Release 2.2.5

Fix not working example docker command

Changelog.md

@@ -4,6 +4,16 @@ This Changelog records major changes between versions.
 
 Not all changes are recorded. Please check git log for details.
 
+## Version 2.2.5
+
+- Add client certificate authentication
+- Fixing documentation related to Docker
+
+## Version 2.2.4
+
+- Add options to configure ECS netmask length
+- Add an option to disable TLS verification (Note: dangerous)
+
 ## Version 2.2.3
 
 - Use the library ipTree to determine whether an IP is global routable, improving the performance

Readme.md

@@ -59,10 +59,10 @@ sudo make uninstall
 docker run -itd --name doh-server \
   -p 8053:8053 \
   -e UPSTREAM_DNS_SERVER="udp:8.8.8.8:53" \
-  -e DOH_HTTP_PREFIX="/dns-query"
-  -e DOH_SERVER_LISTEN=":8053"
-  -e DOH_SERVER_TIMEOUT="10"
-  -e DOH_SERVER_TRIES="3"
+  -e DOH_HTTP_PREFIX="/dns-query" \
+  -e DOH_SERVER_LISTEN=":8053" \
+  -e DOH_SERVER_TIMEOUT="10" \
+  -e DOH_SERVER_TRIES="3" \
   -e DOH_SERVER_VERBOSE="false"
 satishweb/doh-server
 ```
@@ -170,10 +170,11 @@ my.server.name {
 version: '2.2'
 networks:
   default:
+
 services:
   proxy:
     # The official v2 Traefik docker image
-    image: traefik:v2.2
+    image: traefik:v2.3
     hostname: proxy
     networks:
       - default
@@ -266,8 +267,6 @@ services:
 
 > Complete Guide available at: https://github.com/satishweb/docker-doh
 
-> No IPV6 Support: Docker Swarm does not support IPV6 as of yet. Issue is logged [here](https://github.com/moby/moby/issues/24379)
-
 > IPV6 Support for Docker Compose based configuration TBA
 
 ## DNSSEC

doh-client/client.go

@@ -25,6 +25,7 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"log"
 	"math/rand"
@@ -247,6 +248,7 @@ func (c *Client) newHTTPClient() error {
 		MaxIdleConnsPerHost:   10,
 		Proxy:                 http.ProxyFromEnvironment,
 		TLSHandshakeTimeout:   time.Duration(c.conf.Other.Timeout) * time.Second,
+		TLSClientConfig:       &tls.Config{InsecureSkipVerify: c.conf.Other.TLSInsecureSkipVerify},
 	}
 	if c.conf.Other.NoIPv6 {
 		c.httpTransport.DialContext = func(ctx context.Context, network, address string) (net.Conn, error) {

doh-client/config/config.go

@@ -47,15 +47,16 @@ type upstream struct {
 }
 
 type others struct {
-	Bootstrap        []string `toml:"bootstrap"`
-	Passthrough      []string `toml:"passthrough"`
-	Timeout          uint     `toml:"timeout"`
-	NoCookies        bool     `toml:"no_cookies"`
-	NoECS            bool     `toml:"no_ecs"`
-	NoIPv6           bool     `toml:"no_ipv6"`
-	NoUserAgent      bool     `toml:"no_user_agent"`
-	Verbose          bool     `toml:"verbose"`
-	DebugHTTPHeaders []string `toml:"debug_http_headers"`
+	Bootstrap             []string `toml:"bootstrap"`
+	Passthrough           []string `toml:"passthrough"`
+	Timeout               uint     `toml:"timeout"`
+	NoCookies             bool     `toml:"no_cookies"`
+	NoECS                 bool     `toml:"no_ecs"`
+	NoIPv6                bool     `toml:"no_ipv6"`
+	NoUserAgent           bool     `toml:"no_user_agent"`
+	Verbose               bool     `toml:"verbose"`
+	DebugHTTPHeaders      []string `toml:"debug_http_headers"`
+	TLSInsecureSkipVerify bool     `toml:"insecure_tls_skip_verify"`
 }
 
 type Config struct {

doh-client/doh-client.conf

@@ -132,3 +132,9 @@ no_user_agent = false
 
 # Enable logging
 verbose = false
+
+# insecure_tls_skip_verification will disable necessary TLS security verification.
+# This option is designed for testing or development purposes,
+# turning on this option on public Internet may cause your connection
+# vulnerable to MITM attack.
+insecure_tls_skip_verify = false

doh-client/google.go

@@ -35,7 +35,7 @@ import (
 	"strings"
 
 	"github.com/m13253/dns-over-https/doh-client/selector"
-	"github.com/m13253/dns-over-https/json-dns"
+	jsondns "github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
 )
 

doh-client/version.go

@@ -24,6 +24,6 @@
 package main
 
 const (
-	VERSION    = "2.2.3"
+	VERSION    = "2.2.5"
 	USER_AGENT = "DNS-over-HTTPS/" + VERSION + " (+https://github.com/m13253/dns-over-https)"
 )

doh-server/config.go

@@ -31,17 +31,21 @@ import (
 )
 
 type config struct {
-	Listen           []string `toml:"listen"`
-	LocalAddr        string   `toml:"local_addr"`
-	Cert             string   `toml:"cert"`
-	Key              string   `toml:"key"`
-	Path             string   `toml:"path"`
-	Upstream         []string `toml:"upstream"`
-	Timeout          uint     `toml:"timeout"`
-	Tries            uint     `toml:"tries"`
-	Verbose          bool     `toml:"verbose"`
-	DebugHTTPHeaders []string `toml:"debug_http_headers"`
-	LogGuessedIP     bool     `toml:"log_guessed_client_ip"`
+	Listen              []string `toml:"listen"`
+	LocalAddr           string   `toml:"local_addr"`
+	Cert                string   `toml:"cert"`
+	Key                 string   `toml:"key"`
+	Path                string   `toml:"path"`
+	Upstream            []string `toml:"upstream"`
+	Timeout             uint     `toml:"timeout"`
+	Tries               uint     `toml:"tries"`
+	Verbose             bool     `toml:"verbose"`
+	DebugHTTPHeaders    []string `toml:"debug_http_headers"`
+	LogGuessedIP        bool     `toml:"log_guessed_client_ip"`
+	ECSAllowNonGlobalIP bool     `toml:"ecs_allow_non_global_ip"`
+	ECSUsePreciseIP     bool     `toml:"ecs_use_precise_ip"`
+	TLSClientAuth       bool     `toml:"tls_client_auth"`
+	TLSClientAuthCA     string   `toml:"tls_client_auth_ca"`
 }
 
 func loadConfig(path string) (*config, error) {

doh-server/doh-server.conf

@@ -51,3 +51,28 @@ verbose = false
 # Enable log IP from HTTPS-reverse proxy header: X-Forwarded-For or X-Real-IP
 # Note: http uri/useragent log cannot be controlled by this config
 log_guessed_client_ip = false
+
+# By default, non global IP addresses are never forwarded to upstream servers.
+# This is to prevent two things from happening:
+#   1. the upstream server knowing your private LAN addresses;
+#   2. the upstream server unable to provide geographically near results,
+#      or even fail to provide any result.
+# However, if you are deploying a split tunnel corporation network
+# environment, or for any other reason you want to inhibit this
+# behavior and allow local (eg RFC1918) address to be forwarded,
+# change the following option to "true".
+ecs_allow_non_global_ip = false
+
+# If ECS is added to the request, let the full IP address or
+# cap it to 24 or 128 mask. This option is to be used only on private
+# networks where knwoledge of the terminal endpoint may be required for
+# security purposes (eg. DNS Firewalling). Not a good option on the
+# internet where IP address may be used to identify the user and
+# not only the approximate location.
+ecs_use_precise_ip = false
+
+# If DOH is used for a controlled network, it is possible to enable
+# the client TLS certificate validation with a specific certificate
+# authority used to sign any client one. Disabled by default.
+# tls_client_auth = true
+# tls_client_auth_ca = "root-ca-public.crt"

doh-server/google.go

@@ -34,7 +34,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/m13253/dns-over-https/json-dns"
+	jsondns "github.com/m13253/dns-over-https/json-dns"
 	"github.com/miekg/dns"
 	"golang.org/x/net/idna"
 )

doh-server/ietf.go

@@ -125,6 +125,7 @@ func (s *Server) parseRequestIETF(ctx context.Context, w http.ResponseWriter, r
 		}
 	}
 	isTailored := edns0Subnet == nil
+
 	if edns0Subnet == nil {
 		ednsClientFamily := uint16(0)
 		ednsClientAddress := s.findClientIP(r)
@@ -133,10 +134,20 @@ func (s *Server) parseRequestIETF(ctx context.Context, w http.ResponseWriter, r
 			if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
 				ednsClientFamily = 1
 				ednsClientAddress = ipv4
-				ednsClientNetmask = 24
+				if s.conf.ECSUsePreciseIP {
+					ednsClientNetmask = 32
+				} else {
+					ednsClientNetmask = 24
+					ednsClientAddress = ednsClientAddress.Mask(net.CIDRMask(24, 32))
+				}
 			} else {
 				ednsClientFamily = 2
-				ednsClientNetmask = 56
+				if s.conf.ECSUsePreciseIP {
+					ednsClientNetmask = 128
+				} else {
+					ednsClientNetmask = 56
+					ednsClientAddress = ednsClientAddress.Mask(net.CIDRMask(56, 128))
+				}
 			}
 			edns0Subnet = new(dns.EDNS0_SUBNET)
 			edns0Subnet.Code = dns.EDNS0SUBNET

doh-server/server.go

@@ -25,7 +25,10 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"io/ioutil"
 	"log"
 	"math/rand"
 	"net"
@@ -107,12 +110,48 @@ func (s *Server) Start() error {
 	if s.conf.Verbose {
 		servemux = handlers.CombinedLoggingHandler(os.Stdout, servemux)
 	}
+
+	var clientCAPool *x509.CertPool
+	if s.conf.TLSClientAuth {
+		if s.conf.TLSClientAuthCA != "" {
+			clientCA, err := ioutil.ReadFile(s.conf.TLSClientAuthCA)
+			if err != nil {
+				log.Fatalf("Reading certificate for client authentication has failed: %v", err)
+			}
+			clientCAPool = x509.NewCertPool()
+			clientCAPool.AppendCertsFromPEM(clientCA)
+			log.Println("Certificate loaded for client TLS authentication")
+		} else {
+			log.Fatalln("TLS client authentication requires both tls_client_auth and tls_client_auth_ca, exiting.")
+		}
+	}
+
 	results := make(chan error, len(s.conf.Listen))
 	for _, addr := range s.conf.Listen {
 		go func(addr string) {
 			var err error
 			if s.conf.Cert != "" || s.conf.Key != "" {
-				err = http.ListenAndServeTLS(addr, s.conf.Cert, s.conf.Key, servemux)
+				if clientCAPool != nil {
+					srvtls := &http.Server{
+						Handler: servemux,
+						Addr:    addr,
+						TLSConfig: &tls.Config{
+							ClientCAs:  clientCAPool,
+							ClientAuth: tls.RequireAndVerifyClientCert,
+							GetCertificate: func(info *tls.ClientHelloInfo) (certificate *tls.Certificate, e error) {
+								c, err := tls.LoadX509KeyPair(s.conf.Cert, s.conf.Key)
+								if err != nil {
+									fmt.Printf("Error loading server certificate key pair: %v\n", err)
+									return nil, err
+								}
+								return &c, nil
+							},
+						},
+					}
+					err = srvtls.ListenAndServeTLS("", "")
+				} else {
+					err = http.ListenAndServeTLS(addr, s.conf.Cert, s.conf.Key, servemux)
+				}
 			} else {
 				err = http.ListenAndServe(addr, servemux)
 			}
@@ -265,15 +304,17 @@ func (s *Server) findClientIP(r *http.Request) net.IP {
 	if XRealIP != "" {
 		addr := strings.TrimSpace(XRealIP)
 		ip := net.ParseIP(addr)
-		if jsondns.IsGlobalIP(ip) {
+		if s.conf.ECSAllowNonGlobalIP || jsondns.IsGlobalIP(ip) {
 			return ip
 		}
 	}
+
 	remoteAddr, err := net.ResolveTCPAddr("tcp", r.RemoteAddr)
 	if err != nil {
 		return nil
 	}
-	if ip := remoteAddr.IP; jsondns.IsGlobalIP(ip) {
+	ip := remoteAddr.IP
+	if s.conf.ECSAllowNonGlobalIP || jsondns.IsGlobalIP(ip) {
 		return ip
 	}
 	return nil

doh-server/version.go

@@ -24,6 +24,6 @@
 package main
 
 const (
-	VERSION    = "2.2.3"
+	VERSION    = "2.2.5"
 	USER_AGENT = "DNS-over-HTTPS/" + VERSION + " (+https://github.com/m13253/dns-over-https)"
 )

go.mod

@@ -6,9 +6,8 @@ require (
 	github.com/BurntSushi/toml v0.3.1
 	github.com/gorilla/handlers v1.4.0
 	github.com/infobloxopen/go-trees v0.0.0-20200715205103-96a057b8dfb9
-	github.com/miekg/dns v1.1.31
-	golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de // indirect
-	golang.org/x/net v0.0.0-20200707034311-ab3426394381
-	golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1 // indirect
-	golang.org/x/text v0.3.2 // indirect
+	github.com/miekg/dns v1.1.41
+	golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2 // indirect
+	golang.org/x/net v0.0.0-20210324205630-d1beb07c2056
+	golang.org/x/tools v0.0.0-20191216052735-49a3e744a425 // indirect
 )

go.sum

@@ -6,33 +6,41 @@ github.com/infobloxopen/go-trees v0.0.0-20200715205103-96a057b8dfb9 h1:w66aaP3c6
 github.com/infobloxopen/go-trees v0.0.0-20200715205103-96a057b8dfb9/go.mod h1:BaIJzjD2ZnHmx2acPF6XfGLPzNCMiBbMRqJr+8/8uRI=
 github.com/miekg/dns v1.1.31 h1:sJFOl9BgwbYAWOGEwr61FU28pqsBNdpRBnhGXtO06Oo=
 github.com/miekg/dns v1.1.31/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/miekg/dns v1.1.41 h1:WMszZWJG0XmzbK9FEmzH2TVcqYzFesusSIB41b8KHxY=
+github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de h1:ikNHVSjEfnvz6sxdSPCaPt572qowuyMDMJLLm3Db3ig=
 golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859 h1:R/3boaszxrf1GEUWTVDzSKVwLmSJpwZ1yqXm8j0v2QI=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200707034311-ab3426394381 h1:VXak5I6aEWmAXeQjA+QSZzlgNrpq9mjcfDemuexIKsU=
 golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEhagSSnXWGV915qUMm9mrU=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210324205630-d1beb07c2056 h1:sANdAef76Ioam9aQUUdcAqricwY/WUaMc4+7LY4eGg8=
+golang.org/x/net v0.0.0-20210324205630-d1beb07c2056/go.mod h1:uSPa2vr4CLtc/ILN5odXGNXS6mhrKVzTaCXzk9m6W3k=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1 h1:sIky/MyNRSHTrdxfsiUSS4WIAMvInbeXljJz+jDjeYE=
 golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210324051608-47abb6519492 h1:Paq34FxTluEPvVyayQqMPgHm+vTOrIifmcYxFBx9TLg=
+golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=