-rw-r--r--network/dnscrypt-proxy/README2
-rw-r--r--network/dnscrypt-proxy/README.Slackware34
-rw-r--r--network/dnscrypt-proxy/dnscrypt-proxy.SlackBuild72
-rw-r--r--network/dnscrypt-proxy/dnscrypt-proxy.conf244
-rw-r--r--network/dnscrypt-proxy/dnscrypt-proxy.default32
-rw-r--r--network/dnscrypt-proxy/dnscrypt-proxy.info10
-rw-r--r--network/dnscrypt-proxy/dnscrypt-proxy.logrotate9
-rw-r--r--network/dnscrypt-proxy/dnscrypt-proxy.toml512
-rw-r--r--network/dnscrypt-proxy/doinst.sh3
-rw-r--r--network/dnscrypt-proxy/poly1305.patch20
-rw-r--r--network/dnscrypt-proxy/rc.dnscrypt-proxy53
-rw-r--r--network/dnscrypt-proxy/slack-desc2
12 files changed, 629 insertions, 364 deletions
diff --git a/network/dnscrypt-proxy/README b/network/dnscrypt-proxy/README
index 5ec190cc0e82f..b55a58cae97ef 100644
--- a/network/dnscrypt-proxy/README
+++ b/network/dnscrypt-proxy/README
@@ -8,5 +8,3 @@ definitely want to change this.
Be sure to read README.Slackware for information on configuring/running
dnscrypt-proxy as a daemon!
-
-Optional dependency: ldns
diff --git a/network/dnscrypt-proxy/README.Slackware b/network/dnscrypt-proxy/README.Slackware
index 6af60acaab9a2..b5a6388c563f5 100644
--- a/network/dnscrypt-proxy/README.Slackware
+++ b/network/dnscrypt-proxy/README.Slackware
@@ -1,21 +1,22 @@
A. Setup
An init script and configuration file have been provided to run dnscrypt-proxy
-as a daemon. To configure dnscrypt-proxy, edit /etc/dnscrypt-proxy.conf with
-the desired settings. By default dnscrypt-proxy will use a random DNS server
-and will run on localhost (127.0.0.1), port 53.
+as a daemon. To configure dnscrypt-proxy, edit
+/etc/dnscrypt-proxy/dnscrypt-proxy.toml with the desired settings. By default
+dnscrypt-proxy will use a random DNS server and will run on localhost
+(127.0.0.1), port 53.
-The configuration file is setup to use a dnscrypt user by default, and to
-chroot into that user's home directory to maximize security. In order to use
-the default configuration you should create a dnscrypt user and group with the
-following commands:
+The configuration file is setup to use a dnscrypt user by default. In order to
+use the default configuration you should create a dnscrypt user and group with
+the following commands:
groupadd -g 293 dnscrypt
useradd -u 293 -g 293 -c "DNSCrypt" -d /run/dnscrypt -s /bin/false dnscrypt
-If you decide to use another user you should edit the CHROOTDIR option in
-/etc/default/dnscrypt-proxy and the User setting in /etc/dnscrypt-proxy.conf
-(there are example settings provided for the user 'nobody').
+If you decide to use another user you should edit the USER setting in
+/etc/default/dnscrypt-proxy and the user_name setting in
+/etc/dnscrypt-proxy/dnscrypt-proxy.toml (there are example settings provided
+for the user 'nobody').
In order to send all DNS requests through dnscrypt-proxy, you will need to
update /etc/resolv.conf to point to localhost. If using dhcpcd, the easiest way
@@ -44,13 +45,14 @@ To properly stop dnscrypt-proxy on system shutdown, add the following to
B. DNS Cache
-dnscrypt-proxy provides limited control over how it caches DNS queries. In
-order to minimize the number of external DNS lookups, you can also run a local
-caching DNS server. A sample configuration for dnsmasq (included with
-Slackware) is provided at /usr/doc/dnscrypt-proxy-@VERSION@/dnsmasq.conf. A
-sample configuration for bind/named that also does local DNSSEC validation (if
+dnscrypt-proxy provides control over how it caches DNS queries via its
+configuration file. However, you can also run your own local caching DNS
+server. A sample configuration for dnsmasq (included with Slackware) is
+provided at /usr/doc/dnscrypt-proxy-@VERSION@/dnsmasq.conf. A sample
+configuration for bind/named that also does local DNSSEC validation (if
supported by the upstream DNS server) is also provided at
/usr/doc/dnscrypt-proxy-@VERSION@/named.conf. Both configurations run on port
53, forwarding lookups to dnscrypt-proxy running on port 55. In order to use
these configurations you will need to change the port dnscrypt-proxy runs on in
-/etc/dnscrypt-proxy.conf.
+/etc/dnscrypt-proxy/dnscrypt-proxy.toml. If you perform your own DNS caching,
+it makes sense to disable dnscrypt-proxy's caching in its configuration file.
diff --git a/network/dnscrypt-proxy/dnscrypt-proxy.SlackBuild b/network/dnscrypt-proxy/dnscrypt-proxy.SlackBuild
index 0c42db33b66ee..696bd0950e659 100644
--- a/network/dnscrypt-proxy/dnscrypt-proxy.SlackBuild
+++ b/network/dnscrypt-proxy/dnscrypt-proxy.SlackBuild
@@ -2,7 +2,7 @@
# Slackware build script for dnscrypt-proxy
-# Copyright 2017 T3slider <t3slider@gmail.com>
+# Copyright 2018 T3slider <t3slider@gmail.com>
# All rights reserved.
#
# Redistribution and use of this script, with or without modification, is
@@ -22,16 +22,18 @@
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-# Thanks to Larry Hajali for work on README.Slackware, some configure options,
-# the basis for the sample dnsmasq configuration, the logrotate configuration,
-# and the idea for an init script. His contributions significantly improved the
-# value of this script!
+# Thanks to Larry Hajali for work on README.Slackware, the basis for the sample
+# dnsmasq configuration, and the idea for an init script. His contributions
+# significantly improved the value of this script!
PRGNAM=dnscrypt-proxy
-VERSION=${VERSION:-1.9.5}
+VERSION=${VERSION:-2.0.16}
BUILD=${BUILD:-1}
TAG=${TAG:-_SBo}
+DOMAIN=github.com
+ORG=jedisct1
+
if [ -z "$ARCH" ]; then
case "$( uname -m )" in
i?86) ARCH=i586 ;;
@@ -46,16 +48,12 @@ PKG=$TMP/package-$PRGNAM
OUTPUT=${OUTPUT:-/tmp}
if [ "$ARCH" = "i586" ]; then
- SLKCFLAGS="-O2 -march=i586 -mtune=i686"
LIBDIRSUFFIX=""
elif [ "$ARCH" = "i686" ]; then
- SLKCFLAGS="-O2 -march=i686 -mtune=i686"
LIBDIRSUFFIX=""
elif [ "$ARCH" = "x86_64" ]; then
- SLKCFLAGS="-O2 -fPIC"
LIBDIRSUFFIX="64"
else
- SLKCFLAGS="-O2"
LIBDIRSUFFIX=""
fi
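Review bot: With the SLKCFLAGS assignments removed, LIBDIRSUFFIX is the only thing this if/elif chain still sets, and none of the remaining hunks references it (the `--libdir=/usr/lib${LIBDIRSUFFIX}` configure flag is gone and the binary is installed to /usr/sbin). If nothing outside the visible hunks uses it either, the block can be dropped, or kept with a one-line comment such as `# LIBDIRSUFFIX is unused for this Go build; kept for SlackBuild template consistency` so a reader does not go looking for a consumer.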
@@ -65,8 +63,11 @@ rm -rf $PKG
mkdir -p $TMP $PKG $OUTPUT
cd $TMP
rm -rf $PRGNAM-$VERSION
-tar xvf $CWD/$PRGNAM-$VERSION.tar.bz2
-cd $PRGNAM-$VERSION
+mkdir -p $PRGNAM-$VERSION/src/$DOMAIN/$ORG
+cd $PRGNAM-$VERSION/src/$DOMAIN/$ORG
+tar xvf $CWD/$PRGNAM-$VERSION.tar.gz
+mv $PRGNAM-$VERSION $PRGNAM
+cd $PRGNAM
chown -R root:root .
find -L . \
\( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \
@@ -74,39 +75,30 @@ find -L . \
\( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
-o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;
-CFLAGS="$SLKCFLAGS" \
-CXXFLAGS="$SLKCFLAGS" \
-./configure \
- --prefix=/usr \
- --libdir=/usr/lib${LIBDIRSUFFIX} \
- --sysconfdir=/etc \
- --localstatedir=/var \
- --mandir=/usr/man \
- --docdir=/usr/doc/$PRGNAM-$VERSION \
- --enable-plugins \
- --enable-plugins-root \
- --enable-static=no \
- --disable-ltdl-install \
- --without-included-ltdl \
- --build=$ARCH-slackware-linux
-
-make
-make install-strip DESTDIR=$PKG
-
-find $PKG/usr/man -type f -exec gzip -9 {} \;
-for i in $( find $PKG/usr/man -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done
-
-mkdir -p $PKG/var/{run,log}/$PRGNAM $PKG/etc/default
-chmod 0700 $PKG/var/{run,log}/$PRGNAM
+# Error compiling with go 1.11; fixed in dnscrypt-proxy master but not in the
+# latest release
+patch -p1 < $CWD/poly1305.patch
+
+export GOPATH="$TMP/$PRGNAM-$VERSION"
+
+go install -a -x ./...
+
+mkdir -p $PKG/usr/sbin
+
+install -m 755 "$TMP/$PRGNAM-$VERSION/bin/${PRGNAM}" $PKG/usr/sbin/${PRGNAM}
+
+find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \
+ | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
+
+mkdir -p $PKG/var/log/$PRGNAM $PKG/etc/default $PKG/etc/$PRGNAM
+chmod 0700 $PKG/var/log/$PRGNAM
sed "s/@VERSION@/$VERSION/" $CWD/$PRGNAM.default > $PKG/etc/default/$PRGNAM.new
install -D -m 0755 $CWD/rc.$PRGNAM $PKG/etc/rc.d/rc.$PRGNAM.new
-rm -f $PKG/etc/$PRGNAM.conf
-install -D -m 0644 $CWD/$PRGNAM.conf $PKG/etc/$PRGNAM.conf.new
-install -D -m 0644 $CWD/$PRGNAM.logrotate $PKG/etc/logrotate.d/$PRGNAM.new
+install -D -m 0644 $CWD/$PRGNAM.toml $PKG/etc/$PRGNAM/$PRGNAM.toml.new
mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
cp -a \
- AUTHORS ChangeLog INSTALL NEWS README THANKS \
+ ChangeLog LICENSE README.md utils $PRGNAM/example-* \
$PKG/usr/doc/$PRGNAM-$VERSION
sed "s/@VERSION@/$VERSION/g" $CWD/README.Slackware > $PKG/usr/doc/$PRGNAM-$VERSION/README.Slackware
cat $CWD/dnsmasq.conf > $PKG/usr/doc/$PRGNAM-$VERSION/dnsmasq.conf
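Review bot: The packaged /var/run/dnscrypt-proxy directory is dropped here (the old `mkdir -p $PKG/var/{run,log}/$PRGNAM` line becomes `mkdir -p $PKG/var/log/$PRGNAM ...`), while dnscrypt-proxy.default in the same commit sets PIDFILE[0] to /run/dnscrypt-proxy/dnscrypt-proxy-0.pid, so the pid directory now has to be created at start-up; rc.dnscrypt-proxy is changed in this commit but its hunks are not in view, so I would confirm it creates that directory and gives it to USER before launching the daemon, otherwise the first start fails. In the same hunk, `chmod 0700 $PKG/var/log/$PRGNAM` leaves a root-owned log directory while the toml logs to /var/log/dnscrypt-proxy/dnscrypt-proxy.log and drops to user_name = 'dnscrypt'; whether the root supervisor or the unprivileged child opens that file is not visible here, so it is worth a quick check that logging survives the privilege drop. Finally, `go install -a -x ./...` with GOPATH pointed at $TMP builds whatever the tarball contains; a comment stating whether the release vendors its dependencies (so the build needs no network access and is reproducible from the MD5-checked tarball alone) would help the next maintainer, e.g. `# Dependencies are vendored in the release tarball; the build must not need network access`, adjusted if that is not the case for 2.0.16.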
diff --git a/network/dnscrypt-proxy/dnscrypt-proxy.conf b/network/dnscrypt-proxy/dnscrypt-proxy.conf
deleted file mode 100644
index cfd6a750d57a7..0000000000000
--- a/network/dnscrypt-proxy/dnscrypt-proxy.conf
+++ /dev/null
@@ -1,244 +0,0 @@
-######################################################
-# #
-# Sample configuration file for dnscrypt-proxy #
-# #
-######################################################
-
-
-############## Resolver settings ##############
-
-## [CHANGE THIS] Short name of the resolver to use
-## Usually the only thing you need to change in this configuration file.
-## This corresponds to the first column in the dnscrypt-resolvers.csv file.
-## Alternatively, "random" (without quotes) picks a random random resolver
-## accessible over IPv4, that doesn't log and supports DNSSEC.
-
-ResolverName random
-
-
-## Full path to the list of available DNSCrypt resolvers (dnscrypt-resolvers.csv)
-## An up-to-date list is available here:
-## https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-resolvers.csv
-## and the dnscrypt-update-resolvers.sh script can be used in order to
-## automatically download and verify updates.
-
-# ResolversList /usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv
-
-
-## Manual settings, only for a custom resolver not present in the CSV file
-
-# ProviderName 2.dnscrypt.resolver.example
-# ProviderKey E801:B84E:A606:BFB0:BAC0:CE43:445B:B15E:BA64:B02F:A3C4:AA31:AE10:636A:0790:324D
-# ResolverAddress 203.0.113.1:443
-
-
-
-############## Process options ##############
-
-## [NOT AVAILABLE ON WINDOWS] Run the proxy as a background process.
-## Unless you are using systemd, you probably want to change this to "yes"
-## after having verified that the rest of the configuration works as expected.
-
-Daemonize yes
-
-
-## Write the PID number to a file
-
-PidFile /var/run/dnscrypt-proxy/dnscrypt-proxy-0.pid
-
-
-## [NOT AVAILABLE ON WINDOWS] Start the process, bind the required ports, and
-## run the server as a less-privileged system user.
-## The value for this parameter is a user name.
-
-# User nobody
-User dnscrypt
-
-
-
-############## Network/protocol settings ##############
-
-## Local address and port to listen to.
-## A 127.0.0.x address is recommended for local use, but 0.0.0.0 or
-## a specific interface address can be used on a router, or to
-## configure a single machine to act as a DNS proxy for different
-## devices.
-## If the socket is created by systemd, the proxy cannot change the address
-## using this option. You should edit systemd's dnscrypt-proxy.socket file
-## instead.
-
-LocalAddress 127.0.0.1:53
-
-
-## Cache DNS responses to avoid outgoing traffic when the same queries
-## are repeated multiple times in a row.
-
-LocalCache on
-
-
-## Creates a new key pair for every query.
-## This prevents logging servers from correlating client public keys with
-## IP addresses. However, this option implies extra CPU load, and is not
-## very useful with trusted/non-logging servers.
-
-EphemeralKeys off
-
-
-## Maximum number of active requests waiting for a response.
-## Keep it reasonable relative to the expected number of clients.
-
-# MaxActiveRequests 250
-
-
-## This is the maximum payload size allowed when using the UDP protocol.
-## The default is safe, and rarely needs to be changed.
-
-# EDNSPayloadSize 1252
-
-
-## Ignore the time stamps when checking the certificates
-## Do not enable this option ever, unless you know that you need it.
-
-# IgnoreTimestamps no
-
-
-## Do not send queries using UDP. Only use TCP.
-## Even if some resolvers mitigate this, DNS over TCP is almost always slower
-## than UDP and doesn't offer additional security.
-## Only enable this option if UDP doesn't work on your network.
-
-# TCPOnly no
-
-
-## Forward queries for specific zones to one or more non-DNSCrypt resolvers.
-## For instance, this can be used to redirect queries for local domains to
-## the router, or queries for an internal domain to an internal DNS server.
-## Multiple whitespace-delimited zones and IP addresses can be specified.
-## Do not enable this unless you absolutely know you need it.
-## If you see useless queries to these zones, you'd better block them with
-## the BlackList feature instead of sending them in clear text to the router.
-## This uses a plugin that requires dnscrypt-proxy to be compiled with
-## the ldns library.
-
-# Forward domains:"test private localdomain lan" to:"192.168.100.254"
-
-
-############## Logging ##############
-
-## Log the received DNS queries to a file, so you can watch in real-time what
-## is happening on the network.
-## The value for this parameter is a full path to the log file.
-## The file name can be prefixed with ltsv: in order to store logs using the
-## LTSV format (ex: ltsv:/tmp/dns-queries.log).
-
-# QueryLogFile /tmp/dns-queries.log
-
-
-## Log file to write server errors and information to.
-## If you use this tool for privacy, keeping logs of any kind is usually not
-## a good idea.
-
-LogFile /var/log/dnscrypt-proxy/dnscrypt-proxy.log
-
-
-## Don't log events with priority above this log level after the service has
-## been started up. Default is 6.
-## Valid values are between 0 (critical) to 7 (debug-level messages).
-
-# LogLevel 6
-
-
-## [NOT AVAILABLE ON WINDOWS] Send server logs to the syslog daemon
-## Log entries can optionally be prefixed with a string.
-
-# Syslog off
-# SyslogPrefix dnscrypt
-
-
-
-############## Local filtering ##############
-
-## If your network doesn't support IPv6, chances are that your
-## applications are still constantly trying to resolve IPv6 addresses,
-## causing unnecessary slowdowns.
-## This causes the proxy to immediately reply to IPv6 requests,
-## without having to send a useless request to upstream resolvers, and
-## having to wait for a response.
-## This uses a plugin that requires dnscrypt-proxy to be compiled with
-## the ldns library.
-
-BlockIPv6 no
-
-
-## Want to filter ads, malware, sensitive or inappropriate websites and
-## domain names? This feature can block lists of IP addresses and names
-## matching a list of patterns. The list of rules remains private, and
-## the filtering process directly happens on your own network. In order
-## to filter IP addresses, the list of IPs has to be put into a text
-## file, with one IP address per line. Lists of domain names can also be
-## blocked as well. Put the list into a text file, one domain per line.
-## Domains can include wildcards (*) in order to match patterns. For
-## example *sex* will match any name that contains the sex substring, and
-## ads.* will match anything starting with ads. The Internet has plenty
-## of free feeds of IP addresses and domain names used for malware,
-## phishing and spam that you can use with this feature.
-##
-## This uses a plugin that requires dnscrypt-proxy to be compiled with
-## the ldns library.
-##
-## To enable, uncomment one of the following definitions:
-
-## Block query names matching the rules stored in that file:
-# BlackList domains:"/etc/dnscrypt-blacklist-domains.txt"
-
-## Block responses whose IP addresses match IPs stored in that file:
-# BlackList ips:"/etc/dnscrypt-blacklist-ips.txt"
-
-## Block both domain names and IP addresses:
-# BlackList domains:"/etc/dnscrypt-blacklist-domains.txt" ips:"/etc/dnscrypt-blacklist-ips.txt"
-
-## Same as the above + log the blocked queries in a file.
-## The log file can be prefixed with ltsv: (ex: ltsv:/tmp/log.txt) in order to
-## store logs using the LTSV format.
-# BlackList domains:"/etc/dnscrypt-blacklist-domains.txt" logfile:"/var/log/dnscrypt-blocked.log"
-# BlackList ips:"/etc/dnscrypt-blacklist-ips.txt" logfile:"/var/log/dnscrypt-blocked.log"
-# BlackList domains:"/etc/dnscrypt-blacklist-domains.txt" ips:"/etc/dnscrypt-blacklist-ips.txt" logfile:"/var/log/dnscrypt-blocked.log"
-
-
-
-############## User identification ##############
-
-## Use a client public key for identification
-## By default, the client uses a randomized key pair in order to make tracking
-## more difficult. This option does the opposite and uses a static key pair, so
-## that DNS providers can offer premium services to queries signed with a known
-## set of public keys. A client cannot decrypt the received responses without
-## also knowing the secret key.
-## The value for this property is the path to a file containing the secret key,
-## encoded as a hexadecimal string. The corresponding public key is computed
-## automatically.
-
-# ClientKey /etc/dnscrypt-client-secret.key
-
-
-
-############## Monitoring ##############
-
-## Do not actually start the proxy, but check that a valid certificate can be
-## retrieved from the server and that it will remain valid for the specified
-## time period. The process exit code is 0 if a valid certificate can be used,
-## 2 if no valid certificates can be used, 3 if a timeout occurred, and 4 if a
-## currently valid certificate is going to expire before the given margin.
-## Useful in a cron job to monitor your own dnscrypt-servers.
-## The margin is specified in minutes.
-
-# Test 2880
-
-
-
-############## Recursive configuration ##############
-
-## A configuration file can include other configuration files by inserting
-## the `Include` directive anywhere (the full path required, no quotes):
-
-# Include /etc/dnscrypt-proxy-common.conf
diff --git a/network/dnscrypt-proxy/dnscrypt-proxy.default b/network/dnscrypt-proxy/dnscrypt-proxy.default
index 3979212adec4a..112202cc9ea2b 100644
--- a/network/dnscrypt-proxy/dnscrypt-proxy.default
+++ b/network/dnscrypt-proxy/dnscrypt-proxy.default
@@ -3,20 +3,28 @@
# This file contains additional configuration settings for dnscrypt-proxy
# (primary configuration belongs in the dnscrypt-proxy configuration file).
# This file supports configuring and running multiple instances (see the bottom
-# of this file for a sample secondary configuration).
-
-# CHROOTDIR should be the same path as the daemon user's home directory. For
-# the standard dnscrypt user this should be "/run/dnscrypt". For nobody, this
-# should be "/".
-CHROOTDIR[0]="/run/dnscrypt"
-#CHROOTDIR[0]="/"
+# of this file for a sample secondary configuration). However, note that
+# dnscrypt-proxy now automatically provides redundancy based on a pool of
+# available servers in its own configuration file. Under normal circumstances
+# you would only ever need one active configuration in this file, but support
+# for multiple independent servers has been maintained in case you have a need
+# for segregation of upstream servers.
# DNSCRYPTCONFIG should be the path to the dnscrypt-proxy configuration file
-# for the given instance. Note that PidFile must be defined in the config for
-# the rc.dnscrypt start/stop script to function properly!
-DNSCRYPTCONFIG[0]="/etc/dnscrypt-proxy.conf"
+# for the given instance.
+DNSCRYPTCONFIG[0]="/etc/dnscrypt-proxy/dnscrypt-proxy.toml"
+
+# The pid file for this instance. PIDFILE must always be specified for each
+# instance!
+PIDFILE[0]="/run/dnscrypt-proxy/dnscrypt-proxy-0.pid"
+
+# The user to run the daemon. This should be the same user specified in the
+# config.
+#USER[0]="nobody"
+USER[0]="dnscrypt"
# A simple example configuration for a second instance (note that this would
# require a new dnscrypt-proxy configuration file)
-#CHROOTDIR[1]="/run/dnscrypt"
-#DNSCRYPTCONFIG[1]="/etc/dnscrypt-proxy-1.conf"
+#DNSCRYPTCONFIG[1]="/etc/dnscrypt-proxy/dnscrypt-proxy-1.toml"
+#PIDFILE[1]="/run/dnscrypt-proxy/dnscrypt-proxy-1.pid"
+#USER[1]="dnscrypt"
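Review bot: USER[0] duplicates the user_name setting in dnscrypt-proxy.toml and the new comment only says they "should be the same", without stating what rc.dnscrypt-proxy uses USER for or what breaks on a mismatch; since the CHROOTDIR isolation is removed in this same hunk, privilege separation now rests entirely on these two settings agreeing, so the comment should be explicit, e.g. `# USER must match user_name in the toml: the rc script uses it for file ownership, while the daemon itself drops privileges to user_name` (the rc script is not in the visible hunks, so confirm that is what it does). It would also help to add a one-line comment recording that the chroot option was deliberately dropped and that isolation now relies on the unprivileged user_name alone, so nobody re-adds CHROOTDIR expecting it to be honoured.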
diff --git a/network/dnscrypt-proxy/dnscrypt-proxy.info b/network/dnscrypt-proxy/dnscrypt-proxy.info
index 67ec5b56e1cf1..da40844bfa518 100644
--- a/network/dnscrypt-proxy/dnscrypt-proxy.info
+++ b/network/dnscrypt-proxy/dnscrypt-proxy.info
@@ -1,10 +1,10 @@
PRGNAM="dnscrypt-proxy"
-VERSION="1.9.5"
-HOMEPAGE="https://www.opendns.com/"
-DOWNLOAD="https://sources.lede-project.org/dnscrypt-proxy-1.9.5.tar.bz2"
-MD5SUM="0c356411ae4b1d984eacc452d033ff76"
+VERSION="2.0.16"
+HOMEPAGE="https://github.com/jedisct1/dnscrypt-proxy"
+DOWNLOAD="https://github.com/jedisct1/dnscrypt-proxy/archive/2.0.16/dnscrypt-proxy-2.0.16.tar.gz"
+MD5SUM="2155eff38ed4062aa3dcbb823c840a69"
DOWNLOAD_x86_64=""
MD5SUM_x86_64=""
-REQUIRES="libsodium"
+REQUIRES="google-go-lang"
MAINTAINER="T3slider"
EMAIL="t3slider@gmail.com"
diff --git a/network/dnscrypt-proxy/dnscrypt-proxy.logrotate b/network/dnscrypt-proxy/dnscrypt-proxy.logrotate
deleted file mode 100644
index 884ad989e1337..0000000000000
--- a/network/dnscrypt-proxy/dnscrypt-proxy.logrotate
+++ /dev/null
@@ -1,9 +0,0 @@
-/var/log/dnscrypt-proxy/*log {
- weekly
- rotate 7
- copytruncate
- delaycompress
- compress
- notifempty
- missingok
-}
diff --git a/network/dnscrypt-proxy/dnscrypt-proxy.toml b/network/dnscrypt-proxy/dnscrypt-proxy.toml
new file mode 100644
index 0000000000000..0341cbed712f7
--- /dev/null
+++ b/network/dnscrypt-proxy/dnscrypt-proxy.toml
@@ -0,0 +1,512 @@
+
+##############################################
+# #
+# dnscrypt-proxy configuration #
+# #
+##############################################
+
+## This is an example configuration file.
+## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml"
+##
+## Online documentation is available here: https://dnscrypt.info/doc
+
+
+
+##################################
+# Global settings #
+##################################
+
+## List of servers to use
+##
+## Servers from the "public-resolvers" source (see down below) can
+## be viewed here: https://dnscrypt.info/public-servers
+##
+## If this line is commented, all registered servers matching the require_* filters
+## will be used.
+##
+## The proxy will automatically pick the fastest, working servers from the list.
+## Remove the leading # first to enable this; lines starting with # are ignored.
+
+# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
+
+
+## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
+## Note: When using systemd socket activation, choose an empty set (i.e. [] ).
+
+listen_addresses = ['127.0.0.1:53', '[::1]:53']
+
+
+## Maximum number of simultaneous client connections to accept
+
+max_clients = 250
+
+
+## Switch to a non-privileged system user after listening sockets have been created.
+## Two processes will be running.
+## The first one will keep root privileges, but is only a supervisor, that does nothing
+## except create the sockets, manage the service, and restart it if it crashes.
+## The second process is the service itself, and that one will always run as a different
+## user.
+## Note (1): this feature is currently unsupported on Windows.
+## Note (2): this feature is not compatible with systemd socket activation.
+
+# user_name = 'nobody'
+user_name = 'dnscrypt'
+
+
+## Require servers (from static + remote sources) to satisfy specific properties
+
+# Use servers reachable over IPv4
+ipv4_servers = true
+
+# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
+ipv6_servers = false
+
+# Use servers implementing the DNSCrypt protocol
+dnscrypt_servers = true
+
+# Use servers implementing the DNS-over-HTTPS protocol
+doh_servers = true
+
+
+## Require servers defined by remote sources to satisfy specific properties
+
+# Server must support DNS security extensions (DNSSEC)
+require_dnssec = false
+
+# Server must not log user queries (declarative)
+require_nolog = true
+
+# Server must not enforce its own blacklist (for parental control, ads blocking...)
+require_nofilter = true
+
+
+## Always use TCP to connect to upstream servers.
+## This can be can be useful if you need to route everything through Tor.
+## Otherwise, leave this to `false`, as it doesn't improve security
+## (dnscrypt-proxy will always encrypt everything even using UDP), and can
+## only increase latency.
+
+force_tcp = false
+
+
+## HTTP / SOCKS proxy
+## Uncomment the following line to route all TCP connections to a local Tor node
+## Tor doesn't support UDP, so set `force_tcp` to `true` as well.
+
+# proxy = "socks5://127.0.0.1:9050"
+
+
+
+## How long a DNS query will wait for a response, in milliseconds
+
+timeout = 2500
+
+
+## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds
+
+keepalive = 30
+
+
+## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random'
+
+# lb_strategy = 'p2'
+
+
+## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)
+
+# log_level = 2
+
+
+## log file for the application
+
+# log_file = 'dnscrypt-proxy.log'
+log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log'
+
+
+## Use the system logger (syslog on Unix, Event Log on Windows)
+
+# use_syslog = true
+
+
+## Delay, in minutes, after which certificates are reloaded
+
+cert_refresh_delay = 240
+
+
+## DNSCrypt: Create a new, unique key for every single DNS query
+## This may improve privacy but can also have a significant impact on CPU usage
+## Only enable if you don't have a lot of network load
+
+# dnscrypt_ephemeral_keys = false
+
+
+## DoH: Disable TLS session tickets - increases privacy but also latency
+
+# tls_disable_session_tickets = false
+
+
+## DoH: Use a specific cipher suite instead of the server preference
+## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+##
+## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
+## the following suite improves performance.
+## This may also help on Intel CPUs running 32-bit operating systems.
+##
+## Keep tls_cipher_suite empty if you have issues fetching sources or
+## connecting to some DoH servers. Google and Cloudflare are fine with it.
+
+# tls_cipher_suite = [52392, 49199]
+
+
+## Fallback resolver
+## This is a normal, non-encrypted DNS resolver, that will be only used
+## for one-shot queries when retrieving the initial resolvers list, and
+## only if the system DNS configuration doesn't work.
+## No user application queries will ever be leaked through this resolver,
+## and it will not be used after IP addresses of resolvers URLs have been found.
+## It will never be used if lists have already been cached, and if stamps
+## don't include host names without IP addresses.
+## It will not be used if the configured system DNS works.
+## A resolver supporting DNSSEC is recommended. This may become mandatory.
+##
+## People in China may need to use 114.114.114.114:53 here.
+## Other popular options include 8.8.8.8 and 1.1.1.1.
+
+fallback_resolver = '9.9.9.9:53'
+
+
+## Never let dnscrypt-proxy try to use the system DNS settings;
+## unconditionally use the fallback resolver.
+
+ignore_system_dns = false
+
+
+## Maximum time (in seconds) to wait for network connectivity before
+## initializing the proxy.
+## Useful if the proxy is automatically started at boot, and network
+## connectivity is not guaranteed to be immediately available.
+## Use 0 to disable.
+
+netprobe_timeout = 30
+
+
+## Offline mode - Do not use any remote encrypted servers.
+## The proxy will remain fully functional to respond to queries that
+## plugins can handle directly (forwarding, cloaking, ...)
+
+# offline_mode = false
+
+
+## Automatic log files rotation
+
+# Maximum log files size in MB
+log_files_max_size = 10
+
+# How long to keep backup files, in days
+log_files_max_age = 7
+
+# Maximum log files backups to keep (or 0 to keep all backups)
+log_files_max_backups = 1
+
+
+
+#########################
+# Filters #
+#########################
+
+## Immediately respond to IPv6-related queries with an empty response
+## This makes things faster when there is no IPv6 connectivity, but can
+## also cause reliability issues with some stub resolvers.
+## Do not enable if you added a validating resolver such as dnsmasq in front
+## of the proxy.
+
+block_ipv6 = false
+
+
+
+##################################################################################
+# Route queries for specific domains to a dedicated set of servers #
+##################################################################################
+
+## Example map entries (one entry per line):
+## example.com 9.9.9.9
+## example.net 9.9.9.9,8.8.8.8,1.1.1.1
+
+# forwarding_rules = 'forwarding-rules.txt'
+
+
+
+###############################
+# Cloaking rules #
+###############################
+
+## Cloaking returns a predefined address for a specific name.
+## In addition to acting as a HOSTS file, it can also return the IP address
+## of a different name. It will also do CNAME flattening.
+##
+## Example map entries (one entry per line)
+## example.com 10.1.1.1
+## www.google.com forcesafesearch.google.com
+
+# cloaking_rules = 'cloaking-rules.txt'
+
+
+
+###########################
+# DNS cache #
+###########################
+
+## Enable a DNS cache to reduce latency and outgoing traffic
+
+cache = true
+
+
+## Cache size
+
+cache_size = 512
+
+
+## Minimum TTL for cached entries
+
+cache_min_ttl = 600
+
+
+## Maximum TTL for cached entries
+
+cache_max_ttl = 86400
+
+
+## Minimum TTL for negatively cached entries
+
+cache_neg_min_ttl = 60
+
+
+## Maximum TTL for negatively cached entries
+
+cache_neg_max_ttl = 600
+
+
+
+###############################
+# Query logging #
+###############################
+
+## Log client queries to a file
+
+[query_log]
+
+ ## Path to the query log file (absolute, or relative to the same directory as the executable file)
+
+ # file = 'query.log'
+
+
+ ## Query log format (currently supported: tsv and ltsv)
+
+ format = 'tsv'
+
+
+ ## Do not log these query types, to reduce verbosity. Keep empty to log everything.
+
+ # ignored_qtypes = ['DNSKEY', 'NS']
+
+
+
+############################################
+# Suspicious queries logging #
+############################################
+
+## Log queries for nonexistent zones
+## These queries can reveal the presence of malware, broken/obsolete applications,
+## and devices signaling their presence to 3rd parties.
+
+[nx_log]
+
+ ## Path to the query log file (absolute, or relative to the same directory as the executable file)
+
+ # file = 'nx.log'
+
+
+ ## Query log format (currently supported: tsv and ltsv)
+
+ format = 'tsv'
+
+
+
+######################################################
+# Pattern-based blocking (blacklists) #
+######################################################
+
+## Blacklists are made of one pattern per line. Example of valid patterns:
+##
+## example.com
+## =example.com
+## *sex*
+## ads.*
+## ads*.example.*
+## ads*.example[0-9]*.com
+##
+## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
+## A script to build blacklists from public feeds can be found in the
+## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.
+
+[blacklist]
+
+ ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
+
+ # blacklist_file = 'blacklist.txt'
+
+
+ ## Optional path to a file logging blocked queries
+
+ # log_file = 'blocked.log'
+
+
+ ## Optional log format: tsv or ltsv (default: tsv)
+
+ # log_format = 'tsv'
+
+
+
+###########################################################
+# Pattern-based IP blocking (IP blacklists) #
+###########################################################
+
+## IP blacklists are made of one pattern per line. Example of valid patterns:
+##
+## 127.*
+## fe80:abcd:*
+## 192.168.1.4
+
+[ip_blacklist]
+
+ ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
+
+ # blacklist_file = 'ip-blacklist.txt'
+
+
+ ## Optional path to a file logging blocked queries
+
+ # log_file = 'ip-blocked.log'
+
+
+ ## Optional log format: tsv or ltsv (default: tsv)
+
+ # log_format = 'tsv'
+
+
+
+######################################################
+# Pattern-based whitelisting (blacklists bypass) #
+######################################################
+
+## Whitelists support the same patterns as blacklists
+## If a name matches a whitelist entry, the corresponding session
+## will bypass names and IP filters.
+##
+## Time-based rules are also supported to make some websites only accessible at specific times of the day.
+
+[whitelist]
+
+ ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the executable file)
+
+ # whitelist_file = 'whitelist.txt'
+
+
+ ## Optional path to a file logging whitelisted queries
+
+ # log_file = 'whitelisted.log'
+
+
+ ## Optional log format: tsv or ltsv (default: tsv)
+
+ # log_format = 'tsv'
+
+
+
+##########################################
+# Time access restrictions #
+##########################################
+
+## One or more weekly schedules can be defined here.
+## Patterns in the name-based blocklist can optionally be followed with @schedule_name
+## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
+##
+## For example, the following rule in a blacklist file:
+## *.youtube.* @time-to-sleep
+## would block access to YouTube only during the days, and period of the days
+## define by the 'time-to-sleep' schedule.
+##
+## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
+## {after= '9:00', before='18:00'} matches 9:00-18:00
+
+[schedules]
+
+ # [schedules.'time-to-sleep']
+ # mon = [{after='21:00', before='7:00'}]
+ # tue = [{after='21:00', before='7:00'}]
+ # wed = [{after='21:00', before='7:00'}]
+ # thu = [{after='21:00', before='7:00'}]
+ # fri = [{after='23:00', before='7:00'}]
+ # sat = [{after='23:00', before='7:00'}]
+ # sun = [{after='21:00', before='7:00'}]
+
+ # [schedules.'work']
+ # mon = [{after='9:00', before='18:00'}]
+ # tue = [{after='9:00', before='18:00'}]
+ # wed = [{after='9:00', before='18:00'}]
+ # thu = [{after='9:00', before='18:00'}]
+ # fri = [{after='9:00', before='17:00'}]
+
+
+
+#########################
+# Servers #
+#########################
+
+## Remote lists of available servers
+## Multiple sources can be used simultaneously, but every source
+## requires a dedicated cache file.
+##
+## Refer to the documentation for URLs of public sources.
+##
+## A prefix can be prepended to server names in order to
+## avoid collisions if different sources share the same for
+## different servers. In that case, names listed in `server_names`
+## must include the prefixes.
+##
+## If the `urls` property is missing, cache files and valid signatures
+## must be already present; This doesn't prevent these cache files from
+## expiring after `refresh_delay` hours.
+
+[sources]
+
+ ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
+
+ [sources.'public-resolvers']
+ urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
+ cache_file = 'public-resolvers.md'
+ minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+ refresh_delay = 72
+ prefix = ''
+
+ ## Another example source, with resolvers censoring some websites not appropriate for children
+ ## This is a subset of the `public-resolvers` list, so enabling both is useless
+
+ # [sources.'parental-control']
+ # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md']
+ # cache_file = 'parental-control.md'
+ # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+
+
+
+## Optional, local, static list of additional servers
+## Mostly useful for testing your own servers.
+
+[static]
+
+ # [static.'google']
+ # stamp = 'sdns://AgUAAAAAAAAAAAAOZG5zLmdvb2dsZS5jb20NL2V4cGVyaW1lbnRhbA'
diff --git a/network/dnscrypt-proxy/doinst.sh b/network/dnscrypt-proxy/doinst.sh
index 0dffe8a4a868f..e264e34a560d9 100644
--- a/network/dnscrypt-proxy/doinst.sh
+++ b/network/dnscrypt-proxy/doinst.sh
@@ -24,5 +24,4 @@ preserve_perms() {
preserve_perms etc/rc.d/rc.dnscrypt-proxy.new
config etc/default/dnscrypt-proxy.new
-config etc/dnscrypt-proxy.conf.new
-config etc/logrotate.d/dnscrypt-proxy.new
+config etc/dnscrypt-proxy/dnscrypt-proxy.toml.new
diff --git a/network/dnscrypt-proxy/poly1305.patch b/network/dnscrypt-proxy/poly1305.patch
new file mode 100644
index 0000000000000..f701d6ae2100f
--- /dev/null
+++ b/network/dnscrypt-proxy/poly1305.patch
@@ -0,0 +1,20 @@
+diff --git a/vendor/github.com/aead/poly1305/poly1305_amd64.go b/vendor/github.com/aead/poly1305/poly1305_amd64.go
+index cd1a717..41b630f 100644
+--- a/vendor/github.com/aead/poly1305/poly1305_amd64.go
++++ b/vendor/github.com/aead/poly1305/poly1305_amd64.go
+@@ -7,13 +7,11 @@
+ package poly1305
+
+ import (
++ "golang.org/x/sys/cpu"
+ "io"
+ )
+
+-var useAVX2 = supportsAVX2()
+-
+-//go:noescape
+-func supportsAVX2() bool
++var useAVX2 = cpu.X86.HasAVX2
+
+ //go:noescape
+ func initialize(state *[7]uint64, key *[32]byte)
diff --git a/network/dnscrypt-proxy/rc.dnscrypt-proxy b/network/dnscrypt-proxy/rc.dnscrypt-proxy
index fd747759d1371..1aa68260b904f 100644
--- a/network/dnscrypt-proxy/rc.dnscrypt-proxy
+++ b/network/dnscrypt-proxy/rc.dnscrypt-proxy
@@ -10,39 +10,28 @@ start_instance() {
echo "No configuration for instance $1 found!"
return
fi
- PIDFILE=$(grep -i "^[[:space:]]*PidFile[[:space:]]\+." ${DNSCRYPTCONFIG[$1]} | awk '{print $2}')
- if [ -z ${PIDFILE} ]; then
+ if [ -z ${PIDFILE[$1]} ]; then
echo "No PID configuration for instance $1 found!"
return
fi
- if [ -r ${PIDFILE} ]; then
+ if [ -z ${USER[$1]} ]; then
+ echo "No user configuration for instance $1 found!"
+ return
+ fi
+ if [ -r ${PIDFILE[$1]} ]; then
echo "dnscrypt-proxy (instance $1) already running!"
return
fi
- # dnscrypt-proxy will work without this, but it drops privileges before
- # seeding the PRNG. libevent tries to work around a missing /dev/urandom
- # but it's safer just to make sure it is available in the chroot.
- if [ -n "${CHROOTDIR[$1]}" ]; then
- if [ "$(readlink -f ${CHROOTDIR[$1]})" != "/" ]; then
- if [ ! -d ${CHROOTDIR[$1]} ]; then
- mkdir -p ${CHROOTDIR[$1]}
- chmod 755 ${CHROOTDIR[$1]}
- fi
- if [ ! -d ${CHROOTDIR[$1]}/dev ]; then
- mkdir -p ${CHROOTDIR[$1]}/dev
- chmod 755 ${CHROOTDIR[$1]}/dev
- fi
- if [ ! -c ${CHROOTDIR[$1]}/dev/urandom ]; then
- mknod -m 666 ${CHROOTDIR[$1]}/dev/urandom c 1 9
- fi
- if [ ! -c ${CHROOTDIR[$1]}/dev/random ]; then
- mknod -m 666 ${CHROOTDIR[$1]}/dev/random c 1 8
- fi
- fi
- fi
+ mkdir -p $(dirname ${PIDFILE[$1]})
+ # The child (unprivileged) process needs write access or the PID will not
+ # be written.
+ chmod 0700 $(dirname ${PIDFILE[$1]})
+ chown ${USER[$1]} $(dirname ${PIDFILE[$1]})
- $DAEMON ${DNSCRYPTCONFIG[$1]}
+ # The new Go-based dnscrypt-proxy no longer has the ability to daemonize.
+ # In the absence of a standard Slackware daemon tool we'll use nohup. :(
+ nohup $DAEMON -config ${DNSCRYPTCONFIG[$1]} -pidfile ${PIDFILE[$1]} >> /dev/null 2>&1 &
}
stop_instance() {
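Review bot: The `mkdir -p`/`chmod 0700`/`chown` sequence added for the PID directory unconditionally re-owns and restricts whatever directory contains `${PIDFILE[$1]}`, so an instance whose PID file is configured directly under a shared directory such as /run would have that whole directory chowned to the daemon user and closed to every other service; the removed chroot code carried a `readlink -f ... != "/"` guard against exactly this class of mistake, and the new code has none. Limit the create-and-hand-over step to a directory that does not already exist, and quote the expansions (the `[ -z ${PIDFILE[$1]} ]` and `[ -z ${USER[$1]} ]` tests only pass when empty because a lone `-z` happens to evaluate true). Handing the directory to the unprivileged user also means root later acts on a PID file that user controls; see the stop_instance hunk. The function's opening lines are outside the hunk.
```shell
  piddir=$(dirname "${PIDFILE[$1]}")
  # Only create and hand over a directory dedicated to this instance; never
  # re-own an existing shared directory such as /run.
  if [ ! -d "$piddir" ]; then
    install -d -m 0700 -o "${USER[$1]}" "$piddir"
  fi
  # … unchanged: nohup launch of $DAEMON …
```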
@@ -50,17 +39,16 @@ stop_instance() {
echo "No configuration for instance $1 found!"
return
fi
- PIDFILE=$(grep -i "^[[:space:]]*PidFile[[:space:]]\+." ${DNSCRYPTCONFIG[$1]} | awk '{print $2}')
- if [ -z ${PIDFILE} ]; then
+ if [ -z ${PIDFILE[$1]} ]; then
echo "No PID configuration for instance $1 found!"
return
fi
- if [ ! -r ${PIDFILE} ]; then
+ if [ ! -r ${PIDFILE[$1]} ]; then
echo "dnscrypt-proxy (instance $1) is not running!"
return
fi
echo "Stopping dnscrypt-proxy (instance $1)..."
- kill $(cat ${PIDFILE})
+ kill $(cat ${PIDFILE[$1]})
}
status_instance() {
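Review bot: `kill $(cat ${PIDFILE[$1]})` now signals whatever is in a file that, per the start_instance hunk, sits in a directory owned by the unprivileged daemon user, so root trusts that user's content without any check, and an empty file additionally invokes `kill` with no argument. Read and validate the value first, e.g. `PID=$(cat "${PIDFILE[$1]}")` then `[[ "$PID" =~ ^[0-9]+$ ]] || { echo "Invalid PID file for instance $1!"; return; }` and `kill "$PID"`; a stronger check is to confirm that /proc/$PID is the daemon before signalling. The same applies to `kill -0 $PID` in the status_instance hunk, which rejects an empty value but not a non-numeric one.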
@@ -68,16 +56,15 @@ status_instance() {
echo "No configuration for instance $1 found!"
return
fi
- PIDFILE=$(grep -i "^[[:space:]]*PidFile[[:space:]]\+." ${DNSCRYPTCONFIG[$1]} | awk '{print $2}')
- if [ -z ${PIDFILE} ]; then
+ if [ -z ${PIDFILE[$1]} ]; then
echo "No PID configuration for instance $1 found!"
return
fi
- if [ ! -r ${PIDFILE} ]; then
+ if [ ! -r ${PIDFILE[$1]} ]; then
echo "dnscrypt-proxy (instance $1) is not running."
return
fi
- PID=$(cat ${PIDFILE})
+ PID=$(cat ${PIDFILE[$1]})
if [ -z "$PID" ]; then
echo "PID file is empty! dnscrypt-proxy (instance $1) does not appear to be running, but there is a stale PID file."
elif kill -0 $PID ; then
diff --git a/network/dnscrypt-proxy/slack-desc b/network/dnscrypt-proxy/slack-desc
index 182ed3682f027..46cdd370c587c 100644
--- a/network/dnscrypt-proxy/slack-desc
+++ b/network/dnscrypt-proxy/slack-desc
@@ -13,7 +13,7 @@ dnscrypt-proxy: your local resolver or as a DNS forwarder, encrypting and
dnscrypt-proxy: authenticating requests using the DNSCrypt protocol and passing them
dnscrypt-proxy: to an upstream DNSCrypt-enabled server.
dnscrypt-proxy:
-dnscrypt-proxy: https://www.opendns.com/
+dnscrypt-proxy: https://github.com/jedisct1/dnscrypt-proxy
dnscrypt-proxy:
dnscrypt-proxy:
dnscrypt-proxy: