From 69210719c2a46ca2d29ce5e9f136f135087eed4a Mon Sep 17 00:00:00 2001 From: llightcb Date: Sat, 12 Aug 2023 14:43:09 +0200 Subject: [PATCH] community/dnscrypt-proxy: upgrade to 2.1.5 --- community/dnscrypt-proxy/APKBUILD | 8 +- community/dnscrypt-proxy/dnscrypt-proxy.toml | 158 +++++++++++-------- 2 files changed, 97 insertions(+), 69 deletions(-) diff --git a/community/dnscrypt-proxy/APKBUILD b/community/dnscrypt-proxy/APKBUILD index 6775c327a8e..ccf59303ee0 100644 --- a/community/dnscrypt-proxy/APKBUILD +++ b/community/dnscrypt-proxy/APKBUILD @@ -1,8 +1,8 @@ # Contributor: Ian Bashford # Maintainer: Ian Bashford pkgname=dnscrypt-proxy -pkgver=2.1.4 -pkgrel=7 +pkgver=2.1.5 +pkgrel=0 pkgdesc="Tool for securing communications between a client and a DNS resolver" url="https://dnscrypt.info" arch="all" @@ -52,9 +52,9 @@ setup() { } sha512sums=" -4540d11432c4f35244b79f66b8926f8a1025e09010d8d313f0cd0d62e3fafcbd12bd24e9956ddf9cd8c1ec8aae997b031ab08dae4ee220bf31f33227ec6c07ca dnscrypt-proxy-2.1.4.tar.gz +2c9a0e0896483b4453cb3779efd41205be8839e61e17b86701deb91e531676529a82b8859ae0975d121322ec8cc05bdd13a1324b8f56010692e1ac9f36a99d69 dnscrypt-proxy-2.1.5.tar.gz a1bbcc63d3160e2101096cb06d714422ee85f7cf86a856b53437abb04f23995ac75b2a9d980c6c8e790bd5db350f1e2d6d39093705b0657020323179e5ff2076 dnscrypt-proxy.initd c001ae39da1b2db71764cab568f9ed18e4de0cea3d1a4e7bd6dd01a5668b81a888ea9eef99de6beac08857ad7f8eb1a32d730e946ac3563e4dcfa27147e35052 dnscrypt-proxy.confd 1c2bd450b1d195bd11d3441017f269904b3eb8ee8ace419f11882679664840b47d32e20c56d190b06dc5d9bb4dea0bfadbc878dcb1272af391b225bae56ad1e7 dnscrypt-proxy.setup -5d94c3bb7592888aef610bf2821db8e1d9e5ec50e881ea55ca6dadd3f193146c1c7b265e3272d12be1baa97a6c668ff5eac8b74944cf033cd87a8519fd7d8294 dnscrypt-proxy.toml +57ef614959b0f5bc72caed0a1b8027984a34b8d8b8abbe9eae531c4d6d98fee136f3852820c71ae858dd98b7039af5c826c88eb4153f4f0d17866db1d206facd dnscrypt-proxy.toml " diff --git a/community/dnscrypt-proxy/dnscrypt-proxy.toml b/community/dnscrypt-proxy/dnscrypt-proxy.toml index 11c31cd3982..8e37607e9f0 100644 --- a/community/dnscrypt-proxy/dnscrypt-proxy.toml +++ b/community/dnscrypt-proxy/dnscrypt-proxy.toml @@ -97,7 +97,7 @@ disabled_server_names = [] force_tcp = false -## Enable support for HTTP/3 (DoH3, HTTP over QUIC) +## Enable *experimental* support for HTTP/3 (DoH3, HTTP over QUIC) ## Note that, like DNSCrypt but unlike other HTTP versions, this uses ## UDP and (usually) port 443 instead of TCP. @@ -125,7 +125,7 @@ http3 = false timeout = 5000 -## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds +## Keepalive for HTTP (HTTPS, HTTP/2, HTTP/3) queries, in seconds keepalive = 30 @@ -188,6 +188,13 @@ keepalive = 30 cert_refresh_delay = 240 +## Initially don't check DNSCrypt server certificates for expiration, and +## only start checking them after a first successful connection to a resolver. +## This can be useful on routers with no battery-backed clock. + +# cert_ignore_timestamp = false + + ## DNSCrypt: Create a new, unique key for every single DNS query ## This may improve privacy but can also have a significant impact on CPU usage ## Only enable if you don't have a lot of network load @@ -200,24 +207,30 @@ cert_refresh_delay = 240 # tls_disable_session_tickets = false -## DoH: Use a specific cipher suite instead of the server preference +## DoH: Use TLS 1.2 and specific cipher suite instead of the server preference ## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 ## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 -## 4865 = TLS_AES_128_GCM_SHA256 -## 4867 = TLS_CHACHA20_POLY1305_SHA256 ## ## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...), ## the following suite improves performance. ## This may also help on Intel CPUs running 32-bit operating systems. ## ## Keep tls_cipher_suite empty if you have issues fetching sources or -## connecting to some DoH servers. Google and Cloudflare are fine with it. +## connecting to some DoH servers. # tls_cipher_suite = [52392, 49199] +## Log TLS key material to a file, for debugging purposes only. +## This file will contain the TLS master key, which can be used to decrypt +## all TLS traffic to/from DoH servers. +## Never ever enable except for debugging purposes with a tool such as mitmproxy. + +# tls_key_log_file = '/tmp/keylog.txt' + + ## Bootstrap resolvers ## ## These are normal, non-encrypted DNS resolvers, that will be only used @@ -251,7 +264,17 @@ cert_refresh_delay = 240 bootstrap_resolvers = ['9.9.9.11:53', '8.8.8.8:53'] -## Always use the bootstrap resolver before the system DNS settings. +## When internal DNS resolution is required, for example to retrieve +## the resolvers list: +## +## - queries will be sent to dnscrypt-proxy itself, if it is already +## running with active servers (*) +## - or else, queries will be sent to fallback servers +## - finally, if `ignore_system_dns` is `false`, queries will be sent +## to the system DNS +## +## (*) this is incompatible with systemd sockets. +## `listen_addrs` must not be empty. ignore_system_dns = true @@ -325,6 +348,7 @@ block_ipv6 = false ## Immediately respond to A and AAAA queries for host names without a domain name +## This also prevents "dotless domain names" from being resolved upstream. block_unqualified = true @@ -359,6 +383,8 @@ reject_ttl = 10 ## Cloaking returns a predefined address for a specific name. ## In addition to acting as a HOSTS file, it can also return the IP address ## of a different name. It will also do CNAME flattening. +## If 'cloak_ptr' is set, then PTR (reverse lookups) are enabled +## for cloaking rules that do not contain wild cards. ## ## See the `/usr/share/doc/dnscrypt-proxy/example-cloaking-rules.txt` file for an example @@ -367,6 +393,7 @@ reject_ttl = 10 ## TTL used when serving entries in cloaking-rules.txt # cloak_ttl = 600 +# cloak_ptr = false @@ -444,6 +471,8 @@ cache_neg_max_ttl = 600 ## Certificate file and key - Note that the certificate has to be trusted. +## Can be generated using the following command: +## openssl req -x509 -nodes -newkey rsa:2048 -days 5000 -sha256 -keyout localhost.pem -out localhost.pem ## See the documentation (wiki) for more information. # cert_file = 'localhost.pem' @@ -462,7 +491,7 @@ cache_neg_max_ttl = 600 ## Path to the query log file (absolute, or relative to the same directory as the config file) ## Can be set to /dev/stdout in order to log to the standard output. - # file = '/var/log/dnscrypt-proxy/query.log' +# file = '/var/log/dnscrypt-proxy/query.log' ## Query log format (currently supported: tsv and ltsv) @@ -488,7 +517,7 @@ format = 'tsv' ## Path to the query log file (absolute, or relative to the same directory as the config file) - # file = '/var/log/dnscrypt-proxy/nx.log' +# file = '/var/log/dnscrypt-proxy/nx.log' ## Query log format (currently supported: tsv and ltsv) @@ -518,12 +547,12 @@ format = 'tsv' ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file) - # blocked_names_file = '/etc/dnscrypt-proxy/blocked-names.txt' +# blocked_names_file = '/etc/dnscrypt-proxy/blocked-names.txt' ## Optional path to a file logging blocked queries - # log_file = '/var/log/dnscrypt-proxy/blocked-names.log' +# log_file = '/var/log/dnscrypt-proxy/blocked-names.log' ## Optional log format: tsv or ltsv (default: tsv) @@ -546,12 +575,12 @@ format = 'tsv' ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file) - # blocked_ips_file = '/etc/dnscrypt-proxy/blocked-ips.txt' +# blocked_ips_file = '/etc/dnscrypt-proxy/blocked-ips.txt' ## Optional path to a file logging blocked queries - # log_file = '/var/log/dnscrypt-proxy/blocked-ips.log' +# log_file = '/var/log/dnscrypt-proxy/blocked-ips.log' ## Optional log format: tsv or ltsv (default: tsv) @@ -561,7 +590,7 @@ format = 'tsv' ###################################################### -# Pattern-based allow lists (blocklists bypass) # +# Pattern-based allow lists (blocklists bypass) # ###################################################### ## Allowlists support the same patterns as blocklists @@ -574,7 +603,7 @@ format = 'tsv' ## Path to the file of allow list rules (absolute, or relative to the same directory as the config file) - # allowed_names_file = '/etc/dnscrypt-proxy/allowed-names.txt' +# allowed_names_file = '/etc/dnscrypt-proxy/allowed-names.txt' ## Optional path to a file logging allowed queries @@ -600,14 +629,14 @@ format = 'tsv' [allowed_ips] - ## Path to the file of allowed ip rules (absolute, or relative to the same directory as the config file) +## Path to the file of allowed ip rules (absolute, or relative to the same directory as the config file) - # allowed_ips_file = '/etc/dnscrypt-proxy/allowed-ips.txt' +# allowed_ips_file = '/etc/dnscrypt-proxy/allowed-ips.txt' ## Optional path to a file logging allowed queries - # log_file = '/var/log/dnscrypt-proxy/allowed-ips.log' +# log_file = '/var/log/dnscrypt-proxy/allowed-ips.log' ## Optional log format: tsv or ltsv (default: tsv) @@ -633,20 +662,20 @@ format = 'tsv' [schedules] # [schedules.time-to-sleep] - # mon = [{after='21:00', before='7:00'}] - # tue = [{after='21:00', before='7:00'}] - # wed = [{after='21:00', before='7:00'}] - # thu = [{after='21:00', before='7:00'}] - # fri = [{after='23:00', before='7:00'}] - # sat = [{after='23:00', before='7:00'}] - # sun = [{after='21:00', before='7:00'}] + # mon = [{after='21:00', before='7:00'}] + # tue = [{after='21:00', before='7:00'}] + # wed = [{after='21:00', before='7:00'}] + # thu = [{after='21:00', before='7:00'}] + # fri = [{after='23:00', before='7:00'}] + # sat = [{after='23:00', before='7:00'}] + # sun = [{after='21:00', before='7:00'}] # [schedules.work] - # mon = [{after='9:00', before='18:00'}] - # tue = [{after='9:00', before='18:00'}] - # wed = [{after='9:00', before='18:00'}] - # thu = [{after='9:00', before='18:00'}] - # fri = [{after='9:00', before='17:00'}] + # mon = [{after='9:00', before='18:00'}] + # tue = [{after='9:00', before='18:00'}] + # wed = [{after='9:00', before='18:00'}] + # thu = [{after='9:00', before='18:00'}] + # fri = [{after='9:00', before='17:00'}] @@ -668,46 +697,46 @@ format = 'tsv' ## If the `urls` property is missing, cache files and valid signatures ## must already be present. This doesn't prevent these cache files from ## expiring after `refresh_delay` hours. -## Cache freshness is checked every 24 hours, so values for 'refresh_delay' -## of less than 24 hours will have no effect. -## A maximum delay of 168 hours (1 week) is imposed to ensure cache freshness. +## `refreshed_delay` must be in the [24..168] interval. +## The minimum delay of 24 hours (1 day) avoids unnecessary requests to servers. +## The maximum delay of 168 hours (1 week) ensures cache freshness. [sources] - ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers + ### An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers [sources.public-resolvers] - urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/public-resolvers.md'] + urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md'] cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md' minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' refresh_delay = 72 prefix = '' - ## Anonymized DNS relays + ### Anonymized DNS relays [sources.relays] - urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md'] + urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md'] cache_file = '/var/cache/dnscrypt-proxy/relays.md' minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' refresh_delay = 72 prefix = '' - ## ODoH (Oblivious DoH) servers and relays + ### ODoH (Oblivious DoH) servers and relays # [sources.odoh-servers] - # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-servers.md'] + # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md'] # cache_file = '/var/cache/dnscrypt-proxy/odoh-servers.md' # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' # refresh_delay = 24 # prefix = '' # [sources.odoh-relays] - # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-relays.md'] + # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md'] # cache_file = '/var/cache/dnscrypt-proxy/odoh-relays.md' # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' # refresh_delay = 24 # prefix = '' - ## Quad9 + ### Quad9 # [sources.quad9-resolvers] # urls = ['https://www.quad9.net/quad9-resolvers.md'] @@ -718,10 +747,10 @@ format = 'tsv' ## Another example source, with resolvers censoring some websites not appropriate for children ### This is a subset of the `public-resolvers` list, so enabling both is useless. - # [sources.parental-control] - # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/parental-control.md'] - # cache_file = '/var/cache/dnscrypt-proxy/parental-control.md' - # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' + # [sources.parental-control] + # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md'] + # cache_file = '/var/cache/dnscrypt-proxy/parental-control.md' + # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' @@ -731,16 +760,16 @@ format = 'tsv' [broken_implementations] -# Cisco servers currently cannot handle queries larger than 1472 bytes, and don't -# truncate reponses larger than questions as expected by the DNSCrypt protocol. -# This prevents large responses from being received over UDP and over relays. -# -# Older versions of the `dnsdist` server software had a bug with queries larger -# than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but -# some server may still run an outdated version. -# -# The list below enables workarounds to make non-relayed usage more reliable -# until the servers are fixed. +## Cisco servers currently cannot handle queries larger than 1472 bytes, and don't +## truncate responses larger than questions as expected by the DNSCrypt protocol. +## This prevents large responses from being received over UDP and over relays. +## +## Older versions of the `dnsdist` server software had a bug with queries larger +## than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but +## some server may still run an outdated version. +## +## The list below enables workarounds to make non-relayed usage more reliable +## until the servers are fixed. fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'cleanbrowsing-adult', 'cleanbrowsing-adult-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-security', 'cleanbrowsing-security-ipv6'] @@ -750,15 +779,14 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys # Certificate-based client authentication for DoH # ################################################################# -# Use a X509 certificate to authenticate yourself when connecting to DoH servers. -# This is only useful if you are operating your own, private DoH server(s). -# 'creds' maps servers to certificates, and supports multiple entries. -# If you are not using the standard root CA, an optional "root_ca" -# property set to the path to a root CRT file can be added to a server entry. +## Use a X509 certificate to authenticate yourself when connecting to DoH servers. +## This is only useful if you are operating your own, private DoH server(s). +## 'creds' maps servers to certificates, and supports multiple entries. +## If you are not using the standard root CA, an optional "root_ca" +## property set to the path to a root CRT file can be added to a server entry. [doh_client_x509_auth] -# # creds = [ # { server_name='*', client_cert='client.crt', client_key='client.key' } # ] @@ -806,14 +834,14 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys # ] -# Skip resolvers incompatible with anonymization instead of using them directly +## Skip resolvers incompatible with anonymization instead of using them directly skip_incompatible = false -# If public server certificates for a non-conformant server cannot be -# retrieved via a relay, try getting them directly. Actual queries -# will then always go through relays. +## If public server certificates for a non-conformant server cannot be +## retrieved via a relay, try getting them directly. Actual queries +## will then always go through relays. # direct_cert_fallback = false