encrypted-dns 0.9.19

A modern encrypted DNS server (DNSCrypt v2, Anonymized DNSCrypt, DoH)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187

use std::fs;
use std::mem;
use std::net::{IpAddr, SocketAddr};
use std::path::{Path, PathBuf};

use tokio::io::AsyncWriteExt;

use crate::crypto::*;
use crate::dnscrypt_certs::*;
use crate::errors::*;

#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct AccessControlConfig {
    pub enabled: bool,
    pub tokens: Vec<String>,
}

#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct RateLimitConfig {
    pub enabled: bool,
    pub max_queries_per_second: u32,
    pub capacity: usize,
}

#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct AnonymizedDNSConfig {
    pub enabled: bool,
    pub allowed_ports: Vec<u16>,
    pub allow_non_reserved_ports: Option<bool>,
    pub blacklisted_ips: Vec<IpAddr>,
}

#[cfg(feature = "metrics")]
#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct MetricsConfig {
    pub r#type: String,
    pub listen_addr: SocketAddr,
    pub path: String,
}

#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct DNSCryptConfig {
    pub enabled: Option<bool>,
    pub provider_name: String,
    pub key_cache_capacity: usize,
    pub dnssec: bool,
    pub no_filters: bool,
    pub no_logs: bool,
}

#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct TLSConfig {
    pub upstream_addr: Option<SocketAddr>,
}

#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct ListenAddrConfig {
    pub local: SocketAddr,
    pub external: SocketAddr,
}

#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct FilteringConfig {
    pub domain_blacklist: Option<PathBuf>,
    pub undelegated_list: Option<PathBuf>,
    pub ignore_unqualified_hostnames: Option<bool>,
}

fn deserialize_upstream_addrs<'de, D>(deserializer: D) -> Result<Vec<SocketAddr>, D::Error>
where
    D: serde::Deserializer<'de>,
{
    use serde::Deserialize;

    #[derive(Deserialize)]
    #[serde(untagged)]
    enum SingleOrVec {
        Single(SocketAddr),
        Vec(Vec<SocketAddr>),
    }

    match SingleOrVec::deserialize(deserializer)? {
        SingleOrVec::Single(addr) => Ok(vec![addr]),
        SingleOrVec::Vec(addrs) => Ok(addrs),
    }
}

#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct Config {
    pub listen_addrs: Vec<ListenAddrConfig>,
    pub external_addr: Option<IpAddr>,
    #[serde(
        alias = "upstream_addr",
        deserialize_with = "deserialize_upstream_addrs"
    )]
    pub upstream_addrs: Vec<SocketAddr>,
    pub state_file: PathBuf,
    pub udp_timeout: u32,
    pub tcp_timeout: u32,
    pub udp_max_active_connections: u32,
    pub tcp_max_active_connections: u32,
    pub cache_capacity: usize,
    pub cache_ttl_min: u32,
    pub cache_ttl_max: u32,
    pub cache_ttl_error: u32,
    pub user: Option<String>,
    pub group: Option<String>,
    pub chroot: Option<String>,
    pub filtering: FilteringConfig,
    pub dnscrypt: DNSCryptConfig,
    pub tls: TLSConfig,
    pub daemonize: bool,
    pub pid_file: Option<PathBuf>,
    pub log_file: Option<PathBuf>,
    pub my_ip: Option<String>,
    pub client_ttl_holdon: Option<u32>,
    #[cfg(feature = "metrics")]
    pub metrics: Option<MetricsConfig>,
    pub anonymized_dns: Option<AnonymizedDNSConfig>,
    pub access_control: Option<AccessControlConfig>,
    pub rate_limit: Option<RateLimitConfig>,
}

impl Config {
    pub fn from_string(toml_str: &str) -> Result<Config, Error> {
        let config: Config = match toml::from_str(toml_str) {
            Ok(config) => config,
            Err(e) => bail!("Parse error in the configuration file: {}", e),
        };
        if config.upstream_addrs.is_empty() {
            bail!("At least one upstream address must be specified");
        }
        Ok(config)
    }

    pub fn from_path(path: impl AsRef<Path>) -> Result<Config, Error> {
        let toml_str = fs::read_to_string(path)?;
        Config::from_string(&toml_str)
    }
}

#[derive(Serialize, Deserialize, Debug)]
pub struct State {
    pub provider_kp: SignKeyPair,
    pub dnscrypt_encryption_params_set: Vec<DNSCryptEncryptionParams>,
}

impl State {
    pub fn with_key_pair(provider_kp: SignKeyPair, key_cache_capacity: usize) -> Self {
        let dnscrypt_encryption_params_set =
            DNSCryptEncryptionParams::new(&provider_kp, key_cache_capacity, None);
        State {
            provider_kp,
            dnscrypt_encryption_params_set,
        }
    }

    pub fn new(key_cache_capacity: usize) -> Self {
        let provider_kp = SignKeyPair::new();
        State::with_key_pair(provider_kp, key_cache_capacity)
    }

    pub async fn async_save(&self, path: impl AsRef<Path>) -> Result<(), Error> {
        let path = path.as_ref();
        let path_tmp = path.with_extension("tmp");
        let mut fpb = tokio::fs::OpenOptions::new();
        let fpb = fpb.create(true).write(true).truncate(true);
        let mut fp = fpb.open(&path_tmp).await?;
        let state_str = toml::to_string(&self)?;
        fp.write_all(state_str.as_bytes()).await?;
        fp.sync_data().await?;
        mem::drop(fp);
        tokio::fs::rename(path_tmp, path).await?;
        let dir = tokio::fs::File::open(path.parent().unwrap_or_else(|| Path::new("."))).await?;
        dir.sync_all().await?;
        Ok(())
    }

    pub fn from_file(path: impl AsRef<Path>, key_cache_capacity: usize) -> Result<Self, Error> {
        let state_str = fs::read_to_string(path)?;
        let mut state: State = toml::from_str(&state_str)?;
        for params_set in &mut state.dnscrypt_encryption_params_set {
            params_set.add_key_cache(key_cache_capacity);
        }
        Ok(state)
    }
}