authorIan Bashford <ian@bashford.net>2021-01-03 18:44:46 +0000
committerIan Bashford <ian@bashford.net>2021-01-03 18:44:46 +0000
commit374f71af541ee7ba6507a0cb3d5d628e897816da (patch)
tree3ddef3e95dc70b5ec0fdd05b198d8af66a7b9061
parentfc8c4a5a857f77bf9ee65cf905a9aedf3a01ddcb (diff)
community/dnscrypt-proxy: update to 2.0.45
Many functional changes. Move to block/allow list naming convention; old names not deprecated.
-rw-r--r--community/dnscrypt-proxy/APKBUILD8
-rw-r--r--community/dnscrypt-proxy/config-full-paths.patch182
2 files changed, 134 insertions, 56 deletions
diff --git a/community/dnscrypt-proxy/APKBUILD b/community/dnscrypt-proxy/APKBUILD
index a5f7d9f43d..a0aefd5ed0 100644
--- a/community/dnscrypt-proxy/APKBUILD
+++ b/community/dnscrypt-proxy/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Ian Bashford <ianbashford@gmail.com>
# Maintainer: Ian Bashford <ianbashford@gmail.com>
pkgname=dnscrypt-proxy
-pkgver=2.0.44
-pkgrel=1
+pkgver=2.0.45
+pkgrel=0
pkgdesc="Tool for securing communications between a client and a DNS resolver"
url="https://dnscrypt.info"
arch="all !mips64" # no golang on mips64
@@ -52,8 +52,8 @@ setup() {
install -m755 -D "$srcdir"/$pkgname.setup "$subpkgdir"/usr/sbin/setup-dnscrypt
}
-sha512sums="009e2b669c1d6f6cd6b41f5e04d08735587f420dacdea8d422a3c12a62614c1ce1963deebca3af1f956070abd9ff5df9182cb27e31fa0fac8a95478739445801 dnscrypt-proxy-2.0.44.tar.gz
+sha512sums="becfe3c2d4567725e6b7e973647163e32dd2eaae361087bb05c90b6ddc3b0db0891c2725f6b5c255b8965990832bad53bd6ef137be54a342f46594f3633fe47a dnscrypt-proxy-2.0.45.tar.gz
e0a72d39d47dc24b889d08beedbd9fdf21615f42fbab79980debdfd2c3feaa83dc3f776351f7dd13533cc85905ce4e01812e4ff8a80a9ccc0b21e9db7d6cb232 dnscrypt-proxy.initd
c001ae39da1b2db71764cab568f9ed18e4de0cea3d1a4e7bd6dd01a5668b81a888ea9eef99de6beac08857ad7f8eb1a32d730e946ac3563e4dcfa27147e35052 dnscrypt-proxy.confd
66dd43d84117a0151ae41f34d82b716760382a5a491424bf6418228ffd21f0dfbc88e34cc5074e11f97f006335d97b85367bb9ab1d96747a48e893c022ad52d0 dnscrypt-proxy.setup
-94a86cf11de506c24ed0217168e97f20ae35a467f406302201576e4a5ba11245ca8781967f8eb0f3fb7591488370df5553fcc7c6e9069cef0dbf2f5763b5e3be config-full-paths.patch"
+f79734205c1d2b018c2b9977c8fca81be3a89b79da6f20dcd627fd8cb4440221235cc16ebd16045c6c7e4e9815e44661f572939440cdd744203f5dea98b44c47 config-full-paths.patch"
diff --git a/community/dnscrypt-proxy/config-full-paths.patch b/community/dnscrypt-proxy/config-full-paths.patch
index b507e2d26e..ed1d6cc8a3 100644
--- a/community/dnscrypt-proxy/config-full-paths.patch
+++ b/community/dnscrypt-proxy/config-full-paths.patch
@@ -1,10 +1,10 @@
Add paths to config files, log files and downloaded data files
diff --git a/./dnscrypt-proxy.toml b/dnscrypt-proxy/dnscrypt-proxy.toml
new file mode 100644
-index 0000000..aaf7234
+index 0000000..12d9bde
--- /dev/null
+++ b/dnscrypt-proxy/dnscrypt-proxy.toml
-@@ -0,0 +1,750 @@
+@@ -0,0 +1,828 @@
+
+##############################################
+# #
@@ -82,7 +82,7 @@ index 0000000..aaf7234
+# Server must not log user queries (declarative)
+require_nolog = true
+
-+# Server must not enforce its own blacklist (for parental control, ads blocking...)
++# Server must not enforce its own blocklist (for parental control, ads blocking...)
+require_nofilter = true
+
+# Server names to avoid even if they match all criteria
@@ -124,20 +124,31 @@ index 0000000..aaf7234
+keepalive = 30
+
+
-+## Response for blocked queries. Options are `refused`, `hinfo` (default) or
-+## an IP response. To give an IP response, use the format `a:<IPv4>,aaaa:<IPv6>`.
++## Add EDNS-client-subnet information to outgoing queries
++##
++## Multiple networks can be listed; they will be randomly chosen.
++## These networks don't have to match your actual networks.
++
++# edns_client_subnet = ["0.0.0.0/0", "2001:db8::/32"]
++
++
++## Response for blocked queries. Options are `refused`, `hinfo` (default) or
++## an IP response. To give an IP response, use the format `a:<IPv4>,aaaa:<IPv6>`.
+## Using the `hinfo` option means that some responses will be lies.
+## Unfortunately, the `hinfo` option appears to be required for Android 8+
+
+# blocked_query_response = 'refused'
+
+
-+## Load-balancing strategy: 'p2' (default), 'ph', 'first' or 'random'
++## Load-balancing strategy: 'p2' (default), 'ph', 'p<n>', 'first' or 'random'
++## Randomly choose 1 of the fastest 2, half, n, 1 or all live servers by latency.
++## The response quality still depends on the server itself.
+
+# lb_strategy = 'p2'
+
+## Set to `true` to constantly try to estimate the latency of all the resolvers
+## and adjust the load-balancing parameters accordingly, or to `false` to disable.
++## Default is `true` that makes 'p2' `lb_strategy` work well.
+
+# lb_estimator = true
+
@@ -205,12 +216,16 @@ index 0000000..aaf7234
+## These are normal, non-encrypted DNS resolvers, that will be only used
+## for one-shot queries when retrieving the initial resolvers list, and
+## only if the system DNS configuration doesn't work.
++##
+## No user application queries will ever be leaked through these resolvers,
+## and they will not be used after IP addresses of resolvers URLs have been found.
+## They will never be used if lists have already been cached, and if stamps
+## don't include host names without IP addresses.
++##
+## They will not be used if the configured system DNS works.
-+## Resolvers supporting DNSSEC are recommended.
++## Resolvers supporting DNSSEC are recommended, and, if you are using
++## DoH, fallback resolvers should ideally be operated by a different entity than
++## the DoH servers you will be using, especially if you have IPv6 enabled.
+##
+## People in China may need to use 114.114.114.114:53 here.
+## Other popular options include 8.8.8.8 and 1.1.1.1.
@@ -260,7 +275,7 @@ index 0000000..aaf7234
+## encrypted-dns-server can be configured to use this for access control
+## in the [access_control] section
+
-+# query_meta = ["key1:value1", "key2:value2", "token:MySecretToken"]
++# query_meta = ['key1:value1', 'key2:value2', 'token:MySecretToken']
+
+
+## Automatic log files rotation
@@ -282,7 +297,7 @@ index 0000000..aaf7234
+
+## Note: if you are using dnsmasq, disable the `dnssec` option in dnsmasq if you
+## configure dnscrypt-proxy to do any kind of filtering (including the filters
-+## below and blacklists).
++## below and blocklists).
+## You can still choose resolvers that do DNSSEC validation.
+
+
@@ -305,7 +320,7 @@ index 0000000..aaf7234
+
+
+## TTL for synthetic responses sent when a request has been blocked (due to
-+## IPv6 or blacklists).
++## IPv6 or blocklists).
+
+reject_ttl = 600
+
@@ -338,6 +353,7 @@ index 0000000..aaf7234
+# cloak_ttl = 600
+
+
++
+###########################
+# DNS cache #
+###########################
@@ -373,6 +389,21 @@ index 0000000..aaf7234
+
+
+
++########################################
++# Captive portal handling #
++########################################
++
++[captive_portals]
++
++## A file that contains a set of names used by operating systems to
++## check for connectivity and captive portals, along with hard-coded
++## IP addresses to return.
++## see '/usr/share/dnscrypt-proxy/example-captive-portals.txt' file for an example
++
++# map_file = '/etc/dnscrypt-proxy/captive-portals.txt'
++
++
++
+##################################
+# Local DoH server #
+##################################
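Review bot: The comment added to the new `[captive_portals]` section points users at `/usr/share/dnscrypt-proxy/example-captive-portals.txt`, but the APKBUILD hunks in this commit change only pkgver/pkgrel and sha512sums, so nothing visible here installs that file. If package() (outside the visible hunks) does not already copy upstream's example-*.txt files wholesale, the hint is dangling on a fresh install; either add the install line or drop the reference. The commented-out `# map_file = '/etc/dnscrypt-proxy/captive-portals.txt'` follows the patch's full-path convention, which is fine. Since the section's own description says names in that file are answered with hard-coded IP addresses, a comment such as `## Entries here are trusted: any listed name is answered with the given addresses` would make the operational weight of the file explicit.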
@@ -393,14 +424,14 @@ index 0000000..aaf7234
+## For each `listen_address` the complete URL to access the server will be:
+## `https://<listen_address><path>` (ex: `https://127.0.0.1/dns-query`)
+
-+# path = "/dns-query"
++# path = '/dns-query'
+
+
+## Certificate file and key - Note that the certificate has to be trusted.
+## See the documentation (wiki) for more information.
+
-+# cert_file = "localhost.pem"
-+# cert_key_file = "localhost.pem"
++# cert_file = 'localhost.pem'
++# cert_key_file = 'localhost.pem'
+
+
+
@@ -413,7 +444,7 @@ index 0000000..aaf7234
+[query_log]
+
+ ## Path to the query log file (absolute, or relative to the same directory as the config file)
-+ ## On non-Windows systems, can be /dev/stdout to log to the standard output (also set log_files_max_size to 0)
++ ## Can be set to /dev/stdout in order to log to the standard output.
+
+ # file = '/var/log/dnscrypt-proxy/query.log'
+
@@ -451,10 +482,10 @@ index 0000000..aaf7234
+
+
+######################################################
-+# Pattern-based blocking (blacklists) #
++# Pattern-based blocking (blocklists) #
+######################################################
+
-+## Blacklists are made of one pattern per line. Example of valid patterns:
++## Blocklists are made of one pattern per line. Example of valid patterns:
+##
+## example.com
+## =example.com
@@ -463,20 +494,20 @@ index 0000000..aaf7234
+## ads*.example.*
+## ads*.example[0-9]*.com
+##
-+## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
-+## A script to build blacklists from public feeds can be found in the
-+## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.
++## Example blocklist files can be found at https://download.dnscrypt.info/blocklists/
++## A script to build blocklists from public feeds can be found in the
++## `utils/generate-domains-blocklists` directory of the dnscrypt-proxy source code.
+
-+[blacklist]
++[blocked_names]
+
+ ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
+
-+ # blacklist_file = '/etc/dnscrypt-proxy/blacklist.txt'
++ # blocked_names_file = '/etc/dnscrypt-proxy/blocked-names.txt'
+
+
+ ## Optional path to a file logging blocked queries
+
-+ # log_file = '/var/log/dnscrypt-proxy/blocked.log'
++ # log_file = '/var/log/dnscrypt-proxy/blocked-names.log'
+
+
+ ## Optional log format: tsv or ltsv (default: tsv)
@@ -486,25 +517,25 @@ index 0000000..aaf7234
+
+
+###########################################################
-+# Pattern-based IP blocking (IP blacklists) #
++# Pattern-based IP blocking (IP blocklists) #
+###########################################################
+
-+## IP blacklists are made of one pattern per line. Example of valid patterns:
++## IP blocklists are made of one pattern per line. Example of valid patterns:
+##
+## 127.*
+## fe80:abcd:*
+## 192.168.1.4
+
-+[ip_blacklist]
++[blocked_ips]
+
+ ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
+
-+ # blacklist_file = '/etc/dnscrypt-proxy/ip-blacklist.txt'
++ # blocked_ips_file = '/etc/dnscrypt-proxy/blocked-ips.txt'
+
+
+ ## Optional path to a file logging blocked queries
+
-+ # log_file = '/var/log/dnscrypt-proxy/ip-blocked.log'
++ # log_file = '/var/log/dnscrypt-proxy/blocked-ips.log'
+
+
+ ## Optional log format: tsv or ltsv (default: tsv)
@@ -514,27 +545,54 @@ index 0000000..aaf7234
+
+
+######################################################
-+# Pattern-based whitelisting (blacklists bypass) #
++# Pattern-based allow lists (blocklists bypass) #
+######################################################
+
-+## Whitelists support the same patterns as blacklists
-+## If a name matches a whitelist entry, the corresponding session
++## Allowlists support the same patterns as blocklists
++## If a name matches an allowlist entry, the corresponding session
+## will bypass names and IP filters.
+##
+## Time-based rules are also supported to make some websites only accessible at specific times of the day.
+
-+[whitelist]
++[allowed_names]
++
++ ## Path to the file of allow list rules (absolute, or relative to the same directory as the config file)
++
++ # allowed_names_file = '/etc/dnscrypt-proxy/allowed-names.txt'
++
++
++ ## Optional path to a file logging allowed queries
+
-+ ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the config file)
++ # log_file = '/var/log/dnscrypt-proxy/allowed-names.log'
+
-+ # whitelist_file = '/etc/dnscrypt-proxy/whitelist.txt'
+
++ ## Optional log format: tsv or ltsv (default: tsv)
++
++ # log_format = 'tsv'
++
++
++
++#########################################################
++# Pattern-based allowed IPs lists (blocklists bypass) #
++#########################################################
++
++## Allowed IP lists support the same patterns as IP blocklists
++## If an IP response matches an allow ip entry, the corresponding session
++## will bypass IP filters.
++##
++## Time-based rules are also supported to make some websites only accessible at specific times of the day.
++
++[allowed_ips]
+
-+ ## Optional path to a file logging whitelisted queries
++ ## Path to the file of allowed ip rules (absolute, or relative to the same directory as the config file)
+
-+ # log_file = '/var/log/dnscrypt-proxy/whitelisted.log'
++ # allowed_ips_file = '/etc/dnscrypt-proxy/allowed-ips.txt'
+
+
++ ## Optional path to a file logging allowed queries
++
++ # log_file = '/var/log/dnscrypt-proxy/allowed-ips.log'
++
+ ## Optional log format: tsv or ltsv (default: tsv)
+
+ # log_format = 'tsv'
@@ -546,10 +604,10 @@ index 0000000..aaf7234
+##########################################
+
+## One or more weekly schedules can be defined here.
-+## Patterns in the name-based blocklist can optionally be followed with @schedule_name
++## Patterns in the name-based blocked_names file can optionally be followed with @schedule_name
+## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
+##
-+## For example, the following rule in a blacklist file:
++## For example, the following rule in a blocklist file:
+## *.youtube.* @time-to-sleep
+## would block access to YouTube during the times defined by the 'time-to-sleep' schedule.
+##
@@ -594,21 +652,25 @@ index 0000000..aaf7234
+## If the `urls` property is missing, cache files and valid signatures
+## must already be present. This doesn't prevent these cache files from
+## expiring after `refresh_delay` hours.
++## Cache freshness is checked every 24 hours, so values for 'refresh_delay'
++## of less than 24 hours will have no effect.
++## A maximum delay of 168 hours (1 week) is imposed to ensure cache freshness.
+
+[sources]
+
+ ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
+
+ [sources.'public-resolvers']
-+ urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
++ urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://download.dnscrypt.net/resolvers-list/v3/public-resolvers.md']
+ cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
+ minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
++ refresh_delay = 72
+ prefix = ''
+
+ ## Anonymized DNS relays
+
+ [sources.'relays']
-+ urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md']
++ urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/relays.md']
+ cache_file = '/var/cache/dnscrypt-proxy/relays.md'
+ minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+ refresh_delay = 72
@@ -626,7 +688,7 @@ index 0000000..aaf7234
+ ## This is a subset of the `public-resolvers` list, so enabling both is useless
+
+ # [sources.'parental-control']
-+ # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md']
++ # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://download.dnscrypt.net/resolvers-list/v3/parental-control.md']
+ # cache_file = '/var/cache/dnscrypt-proxy/parental-control.md'
+ # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+
@@ -642,13 +704,14 @@ index 0000000..aaf7234
+# truncate reponses larger than questions as expected by the DNSCrypt protocol.
+# This prevents large responses from being received over UDP and over relays.
+#
-+# The `dnsdist` server software drops client queries larger than 1500 bytes.
-+# They are aware of it and are working on a fix.
++# Older versions of the `dnsdist` server software had a bug with queries larger
++# than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but
++# some server may still run an outdated version.
+#
+# The list below enables workarounds to make non-relayed usage more reliable
+# until the servers are fixed.
+
-+fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'quad9-dnscrypt-ip4-filter-alt', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-nofilter-alt', 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-filter-alt', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-dnscrypt-ip6-nofilter-alt', 'quad9-dnscrypt-ip6-nofilter-pri', 'cleanbrowsing-adult', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-security']
++fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'cleanbrowsing-adult', 'cleanbrowsing-adult-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-security', 'cleanbrowsing-security-ipv6']
+
+
+
@@ -683,11 +746,11 @@ index 0000000..aaf7234
+## used to connect to that server.
+##
+## A relay can be specified as a DNS Stamp (either a relay stamp, or a
-+## DNSCrypt stamp), an IP:port, a hostname:port, or a server name.
++## DNSCrypt stamp) or a server name.
+##
+## The following example routes "example-server-1" via `anon-example-1` or `anon-example-2`,
-+## and "example-server-2" via the relay whose relay DNS stamp
-+## is "sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM".
++## and "example-server-2" via the relay whose relay DNS stamp is
++## "sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM".
+##
+## !!! THESE ARE JUST EXAMPLES !!!
+##
@@ -696,8 +759,15 @@ index 0000000..aaf7234
+##
+## Carefully choose relays and servers so that they are run by different entities.
+##
-+## "server_name" can also be set to "*" to define a default route, but this is not
-+## recommended. If you do so, keep "server_names" short and distinct from relays.
++## "server_name" can also be set to "*" to define a default route, for all servers:
++## { server_name='*', via=['anon-example-1', 'anon-example-2'] }
++##
++## If a route is ["*"], the proxy automatically picks a relay on a distinct network.
++## { server_name='*', via=['*'] } is also an option, but is likely to be suboptimal.
++##
++## Manual selection is always recommended over automatic selection, so that you can
++## select (relay,server) pairs that work well and fit your own criteria (close by or
++## in different countries, operated by different entities, on distinct ISPs...)
+
+# routes = [
+# { server_name='example-server-1', via=['anon-example-1', 'anon-example-2'] },
@@ -705,11 +775,18 @@ index 0000000..aaf7234
+# ]
+
+
-+# skip resolvers incompatible with anonymization instead of using them directly
++# Skip resolvers incompatible with anonymization instead of using them directly
+
+skip_incompatible = false
+
+
++# If public server certificates for a non-conformant server cannot be
++# retrieved via a relay, try getting them directly. Actual queries
++# will then always go through relays.
++
++# direct_cert_fallback = false
++
++
+
+###############################
+# DNS64 #
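Review bot: The new `direct_cert_fallback` comment explains the mechanism but not the trade-off behind its commented-out default of `false`: when the fallback fires, the certificate request goes to the server without a relay in between, so presumably that one exchange is visible to the server even though, as the comment says, later queries are relayed. A short line such as `# When enabled, the certificate request itself is not relayed; only enable if that is acceptable.` above the commented key would give readers the reason to leave it off. The surrounding `routes` and `skip_incompatible` text already frames relay selection as a privacy decision, so this keeps the section consistent. The wording is carried from upstream's example config, so the maintainer may prefer to keep the patch minimal and raise it upstream instead.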
@@ -734,13 +811,13 @@ index 0000000..aaf7234
+[dns64]
+
+## (Option 1) Static prefix(es) as Pref64::/n CIDRs.
-+# prefix = ["64:ff9b::/96"]
++# prefix = ['64:ff9b::/96']
+
+## (Option 2) DNS64-enabled resolver(s) to discover Pref64::/n CIDRs.
+## These resolvers are used to query for Well-Known IPv4-only Name (WKN) "ipv4only.arpa." to discover only.
+## Set with your ISP's resolvers in case of custom prefixes (other than Well-Known Prefix 64:ff9b::/96).
+## IMPORTANT: Default resolvers listed below support Well-Known Prefix 64:ff9b::/96 only.
-+# resolver = ["[2606:4700:4700::64]:53", "[2001:4860:4860::64]:53"]
++# resolver = ['[2606:4700:4700::64]:53', '[2001:4860:4860::64]:53']
+
+
+
@@ -754,4 +831,5 @@ index 0000000..aaf7234
+[static]
+
+ # [static.'myserver']
-+ # stamp = 'sdns:AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'
++ # stamp = 'sdns://AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'
++