Add a reasonable default set of ports + a new option

2024-05-18 20:06:05 +02:00 · 2019-10-17 22:44:43 +02:00 · 2019-10-17 22:44:43 +02:00 · 2706b2994d
parent e43ad4949b
commit 2706b2994d
5 changed files with 26 additions and 11 deletions
--- a/example-encrypted-dns.toml
+++ b/example-encrypted-dns.toml
@ -195,8 +195,14 @@ enabled = false


 # Allowed upstream ports
+# This is a list of commonly used ports for encrypted DNS services

-allowed_ports = [ 443 ]
+allowed_ports = [ 443, 553, 853, 1443, 2053, 4343, 4434, 4443, 5353, 5443, 8443, 15353 ]
+
+
+# Allow all ports >= 1024 in addition to the list above
+
+allow_non_reserved_ports = false


 # Blacklisted upstream IP addresses
--- a/src/anonymized_dns.rs
+++ b/src/anonymized_dns.rs
@ -45,7 +45,8 @@ pub async fn handle_anonymized_dns(
    );
    let port = BigEndian::read_u16(&encrypted_packet[16..18]);
    ensure!(
-        globals.anonymized_dns_allowed_ports.contains(&port),
+        (globals.anonymized_dns_allow_non_reserved_ports && port >= 1024)
+            || globals.anonymized_dns_allowed_ports.contains(&port),
        "Forbidden upstream port"
    );
    let upstream_address = SocketAddr::new(ip, port);
--- a/src/config.rs
+++ b/src/config.rs
@ -13,6 +13,7 @@ use tokio::prelude::*;
 pub struct AnonymizedDNSConfig {
    pub enabled: bool,
    pub allowed_ports: Vec<u16>,
+    pub allow_non_reserved_ports: Option<bool>,
    pub blacklisted_ips: Vec<IpAddr>,
 }

--- a/src/globals.rs
+++ b/src/globals.rs
@ -42,6 +42,7 @@ pub struct Globals {
    pub blacklist: Option<BlackList>,
    pub anonymized_dns_enabled: bool,
    pub anonymized_dns_allowed_ports: Vec<u16>,
+    pub anonymized_dns_allow_non_reserved_ports: bool,
    pub anonymized_dns_blacklisted_ips: Vec<IpAddr>,
    #[cfg(feature = "metrics")]
    #[derivative(Debug = "ignore")]
--- a/src/main.rs
+++ b/src/main.rs
@ -615,15 +615,20 @@ fn main() -> Result<(), Error> {
                .map_err(|e| format_err!("Unable to load the blacklist [{:?}]: [{}]", path, e))?,
        ),
    };
-    let (anonymized_dns_enabled, anonymized_dns_allowed_ports, anonymized_dns_blacklisted_ips) =
-        match config.anonymized_dns {
-            None => (false, vec![], vec![]),
-            Some(anonymized_dns) => (
-                anonymized_dns.enabled,
-                anonymized_dns.allowed_ports,
-                anonymized_dns.blacklisted_ips,
-            ),
-        };
+    let (
+        anonymized_dns_enabled,
+        anonymized_dns_allowed_ports,
+        anonymized_dns_allow_non_reserved_ports,
+        anonymized_dns_blacklisted_ips,
+    ) = match config.anonymized_dns {
+        None => (false, vec![], false, vec![]),
+        Some(anonymized_dns) => (
+            anonymized_dns.enabled,
+            anonymized_dns.allowed_ports,
+            anonymized_dns.allow_non_reserved_ports.unwrap_or(false),
+            anonymized_dns.blacklisted_ips,
+        ),
+    };

    let globals = Arc::new(Globals {
        runtime: runtime.clone(),
@ -655,6 +660,7 @@ fn main() -> Result<(), Error> {
        blacklist,
        anonymized_dns_enabled,
        anonymized_dns_allowed_ports,
+        anonymized_dns_allow_non_reserved_ports,
        anonymized_dns_blacklisted_ips,
        #[cfg(feature = "metrics")]
        varz: Varz::default(),