From 498fdb782d444b199745c0e493bfb9f2dcfbbefa Mon Sep 17 00:00:00 2001
From: Frank Denis <github@pureftpd.org>
Date: Mon, 14 Oct 2019 12:50:49 +0200
Subject: [PATCH] Add support for Anonymized DNS

---
 Dockerfile            |  2 +-
 README.md             | 14 ++++++++
 encrypted-dns.toml.in | 34 ++++++++++++++++++
 entrypoint.sh         | 83 ++++++++++++++++++++++++-------------------
 4 files changed, 95 insertions(+), 38 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 0f590c9..050d635 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -37,7 +37,7 @@ ENV RUSTFLAGS "-C link-arg=-s"
 RUN apt-get update && apt-get install -qy --no-install-recommends $BUILD_DEPS && \
     curl -sSf https://sh.rustup.rs | bash -s -- -y --default-toolchain nightly && \
     export PATH="$HOME/.cargo/bin:$PATH" && \
-    echo "Compiling encrypted-dns version 0.2.10" && \
+    echo "Compiling encrypted-dns version 0.3.1" && \
     cargo install encrypted-dns && \
     mkdir -p /opt/encrypted-dns/sbin && \
     mv ~/.cargo/bin/encrypted-dns /opt/encrypted-dns/sbin/ && \
diff --git a/README.md b/README.md
index b8b43eb..fa61aff 100644
--- a/README.md
+++ b/README.md
@@ -13,6 +13,8 @@ to get your resolver up and running.
 Table of Contents
 =================
 
+- [DNSCrypt server Docker image](#dnscrypt-server-docker-image)
+- [Table of Contents](#table-of-contents)
 - [Quickstart](#quickstart)
 - [Installation](#installation)
 - [Customizing Unbound](#customizing-unbound)
@@ -20,6 +22,8 @@ Table of Contents
   - [Troubleshooting](#troubleshooting)
 - [Details](#details)
 - [Kubernetes](#kubernetes)
+- [Anonymized DNS](#anonymized-dns)
+- [TLS (including HTTPS and DoH) forwarding](#tls-including-https-and-doh-forwarding)
 - [Join the network](#join-the-network)
 
 Quickstart
@@ -135,6 +139,16 @@ in minutes.
 To get your public key just view the logs for the `dnscrypt-init` job. The public
 IP for your server is merely the `dnscrypt` service address.
 
+Anonymized DNS
+==============
+
+The server can be configured as a relay for the Anonymized DNSCrypt protocol by adding the `-A` switch to the `init` command.
+
+TLS (including HTTPS and DoH) forwarding
+========================================
+
+If the DNS server is listening to port `443`, but you still want to have a web (or DoH) service accessible on that port, add the `-T` switch followed by the backend server IP and port to the `init` command (for example: `-T 10.0.0.1:4443`).
+
 Join the network
 ================
 
diff --git a/encrypted-dns.toml.in b/encrypted-dns.toml.in
index c6f15b6..66a12ec 100644
--- a/encrypted-dns.toml.in
+++ b/encrypted-dns.toml.in
@@ -161,3 +161,37 @@ key_cache_capacity = 10000
 [filtering]
 
 @DOMAIN_BLACKLIST_CONFIGURATION@
+
+
+
+#########################
+#        Metrics        #
+#########################
+
+# [metrics]
+
+# type = "prometheus"
+# listen_addr = "0.0.0.0:9100"
+# path = "/metrics"
+
+
+
+################################
+#        Anonymized DNS        #
+################################
+
+[anonymized_dns]
+
+# Enable relaying support for Anonymized DNS
+
+enabled = @ANONDNS_ENABLED@
+
+
+# Allowed upstream ports
+
+allowed_ports = [ 443 ]
+
+
+# Blacklisted upstream IP addresses
+
+blacklisted_ips = [ @ANONDNS_BLACKLISTED_IPS@ ]
\ No newline at end of file
diff --git a/entrypoint.sh b/entrypoint.sh
index 6757731..c40ad49 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -22,28 +22,32 @@ init() {
         exit $?
     fi
 
-    while getopts "h?N:E:T:" opt; do
+    anondns_enabled="false"
+    anondns_blacklisted_ips=""
+
+    while getopts "h?N:E:T:A" opt; do
         case "$opt" in
-            h | \?) usage ;;
-            N) provider_name=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
-            E) ext_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
-            T) tls_proxy_upstream_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
+        h | \?) usage ;;
+        N) provider_name=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
+        E) ext_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
+        T) tls_proxy_upstream_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
+        A) anondns_enabled="true" ;;
         esac
     done
     [ -z "$provider_name" ] && usage
     case "$provider_name" in
-        .*) usage ;;
-        2.dnscrypt-cert.*) ;;
-        *) provider_name="2.dnscrypt-cert.${provider_name}" ;;
+    .*) usage ;;
+    2.dnscrypt-cert.*) ;;
+    *) provider_name="2.dnscrypt-cert.${provider_name}" ;;
     esac
 
     [ -z "$ext_address" ] && usage
     case "$ext_address" in
-        .*) usage ;;
-        0.*)
-            echo "Do not use 0.0.0.0, use an actual external IP address" >&2
-            exit 1
-            ;;
+    .*) usage ;;
+    0.*)
+        echo "Do not use 0.0.0.0, use an actual external IP address" >&2
+        exit 1
+        ;;
     esac
 
     tls_proxy_configuration=""
@@ -59,7 +63,7 @@ init() {
 
     echo "Provider name: [$provider_name]"
 
-    echo "$provider_name" > "${KEYS_DIR}/provider_name"
+    echo "$provider_name" >"${KEYS_DIR}/provider_name"
     chmod 644 "${KEYS_DIR}/provider_name"
 
     sed \
@@ -67,7 +71,9 @@ init() {
         -e "s#@EXTERNAL_IPV4@#${ext_address}#" \
         -e "s#@TLS_PROXY_CONFIGURATION@#${tls_proxy_configuration}#" \
         -e "s#@DOMAIN_BLACKLIST_CONFIGURATION@#${domain_blacklist_configuration}#" \
-        "$CONFIG_FILE_TEMPLATE" > "$CONFIG_FILE"
+        -e "s#@ANONDNS_ENABLEDN@#${anondns_enabled}#" \
+        -e "s#@ANONDNS_BLACKLISTED_IPS@#${anondns_blacklisted_ips}#" \
+        "$CONFIG_FILE_TEMPLATE" >"$CONFIG_FILE"
 
     mkdir -p -m 700 "${STATE_DIR}"
     chown _encrypted-dns:_encrypted-dns "${STATE_DIR}"
@@ -77,7 +83,7 @@ init() {
         /opt/encrypted-dns/sbin/encrypted-dns \
             --config "$CONFIG_FILE" \
             --import-from-dnscrypt-wrapper "${KEYS_DIR}/secret.key" \
-            --dry-run > /dev/null || exit 1
+            --dry-run >/dev/null || exit 1
         mv -f "${KEYS_DIR}/secret.key" "${KEYS_DIR}/secret.key.migrated"
     fi
 
@@ -107,22 +113,22 @@ legacy_compat() {
     if [ -f "${LEGACY_KEYS_DIR}/provider-info.txt" ] && [ -f "${LEGACY_KEYS_DIR}/provider_name" ]; then
         echo "Using [${LEGACY_KEYS_DIR}] for keys" >&2
         mkdir -p "${KEYS_DIR}"
-        mv -f "${KEYS_DIR}/provider-info.txt" "${KEYS_DIR}/provider-info.txt.migrated" 2> /dev/null || :
-        ln -s "${LEGACY_KEYS_DIR}/provider-info.txt" "${KEYS_DIR}/provider-info.txt" 2> /dev/null || :
-        mv -f "${KEYS_DIR}/provider_name" "${KEYS_DIR}/provider_name.migrated" 2> /dev/null || :
-        ln -s "${LEGACY_KEYS_DIR}/provider_name" "${KEYS_DIR}/provider_name" 2> /dev/null || :
-        mv -f "${KEYS_DIR}/secret.key" "${KEYS_DIR}/secret.key.migrated" 2> /dev/null || :
-        ln -s "${LEGACY_KEYS_DIR}/secret.key" "${KEYS_DIR}/secret.key" 2> /dev/null || :
+        mv -f "${KEYS_DIR}/provider-info.txt" "${KEYS_DIR}/provider-info.txt.migrated" 2>/dev/null || :
+        ln -s "${LEGACY_KEYS_DIR}/provider-info.txt" "${KEYS_DIR}/provider-info.txt" 2>/dev/null || :
+        mv -f "${KEYS_DIR}/provider_name" "${KEYS_DIR}/provider_name.migrated" 2>/dev/null || :
+        ln -s "${LEGACY_KEYS_DIR}/provider_name" "${KEYS_DIR}/provider_name" 2>/dev/null || :
+        mv -f "${KEYS_DIR}/secret.key" "${KEYS_DIR}/secret.key.migrated" 2>/dev/null || :
+        ln -s "${LEGACY_KEYS_DIR}/secret.key" "${KEYS_DIR}/secret.key" 2>/dev/null || :
         mkdir -p -m 700 "${LEGACY_STATE_DIR}"
         chown _encrypted-dns:_encrypted-dns "${LEGACY_STATE_DIR}"
-        mv -f "$STATE_DIR" "${STATE_DIR}.migrated" 2> /dev/null || :
-        ln -s "$LEGACY_STATE_DIR" "${STATE_DIR}" 2> /dev/null || :
+        mv -f "$STATE_DIR" "${STATE_DIR}.migrated" 2>/dev/null || :
+        ln -s "$LEGACY_STATE_DIR" "${STATE_DIR}" 2>/dev/null || :
     fi
     if [ -f "${LEGACY_LISTS_DIR}/blacklist.txt" ]; then
         echo "Using [${LEGACY_LISTS_DIR}] for lists" >&2
         mkdir -p "${LISTS_DIR}"
-        mv -f "${LISTS_DIR}/blacklist.txt" "${LISTS_DIR}/blacklist.txt.migrated" 2> /dev/null || :
-        ln -s "${LEGACY_LISTS_DIR}/blacklist.txt" "${LISTS_DIR}/blacklist.txt" 2> /dev/null || :
+        mv -f "${LISTS_DIR}/blacklist.txt" "${LISTS_DIR}/blacklist.txt.migrated" 2>/dev/null || :
+        ln -s "${LEGACY_LISTS_DIR}/blacklist.txt" "${LISTS_DIR}/blacklist.txt" 2>/dev/null || :
     fi
 }
 
@@ -155,13 +161,13 @@ start() {
         /opt/encrypted-dns/sbin/encrypted-dns \
             --config "$CONFIG_FILE" \
             --import-from-dnscrypt-wrapper "${KEYS_DIR}/secret.key" \
-            --dry-run > /dev/null || exit 1
+            --dry-run >/dev/null || exit 1
         mv -f "${KEYS_DIR}/secret.key" "${KEYS_DIR}/secret.key.migrated"
     fi
     /opt/encrypted-dns/sbin/encrypted-dns \
         --config "$CONFIG_FILE" --dry-run |
         tee "${KEYS_DIR}/provider-info.txt"
-    exec /etc/runit/2 < /dev/null > /dev/null 2> /dev/null
+    exec /etc/runit/2 </dev/null >/dev/null 2>/dev/null
 }
 
 shell() {
@@ -169,16 +175,19 @@ shell() {
 }
 
 usage() {
-    cat << EOT
+    cat <<EOT
 Commands
 ========
 
 * init -N <provider_name> -E <external ip>:<port>
 initialize the container for a server accessible at ip <external ip> on port
 <port>, for a provider named <provider_name>. This is required only once.
+
 If TLS connections to the same port have to be redirected to a HTTPS server
 (e.g. for DoH), add -T <https server ip>:<port>
 
+To enable Anonymized DNS relaying, add -A.
+
 * start (default command): start the resolver and the dnscrypt server proxy.
 Ports 443/udp and 443/tcp have to be publicly exposed.
 
@@ -193,12 +202,12 @@ EOT
 }
 
 case "$action" in
-    start) start ;;
-    init)
-        shift
-        init "$@"
-        ;;
-    provider-info) provider_info ;;
-    shell) shell ;;
-    *) usage ;;
+start) start ;;
+init)
+    shift
+    init "$@"
+    ;;
+provider-info) provider_info ;;
+shell) shell ;;
+*) usage ;;
 esac