diff --git a/network/dnscrypt-proxy/README b/network/dnscrypt-proxy/README index 658045cb40..a84642b31a 100644 --- a/network/dnscrypt-proxy/README +++ b/network/dnscrypt-proxy/README @@ -4,3 +4,8 @@ resolver or as a DNS forwarder, encrypting and authenticating requests using the DNSCrypt protocol and passing them to an upstream server. By default dnscrypt-proxy is configured to use OpenDNS' servers. + +Be sure to read README.Slackware for information on configuring/running +dnscrypt-proxy as a daemon! + +Optional dependency: ldns diff --git a/network/dnscrypt-proxy/README.Slackware b/network/dnscrypt-proxy/README.Slackware new file mode 100644 index 0000000000..5fbdc46986 --- /dev/null +++ b/network/dnscrypt-proxy/README.Slackware 
@@ -0,0 +1,56 @@
+A. Setup
+
+An init script and configuration file have been provided to run dnscrypt-proxy
+as a daemon. To configure dnscrypt-proxy, edit /etc/default/dnscrypt-proxy with
+the desired settings. By default dnscrypt-proxy will use an OpenDNS server and
+will run on localhost (127.0.0.1), port 53.
+
+The configuration file is setup to use a dnscrypt user by default, and to
+chroot into that user's home directory to maximize security. In order to use
+the default configuration you should create a dnscrypt user and group with the
+following commands:
+
+ groupadd -g 293 dnscrypt
+ useradd -u 293 -g 293 -c "DNSCrypt" -d /run/dnscrypt -s /bin/false dnscrypt
+
+If you decide to use another user you should edit the CHROOTDIR and USER
+options in /etc/default/dnscrypt-proxy (there are example settings provided for
+the user 'nobody').
+
+In order to send all DNS requests through dnscrypt-proxy, you will need to
+update /etc/resolv.conf to point to localhost. If using dhcpcd, the easiest way
+to set dnscrypt-proxy as the primary (but not exclusive) dns resolver is to
+create file /etc/resolv.conf.head with the following line:
+
+ nameserver 127.0.0.1
+
+You may also have to add the following line to enable EDNS:
+
+ options edns0
+
+To start dnscrypt-proxy automatically at system start, add the following to
+/etc/rc.d/rc.local:
+
+ if [ -x /etc/rc.d/rc.dnscrypt-proxy ]; then
+ /etc/rc.d/rc.dnscrypt-proxy start
+ fi
+
+To properly stop dnscrypt-proxy on system shutdown, add the following to
+/etc/rc.d/rc.local_shutdown:
+
+ if [ -x /etc/rc.d/rc.dnscrypt-proxy ]; then
+ /etc/rc.d/rc.dnscrypt-proxy stop
+ fi
+
+B. DNS Cache
+
+dnscrypt-proxy is just a DNS resolver and does not cache DNS queries. In order
+to minimize the number of external DNS lookups, you can also run a local
+caching DNS server. A sample configuration for dnsmasq (included with
+Slackware) is provided at /usr/doc/dnscrypt-proxy-@VERSION@/dnsmasq.conf. A
+sample configuration for bind/named that also does local DNSSEC validation (if
+supported by the upstream DNS server) is also provided at
+/usr/doc/dnscrypt-proxy-@VERSION@/named.conf. Both configurations run on port
+53, forwarding lookups to dnscrypt-proxy running on port 55. In order to use
+these configurations you will need to change the port dnscrypt-proxy runs on in
+/etc/default/dnscrypt-proxy.
diff --git a/network/dnscrypt-proxy/dnscrypt-proxy.SlackBuild b/network/dnscrypt-proxy/dnscrypt-proxy.SlackBuild
index 17334bf201..ae10eaeb15 100644
--- a/network/dnscrypt-proxy/dnscrypt-proxy.SlackBuild
+++ b/network/dnscrypt-proxy/dnscrypt-proxy.SlackBuild
@@ -22,8 +22,13 @@
 # OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
 # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
+# Thanks to Larry Hajali for work on README.Slackware, some configure options,
+# the basis for the sample dnsmasq configuration, the logrotate configuration,
+# and the idea for an init script. His contributions significantly improved the
+# value of this script!
+
 PRGNAM=dnscrypt-proxy
-VERSION=${VERSION:-1.4.0}
+VERSION=${VERSION:-1.4.1}
 BUILD=${BUILD:-1}
 TAG=${TAG:-_SBo}
 
@@ -78,6 +83,11 @@ CXXFLAGS="$SLKCFLAGS" \
 --localstatedir=/var \
 --mandir=/usr/man \
 --docdir=/usr/doc/$PRGNAM-$VERSION \
+ --enable-plugins \
+ --enable-plugins-root \
+ --enable-static=no \
+ --disable-ltdl-install \
+ --without-included-ltdl \
 --build=$ARCH-slackware-linux
 
 make
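Review bot: `--enable-plugins-root` is added without any explanation, and it is the one flag in this configure block that touches a privilege boundary: as far as I recall from upstream's configure help, it lets plugins initialise before dnscrypt-proxy drops privileges, so code named in the `PLUGINS` setting of /etc/default/dnscrypt-proxy would run as root — worth confirming against README-PLUGINS.markdown, which the package ships. If that holds, a one-line comment on the flag would spare the next maintainer the same lookup, e.g. `# plugins-root: plugins are loaded before privileges are dropped (see README-PLUGINS.markdown)`. The version bump and the credit comment need nothing.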
@@ -86,14 +96,24 @@ make install-strip DESTDIR=$PKG
 find $PKG/usr/man -type f -exec gzip -9 {} \;
 for i in $( find $PKG/usr/man -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done
 
+mkdir -p $PKG/var/{run,log}/$PRGNAM $PKG/etc/default
+chmod 0700 $PKG/var/{run,log}/$PRGNAM
+sed "s/@VERSION@/$VERSION/" $CWD/$PRGNAM.default > $PKG/etc/default/$PRGNAM.new
+install -D -m 0755 $CWD/rc.$PRGNAM $PKG/etc/rc.d/rc.$PRGNAM.new
+install -D -m 0644 $CWD/$PRGNAM.logrotate $PKG/etc/logrotate.d/$PRGNAM.new
+
 mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
 cp -a \
 AUTHORS ChangeLog COPYING INSTALL NEWS README README-PLUGINS.markdown README.markdown TECHNOTES THANKS \
 $PKG/usr/doc/$PRGNAM-$VERSION
+sed "s/@VERSION@/$VERSION/g" $CWD/README.Slackware > $PKG/usr/doc/$PRGNAM-$VERSION/README.Slackware
+cat $CWD/dnsmasq.conf > $PKG/usr/doc/$PRGNAM-$VERSION/dnsmasq.conf
+cat $CWD/named.conf > $PKG/usr/doc/$PRGNAM-$VERSION/named.conf
 cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
 
 mkdir -p $PKG/install
 cat $CWD/slack-desc > $PKG/install/slack-desc
+cat $CWD/doinst.sh > $PKG/install/doinst.sh
 
 cd $PKG
 /sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}
diff --git a/network/dnscrypt-proxy/dnscrypt-proxy.default b/network/dnscrypt-proxy/dnscrypt-proxy.default
new file mode 100644
index 0000000000..b1b70406be
--- /dev/null
+++ b/network/dnscrypt-proxy/dnscrypt-proxy.default
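Review bot: `mkdir -p $PKG/var/{run,log}/$PRGNAM` ships the pid-file directory inside the package, but nothing recreates it at boot, so if /var/run lives on a volatile filesystem the directory is gone after the first reboot and the `--pidfile=/var/run/dnscrypt-proxy/...` the init script passes has nowhere to write; the safer place is `rc.dnscrypt-proxy`, which already `mkdir -p`s CHROOTDIR and could do `mkdir -p "$(dirname "${PIDFILE[$1]}")"` the same way. The `chmod 0700` on the next line also leaves /var/log/dnscrypt-proxy root-only while the shipped config runs the daemon as `dnscrypt`; whether the unprivileged process can still write its log depends on whether dnscrypt-proxy opens it before dropping privileges, which this diff does not show. A comment stating that assumption next to the chmod, e.g. `# 0700: only root needs these; assumes the daemon opens log and pidfile before dropping privileges`, would keep someone from "fixing" it later.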
@@ -0,0 +1,72 @@
+# /etc/default/dnscrypt-proxy
+
+# This file contains the configuration settings for dnscrypt-proxy. This file
+# supports configuring and running multiple instances (see the bottom of this
+# file for a sample secondary configuration).
+
+# CHROOTDIR should be the same path as the USER's home directory.
+# For the standard dnscrypt user this should be "/run/dnscrypt". For nobody,
+# this should be "/".
+CHROOTDIR[0]="/run/dnscrypt"
+#CHROOTDIR[0]="/"
+
+# The local address and (optional) port to listen on. The default port is 53.
+LOCALADDRESS[0]="127.0.0.1:53"
+
+# The pid file for this instance. PIDFILE must always be specified for each
+# instance!
+PIDFILE[0]="/var/run/dnscrypt-proxy/dnscrypt-proxy-0.pid"
+
+# Runs the daemon as the following user and chroots to that user's home
+# directory (this is a security feature -- it is best not to change this!)
+USER[0]="dnscrypt"
+#USER[0]="nobody"
+
+# If RESOLVERNAME is set, then RESOLVERADDRESS, PROVIDERNAME, and
+# PROVIDERKEY will be ignored. RESOLVERNAME should be the name of a resolver
+# from RESOLVERSLIST (the first column).
+RESOLVERNAME[0]="opendns"
+
+# Specify the location of the resolver list, used if RESOLVERNAME is set.
+RESOLVERSLIST[0]="/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv"
+
+# If RESOLVERNAME is unset, RESOLVERADDRESS, PROVIDERNAME and PROVIDERKEY are
+# the settings of the remote DNSCrypt provider.
+#RESOLVERADDRESS[0]="208.67.220.220:443"
+#PROVIDERNAME[0]="2.dnscrypt-cert.opendns.com"
+#PROVIDERKEY[0]="B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79"
+
+# Transparently add an OPT pseudo-RR to outgoing queries in order to enable
+# the EDNS0 extension mechanism. The payload size is the size of the largest
+# response we accept from the resolver before retrying over TCP. This feature
+# is enabled by default, with a payload size of 1252 bytes. Any value below
+# 512 disables it.
+#EDNSPAYLOADSIZE[0]="1252"
+
+# Set the maximum number of simultaneous active requests (default 250).
+#MAXACTIVEREQUESTS[0]="250"
+
+# Use TCP instead of UDP. This is slower than UDP, and this workaround should
+# never be used except when bypassing a filter is actually required. Moreover,
+# multiple queries over a single TCP connection aren't supported yet.
+# Don't use this unless you have to. Defaults to off ("no").
+#TCPONLY[0]="no"
+
+# Load the following plugins. None are loaded by default. See
+# /usr/doc/dnscrypt-proxy-@VERSION@/README-PLUGINS.markdown for more
+# information.
+#PLUGINS[0]="libdcplugin_example,--ips=/etc/blk-ips,--domains=/etc/blk-names \
+#libdcplugin_example_logging,/var/log/dns.log"
+
+# Where and what to log. The default LOGLEVEL is LOG_INFO.
+#LOGLEVEL[0]="LOG_INFO"
+LOGFILE[0]="/var/log/dnscrypt-proxy/dnscrypt-proxy.log"
+
+# A simple example configuration for a second instance
+#CHROOTDIR[1]="/run/dnscrypt"
+#LOCALADDRESS[1]="127.0.0.2:53"
+#PIDFILE[1]="/var/run/dnscrypt-proxy/dnscrypt-proxy-1.pid"
+#USER[1]="dnscrypt"
+#RESOLVERNAME[1]="cloudns-can"
+#RESOLVERSLIST[1]="/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv"
+#LOGFILE[1]="/var/log/dnscrypt-proxy/dnscrypt-proxy-1.log"
diff --git a/network/dnscrypt-proxy/dnscrypt-proxy.info b/network/dnscrypt-proxy/dnscrypt-proxy.info
index fe317649bd..7b415c0f40 100644
--- a/network/dnscrypt-proxy/dnscrypt-proxy.info
+++ b/network/dnscrypt-proxy/dnscrypt-proxy.info
@@ -1,8 +1,8 @@
 PRGNAM="dnscrypt-proxy"
-VERSION="1.4.0"
+VERSION="1.4.1"
 HOMEPAGE="http://dnscrypt.org/"
-DOWNLOAD="http://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.4.0.tar.bz2"
-MD5SUM="40b5b73f5042330b86084460d7c839c6"
+DOWNLOAD="http://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.4.1.tar.bz2"
+MD5SUM="f9d59b23fcad864af7db7d6304fda77f"
 DOWNLOAD_x86_64=""
 MD5SUM_x86_64=""
 REQUIRES="libsodium"
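Review bot: The `PLUGINS` comment never says how the value is split, yet the init script iterates it with `for plugin in ${PLUGINS[$1]}`, so whitespace separates plugins and no plugin argument can contain a space; the backslash-newline in the commented example is doing that job silently. Add to the comment: `# Separate plugins with whitespace; a plugin name and its arguments must not contain spaces.` Because the file is sourced by a root-run script, every value here ends up as a word on a root command line, so a one-line note at the top that it must stay root-owned and not group/world-writable would also be appropriate.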
diff --git a/network/dnscrypt-proxy/dnscrypt-proxy.logrotate b/network/dnscrypt-proxy/dnscrypt-proxy.logrotate
new file mode 100644
index 0000000000..884ad989e1
--- /dev/null
+++ b/network/dnscrypt-proxy/dnscrypt-proxy.logrotate
@@ -0,0 +1,9 @@
+/var/log/dnscrypt-proxy/*log {
+ weekly
+ rotate 7
+ copytruncate
+ delaycompress
+ compress
+ notifempty
+ missingok
+}
diff --git a/network/dnscrypt-proxy/dnsmasq.conf b/network/dnscrypt-proxy/dnsmasq.conf
new file mode 100644
index 0000000000..9700cb2df9
--- /dev/null
+++ b/network/dnscrypt-proxy/dnsmasq.conf
@@ -0,0 +1,21 @@
+# Use dnsmasq as a caching DNS forwarder to dnscrypt-proxy. This configuration
+# assumes dnscrypt-proxy is running on port 55.
+
+# Never forward plain names (without a dot or domain part)
+domain-needed
+
+# Never forward addresses in the non-routed address spaces.
+bogus-priv
+
+# Don't use /etc/resolv.conf. Forward all queries to dnscrypt-proxy.
+no-resolv
+
+# Use the resolver on localhost port 55 (dnscrypt-proxy)
+server=127.0.0.1#55
+
+# Listen on localhost. Default port 53
+listen-address=127.0.0.1
+
+# Pass on the upstream DNSSEC flag. Only enable this if you trust the upstream
+# resolver.
+#proxy-dnssec
diff --git a/network/dnscrypt-proxy/doinst.sh b/network/dnscrypt-proxy/doinst.sh
new file mode 100644
index 0000000000..11fd7612c2
--- /dev/null
+++ b/network/dnscrypt-proxy/doinst.sh
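Review bot: `copytruncate` is what lets this rotate a log the daemon keeps open without any cooperation, but it has an inherent gap: any line dnscrypt-proxy writes between logrotate's copy and its truncate is lost, and a large log is briefly duplicated on disk. If dnscrypt-proxy reopens its log on a signal (nothing in this diff shows whether it does), a `postrotate` that signals the pids in /var/run/dnscrypt-proxy/*.pid would be the lossless alternative; otherwise a comment documenting the trade-off, e.g. `# copytruncate: the daemon keeps the file open; lines written during rotation may be lost`, belongs above the directive. The target directory is created 0700 root by the SlackBuild, which is fine for logrotate itself since it runs as root.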
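Review bot: `listen-address=127.0.0.1` does not by itself confine the listener: without `bind-interfaces`, dnsmasq binds the wildcard address and only discards queries that arrive at other addresses, so port 53 is held on every interface and no other service can bind it on another address. Add `bind-interfaces` directly under it with a comment such as `# bind only 127.0.0.1 instead of the wildcard address`. Since the file's stated purpose is caching, a `cache-size=` line is also worth adding; dnsmasq's built-in default is only 150 entries.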
@@ -0,0 +1,27 @@
+config() {
+ NEW="$1"
+ OLD="$(dirname $NEW)/$(basename $NEW .new)"
+ # If there's no config file by that name, mv it over:
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then
+ # toss the redundant copy
+ rm $NEW
+ fi
+ # Otherwise, we leave the .new copy for the admin to consider...
+}
+
+preserve_perms() {
+ NEW="$1"
+ OLD="$(dirname $NEW)/$(basename $NEW .new)"
+ if [ -e $OLD ]; then
+ cp -a $OLD ${NEW}.incoming
+ cat $NEW > ${NEW}.incoming
+ mv ${NEW}.incoming $NEW
+ fi
+ config $NEW
+}
+
+preserve_perms etc/rc.d/rc.dnscrypt-proxy.new
+config etc/default/dnscrypt-proxy.new
+config etc/logrotate.d/dnscrypt-proxy.new
diff --git a/network/dnscrypt-proxy/named.conf b/network/dnscrypt-proxy/named.conf
new file mode 100644
index 0000000000..b416855f26
--- /dev/null
+++ b/network/dnscrypt-proxy/named.conf
@@ -0,0 +1,153 @@
+options {
+ directory "/var/named";
+ /*
+ * If there is a firewall between you and nameservers you want
+ * to talk to, you might need to uncomment the query-source
+ * directive below. Previous versions of BIND always asked
+ * questions using port 53, but BIND 8.1 uses an unprivileged
+ * port by default.
+ */
+ // query-source address * port 53;
+ forwarders { 127.0.0.1 port 55; };
+ forward only;
+ dnssec-enable yes;
+ dnssec-validation auto;
+ dnssec-lookaside auto;
+ allow-transfer { "none"; };
+ allow-query { 127.0.0.1; };
+ listen-on { 127.0.0.1; };
+};
+
+//
+// a caching only nameserver config
+//
+zone "." IN {
+ type hint;
+ file "caching-example/named.root";
+};
+
+zone "localhost" IN {
+ type master;
+ file "caching-example/localhost.zone";
+ allow-update { none; };
+};
+
+zone "0.0.127.in-addr.arpa" IN {
+ type master;
+ file "caching-example/named.local";
+ allow-update { none; };
+};
+
+// RFC 1918. These shouldn't be necessary but empty-zones-enable isn't
+// working properly...
+zone "10.in-addr.arpa" IN {
+ type master;
+ file "caching-example/named.local";
+ allow-update { none; };
+};
+
+zone "16.172.in-addr.arpa" IN {
+ type master;
+ file "caching-example/named.local";
+ allow-update { none; };
+};
+
+zone "17.172.in-addr.arpa" IN {
+ type master;
+ file "caching-example/named.local";
+ allow-update { none; };
+};
+
+zone "18.172.in-addr.arpa" IN {
+ type master;
+ file "caching-example/named.local";
+ allow-update { none; };
+};
+
+zone "19.172.in-addr.arpa" IN {
+ type master;
+ file "caching-example/named.local";
+ allow-update { none; };
+};
+
+zone "20.172.in-addr.arpa" IN {
+ type master;
+ file "caching-example/named.local";
+ allow-update { none; };
+};
+
+zone "21.172.in-addr.arpa" IN {
+ type master;
+ file "caching-example/named.local";
+ allow-update { none; };
+};
+
+zone "22.172.in-addr.arpa" IN {
+ type master;
+ file "caching-example/named.local";
+ allow-update { none; };
+};
+
+zone "23.172.in-addr.arpa" IN {
+ type master;
+ file "caching-example/named.local";
+ allow-update { none; };
+};
+
+zone "24.172.in-addr.arpa" IN {
+ type master;
+ file "caching-example/named.local";
+ allow-update { none; };
+};
+
+zone "25.172.in-addr.arpa" IN {
+ type master;
+ file "caching-example/named.local";
+ allow-update { none; };
+};
+
+zone "26.172.in-addr.arpa" IN {
+ type master;
+ file "caching-example/named.local";
+ allow-update { none; };
+};
+
+zone "27.172.in-addr.arpa" IN {
+ type master;
+ file "caching-example/named.local";
+ allow-update { none; };
+};
+
+zone "28.172.in-addr.arpa" IN {
+ type master;
+ file "caching-example/named.local";
+ allow-update { none; };
+};
+
+zone "29.172.in-addr.arpa" IN {
+ type master;
+ file "caching-example/named.local";
+ allow-update { none; };
+};
+
+zone "30.172.in-addr.arpa" IN {
+ type master;
+ file "caching-example/named.local";
+ allow-update { none; };
+};
+
+zone "31.172.in-addr.arpa" IN {
+ type master;
+ file "caching-example/named.local";
+ allow-update { none; };
+};
+
+zone "168.192.in-addr.arpa" IN {
+ type master;
+ file "caching-example/named.local";
+ allow-update { none; };
+};
+
+logging {
+ category edns-disabled { null; };
+};
diff --git a/network/dnscrypt-proxy/rc.dnscrypt-proxy b/network/dnscrypt-proxy/rc.dnscrypt-proxy
new file mode 100644
index 0000000000..84eb12c74d
--- /dev/null
+++ b/network/dnscrypt-proxy/rc.dnscrypt-proxy
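Review bot: `dnssec-lookaside auto;` in the options block turns on DNSSEC Lookaside Validation against ISC's DLV registry, which ISC has since emptied and decommissioned; depending on the BIND version it is now ignored with a warning or rejected outright, and `dnssec-validation auto;` already provides trust-anchor validation, so the line should go. The `forward only;` chain also deserves the caveat the README carries ("if supported by the upstream DNS server") in the file itself: as far as I know BIND answers SERVFAIL for signed names when the forwarder strips DNSSEC records rather than quietly skipping validation, so `// validation requires an upstream that returns RRSIG/DNSKEY; otherwise signed names SERVFAIL` next to `dnssec-validation auto;` would save someone a debugging session. The root-hints zone "." is unused under `forward only;` and could carry a comment saying so.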
@@ -0,0 +1,175 @@
+#!/bin/bash
+
+CONFIGFILE="/etc/default/dnscrypt-proxy"
+DAEMON="/usr/sbin/dnscrypt-proxy"
+
+. $CONFIGFILE
+
+start_instance() {
+ if [ -z ${PIDFILE[$1]} ]; then
+ echo "No configuration for instance $1 found!"
+ return
+ fi
+ if [ -r ${PIDFILE[$1]} ]; then
+ echo "dnscrypt-proxy (instance $1) already running!"
+ return
+ fi
+
+ # dnscrypt-proxy will work without this, but it drops privileges before
+ # seeding the PRNG. libevent tries to work around a missing /dev/urandom
+ # but it's safer just to make sure it is available in the chroot.
+ if [ -n "${CHROOTDIR[$1]}" ]; then
+ if [ "$(readlink -f ${CHROOTDIR[$1]})" != "/" ]; then
+ if [ ! -d ${CHROOTDIR[$1]} ]; then
+ mkdir -p ${CHROOTDIR[$1]}
+ chmod 755 ${CHROOTDIR[$1]}
+ fi
+ if [ ! -d ${CHROOTDIR[$1]}/dev ]; then
+ mkdir -p ${CHROOTDIR[$1]}/dev
+ chmod 755 ${CHROOTDIR[$1]}/dev
+ fi
+ if [ ! -c ${CHROOTDIR[$1]}/dev/urandom ]; then
+ mknod -m 666 ${CHROOTDIR[$1]}/dev/urandom c 1 9
+ fi
+ fi
+ fi
+
+ OPTIONS="-d"
+ if [ -n "${LOCALADDRESS[$1]}" ]; then
+ OPTIONS="${OPTIONS} --local-address=${LOCALADDRESS[$1]}"
+ fi
+ if [ -n "${PIDFILE[$1]}" ]; then
+ OPTIONS="${OPTIONS} --pidfile=${PIDFILE[$1]}"
+ fi
+ if [ -n "${USER[$1]}" ]; then
+ OPTIONS="${OPTIONS} --user=${USER[$1]}"
+ fi
+ if [ -n "${RESOLVERNAME[$1]}" ]; then
+ OPTIONS="${OPTIONS} --resolver-name=${RESOLVERNAME[$1]}"
+ fi
+ if [ -n "${RESOLVERSLIST[$1]}" ]; then
+ OPTIONS="${OPTIONS} --resolvers-list=${RESOLVERSLIST[$1]}"
+ fi
+ if [ -z "${RESOLVERNAME[$1]}" ] && [ -n "${RESOLVERADDRESS[$1]}" ]; then
+ OPTIONS="${OPTIONS} --resolver-address=${RESOLVERADDRESS[$1]}"
+ fi
+ if [ -z "${RESOLVERNAME[$1]}" ] && [ -n "${PROVIDERNAME[$1]}" ]; then
+ OPTIONS="${OPTIONS} --provider-name=${PROVIDERNAME[$1]}"
+ fi
+ if [ -z "${RESOLVERNAME[$1]}" ] && [ -n "${PROVIDERKEY[$1]}" ]; then
+ OPTIONS="${OPTIONS} --provider-key=${PROVIDERKEY[$1]}"
+ fi
+ if [ -n "${EDNSPAYLOADSIZE[$1]}" ]; then
+ OPTIONS="${OPTIONS} --edns-payload-size=${EDNSPAYLOADSIZE[$1]}"
+ fi
+ if [ -n "${MAXACTIVEREQUESTS[$1]}" ]; then
+ OPTIONS="${OPTIONS} --max-active-requests=${MAXACTIVEREQUESTS[$1]}"
+ fi
+ if [ "${TCPONLY[$1]}" == "yes" ]; then
+ OPTIONS="${OPTIONS} --tcp-only"
+ fi
+ if [ -n "${PLUGINS[$1]}" ]; then
+ for plugin in ${PLUGINS[$1]}
+ do
+ OPTIONS="${OPTIONS} --plugin=${plugin}"
+ done
+ fi
+ if [ -n "${LOGLEVEL[$1]}" ]; then
+ OPTIONS="${OPTIONS} --loglevel=${LOGLEVEL[$1]}"
+ fi
+ if [ -n "${LOGFILE[$1]}" ]; then
+ OPTIONS="${OPTIONS} --logfile=${LOGFILE[$1]}"
+ fi
+ $DAEMON $OPTIONS
+}
+
+stop_instance() {
+ if [ -z ${PIDFILE[$1]} ]; then
+ echo "No configuration for instance $1 found!"
+ return
+ fi
+ if [ ! -r ${PIDFILE[$1]} ]; then
+ echo "dnscrypt-proxy (instance $1) is not running!"
+ return
+ fi
+ echo "Stopping dnscrypt-proxy (instance $1)..."
+ kill $(cat ${PIDFILE[$1]})
+}
+
+status_instance() {
+ if [ -z ${PIDFILE[$1]} ]; then
+ echo "No configuration for instance $1 found!"
+ return
+ fi
+ if [ ! -r ${PIDFILE[$1]} ]; then
+ echo "dnscrypt-proxy (instance $1) is not running."
+ return
+ fi
+ PID=$(cat ${PIDFILE[$1]})
+ if [ -z "$PID" ]; then
+ echo "PID file is empty! dnscrypt-proxy (instance $1) does not appear to be running, but there is a stale PID file."
+ elif kill -0 $PID ; then
+ echo "dnscrypt-proxy (instance $1) is running."
+ else
+ echo "dnscrypt-proxy (instance $1) is not running, but there is a stale PID file."
+ fi
+}
+
+start() {
+ for i in `/usr/bin/seq 0 $((${#PIDFILE[@]}-1))`
+ do
+ start_instance $i
+ done
+}
+
+stop() {
+ for i in `/usr/bin/seq 0 $((${#PIDFILE[@]}-1))`
+ do
+ stop_instance $i
+ done
+}
+
+status() {
+ for i in `/usr/bin/seq 0 $((${#PIDFILE[@]}-1))`
+ do
+ status_instance $i
+ done
+}
+
+case "$1" in
+ 'start')
+ start
+ ;;
+ 'stop')
+ stop
+ ;;
+ 'restart')
+ stop
+ start
+ ;;
+ 'status')
+ status
+ ;;
+ *_start)
+ INSTANCE=`echo $1 | /bin/cut -d '_' -f 1`
+ start_instance $INSTANCE
+ ;;
+ *_stop)
+ INSTANCE=`echo $1 | /bin/cut -d '_' -f 1`
+ stop_instance $INSTANCE
+ ;;
+ *_restart)
+ INSTANCE=`echo $1 | /bin/cut -d '_' -f 1`
+ stop_instance $INSTANCE
+ sleep 1
+ start_instance $INSTANCE
+ ;;
+ *_status)
+ INSTANCE=`echo $1 | /bin/cut -d '_' -f 1`
+ status_instance $INSTANCE
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|restart|status|#_start|#_stop|#_restart}"
+ exit 1
+ ;;
+esac
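Review bot: `start_instance` treats a readable pid file as proof the instance is running, so after a crash or power loss the stale file left in /var/run blocks every later `start` until someone deletes it by hand — even though `status_instance` further down already distinguishes a live pid from a stale file with `kill -0`. The same liveness test should gate the start path (rewritten guard below; the chroot /dev/urandom setup and the option assembly are unchanged). `stop_instance` has the mirror problem: an empty pid file makes `kill $(cat ...)` a bare `kill` that prints usage and leaves the file behind, so read the pid first and only signal when it is non-empty, e.g. `PID=$(cat "${PIDFILE[$1]}"); [ -n "$PID" ] && kill "$PID"`. While here, every `${PIDFILE[$1]}` and `${CHROOTDIR[$1]}` in the script is expanded unquoted; paths from a root-sourced config deserve quotes.
```shell
start_instance() {
  # … unchanged: "No configuration for instance" check …
  # A pid file left behind by a crash or unclean shutdown must not block a
  # restart: treat the instance as running only when the recorded pid is alive.
  if [ -r "${PIDFILE[$1]}" ] && kill -0 "$(cat "${PIDFILE[$1]}")" 2>/dev/null; then
    echo "dnscrypt-proxy (instance $1) already running!"
    return
  fi
  # … unchanged: chroot /dev/urandom setup and OPTIONS assembly …
```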