Bump

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "encrypted-dns"
-version = "0.3.0"
+version = "0.3.1"
 authors = ["Frank Denis <github@pureftpd.org>"]
 edition = "2018"
 description = "A modern encrypted DNS server (DNSCrypt v2, Anonymized DNSCrypt, DoH)"

README.md

@@ -6,11 +6,11 @@ An easy to install, high-performance, zero maintenance proxy to run an encrypted
 
 ## Protocols
 
-The proxy aims at supporting the following protocols:
+The proxy supports the following protocols:
 
 - [DNSCrypt v2](https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/DNSCRYPT-V2-PROTOCOL.txt)
 - [Anonymized DNSCrypt](https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/ANONYMIZED-DNSCRYPT.txt)
-- DNS-over-HTTP (DoH)
+- DNS-over-HTTP (DoH) forwarding
 
 All of these can be served simultaneously, on the same port (usually port 443). The proxy automatically detects what protocol is being used by each client.
 

src/anonymized_dns.rs

@@ -65,6 +65,12 @@ pub async fn handle_anonymized_dns(
         encrypted_packet_len > 8 && [0u8, 0, 0, 0, 0, 0, 0, 1] != encrypted_packet[..8],
         "Protocol confusion with QUIC"
     );
+    debug_assert!(DNSCRYPT_UDP_QUERY_MIN_SIZE > ANONYMIZED_DNSCRYPT_QUERY_MAGIC.len());
+    ensure!(
+        encrypted_packet[..ANONYMIZED_DNSCRYPT_QUERY_MAGIC.len()]
+            != ANONYMIZED_DNSCRYPT_QUERY_MAGIC,
+        "Loop detected"
+    );
     let mut ext_socket = UdpSocket::bind(&globals.external_addr).await?;
     ext_socket.connect(&upstream_address).await?;
     ext_socket.send(&encrypted_packet).await?;