dnscrypt / doh-server Goto Github PK
View Code? Open in Web Editor NEWFast, mature, secure DoH and ODoH server proxy written in Rust. Previously known as doh-proxy and rust-doh.
License: MIT License
Fast, mature, secure DoH and ODoH server proxy written in Rust. Previously known as doh-proxy and rust-doh.
License: MIT License
The recently released doh-proxy_0.9.6_amd64.deb package is incompatible with Debian's current 11.6 stable version, whereas prior doh-proxy_0.9.4_amd64.deb installs and works fine.
Attempting to upgrade the package results in
The following packages have unmet dependencies:
doh-proxy : Depends: libc6 (>= 2.34) but 2.31-13+deb11u5 is to be installed
# apt list libc6
libc6/stable,stable-updates,now 2.31-13+deb11u5 amd64 [installed]
I created this issue under the assumption that the package is intended for Debian Bullseye systems. If this is not the case, feel free to close.
hi frank
when i try to start doh-proxy the following problem commes
doh-proxy -l 127.0.2.1:8443 -u 127.0.1.1
thread 'main' panicked at 'called Result::unwrap()
on an Err
value: AddrParseError(())', libcore/result.rs:945:5
note: Run with RUST_BACKTRACE=1
for a backtrace.
any idear how to solfe it?
andi
error[E0252]: the name io
is defined multiple times
--> /root/.cargo/registry/src/github.com-1ecc6299db9ec823/doh-proxy-0.1.18/src/main.rs:25:15
|
16 | use std::io;
| ------- previous import of the module io
here
...
25 | use std::io::{self, Read};
| ^^^^ io
reimported here
|
= note: io
must be defined only once in the type namespace of this module
error: aborting due to previous error
For more information about this error, try rustc --explain E0252
.
Caused by:
process didn't exit successfully: rustc --edition=2018 --crate-name doh_proxy /root/.cargo/registry/src/github.com-1ecc6299db9ec823/doh-proxy-0.1.18/src/main.rs --color always --crate-type bin --emit=dep-info,link -C opt-level=3 -C panic=abort -C lto --cfg 'feature="default"' --cfg 'feature="native-tls"' --cfg 'feature="tls"' --cfg 'feature="tokio-tls"' -C metadata=cffeb22e3ad2f0c3 -C extra-filename=-cffeb22e3ad2f0c3 --out-dir /tmp/cargo-install6XyuyA/release/deps -L dependency=/tmp/cargo-install6XyuyA/release/deps --extern base64=/tmp/cargo-install6XyuyA/release/deps/libbase64-83bd12a2f1c22022.rlib --extern clap=/tmp/cargo-install6XyuyA/release/deps/libclap-12a2426cfc8d9168.rlib --extern futures=/tmp/cargo-install6XyuyA/release/deps/libfutures-0b2795350e2671b9.rlib --extern hyper=/tmp/cargo-install6XyuyA/release/deps/libhyper-95e091012f0d2f4b.rlib --extern jemallocator=/tmp/cargo-install6XyuyA/release/deps/libjemallocator-e7cf02575ab39621.rlib --extern native_tls=/tmp/cargo-install6XyuyA/release/deps/libnative_tls-eac274159ed46ecd.rlib --extern tokio=/tmp/cargo-install6XyuyA/release/deps/libtokio-5198fd330784692c.rlib --extern tokio_current_thread=/tmp/cargo-install6XyuyA/release/deps/libtokio_current_thread-479ea91b5e4a969c.rlib --extern tokio_timer=/tmp/cargo-install6XyuyA/release/deps/libtokio_timer-5b3be34850fba5ed.rlib --extern tokio_tls=/tmp/cargo-install6XyuyA/release/deps/libtokio_tls-96d8918332b526f1.rlib --cap-lints allow -L native=/tmp/cargo-install6XyuyA/release/build/jemalloc-sys-d3b1b44e8bfa3941/out/build/lib
(exit code: 1)
rustup
cargo 1.36.0 (c4fcfb725 2019-05-15)
rustc 1.36.0 (a53f9df32 2019-07-03)
ii libssl-dev:amd64 1.1.1-1ubuntu2.1~18.04.4 amd64 Secure Sockets Layer toolkit - development files
ii libssl-doc 1.1.1-1ubuntu2.1~18.04.4 all Secure Sockets Layer toolkit - development documentation
ii libssl1.0.0:amd64 1.0.2n-1ubuntu5.3 amd64 Secure Sockets Layer toolkit - shared libraries
ii libssl1.1:amd64 1.1.1-1ubuntu2.1~18.04.4 amd64 Secure Sockets Layer toolkit - shared libraries
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
LESSCLOSE=/usr/bin/lesspipe %s %s
LANG=en_US.UTF-8
S_COLORS=auto
XDG_SESSION_ID=93
USER=root
PWD=/root
HOME=/root
XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop
SSH_TTY=/dev/pts/0
MAIL=/var/mail/root
TERM=xterm
SHELL=/bin/bash
SHLVL=1
LOGNAME=root
XDG_RUNTIME_DIR=/run/user/0
PATH=/root/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/usr/local/cmake-3.14.2-Linux-x86_64/bin
LESSOPEN=| /usr/bin/lesspipe %s
_=/usr/bin/env
Hi
i try make test with self signed (pem format)
./doh-proxy -l 10.100.102.20:3000 -u 127.0.0.1:53 --tls-cert-path server.pem (your pem)
and this continue be on http:
print "Listening on http://10.100.102.20:3000/dns-query"
what i doing wrong ?
This is more than likely me, but I'm having an issue getting my SSL certs to work....
I'm running doh-proxy in a self built docker container built on alpine
rust, cargo and make were all added to the container and "cargo install doh-proxy" was run with no errors. I've then copied /root/,cargo/bin/doh-proxy into /usr/local/sbin
I've exported an SSL cert from LetsEncrypt, with a key, in PEM format. I've validated they match (cert & private key) thus:
$ openssl x509 -modulus -noout -in cert.pem | openssl md5
(stdin)= 3b083eec165234ec62cb363a695d0490
$ openssl rsa -modulus -noout -in key.pem | openssl md5
(stdin)= 3b083eec165234ec62cb363a695d0490
But when I then come to run:
doh-proxy -l my-internal-ip:443 -u my-internal-dns:53 -I /ssl/cert.pem -i /ssl/key.pem
I get this:
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Custom { kind: InvalidInput, error: "No private keys found" }', /root/.cargo/registry/src/github.com-1ecc6299db9ec823/libdoh-0.3.3/src/lib.rs:271:22
stack backtrace:
0: 0x5620afabb0a2 - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::hae7cf1fc581aa961
1: 0x5620af9eaffd - core::fmt::write::hfe2c8093814b6a4f
2: 0x5620afab8b44 - std::io::Write::write_fmt::h822f7d43868b3215
3: 0x5620afab164d - std::panicking::default_hook::{{closure}}::hd6d9da84065c93c3
4: 0x5620afab1180 - std::panicking::rust_panic_with_hook::h0a6b442be258a78b
5: 0x5620afab0d1a - rust_begin_unwind
6: 0x5620af9e9f00 - core::panicking::panic_fmt::h5bed57e7f82612a2
7: 0x5620af9ea052 - core::result::unwrap_failed::h4c1a6aae239037fc
8: 0x5620af976b69 - libdoh::DoH::entrypoint::{{closure}}::h8ee67cf2788831d3
9: 0x5620af999487 - doh_proxy::main::h3ba43cb3cc69a362
10: 0x5620afabb373 - std::sys_common::backtrace::__rust_begin_short_backtrace::hd71ec9b2e16d0095
11: 0x5620af99bcd0 - main
12: 0x7f4f90ae71ef - <unknown>
Aborted (core dumped)
If I use your localhost.pem it starts however. What's up with my certs?
To make #29 easier, do you think it would be possible to support reading a configuration from a toml file? Something like:
doh-proxy -c /etc/doh-proxy.toml
OS: Debian 9 / Alpine Linux 3.7
cargo 0.24.0 (45043115c 2017-12-05) / 0.22.0-r3
dns@dns:~# sudo cargo install doh-proxy
Updating registry `https://github.com/rust-lang/crates.io-index`
Installing doh-proxy v0.1.2
Downloading tokio-io v0.1.5
Downloading hyper v0.11.18
Compiling take v0.1.0
Compiling futures-await-await-macro v0.1.0
Compiling futures v0.1.18
Compiling unicode-width v0.1.4
Compiling smallvec v0.2.1
Compiling bitflags v1.0.1
Compiling version_check v0.1.3
Compiling ansi_term v0.10.2
Compiling strsim v0.7.0
Compiling scoped-tls v0.1.0
Compiling slab v0.3.0
Compiling safemem v0.2.0
Compiling libc v0.2.36
Compiling slab v0.4.0
Compiling unicode-xid v0.1.0
Compiling language-tags v0.2.2
Compiling httparse v1.2.4
Compiling lazycell v0.6.0
Compiling vec_map v0.8.0
Compiling percent-encoding v1.0.1
Compiling byteorder v1.2.1
Compiling cfg-if v0.1.2
Compiling textwrap v0.9.0
Compiling unicase v2.1.0
Compiling tokio-service v0.1.0
Compiling relay v0.1.1
Compiling tokio-timer v0.1.2
Compiling proc-macro2 v0.1.10
error[E0554]: #![feature] may not be used on the stable release channel
--> .cargo/registry/src/github.com-1ecc6299db9ec823/proc-macro2-0.1.10/src/lib.rs:22:34
|
22 | #![cfg_attr(feature = "nightly", feature(proc_macro))]
| ^^^^^^^^^^^^^^^^^^^^
error: aborting due to previous error
error: Could not compile `proc-macro2`.
warning: build failed, waiting for other jobs to finish...
error: failed to compile `doh-proxy v0.1.2`, intermediate artifacts can be found at `/tmp/cargo-install.oUYH9w39z3Qu`
Caused by:
build failed
Can we have Windows precompiled binaries?
doh-proxy 0.3.4
build with:
cargo install doh-proxy --no-default-features
error:
error[E0063]: missing fields `tls_cert_key_path`, `tls_cert_path` in initializer of `libdoh::Globals`
--> .cargo/registry/src/github.com-1ecc6299db9ec823/doh-proxy-0.3.4/src/main.rs:26:23
|
26 | let mut globals = Globals {
|
^^^^^^^ missing `tls_cert_key_path`, `tls_cert_path`
error: aborting due to previous error
doh-proxy
Hi. I tried today to compile this project with the nightly version of the rust toolchain:
$ rustc +nightly --version
rustc 1.35.0-nightly (52e885628 2019-03-15)
I am on linux. The output is:
$ cargo +nightly build
Compiling version_check v0.1.4
Compiling byteorder v1.3.1
Compiling libc v0.2.43
Compiling nodrop v0.1.12
Compiling cfg-if v0.1.5
Compiling scopeguard v0.3.3
Compiling memoffset v0.2.1
Compiling futures v0.1.23
Compiling slab v0.4.1
Compiling lazycell v0.6.0
Compiling cc v1.0.18
Compiling fs_extra v1.1.0
Compiling fnv v1.0.6
Compiling itoa v0.4.2
Compiling httparse v1.3.2
Compiling try-lock v0.2.2
Compiling string v0.1.1
Compiling indexmap v1.0.1
Compiling unicode-width v0.1.5
Compiling bitflags v1.0.3
Compiling strsim v0.7.0
Compiling ansi_term v0.11.0
Compiling vec_map v0.8.1
Compiling crossbeam-utils v0.3.2
Compiling log v0.4.3
Compiling arrayvec v0.4.7
Compiling lazy_static v1.1.0
Compiling iovec v0.1.2
Compiling net2 v0.2.33
Compiling rand v0.4.3
Compiling num_cpus v1.8.0
Compiling time v0.1.40
Compiling atty v0.2.11
Compiling textwrap v0.10.0
Compiling jemalloc-sys v0.1.8
Compiling mio v0.6.15
Compiling clap v2.32.0
Compiling bytes v0.4.9
Compiling base64 v0.10.1
Compiling crossbeam-utils v0.6.5
Compiling crossbeam-epoch v0.4.3
Compiling want v0.0.6
Compiling futures-cpupool v0.1.8
Compiling tokio-io v0.1.7
Compiling http v0.1.10
Compiling crossbeam-deque v0.3.1
Compiling tokio-executor v0.1.6
Compiling tokio-codec v0.1.0
Compiling tokio-threadpool v0.1.5
Compiling tokio-reactor v0.1.3
Compiling tokio-timer v0.2.5
Compiling tokio-current-thread v0.1.5
Compiling tokio-udp v0.1.1
Compiling tokio-tcp v0.1.1
Compiling tokio-fs v0.1.3
Compiling tokio v0.1.7
Compiling h2 v0.1.12
Compiling hyper v0.12.8
Compiling jemallocator v0.1.9
Compiling doh-proxy v0.1.11 (/home/leo/Documents/coding/doh-dns/rust-doh)
warning: unused import: `tokio::prelude::FutureExt`
--> src/main.rs:21:5
|
21 | use tokio::prelude::FutureExt;
| ^^^^^^^^^^^^^^^^^^^^^^^^^
|
= note: #[warn(unused_imports)] on by default
error[E0599]: no method named `timeout` found for type `hyper::server::conn::Connection<tokio_tcp::stream::TcpStream, DoH>` in the current scope
--> src/main.rs:269:14
|
269 | .timeout(timeout)
| ^^^^^^^
error: aborting due to previous error
For more information about this error, try `rustc --explain E0599`.
error: Could not compile `doh-proxy`.
To learn more, run the command again with --verbose.
Sample query string:
ct=&dns=+DUBAAABAAAAAAAAA2Rucwdtb3JoaWxsA2NvbQAAAQAB
ct=&dns=/xYBAAABAAAAAAAAA2Rucwdtb3JoaWxsA2NvbQAAHAAB
Test with Curl always return error 400:
curl -vH 'content-type: application/dns-message' "https://doh.crypto.sx/dns-query?ct=&dns=/xYBAAABAAAAAAAAA2Rucwdtb3JoaWxsA2NvbQAAHAAB"
HTTP/2 400
< date: Wed, 15 Jan 2020 18:01:17 GMT
< content-length: 0
< set-cookie: __cfduid=dd236d441da4037131ec70ba85c5b1c7e1579111276; expires=Fri, 14-Feb-20 18:01:16 GMT; path=/; domain=.crypto.sx; HttpOnly; SameSite=Lax; Secure
< cf-cache-status: BYPASS
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< x-content-type-options: nosniff
< server: cloudflare
< cf-ray: 5559c1088d57da00-SIN
doh-proxy version: 0.3.8+git0404b8f , built from source.
# doh-proxy -i ./fullchain.cer -I ./privkey.pem
Listening on https://127.0.0.1:3000/dns-query
TLS certificates error: No private keys found
TLS certificates error: No private keys found
TLS certificates error: No private keys found
TLS certificates error: No private keys found
TLS certificates error: No private keys found
...
fullchain.cer and privkey.pem work well for nginx server.
What is problem here?
Hi Frank,
thanks for the great event yesterday!
We noticed https://github.com/DNSCrypt/encrypted-dns-server has prometheus metrics,
will there also be prometheus metrics in doh-server (especially for the ODoH part)?
thanks!
btw: we are looking forward to the release of the ODoH relay code!
It would be convenient to have a bundled service file, e.g. the one suggested in this tutorial.
For your convenience:
`rust-doh.service
[Unit]
Description=DOH HTTP Proxy on %I
After=syslog.target network.target
Before=nginx.target
[Service]
Type=simple
ExecStart=/bin/doh-httpproxy --upstream-resolver ::1 --level DEBUG --listen-address=::1 --port %I
Restart=always
User=doh-proxy
Group=doh-proxy
[Install]
WantedBy=multi-user.target
`
From comparing the response behavior of rust-doh with doh-httpproxy it appears that rust-doh closes the connection instead of returning 415 Unsupported Media Type
when clients send an unsupported content-type.
Can you confirm that? What do you think about returning 415 in such cases?
thanks!
This is the second part of #20 for future consideration (just so it does not get forgotten).
Returning something on a timeout seems to be too complicated for my knowledge of Rust and Tokio. The timeout is on the socket itself, and once it fires, the HTTP layer is not accessible any more.
Something I may revisit once async I/O in Rust stabilizes and becomes a bit more friendly.
Hi,
I tried to use doh-proxy connecting to my unbound server on localhost:53.
./.cargo/bin/doh-proxy -u localhost:53
Unfortunatly this setup produces 500 internal server error on all queries.
As I'm running a dual-stack host, the -u argument resolves to [::1]:53.
Tracing the process shows that it is trying to talk to [::1]:53 from a socket bound to 0.0.0.0:0.
So using -b [::0]:0 fixes the proxy.
But I think that if using ipv6 for -u, one should switch to IPv6 for the default bind address too.
I'm not sure what problem cause dig slower than rust-doh
Before I use this https://github.com/m13253/dns-over-https as doh-server
my client using dnscrypt-proxy to do DNS resolution. I try to dig some domain and normally it takes under 80 ms. While I switch to rust-doh, it takes about 250ms?
Maybe rust-doh doesn't support JSON format only DNS-message format make it slower?
I'm considering uploading doh-proxy to debian. Would that work for you? Also if there's anything you want me to keep in mind while packaging this please let me know.
On Ubuntu 18.04 x64 with cargo 0.26.0-ubuntu2 and rustc 1.25.0+dfsg1+llvm-0ubuntu1:
apt install cargo
cargo install doh-proxy
*snip*
Compiling doh-proxy v0.1.10
error[E0658]: non-reference pattern used to match a reference (see issue #42640)
--> src/main.rs:70:13
|
70 | Error::Timeout => "Timeout",
| ^^^^^^^^^^^^^^ help: consider using a reference: `&Error::Timeout`
error[E0658]: non-reference pattern used to match a reference (see issue #42640)
--> src/main.rs:71:13
|
71 | Error::Incomplete => "Incomplete",
| ^^^^^^^^^^^^^^^^^ help: consider using a reference: `&Error::Incomplete`
error[E0658]: non-reference pattern used to match a reference (see issue #42640)
--> src/main.rs:72:13
|
72 | Error::TooLarge => "TooLarge",
| ^^^^^^^^^^^^^^^ help: consider using a reference: `&Error::TooLarge`
error[E0658]: non-reference pattern used to match a reference (see issue #42640)
--> src/main.rs:73:13
|
73 | Error::Hyper(_) => self.description(),
| ^^^^^^^^^^^^^^^ help: consider using a reference: `&Error::Hyper(_)`
error: aborting due to 4 previous errors
error: failed to compile `doh-proxy v0.1.10`, intermediate artifacts can be found at `/tmp/cargo-install.IQSeqCsRfb1p`
Caused by:
Could not compile `doh-proxy`.
To learn more, run the command again with --verbose.
Thanks for the release ๐ Unfortunately crates.io doesn't know about it yet.
Hyper 0.12 completely changed its API compared to previous versions.
Since rust-doh
is a very simple server, I thought the migration would be straightfoward.
But it's not. I couldn't get anything to work using Hyper 0.12. Documentation and examples are pretty much nonexistent, besides a stateless echo server.
As anything involving Futures and Tokio, compiler errors are useless.
So, this is a call for help.
I have set up an instance of doh-proxy at https://www.chaz6.com/dns-query (via an nginx proxy). I have verified it works with doh-stub, however when I set the following in Firefox (both latest stable and beta), dns resolution fails, and I am unsure what is wrong.
network.trr.uri = https://www.chaz6.com/dns-query
network.trr.mode = 3
network.trr.bootstrapAddress = 176.9.40.67
I would appreciate any help to find out what is broken.
cloudflared release: cloudflared version 2019.6.0 (built 2019-06-04-1650 UTC)
rust-doh release: 0.1.17
clouldflared send: "Content-type: application/dns-udpwireformat"
rust-doh reply : "415 Unsupported Media Type"
related to this commit?
ref: https://tools.ietf.org/id/draft-ietf-doh-dns-over-https-05.html#rfc.section.7.1
cargo install doh-proxy
failed:
[...]
Compiling tokio-io v0.1.5
Compiling tokio-core v0.1.12
Compiling tokio v0.1.1
error[E0283]: type annotations required: cannot resolve `_: std::convert::Into<mio::Ready>`
--> .cargo/registry/src/github.com-1ecc6299db9ec823/tokio-0.1.1/src/reactor/mod.rs:472:15
|
472 | hup() | UnixReady::aio().into()
| ^
|
= note: required because of the requirements on the impl of `std::ops::BitOr<_>` for `mio::Ready`
error[E0599]: no method named `is_aio` found for type `&mio::Ready` in the current scope
--> .cargo/registry/src/github.com-1ecc6299db9ec823/tokio-0.1.1/src/reactor/mod.rs:490:15
|
490 | ready.is_aio()
| ^^^^^^
error: aborting due to 2 previous errors
error: failed to compile `doh-proxy v0.1.5`, intermediate artifacts can be found at `/tmp/cargo-install.w2YK4Rw6Sysm`
Caused by:
Could not compile `tokio`.
To learn more, run the command again with --verbose.
$ rustc -V
rustc 1.22.1
$ freebsd-version
11.1-RELEASE-p6
This fix was merged: tokio-rs/tokio#142, see commit tokio-rs/tokio@ab25943 .
So you may either wait for a release or fetch tokio via git + branch
syntax in Cargo.toml
Fixes: tokio-rs/tokio#158
$ cargo install doh-proxy --version 0.1.10
$ /usr/local/bin/doh-proxy -V
doh-proxy
$ /usr/local/bin/doh-proxy --version
doh-proxy
When I start with:
./doh-proxy -p /dns-query -u 172.17.0.2:553 -H mydomain.org -i /opt/acme.sh/certs/mydomain.org/fullchain.pem -I /opt/acme.sh/certs/mydomain.org/mydomain.org.pkcs8.pem
I get a crash:
thread 'main' panicked at 'Mismatch between definition and access of `tls_cert_path`. Could not downcast to TypeId { t: 2123382240168030213 }, need to downcast to TypeId { t: 9339889987678504387 }
', /home/myusername/.cargo/registry/src/github.com-1ecc6299db9ec823/clap-4.0.32/src/parser/error.rs:30:9
I made sure the keyfile was converted to pkcs8 and I converted the fullchain also to pem format, but I get the same error when I use the fullchain.cer file instead of the fullchain.pem file. I also tried putting everything in one file (fullchain en key) and then use the same for -i en -I but always the same result. I use certificates from the acme script, in this case ZeroSSL. Should I switch to Let's Encrypt? or is this a bug or shortcomming in clap?
Hi Frank
in the enviroment of my server crash problem, question, could you add a feature logfile and loglevel?
exampel
doh-proxy
-l, --logfile FILE
-lv, --loglevel LEVEL (1, 2, 3, 4, 5)
When I try to use a v6 address for --server-address
, I only get 500s back from doh-proxy
.
I attempted to use both Google's public DNS (2001:4860:4860::8888) and a listener on localhost (::1), both caused 500s. Using a doh-proxy
compiled from latest commit here.
dig
that you can query a public v6 server, such as Google's.$ dig @2001:4860:4860:0:0:0:0:8888 github.com
/doh-proxy -u [2001:4860:4860:0:0:0:0:8888]:53
. This should setup doh-query
to use the same upstream DNS server we just tested.doh-proxy
for a name. I used the libcurl doh client. Receive a 500 error in reply.$ ./doh github.com http://localhost:3000/dns-query
Probe for A got response: 500
Probe for AAAA got response: 500
Frankly both ipv6 and doh are somewhat new to me. Feel free to close the issue if you can't reproduce, it may be a problem with my network.
$ uname -ra
Linux 5.2.0-arch2-1-ARCH #1 SMP PREEMPT Mon Jul 8 18:18:54 UTC 2019 x86_64 GNU/Linux
$ cargo --version
cargo 1.37.0-nightly (4c1fa54d1 2019-06-24)
$ rustc --version
rustc 1.38.0-nightly (78ca1bda3 2019-07-08)
$ ip a s
// snip
3: wlp59s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether bc:a8:a6:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet 100.66.xxx.xxx/20 brd 100.66.xxx.255 scope global dynamic noprefixroute wlp59s0
valid_lft 34699sec preferred_lft 34699sec
inet6 2610:48:xxxx:xxxx::xxxx/128 scope global dynamic noprefixroute
valid_lft 78384sec preferred_lft 45984sec
inet6 fe80::825e:2247:765d:337/64 scope link noprefixroute
valid_lft forever preferred_lft forever
Hi,
I'm trying rust-doh with dnscrypt-proxy (and Firefox 60 DoH).
With both clients, I get the error message server error: Incomplete
for every DoH request
# /root/.cargo/bin/doh-proxy -u [::1]:53
Listening on http://127.0.0.1:3000
server error: Incomplete
server error: Incomplete
server error: Incomplete
server error: Incomplete
server error: Incomplete
server error: Incomplete
server error: Incomplete
server error: Incomplete
The webserver logs look sane:
185.xx.xx.xx - - [29/May/2018:15:07:29 +0200] "POST /dns-query HTTP/2.0" 502 16
185.xx.xx.xx - - [29/May/2018:15:07:29 +0200] "GET /dns-query?body=yv4BAAABAAAAAAABAAACAAEAACkQAAAAgAAAAA&ct=&dns=yv4BAAABAAAAAAABAAACAAEAACkQAAAAgAAAAA&random_padding=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/2.0" 502 16
The webserver is a caddy (https://caddyserver.com/)
Any hints how to troubleshoot this issue?
Makes it difficult to do via SSH on a remote server
Listening on http://127.0.0.1:3000/dns-query
thread 'doh-proxy' panicked at 'executor must be set', /home/username/.cargo/registry/src/github.com-1ecc6299db9ec823/hyper-0.13.1/src/common/exec.rs:51:21
stack backtrace:
0: 0x562d810c24d3 - backtrace::backtrace::libunwind::trace::h65597d255cb1398b
at /cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.40/src/backtrace/libunwind.rs:88
1: 0x562d810c24d3 - backtrace::backtrace::trace_unsynchronized::hd4f479d7150ec4a0
at /cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.40/src/backtrace/mod.rs:66
2: 0x562d810c24d3 - std::sys_common::backtrace::_print_fmt::h015072984a2b172c
at src/libstd/sys_common/backtrace.rs:77
3: 0x562d810c24d3 - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::h6df05d3335f32194
at src/libstd/sys_common/backtrace.rs:61
4: 0x562d8107a1cc - core::fmt::write::h1f444f4312eb6c27
at src/libcore/fmt/mod.rs:1028
5: 0x562d810c1a86 - std::io::Write::write_fmt::h8d147888220078ef
at src/libstd/io/mod.rs:1412
6: 0x562d810c1716 - std::sys_common::backtrace::_print::h8a6df0fa81d6af62
at src/libstd/sys_common/backtrace.rs:65
7: 0x562d810c1716 - std::sys_common::backtrace::print::h6f05b4733407e509
at src/libstd/sys_common/backtrace.rs:50
8: 0x562d810c1716 - std::panicking::default_hook::{{closure}}::h0d0a23bd02315dd8
at src/libstd/panicking.rs:188
9: 0x562d810c0f6a - std::panicking::default_hook::h8d15a9aecb4efac6
at src/libstd/panicking.rs:205
10: 0x562d810c0f6a - std::panicking::rust_panic_with_hook::hbe174577402a475d
at src/libstd/panicking.rs:464
11: 0x562d80fe8834 - std::panicking::begin_panic::hc235e45295fb5bab
12: 0x562d80fe5039 - std::future::get_task_context::h592c3be0a4e2aeef
13: 0x562d8100fcf2 - <std::future::GenFuture<T> as core::future::future::Future>::poll::h458574a92e461cd8
14: 0x562d81007b1b - tokio::task::raw::poll::hfc8674d7a89fa136
15: 0x562d810d959f - tokio::runtime::thread_pool::worker::GenerationGuard::run_task::h8ddd3c8b6b5c413e
16: 0x562d810d717d - tokio::runtime::thread_pool::worker::Worker::run::h9f22101ef8cd3d40
17: 0x562d810d5b95 - tokio::task::raw::poll::h47a4c137b63bfa8c
18: 0x562d810d5247 - tokio::runtime::blocking::pool::Inner::run::{{closure}}::{{closure}}::h38b83961965e2ec7
19: 0x562d810d4ce4 - std::sys_common::backtrace::__rust_begin_short_backtrace::hac71e489158b8bc6
20: 0x562d810d48cf - core::ops::function::FnOnce::call_once{{vtable.shim}}::h9bd6fffaf87f089a
21: 0x562d810cd6bf - <alloc::boxed::Box<F> as core::ops::function::FnOnce<A>>::call_once::h3534c64212330b0c
at /rustc/73528e339aae0f17a15ffa49a8ac608f50c6cf14/src/liballoc/boxed.rs:942
22: 0x562d810ce3fc - <alloc::boxed::Box<F> as core::ops::function::FnOnce<A>>::call_once::h338c10574a337ece
at /rustc/73528e339aae0f17a15ffa49a8ac608f50c6cf14/src/liballoc/boxed.rs:942
23: 0x562d810ce3fc - std::sys_common::thread::start_thread::h761ac6d57710d65d
at src/libstd/sys_common/thread.rs:13
24: 0x562d810ce3fc - std::sys::unix::thread::Thread::new::thread_start::h61c012ef60f933c0
at src/libstd/sys/unix/thread.rs:79
25: 0x7f8a032a16db - start_thread
26: 0x7f8a0224e88f - __clone
27: 0x0 - <unknown>
Aborted (core dumped)
I tried:
doh-proxy -l "127.0.0.1:3000 ; [::1]:3000"
doh-proxy -l "127.0.0.1:3000 , [::1]:3000"
doh-proxy -l "127.0.0.1:3000" -l "[::1]:3000"
All of these did not work.
Hello,
It seems the given parameter for the IP of the resolver is not taken into account.
When I check your code, I don't see your proxy making any use the of Doh Struct and still using the constant you defined a the beginning.
I've just set up a rust-doh server successfully. As I'm filling a table here to get an encoded DNS Stamp, the Certificate hash (SHA256) blank has confused me.
As I can see there are two comma-separated hashes of the certificate have been encoded in Cloudflare's DNS Stamp, I have no idea about how they are generated nor which certificate's fingerprint could match one of them.
Tested with dnscrypt-proxy: 2.0.46-beta1
dnscrypt-proxy.toml configuration:
server_names = ['jp.tiarap.org-odoh']
[anonymized_dns]
routes = [
{ server_name='*', via=['odohrelay-crypto-sx'] },
]
[static]
[static.'jp.tiarap.org-odoh']
stamp = 'sdns://BQcAAAAAAAAADWpwLnRpYXJhcC5vcmcFL29kb2g'
env DEBUG=1 ./dnscrypt-proxy
[2021-06-08 19:34:39] [NOTICE] Firefox workaround initialized
[2021-06-08 19:34:39] [DEBUG] Refreshing certificates
[2021-06-08 19:34:39] [DEBUG] Resolving [jp.tiarap.org] using bootstrap resolvers over udp
[2021-06-08 19:34:39] [DEBUG] [jp.tiarap.org] IP address [104.21.65.60] added to the cache, valid for 12h0m0s
[2021-06-08 19:34:40] [NOTICE] Anonymizing queries for [jp.tiarap.org-odoh] via [odohrelay-crypto-sx]
[2021-06-08 19:34:40] [DEBUG] Pausing after ODoH configuration retrieval
[2021-06-08 19:34:44] [DEBUG] Pausing done
[2021-06-08 19:34:44] [DEBUG] Resolving [odoh-relay.edgecompute.app] using bootstrap resolvers over udp
[2021-06-08 19:34:45] [DEBUG] [odoh-relay.edgecompute.app] IP address [199.232.45.51] added to the cache, valid for 12h0m0s
[2021-06-08 19:34:45] [WARNING] Unable to decrypt response from [jp.tiarap.org-odoh]: [Malformed response]
[2021-06-08 19:34:45] [INFO] Trying to fetch the [jp.tiarap.org-odoh] configuration again
[2021-06-08 19:34:45] [NOTICE] Anonymizing queries for [jp.tiarap.org-odoh] via [odohrelay-crypto-sx]
[2021-06-08 19:34:45] [DEBUG] Pausing after ODoH configuration retrieval
[2021-06-08 19:34:46] [DEBUG] Pausing done
[2021-06-08 19:34:46] [WARNING] Unable to decrypt response from [jp.tiarap.org-odoh]: [Malformed response]
Working fine with other relays:
[anonymized_dns]
routes = [
{ server_name='*', via=['odohrelay-surf', 'odohrelay-bcn'] },
]
[2021-06-08 19:39:22] [NOTICE] Anonymized DNS: routing everything via [odohrelay-surf odohrelay-bcn]
[2021-06-08 19:39:22] [NOTICE] Firefox workaround initialized
[2021-06-08 19:39:22] [DEBUG] Refreshing certificates
[2021-06-08 19:39:22] [DEBUG] Resolving [jp.tiarap.org] using bootstrap resolvers over udp
[2021-06-08 19:39:22] [DEBUG] [jp.tiarap.org] IP address [172.67.158.198] added to the cache, valid for 12h0m0s
[2021-06-08 19:39:23] [NOTICE] Anonymizing queries for [jp.tiarap.org-odoh] via [odohrelay-surf]
[2021-06-08 19:39:23] [DEBUG] Pausing after ODoH configuration retrieval
[2021-06-08 19:39:26] [DEBUG] Pausing done
[2021-06-08 19:39:28] [INFO] [jp.tiarap.org-odoh] TLS version: 304 - Protocol: h2 - Cipher suite: 4865
[2021-06-08 19:39:28] [DEBUG] Advertised relay cert: [CN=odoh1.surfdomeinen.nl] [39388d8e34076afa433b7e4742d75ca03ec927e33ebe4864047db96f227c2896]
[2021-06-08 19:39:28] [DEBUG] Advertised relay cert: [CN=R3,O=Let's Encrypt,C=US] [444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce]
[2021-06-08 19:39:28] [DEBUG] Advertised relay cert: [CN=ISRG Root X1,O=Internet Security Research Group,C=US] [11b102e6b1f63e528984d6025f32b138241fc88bbd7519574d70c9832d53e1e8]
[2021-06-08 19:39:28] [NOTICE] [jp.tiarap.org-odoh] OK (ODoH) - rtt: 548ms
[2021-06-08 19:39:28] [NOTICE] Server with the lowest initial latency: jp.tiarap.org-odoh (rtt: 548ms)
[2021-06-08 19:39:28] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Recently I have been getting the following with dnscrypt-proxy "[ERROR] Webserver returned code 429".
I am not sure what may be the cause of this.
Nothing has been updated or changed on the server except recently newer version(s) of rust-doh.
When I restart rust-doh, it accepts connections again.
I think this would be a common usecase, having this documented would be awesome.
Hey,
I've configured doh-server to run behind encrypted-dns-server. Both are running in docker containers. The dnscrypt service is based on dnscrypt-server-docker.
I've directed dnscrypt-proxy (static configuration). Unexpectedly I saw warnings around HTTP/2
[2021-01-03 11:48:08] [WARNING] [dohdo] does not support HTTP/2
[2021-01-03 11:48:08] [NOTICE] [dohdo] OK (DoH) - rtt: 8ms
[2021-01-03 11:48:08] [WARNING] [dohv] does not support HTTP/2
[2021-01-03 11:48:08] [NOTICE] [dohv] OK (DoH) - rtt: 6ms
Did I misunderstand https://github.com/jedisct1/doh-server#accepting-both-dnscrypt-and-doh-connections-on-port-443 or should that support HTTP/2?
Since this is a binary project it should distribute its Cargo.lock. Some distros depend on it for reproducible builds.
I'm using the version installed from crates. When I try to use Let's Encrypt cert/key it doesn't work:
doh-proxy --listen-address 127.0.0.1:3001 --tls-cert-key-path privkey.pem --tls-cert-path fullchain.pem
I get a SSL_ERROR_RX_MALFORMED_CERTIFICATE
error in the browser and a * error:1416F09F:SSL routines:tls_process_server_certificate:length mismatch
error via curl. It does work when I use the self-signed certificate provided. Maybe rustls doesn't like the format used by Let's Encrypt?
Two rust-doh instances running version 0.1.15 crashed with:
thread 'tokio-runtime-worker-0' panicked at 'index out of bounds:
the len is 0 but the index is 4', doh-proxy-0.1.15/src/dns.rs:9:16
They were not running with RUST_BACKTRACE=1
, but they do now.
I'll add more information here as it becomes available.
I got this error when I tried updating rust-doh to 0.1.8 in my docker image:
$ cargo install doh-proxy --version 0.1.8 --root /usr/local/
[...]
Compiling doh-proxy v0.1.8
error[E0046]: not all trait items implemented, missing: `description`
--> src/main.rs:70:1
|
70 | impl std::error::Error for Error {}
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ missing `description` in implementation
|
= note: `description` from trait: `fn(&Self) -> &str`
error: aborting due to previous error
For more information about this error, try `rustc --explain E0046`.
error: failed to compile `doh-proxy v0.1.8`, intermediate artifacts can be found at `/tmp/cargo-install1fPzaU`
Caused by:
Could not compile `doh-proxy`.
To learn more, run the command again with --verbose.
Hi,
our setup:
nginx -> rust-doh -> unbound
In a small fraction (~1 out of 1000 queries) nginx returns the HTTP 502 response code which suggests that rust-doh had an issue with the request and returned something unexpected.
We never see HTTP 502 response codes when using
https://github.com/facebookexperimental/doh-proxy
Since apparently there are no rust-doh logs (#11) it is hard to further debug this.
version: 0.1.15
Hello, I am using this to directly connect to my browser, ร la recursive unbound <--> doh-server <--> firefox
. Whilst it works amazing, I'd love support for TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
to be added to the crypto primitives, as the server side runs on an ARM SBC.
I am suggesting a preferred cryptographic cipher flag in the means of -s, --cipher-suite
followed by an integer representing the cipher.
## DoH: Use a specific cipher suite instead of the server preference
## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
## 4865 = TLS_AES_128_GCM_SHA256
## 4867 = TLS_CHACHA20_POLY1305_SHA256
Preferably all of them. If this is stupid or you are occupied with more important tasks and must close this issue, do not hesitate. I will be able to respect it.
% cargo install doh-proxy
...
Compiling tokio-threadpool v0.1.7
Compiling parking_lot v0.6.4
Compiling tokio-reactor v0.1.6
error[E0658]: use of unstable library feature 'thread_local_state': state querying was recently added (see issue #27716)
--> /home/stephane/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-reactor-0.1.6/src/sharded_rwlock.rs:158:18
|
158 | REGISTRATION.try_with(|reg| reg.index).unwrap_or(0)
| ^^^^^^^^
error: aborting due to previous error
error: Could not compile `tokio-reactor`.
warning: build failed, waiting for other jobs to finish...
error: failed to compile `doh-proxy v0.1.10`, intermediate artifacts can be found at `/tmp/cargo-install.rmjXAghhsfKL`
Caused by:
build failed
Complete n00b in Rust so I'm afraid I cannot find the cause myself.
% cargo --version
cargo 0.26.0
% rustc --version
rustc 1.25.0
Hello,
I noticed that if the configured upstream dns server has the truncate bit set, the doh-proxy does not retry via TCP. I think the standard is that a resolver should retry via TCP, if that tc bit is set. Is this a bug, or can there be anything configured?
Depending on the dns server, the doh-proxy returns either an empty response to the client or an error. I received an empty response when the server returned in his answer Additional data
type OPT (9.9.9.9). If there was no additional data (1.1.1.1), then the client returns a message that the query failed.
doh-proxy started with default 9.9.9.9
marco@dust ~/m/g/p/doh-server (master)> ~/.cargo/bin/doh-proxy --allow-odoh-post --tls-cert-key-path localhost.pem --tls-cert-path localhost.pem
DNS query
marco@dust ~> kdig @127.0.0.1 -p 3000 +https +tls-ca=/Users/marco/mydata/git/public/doh-server/localhost.pem +tls-host=localhost akamai.com txt
;; TLS session (TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA512)-(AES-256-GCM)
;; HTTP session (HTTP/2-POST)-(localhost/dns-query)-(status: 200)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 0
;; Flags: qr tc rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 512 B; ext-rcode: NOERROR
;; PADDING: 25 B
;; QUESTION SECTION:
;; akamai.com. IN TXT
;; Received 68 B
;; Time 2021-06-08 22:46:25 CEST
;; From 127.0.0.1@3000(TCP) in 27.2 ms
doh-proxy started with cloudflare
marco@dust ~/m/g/p/doh-server (master)> ~/.cargo/bin/doh-proxy --allow-odoh-post --tls-cert-key-path localhost.pem --tls-cert-path localhost.pem --server-address 1.1.1.1:53
DNS query
marco@dust ~> kdig @127.0.0.1 -p 3000 +https +tls-ca=/Users/marco/mydata/git/public/doh-server/localhost.pem +tls-host=localhost akamai.com txt
;; WARNING: TLS, peer took too long to respond
;; ERROR: failed to query server 127.0.0.1@3000(TCP)
Besides the tcp retry, some dns servers seem to respond differently. If you try a lookup multiple times with 9.9.9.9 you will eventually get a large udp response, with fragmented packets.
We keep seeing 406 Not Acceptable
from rust-doh when client send HTTP GET
:
rust-doh: 0.1.17
user-agent: dnscrypt-proxy
HTTP Method: GET
Request URI Path: dns-query
Request URI Parameter: ct=
Request URI Parameter: dns=
I was so excited about this doh-server but found no tutorial on how to set it up. Iranian regime is closing all DoH servers. We have to create our own DoH server to fight this censorship
please do add a tutorial
Thanks
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.