Accepting request 860171 from home:namtrac:branches:server:dns

- Update to version 2.0.45 * Configuration changes (to be required in versions 2.1.x): - [blacklist] has been renamed to [blocked_names] - [ip_blacklist] has been renamed to [blocked_ips] - [whitelist] has been renamed to [allowed_names] - generate-domains-blacklist.py has been renamed to generate-domains-blocklist.py, and the configuration files have been renamed as well. * dnscrypt-proxy -resolve has been completely revamped, and now requires the configuration file to be accessible. It will send a query to an IP address of the dnscrypt-proxy server by default. Sending queries to arbitrary servers is also supported with the new -resolve name,address syntax. * Relay lists can be set to * for automatic relay selection. When a wildcard is used, either for the list of servers or relays, the proxy ensures that relays and servers are on distinct networks. * Lying resolvers are detected and reported. * New return code: NOT_READY for queries received before the proxy has been initialized. * Server lists can't be older than a week any more, even if directory permissions are incorrect and cache files cannot be written. * New feature: allowed_ips, to configure a set of IP addresses to never block no matter what DNS name resolves to them. * Hard-coded IP addresses can be immediately returned for test queries sent by operating systems in order to check for connectivity and captive portals. Such responses can be sent even before an interface is considered as enabled by the operating system. This can be configured in a new section called [captive_portals]. * On Linux, OpenBSD and FreeBSD, listen_addresses can now include IP addresses that haven't been assigned to an interface yet. * generate-domains-blocklist.py: regular expressions are now ignored in time-based entries. OBS-URL: https://build.opensuse.org/request/show/860171 OBS-URL: https://build.opensuse.org/package/show/server:dns/dnscrypt-proxy?expand=0&rev=30
2021-01-04 18:36:28 +00:00 · 2021-01-04 18:36:28 +00:00 · 1fd8aa9304
commit 1fd8aa9304
parent 15cfb9547b
5 changed files with 74 additions and 32 deletions
--- a/dnscrypt-proxy-2.0.44.tar.gz
+++ b/dnscrypt-proxy-2.0.44.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c2c9968f07a414e973ec5734f4598d756a35c32beedb18268590ea1355794237
-size 2279842
--- a/dnscrypt-proxy-2.0.45.tar.gz
+++ b/dnscrypt-proxy-2.0.45.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f7aac28c6a60404683d436072b89d18ed3bb309f8d8a95c8e87ad250da190821
+size 2721610
--- a/dnscrypt-proxy.changes
+++ b/dnscrypt-proxy.changes
@ -1,3 +1,51 @@
+-------------------------------------------------------------------
+Mon Jan  4 11:45:57 UTC 2021 - Ismail Dönmez <idonmez@suse.com>
+
+- Update to version 2.0.45
+  * Configuration changes (to be required in versions 2.1.x):
+    - [blacklist] has been renamed to [blocked_names]
+    - [ip_blacklist] has been renamed to [blocked_ips]
+    - [whitelist] has been renamed to [allowed_names]
+    - generate-domains-blacklist.py has been renamed to
+      generate-domains-blocklist.py, and the configuration files
+      have been renamed as well.
+  * dnscrypt-proxy -resolve has been completely revamped, and now
+    requires the configuration file to be accessible. It will send
+    a query to an IP address of the dnscrypt-proxy server by default.
+    Sending queries to arbitrary servers is also supported with the
+    new -resolve name,address syntax.
+  * Relay lists can be set to * for automatic relay selection.
+    When a wildcard is used, either for the list of servers or relays,
+    the proxy ensures that relays and servers are on distinct networks.
+  * Lying resolvers are detected and reported.
+  * New return code: NOT_READY for queries received before the proxy
+    has been initialized.
+  * Server lists can't be older than a week any more, even if directory
+    permissions are incorrect and cache files cannot be written.
+  * New feature: allowed_ips, to configure a set of IP addresses to never
+    block no matter what DNS name resolves to them.
+  * Hard-coded IP addresses can be immediately returned for test queries
+    sent by operating systems in order to check for connectivity and captive portals.
+    Such responses can be sent even before an interface is considered as enabled by the
+    operating system. This can be configured in a new section called [captive_portals].
+  * On Linux, OpenBSD and FreeBSD, listen_addresses can now include IP addresses
+    that haven't been assigned to an interface yet.
+  * generate-domains-blocklist.py: regular expressions are now ignored in time-based entries.
+  * Minor bug fixes and logging improvements.
+  * Cloaking plugin: if an entry has multiple IP addresses for a type, all the IP
+    addresses are now returned instead of a random one.
+  * Static entries can now include DNSCrypt relays.
+  * Name blocking: aliases relying on SVCB and HTTPS records can now be blocked in
+    addition to aliases via regular CNAME records.
+  * EDNS-Client-Subnet information can be added to outgoing queries. Instead of sending
+    the actual client IP, ECS information is user configurable, and IP addresses will be
+    randomly chosen for every query.
+  * Initial DoH queries are now checked using random names in order to properly measure
+    CDNs such as Tencent that ignore the padding.
+  * DoH: the max-stale cache control directive is now present in queries.
+  * Logs can now be sent to /dev/stdout instead of actual files.
+  * New download mirror (https://download.dnscrypt.net) for resolvers, relays and parental-control.
+
 -------------------------------------------------------------------
 Wed Jul 22 01:43:47 UTC 2020 - Bernhard Wiedemann <bwiedemann@suse.com>

--- a/dnscrypt-proxy.spec
+++ b/dnscrypt-proxy.spec
@ -1,7 +1,7 @@
 #
 # spec file for package dnscrypt-proxy
 #
-# Copyright (c) 2019 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -15,6 +15,7 @@
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #

+
 %define _buildshell /bin/bash
 %define user_group  dnscrypt
 %define config_dir  %{_sysconfdir}/%{name}
@ -24,7 +25,7 @@
 %define vlic_dir  vendored

 Name:           dnscrypt-proxy
-Version:        2.0.44
+Version:        2.0.45
 Release:        0
 Summary:        A tool for securing communications between a client and a DNS resolver
 License:        ISC
@ -43,11 +44,11 @@ Source5:        install_licenses.sh
 Source6:        README.openSUSE
 # Example how to override socket unit
 Source7:        %{name}.socket.conf
-BuildRequires:  golang(API) >= 1.14
 BuildRequires:  golang-packaging
 BuildRequires:  pkgconfig
 BuildRequires:  shadow
 BuildRequires:  systemd-rpm-macros
+BuildRequires:  golang(API) >= 1.14
 BuildRequires:  pkgconfig(libsystemd)
 # For systemd pidfile solution.
 Requires:       bash
@ -82,7 +83,7 @@ cp ./%{name}.toml.default ./%{name}.toml
 sed -i "s/## This is an example configuration file./## This is a configuration file./" ./dnscrypt-proxy.toml

 # python path instead of env
-sed -i "1s/#! \/usr\/bin\/env python3/#! \/usr\/bin\/python3/" utils/generate-domains-blacklists/generate-domains-blacklist.py
+sed -i "1s/#! \/usr\/bin\/env python3/#! \/usr\/bin\/python3/" utils/generate-domains-blocklist/generate-domains-blocklist.py

 %build
 cd %{name}
@ -100,26 +101,18 @@ install -D -d -m 0755 %{buildroot}%{_datadir}/%{name}/
 # Binary
 install -D -m 0755 %{name}/%{name} %{buildroot}%{_sbindir}/%{name}

-# blacklist generator
-cp -a utils/generate-domains-blacklists/ %{buildroot}%{_datadir}/%{name}/
-
-# Config file examples
-install -D -m 0644 ./%{name}/example-%{name}.toml %{buildroot}/%{_docdir}/%{name}/example-%{name}.toml
-install -D -m 0644 ./%{name}.toml.default %{buildroot}/%{_docdir}/%{name}/%{name}.toml.default
-install -D -m 0644 ./%{name}/example-blacklist.txt %{buildroot}/%{_docdir}/%{name}/example-blacklist.txt
-install -D -m 0644 ./%{name}/example-ip-blacklist.txt %{buildroot}/%{_docdir}/%{name}/example-ip-blacklist.txt
-install -D -m 0644 ./%{name}/example-cloaking-rules.txt %{buildroot}/%{_docdir}/%{name}/example-cloaking-rules.txt
-install -D -m 0644 ./%{name}/example-forwarding-rules.txt %{buildroot}/%{_docdir}/%{name}/example-forwarding-rules.txt
-install -D -m 0644 ./%{name}/example-whitelist.txt %{buildroot}/%{_docdir}/%{name}/example-whitelist.txt
+# blocklist generator
+cp -a utils/generate-domains-blocklist/ %{buildroot}%{_datadir}/%{name}/

 # Config files
 install -D -m 0640 ./%{name}.toml %{buildroot}/%{config_dir}/%{name}.toml
 install -D -m 0640 ./%{name}.toml.default %{buildroot}/%{config_dir}/%{name}.toml.default
-install -D -m 0640 ./%{name}/example-blacklist.txt %{buildroot}/%{config_dir}/blacklist.txt
-install -D -m 0640 ./%{name}/example-ip-blacklist.txt %{buildroot}/%{config_dir}/ip-blacklist.txt
+install -D -m 0640 ./%{name}/example-blocked-names.txt %{buildroot}/%{config_dir}/blocked-names.txt
+install -D -m 0640 ./%{name}/example-blocked-ips.txt %{buildroot}/%{config_dir}/blocked-ips.txt
 install -D -m 0640 ./%{name}/example-cloaking-rules.txt %{buildroot}/%{config_dir}/cloaking-rules.txt
 install -D -m 0640 ./%{name}/example-forwarding-rules.txt %{buildroot}/%{config_dir}/forwarding-rules.txt
-install -D -m 0640 ./%{name}/example-whitelist.txt %{buildroot}/%{config_dir}/whitelist.txt
+install -D -m 0640 ./%{name}/example-allowed-names.txt %{buildroot}/%{config_dir}/allowed-names.txt
+install -D -m 0640 ./%{name}/example-allowed-ips.txt %{buildroot}/%{config_dir}/allowed-ips.txt

 # Systemd
 install -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
@ -156,12 +149,15 @@ getent passwd %{user_group} >/dev/null || %{_sbindir}/useradd -r -g %{user_group
 %service_del_postun %{services}

 %files
+%doc ChangeLog README.md README.openSUSE %{name}.socket.conf
+%doc dnscrypt-proxy/example-*
 %config(noreplace) %attr(-,root,%{user_group}) %{config_dir}/%{name}.toml
-%config(noreplace) %attr(-,root,%{user_group}) %{config_dir}/blacklist.txt
-%config(noreplace) %attr(-,root,%{user_group}) %{config_dir}/ip-blacklist.txt
+%config(noreplace) %attr(-,root,%{user_group}) %{config_dir}/blocked-names.txt
+%config(noreplace) %attr(-,root,%{user_group}) %{config_dir}/blocked-ips.txt
 %config(noreplace) %attr(-,root,%{user_group}) %{config_dir}/cloaking-rules.txt
 %config(noreplace) %attr(-,root,%{user_group}) %{config_dir}/forwarding-rules.txt
-%config(noreplace) %attr(-,root,%{user_group}) %{config_dir}/whitelist.txt
+%config(noreplace) %attr(-,root,%{user_group}) %{config_dir}/allowed-names.txt
+%config(noreplace) %attr(-,root,%{user_group}) %{config_dir}/allowed-ips.txt
 %config %attr(-,root,%{user_group}) %{config_dir}/%{name}.toml.default
 %{_sbindir}/%{name}
 %{_sbindir}/rc%{name}
@ -171,8 +167,6 @@ getent passwd %{user_group} >/dev/null || %{_sbindir}/useradd -r -g %{user_group
 %dir %attr(0750,root,%{user_group}) %{config_dir}
 %dir %attr(0750,%{user_group},%{user_group}) %{home_dir}
 %dir %attr(0750,%{user_group},%{user_group}) %{log_dir}
-%{_docdir}/%{name}/
-%doc ChangeLog README.md README.openSUSE %{name}.socket.conf
 %license LICENSE
 %{_licensedir}/%{name}/%{vlic_dir}/

--- a/example-dnscrypt-proxy.toml.sed
+++ b/example-dnscrypt-proxy.toml.sed
@ -13,12 +13,12 @@ s/# cert_file = "localhost.pem"/# cert_file = '\/etc\/dnscrypt-proxy\/localhost.
 s/# cert_key_file = "localhost.pem"/# cert_key_file = '\/etc\/dnscrypt-proxy\/localhost.pem'/
 s/  # file = 'query.log'/  # file = '\/var\/log\/dnscrypt-proxy\/query.log'/
 s/  # file = 'nx.log'/  # file = '\/var\/log\/dnscrypt-proxy\/nx.log'/
-s/  # blacklist_file = 'blacklist.txt'/  # blacklist_file = '\/etc\/dnscrypt-proxy\/blacklist.txt'/
-s/  # log_file = 'blocked.log'/  # log_file = '\/var\/log\/dnscrypt-proxy\/blocked.log'/
-s/  # blacklist_file = 'ip-blacklist.txt'/# blacklist_file = '\/etc\/dnscrypt-proxy\/ip-blacklist.txt'/
-s/  # log_file = 'ip-blocked.log'/  # log_file = '\/var\/log\/dnscrypt-proxy\/ip-blocked.log'/
-s/  # whitelist_file = 'whitelist.txt'/# blacklist_file = '\/etc\/dnscrypt-proxy\/whitelist.txt'/
-s/  # log_file = 'whitelisted.log'/  # log_file = '\/var\/log\/dnscrypt-proxy\/whitelisted.log'/
+s/  # blocked_names_file = 'blocked-names.txt'/# blacklist_file = '\/etc\/dnscrypt-proxy\/blocked-names.txt'/
+s/  # log_file = 'blocked-names.log'/  # log_file = '\/var\/log\/dnscrypt-proxy\/blocked-names.log'/
+s/  # blocked_ips_file = 'blocked-ips.txt'/  # blacklist_file = '\/etc\/dnscrypt-proxy\/blocked-ips.txt'/
+s/  # log_file = 'blocked-ips.log'/  # log_file = '\/var\/log\/dnscrypt-proxy\/blocked-ips.log'/
+s/  # allowed_names_file = 'allowed-names.txt'/# blacklist_file = '\/etc\/dnscrypt-proxy\/allowed-names.txt'/
+s/  # log_file = 'allowed-names.log'/  # log_file = '\/var\/log\/dnscrypt-proxy\/allowed-names.log'/
 s/  cache_file = 'public-resolvers.md'/  cache_file = '\/var\/lib\/dnscrypt-proxy\/public-resolvers.md'/
 s/  cache_file = 'relays.md'/  cache_file = '\/var\/lib\/dnscrypt-proxy\/relays.md'/
 s/  #  cache_file = "quad9-resolvers.md"/  #  cache_file = '\/var\/lib\/dnscrypt-proxy\/quad9-resolvers.md'/