aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--network/dnscrypt-proxy/README21
-rw-r--r--network/dnscrypt-proxy/README.Slackware74
-rw-r--r--network/dnscrypt-proxy/dnscrypt-proxy.SlackBuild115
-rw-r--r--network/dnscrypt-proxy/dnscrypt-proxy.default30
-rw-r--r--network/dnscrypt-proxy/dnscrypt-proxy.info18
-rw-r--r--network/dnscrypt-proxy/dnscrypt-proxy.toml353
-rw-r--r--network/dnscrypt-proxy/dnsmasq.conf21
-rw-r--r--network/dnscrypt-proxy/doinst.sh27
-rw-r--r--network/dnscrypt-proxy/named.conf153
-rw-r--r--network/dnscrypt-proxy/rc.dnscrypt-proxy185
-rw-r--r--network/dnscrypt-proxy/slack-desc2
11 files changed, 427 insertions, 572 deletions
diff --git a/network/dnscrypt-proxy/README b/network/dnscrypt-proxy/README
index 673a8bae88c8..0e857524f63f 100644
--- a/network/dnscrypt-proxy/README
+++ b/network/dnscrypt-proxy/README
@@ -1,14 +1,11 @@
-dnscrypt-proxy is a tool for securing communications between a client
-and a DNS resolver. It provides a local service which can be used
-directly as your local resolver or as a DNS forwarder, encrypting and
-authenticating requests using the DNSCrypt protocol and passing them
-to an upstream server.
+DNSCrypt is a protocol that encrypts, authenticates and optionally
+anonymizes communications between a DNS client and a DNS resolver.
+It prevents DNS spoofing. It uses cryptographic signatures to verify
+that responses originate from the chosen DNS resolver and haven’t been
+tampered with.
-By default dnscrypt-proxy is configured to use a random DNS server;
-you will definitely want to change this.
+It is an open specification, with free and open source reference
+implementations, and it is not affiliated with any company nor
+organization.
-Note that google-go-lang is a compile-time dependency and is not
-needed during run-time.
-
-Be sure to read README.Slackware for information on configuring/running
-dnscrypt-proxy as a daemon!
+Free, DNSCrypt-enabled resolvers are available all over the world.
diff --git a/network/dnscrypt-proxy/README.Slackware b/network/dnscrypt-proxy/README.Slackware
index b5a6388c563f..11336b586466 100644
--- a/network/dnscrypt-proxy/README.Slackware
+++ b/network/dnscrypt-proxy/README.Slackware
@@ -1,27 +1,34 @@
-A. Setup
+An init script and configuration file have been provided to run
+dnscrypt-proxy as a daemon. To configure dnscrypt-proxy, edit:
-An init script and configuration file have been provided to run dnscrypt-proxy
-as a daemon. To configure dnscrypt-proxy, edit
-/etc/dnscrypt-proxy/dnscrypt-proxy.toml with the desired settings. By default
-dnscrypt-proxy will use a random DNS server and will run on localhost
-(127.0.0.1), port 53.
+ /etc/dnscrypt-proxy/dnscrypt-proxy.toml
-The configuration file is setup to use a dnscrypt user by default. In order to
-use the default configuration you should create a dnscrypt user and group with
-the following commands:
+Remember to chmod +x /etc/rc.d/rc.dnscrypt-proxy before starting.
+
+By default dnscrypt-proxy will use a random DNS server, i have hardcoded
+some anonymizing relays to bounce the DNS querries around for increased
+privacy.
+Built in local caching is also enabled by default.
+The proxy will run on localhost 127.0.0.1 and ::1 port 53.
+If ipv6 is not required or available, it can be disabled in the config.
+
+The configuration file is setup to use a 'dnscrypt' user by default.
+In order to use the default configuration you should create a
+'dnscrypt' user and group with the following commands:
groupadd -g 293 dnscrypt
useradd -u 293 -g 293 -c "DNSCrypt" -d /run/dnscrypt -s /bin/false dnscrypt
-If you decide to use another user you should edit the USER setting in
-/etc/default/dnscrypt-proxy and the user_name setting in
-/etc/dnscrypt-proxy/dnscrypt-proxy.toml (there are example settings provided
-for the user 'nobody').
+If you decide to use another user you should edit the user_name setting
+in:
-In order to send all DNS requests through dnscrypt-proxy, you will need to
-update /etc/resolv.conf to point to localhost. If using dhcpcd, the easiest way
-to set dnscrypt-proxy as the primary (but not exclusive) dns resolver is to
-create file /etc/resolv.conf.head with the following line:
+ /etc/dnscrypt-proxy/dnscrypt-proxy.toml
+
+In order to send all DNS requests through dnscrypt-proxy, you will need
+to update /etc/resolv.conf to point to localhost. If using dhcpcd, the
+easiest way to set dnscrypt-proxy as the primary (but not exclusive)
+dns resolver is to create file /etc/resolv.conf.head with the following
+line:
nameserver 127.0.0.1
@@ -29,30 +36,27 @@ You may also have to add the following line to enable EDNS:
options edns0
-To start dnscrypt-proxy automatically at system start, add the following to
-/etc/rc.d/rc.local:
+It is also recommended to make the resolv.conf file immutable by
+issuing:
+
+ chattr +i /etc/resolv.conf
+
+To prevent the settings from being reset by dhcp or any other service.
+
+To start dnscrypt-proxy automatically at system start, add the following
+to:
+
+ /etc/rc.d/rc.local:
if [ -x /etc/rc.d/rc.dnscrypt-proxy ]; then
/etc/rc.d/rc.dnscrypt-proxy start
fi
-To properly stop dnscrypt-proxy on system shutdown, add the following to
-/etc/rc.d/rc.local_shutdown:
+To properly stop dnscrypt-proxy on system shutdown, add the following
+to:
+
+ /etc/rc.d/rc.local_shutdown:
if [ -x /etc/rc.d/rc.dnscrypt-proxy ]; then
/etc/rc.d/rc.dnscrypt-proxy stop
fi
-
-B. DNS Cache
-
-dnscrypt-proxy provides control over how it caches DNS queries via its
-configuration file. However, you can also run your own local caching DNS
-server. A sample configuration for dnsmasq (included with Slackware) is
-provided at /usr/doc/dnscrypt-proxy-@VERSION@/dnsmasq.conf. A sample
-configuration for bind/named that also does local DNSSEC validation (if
-supported by the upstream DNS server) is also provided at
-/usr/doc/dnscrypt-proxy-@VERSION@/named.conf. Both configurations run on port
-53, forwarding lookups to dnscrypt-proxy running on port 55. In order to use
-these configurations you will need to change the port dnscrypt-proxy runs on in
-/etc/dnscrypt-proxy/dnscrypt-proxy.toml. If you perform your own DNS caching,
-it makes sense to disable dnscrypt-proxy's caching in its configuration file.
diff --git a/network/dnscrypt-proxy/dnscrypt-proxy.SlackBuild b/network/dnscrypt-proxy/dnscrypt-proxy.SlackBuild
index 041a3dec97f6..2c372e1022dc 100644
--- a/network/dnscrypt-proxy/dnscrypt-proxy.SlackBuild
+++ b/network/dnscrypt-proxy/dnscrypt-proxy.SlackBuild
@@ -2,7 +2,8 @@
# Slackware build script for dnscrypt-proxy
-# Copyright 2019 T3slider <t3slider@gmail.com>
+# Copyright 2023 thnkman <thnkman@proton.me>
+# Based on Marco Bonetti's <sid77@slackware.it> tor script.
# All rights reserved.
#
# Redistribution and use of this script, with or without modification, is
@@ -22,101 +23,87 @@
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-# Thanks to Larry Hajali for work on README.Slackware, the basis for the sample
-# dnsmasq configuration, and the idea for an init script. His contributions
-# significantly improved the value of this script!
-
cd $(dirname $0) ; CWD=$(pwd)
+set -e
+
PRGNAM=dnscrypt-proxy
-VERSION=${VERSION:-2.0.45}
+VERSION=${VERSION:-2.1.5}
BUILD=${BUILD:-1}
TAG=${TAG:-_SBo}
PKGTYPE=${PKGTYPE:-tgz}
-DOMAIN=github.com
-ORG=jedisct1
+DNSCRYPT_USER=${TOR_USER:-dnscrypt}
+DNSCRYPT_UID=${TOR_UID:-293}
+DNSCRYPT_GROUP=${TOR_GROUP:-dnscrypt}
+DNSCRYPT_GID=${TOR_GID:-293}
if [ -z "$ARCH" ]; then
- case "$( uname -m )" in
+ case "$( uname -m )" in
i?86) ARCH=i586 ;;
arm*) ARCH=arm ;;
*) ARCH=$( uname -m ) ;;
- esac
+ esac
fi
-# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
-# the name of the created package would be, and then exit. This information
-# could be useful to other scripts.
if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
- echo "$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE"
- exit 0
+ echo "$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE"
+ exit 0
fi
TMP=${TMP:-/tmp/SBo}
PKG=$TMP/package-$PRGNAM
OUTPUT=${OUTPUT:-/tmp}
-if [ "$ARCH" = "i586" ]; then
- LIBDIRSUFFIX=""
-elif [ "$ARCH" = "i686" ]; then
- LIBDIRSUFFIX=""
-elif [ "$ARCH" = "x86_64" ]; then
- LIBDIRSUFFIX="64"
-else
- LIBDIRSUFFIX=""
+bailout() {
+ echo -e "\nYou must have a $DNSCRYPT_USER user and $DNSCRYPT_GROUP group to run this script. "
+ echo -e "Something like this should suffice for most systems: "
+ echo -e "# groupadd -g $DNSCRYPT_GID $DNSCRYPT_GROUP "
+ echo -e "# useradd -u $DNSCRYPT_UID -g $DNSCRYPT_GID -c \"DNSCrypt-proxy\" -d /dev/null -s /bin/false $DNSCRYPT_USER \n"
+ exit 1
+}
+
+if ! grep -q "^$DNSCRYPT_USER:" /etc/passwd; then
+ bailout
+elif ! grep -q "^$DNSCRYPT_GROUP:" /etc/group; then
+ bailout
fi
-set -e
-
rm -rf $PKG
-mkdir -p $TMP $PKG $OUTPUT
+mkdir -p $TMP/$PRGNAM-$VERSION $PKG $OUTPUT
cd $TMP
rm -rf $PRGNAM-$VERSION
-mkdir -p $PRGNAM-$VERSION/src/$DOMAIN/$ORG
-cd $PRGNAM-$VERSION/src/$DOMAIN/$ORG
-tar xvf $CWD/$PRGNAM-$VERSION.tar.gz
-mv $PRGNAM-$VERSION $PRGNAM
-cd $TMP/$PRGNAM-$VERSION
+
+if [ $ARCH == i586 ]; then
+ tar xvf $CWD/$PRGNAM-linux_i386-$VERSION.tar.gz --transform="s/linux-i386/$PRGNAM-$VERSION/"
+elif [ $ARCH == x86_64 ]; then
+ tar xvf $CWD/$PRGNAM-linux_x86_64-$VERSION.tar.gz --transform="s/linux-x86_64/$PRGNAM-$VERSION/"
+fi
+
+cd $PRGNAM-$VERSION
chown -R root:root .
-find -L . \
+
+find -L . $CWD \
\( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \
-o -perm 511 \) -exec chmod 755 {} \; -o \
\( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
-o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;
-export GO111MODULE=auto
-export GOPATH="$TMP/$PRGNAM-$VERSION"
-
-go install -a -x ./...
-
-cd $TMP/$PRGNAM-$VERSION/src/$DOMAIN/$ORG/$PRGNAM
-
-mkdir -p $PKG/usr/sbin
-
-install -m 755 "$TMP/$PRGNAM-$VERSION/bin/${PRGNAM}" $PKG/usr/sbin/${PRGNAM}
-
-find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \
- | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
-
-mkdir -p $PKG/var/log/$PRGNAM $PKG/etc/default $PKG/etc/$PRGNAM
-chmod 0700 $PKG/var/log/$PRGNAM
-sed "s/@VERSION@/$VERSION/" $CWD/$PRGNAM.default > $PKG/etc/default/$PRGNAM.new
-install -D -m 0755 $CWD/rc.$PRGNAM $PKG/etc/rc.d/rc.$PRGNAM.new
-install -D -m 0644 $CWD/$PRGNAM.toml $PKG/etc/$PRGNAM/$PRGNAM.toml.new
-
-mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
-cp -a \
- ChangeLog LICENSE README.md utils $PRGNAM/example-* \
- $PKG/usr/doc/$PRGNAM-$VERSION
-sed "s/@VERSION@/$VERSION/g" $CWD/README.Slackware > $PKG/usr/doc/$PRGNAM-$VERSION/README.Slackware
-cat $CWD/dnsmasq.conf > $PKG/usr/doc/$PRGNAM-$VERSION/dnsmasq.conf
-cat $CWD/named.conf > $PKG/usr/doc/$PRGNAM-$VERSION/named.conf
-cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
-
-mkdir -p $PKG/install
-cat $CWD/slack-desc > $PKG/install/slack-desc
-cat $CWD/doinst.sh > $PKG/install/doinst.sh
+mkdir -p $PKG/usr/{bin,doc/$PRGNAM-$VERSION} \
+ $PKG/etc/{$PRGNAM,rc.d} \
+ $PKG/var/{log,run}/$PRGNAM \
+ $PKG/install
+
+find . $CWD -mindepth 1 -type f \( -name '*.txt' -o -name '*.toml' -o -name '*.pem' \) -exec cp {} $PKG/etc/$PRGNAM/ \; -o \
+ \( -name 'LICENSE' \) -exec cp {} $PKG/usr/doc/$PRGNAM-$VERSION/ \; -o \
+ \( -name 'README.Slackware' \) -exec cp {} $PKG/usr/doc/$PRGNAM-$VERSION/ \; -o \
+ \( -name "$PRGNAM" \) -exec cp {} $PKG/usr/bin/ \; -o \
+ \( -name "$PRGNAM.toml" \) -exec cp {} $PKG/etc/$PRGNAM/ \; -o \
+ \( -name "rc.$PRGNAM" \) -exec cp {} $PKG/etc/rc.d/ \; -o \
+ \( -name 'slack-desc' \) -exec cp {} $PKG/install/ \;
+
+chown $DNSCRYPT_USER:$DNSCRYPT_GROUP $PKG/var/{log,run}/$PRGNAM \
+ $PKG/etc/$PRGNAM/*
cd $PKG
/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE
diff --git a/network/dnscrypt-proxy/dnscrypt-proxy.default b/network/dnscrypt-proxy/dnscrypt-proxy.default
deleted file mode 100644
index 112202cc9ea2..000000000000
--- a/network/dnscrypt-proxy/dnscrypt-proxy.default
+++ /dev/null
@@ -1,30 +0,0 @@
-# /etc/default/dnscrypt-proxy
-
-# This file contains additional configuration settings for dnscrypt-proxy
-# (primary configuration belongs in the dnscrypt-proxy configuration file).
-# This file supports configuring and running multiple instances (see the bottom
-# of this file for a sample secondary configuration). However, note that
-# dnscrypt-proxy now automatically provides redundancy based on a pool of
-# available servers in its own configuration file. Under normal circumstances
-# you would only ever need one active configuration in this file, but support
-# for multiple independent servers has been maintained in case you have a need
-# for segregation of upstream servers.
-
-# DNSCRYPTCONFIG should be the path to the dnscrypt-proxy configuration file
-# for the given instance.
-DNSCRYPTCONFIG[0]="/etc/dnscrypt-proxy/dnscrypt-proxy.toml"
-
-# The pid file for this instance. PIDFILE must always be specified for each
-# instance!
-PIDFILE[0]="/run/dnscrypt-proxy/dnscrypt-proxy-0.pid"
-
-# The user to run the daemon. This should be the same user specified in the
-# config.
-#USER[0]="nobody"
-USER[0]="dnscrypt"
-
-# A simple example configuration for a second instance (note that this would
-# require a new dnscrypt-proxy configuration file)
-#DNSCRYPTCONFIG[1]="/etc/dnscrypt-proxy/dnscrypt-proxy-1.toml"
-#PIDFILE[1]="/run/dnscrypt-proxy/dnscrypt-proxy-1.pid"
-#USER[1]="dnscrypt"
diff --git a/network/dnscrypt-proxy/dnscrypt-proxy.info b/network/dnscrypt-proxy/dnscrypt-proxy.info
index 1ae915490616..f4ba8b100e9e 100644
--- a/network/dnscrypt-proxy/dnscrypt-proxy.info
+++ b/network/dnscrypt-proxy/dnscrypt-proxy.info
@@ -1,10 +1,10 @@
PRGNAM="dnscrypt-proxy"
-VERSION="2.0.45"
-HOMEPAGE="https://github.com/jedisct1/dnscrypt-proxy"
-DOWNLOAD="https://github.com/jedisct1/dnscrypt-proxy/archive/2.0.45/dnscrypt-proxy-2.0.45.tar.gz"
-MD5SUM="200c8a9bcf38c85648c9288f31b2ea68"
-DOWNLOAD_x86_64=""
-MD5SUM_x86_64=""
-REQUIRES="google-go-lang"
-MAINTAINER="T3slider"
-EMAIL="t3slider@gmail.com"
+VERSION="2.1.5"
+HOMEPAGE="https://github.com/DNSCrypt/dnscrypt-proxy"
+DOWNLOAD="https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.1.5/dnscrypt-proxy-linux_i386-2.1.5.tar.gz"
+MD5SUM="edbd10c9d3be0e81976203c77902f339"
+DOWNLOAD_x86_64="https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.1.5/dnscrypt-proxy-linux_x86_64-2.1.5.tar.gz"
+MD5SUM_x86_64="8190b0d10841aea11f74caf77dbc2c39"
+REQUIRES=""
+MAINTAINER="thnkman"
+EMAIL="thnkman@proton.me"
diff --git a/network/dnscrypt-proxy/dnscrypt-proxy.toml b/network/dnscrypt-proxy/dnscrypt-proxy.toml
index 0da38f82720e..182429bd6739 100644
--- a/network/dnscrypt-proxy/dnscrypt-proxy.toml
+++ b/network/dnscrypt-proxy/dnscrypt-proxy.toml
@@ -35,8 +35,11 @@
## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
## Example with both IPv4 and IPv6:
## listen_addresses = ['127.0.0.1:53', '[::1]:53']
+##
+## To listen to all IPv4 addresses, use `listen_addresses = ['0.0.0.0:53']`
+## To listen to all IPv4+IPv6 addresses, use `listen_addresses = ['[::]:53']`
-listen_addresses = ['127.0.0.1:53']
+listen_addresses = ['127.0.0.1:53', '[::1]:53']
## Maximum number of simultaneous client connections to accept
@@ -49,35 +52,37 @@ max_clients = 250
## Note (2): this feature is not compatible with systemd socket activation.
## Note (3): when using -pidfile, the PID file directory must be writable by the new user
-# user_name = 'nobody'
user_name = 'dnscrypt'
-## Require servers (from static + remote sources) to satisfy specific properties
+## Require servers (from remote sources) to satisfy specific properties
# Use servers reachable over IPv4
ipv4_servers = true
# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
-ipv6_servers = false
+ipv6_servers = true
# Use servers implementing the DNSCrypt protocol
dnscrypt_servers = true
# Use servers implementing the DNS-over-HTTPS protocol
-doh_servers = true
+doh_servers = false
+
+# Use servers implementing the Oblivious DoH protocol
+odoh_servers = false
## Require servers defined by remote sources to satisfy specific properties
# Server must support DNS security extensions (DNSSEC)
-require_dnssec = false
+require_dnssec = true
# Server must not log user queries (declarative)
require_nolog = true
-# Server must not enforce its own blacklist (for parental control, ads blocking...)
-require_nofilter = true
+# Server must not enforce its own blocklist (for parental control, ads blocking...)
+require_nofilter = false
# Server names to avoid even if they match all criteria
disabled_server_names = []
@@ -118,20 +123,31 @@ timeout = 5000
keepalive = 30
-## Response for blocked queries. Options are `refused`, `hinfo` (default) or
-## an IP response. To give an IP response, use the format `a:<IPv4>,aaaa:<IPv6>`.
+## Add EDNS-client-subnet information to outgoing queries
+##
+## Multiple networks can be listed; they will be randomly chosen.
+## These networks don't have to match your actual networks.
+
+# edns_client_subnet = ["0.0.0.0/0", "2001:db8::/32"]
+
+
+## Response for blocked queries. Options are `refused`, `hinfo` (default) or
+## an IP response. To give an IP response, use the format `a:<IPv4>,aaaa:<IPv6>`.
## Using the `hinfo` option means that some responses will be lies.
## Unfortunately, the `hinfo` option appears to be required for Android 8+
# blocked_query_response = 'refused'
-## Load-balancing strategy: 'p2' (default), 'ph', 'first' or 'random'
+## Load-balancing strategy: 'p2' (default), 'ph', 'p<n>', 'first' or 'random'
+## Randomly choose 1 of the fastest 2, half, n, 1 or all live servers by latency.
+## The response quality still depends on the server itself.
# lb_strategy = 'p2'
## Set to `true` to constantly try to estimate the latency of all the resolvers
## and adjust the load-balancing parameters accordingly, or to `false` to disable.
+## Default is `true` that makes 'p2' `lb_strategy` work well.
# lb_estimator = true
@@ -141,12 +157,20 @@ keepalive = 30
# log_level = 2
-## log file for the application
+## Log file for the application, as an alternative to sending logs to
+## the standard system logging service (syslog/Windows event log).
+##
+## This file is different from other log files, and will not be
+## automatically rotated by the application.
-# log_file = 'dnscrypt-proxy.log'
log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log'
+## When using a log file, only keep logs from the most recent launch.
+
+# log_file_latest = true
+
+
## Use the system logger (syslog on Unix, Event Log on Windows)
# use_syslog = true
@@ -161,7 +185,7 @@ cert_refresh_delay = 240
## This may improve privacy but can also have a significant impact on CPU usage
## Only enable if you don't have a lot of network load
-# dnscrypt_ephemeral_keys = false
+dnscrypt_ephemeral_keys = true
## DoH: Disable TLS session tickets - increases privacy but also latency
@@ -187,26 +211,40 @@ cert_refresh_delay = 240
# tls_cipher_suite = [52392, 49199]
-## Fallback resolvers
+## Bootstrap resolvers
+##
## These are normal, non-encrypted DNS resolvers, that will be only used
-## for one-shot queries when retrieving the initial resolvers list, and
-## only if the system DNS configuration doesn't work.
-## No user application queries will ever be leaked through these resolvers,
-## and they will not be used after IP addresses of resolvers URLs have been found.
-## They will never be used if lists have already been cached, and if stamps
-## don't include host names without IP addresses.
-## They will not be used if the configured system DNS works.
-## Resolvers supporting DNSSEC are recommended.
-##
-## People in China may need to use 114.114.114.114:53 here.
-## Other popular options include 8.8.8.8 and 1.1.1.1.
+## for one-shot queries when retrieving the initial resolvers list and if
+## the system DNS configuration doesn't work.
+##
+## No user queries will ever be leaked through these resolvers, and they will
+## not be used after IP addresses of DoH resolvers have been found (if you are
+## using DoH).
+##
+## They will never be used if lists have already been cached, and if the stamps
+## of the configured servers already include IP addresses (which is the case for
+## most of DoH servers, and for all DNSCrypt servers and relays).
+##
+## They will not be used if the configured system DNS works, or after the
+## proxy already has at least one usable secure resolver.
+##
+## Resolvers supporting DNSSEC are recommended, and, if you are using
+## DoH, bootstrap resolvers should ideally be operated by a different entity
+## than the DoH servers you will be using, especially if you have IPv6 enabled.
+##
+## People in China may want to use 114.114.114.114:53 here.
+## Other popular options include 8.8.8.8, 9.9.9.9 and 1.1.1.1.
##
## If more than one resolver is specified, they will be tried in sequence.
+##
+## TL;DR: put valid standard resolver addresses here. Your actual queries will
+## not be sent there. If you're using DNSCrypt or Anonymized DNS and your
+## lists are up to date, these resolvers will not even be used.
-fallback_resolvers = ['9.9.9.9:53', '8.8.8.8:53']
+bootstrap_resolvers = ['9.9.9.9:53', '8.8.8.8:53']
-## Always use the fallback resolver before the system DNS settings.
+## Always use the bootstrap resolver before the system DNS settings.
ignore_system_dns = true
@@ -246,7 +284,7 @@ netprobe_address = '9.9.9.9:53'
## encrypted-dns-server can be configured to use this for access control
## in the [access_control] section
-# query_meta = ["key1:value1", "key2:value2", "token:MySecretToken"]
+# query_meta = ['key1:value1', 'key2:value2', 'token:MySecretToken']
## Automatic log files rotation
@@ -268,7 +306,7 @@ log_files_max_backups = 1
## Note: if you are using dnsmasq, disable the `dnssec` option in dnsmasq if you
## configure dnscrypt-proxy to do any kind of filtering (including the filters
-## below and blacklists).
+## below and blocklists).
## You can still choose resolvers that do DNSSEC validation.
@@ -276,7 +314,7 @@ log_files_max_backups = 1
## This makes things faster when there is no IPv6 connectivity, but can
## also cause reliability issues with some stub resolvers.
-block_ipv6 = false
+block_ipv6 = true
## Immediately respond to A and AAAA queries for host names without a domain name
@@ -291,9 +329,9 @@ block_undelegated = true
## TTL for synthetic responses sent when a request has been blocked (due to
-## IPv6 or blacklists).
+## IPv6 or blocklists).
-reject_ttl = 600
+reject_ttl = 10
@@ -324,6 +362,7 @@ reject_ttl = 600
# cloak_ttl = 600
+
###########################
# DNS cache #
###########################
@@ -359,6 +398,20 @@ cache_neg_max_ttl = 600
+########################################
+# Captive portal handling #
+########################################
+
+[captive_portals]
+
+## A file that contains a set of names used by operating systems to
+## check for connectivity and captive portals, along with hard-coded
+## IP addresses to return.
+
+# map_file = 'example-captive-portals.txt'
+
+
+
##################################
# Local DoH server #
##################################
@@ -379,14 +432,14 @@ cache_neg_max_ttl = 600
## For each `listen_address` the complete URL to access the server will be:
## `https://<listen_address><path>` (ex: `https://127.0.0.1/dns-query`)
-# path = "/dns-query"
+# path = '/dns-query'
## Certificate file and key - Note that the certificate has to be trusted.
## See the documentation (wiki) for more information.
-# cert_file = "localhost.pem"
-# cert_key_file = "localhost.pem"
+# cert_file = 'localhost.pem'
+# cert_key_file = 'localhost.pem'
@@ -399,7 +452,7 @@ cache_neg_max_ttl = 600
[query_log]
## Path to the query log file (absolute, or relative to the same directory as the config file)
- ## On non-Windows systems, can be /dev/stdout to log to the standard output (also set log_files_max_size to 0)
+ ## Can be set to /dev/stdout in order to log to the standard output.
# file = 'query.log'
@@ -437,10 +490,10 @@ cache_neg_max_ttl = 600
######################################################
-# Pattern-based blocking (blacklists) #
+# Pattern-based blocking (blocklists) #
######################################################
-## Blacklists are made of one pattern per line. Example of valid patterns:
+## Blocklists are made of one pattern per line. Example of valid patterns:
##
## example.com
## =example.com
@@ -449,20 +502,20 @@ cache_neg_max_ttl = 600
## ads*.example.*
## ads*.example[0-9]*.com
##
-## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
-## A script to build blacklists from public feeds can be found in the
-## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.
+## Example blocklist files can be found at https://download.dnscrypt.info/blocklists/
+## A script to build blocklists from public feeds can be found in the
+## `utils/generate-domains-blocklists` directory of the dnscrypt-proxy source code.
-[blacklist]
+[blocked_names]
## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
- # blacklist_file = 'blacklist.txt'
+ # blocked_names_file = 'blocked-names.txt'
## Optional path to a file logging blocked queries
- # log_file = 'blocked.log'
+ # log_file = 'blocked-names.log'
## Optional log format: tsv or ltsv (default: tsv)
@@ -472,25 +525,25 @@ cache_neg_max_ttl = 600
###########################################################
-# Pattern-based IP blocking (IP blacklists) #
+# Pattern-based IP blocking (IP blocklists) #
###########################################################
-## IP blacklists are made of one pattern per line. Example of valid patterns:
+## IP blocklists are made of one pattern per line. Example of valid patterns:
##
## 127.*
## fe80:abcd:*
## 192.168.1.4
-[ip_blacklist]
+[blocked_ips]
## Path to the file of blocking rules (absolute, or relative to the same directory as the config file)
- # blacklist_file = 'ip-blacklist.txt'
+ # blocked_ips_file = 'blocked-ips.txt'
## Optional path to a file logging blocked queries
- # log_file = 'ip-blocked.log'
+ # log_file = 'blocked-ips.log'
## Optional log format: tsv or ltsv (default: tsv)
@@ -500,25 +553,25 @@ cache_neg_max_ttl = 600
######################################################
-# Pattern-based whitelisting (blacklists bypass) #
+# Pattern-based allow lists (blocklists bypass) #
######################################################
-## Whitelists support the same patterns as blacklists
-## If a name matches a whitelist entry, the corresponding session
+## Allowlists support the same patterns as blocklists
+## If a name matches an allowlist entry, the corresponding session
## will bypass names and IP filters.
##
## Time-based rules are also supported to make some websites only accessible at specific times of the day.
-[whitelist]
+[allowed_names]
- ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the config file)
+ ## Path to the file of allow list rules (absolute, or relative to the same directory as the config file)
- # whitelist_file = 'whitelist.txt'
+ # allowed_names_file = 'allowed-names.txt'
- ## Optional path to a file logging whitelisted queries
+ ## Optional path to a file logging allowed queries
- # log_file = 'whitelisted.log'
+ # log_file = 'allowed-names.log'
## Optional log format: tsv or ltsv (default: tsv)
@@ -527,15 +580,42 @@ cache_neg_max_ttl = 600
+#########################################################
+# Pattern-based allowed IPs lists (blocklists bypass) #
+#########################################################
+
+## Allowed IP lists support the same patterns as IP blocklists
+## If an IP response matches an allow ip entry, the corresponding session
+## will bypass IP filters.
+##
+## Time-based rules are also supported to make some websites only accessible at specific times of the day.
+
+[allowed_ips]
+
+ ## Path to the file of allowed ip rules (absolute, or relative to the same directory as the config file)
+
+ # allowed_ips_file = 'allowed-ips.txt'
+
+
+ ## Optional path to a file logging allowed queries
+
+ # log_file = 'allowed-ips.log'
+
+ ## Optional log format: tsv or ltsv (default: tsv)
+
+ # log_format = 'tsv'
+
+
+
##########################################
# Time access restrictions #
##########################################
## One or more weekly schedules can be defined here.
-## Patterns in the name-based blocklist can optionally be followed with @schedule_name
+## Patterns in the name-based blocked_names file can optionally be followed with @schedule_name
## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
##
-## For example, the following rule in a blacklist file:
+## For example, the following rule in a blocklist file:
## *.youtube.* @time-to-sleep
## would block access to YouTube during the times defined by the 'time-to-sleep' schedule.
##
@@ -580,41 +660,60 @@ cache_neg_max_ttl = 600
## If the `urls` property is missing, cache files and valid signatures
## must already be present. This doesn't prevent these cache files from
## expiring after `refresh_delay` hours.
+## Cache freshness is checked every 24 hours, so values for 'refresh_delay'
+## of less than 24 hours will have no effect.
+## A maximum delay of 168 hours (1 week) is imposed to ensure cache freshness.
[sources]
## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
[sources.'public-resolvers']
- urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
- cache_file = 'public-resolvers.md'
- minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
- prefix = ''
+ urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://download.dnscrypt.net/resolvers-list/v3/public-resolvers.md']
+ cache_file = 'public-resolvers.md'
+ minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+ refresh_delay = 72
+ prefix = ''
## Anonymized DNS relays
[sources.'relays']
- urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/relays.md', 'https://download.dnscrypt.info/resolvers-list/v2/relays.md']
- cache_file = 'relays.md'
- minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
- refresh_delay = 72
- prefix = ''
-
- ## Quad9 over DNSCrypt - https://quad9.net/
+ urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/relays.md']
+ cache_file = 'relays.md'
+ minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+ refresh_delay = 72
+ prefix = ''
+
+ ## ODoH (Oblivious DoH) servers and relays
+
+ # [sources.'odoh-servers']
+ # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-servers.md', 'https://download.dnscrypt.net/resolvers-list/v3/odoh-servers.md']
+ # cache_file = 'odoh-servers.md'
+ # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+ # refresh_delay = 24
+ # prefix = ''
+ # [sources.'odoh-relays']
+ # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/odoh-relays.md']
+ # cache_file = 'odoh-relays.md'
+ # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+ # refresh_delay = 24
+ # prefix = ''
+
+ ## Quad9
# [sources.quad9-resolvers]
- # urls = ['https://www.quad9.net/quad9-resolvers.md']
- # minisign_key = 'RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN'
- # cache_file = 'quad9-resolvers.md'
- # prefix = 'quad9-'
+ # urls = ['https://www.quad9.net/quad9-resolvers.md']
+ # minisign_key = 'RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN'
+ # cache_file = 'quad9-resolvers.md'
+ # prefix = 'quad9-'
## Another example source, with resolvers censoring some websites not appropriate for children
## This is a subset of the `public-resolvers` list, so enabling both is useless
# [sources.'parental-control']
- # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md']
- # cache_file = 'parental-control.md'
- # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+ # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/parental-control.md', 'https://download.dnscrypt.net/resolvers-list/v3/parental-control.md']
+ # cache_file = 'parental-control.md'
+ # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
@@ -628,28 +727,32 @@ cache_neg_max_ttl = 600
# truncate reponses larger than questions as expected by the DNSCrypt protocol.
# This prevents large responses from being received over UDP and over relays.
#
-# The `dnsdist` server software drops client queries larger than 1500 bytes.
-# They are aware of it and are working on a fix.
+# Older versions of the `dnsdist` server software had a bug with queries larger
+# than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but
+# some server may still run an outdated version.
#
# The list below enables workarounds to make non-relayed usage more reliable
# until the servers are fixed.
-fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'quad9-dnscrypt-ip4-filter-alt', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-nofilter-alt', 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-filter-alt', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-dnscrypt-ip6-nofilter-alt', 'quad9-dnscrypt-ip6-nofilter-pri', 'cleanbrowsing-adult', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-security']
-
+fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'cleanbrowsing-adult', 'cleanbrowsing-adult-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-security', 'cleanbrowsing-security-ipv6']
-################################
-# TLS Client Authentication #
-################################
+#################################################################
+# Certificate-based client authentication for DoH #
+#################################################################
+# Use a X509 certificate to authenticate yourself when connecting to DoH servers.
# This is only useful if you are operating your own, private DoH server(s).
-# (for DNSCrypt, see the `query_meta` feature instead)
+# 'creds' maps servers to certificates, and supports multiple entries.
+# If you are not using the standard root CA, an optional "root_ca"
+# property set to the path to a root CRT file can be added to a server entry.
-[tls_client_auth]
+[doh_client_x509_auth]
+#
# creds = [
-# { server_name='myserver', client_cert='client.crt', client_key='client.key' }
+# { server_name='*', client_cert='client.crt', client_key='client.key' }
# ]
@@ -666,11 +769,11 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys
## used to connect to that server.
##
## A relay can be specified as a DNS Stamp (either a relay stamp, or a
-## DNSCrypt stamp), an IP:port, a hostname:port, or a server name.
+## DNSCrypt stamp) or a server name.
##
## The following example routes "example-server-1" via `anon-example-1` or `anon-example-2`,
-## and "example-server-2" via the relay whose relay DNS stamp
-## is "sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM".
+## and "example-server-2" via the relay whose relay DNS stamp is
+## "sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM".
##
## !!! THESE ARE JUST EXAMPLES !!!
##
@@ -679,21 +782,71 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys
##
## Carefully choose relays and servers so that they are run by different entities.
##
-## "server_name" can also be set to "*" to define a default route, but this is not
-## recommended. If you do so, keep "server_names" short and distinct from relays.
+## "server_name" can also be set to "*" to define a default route, for all servers:
+## { server_name='*', via=['anon-example-1', 'anon-example-2'] }
+##
+## If a route is ["*"], the proxy automatically picks a relay on a distinct network.
+## { server_name='*', via=['*'] } is also an option, but is likely to be suboptimal.
+##
+## Manual selection is always recommended over automatic selection, so that you can
+## select (relay,server) pairs that work well and fit your own criteria (close by or
+## in different countries, operated by different entities, on distinct ISPs...)
-# routes = [
-# { server_name='example-server-1', via=['anon-example-1', 'anon-example-2'] },
-# { server_name='example-server-2', via=['sdns://gRIxMzcuNzQuMjIzLjIzNDo0NDM'] }
-# ]
+ routes = [
+ { server_name='ams-dnscrypt-nl', via=['sdns://gRE4OS4zOC4xMzEuMzg6NDM0Mw', 'sdns://gQ4zNy4xMjAuMTQyLjExNQ', 'sdns://gQ8xMjguMTI3LjEwNC4xMDg'] },
+ { server_name='ams-dnscrypt-nl-ipv6', via=['sdns://gQ4zNy4xMjAuMTQyLjExNQ', 'sdns://gRpbMmEwYzpiOWMwOmY6NDUxZDo6MV06NDM0Mw', 'sdns://gQ8xMjguMTI3LjEwNC4xMDg'] }
+ ]
+
+
+# Skip resolvers incompatible with anonymization instead of using them directly
+
+skip_incompatible = true
+
+
+# If public server certificates for a non-conformant server cannot be
+# retrieved via a relay, try getting them directly. Actual queries
+# will then always go through relays.
+
+# direct_cert_fallback = false
+
+
+
+###############################
+# DNS64 #
+###############################
+
+## DNS64 is a mechanism for synthesizing AAAA records from A records.
+## It is used with an IPv6/IPv4 translator to enable client-server
+## communication between an IPv6-only client and an IPv4-only server,
+## without requiring any changes to either the IPv6 or the IPv4 node,
+## for the class of applications that work through NATs.
+##
+## There are two options to synthesize such records:
+## Option 1: Using a set of static IPv6 prefixes;
+## Option 2: By discovering the IPv6 prefix from DNS64-enabled resolver.
+##
+## If both options are configured - only static prefixes are used.
+## (Ref. RFC6147, RFC6052, RFC7050)
+##
+## Do not enable unless you know what DNS64 is and why you need it, or else
+## you won't be able to connect to anything at all.
+[dns64]
-# skip resolvers incompatible with anonymization instead of using them directly
+## (Option 1) Static prefix(es) as Pref64::/n CIDRs.
+# prefix = ['64:ff9b::/96']
-skip_incompatible = false
+## (Option 2) DNS64-enabled resolver(s) to discover Pref64::/n CIDRs.
+## These resolvers are used to query for Well-Known IPv4-only Name (WKN) "ipv4only.arpa." to discover only.
+## Set with your ISP's resolvers in case of custom prefixes (other than Well-Known Prefix 64:ff9b::/96).
+## IMPORTANT: Default resolvers listed below support Well-Known Prefix 64:ff9b::/96 only.
+# resolver = ['[2606:4700:4700::64]:53', '[2001:4860:4860::64]:53']
+########################################
+# Static entries #
+########################################
## Optional, local, static list of additional servers
## Mostly useful for testing your own servers.
@@ -701,4 +854,4 @@ skip_incompatible = false
[static]
# [static.'myserver']
- # stamp = 'sdns:AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'
+ # stamp = 'sdns://AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'
diff --git a/network/dnscrypt-proxy/dnsmasq.conf b/network/dnscrypt-proxy/dnsmasq.conf
deleted file mode 100644
index 9700cb2df9b9..000000000000
--- a/network/dnscrypt-proxy/dnsmasq.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# Use dnsmasq as a caching DNS forwarder to dnscrypt-proxy. This configuration
-# assumes dnscrypt-proxy is running on port 55.
-
-# Never forward plain names (without a dot or domain part)
-domain-needed
-
-# Never forward addresses in the non-routed address spaces.
-bogus-priv
-
-# Don't use /etc/resolv.conf. Forward all queries to dnscrypt-proxy.
-no-resolv
-
-# Use the resolver on localhost port 55 (dnscrypt-proxy)
-server=127.0.0.1#55
-
-# Listen on localhost. Default port 53
-listen-address=127.0.0.1
-
-# Pass on the upstream DNSSEC flag. Only enable this if you trust the upstream
-# resolver.
-#proxy-dnssec
diff --git a/network/dnscrypt-proxy/doinst.sh b/network/dnscrypt-proxy/doinst.sh
deleted file mode 100644
index e264e34a560d..000000000000
--- a/network/dnscrypt-proxy/doinst.sh
+++ /dev/null
@@ -1,27 +0,0 @@
-config() {
- NEW="$1"
- OLD="$(dirname $NEW)/$(basename $NEW .new)"
- # If there's no config file by that name, mv it over:
- if [ ! -r $OLD ]; then
- mv $NEW $OLD
- elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then
- # toss the redundant copy
- rm $NEW
- fi
- # Otherwise, we leave the .new copy for the admin to consider...
-}
-
-preserve_perms() {
- NEW="$1"
- OLD="$(dirname $NEW)/$(basename $NEW .new)"
- if [ -e $OLD ]; then
- cp -a $OLD ${NEW}.incoming
- cat $NEW > ${NEW}.incoming
- mv ${NEW}.incoming $NEW
- fi
- config $NEW
-}
-
-preserve_perms etc/rc.d/rc.dnscrypt-proxy.new
-config etc/default/dnscrypt-proxy.new
-config etc/dnscrypt-proxy/dnscrypt-proxy.toml.new
diff --git a/network/dnscrypt-proxy/named.conf b/network/dnscrypt-proxy/named.conf
deleted file mode 100644
index b416855f2685..000000000000
--- a/network/dnscrypt-proxy/named.conf
+++ /dev/null
@@ -1,153 +0,0 @@
-options {
- directory "/var/named";
- /*
- * If there is a firewall between you and nameservers you want
- * to talk to, you might need to uncomment the query-source
- * directive below. Previous versions of BIND always asked
- * questions using port 53, but BIND 8.1 uses an unprivileged
- * port by default.
- */
- // query-source address * port 53;
- forwarders { 127.0.0.1 port 55; };
- forward only;
- dnssec-enable yes;
- dnssec-validation auto;
- dnssec-lookaside auto;
- allow-transfer { "none"; };
- allow-query { 127.0.0.1; };
- listen-on { 127.0.0.1; };
-};
-
-//
-// a caching only nameserver config
-//
-zone "." IN {
- type hint;
- file "caching-example/named.root";
-};
-
-zone "localhost" IN {
- type master;
- file "caching-example/localhost.zone";
- allow-update { none; };
-};
-
-zone "0.0.127.in-addr.arpa" IN {
- type master;
- file "caching-example/named.local";
- allow-update { none; };
-};
-
-// RFC 1918. These shouldn't be necessary but empty-zones-enable isn't
-// working properly...
-zone "10.in-addr.arpa" IN {
- type master;
- file "caching-example/named.local";
- allow-update { none; };
-};
-
-zone "16.172.in-addr.arpa" IN {
- type master;
- file "caching-example/named.local";
- allow-update { none; };
-};
-
-zone "17.172.in-addr.arpa" IN {
- type master;
- file "caching-example/named.local";
- allow-update { none; };
-};
-
-zone "18.172.in-addr.arpa" IN {
- type master;
- file "caching-example/named.local";
- allow-update { none; };
-};
-
-zone "19.172.in-addr.arpa" IN {
- type master;
- file "caching-example/named.local";
- allow-update { none; };
-};
-
-zone "20.172.in-addr.arpa" IN {
- type master;
- file "caching-example/named.local";
- allow-update { none; };
-};
-
-zone "21.172.in-addr.arpa" IN {
- type master;
- file "caching-example/named.local";
- allow-update { none; };
-};
-
-zone "22.172.in-addr.arpa" IN {
- type master;
- file "caching-example/named.local";
- allow-update { none; };
-};
-
-zone "23.172.in-addr.arpa" IN {
- type master;
- file "caching-example/named.local";
- allow-update { none; };
-};
-
-zone "24.172.in-addr.arpa" IN {
- type master;
- file "caching-example/named.local";
- allow-update { none; };
-};
-
-zone "25.172.in-addr.arpa" IN {
- type master;
- file "caching-example/named.local";
- allow-update { none; };
-};
-
-zone "26.172.in-addr.arpa" IN {
- type master;
- file "caching-example/named.local";
- allow-update { none; };
-};
-
-zone "27.172.in-addr.arpa" IN {
- type master;
- file "caching-example/named.local";
- allow-update { none; };
-};
-
-zone "28.172.in-addr.arpa" IN {
- type master;
- file "caching-example/named.local";
- allow-update { none; };
-};
-
-zone "29.172.in-addr.arpa" IN {
- type master;
- file "caching-example/named.local";
- allow-update { none; };
-};
-
-zone "30.172.in-addr.arpa" IN {
- type master;
- file "caching-example/named.local";
- allow-update { none; };
-};
-
-zone "31.172.in-addr.arpa" IN {
- type master;
- file "caching-example/named.local";
- allow-update { none; };
-};
-
-zone "168.192.in-addr.arpa" IN {
- type master;
- file "caching-example/named.local";
- allow-update { none; };
-};
-
-logging {
- category edns-disabled { null; };
-};
diff --git a/network/dnscrypt-proxy/rc.dnscrypt-proxy b/network/dnscrypt-proxy/rc.dnscrypt-proxy
index 1aa68260b904..2f97005ce0e4 100644
--- a/network/dnscrypt-proxy/rc.dnscrypt-proxy
+++ b/network/dnscrypt-proxy/rc.dnscrypt-proxy
@@ -1,134 +1,79 @@
-#!/bin/bash
-
-CONFIGFILE="/etc/default/dnscrypt-proxy"
-DAEMON="/usr/sbin/dnscrypt-proxy"
-
-. $CONFIGFILE
-
-start_instance() {
- if [ ! -r ${DNSCRYPTCONFIG[$1]} ]; then
- echo "No configuration for instance $1 found!"
- return
- fi
- if [ -z ${PIDFILE[$1]} ]; then
- echo "No PID configuration for instance $1 found!"
- return
- fi
- if [ -z ${USER[$1]} ]; then
- echo "No user configuration for instance $1 found!"
- return
- fi
- if [ -r ${PIDFILE[$1]} ]; then
- echo "dnscrypt-proxy (instance $1) already running!"
- return
- fi
-
- mkdir -p $(dirname ${PIDFILE[$1]})
- # The child (unprivileged) process needs write access or the PID will not
- # be written.
- chmod 0700 $(dirname ${PIDFILE[$1]})
- chown ${USER[$1]} $(dirname ${PIDFILE[$1]})
-
- # The new Go-based dnscrypt-proxy no longer has the ability to daemonize.
- # In the absence of a standard Slackware daemon tool we'll use nohup. :(
- nohup $DAEMON -config ${DNSCRYPTCONFIG[$1]} -pidfile ${PIDFILE[$1]} >> /dev/null 2>&1 &
-}
+#!/bin/sh
-stop_instance() {
- if [ ! -r ${DNSCRYPTCONFIG[$1]} ]; then
- echo "No configuration for instance $1 found!"
- return
- fi
- if [ -z ${PIDFILE[$1]} ]; then
- echo "No PID configuration for instance $1 found!"
- return
- fi
- if [ ! -r ${PIDFILE[$1]} ]; then
- echo "dnscrypt-proxy (instance $1) is not running!"
- return
- fi
- echo "Stopping dnscrypt-proxy (instance $1)..."
- kill $(cat ${PIDFILE[$1]})
-}
+# Init file for dnscrypt-proxy
-status_instance() {
- if [ ! -r ${DNSCRYPTCONFIG[$1]} ]; then
- echo "No configuration for instance $1 found!"
- return
- fi
- if [ -z ${PIDFILE[$1]} ]; then
- echo "No PID configuration for instance $1 found!"
- return
- fi
- if [ ! -r ${PIDFILE[$1]} ]; then
- echo "dnscrypt-proxy (instance $1) is not running."
- return
- fi
- PID=$(cat ${PIDFILE[$1]})
- if [ -z "$PID" ]; then
- echo "PID file is empty! dnscrypt-proxy (instance $1) does not appear to be running, but there is a stale PID file."
- elif kill -0 $PID ; then
- echo "dnscrypt-proxy (instance $1) is running."
- else
- echo "dnscrypt-proxy (instance $1) is not running, but there is a stale PID file."
- fi
-}
+PRGNAM=dnscrypt-proxy
+
+CONFDIR="/etc/dnscrypt-proxy"
+LOGDIR="/var/log/dnscrypt-proxy"
+RUNDIR="/var/run/dnscrypt-proxy"
+
+OPTS="-config $CONFDIR/dnscrypt-proxy.toml -pidfile $RUNDIR/dnscrypt-proxy.pid -logfile $LOGDIR/dnscrypt-proxy.log"
+
+PID=$(cat /var/run/dnscrypt-proxy/dnscrypt-proxy.pid 2>/dev/null)
start() {
- for i in `/usr/bin/seq 0 $((${#DNSCRYPTCONFIG[@]}-1))`
- do
- start_instance $i
- done
+ echo "Starting DNSCrypt-proxy"
+ /usr/bin/dnscrypt-proxy $OPTS &
}
stop() {
- for i in `/usr/bin/seq 0 $((${#DNSCRYPTCONFIG[@]}-1))`
- do
- stop_instance $i
- done
+ echo "Stopping DNSCrypt-proxy"
+
+if [ -z $PID ]; then
+ echo "Not running"
+ exit 0
+fi
+if kill -15 $PID 2>/dev/null; then
+ echo "Stopped"
+ rm $RUNDIR/dnscrypt-proxy.pid 2>/dev/null
+else
+ sleep 1
+ if kill -9 $PID 2>/dev/null; then
+ echo "Killed"
+ rm $RUNDIR/dnscrypt-proxy.pid 2>/dev/null
+ else
+ echo "Error"
+ exit 1
+ fi
+fi
}
status() {
- for i in `/usr/bin/seq 0 $((${#DNSCRYPTCONFIG[@]}-1))`
- do
- status_instance $i
- done
+ if [ -z $PID ]; then
+ echo "Not running"
+ exit 1
+ elif kill -0 $PID; then
+ echo $(ps aux | grep $PID)
+ exit 0
+ else
+ echo "$RUNDIR/dnscrypt-proxy.pid present, but $PID is not running. Removing PID file."
+ rm $RUNDIR/dnscrypt-proxy.pid 2>/dev/null
+ exit 1
+ fi
}
case "$1" in
- 'start')
- start
- ;;
- 'stop')
- stop
- ;;
- 'restart')
- stop
- start
- ;;
- 'status')
- status
- ;;
- *_start)
- INSTANCE=`echo $1 | /bin/cut -d '_' -f 1`
- start_instance $INSTANCE
- ;;
- *_stop)
- INSTANCE=`echo $1 | /bin/cut -d '_' -f 1`
- stop_instance $INSTANCE
- ;;
- *_restart)
- INSTANCE=`echo $1 | /bin/cut -d '_' -f 1`
- stop_instance $INSTANCE
- sleep 1
- start_instance $INSTANCE
- ;;
- *_status)
- INSTANCE=`echo $1 | /bin/cut -d '_' -f 1`
- status_instance $INSTANCE
- ;;
- *)
- echo "Usage: $0 {start|stop|restart|status|#_start|#_stop|#_restart}"
- exit 1
- ;;
+ start)
+ start
+ ;;
+
+ stop)
+ stop
+ ;;
+
+ restart)
+ stop
+ sleep 3
+ start
+ ;;
+
+ status)
+ status
+ ;;
+
+ *)
+ echo "Usage: $0 (start|stop|restart|status)"
esac
+
+
diff --git a/network/dnscrypt-proxy/slack-desc b/network/dnscrypt-proxy/slack-desc
index 46cdd370c587..092cd543f49f 100644
--- a/network/dnscrypt-proxy/slack-desc
+++ b/network/dnscrypt-proxy/slack-desc
@@ -13,7 +13,7 @@ dnscrypt-proxy: your local resolver or as a DNS forwarder, encrypting and
dnscrypt-proxy: authenticating requests using the DNSCrypt protocol and passing them
dnscrypt-proxy: to an upstream DNSCrypt-enabled server.
dnscrypt-proxy:
-dnscrypt-proxy: https://github.com/jedisct1/dnscrypt-proxy
dnscrypt-proxy:
dnscrypt-proxy:
dnscrypt-proxy:
+dnscrypt-proxy: https://github.com/DNSCrypt/dnscrypt-proxy