Add a reasonable default set of ports + a new option
This commit is contained in:
parent
e43ad4949b
commit
2706b2994d
|
@ -195,8 +195,14 @@ enabled = false
|
|||
|
||||
|
||||
# Allowed upstream ports
|
||||
# This is a list of commonly used ports for encrypted DNS services
|
||||
|
||||
allowed_ports = [ 443 ]
|
||||
allowed_ports = [ 443, 553, 853, 1443, 2053, 4343, 4434, 4443, 5353, 5443, 8443, 15353 ]
|
||||
|
||||
|
||||
# Allow all ports >= 1024 in addition to the list above
|
||||
|
||||
allow_non_reserved_ports = false
|
||||
|
||||
|
||||
# Blacklisted upstream IP addresses
|
||||
|
|
|
@ -45,7 +45,8 @@ pub async fn handle_anonymized_dns(
|
|||
);
|
||||
let port = BigEndian::read_u16(&encrypted_packet[16..18]);
|
||||
ensure!(
|
||||
globals.anonymized_dns_allowed_ports.contains(&port),
|
||||
(globals.anonymized_dns_allow_non_reserved_ports && port >= 1024)
|
||||
|| globals.anonymized_dns_allowed_ports.contains(&port),
|
||||
"Forbidden upstream port"
|
||||
);
|
||||
let upstream_address = SocketAddr::new(ip, port);
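Review bot: The two new operands of the `ensure!` condition widen the set of upstreams the relay will forward to without a comment saying so: once `anonymized_dns_allow_non_reserved_ports` is set, any client-chosen port >= 1024 passes and `anonymized_dns_allowed_ports` only governs ports below 1024, so the allow-list no longer bounds where the relay sends packets (presumably the IP blacklist, checked elsewhere, is then the only other limit). A one-line comment above the check, `// allow_non_reserved_ports widens the allow-list to every port >= 1024; the list alone still governs ports below 1024.`, would make that trade-off visible to the next maintainer. handle_anonymized_dns starts and ends outside the hunk.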
|
||||
|
|
|
@ -13,6 +13,7 @@ use tokio::prelude::*;
|
|||
pub struct AnonymizedDNSConfig {
|
||||
pub enabled: bool,
|
||||
pub allowed_ports: Vec<u16>,
|
||||
pub allow_non_reserved_ports: Option<bool>,
|
||||
pub blacklisted_ips: Vec<IpAddr>,
|
||||
}
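Review bot: The new `allow_non_reserved_ports` field carries no doc comment stating its effect or its default, and the `Option<bool>` is only understandable once you know that main() maps `None` to `false`. A doc comment such as `/// Accept any upstream port >= 1024 in addition to `allowed_ports`; absent or false keeps the relay limited to the list.` would state that contract at the definition, and the matching `anonymized_dns_allow_non_reserved_ports: bool` field added to `Globals` in the next hunk deserves the same line. Whether this struct is deserialized through serde is not visible here; if it is, `#[serde(default)]` on a plain `bool` would remove both the `Option` and the separate `unwrap_or(false)` in main().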
|
||||
|
||||
|
|
|
@ -42,6 +42,7 @@ pub struct Globals {
|
|||
pub blacklist: Option<BlackList>,
|
||||
pub anonymized_dns_enabled: bool,
|
||||
pub anonymized_dns_allowed_ports: Vec<u16>,
|
||||
pub anonymized_dns_allow_non_reserved_ports: bool,
|
||||
pub anonymized_dns_blacklisted_ips: Vec<IpAddr>,
|
||||
#[cfg(feature = "metrics")]
|
||||
#[derivative(Debug = "ignore")]
|
||||
|
|
24
src/main.rs
24
src/main.rs
|
@ -615,15 +615,20 @@ fn main() -> Result<(), Error> {
|
|||
.map_err(|e| format_err!("Unable to load the blacklist [{:?}]: [{}]", path, e))?,
|
||||
),
|
||||
};
|
||||
let (anonymized_dns_enabled, anonymized_dns_allowed_ports, anonymized_dns_blacklisted_ips) =
|
||||
match config.anonymized_dns {
|
||||
None => (false, vec![], vec![]),
|
||||
Some(anonymized_dns) => (
|
||||
anonymized_dns.enabled,
|
||||
anonymized_dns.allowed_ports,
|
||||
anonymized_dns.blacklisted_ips,
|
||||
),
|
||||
};
|
||||
let (
|
||||
anonymized_dns_enabled,
|
||||
anonymized_dns_allowed_ports,
|
||||
anonymized_dns_allow_non_reserved_ports,
|
||||
anonymized_dns_blacklisted_ips,
|
||||
) = match config.anonymized_dns {
|
||||
None => (false, vec![], false, vec![]),
|
||||
Some(anonymized_dns) => (
|
||||
anonymized_dns.enabled,
|
||||
anonymized_dns.allowed_ports,
|
||||
anonymized_dns.allow_non_reserved_ports.unwrap_or(false),
|
||||
anonymized_dns.blacklisted_ips,
|
||||
),
|
||||
};
|
||||
|
||||
let globals = Arc::new(Globals {
|
||||
runtime: runtime.clone(),
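Review bot: The default for the new option is spelled out twice in the rewritten `match` — `false` in the `None` arm and `unwrap_or(false)` in the `Some` arm — with nothing recording that `false` is the deliberate conservative choice. Either hoist it into one place (for example a `const ALLOW_NON_RESERVED_PORTS_DEFAULT: bool = false;` next to the match, used in both arms) or annotate the `Some` arm with `// unset -> false: never widen the upstream port allow-list unless the operator opts in`. main() starts and ends outside the hunk.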
|
||||
|
@ -655,6 +660,7 @@ fn main() -> Result<(), Error> {
|
|||
blacklist,
|
||||
anonymized_dns_enabled,
|
||||
anonymized_dns_allowed_ports,
|
||||
anonymized_dns_allow_non_reserved_ports,
|
||||
anonymized_dns_blacklisted_ips,
|
||||
#[cfg(feature = "metrics")]
|
||||
varz: Varz::default(),
|
||||
|
|