Merge branch 'AdguardTeam:master' into clientauth

.github/workflows/build.yaml

@@ -1,7 +1,7 @@
 name: Build
 
 'env':
-  'GO_VERSION': '1.16'
+  'GO_VERSION': '1.17'
 
 'on':
   'push':
@@ -14,26 +14,20 @@ name: Build
 jobs:
   tests:
     runs-on: ${{ matrix.os }}
-    env:
-      GO111MODULE: "on"
     strategy:
       matrix:
         os:
           - windows-latest
           - macos-latest
           - ubuntu-latest
-
     steps:
       - uses: actions/checkout@master
-
       - uses: actions/setup-go@v2
         with:
           go-version: '${{ env.GO_VERSION }}'
-
       - name: Run tests
         run: |-
-          go test -mod=vendor -race -v -bench="." -coverprofile="coverage.txt" -covermode=atomic ./...
-
+          make test
       - name: Upload coverage
         uses: codecov/codecov-action@v1
         if: "success() && matrix.os == 'ubuntu-latest'"
@@ -45,50 +39,22 @@ jobs:
     needs:
       - tests
     runs-on: ubuntu-latest
-    env:
-      GO111MODULE: "on"
     steps:
       - uses: actions/checkout@master
-
       - uses: actions/setup-go@v2
         with:
           go-version: '${{ env.GO_VERSION }}'
-
-      - name: Prepare environment
+      - name: Build release
         run: |-
+          set -e -u -x
+
           RELEASE_VERSION="${GITHUB_REF##*/}"
           if [[ "${RELEASE_VERSION}" != v* ]]; then RELEASE_VERSION='dev'; fi
           echo "RELEASE_VERSION=\"${RELEASE_VERSION}\"" >> $GITHUB_ENV
 
-      # Win
-      - run: GOOS=windows GOARCH=386 VERSION=${RELEASE_VERSION} make release
-      - run: GOOS=windows GOARCH=amd64 VERSION=${RELEASE_VERSION} make release
-
-      # MacOS
-      - run: GOOS=darwin GOARCH=amd64 VERSION=${RELEASE_VERSION} make release
-
-      # Linux X86
-      - run: GOOS=linux GOARCH=386 VERSION=${RELEASE_VERSION} make release
-      - run: GOOS=linux GOARCH=amd64 VERSION=${RELEASE_VERSION} make release
-
-      # Linux ARM
-      - run: GOOS=linux GOARCH=arm GOARM=6 VERSION=${RELEASE_VERSION} make release
-      - run: GOOS=linux GOARCH=arm64 VERSION=${RELEASE_VERSION} make release
-
-      # Linux MIPS/MIPSLE
-      - run: GOOS=linux GOARCH=mips GOMIPS=softfloat VERSION=${RELEASE_VERSION} make release
-      - run: GOOS=linux GOARCH=mipsle GOMIPS=softfloat VERSION=${RELEASE_VERSION} make release
-
-      # FreeBSD X86
-      - run: GOOS=freebsd GOARCH=386 VERSION=${RELEASE_VERSION} make release
-      - run: GOOS=freebsd GOARCH=amd64 VERSION=${RELEASE_VERSION} make release
-
-      # FreeBSD ARM/ARM64
-      - run: GOOS=freebsd GOARCH=arm GOARM=6 VERSION=${RELEASE_VERSION} make release
-      - run: GOOS=freebsd GOARCH=arm64 VERSION=${RELEASE_VERSION} make release
-
-      - run: ls -l build/dnsproxy-*
+          make VERBOSE=1 VERSION="${RELEASE_VERSION}" release
 
+          ls -l build/dnsproxy-*
       - name: Create release
         if: startsWith(github.ref, 'refs/tags/v')
         id: create_release
@@ -100,7 +66,6 @@ jobs:
           release_name: Release ${{ github.ref }}
           draft: false
           prerelease: false
-
       - name: Upload
         if: startsWith(github.ref, 'refs/tags/v')
         uses: xresloader/upload-to-github-release@v1
@@ -125,7 +90,6 @@ jobs:
     steps:
       - name: Conclusion
         uses: technote-space/workflow-conclusion-action@v1
-
       - name: Send Slack notif
         uses: 8398a7/action-slack@v3
         with:

.github/workflows/lint.yaml

@@ -23,7 +23,7 @@ jobs:
         with:
           # This field is required.  Dont set the patch version to always use
           # the latest patch version.
-          version: v1.32
+          version: v1.43
   notify:
     needs:
       - golangci
@@ -47,7 +47,7 @@ jobs:
         uses: 8398a7/action-slack@v3
         with:
           status: ${{ env.WORKFLOW_CONCLUSION }}
-          fields: workflow, repo, message, commit, author, eventName,ref
+          fields: workflow, repo, message, commit, author, eventName, ref
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

.golangci.yml

@@ -36,7 +36,6 @@ linters:
     - dupl
     - gocyclo
     - goimports
-    - golint
     - gosec
     - misspell
     - stylecheck
@@ -62,7 +61,7 @@ issues:
     - G302
     # errcheck defer Close
     - error return value not checked \(defer .*\.Close()\)
-    # gosec: False positive is triggered by 'src, err := ioutil.ReadFile(filename)'
+    # gosec: False positive is triggered by 'src, err := os.ReadFile(filename)'
     - Potential file inclusion via variable
     # gosec: TLS InsecureSkipVerify may be true
     # We have a configuration option that allows to do this

Makefile

@@ -1,43 +1,48 @@
-NAME=dnsproxy
-BASE_BUILDDIR=build
-BUILDNAME=$(GOOS)-$(GOARCH)$(GOARM)
-BUILDDIR=$(BASE_BUILDDIR)/$(BUILDNAME)
-VERSION?=dev
+# Keep the Makefile POSIX-compliant.  We currently allow hyphens in
+# target names, but that may change in the future.
+#
+# See https://pubs.opengroup.org/onlinepubs/9699919799/utilities/make.html.
+.POSIX:
 
-ifeq ($(GOOS),windows)
-  ext=.exe
-  archiveCmd=zip -9 -r $(NAME)-$(BUILDNAME)-$(VERSION).zip $(BUILDNAME)
-else
-  ext=
-  archiveCmd=tar czpvf $(NAME)-$(BUILDNAME)-$(VERSION).tar.gz $(BUILDNAME)
-endif
+# Don't name this macro "GO", because GNU Make apparenly makes it an
+# exported environment variable with the literal value of "${GO:-go}",
+# which is not what we need.  Use a dot in the name to make sure that
+# users don't have an environment variable with the same name.
+#
+# See https://unix.stackexchange.com/q/646255/105635.
+GO.MACRO = $${GO:-go}
+GOPROXY = https://goproxy.cn|https://proxy.golang.org|direct
+DIST_DIR=build
+OUT = dnsproxy
+RACE = 0
+VERBOSE = 0
+VERSION = dev
 
-.PHONY: default
-default: build
+ENV = env\
+	DIST_DIR='$(DIST_DIR)'\
+	GO="$(GO.MACRO)"\
+	GOPROXY='$(GOPROXY)'\
+	OUT='$(OUT)'\
+	RACE='$(RACE)'\
+	VERBOSE='$(VERBOSE)'\
+	VERSION='$(VERSION)'\
 
-build: clean test
-	go build -mod=vendor
+# Keep the line above blank.
 
-release: check-env-release
-	mkdir -p $(BUILDDIR)
-	cp LICENSE $(BUILDDIR)/
-	cp README.md $(BUILDDIR)/
-	CGO_ENABLED=0 GOOS=$(GOOS) GOARCH=$(GOARCH) go build -mod=vendor -ldflags "-s -w -X main.VersionString=$(VERSION)" -o $(BUILDDIR)/$(NAME)$(ext)
-	cd $(BASE_BUILDDIR) ; $(archiveCmd)
+# Keep this target first, so that a naked make invocation triggers
+# a full build.
+build:   ; $(ENV) "$(SHELL)" ./scripts/make/build.sh
 
-test:
-	go test -race -v -bench=. ./...
+clean:   ; $(ENV) $(GO.MACRO) clean && rm -f -r '$(DIST_DIR)'
+test:    ; $(ENV) RACE='1' "$(SHELL)" ./scripts/make/test.sh
 
-clean:
-	go clean
-	rm -rf $(BASE_BUILDDIR)
+release: clean
+	$(ENV) "$(SHELL)" ./scripts/make/release.sh
 
-check-env-release:
-	@ if [ "$(GOOS)" = "" ]; then \
-		echo "Environment variable GOOS not set"; \
-		exit 1; \
-	fi
-	@ if [ "$(GOARCH)" = "" ]; then \
-		echo "Environment variable GOOS not set"; \
-		exit 1; \
-	fi
+# A quick check to make sure that all supported operating systems can be
+# typechecked and built successfully.
+os-check:
+	env GOOS='darwin'  "$(GO.MACRO)" vet ./...
+	env GOOS='freebsd' "$(GO.MACRO)" vet ./...
+	env GOOS='linux'   "$(GO.MACRO)" vet ./...
+	env GOOS='windows' "$(GO.MACRO)" vet ./...

README.md

@@ -24,7 +24,7 @@ A simple DNS proxy server that supports all existing DNS protocols including `DN
 
 ## How to build
 
-You will need go v1.15 or later.
+You will need Go v1.16 or later.
 
 ```shell
 $ go build -mod=vendor
@@ -76,8 +76,9 @@ Application Options:
       --dns64-prefix=    If specified, this is the DNS64 prefix dnsproxy will be using when it works as a DNS64 server. If not
                          specified, dnsproxy uses the 'Well-Known Prefix' 64:ff9b::
       --ipv6-disabled    If specified, all AAAA requests will be replied with NoError RCode and empty answer
-      --bogus-nxdomain=  Transform responses that contain at least one of the given IP addresses into NXDOMAIN. Can be
-                         specified multiple times.
+      --bogus-nxdomain=  Transform the responses containing at least a single IP
+                         that matches specified addresses and CIDRs into
+                         NXDOMAIN.  Can be specified multiple times.
       --udp-buf-size=    Set the size of the UDP buffer in bytes. A value <= 0 will use the system default. (default: 0)
       --max-go-routines= Set the maximum number of go routines. A value <= 0 will not not set a maximum. (default: 0)
       --version          Prints the program version
@@ -269,10 +270,20 @@ Now even if your IP address is 192.168.0.1 and it's not a public IP, the proxy w
 
 ### Bogus NXDomain
 
-This option is similar to dnsmasq `bogus-nxdomain`. If specified, `dnsproxy` transforms responses that contain at least one of the given IP addresses into `NXDOMAIN`. Can be specified multiple times.
+This option is similar to dnsmasq `bogus-nxdomain`.  `dnsproxy` will transform
+responses that contain at least a single IP address which is also specified by
+the option into `NXDOMAIN`. Can be specified multiple times.
 
-In the example below, we use AdGuard DNS server that returns `0.0.0.0` for blocked domains, and transform them to `NXDOMAIN`.
+In the example below, we use AdGuard DNS server that returns `0.0.0.0` for
+blocked domains, and transform them to `NXDOMAIN`.
 
 ```
 ./dnsproxy -u 94.140.14.14:53 --bogus-nxdomain=0.0.0.0
 ```
+
+CIDR ranges are supported as well.  The following will respond with `NXDOMAIN`
+instead of responses containing any IP from `192.168.0.0`-`192.168.255.255`:
+
+```
+./dnsproxy -u 192.168.0.15:53 --bogus-nxdomain=192.168.0.0/16
+```

bamboo-specs/bamboo.yaml

@@ -5,7 +5,7 @@ plan:
   key: DNSPROXYSPECS
   name: dnsproxy - Build and run tests
 variables:
-  dockerGo: adguard/golang-ubuntu:3.3
+  dockerGo: adguard/golang-ubuntu:4.0
 
 stages:
   - Tests:
@@ -29,16 +29,16 @@ Test:
         interpreter: SHELL
         scripts:
           - |-
-            set -x
-            set -e
+            set -e -f -u -x
+
             go version
             golangci-lint --version
 
-            # Run linter
+            # Run linter.
             golangci-lint run
 
-            # Run tests
-            go test -race -v -bench=. -coverprofile=coverage.txt ./...
+            # Run tests.
+            make VERBOSE=1 test
   final-tasks:
     - clean
   requirements:

fastip/fastest.go

@@ -67,7 +67,16 @@ func (f *FastestAddr) ExchangeFastest(req *dns.Msg, ups []upstream.Upstream) (
 	}
 
 	host := strings.ToLower(req.Question[0].Name)
-	ips := f.extractIPs(replies)
+
+	ips := make([]net.IP, 0, len(replies))
+	for _, r := range replies {
+		for _, rr := range r.Resp.Answer {
+			ip := proxyutil.IPFromRR(rr)
+			if ip != nil && !containsIP(ips, ip) {
+				ips = append(ips, ip)
+			}
+		}
+	}
 
 	if pingRes := f.pingAll(host, ips); pingRes != nil {
 		return f.prepareReply(pingRes, replies)
@@ -88,7 +97,7 @@ func (f *FastestAddr) prepareReply(pingRes *pingResult, replies []upstream.Excha
 ) {
 	ip := pingRes.ipp.IP
 	for _, r := range replies {
-		if hasAns(r.Resp, ip) {
+		if hasInAns(r.Resp, ip) {
 			m = r.Resp
 			u = r.Upstream
 
@@ -128,10 +137,10 @@ func (f *FastestAddr) prepareReply(pingRes *pingResult, replies []upstream.Excha
 	return m, u, nil
 }
 
-// hasAns returns true if m contains ip in its answer section.
-func hasAns(m *dns.Msg, ip net.IP) (ok bool) {
+// hasInAns returns true if m contains ip in its Answer section.
+func hasInAns(m *dns.Msg, ip net.IP) (ok bool) {
 	for _, rr := range m.Answer {
-		respIP := proxyutil.GetIPFromDNSRecord(rr)
+		respIP := proxyutil.IPFromRR(rr)
 		if respIP != nil && respIP.Equal(ip) {
 			return true
 		}
@@ -140,20 +149,6 @@ func hasAns(m *dns.Msg, ip net.IP) (ok bool) {
 	return false
 }
 
-// extractIPs extracts all IP addresses from results.
-func (f *FastestAddr) extractIPs(results []upstream.ExchangeAllResult) (ips []net.IP) {
-	for _, r := range results {
-		for _, rr := range r.Resp.Answer {
-			ip := proxyutil.GetIPFromDNSRecord(rr)
-			if ip != nil && !containsIP(ips, ip) {
-				ips = append(ips, ip)
-			}
-		}
-	}
-
-	return ips
-}
-
 // containsIP returns true if ips contains the ip.
 func containsIP(ips []net.IP, ip net.IP) (ok bool) {
 	if len(ips) == 0 {