default to cloudflare dns, upgrade to dnscrypt 2+ for DoH support

oznu · Apr 6, 2018 · 1f5d86f · 1f5d86f
1 parent 469583d
commit 1f5d86f
Show file tree

Hide file tree

Showing 7 changed files with 454 additions and 65 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,29 +1,30 @@
 FROM oznu/s6-alpine:3.7
 
-# Install dependencies and build dnscrypt-proxy (NOT enabled by default)
+ENV DEBUG=0 \
+  NS1=1.1.1.1 \
+  NS2=1.0.0.1 \
+  AUTO_UPDATE=1 \
+  BLACKLIST_URL=https://raw.githubusercontent.com/oznu/dns-zone-blacklist/master/dnsmasq/dnsmasq-server.blacklist \
+  DNS_CRYPT_SERVERS=cloudflare,cloudflare-ipv6 \
+  DNSCRYPT_VERSION=2.0.8 
+
 RUN set -xe \
-  && sed -i 's/edge\/community/edge\/testing/g' /etc/apk/repositories \
-  && apk add --no-cache dnsmasq curl libsodium-dev \
-  && apk add --no-cache --virtual .build-deps make g++ gcc python \
-  && curl -fSLO --compressed "https://github.com/jedisct1/dnscrypt-proxy/releases/download/1.9.5/dnscrypt-proxy-1.9.5.tar.bz2" \
-  && tar jxf "dnscrypt-proxy-1.9.5.tar.bz2" \
-  && cd "dnscrypt-proxy-1.9.5" \
-  && ./configure --with-plugins \
-  && make -j$(getconf _NPROCESSORS_ONLN) \
-  && make install \
-  && cd .. \
-  && rm -rf "dnscrypt-proxy-1.9.5" "dnscrypt-proxy-1.9.5.tar.bz2" \
-  && apk del .build-deps
+  && apk add --no-cache dnsmasq curl
+
+# Install dnscrypt-proxy
+RUN case "${ARCH}" in \
+    amd64) PROXY_ARCH='i386';; \
+    armhf) PROXY_ARCH='arm';; \
+    aarch64) PROXY_ARCH='arm64';; \
+    *) echo "unsupported architecture"; exit 1 ;; \
+  esac \
+  && curl -fSLO "https://github.com/jedisct1/dnscrypt-proxy/releases/download/${DNSCRYPT_VERSION}/dnscrypt-proxy-linux_${PROXY_ARCH}-${DNSCRYPT_VERSION}.tar.gz" \
+  && tar -xzf dnscrypt-proxy-linux_${PROXY_ARCH}-${DNSCRYPT_VERSION}.tar.gz \
+  && mv linux-${PROXY_ARCH} /dnscrypt \
+  && rm -rf dnscrypt-proxy-linux_${PROXY_ARCH}-${DNSCRYPT_VERSION}.tar.gz
 
 COPY root /
 
 VOLUME ["/config"]
 
 EXPOSE 53 53/udp
-
-ENV NS1=8.8.8.8 NS2=8.8.4.4 DEBUG=0 AUTO_UPDATE=1 \
-  DNSCRYPT=0 \
-  DNSCRYPT_RESOLVER_ADDR=208.67.220.220:443 \
-  DNSCRYPT_PROVIDER_NAME=2.dnscrypt-cert.opendns.com \
-  DNSCRYPT_PROVIDER_KEY=B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79 \
-  BLACKLIST_URL=https://raw.githubusercontent.com/oznu/dns-zone-blacklist/master/dnsmasq/dnsmasq-server.blacklist
diff --git a/Dockerfile.raspberry-pi b/Dockerfile.raspberry-pi
@@ -1,29 +1,30 @@
 FROM oznu/s6-alpine:3.7-armhf
 
-# Install dependencies and build dnscrypt-proxy (NOT enabled by default)
+ENV DEBUG=0 \
+  NS1=1.1.1.1 \
+  NS2=1.0.0.1 \
+  AUTO_UPDATE=1 \
+  BLACKLIST_URL=https://raw.githubusercontent.com/oznu/dns-zone-blacklist/master/dnsmasq/dnsmasq-server.blacklist \
+  DNS_CRYPT_SERVERS=cloudflare,cloudflare-ipv6 \
+  DNSCRYPT_VERSION=2.0.8 
+
 RUN set -xe \
-  && sed -i 's/edge\/community/edge\/testing/g' /etc/apk/repositories \
-  && apk add --no-cache dnsmasq curl libsodium-dev \
-  && apk add --no-cache --virtual .build-deps make g++ gcc python \
-  && curl -fSLO --compressed "https://github.com/jedisct1/dnscrypt-proxy/releases/download/1.9.5/dnscrypt-proxy-1.9.5.tar.bz2" \
-  && tar jxf "dnscrypt-proxy-1.9.5.tar.bz2" \
-  && cd "dnscrypt-proxy-1.9.5" \
-  && ./configure --with-plugins \
-  && make -j$(getconf _NPROCESSORS_ONLN) \
-  && make install \
-  && cd .. \
-  && rm -rf "dnscrypt-proxy-1.9.5" "dnscrypt-proxy-1.9.5.tar.bz2" \
-  && apk del .build-deps
+  && apk add --no-cache dnsmasq curl
+
+# Install dnscrypt-proxy
+RUN case "${ARCH}" in \
+    amd64) PROXY_ARCH='i386';; \
+    armhf) PROXY_ARCH='arm';; \
+    aarch64) PROXY_ARCH='arm64';; \
+    *) echo "unsupported architecture"; exit 1 ;; \
+  esac \
+  && curl -fSLO "https://github.com/jedisct1/dnscrypt-proxy/releases/download/${DNSCRYPT_VERSION}/dnscrypt-proxy-linux_${PROXY_ARCH}-${DNSCRYPT_VERSION}.tar.gz" \
+  && tar -xzf dnscrypt-proxy-linux_${PROXY_ARCH}-${DNSCRYPT_VERSION}.tar.gz \
+  && mv linux-${PROXY_ARCH} /dnscrypt \
+  && rm -rf dnscrypt-proxy-linux_${PROXY_ARCH}-${DNSCRYPT_VERSION}.tar.gz
 
 COPY root /
 
 VOLUME ["/config"]
 
 EXPOSE 53 53/udp
-
-ENV NS1=8.8.8.8 NS2=8.8.4.4 DEBUG=0 AUTO_UPDATE=1 \
-  DNSCRYPT=0 \
-  DNSCRYPT_RESOLVER_ADDR=208.67.220.220:443 \
-  DNSCRYPT_PROVIDER_NAME=2.dnscrypt-cert.opendns.com \
-  DNSCRYPT_PROVIDER_KEY=B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79 \
-  BLACKLIST_URL=https://raw.githubusercontent.com/oznu/dns-zone-blacklist/master/dnsmasq/dnsmasq-server.blacklist
diff --git a/README.md b/README.md
@@ -29,9 +29,10 @@ Automatic blacklist updates are enabled by default.
 docker run --restart=always \
   -p 53:53/tcp -p 53:53/udp \
   -e DEBUG=0 \
-  -e NS1=8.8.8.8 -e NS2=8.8.4.4 \
+  -e NS1=1.1.1.1 -e NS2=1.0.0.1 \
   -e AUTO_UPDATE=1 \
   -e BRANCH=master \
+  -e DNSCRYPT=0 \
   -v </path/to/config>:/config \
   oznu/dns-ad-blocker
 ```
@@ -41,10 +42,11 @@ The parameters are split into two halves, separated by a colon, the left hand si
 * `--restart=always` - ensure the container restarts automatically after host reboot.
 * `-p 53:53/tcp -p 53:53/udp` - expose port 53 on TCP and UDP to the host, **required**.
 * `-e DEBUG` - enables debug mode if set to `-e DEBUG=1`. For verbose logging (including source IP) set `-e DEBUG=2`.
-* `-e NS1 -e NS2` - override the default forward lookup servers. Defaults to Google's DNS servers (8.8.8.8, 8.8.4.4).
+* `-e NS1 -e NS2` - override the default forward lookup servers. Defaults to Cloudflares's DNS servers (1.1.1.1, 1.0.0.1).
 * `-e AUTO_UPDATE` - to disable automatic updates to the blacklist set `-e AUTO_UPDATE=0`. Automatic updates are enabled by default.
 * `-e BLACKLIST_URL` - the url where the blacklist should be downloaded from, useful if you want to lock the blacklist to a specific branch.
 * `-e WHITELIST` - a list of domains to exclude from the blacklist (comma separated, no spaces) eg. `-e WHITELIST=www.oz.nu,hub.docker.com`
+* `-e DNSCRYPT=1` - enable [DNSCrypt](https://dnscrypt.info/), disabled by default. See below for more details.
 * `-v /config` - any files with the `.conf` suffix included in the mounted volume will be included in the dnsmasq config.
 
 ## AD Blocking
@@ -69,10 +71,8 @@ docker run  -d --restart=always -p 53:53/tcp -p 53:53/udp -e DNSCRYPT=1 oznu/dns
 ```
 
 * ```-e DNSCRYPT``` - To enable DNSCrypt set ```DNSCRYPT=1```. Disabled by default.
-* ```-e DNSCRYPT_RESOLVER_ADDR``` - the DNSCrypt-capable resolver IP address with an optional port. Defaults to OpenDNS (208.67.220.220:443).
-* ```-e DNSCRYPT_PROVIDER_NAME``` -  the fully-qualified name of the DNSCrypt certificate provider. Defaults to OpenDNS (2.dnscrypt-cert.opendns.com).
-* ```-e DNSCRYPT_PROVIDER_KEY``` - the DNSCrypt provider public key. Defaults to OpenDNS.
+* ```-e DNS_CRYPT_SERVERS``` - a comma seperated (no spaces) list of servers to use. Defaults to `cloudflare,cloudflare-ipv6`.
 
 **Enabling DNSCrypt will override the ```NS1``` and ```NS2``` forward lookup server options.**
 
-See [offical list of DNSCrypt resolvers](https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv) for alternative providers if you don't want to use OpenDNS.
+See [the offical list of DNSCrypt resolvers](https://dnscrypt.info/public-servers) for alternative providers if you don't want to use Cloudflare DNS.
diff --git a/root/etc/cont-init.d/40-setup b/root/etc/cont-init.d/40-setup
@@ -11,17 +11,18 @@ echo "BLACKLIST URL: $BLACKLIST_URL"
 # Enable/Disable DNSCrypt - Default = OFF
 if [ "$DNSCRYPT" = "1" ]; then
   echo "DNSCRYPT: Enabled"
-  echo "DNSCRYPT RESOLVER ADDRESS: $DNSCRYPT_RESOLVER_ADDR"
-  echo "DNSCRYPT PROVIDER NAME: $DNSCRYPT_PROVIDER_NAME"
-  echo "DNSCRYPT PROVIDER KEY: $DNSCRYPT_PROVIDER_KEY"
+
+  if [ ! -z "$DNS_CRYPT_SERVERS" ]; then
+    for job in $(echo "$DNS_CRYPT_SERVERS" | tr "," " "); do
+      export _DNS_CRYPT_SERVERS="$_DNS_CRYPT_SERVERS'${job}', "
+    done
+
+    sed -i "s/server_names =.*/server_names = [$_DNS_CRYPT_SERVERS]/" /etc/dnscrypt-proxy.toml
+  fi
 
   sed -i "s/server=.* # NS1.*/server=127.0.0.1#40 # NS1/" /etc/dnsmasq.conf
   sed -i "s/server=.* # NS2.*/server=127.0.0.1#40 # NS2/" /etc/dnsmasq.conf
 
-  sed -i "s/ResolverAddress .*/ResolverAddress $DNSCRYPT_RESOLVER_ADDR/" /etc/dnscrypt-proxy.conf
-  sed -i "s/ProviderName .*/ProviderName $DNSCRYPT_PROVIDER_NAME/" /etc/dnscrypt-proxy.conf
-  sed -i "s/ProviderKey .*/ProviderKey $DNSCRYPT_PROVIDER_KEY/" /etc/dnscrypt-proxy.conf
-
   # Allow the dnscrypt-proxy to start
   [ -d /etc/services.d/.dnscrypt-proxy ] && mv /etc/services.d/.dnscrypt-proxy /etc/services.d/dnscrypt-proxy
 else

diff --git a/root/etc/dnscrypt-proxy.conf b/root/etc/dnscrypt-proxy.conf