network/dnscrypt-proxy: Updated for version 1.4.1.

Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>
This commit is contained in:
T3slider 2014-10-05 23:38:01 +07:00 committed by Willy Sudiarto Raharjo
parent 7d79d34559
commit 1bbffca294
10 changed files with 542 additions and 4 deletions

View file

@ -4,3 +4,8 @@ resolver or as a DNS forwarder, encrypting and authenticating requests using the
DNSCrypt protocol and passing them to an upstream server. DNSCrypt protocol and passing them to an upstream server.
By default dnscrypt-proxy is configured to use OpenDNS' servers. By default dnscrypt-proxy is configured to use OpenDNS' servers.
Be sure to read README.Slackware for information on configuring/running
dnscrypt-proxy as a daemon!
Optional dependency: ldns

View file

@ -0,0 +1,56 @@
A. Setup
An init script and configuration file have been provided to run dnscrypt-proxy
as a daemon. To configure dnscrypt-proxy, edit /etc/default/dnscrypt-proxy with
the desired settings. By default dnscrypt-proxy will use an OpenDNS server and
will run on localhost (127.0.0.1), port 53.
The configuration file is setup to use a dnscrypt user by default, and to
chroot into that user's home directory to maximize security. In order to use
the default configuration you should create a dnscrypt user and group with the
following commands:
groupadd -g 293 dnscrypt
useradd -u 293 -g 293 -c "DNSCrypt" -d /run/dnscrypt -s /bin/false dnscrypt
If you decide to use another user you should edit the CHROOTDIR and USER
options in /etc/default/dnscrypt-proxy (there are example settings provided for
the user 'nobody').
In order to send all DNS requests through dnscrypt-proxy, you will need to
update /etc/resolv.conf to point to localhost. If using dhcpcd, the easiest way
to set dnscrypt-proxy as the primary (but not exclusive) dns resolver is to
create file /etc/resolv.conf.head with the following line:
nameserver 127.0.0.1
You may also have to add the following line to enable EDNS:
options edns0
To start dnscrypt-proxy automatically at system start, add the following to
/etc/rc.d/rc.local:
if [ -x /etc/rc.d/rc.dnscrypt-proxy ]; then
/etc/rc.d/rc.dnscrypt-proxy start
fi
To properly stop dnscrypt-proxy on system shutdown, add the following to
/etc/rc.d/rc.local_shutdown:
if [ -x /etc/rc.d/rc.dnscrypt-proxy ]; then
/etc/rc.d/rc.dnscrypt-proxy stop
fi
B. DNS Cache
dnscrypt-proxy is just a DNS resolver and does not cache DNS queries. In order
to minimize the number of external DNS lookups, you can also run a local
caching DNS server. A sample configuration for dnsmasq (included with
Slackware) is provided at /usr/doc/dnscrypt-proxy-@VERSION@/dnsmasq.conf. A
sample configuration for bind/named that also does local DNSSEC validation (if
supported by the upstream DNS server) is also provided at
/usr/doc/dnscrypt-proxy-@VERSION@/named.conf. Both configurations run on port
53, forwarding lookups to dnscrypt-proxy running on port 55. In order to use
these configurations you will need to change the port dnscrypt-proxy runs on in
/etc/default/dnscrypt-proxy.

View file

@ -22,8 +22,13 @@
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF # OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Thanks to Larry Hajali for work on README.Slackware, some configure options,
# the basis for the sample dnsmasq configuration, the logrotate configuration,
# and the idea for an init script. His contributions significantly improved the
# value of this script!
PRGNAM=dnscrypt-proxy PRGNAM=dnscrypt-proxy
VERSION=${VERSION:-1.4.0} VERSION=${VERSION:-1.4.1}
BUILD=${BUILD:-1} BUILD=${BUILD:-1}
TAG=${TAG:-_SBo} TAG=${TAG:-_SBo}
@ -78,6 +83,11 @@ CXXFLAGS="$SLKCFLAGS" \
--localstatedir=/var \ --localstatedir=/var \
--mandir=/usr/man \ --mandir=/usr/man \
--docdir=/usr/doc/$PRGNAM-$VERSION \ --docdir=/usr/doc/$PRGNAM-$VERSION \
--enable-plugins \
--enable-plugins-root \
--enable-static=no \
--disable-ltdl-install \
--without-included-ltdl \
--build=$ARCH-slackware-linux --build=$ARCH-slackware-linux
make make
@ -86,14 +96,24 @@ make install-strip DESTDIR=$PKG
find $PKG/usr/man -type f -exec gzip -9 {} \; find $PKG/usr/man -type f -exec gzip -9 {} \;
for i in $( find $PKG/usr/man -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done for i in $( find $PKG/usr/man -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done
mkdir -p $PKG/var/{run,log}/$PRGNAM $PKG/etc/default
chmod 0700 $PKG/var/{run,log}/$PRGNAM
sed "s/@VERSION@/$VERSION/" $CWD/$PRGNAM.default > $PKG/etc/default/$PRGNAM.new
install -D -m 0755 $CWD/rc.$PRGNAM $PKG/etc/rc.d/rc.$PRGNAM.new
install -D -m 0644 $CWD/$PRGNAM.logrotate $PKG/etc/logrotate.d/$PRGNAM.new
mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
cp -a \ cp -a \
AUTHORS ChangeLog COPYING INSTALL NEWS README README-PLUGINS.markdown README.markdown TECHNOTES THANKS \ AUTHORS ChangeLog COPYING INSTALL NEWS README README-PLUGINS.markdown README.markdown TECHNOTES THANKS \
$PKG/usr/doc/$PRGNAM-$VERSION $PKG/usr/doc/$PRGNAM-$VERSION
sed "s/@VERSION@/$VERSION/g" $CWD/README.Slackware > $PKG/usr/doc/$PRGNAM-$VERSION/README.Slackware
cat $CWD/dnsmasq.conf > $PKG/usr/doc/$PRGNAM-$VERSION/dnsmasq.conf
cat $CWD/named.conf > $PKG/usr/doc/$PRGNAM-$VERSION/named.conf
cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
mkdir -p $PKG/install mkdir -p $PKG/install
cat $CWD/slack-desc > $PKG/install/slack-desc cat $CWD/slack-desc > $PKG/install/slack-desc
cat $CWD/doinst.sh > $PKG/install/doinst.sh
cd $PKG cd $PKG
/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz} /sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}

View file

@ -0,0 +1,72 @@
# /etc/default/dnscrypt-proxy
# This file contains the configuration settings for dnscrypt-proxy. This file
# supports configuring and running multiple instances (see the bottom of this
# file for a sample secondary configuration).
# CHROOTDIR should be the same path as the USER's home directory.
# For the standard dnscrypt user this should be "/run/dnscrypt". For nobody,
# this should be "/".
CHROOTDIR[0]="/run/dnscrypt"
#CHROOTDIR[0]="/"
# The local address and (optional) port to listen on. The default port is 53.
LOCALADDRESS[0]="127.0.0.1:53"
# The pid file for this instance. PIDFILE must always be specified for each
# instance!
PIDFILE[0]="/var/run/dnscrypt-proxy/dnscrypt-proxy-0.pid"
# Runs the daemon as the following user and chroots to that user's home
# directory (this is a security feature -- it is best not to change this!)
USER[0]="dnscrypt"
#USER[0]="nobody"
# If RESOLVERNAME is set, then RESOLVERADDRESS, PROVIDERNAME, and
# PROVIDERKEY will be ignored. RESOLVERNAME should be the name of a resolver
# from RESOLVERSLIST (the first column).
RESOLVERNAME[0]="opendns"
# Specify the location of the resolver list, used if RESOLVERNAME is set.
RESOLVERSLIST[0]="/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv"
# If RESOLVERNAME is unset, RESOLVERADDRESS, PROVIDERNAME and PROVIDERKEY are
# the settings of the remote DNSCrypt provider.
#RESOLVERADDRESS[0]="208.67.220.220:443"
#PROVIDERNAME[0]="2.dnscrypt-cert.opendns.com"
#PROVIDERKEY[0]="B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79"
# Transparently add an OPT pseudo-RR to outgoing queries in order to enable
# the EDNS0 extension mechanism. The payload size is the size of the largest
# response we accept from the resolver before retrying over TCP. This feature
# is enabled by default, with a payload size of 1252 bytes. Any value below
# 512 disables it.
#EDNSPAYLOADSIZE[0]="1252"
# Set the maximum number of simultaneous active requests (default 250).
#MAXACTIVEREQUESTS[0]="250"
# Use TCP instead of UDP. This is slower than UDP, and this workaround should
# never be used except when bypassing a filter is actually required. Moreover,
# multiple queries over a single TCP connection aren't supported yet.
# Don't use this unless you have to. Defaults to off ("no").
#TCPONLY[0]="no"
# Load the following plugins. None are loaded by default. See
# /usr/doc/dnscrypt-proxy-@VERSION@/README-PLUGINS.markdown for more
# information.
#PLUGINS[0]="libdcplugin_example,--ips=/etc/blk-ips,--domains=/etc/blk-names \
#libdcplugin_example_logging,/var/log/dns.log"
# Where and what to log. The default LOGLEVEL is LOG_INFO.
#LOGLEVEL[0]="LOG_INFO"
LOGFILE[0]="/var/log/dnscrypt-proxy/dnscrypt-proxy.log"
# A simple example configuration for a second instance
#CHROOTDIR[1]="/run/dnscrypt"
#LOCALADDRESS[1]="127.0.0.2:53"
#PIDFILE[1]="/var/run/dnscrypt-proxy/dnscrypt-proxy-1.pid"
#USER[1]="dnscrypt"
#RESOLVERNAME[1]="cloudns-can"
#RESOLVERSLIST[1]="/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv"
#LOGFILE[1]="/var/log/dnscrypt-proxy/dnscrypt-proxy-1.log"

View file

@ -1,8 +1,8 @@
PRGNAM="dnscrypt-proxy" PRGNAM="dnscrypt-proxy"
VERSION="1.4.0" VERSION="1.4.1"
HOMEPAGE="http://dnscrypt.org/" HOMEPAGE="http://dnscrypt.org/"
DOWNLOAD="http://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.4.0.tar.bz2" DOWNLOAD="http://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.4.1.tar.bz2"
MD5SUM="40b5b73f5042330b86084460d7c839c6" MD5SUM="f9d59b23fcad864af7db7d6304fda77f"
DOWNLOAD_x86_64="" DOWNLOAD_x86_64=""
MD5SUM_x86_64="" MD5SUM_x86_64=""
REQUIRES="libsodium" REQUIRES="libsodium"

View file

@ -0,0 +1,9 @@
/var/log/dnscrypt-proxy/*log {
weekly
rotate 7
copytruncate
delaycompress
compress
notifempty
missingok
}

View file

@ -0,0 +1,21 @@
# Use dnsmasq as a caching DNS forwarder to dnscrypt-proxy. This configuration
# assumes dnscrypt-proxy is running on port 55.
# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv
# Don't use /etc/resolv.conf. Forward all queries to dnscrypt-proxy.
no-resolv
# Use the resolver on localhost port 55 (dnscrypt-proxy)
server=127.0.0.1#55
# Listen on localhost. Default port 53
listen-address=127.0.0.1
# Pass on the upstream DNSSEC flag. Only enable this if you trust the upstream
# resolver.
#proxy-dnssec

View file

@ -0,0 +1,27 @@
config() {
NEW="$1"
OLD="$(dirname $NEW)/$(basename $NEW .new)"
# If there's no config file by that name, mv it over:
if [ ! -r $OLD ]; then
mv $NEW $OLD
elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then
# toss the redundant copy
rm $NEW
fi
# Otherwise, we leave the .new copy for the admin to consider...
}
preserve_perms() {
NEW="$1"
OLD="$(dirname $NEW)/$(basename $NEW .new)"
if [ -e $OLD ]; then
cp -a $OLD ${NEW}.incoming
cat $NEW > ${NEW}.incoming
mv ${NEW}.incoming $NEW
fi
config $NEW
}
preserve_perms etc/rc.d/rc.dnscrypt-proxy.new
config etc/default/dnscrypt-proxy.new
config etc/logrotate.d/dnscrypt-proxy.new

View file

@ -0,0 +1,153 @@
options {
directory "/var/named";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
forwarders { 127.0.0.1 port 55; };
forward only;
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;
allow-transfer { "none"; };
allow-query { 127.0.0.1; };
listen-on { 127.0.0.1; };
};
//
// a caching only nameserver config
//
zone "." IN {
type hint;
file "caching-example/named.root";
};
zone "localhost" IN {
type master;
file "caching-example/localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "caching-example/named.local";
allow-update { none; };
};
// RFC 1918. These shouldn't be necessary but empty-zones-enable isn't
// working properly...
zone "10.in-addr.arpa" IN {
type master;
file "caching-example/named.local";
allow-update { none; };
};
zone "16.172.in-addr.arpa" IN {
type master;
file "caching-example/named.local";
allow-update { none; };
};
zone "17.172.in-addr.arpa" IN {
type master;
file "caching-example/named.local";
allow-update { none; };
};
zone "18.172.in-addr.arpa" IN {
type master;
file "caching-example/named.local";
allow-update { none; };
};
zone "19.172.in-addr.arpa" IN {
type master;
file "caching-example/named.local";
allow-update { none; };
};
zone "20.172.in-addr.arpa" IN {
type master;
file "caching-example/named.local";
allow-update { none; };
};
zone "21.172.in-addr.arpa" IN {
type master;
file "caching-example/named.local";
allow-update { none; };
};
zone "22.172.in-addr.arpa" IN {
type master;
file "caching-example/named.local";
allow-update { none; };
};
zone "23.172.in-addr.arpa" IN {
type master;
file "caching-example/named.local";
allow-update { none; };
};
zone "24.172.in-addr.arpa" IN {
type master;
file "caching-example/named.local";
allow-update { none; };
};
zone "25.172.in-addr.arpa" IN {
type master;
file "caching-example/named.local";
allow-update { none; };
};
zone "26.172.in-addr.arpa" IN {
type master;
file "caching-example/named.local";
allow-update { none; };
};
zone "27.172.in-addr.arpa" IN {
type master;
file "caching-example/named.local";
allow-update { none; };
};
zone "28.172.in-addr.arpa" IN {
type master;
file "caching-example/named.local";
allow-update { none; };
};
zone "29.172.in-addr.arpa" IN {
type master;
file "caching-example/named.local";
allow-update { none; };
};
zone "30.172.in-addr.arpa" IN {
type master;
file "caching-example/named.local";
allow-update { none; };
};
zone "31.172.in-addr.arpa" IN {
type master;
file "caching-example/named.local";
allow-update { none; };
};
zone "168.192.in-addr.arpa" IN {
type master;
file "caching-example/named.local";
allow-update { none; };
};
logging {
category edns-disabled { null; };
};

View file

@ -0,0 +1,175 @@
#!/bin/bash
CONFIGFILE="/etc/default/dnscrypt-proxy"
DAEMON="/usr/sbin/dnscrypt-proxy"
. $CONFIGFILE
start_instance() {
if [ -z ${PIDFILE[$1]} ]; then
echo "No configuration for instance $1 found!"
return
fi
if [ -r ${PIDFILE[$1]} ]; then
echo "dnscrypt-proxy (instance $1) already running!"
return
fi
# dnscrypt-proxy will work without this, but it drops privileges before
# seeding the PRNG. libevent tries to work around a missing /dev/urandom
# but it's safer just to make sure it is available in the chroot.
if [ -n "${CHROOTDIR[$1]}" ]; then
if [ "$(readlink -f ${CHROOTDIR[$1]})" != "/" ]; then
if [ ! -d ${CHROOTDIR[$1]} ]; then
mkdir -p ${CHROOTDIR[$1]}
chmod 755 ${CHROOTDIR[$1]}
fi
if [ ! -d ${CHROOTDIR[$1]}/dev ]; then
mkdir -p ${CHROOTDIR[$1]}/dev
chmod 755 ${CHROOTDIR[$1]}/dev
fi
if [ ! -c ${CHROOTDIR[$1]}/dev/urandom ]; then
mknod -m 666 ${CHROOTDIR[$1]}/dev/urandom c 1 9
fi
fi
fi
OPTIONS="-d"
if [ -n "${LOCALADDRESS[$1]}" ]; then
OPTIONS="${OPTIONS} --local-address=${LOCALADDRESS[$1]}"
fi
if [ -n "${PIDFILE[$1]}" ]; then
OPTIONS="${OPTIONS} --pidfile=${PIDFILE[$1]}"
fi
if [ -n "${USER[$1]}" ]; then
OPTIONS="${OPTIONS} --user=${USER[$1]}"
fi
if [ -n "${RESOLVERNAME[$1]}" ]; then
OPTIONS="${OPTIONS} --resolver-name=${RESOLVERNAME[$1]}"
fi
if [ -n "${RESOLVERSLIST[$1]}" ]; then
OPTIONS="${OPTIONS} --resolvers-list=${RESOLVERSLIST[$1]}"
fi
if [ -z "${RESOLVERNAME[$1]}" ] && [ -n "${RESOLVERADDRESS[$1]}" ]; then
OPTIONS="${OPTIONS} --resolver-address=${RESOLVERADDRESS[$1]}"
fi
if [ -z "${RESOLVERNAME[$1]}" ] && [ -n "${PROVIDERNAME[$1]}" ]; then
OPTIONS="${OPTIONS} --provider-name=${PROVIDERNAME[$1]}"
fi
if [ -z "${RESOLVERNAME[$1]}" ] && [ -n "${PROVIDERKEY[$1]}" ]; then
OPTIONS="${OPTIONS} --provider-key=${PROVIDERKEY[$1]}"
fi
if [ -n "${EDNSPAYLOADSIZE[$1]}" ]; then
OPTIONS="${OPTIONS} --edns-payload-size=${EDNSPAYLOADSIZE[$1]}"
fi
if [ -n "${MAXACTIVEREQUESTS[$1]}" ]; then
OPTIONS="${OPTIONS} --max-active-requests=${MAXACTIVEREQUESTS[$1]}"
fi
if [ "${TCPONLY[$1]}" == "yes" ]; then
OPTIONS="${OPTIONS} --tcp-only"
fi
if [ -n "${PLUGINS[$1]}" ]; then
for plugin in ${PLUGINS[$1]}
do
OPTIONS="${OPTIONS} --plugin=${plugin}"
done
fi
if [ -n "${LOGLEVEL[$1]}" ]; then
OPTIONS="${OPTIONS} --loglevel=${LOGLEVEL[$1]}"
fi
if [ -n "${LOGFILE[$1]}" ]; then
OPTIONS="${OPTIONS} --logfile=${LOGFILE[$1]}"
fi
$DAEMON $OPTIONS
}
stop_instance() {
if [ -z ${PIDFILE[$1]} ]; then
echo "No configuration for instance $1 found!"
return
fi
if [ ! -r ${PIDFILE[$1]} ]; then
echo "dnscrypt-proxy (instance $1) is not running!"
return
fi
echo "Stopping dnscrypt-proxy (instance $1)..."
kill $(cat ${PIDFILE[$1]})
}
status_instance() {
if [ -z ${PIDFILE[$1]} ]; then
echo "No configuration for instance $1 found!"
return
fi
if [ ! -r ${PIDFILE[$1]} ]; then
echo "dnscrypt-proxy (instance $1) is not running."
return
fi
PID=$(cat ${PIDFILE[$1]})
if [ -z "$PID" ]; then
echo "PID file is empty! dnscrypt-proxy (instance $1) does not appear to be running, but there is a stale PID file."
elif kill -0 $PID ; then
echo "dnscrypt-proxy (instance $1) is running."
else
echo "dnscrypt-proxy (instance $1) is not running, but there is a stale PID file."
fi
}
start() {
for i in `/usr/bin/seq 0 $((${#PIDFILE[@]}-1))`
do
start_instance $i
done
}
stop() {
for i in `/usr/bin/seq 0 $((${#PIDFILE[@]}-1))`
do
stop_instance $i
done
}
status() {
for i in `/usr/bin/seq 0 $((${#PIDFILE[@]}-1))`
do
status_instance $i
done
}
case "$1" in
'start')
start
;;
'stop')
stop
;;
'restart')
stop
start
;;
'status')
status
;;
*_start)
INSTANCE=`echo $1 | /bin/cut -d '_' -f 1`
start_instance $INSTANCE
;;
*_stop)
INSTANCE=`echo $1 | /bin/cut -d '_' -f 1`
stop_instance $INSTANCE
;;
*_restart)
INSTANCE=`echo $1 | /bin/cut -d '_' -f 1`
stop_instance $INSTANCE
sleep 1
start_instance $INSTANCE
;;
*_status)
INSTANCE=`echo $1 | /bin/cut -d '_' -f 1`
status_instance $INSTANCE
;;
*)
echo "Usage: $0 {start|stop|restart|status|#_start|#_stop|#_restart}"
exit 1
;;
esac