From 374f71af541ee7ba6507a0cb3d5d628e897816da Mon Sep 17 00:00:00 2001
From: Ian Bashford
Date: Sun, 3 Jan 2021 18:44:46 +0000
Subject: community/dnscrypt-proxy: update to 2.0.45

Many functional changes
Move to block/allow list naming convention; old names not deprecated
---
 community/dnscrypt-proxy/APKBUILD | 8 +-
 community/dnscrypt-proxy/config-full-paths.patch | 182 ++++++++++++++++-------
 2 files changed, 134 insertions(+), 56 deletions(-)

diff --git a/community/dnscrypt-proxy/APKBUILD b/community/dnscrypt-proxy/APKBUILD
index a5f7d9f43d2..a0aefd5ed09 100644
--- a/community/dnscrypt-proxy/APKBUILD
+++ b/community/dnscrypt-proxy/APKBUILD
@@ -1,8 +1,8 @@
 # Contributor: Ian Bashford
 # Maintainer: Ian Bashford
 pkgname=dnscrypt-proxy
-pkgver=2.0.44
-pkgrel=1
+pkgver=2.0.45
+pkgrel=0
 pkgdesc="Tool for securing communications between a client and a DNS resolver"
 url="https://dnscrypt.info"
 arch="all !mips64" # no golang on mips64
@@ -52,8 +52,8 @@ setup() {
 install -m755 -D "$srcdir"/$pkgname.setup "$subpkgdir"/usr/sbin/setup-dnscrypt
 }
 
-sha512sums="009e2b669c1d6f6cd6b41f5e04d08735587f420dacdea8d422a3c12a62614c1ce1963deebca3af1f956070abd9ff5df9182cb27e31fa0fac8a95478739445801 dnscrypt-proxy-2.0.44.tar.gz
+sha512sums="becfe3c2d4567725e6b7e973647163e32dd2eaae361087bb05c90b6ddc3b0db0891c2725f6b5c255b8965990832bad53bd6ef137be54a342f46594f3633fe47a dnscrypt-proxy-2.0.45.tar.gz
 e0a72d39d47dc24b889d08beedbd9fdf21615f42fbab79980debdfd2c3feaa83dc3f776351f7dd13533cc85905ce4e01812e4ff8a80a9ccc0b21e9db7d6cb232 dnscrypt-proxy.initd
 c001ae39da1b2db71764cab568f9ed18e4de0cea3d1a4e7bd6dd01a5668b81a888ea9eef99de6beac08857ad7f8eb1a32d730e946ac3563e4dcfa27147e35052 dnscrypt-proxy.confd
 66dd43d84117a0151ae41f34d82b716760382a5a491424bf6418228ffd21f0dfbc88e34cc5074e11f97f006335d97b85367bb9ab1d96747a48e893c022ad52d0 dnscrypt-proxy.setup
-94a86cf11de506c24ed0217168e97f20ae35a467f406302201576e4a5ba11245ca8781967f8eb0f3fb7591488370df5553fcc7c6e9069cef0dbf2f5763b5e3be config-full-paths.patch"
+f79734205c1d2b018c2b9977c8fca81be3a89b79da6f20dcd627fd8cb4440221235cc16ebd16045c6c7e4e9815e44661f572939440cdd744203f5dea98b44c47 config-full-paths.patch"
diff --git a/community/dnscrypt-proxy/config-full-paths.patch b/community/dnscrypt-proxy/config-full-paths.patch
index b507e2d26e6..ed1d6cc8a37 100644
--- a/community/dnscrypt-proxy/config-full-paths.patch
+++ b/community/dnscrypt-proxy/config-full-paths.patch
@@ -1,10 +1,10 @@
 Add paths to config files, log files and downloaded data files
 diff --git a/./dnscrypt-proxy.toml b/dnscrypt-proxy/dnscrypt-proxy.toml
 new file mode 100644
-index 0000000..aaf7234
+index 0000000..12d9bde
 --- /dev/null
 +++ b/dnscrypt-proxy/dnscrypt-proxy.toml
-@@ -0,0 +1,750 @@
+@@ -0,0 +1,828 @@
 +
 +##############################################
 +# #
@@ -82,7 +82,7 @@ index 0000000..aaf7234
 +# Server must not log user queries (declarative)
 +require_nolog = true
 +
-+# Server must not enforce its own blacklist (for parental control, ads blocking...)
++# Server must not enforce its own blocklist (for parental control, ads blocking...)
 +require_nofilter = true
 +
 +# Server names to avoid even if they match all criteria
@@ -124,20 +124,31 @@ index 0000000..aaf7234
 +keepalive = 30
 +
 +
-+## Response for blocked queries. Options are `refused`, `hinfo` (default) or
-+## an IP response. To give an IP response, use the format `a:,aaaa:`.
++## Add EDNS-client-subnet information to outgoing queries
++##
++## Multiple networks can be listed; they will be randomly chosen.
++## These networks don't have to match your actual networks.
++
++# edns_client_subnet = ["0.0.0.0/0", "2001:db8::/32"]
++
++
++## Response for blocked queries. Options are `refused`, `hinfo` (default) or
++## an IP response. To give an IP response, use the format `a:,aaaa:`.
 +## Using the `hinfo` option means that some responses will be lies.
 +## Unfortunately, the `hinfo` option appears to be required for Android 8+
 +
 +# blocked_query_response = 'refused'
 +
 +
-+## Load-balancing strategy: 'p2' (default), 'ph', 'first' or 'random'
++## Load-balancing strategy: 'p2' (default), 'ph', 'p', 'first' or 'random'
++## Randomly choose 1 of the fastest 2, half, n, 1 or all live servers by latency.
++## The response quality still depends on the server itself.
 +
 +# lb_strategy = 'p2'
 +
 +## Set to `true` to constantly try to estimate the latency of all the resolvers
 +## and adjust the load-balancing parameters accordingly, or to `false` to disable.
++## Default is `true` that makes 'p2' `lb_strategy` work well.
 +
 +# lb_estimator = true
 +
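Review bot: The new `edns_client_subnet` comment in the second hunk explains that the listed networks need not match yours, but not why that matters: whatever prefix is listed is attached to every outgoing query and handed to the upstream resolver, which gives away the client's network location and works against the `require_nolog` / anonymized-routing posture this config otherwise builds. A zero-length prefix such as the `0.0.0.0/0` example carries no address bits, so the safe guidance is easy to state. I would add one line below the existing comment: `## Note: the listed prefix is sent to every upstream resolver; a real prefix discloses your network. Leave this disabled, or use 0.0.0.0/0, if privacy matters.` The `lb_strategy` and `lb_estimator` changes in the same hunk are wording only.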
@@ -205,12 +216,16 @@ index 0000000..aaf7234
 +## These are normal, non-encrypted DNS resolvers, that will be only used
 +## for one-shot queries when retrieving the initial resolvers list, and
 +## only if the system DNS configuration doesn't work.
++##
 +## No user application queries will ever be leaked through these resolvers,
 +## and they will not be used after IP addresses of resolvers URLs have been found.
 +## They will never be used if lists have already been cached, and if stamps
 +## don't include host names without IP addresses.
++##
 +## They will not be used if the configured system DNS works.
-+## Resolvers supporting DNSSEC are recommended.
++## Resolvers supporting DNSSEC are recommended, and, if you are using
++## DoH, fallback resolvers should ideally be operated by a different entity than
++## the DoH servers you will be using, especially if you have IPv6 enabled.
 +##
 +## People in China may need to use 114.114.114.114:53 here.
 +## Other popular options include 8.8.8.8 and 1.1.1.1.
@@ -260,7 +275,7 @@ index 0000000..aaf7234
 +## encrypted-dns-server can be configured to use this for access control
 +## in the [access_control] section
 +
-+# query_meta = ["key1:value1", "key2:value2", "token:MySecretToken"]
++# query_meta = ['key1:value1', 'key2:value2', 'token:MySecretToken']
 +
 +
 +## Automatic log files rotation
@@ -282,7 +297,7 @@ index 0000000..aaf7234
 +
 +## Note: if you are using dnsmasq, disable the `dnssec` option in dnsmasq if you
 +## configure dnscrypt-proxy to do any kind of filtering (including the filters
-+## below and blacklists).
++## below and blocklists).
 +## You can still choose resolvers that do DNSSEC validation.
 +
 +
@@ -305,7 +320,7 @@ index 0000000..aaf7234
 +
 +
 +## TTL for synthetic responses sent when a request has been blocked (due to
-+## IPv6 or blacklists).
++## IPv6 or blocklists).
 +
 +reject_ttl = 600
 +
@@ -338,6 +353,7 @@ index 0000000..aaf7234
 +# cloak_ttl = 600
 +
 +
++
 +###########################
 +# DNS cache #
 +###########################
@@ -373,6 +389,21 @@ index 0000000..aaf7234
 +
 +
 +
++########################################
++# Captive portal handling #
++########################################
++
++[captive_portals]
++
++## A file that contains a set of names used by operating systems to
++## check for connectivity and captive portals, along with hard-coded
++## IP addresses to return.
++## see '/usr/share/dnscrypt-proxy/example-captive-portals.txt' file for an example
++
++# map_file = '/etc/dnscrypt-proxy/captive-portals.txt'
++
++
++
 +##################################
 +# Local DoH server #
 +##################################
@@ -393,14 +424,14 @@ index 0000000..aaf7234
 +## For each `listen_address` the complete URL to access the server will be:
 +## `https://` (ex: `https://127.0.0.1/dns-query`)
 +
-+# path = "/dns-query"
++# path = '/dns-query'
 +
 +
 +## Certificate file and key - Note that the certificate has to be trusted.
 +## See the documentation (wiki) for more information.
 +
-+# cert_file = "localhost.pem"
-+# cert_key_file = "localhost.pem"
++# cert_file = 'localhost.pem'
++# cert_key_file = 'localhost.pem'
 +
 +
 +
@@ -413,7 +444,7 @@ index 0000000..aaf7234
 +[query_log]
 +
 + ## Path to the query log file (absolute, or relative to the same directory as the config file)
-+ ## On non-Windows systems, can be /dev/stdout to log to the standard output (also set log_files_max_size to 0)
++ ## Can be set to /dev/stdout in order to log to the standard output.
 +
 + # file = '/var/log/dnscrypt-proxy/query.log'
 +
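Review bot: The new `[captive_portals]` comment points readers at `/usr/share/dnscrypt-proxy/example-captive-portals.txt`, but nothing in this commit's APKBUILD hunks installs such a file, so unless the existing package() function (not visible in this diff) already ships it the pointer is dangling for Alpine users. Either install upstream's example next to the other packaged files or reword the line to something the package can honour, e.g. `## see example-captive-portals.txt in the dnscrypt-proxy source for the file format`. Since entries in this file cause the proxy to answer connectivity-check names with hard-coded addresses, it is also worth a one-line reminder that `map_file` must be root-owned and not writable by the service user, like the rest of /etc/dnscrypt-proxy.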
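Review bot: In the Local DoH hunk, `cert_file = 'localhost.pem'` and `cert_key_file = 'localhost.pem'` are the only file paths left relative in a patch whose header says it exists to put full paths into the config; the change here only swaps double quotes for single quotes. For consistency with the other sections I would ship `# cert_file = '/etc/dnscrypt-proxy/localhost.pem'` and `# cert_key_file = '/etc/dnscrypt-proxy/localhost.pem'`, and add a comment that the key file must be readable only by the user the proxy runs as. This is an example that is commented out by default, so it is a style point rather than a defect.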
@@ -451,10 +482,10 @@ index 0000000..aaf7234
 +
 +
 +######################################################
-+# Pattern-based blocking (blacklists) #
++# Pattern-based blocking (blocklists) #
 +######################################################
 +
-+## Blacklists are made of one pattern per line. Example of valid patterns:
++## Blocklists are made of one pattern per line. Example of valid patterns:
 +##
 +## example.com
 +## =example.com
@@ -463,20 +494,20 @@ index 0000000..aaf7234
 +## ads*.example.*
 +## ads*.example[0-9]*.com
 +##
-+## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
-+## A script to build blacklists from public feeds can be found in the
-+## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.
++## Example blocklist files can be found at https://download.dnscrypt.info/blocklists/
++## A script to build blocklists from public feeds can be found in the
++## `utils/generate-domains-blocklists` directory of the dnscrypt-proxy source code.
 +
-+[blacklist]
++[blocked_names]
 +
 + ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
 +
-+ # blacklist_file = '/etc/dnscrypt-proxy/blacklist.txt'
++ # blocked_names_file = '/etc/dnscrypt-proxy/blocked-names.txt'
 +
 +
 + ## Optional path to a file logging blocked queries
 +
-+ # log_file = '/var/log/dnscrypt-proxy/blocked.log'
++ # log_file = '/var/log/dnscrypt-proxy/blocked-names.log'
 +
 +
 + ## Optional log format: tsv or ltsv (default: tsv)
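Review bot: Renaming `[blacklist]` / `blacklist_file` to `[blocked_names]` / `blocked_names_file` and moving the default path from `blacklist.txt` to `blocked-names.txt` is a fail-open change for anyone who already enabled name blocking on Alpine: an existing, locally edited `/etc/dnscrypt-proxy/dnscrypt-proxy.toml` keeps the old keys after the upgrade, and if the 2.0.45 binary does not honour the legacy section the proxy keeps resolving normally while filtering silently stops. The commit message says the old names are "not deprecated", which I read as still accepted, but that is not verifiable from this diff, so I would confirm with the new binary that `[blacklist]` is still loaded (or at least produces a loud warning at startup) and add a line to the packaged config: `## NOTE: [blacklist] was renamed to [blocked_names] in 2.0.45; update existing configs.` The same concern applies to the `[ip_blacklist]` → `[blocked_ips]` and `[whitelist]` → `[allowed_names]` renames in the following hunks.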
@@ -486,25 +517,25 @@ index 0000000..aaf7234
 +
 +
 +###########################################################
-+# Pattern-based IP blocking (IP blacklists) #
++# Pattern-based IP blocking (IP blocklists) #
 +###########################################################
 +
-+## IP blacklists are made of one pattern per line. Example of valid patterns:
++## IP blocklists are made of one pattern per line. Example of valid patterns:
 +##
 +## 127.*
 +## fe80:abcd:*
 +## 192.168.1.4
 +
-+[ip_blacklist]
++[blocked_ips]
 +
 + ## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
 +
-+ # blacklist_file = '/etc/dnscrypt-proxy/ip-blacklist.txt'
++ # blocked_ips_file = '/etc/dnscrypt-proxy/blocked-ips.txt'
 +
 +
 + ## Optional path to a file logging blocked queries
 +
-+ # log_file = '/var/log/dnscrypt-proxy/ip-blocked.log'
++ # log_file = '/var/log/dnscrypt-proxy/blocked-ips.log'
 +
 +
 + ## Optional log format: tsv or ltsv (default: tsv)
@@ -514,27 +545,54 @@ index 0000000..aaf7234
 +
 +
 +######################################################
-+# Pattern-based whitelisting (blacklists bypass) #
++# Pattern-based allow lists (blocklists bypass) #
 +######################################################
 +
-+## Whitelists support the same patterns as blacklists
-+## If a name matches a whitelist entry, the corresponding session
++## Allowlists support the same patterns as blocklists
++## If a name matches an allowlist entry, the corresponding session
 +## will bypass names and IP filters.
 +##
 +## Time-based rules are also supported to make some websites only accessible at specific times of the day.
 +
-+[whitelist]
++[allowed_names]
++
++ ## Path to the file of allow list rules (absolute, or relative to the same directory as the config file)
++
++ # allowed_names_file = '/etc/dnscrypt-proxy/allowed-names.txt'
++
++
++ ## Optional path to a file logging allowed queries
 +
-+ ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the config file)
++ # log_file = '/var/log/dnscrypt-proxy/allowed-names.log'
 +
-+ # whitelist_file = '/etc/dnscrypt-proxy/whitelist.txt'
 +
++ ## Optional log format: tsv or ltsv (default: tsv)
++
++ # log_format = 'tsv'
++
++
++
++#########################################################
++# Pattern-based allowed IPs lists (blocklists bypass) #
++#########################################################
++
++## Allowed IP lists support the same patterns as IP blocklists
++## If an IP response matches an allow ip entry, the corresponding session
++## will bypass IP filters.
++##
++## Time-based rules are also supported to make some websites only accessible at specific times of the day.
++
++[allowed_ips]
 +
-+ ## Optional path to a file logging whitelisted queries
++ ## Path to the file of allowed ip rules (absolute, or relative to the same directory as the config file)
 +
-+ # log_file = '/var/log/dnscrypt-proxy/whitelisted.log'
++ # allowed_ips_file = '/etc/dnscrypt-proxy/allowed-ips.txt'
 +
 +
++ ## Optional path to a file logging allowed queries
++
++ # log_file = '/var/log/dnscrypt-proxy/allowed-ips.log'
++
 + ## Optional log format: tsv or ltsv (default: tsv)
 +
 + # log_format = 'tsv'
@@ -546,10 +604,10 @@ index 0000000..aaf7234
 +##########################################
 +
 +## One or more weekly schedules can be defined here.
-+## Patterns in the name-based blocklist can optionally be followed with @schedule_name
++## Patterns in the name-based blocked_names file can optionally be followed with @schedule_name
 +## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
 +##
-+## For example, the following rule in a blacklist file:
++## For example, the following rule in a blocklist file:
 +## *.youtube.* @time-to-sleep
 +## would block access to YouTube during the times defined by the 'time-to-sleep' schedule.
 +##
@@ -594,21 +652,25 @@ index 0000000..aaf7234
 +## If the `urls` property is missing, cache files and valid signatures
 +## must already be present. This doesn't prevent these cache files from
 +## expiring after `refresh_delay` hours.
++## Cache freshness is checked every 24 hours, so values for 'refresh_delay'
++## of less than 24 hours will have no effect.
++## A maximum delay of 168 hours (1 week) is imposed to ensure cache freshness.
 +
 +[sources]
 +
 + ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
 +
 + [sources.'public-resolvers']
-+ urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
++ urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://download.dnscrypt.net/resolvers-list/v3/public-resolvers.md']
 + cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
 + minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
++ refresh_delay = 72
 + prefix = ''
 +
 + ## Anonymized DNS relays
 +
 + [sources.'relays']
-+ urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md']
++ urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/relays.md']
 + cache_file = '/var/cache/dnscrypt-proxy/relays.md'
 + minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
 + refresh_delay = 72
@@ -626,7 +688,7 @@ index 0000000..aaf7234
 + ## This is a subset of the `public-resolvers` list, so enabling both is useless
 +
 + # [sources.'parental-control']
-+ # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md']
++ # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://download.dnscrypt.net/resolvers-list/v3/parental-control.md']
 + # cache_file = '/var/cache/dnscrypt-proxy/parental-control.md'
 + # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
 +
@@ -642,13 +704,14 @@ index 0000000..aaf7234
 +# truncate reponses larger than questions as expected by the DNSCrypt protocol.
 +# This prevents large responses from being received over UDP and over relays.
 +#
-+# The `dnsdist` server software drops client queries larger than 1500 bytes.
-+# They are aware of it and are working on a fix.
++# Older versions of the `dnsdist` server software had a bug with queries larger
++# than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but
++# some server may still run an outdated version.
 +#
 +# The list below enables workarounds to make non-relayed usage more reliable
 +# until the servers are fixed.
 +
-+fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'quad9-dnscrypt-ip4-filter-alt', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-nofilter-alt', 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-filter-alt', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-dnscrypt-ip6-nofilter-alt', 'quad9-dnscrypt-ip6-nofilter-pri', 'cleanbrowsing-adult', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-security']
++fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'cleanbrowsing-adult', 'cleanbrowsing-adult-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-security', 'cleanbrowsing-security-ipv6']
 +
 +
 +
@@ -683,11 +746,11 @@ index 0000000..aaf7234
 +## used to connect to that server.
 +##
 +## A relay can be specified as a DNS Stamp (either a relay stamp, or a
-+## DNSCrypt stamp), an IP:port, a hostname:port, or a server name.
++## DNSCrypt stamp) or a server name.
 +##
 +## The following example routes "example-server-1" via `anon-example-1` or `anon-example-2`,
-+## and "example-server-2" via the relay whose relay DNS stamp
-+## is "sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM".
++## and "example-server-2" via the relay whose relay DNS stamp is
++## "sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM".
 +##
 +## !!! THESE ARE JUST EXAMPLES !!!
 +##
@@ -696,8 +759,15 @@ index 0000000..aaf7234
 +##
 +## Carefully choose relays and servers so that they are run by different entities.
 +##
-+## "server_name" can also be set to "*" to define a default route, but this is not
-+## recommended. If you do so, keep "server_names" short and distinct from relays.
++## "server_name" can also be set to "*" to define a default route, for all servers:
++## { server_name='*', via=['anon-example-1', 'anon-example-2'] }
++##
++## If a route is ["*"], the proxy automatically picks a relay on a distinct network.
++## { server_name='*', via=['*'] } is also an option, but is likely to be suboptimal.
++##
++## Manual selection is always recommended over automatic selection, so that you can
++## select (relay,server) pairs that work well and fit your own criteria (close by or
++## in different countries, operated by different entities, on distinct ISPs...)
 +
 +# routes = [
 +# { server_name='example-server-1', via=['anon-example-1', 'anon-example-2'] },
@@ -705,11 +775,18 @@ index 0000000..aaf7234
 +# ]
 +
 +
-+# skip resolvers incompatible with anonymization instead of using them directly
++# Skip resolvers incompatible with anonymization instead of using them directly
 +
 +skip_incompatible = false
 +
 +
++# If public server certificates for a non-conformant server cannot be
++# retrieved via a relay, try getting them directly. Actual queries
++# will then always go through relays.
++
++# direct_cert_fallback = false
++
++
 +
 +###############################
 +# DNS64 #
@@ -734,13 +811,13 @@ index 0000000..aaf7234
 +[dns64]
 +
 +## (Option 1) Static prefix(es) as Pref64::/n CIDRs.
-+# prefix = ["64:ff9b::/96"]
++# prefix = ['64:ff9b::/96']
 +
 +## (Option 2) DNS64-enabled resolver(s) to discover Pref64::/n CIDRs.
 +## These resolvers are used to query for Well-Known IPv4-only Name (WKN) "ipv4only.arpa." to discover only.
 +## Set with your ISP's resolvers in case of custom prefixes (other than Well-Known Prefix 64:ff9b::/96).
 +## IMPORTANT: Default resolvers listed below support Well-Known Prefix 64:ff9b::/96 only.
-+# resolver = ["[2606:4700:4700::64]:53", "[2001:4860:4860::64]:53"]
++# resolver = ['[2606:4700:4700::64]:53', '[2001:4860:4860::64]:53']
 +
 +
 +
@@ -754,4 +831,5 @@ index 0000000..aaf7234
 +[static]
 +
 + # [static.'myserver']
-+ # stamp = 'sdns:AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'
++ # stamp = 'sdns://AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'
++
-- cgit v1.2.3
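Review bot: The new `direct_cert_fallback` comment describes the mechanism but not its cost: when the fallback triggers, the certificate fetch goes from the client straight to the resolver, so that resolver learns the client's IP address even though, as the comment says, the actual queries still go through relays; that is exactly the linkage the anonymized-DNS section is meant to prevent. The option is shipped commented out, so the risk is only for people who enable it, which is why the tradeoff should be stated next to it: `# Enabling this reveals your IP address to the server during certificate retrieval.` The `[anonymized_dns]` section this option belongs to starts before this hunk.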