Move StartLimitIntervalSec=0 from [Service] to [Unit]

This solves the warning message:
> systemd[1]: /usr/lib/systemd/system/doh-client.service:16: Unknown key 'StartLimitIntervalSec' in section [Service], ignoring.

.github/workflows/docker.yml

@@ -0,0 +1,36 @@
+name: "Docker"
+
+on:
+  push:
+    branches:
+      - 'master'
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    environment: "Docker Hub"
+    strategy:
+      matrix:
+        variant: ["client", "server"]
+    steps:
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      -
+        name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          logout: true
+      - # TODO: port https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners
+        name: Build and push
+        uses: docker/build-push-action@v4
+        with:
+          file: ./Dockerfile.${{ matrix.variant }}
+          tags: m13253/dns-over-https-${{ matrix.variant }}:latest
+          push: true
+          platforms: "linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8"

.github/workflows/go.yml

@@ -4,24 +4,24 @@ jobs:
 
   build:
     name: Build
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     steps:
 
     - name: Set up Go
       uses: actions/setup-go@v2
       with:
-        go-version: 1.18
+        go-version: 1.24.3
       id: go
 
     - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
 
     - name: Linux build
       run: |
         make
 
     - name: Upload Linux build
-      uses: actions/upload-artifact@v2
+      uses: actions/upload-artifact@v4
       with:
         name: linux-amd64
         path: |
@@ -29,7 +29,7 @@ jobs:
           doh-server/doh-server
 
     - name: Cache
-      uses: actions/cache@v2
+      uses: actions/cache@v4
       with:
         # A directory to store and save the cache
         path: ~/go/pkg/mod

.golangci.yml

@@ -0,0 +1,36 @@
+---
+issues:
+  fix: true
+linters:
+  enable-all: true
+  disable:
+    - importas
+    - depguard
+    - lll
+    - exhaustruct
+    - perfsprint
+    - gochecknoinits
+    - wsl
+    - exportloopref
+linters-settings:
+  revive:
+    enable-all-rules: true
+    rules:
+      - name: line-length-limit
+        disabled: true
+  gocritic:
+    enabled-tags:
+      - diagnostic
+      - style
+      - performance
+      - experimental
+      - opinionated
+  govet:
+    enable-all: true
+  gci:
+    sections:
+      - standard
+      - default
+      - prefix(github.com/m13253/dns-over-https/v2)
+  gofumpt:
+    extra-rules: true

Makefile

@@ -3,9 +3,9 @@
 PREFIX = /usr/local
 
 ifeq ($(GOROOT),)
-GOBUILD = go build
+GOBUILD = go build -ldflags "-s -w"
 else
-GOBUILD = $(GOROOT)/bin/go build
+GOBUILD = $(GOROOT)/bin/go build -ldflags "-s -w"
 endif
 
 ifeq ($(shell uname),Darwin)

Readme.md

@@ -11,8 +11,8 @@ and [IETF DNS-over-HTTPS (RFC 8484)](https://www.rfc-editor.org/rfc/rfc8484.txt)
 
 ## Installing
 ### From Source
-- Install [Go](https://golang.org), at least version 1.13. The newer the better.
-> Note for Debian/Ubuntu users: You need to set `$GOROOT` if you could not get your new version of Go selected by the Makefile.)
+- Install [Go](https://golang.org), at least version 1.20. The newer, the better.
+> Note for Debian/Ubuntu users: You need to set `$GOROOT` if you could not get your new version of Go selected by the Makefile.
 
 - First create an empty directory, used for `$GOPATH`:
 ```bash
@@ -58,7 +58,7 @@ sudo make uninstall
 ```bash
 docker run -d --name doh-server \
   -p 8053:8053 \
-  -e UPSTREAM_DNS_SERVER="udp:8.8.8.8:53" \
+  -e UPSTREAM_DNS_SERVER="udp:208.67.222.222:53,udp:208.67.220.220:53" \
   -e DOH_HTTP_PREFIX="/dns-query" \
   -e DOH_SERVER_LISTEN=":8053" \
   -e DOH_SERVER_TIMEOUT="10" \
@@ -66,6 +66,12 @@ docker run -d --name doh-server \
   -e DOH_SERVER_VERBOSE="false" \
   satishweb/doh-server
 ```
+Note: Multiple Upstream DNS server support was added in the container image on 2024-12-19.
+
+Feeling adventurous? Try the latest build:
+
+- `m13253/dns-over-https-server:latest`
+- `m13253/dns-over-https-client:latest`
 
 ## Logging
 
@@ -88,7 +94,7 @@ The following is a typical DNS-over-HTTPS architecture:
     |  doh-client  +--+ Content Delivery Network +--+ (Apache, Nginx, Caddy) |
     +--------------+  +--------------------------+  +------------------------+
 
-Although DNS-over-HTTPS can work alone, a HTTP service muxer would be useful as
+Although DNS-over-HTTPS can work alone, an HTTP service muxer would be useful as
 you can host DNS-over-HTTPS along with other HTTPS services.
 
 HTTP/2 with at least TLS v1.3 is recommended. OCSP stapling must be enabled,
@@ -131,7 +137,7 @@ server {
 
   server_tokens off;
 
-  ssl_protocols TLSv1.2 TLSv1.3;          # TLS 1.3 requires nginx >= 1.13.0
+  ssl_protocols TLSv1.2 TLSv1.3;          # TLS 1.3 requires nginx >= 1.20.0
   ssl_prefer_server_ciphers on;
   ssl_dhparam /etc/nginx/dhparam.pem;     # openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096
   ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
@@ -275,7 +281,7 @@ services:
 
 ### Example configuration: DNS-over-TLS
 
-There is no native [DNS-over-TLS](https://en.wikipedia.org/wiki/DNS_over_TLS) support but you can easily add it via nginx:
+There is no native [DNS-over-TLS](https://en.wikipedia.org/wiki/DNS_over_TLS) support, but you can easily add it via nginx:
 ```
 stream {
     server {
@@ -283,8 +289,8 @@ stream {
         proxy_pass              ipofyourdnsresolver:port  #127.0.0.1:53
     }
 
-    ssl_certificate /etc/letsencrypt/live/site.yourdomain/fullchain.pem; 
-    ssl_certificate_key /etc/letsencrypt/live/site.yourdomain/privkey.pem; 
+    ssl_certificate /etc/letsencrypt/live/site.yourdomain/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/site.yourdomain/privkey.pem;
 }
 ```
 
@@ -294,7 +300,7 @@ this approach does not need a stand-alone daemon to provide the DoT service.
 ## DNSSEC
 
 DNS-over-HTTPS is compatible with DNSSEC, and requests DNSSEC signatures by
-default. However signature validation is not built-in. It is highly recommended
+default. However, signature validation is not built-in. It is highly recommended
 that you install `unbound` or `bind` and pass results for them to validate DNS
 records. An instance of [Pi Hole](https://pi-hole.net) could also be used to validate DNS signatures as well as provide other capabilities.
 

doh-client/client.go

@@ -38,39 +38,40 @@ import (
 	"sync"
 	"time"
 
-	"github.com/m13253/dns-over-https/v2/doh-client/config"
-	"github.com/m13253/dns-over-https/v2/doh-client/selector"
-	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
 	"github.com/miekg/dns"
 	"golang.org/x/net/http2"
 	"golang.org/x/net/idna"
+
+	"github.com/m13253/dns-over-https/v2/doh-client/config"
+	"github.com/m13253/dns-over-https/v2/doh-client/selector"
+	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
 )
 
 type Client struct {
-	conf                 *config.Config
-	bootstrap            []string
-	passthrough          []string
-	udpClient            *dns.Client
-	tcpClient            *dns.Client
-	udpServers           []*dns.Server
-	tcpServers           []*dns.Server
-	bootstrapResolver    *net.Resolver
+	httpClientLastCreate time.Time
 	cookieJar            http.CookieJar
+	selector             selector.Selector
 	httpClientMux        *sync.RWMutex
+	tcpClient            *dns.Client
+	bootstrapResolver    *net.Resolver
+	udpClient            *dns.Client
+	conf                 *config.Config
 	httpTransport        *http.Transport
 	httpClient           *http.Client
-	httpClientLastCreate time.Time
-	selector             selector.Selector
+	udpServers           []*dns.Server
+	tcpServers           []*dns.Server
+	passthrough          []string
+	bootstrap            []string
 }
 
 type DNSRequest struct {
+	err               error
 	response          *http.Response
 	reply             *dns.Msg
-	udpSize           uint16
-	ednsClientAddress net.IP
-	ednsClientNetmask uint8
 	currentUpstream   string
-	err               error
+	ednsClientAddress net.IP
+	udpSize           uint16
+	ednsClientNetmask uint8
 }
 
 func NewClient(conf *config.Config) (c *Client, err error) {
@@ -427,7 +428,7 @@ func (c *Client) handlerFunc(w dns.ResponseWriter, r *dns.Msg, isTCP bool) {
 
 	// https://developers.cloudflare.com/1.1.1.1/dns-over-https/request-structure/ says
 	// returns code will be 200 / 400 / 413 / 415 / 504, some server will return 503, so
-	// I think if status code is 5xx, upstream must has some problems
+	// I think if status code is 5xx, upstream must have some problems
 	/*if req.response.StatusCode/100 == 5 {
 		c.selector.ReportUpstreamStatus(upstream, selector.Medium)
 	}*/

doh-client/google.go

@@ -34,9 +34,10 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/miekg/dns"
+
 	"github.com/m13253/dns-over-https/v2/doh-client/selector"
 	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
-	"github.com/miekg/dns"
 )
 
 func (c *Client) generateRequestGoogle(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, isTCP bool, upstream *selector.Upstream) *DNSRequest {
@@ -77,7 +78,7 @@ func (c *Client) generateRequestGoogle(ctx context.Context, w dns.ResponseWriter
 		requestURL += fmt.Sprintf("&edns_client_subnet=%s/%d", ednsClientAddress.String(), ednsClientNetmask)
 	}
 
-	req, err := http.NewRequest(http.MethodGet, requestURL, nil)
+	req, err := http.NewRequest(http.MethodGet, requestURL, http.NoBody)
 	if err != nil {
 		log.Println(err)
 		reply := jsondns.PrepareReply(r)

doh-client/ietf.go

@@ -35,9 +35,10 @@ import (
 	"strings"
 	"time"
 
+	"github.com/miekg/dns"
+
 	"github.com/m13253/dns-over-https/v2/doh-client/selector"
 	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
-	"github.com/miekg/dns"
 )
 
 func (c *Client) generateRequestIETF(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, isTCP bool, upstream *selector.Upstream) *DNSRequest {
@@ -104,7 +105,7 @@ func (c *Client) generateRequestIETF(ctx context.Context, w dns.ResponseWriter,
 
 	var req *http.Request
 	if len(requestURL) < 2048 {
-		req, err = http.NewRequest(http.MethodGet, requestURL, nil)
+		req, err = http.NewRequest(http.MethodGet, requestURL, http.NoBody)
 		if err != nil {
 			log.Println(err)
 			reply := jsondns.PrepareReply(r)

doh-client/main.go

@@ -26,7 +26,6 @@ package main
 import (
 	"flag"
 	"fmt"
-	"io"
 	"log"
 	"os"
 	"runtime"
@@ -37,7 +36,7 @@ import (
 
 func checkPIDFile(pidFile string) (bool, error) {
 retry:
-	f, err := os.OpenFile(pidFile, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0666)
+	f, err := os.OpenFile(pidFile, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o666)
 	if os.IsExist(err) {
 		pidStr, err := os.ReadFile(pidFile)
 		if err != nil {
@@ -63,7 +62,7 @@ retry:
 		return false, err
 	}
 	defer f.Close()
-	_, err = io.WriteString(f, strconv.FormatInt(int64(os.Getpid()), 10))
+	_, err = f.WriteString(strconv.FormatInt(int64(os.Getpid()), 10))
 	if err != nil {
 		return false, err
 	}

doh-client/selector/lvsWRRSelector.go

@@ -80,7 +80,7 @@ func (ls *LVSWRRSelector) StartEvaluate() {
 						acceptType = "application/dns-message"
 					}
 
-					req, err := http.NewRequest(http.MethodGet, upstreamURL, nil)
+					req, err := http.NewRequest(http.MethodGet, upstreamURL, http.NoBody)
 					if err != nil {
 						/*log.Println("upstream:", upstreamURL, "type:", typeMap[upstream.Type], "check failed:", err)
 						continue*/

doh-client/selector/nginxWRRSelector.go

@@ -73,7 +73,7 @@ func (ws *NginxWRRSelector) StartEvaluate() {
 						acceptType = "application/dns-message"
 					}
 
-					req, err := http.NewRequest(http.MethodGet, upstreamURL, nil)
+					req, err := http.NewRequest(http.MethodGet, upstreamURL, http.NoBody)
 					if err != nil {
 						/*log.Println("upstream:", upstreamURL, "type:", typeMap[upstream.Type], "check failed:", err)
 						continue*/
@@ -110,7 +110,7 @@ func (ws *NginxWRRSelector) StartEvaluate() {
 	}()
 }
 
-// nginx wrr like
+// nginx wrr like.
 func (ws *NginxWRRSelector) Get() *Upstream {
 	var (
 		total             int32

doh-client/selector/randomSelector.go

@@ -7,7 +7,7 @@ import (
 )
 
 func init() {
-	rand.Seed(time.Now().UnixNano())
+	rand.NewSource(time.Now().UnixNano())
 }
 
 type RandomSelector struct {

doh-client/selector/upstreamStatus.go

@@ -3,12 +3,12 @@ package selector
 type upstreamStatus int
 
 const (
-	// when query upstream timeout, usually upstream is unavailable for a long time
+	// when query upstream timeout, usually upstream is unavailable for a long time.
 	Timeout upstreamStatus = iota
 
-	// when query upstream return 5xx response, upstream still alive, maybe just a lof of query for him
+	// when query upstream return 5xx response, upstream still alive, maybe just a lof of query for him.
 	Error
 
-	// when query upstream ok, means upstream is available
+	// when query upstream ok, means upstream is available.
 	OK
 )

doh-client/version.go

@@ -24,6 +24,6 @@
 package main
 
 const (
-	VERSION    = "2.3.3"
+	VERSION    = "2.3.10"
 	USER_AGENT = "DNS-over-HTTPS/" + VERSION + " (+https://github.com/m13253/dns-over-https)"
 )

doh-server/config.go

@@ -31,21 +31,21 @@ import (
 )
 
 type config struct {
-	Listen              []string `toml:"listen"`
+	TLSClientAuthCA     string   `toml:"tls_client_auth_ca"`
 	LocalAddr           string   `toml:"local_addr"`
 	Cert                string   `toml:"cert"`
 	Key                 string   `toml:"key"`
 	Path                string   `toml:"path"`
+	DebugHTTPHeaders    []string `toml:"debug_http_headers"`
+	Listen              []string `toml:"listen"`
 	Upstream            []string `toml:"upstream"`
 	Timeout             uint     `toml:"timeout"`
 	Tries               uint     `toml:"tries"`
 	Verbose             bool     `toml:"verbose"`
-	DebugHTTPHeaders    []string `toml:"debug_http_headers"`
 	LogGuessedIP        bool     `toml:"log_guessed_client_ip"`
 	ECSAllowNonGlobalIP bool     `toml:"ecs_allow_non_global_ip"`
 	ECSUsePreciseIP     bool     `toml:"ecs_use_precise_ip"`
 	TLSClientAuth       bool     `toml:"tls_client_auth"`
-	TLSClientAuthCA     string   `toml:"tls_client_auth_ca"`
 }
 
 func loadConfig(path string) (*config, error) {

doh-server/google.go

@@ -34,9 +34,10 @@ import (
 	"strings"
 	"time"
 
-	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
 	"github.com/miekg/dns"
 	"golang.org/x/net/idna"
+
+	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
 )
 
 func (s *Server) parseRequestGoogle(ctx context.Context, w http.ResponseWriter, r *http.Request) *DNSRequest {

doh-server/ietf.go

@@ -36,8 +36,9 @@ import (
 	"strings"
 	"time"
 
-	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
 	"github.com/miekg/dns"
+
+	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
 )
 
 func (s *Server) parseRequestIETF(ctx context.Context, w http.ResponseWriter, r *http.Request) *DNSRequest {
@@ -61,7 +62,7 @@ func (s *Server) parseRequestIETF(ctx context.Context, w http.ResponseWriter, r
 	if len(requestBinary) == 0 {
 		return &DNSRequest{
 			errcode: 400,
-			errtext: fmt.Sprintf("Invalid argument value: \"dns\""),
+			errtext: "Invalid argument value: \"dns\"",
 		}
 	}
 
@@ -201,7 +202,7 @@ func (s *Server) generateResponseIETF(ctx context.Context, w http.ResponseWriter
 	}
 }
 
-// Workaround a bug causing DNSCrypt-Proxy to expect a response with TransactionID = 0xcafe
+// Workaround a bug causing DNSCrypt-Proxy to expect a response with TransactionID = 0xcafe.
 func (s *Server) patchDNSCryptProxyReqID(w http.ResponseWriter, r *http.Request, requestBinary []byte) bool {
 	if strings.Contains(r.UserAgent(), "dnscrypt-proxy") && bytes.Equal(requestBinary, []byte("\xca\xfe\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00\x00\x02\x00\x01\x00\x00\x29\x10\x00\x00\x00\x80\x00\x00\x00")) {
 		if s.conf.Verbose {

doh-server/main.go

@@ -26,7 +26,6 @@ package main
 import (
 	"flag"
 	"fmt"
-	"io"
 	"log"
 	"os"
 	"runtime"
@@ -35,7 +34,7 @@ import (
 
 func checkPIDFile(pidFile string) (bool, error) {
 retry:
-	f, err := os.OpenFile(pidFile, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0666)
+	f, err := os.OpenFile(pidFile, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o666)
 	if os.IsExist(err) {
 		pidStr, err := os.ReadFile(pidFile)
 		if err != nil {
@@ -61,7 +60,7 @@ retry:
 		return false, err
 	}
 	defer f.Close()
-	_, err = io.WriteString(f, strconv.FormatInt(int64(os.Getpid()), 10))
+	_, err = f.WriteString(strconv.FormatInt(int64(os.Getpid()), 10))
 	if err != nil {
 		return false, err
 	}

doh-server/server.go

@@ -37,8 +37,9 @@ import (
 	"time"
 
 	"github.com/gorilla/handlers"
-	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
 	"github.com/miekg/dns"
+
+	jsondns "github.com/m13253/dns-over-https/v2/json-dns"
 )
 
 type Server struct {
@@ -52,11 +53,11 @@ type Server struct {
 type DNSRequest struct {
 	request         *dns.Msg
 	response        *dns.Msg
-	transactionID   uint16
 	currentUpstream string
-	isTailored      bool
-	errcode         int
 	errtext         string
+	errcode         int
+	transactionID   uint16
+	isTailored      bool
 }
 
 func NewServer(conf *config) (*Server, error) {
@@ -284,7 +285,7 @@ func (s *Server) handlerFunc(w http.ResponseWriter, r *http.Request) {
 
 func (s *Server) findClientIP(r *http.Request) net.IP {
 	noEcs := r.URL.Query().Get("no_ecs")
-	if strings.ToLower(noEcs) == "true" {
+	if strings.EqualFold(noEcs, "true") {
 		return nil
 	}
 
@@ -318,7 +319,7 @@ func (s *Server) findClientIP(r *http.Request) net.IP {
 	return nil
 }
 
-// Workaround a bug causing Unbound to refuse returning anything about the root
+// Workaround a bug causing Unbound to refuse returning anything about the root.
 func (s *Server) patchRootRD(req *DNSRequest) *DNSRequest {
 	for _, question := range req.request.Question {
 		if question.Name == "." {
@@ -328,7 +329,7 @@ func (s *Server) patchRootRD(req *DNSRequest) *DNSRequest {
 	return req
 }
 
-// Return the position index for the question of qtype from a DNS msg, otherwise return -1
+// Return the position index for the question of qtype from a DNS msg, otherwise return -1.
 func (s *Server) indexQuestionType(msg *dns.Msg, qtype uint16) int {
 	for i, question := range msg.Question {
 		if question.Qtype == qtype {
@@ -363,7 +364,7 @@ func (s *Server) doDNSQuery(ctx context.Context, req *DNSRequest) (err error) {
 					req.response, _, err = s.tcpClient.ExchangeContext(ctx, req.request, upstream)
 				}
 
-				// Retry with TCP if this was an IXFR request and we only received an SOA
+				// Retry with TCP if this was an IXFR request, and we only received an SOA
 				if (s.indexQuestionType(req.request, dns.TypeIXFR) > -1) &&
 					(len(req.response.Answer) == 1) &&
 					(req.response.Answer[0].Header().Rrtype == dns.TypeSOA) {

doh-server/version.go

@@ -24,6 +24,6 @@
 package main
 
 const (
-	VERSION    = "2.3.3"
+	VERSION    = "2.3.10"
 	USER_AGENT = "DNS-over-HTTPS/" + VERSION + " (+https://github.com/m13253/dns-over-https)"
 )

go.mod

@@ -1,19 +1,20 @@
 module github.com/m13253/dns-over-https/v2
 
-go 1.19
+go 1.24
 
 require (
-	github.com/BurntSushi/toml v1.2.1
-	github.com/gorilla/handlers v1.5.1
+	github.com/BurntSushi/toml v1.5.0
+	github.com/gorilla/handlers v1.5.2
 	github.com/infobloxopen/go-trees v0.0.0-20221216143356-66ceba885ebc
-	github.com/miekg/dns v1.1.50
-	golang.org/x/net v0.5.0
+	github.com/miekg/dns v1.1.66
+	golang.org/x/net v0.40.0
 )
 
 require (
-	github.com/felixge/httpsnoop v1.0.1 // indirect
-	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
-	golang.org/x/sys v0.4.0 // indirect
-	golang.org/x/text v0.6.0 // indirect
-	golang.org/x/tools v0.1.12 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/sync v0.14.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
+	golang.org/x/tools v0.33.0 // indirect
 )

go.sum

@@ -1,52 +1,28 @@
-github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak=
-github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
-github.com/felixge/httpsnoop v1.0.1 h1:lvB5Jl89CsZtGIWuTcDM1E/vkVs49/Ml7JJe07l8SPQ=
-github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4=
-github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q=
+github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
+github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE=
+github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w=
 github.com/infobloxopen/go-trees v0.0.0-20221216143356-66ceba885ebc h1:RhT2pjLo3EVRmldbEcBdeRA7CGPWsNEJC+Y/N1aXQbg=
 github.com/infobloxopen/go-trees v0.0.0-20221216143356-66ceba885ebc/go.mod h1:BaIJzjD2ZnHmx2acPF6XfGLPzNCMiBbMRqJr+8/8uRI=
-github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
-github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
+github.com/miekg/dns v1.1.66 h1:FeZXOS3VCVsKnEAd+wBkjMC3D2K+ww66Cq3VnCINuJE=
+github.com/miekg/dns v1.1.66/go.mod h1:jGFzBsSNbJw6z1HYut1RKBKHA9PBdxeHrZG8J+gC2WE=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.5.0 h1:GyT4nK/YDHSqa1c4753ouYCDajOYKTja9Xb/OHtgvSw=
-golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 h1:uVc8UZUe6tr40fFVnUP5Oj+veunVezqYl9z7DYw9xzw=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.4.0 h1:Zr2JFtRQNX3BCZ8YtxRE9hNJYC8J6I1MVbMg6owUp18=
-golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.6.0 h1:3XmdazWV+ubf7QgHSTWeykHOci5oeekaGJBLkrkaw4k=
-golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.12 h1:VveCTK38A2rkS8ZqFY25HIDFscX5X9OoEhJd3quQmXU=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
+golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
+golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
+golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
+golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

json-dns/globalip.go

@@ -119,7 +119,6 @@ func init() {
 		IP:   net.IP{0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
 		Mask: net.IPMask{0xff, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
 	}, struct{}{})
-
 }
 
 func IsGlobalIP(ip net.IP) bool {

systemd/doh-client.service

@@ -4,13 +4,16 @@ Documentation=https://github.com/m13253/dns-over-https
 After=network.target
 Before=nss-lookup.target
 Wants=nss-lookup.target
+StartLimitIntervalSec=0
 
 [Service]
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 ExecStart=/usr/local/bin/doh-client -conf /etc/dns-over-https/doh-client.conf
 LimitNOFILE=1048576
 Restart=always
-RestartSec=3
+RestartSec=1s
+RestartMaxDelaySec=76s
+RestartSteps=9
 Type=simple
 DynamicUser=yes
 

systemd/doh-server.service

@@ -2,13 +2,16 @@
 Description=DNS-over-HTTPS Server
 Documentation=https://github.com/m13253/dns-over-https
 After=network.target
+StartLimitIntervalSec=0
 
 [Service]
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 ExecStart=/usr/local/bin/doh-server -conf /etc/dns-over-https/doh-server.conf
 LimitNOFILE=1048576
 Restart=always
-RestartSec=3
+RestartSec=1s
+RestartMaxDelaySec=76s
+RestartSteps=9
 Type=simple
 DynamicUser=yes