+ DNS: "port_dns_over_quic" setting

This commit is contained in:
Simon Zolin 2020-08-27 15:03:07 +03:00
parent 07b6cc24b7
commit d53e32259a
8 changed files with 40 additions and 9 deletions

View File

@ -743,6 +743,7 @@ Response:
"server_name":"...", "server_name":"...",
"port_https":443, "port_https":443,
"port_dns_over_tls":853, "port_dns_over_tls":853,
"port_dns_over_quic":784,
"certificate_chain":"...", "certificate_chain":"...",
"private_key":"...", "private_key":"...",
"certificate_path":"...", "certificate_path":"...",
@ -774,6 +775,7 @@ Request:
"force_https":false, "force_https":false,
"port_https":443, "port_https":443,
"port_dns_over_tls":853, "port_dns_over_tls":853,
"port_dns_over_quic":784,
"certificate_chain":"...", "certificate_chain":"...",
"private_key":"...", "private_key":"...",
"certificate_path":"...", // if set, certificate_chain must be empty "certificate_path":"...", // if set, certificate_chain must be empty

View File

@ -92,6 +92,7 @@ type FilteringConfig struct {
// TLSConfig is the TLS configuration for HTTPS, DNS-over-HTTPS, and DNS-over-TLS // TLSConfig is the TLS configuration for HTTPS, DNS-over-HTTPS, and DNS-over-TLS
type TLSConfig struct { type TLSConfig struct {
TLSListenAddr *net.TCPAddr `yaml:"-" json:"-"` TLSListenAddr *net.TCPAddr `yaml:"-" json:"-"`
QUICListenAddr *net.UDPAddr `yaml:"-" json:"-"`
StrictSNICheck bool `yaml:"strict_sni_check" json:"-"` // Reject connection if the client uses server name (in SNI) that doesn't match the certificate StrictSNICheck bool `yaml:"strict_sni_check" json:"-"` // Reject connection if the client uses server name (in SNI) that doesn't match the certificate
CertificateChain string `yaml:"certificate_chain" json:"certificate_chain"` // PEM-encoded certificates chain CertificateChain string `yaml:"certificate_chain" json:"certificate_chain"` // PEM-encoded certificates chain
@ -153,6 +154,10 @@ func (s *Server) createProxyConfig() (proxy.Config, error) {
MaxGoroutines: int(s.conf.MaxGoroutines), MaxGoroutines: int(s.conf.MaxGoroutines),
} }
if s.conf.QUICListenAddr != nil {
proxyConfig.QUICListenAddr = []*net.UDPAddr{s.conf.QUICListenAddr}
}
if s.conf.CacheSize != 0 { if s.conf.CacheSize != 0 {
proxyConfig.CacheEnabled = true proxyConfig.CacheEnabled = true
proxyConfig.CacheSizeBytes = int(s.conf.CacheSize) proxyConfig.CacheSizeBytes = int(s.conf.CacheSize)

View File

@ -270,7 +270,7 @@ func ValidateUpstreams(upstreams []string) error {
return nil return nil
} }
var protocols = []string{"tls://", "https://", "tcp://", "sdns://"} var protocols = []string{"tls://", "https://", "tcp://", "sdns://", "quic://"}
func validateUpstream(u string) (bool, error) { func validateUpstream(u string) (bool, error) {
// Check if user tries to specify upstream for domain // Check if user tries to specify upstream for domain

View File

@ -92,11 +92,12 @@ type dnsConfig struct {
} }
type tlsConfigSettings struct { type tlsConfigSettings struct {
Enabled bool `yaml:"enabled" json:"enabled"` // Enabled is the encryption (DOT/DOH/HTTPS) status Enabled bool `yaml:"enabled" json:"enabled"` // Enabled is the encryption (DOT/DOH/HTTPS) status
ServerName string `yaml:"server_name" json:"server_name,omitempty"` // ServerName is the hostname of your HTTPS/TLS server ServerName string `yaml:"server_name" json:"server_name,omitempty"` // ServerName is the hostname of your HTTPS/TLS server
ForceHTTPS bool `yaml:"force_https" json:"force_https,omitempty"` // ForceHTTPS: if true, forces HTTP->HTTPS redirect ForceHTTPS bool `yaml:"force_https" json:"force_https,omitempty"` // ForceHTTPS: if true, forces HTTP->HTTPS redirect
PortHTTPS int `yaml:"port_https" json:"port_https,omitempty"` // HTTPS port. If 0, HTTPS will be disabled PortHTTPS int `yaml:"port_https" json:"port_https,omitempty"` // HTTPS port. If 0, HTTPS will be disabled
PortDNSOverTLS int `yaml:"port_dns_over_tls" json:"port_dns_over_tls,omitempty"` // DNS-over-TLS port. If 0, DOT will be disabled PortDNSOverTLS int `yaml:"port_dns_over_tls" json:"port_dns_over_tls,omitempty"` // DNS-over-TLS port. If 0, DOT will be disabled
PortDNSOverQUIC uint16 `yaml:"port_dns_over_quic" json:"port_dns_over_quic,omitempty"` // DNS-over-QUIC port. If 0, DoQ will be disabled
// Allow DOH queries via unencrypted HTTP (e.g. for reverse proxying) // Allow DOH queries via unencrypted HTTP (e.g. for reverse proxying)
AllowUnencryptedDOH bool `yaml:"allow_unencrypted_doh" json:"allow_unencrypted_doh"` AllowUnencryptedDOH bool `yaml:"allow_unencrypted_doh" json:"allow_unencrypted_doh"`
@ -124,8 +125,9 @@ var config = configuration{
FiltersUpdateIntervalHours: 24, FiltersUpdateIntervalHours: 24,
}, },
TLS: tlsConfigSettings{ TLS: tlsConfigSettings{
PortHTTPS: 443, PortHTTPS: 443,
PortDNSOverTLS: 853, // needs to be passed through to dnsproxy PortDNSOverTLS: 853, // needs to be passed through to dnsproxy
PortDNSOverQUIC: 784,
}, },
logSettings: logSettings{ logSettings: logSettings{
LogCompress: false, LogCompress: false,

View File

@ -99,7 +99,9 @@ func getVersionResp(info update.VersionInfo) []byte {
Context.tls.WriteDiskConfig(&tlsConf) Context.tls.WriteDiskConfig(&tlsConf)
if runtime.GOOS != "windows" && if runtime.GOOS != "windows" &&
((tlsConf.Enabled && (tlsConf.PortHTTPS < 1024 || tlsConf.PortDNSOverTLS < 1024)) || ((tlsConf.Enabled && (tlsConf.PortHTTPS < 1024 ||
tlsConf.PortDNSOverTLS < 1024 ||
tlsConf.PortDNSOverQUIC < 1024)) ||
config.BindPort < 1024 || config.BindPort < 1024 ||
config.DNS.Port < 1024) { config.DNS.Port < 1024) {
// On UNIX, if we're running under a regular user, // On UNIX, if we're running under a regular user,

View File

@ -172,12 +172,20 @@ func generateServerConfig() dnsforward.ServerConfig {
Context.tls.WriteDiskConfig(&tlsConf) Context.tls.WriteDiskConfig(&tlsConf)
if tlsConf.Enabled { if tlsConf.Enabled {
newconfig.TLSConfig = tlsConf.TLSConfig newconfig.TLSConfig = tlsConf.TLSConfig
if tlsConf.PortDNSOverTLS != 0 { if tlsConf.PortDNSOverTLS != 0 {
newconfig.TLSListenAddr = &net.TCPAddr{ newconfig.TLSListenAddr = &net.TCPAddr{
IP: net.ParseIP(config.DNS.BindHost), IP: net.ParseIP(config.DNS.BindHost),
Port: tlsConf.PortDNSOverTLS, Port: tlsConf.PortDNSOverTLS,
} }
} }
if tlsConf.PortDNSOverQUIC != 0 {
newconfig.QUICListenAddr = &net.UDPAddr{
IP: net.ParseIP(config.DNS.BindHost),
Port: int(tlsConf.PortDNSOverQUIC),
}
}
} }
newconfig.TLSv12Roots = Context.tlsRoots newconfig.TLSv12Roots = Context.tlsRoots
newconfig.TLSCiphers = Context.tlsCiphers newconfig.TLSCiphers = Context.tlsCiphers
@ -225,6 +233,11 @@ func getDNSAddresses() []string {
addr := fmt.Sprintf("tls://%s:%d", tlsConf.ServerName, tlsConf.PortDNSOverTLS) addr := fmt.Sprintf("tls://%s:%d", tlsConf.ServerName, tlsConf.PortDNSOverTLS)
dnsAddresses = append(dnsAddresses, addr) dnsAddresses = append(dnsAddresses, addr)
} }
if tlsConf.PortDNSOverQUIC != 0 {
addr := fmt.Sprintf("quic://%s:%d", tlsConf.ServerName, tlsConf.PortDNSOverQUIC)
dnsAddresses = append(dnsAddresses, addr)
}
} }
return dnsAddresses return dnsAddresses

View File

@ -45,6 +45,7 @@ func tlsCreate(conf tlsConfigSettings) *TLSMod {
ServerName: conf.ServerName, ServerName: conf.ServerName,
PortHTTPS: conf.PortHTTPS, PortHTTPS: conf.PortHTTPS,
PortDNSOverTLS: conf.PortDNSOverTLS, PortDNSOverTLS: conf.PortDNSOverTLS,
PortDNSOverQUIC: conf.PortDNSOverQUIC,
AllowUnencryptedDOH: conf.AllowUnencryptedDOH, AllowUnencryptedDOH: conf.AllowUnencryptedDOH,
}} }}
} }
@ -267,6 +268,7 @@ func (t *TLSMod) handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
t.conf.ForceHTTPS = data.ForceHTTPS t.conf.ForceHTTPS = data.ForceHTTPS
t.conf.PortHTTPS = data.PortHTTPS t.conf.PortHTTPS = data.PortHTTPS
t.conf.PortDNSOverTLS = data.PortDNSOverTLS t.conf.PortDNSOverTLS = data.PortDNSOverTLS
t.conf.PortDNSOverQUIC = data.PortDNSOverQUIC
t.conf.CertificateChain = data.CertificateChain t.conf.CertificateChain = data.CertificateChain
t.conf.CertificatePath = data.CertificatePath t.conf.CertificatePath = data.CertificatePath
t.conf.CertificateChainData = data.CertificateChainData t.conf.CertificateChainData = data.CertificateChainData

View File

@ -1563,6 +1563,11 @@ components:
format: int32 format: int32
example: 853 example: 853
description: DNS-over-TLS port. If 0, DOT will be disabled. description: DNS-over-TLS port. If 0, DOT will be disabled.
port_dns_over_quic:
type: integer
format: int32
example: 784
description: DNS-over-QUIC port. If 0, DOQ will be disabled.
certificate_chain: certificate_chain:
type: string type: string
description: Base64 string with PEM-encoded certificates chain description: Base64 string with PEM-encoded certificates chain