh_server_systemctl($1)
+	admin_pattern($1, doh_server_unit_file_t)
+	allow $1 doh_server_unit_file_t:service all_service_perms;
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+
+########################################
+## <summary>
+##      Make a TCP connection to the vault_ocsp_responder port.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`doh_server_connect',`
+        gen_require(`
+                type doh_server_port_t;
+		type $1;
+        ')
+
+        allow $1 doh_server_port_t:tcp_socket name_connect;
+')

contrib/rpm/doh_server.te

@@ -0,0 +1,42 @@
+policy_module(doh_server, 1.0.0)
+
+require {
+	class process execmem;
+	class tcp_socket { accept bind create read write getattr listen setopt connect getopt };
+	class udp_socket { connect create getattr setopt read write };
+	class file execmod;
+}
+
+type doh_server_t;
+type doh_server_exec_t;
+
+init_daemon_domain(doh_server_t, doh_server_exec_t)
+
+type doh_server_port_t;
+
+corenet_port(doh_server_port_t)
+
+type doh_server_unit_file_t;
+systemd_unit_file(doh_server_unit_file_t)
+
+allow doh_server_t self:fifo_file rw_fifo_file_perms;
+allow doh_server_t self:unix_stream_socket create_stream_socket_perms;
+allow doh_server_t self:process execmem;
+allow doh_server_t self:tcp_socket { accept read write bind create getattr listen setopt connect getopt};
+allow doh_server_t self:udp_socket { connect create getattr setopt read write };
+
+allow doh_server_t doh_server_exec_t:file execmod;
+allow doh_server_t doh_server_port_t:tcp_socket name_bind;
+
+domain_use_interactive_fds(doh_server_t)
+
+files_read_etc_files(doh_server_t)
+
+corenet_tcp_bind_generic_node(doh_server_t)
+corenet_tcp_connect_dns_port(doh_server_t)
+doh_server_connect(httpd_t)
+
+kernel_read_net_sysctls(doh_server_t)
+kernel_search_network_sysctl(doh_server_t)
+
+miscfiles_read_localization(doh_server_t)

doh-client/config/config.go

@@ -53,6 +53,7 @@ type others struct {
 	NoCookies        bool     `toml:"no_cookies"`
 	NoECS            bool     `toml:"no_ecs"`
 	NoIPv6           bool     `toml:"no_ipv6"`
+	NoUserAgent      bool     `toml:"no_user_agent"`
 	Verbose          bool     `toml:"verbose"`
 	DebugHTTPHeaders []string `toml:"debug_http_headers"`
 }

doh-client/doh-client.conf

@@ -18,9 +18,9 @@ upstream_selector = "random"
 
 # weight should in (0, 100], if upstream_selector is random, weight will be ignored
 
-## Google's productive resolver, good ECS, bad DNSSEC
+## Google's resolver, good ECS, good DNSSEC
-#[[upstream.upstream_google]]
+#[[upstream.upstream_ietf]]
-#    url = "https://dns.google.com/resolve"
+#    url = "https://dns.google/dns-query"
 #    weight = 50
 
 ## CloudFlare's resolver, bad ECS, good DNSSEC
@@ -48,11 +48,6 @@ upstream_selector = "random"
 #    url = "https://9.9.9.9/dns-query"
 #    weight = 50
 
-## Google's experimental resolver, good ECS, good DNSSEC
-#[[upstream.upstream_ietf]]
-#    url = "https://dns.google.com/experimental"
-#    weight = 50
-
 ## CloudFlare's resolver for Tor, available only with Tor
 ## Remember to disable ECS below when using Tor!
 ## Blog: https://blog.cloudflare.com/welcome-hidden-resolver/
@@ -124,5 +119,16 @@ no_ecs = false
 # Note that DNS listening and bootstrapping is not controlled by this option.
 no_ipv6 = false
 
+# Disable submitting User-Agent
+#
+# It is generally not recommended to disable submitting User-Agent because it
+# is still possible to probe client version according to behavior differences,
+# such as TLS handshaking, handling of malformed packets, and specific bugs.
+# Additionally, User-Agent is an important way for the server to distinguish
+# buggy, old, or insecure clients, and to workaround specific bugs.
+# (e.g. doh-server can detect and workaround certain issues of DNSCrypt-Proxy
+# and older Firefox.)
+no_user_agent = false
+
 # Enable logging
 verbose = false

doh-client/google.go

@@ -86,7 +86,11 @@ func (c *Client) generateRequestGoogle(ctx context.Context, w dns.ResponseWriter
 	}
 
 	req.Header.Set("Accept", "application/json, application/dns-message, application/dns-udpwireformat")
-	req.Header.Set("User-Agent", USER_AGENT)
+	if !c.conf.Other.NoUserAgent {
+		req.Header.Set("User-Agent", USER_AGENT)
+	} else {
+		req.Header.Set("User-Agent", "")
+	}
 	req = req.WithContext(ctx)
 
 	c.httpClientMux.RLock()

doh-client/ietf.go

@@ -36,7 +36,7 @@ import (
 	"time"
 
 	"github.com/m13253/dns-over-https/doh-client/selector"
-	"github.com/m13253/dns-over-https/json-dns"
+	jsonDNS "github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
 )
 
@@ -128,7 +128,11 @@ func (c *Client) generateRequestIETF(ctx context.Context, w dns.ResponseWriter,
 		req.Header.Set("Content-Type", "application/dns-message")
 	}
 	req.Header.Set("Accept", "application/dns-message, application/dns-udpwireformat, application/json")
-	req.Header.Set("User-Agent", USER_AGENT)
+	if !c.conf.Other.NoUserAgent {
+		req.Header.Set("User-Agent", USER_AGENT)
+	} else {
+		req.Header.Set("User-Agent", "")
+	}
 	req = req.WithContext(ctx)
 	c.httpClientMux.RLock()
 	resp, err := c.httpClient.Do(req)
@@ -176,7 +180,7 @@ func (c *Client) parseResponseIETF(ctx context.Context, w dns.ResponseWriter, r
 
 	body, err := ioutil.ReadAll(req.response.Body)
 	if err != nil {
-		log.Println(err)
+		log.Printf("read error from upstream %s: %v\n", req.currentUpstream, err)
 		req.reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(req.reply)
 		return
@@ -187,7 +191,7 @@ func (c *Client) parseResponseIETF(ctx context.Context, w dns.ResponseWriter, r
 		if nowDate, err := time.Parse(http.TimeFormat, headerNow); err == nil {
 			now = nowDate
 		} else {
-			log.Println(err)
+			log.Printf("Date header parse error from upstream %s: %v\n", req.currentUpstream, err)
 		}
 	}
 	headerLastModified := req.response.Header.Get("Last-Modified")
@@ -196,7 +200,7 @@ func (c *Client) parseResponseIETF(ctx context.Context, w dns.ResponseWriter, r
 		if lastModifiedDate, err := time.Parse(http.TimeFormat, headerLastModified); err == nil {
 			lastModified = lastModifiedDate
 		} else {
-			log.Println(err)
+			log.Printf("Last-Modified header parse error from upstream %s: %v\n", req.currentUpstream, err)
 		}
 	}
 	timeDelta := now.Sub(lastModified)
@@ -207,7 +211,7 @@ func (c *Client) parseResponseIETF(ctx context.Context, w dns.ResponseWriter, r
 	fullReply := new(dns.Msg)
 	err = fullReply.Unpack(body)
 	if err != nil {
-		log.Println(err)
+		log.Printf("unpacking error from upstream %s: %v\n", req.currentUpstream, err)
 		req.reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(req.reply)
 		return
@@ -229,7 +233,7 @@ func (c *Client) parseResponseIETF(ctx context.Context, w dns.ResponseWriter, r
 
 	buf, err := fullReply.Pack()
 	if err != nil {
-		log.Println(err)
+		log.Printf("packing error with upstream %s: %v\n", req.currentUpstream, err)
 		req.reply.Rcode = dns.RcodeServerFailure
 		w.WriteMsg(req.reply)
 		return
@@ -238,12 +242,15 @@ func (c *Client) parseResponseIETF(ctx context.Context, w dns.ResponseWriter, r
 		fullReply.Truncated = true
 		buf, err = fullReply.Pack()
 		if err != nil {
-			log.Println(err)
+			log.Printf("re-packing error with upstream %s: %v\n", req.currentUpstream, err)
 			return
 		}
 		buf = buf[:req.udpSize]
 	}
-	w.Write(buf)
+	_, err = w.Write(buf)
+	if err != nil {
+		log.Printf("failed to write to client: %v\n", err)
+	}
 }
 
 func fixRecordTTL(rr dns.RR, delta time.Duration) dns.RR {

doh-client/main.go

@@ -89,7 +89,7 @@ func main() {
 	flag.Parse()
 
 	if *showVersion {
-		fmt.Printf("doh-server %s\nHomepage: https://github.com/m13253/dns-over-https\n", VERSION)
+		fmt.Printf("doh-client %s\nHomepage: https://github.com/m13253/dns-over-https\n", VERSION)
 		return
 	}
 

doh-client/version.go

@@ -24,6 +24,6 @@
 package main
 
 const (
-	VERSION    = "2.1.1"
+	VERSION    = "2.2.1"
 	USER_AGENT = "DNS-over-HTTPS/" + VERSION + " (+https://github.com/m13253/dns-over-https)"
 )

doh-server/config.go

@@ -25,6 +25,7 @@ package main
 
 import (
 	"fmt"
+	"regexp"
 
 	"github.com/BurntSushi/toml"
 )
@@ -38,7 +39,6 @@ type config struct {
 	Upstream         []string `toml:"upstream"`
 	Timeout          uint     `toml:"timeout"`
 	Tries            uint     `toml:"tries"`
-	TCPOnly          bool     `toml:"tcp_only"`
 	Verbose          bool     `toml:"verbose"`
 	DebugHTTPHeaders []string `toml:"debug_http_headers"`
 	LogGuessedIP     bool     `toml:"log_guessed_client_ip"`
@@ -62,7 +62,7 @@ func loadConfig(path string) (*config, error) {
 		conf.Path = "/dns-query"
 	}
 	if len(conf.Upstream) == 0 {
-		conf.Upstream = []string{"8.8.8.8:53", "8.8.4.4:53"}
+		conf.Upstream = []string{"udp:8.8.8.8:53", "udp:8.8.4.4:53"}
 	}
 	if conf.Timeout == 0 {
 		conf.Timeout = 10
@@ -75,9 +75,35 @@ func loadConfig(path string) (*config, error) {
 		return nil, &configError{"You must specify both -cert and -key to enable TLS"}
 	}
 
+	// validate all upstreams
+	for _, us := range conf.Upstream {
+		address, t := addressAndType(us)
+		if address == "" {
+			return nil, &configError{"One of the upstreams has not a (udp|tcp|tcp-tls) prefix e.g. udp:1.1.1.1:53"}
+		}
+
+		switch t {
+		case "tcp", "udp", "tcp-tls":
+			// OK
+		default:
+			return nil, &configError{"Invalid upstream prefix specified, choose one of: udp tcp tcp-tls"}
+		}
+	}
+
 	return conf, nil
 }
 
+var rxUpstreamWithTypePrefix = regexp.MustCompile("^[a-z-]+(:)")
+
+func addressAndType(us string) (string, string) {
+	p := rxUpstreamWithTypePrefix.FindStringSubmatchIndex(us)
+	if len(p) != 4 {
+		return "", ""
+	}
+
+	return us[p[2]+1:], us[:p[2]]
+}
+
 type configError struct {
 	err string
 }

doh-server/doh-server.conf

@@ -27,11 +27,16 @@ path = "/dns-query"
 
 # Upstream DNS resolver
 # If multiple servers are specified, a random one will be chosen each time.
+# You can use "udp", "tcp" or "tcp-tls" for the type prefix.
+# For "udp", UDP will first be used, and switch to TCP when the server asks to
+# or the response is too large.
+# For "tcp", only TCP will be used.
+# For "tcp-tls", DNS-over-TLS (RFC 7858) will be used to secure the upstream connection.
 upstream = [
-    "1.1.1.1:53",
+    "udp:1.1.1.1:53",
-    "1.0.0.1:53",
+    "udp:1.0.0.1:53",
-    "8.8.8.8:53",
+    "udp:8.8.8.8:53",
-    "8.8.4.4:53",
+    "udp:8.8.4.4:53",
 ]
 
 # Upstream timeout
@@ -40,9 +45,6 @@ timeout = 10
 # Number of tries if upstream DNS fails
 tries = 3
 
-# Only use TCP for DNS query
-tcp_only = false
-
 # Enable logging
 verbose = false
 

doh-server/ietf.go

@@ -36,7 +36,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/m13253/dns-over-https/json-dns"
+	jsonDNS "github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
 )
 
@@ -160,7 +160,7 @@ func (s *Server) generateResponseIETF(ctx context.Context, w http.ResponseWriter
 	req.response.Id = req.transactionID
 	respBytes, err := req.response.Pack()
 	if err != nil {
-		log.Println(err)
+		log.Printf("DNS packet construct failure with upstream %s: %v\n", req.currentUpstream, err)
 		jsonDNS.FormatError(w, fmt.Sprintf("DNS packet construct failure (%s)", err.Error()), 500)
 		return
 	}
@@ -183,9 +183,13 @@ func (s *Server) generateResponseIETF(ctx context.Context, w http.ResponseWriter
 	}
 
 	if respJSON.Status == dns.RcodeServerFailure {
+		log.Printf("received server failure from upstream %s: %v\n", req.currentUpstream, req.response)
 		w.WriteHeader(503)
 	}
-	w.Write(respBytes)
+	_, err = w.Write(respBytes)
+	if err != nil {
+		log.Printf("failed to write to client: %v\n", err)
+	}
 }
 
 // Workaround a bug causing DNSCrypt-Proxy to expect a response with TransactionID = 0xcafe

doh-server/server.go

@@ -35,15 +35,16 @@ import (
 	"time"
 
 	"github.com/gorilla/handlers"
-	"github.com/m13253/dns-over-https/json-dns"
+	jsonDNS "github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
 )
 
 type Server struct {
-	conf      *config
+	conf         *config
-	udpClient *dns.Client
+	udpClient    *dns.Client
-	tcpClient *dns.Client
+	tcpClient    *dns.Client
-	servemux  *http.ServeMux
+	tcpClientTLS *dns.Client
+	servemux     *http.ServeMux
 }
 
 type DNSRequest struct {
@@ -69,6 +70,10 @@ func NewServer(conf *config) (*Server, error) {
 			Net:     "tcp",
 			Timeout: timeout,
 		},
+		tcpClientTLS: &dns.Client{
+			Net:     "tcp-tls",
+			Timeout: timeout,
+		},
 		servemux: http.NewServeMux(),
 	}
 	if conf.LocalAddr != "" {
@@ -88,6 +93,10 @@ func NewServer(conf *config) (*Server, error) {
 			Timeout:   timeout,
 			LocalAddr: tcpLocalAddr,
 		}
+		s.tcpClientTLS.Dialer = &net.Dialer{
+			Timeout:   timeout,
+			LocalAddr: tcpLocalAddr,
+		}
 	}
 	s.servemux.HandleFunc(conf.Path, s.handlerFunc)
 	return s, nil
@@ -279,23 +288,35 @@ func (s *Server) doDNSQuery(ctx context.Context, req *DNSRequest) (resp *DNSRequ
 	for i := uint(0); i < s.conf.Tries; i++ {
 		req.currentUpstream = s.conf.Upstream[rand.Intn(numServers)]
 
-		// Use TCP if always configured to or if the Query type dictates it (AXFR)
+		upstream, t := addressAndType(req.currentUpstream)
-		if s.conf.TCPOnly || (s.indexQuestionType(req.request, dns.TypeAXFR) > -1) {
-			req.response, _, err = s.tcpClient.Exchange(req.request, req.currentUpstream)
-		} else {
-			req.response, _, err = s.udpClient.Exchange(req.request, req.currentUpstream)
-			if err == nil && req.response != nil && req.response.Truncated {
-				log.Println(err)
-				req.response, _, err = s.tcpClient.Exchange(req.request, req.currentUpstream)
-			}
 
-			// Retry with TCP if this was an IXFR request and we only received an SOA
+		switch t {
-			if (s.indexQuestionType(req.request, dns.TypeIXFR) > -1) &&
+		default:
-				(len(req.response.Answer) == 1) &&
+			log.Printf("invalid DNS type %q in upstream %q", t, upstream)
-				(req.response.Answer[0].Header().Rrtype == dns.TypeSOA) {
+			return nil, &configError{"invalid DNS type"}
-				req.response, _, err = s.tcpClient.Exchange(req.request, req.currentUpstream)
+		// Use DNS-over-TLS (DoT) if configured to do so
+		case "tcp-tls":
+			req.response, _, err = s.tcpClientTLS.Exchange(req.request, upstream)
+		case "tcp", "udp":
+			// Use TCP if always configured to or if the Query type dictates it (AXFR)
+			if t == "tcp" || (s.indexQuestionType(req.request, dns.TypeAXFR) > -1) {
+				req.response, _, err = s.tcpClient.Exchange(req.request, upstream)
+			} else {
+				req.response, _, err = s.udpClient.Exchange(req.request, upstream)
+				if err == nil && req.response != nil && req.response.Truncated {
+					log.Println(err)
+					req.response, _, err = s.tcpClient.Exchange(req.request, upstream)
+				}
+
+				// Retry with TCP if this was an IXFR request and we only received an SOA
+				if (s.indexQuestionType(req.request, dns.TypeIXFR) > -1) &&
+					(len(req.response.Answer) == 1) &&
+					(req.response.Answer[0].Header().Rrtype == dns.TypeSOA) {
+					req.response, _, err = s.tcpClient.Exchange(req.request, upstream)
+				}
 			}
 		}
+
 		if err == nil {
 			return req, nil
 		}

doh-server/version.go

@@ -24,6 +24,6 @@
 package main
 
 const (
-	VERSION    = "2.1.1"
+	VERSION    = "2.2.1"
 	USER_AGENT = "DNS-over-HTTPS/" + VERSION + " (+https://github.com/m13253/dns-over-https)"
 )

go.mod

@@ -5,8 +5,8 @@ go 1.12
 require (
 	github.com/BurntSushi/toml v0.3.1
 	github.com/gorilla/handlers v1.4.0
-	github.com/miekg/dns v1.1.14
+	github.com/miekg/dns v1.1.22
-	golang.org/x/crypto v0.0.0-20190621222207-cc06ce4a13d4 // indirect
+	golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 // indirect
-	golang.org/x/net v0.0.0-20190620200207-3b0461eec859
+	golang.org/x/net v0.0.0-20191027093000-83d349e8ac1a
-	golang.org/x/sys v0.0.0-20190621203818-d432491b9138 // indirect
+	golang.org/x/sys v0.0.0-20191026070338-33540a1f6037 // indirect
 )

go.sum

@@ -4,15 +4,33 @@ github.com/gorilla/handlers v1.4.0 h1:XulKRWSQK5uChr4pEgSE4Tc/OcmnU9GJuSwdog/tZs
 github.com/gorilla/handlers v1.4.0/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ=
 github.com/miekg/dns v1.1.14 h1:wkQWn9wIp4mZbwW8XV6Km6owkvRPbOiV004ZM2CkGvA=
 github.com/miekg/dns v1.1.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
+github.com/miekg/dns v1.1.22 h1:Jm64b3bO9kP43ddLjL2EY3Io6bmy1qGb9Xxz6TqS6rc=
+github.com/miekg/dns v1.1.22/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190621222207-cc06ce4a13d4 h1:ydJNl0ENAG67pFbB+9tfhiL2pYqLhfoaZFw/cjLhY4A=
 golang.org/x/crypto v0.0.0-20190621222207-cc06ce4a13d4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859 h1:R/3boaszxrf1GEUWTVDzSKVwLmSJpwZ1yqXm8j0v2QI=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20191027093000-83d349e8ac1a h1:Yu34BogBivvmu7SAzHHaB9nZWH5D1C+z3F1jyIaYZSQ=
+golang.org/x/net v0.0.0-20191027093000-83d349e8ac1a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190621203818-d432491b9138 h1:t8BZD9RDjkm9/h7yYN6kE8oaeov5r9aztkB7zKA5Tkg=
 golang.org/x/sys v0.0.0-20190621203818-d432491b9138/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037 h1:YyJpGZS1sBuBCzLAR1VEpK193GlqGZbnPFnPV/5Rsb4=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190907020128-2ca718005c18/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

json-dns/unmarshal.go

@@ -38,7 +38,7 @@ func PrepareReply(req *dns.Msg) *dns.Msg {
 	reply := new(dns.Msg)
 	reply.Id = req.Id
 	reply.Response = true
-	reply.Opcode = reply.Opcode
+	reply.Opcode = req.Opcode
 	reply.RecursionDesired = req.RecursionDesired
 	reply.RecursionAvailable = req.RecursionDesired
 	reply.CheckingDisabled = req.CheckingDisabled