Add support for Anonymized DNS

5 years ago · 498fdb782d
parent f0ccbe88c4
commit 498fdb782d
4 changed files with 95 additions and 38 deletions
--- a/2
+++ b/2
@ -37,7 +37,7 @@ ENV RUSTFLAGS "-C link-arg=-s"
 RUN apt-get update && apt-get install -qy --no-install-recommends $BUILD_DEPS && \
    curl -sSf https://sh.rustup.rs | bash -s -- -y --default-toolchain nightly && \
    export PATH="$HOME/.cargo/bin:$PATH" && \
-    echo "Compiling encrypted-dns version 0.2.10" && \
+    echo "Compiling encrypted-dns version 0.3.1" && \
    cargo install encrypted-dns && \
    mkdir -p /opt/encrypted-dns/sbin && \
    mv ~/.cargo/bin/encrypted-dns /opt/encrypted-dns/sbin/ && \
--- a/README.md
+++ b/README.md
@ -13,6 +13,8 @@ to get your resolver up and running.
 Table of Contents
 =================

+- [DNSCrypt server Docker image](#dnscrypt-server-docker-image)
+- [Table of Contents](#table-of-contents)
 - [Quickstart](#quickstart)
 - [Installation](#installation)
 - [Customizing Unbound](#customizing-unbound)
@ -20,6 +22,8 @@ Table of Contents
  - [Troubleshooting](#troubleshooting)
 - [Details](#details)
 - [Kubernetes](#kubernetes)
+- [Anonymized DNS](#anonymized-dns)
+- [TLS (including HTTPS and DoH) forwarding](#tls-including-https-and-doh-forwarding)
 - [Join the network](#join-the-network)

 Quickstart
@ -135,6 +139,16 @@ in minutes.
 To get your public key just view the logs for the `dnscrypt-init` job. The public
 IP for your server is merely the `dnscrypt` service address.

+Anonymized DNS
+==============
+
+The server can be configured as a relay for the Anonymized DNSCrypt protocol by adding the `-A` switch to the `init` command.
+
+TLS (including HTTPS and DoH) forwarding
+========================================
+
+If the DNS server is listening to port `443`, but you still want to have a web (or DoH) service accessible on that port, add the `-T` switch followed by the backend server IP and port to the `init` command (for example: `-T 10.0.0.1:4443`).
+
 Join the network
 ================

--- a/encrypted-dns.toml.in
+++ b/encrypted-dns.toml.in
@ -161,3 +161,37 @@ key_cache_capacity = 10000
 [filtering]

@DOMAIN_BLACKLIST_CONFIGURATION@
+
+
+
+#########################
+#        Metrics        #
+#########################
+
+# [metrics]
+
+# type = "prometheus"
+# listen_addr = "0.0.0.0:9100"
+# path = "/metrics"
+
+
+
+################################
+#        Anonymized DNS        #
+################################
+
+[anonymized_dns]
+
+# Enable relaying support for Anonymized DNS
+
+enabled = @ANONDNS_ENABLED@
+
+
+# Allowed upstream ports
+
+allowed_ports = [ 443 ]
+
+
+# Blacklisted upstream IP addresses
+
+blacklisted_ips = [ @ANONDNS_BLACKLISTED_IPS@ ]
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -22,12 +22,16 @@ init() {
        exit $?
    fi

-    while getopts "h?N:E:T:" opt; do
+    anondns_enabled="false"
+    anondns_blacklisted_ips=""
+
+    while getopts "h?N:E:T:A" opt; do
        case "$opt" in
        h | \?) usage ;;
        N) provider_name=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
        E) ext_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
        T) tls_proxy_upstream_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
+        A) anondns_enabled="true" ;;
        esac
    done
    [ -z "$provider_name" ] && usage
@ -67,6 +71,8 @@ init() {
        -e "s#@EXTERNAL_IPV4@#${ext_address}#" \
        -e "s#@TLS_PROXY_CONFIGURATION@#${tls_proxy_configuration}#" \
        -e "s#@DOMAIN_BLACKLIST_CONFIGURATION@#${domain_blacklist_configuration}#" \
+        -e "s#@ANONDNS_ENABLEDN@#${anondns_enabled}#" \
+        -e "s#@ANONDNS_BLACKLISTED_IPS@#${anondns_blacklisted_ips}#" \
        "$CONFIG_FILE_TEMPLATE" >"$CONFIG_FILE"

    mkdir -p -m 700 "${STATE_DIR}"
@ -176,9 +182,12 @@ Commands
 * init -N <provider_name> -E <external ip>:<port>
 initialize the container for a server accessible at ip <external ip> on port
 <port>, for a provider named <provider_name>. This is required only once.
+
 If TLS connections to the same port have to be redirected to a HTTPS server
 (e.g. for DoH), add -T <https server ip>:<port>

+To enable Anonymized DNS relaying, add -A.
+
 * start (default command): start the resolver and the dnscrypt server proxy.
 Ports 443/udp and 443/tcp have to be publicly exposed.