Anonymized DNS is here

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "encrypted-dns"
-version = "0.2.10"
+version = "0.3.0"
 authors = ["Frank Denis <github@pureftpd.org>"]
 edition = "2018"
 description = "A modern encrypted DNS server (DNSCrypt v2, Anonymized DNSCrypt, DoH)"
@@ -21,7 +21,7 @@ derivative = "1.0.3"
 dnsstamps = "0.1.2"
 env_logger = { version="0.7.0", default-features = false, features = ["humantime"]}
 failure = "0.1.6"
-futures-preview = { version = "=0.3.0-alpha.19", features = ["async-await", "unstable", "cfg-target-has-atomic"] }
+futures-preview = { version = "=0.3.0-alpha.19", features = ["async-await"] }
 jemallocator = "0.3.2"
 libsodium-sys-stable="1.18.1"
 log = { version = "0.4.8", features = ["std", "release_max_level_debug"] }

README.md

@@ -9,7 +9,7 @@ An easy to install, high-performance, zero maintenance proxy to run an encrypted
 The proxy aims at supporting the following protocols:
 
 - [DNSCrypt v2](https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/DNSCRYPT-V2-PROTOCOL.txt)
-- [Anonymized DNSCrypt](https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/ANONYMIZED-DNSCRYPT.txt) (WIP)
+- [Anonymized DNSCrypt](https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/ANONYMIZED-DNSCRYPT.txt)
 - DNS-over-HTTP (DoH)
 
 All of these can be served simultaneously, on the same port (usually port 443). The proxy automatically detects what protocol is being used by each client.
@@ -108,3 +108,7 @@ Domains can be filtered directly by the proxy, see the `[filtering]` section of
 ## Prometheus metrics
 
 Prometheus metrics can optionally be enabled in order to monitor performance, cache efficiency, and more.
+
+## Anonymized DNSCrypt
+
+Enabling Anonymized DNSCrypt allows the server to be used as an encrypted DNS relay.

example-encrypted-dns.toml

@@ -189,4 +189,17 @@ key_cache_capacity = 10000
 
 [anonymized_dns]
 
+
+# Enable relaying support for Anonymized DNS
+
 enabled = false
+
+
+# Allowed upstream ports
+
+allowed_ports = [ 443 ]
+
+
+# Blacklisted upstream IP addresses
+
+blacklisted_ips = [ "93.184.216.34" ]

src/anonymized_dns.rs

@@ -39,8 +39,15 @@ pub async fn handle_anonymized_dns(
     globals.varz.anonymized_queries.inc();
 
     ensure!(ip.is_global(), "Forbidden upstream address");
+    ensure!(
+        !globals.anonymized_dns_blacklisted_ips.contains(&ip),
+        "Blacklisted upstream IP"
+    );
     let port = BigEndian::read_u16(&encrypted_packet[16..18]);
-    ensure!([443].contains(&port), "Forbidden upstream port");
+    ensure!(
+        globals.anonymized_dns_allowed_ports.contains(&port),
+        "Forbidden upstream port"
+    );
     let upstream_address = SocketAddr::new(ip, port);
     ensure!(
         !globals.listen_addrs.contains(&upstream_address)

src/config.rs

@@ -12,6 +12,8 @@ use tokio::prelude::*;
 #[derive(Serialize, Deserialize, Debug, Clone)]
 pub struct AnonymizedDNSConfig {
     pub enabled: bool,
+    pub allowed_ports: Vec<u16>,
+    pub blacklisted_ips: Vec<IpAddr>,
 }
 
 #[cfg(feature = "metrics")]

src/globals.rs

@@ -8,7 +8,7 @@ use crate::varz::*;
 use parking_lot::{Mutex, RwLock};
 use siphasher::sip128::SipHasher13;
 use std::collections::vec_deque::VecDeque;
-use std::net::SocketAddr;
+use std::net::{IpAddr, SocketAddr};
 use std::path::PathBuf;
 use std::sync::atomic::AtomicU32;
 use std::sync::Arc;
@@ -40,8 +40,10 @@ pub struct Globals {
     pub hasher: SipHasher13,
     pub cache: Cache,
     pub blacklist: Option<BlackList>,
+    pub anonymized_dns_enabled: bool,
+    pub anonymized_dns_allowed_ports: Vec<u16>,
+    pub anonymized_dns_blacklisted_ips: Vec<IpAddr>,
     #[cfg(feature = "metrics")]
     #[derivative(Debug = "ignore")]
     pub varz: Varz,
-    pub anonymized_dns_enabled: bool,
 }

src/main.rs

@@ -557,6 +557,16 @@ fn main() -> Result<(), Error> {
         }
         let stamp = stamp.serialize().unwrap();
         info!("DNS Stamp: {}", stamp);
+
+        if let Some(anonymized_dns) = &config.anonymized_dns {
+            if anonymized_dns.enabled {
+                let relay_stamp = dnsstamps::DNSCryptRelayBuilder::new()
+                    .with_addr(listen_addr_s.external.to_string())
+                    .serialize()
+                    .unwrap();
+                info!("DNS Stamp for Anonymized DNS relaying: {}", relay_stamp);
+            }
+        }
     }
     if matches.is_present("dry-run") {
         return Ok(());
@@ -584,10 +594,16 @@ fn main() -> Result<(), Error> {
                 .map_err(|e| format_err!("Unable to load the blacklist [{:?}]: [{}]", path, e))?,
         ),
     };
-    let anonymized_dns_enabled = match config.anonymized_dns {
-        None => false,
-        Some(anonymized_dns) => anonymized_dns.enabled,
-    };
+    let (anonymized_dns_enabled, anonymized_dns_allowed_ports, anonymized_dns_blacklisted_ips) =
+        match config.anonymized_dns {
+            None => (false, vec![], vec![]),
+            Some(anonymized_dns) => (
+                anonymized_dns.enabled,
+                anonymized_dns.allowed_ports,
+                anonymized_dns.blacklisted_ips,
+            ),
+        };
+
     let globals = Arc::new(Globals {
         runtime: runtime.clone(),
         state_file: state_file.to_path_buf(),
@@ -616,9 +632,11 @@ fn main() -> Result<(), Error> {
         hasher,
         cache,
         blacklist,
+        anonymized_dns_enabled,
+        anonymized_dns_allowed_ports,
+        anonymized_dns_blacklisted_ips,
         #[cfg(feature = "metrics")]
         varz: Varz::default(),
-        anonymized_dns_enabled,
     });
     let updater = DNSCryptEncryptionParamsUpdater::new(globals.clone());
     if !state_is_new {