diff --git a/control.go b/control.go index 2674585c..0f8dcea5 100644 --- a/control.go +++ b/control.go @@ -12,6 +12,8 @@ import ( "strings" "time" + "github.com/AdguardTeam/dnsproxy/upstream" + "github.com/AdguardTeam/AdGuardHome/dnsforward" "github.com/miekg/dns" @@ -204,7 +206,7 @@ func handleTestUpstreamDNS(w http.ResponseWriter, r *http.Request) { func checkDNS(input string) error { log.Printf("Checking if DNS %s works...", input) - u, err := dnsforward.AddressToUpstream(input, "") + u, err := upstream.AddressToUpstream(input, "") if err != nil { return fmt.Errorf("Failed to choose upstream for %s: %s", input, err) } diff --git a/dns.go b/dns.go index 42894336..16ceceff 100644 --- a/dns.go +++ b/dns.go @@ -7,6 +7,7 @@ import ( "github.com/AdguardTeam/AdGuardHome/dnsfilter" "github.com/AdguardTeam/AdGuardHome/dnsforward" + "github.com/AdguardTeam/dnsproxy/upstream" "github.com/joomcode/errorx" ) @@ -37,7 +38,7 @@ func generateServerConfig() dnsforward.ServerConfig { } for _, u := range config.DNS.UpstreamDNS { - upstream, err := dnsforward.AddressToUpstream(u, config.DNS.BootstrapDNS) + upstream, err := upstream.AddressToUpstream(u, config.DNS.BootstrapDNS) if err != nil { log.Printf("Couldn't get upstream: %s", err) // continue, just ignore the upstream @@ -67,7 +68,8 @@ func reconfigureDNSServer() error { return fmt.Errorf("Refusing to reconfigure forwarding DNS server: not running") } - err := dnsServer.Reconfigure(generateServerConfig()) + config := generateServerConfig() + err := dnsServer.Reconfigure(&config) if err != nil { return errorx.Decorate(err, "Couldn't start forwarding DNS server") } diff --git a/dnsforward/bootstrap.go b/dnsforward/bootstrap.go deleted file mode 100644 index 2d263871..00000000 --- a/dnsforward/bootstrap.go +++ /dev/null @@ -1,107 +0,0 @@ -package dnsforward - -import ( - "context" - "crypto/tls" - "fmt" - "net" - "net/url" - "strings" - "sync" - - "github.com/joomcode/errorx" -) - -type bootstrapper struct { - address string // in form of "tls://one.one.one.one:853" - resolver *net.Resolver // resolver to use to resolve hostname, if neccessary - resolved string // in form "IP:port" - resolvedConfig *tls.Config - sync.Mutex -} - -func toBoot(address, bootstrapAddr string) bootstrapper { - var resolver *net.Resolver - if bootstrapAddr != "" { - resolver = &net.Resolver{ - PreferGo: true, - Dial: func(ctx context.Context, network, address string) (net.Conn, error) { - d := net.Dialer{} - return d.DialContext(ctx, network, bootstrapAddr) - }, - } - } - return bootstrapper{ - address: address, - resolver: resolver, - } -} - -// will get usable IP address from Address field, and caches the result -func (n *bootstrapper) get() (string, *tls.Config, error) { - // TODO: RLock() here but atomically upgrade to Lock() if fast path doesn't work - n.Lock() - if n.resolved != "" { // fast path - retval, tlsconfig := n.resolved, n.resolvedConfig - n.Unlock() - return retval, tlsconfig, nil - } - - // - // slow path - // - - defer n.Unlock() - - justHostPort := n.address - if strings.Contains(n.address, "://") { - url, err := url.Parse(n.address) - if err != nil { - return "", nil, errorx.Decorate(err, "Failed to parse %s", n.address) - } - - justHostPort = url.Host - } - - // convert host to IP if neccessary, we know that it's scheme://hostname:port/ - - // get a host without port - host, port, err := net.SplitHostPort(justHostPort) - if err != nil { - return "", nil, fmt.Errorf("bootstrapper requires port in address %s", n.address) - } - - // if it's an IP - ip := net.ParseIP(host) - if ip != nil { - n.resolved = justHostPort - return n.resolved, nil, nil - } - - // - // if it's a hostname - // - - resolver := n.resolver // no need to check for nil resolver -- documented that nil is default resolver - addrs, err := resolver.LookupIPAddr(context.TODO(), host) - if err != nil { - return "", nil, errorx.Decorate(err, "Failed to lookup %s", host) - } - for _, addr := range addrs { - // TODO: support ipv6, support multiple ipv4 - if addr.IP.To4() == nil { - continue - } - ip = addr.IP - break - } - - if ip == nil { - // couldn't find any suitable IP address - return "", nil, fmt.Errorf("Couldn't find any suitable IP address for host %s", host) - } - - n.resolved = net.JoinHostPort(ip.String(), port) - n.resolvedConfig = &tls.Config{ServerName: host} - return n.resolved, n.resolvedConfig, nil -} diff --git a/dnsforward/cache.go b/dnsforward/cache.go deleted file mode 100644 index 568f284c..00000000 --- a/dnsforward/cache.go +++ /dev/null @@ -1,225 +0,0 @@ -package dnsforward - -import ( - "encoding/binary" - "log" - "math" - "strings" - "sync" - "time" - - "github.com/miekg/dns" -) - -type item struct { - m *dns.Msg - when time.Time -} - -type cache struct { - items map[string]item - - sync.RWMutex -} - -func (c *cache) Get(request *dns.Msg) (*dns.Msg, bool) { - if request == nil { - return nil, false - } - ok, key := key(request) - if !ok { - log.Printf("Get(): key returned !ok") - return nil, false - } - - c.RLock() - item, ok := c.items[key] - c.RUnlock() - if !ok { - return nil, false - } - // get item's TTL - ttl := findLowestTTL(item.m) - // zero TTL? delete and don't serve it - if ttl == 0 { - c.Lock() - delete(c.items, key) - c.Unlock() - return nil, false - } - // too much time has passed? delete and don't serve it - if time.Since(item.when) >= time.Duration(ttl)*time.Second { - c.Lock() - delete(c.items, key) - c.Unlock() - return nil, false - } - response := item.fromItem(request) - return response, true -} - -func (c *cache) Set(m *dns.Msg) { - if m == nil { - return // no-op - } - if !isRequestCacheable(m) { - return - } - if !isResponseCacheable(m) { - return - } - ok, key := key(m) - if !ok { - return - } - - i := toItem(m) - - c.Lock() - if c.items == nil { - c.items = map[string]item{} - } - c.items[key] = i - c.Unlock() -} - -// check only request fields -func isRequestCacheable(m *dns.Msg) bool { - // truncated messages aren't valid - if m.Truncated { - log.Printf("Refusing to cache truncated message") - return false - } - - // if has wrong number of questions, also don't cache - if len(m.Question) != 1 { - log.Printf("Refusing to cache message with wrong number of questions") - return false - } - - // only OK or NXdomain replies are cached - switch m.Rcode { - case dns.RcodeSuccess: - case dns.RcodeNameError: // that's an NXDomain - case dns.RcodeServerFailure: - return false // quietly refuse, don't log - default: - log.Printf("%s: Refusing to cache message with rcode: %s", m.Question[0].Name, dns.RcodeToString[m.Rcode]) - return false - } - - return true -} - -func isResponseCacheable(m *dns.Msg) bool { - ttl := findLowestTTL(m) - if ttl == 0 { - return false - } - - return true -} - -func findLowestTTL(m *dns.Msg) uint32 { - var ttl uint32 = math.MaxUint32 - found := false - - if m.Answer != nil { - for _, r := range m.Answer { - if r.Header().Ttl < ttl { - ttl = r.Header().Ttl - found = true - } - } - } - - if m.Ns != nil { - for _, r := range m.Ns { - if r.Header().Ttl < ttl { - ttl = r.Header().Ttl - found = true - } - } - } - - if m.Extra != nil { - for _, r := range m.Extra { - if r.Header().Rrtype == dns.TypeOPT { - continue // OPT records use TTL for other purposes - } - if r.Header().Ttl < ttl { - ttl = r.Header().Ttl - found = true - } - } - } - - if found == false { - return 0 - } - - return ttl -} - -// key is binary little endian in sequence: -// uint16(qtype) then uint16(qclass) then name -func key(m *dns.Msg) (bool, string) { - if len(m.Question) != 1 { - log.Printf("got msg with len(m.Question) != 1: %d", len(m.Question)) - return false, "" - } - - bb := strings.Builder{} - b := make([]byte, 2) - binary.LittleEndian.PutUint16(b, m.Question[0].Qtype) - bb.Write(b) - binary.LittleEndian.PutUint16(b, m.Question[0].Qclass) - bb.Write(b) - name := strings.ToLower(m.Question[0].Name) - bb.WriteString(name) - return true, bb.String() -} - -func toItem(m *dns.Msg) item { - return item{ - m: m, - when: time.Now(), - } -} - -func (i *item) fromItem(request *dns.Msg) *dns.Msg { - response := &dns.Msg{} - response.SetReply(request) - - response.Authoritative = false - response.AuthenticatedData = i.m.AuthenticatedData - response.RecursionAvailable = i.m.RecursionAvailable - response.Rcode = i.m.Rcode - - ttl := findLowestTTL(i.m) - timeleft := math.Round(float64(ttl) - time.Since(i.when).Seconds()) - var newttl uint32 - if timeleft > 0 { - newttl = uint32(timeleft) - } - for _, r := range i.m.Answer { - answer := dns.Copy(r) - answer.Header().Ttl = newttl - response.Answer = append(response.Answer, answer) - } - for _, r := range i.m.Ns { - ns := dns.Copy(r) - ns.Header().Ttl = newttl - response.Ns = append(response.Ns, ns) - } - for _, r := range i.m.Extra { - // don't return OPT records as these are hop-by-hop - if r.Header().Rrtype == dns.TypeOPT { - continue - } - extra := dns.Copy(r) - extra.Header().Ttl = newttl - response.Extra = append(response.Extra, extra) - } - return response -} diff --git a/dnsforward/cache_test.go b/dnsforward/cache_test.go deleted file mode 100644 index c9f4577e..00000000 --- a/dnsforward/cache_test.go +++ /dev/null @@ -1,144 +0,0 @@ -package dnsforward - -import ( - "strings" - "testing" - - "github.com/go-test/deep" - "github.com/miekg/dns" -) - -func RR(rr string) dns.RR { - r, err := dns.NewRR(rr) - if err != nil { - panic(err) - } - return r -} - -// deepEqual is same as deep.Equal, except: -// * ignores Id when comparing -// * question names are not case sensetive -func deepEqualMsg(left *dns.Msg, right *dns.Msg) []string { - temp := *left - temp.Id = right.Id - for i := range left.Question { - left.Question[i].Name = strings.ToLower(left.Question[i].Name) - } - for i := range right.Question { - right.Question[i].Name = strings.ToLower(right.Question[i].Name) - } - return deep.Equal(&temp, right) -} - -func TestCacheSanity(t *testing.T) { - cache := cache{} - request := dns.Msg{} - request.SetQuestion("google.com.", dns.TypeA) - _, ok := cache.Get(&request) - if ok { - t.Fatal("empty cache replied with positive response") - } -} - -type tests struct { - cache []testEntry - cases []testCase -} - -type testEntry struct { - q string - t uint16 - a []dns.RR -} - -type testCase struct { - q string - t uint16 - a []dns.RR - ok bool -} - -func TestCache(t *testing.T) { - tests := tests{ - cache: []testEntry{ - {q: "google.com.", t: dns.TypeA, a: []dns.RR{RR("google.com. 3600 IN A 8.8.8.8")}}, - }, - cases: []testCase{ - {q: "google.com.", t: dns.TypeA, a: []dns.RR{RR("google.com. 3600 IN A 8.8.8.8")}, ok: true}, - {q: "google.com.", t: dns.TypeMX, ok: false}, - }, - } - runTests(t, tests) -} - -func TestCacheMixedCase(t *testing.T) { - tests := tests{ - cache: []testEntry{ - {q: "gOOgle.com.", t: dns.TypeA, a: []dns.RR{RR("google.com. 3600 IN A 8.8.8.8")}}, - }, - cases: []testCase{ - {q: "gOOgle.com.", t: dns.TypeA, a: []dns.RR{RR("google.com. 3600 IN A 8.8.8.8")}, ok: true}, - {q: "google.com.", t: dns.TypeA, a: []dns.RR{RR("google.com. 3600 IN A 8.8.8.8")}, ok: true}, - {q: "GOOGLE.COM.", t: dns.TypeA, a: []dns.RR{RR("google.com. 3600 IN A 8.8.8.8")}, ok: true}, - {q: "gOOgle.com.", t: dns.TypeMX, ok: false}, - {q: "google.com.", t: dns.TypeMX, ok: false}, - {q: "GOOGLE.COM.", t: dns.TypeMX, ok: false}, - }, - } - runTests(t, tests) -} - -func TestZeroTTL(t *testing.T) { - tests := tests{ - cache: []testEntry{ - {q: "gOOgle.com.", t: dns.TypeA, a: []dns.RR{RR("google.com. 0 IN A 8.8.8.8")}}, - }, - cases: []testCase{ - {q: "google.com.", t: dns.TypeA, ok: false}, - {q: "google.com.", t: dns.TypeA, ok: false}, - {q: "google.com.", t: dns.TypeA, ok: false}, - {q: "google.com.", t: dns.TypeMX, ok: false}, - {q: "google.com.", t: dns.TypeMX, ok: false}, - {q: "google.com.", t: dns.TypeMX, ok: false}, - }, - } - runTests(t, tests) -} - -func runTests(t *testing.T, tests tests) { - t.Helper() - cache := cache{} - for _, tc := range tests.cache { - reply := dns.Msg{} - reply.SetQuestion(tc.q, tc.t) - reply.Response = true - reply.Answer = tc.a - cache.Set(&reply) - } - for _, tc := range tests.cases { - request := dns.Msg{} - request.SetQuestion(tc.q, tc.t) - val, ok := cache.Get(&request) - if diff := deep.Equal(ok, tc.ok); diff != nil { - t.Error(diff) - } - if tc.a != nil { - if ok == false { - continue - } - reply := dns.Msg{} - reply.SetQuestion(tc.q, tc.t) - reply.Response = true - reply.Answer = tc.a - cache.Set(&reply) - if diff := deepEqualMsg(val, &reply); diff != nil { - t.Error(diff) - } else { - if diff := deep.Equal(val, reply); diff == nil { - t.Error("different message ID were not caught") - } - } - } - } -} diff --git a/dnsforward/dnsforward.go b/dnsforward/dnsforward.go index 5c21ae99..fb0f8012 100644 --- a/dnsforward/dnsforward.go +++ b/dnsforward/dnsforward.go @@ -1,18 +1,24 @@ package dnsforward import ( + "errors" "fmt" - "log" "net" - "reflect" "strings" "sync" "time" "github.com/AdguardTeam/AdGuardHome/dnsfilter" + "github.com/AdguardTeam/dnsproxy/proxy" + "github.com/AdguardTeam/dnsproxy/upstream" "github.com/joomcode/errorx" "github.com/miekg/dns" - gocache "github.com/patrickmn/go-cache" + log "github.com/sirupsen/logrus" +) + +const ( + safeBrowsingBlockHost = "standard-block.dns.adguard.com" + parentalBlockHost = "family-block.dns.adguard.com" ) // Server is the main way to start a DNS server. @@ -26,66 +32,18 @@ import ( // // The zero Server is empty and ready for use. type Server struct { - udpListen *net.UDPConn + dnsProxy *proxy.Proxy // DNS proxy instance - dnsFilter *dnsfilter.Dnsfilter - - cache cache - - ratelimitBuckets *gocache.Cache // where the ratelimiters are stored, per IP + dnsFilter *dnsfilter.Dnsfilter // DNS filter instance sync.RWMutex ServerConfig } -const ( - safeBrowsingBlockHost = "standard-block.dns.adguard.com" - parentalBlockHost = "family-block.dns.adguard.com" -) - -// uncomment this block to have tracing of locks -/* -func (s *Server) Lock() { - pc := make([]uintptr, 10) // at least 1 entry needed - runtime.Callers(2, pc) - f := runtime.FuncForPC(pc[0]) - file, line := f.FileLine(pc[0]) - fmt.Fprintf(os.Stderr, "%s:%d %s() -> Lock() -> in progress\n", path.Base(file), line, path.Base(f.Name())) - s.RWMutex.Lock() - fmt.Fprintf(os.Stderr, "%s:%d %s() -> Lock() -> done\n", path.Base(file), line, path.Base(f.Name())) -} -func (s *Server) RLock() { - pc := make([]uintptr, 10) // at least 1 entry needed - runtime.Callers(2, pc) - f := runtime.FuncForPC(pc[0]) - file, line := f.FileLine(pc[0]) - fmt.Fprintf(os.Stderr, "%s:%d %s() -> RLock() -> in progress\n", path.Base(file), line, path.Base(f.Name())) - s.RWMutex.RLock() - fmt.Fprintf(os.Stderr, "%s:%d %s() -> RLock() -> done\n", path.Base(file), line, path.Base(f.Name())) -} -func (s *Server) Unlock() { - pc := make([]uintptr, 10) // at least 1 entry needed - runtime.Callers(2, pc) - f := runtime.FuncForPC(pc[0]) - file, line := f.FileLine(pc[0]) - fmt.Fprintf(os.Stderr, "%s:%d %s() -> Unlock() -> in progress\n", path.Base(file), line, path.Base(f.Name())) - s.RWMutex.Unlock() - fmt.Fprintf(os.Stderr, "%s:%d %s() -> Unlock() -> done\n", path.Base(file), line, path.Base(f.Name())) -} -func (s *Server) RUnlock() { - pc := make([]uintptr, 10) // at least 1 entry needed - runtime.Callers(2, pc) - f := runtime.FuncForPC(pc[0]) - file, line := f.FileLine(pc[0]) - fmt.Fprintf(os.Stderr, "%s:%d %s() -> RUnlock() -> in progress\n", path.Base(file), line, path.Base(f.Name())) - s.RWMutex.RUnlock() - fmt.Fprintf(os.Stderr, "%s:%d %s() -> RUnlock() -> done\n", path.Base(file), line, path.Base(f.Name())) -} -*/ - +// FilteringConfig represents the DNS filtering configuration of AdGuard Home type FilteringConfig struct { - ProtectionEnabled bool `yaml:"protection_enabled"` - FilteringEnabled bool `yaml:"filtering_enabled"` + ProtectionEnabled bool `yaml:"protection_enabled"` // whether or not use any of dnsfilter features + FilteringEnabled bool `yaml:"filtering_enabled"` // whether or not use filter lists BlockedResponseTTL uint32 `yaml:"blocked_response_ttl"` // if 0, then default is used (3600) QueryLogEnabled bool `yaml:"querylog_enabled"` Ratelimit int `yaml:"ratelimit"` @@ -96,11 +54,12 @@ type FilteringConfig struct { dnsfilter.Config `yaml:",inline"` } +// ServerConfig represents server configuration. // The zero ServerConfig is empty and ready for use. type ServerConfig struct { - UDPListenAddr *net.UDPAddr // if nil, then default is is used (port 53 on *) - Upstreams []Upstream - Filters []dnsfilter.Filter + UDPListenAddr *net.UDPAddr // UDP listen address + Upstreams []upstream.Upstream // Configured upstreams + Filters []dnsfilter.Filter // A list of filters to use FilteringConfig } @@ -109,103 +68,47 @@ type ServerConfig struct { var defaultValues = ServerConfig{ UDPListenAddr: &net.UDPAddr{Port: 53}, FilteringConfig: FilteringConfig{BlockedResponseTTL: 3600}, - Upstreams: []Upstream{ - //// dns over HTTPS - // &dnsOverHTTPS{boot: toBoot("https://1.1.1.1/dns-query", "")}, - // &dnsOverHTTPS{boot: toBoot("https://dns.google.com/experimental", "")}, - // &dnsOverHTTPS{boot: toBoot("https://doh.cleanbrowsing.org/doh/security-filter/", "")}, - // &dnsOverHTTPS{boot: toBoot("https://dns10.quad9.net/dns-query", "")}, - // &dnsOverHTTPS{boot: toBoot("https://doh.powerdns.org", "")}, - // &dnsOverHTTPS{boot: toBoot("https://doh.securedns.eu/dns-query", "")}, - - //// dns over TLS - // &dnsOverTLS{boot: toBoot("tls://8.8.8.8:853", "")}, - // &dnsOverTLS{boot: toBoot("tls://8.8.4.4:853", "")}, - // &dnsOverTLS{boot: toBoot("tls://1.1.1.1:853", "")}, - // &dnsOverTLS{boot: toBoot("tls://1.0.0.1:853", "")}, - - //// plainDNS - &plainDNS{boot: toBoot("8.8.8.8:53", "")}, - &plainDNS{boot: toBoot("8.8.4.4:53", "")}, - &plainDNS{boot: toBoot("1.1.1.1:53", "")}, - &plainDNS{boot: toBoot("1.0.0.1:53", "")}, - }, } -// -// packet loop -// -func (s *Server) packetLoop() { - log.Printf("Entering packet handle loop") - b := make([]byte, dns.MaxMsgSize) - for { - s.RLock() - conn := s.udpListen - s.RUnlock() - if conn == nil { - log.Printf("udp socket has disappeared, exiting loop") - break - } - n, addr, err := conn.ReadFrom(b) - // documentation says to handle the packet even if err occurs, so do that first - if n > 0 { - // make a copy of all bytes because ReadFrom() will overwrite contents of b on next call - // we need the contents to survive the call because we're handling them in goroutine - p := make([]byte, n) - copy(p, b) - go s.handlePacket(p, addr, conn) // ignore errors - } - if err != nil { - if isConnClosed(err) { - log.Printf("ReadFrom() returned because we're reading from a closed connection, exiting loop") - // don't try to nullify s.udpListen here, because s.udpListen could be already re-bound to listen - break - } - log.Printf("Got error when reading from udp listen: %s", err) +func init() { + defaultDNS := []string{"8.8.8.8:53", "8.8.4.4:53"} + + defaultUpstreams := make([]upstream.Upstream, 0) + for _, addr := range defaultDNS { + u, err := upstream.AddressToUpstream(addr, "") + if err == nil { + defaultUpstreams = append(defaultUpstreams, u) } } + defaultValues.Upstreams = defaultUpstreams } -// -// Control functions -// - +// Start starts the DNS server func (s *Server) Start(config *ServerConfig) error { s.Lock() defer s.Unlock() + return s.startInternal(config) +} + +// startInternal starts without locking +func (s *Server) startInternal(config *ServerConfig) error { if config != nil { s.ServerConfig = *config } - // TODO: handle being called Start() second time after Stop() - if s.udpListen == nil { - log.Printf("Creating UDP socket") - var err error - addr := s.UDPListenAddr - if addr == nil { - addr = defaultValues.UDPListenAddr - } - s.udpListen, err = net.ListenUDP("udp", addr) - if err != nil { - s.udpListen = nil - return errorx.Decorate(err, "Couldn't listen to UDP socket") - } - log.Println(s.udpListen.LocalAddr(), s.UDPListenAddr) + + if s.dnsFilter != nil || s.dnsProxy != nil { + return errors.New("DNS server is already started") } - if s.dnsFilter == nil { - log.Printf("Creating dnsfilter") - s.dnsFilter = dnsfilter.New(&s.Config) - // add rules only if they are enabled - if s.FilteringEnabled { - s.dnsFilter.AddRules(s.Filters) - } + err := s.initDNSFilter() + if err != nil { + return err } log.Printf("Loading stats from querylog") - err := fillStatsFromQueryLog() + err = fillStatsFromQueryLog() if err != nil { - log.Printf("Failed to load stats from querylog: %s", err) - return err + return errorx.Decorate(err, "failed to load stats from querylog") } once.Do(func() { @@ -214,22 +117,66 @@ func (s *Server) Start(config *ServerConfig) error { go statsRotator() }) - go s.packetLoop() + // TODO: Add TCPListenAddr + proxyConfig := proxy.Config{ + UDPListenAddr: s.UDPListenAddr, + Ratelimit: s.Ratelimit, + RatelimitWhitelist: s.RatelimitWhitelist, + RefuseAny: s.RefuseAny, + CacheEnabled: true, + Upstreams: s.Upstreams, + Handler: s.handleDNSRequest, + } + if proxyConfig.UDPListenAddr == nil { + proxyConfig.UDPListenAddr = defaultValues.UDPListenAddr + } + + if len(proxyConfig.Upstreams) == 0 { + proxyConfig.Upstreams = defaultValues.Upstreams + } + + // Initialize and start the DNS proxy + s.dnsProxy = &proxy.Proxy{Config: proxyConfig} + return s.dnsProxy.Start() +} + +// Initializes the DNS filter +func (s *Server) initDNSFilter() error { + log.Printf("Creating dnsfilter") + s.dnsFilter = dnsfilter.New(&s.Config) + // add rules only if they are enabled + if s.FilteringEnabled { + err := s.dnsFilter.AddRules(s.Filters) + if err != nil { + return errorx.Decorate(err, "could not initialize dnsfilter") + } + } return nil } +// Stop stops the DNS server func (s *Server) Stop() error { s.Lock() defer s.Unlock() - if s.udpListen != nil { - err := s.udpListen.Close() - s.udpListen = nil + return s.stopInternal() +} + +// stopInternal stops without locking +func (s *Server) stopInternal() error { + if s.dnsProxy != nil { + err := s.dnsProxy.Stop() + s.dnsProxy = nil if err != nil { - return errorx.Decorate(err, "Couldn't close UDP listening socket") + return errorx.Decorate(err, "could not stop the DNS server properly") } } + if s.dnsFilter != nil { + s.dnsFilter.Destroy() + s.dnsFilter = nil + } + // flush remainder to file logBufferLock.Lock() flushBuffer := logBuffer @@ -244,283 +191,55 @@ func (s *Server) Stop() error { return nil } +// IsRunning returns true if the DNS server is running func (s *Server) IsRunning() bool { s.RLock() isRunning := true - if s.udpListen == nil { + if s.dnsProxy == nil { isRunning = false } s.RUnlock() return isRunning } -// -// Server reconfigure -// - -func (s *Server) reconfigureListenAddr(new ServerConfig) error { - oldAddr := s.UDPListenAddr - if oldAddr == nil { - oldAddr = defaultValues.UDPListenAddr - } - newAddr := new.UDPListenAddr - if newAddr == nil { - newAddr = defaultValues.UDPListenAddr - } - if newAddr.Port == 0 { - return errorx.IllegalArgument.New("new port cannot be 0") - } - if reflect.DeepEqual(oldAddr, newAddr) { - // do nothing, the addresses are exactly the same - log.Printf("Not going to rebind because addresses are same: %v -> %v", oldAddr, newAddr) - return nil - } - - // rebind, using a strategy: - // * if ports are different, bind new first, then close old - // * if ports are same, close old first, then bind new - var newListen *net.UDPConn - var err error - if oldAddr.Port != newAddr.Port { - log.Printf("Rebinding -- ports are different so bind first then close") - newListen, err = net.ListenUDP("udp", newAddr) - if err != nil { - return errorx.Decorate(err, "Couldn't bind to %v", newAddr) - } - s.Lock() - if s.udpListen != nil { - err = s.udpListen.Close() - s.udpListen = nil - } - s.Unlock() - if err != nil { - return errorx.Decorate(err, "Couldn't close UDP listening socket") - } - } else { - log.Printf("Rebinding -- ports are same so close first then bind") - s.Lock() - if s.udpListen != nil { - err = s.udpListen.Close() - s.udpListen = nil - } - s.Unlock() - if err != nil { - return errorx.Decorate(err, "Couldn't close UDP listening socket") - } - newListen, err = net.ListenUDP("udp", newAddr) - if err != nil { - return errorx.Decorate(err, "Couldn't bind to %v", newAddr) - } - } +// Reconfigure applies the new configuration to the DNS server +func (s *Server) Reconfigure(config *ServerConfig) error { s.Lock() - s.udpListen = newListen - s.UDPListenAddr = new.UDPListenAddr - s.Unlock() - log.Println(s.udpListen.LocalAddr(), s.UDPListenAddr) + defer s.Unlock() - go s.packetLoop() // the old one has quit, use new one + log.Print("Start reconfiguring the server") + err := s.stopInternal() + if err != nil { + return errorx.Decorate(err, "could not reconfigure the server") + } + err = s.startInternal(config) + if err != nil { + return errorx.Decorate(err, "could not reconfigure the server") + } return nil } -func (s *Server) reconfigureBlockedResponseTTL(new ServerConfig) { - newVal := new.BlockedResponseTTL - if newVal == 0 { - newVal = defaultValues.BlockedResponseTTL - } - oldVal := s.BlockedResponseTTL - if oldVal == 0 { - oldVal = defaultValues.BlockedResponseTTL - } - if newVal != oldVal { - s.BlockedResponseTTL = new.BlockedResponseTTL - } -} - -func (s *Server) reconfigureUpstreams(new ServerConfig) { - newVal := new.Upstreams - if len(newVal) == 0 { - newVal = defaultValues.Upstreams - } - oldVal := s.Upstreams - if len(oldVal) == 0 { - oldVal = defaultValues.Upstreams - } - if reflect.DeepEqual(newVal, oldVal) { - // they're exactly the same, do nothing - return - } - s.Upstreams = new.Upstreams -} - -func (s *Server) reconfigureFiltering(new ServerConfig) { - newFilters := new.Filters - if len(newFilters) == 0 { - newFilters = defaultValues.Filters - } - oldFilters := s.Filters - if len(oldFilters) == 0 { - oldFilters = defaultValues.Filters - } - - needUpdate := false - if !reflect.DeepEqual(newFilters, oldFilters) { - needUpdate = true - } - - if !reflect.DeepEqual(new.FilteringConfig, s.FilteringConfig) { - needUpdate = true - } - - if !needUpdate { - // nothing to do, everything is same - return - } - - // TODO: instead of creating new dnsfilter, change existing one's settings and filters - dnsFilter := dnsfilter.New(&new.Config) // sets safebrowsing, safesearch and parental - - // add rules only if they are enabled - if new.FilteringEnabled { - dnsFilter.AddRules(newFilters) - } - - s.Lock() - oldDNSFilter := s.dnsFilter - s.dnsFilter = dnsFilter - s.FilteringConfig = new.FilteringConfig - s.Unlock() - - oldDNSFilter.Destroy() -} - -func (s *Server) Reconfigure(new ServerConfig) error { - s.reconfigureBlockedResponseTTL(new) - s.reconfigureUpstreams(new) - s.reconfigureFiltering(new) - - err := s.reconfigureListenAddr(new) - if err != nil { - return errorx.Decorate(err, "Couldn't reconfigure to new listening address %+v", new.UDPListenAddr) - } - return nil -} - -// -// packet handling functions -// - -// handlePacketInternal processes the incoming packet bytes and returns with an optional response packet. -// -// If an empty dns.Msg is returned, do not try to send anything back to client, otherwise send contents of dns.Msg. -// -// If an error is returned, log it, don't try to generate data based on that error. -func (s *Server) handlePacketInternal(msg *dns.Msg, addr net.Addr, conn *net.UDPConn) (*dns.Msg, *dnsfilter.Result, Upstream, error) { - // log.Printf("Got packet %d bytes from %s: %v", len(p), addr, p) - // - // DNS packet byte format is valid - // - // any errors below here require a response to client - // log.Printf("Unpacked: %v", msg.String()) - if len(msg.Question) != 1 { - log.Printf("Got invalid number of questions: %v", len(msg.Question)) - return s.genServerFailure(msg), nil, nil, nil - } - - if msg.Question[0].Qtype == dns.TypeANY && s.RefuseAny { - return s.genNotImpl(msg), nil, nil, nil - } - - // we need upstream to resolve A records - upstream := s.chooseUpstream() - - host := strings.TrimSuffix(msg.Question[0].Name, ".") - // use dnsfilter before cache -- changed settings or filters would require cache invalidation otherwise - var res dnsfilter.Result - var err error - if s.ProtectionEnabled { - res, err = s.dnsFilter.CheckHost(host) - if err != nil { - log.Printf("dnsfilter failed to check host '%s': %s", host, err) - return s.genServerFailure(msg), &res, nil, err - } else if res.IsFiltered { - log.Printf("Host %s is filtered, reason - '%s', matched rule: '%s'", host, res.Reason, res.Rule) - switch res.Reason { - case dnsfilter.FilteredSafeBrowsing: - return s.genArecord(msg, safeBrowsingBlockHost, upstream), &res, nil, nil - case dnsfilter.FilteredParental: - return s.genArecord(msg, parentalBlockHost, upstream), &res, nil, nil - } - return s.genNXDomain(msg), &res, nil, nil - } - } - - { - val, ok := s.cache.Get(msg) - if ok && val != nil { - return val, &res, nil, nil - } - } - - // TODO: replace with single-socket implementation - reply, err := upstream.Exchange(msg) - if err != nil { - log.Printf("talking to upstream failed for host '%s': %s", host, err) - return s.genServerFailure(msg), &res, upstream, err - } - if reply == nil { - log.Printf("SHOULD NOT HAPPEN upstream returned empty message for host '%s'. Request is %v", host, msg.String()) - return s.genServerFailure(msg), &res, upstream, nil - } - - s.cache.Set(reply) - - return reply, &res, upstream, nil -} - -func (s *Server) handlePacket(p []byte, addr net.Addr, conn *net.UDPConn) { +// handleDNSRequest filters the incoming DNS requests and writes them to the query log +func (s *Server) handleDNSRequest(p *proxy.Proxy, d *proxy.DNSContext) error { start := time.Now() - ip, _, err := net.SplitHostPort(addr.String()) + + // use dnsfilter before cache -- changed settings or filters would require cache invalidation otherwise + res, err := s.filterDNSRequest(d) if err != nil { - log.Printf("Failed to split %v into host/port: %s", addr, err) - // not a fatal error, move on + return err } - // ratelimit based on IP only, protects CPU cycles and outbound connections - if s.isRatelimited(ip) { - // log.Printf("Ratelimiting %s based on IP only", ip) - return // do nothing, don't reply, we got ratelimited - } - - msg := &dns.Msg{} - err = msg.Unpack(p) - if err != nil { - log.Printf("got invalid DNS packet: %s", err) - return // do nothing - } - - reply, result, upstream, err := s.handlePacketInternal(msg, addr, conn) - - if reply != nil { - // ratelimit based on reply size now - replysize := reply.Len() - if s.isRatelimitedForReply(ip, replysize) { - log.Printf("Ratelimiting %s based on IP and size %d", ip, replysize) - return // do nothing, don't reply, we got ratelimited - } - - // we're good to respond - rerr := s.respond(reply, addr, conn) - if rerr != nil { - log.Printf("Couldn't respond to UDP packet: %s", err) + if d.Res == nil { + // request was not filtered so let it be processed further + err = p.Resolve(d) + if err != nil { + return err } } - // - // query logging and stats counters - // - shouldLog := true + msg := d.Req // don't log ANY request if refuseAny is enabled if len(msg.Question) >= 1 && msg.Question[0].Qtype == dns.TypeANY && s.RefuseAny { @@ -530,35 +249,64 @@ func (s *Server) handlePacket(p []byte, addr net.Addr, conn *net.UDPConn) { if s.QueryLogEnabled && shouldLog { elapsed := time.Since(start) upstreamAddr := "" - if upstream != nil { - upstreamAddr = upstream.Address() + if d.Upstream != nil { + upstreamAddr = d.Upstream.Address() } - logRequest(msg, reply, result, elapsed, ip, upstreamAddr) + logRequest(msg, d.Res, res, elapsed, d.Addr.String(), upstreamAddr) } + + return nil } -// -// packet sending functions -// +// filterDNSRequest applies the dnsFilter and sets d.Res if the request was filtered +func (s *Server) filterDNSRequest(d *proxy.DNSContext) (*dnsfilter.Result, error) { + msg := d.Req + host := strings.TrimSuffix(msg.Question[0].Name, ".") -func (s *Server) respond(resp *dns.Msg, addr net.Addr, conn *net.UDPConn) error { - // log.Printf("Replying to %s with %s", addr, resp) - resp.Compress = true - bytes, err := resp.Pack() + s.RLock() + protectionEnabled := s.ProtectionEnabled + dnsFilter := s.dnsFilter + s.RUnlock() + + if !protectionEnabled { + return nil, nil + } + + var res dnsfilter.Result + var err error + + res, err = dnsFilter.CheckHost(host) if err != nil { - return errorx.Decorate(err, "Couldn't convert message into wire format") + // Return immediately if there's an error + return nil, errorx.Decorate(err, "dnsfilter failed to check host '%s'", host) + } else if res.IsFiltered { + log.Debugf("Host %s is filtered, reason - '%s', matched rule: '%s'", host, res.Reason, res.Rule) + d.Res = s.genDNSFilterMessage(d, &res) } - n, err := conn.WriteTo(bytes, addr) - if n == 0 && isConnClosed(err) { - return err + + return &res, err +} + +// genDNSFilterMessage generates a DNS message corresponding to the filtering result +func (s *Server) genDNSFilterMessage(d *proxy.DNSContext, result *dnsfilter.Result) *dns.Msg { + m := d.Req + + if m.Question[0].Qtype != dns.TypeA { + return s.genNXDomain(m) } - if n != len(bytes) { - return fmt.Errorf("WriteTo() returned with %d != %d", n, len(bytes)) + + switch result.Reason { + case dnsfilter.FilteredSafeBrowsing: + return s.genBlockedHost(m, safeBrowsingBlockHost, d.Upstream) + case dnsfilter.FilteredParental: + return s.genBlockedHost(m, parentalBlockHost, d.Upstream) + default: + if result.Ip != nil { + return s.genARecord(m, result.Ip) + } + + return s.genNXDomain(m) } - if err != nil { - return errorx.Decorate(err, "WriteTo() returned error") - } - return nil } func (s *Server) genServerFailure(request *dns.Msg) *dns.Msg { @@ -568,29 +316,19 @@ func (s *Server) genServerFailure(request *dns.Msg) *dns.Msg { return &resp } -func (s *Server) genNotImpl(request *dns.Msg) *dns.Msg { +func (s *Server) genARecord(request *dns.Msg, ip net.IP) *dns.Msg { resp := dns.Msg{} - resp.SetRcode(request, dns.RcodeNotImplemented) - resp.RecursionAvailable = true - resp.SetEdns0(1452, false) // NOTIMPL without EDNS is treated as 'we don't support EDNS', so explicitly set it + resp.SetReply(request) + answer, err := dns.NewRR(fmt.Sprintf("%s %d A %s", request.Question[0].Name, s.BlockedResponseTTL, ip.String())) + if err != nil { + log.Warnf("Couldn't generate A record for up replacement host '%s': %s", ip.String(), err) + return s.genServerFailure(request) + } + resp.Answer = append(resp.Answer, answer) return &resp } -func (s *Server) genArecord(request *dns.Msg, newAddr string, upstream Upstream) *dns.Msg { - addr := net.ParseIP(newAddr) - if addr != nil { - // this is an IP address, return it - resp := dns.Msg{} - resp.SetReply(request) - answer, err := dns.NewRR(fmt.Sprintf("%s %d A %s", request.Question[0].Name, s.BlockedResponseTTL, newAddr)) - if err != nil { - log.Printf("Couldn't generate A record for up replacement host '%s': %s", newAddr, err) - return s.genServerFailure(request) - } - resp.Answer = append(resp.Answer, answer) - return &resp - } - +func (s *Server) genBlockedHost(request *dns.Msg, newAddr string, upstream upstream.Upstream) *dns.Msg { // look up the hostname, TODO: cache replReq := dns.Msg{} replReq.SetQuestion(dns.Fqdn(newAddr), request.Question[0].Qtype) diff --git a/dnsforward/dnsforward_test.go b/dnsforward/dnsforward_test.go index 26dabb4b..fe638c42 100644 --- a/dnsforward/dnsforward_test.go +++ b/dnsforward/dnsforward_test.go @@ -3,6 +3,9 @@ package dnsforward import ( "net" "testing" + "time" + + "github.com/AdguardTeam/AdGuardHome/dnsfilter" "github.com/miekg/dns" ) @@ -14,12 +17,9 @@ func TestServer(t *testing.T) { if err != nil { t.Fatalf("Failed to start server: %s", err) } - if s.udpListen == nil { - t.Fatal("Started server has nil udpListen") - } // server is running, send a message - addr := s.udpListen.LocalAddr() + addr := s.dnsProxy.Addr("udp") req := dns.Msg{} req.Id = dns.Id() req.RecursionDesired = true @@ -44,6 +44,171 @@ func TestServer(t *testing.T) { err = s.Stop() if err != nil { - t.Fatalf("DNS server %s failed to stop: %s", addr, err) + t.Fatalf("DNS server failed to stop: %s", err) } } + +func TestInvalidRequest(t *testing.T) { + s := Server{} + s.UDPListenAddr = &net.UDPAddr{Port: 0} + err := s.Start(nil) + if err != nil { + t.Fatalf("Failed to start server: %s", err) + } + + // server is running, send a message + addr := s.dnsProxy.Addr("udp") + req := dns.Msg{} + req.Id = dns.Id() + req.RecursionDesired = true + + // send a DNS request without question + client := dns.Client{Net: "udp", Timeout: 500 * time.Millisecond} + _, _, err = client.Exchange(&req, addr.String()) + if err != nil { + t.Fatalf("got a response to an invalid query") + } + + err = s.Stop() + if err != nil { + t.Fatalf("DNS server failed to stop: %s", err) + } +} + +func TestBlockedRequest(t *testing.T) { + s := createTestServer() + err := s.Start(nil) + if err != nil { + t.Fatalf("Failed to start server: %s", err) + } + addr := s.dnsProxy.Addr("udp") + + // + // NXDomain blocking + // + req := dns.Msg{} + req.Id = dns.Id() + req.RecursionDesired = true + req.Question = []dns.Question{ + {Name: "nxdomain.example.org.", Qtype: dns.TypeA, Qclass: dns.ClassINET}, + } + + reply, err := dns.Exchange(&req, addr.String()) + if err != nil { + t.Fatalf("Couldn't talk to server %s: %s", addr, err) + } + if reply.Rcode != dns.RcodeNameError { + t.Fatalf("Wrong response: %s", reply.String()) + } + + err = s.Stop() + if err != nil { + t.Fatalf("DNS server failed to stop: %s", err) + } +} + +func TestBlockedByHosts(t *testing.T) { + s := createTestServer() + err := s.Start(nil) + if err != nil { + t.Fatalf("Failed to start server: %s", err) + } + addr := s.dnsProxy.Addr("udp") + + // + // Hosts blocking + // + req := dns.Msg{} + req.Id = dns.Id() + req.RecursionDesired = true + req.Question = []dns.Question{ + {Name: "host.example.org.", Qtype: dns.TypeA, Qclass: dns.ClassINET}, + } + + reply, err := dns.Exchange(&req, addr.String()) + if err != nil { + t.Fatalf("Couldn't talk to server %s: %s", addr, err) + } + if len(reply.Answer) != 1 { + t.Fatalf("DNS server %s returned reply with wrong number of answers - %d", addr, len(reply.Answer)) + } + if a, ok := reply.Answer[0].(*dns.A); ok { + if !net.IPv4(127, 0, 0, 1).Equal(a.A) { + t.Fatalf("DNS server %s returned wrong answer instead of 8.8.8.8: %v", addr, a.A) + } + } else { + t.Fatalf("DNS server %s returned wrong answer type instead of A: %v", addr, reply.Answer[0]) + } + + err = s.Stop() + if err != nil { + t.Fatalf("DNS server failed to stop: %s", err) + } +} + +func TestBlockedBySafeBrowsing(t *testing.T) { + s := createTestServer() + err := s.Start(nil) + if err != nil { + t.Fatalf("Failed to start server: %s", err) + } + addr := s.dnsProxy.Addr("udp") + + // + // Safebrowsing blocking + // + req := dns.Msg{} + req.Id = dns.Id() + req.RecursionDesired = true + req.Question = []dns.Question{ + {Name: "wmconvirus.narod.ru.", Qtype: dns.TypeA, Qclass: dns.ClassINET}, + } + reply, err := dns.Exchange(&req, addr.String()) + if err != nil { + t.Fatalf("Couldn't talk to server %s: %s", addr, err) + } + if len(reply.Answer) != 1 { + t.Fatalf("DNS server %s returned reply with wrong number of answers - %d", addr, len(reply.Answer)) + } + if a, ok := reply.Answer[0].(*dns.A); ok { + addrs, lookupErr := net.LookupHost(safeBrowsingBlockHost) + if lookupErr != nil { + t.Fatalf("cannot resolve %s due to %s", safeBrowsingBlockHost, lookupErr) + } + + found := false + for _, blockAddr := range addrs { + if blockAddr == a.A.String() { + found = true + } + } + + if !found { + t.Fatalf("DNS server %s returned wrong answer: %v", addr, a.A) + } + } else { + t.Fatalf("DNS server %s returned wrong answer type instead of A: %v", addr, reply.Answer[0]) + } + + err = s.Stop() + if err != nil { + t.Fatalf("DNS server failed to stop: %s", err) + } +} + +func createTestServer() *Server { + s := Server{} + s.UDPListenAddr = &net.UDPAddr{Port: 0} + s.FilteringConfig.FilteringEnabled = true + s.FilteringConfig.ProtectionEnabled = true + s.FilteringConfig.SafeBrowsingEnabled = true + s.Filters = make([]dnsfilter.Filter, 0) + + rules := []string{ + "||nxdomain.example.org^", + "127.0.0.1 host.example.org", + } + filter := dnsfilter.Filter{ID: 1, Rules: rules} + s.Filters = append(s.Filters, filter) + return &s +} diff --git a/dnsforward/helpers.go b/dnsforward/helpers.go deleted file mode 100644 index 52b65c87..00000000 --- a/dnsforward/helpers.go +++ /dev/null @@ -1,50 +0,0 @@ -package dnsforward - -import ( - "fmt" - "net" - "os" - "path" - "runtime" - "strings" -) - -func isConnClosed(err error) bool { - if err == nil { - return false - } - nerr, ok := err.(*net.OpError) - if !ok { - return false - } - - if strings.Contains(nerr.Err.Error(), "use of closed network connection") { - return true - } - - return false -} - -// --------------------- -// debug logging helpers -// --------------------- -func _Func() string { - pc := make([]uintptr, 10) // at least 1 entry needed - runtime.Callers(2, pc) - f := runtime.FuncForPC(pc[0]) - return path.Base(f.Name()) -} - -func trace(format string, args ...interface{}) { - pc := make([]uintptr, 10) // at least 1 entry needed - runtime.Callers(2, pc) - f := runtime.FuncForPC(pc[0]) - var buf strings.Builder - buf.WriteString(fmt.Sprintf("%s(): ", path.Base(f.Name()))) - text := fmt.Sprintf(format, args...) - buf.WriteString(text) - if len(text) == 0 || text[len(text)-1] != '\n' { - buf.WriteRune('\n') - } - fmt.Fprint(os.Stderr, buf.String()) -} diff --git a/dnsforward/querylog.go b/dnsforward/querylog.go index d449990d..7058a3b9 100644 --- a/dnsforward/querylog.go +++ b/dnsforward/querylog.go @@ -3,7 +3,6 @@ package dnsforward import ( "encoding/json" "fmt" - "log" "net/http" "strconv" "strings" @@ -12,6 +11,7 @@ import ( "github.com/AdguardTeam/AdGuardHome/dnsfilter" "github.com/miekg/dns" + log "github.com/sirupsen/logrus" ) const ( @@ -53,6 +53,7 @@ func logRequest(question *dns.Msg, answer *dns.Msg, result *dnsfilter.Result, el return } } + if answer != nil { a, err = answer.Pack() if err != nil { diff --git a/dnsforward/querylog_file.go b/dnsforward/querylog_file.go index 9ea8ef95..43a93093 100644 --- a/dnsforward/querylog_file.go +++ b/dnsforward/querylog_file.go @@ -5,11 +5,12 @@ import ( "compress/gzip" "encoding/json" "fmt" - "log" "os" "sync" "time" + log "github.com/sirupsen/logrus" + "github.com/go-test/deep" ) @@ -191,15 +192,12 @@ func genericLoader(onEntry func(entry *logEntry) error, needMore func() bool, ti var d *json.Decoder if enableGzip { - trace("Creating gzip reader") zr, err := gzip.NewReader(f) if err != nil { log.Printf("Failed to create gzip reader: %s", err) continue } defer zr.Close() - - trace("Creating json decoder") d = json.NewDecoder(zr) } else { d = json.NewDecoder(f) diff --git a/dnsforward/querylog_top.go b/dnsforward/querylog_top.go index b78dea79..26c896fa 100644 --- a/dnsforward/querylog_top.go +++ b/dnsforward/querylog_top.go @@ -3,7 +3,6 @@ package dnsforward import ( "bytes" "fmt" - "log" "net/http" "os" "path" @@ -14,6 +13,8 @@ import ( "sync" "time" + log "github.com/sirupsen/logrus" + "github.com/bluele/gcache" "github.com/miekg/dns" ) diff --git a/dnsforward/ratelimit.go b/dnsforward/ratelimit.go deleted file mode 100644 index 9ea8d216..00000000 --- a/dnsforward/ratelimit.go +++ /dev/null @@ -1,80 +0,0 @@ -package dnsforward - -import ( - "log" - "sort" - "time" - - "github.com/beefsack/go-rate" - gocache "github.com/patrickmn/go-cache" -) - -func (s *Server) limiterForIP(ip string) interface{} { - if s.ratelimitBuckets == nil { - s.ratelimitBuckets = gocache.New(time.Hour, time.Hour) - } - - // check if ratelimiter for that IP already exists, if not, create - value, found := s.ratelimitBuckets.Get(ip) - if !found { - value = rate.New(s.Ratelimit, time.Second) - s.ratelimitBuckets.Set(ip, value, time.Hour) - } - - return value -} - -func (s *Server) isRatelimited(ip string) bool { - if s.Ratelimit == 0 { // 0 -- disabled - return false - } - if len(s.RatelimitWhitelist) > 0 { - i := sort.SearchStrings(s.RatelimitWhitelist, ip) - - if i < len(s.RatelimitWhitelist) && s.RatelimitWhitelist[i] == ip { - // found, don't ratelimit - return false - } - } - - value := s.limiterForIP(ip) - rl, ok := value.(*rate.RateLimiter) - if !ok { - log.Println("SHOULD NOT HAPPEN: non-bool entry found in safebrowsing lookup cache") - return false - } - - allow, _ := rl.Try() - return !allow -} - -func (s *Server) isRatelimitedForReply(ip string, size int) bool { - if s.Ratelimit == 0 { // 0 -- disabled - return false - } - if len(s.RatelimitWhitelist) > 0 { - i := sort.SearchStrings(s.RatelimitWhitelist, ip) - - if i < len(s.RatelimitWhitelist) && s.RatelimitWhitelist[i] == ip { - // found, don't ratelimit - return false - } - } - - value := s.limiterForIP(ip) - rl, ok := value.(*rate.RateLimiter) - if !ok { - log.Println("SHOULD NOT HAPPEN: non-bool entry found in safebrowsing lookup cache") - return false - } - - // For large UDP responses we try more times, effectively limiting per bandwidth - // The exact number of times depends on the response size - for i := 0; i < size/1000; i++ { - allow, _ := rl.Try() - if !allow { // not allowed -> ratelimited - return true - } - } - return false -} diff --git a/dnsforward/ratelimit_test.go b/dnsforward/ratelimit_test.go deleted file mode 100644 index ed6f5ce9..00000000 --- a/dnsforward/ratelimit_test.go +++ /dev/null @@ -1,42 +0,0 @@ -package dnsforward - -import ( - "testing" -) - -func TestRatelimiting(t *testing.T) { - // rate limit is 1 per sec - p := Server{} - p.Ratelimit = 1 - - limited := p.isRatelimited("127.0.0.1") - - if limited { - t.Fatal("First request must have been allowed") - } - - limited = p.isRatelimited("127.0.0.1") - - if !limited { - t.Fatal("Second request must have been ratelimited") - } -} - -func TestWhitelist(t *testing.T) { - // rate limit is 1 per sec with whitelist - p := Server{} - p.Ratelimit = 1 - p.RatelimitWhitelist = []string{"127.0.0.1", "127.0.0.2", "127.0.0.125"} - - limited := p.isRatelimited("127.0.0.1") - - if limited { - t.Fatal("First request must have been allowed") - } - - limited = p.isRatelimited("127.0.0.1") - - if limited { - t.Fatal("Second request must have been allowed due to whitelist") - } -} diff --git a/dnsforward/standalone/.gitignore b/dnsforward/standalone/.gitignore deleted file mode 100644 index 5f81988c..00000000 --- a/dnsforward/standalone/.gitignore +++ /dev/null @@ -1 +0,0 @@ -/standalone \ No newline at end of file diff --git a/dnsforward/standalone/standalone.go b/dnsforward/standalone/standalone.go deleted file mode 100644 index ae3e6d13..00000000 --- a/dnsforward/standalone/standalone.go +++ /dev/null @@ -1,51 +0,0 @@ -package main - -import ( - "log" - "net" - "net/http" - _ "net/http/pprof" - "os" - "os/signal" - "runtime" - "syscall" - "time" - - "github.com/AdguardTeam/AdGuardHome/dnsforward" -) - -// -// main function -// -func main() { - go func() { - log.Println(http.ListenAndServe("localhost:6060", nil)) - }() - go func() { - for range time.Tick(time.Second) { - log.Printf("goroutines = %d", runtime.NumGoroutine()) - } - }() - s := dnsforward.Server{} - err := s.Start(nil) - if err != nil { - panic(err) - } - time.Sleep(time.Second) - err = s.Stop() - if err != nil { - panic(err) - } - err = s.Start(&dnsforward.ServerConfig{UDPListenAddr: &net.UDPAddr{Port: 53535}}) - if err != nil { - panic(err) - } - err = s.Reconfigure(dnsforward.ServerConfig{UDPListenAddr: &net.UDPAddr{Port: 53, IP: net.ParseIP("0.0.0.0")}}) - if err != nil { - panic(err) - } - log.Printf("Now serving DNS") - signal_channel := make(chan os.Signal) - signal.Notify(signal_channel, syscall.SIGINT, syscall.SIGTERM) - <-signal_channel -} diff --git a/dnsforward/stats.go b/dnsforward/stats.go index 9cfe5f58..2befcad2 100644 --- a/dnsforward/stats.go +++ b/dnsforward/stats.go @@ -3,11 +3,12 @@ package dnsforward import ( "encoding/json" "fmt" - "log" "net/http" "sync" "time" + log "github.com/sirupsen/logrus" + "github.com/AdguardTeam/AdGuardHome/dnsfilter" ) diff --git a/dnsforward/upstream.go b/dnsforward/upstream.go deleted file mode 100644 index 3746ff8a..00000000 --- a/dnsforward/upstream.go +++ /dev/null @@ -1,313 +0,0 @@ -package dnsforward - -import ( - "bytes" - "fmt" - "io/ioutil" - "log" - "math/rand" - "net" - "net/http" - "net/url" - "strings" - "sync" - "time" - - "github.com/jedisct1/go-dnsstamps" - - "github.com/ameshkov/dnscrypt" - "github.com/joomcode/errorx" - "github.com/miekg/dns" -) - -const defaultTimeout = time.Second * 10 - -type Upstream interface { - Exchange(m *dns.Msg) (*dns.Msg, error) - Address() string -} - -// -// plain DNS -// -type plainDNS struct { - boot bootstrapper - preferTCP bool -} - -var defaultUDPClient = dns.Client{ - Timeout: defaultTimeout, - UDPSize: dns.MaxMsgSize, -} - -var defaultTCPClient = dns.Client{ - Net: "tcp", - UDPSize: dns.MaxMsgSize, - Timeout: defaultTimeout, -} - -// Address returns the original address that we've put in initially, not resolved one -func (p *plainDNS) Address() string { return p.boot.address } - -func (p *plainDNS) Exchange(m *dns.Msg) (*dns.Msg, error) { - addr, _, err := p.boot.get() - if err != nil { - return nil, err - } - if p.preferTCP { - reply, _, err := defaultTCPClient.Exchange(m, addr) - return reply, err - } - - reply, _, err := defaultUDPClient.Exchange(m, addr) - if err != nil && reply != nil && reply.Truncated { - log.Printf("Truncated message was received, retrying over TCP, question: %s", m.Question[0].String()) - reply, _, err = defaultTCPClient.Exchange(m, addr) - } - - return reply, err -} - -// -// DNS-over-TLS -// -type dnsOverTLS struct { - boot bootstrapper - pool *TLSPool - - sync.RWMutex // protects pool -} - -func (p *dnsOverTLS) Address() string { return p.boot.address } - -func (p *dnsOverTLS) Exchange(m *dns.Msg) (*dns.Msg, error) { - var pool *TLSPool - p.RLock() - pool = p.pool - p.RUnlock() - if pool == nil { - p.Lock() - // lazy initialize it - p.pool = &TLSPool{boot: &p.boot} - p.Unlock() - } - - p.RLock() - poolConn, err := p.pool.Get() - p.RUnlock() - if err != nil { - return nil, errorx.Decorate(err, "Failed to get a connection from TLSPool to %s", p.Address()) - } - c := dns.Conn{Conn: poolConn} - err = c.WriteMsg(m) - if err != nil { - poolConn.Close() - return nil, errorx.Decorate(err, "Failed to send a request to %s", p.Address()) - } - - reply, err := c.ReadMsg() - if err != nil { - poolConn.Close() - return nil, errorx.Decorate(err, "Failed to read a request from %s", p.Address()) - } - p.RLock() - p.pool.Put(poolConn) - p.RUnlock() - return reply, nil -} - -// -// DNS-over-https -// -type dnsOverHTTPS struct { - boot bootstrapper -} - -func (p *dnsOverHTTPS) Address() string { return p.boot.address } - -func (p *dnsOverHTTPS) Exchange(m *dns.Msg) (*dns.Msg, error) { - addr, tlsConfig, err := p.boot.get() - if err != nil { - return nil, errorx.Decorate(err, "Couldn't bootstrap %s", p.boot.address) - } - - buf, err := m.Pack() - if err != nil { - return nil, errorx.Decorate(err, "Couldn't pack request msg") - } - bb := bytes.NewBuffer(buf) - - // set up a custom request with custom URL - url, err := url.Parse(p.boot.address) - if err != nil { - return nil, errorx.Decorate(err, "Couldn't parse URL %s", p.boot.address) - } - req := http.Request{ - Method: "POST", - URL: url, - Body: ioutil.NopCloser(bb), - Header: make(http.Header), - Host: url.Host, - } - url.Host = addr - req.Header.Set("Content-Type", "application/dns-message") - client := http.Client{ - Transport: &http.Transport{TLSClientConfig: tlsConfig}, - } - resp, err := client.Do(&req) - if resp != nil && resp.Body != nil { - defer resp.Body.Close() - } - if err != nil { - return nil, errorx.Decorate(err, "Couldn't do a POST request to '%s'", addr) - } - - body, err := ioutil.ReadAll(resp.Body) - if err != nil { - return nil, errorx.Decorate(err, "Couldn't read body contents for '%s'", addr) - } - if resp.StatusCode != http.StatusOK { - return nil, fmt.Errorf("Got an unexpected HTTP status code %d from '%s'", resp.StatusCode, addr) - } - if len(body) == 0 { - return nil, fmt.Errorf("Got an unexpected empty body from '%s'", addr) - } - response := dns.Msg{} - err = response.Unpack(body) - if err != nil { - return nil, errorx.Decorate(err, "Couldn't unpack DNS response from '%s': body is %s", addr, string(body)) - } - return &response, nil -} - -// -// DNSCrypt -// -type dnsCrypt struct { - boot bootstrapper - client *dnscrypt.Client // DNSCrypt client properties - serverInfo *dnscrypt.ServerInfo // DNSCrypt server info - - sync.RWMutex // protects DNSCrypt client -} - -func (p *dnsCrypt) Address() string { return p.boot.address } - -func (p *dnsCrypt) Exchange(m *dns.Msg) (*dns.Msg, error) { - - var client *dnscrypt.Client - var serverInfo *dnscrypt.ServerInfo - - p.RLock() - client = p.client - serverInfo = p.serverInfo - p.RUnlock() - - now := uint32(time.Now().Unix()) - if client == nil || serverInfo == nil || (serverInfo != nil && serverInfo.ServerCert.NotAfter < now) { - p.Lock() - - // Using "udp" for DNSCrypt upstreams by default - client = &dnscrypt.Client{Timeout: defaultTimeout, AdjustPayloadSize: true} - si, _, err := client.Dial(p.boot.address) - - if err != nil { - p.Unlock() - return nil, errorx.Decorate(err, "Failed to fetch certificate info from %s", p.Address()) - } - - p.client = client - p.serverInfo = si - serverInfo = si - p.Unlock() - } - - reply, _, err := client.Exchange(m, serverInfo) - - if err, ok := err.(net.Error); ok && err.Timeout() { - // If request times out, it is possible that the server configuration has been changed. - // It is safe to assume that the key was rotated (for instance, as it is described here: https://dnscrypt.pl/2017/02/26/how-key-rotation-is-automated/). - // We should re-fetch the server certificate info so that the new requests were not failing. - p.Lock() - p.client = nil - p.serverInfo = nil - p.Unlock() - } - - return reply, err -} - -func (s *Server) chooseUpstream() Upstream { - upstreams := s.Upstreams - if upstreams == nil { - upstreams = defaultValues.Upstreams - } - if len(upstreams) == 0 { - panic("SHOULD NOT HAPPEN: no default upstreams specified") - } - if len(upstreams) == 1 { - return upstreams[0] - } - n := rand.Intn(len(upstreams)) - upstream := upstreams[n] - return upstream -} - -func AddressToUpstream(address string, bootstrap string) (Upstream, error) { - if strings.Contains(address, "://") { - url, err := url.Parse(address) - if err != nil { - return nil, errorx.Decorate(err, "Failed to parse %s", address) - } - switch url.Scheme { - case "sdns": - stamp, err := dnsstamps.NewServerStampFromString(address) - if err != nil { - return nil, errorx.Decorate(err, "Failed to parse %s", address) - } - - switch stamp.Proto { - case dnsstamps.StampProtoTypeDNSCrypt: - return &dnsCrypt{boot: toBoot(url.String(), bootstrap)}, nil - case dnsstamps.StampProtoTypeDoH: - return AddressToUpstream(fmt.Sprintf("https://%s%s", stamp.ProviderName, stamp.Path), bootstrap) - } - - return nil, fmt.Errorf("Unsupported protocol %v in %s", stamp.Proto, address) - case "dns": - if url.Port() == "" { - url.Host += ":53" - } - return &plainDNS{boot: toBoot(url.Host, bootstrap)}, nil - case "tcp": - if url.Port() == "" { - url.Host += ":53" - } - return &plainDNS{boot: toBoot(url.Host, bootstrap), preferTCP: true}, nil - case "tls": - if url.Port() == "" { - url.Host += ":853" - } - return &dnsOverTLS{boot: toBoot(url.String(), bootstrap)}, nil - case "https": - if url.Port() == "" { - url.Host += ":443" - } - return &dnsOverHTTPS{boot: toBoot(url.String(), bootstrap)}, nil - default: - // assume it's plain DNS - if url.Port() == "" { - url.Host += ":53" - } - return &plainDNS{boot: toBoot(url.String(), bootstrap)}, nil - } - } - - // we don't have scheme in the url, so it's just a plain DNS host:port - _, _, err := net.SplitHostPort(address) - if err != nil { - // doesn't have port, default to 53 - address = net.JoinHostPort(address, "53") - } - return &plainDNS{boot: toBoot(address, bootstrap)}, nil -} diff --git a/dnsforward/upstream_pool.go b/dnsforward/upstream_pool.go deleted file mode 100644 index ca597808..00000000 --- a/dnsforward/upstream_pool.go +++ /dev/null @@ -1,74 +0,0 @@ -package dnsforward - -import ( - "crypto/tls" - "net" - "sync" - - "github.com/joomcode/errorx" -) - -// Upstream TLS pool. -// -// Example: -// pool := TLSPool{Address: "tls://1.1.1.1:853"} -// netConn, err := pool.Get() -// if err != nil {panic(err)} -// c := dns.Conn{Conn: netConn} -// q := dns.Msg{} -// q.SetQuestion("google.com.", dns.TypeA) -// log.Println(q) -// err = c.WriteMsg(&q) -// if err != nil {panic(err)} -// r, err := c.ReadMsg() -// if err != nil {panic(err)} -// log.Println(r) -// pool.Put(c.Conn) -type TLSPool struct { - boot *bootstrapper - - // connections - conns []net.Conn - connsMutex sync.Mutex // protects conns -} - -func (n *TLSPool) Get() (net.Conn, error) { - address, tlsConfig, err := n.boot.get() - if err != nil { - return nil, err - } - - // get the connection from the slice inside the lock - var c net.Conn - n.connsMutex.Lock() - num := len(n.conns) - if num > 0 { - last := num - 1 - c = n.conns[last] - n.conns = n.conns[:last] - } - n.connsMutex.Unlock() - - // if we got connection from the slice, return it - if c != nil { - // log.Printf("Returning existing connection to %s", host) - return c, nil - } - - // we'll need a new connection, dial now - // log.Printf("Dialing to %s", address) - conn, err := tls.Dial("tcp", address, tlsConfig) - if err != nil { - return nil, errorx.Decorate(err, "Failed to connect to %s", address) - } - return conn, nil -} - -func (n *TLSPool) Put(c net.Conn) { - if c == nil { - return - } - n.connsMutex.Lock() - n.conns = append(n.conns, c) - n.connsMutex.Unlock() -} diff --git a/dnsforward/upstream_test.go b/dnsforward/upstream_test.go deleted file mode 100644 index 3db97fbe..00000000 --- a/dnsforward/upstream_test.go +++ /dev/null @@ -1,123 +0,0 @@ -package dnsforward - -import ( - "net" - "testing" - - "github.com/miekg/dns" -) - -func TestUpstreams(t *testing.T) { - - upstreams := []struct { - address string - bootstrap string - }{ - { - address: "8.8.8.8:53", - bootstrap: "8.8.8.8:53", - }, - { - address: "1.1.1.1", - bootstrap: "", - }, - { - address: "tcp://1.1.1.1:53", - bootstrap: "", - }, - { - address: "176.103.130.130:5353", - bootstrap: "", - }, - { - address: "tls://1.1.1.1", - bootstrap: "", - }, - { - address: "tls://9.9.9.9:853", - bootstrap: "", - }, - { - address: "tls://security-filter-dns.cleanbrowsing.org", - bootstrap: "8.8.8.8:53", - }, - { - address: "tls://adult-filter-dns.cleanbrowsing.org:853", - bootstrap: "8.8.8.8:53", - }, - { - address: "https://cloudflare-dns.com/dns-query", - bootstrap: "8.8.8.8:53", - }, - { - address: "https://dns.google.com/experimental", - bootstrap: "8.8.8.8:53", - }, - { - address: "https://doh.cleanbrowsing.org/doh/security-filter/", - bootstrap: "", - }, - { - // AdGuard DNS (DNSCrypt) - address: "sdns://AQIAAAAAAAAAFDE3Ni4xMDMuMTMwLjEzMDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20", - bootstrap: "", - }, - { - // Cisco OpenDNS (DNSCrypt) - address: "sdns://AQAAAAAAAAAADjIwOC42Ny4yMjAuMjIwILc1EUAgbyJdPivYItf9aR6hwzzI1maNDL4Ev6vKQ_t5GzIuZG5zY3J5cHQtY2VydC5vcGVuZG5zLmNvbQ", - bootstrap: "8.8.8.8:53", - }, - { - // Cloudflare DNS (DoH) - address: "sdns://AgcAAAAAAAAABzEuMC4wLjGgENk8mGSlIfMGXMOlIlCcKvq7AVgcrZxtjon911-ep0cg63Ul-I8NlFj4GplQGb_TTLiczclX57DvMV8Q-JdjgRgSZG5zLmNsb3VkZmxhcmUuY29tCi9kbnMtcXVlcnk", - bootstrap: "8.8.8.8:53", - }, - { - // doh-cleanbrowsing-security (https://doh.cleanbrowsing.org/doh/security-filter/) - address: "sdns://AgMAAAAAAAAAAAAVZG9oLmNsZWFuYnJvd3Npbmcub3JnFS9kb2gvc2VjdXJpdHktZmlsdGVyLw", - bootstrap: "8.8.8.8:53", - }, - { - // Google (DNS-over-HTTPS) - address: "sdns://AgUAAAAAAAAAACAe9iTP_15r07rd8_3b_epWVGfjdymdx-5mdRZvMAzBuQ5kbnMuZ29vZ2xlLmNvbQ0vZXhwZXJpbWVudGFs", - bootstrap: "8.8.8.8:53", - }, - } - for _, test := range upstreams { - - t.Run(test.address, func(t *testing.T) { - u, err := AddressToUpstream(test.address, test.bootstrap) - if err != nil { - t.Fatalf("Failed to generate upstream from address %s: %s", test.address, err) - } - - checkUpstream(t, u, test.address) - }) - } -} - -func checkUpstream(t *testing.T, u Upstream, addr string) { - t.Helper() - - req := dns.Msg{} - req.Id = dns.Id() - req.RecursionDesired = true - req.Question = []dns.Question{ - {Name: "google-public-dns-a.google.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}, - } - - reply, err := u.Exchange(&req) - if err != nil { - t.Fatalf("Couldn't talk to upstream %s: %s", addr, err) - } - if len(reply.Answer) != 1 { - t.Fatalf("DNS upstream %s returned reply with wrong number of answers - %d", addr, len(reply.Answer)) - } - if a, ok := reply.Answer[0].(*dns.A); ok { - if !net.IPv4(8, 8, 8, 8).Equal(a.A) { - t.Fatalf("DNS upstream %s returned wrong answer instead of 8.8.8.8: %v", addr, a.A) - } - } else { - t.Fatalf("DNS upstream %s returned wrong answer type instead of A: %v", addr, reply.Answer[0]) - } -} diff --git a/go.mod b/go.mod index 4d648f47..f9e7fb74 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,7 @@ module github.com/AdguardTeam/AdGuardHome require ( + github.com/AdguardTeam/dnsproxy v0.9.1 github.com/StackExchange/wmi v0.0.0-20180725035823-b12b22c5341f // indirect github.com/ameshkov/dnscrypt v1.0.0 github.com/beefsack/go-rate v0.0.0-20180408011153-efa7637bb9b6 @@ -12,12 +13,15 @@ require ( github.com/joomcode/errorx v0.1.0 github.com/miekg/dns v1.1.1 github.com/patrickmn/go-cache v2.1.0+incompatible + github.com/pkg/errors v0.8.0 github.com/shirou/gopsutil v2.18.10+incompatible github.com/shirou/w32 v0.0.0-20160930032740-bb4de0191aa4 // indirect + github.com/sirupsen/logrus v1.2.0 go.uber.org/goleak v0.10.0 golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9 - golang.org/x/net v0.0.0-20181217023233-e147a9138326 - golang.org/x/sys v0.0.0-20181217223516-dcdaa6325bcb // indirect + golang.org/x/net v0.0.0-20181220203305-927f97764cc3 + golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 // indirect + golang.org/x/sys v0.0.0-20181221143128-b4a75ba826a6 // indirect gopkg.in/asaskevich/govalidator.v4 v4.0.0-20160518190739-766470278477 gopkg.in/yaml.v2 v2.2.1 ) diff --git a/go.sum b/go.sum index 11fbdf77..63dd1508 100644 --- a/go.sum +++ b/go.sum @@ -1,11 +1,13 @@ +github.com/AdguardTeam/dnsproxy v0.9.0 h1:doHDmVE9bV1fhiBV8rX76WWaSAB9w1H3u8WIiez5OFs= +github.com/AdguardTeam/dnsproxy v0.9.0/go.mod h1:CKZVVknYdoHVirXqqbALEkC+DBY65yCQrzSKYS78GoE= +github.com/AdguardTeam/dnsproxy v0.9.1 h1:+F6jqrVOrUjpbzhALjtbwqHfxW4M2YS3mYdhGxLXQ08= +github.com/AdguardTeam/dnsproxy v0.9.1/go.mod h1:CKZVVknYdoHVirXqqbALEkC+DBY65yCQrzSKYS78GoE= github.com/StackExchange/wmi v0.0.0-20180725035823-b12b22c5341f h1:5ZfJxyXo8KyX8DgGXC5B7ILL8y51fci/qYz2B4j8iLY= github.com/StackExchange/wmi v0.0.0-20180725035823-b12b22c5341f/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg= github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da h1:KjTM2ks9d14ZYCvmHS9iAKVt9AyzRSqNU1qabPih5BY= github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da/go.mod h1:eHEWzANqSiWQsof+nXEI9bUVUyV6F53Fp89EuCh2EAA= github.com/aead/poly1305 v0.0.0-20180717145839-3fee0db0b635 h1:52m0LGchQBBVqJRyYYufQuIbVqRawmubW3OFGqK1ekw= github.com/aead/poly1305 v0.0.0-20180717145839-3fee0db0b635/go.mod h1:lmLxL+FV291OopO93Bwf9fQLQeLyt33VJRUg5VJ30us= -github.com/ameshkov/dnscrypt v0.0.0-20181217090431-1215bb8b150f h1:vOaSvI9B3wqzV1g8raDeVzRJnq5RHQxsz0MVXudxdNU= -github.com/ameshkov/dnscrypt v0.0.0-20181217090431-1215bb8b150f/go.mod h1:EC7Z1GguyEEwhuLXrcgkRTE3GdyPDSWq2OXefhydGWo= github.com/ameshkov/dnscrypt v1.0.0 h1:Y7YexPCxtVCTDXlXu9n17+1H5YS25vftx8vV8Dhuu+E= github.com/ameshkov/dnscrypt v1.0.0/go.mod h1:EC7Z1GguyEEwhuLXrcgkRTE3GdyPDSWq2OXefhydGWo= github.com/beefsack/go-rate v0.0.0-20180408011153-efa7637bb9b6 h1:KXlsf+qt/X5ttPGEjR0tPH1xaWWoKBEg9Q1THAj2h3I= @@ -29,10 +31,16 @@ github.com/jedisct1/go-dnsstamps v0.0.0-20180418170050-1e4999280f86 h1:Olj4M6T1o github.com/jedisct1/go-dnsstamps v0.0.0-20180418170050-1e4999280f86/go.mod h1:j/ONpSHHmPgDwmFKXg9vhQvIjADe/ft1X4a3TVOmp9g= github.com/jedisct1/xsecretbox v0.0.0-20180508184500-7a679c0bcd9a h1:2nyBWKszM41RO/gt5ElUXigAFiRgJ9KifHDlWOlw0lc= github.com/jedisct1/xsecretbox v0.0.0-20180508184500-7a679c0bcd9a/go.mod h1:YlN58h704uRFD0BwsEGTq+7Wx+WG2i7P49bc+HwHyAY= +github.com/jessevdk/go-flags v1.4.0 h1:4IU2WS7AumrZ/40jfhf4QVDMsQwqA7VEHozFRrGARJA= +github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= +github.com/jmcvetta/randutil v0.0.0-20150817122601-2bb1b664bcff h1:6NvhExg4omUC9NfA+l4Oq3ibNNeJUdiAF3iBVB0PlDk= +github.com/jmcvetta/randutil v0.0.0-20150817122601-2bb1b664bcff/go.mod h1:ddfPX8Z28YMjiqoaJhNBzWHapTHXejnB5cDCUWDwriw= github.com/joho/godotenv v1.3.0 h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc= github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg= github.com/joomcode/errorx v0.1.0 h1:QmJMiI1DE1UFje2aI1ZWO/VMT5a32qBoXUclGOt8vsc= github.com/joomcode/errorx v0.1.0/go.mod h1:kgco15ekB6cs+4Xjzo7SPeXzx38PbJzBwbnu9qfVNHQ= +github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/markbates/oncer v0.0.0-20181014194634-05fccaae8fc4 h1:Mlji5gkcpzkqTROyE4ZxZ8hN7osunMb2RuGVrbvMvCc= github.com/markbates/oncer v0.0.0-20181014194634-05fccaae8fc4/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE= github.com/miekg/dns v1.1.1 h1:DVkblRdiScEnEr0LR9nTnEQqHYycjkXW9bOjd+2EL2o= @@ -47,14 +55,18 @@ github.com/shirou/gopsutil v2.18.10+incompatible h1:cy84jW6EVRPa5g9HAHrlbxMSIjBh github.com/shirou/gopsutil v2.18.10+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA= github.com/shirou/w32 v0.0.0-20160930032740-bb4de0191aa4 h1:udFKJ0aHUL60LboW/A+DfgoHVedieIzIXE8uylPue0U= github.com/shirou/w32 v0.0.0-20160930032740-bb4de0191aa4/go.mod h1:qsXQc7+bwAM3Q1u/4XEfrquwF8Lw7D7y5cD8CuHnfIc= +github.com/sirupsen/logrus v1.2.0 h1:juTguoYk5qI21pwyTXY3B3Y5cOTH3ZUyZCg1v/mihuo= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/spf13/cobra v0.0.3 h1:ZlrZ4XsMRm04Fr5pSFxBgfND2EBVa1nLpiy1stUsX/8= github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= github.com/spf13/pflag v1.0.3 h1:zPAT6CGy6wXeQ7NtTnaTerfKOsV6V6F8agHXFiazDkg= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= go.uber.org/goleak v0.10.0 h1:G3eWbSNIskeRqtsN/1uI5B+eP73y3JUuBsv9AZjehb4= go.uber.org/goleak v0.10.0/go.mod h1:VCZuO8V8mFPlL0F5J5GK1rtHV3DrFcQ1R8ryq7FK0aI= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9 h1:mKdxBk7AujPs8kU4m80U72y/zjbZ3UcXC7dClwKbUI0= golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/net v0.0.0-20181102091132-c10e9556a7bc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -62,14 +74,20 @@ golang.org/x/net v0.0.0-20181213202711-891ebc4b82d6 h1:gT0Y6H7hbVPUtvtk0YGxMXPgN golang.org/x/net v0.0.0-20181213202711-891ebc4b82d6/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181217023233-e147a9138326 h1:iCzOf0xz39Tstp+Tu/WwyGjUXCk34QhQORRxBeXXTA4= golang.org/x/net v0.0.0-20181217023233-e147a9138326/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3 h1:eH6Eip3UpmR+yM/qI9Ijluzb1bNv/cAU/n+6l8tRSis= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f h1:wMNYb4v58l5UBM7MYRLPG6ZhfOqbKu7X5eyFl8ZhKvA= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f h1:Bl/8QSvNqXvPGPGXa2z5xUTmV7VDcZyvRZ+QQXkXTZQ= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181213200352-4d1cda033e06 h1:0oC8rFnE+74kEmuHZ46F6KHsMr5Gx2gUQPuNz28iQZM= golang.org/x/sys v0.0.0-20181213200352-4d1cda033e06/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181217223516-dcdaa6325bcb h1:zzdd4xkMwu/GRxhSUJaCPh4/jil9kAbsU7AUmXboO+A= golang.org/x/sys v0.0.0-20181217223516-dcdaa6325bcb/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181221143128-b4a75ba826a6 h1:IcgEB62HYgAhX0Nd/QrVgZlxlcyxbGQHElLUhW2X4Fo= +golang.org/x/sys v0.0.0-20181221143128-b4a75ba826a6/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= gopkg.in/asaskevich/govalidator.v4 v4.0.0-20160518190739-766470278477 h1:5xUJw+lg4zao9W4HIDzlFbMYgSgtvNVHh00MEHvbGpQ= gopkg.in/asaskevich/govalidator.v4 v4.0.0-20160518190739-766470278477/go.mod h1:QDV1vrFSrowdoOba0UM8VJPUZONT7dnfdLsM+GG53Z8= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=