dnscrypt-wrapper's Introduction

Name

dnscrypt-wrapper - A server-side dnscrypt proxy.

Description

This is dnscrypt-wrapper, a server-side DNSCrypt proxy. It sits in front of any existing name resolver and adds DNSCrypt support to it, so the resolver itself needs no changes.

It is derived from the dnscrypt-proxy code base.

Installation

Install libsodium and libevent 2.1.1+ first.

On Linux:

$ ldconfig # only if you installed libsodium from source
$ git clone git://github.com/cofyc/dnscrypt-wrapper.git
$ cd dnscrypt-wrapper
$ make configure
$ ./configure
$ make install

On FreeBSD:

$ pkg install dnscrypt-wrapper

On OpenBSD:

$ pkg_add -r gmake autoconf
$ pkg_add -r libevent
$ git clone git://github.com/cofyc/dnscrypt-wrapper.git
$ cd dnscrypt-wrapper
$ gmake LDFLAGS='-L/usr/local/lib/' CFLAGS=-I/usr/local/include/

On MacOS:

$ brew install dnscrypt-wrapper

In Docker:

See https://github.com/jedisct1/dnscrypt-server-docker.

Usage

Quick Start

  1. Generate the provider key pair:
$ dnscrypt-wrapper --gen-provider-keypair \
  --provider-name=2.dnscrypt-cert.<yourdomain> --ext-address=<external server ip>

If your server doesn't store logs, add --nolog, and if it supports DNSSEC, add --dnssec; these flags are recorded as properties of the stamp that clients use.

This will create two files in the current directory: public.key and secret.key.

This is a long-term key pair that is never supposed to change unless the secret key is compromised. Clients pin the provider public key, so replacing it means reconfiguring every client. Make sure that secret.key is securely stored and backed up. The running daemon only needs the time-limited key and its certificate (see below), so secret.key can be kept off the server and used only when signing certificates.

It will also print the server stamp (sdns://...) for dnscrypt-proxy version 2.x.

If you forgot to save your provider public key:

$ dnscrypt-wrapper --show-provider-publickey --provider-publickey-file <your-publickey-file>

This will print it out.

  2. Generate a time-limited secret key, which will be used to encrypt and authenticate DNS queries, and a certificate for it:
$ dnscrypt-wrapper --gen-crypt-keypair --crypt-secretkey-file=1.key
$ dnscrypt-wrapper --gen-cert-file --crypt-secretkey-file=1.key --provider-cert-file=1.cert \
                   --provider-publickey-file=public.key --provider-secretkey-file=secret.key

In this example, the time-limited secret key will be saved as 1.key and its related certificate as 1.cert in the current directory.

Time-limited secret keys and certificates can be updated at any time without requiring clients to update their configuration.

NOTE: By default, the certificate expires after 1 day (24 hours) for safety. You can change this with --cert-file-expire-days=<days>, but a short-lived key combined with the rotation procedure described under Key rotation below is the better choice.

  3. Run the program with a given key, a provider name and the most recent certificate:
$ dnscrypt-wrapper --resolver-address=8.8.8.8:53 --listen-address=0.0.0.0:443 \
                   --provider-name=2.dnscrypt-cert.<yourdomain> \
                   --crypt-secretkey-file=1.key --provider-cert-file=1.cert

The provider name can be anything; it doesn't have to be within an existing domain name. However, it has to start with 2.dnscrypt-cert., e.g. 2.dnscrypt-cert.example.com.

When the service is started with the --provider-cert-file switch, the proxy will automatically serve the certificate as a TXT record when a query for the provider name is received.

As an alternative, the TXT record can be served by a name server for an actual DNS zone you are authoritative for. In that scenario, the --provider-cert-file option is not required, and instructions for Unbound and TinyDNS are displayed by the program when generating a provider certificate.

You can get instructions later by running:

$ dnscrypt-wrapper --show-provider-publickey-dns-records
                   --provider-cert-file <path/to/your/provider_cert_file>

  4. Run dnscrypt-proxy to check if it works:
$ dnscrypt-proxy --local-address=127.0.0.1:55 --resolver-address=127.0.0.1:443 \
                 --provider-name=2.dnscrypt-cert.<yourdomain> \
                 --provider-key=<provider_public_key>
$ dig -p 55 google.com @127.0.0.1

<provider_public_key> is public key generated by dnscrypt-wrapper --gen-provider-keypair, which looks like 4298:5F65:C295:DFAE:2BFB:20AD:5C47:F565:78EB:2404:EF83:198C:85DB:68F1:3E33:E952.

Optionally, add -d/--daemonize flag to run as a daemon.

Run dnscrypt-wrapper -h to view command line options.

Running unauthenticated DNS and the dnscrypt service on the same port

By default, and with the exception of records used for the certificates, only queries using the DNSCrypt protocol will be accepted.

If you want to run a service only accessible using DNSCrypt, this is what you want.

If you want to run a service accessible both with and without DNSCrypt, what you usually want is to keep the standard DNS port for the unauthenticated DNS service (53), and use a different port for DNSCrypt. You don't have to change anything for this either.

However, if you want to run both on the same port, maybe because only port 53 is reachable on your server, you can add the -U (--unauthenticated) switch to the command line. This is not recommended: the same socket then also answers plaintext queries, and a client that silently falls back to plain DNS loses the protection without noticing.

Key rotation

Time-limited keys are bound to expire.

dnscrypt-proxy can check whether the current certificate for a given server is about to expire:

$ dnscrypt-proxy --resolver-address=127.0.0.1:443 \
                 --provider-name=2.dnscrypt-cert.<yourdomain> \
                 --provider-key=<provider_public_key> \
                 --test=10080

The --test option is followed by a grace margin, always specified in minutes (10080 minutes is 7 days). The command exits immediately after verifying the certificate validity.

The exit code is 0 if a valid certificate can be used, 2 if no valid certificate can be used, 3 if a timeout occurred, and 4 if a currently valid certificate is going to expire before the margin.

This can be used in a cron job to trigger an alert (or the rotation described below) before a key expires.
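As an added example (this is not code from dnscrypt-wrapper or dnscrypt-proxy), the following Python decodes the certificate TXT record that the wrapper prints and serves, extracts its validity window, reproduces the --test exit-code convention offline, and shows the 8-byte client-magic check that separates DNSCrypt queries from plain DNS on a shared port. The field layout is the DNSCrypt v1 certificate format; the sample certificate is constructed and unsigned (a real client would reject it), and the function names are this example's own.

```python
"""Decode and sanity-check a DNSCrypt provider certificate (added example).

Layout of the DNSCrypt v1 certificate that dnscrypt-wrapper publishes in the
TXT record for the provider name, all integers big-endian:
  "DNSC"(4) es-version(2) minor-version(2) signature(64) resolver-pk(32)
  client-magic(8) serial(4) ts-start(4) ts-end(4) [extensions]
"""
import struct
import time
from typing import Any, Dict, Optional

CERT_MAGIC = b"DNSC"
ES_VERSIONS = {1: "X25519-XSalsa20Poly1305", 2: "X25519-XChaCha20Poly1305"}
CERT_MIN_LEN = 124  # 4 + 2 + 2 + 64 + 32 + 8 + 4 + 4 + 4

# Exit codes documented for `dnscrypt-proxy --test` (3 = timeout cannot
# happen offline, so it is not modelled here).
VALID, NO_VALID_CERT, EXPIRING_SOON = 0, 2, 4


def unescape_txt(presentation: str, octal: bool = False) -> bytes:
    """Turn a TXT rdata string back into raw bytes.

    Zone-file records (the Unbound/nsd lines the wrapper prints, and what
    dig shows) use RFC 1035 \\DDD decimal escapes; tinydns data lines use
    \\ooo octal escapes. A backslash before any other character escapes it.
    """
    out = bytearray()
    i = 0
    while i < len(presentation):
        ch = presentation[i]
        if ch != "\\":
            out.append(ord(ch))
            i += 1
            continue
        digits = presentation[i + 1:i + 4]
        if len(digits) == 3 and digits.isdigit():
            value = int(digits, 8 if octal else 10)
            if value > 255:
                raise ValueError("escape out of range: \\" + digits)
            out.append(value)
            i += 4
        elif i + 1 < len(presentation):
            out.append(ord(presentation[i + 1]))
            i += 2
        else:
            raise ValueError("dangling backslash at end of record")
    return bytes(out)


def parse_cert(blob: bytes) -> Dict[str, Any]:
    """Split a raw certificate into fields; raise ValueError if malformed."""
    if len(blob) < CERT_MIN_LEN:
        raise ValueError(f"certificate too short: {len(blob)} < {CERT_MIN_LEN} bytes")
    magic, es_version, minor = struct.unpack(">4sHH", blob[:8])
    if magic != CERT_MAGIC:
        raise ValueError(f"bad magic {magic!r}")
    if es_version not in ES_VERSIONS:
        raise ValueError(f"unknown es-version {es_version}")
    serial, ts_start, ts_end = struct.unpack(">III", blob[112:124])
    return {
        "es_version": ES_VERSIONS[es_version],
        "minor_version": minor,
        "signature": blob[8:72],        # Ed25519 over blob[72:], keyed by public.key
        "resolver_pk": blob[72:104],    # public half of the time-limited key (1.key)
        "client_magic": blob[104:112],  # first 8 bytes of every DNSCrypt query
        "serial": serial,
        "ts_start": ts_start,
        "ts_end": ts_end,
    }


def check_validity(cert: Dict[str, Any], margin_minutes: int,
                   now: Optional[int] = None) -> int:
    """Reproduce the --test verdict: 0 usable, 2 unusable, 4 expires within margin."""
    now = int(time.time()) if now is None else now
    if now < cert["ts_start"] or now > cert["ts_end"]:
        return NO_VALID_CERT
    if cert["ts_end"] - now < margin_minutes * 60:
        return EXPIRING_SOON
    return VALID


def is_dnscrypt_query(packet: bytes, client_magic: bytes) -> bool:
    """DNSCrypt queries start with the certificate's 8-byte client magic; anything
    else is plain DNS, which the wrapper only forwards when started with -U."""
    return len(packet) >= 8 and packet[:8] == client_magic


def build_unsigned_cert(resolver_pk: bytes, client_magic: bytes, serial: int,
                        ts_start: int, ts_end: int, es_version: int = 1) -> bytes:
    """Constructed sample for this example: the signature is left zeroed, so a
    real client would (correctly) reject it; only the layout is exercised."""
    return (CERT_MAGIC + struct.pack(">HH", es_version, 0) + bytes(64)
            + resolver_pk + client_magic + struct.pack(">III", serial, ts_start, ts_end))


if __name__ == "__main__":
    sample = build_unsigned_cert(bytes(range(32)), b"\x01\x02\x03\x04\x05\x06\x07\x08",
                                 serial=1, ts_start=1_700_000_000, ts_end=1_700_086_400)
    cert = parse_cert(sample)
    print(cert["es_version"], "serial", cert["serial"],
          "verdict with 7-day margin:", check_validity(cert, 10080, now=1_700_000_100))
```

Paste the quoted rdata from dig into unescape_txt (octal=True for the tinydns line) and hand the result to parse_cert. A decoded record shorter than 124 bytes means the record was mangled on its way into the zone; backslash escapes such as \092 are a common casualty, so compare the dig output byte for byte with the record the wrapper printed. Verifying the Ed25519 signature against public.key is what dnscrypt-proxy does on top of these checks and is left out here to keep the example dependency-free.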

In order to switch to a fresh new key:

First, create a new time-limited key (do not change the provider key!) and its certificate:

$ dnscrypt-wrapper --gen-crypt-keypair --crypt-secretkey-file=2.key
$ dnscrypt-wrapper --gen-cert-file --crypt-secretkey-file=2.key --provider-cert-file=2.cert \
                   --provider-publickey-file=public.key --provider-secretkey-file=secret.key \
                   --cert-file-expire-days=1

Second, serve the new certificate while still accepting the old key, until all clients have picked up the new certificate:

$ dnscrypt-wrapper --resolver-address=8.8.8.8:53 --listen-address=0.0.0.0:443 \
                   --provider-name=2.dnscrypt-cert.<yourdomain> \
                   --crypt-secretkey-file=1.key,2.key --provider-cert-file=1.cert,2.cert

Note that both 1.key and 2.key have to be specified in order to accept both the previous and the current key; a client that still holds the old certificate would otherwise be rejected.

Third, clients automatically check for new certificates every hour. So, after one hour, the old certificate can be refused by leaving only the new one in the configuration:

$ dnscrypt-wrapper --resolver-address=8.8.8.8:53 --listen-address=0.0.0.0:443 \
                   --provider-name=2.dnscrypt-cert.<yourdomain> \
                   --crypt-secretkey-file=2.key --provider-cert-file=2.cert

Please note that on Linux systems (kernel >= 3.9, which introduced SO_REUSEPORT), multiple instances of dnscrypt-wrapper can listen on the same address at the same time. Therefore, in order to switch to a new configuration, one can start a new daemon without killing the previous instance, and only kill the previous instance once the new one is up.

This also allows upgrades with zero downtime.

Blocking

For servers that want to block specific domain names (ads, malware), the --blacklist-file parameter can be added. The blacklist file accepts patterns such as:

  • example.com: blocks example.com as well as www.example.com
  • *.example.com: identical, just more explicit
  • *example*: blocks the example substring no matter where it appears
  • ads.*: blocks the ads. prefix

Prefix and suffix lookups are fast and can scale to very large lists.
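As an added example (not dnscrypt-wrapper's own implementation), the following Python implements the four pattern forms listed above with the label-boundary semantics they describe, and indexes suffix and prefix rules in hash sets so that a lookup costs one set probe per label regardless of how long the list is; only substring rules need a linear scan. The class and method names and the sample patterns are this example's own.

```python
"""Blocklist matcher with the pattern forms used by --blacklist-file (added example)."""
from typing import Iterable, List, Optional, Set, Tuple

Labels = Tuple[str, ...]


class Blocklist:
    """Index blacklist patterns once, then answer "is this name blocked?" cheaply."""

    def __init__(self, patterns: Iterable[str]) -> None:
        self.suffixes: Set[Labels] = set()   # stored reversed: ("com", "example")
        self.prefixes: Set[Labels] = set()   # stored as leading labels: ("ads",)
        self.substrings: List[str] = []      # scanned linearly; keep this list short
        for raw in patterns:
            line = raw.split("#", 1)[0].strip().lower()
            if not line:
                continue
            if line.startswith("*") and line.endswith("*"):
                sub = line.strip("*")        # *example*: substring anywhere
                if sub:
                    self.substrings.append(sub)
            elif line.startswith("*."):      # *.example.com: same as example.com
                self.suffixes.add(self._labels(line[2:])[::-1])
            elif line.endswith(".*"):        # ads.*: leading labels
                self.prefixes.add(self._labels(line[:-2]))
            else:                            # example.com: itself and any subdomain
                self.suffixes.add(self._labels(line)[::-1])

    @staticmethod
    def _labels(name: str) -> Labels:
        return tuple(name.strip(".").split("."))

    def match(self, name: str) -> Optional[str]:
        """Return the normalized pattern that blocks `name`, or None if allowed."""
        labels = self._labels(name.lower())
        # Suffix rules: walk inwards from the TLD, one set probe per label, so the
        # cost depends on the depth of the name, not on the size of the list, and
        # "example.com" never matches "notexample.com" (label boundary respected).
        reversed_labels = labels[::-1]
        for n in range(1, len(labels) + 1):
            key = reversed_labels[:n]
            if key in self.suffixes:
                return ".".join(key[::-1])
        # Prefix rules: walk outwards from the leftmost label.
        for n in range(1, len(labels) + 1):
            if labels[:n] in self.prefixes:
                return ".".join(labels[:n]) + ".*"
        # Substring rules match anywhere, including across label boundaries.
        joined = ".".join(labels)
        for sub in self.substrings:
            if sub in joined:
                return "*" + sub + "*"
        return None


if __name__ == "__main__":
    # Constructed sample list, in the format --blacklist-file accepts.
    rules = Blocklist(["example.com", "*.tracker.net", "*ads*", "telemetry.*"])
    for qname in ["www.example.com", "notexample.com", "cdn.adserver.org", "clean.org"]:
        print(qname, "->", rules.match(qname) or "allowed")
```

Substring patterns are the expensive and error-prone form (a pattern like *ads* also hits "roads.example.org"), which is why the page recommends prefix and suffix rules for very large lists.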

Chinese

Note: third-party documentation may not be in sync with the latest version; README.md is authoritative.


dnscrypt-wrapper's Issues

dnscrypt-proxy Project Archived

Greetings,

It seems the jedisct1/dnscrypt-proxy project was recently archived, making it read-only. A couple of months ago jedisct1 created an issue asking for new maintainers, but nobody seemed willing or able to take over ownership. The most pressing issue right now is probably that the public resolver list can no longer be updated, and clients may end up trying to access dead or changed servers.

I have created an issue here on my fork in an attempt to create a place for users to discuss the future of the project (since a new issue obviously can not be opened on the original project page). If anyone has a better idea or is able to contact jedisct1 I am all ears. Hopefully opening an issue here doesn't seem like an overreaction, I just don't know of another way to locate dnscrypt-proxy users and discuss the future of the project.

If this is really an inappropriate place to look for help please accept my sincere apologies.

Snork.

[ERROR] Suspicious certificate received

Hello, after deploying dnscrypt-wrapper I tested it with dnscrypt-proxy and got these errors:
[ERROR] Suspicious certificate received
[ERROR] No useable certificates found
Where is the problem?
I followed the README for the deployment; afterwards it runs, and I can see the process with ps -A.

Generating the certificate and keys went fine.

[root@localhost bin]# ./dnscrypt-wrapper --gen-provider-keypair
Generate provider key pair... ok.
Public key fingerprint: 2937:B40E:1B3C:8C09:DCD2:CA6E:71BC:BB4E:FA5C:FDE1:B3B9:273A:B279:F841:9B21:AFB6
Keys are stored in public.key & secret.key.
[root@localhost bin]# ./dnscrypt-wrapper --gen-crypt-keypair
Generate crypt key pair... ok.
Keys are stored in crypt_public.key & crypt_secret.key.
[root@localhost bin]# ./dnscrypt-wrapper --crypt-secretkey-file crypt_secret.key --crypt-publickey-file=crypt_public.key --provider-publickey-file=public.key --provider-secretkey-file=secret.key --gen-cert-file
[32115] 14 Sep 17:03:56.796 [notice] Generating pre-signed certificate.
[32115] 14 Sep 17:03:56.797 [notice] TXT record for signed-certificate:

  • Record for nsd:
    2.dnscrypt-cert 86400 IN TXT "DNSC\000\001\000\000\144\139\158\240i\248\010\186g\222\156\136\132Xo@\092\135c\252\157\245\163\162\159\173e\155N\005\206\153\137\002F\208\183\024\134G\169x\225o\2216\021'\160U\127\003\224\190\215\251\228o\173s\172\248\015\005\144\139\158\240i\248\010\186g\222\156\136\132Xo@\092\135c\252\157\245\163\162\159\173e\155N\005\206\153\137\002F\208\183\024\134G\169x\225o\2216\021'\160U\127\003"
  • Record for tinydns:
    '2.dnscrypt-cert:DNSC\000\001\000\000\220\213\236\360i\370\012\272g\336\234\210\204Xo@\134\207c\374\235\365\243\242\237\255e\233N\005\316\231\211\002F\320\267\030\206G\251x\341o\3356\025'\240U\177\003\340\276\327\373\344o\255s\254\370\017\005\220\213\236\360i\370\012\272g\336\234\210\204Xo@\134\207c\374\235\365\243\242\237\255e\233N\005\316\231\211\002F\320\267\030\206G\251x\341o\3356\025'\240U\177\003:86400

[32115] 14 Sep 17:03:56.797 [notice] Certificate stored in dnscrypt.cert.
[root@localhost bin]# dig txt 2.dnscrypt-cert.ntr.cu.cc

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> txt 2.dnscrypt-cert.ntr.cu.cc
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15606
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0005 , udp: 4096
;; QUESTION SECTION:
;2.dnscrypt-cert.ntr.cu.cc. IN TXT

;; ANSWER SECTION:
2.dnscrypt-cert.ntr.cu.cc. 5 IN TXT "DNSC\000\001\000\000\144\139\158\240i\248\010\186g\222\156\136\132Xo@\135c\252\157\245\163\162\159\173e\155N\005\206\153\137\002F\208\183\024\134G\169x\225o\2216\021'\160U\127\003\224\190\215\251\228o\173s\172\248\015\005\144\139\158\240i\248\010\186g" "\222\156\136\132Xo@\135c\252\157\245\163\162\159\173e\155N\005\206\153\137\002F\208\183\024\134G\169x\225o\2216\021'\160U\127\003"

;; Query time: 306 msec
;; SERVER: 192.168.30.2#53(192.168.30.2)
;; WHEN: Sun Sep 14 17:06:07 CST 2014
;; MSG SIZE rcvd: 192

[root@localhost bin]# ./dnscrypt-wrapper -r 8.8.8.8:53 -a 0.0.0.0:3762 --crypt-secretkey-file=crypt_secret.key --crypt-publickey-file=crypt_public.key --provider-cert-file=dnscrypt.cert --provider-name=2.dnscrypt-cert.ntr.cu.cc -VV
[32158] 14 Sep 17:07:56.434 [info] Crypt public key fingerprint: 7C34:22B2:EF89:B3C4:183B:8945:18F3:1260:A66D:477A:78C2:765C:5508:A955:E683:8D38

dig shows the TXT record is live. In another terminal window I test with dnscrypt-proxy:

[root@localhost ~]# dnscrypt-proxy -a 127.0.0.1:55 --provider-name=2.dnscrypt-cert.ntr.cu.cc -r 192.168.30.128:3762 --provider-key=2937:B40E:1B3C:8C09:DCD2:CA6E:71BC:BB4E:FA5C:FDE1:B3B9:273A:B279:F841:9B21:AFB6
[NOTICE] Starting dnscrypt-proxy 1.4.0
[INFO] Initializing libsodium for optimal performance
[INFO] Generating a new key pair
[INFO] Done
[ERROR] Suspicious certificate received
[ERROR] No useable certificates found
[INFO] Refetching server certificates
[ERROR] Suspicious certificate received
[ERROR] No useable certificates found
[INFO] Refetching server certificates
[ERROR] Suspicious certificate received
[ERROR] No useable certificates found
[INFO] Refetching server certificates
[ERROR] Suspicious certificate received
[ERROR] No useable certificates found
^C

I tried both 127.0.0.1 and the LAN IP for dnscrypt-wrapper, with the same result.
In the window running dnscrypt-wrapper I can see the log:

[root@localhost bin]# ./dnscrypt-wrapper -r 8.8.8.8:53 -a 0.0.0.0:3762 --crypt-secretkey-file=crypt_secret.key --crypt-publickey-file=crypt_public.key --provider-cert-file=dnscrypt.cert --provider-name=2.dnscrypt-cert.ntr.cu.cc -VV
[32517] 14 Sep 17:18:23.834 [info] Crypt public key fingerprint: 7C34:22B2:EF89:B3C4:183B:8945:18F3:1260:A66D:477A:78C2:765C:5508:A955:E683:8D38
[32517] 14 Sep 17:33:53.962 [debug] client to proxy cb
[32517] 14 Sep 17:33:58.968 [debug] client to proxy cb
[32517] 14 Sep 17:34:03.973 [debug] client to proxy cb
[32517] 14 Sep 17:34:09.980 [debug] client to proxy cb
[32517] 14 Sep 17:34:14.986 [debug] client to proxy cb
[32517] 14 Sep 17:34:19.990 [debug] client to proxy cb
[32517] 14 Sep 17:34:27.999 [debug] client to proxy cb
[32517] 14 Sep 17:34:33.003 [debug] client to proxy cb
[32517] 14 Sep 17:34:38.009 [debug] client to proxy cb
[32517] 14 Sep 17:34:56.137 [debug] client to proxy cb
[32517] 14 Sep 17:34:57.140 [debug] client to proxy cb
[32517] 14 Sep 17:35:00.144 [debug] client to proxy cb
[32517] 14 Sep 17:35:06.154 [debug] client to proxy cb
[32517] 14 Sep 17:35:15.164 [debug] client to proxy cb
[32517] 14 Sep 17:35:27.169 [debug] client to proxy cb
[32517] 14 Sep 17:35:42.190 [debug] client to proxy cb
[32517] 14 Sep 17:36:00.210 [debug] client to proxy cb

I got the same result earlier when testing on a VPS, and also when testing with the test parameter of the Windows client dnscrypt-proxy.exe.

By the way, during the make step of the dnscrypt-wrapper install there were two warnings I don't understand; maybe the problem above is related to them.

[root@localhost dnscrypt-wrapper]# make
CC dnscrypt.o
CC udp_request.o
CC tcp_request.o
CC edns.o
CC logger.o
CC rfc1035.o
CC safe_rw.o
CC cert.o
cert.c: In function 'cert_display_txt_record_tinydns':
cert.c:76:18: warning: iteration 4ul invokes undefined behavior [-Waggressive-loop-optimizations]
c = (int)(signed_cert->magic_cert + i);
^
cert.c:75:11: note: containing loop
while (i < sizeof(struct SignedCert)) {
^
cert.c: In function 'cert_display_txt_record':
cert.c:96:18: warning: iteration 4ul invokes undefined behavior [-Waggressive-loop-optimizations]
c = (int)
(signed_cert->magic_cert + i);
^
cert.c:95:11: note: containing loop
while (i < sizeof(struct SignedCert)) {
^
CC pidfile.o
CC main.o
make[1]: Entering directory '/root/dnscrypt-wrapper/argparse'
cc -o argparse.o -c -Wall -O3 -g -ggdb -fPIC argparse.c
ar rcs libargparse.a argparse.o
make[1]: Leaving directory '/root/dnscrypt-wrapper/argparse'
LINK dnscrypt-wrapper

The environment is CentOS, with the required libevent and libsodium installed; dnscrypt-wrapper version 0.1.10, dnscrypt-proxy version 1.4.0.

No response to requests

Has anyone run into this: right after starting it resolves fine, but after a while requests get no response and no log is printed; after a restart it works again.
tcpdump shows packets arriving at the port. Is there a way to get more detailed logs? I have already added -VVV.
On my CentOS 7 box this reliably happens after it has been running for a while.
Linux li1439-167 4.1.5-x86_64 x86_64 x86_64 x86_64 GNU/Linux

Build fails, although ./configure's library checks pass.

[root@centos dnscrypt-wrapper]# make
CC dnscrypt.o
In file included from dnscrypt.c:1:
dnscrypt.h:6:26: warning: event2/event.h: No such file or directory
dnscrypt.h:7:29: warning: event2/listener.h: No such file or directory
dnscrypt.h:8:32: warning: event2/bufferevent.h: No such file or directory
dnscrypt.h:9:27: warning: event2/buffer.h: No such file or directory
dnscrypt.h:10:25: warning: event2/util.h: No such file or directory
In file included from dnscrypt.h:74,
from dnscrypt.c:1:
udp_request.h:24: error: expected specifier-qualifier-list before 'evutil_socket_t'
In file included from dnscrypt.c:1:
dnscrypt.h:92: error: expected specifier-qualifier-list before 'ev_socklen_t'
dnscrypt.c: In function 'dnscrypt_hrtime':
dnscrypt.c:26: warning: implicit declaration of function 'evutil_gettimeofday'
dnscrypt.c: In function 'dnscrypt_key_to_fingerprint':
dnscrypt.c:45: warning: implicit declaration of function 'evutil_snprintf'
dnscrypt.c: In function 'dnscrypt_server_uncurve':
dnscrypt.c:186: error: 'struct context' has no member named 'crypt_secretkey'
dnscrypt.c: In function 'add_server_nonce':
dnscrypt.c:224: error: 'struct context' has no member named 'nonce_ts_last'
dnscrypt.c:225: error: 'struct context' has no member named 'nonce_ts_last'
dnscrypt.c:227: error: 'struct context' has no member named 'nonce_ts_last'
dnscrypt.c: In function 'dnscrypt_server_curve':
dnscrypt.c:266: error: 'struct context' has no member named 'crypt_secretkey'
make: *** [dnscrypt.o] Error 1

Regenerating an expired certificate

Recently, the first certificate that I created with dnscrypt-wrapper expired, causing dnscrypt-proxy to refuse to speak to it. I fixed the problem by removing the following files:

rm crypt_public.key crypt_secret.key dnscrypt.cert

This left only public.key and secret.key. I then re-generated them with the following commands:

dnscrypt-wrapper --gen-crypt-keypair
dnscrypt-wrapper --crypt-secretkey-file crypt_secret.key --provider-publickey-file=public.key --provider-secretkey-file=secret.key --gen-cert-file

This seemed to work, but I wanted to check and see if this was the correct way to do this?

Installed 4 times on CentOS 7, no errors at all, but it just doesn't work.

The only abnormal thing is that after running this command the server does not respond.
$ dnscrypt-wrapper --resolver-address=8.8.8.8:53 --listen-address=0.0.0.0:443 \
                   --provider-name=2.dnscrypt-cert.yechengfu.com \
                   --crypt-secretkey-file=1.key --provider-cert-file=1.cert

I followed your steps exactly, but DNS just doesn't go through. The firewall is also turned off.

dnscrypt-wrapper often hangs.

Hey, I found that if no device uses dnscrypt-wrapper for DNS resolution for a while, then when I use it again later, web pages often won't open,

and then dig shows that name resolution is unavailable.

At that point dnscrypt-wrapper needs to be restarted, and then it works again.

Below are example server and client commands:

Client:

#!/bin/sh

ENABLED=yes
PROCS=dnscrypt-proxy
ARGS="-T -a 127.0.0.1:65053 -r 123.123.123.123:22335 -N 2.dnscrypt-cert.domain.com -k 3750:AED7:CEAB:DA91:137A:AFCD:3330:AEAA:2FEB:22AB:07FB:KVCE:3E72:31A3:5F1E:FE78"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

Server:

/usr/sbin/dnscrypt-wrapper \
    -r 8.8.4.4:53 \
    -a 0.0.0.0:22335 \
    --provider-name=2.dnscrypt-cert.domain.com \
    --crypt-secretkey-file=/root/.dnskey/1.key \
    --provider-cert-file=/root/.dnskey/1.cert \
    -d \
    -VVV \
    -l /tmp/dnscrypt-wrapper.log

Thanks.

[Possible DoS exploit] Crash on relatively large sized DNS response

Heya.

When my dnscrypt-wrapper suddenly crashed today I decided to dig deeper into the issue and noticed something strange: I noticed that doing a PTR lookup against the zone 10.29.96.63.in-addr.arpa (which contains roughly 2k PTR records) over a secured dnscrypt link easily crashes dnscrypt-wrapper 0.2.1-1.g6ac9ae3 (6ac9ae3) with the following strace:

readv(11, [{"dgroupinc\300A\300\f\0\f\0\1\0\0\5\277\0\7\4kcdc\300A\300\f\0\f\0\1\0\0\5\277\0\20\rvictoriaplace\300A\300\f\0\f\0\1\0\0\5\277\0\r\nconwaymgmt\300A\300\f\0\f\0\1\0\0\5\277\0\f\tnew"..., 352}, {"ure\300A\300\f\0\f\0\1\0\0\5\277\0\36\33renaissancecollaborativeinc\300A\300\f\0\f\0\1\0\0\5\277\0\23\20choctawhopedevel\300A\300\f\0\f\0\1\0\0\5\277\0\16\vevagiord"..., 3744}], 2) = 4096
epoll_wait(4, {{EPOLLIN, {u32=11, u64=11}}}, 32, 9973) = 1
clock_gettime(CLOCK_MONOTONIC, {2158235, 555787530}) = 0
ioctl(11, FIONREAD, [4026])             = 0
readv(11, [{"ight\300A\300\f\0\f\0\1\0\0\5\277\0\20\rswhproperties\300A\300\f\0\f\0\1\0\0\5\277\0\n\7hmneinc\300A\300\f\0\f\0\1\0\0\5\277\0\23\20mendhamareasrhse\300A\300\f\0\f\0\1\0\0\5\277\0\t"..., 304}, {"c\300A\300\f\0\f\0\1\0\0\5\277\0\22\17jacksonpropcomp\300A\300\f\0\f\0\1\0\0\5\277\0\6\3sqa\300A\300\f\0\f\0\1\0\0\5\277\0\v\10montford\300A\300\f\0\f\0\1\0\0\5\277\0\f\thunterdon\300A\300"..., 3722}], 2) = 4026
epoll_ctl(4, EPOLL_CTL_DEL, 11, 7ffef153c6f0) = 0
write(1, "[5850] 09 Jul 10:11:21.385 [debug] [tcp_request.c:324] Resolver read callback.\n", 79) = 79
brk(0x1a35000)                          = 0x1a35000
read(3, "'\21B\250", 4)                 = 4
read(3, "V\2411w", 4)                   = 4
epoll_ctl(4, EPOLL_CTL_ADD, 10, {EPOLLOUT, {u32=10, u64=10}}) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=0} ---
write(1, "[5850] 09 Jul 10:11:21.386 [warning] [debug.c:95] Crashed by signal: 11\n", 72) = 72
write(1, "[5850] 09 Jul 10:11:21.386 [warning] [debug.c:96] --- STACK TRACE\n", 66) = 66
write(1, "[5850] 09 Jul 10:11:21.386 [warning] [debug.c:98] Failed assertion: <no assertion failed> (<no file"..., 104) = 104
write(1, "[5850] 09 Jul 10:11:21.386 [warning] [debug.c:100] --- STACK TRACE\n", 67) = 67
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 12
fstat(12, {st_mode=S_IFREG|0644, st_size=16850, ...}) = 0
mmap(NULL, 16850, PROT_READ, MAP_PRIVATE, 12, 0) = 0x7f1016c81000
close(12)                               = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 12
read(12, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260*\0\0\0\0\0\0@\0\0\0\0\0\0\0000Y\1\0\0\0\0\0\0\0\0\0@\0008\0\6\0@\0\33\0\32\0\1\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0LT\1"..., 832) = 832
fstat(12, {st_mode=S_IFREG|0644, st_size=90096, ...}) = 0
mmap(NULL, 2185952, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 12, 0) = 0x7f10158f0000
mprotect(0x7f1015906000, 2093056, PROT_NONE) = 0
mmap(0x7f1015b05000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 12, 0x15000) = 0x7f1015b05000
close(12)                               = 0
munmap(0x7f1016c81000, 16850)           = 0
futex(0x7f10160cc190, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7f1015b05850, FUTEX_WAKE_PRIVATE, 2147483647) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=0} ---
+++ killed by SIGSEGV +++
Segmentation fault

GDB:

Starting program: /usr/local/src/dnscrypt-wrapper/dnscrypt-wrapper -U -r 127.0.0.1:53 -a 185.121.177.177:443 --crypt-secretkey-file=/etc/dnscrypt-wrapper/crypt_secret.key --provider-secretkey-file=/etc/dnscrypt-wrapper/secret.key --provider-publickey-file=/etc/dnscrypt-wrapper/public.key --provider-cert-file=/etc/dnscrypt-wrapper/dnscrypt.cert --provider-name=2.dnscrypt-cert.dnsrec.meo.ws
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000406f69 in resolver_proxy_read_cb (proxy_resolver_bev=0x60fd00, tcp_request_=0x60f930) at tcp_request.c:368
368         if (bufferevent_write(tcp_request->client_proxy_bev,
(gdb) bt
#0  0x0000000000406f69 in resolver_proxy_read_cb (proxy_resolver_bev=0x60fd00, tcp_request_=0x60f930) at tcp_request.c:368
#1  0xb5576419f14aedcd in ?? ()
#2  0x34266dc62a3382cb in ?? ()
#3  0x01a17f2c705b53ea in ?? ()
#4  0x81ec1f30a063ecd3 in ?? ()
#5  0x4163b2dafaa4a4a8 in ?? ()
#6  0x55bc841f26efbbdf in ?? ()
#7  0xef2a7c0aed7ddf99 in ?? ()
#8  0xa6190d18a66a9176 in ?? ()
#9  0xeb15ed989a1b5ac3 in ?? ()
#10 0x8da1bf09160c4727 in ?? ()
#11 0x96376e18e63672e0 in ?? ()
#12 0x980352867fa50cbb in ?? ()
#13 0xe46b3866037c8266 in ?? ()
#14 0x121b1c3d474adbe7 in ?? ()
#15 0xb29599bb498b8c34 in ?? ()
#16 0x358b9dff13200f36 in ?? ()
#17 0xc11a24a9502a5fa5 in ?? ()
#18 0x6ae6412d06310f3c in ?? ()
#19 0xeca37448351df131 in ?? ()
#20 0x0000000000000000 in ?? ()

Client side args:

dnscrypt-proxy 
-a 127.123.45.0 
-N 2.dnscrypt-cert.dnsrec.meo.ws 
-k 1A6A:D0A3:2B4C:5A61:A695:D153:670D:69AB:1690:3F9E:C3F7:F64F:13E5:35A3:18B2:28A5 
-r 185.121.177.177

does dnscrypt-wrapper support client authentication?

Hi all,

I'm sniffing around dnscrypt and have a proof of concept (dnscrypt-proxy + dnscrypt-wrapper) working, but I'd love to add client authentication to it. I see this mentioned in various places as a means of having a dnscrypt "server" be able to identify clients that are authorized to query it. But I can't find much documentation about how this works or how to set it up.

is that something that dnscrypt-wrapper supports? if so, is there any docs (or hints?) on how to generate an appropriate key to use on authorized clients?

Thanks!

Joel

cygwin64 compile error and fix

Compiling the latest git version on Windows 10 + cygwin64 causes this error:

error: 'SA_ONSTACK' undeclared (first use in this function)

Fix:
add

#ifdef __CYGWIN__
#ifndef SA_ONSTACK
#define SA_ONSTACK 0x08000000
#endif
#endif

to debug.c

from: redis/redis#232

dnscrypt-wrapper dies on "resolver read callback"

I've tried making out from the source code what's happening, but I had to give up. The only thing I can make out from the logs is that it dies on the message "resolver read callback".

I'm seeing this randomly happen on A lookups regardless of the host being cached or not and with the same hostname lookup sometimes causing a crash and sometimes not.

I'm suspecting some sort of client compatibility issue.

DNS server: BIND 9.8.4-rpz2+rl005.12-P1
Clients: Well, it's public so I cant answer that.
Linux kernel: 2.6.32-042stab079.6

Let me know if you'd like more info.

Unknown error, I can't make sense of it

[6446] 13 Jun 08:50:05.369 [debug] [udp_request.c:381] Unauthenticated query received over UDP
[6446] 13 Jun 08:50:16.381 [debug] [udp_request.c:308] client to proxy cb
[6446] 13 Jun 08:50:16.381 [debug] [udp_request.c:381] Unauthenticated query received over UDP
[6446] 13 Jun 08:50:21.385 [debug] [udp_request.c:308] client to proxy cb
[6446] 13 Jun 08:50:21.385 [debug] [udp_request.c:381] Unauthenticated query received over UDP
[6446] 13 Jun 08:50:26.391 [debug] [udp_request.c:308] client to proxy cb
[6446] 13 Jun 08:50:26.391 [debug] [udp_request.c:381] Unauthenticated query received over UDP
[6446] 13 Jun 08:50:40.353 [debug] [udp_request.c:308] client to proxy cb
[6446] 13 Jun 08:50:40.353 [debug] [udp_request.c:381] Unauthenticated query received over UDP
[6446] 13 Jun 08:50:45.403 [debug] [udp_request.c:308] client to proxy cb
[6446] 13 Jun 08:50:45.403 [debug] [udp_request.c:381] Unauthenticated query received over UDP
[6446] 13 Jun 08:50:50.415 [debug] [udp_request.c:308] client to proxy cb
[6446] 13 Jun 08:50:50.415 [debug] [udp_request.c:381] Unauthenticated query received over UDP
[6446] 13 Jun 08:51:07.433 [debug] [udp_request.c:308] client to proxy cb
[6446] 13 Jun 08:51:07.433 [debug] [udp_request.c:381] Unauthenticated query received over UDP

Segfault :(

Hi,
I updated today to the last version and tried to start dnscrypt-wrapper 4 times on 4 different ports...

Two times it's running, but 3 times I got this issue... And yes, there are only 4 ports...

[ 429.524058] dnscrypt-wrappe[4965]: segfault at 91 ip 00000000004044bd sp 00007fff19fd6020 error 4 in dnscrypt-wrapper[400000+a000]
[ 431.519669] dnscrypt-wrappe[4963]: segfault at 90 ip 00000000004044bd sp 00007fffbb460970 error 4 in dnscrypt-wrapper[400000+a000]
[ 484.112097] dnscrypt-wrappe[4977]: segfault at 91 ip 00000000004044bd sp 00007fff13188bb0 error 4 in dnscrypt-wrapper[400000+a000]

installation

I am trying to install dnscrypt-wrapper, but every 0.1.15 release hits this error:

git submodule update --init argparse
make: git: Command not found
make: *** [argparse/argparse.h] Error 127

but with git clone everything works fine.

Any idea for the 0.1.15 releases?
Thanks in advance

Crash after restart

I'm not sure if this is a bug in my setup or a dnscrypt-wrapper related bug, but here we go:

My dnscrypt-wrapper keeps crashing AFTER I kill the previous process which listened on the exact same IP+Port with exact same configuration:

root@fvz-rec-hk-nt-01:~# /usr/local/sbin/dnscrypt-wrapper -U -r 127.0.0.1:53 -a 151.236.20.236:443 --crypt-secretkey-file=/etc/dnscrypt-wrapper/crypt_secret.key --crypt-publickey-file=/etc/dnscrypt-wrapper/crypt_public.key --provider-cert-file=/etc/dnscrypt-wrapper/dnscrypt.cert --provider-name=2.fvz-rec-hk-nt-01.dnscrypt-cert.meo.ws  -VVV
[31760] 02 Jul 12:15:31.087 [info] [main.c:318] Crypt public key fingerprint: C311:BD17:3CE5:D12F:4CE8:033B:275A:DF44:7EAC:D207:32DB:FF6E:DE22:3E03:537A:7B74
[31760] 02 Jul 12:15:31.116 [debug] [udp_request.c:308] client to proxy cb
[31760] 02 Jul 12:15:31.228 [debug] [udp_request.c:308] client to proxy cb
[31760] 02 Jul 12:15:31.381 [debug] [udp_request.c:308] client to proxy cb
[31760] 02 Jul 12:15:31.384 [debug] [udp_request.c:308] client to proxy cb
[...]
[31760] 02 Jul 12:15:34.558 [debug] [udp_request.c:444] resolver to proxy cb
[31760] 02 Jul 12:15:34.558 [debug] [udp_request.c:444] resolver to proxy cb
[31760] 02 Jul 12:15:34.628 [debug] [udp_request.c:308] client to proxy cb
[31760] 02 Jul 12:15:34.717 [debug] [udp_request.c:308] client to proxy cb
[31760] 02 Jul 12:15:34.775 [debug] [udp_request.c:444] resolver to proxy cb
^C
root@fvz-rec-hk-nt-01:~# /usr/local/sbin/dnscrypt-wrapper -U -r 127.0.0.1:53 -a 151.236.20.236:443 --crypt-secretkey-file=/etc/dnscrypt-wrapper/crypt_secret.key --crypt-publickey-file=/etc/dnscrypt-wrapper/crypt_public.key --provider-cert-file=/etc/dnscrypt-wrapper/dnscrypt.cert --provider-name=2.fvz-rec-hk-nt-01.dnscrypt-cert.meo.ws  -VVV
[31761] 02 Jul 12:15:36.054 [info] [main.c:318] Crypt public key fingerprint: C311:BD17:3CE5:D12F:4CE8:033B:275A:DF44:7EAC:D207:32DB:FF6E:DE22:3E03:537A:7B74
[31761] 02 Jul 12:15:36.055 [warning] [debug.c:93] Crashed by signal: 11
[31761] 02 Jul 12:15:36.055 [warning] [debug.c:94] --- STACK TRACE
[31761] 02 Jul 12:15:36.055 [warning] [debug.c:96] Failed assertion: <no assertion failed> (<no file>:0)
[31761] 02 Jul 12:15:36.055 [warning] [debug.c:98] --- STACK TRACE
[0x407fd8]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x273a)[0x7ff9c4310aaa]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x273a)[0x7ff9c4310aaa]
/lib/x86_64-linux-gnu/libc.so.6(vsnprintf+0xa2)[0x7ff9c4336512]
[0x406ea3]
[0x40684b]
[0x403831]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7ff9c42e9ead]
[0x403c9d]
Segmentation fault

Here is an strace of the command:
https://scr.meo.ws/paste/2015-07-02-14-18-19-O0YvcDhn.txt

GDB:

root@fvz-rec-hk-nt-01:~# gdb --args /usr/local/sbin/dnscrypt-wrapper -U -r 127.0.0.1:53 -a 151.236.20.236:443 --crypt-secretkey-file=/etc/dnscrypt-wrapper/crypt_secret.key --crypt-publickey-file=/etc/dnscrypt-wrapper/crypt_public.key --provider-cert-file=/etc/dnscrypt-wrapper/dnscrypt.cert --provider-name=2.fvz-rec-hk-nt-01.dnscrypt-cert.meo.ws  -VVV
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/sbin/dnscrypt-wrapper...done.
(gdb) r
Starting program: /usr/local/sbin/dnscrypt-wrapper -U -r 127.0.0.1:53 -a 151.236.20.236:443 --crypt-secretkey-file=/etc/dnscrypt-wrapper/crypt_secret.key --crypt-publickey-file=/etc/dnscrypt-wrapper/crypt_public.key --provider-cert-file=/etc/dnscrypt-wrapper/dnscrypt.cert --provider-name=2.fvz-rec-hk-nt-01.dnscrypt-cert.meo.ws -VVV
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[32063] 02 Jul 12:20:49.385 [info] [main.c:318] Crypt public key fingerprint: C311:BD17:3CE5:D12F:4CE8:033B:275A:DF44:7EAC:D207:32DB:FF6E:DE22:3E03:537A:7B74

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff716aaaa in vfprintf () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x00007ffff716aaaa in vfprintf () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff7190512 in vsnprintf () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x0000000000406ea3 in _logger_with_fileline (priority=priority@entry=3, fmt=fmt@entry=0x4092ea "Unable to bind (TCP): %s", file=file@entry=0x409233 "tcp_request.c", line=line@entry=418) at logger.c:58
#3  0x000000000040684b in tcp_listener_bind (c=c@entry=0x7fffffffe2b0) at tcp_request.c:418
#4  0x0000000000403831 in main (argc=<optimized out>, argv=0x7fffffffeab8) at main.c:428
(gdb) kill
Kill the program being debugged? (y or n) y
(gdb) quit

So from what I can see, it's crashing while trying to bind to the requested IP/port and failing to print an error message(?).

But there is no process listening on that IP/Port pair:

root@fvz-rec-hk-nt-01:~# ss -ln
State   Recv-Q  Send-Q  Local Address:Port                   Peer  Address:Port
LISTEN  0       128     2a03:f80:852:151:236:20:236:1:5353   :::*
LISTEN  0       128     151.236.20.236:5353                  *:*
LISTEN  0       128     2a03:f80:852:151:236:20:236:1:1194   :::*
LISTEN  0       128     151.236.20.236:1194                  *:*
LISTEN  0       128     2a03:f80:852:151:236:20:236:1:8080   :::*
LISTEN  0       128     151.236.20.236:8080                  *:*
LISTEN  0       128     2a03:f80:852:151:236:20:236:1:53     :::*
LISTEN  0       128     151.236.20.236:53                    *:*
LISTEN  0       128     ::1:53                               :::*
LISTEN  0       128     127.0.0.1:53                         *:*
LISTEN  0       128     2a03:f80:852:151:236:20:236:1:54     :::*
LISTEN  0       128     151.236.20.236:54                    *:*
LISTEN  0       128     :::22                                :::*
LISTEN  0       128     *:22                                 *:*
LISTEN  0       128     127.0.0.1:9050                       *:*
LISTEN  0       128     2a03:f80:852:151:236:20:236:1:443    :::*
LISTEN  0       128     *:2812                               *:*
LISTEN  0       128     2a03:f80:852:151:236:20:236:1:1053   :::*
LISTEN  0       128     151.236.20.236:1053                  *:*
LISTEN  0       128     2a03:f80:852:151:236:20:236:1:27015  :::*
LISTEN  0       128     151.236.20.236:27015                 *:*
root@fvz-rec-hk-nt-01:~# /usr/local/sbin/dnscrypt-wrapper -U -r 127.0.0.1:53 -a 151.236.20.236:443 --crypt-secretkey-file=/etc/dnscrypt-wrapper/crypt_secret.key --crypt-publickey-file=/etc/dnscrypt-wrapper/crypt_public.key --provider-cert-file=/etc/dnscrypt-wrapper/dnscrypt.cert --provider-name=2.fvz-rec-hk-nt-01.dnscrypt-cert.meo.ws  -VVV
[32088] 02 Jul 12:22:24.073 [info] [main.c:318] Crypt public key fingerprint: C311:BD17:3CE5:D12F:4CE8:033B:275A:DF44:7EAC:D207:32DB:FF6E:DE22:3E03:537A:7B74
[32088] 02 Jul 12:22:24.073 [warning] [debug.c:93] Crashed by signal: 11
[32088] 02 Jul 12:22:24.073 [warning] [debug.c:94] --- STACK TRACE
[32088] 02 Jul 12:22:24.073 [warning] [debug.c:96] Failed assertion: <no assertion failed> (<no file>:0)
[32088] 02 Jul 12:22:24.074 [warning] [debug.c:98] --- STACK TRACE
[0x407fd8]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x273a)[0x7f8200aa5aaa]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x273a)[0x7f8200aa5aaa]
/lib/x86_64-linux-gnu/libc.so.6(vsnprintf+0xa2)[0x7f8200acb512]
[0x406ea3]
[0x40684b]
[0x403831]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7f8200a7eead]
[0x403c9d]
Segmentation fault

But this appears to happen only on this server, with this IP and this port; other IPs or ports seem to work fine:

root@fvz-rec-hk-nt-01:~# /usr/local/sbin/dnscrypt-wrapper -U -r 127.0.0.1:53 -a 151.236.20.236:12345 --crypt-secretkey-file=/etc/dnscrypt-wrapper/crypt_secret.key --crypt-publickey-file=/etc/dnscrypt-wrapper/crypt_public.key --provider-cert-file=/etc/dnscrypt-wrapper/dnscrypt.cert --provider-name=2.fvz-rec-hk-nt-01.dnscrypt-cert.meo.ws  -VVV
[32123] 02 Jul 12:28:54.848 [info] [main.c:318] Crypt public key fingerprint: C311:BD17:3CE5:D12F:4CE8:033B:275A:DF44:7EAC:D207:32DB:FF6E:DE22:3E03:537A:7B74
^C
root@fvz-rec-hk-nt-01:~# /usr/local/sbin/dnscrypt-wrapper -U -r 127.0.0.1:53 -a 151.236.20.236:12345 --crypt-secretkey-file=/etc/dnscrypt-wrapper/crypt_secret.key --crypt-publickey-file=/etc/dnscrypt-wrapper/crypt_public.key --provider-cert-file=/etc/dnscrypt-wrapper/dnscrypt.cert --provider-name=2.fvz-rec-hk-nt-01.dnscrypt-cert.meo.ws  -VVV
[32124] 02 Jul 12:28:59.673 [info] [main.c:318] Crypt public key fingerprint: C311:BD17:3CE5:D12F:4CE8:033B:275A:DF44:7EAC:D207:32DB:FF6E:DE22:3E03:537A:7B74
^C
root@fvz-rec-hk-nt-01:~# /usr/local/sbin/dnscrypt-wrapper -U -r 127.0.0.1:53 -a 151.236.20.236:12345 --crypt-secretkey-file=/etc/dnscrypt-wrapper/crypt_secret.key --crypt-publickey-file=/etc/dnscrypt-wrapper/crypt_public.key --provider-cert-file=/etc/dnscrypt-wrapper/dnscrypt.cert --provider-name=2.fvz-rec-hk-nt-01.dnscrypt-cert.meo.ws  -VVV
[32129] 02 Jul 12:29:01.920 [info] [main.c:318] Crypt public key fingerprint: C311:BD17:3CE5:D12F:4CE8:033B:275A:DF44:7EAC:D207:32DB:FF6E:DE22:3E03:537A:7B74
^C

Multiple instances of dnscrypt-wrapper

Hello!

Thank you for the program!

I'm trying to run 2 instances of dnscrypt-wrapper, but I get this message for the second instance:
[err] [udp_request.c:536] Unable to bind (UDP) [Address already in use]

How can I switch to a new configuration with zero downtime?
If I set a different listening port for dnscrypt-wrapper, clients don't know the new port.

Ubuntu 10.04.3 LTS
dnscrypt-wrapper --version
dnscrypt-wrapper 0.2.2.g6136535

installation error

When attempting to issue the make or make install command, it returns the following error:

"Makefile", line 16: Missing dependency operator
"Makefile", line 18: Need an operator
make: fatal errors encountered -- cannot continue

Running on FreeBSD 9.2
libevent 2.0.21
libsodium 0.4.5

So I removed those lines and retried, but then received the following error:

root@dns1:~/dnscrypt-wrapper # make
cc -O2 -pipe  -c dnscrypt.c
In file included from dnscrypt.c:1:
dnscrypt.h:5:26: error: event2/event.h: No such file or directory
dnscrypt.h:6:29: error: event2/listener.h: No such file or directory
dnscrypt.h:7:32: error: event2/bufferevent.h: No such file or directory
dnscrypt.h:8:27: error: event2/buffer.h: No such file or directory
dnscrypt.h:9:25: error: event2/util.h: No such file or directory
dnscrypt.h:10:20: error: sodium.h: No such file or directory
In file included from dnscrypt.h:73,
                 from dnscrypt.c:1:
udp_request.h:17: error: 'crypto_box_NONCEBYTES' undeclared here (not in a function)
udp_request.h:18: error: 'crypto_box_BEFORENMBYTES' undeclared here (not in a function)
udp_request.h:20: error: field 'client_sockaddr' has incomplete type
udp_request.h:24: error: expected specifier-qualifier-list before 'evutil_socket_t'
In file included from dnscrypt.h:78,
                 from dnscrypt.c:1:
cert.h:16: error: 'crypto_box_PUBLICKEYBYTES' undeclared here (not in a function)
In file included from dnscrypt.c:1:
dnscrypt.h:89: error: field 'local_sockaddr' has incomplete type
dnscrypt.h:90: error: field 'resolver_sockaddr' has incomplete type
dnscrypt.h:91: error: expected specifier-qualifier-list before 'ev_socklen_t'
dnscrypt.h: In function 'print_binary_string':
dnscrypt.h:144: error: 'for' loop initial declaration used outside C99 mode
dnscrypt.h: In function 'print_binary_string_hex':
dnscrypt.h:166: error: 'for' loop initial declaration used outside C99 mode
dnscrypt.h: At top level:
dnscrypt.h:200: error: 'crypto_box_MACBYTES' undeclared here (not in a function)
dnscrypt.c: In function 'dnscrypt_key_to_fingerprint':
dnscrypt.c:42: error: 'crypto_box_SECRETKEYBYTES' undeclared (first use in this function)
dnscrypt.c:42: error: (Each undeclared identifier is reported only once
dnscrypt.c:42: error: for each function it appears in.)
dnscrypt.c: In function 'dnscrypt_fingerprint_to_key':
dnscrypt.c:114: error: type of formal parameter 1 is incomplete
dnscrypt.c: In function 'dnscrypt_server_uncurve':
dnscrypt.c:182: error: 'struct context' has no member named 'crypt_secretkey'
dnscrypt.c:190: error: 'crypto_box_BOXZEROBYTES' undeclared (first use in this function)
dnscrypt.c: In function 'add_server_nonce':
dnscrypt.c:220: error: 'struct context' has no member named 'nonce_ts_last'
dnscrypt.c:221: error: 'struct context' has no member named 'nonce_ts_last'
dnscrypt.c:223: error: 'struct context' has no member named 'nonce_ts_last'
dnscrypt.c: In function 'dnscrypt_server_curve':
dnscrypt.c:256: error: 'struct context' has no member named 'crypt_secretkey'
dnscrypt.c:257: error: 'crypto_box_BOXZEROBYTES' undeclared (first use in this function)
dnscrypt.c:257: error: 'crypto_box_ZEROBYTES' undeclared (first use in this function)
*** [dnscrypt.o] Error code 1

Stop in /root/dnscrypt-wrapper.
root@dns1:~/dnscrypt-wrapper # make install
(output identical to the make run above)

Incorrect date in logs

Hi @cofyc ,

Thanks for awesome work,
I just installed a dnscrypt-proxy server today with the docker image,
and found an error in the log file.

Jul 30 14:42:02 lenbox dnscrypt-proxy[18666]: [INFO] This certificate is valid
Jul 30 14:42:02 lenbox dnscrypt-proxy[18666]: [INFO] Chosen certificate #1469859743 is valid from [2016-07-31] to [2016-07-32]

As far as I know, there is no 2016-07-32. 😂

Not a big issue though; I will submit a PR if I get some time.

[ERROR] Unable to retrieve server certificate

Ello,

I've been trying to set up dnscrypt-wrapper on my server, following the instructions from the README.
The problem is, I get the error [ERROR] Unable to retrieve server certificate when I try to connect with dnscrypt-proxy...

After I followed all the instructions I did this:
dnscrypt-wrapper -r 127.0.0.1:5333 -a 128.199.56.201:4434 --crypt-secretkey-file=secret.key --crypt-publickey-file=public.key --provider-cert-file=dnscrypt.cert --provider-name=2.dnscrypt-cert.megalicious.org -V

It gives me the crypt public key fingerprint, but nothing more.

Then, I try to connect with dnscrypt-proxy:
dnscrypt-proxy -a 127.0.0.1:5333 --resolver-address=128.199.56.201:4434 --provider-name 2.dnscrypt-cert.megalicious.org -r 127.0.0.1:54 --provider-key=8EAE:E1C1:2C9A:F21E:F3C6:A070:B54D:4161:9ACE:61CF:515D:B337:97C0:8B06:1C4D:26E5

Which outputs:

[NOTICE] Starting dnscrypt-proxy 1.4.1
[INFO] Initializing libsodium for optimal performance
[INFO] Generating a new key pair
[INFO] Done
[ERROR] Unable to retrieve server certificates
[INFO] Refetching server certificates

And it keeps repeating the last 2 lines.

dig 2.dnscrypt-cert.megalicious.org txt gives:


; <<>> DiG 9.9.2-P2 <<>> 2.dnscrypt-cert.megalicious.org txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4337
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;2.dnscrypt-cert.megalicious.org. IN    TXT

;; ANSWER SECTION:
2.dnscrypt-cert.megalicious.org. 552 IN TXT "DNSC0000010000002019178132179011163x143151244224p1820312521209225A203138M020g172h127175$215217189>+A 150157xu237034009159*0040112150012480341651709173&s1752091450092500041271380180011241252226x128202234=177168211016U-155029147137j007V135199024243`T7PYqwfz" "t0001TZU|V\;136252"

;; AUTHORITY SECTION:
megalicious.org.    3648    IN  NS  ns3176.dns.dyn.com.
megalicious.org.    3648    IN  NS  ns1129.dns.dyn.com.
megalicious.org.    3648    IN  NS  ns2137.dns.dyn.com.
megalicious.org.    3648    IN  NS  ns4149.dns.dyn.com.

;; ADDITIONAL SECTION:
ns1129.dns.dyn.com. 64284   IN  A   208.76.58.129
ns2137.dns.dyn.com. 166875  IN  A   208.76.59.137

;; Query time: 15 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Nov  5 18:46:21 2014
;; MSG SIZE  rcvd: 473

What could I have done wrong? I suppose it's something obvious, because I'm rather new to this subject...

Unable to generate short-term keys

I run the latest docker-image https://github.com/jedisct1/dnscrypt-server-docker on an Ubuntu server.
But dnscrypt-wrapper is not able to generate the short-term keys or even a certificate (the short-term folder is empty).

When I try to generate them manually in the docker console I get:

./dnscrypt-wrapper --gen-crypt-keypair --crypt-secretkey-file=1.key
Generate crypt key pair...[3179] 16 Dec 07:17:19.460 [warning] [debug.c:93] Crashed by signal: 4
[3179] 16 Dec 07:17:19.460 [warning] [debug.c:94] --- STACK TRACE
[3179] 16 Dec 07:17:19.460 [warning] [debug.c:96] Failed assertion: <no assertion failed> (<no file>:0)
[3179] 16 Dec 07:17:19.460 [warning] [debug.c:98] --- STACK TRACE
[0x408528]
/opt/libsodium/lib/libsodium.so.18(+0x79c73)[0x7fbecf608c73]
/opt/libsodium/lib/libsodium.so.18(+0x79c73)[0x7fbecf608c73]
Illegal instruction (core dumped)

System:

  • Linux de 4.1.13-x86_64
  • Ubuntu 14.04.3
  • Docker version 1.9.1, build a34a1d5

dnscrypt-proxy connect failed with server certificate

Hi, I noticed the following in my router's dnscrypt-proxy logs ...

Sun Sep 10 07:30:47 2017 [INFO] Refetching server certificates
Sun Sep 10 07:30:47 2017 [ERROR] Unable to retrieve server certificates
Sun Sep 10 07:30:50 2017 [INFO] Refetching server certificates
Sun Sep 10 07:30:50 2017 [ERROR] Unable to retrieve server certificates
Sun Sep 10 07:30:56 2017 [INFO] Refetching server certificates
Sun Sep 10 07:30:56 2017 [ERROR] Unable to retrieve server certificates
Sun Sep 10 07:31:05 2017 [INFO] Refetching server certificates
Sun Sep 10 07:31:10 2017 [ERROR] Unable to retrieve server certificates
Sun Sep 10 07:31:22 2017 [INFO] Refetching server certificates
Sun Sep 10 07:31:22 2017 [ERROR] Unable to retrieve server certificates
Sun Sep 10 07:31:37 2017 [INFO] Refetching server certificates
Sun Sep 10 07:31:38 2017 [ERROR] Unable to retrieve server certificates

But when I retried several times, it worked.

I don't know why.

Thanks

unsupported server protocol version

Hello! After deploying the server side, testing with the dnscrypt-proxy --test parameter gives unsupported server protocol version. Is there a way to solve this?

Cannot install on CentOS 6

Running make install gives the following errors:
make[1]: Entering directory `/root/dnscrypt-wrapper/argparse'
cc -o argparse.o -c -Wall -O3 -g -ggdb -fPIC argparse.c
ar rcs libargparse.a argparse.o
make[1]: Leaving directory `/root/dnscrypt-wrapper/argparse'
LINK dnscrypt-wrapper
udp_request.o: In function `udp_request_kill':
udp_request.c:(.text+0x3f): undefined reference to `event_get_callback_arg'
udp_request.c:(.text+0x50): undefined reference to `event_free'
udp_request.c:(.text+0x66): undefined reference to `event_free'
udp_request.o: In function `udp_listener_stop':
udp_request.c:(.text+0x5ec): undefined reference to `event_free'
udp_request.o: In function `udp_listener_start':
udp_request.c:(.text+0x658): undefined reference to `event_new'
udp_request.c:(.text+0x69b): undefined reference to `event_new'
udp_request.o: In function `sendto_with_retry':
udp_request.c:(.text+0x7aa): undefined reference to `event_get_callback_arg'
udp_request.c:(.text+0x83d): undefined reference to `event_get_callback_arg'
udp_request.c:(.text+0x873): undefined reference to `event_free'
udp_request.c:(.text+0x8cb): undefined reference to `event_get_callback_arg'
udp_request.c:(.text+0x933): undefined reference to `event_new'
udp_request.o: In function `resolver_to_proxy_cb':
udp_request.c:(.text+0xa9a): undefined reference to `evutil_sockaddr_cmp'
udp_request.o: In function `sendto_with_retry_timer_cb':
udp_request.c:(.text+0xdac): undefined reference to `event_get_fd'
udp_request.o: In function `client_to_proxy_cb':
udp_request.c:(.text+0x10e1): undefined reference to `event_new'
udp_request.o: In function `udp_listener_bind':
udp_request.c:(.text+0x1787): undefined reference to `evutil_make_socket_closeonexec'
udp_request.c:(.text+0x17e5): undefined reference to `evutil_make_socket_closeonexec'
udp_request.c:(.text+0x183a): undefined reference to `evutil_closesocket'
udp_request.c:(.text+0x1881): undefined reference to `evutil_closesocket'
tcp_request.o: In function `tcp_listener_start':
tcp_request.c:(.text+0x11): undefined reference to `evconnlistener_enable'
tcp_request.o: In function `tcp_listener_bind':
tcp_request.c:(.text+0x112): undefined reference to `evconnlistener_new'
tcp_request.c:(.text+0x12a): undefined reference to `evconnlistener_disable'
tcp_request.c:(.text+0x13f): undefined reference to `evconnlistener_set_error_cb'
tcp_request.c:(.text+0x170): undefined reference to `evconnlistener_free'
tcp_request.o: In function `tcp_accept_error_cb':
tcp_request.c:(.text+0x22c): undefined reference to `evconnlistener_disable'
tcp_request.c:(.text+0x277): undefined reference to `event_new'
tcp_request.o: In function `tcp_accept_timer_cb':
tcp_request.c:(.text+0x29c): undefined reference to `event_free'
tcp_request.o: In function `tcp_request_kill':
tcp_request.c:(.text+0x2e9): undefined reference to `event_free'
tcp_request.o: In function `tcp_connection_cb':
tcp_request.c:(.text+0x448): undefined reference to `bufferevent_socket_new'
tcp_request.c:(.text+0x46b): undefined reference to `bufferevent_socket_new'
tcp_request.c:(.text+0x4be): undefined reference to `event_new'
tcp_request.c:(.text+0x530): undefined reference to `bufferevent_socket_connect'
tcp_request.c:(.text+0x59c): undefined reference to `evutil_closesocket'
tcp_request.o: In function `tcp_listener_stop':
tcp_request.c:(.text+0x65c): undefined reference to `evconnlistener_free'
tcp_request.o: In function `resolver_proxy_read_cb':
tcp_request.c:(.text+0x6b3): undefined reference to `bufferevent_get_input'
tcp_request.c:(.text+0x6f9): undefined reference to `evbuffer_get_length'
tcp_request.c:(.text+0x712): undefined reference to `evbuffer_pullup'
tcp_request.c:(.text+0x814): undefined reference to `evbuffer_get_length'
tcp_request.o: In function `proxy_resolver_event_cb':
tcp_request.c:(.text+0x911): undefined reference to `bufferevent_getfd'
tcp_request.o: In function `client_proxy_read_cb':
tcp_request.c:(.text+0x95d): undefined reference to `bufferevent_get_input'
tcp_request.c:(.text+0x988): undefined reference to `evbuffer_get_length'
tcp_request.c:(.text+0x9d7): undefined reference to `evbuffer_remove_buffer'
tcp_request.c:(.text+0xb5c): undefined reference to `evbuffer_get_length'
tcp_request.o: In function `tcp_accept_timer_cb':
tcp_request.c:(.text+0x2b4): undefined reference to `evconnlistener_enable'
main.o: In function `sockaddr_from_ip_and_port.clone.0':
main.c:(.text+0x185): undefined reference to `evutil_parse_sockaddr_port'
main.c:(.text+0x1cd): undefined reference to `evutil_parse_sockaddr_port'
collect2: ld returned 1 exit status
make: *** [dnscrypt-wrapper] Error 1

dnscrypt-wrapper 0.3 does not accept documented syntax for key rotation

The documentation says to use this syntax when allowing both old and new key to work temporarily.

dnscrypt-wrapper --resolver-address=8.8.8.8:53 --listen-address=0.0.0.0:443 \
  --provider-name=2.dnscrypt-cert.yechengfu.com \
  --crypt-secretkey-file=1.key,2.key --provider-cert-file=2.cert

This worked fine in 1.2.0

I upgraded to 1.3.0 and now that syntax generates this error.

[24984] 17 Aug 05:30:28.290 [err] [main.c:287] could not match secret key 1 with a certificate.

I can successfully start by specifying both certificates like so.

dnscrypt-wrapper --resolver-address=8.8.8.8:53 --listen-address=0.0.0.0:443 \
  --provider-name=2.dnscrypt-cert.yechengfu.com \
  --crypt-secretkey-file=1.key,2.key --provider-cert-file=1.cert,2.cert

I don't know if this actually won't break anything, though.

So either there is a bug or documentation needs updating.
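As an added example (Go, written for this page; it is not code from dnscrypt-wrapper or dnscrypt-proxy) of what a client does with the certificates behind the two-certificate rotation described in this issue and behind the "Unable to retrieve server certificates" reports earlier on the page: one provider key signs two certificates, both are served, and the client keeps only those that verify and are currently valid, then takes the one with the highest serial. Assumptions: the certificate layout is the DNSCrypt v2 one (magic, es-version, Ed25519 signature, resolver key, client magic, serial, validity timestamps); the short-term resolver key is random bytes standing in for a real X25519 key, and the client magic is its first 8 bytes. A certificate whose es-version the client does not know is rejected with the client-side "unsupported server protocol version" error.

```go
// Added example (Go), not dnscrypt-wrapper's or dnscrypt-proxy's own code: how a client
// consumes the certificate in the TXT record for 2.dnscrypt-cert.<provider>. Wire layout
// (DNSCrypt v2, big-endian): "DNSC" | es-version(2) | minor(2) | Ed25519 sig(64) |
// resolver-pk(32) | client-magic(8) | serial(4) | ts-start(4) | ts-end(4); the provider's
// long-term key (secret.key/public.key) signs everything after the signature field.
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const certLen, esX25519XSalsa20, esX25519XChaCha20 = 124, 1, 2 // fixed length; XSalsa20 / XChaCha20 es-versions
var (
	ErrMalformed     = errors.New("malformed certificate")
	ErrUnsupportedES = errors.New("unsupported server protocol version")
	ErrBadSignature  = errors.New("certificate signature does not verify")
	ErrNotValidNow   = errors.New("certificate outside its validity window")
)

type Body struct { // the signed part of the certificate, laid out exactly as on the wire
	ResolverPK  [32]byte // short-term public key (the --gen-crypt-keypair key)
	ClientMagic [8]byte  // prefix clients put in front of encrypted queries
	Serial      uint32   // dnscrypt-wrapper uses the creation time
	TSStart     uint32   // Unix time
	TSEnd       uint32   // Unix time
}
type Cert struct {
	ESVersion uint16
	Body
}

// newCert describes a certificate for a fresh short-term key valid for the given days.
func newCert(es uint16, start time.Time, days int) Cert {
	c := Cert{ESVersion: es}
	rand.Read(c.ResolverPK[:]) // random bytes stand in for an X25519 public key (assumption)
	copy(c.ClientMagic[:], c.ResolverPK[:8])
	c.Serial, c.TSStart = uint32(start.Unix()), uint32(start.Unix())
	c.TSEnd = uint32(start.AddDate(0, 0, days).Unix())
	return c
}

// Marshal serialises a certificate and signs it with the provider secret key.
func Marshal(c Cert, providerSK ed25519.PrivateKey) []byte {
	var body bytes.Buffer
	binary.Write(&body, binary.BigEndian, c.Body)
	out := append([]byte("DNSC"), byte(c.ESVersion>>8), byte(c.ESVersion), 0, 0)
	out = append(out, ed25519.Sign(providerSK, body.Bytes())...)
	return append(out, body.Bytes()...)
}

// ParseAndVerify checks framing and es-version, then verifies the provider signature
// before any signed field is trusted; the validity window is checked in Choose.
func ParseAndVerify(raw []byte, providerPK ed25519.PublicKey, supported map[uint16]bool) (Cert, error) {
	var c Cert
	if len(raw) < certLen || string(raw[0:4]) != "DNSC" {
		return c, ErrMalformed
	}
	c.ESVersion = binary.BigEndian.Uint16(raw[4:6])
	if !supported[c.ESVersion] {
		return c, fmt.Errorf("%w: es-version %d", ErrUnsupportedES, c.ESVersion)
	}
	if !ed25519.Verify(providerPK, raw[72:], raw[8:72]) {
		return c, ErrBadSignature
	}
	return c, binary.Read(bytes.NewReader(raw[72:certLen]), binary.BigEndian, &c.Body)
}

// Choose keeps the offered certificates that verify and are valid at time now and returns
// the one with the highest serial. While 1.cert and 2.cert are both served, clients holding
// either short-term key keep working and new clients pick up 2.key.
func Choose(raws [][]byte, providerPK ed25519.PublicKey, supported map[uint16]bool, now time.Time) (best Cert, err error) {
	err, t := errors.New("no certificates offered"), uint32(now.Unix())
	for _, raw := range raws {
		c, e := ParseAndVerify(raw, providerPK, supported)
		if e == nil && (t < c.TSStart || t > c.TSEnd) {
			e = ErrNotValidNow
		}
		if e != nil && err != nil { // nothing accepted yet: remember why this one was rejected
			err = e
		} else if e == nil && (err != nil || c.Serial > best.Serial) {
			best, err = c, nil
		}
	}
	return best, err
}

func main() {
	providerPK, providerSK, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now() // rotation in progress: 1.cert from 300 days ago, 2.cert from yesterday
	offered := [][]byte{Marshal(newCert(esX25519XSalsa20, now.AddDate(0, 0, -300), 365), providerSK),
		Marshal(newCert(esX25519XSalsa20, now.AddDate(0, 0, -1), 365), providerSK)}
	c, err := Choose(offered, providerPK, map[uint16]bool{esX25519XSalsa20: true}, now)
	if err != nil {
		fmt.Println("[ERROR] Unable to retrieve server certificates:", err)
		return
	}
	to := time.Unix(int64(c.TSEnd), 0).UTC().Format("2006-01-02") // date straight from the timestamp
	fmt.Printf("Chosen certificate #%d is valid until [%s]\n", c.Serial, to)
}
```

The serial comparison happens only after the signature has verified, so a resolver that does not hold the provider secret key cannot steer clients to a forged "newer" certificate; it can only fail to be chosen. Conversely, if every offered certificate is rejected (wrong provider key, tampered bytes, or a validity window that does not contain the client's clock), the client has nothing to encrypt to, which is what the repeated "Refetching server certificates" loop on this page looks like from the client side.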

dnscrypt-wrapper through Docker

dnscrypt-proxy's log reports an error when trying to connect to the dnscrypt-wrapper running inside a docker container (but through the host's mapped TCP port).
The error message is: [ERROR] Unable to retrieve server certificates

So I tried running dnscrypt-proxy directly inside the container too, and it worked.

Now I am confused by this result. Is this a docker network mapping issue or some kind of restriction in dnscrypt itself?

Specify number of days for cert (other than 365)

I made a patch to add an option --gen-cert-file-days to specify a certificate validity other than 365 days.
One example is setting it for 3 or 5 years.
Another is experimenting with short numbers of days.

I've got it ready and tested, but I just have one question: if you think this is a good feature, shall we allow <= 0 validity in days, i.e. to generate a cert that's already expired (for testing)?

Crash

Hi,

my dnscrypt-wrapper crashed today. Sadly, I don't have a core dump or any logs. I haven't found anything in the system logs.
It's been up since Oct 20th or something. I'm going to enable core dumps and see if I catch it again; I don't think it's OOM, probably something else.

Will keep you posted if I find anything.

[Q] How to create TXT record for BIND (fingerprint)

Hi Guys,

Sorry to bother you all, but I have been trying to figure out the correct way to generate the fingerprint for my new OpenNIC/DNSCrypt bind server record.

When I created the keys, it generated the records for tinydns and also nsd, but looking at the records they generated, they are not the same (content-wise). I half expected it would just be the syntax that's different, but this doesn't appear to be so. If it was the same, then I would have just created a usual TXT record in bind and the job would be done, but they are nothing really similar, which surprised me.

Could someone please be so kind as to give me a hint on what I need to do to create/generate the TXT or SRV records needed. Thank you.

p.s. I know that $ dnscrypt-wrapper --show-provider-publickey-fingerprint --provider-publickey-file generates the fingerprint from the key file, but how do I generate the code/syntax for a bind type of record? Thank you.
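The zone-file syntax asked about here, as an added example (Go, written for this page, not dnscrypt-wrapper's code): the record the wrapper prints in tinydns and nsd syntax is an ordinary TXT record carrying the raw bytes of the certificate, so for BIND the only work is escaping those bytes in RFC 1035 master-file syntax. Inside a quoted character-string, octets outside printable ASCII are written as \DDD (three decimal digits), a double quote and a backslash get a backslash in front, and a single character-string holds at most 255 octets, so longer data is split into several quoted strings. The owner name, TTL and sample bytes below are constructed for the example; in practice the input is the contents of the file written by --gen-cert-file.

```go
// Added example (Go), not dnscrypt-wrapper's own code: render certificate bytes as a TXT
// record in RFC 1035 master-file syntax for a BIND zone file. Inside a quoted
// <character-string>, octets outside printable ASCII are written as \DDD (decimal),
// '"' and '\' are backslash-escaped, and each string holds at most 255 octets.
package main

import (
	"fmt"
	"strings"
)

// escapeCharString escapes one <character-string> (at most 255 octets) and quotes it.
func escapeCharString(b []byte) string {
	var sb strings.Builder
	sb.WriteByte('"')
	for _, c := range b {
		switch {
		case c == '"' || c == '\\':
			sb.WriteByte('\\')
			sb.WriteByte(c)
		case c < 0x20 || c > 0x7e:
			fmt.Fprintf(&sb, "\\%03d", c)
		default:
			sb.WriteByte(c)
		}
	}
	sb.WriteByte('"')
	return sb.String()
}

// TXTRecord renders one zone-file line, splitting the data into 255-octet strings.
func TXTRecord(owner string, ttl int, data []byte) string {
	parts := []string{}
	for len(data) > 0 {
		n := len(data)
		if n > 255 {
			n = 255
		}
		parts = append(parts, escapeCharString(data[:n]))
		data = data[n:]
	}
	if len(parts) == 0 {
		parts = append(parts, `""`) // an empty TXT is still one (empty) character-string
	}
	return fmt.Sprintf("%s %d IN TXT %s", owner, ttl, strings.Join(parts, " "))
}

func main() {
	// Constructed stand-in for the file written by --gen-cert-file: the "DNSC" magic,
	// es-version 1, minor version 0 and a few bytes of what would be the signature.
	cert := []byte("DNSC\x00\x01\x00\x00\x02\x13\xb2\x84x\"\\")
	fmt.Println(TXTRecord("2.dnscrypt-cert.example.org.", 3600, cert))
}
```

The output has the same shape as the dig answer earlier on this page (DNSC followed by \000\001\000\000 and then the escaped signature bytes), which is also a quick way to check that what BIND serves matches the file: dig +short the name and compare the escaped strings against this encoding of the local cert file.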

Build error on OpenBSD 5.5

Hi,

I'm trying to build this on OpenBSD 5.5, using a command similar to your instructions for FreeBSD. It seems to be failing during linking:

# gmake LDFLAGS='-L/usr/local/include/event2 -L/usr/local/lib' CFLAGS=-I/usr/local/include

  LINK dnscrypt-wrapper
rfc1035.o(.text+0x7d0): In function `extract_name':
: warning: sprintf() is often misused, please use snprintf()
udp_request.o(.text+0x43): In function `udp_request_kill':
: undefined reference to `event_get_callback_arg'
udp_request.o(.text+0x57): In function `udp_request_kill':
: undefined reference to `event_free'
udp_request.o(.text+0x73): In function `udp_request_kill':
: undefined reference to `event_free'
udp_request.o(.text+0x19c): In function `udp_listener_stop':
: undefined reference to `event_free'
udp_request.o(.text+0x1fe): In function `udp_listener_start':
: undefined reference to `event_new'
udp_request.o(.text+0x24b): In function `udp_listener_start':
: undefined reference to `event_new'
udp_request.o(.text+0x399): In function `sendto_with_retry':
: undefined reference to `event_get_callback_arg'
udp_request.o(.text+0x419): In function `sendto_with_retry':
: undefined reference to `event_new'
udp_request.o(.text+0x475): In function `sendto_with_retry':
: undefined reference to `event_get_callback_arg'
udp_request.o(.text+0x4e8): In function `sendto_with_retry':
: undefined reference to `event_free'
udp_request.o(.text+0x517): In function `sendto_with_retry':
: undefined reference to `event_get_callback_arg'
udp_request.o(.text+0x668): In function `resolver_to_proxy_cb':
: undefined reference to `evutil_sockaddr_cmp'
udp_request.o(.text+0x81f): In function `sendto_with_retry_timer_cb':
: undefined reference to `event_get_fd'
udp_request.o(.text+0xcde): In function `client_to_proxy_cb':
: undefined reference to `event_new'
udp_request.o(.text+0xf38): In function `udp_listener_bind':
: undefined reference to `evutil_make_socket_closeonexec'
udp_request.o(.text+0xfc0): In function `udp_listener_bind':
: undefined reference to `evutil_make_socket_closeonexec'
udp_request.o(.text+0x101a): In function `udp_listener_bind':
: undefined reference to `evutil_closesocket'
udp_request.o(.text+0x104f): In function `udp_listener_bind':
: undefined reference to `evutil_closesocket'
tcp_request.o(.text+0x31): In function `tcp_accept_error_cb':
: undefined reference to `evconnlistener_disable'
tcp_request.o(.text+0x79): In function `tcp_accept_error_cb':
: undefined reference to `event_new'
tcp_request.o(.text+0x9c): In function `tcp_accept_timer_cb':
: undefined reference to `event_free'
tcp_request.o(.text+0xee): In function `tcp_request_kill':
: undefined reference to `event_free'
tcp_request.o(.text+0x2a0): In function `tcp_connection_cb':
: undefined reference to `bufferevent_socket_new'
tcp_request.o(.text+0x2c3): In function `tcp_connection_cb':
: undefined reference to `bufferevent_socket_new'
tcp_request.o(.text+0x31d): In function `tcp_connection_cb':
: undefined reference to `event_new'
tcp_request.o(.text+0x395): In function `tcp_connection_cb':
: undefined reference to `bufferevent_socket_connect'
tcp_request.o(.text+0x404): In function `tcp_connection_cb':
: undefined reference to `evutil_closesocket'
tcp_request.o(.text+0x465): In function `proxy_resolver_event_cb':
: undefined reference to `bufferevent_getfd'
tcp_request.o(.text+0x50c): In function `tcp_listener_stop':
: undefined reference to `evconnlistener_free'
tcp_request.o(.text+0x576): In function `tcp_listener_start':
: undefined reference to `evconnlistener_enable'
tcp_request.o(.text+0x64e): In function `tcp_listener_bind':
: undefined reference to `evconnlistener_new_bind'
tcp_request.o(.text+0x662): In function `tcp_listener_bind':
: undefined reference to `evconnlistener_disable'
tcp_request.o(.text+0x679): In function `tcp_listener_bind':
: undefined reference to `evconnlistener_set_error_cb'
tcp_request.o(.text+0x6a6): In function `tcp_listener_bind':
: undefined reference to `evconnlistener_free'
tcp_request.o(.text+0x704): In function `resolver_proxy_read_cb':
: undefined reference to `bufferevent_get_input'
tcp_request.o(.text+0x777): In function `resolver_proxy_read_cb':
: undefined reference to `evbuffer_get_length'
tcp_request.o(.text+0x78d): In function `resolver_proxy_read_cb':
: undefined reference to `evbuffer_pullup'
tcp_request.o(.text+0x834): In function `resolver_proxy_read_cb':
: undefined reference to `evbuffer_get_length'
tcp_request.o(.text+0x964): In function `client_proxy_read_cb':
: undefined reference to `bufferevent_get_input'
tcp_request.o(.text+0x98f): In function `client_proxy_read_cb':
: undefined reference to `evbuffer_get_length'
tcp_request.o(.text+0xa7e): In function `client_proxy_read_cb':
: undefined reference to `evbuffer_remove_buffer'
tcp_request.o(.text+0xb86): In function `client_proxy_read_cb':
: undefined reference to `evbuffer_get_length'
tcp_request.o(.text+0xb4): In function `tcp_accept_timer_cb':
: undefined reference to `evconnlistener_enable'
main.o(.text+0x17e): In function `sockaddr_from_ip_and_port':
: undefined reference to `evutil_parse_sockaddr_port'
main.o(.text+0x214): In function `sockaddr_from_ip_and_port':
: undefined reference to `evutil_parse_sockaddr_port'
collect2: ld returned 1 exit status
Makefile:181: recipe for target 'dnscrypt-wrapper' failed
gmake: *** [dnscrypt-wrapper] Error 1

Both libsodium and libevent2 are installed, as well as gmake and autoconf.

Thanks.

Error when running on Ubuntu 14.10...

I completely reinstalled dnscrypt-wrapper and cloned the latest version, but after entering
./dnscrypt-wrapper -r 8.8.8.8:53 -a 0.0.0.0:443 --crypt-secretkey-file=crypt_secret.key --crypt-publickey-file=crypt_public.key --provider-cert-file=dnscrypt.cert --provider-name=2.dnscrypt-cert.yechengfu.com
there is no response at all.... Please help me solve this.

Tag a new release?

Hi!

Version 0.2.2 was released a while back, and quite a lot of things happened since.

XChaCha20 support would be good to have, especially since Unbound just added support for it.

Do you think you could tag version 0.3.0 soon?

/dnscrypt-wrapper-0.2.2/debug.c:82: undefined reference to `backtrace'

Trying this in a Docker container based on alpine:edge.

Installed packages: autoconf bsd-compat-headers build-base curl libevent-dev libexecinfo-dev libsodium-dev

Error during make install:

/dnscrypt-wrapper-0.2.2 # make configure
  GEN configure
/dnscrypt-wrapper-0.2.2 # ./configure --prefix=/usr
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for gar... no
checking for ar... ar
checking for gtar... no
checking for tar... tar
checking for event_base_new in -levent... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking event2/event.h usability... yes
checking event2/event.h presence... yes
checking for event2/event.h... yes
checking for sodium_init in -lsodium... yes
configure: creating ./config.status
config.status: creating config.mak.autogen
config.status: executing config.mak.autogen commands

Configuration summary:

    Support for event library: yes
    Support for sodium library: yes

/dnscrypt-wrapper-0.2.2 # make install
  CC dnscrypt.o
  CC udp_request.o
  CC tcp_request.o
  CC edns.o
  CC logger.o
  CC rfc1035.o
  CC safe_rw.o
  CC cert.o
  CC pidfile.o
  CC debug.o
  CC main.o
make[1]: Entering directory '/dnscrypt-wrapper-0.2.2/argparse'
cc -o argparse.o -c -Wall -fPIC -O3 -g -ggdb argparse.c
ar rcs libargparse.a argparse.o
make[1]: Leaving directory '/dnscrypt-wrapper-0.2.2/argparse'
  LINK dnscrypt-wrapper
debug.o: In function `log_stack_trace':
/dnscrypt-wrapper-0.2.2/debug.c:82: undefined reference to `backtrace'
/dnscrypt-wrapper-0.2.2/debug.c:87: undefined reference to `backtrace_symbols_fd'
collect2: error: ld returned 1 exit status
make: *** [Makefile:192: dnscrypt-wrapper] Error 1
/dnscrypt-wrapper-0.2.2 # 

Segmentation fault (core dumped)

I set up dnscrypt-wrapper on CentOS 7, but it never runs for long before it crashes with a segmentation fault (core dumped). I've been going crazy over this all afternoon; could someone please advise?

[2697] 28 Nov 09:02:40.899 [debug] client to proxy cb
[2697] 28 Nov 09:02:40.984 [debug] resolver to proxy cb
[2697] 28 Nov 09:02:41.054 [debug] client to proxy cb
[2697] 28 Nov 09:02:41.055 [debug] client to proxy cb
[2697] 28 Nov 09:02:41.056 [debug] client to proxy cb
[2697] 28 Nov 09:02:41.058 [debug] resolver to proxy cb
[2697] 28 Nov 09:02:41.059 [debug] resolver to proxy cb
段错误
[root@localhost dnscrypt-wrapper]#

Identifying the license

Hello,

It appears that the text in the COPYING file exactly matches the ISC license, but the release notes for v0.2.2 instead say that this project switched from the GPLv2 license to BSD 0-Clause. That seems incorrect, since the BSD 0-Clause license doesn't require the copying of the copyright and permission notices, but COPYING (and the ISC license) do. So, am I correct that the release note mentioning BSD 0-Clause is just an error, and that this project is instead released under the ISC license?

I ask only because I maintain the FreeBSD port of your project, and FreeBSD requires that I identify the license of your code, so I wanted to make sure that ISC is correct. Thanks for your help, and for all your work!

install on openbsd 5.7

I am attempting to build on OpenBSD 5.7 following the instructions provided; however, I get the following error.
Makefile:189: recipe for target 'dnscrypt.o' failed
gmake: *** [dnscrypt.o] Error 1

Suspicious certificate received

I'm using the docker image from dnscrypt-proxy.
The proxy is working with resolvers inside the resolver list.

I tested dnscrypt-wrapper compiled with libsodium master and with the provided docker image.

I get the Suspicious certificate received error from the proxy every time.

Change to key rotation every 24 hours

Many servers I tried use 1-year rotating keys, which are bad for forward secrecy. I think they use the dnscrypt-wrapper defaults. Could the defaults be changed to 24 hours as per the specification, so that everyone upgrading the wrapper will make their service more secure?

The problem is described in DNSCrypt/dnscrypt-proxy#520

[INFO] The key rotation period for this server may exceed the recommended value. This is bad for forward secrecy.
dnscrypt-proxy will complain about PFS for anything more than 24 hours.

See this post for a practical example that works fine (I use this dns service with no problems) https://dnscrypt.pl/2017/02/26/how-key-rotation-is-automated/
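A key-rotation helper in the spirit of the linked post, added here as an example and not part of dnscrypt-wrapper itself: it renews the short-term key and certificate once they are a day old, so the wrapper never serves a certificate older than the 24-hour period dnscrypt-proxy expects. The --cert-file-expire-days option and the comma-separated multi-key form are assumed from the project README (check them against your installed version); KEYDIR and the .stamp files are this script's own convention.

```shell
#!/bin/sh
# Added rotation helper (not part of dnscrypt-wrapper). Assumes the README's
# --gen-crypt-keypair / --gen-cert-file options plus --cert-file-expire-days;
# KEYDIR is a hypothetical key directory.
set -e
KEYDIR="${KEYDIR:-/etc/dnscrypt-wrapper}"
MAX_AGE_SECONDS=86400   # 24h: anything longer makes dnscrypt-proxy warn about PFS
# rotation_due <cert> <now_epoch>: true when the cert has no creation stamp
# (never generated) or is at least MAX_AGE_SECONDS old.
rotation_due() {
    cert="$1"; now="$2"
    [ -f "$cert.stamp" ] || return 0
    created=$(cat "$cert.stamp")
    [ $((now - created)) -ge "$MAX_AGE_SECONDS" ]
}
# next_serial: one more than the highest numeric <N>.key already in KEYDIR.
next_serial() {
    n=0
    for f in "$KEYDIR"/*.key; do
        [ -e "$f" ] || continue
        s=${f##*/}; s=${s%.key}
        case "$s" in ''|*[!0-9]*) continue ;; esac
        if [ "$s" -gt "$n" ]; then n=$s; fi
    done
    echo $((n + 1))
}
# rotate_key <serial>: generate a fresh short-term key and a certificate that
# expires after one day, then record when it was created. The previous key stays
# on disk so the wrapper can be restarted with both files listed
# (--crypt-secretkey-file=1.key,2.key --provider-cert-file=1.cert,2.cert) and
# clients still holding the old certificate keep working until it expires.
rotate_key() {
    serial="$1"
    dnscrypt-wrapper --gen-crypt-keypair --crypt-secretkey-file="$KEYDIR/$serial.key"
    dnscrypt-wrapper --gen-cert-file \
        --crypt-secretkey-file="$KEYDIR/$serial.key" \
        --provider-cert-file="$KEYDIR/$serial.cert" \
        --provider-publickey-file="$KEYDIR/public.key" \
        --provider-secretkey-file="$KEYDIR/secret.key" \
        --cert-file-expire-days=1
    date +%s > "$KEYDIR/$serial.cert.stamp"
}
# Run from cron every hour as: rotate.sh run
if [ "${1:-}" = run ]; then
    cur=$(( $(next_serial) - 1 ))
    if [ "$cur" -eq 0 ] || rotation_due "$KEYDIR/$cur.cert" "$(date +%s)"; then
        rotate_key "$(next_serial)"
    fi
fi
```

After a rotation, restart the wrapper with both the previous and the new key/cert pair, then drop the old pair on the following rotation.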

bin versus sbin

While there may be situations where you would not start dnscrypt-wrapper as the root user, in most of the use cases I can imagine you would. Supporting this, the --listen-address option defaults to port 53 (which requires root to bind to) and I believe the --user option can only be used if you launch as root. Because of this, would it make more sense for dnscrypt-wrapper to install into the "sbin" directory rather than "bin"?

dnscrypt-wrapper start with systemctl failed.

Following is an example:

/usr/sbin/dnscrypt-wrapper \
    -r 8.8.4.4:53 \
    -a 0.0.0.0:22335 \
    --provider-name=2.dnscrypt-cert.domain.com \
    --crypt-secretkey-file=/root/.dnskey/1.key \
    --provider-cert-file=/root/.dnskey/1.cert \
    -d \
    -VVV \
    -l /tmp/dnscrypt-wrapper.log

It worked when invoked from a terminal on the VPS, but when started with systemctl, it failed.

What is this problem? Every DNS query looks like this:

[29615] 09 Aug 00:35:07.522 [debug] [udp_request.c:446] resolver to proxy cb
[29615] 09 Aug 00:35:07.522 [debug] [udp_request.c:487] Received a reply that doesn't match any active query
[29615] 09 Aug 00:35:07.522 [debug] [udp_request.c:446] resolver to proxy cb
[29615] 09 Aug 00:35:07.522 [debug] [udp_request.c:487] Received a reply that doesn't match any active query
[29615] 09 Aug 00:35:07.522 [debug] [udp_request.c:446] resolver to proxy cb
[29615] 09 Aug 00:35:07.522 [debug] [udp_request.c:487] Received a reply that doesn't match any active query
[29615] 09 Aug 00:35:07.522 [debug] [udp_request.c:446] resolver to proxy cb
[29615] 09 Aug 00:35:07.522 [debug] [udp_request.c:487] Received a reply that doesn't match any active query
