Merge branch 'master' of github.com:DNSCrypt/dnscrypt-proxy

Author: Gedsh

.github/workflows/releases.yml

@@ -83,7 +83,7 @@ jobs:
           prerelease: false
 
       - name: Upload release assets
-        uses: softprops/action-gh-release@c43d7637b9b9ce3e953168c325d27253a5d48d8e
+        uses: softprops/action-gh-release@ab50eebb6488051c6788d97fa95232267c6a4e23
         if: startsWith(github.ref, 'refs/tags/')
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

ChangeLog

@@ -1,3 +1,21 @@
+# Version 2.1.8
+ - Dependencies have been updated, notably the QUIC implementation,
+which could be vulnerable to denial-of-service attacks.
+ - In forwarding rules, the target can now optionally include a
+non-standard DNS port number. The port number is also now optional when
+using IPv6.
+ - An annoying log message related to permissions on Windows has been
+suppressed.
+ - Resolver IP addresses can now be refreshed more frequently.
+Additionally, jitter has been introduced to prevent all resolvers from
+being refreshed simultaneously. Further changes have been implemented
+to mitigate issues arising from multiple concurrent attempts to resolve
+a resolver's IP address.
+ - An empty value for "tls_cipher_suite" is now equivalent to leaving
+the property undefined. Previously, it disabled all TLS cipher suites,
+which had little practical justification.
+ - In forwarding rules, an optional `*.` prefix is now accepted.
+
 # Version 2.1.7
  - This version reintroduces support for XSalsa20 enryption in DNSCrypt,
 which was removed in 2.1.6. Unfortunately, a bunch of servers still

README.md

@@ -3,9 +3,6 @@
 [![Financial Contributors on Open Collective](https://opencollective.com/dnscrypt/all/badge.svg?label=financial+contributors)](https://opencollective.com/dnscrypt)
 [![DNSCrypt-Proxy Release](https://img.shields.io/github/release/dnscrypt/dnscrypt-proxy.svg?label=Latest%20Release&style=popout)](https://github.com/dnscrypt/dnscrypt-proxy/releases/latest)
 [![Build Status](https://github.com/DNSCrypt/dnscrypt-proxy/actions/workflows/releases.yml/badge.svg)](https://github.com/DNSCrypt/dnscrypt-proxy/actions/workflows/releases.yml)
-![CodeQL scan](https://github.com/DNSCrypt/dnscrypt-proxy/workflows/CodeQL%20scan/badge.svg)
-![ShiftLeft Scan](https://github.com/DNSCrypt/dnscrypt-proxy/workflows/ShiftLeft%20Scan/badge.svg)
-[![#dnscrypt-proxy:matrix.org](https://img.shields.io/matrix/dnscrypt-proxy:matrix.org.svg?label=DNSCrypt-Proxy%20Matrix%20Chat&server_fqdn=matrix.org&style=popout)](https://matrix.to/#/#dnscrypt-proxy:matrix.org)
 
 ## Overview
 

dnscrypt-proxy/coldstart.go

@@ -170,6 +170,12 @@ func ColdStart(proxy *Proxy) (*CaptivePortalHandler, error) {
 		if err != nil {
 			continue
 		}
+		if strings.Contains(ipsStr, "*") {
+			return nil, fmt.Errorf(
+				"A captive portal rule must use an exact host name at line %d",
+				1+lineNo,
+			)
+		}
 		var ips []net.IP
 		for _, ip := range strings.Split(ipsStr, ",") {
 			ipStr := strings.TrimSpace(ip)

dnscrypt-proxy/common.go

@@ -6,12 +6,9 @@ import (
 	"errors"
 	"net"
 	"os"
-	"path"
 	"strconv"
 	"strings"
 	"unicode"
-
-	"github.com/jedisct1/dlog"
 )
 
 type CryptoConstruction uint16
@@ -167,31 +164,3 @@ func ReadTextFile(filename string) (string, error) {
 }
 
 func isDigit(b byte) bool { return b >= '0' && b <= '9' }
-
-func maybeWritableByOtherUsers(p string) (bool, string, error) {
-	p = path.Clean(p)
-	for p != "/" && p != "." {
-		st, err := os.Stat(p)
-		if err != nil {
-			return false, p, err
-		}
-		mode := st.Mode()
-		if mode.Perm()&2 != 0 && !(st.IsDir() && mode&os.ModeSticky == os.ModeSticky) {
-			return true, p, nil
-		}
-		p = path.Dir(p)
-	}
-	return false, "", nil
-}
-
-func WarnIfMaybeWritableByOtherUsers(p string) {
-	if ok, px, err := maybeWritableByOtherUsers(p); ok {
-		if px == p {
-			dlog.Criticalf("[%s] is writable by other system users - If this is not intentional, it is recommended to fix the access permissions", p)
-		} else {
-			dlog.Warnf("[%s] can be modified by other system users because [%s] is writable by other users - If this is not intentional, it is recommended to fix the access permissions", p, px)
-		}
-	} else if err != nil {
-		dlog.Warnf("Error while checking if [%s] is accessible: [%s] : [%s]", p, px, err)
-	}
-}

dnscrypt-proxy/example-blocked-ips.txt

@@ -2,7 +2,8 @@
 #        IP blocklist        #
 ##############################
 
-## Rules for IP-based response blocking
+## Rules for blocking DNS responses if they contain
+## IP addresses matching patterns.
 ##
 ## Sample feeds of suspect IP addresses:
 ## - https://github.com/stamparm/ipsum

dnscrypt-proxy/example-dnscrypt-proxy.toml

@@ -221,11 +221,12 @@ cert_refresh_delay = 240
 ## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
 ##
 ## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
-## the following suite improves performance.
+## uncommenting the following line may improve performance.
 ## This may also help on Intel CPUs running 32-bit operating systems.
+## However, this can cause issues fetching sources or connecting to some HTTP servers,
+## and should not be set on regular CPUs.
 ##
-## Keep tls_cipher_suite empty if you have issues fetching sources or
-## connecting to some DoH servers.
+## Keep tls_cipher_suite undefined to let the app automatically choose secure parameters.
 
 # tls_cipher_suite = [52392, 49199]
 

dnscrypt-proxy/example-forwarding-rules.txt

@@ -36,7 +36,11 @@
 # example.com      9.9.9.9,8.8.8.8
 
 ## Forward queries to a resolver using IPv6
-# ipv6.example.com [2001:DB8::42]:53
+# ipv6.example.com [2001:DB8::42]
+
+## Forward to a non-standard port number
+# x.example.com    192.168.0.1:1053
+# y.example.com    [2001:DB8::42]:1053
 
 ## Forward queries for .onion names to a local Tor client
 ## Tor must be configured with the following in the torrc file:

dnscrypt-proxy/main.go

@@ -15,7 +15,7 @@ import (
 )
 
 const (
-	AppVersion            = "2.1.7"
+	AppVersion            = "2.1.8"
 	DefaultConfigFileName = "dnscrypt-proxy.toml"
 )
 

dnscrypt-proxy/permcheck_others.go

@@ -0,0 +1,7 @@
+//go:build !unix
+
+package main
+
+func WarnIfMaybeWritableByOtherUsers(p string) {
+	// No-op
+}