From 498fdb782d444b199745c0e493bfb9f2dcfbbefa Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Mon, 14 Oct 2019 12:50:49 +0200 Subject: [PATCH] Add support for Anonymized DNS --- Dockerfile | 2 +- README.md | 14 ++++++++ encrypted-dns.toml.in | 34 ++++++++++++++++++ entrypoint.sh | 83 ++++++++++++++++++++++++------------------- 4 files changed, 95 insertions(+), 38 deletions(-) diff --git a/Dockerfile b/Dockerfile index 0f590c9..050d635 100644 --- a/Dockerfile +++ b/Dockerfile @@ -37,7 +37,7 @@ ENV RUSTFLAGS "-C link-arg=-s" RUN apt-get update && apt-get install -qy --no-install-recommends $BUILD_DEPS && \ curl -sSf https://sh.rustup.rs | bash -s -- -y --default-toolchain nightly && \ export PATH="$HOME/.cargo/bin:$PATH" && \ - echo "Compiling encrypted-dns version 0.2.10" && \ + echo "Compiling encrypted-dns version 0.3.1" && \ cargo install encrypted-dns && \ mkdir -p /opt/encrypted-dns/sbin && \ mv ~/.cargo/bin/encrypted-dns /opt/encrypted-dns/sbin/ && \ diff --git a/README.md b/README.md index b8b43eb..fa61aff 100644 --- a/README.md +++ b/README.md @@ -13,6 +13,8 @@ to get your resolver up and running. Table of Contents ================= +- [DNSCrypt server Docker image](#dnscrypt-server-docker-image) +- [Table of Contents](#table-of-contents) - [Quickstart](#quickstart) - [Installation](#installation) - [Customizing Unbound](#customizing-unbound) @@ -20,6 +22,8 @@ Table of Contents - [Troubleshooting](#troubleshooting) - [Details](#details) - [Kubernetes](#kubernetes) +- [Anonymized DNS](#anonymized-dns) +- [TLS (including HTTPS and DoH) forwarding](#tls-including-https-and-doh-forwarding) - [Join the network](#join-the-network) Quickstart 
@@ -135,6 +139,16 @@ in minutes. To get your public key just view the logs for the `dnscrypt-init` job. The public IP for your server is merely the `dnscrypt` service address. +Anonymized DNS +============== + +The server can be configured as a relay for the Anonymized DNSCrypt protocol by adding the `-A` switch to the `init` command. + +TLS (including HTTPS and DoH) forwarding +======================================== + +If the DNS server is listening to port `443`, but you still want to have a web (or DoH) service accessible on that port, add the `-T` switch followed by the backend server IP and port to the `init` command (for example: `-T 10.0.0.1:4443`). + Join the network ================ diff --git a/encrypted-dns.toml.in b/encrypted-dns.toml.in index c6f15b6..66a12ec 100644 --- a/encrypted-dns.toml.in +++ b/encrypted-dns.toml.in @@ -161,3 +161,37 @@ key_cache_capacity = 10000 [filtering] @DOMAIN_BLACKLIST_CONFIGURATION@ + + + +######################### +# Metrics # +######################### + +# [metrics] + +# type = "prometheus" +# listen_addr = "0.0.0.0:9100" +# path = "/metrics" + + + +################################ +# Anonymized DNS # +################################ + +[anonymized_dns] + +# Enable relaying support for Anonymized DNS + +enabled = @ANONDNS_ENABLED@ + + +# Allowed upstream ports + +allowed_ports = [ 443 ] + + +# Blacklisted upstream IP addresses + +blacklisted_ips = [ @ANONDNS_BLACKLISTED_IPS@ ] \ No newline at end of file diff --git a/entrypoint.sh b/entrypoint.sh index 6757731..c40ad49 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
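Review bot: In the new `[anonymized_dns]` section, `blacklisted_ips = [ @ANONDNS_BLACKLISTED_IPS@ ]` is the only destination restriction besides `allowed_ports = [ 443 ]`, and the entrypoint.sh hunk `@@ -22,28 +22,32 @@` initialises `anondns_blacklisted_ips=""` without any option ever assigning it, so a server started with `-A` always ends up with an empty blacklist. That leaves an operator no way, short of editing the generated file, to stop the relay from forwarding to loopback, link-local or private addresses reachable from the container; either wire the variable to an init option or seed it with a default, and document the intent in the template with a comment such as `# Addresses the relay must never forward to (loopback, link-local and private ranges are sensible entries)`. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the section is being added.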
@@ -22,28 +22,32 @@ init() { exit $? fi - while getopts "h?N:E:T:" opt; do + anondns_enabled="false" + anondns_blacklisted_ips="" + + while getopts "h?N:E:T:A" opt; do case "$opt" in - h | \?) usage ;; - N) provider_name=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;; - E) ext_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;; - T) tls_proxy_upstream_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;; + h | \?) usage ;; + N) provider_name=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;; + E) ext_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;; + T) tls_proxy_upstream_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;; + A) anondns_enabled="true" ;; esac done [ -z "$provider_name" ] && usage case "$provider_name" in - .*) usage ;; - 2.dnscrypt-cert.*) ;; - *) provider_name="2.dnscrypt-cert.${provider_name}" ;; + .*) usage ;; + 2.dnscrypt-cert.*) ;; + *) provider_name="2.dnscrypt-cert.${provider_name}" ;; esac [ -z "$ext_address" ] && usage case "$ext_address" in - .*) usage ;; - 0.*) - echo "Do not use 0.0.0.0, use an actual external IP address" >&2 - exit 1 - ;; + .*) usage ;; + 0.*) + echo "Do not use 0.0.0.0, use an actual external IP address" >&2 + exit 1 + ;; esac tls_proxy_configuration="" @@ -59,7 +63,7 @@ init() { echo "Provider name: [$provider_name]" - echo "$provider_name" > "${KEYS_DIR}/provider_name" + echo "$provider_name" >"${KEYS_DIR}/provider_name" chmod 644 "${KEYS_DIR}/provider_name" sed \ @@ -67,7 +71,9 @@ init() { -e "s#@EXTERNAL_IPV4@#${ext_address}#" \ -e "s#@TLS_PROXY_CONFIGURATION@#${tls_proxy_configuration}#" \ -e "s#@DOMAIN_BLACKLIST_CONFIGURATION@#${domain_blacklist_configuration}#" \ - "$CONFIG_FILE_TEMPLATE" > "$CONFIG_FILE" + -e "s#@ANONDNS_ENABLEDN@#${anondns_enabled}#" \ + -e "s#@ANONDNS_BLACKLISTED_IPS@#${anondns_blacklisted_ips}#" \ + "$CONFIG_FILE_TEMPLATE" >"$CONFIG_FILE" mkdir -p -m 700 "${STATE_DIR}" chown _encrypted-dns:_encrypted-dns "${STATE_DIR}" 
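Review bot: The new sed expression `-e "s#@ANONDNS_ENABLEDN@#${anondns_enabled}#"` in hunk `@@ -67,7 +71,9 @@` carries a stray `N` in the placeholder, whereas the template added to encrypted-dns.toml.in uses `@ANONDNS_ENABLED@`; the token is never replaced, the generated config keeps the literal `enabled = @ANONDNS_ENABLED@`, and since that is not valid TOML the daemon will presumably reject the file whether or not `-A` was given. The line should read `-e "s#@ANONDNS_ENABLED@#${anondns_enabled}#" \`. As far as the visible hunks show, init only dry-runs the written config inside the key-migration branch, so a mistake like this surfaces at `start` rather than at `init`; an unconditional `--dry-run` against `$CONFIG_FILE` at the end of init would catch it earlier. Note also that `#` is the sed delimiter and `&` is special in the replacement, so if `anondns_blacklisted_ips` ever receives a real value those characters must be excluded or escaped. init() starts before and ends after these hunks.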
@@ -77,7 +83,7 @@ init() { /opt/encrypted-dns/sbin/encrypted-dns \ --config "$CONFIG_FILE" \ --import-from-dnscrypt-wrapper "${KEYS_DIR}/secret.key" \ - --dry-run > /dev/null || exit 1 + --dry-run >/dev/null || exit 1 mv -f "${KEYS_DIR}/secret.key" "${KEYS_DIR}/secret.key.migrated" fi 
@@ -107,22 +113,22 @@ legacy_compat() { if [ -f "${LEGACY_KEYS_DIR}/provider-info.txt" ] && [ -f "${LEGACY_KEYS_DIR}/provider_name" ]; then echo "Using [${LEGACY_KEYS_DIR}] for keys" >&2 mkdir -p "${KEYS_DIR}" - mv -f "${KEYS_DIR}/provider-info.txt" "${KEYS_DIR}/provider-info.txt.migrated" 2> /dev/null || : - ln -s "${LEGACY_KEYS_DIR}/provider-info.txt" "${KEYS_DIR}/provider-info.txt" 2> /dev/null || : - mv -f "${KEYS_DIR}/provider_name" "${KEYS_DIR}/provider_name.migrated" 2> /dev/null || : - ln -s "${LEGACY_KEYS_DIR}/provider_name" "${KEYS_DIR}/provider_name" 2> /dev/null || : - mv -f "${KEYS_DIR}/secret.key" "${KEYS_DIR}/secret.key.migrated" 2> /dev/null || : - ln -s "${LEGACY_KEYS_DIR}/secret.key" "${KEYS_DIR}/secret.key" 2> /dev/null || : + mv -f "${KEYS_DIR}/provider-info.txt" "${KEYS_DIR}/provider-info.txt.migrated" 2>/dev/null || : + ln -s "${LEGACY_KEYS_DIR}/provider-info.txt" "${KEYS_DIR}/provider-info.txt" 2>/dev/null || : + mv -f "${KEYS_DIR}/provider_name" "${KEYS_DIR}/provider_name.migrated" 2>/dev/null || : + ln -s "${LEGACY_KEYS_DIR}/provider_name" "${KEYS_DIR}/provider_name" 2>/dev/null || : + mv -f "${KEYS_DIR}/secret.key" "${KEYS_DIR}/secret.key.migrated" 2>/dev/null || : + ln -s "${LEGACY_KEYS_DIR}/secret.key" "${KEYS_DIR}/secret.key" 2>/dev/null || : mkdir -p -m 700 "${LEGACY_STATE_DIR}" chown _encrypted-dns:_encrypted-dns "${LEGACY_STATE_DIR}" - mv -f "$STATE_DIR" "${STATE_DIR}.migrated" 2> /dev/null || : - ln -s "$LEGACY_STATE_DIR" "${STATE_DIR}" 2> /dev/null || : + mv -f "$STATE_DIR" "${STATE_DIR}.migrated" 2>/dev/null || : + ln -s "$LEGACY_STATE_DIR" "${STATE_DIR}" 2>/dev/null || : fi if [ -f "${LEGACY_LISTS_DIR}/blacklist.txt" ]; then echo "Using [${LEGACY_LISTS_DIR}] for lists" >&2 mkdir -p "${LISTS_DIR}" - mv -f "${LISTS_DIR}/blacklist.txt" "${LISTS_DIR}/blacklist.txt.migrated" 2> /dev/null || : - ln -s "${LEGACY_LISTS_DIR}/blacklist.txt" "${LISTS_DIR}/blacklist.txt" 2> /dev/null || : + mv -f "${LISTS_DIR}/blacklist.txt" 
"${LISTS_DIR}/blacklist.txt.migrated" 2>/dev/null || : + ln -s "${LEGACY_LISTS_DIR}/blacklist.txt" "${LISTS_DIR}/blacklist.txt" 2>/dev/null || : fi } @@ -155,13 +161,13 @@ start() { /opt/encrypted-dns/sbin/encrypted-dns \ --config "$CONFIG_FILE" \ --import-from-dnscrypt-wrapper "${KEYS_DIR}/secret.key" \ - --dry-run > /dev/null || exit 1 + --dry-run >/dev/null || exit 1 mv -f "${KEYS_DIR}/secret.key" "${KEYS_DIR}/secret.key.migrated" fi /opt/encrypted-dns/sbin/encrypted-dns \ --config "$CONFIG_FILE" --dry-run | tee "${KEYS_DIR}/provider-info.txt" - exec /etc/runit/2 < /dev/null > /dev/null 2> /dev/null + exec /etc/runit/2 /dev/null 2>/dev/null } shell() { @@ -169,16 +175,19 @@ shell() { } usage() { - cat << EOT + cat < -E : initialize the container for a server accessible at ip on port , for a provider named . This is required only once. + If TLS connections to the same port have to be redirected to a HTTPS server (e.g. for DoH), add -T : +To enable Anonymized DNS relaying, add -A. + * start (default command): start the resolver and the dnscrypt server proxy. Ports 443/udp and 443/tcp have to be publicly exposed. @@ -193,12 +202,12 @@ EOT } case "$action" in - start) start ;; - init) - shift - init "$@" - ;; - provider-info) provider_info ;; - shell) shell ;; - *) usage ;; +start) start ;; +init) + shift + init "$@" + ;; +provider-info) provider_info ;; +shell) shell ;; +*) usage ;; esac
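Review bot: As rendered, the new line in `start()` reads `exec /etc/runit/2 /dev/null 2>/dev/null`, which passes `/dev/null` as a positional argument to the init process and leaves stdin and stdout attached, whereas the removed line redirected all three streams. This looks like the `</dev/null >/dev/null` pair being swallowed when the patch was rendered, but if the committed text really reads this way the line should be `exec /etc/runit/2 </dev/null >/dev/null 2>/dev/null`. The usage hunk `@@ -169,16 +175,19 @@` shows the same symptom — `cat <` where a heredoc opener is expected, and the argument placeholders in the `init` usage line missing — so the raw file should be checked before merging. start() begins before this hunk.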