+ DNS: "port_dns_over_quic" setting

This commit is contained in:
Simon Zolin 2020-08-27 15:03:07 +03:00
parent 07b6cc24b7
commit d53e32259a
8 changed files with 40 additions and 9 deletions

View File

@ -743,6 +743,7 @@ Response:
"server_name":"...",
"port_https":443,
"port_dns_over_tls":853,
"port_dns_over_quic":784,
"certificate_chain":"...",
"private_key":"...",
"certificate_path":"...",
@ -774,6 +775,7 @@ Request:
"force_https":false,
"port_https":443,
"port_dns_over_tls":853,
"port_dns_over_quic":784,
"certificate_chain":"...",
"private_key":"...",
"certificate_path":"...", // if set, certificate_chain must be empty

View File

@ -92,6 +92,7 @@ type FilteringConfig struct {
// TLSConfig is the TLS configuration for HTTPS, DNS-over-HTTPS, and DNS-over-TLS
type TLSConfig struct {
TLSListenAddr *net.TCPAddr `yaml:"-" json:"-"`
QUICListenAddr *net.UDPAddr `yaml:"-" json:"-"`
StrictSNICheck bool `yaml:"strict_sni_check" json:"-"` // Reject connection if the client uses server name (in SNI) that doesn't match the certificate
CertificateChain string `yaml:"certificate_chain" json:"certificate_chain"` // PEM-encoded certificates chain
@ -153,6 +154,10 @@ func (s *Server) createProxyConfig() (proxy.Config, error) {
MaxGoroutines: int(s.conf.MaxGoroutines),
}
if s.conf.QUICListenAddr != nil {
proxyConfig.QUICListenAddr = []*net.UDPAddr{s.conf.QUICListenAddr}
}
if s.conf.CacheSize != 0 {
proxyConfig.CacheEnabled = true
proxyConfig.CacheSizeBytes = int(s.conf.CacheSize)

View File

@ -270,7 +270,7 @@ func ValidateUpstreams(upstreams []string) error {
return nil
}
var protocols = []string{"tls://", "https://", "tcp://", "sdns://"}
var protocols = []string{"tls://", "https://", "tcp://", "sdns://", "quic://"}
func validateUpstream(u string) (bool, error) {
// Check if user tries to specify upstream for domain

View File

@ -97,6 +97,7 @@ type tlsConfigSettings struct {
ForceHTTPS bool `yaml:"force_https" json:"force_https,omitempty"` // ForceHTTPS: if true, forces HTTP->HTTPS redirect
PortHTTPS int `yaml:"port_https" json:"port_https,omitempty"` // HTTPS port. If 0, HTTPS will be disabled
PortDNSOverTLS int `yaml:"port_dns_over_tls" json:"port_dns_over_tls,omitempty"` // DNS-over-TLS port. If 0, DOT will be disabled
PortDNSOverQUIC uint16 `yaml:"port_dns_over_quic" json:"port_dns_over_quic,omitempty"` // DNS-over-QUIC port. If 0, DoQ will be disabled
// Allow DOH queries via unencrypted HTTP (e.g. for reverse proxying)
AllowUnencryptedDOH bool `yaml:"allow_unencrypted_doh" json:"allow_unencrypted_doh"`
@ -126,6 +127,7 @@ var config = configuration{
TLS: tlsConfigSettings{
PortHTTPS: 443,
PortDNSOverTLS: 853, // needs to be passed through to dnsproxy
PortDNSOverQUIC: 784,
},
logSettings: logSettings{
LogCompress: false,

View File

@ -99,7 +99,9 @@ func getVersionResp(info update.VersionInfo) []byte {
Context.tls.WriteDiskConfig(&tlsConf)
if runtime.GOOS != "windows" &&
((tlsConf.Enabled && (tlsConf.PortHTTPS < 1024 || tlsConf.PortDNSOverTLS < 1024)) ||
((tlsConf.Enabled && (tlsConf.PortHTTPS < 1024 ||
tlsConf.PortDNSOverTLS < 1024 ||
tlsConf.PortDNSOverQUIC < 1024)) ||
config.BindPort < 1024 ||
config.DNS.Port < 1024) {
// On UNIX, if we're running under a regular user,

View File

@ -172,12 +172,20 @@ func generateServerConfig() dnsforward.ServerConfig {
Context.tls.WriteDiskConfig(&tlsConf)
if tlsConf.Enabled {
newconfig.TLSConfig = tlsConf.TLSConfig
if tlsConf.PortDNSOverTLS != 0 {
newconfig.TLSListenAddr = &net.TCPAddr{
IP: net.ParseIP(config.DNS.BindHost),
Port: tlsConf.PortDNSOverTLS,
}
}
if tlsConf.PortDNSOverQUIC != 0 {
newconfig.QUICListenAddr = &net.UDPAddr{
IP: net.ParseIP(config.DNS.BindHost),
Port: int(tlsConf.PortDNSOverQUIC),
}
}
}
newconfig.TLSv12Roots = Context.tlsRoots
newconfig.TLSCiphers = Context.tlsCiphers
@ -225,6 +233,11 @@ func getDNSAddresses() []string {
addr := fmt.Sprintf("tls://%s:%d", tlsConf.ServerName, tlsConf.PortDNSOverTLS)
dnsAddresses = append(dnsAddresses, addr)
}
if tlsConf.PortDNSOverQUIC != 0 {
addr := fmt.Sprintf("quic://%s:%d", tlsConf.ServerName, tlsConf.PortDNSOverQUIC)
dnsAddresses = append(dnsAddresses, addr)
}
}
return dnsAddresses

View File

@ -45,6 +45,7 @@ func tlsCreate(conf tlsConfigSettings) *TLSMod {
ServerName: conf.ServerName,
PortHTTPS: conf.PortHTTPS,
PortDNSOverTLS: conf.PortDNSOverTLS,
PortDNSOverQUIC: conf.PortDNSOverQUIC,
AllowUnencryptedDOH: conf.AllowUnencryptedDOH,
}}
}
@ -267,6 +268,7 @@ func (t *TLSMod) handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
t.conf.ForceHTTPS = data.ForceHTTPS
t.conf.PortHTTPS = data.PortHTTPS
t.conf.PortDNSOverTLS = data.PortDNSOverTLS
t.conf.PortDNSOverQUIC = data.PortDNSOverQUIC
t.conf.CertificateChain = data.CertificateChain
t.conf.CertificatePath = data.CertificatePath
t.conf.CertificateChainData = data.CertificateChainData

View File

@ -1563,6 +1563,11 @@ components:
format: int32
example: 853
description: DNS-over-TLS port. If 0, DOT will be disabled.
port_dns_over_quic:
type: integer
format: int32
example: 784
description: DNS-over-QUIC port. If 0, DOQ will be disabled.
certificate_chain:
type: string
description: Base64 string with PEM-encoded certificates chain