Merge branch 'master' of github.com:DNSCrypt/dnscrypt-proxy

Author: Gedsh

ChangeLog

@@ -1,3 +1,24 @@
+# Version 2.1.14 (not released yet)
+
+# Version 2.1.13
+ - Fixed race conditions in WebSocket handling for the monitoring dashboard,
+improving stability and preventing potential crashes.
+ - Manual configuration reload via SIGHUP is now supported regardless of the
+hot-reload setting, providing more flexibility for system administrators.
+ - Fixed a regression in IP prefix matching for allow/block lists that could
+cause incorrect filtering behavior.
+ - The monitoring dashboard now properly displays blocked queries counter and
+tracks blocked queries in the UI.
+ - Improved error handling in the cache plugin initialization.
+ - Enhanced the forward plugin to return the last valid response when
+encountering only errors, improving resilience.
+ - Fixed various UI issues including scrolling behavior, WebSocket reconnection
+handling, and response time calculations.
+ - Updated the example configuration with current Quad9 source URLs.
+ - The generate-domains-blocklist script now handles poor network conditions
+more gracefully.
+ - Improved handling of DNS64 trampoline queries to prevent potential issues.
+
 # Version 2.1.12
  - A new Weighted Power of Two (WP2) load balancing strategy has been
 implemented as the default, providing improved distribution across resolvers.

dnscrypt-proxy/common.go

@@ -4,12 +4,18 @@ import (
 	"bytes"
 	"encoding/binary"
 	"errors"
+	"fmt"
+	"io"
 	"net"
 	"os"
 	"strconv"
 	"strings"
 	"sync"
+	"time"
 	"unicode"
+
+	iradix "github.com/hashicorp/go-immutable-radix"
+	"github.com/jedisct1/dlog"
 )
 
 type CryptoConstruction uint16
@@ -171,3 +177,151 @@ func ReadTextFile(filename string) (string, error) {
 }
 
 func isDigit(b byte) bool { return b >= '0' && b <= '9' }
+
+// ExtractClientIPStr extracts client IP string from pluginsState based on protocol
+func ExtractClientIPStr(pluginsState *PluginsState) (string, bool) {
+	switch pluginsState.clientProto {
+	case "udp":
+		return (*pluginsState.clientAddr).(*net.UDPAddr).IP.String(), true
+	case "tcp", "local_doh":
+		return (*pluginsState.clientAddr).(*net.TCPAddr).IP.String(), true
+	default:
+		return "", false
+	}
+}
+
+// FormatLogLine formats a log line based on the specified format (tsv or ltsv)
+func FormatLogLine(format, clientIP, qName, reason string, additionalFields ...string) (string, error) {
+	if format == "tsv" {
+		now := time.Now()
+		year, month, day := now.Date()
+		hour, minute, second := now.Clock()
+		tsStr := fmt.Sprintf("[%d-%02d-%02d %02d:%02d:%02d]", year, int(month), day, hour, minute, second)
+
+		line := fmt.Sprintf("%s\t%s\t%s\t%s", tsStr, clientIP, StringQuote(qName), StringQuote(reason))
+		for _, field := range additionalFields {
+			line += fmt.Sprintf("\t%s", StringQuote(field))
+		}
+		return line + "\n", nil
+	} else if format == "ltsv" {
+		line := fmt.Sprintf("time:%d\thost:%s\tqname:%s\tmessage:%s", time.Now().Unix(), clientIP, StringQuote(qName), StringQuote(reason))
+
+		// For LTSV format, additional fields are added with specific labels
+		for i, field := range additionalFields {
+			if i == 0 {
+				line += fmt.Sprintf("\tip:%s", StringQuote(field))
+			} else {
+				line += fmt.Sprintf("\tfield%d:%s", i, StringQuote(field))
+			}
+		}
+		return line + "\n", nil
+	}
+	return "", fmt.Errorf("unexpected log format: [%s]", format)
+}
+
+// WritePluginLog writes a log entry for plugin actions
+func WritePluginLog(logger io.Writer, format, clientIP, qName, reason string, additionalFields ...string) error {
+	if logger == nil {
+		return errors.New("Log file not initialized")
+	}
+
+	line, err := FormatLogLine(format, clientIP, qName, reason, additionalFields...)
+	if err != nil {
+		return err
+	}
+
+	_, err = logger.Write([]byte(line))
+	return err
+}
+
+// ParseTimeBasedRule parses a rule line that may contain time-based restrictions (@timerange)
+func ParseTimeBasedRule(line string, lineNo int, allWeeklyRanges *map[string]WeeklyRanges) (rulePart string, weeklyRanges *WeeklyRanges, err error) {
+	parts := strings.Split(line, "@")
+	timeRangeName := ""
+
+	if len(parts) == 2 {
+		rulePart = strings.TrimSpace(parts[0])
+		timeRangeName = strings.TrimSpace(parts[1])
+	} else if len(parts) > 2 {
+		return "", nil, fmt.Errorf("syntax error at line %d -- Unexpected @ character", 1+lineNo)
+	} else {
+		rulePart = line
+	}
+
+	if len(timeRangeName) > 0 {
+		if weeklyRangesX, ok := (*allWeeklyRanges)[timeRangeName]; ok {
+			weeklyRanges = &weeklyRangesX
+		} else {
+			return "", nil, fmt.Errorf("time range [%s] not found at line %d", timeRangeName, 1+lineNo)
+		}
+	}
+
+	return rulePart, weeklyRanges, nil
+}
+
+// ParseIPRule parses and validates an IP rule line
+func ParseIPRule(line string, lineNo int) (cleanLine string, trailingStar bool, err error) {
+	ip := net.ParseIP(line)
+	trailingStar = strings.HasSuffix(line, "*")
+
+	if len(line) < 2 || (ip != nil && trailingStar) {
+		return "", false, fmt.Errorf("suspicious IP rule [%s] at line %d", line, lineNo)
+	}
+
+	cleanLine = line
+	if trailingStar {
+		cleanLine = cleanLine[:len(cleanLine)-1]
+	}
+	if strings.HasSuffix(cleanLine, ":") || strings.HasSuffix(cleanLine, ".") {
+		cleanLine = cleanLine[:len(cleanLine)-1]
+	}
+	if len(cleanLine) == 0 {
+		return "", false, fmt.Errorf("empty IP rule at line %d", lineNo)
+	}
+	if strings.Contains(cleanLine, "*") {
+		return "", false, fmt.Errorf("invalid rule: [%s] - wildcards can only be used as a suffix at line %d", line, lineNo)
+	}
+
+	return strings.ToLower(cleanLine), trailingStar, nil
+}
+
+// ProcessConfigLines processes configuration file lines, calling the processor function for each non-empty line
+func ProcessConfigLines(lines string, processor func(line string, lineNo int) error) error {
+	for lineNo, line := range strings.Split(lines, "\n") {
+		line = TrimAndStripInlineComments(line)
+		if len(line) == 0 {
+			continue
+		}
+		if err := processor(line, lineNo); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// LoadIPRules loads IP rules from text lines into radix tree and map structures
+func LoadIPRules(lines string, prefixes *iradix.Tree, ips map[string]interface{}) (*iradix.Tree, error) {
+	err := ProcessConfigLines(lines, func(line string, lineNo int) error {
+		cleanLine, trailingStar, lineErr := ParseIPRule(line, lineNo)
+		if lineErr != nil {
+			dlog.Error(lineErr)
+			return nil // Continue processing (matching existing behavior)
+		}
+
+		if trailingStar {
+			prefixes, _, _ = prefixes.Insert([]byte(cleanLine), 0)
+		} else {
+			ips[cleanLine] = true
+		}
+		return nil
+	})
+	return prefixes, err
+}
+
+// InitializePluginLogger initializes a logger for a plugin if the log file is configured
+func InitializePluginLogger(logFile, format string, maxSize, maxAge, maxBackups int) (io.Writer, string) {
+	if len(logFile) > 0 {
+		return Logger(maxSize, maxAge, maxBackups, logFile), format
+	}
+	return nil, ""
+}

dnscrypt-proxy/config.go

@@ -461,7 +461,7 @@ func ConfigLoad(proxy *Proxy, flags *ConfigFlags) error {
 	if len(proxy.userName) > 0 && !proxy.child {
 		proxy.dropPrivilege(proxy.userName, FileDescriptors)
 		return errors.New(
-			"Dropping privileges is not supporting on this operating system. Unset `user_name` in the configuration file",
+			"Dropping privileges is not supported on this operating system. Unset `user_name` in the configuration file",
 		)
 	}
 
@@ -471,7 +471,7 @@ func ConfigLoad(proxy *Proxy, flags *ConfigFlags) error {
 			return err
 		}
 		if len(proxy.registeredServers) == 0 {
-			return errors.New("None of the servers listed in the server_names list was found in the configured sources.")
+			return errors.New("None of the servers listed in the server_names list were found in the configured sources.")
 		}
 	}
 

dnscrypt-proxy/example-allowed-names.txt

@@ -7,13 +7,14 @@
 ##
 ## Example of valid patterns:
 ##
-## ads.*         | matches anything with an "ads." prefix
-## *.example.com | matches example.com and all names within that zone such as www.example.com
-## example.com   | identical to the above
-## =example.com  | allows example.com but not *.example.com
-## *sex*         | matches any name containing that substring
-## ads[0-9]*     | matches "ads" followed by one or more digits
-## ads*.example* | *, ? and [] can be used anywhere, but prefixes/suffixes are faster
+## ads.*                    | matches anything with an "ads." prefix
+## *.example.com            | matches example.com and all names within that zone such as www.example.com
+## example.com              | identical to the above
+## =example.com             | allows example.com but not *.example.com
+## [a-z0-9\-_]*.example.com | allows *.example.com but not example.com
+## *sex*                    | matches any name containing that substring
+## ads[0-9]*                | matches "ads" followed by one or more digits
+## ads*.example*            | *, ? and [] can be used anywhere, but prefixes/suffixes are faster
 
 
 # That one may be blocked due to 'tracker' being in the name.

dnscrypt-proxy/example-blocked-names.txt

@@ -7,13 +7,14 @@
 ##
 ## Example of valid patterns:
 ##
-## ads.*         | matches anything with an "ads." prefix
-## *.example.com | matches example.com and all names within that zone such as www.example.com
-## example.com   | identical to the above
-## =example.com  | block example.com but not *.example.com
-## *sex*         | matches any name containing that substring
-## ads[0-9]*     | matches "ads" followed by one or more digits
-## ads*.example* | *, ? and [] can be used anywhere, but prefixes/suffixes are faster
+## ads.*                    | matches anything with an "ads." prefix
+## *.example.com            | matches example.com and all names within that zone such as www.example.com
+## example.com              | identical to the above
+## =example.com             | blocks example.com but not *.example.com
+## [a-z0-9\-_]*.example.com | blocks *.example.com but not example.com
+## *sex*                    | matches any name containing that substring
+## ads[0-9]*                | matches "ads" followed by one or more digits
+## ads*.example*            | *, ? and [] can be used anywhere, but prefixes/suffixes are faster
 
 ad.*
 ads.*

dnscrypt-proxy/example-dnscrypt-proxy.toml

@@ -346,7 +346,7 @@ bootstrap_resolvers = ['9.9.9.11:53', '8.8.8.8:53']
 ##   to the system DNS
 ##
 ## (*) this is incompatible with systemd sockets.
-## `listen_addrs` must not be empty.
+## `listen_addresses` must not be empty.
 
 ignore_system_dns = true
 
@@ -790,7 +790,7 @@ prefix = ''
 ### Quad9
 
 # [sources.quad9-resolvers]
-#   urls = ['https://www.quad9.net/quad9-resolvers.md']
+#   urls = ['https://quad9.net/dnscrypt/quad9-resolvers.md', 'https://raw.githubusercontent.com/Quad9DNS/dnscrypt-settings/main/dnscrypt/quad9-resolvers.md']
 #   minisign_key = 'RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN'
 #   cache_file = 'quad9-resolvers.md'
 #   prefix = 'quad9-'
@@ -851,7 +851,7 @@ fragments_blocked = [
 
 [doh_client_x509_auth]
 
-## Use a X509 certificate to authenticate yourself when connecting to DoH servers.
+## Use an X509 certificate to authenticate yourself when connecting to DoH servers.
 ## This is only useful if you are operating your own, private DoH server(s).
 ## 'creds' maps servers to certificates, and supports multiple entries.
 ## If you are not using the standard root CA, an optional "root_ca"

dnscrypt-proxy/hot_reload.go

@@ -1,45 +1,46 @@
 package main
 
 import (
-	"os"
-	"os/signal"
-	"syscall"
-
 	"github.com/jedisct1/dlog"
 )
 
 // InitHotReload sets up hot-reloading for configuration files
 func (proxy *Proxy) InitHotReload() error {
-	// Check if hot reload is enabled
-	if !proxy.enableHotReload {
+	// Check if hot reload is enabled and platform has SIGHUP
+	if !proxy.enableHotReload && !HasSIGHUP {
 		dlog.Notice("Hot reload is disabled")
 		return nil
 	}
 
-	dlog.Notice("Hot reload is enabled")
-
-	// Create a new configuration watcher
-	configWatcher := NewConfigWatcher(1000) // Check every second
-
 	// Find plugins that support hot-reloading
 	plugins := []Plugin{}
 
 	// Add query plugins
 	proxy.pluginsGlobals.RLock()
 	if proxy.pluginsGlobals.queryPlugins != nil {
-		for _, plugin := range *proxy.pluginsGlobals.queryPlugins {
-			plugins = append(plugins, plugin)
-		}
+		plugins = append(plugins, *proxy.pluginsGlobals.queryPlugins...)
 	}
 
 	// Add response plugins
 	if proxy.pluginsGlobals.responsePlugins != nil {
-		for _, plugin := range *proxy.pluginsGlobals.responsePlugins {
-			plugins = append(plugins, plugin)
-		}
+		plugins = append(plugins, *proxy.pluginsGlobals.responsePlugins...)
 	}
 	proxy.pluginsGlobals.RUnlock()
 
+	// Setup SIGHUP handler for manual reload
+	setupSignalHandler(proxy, plugins)
+
+	// Check if hot reload is enabled
+	if !proxy.enableHotReload {
+		dlog.Notice("Hot reload is disabled")
+		return nil
+	}
+
+	dlog.Notice("Hot reload is enabled")
+
+	// Create a new configuration watcher
+	configWatcher := NewConfigWatcher(1000) // Check every second
+
 	// Register plugins for config watching
 	for _, plugin := range plugins {
 		switch p := plugin.(type) {
@@ -100,32 +101,5 @@ func (proxy *Proxy) InitHotReload() error {
 		}
 	}
 
-	// Setup SIGHUP handler for manual reload
-	setupSignalHandler(proxy, plugins)
-
 	return nil
 }
-
-// setupSignalHandler sets up a SIGHUP handler to manually trigger reloads
-func setupSignalHandler(proxy *Proxy, plugins []Plugin) {
-	sigChan := make(chan os.Signal, 1)
-	signal.Notify(sigChan, syscall.SIGHUP)
-
-	go func() {
-		for {
-			sig := <-sigChan
-			if sig == syscall.SIGHUP {
-				dlog.Notice("Received SIGHUP signal, reloading configurations")
-
-				// Reload each plugin that supports hot-reloading
-				for _, plugin := range plugins {
-					if err := plugin.Reload(); err != nil {
-						dlog.Errorf("Failed to reload plugin [%s]: %v", plugin.Name(), err)
-					} else {
-						dlog.Noticef("Successfully reloaded plugin [%s]", plugin.Name())
-					}
-				}
-			}
-		}
-	}()
-}

dnscrypt-proxy/main.go

@@ -15,7 +15,7 @@ import (
 )
 
 const (
-	AppVersion            = "2.1.12"
+	AppVersion            = "2.1.13"
 	DefaultConfigFileName = "dnscrypt-proxy.toml"
 )