Thursday, October 31, 2019

Re: update net/dnscrypt-proxy 2.0.30

net/dnscrypt-proxy 2.0.31 was just released to fix two regressions on
October 31, 2019. The diff is pasted below.

https://github.com/DNSCrypt/dnscrypt-proxy/releases/tag/2.0.31

"This version fixes two regressions introduced in version 2.0.29: DoH
server couldn't be reached over IPv6 any more, and the proxy couldn't be
interrupted while servers were being benchmarked."

Steps to reproduce the latter regression in 2.0.30:
1. Make sure server_names is commented out in /etc/dnscrypt-proxy.toml
# server_names = ['scaleway-fr' ...]

2. Enable logging to /var/log/messages
log_level = 2
use_syslog = true

3. Start dnscrypt-proxy
# /etc/rc.d/dnscrypt-proxy restart

4. As /var/log/messages prints out pings to various servers:
Oct 31 12:34:55 dust2 dnscrypt-proxy[29789]: [cs-usil] OK (DNSCrypt) - rtt: 78ms
Oct 31 12:35:00 dust2 dnscrypt-proxy[29789]: [cs-nl2] OK (DNSCrypt) - rtt: 155ms

Attempt to restart dnscrypt-proxy
# /etc/rc.d/dnscrypt-proxy restart

5. It prints and gets stuck on: "dnscrypt-proxy" instead of
"dnscrypt-proxy(OK) dnscrypt-proxy(OK)"

With 2.0.31 it restarts reliably while pinging various servers. I had
noticed this in 2.0.30 but did not investigate further. Sorry for not
noting it in my test report. I successfully tested on amd64.

Feedback and tests are welcome.

Nam Nguyen writes:

> Nam Nguyen writes:
>
>> The main addition in 2.0.29 is anonymized DNS. "Routes are indirect ways
>> to reach DNSCrypt servers. A route maps a server name ("server_name") to
>> one or more relays that will be used to connect to that server."
>>
>> /var/dnscrypt-proxy/relays.md is now added to the port and is
>> populated after an initial run of dnscrypt-proxy.
>>
>> In /etc/dnscrypt-proxy.toml, I have the following:
>>
>> server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
>>
>> routes = [
>> { server_name='google', via=['anon-kama', 'anon-scaleway'] },
>> { server_name='cloudflare', via=['anon-kama', 'anon-scaleway'] },
>> ]
>>
>> However, I am not sure how to actually confirm that the anonymous DNS
>> relays are used. If I enable query logging:
>>
>> [query_log]
>> file = '/var/dnscrypt-proxy/query.log'
>>
>> $ touch /var/dnscrypt-proxy/query.log
>> $ chown _dnscrypt-proxy /var/dnscrypt-proxy/query.log
>>
>> I see logged queries of the form:
>>
>> [2019-10-30 17:57:02] 127.0.0.1 openbsd.org A PASS 59ms cloudflare
>>
>> with no mention of the anonymous DNS relay used. It seems that logging
>> the relay used is not yet implemented. Overall, I tested 2.0.30 on amd64
>> and it works, unbreaking 2.0.29.
>
> Correction: logging with the relay used is actually implemented.
>
> After someone told me I could use tcpdump, I was able to investigate
> this further.
>
> /var/dnscrypt-proxy/query.log:
> [2019-10-30 18:57:03] 127.0.0.1 104.238.153.46.vultr.com A PASS 225ms scaleway-fr
> [2019-10-30 18:57:03] 127.0.0.1 104.238.153.46.vultr.com.my.domain A NXDOMAIN 180ms scaleway-fr
>
> /etc/dnscrypt-proxy.toml:
> server_names = ['scaleway-fr']
>
> routes = [
> { server_name='scaleway-fr', via=['anon-inconnu'] },
> ]
>
> scaleway-fr is in France. anon-inconnu, the relay, is in Seattle, WA.
>
> With routes turned off, I was using scaleway-fr.
> # tcpdump -i re0
> 18:43:36.615199 192.168.1.5.18818 > scaleway-fr.dnscrypt.info.443: udp 512
>
> With routes turned on, I was instead using anon-inconnu.
> # tcpdump -i re0
> 18:59:00.926864 192.168.1.5.10477 > 104.238.153.46.vultr.com.443: udp 540
> 18:59:01.096732 104.238.153.46.vultr.com.443 > 192.168.1.5.10477: udp 304 [tos 0x20]
>
> Finally, there is no DNS over HTTPS (DoH) relay yet
> (https://github.com/DNSCrypt/dnscrypt-proxy/issues/993). This explains
> the behavior in my original e-mail. Google and Cloudflare are DoH
> servers, and tcpdump revealed that queries were sent directly to them.
>
> # Use servers implementing the DNSCrypt protocol
> dnscrypt_servers = true
>
> # Use servers implementing the DNS-over-HTTPS protocol
> doh_servers = false
>
> Anonymized DNS does not work with DoH servers and works with DNSCrypt
> servers.
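The quoted thread asks how to confirm from the logs that a relay was actually used, and ends with the finding that routes apply to DNSCrypt servers but not to DoH servers. The following is an added example, not part of the original mail and not dnscrypt-proxy's own code. It cross-references three inputs in the formats the thread shows: the start-up benchmark lines in /var/log/messages (which name each server's protocol), the routes table from dnscrypt-proxy.toml (supplied here as a Python dict rather than parsed from TOML), and query.log. Any query answered by a server that has a route but speaks DoH is flagged as sent direct, which is the google/cloudflare case above. The sample log lines are constructed; the "(DoH)" benchmark form and the "-" server field for cached answers are assumptions, not taken from the page.

```python
import re
from typing import Dict, Iterable, List, NamedTuple

# Benchmark line in syslog, as quoted in the thread:
#   "... dnscrypt-proxy[29789]: [cs-usil] OK (DNSCrypt) - rtt: 78ms"
# The "(DoH)" variant is assumed to have the same shape.
BENCH_RE = re.compile(
    r"\[(?P<name>[^\]]+)\] OK \((?P<proto>DNSCrypt|DoH)\) - rtt: (?P<rtt>\d+)ms"
)

# query.log line, format as shown in the thread:
#   "[2019-10-30 17:57:02] 127.0.0.1 openbsd.org A PASS 59ms cloudflare"
QUERY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) "
    r"(?P<result>\S+) (?P<rtt>\d+)ms (?P<server>\S+)$"
)


class Query(NamedTuple):
    ts: str
    client: str
    qname: str
    qtype: str
    result: str
    rtt_ms: int
    server: str


def parse_benchmark(lines: Iterable[str]) -> Dict[str, str]:
    """Map server name -> protocol from the benchmark lines in syslog."""
    protos: Dict[str, str] = {}
    for line in lines:
        m = BENCH_RE.search(line)
        if m:
            protos[m["name"]] = m["proto"]
    return protos


def parse_query_log(lines: Iterable[str]) -> List[Query]:
    """Parse query.log lines; lines that do not match the format are skipped."""
    out: List[Query] = []
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            out.append(Query(m["ts"], m["client"], m["qname"], m["qtype"],
                             m["result"], int(m["rtt"]), m["server"]))
    return out


def classify(q: Query, routes: Dict[str, List[str]], protos: Dict[str, str]) -> str:
    """Decide whether a query could have gone through a configured relay.

    routes: server_name -> relay names, i.e. the routes table from
    dnscrypt-proxy.toml; protos: the output of parse_benchmark().
    """
    if q.server == "-":  # assumed: cached answers carry no server name
        return "cached"
    if q.server not in routes:
        return "direct (no route configured)"
    proto = protos.get(q.server)
    if proto == "DNSCrypt":
        return "relayed via " + ",".join(routes[q.server])
    if proto == "DoH":
        # The thread's finding: routes do not apply to DoH servers.
        return "direct (route ignored: DoH server)"
    return "unknown (server not seen in benchmark)"


def audit(query_lines: Iterable[str], bench_lines: Iterable[str],
          routes: Dict[str, List[str]]) -> Dict[str, int]:
    """Count queries per classification for a quick relay-usage audit."""
    protos = parse_benchmark(bench_lines)
    counts: Dict[str, int] = {}
    for q in parse_query_log(query_lines):
        label = classify(q, routes, protos)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample data in the formats shown in the thread.
SAMPLE_SYSLOG = [
    "Oct 31 12:34:55 dust2 dnscrypt-proxy[29789]: [scaleway-fr] OK (DNSCrypt) - rtt: 78ms",
    "Oct 31 12:34:56 dust2 dnscrypt-proxy[29789]: [cloudflare] OK (DoH) - rtt: 12ms",
    "Oct 31 12:35:00 dust2 dnscrypt-proxy[29789]: [cs-nl2] OK (DNSCrypt) - rtt: 155ms",
]
SAMPLE_ROUTES = {
    "scaleway-fr": ["anon-inconnu"],
    "cloudflare": ["anon-kama", "anon-scaleway"],
    "google": ["anon-kama", "anon-scaleway"],
}
SAMPLE_QUERIES = [
    "[2019-10-30 18:57:03] 127.0.0.1 openbsd.org A PASS 225ms scaleway-fr",
    "[2019-10-30 18:57:04] 127.0.0.1 openbsd.org A PASS 59ms cloudflare",
    "[2019-10-30 18:57:05] 127.0.0.1 example.com AAAA PASS 160ms cs-nl2",
    "[2019-10-30 18:57:06] 127.0.0.1 example.net A NXDOMAIN 180ms google",
    "[2019-10-30 18:57:07] 127.0.0.1 openbsd.org A PASS 0ms -",
]

if __name__ == "__main__":
    for label, n in sorted(audit(SAMPLE_QUERIES, SAMPLE_SYSLOG, SAMPLE_ROUTES).items()):
        print(f"{n:4d}  {label}")
```

Run against a real /var/log/messages and query.log, the "direct (route ignored: DoH server)" bucket is the one to watch: a non-zero count means a server you expected to reach through a relay is being contacted directly, which the tcpdump capture in the thread confirmed independently.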

Index: Makefile
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/Makefile,v
retrieving revision 1.45
diff -u -p -u -p -r1.45 Makefile
--- Makefile 15 Oct 2019 04:18:20 -0000 1.45
+++ Makefile 31 Oct 2019 19:50:28 -0000
@@ -4,7 +4,7 @@ COMMENT = flexible DNS proxy with suppor

GH_ACCOUNT = jedisct1
GH_PROJECT = dnscrypt-proxy
-GH_TAGNAME = 2.0.28
+GH_TAGNAME = 2.0.31

CATEGORIES = net
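Review bot: GH_ACCOUNT stays jedisct1 while the release URL cited at the top of the mail is github.com/DNSCrypt/dnscrypt-proxy; GitHub redirects a renamed owner, but distfile fetching should not depend on that, so confirm whether the project has moved and update GH_ACCOUNT if it has. Note also that GH_TAGNAME jumps 2.0.28 -> 2.0.31, i.e. this diff is against the committed revision 1.45 and supersedes the earlier 2.0.30 diff rather than building on it.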

Index: distinfo
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/distinfo,v
retrieving revision 1.21
diff -u -p -u -p -r1.21 distinfo
--- distinfo 15 Oct 2019 04:18:20 -0000 1.21
+++ distinfo 31 Oct 2019 19:50:28 -0000
@@ -1,2 +1,2 @@
-SHA256 (dnscrypt-proxy-2.0.28.tar.gz) = K6KDQ97RUjPGnCNTzOFZqyrU5+troBjK9JXh5dMz2G0=
-SIZE (dnscrypt-proxy-2.0.28.tar.gz) = 2620245
+SHA256 (dnscrypt-proxy-2.0.31.tar.gz) = tdF65WhW5Xl7WdhivMsDj/iRrAvxWVNOmpN7DwzDV3c=
+SIZE (dnscrypt-proxy-2.0.31.tar.gz) = 2640523
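Review bot: both checksum lines are replaced, as expected for a distfile regenerated with make makesum; since the update skips two releases, the committer should fetch the 2.0.31 tag independently and confirm this SHA256 and SIZE match before committing, as the hash is the only thing tying the port to the release linked in the mail.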
Index: patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml,v
retrieving revision 1.6
diff -u -p -u -p -r1.6 patch-dnscrypt-proxy_example-dnscrypt-proxy_toml
--- patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml 15 Oct 2019 04:18:20 -0000 1.6
+++ patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml 31 Oct 2019 19:50:28 -0000
@@ -12,7 +12,7 @@ Index: dnscrypt-proxy/example-dnscrypt-p


## Require servers (from static + remote sources) to satisfy specific properties
-@@ -525,7 +525,7 @@ cache_neg_max_ttl = 600
+@@ -537,7 +537,7 @@ cache_neg_max_ttl = 600

[sources.'public-resolvers']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
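Review bot: only the embedded hunk offset changes here (-525 -> -537), which is what make update-patches produces after the upstream example toml grew; nothing to fix, just confirm the patch still applies without fuzz against the 2.0.31 example-dnscrypt-proxy.toml.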
@@ -21,3 +21,12 @@ Index: dnscrypt-proxy/example-dnscrypt-p
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
prefix = ''

+@@ -545,7 +545,7 @@ cache_neg_max_ttl = 600
+
+ [sources.'relays']
+ urls = ['https://github.com/DNSCrypt/dnscrypt-resolvers/raw/master/v2/relays.md', 'https://download.dnscrypt.info/resolvers-list/v2/relays.md']
+- cache_file = 'relays.md'
++ cache_file = '${LOCALSTATEDIR}/dnscrypt-proxy/relays.md'
+ minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+ refresh_delay = 72
+ prefix = ''
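Review bot: the new embedded hunk relocates the relays cache file to ${LOCALSTATEDIR}/dnscrypt-proxy/relays.md, but this diff (against Makefile 1.45 and distinfo 1.21) carries no pkg/PLIST change, so either relays.md is already covered by the committed PLIST or an entry is missing; please confirm. The earlier quoted mail says the file "is populated after an initial run", so the directory must also be writable by the _dnscrypt-proxy user, the same requirement the thread hit with the chown for query.log.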
