dandri/dns-over-https
1
0
Fork 0
mirror of https://github.com/m13253/dns-over-https.git synced 2026-03-31 22:45:40 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Compare commits

base: dandri:v2.3.2
Branches Tags
dandri:master dandri:m13253/restart-backoff dandri:upgrade-deps dandri:docs/DoT dandri:docs/README-updates dandri:jamesits/packaging
dandri:v2.3.10 dandri:v2.3.9 dandri:v2.3.8 dandri:v2.3.7 dandri:v2.3.6 dandri:v2.3.5 dandri:v2.3.4 dandri:v2.3.3 dandri:v2.3.2 dandri:v2.3.1 dandri:v2.3.0 dandri:v2.2.5 dandri:v2.2.4 dandri:v2.2.3 dandri:v2.2.2 dandri:v2.2.1 dandri:v2.2.0 dandri:v2.1.2 dandri:v2.1.1 dandri:v2.1.0 dandri:v2.0.1 dandri:v2.0.0 dandri:v1.4.2 dandri:v1.4.1 dandri:v1.3.10 dandri:v1.3.9 dandri:v1.3.8 dandri:v1.3.7 dandri:v1.3.6 dandri:v1.3.5 dandri:v1.3.4 dandri:v1.3.3 dandri:v1.3.2 dandri:v1.3.1 dandri:v1.3.0 dandri:v1.2.1 dandri:v1.2.0 dandri:v1.1.4 dandri:v1.1.3 dandri:v1.1.2 dandri:v1.1.1 dandri:v1.1.0 dandri:v1.0.1 dandri:v1.0.0
..
compare: dandri:upgrade-deps
Branches Tags
dandri:master dandri:m13253/restart-backoff dandri:upgrade-deps dandri:docs/DoT dandri:docs/README-updates dandri:jamesits/packaging
dandri:v2.3.10 dandri:v2.3.9 dandri:v2.3.8 dandri:v2.3.7 dandri:v2.3.6 dandri:v2.3.5 dandri:v2.3.4 dandri:v2.3.3 dandri:v2.3.2 dandri:v2.3.1 dandri:v2.3.0 dandri:v2.2.5 dandri:v2.2.4 dandri:v2.2.3 dandri:v2.2.2 dandri:v2.2.1 dandri:v2.2.0 dandri:v2.1.2 dandri:v2.1.1 dandri:v2.1.0 dandri:v2.0.1 dandri:v2.0.0 dandri:v1.4.2 dandri:v1.4.1 dandri:v1.3.10 dandri:v1.3.9 dandri:v1.3.8 dandri:v1.3.7 dandri:v1.3.6 dandri:v1.3.5 dandri:v1.3.4 dandri:v1.3.3 dandri:v1.3.2 dandri:v1.3.1 dandri:v1.3.0 dandri:v1.2.1 dandri:v1.2.0 dandri:v1.1.4 dandri:v1.1.3 dandri:v1.1.2 dandri:v1.1.1 dandri:v1.1.0 dandri:v1.0.1 dandri:v1.0.0

2 Commits
v2.3.2 ... upgrade-de

Author SHA1 Message Date
Star Brilliant
fdf49c9065 Merge pull request #148 from vinnyperella/patch-1 
Update go.yml to use ubuntu-latest for runs-on
 2023-06-11 23:37:45 +00:00
Vinny
9bc797e6a4 Update go.yml 
Updated workflow to use ubuntu-latest as ubuntu-18.04 has been deprecated.
 2023-06-11 21:19:39 +00:00
6 changed files with 56 additions and 202 deletions
Expand all files Collapse all files

2
.github/workflows/go.yml vendored
View File

@@ -4,7 +4,7 @@ jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-latest
steps:
- name: Set up Go

9
Changelog.md
View File

@@ -4,15 +4,6 @@ This Changelog records major changes between versions.
Not all changes are recorded. Please check git log for details.
## Version 2.3.2
- Documentation updates, including deploying recommenation alongside DoT, thanks @gdm85
- Add unit tests for CIDR subnets parsing, thanks @gdm85
- Removing Firefox 61-62 patch
Since this version, @gdm85, @GreyXor, @Jamesits will be able to maintain this repository alongside @m13253. Anyone who contributed to this project can also apply to be a maintainer.
This is because changes in life have delayed the development of this project. By constructing a community hopefully can we restore the pace of development.
## Version 2.3.1
- No new features in this release

26
Readme.md
View File

@@ -67,10 +67,6 @@ docker run -d --name doh-server \
satishweb/doh-server
```
## Logging
All log lines (by either doh-client or doh-server) are written into `stderr`; you can view them using your OS tool of choice (`journalctl` when using systemd).
## Server Configuration
The following is a typical DNS-over-HTTPS architecture:
@@ -273,24 +269,6 @@ services:
> IPV6 Support for Docker Compose based configuration TBA
### Example configuration: DNS-over-TLS
There is no native [DNS-over-TLS](https://en.wikipedia.org/wiki/DNS_over_TLS) support but you can easily add it via nginx:
```
stream {
server {
listen *:853 ssl;
proxy_pass ipofyourdnsresolver:port #127.0.0.1:53
}
ssl_certificate /etc/letsencrypt/live/site.yourdomain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/site.yourdomain/privkey.pem;
}
```
The DoT service can also be provided by running a [STunnel](https://www.stunnel.org/) instance to wrap dnsmasq (or any other resolver of your choice, listening on a TCP port);
this approach does not need a stand-alone daemon to provide the DoT service.
## DNSSEC
DNS-over-HTTPS is compatible with DNSSEC, and requests DNSSEC signatures by
@@ -337,10 +315,6 @@ Currently supported features are:
- [X] EDNS0 large UDP packet (4 KiB by default)
- [X] EDNS0-Client-Subnet (/24 for IPv4, /56 for IPv6 by default)
## Known issues
* it does not work well with [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy), you might want to use either (or fix the compatibility bugs by submitting PRs)
## The name of the project
This project is named "DNS-over-HTTPS" because it was written before the IETF DoH project. Although this project is compatible with IETF DoH, the project is not affiliated with IETF.

84
doh-server/google.go
View File

@@ -90,14 +90,45 @@ func (s *Server) parseRequestGoogle(ctx context.Context, w http.ResponseWriter,
if ednsClientSubnet == "0/0" {
ednsClientSubnet = "0.0.0.0/0"
}
var err error
ednsClientFamily, ednsClientAddress, ednsClientNetmask, err = parseSubnet(ednsClientSubnet)
if err != nil {
return &DNSRequest{
errcode: 400,
errtext: err.Error(),
slash := strings.IndexByte(ednsClientSubnet, '/')
if slash < 0 {
ednsClientAddress = net.ParseIP(ednsClientSubnet)
if ednsClientAddress == nil {
return &DNSRequest{
errcode: 400,
errtext: fmt.Sprintf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet),
}
}
if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
ednsClientFamily = 1
ednsClientAddress = ipv4
ednsClientNetmask = 24
} else {
ednsClientFamily = 2
ednsClientNetmask = 56
}
} else {
ednsClientAddress = net.ParseIP(ednsClientSubnet[:slash])
if ednsClientAddress == nil {
return &DNSRequest{
errcode: 400,
errtext: fmt.Sprintf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet),
}
}
if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
ednsClientFamily = 1
ednsClientAddress = ipv4
} else {
ednsClientFamily = 2
}
netmask, err := strconv.ParseUint(ednsClientSubnet[slash+1:], 10, 8)
if err != nil {
return &DNSRequest{
errcode: 400,
errtext: fmt.Sprintf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet),
}
}
ednsClientNetmask = uint8(netmask)
}
} else {
ednsClientAddress = s.findClientIP(r)
@@ -138,45 +169,6 @@ func (s *Server) parseRequestGoogle(ctx context.Context, w http.ResponseWriter,
}
}
func parseSubnet(ednsClientSubnet string) (ednsClientFamily uint16, ednsClientAddress net.IP, ednsClientNetmask uint8, err error) {
slash := strings.IndexByte(ednsClientSubnet, '/')
if slash < 0 {
ednsClientAddress = net.ParseIP(ednsClientSubnet)
if ednsClientAddress == nil {
err = fmt.Errorf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet)
return
}
if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
ednsClientFamily = 1
ednsClientAddress = ipv4
ednsClientNetmask = 24
} else {
ednsClientFamily = 2
ednsClientNetmask = 56
}
} else {
ednsClientAddress = net.ParseIP(ednsClientSubnet[:slash])
if ednsClientAddress == nil {
err = fmt.Errorf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet)
return
}
if ipv4 := ednsClientAddress.To4(); ipv4 != nil {
ednsClientFamily = 1
ednsClientAddress = ipv4
} else {
ednsClientFamily = 2
}
netmask, err1 := strconv.ParseUint(ednsClientSubnet[slash+1:], 10, 8)
if err1 != nil {
err = fmt.Errorf("Invalid argument value: \"edns_client_subnet\" = %q", ednsClientSubnet)
return
}
ednsClientNetmask = uint8(netmask)
}
return
}
func (s *Server) generateResponseGoogle(ctx context.Context, w http.ResponseWriter, r *http.Request, req *DNSRequest) {
respJSON := jsondns.Marshal(req.response)
respStr, err := json.Marshal(respJSON)

18
doh-server/ietf.go
View File

@@ -182,6 +182,8 @@ func (s *Server) generateResponseIETF(ctx context.Context, w http.ResponseWriter
w.Header().Set("Last-Modified", now)
w.Header().Set("Vary", "Accept")
_ = s.patchFirefoxContentType(w, r, req)
if respJSON.HaveTTL {
if req.isTailored {
w.Header().Set("Cache-Control", "private, max-age="+strconv.FormatUint(uint64(respJSON.LeastTTL), 10))
@@ -215,4 +217,18 @@ func (s *Server) patchDNSCryptProxyReqID(w http.ResponseWriter, r *http.Request,
return true
}
return false
}
}
// Workaround a bug causing Firefox 61-62 to reject responses with Content-Type = application/dns-message
func (s *Server) patchFirefoxContentType(w http.ResponseWriter, r *http.Request, req *DNSRequest) bool {
if strings.Contains(r.UserAgent(), "Firefox") && strings.Contains(r.Header.Get("Accept"), "application/dns-udpwireformat") && !strings.Contains(r.Header.Get("Accept"), "application/dns-message") {
if s.conf.Verbose {
log.Println("Firefox 61-62 detected. Patching response.")
}
w.Header().Set("Content-Type", "application/dns-udpwireformat")
w.Header().Set("Vary", "Accept, User-Agent")
req.isTailored = true
return true
}
return false
}

119
doh-server/parse_test.go
View File

@@ -1,119 +0,0 @@
/*
DNS-over-HTTPS
Copyright (C) 2017-2018 Star Brilliant <m13253@hotmail.com>
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the "Software"),
to deal in the Software without restriction, including without limitation
the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the
Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.
*/
package main
import (
"testing"
"github.com/miekg/dns"
)
func TestParseCIDR(t *testing.T) {
t.Parallel()
for _, ednsClientSubnet := range []string{
"2001:db8::/0",
"2001:db8::/56",
"2001:db8::/129",
"2001:db8::",
"127.0.0.1/0",
"127.0.0.1/24",
"127.0.0.1/33",
"127.0.0.1",
"::ffff:7f00:1/0",
"::ffff:7f00:1/120",
"::ffff:7f00:1",
"127.0.0.1/0",
"127.0.0.1/24",
"127.0.0.1",
} {
_, ip, ipNet, err := parseSubnet(ednsClientSubnet)
if err != nil {
t.Errorf("ecs:%s ip:[%v] ipNet:[%v] err:[%v]", ednsClientSubnet, ip, ipNet, err)
}
}
}
func TestParseInvalidCIDR(t *testing.T) {
t.Parallel()
for _, ip := range []string{
"test",
"test/0",
"test/24",
"test/34",
"test/56",
"test/129",
} {
_, _, _, err := parseSubnet(ip)
if err == nil {
t.Errorf("expected error for %q", ip)
}
}
}
func TestEdns0SubnetParseCIDR(t *testing.T) {
t.Parallel()
// init dns Msg
msg := new(dns.Msg)
msg.Id = dns.Id()
msg.SetQuestion(dns.Fqdn("example.com"), 1)
// init edns0Subnet
edns0Subnet := new(dns.EDNS0_SUBNET)
edns0Subnet.Code = dns.EDNS0SUBNET
edns0Subnet.SourceScope = 0
// init opt
opt := new(dns.OPT)
opt.Hdr.Name = "."
opt.Hdr.Rrtype = dns.TypeOPT
opt.SetUDPSize(dns.DefaultMsgSize)
opt.Option = append(opt.Option, edns0Subnet)
msg.Extra = append(msg.Extra, opt)
for _, subnet := range []string{"::ffff:7f00:1/120", "127.0.0.1/24"} {
var err error
edns0Subnet.Family, edns0Subnet.Address, edns0Subnet.SourceNetmask, err = parseSubnet(subnet)
if err != nil {
t.Error(err)
continue
}
t.Log(msg.Pack())
}
// ------127.0.0.1/24-----
// [143 29 1 0 0 1 0 0 0 0 0 1 7 101 120 97 109 112 108 101 3 99 111 109 0 0 1 0 1 0
// opt start 0 41 16 0 0 0 0 0 0 11
// subnet start 0 8 0 7 0 1 24 0
// client subnet start 127 0 0]
// -----::ffff:7f00:1/120----
// [111 113 1 0 0 1 0 0 0 0 0 1 7 101 120 97 109 112 108 101 3 99 111 109 0 0 1 0 1 0
// opt start 0 41 16 0 0 0 0 0 0 23
// subnet start 0 8 0 19 0 2 120 0
// client subnet start 0 0 0 0 0 0 0 0 0 0 255 255 127 0 0]
}