dnscrypt-proxy's Introduction

Status of the project

The DNSCrypt v2 C++ implementation was taken offline by its creator and maintainer Frank Denis on 6 December 2017, after he announced in November 2017 that the project needed a new maintainer.

The dnscrypt.org webpage lists a good number of end-user resources built from a new implementation written in Go.

At Dyne.org we rely on v2 of the DNSCrypt protocol and on this older but still working C++ implementation of dnscrypt-proxy for our Dowse.eu project, so we keep maintaining the C++ implementation of dnscrypt-proxy.

What is DNSCrypt

DNSCrypt is a protocol for securing communications between a client and a DNS resolver, using high-speed high-security elliptic-curve cryptography.

While it does not provide end-to-end security, it protects the local network, which is often the weakest point of the chain, against man-in-the-middle attacks.

dnscrypt-proxy is a client implementation of the protocol. It requires a DNS server made available by the DNSCrypt project.

Plugins

Aside from implementing the DNSCrypt v2 protocol, the C++ dnscrypt-proxy can be extended with plug-ins, and gives a lot of control over the local DNS traffic:

  • Provide nifty real-time traffic visualization using the Dowse plugin.
  • Review the DNS traffic originating from your network in real time, and detect compromised hosts and applications phoning home.
  • Locally block ads, trackers, malware, spam, and any website whose domain names or IP addresses match a set of rules you define.
  • Prevent queries for local zones from being leaked.
  • Reduce latency by caching responses and avoiding requesting IPv6 addresses on IPv4-only networks.
  • Force traffic to use TCP, to route it through TCP-only tunnels or Tor.

dnscrypt-proxy's Issues

Terrible but efficient hack for retrieving online DNS

Hi folks,
The original script that retrieves all online DNS servers being awfully slooow, I found a modification that reduces it to ~1'30 (instead of 30'), as my tests have shown that if a DNS server is online, it'll answer in less than a second:

cd contrib
cp resolvers-check.sh resolvers-check.sh_ORG

Then, edit resolvers-check.sh as follows. IMPORTANT: the modification will not work if you leave the shebang as #!/bin/sh!

#!/bin/bash

res=0
while read line; do
  if [ "x${IPV4_ONLY}" != "x" ]; then
    n=$(echo "$line" | egrep -c ',\[[0-9a-fA-F:]+\](:[0-9]+)?,')
    if [ $n -ne 0 ]; then
      continue
    fi
  fi
  resolver_name=$(echo "$line" | cut -d, -f1)

  # NB: Above code is unmodified - just a beacon - modif is below.

  ( cmdpid=$BASHPID;
    (sleep 1; kill $cmdpid) & \
    while ! eval "${DNSCRYPT_PROXY} -L ${CSV_FILE} -R ${resolver_name} -t ${MARGIN} -m 1"
        do
            :
        done )

  # NB: /Modification - Code below is genuine

  if [ $? -eq 0 ]; then
    echo "$line"
    echo "+ ${resolver_name} - OK" >&2
  else
    echo "- ${resolver_name} - Failed" >&2
    res=1
  fi
done

This modification will spit out a lot of garbage when running (due to the nature of the code (return code test); I did not find a way to avoid that, maybe some more experienced user can), but it will only cost you 90s instead of… 1800s.

My 2¢.

Remove REUSEABLE_PORT flag from tcp_listener_bind

After extensive testing we noticed the REUSEABLE_PORT flag really breaks most ARM builds: for some reason Linux kernels built on ARM do not support it. This issue was introduced in 79f3ad9 and is addressed already in various commits: 0a0160b, d1c1916 and 8ff4d77.

Removing the flag altogether solves the issue, while I'm not entirely sure the initial intention of "allowing round-robining to multiple dnscrypt-proxy daemons on a single port" is really enabled by it.

We use the following diff in Dowse as a fix, and it may be worth considering merging, unless anyone strongly relies on this RR feature:

diff --git a/src/proxy/tcp_request.c b/src/proxy/tcp_request.c
index 7ad3efc..cdb6a69 100644
--- a/src/proxy/tcp_request.c
+++ b/src/proxy/tcp_request.c
@@ -560,7 +560,7 @@ tcp_listener_bind(ProxyContext * const proxy_context)
 #endif
     if (proxy_context->tcp_listener_handle == -1) {
         unsigned int flags = LEV_OPT_CLOSE_ON_FREE | LEV_OPT_CLOSE_ON_EXEC |
-                             LEV_OPT_REUSEABLE | LEV_OPT_REUSEABLE_PORT |
+                             LEV_OPT_REUSEABLE |
                              LEV_OPT_DEFERRED_ACCEPT;
         for (;;) {
             proxy_context->tcp_conn_listener =
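Review bot: the flag is dropped unconditionally for every platform, while the description only establishes that ARM kernels reject it; consider gating `LEV_OPT_REUSEABLE_PORT` behind the same `NO_REUSEPORT` build switch the UDP path already has, so builds that do run several daemons on one port keep the round-robin behaviour, and record the behaviour change in the README or changelog either way.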
diff --git a/src/proxy/udp_request.c b/src/proxy/udp_request.c
index 455e907..a14822e 100644
--- a/src/proxy/udp_request.c
+++ b/src/proxy/udp_request.c
@@ -492,7 +492,6 @@ udp_listener_kill_oldest_request(ProxyContext * const proxy_context)
 int
 udp_listener_bind(ProxyContext * const proxy_context)
 {
-    int optval = 1;
     if (proxy_context->udp_listener_handle == -1) {
         if ((proxy_context->udp_listener_handle = socket
              (proxy_context->local_sockaddr.ss_family,
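Review bot: `optval` was only consumed by the `setsockopt(SO_REUSEPORT)` call removed in the following hunk, so dropping the declaration here is correct and avoids an unused-variable warning; if that call is instead kept behind its `NO_REUSEPORT` guard, this line has to stay with it, so the two hunks should land together.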
@@ -501,9 +500,6 @@ udp_listener_bind(ProxyContext * const proxy_context)
                             "Unable to create a socket (UDP)");
             return -1;
         }
-#if defined(__linux__) && defined(SO_REUSEPORT) && !defined(NO_REUSEPORT)
-        setsockopt(proxy_context->udp_listener_handle, SOL_SOCKET, SO_REUSEPORT, &optval, sizeof(optval));
-#endif
         if (bind(proxy_context->udp_listener_handle,
                  (struct sockaddr *) &proxy_context->local_sockaddr,
                  proxy_context->local_sockaddr_len) != 0) {
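Review bot: the removed block was already wrapped in `!defined(NO_REUSEPORT)`, so the ARM builds could have been fixed by defining `NO_REUSEPORT` at build time rather than deleting the option for everyone; note also that the `setsockopt` return value was never checked, so this call could not by itself have made the subsequent `bind` fail, which points at the libevent TCP flag as the more likely cause of the breakage and is worth confirming before removing both.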

Add an option for 2nd resolver (backup resolver)?

Hey there,
I have been using dnscrypt for ~2 years now and experienced several times already that the dns resolver of my choice went offline for a few days (cisco, dnscrypt.eu-nl, d0wn,...).

Could you add an option to dnscrypt-proxy.conf to specify a 2nd resolver in case the first one goes offline? This is something you can usually also set with most network managers on Windows, Linux, Android and even iOS.

Quad9 dnscrypt-resolvers Information (provider public key)

Hello. I'm looking for Quad9 (9.9.9.9)'s dnscrypt information. It's not included in dnscrypt-resolvers.csv and I haven't been able to locate it anywhere else.
Does anyone know what it is and/or how to find it - specifically the provider public key?

===
So far, I've found
PROVIDER_NAME=2.dnscrypt-cert.quad9.net
RESOLVER_IP=9.9.9.9 -e RESOLVER_PORT=8443
but I can't find the PROVIDER_KEY value.

I want to run the gists/dnscrypt-proxy docker container which need this information.

Thanks in advance for any assistance or guidance,
AditS

New DNS server in Mountain View California

I just built this server on Google Cloud Platform. No logs. Can you add it to the list?

Stamp for dnscrypt-proxy 2.x:
sdns://AQcAAAAAAAAAEzEwNC4xOTguMTEwLjExNTo0NDMgg2u3HcgDDo2XsrKL05-UK3r6Z7RGMKwymuTIQ4fQZegkMi5kbnNjcnlwdC1jZXJ0LmRucy5xdWFsaXR5b2xvZ3kuY29t

Parameters for dnscrypt-proxy 1.x:
dnscrypt-proxy --provider-key=836B:B71D:C803:0E8D:97B2:B28B:D39F:942B:7AFA:67B4:4630:AC32:9AE4:C843:87D0:65E8
--resolver-address=104.198.110.115:443
--provider-name=2.dnscrypt-cert.dns.qualityology.com

Vulnerability in the `ldns_blocking` plugin.

Bad news, there is a vulnerability in the ldns_blocking plugin.

An IPv4 address present in the set of IPs to be blocked will be blocked for an A query.

However, IPv4 addresses can also be encoded as IPv6 addresses. For example ::ffff:216.58.201.142 is equivalent to 216.58.201.142.

With an AAAA record containing such an IPv4-in-IPv6 address, the ldns_blocking plugin will not spot the IPv4 address and let the query go through.

curl is an example of a client that will connect to the IPv4 address even though it was obtained from an AAAA record, and I guess many HTTP clients and browsers will behave the same way. A malicious website can thus bypass IP-based DNS filters.
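The bypass reported above comes down to comparing an IPv6 answer against IPv4 rules without first unwrapping it. The following is an added example, not code from the ldns_blocking plugin: it shows the family-only comparison the issue describes next to a hardened check that canonicalizes IPv4-mapped (and, going one step beyond the issue, the deprecated IPv4-compatible) IPv6 answers before matching. The blocklist and answer records are constructed sample values.

```python
import ipaddress

# Constructed blocklist for the demo: the IPv4 from the issue plus a documentation
# IPv6 range (example values, not the plugin's real rule file).
BLOCKED = [ipaddress.ip_network("216.58.201.142/32"),
           ipaddress.ip_network("2001:db8:bad::/48")]

# Constructed answers as (qtype, rdata); the second one is the bypass described above.
SAMPLE_ANSWERS = [("A", "216.58.201.142"),
                  ("AAAA", "::ffff:216.58.201.142"),
                  ("AAAA", "2001:db8:bad::1"),
                  ("AAAA", "2001:db8::1")]


def is_blocked_naive(rdata, blocklist=BLOCKED):
    """Family-aware comparison as the issue describes the plugin behaving:
    an IPv6 answer is never matched against an IPv4 rule."""
    ip = ipaddress.ip_address(rdata)
    return any(ip in net for net in blocklist)


def normalize_answer_ip(rdata):
    """Canonicalize an A/AAAA answer before matching: an IPv4 address carried in an
    IPv4-mapped (::ffff:a.b.c.d) or deprecated IPv4-compatible (::a.b.c.d) IPv6
    address is returned as the IPv4 address a client would actually connect to."""
    ip = ipaddress.ip_address(rdata)
    if isinstance(ip, ipaddress.IPv6Address):
        if ip.ipv4_mapped is not None:
            return ip.ipv4_mapped
        if ip in ipaddress.ip_network("::/96") and not (ip.is_unspecified or ip.is_loopback):
            return ipaddress.IPv4Address(int(ip))
    return ip


def is_blocked(rdata, blocklist=BLOCKED):
    """Hardened check: match the canonical address against every rule."""
    ip = normalize_answer_ip(rdata)
    return any(ip in net for net in blocklist)


def filter_answers(answers, blocklist=BLOCKED):
    """Split (qtype, rdata) answers into (allowed, blocked) using the hardened check."""
    allowed, blocked = [], []
    for qtype, rdata in answers:
        (blocked if is_blocked(rdata, blocklist) else allowed).append((qtype, rdata))
    return allowed, blocked
```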

New script to obtain actual online DNS servers supporting v2 protocol

The old CSV file understood by the dnscrypt-proxy v2 C++ is not up to date, and a lot of things have changed, among them the birth of the "DNS stamp" format (https://github.com/DNSCrypt/dnscrypt-proxy/wiki/stamps), which is a base64url-encoded string containing all the information for each server.

This needs a script that uses the online information and compiles a CSV understood by our dnscrypt-proxy, so that it can be easily configured. The current list of online v2 servers actually works well; one can just try it.

For example at the time of writing this issue this v2 server works well with dnscrypt-proxy:

ProviderName    2.dnscrypt-cert.ams-dnscrypt-nl
ProviderKey     a5874bdaf4168298fbec1c9c997502be5a3946fdd71b2e7ef3d48e2777acd45a
ResolverAddress 89.38.131.38:4343
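A decoder for the stamp format is the core of the script this issue asks for, and the stamp posted in the Mountain View server issue above comes with its 1.x parameters, which makes it a ready-made test vector. The following is an added example, not code from the project: it decodes a DNSCrypt stamp (protocol byte 0x01) into the ResolverAddress / ProviderName / ProviderKey fields shown above and renders the key in the 1.x --provider-key form; the field layout (protocol byte, 8-byte little-endian properties, then three length-prefixed fields) is the one documented on the wiki page linked above.

```python
import base64

# Constructed test input: the stamp posted for the Mountain View server above.
SAMPLE_STAMP = ("sdns://AQcAAAAAAAAAEzEwNC4xOTguMTEwLjExNTo0NDMgg2u3HcgDDo2XsrKL05-UK3r6Z7RG"
                "MKwymuTIQ4fQZegkMi5kbnNjcnlwdC1jZXJ0LmRucy5xdWFsaXR5b2xvZ3kuY29t")

def _take_lp(raw, pos):
    """Read one 1-byte-length-prefixed field at pos; return (field, next_pos)."""
    if pos >= len(raw):
        raise ValueError("stamp truncated")
    length = raw[pos]
    field = raw[pos + 1:pos + 1 + length]
    if len(field) != length:
        raise ValueError("stamp truncated inside a field")
    return field, pos + 1 + length

def decode_dnscrypt_stamp(stamp):
    """Decode a DNSCrypt stamp (protocol byte 0x01) into the three fields the
    C++ dnscrypt-proxy takes (-R / CSV): ResolverAddress, ProviderName, ProviderKey."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not an sdns:// stamp")
    body = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))  # re-add padding
    if len(raw) < 9 or raw[0] != 0x01:
        raise ValueError("only DNSCrypt stamps (protocol 0x01) are handled")
    props = int.from_bytes(raw[1:9], "little")  # 64-bit little-endian property flags
    addr, pos = _take_lp(raw, 9)
    pk, pos = _take_lp(raw, pos)
    name, pos = _take_lp(raw, pos)
    if len(pk) != 32:
        raise ValueError("provider public key must be 32 bytes")
    if pos != len(raw):
        raise ValueError("unexpected trailing bytes in stamp")
    addr = addr.decode("ascii")
    # Stamps omit the port when it is 443; the proxy wants it spelled out.
    has_port = "]:" in addr if addr.startswith("[") else ":" in addr
    if not has_port:
        addr += ":443"
    return {
        "ResolverAddress": addr,
        "ProviderName": name.decode("ascii"),
        "ProviderKey": pk.hex().upper(),  # 64 hex chars, as in dnscrypt-resolvers.csv
        "DNSSEC": bool(props & 1), "NoLog": bool(props & 2), "NoFilter": bool(props & 4),
    }

def key_to_colon_hex(key_hex):
    """Render a 64-hex-char provider key in the 1.x --provider-key form (XXXX:XXXX:...)."""
    key_hex = key_hex.upper()
    return ":".join(key_hex[i:i + 4] for i in range(0, len(key_hex), 4))
```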

Big thanks for maintaining the DNSCrypt-proxy codebase

Many and big thanks for maintaining the "DNSCrypt-proxy codebase without the intention of adding any new features, just patch bugs" as you explain it on your README.markdown.

I've been using DNSCrypt-Proxy for years, at this time the latest dnscrypt-proxy-win64-full-1.9.5.
That the code is no longer updated is one thing, but that the regularly updated dnscrypt-resolvers.csv is out of reach from where I'd always download it, that is from the DNSCrypt-Proxy Downloads page, is another.

Fortunately this dnscrypt-resolvers.csv is available here.
For those like me who need a direct download link to be able to update without opening the browser, here's a direct download link for the dnscrypt-resolvers.csv maintained here.

Thanks again.

CSV entry for Cloudflare

Anyone know what to put into the CSV to use Cloudflare? The CSV is missing a bunch of DNS services... Including Google.

signature does not match using minisign in windows 7 x64

I get this result after downloading the latest dnscrypt-proxy and getting acquainted with the program...

C:\Users\generic\Downloads>minisign -G
Please enter a password to protect the secret key.

Password:
Password (one more time):
Deriving a key from the password in order to encrypt the secret key... done

The secret key was saved as C:\Users\generic\.minisign\minisign.key - Keep it secret!
The public key was saved as minisign.pub - That one can be public.

Files signed using this key pair can be verified with the following command:

minisign -Vm -P RWSrhtlidAACV5p0p84A8xMwgLUCwS9EorqVECrf8XHP2pJ+iSBlKWv1

C:\Users\generic\Downloads>minisign.exe -Vm "dnscrypt-proxy-win64-2.0.25.zip" -P minisign.pub
base64 conversion failed - was an actual public key given?

C:\Users\generic\Downloads>minisign.exe -Vm "dnscrypt-proxy-win64-2.0.25.zip" -P RWSrhtlidAACV5p0p84A8xMwgLUCwS9EorqVECrf8XHP2pJ+iSBlKWv1
Signature key id in dnscrypt-proxy-win64-2.0.25.zip.minisig is 79833371EA15D7E4
but the key id in the public key is 5702007462D986AB

C:\Users\generic\Downloads>minisign.exe -Vm "dnscrypt-proxy-win64-2.0.25.zip" -p minisign.pub
Signature key id in dnscrypt-proxy-win64-2.0.25.zip.minisig is 79833371EA15D7E4
but the key id in the public key is 5702007462D986AB

What's happening here?

update readme.md

This project was taken offline by its creator and maintainer Frank Denis on the 6th December 2018, after announcing in November 2017 that the project needs a new maintainer.

6 December 2018?

dnscrypt.org-fr public proxy in csv file is out of date

I presume since dnscrypt.org is no longer owned or maintained by @jedisct1, it should be removed from the public proxy csv file. Or perhaps it can be updated to the new server if it can still serve requests to dns-crypt v.1.9.x clients?

I'd been using fr.dnscrypt.org as one of three resolvers and only today realised it was not working....

Server connections fail

Is there really any reason to continue using DNSCrypt? Aren't the odds of a DNS misdirect minuscule anyway?

Just last week I was checking for updates and found sites which said the project was dead.
Then I found out the list was being maintained here.

But for the past week or so the app hasn’t worked at all for me.
When I connect to ANY server my connection is dropped.

And although Network Diagnostic shows red for Internet and Server, DNSCrypt still says it’s connected.

Even tried removing all the static servers I’d entered in the Advanced tab just in case it made any difference, which of course it didn’t.

Are any servers still working for others?
