fdns's Issues

fdns resolver process 0 killed by seccomp - syscall 11 (munmap)

$ apk info fdns
fdns-0.9.68-r1 description:
Firejail DNS-over-HTTPS proxy server

fdns-0.9.68-r1 webpage:
https://github.com/netblue30/fdns

fdns-0.9.68-r1 installed size:
2456 KiB
$ doas fdns
Testing server tiarap
   Tags: geocast, Americas, AsiaPacific, Europe
   SSL/TLS connection: 2040.41 ms
   DoH query average: 463.93 ms
   DoH/Do53 bandwidth ratio: 3.50
   Keepalive: 40 seconds

Testing server blahdns-sg
   Tags: Singapore, AsiaPacific, adblocker
   Error: server blahdns-sg failed

Testing fallback server: quad9 (9.9.9.9) - 228.95 ms

fdns starting
connecting to tiarap server
listening on 127.1.1.1
469 filter entries added from /etc/fdns/trackers
8940 filter entries added from /etc/fdns/fp-trackers
10158 filter entries added from /etc/fdns/coinblocker
60945 filter entries added from /etc/fdns/adblocker
ip 172.67.173.59
05:29:23 (1) SSL connection opened to 172.67.173.59
ip 172.67.173.59
05:29:23 (0) SSL connection opened to 172.67.173.59
05:29:24 (0) h2 transport up
05:29:24 (1) h2 transport up
05:29:27 (0) Error LANrx: invalid DNS section counts: 1 0 0 1, dropped
05:29:35 (1) Error LANrx: invalid DNS section counts: 1 0 0 1, dropped
05:29:40 (1) Error LANrx: invalid DNS section counts: 1 0 0 1, dropped
05:29:45 (1) Error LANrx: invalid DNS section counts: 1 0 0 1, dropped
Error: fdns resolver process 1 killed by seccomp - syscall 11 (munmap)
05:29:48 (1) Error: fdns resolver process 1 killed by seccomp - syscall 11 (munmap)
Error: resolver 1 (pid 3638) terminated, restarting it...
ip 172.67.173.59
05:30:03 (1) SSL connection opened to 172.67.173.59
05:30:04 (1) h2 transport up
Error: fdns resolver process 0 killed by seccomp - syscall 11 (munmap)
05:30:07 (0) Error: fdns resolver process 0 killed by seccomp - syscall 11 (munmap)
Error: resolver 0 (pid 3637) terminated, restarting it...
469 filter entries added from /etc/fdns/trackers
8940 filter entries added from /etc/fdns/fp-trackers
10158 filter entries added from /etc/fdns/coinblocker
60945 filter entries added from /etc/fdns/adblocker
ip 172.67.173.59
05:30:15 (0) SSL connection opened to 172.67.173.59
05:30:16 (0) h2 transport up
05:30:36 (1) Error LANrx: invalid DNS section counts: 1 0 0 1, dropped
05:30:41 (1) Error LANrx: invalid DNS section counts: 1 0 0 1, dropped
05:30:46 (1) Error LANrx: invalid DNS section counts: 1 0 0 1, dropped
Error: fdns resolver process 1 killed by seccomp - syscall 11 (munmap)
05:30:49 (1) Error: fdns resolver process 1 killed by seccomp - syscall 11 (munmap)
Error: fdns resolver process 0 killed by seccomp - syscall 11 (munmap)
Error: resolver 1 (pid 3697) terminated, restarting it...
05:30:58 (0) Error: fdns resolver process 0 killed by seccomp - syscall 11 (munmap)
Error: resolver 0 (pid 3700) terminated, restarting it...
ip 172.67.173.59
05:31:03 (1) SSL connection opened to 172.67.173.59
05:31:04 (1) h2 transport up

Commit https://github.com/netblue30/fdns/commit/0fa2904e501608290bb36ad726bfce6d0e6341ca breaks build

Recent commits seem to have broken the build from git master. Bisecting points to 0fa2904 as the breakage point:

$ git clone https://github.com/netblue30/fdns.git
$ cd fdns
$ ./configure --prefix=/usr
$ make
[...]
gcc  -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -pie -Wl,-z,relro -Wl,-z,now -lpthread -o fdns cache.o dns.o dnsdb.o filter.o forwarder.o frontend.o h2.o hpack_static.o huffman.o lint.o log.o main.o net.o procs.o resolver.o security.o server.o shmem.o ssl.o timetrace.o whitelist.o  -lssl -lcrypto -lrt  -lseccomp  
/usr/bin/ld: dns.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: multiple definition of `h2_transport'; cache.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: first defined here
/usr/bin/ld: dnsdb.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: multiple definition of `h2_transport'; cache.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: first defined here
/usr/bin/ld: filter.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: multiple definition of `h2_transport'; cache.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: first defined here
/usr/bin/ld: forwarder.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: multiple definition of `h2_transport'; cache.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: first defined here
/usr/bin/ld: frontend.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: multiple definition of `h2_transport'; cache.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: first defined here
/usr/bin/ld: h2.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: multiple definition of `h2_transport'; cache.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: first defined here
/usr/bin/ld: huffman.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/../fdns/fdns.h:388: multiple definition of `h2_transport'; cache.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: first defined here
/usr/bin/ld: lint.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: multiple definition of `h2_transport'; cache.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: first defined here
/usr/bin/ld: log.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: multiple definition of `h2_transport'; cache.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: first defined here
/usr/bin/ld: main.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: multiple definition of `h2_transport'; cache.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: first defined here
/usr/bin/ld: net.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: multiple definition of `h2_transport'; cache.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: first defined here
/usr/bin/ld: procs.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: multiple definition of `h2_transport'; cache.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: first defined here
/usr/bin/ld: resolver.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: multiple definition of `h2_transport'; cache.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: first defined here
/usr/bin/ld: security.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: multiple definition of `h2_transport'; cache.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: first defined here
/usr/bin/ld: server.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: multiple definition of `h2_transport'; cache.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: first defined here
/usr/bin/ld: shmem.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: multiple definition of `h2_transport'; cache.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: first defined here
/usr/bin/ld: ssl.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: multiple definition of `h2_transport'; cache.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: first defined here
/usr/bin/ld: whitelist.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: multiple definition of `h2_transport'; cache.o:/home/glitsj16/fdns-git/src/fdns/src/fdns/fdns.h:388: first defined here
collect2: error: ld returned 1 exit status
make[1]: Leaving directory '/home/glitsj16/fdns-git/src/fdns/src/fdns'
make[1]: *** [Makefile:9: fdns] Error 1
make: *** [Makefile:21: src/fdns] Error 2

configure logic potentially breaks apparmor and systemd unit

After a few recent commits (ab48358 and 318ee24) it dawned on me that our configure logic seems to assume --prefix=/usr is present. If that prefix is absent (which is the default if not explicitly added when packaging), things start to break rather badly. Especially the apparmor files and the systemd unit are affected.

Let's check what happens when a user uses ./configure --enable-apparmor:

  • fdns binary ends up in /usr/local/bin/fdns
  • apparmor files go to /usr/local/etc/apparmor.d/{usr.bin.fdns,local/usr.bin.fdns}
  • systemd unit ends up in /usr/local/etc/fdns/fdns.service

Problems:

  • /usr/local/etc/apparmor.d/usr.bin.fdns refers to /usr/bin/fdns and /etc/fdns/**, both of which are NON-EXISTING paths on such a setup, breaking apparmor support
  • even though ./configure --help states that without the --systemd=DIR option, a copy of the unit file is installed in ${sysconfdir}/fdns directory, that file itself references ExecStart=/usr/bin/fdns, which obviously does not exist

IMHO we should improve the current configuration logic and avoid such breakage.
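As an added example (not fdns's own tooling), the POSIX shell script below performs the check this report calls for: after an install it confirms that the ExecStart= binary named in the systemd unit and the attachment path of the AppArmor profile actually exist, optionally under a staging root such as a packaging DESTDIR. The fixture it builds reproduces the mismatch described above (binary in /usr/local/bin, unit and profile written for /usr/bin); the function names, file names and the fixture are assumptions, not part of the project.

```shell
#!/bin/sh
# Added example, not fdns code: verify that paths baked into a systemd unit and
# an AppArmor profile exist, so a /usr vs /usr/local mismatch is caught at
# install time. Assumes sed -E (GNU or BSD). ROOT is an optional staging prefix
# prepended to every absolute path; pass "" for the live system.

# Print the executable named by each Exec*= line, stripping systemd's special
# prefix characters (-, @, :, +, !) and any arguments.
unit_exec_paths() {
  sed -En 's/^Exec(Start|StartPre|StartPost|Stop|Reload)=[-@:+!]*([^ ]+).*/\2/p' "$1"
}

# Print the attachment path of an AppArmor profile, whether it is written as
# "/usr/bin/fdns {" or "profile name /usr/bin/fdns {".
apparmor_attach_path() {
  sed -En 's/^(profile +[^ ]+ +)?(\/[^ {]+) *(flags=\([^)]*\) *)?\{.*/\2/p' "$1"
}

# check_install ROOT UNITFILE [PROFILE]: exit 0 if every referenced binary
# exists (and is executable) under ROOT, otherwise list each missing path and
# exit 1.
check_install() {
  root=$1; unit=$2; profile=${3:-}; rc=0
  for exe in $(unit_exec_paths "$unit"); do
    if [ ! -x "$root$exe" ]; then
      echo "missing: $exe (Exec line in $unit)"; rc=1
    fi
  done
  if [ -n "$profile" ]; then
    for exe in $(apparmor_attach_path "$profile"); do
      if [ ! -x "$root$exe" ]; then
        echo "missing: $exe (attachment path in $profile)"; rc=1
      fi
    done
  fi
  return $rc
}

# Constructed fixture reproducing the report: the binary lands under
# /usr/local/bin while the unit and profile still point at /usr/bin/fdns.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/usr/local/bin"
  printf '#!/bin/sh\n' > "$d/usr/local/bin/fdns"
  chmod +x "$d/usr/local/bin/fdns"
  printf '[Service]\nExecStart=/usr/bin/fdns --daemonize\n' > "$d/fdns.service"
  printf '/usr/bin/fdns {\n  /etc/fdns/** r,\n}\n' > "$d/usr.bin.fdns"
  echo "$d"
}

# Stand-alone demo: the fixture is expected to fail the check.
fixture=$(make_fixture)
check_install "$fixture" "$fixture/fdns.service" "$fixture/usr.bin.fdns" \
  || echo "install check failed as expected for the mismatched fixture"
rm -rf "$fixture"
```

Run it with an empty ROOT against the real unit and profile after `make install` to catch the problem before the service is enabled; a packaging script can pass its DESTDIR as ROOT instead.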

fdns --monitor - Waiting for fdns to start...

After the introduction of the cashpack library I have experienced build and run issues with fdns built from git on Arch Linux. It's been a bit more complicated than usual to do proper testing due to several factors being involved, and I'm not 100% certain that my current build (which has the run issues) is causing these issues or something I messed up during build. Nonetheless, I wanted to throw it out here.

Arch Linux has gcc-10 now, and I needed to edit my PKGBUILD for fdns-git slightly to account for that. Adding -fcommon to CFLAGS took care of a linker failure during 'make install'. This is not specific to fdns though, I had to do similar stuff for other packages too with the new gcc-10.

Unrelated to the above, the build process kept throwing more unexpected errors. One about xxd not being detected during ./configure was simply due to not having vim installed on my Arch machine. That made me wonder a bit; I never needed vim (more specifically xxd) before, but I installed it. Sure enough, the error disappeared and ./configure succeeded after doing so.

During 'make' I encountered the biggest hurdle:

[...]
godecode.go:32:2: cannot find package "golang_org/x/net/http2/hpack" in any of:
	/usr/lib/go/src/golang_org/x/net/http2/hpack (from $GOROOT)
[...]

After some digging, it turned out that this was introduced by the recent cashpack library incorporation via 3571311 (which is also the reason why xxd is now needed at build-time by the way).

$ makepkg

checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for a BSD-compatible install... /usr/bin/install -c
checking for ranlib... ranlib
checking whether C compiler accepts -mindirect-branch=thunk... yes
checking whether C compiler accepts -mretpoline... no
checking whether C compiler accepts -fstack-clash-protection... yes
checking whether C compiler accepts -fstack-protector-strong... yes
checking for main in -lpthread... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking pthread.h usability... yes
checking pthread.h presence... yes
checking for pthread.h... yes
checking for main in -lseccomp... yes
checking seccomp.h usability... yes
checking seccomp.h presence... yes
checking for seccomp.h... yes
libseccomp library found
checking for pkg-config... pkg-config
checking whether compiling and linking against OpenSSL works... yes
OpenSSL library found
cashpack-0.3/
cashpack-0.3/inc/
cashpack-0.3/inc/uncrustify.cfg
cashpack-0.3/inc/hpack_assert.h
cashpack-0.3/inc/dbg.h
cashpack-0.3/inc/hpack.h.in
cashpack-0.3/inc/tbl/
cashpack-0.3/inc/tbl/hpack_pseudo_headers.h
cashpack-0.3/inc/tbl/hpack_tbl.h
cashpack-0.3/inc/tbl/hpack_huffman.h
cashpack-0.3/inc/tbl/hpack_static.h
cashpack-0.3/inc/hpack_priv.h
cashpack-0.3/inc/Makefile.in
cashpack-0.3/inc/hpack.h
cashpack-0.3/inc/Makefile.am
cashpack-0.3/inc/cpp_ignore
cashpack-0.3/configure.ac
cashpack-0.3/README.rst
cashpack-0.3/cashpack.spec.in
cashpack-0.3/m4/
cashpack-0.3/m4/cashpack.m4
cashpack-0.3/m4/libtool.m4
cashpack-0.3/m4/ltversion.m4
cashpack-0.3/m4/ld-version-script.m4
cashpack-0.3/m4/ltsugar.m4
cashpack-0.3/m4/lt~obsolete.m4
cashpack-0.3/m4/ltoptions.m4
cashpack-0.3/tst/
cashpack-0.3/tst/rfc7541_c_6_3
cashpack-0.3/tst/rfc7541_c_3_3
cashpack-0.3/tst/hdecode.c
cashpack-0.3/tst/hpack_huf
cashpack-0.3/tst/rfc7541_c_2_4
cashpack-0.3/tst/rfc7541_c_5_1
cashpack-0.3/tst/godecode.go
cashpack-0.3/tst/rfc7541_c_5_3
cashpack-0.3/tst/ngdecode.c
cashpack-0.3/tst/rfc7541_c_3_1
cashpack-0.3/tst/hpack_arg
cashpack-0.3/tst/common.sh
cashpack-0.3/tst/rfc7541_c_2_2
cashpack-0.3/tst/rfc7541_4_3
cashpack-0.3/tst/tst.c
cashpack-0.3/tst/hpack_enc
cashpack-0.3/tst/hencode.c
cashpack-0.3/tst/rfc7540_4_3
cashpack-0.3/tst/rfc7541_c_4_3
cashpack-0.3/tst/hex_decode
cashpack-0.3/tst/hex_encode
cashpack-0.3/tst/rfc7541_c_6_1
cashpack-0.3/tst/rfc7230_3_2
cashpack-0.3/tst/rfc7541_c_6_2
cashpack-0.3/tst/rfc7541_6_3
cashpack-0.3/tst/rfc7541_c_3_2
cashpack-0.3/tst/rfc7540_8_1_2
cashpack-0.3/tst/rfc7541_4_1
cashpack-0.3/tst/rfc7541_c_4_2
cashpack-0.3/tst/hpack_arg.c
cashpack-0.3/tst/hpack_cov
cashpack-0.3/tst/rfc7541_6_1
cashpack-0.3/tst/rfc7541_c_5_2
cashpack-0.3/tst/rfc7541_c_2_1
cashpack-0.3/tst/bincheck
cashpack-0.3/tst/Makefile.in
cashpack-0.3/tst/rfc7541_5_1
cashpack-0.3/tst/rfc7541_4_2
cashpack-0.3/tst/Makefile.am
cashpack-0.3/tst/rfc7541_4_4
cashpack-0.3/tst/hpack_tbl
cashpack-0.3/tst/hpack_dec
cashpack-0.3/tst/tst.h
cashpack-0.3/tst/rfc7541_2_3_3
cashpack-0.3/tst/rfc7541_2_3_2
cashpack-0.3/tst/hexcheck
cashpack-0.3/tst/rfc7541_5_2
cashpack-0.3/tst/afl_fuzz
cashpack-0.3/tst/rfc7541_c_2_3
cashpack-0.3/tst/rfc7541_c_4_1
cashpack-0.3/tst/fdecode.c
cashpack-0.3/lib/
cashpack-0.3/lib/hpack_huf.c
cashpack-0.3/lib/cashpack.pc.in
cashpack-0.3/lib/hpack.c
cashpack-0.3/lib/hpack_val.c
cashpack-0.3/lib/hpiencode.c
cashpack-0.3/lib/hpack_tbl.c
cashpack-0.3/lib/Makefile.in
cashpack-0.3/lib/hpack_enc.c
cashpack-0.3/lib/hpack_int.c
cashpack-0.3/lib/Makefile.am
cashpack-0.3/lib/cashpack.map
cashpack-0.3/lib/hpack_dec.c
cashpack-0.3/Makefile.in
cashpack-0.3/Makefile.am
cashpack-0.3/build-aux/
cashpack-0.3/build-aux/config.guess
cashpack-0.3/build-aux/test-driver
cashpack-0.3/build-aux/missing
cashpack-0.3/build-aux/ltmain.sh
cashpack-0.3/build-aux/compile
cashpack-0.3/build-aux/depcomp
cashpack-0.3/build-aux/install-sh
cashpack-0.3/build-aux/config.sub
cashpack-0.3/cashpack.spec
cashpack-0.3/man/
cashpack-0.3/man/requests.txt
cashpack-0.3/man/hpack_encode.3.rst
cashpack-0.3/man/hpack_strerror.3
cashpack-0.3/man/hpr2rst.c
cashpack-0.3/man/hpack_error.3
cashpack-0.3/man/hpack_encode.3
cashpack-0.3/man/hpack_tables.3
cashpack-0.3/man/hpack_index.3.rst
cashpack-0.3/man/cashpack.3
cashpack-0.3/man/hpack_alloc.3
cashpack-0.3/man/hpack_encoder.3
cashpack-0.3/man/hpack_static.3
cashpack-0.3/man/hpack_resize.3
cashpack-0.3/man/cashdumb.c
cashpack-0.3/man/hpack_dump.c
cashpack-0.3/man/hpack_decode.3
cashpack-0.3/man/cashdump.c
cashpack-0.3/man/hpack_trim.3
cashpack-0.3/man/Makefile.in
cashpack-0.3/man/hpack_dynamic.3
cashpack-0.3/man/hpack_limit.3
cashpack-0.3/man/hpe2rst.c
cashpack-0.3/man/Makefile.am
cashpack-0.3/man/hpack_decode.3.rst
cashpack-0.3/man/hpack_alloc.3.rst
cashpack-0.3/man/hpack_decoder.3
cashpack-0.3/man/hpf2rst.c
cashpack-0.3/man/frames.hex
cashpack-0.3/man/hpack_error.3.rst
cashpack-0.3/man/cashpack.3.rst
cashpack-0.3/man/hpack_dump.3
cashpack-0.3/man/hpack_index.3
cashpack-0.3/man/hpack_free.3
cashpack-0.3/LICENSE
cashpack-0.3/configure
cashpack-0.3/aclocal.m4
cashpack-0.3/gen/
cashpack-0.3/gen/hpack_huf_enc.c
cashpack-0.3/gen/gen.h
cashpack-0.3/gen/hpack_huf_enc.h
cashpack-0.3/gen/hpack_huf_dec.c
cashpack-0.3/gen/Makefile.in
cashpack-0.3/gen/hpack_huf_dec.h
cashpack-0.3/gen/Makefile.am
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking minix/config.h usability... no
checking minix/config.h presence... no
checking for minix/config.h... no
checking whether it is safe to define EXTENSIONS... yes
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for style of include used by make... GNU
checking whether make supports nested variables... yes
checking dependency style of gcc... gcc3
checking whether make supports nested variables... (cached) yes
checking whether build environment is sane... yes
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking how to print strings... printf
checking for a sed that does not truncate output... /usr/bin/sed
checking for fgrep... /usr/bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1572864
checking how to convert x86_64-unknown-linux-gnu file names to x86_64-unknown-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-unknown-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for ar... ar
checking for archiver @file support... no
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for a working dd... /usr/bin/dd
checking how to truncate binary pipes... /usr/bin/dd bs=4096 count=1
checking for mt... no
checking if : is a manifest tool... no
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
checking for a sed that does not truncate output... (cached) /usr/bin/sed
checking for gawk... (cached) gawk
checking for gcc option to accept ISO C99... none needed
checking for preprocessor stringizing operator... yes
checking if LD -Wl,--version-script works... yes
checking whether the compiler accepts -Werror... yes
checking whether the compiler accepts -Wall... yes
checking whether the compiler accepts -W... yes
checking whether the compiler accepts -Wstrict-prototypes... yes
checking whether the compiler accepts -Wmissing-prototypes... yes
checking whether the compiler accepts -Wpointer-arith... yes
checking whether the compiler accepts -Wreturn-type... yes
checking whether the compiler accepts -Wcast-qual... yes
checking whether the compiler accepts -Wwrite-strings... yes
checking whether the compiler accepts -Wswitch... yes
checking whether the compiler accepts -Wshadow... yes
checking whether the compiler accepts -Wunused-parameter... yes
checking whether the compiler accepts -Wcast-align... yes
checking whether the compiler accepts -Wchar-subscripts... yes
checking whether the compiler accepts -Winline... yes
checking whether the compiler accepts -Wnested-externs... yes
checking whether the compiler accepts -Wredundant-decls... yes
checking whether the compiler accepts -Wold-style-definition... yes
checking whether the compiler accepts -Wmissing-variable-declarations... no
checking whether the compiler accepts -Wextra... yes
checking whether the compiler accepts -Wmissing-declarations... yes
checking whether the compiler accepts -Wredundant-decls... yes
checking whether the compiler accepts -Wsign-compare... yes
checking whether the compiler accepts -Wunused-result... yes
checking whether the compiler accepts -errwarn=%all... no
checking whether the compiler accepts -errtags=yes... no
checking whether the compiler accepts -Wsparse-all... no
checking whether the compiler accepts -Wsparse-error... no
checking whether the compiler accepts -pedantic... yes
checking whether the compiler accepts -std=c99... yes
checking whether the compiler accepts -D_POSIX_C_SOURCE=200809L... yes
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for NGHTTP2... yes
checking for golang >= 1.7... yes
checking for hexdump... hexdump
checking for rst2man.py... rst2man.py
checking for uncrustify... no
checking for valgrind... no
checking for RFC 7541-compatible hexdumps... yes
checking for working bindumps to hexdumps conversions... yes
checking that generated files are newer than configure... done
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating cashpack.spec
config.status: creating gen/Makefile
config.status: creating inc/Makefile
config.status: creating lib/Makefile
config.status: creating lib/cashpack.pc
config.status: creating man/Makefile
config.status: creating tst/Makefile
config.status: executing depfiles commands
config.status: executing libtool commands
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/common.mk
config.status: creating src/fdns/Makefile
config.status: creating test/src/fdnstress/Makefile

Configuration options:
prefix: /usr
sysconfdir: /etc
Spectre compiler patch: yes
EXTRA_LDFLAGS:
EXTRA_CFLAGS: -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong
fatal warnings:
Gcov instrumentation:

/usr/bin/make -C src/cashpack-0.3
./mkman.sh 0.9.63 src/man/fdns.txt fdns.1
make[1]: Entering directory '/home/glitsj16/fdns-git/src/fdns/src/cashpack-0.3'
Making all in gen
make[2]: Entering directory '/home/glitsj16/fdns-git/src/fdns/src/cashpack-0.3/gen'
CC hpack_huf_dec.o
CC hpack_huf_enc.o
CCLD hpack_huf_dec.gen
CCLD hpack_huf_enc.gen
GEN hpack_huf_enc.h
GEN hpack_huf_dec.h
/usr/bin/make all-am
make[3]: Entering directory '/home/glitsj16/fdns-git/src/fdns/src/cashpack-0.3/gen'
make[3]: Nothing to be done for 'all-am'.
make[3]: Leaving directory '/home/glitsj16/fdns-git/src/fdns/src/cashpack-0.3/gen'
make[2]: Leaving directory '/home/glitsj16/fdns-git/src/fdns/src/cashpack-0.3/gen'
Making all in inc
make[2]: Entering directory '/home/glitsj16/fdns-git/src/fdns/src/cashpack-0.3/inc'
/usr/bin/make all-am
make[3]: Entering directory '/home/glitsj16/fdns-git/src/fdns/src/cashpack-0.3/inc'
make[3]: Nothing to be done for 'all-am'.
make[3]: Leaving directory '/home/glitsj16/fdns-git/src/fdns/src/cashpack-0.3/inc'
make[2]: Leaving directory '/home/glitsj16/fdns-git/src/fdns/src/cashpack-0.3/inc'
Making all in lib
make[2]: Entering directory '/home/glitsj16/fdns-git/src/fdns/src/cashpack-0.3/lib'
CC hpack.lo
CC hpack_dec.lo
CC hpack_enc.lo
CC hpack_huf.lo
CC hpack_int.lo
CC hpack_tbl.lo
CC hpack_val.lo
CC hpiencode.o
CCLD hpiencode
CCLD libhpack.la
/usr/bin/ar: `u' modifier ignored since `D' is the default (see `U')
make[2]: Leaving directory '/home/glitsj16/fdns-git/src/fdns/src/cashpack-0.3/lib'
Making all in man
make[2]: Entering directory '/home/glitsj16/fdns-git/src/fdns/src/cashpack-0.3/man'
CC cashdumb.o
CC cashdump.o
CC hpack_dump.o
CC hpe2rst.o
CC hpf2rst.o
CC hpr2rst.o
GEN cashdump.hex
GEN cashdump.src
GEN cashdumb.src
GEN cashdumb.txt
CCLD cashdumb
GEN hpack_dump.src
CCLD cashdump
CCLD hpack_dump
CCLD hpe2rst.gen
CCLD hpf2rst.gen
CCLD hpr2rst.gen
GEN hpe2rst.rst
GEN cashdump.out
GEN cashdumb.out
/usr/bin/ls: ./cashdump: Unknown error 22096
GEN hpr2rst.rst
GEN hpf2rst.rst
GEN hpack_error.3
GEN cashpack.3
GEN hpack_encode.3
make[2]: Leaving directory '/home/glitsj16/fdns-git/src/fdns/src/cashpack-0.3/man'
Making all in tst
make[2]: Entering directory '/home/glitsj16/fdns-git/src/fdns/src/cashpack-0.3/tst'
CC hpack_arg.o
CC tst.o
CC fdecode.o
CC hdecode.o
CC hencode.o
CC ngdecode-tst.o
CC ngdecode-ngdecode.o
GO src
CCLD hpack_arg
CCLD hdecode
CCLD fdecode
CCLD hencode
CCLD ngdecode
GO godecode
godecode.go:32:2: cannot find package "golang_org/x/net/http2/hpack" in any of:
/usr/lib/go/src/golang_org/x/net/http2/hpack (from $GOROOT)
/home/glitsj16/fdns-git/src/fdns/src/cashpack-0.3/tst/src/golang_org/x/net/http2/hpack (from $GOPATH)
make[2]: Leaving directory '/home/glitsj16/fdns-git/src/fdns/src/cashpack-0.3/tst'
make[2]: Entering directory '/home/glitsj16/fdns-git/src/fdns/src/cashpack-0.3'
make[2]: Nothing to be done for 'all-am'.
make[2]: Leaving directory '/home/glitsj16/fdns-git/src/fdns/src/cashpack-0.3'
make[1]: Leaving directory '/home/glitsj16/fdns-git/src/fdns/src/cashpack-0.3'
/usr/bin/make -C src/fdns
/usr/bin/make -C test/src/fdnstress
make[1]: Entering directory '/home/glitsj16/fdns-git/src/fdns/src/fdns'
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fcommon -ggdb -O2 -DVERSION='"0.9.63"' -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -c cache.c -o cache.o
make[1]: Entering directory '/home/glitsj16/fdns-git/src/fdns/test/src/fdnstress'
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fcommon -ggdb -O2 -DVERSION='"0.9.63"' -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -c main.c -o main.o
gcc -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -pie -Wl,-z,relro -Wl,-z,now -lpthread -o fdnstress main.o -lanl
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fcommon -ggdb -O2 -DVERSION='"0.9.63"' -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -c dns.c -o dns.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fcommon -ggdb -O2 -DVERSION='"0.9.63"' -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -c dnsdb.c -o dnsdb.o
make[1]: Leaving directory '/home/glitsj16/fdns-git/src/fdns/test/src/fdnstress'
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fcommon -ggdb -O2 -DVERSION='"0.9.63"' -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -c filter.c -o filter.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fcommon -ggdb -O2 -DVERSION='"0.9.63"' -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -c forwarder.c -o forwarder.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fcommon -ggdb -O2 -DVERSION='"0.9.63"' -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -c frontend.c -o frontend.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fcommon -ggdb -O2 -DVERSION='"0.9.63"' -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -c h2.c -o h2.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fcommon -ggdb -O2 -DVERSION='"0.9.63"' -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -c lint.c -o lint.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fcommon -ggdb -O2 -DVERSION='"0.9.63"' -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -c log.c -o log.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fcommon -ggdb -O2 -DVERSION='"0.9.63"' -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -c main.c -o main.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fcommon -ggdb -O2 -DVERSION='"0.9.63"' -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -c net.c -o net.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fcommon -ggdb -O2 -DVERSION='"0.9.63"' -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -c procs.c -o procs.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fcommon -ggdb -O2 -DVERSION='"0.9.63"' -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -c resolver.c -o resolver.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fcommon -ggdb -O2 -DVERSION='"0.9.63"' -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -c security.c -o security.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fcommon -ggdb -O2 -DVERSION='"0.9.63"' -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -c server.c -o server.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fcommon -ggdb -O2 -DVERSION='"0.9.63"' -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -c shmem.c -o shmem.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fcommon -ggdb -O2 -DVERSION='"0.9.63"' -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -c ssl.c -o ssl.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fcommon -ggdb -O2 -DVERSION='"0.9.63"' -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -c timetrace.c -o timetrace.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fcommon -ggdb -O2 -DVERSION='"0.9.63"' -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -c whitelist.c -o whitelist.o
gcc -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -pie -Wl,-z,relro -Wl,-z,now -lpthread -o fdns cache.o dns.o dnsdb.o filter.o forwarder.o frontend.o h2.o lint.o log.o main.o net.o procs.o resolver.o security.o server.o shmem.o ssl.o timetrace.o whitelist.o ../cashpack-0.3/lib/.libs/libhpack.a -lssl -lcrypto -lrt -lseccomp
make[1]: Leaving directory '/home/glitsj16/fdns-git/src/fdns/src/fdns'

`

Took a long time to figure this one out, playing with the GOPATH env var didn't do anything useful, but eventually I decided to try adding a go-related symlink on my machine: sudo ln -fs /usr/lib/go/src/vendor/golang.org/ /usr/lib/go/src/golang_org. That seems to have enabled me to get a successful fdns build from master. Seems, because I'm not fully convinced this is the proper way to deal with the observed error at all.

At run-time I wasn't getting much further either. Seeing several Error LANrx: invalid DNS section counts: 1 0 0 1, dropped lines in my fdns log convinced me it was time to report this here. But like I said, this could all be false-positives due to my way of dealing with the cashpack errors.

$ /usr/bin/fdns --debug-h2 --proxy-addr-any --server=appliedprivacy

`
Testing server appliedprivacy
(-1) h2 rx stream 0, len 12, type 0x04 SETTINGS, flags 0x00 ()
(-1) h2 rx stream 0, len 0, type 0x04 SETTINGS, flags 0x01 (end stream,)
(-1) h2 tx stream 15, len 143, type 0x01 HEADERS, flags 0x04 (end headers,)
(-1) h2 tx query example.com stream 15, len 48, type 0x00 DATA, flags 0x01 (end stream,)
(-1) h2 rx stream 0, len 4, type 0x08 UNKNOWN, flags 0x00 ()
(-1) h2 rx stream 15, len 53, type 0x01 HEADERS, flags 0x04 (end headers,)
(-1) h2 rx stream 15, len 88, type 0x00 DATA, flags 0x01 (end stream,)
SSL connection opened in 212.42 ms
(-1) h2 tx stream 17, len 143, type 0x01 HEADERS, flags 0x04 (end headers,)
(-1) h2 tx query example.com stream 17, len 48, type 0x00 DATA, flags 0x01 (end stream,)
(-1) h2 rx stream 17, len 9, type 0x01 HEADERS, flags 0x04 (end headers,)
(-1) h2 rx stream 17, len 88, type 0x00 DATA, flags 0x01 (end stream,)
(-1) h2 tx stream 19, len 143, type 0x01 HEADERS, flags 0x04 (end headers,)
(-1) h2 tx query example.com stream 19, len 48, type 0x00 DATA, flags 0x01 (end stream,)
(-1) h2 rx stream 19, len 9, type 0x01 HEADERS, flags 0x04 (end headers,)
(-1) h2 rx stream 19, len 88, type 0x00 DATA, flags 0x01 (end stream,)
(-1) h2 tx stream 21, len 143, type 0x01 HEADERS, flags 0x04 (end headers,)
(-1) h2 tx query example.com stream 21, len 48, type 0x00 DATA, flags 0x01 (end stream,)
(-1) h2 rx stream 21, len 9, type 0x01 HEADERS, flags 0x04 (end headers,)
(-1) h2 rx stream 21, len 88, type 0x00 DATA, flags 0x01 (end stream,)
(-1) h2 tx stream 23, len 143, type 0x01 HEADERS, flags 0x04 (end headers,)
(-1) h2 tx query example.com stream 23, len 48, type 0x00 DATA, flags 0x01 (end stream,)
(-1) h2 rx stream 23, len 9, type 0x01 HEADERS, flags 0x04 (end headers,)
(-1) h2 rx stream 23, len 88, type 0x00 DATA, flags 0x01 (end stream,)
(-1) h2 tx stream 25, len 143, type 0x01 HEADERS, flags 0x04 (end headers,)
(-1) h2 tx query example.com stream 25, len 48, type 0x00 DATA, flags 0x01 (end stream,)
(-1) h2 rx stream 25, len 9, type 0x01 HEADERS, flags 0x04 (end headers,)
(-1) h2 rx stream 25, len 88, type 0x00 DATA, flags 0x01 (end stream,)
DoH response average 31.96 ms
fdns starting
connecting to appliedprivacy server
non-profit, Austria, Europe
listening on all available interfaces
342 filter entries added from /etc/fdns/trackers
5277 filter entries added from /etc/fdns/fp-trackers
51399 filter entries added from /etc/fdns/adblocker
12604 filter entries added from /etc/fdns/coinblocker
(0) SSL connection opened
(1) SSL connection opened
(0) h2 rx stream 0, len 12, type 0x04 SETTINGS, flags 0x00 ()
(0) h2 rx stream 0, len 0, type 0x04 SETTINGS, flags 0x01 (end stream,)
(0) h2 tx stream 15, len 143, type 0x01 HEADERS, flags 0x04 (end headers,)
(0) h2 tx query example.com stream 15, len 48, type 0x00 DATA, flags 0x01 (end stream,)
(2) SSL connection opened
(0) h2 rx stream 0, len 4, type 0x08 UNKNOWN, flags 0x00 ()
(0) h2 rx stream 15, len 53, type 0x01 HEADERS, flags 0x04 (end headers,)
(0) h2 rx stream 15, len 88, type 0x00 DATA, flags 0x01 (end stream,)
(1) h2 rx stream 0, len 12, type 0x04 SETTINGS, flags 0x00 ()
(1) h2 rx stream 0, len 0, type 0x04 SETTINGS, flags 0x01 (end stream,)
(1) h2 tx stream 15, len 143, type 0x01 HEADERS, flags 0x04 (end headers,)
(1) h2 tx query example.com stream 15, len 48, type 0x00 DATA, flags 0x01 (end stream,)
(1) h2 rx stream 0, len 4, type 0x08 UNKNOWN, flags 0x00 ()
(1) h2 rx stream 15, len 53, type 0x01 HEADERS, flags 0x04 (end headers,)
(1) h2 rx stream 15, len 88, type 0x00 DATA, flags 0x01 (end stream,)
(2) h2 rx stream 0, len 12, type 0x04 SETTINGS, flags 0x00 ()
(2) h2 rx stream 0, len 0, type 0x04 SETTINGS, flags 0x01 (end stream,)
(2) h2 tx stream 15, len 143, type 0x01 HEADERS, flags 0x04 (end headers,)
(2) h2 tx query example.com stream 15, len 48, type 0x00 DATA, flags 0x01 (end stream,)
(2) h2 rx stream 0, len 4, type 0x08 UNKNOWN, flags 0x00 ()
(2) h2 rx stream 15, len 53, type 0x01 HEADERS, flags 0x04 (end headers,)
(2) h2 rx stream 15, len 88, type 0x00 DATA, flags 0x01 (end stream,)
(0) h2 tx stream 0, len 8, type 0x06 PING, flags 0x00 ()
(0) h2 rx stream 0, len 8, type 0x06 PING, flags 0x01 (end stream,)
(1) h2 tx stream 0, len 8, type 0x06 PING, flags 0x00 ()
(2) h2 tx stream 0, len 8, type 0x06 PING, flags 0x00 ()
(1) h2 rx stream 0, len 8, type 0x06 PING, flags 0x01 (end stream,)
(2) h2 rx stream 0, len 8, type 0x06 PING, flags 0x01 (end stream,)
zx2c4.com, encrypted
(0) h2 tx stream 17, len 143, type 0x01 HEADERS, flags 0x04 (end headers,)
(0) h2 tx query stream 17, len 27, type 0x00 DATA, flags 0x01 (end stream,)
(0) h2 rx stream 17, len 32, type 0x01 HEADERS, flags 0x04 (end headers,)
(0) h2 rx stream 17, len 43, type 0x00 DATA, flags 0x01 (end stream,)
(1) h2 tx stream 0, len 8, type 0x06 PING, flags 0x00 ()
(2) h2 tx stream 0, len 8, type 0x06 PING, flags 0x00 ()
(1) h2 rx stream 0, len 8, type 0x06 PING, flags 0x01 (end stream,)
(2) h2 rx stream 0, len 8, type 0x06 PING, flags 0x01 (end stream,)
(0) h2 tx stream 0, len 8, type 0x06 PING, flags 0x00 ()
(0) h2 rx stream 0, len 8, type 0x06 PING, flags 0x01 (end stream,)
(1) h2 tx stream 0, len 8, type 0x06 PING, flags 0x00 ()
(2) h2 tx stream 0, len 8, type 0x06 PING, flags 0x00 ()
(1) h2 rx stream 0, len 8, type 0x06 PING, flags 0x01 (end stream,)
(2) h2 rx stream 0, len 8, type 0x06 PING, flags 0x01 (end stream,)
(2) Error LANrx: invalid DNS section counts: 1 0 0 1, dropped
(0) h2 tx stream 0, len 8, type 0x06 PING, flags 0x00 ()
(0) h2 rx stream 0, len 8, type 0x06 PING, flags 0x01 (end stream,)
(2) Error LANrx: invalid DNS section counts: 1 0 0 1, dropped
(2) Error LANrx: invalid DNS section counts: 1 0 0 1, dropped
(1) h2 tx stream 0, len 8, type 0x06 PING, flags 0x00 ()
(2) h2 tx stream 0, len 8, type 0x06 PING, flags 0x00 ()
(1) h2 rx stream 0, len 8, type 0x06 PING, flags 0x01 (end stream,)
(2) h2 rx stream 0, len 8, type 0x06 PING, flags 0x01 (end stream,)
(0) h2 tx stream 0, len 8, type 0x06 PING, flags 0x00 ()
(0) h2 rx stream 0, len 8, type 0x06 PING, flags 0x01 (end stream,)
(1) h2 tx stream 0, len 8, type 0x06 PING, flags 0x00 ()
(2) h2 tx stream 0, len 8, type 0x06 PING, flags 0x00 ()
(1) h2 rx stream 0, len 8, type 0x06 PING, flags 0x01 (end stream,)
(2) h2 rx stream 0, len 8, type 0x06 PING, flags 0x01 (end stream,)
signal 15 caught, shutting down all resolvers

`

linux mint 21

new rather limited technically person

After installing the Mint 21 upgrade, when trying to run sudo fdns I get the error message that it cannot open because libssl.so.1.1 is missing. I have tried upgrading and saving both fdns and libssl.so.1.1 as an orphan package, uninstalling before the upgrade, and doing a totally clean install after the upgrade, but the same message appears. Cannot find any way to reinstall libssl.so.1.1 - any advice please?

Arch Support + Entry within Community Repo

I really love this project and it's the best DNS-over-HTTPS build I have seen so far. dnscrypt-proxy and stubby are literally nothing more than a weak joke compared with the work you delivered. So it's very sad that every Arch-based distro is not able to use it. If there is any way that I can get it working on Arch please let me know (I'm new to this distro so I'm sorry for not knowing).

makepkg
results in: Error PKGBUILD does not exist.

It would be great if there were a way for users to easily install it.

The Arch community repo would be the best way for newbie GNU/Linux desktop users, and if you submit it with your signing keys we can be sure it's clean.

I love your random start-up changing, i.e. distributing the DNS requests over different providers per start. All thumbs up. The last time I checked, using a SOCKS5 proxy for fdns wasn't possible; is it now?
Or is it compatible with proxychains? Last time I checked on Ubuntu it resulted in fdns not working anymore. As I said, sad, because this project is insane and the best DoH package out there!

Off topic:
I don't know for sure, but it is quite important, at least for me:
Is the /etc/hosts file considered? I have blocked a few domains for privacy reasons.
Otherwise it would be good to pass an argument for using / ignoring the content of the hosts file. I'm sorry if this is already handled, I haven't checked out this project for a while.

Otherwise

"The filters are configurable, the user can add his own hosts filter."
Please add a reference in README.md on how to add new domains to the blocklist.
I think in early versions of it I edited them, but since an update for the filter list got downloaded my own entries were gone. It would be nice if more non-pro tech users could come into the comfort of this project.

Keep up the good work. I checked your support WordPress site; sadly you haven't dropped any info for donations so far.

bugs/enhancements

  • I'll take over #13 - easy fix!
  • I'll add support for average time measurements for DoH request/response and some other minor things, maybe some fixes for Firetools in order to support the measurements there also
  • we need to disable dnswarden servers, they are moving to a different set of addresses - https://github.com/bhanupratapys/dnswarden - in this moment the servers are down, DnsCrypt support also down.

Option to disable ipv6

During prolonged use of fdns --monitor the stats view it offers gets polluted rather quickly when IPv6 is not enabled on your machine. It's filled with (ipv6) dropped entries, and the high rate of its dropped counter might confuse the user into thinking something is wrong. Would it be possible to have a knob to disable IPv6?

*** stack smashing detected ***: terminated

$ sudo fdns --server=iriseden 

Testing server iriseden
   Tags: France, Europe, OpenNIC
Alert: SSL3 alert write:warning:close notify
*** stack smashing detected ***: terminated
Error: cannot connect to server iriseden
$ fdns --version
fdns version 0.9.64
$ grep PRETTY_NAME /etc/os-release
PRETTY_NAME="Fedora 32 (Workstation Edition)"

Update service ports for Quad9 DNS services

Hello -
We're happy that the various service types for Quad9 are included in your list of available DoH servers. However, the service port shown in the servers configuration file is 5053, which is an unsupported port that was "pre-standard". It may be deprecated at some point in the future, or rate-limited now or in the future in ways that cause unexpected results for your user base. We would suggest that you convert to port 443, which is the supported port number for DoH services.

fdns resolver processes getting killed by seccomp - syscall 270 (pselect6)

Hello,

This issue appeared after a recent update to my system (bullseye). When I start fdns, it gets instantly killed by seccomp. How can I solve this issue? I've noticed that a similar issue appeared about 1.5 h earlier on Arch Linux too, but the solution doesn't seem to work for me.

Testing server dnsforfamily
   Tags: family, Germany, Europe
   SSL/TLS connection: 442.18 ms
   DoH query average: 71.49 ms
   DoH/Do53 bandwidth ratio: 3.33
   Keepalive: 140 to 170 seconds

Testing fallback server: quad9 (9.9.9.9) - 36.46 ms

fdns starting
connecting to dnsforfamily server
listening on 127.1.1.1
346 filter entries added from /etc/fdns/trackers
7415 filter entries added from /etc/fdns/fp-trackers
50788 filter entries added from /etc/fdns/adblocker
10265 filter entries added from /etc/fdns/coinblocker
45 filter entries added from /etc/fdns/bulkmailers
(1) Alert: SSL3 alert write:warning:close notify
(0) Alert: SSL3 alert write:warning:close notify
ip 95.217.213.94
18:22:58 (1) SSL connection opened to 95.217.213.94
ip 95.217.213.94
18:22:58 (0) SSL connection opened to 95.217.213.94
18:22:58 (1) h2 transport up
Error: fdns resolver process 1 killed by seccomp - syscall 270 (pselect6)
18:22:58 (1) Error: fdns resolver process 1 killed by seccomp - syscall 270 (pselect6)
Error: resolver 1 (pid 3364) terminated, restarting it...
Error: fdns resolver process 0 killed by seccomp - syscall 270 (pselect6)
18:22:58 (0) h2 transport up
18:22:58 (0) Error: fdns resolver process 0 killed by seccomp - syscall 270 (pselect6)
(1) Alert: SSL3 alert write:warning:close notify
Error: resolver 0 (pid 3363) terminated, restarting it...
ip 95.217.213.94
18:23:02 (1) SSL connection opened to 95.217.213.94
18:23:02 (1) h2 transport up
Error: fdns resolver process 1 killed by seccomp - syscall 270 (pselect6)
18:23:02 (1) Error: fdns resolver process 1 killed by seccomp - syscall 270 (pselect6)
346 filter entries added from /etc/fdns/trackers
7415 filter entries added from /etc/fdns/fp-trackers
50788 filter entries added from /etc/fdns/adblocker
10265 filter entries added from /etc/fdns/coinblocker
45 filter entries added from /etc/fdns/bulkmailers
(0) Alert: SSL3 alert write:warning:close notify
Error: resolver 1 (pid 3367) terminated, restarting it...
ip 95.217.213.94
18:23:05 (0) SSL connection opened to 95.217.213.94
Error: fdns resolver process 0 killed by seccomp - syscall 270 (pselect6)
18:23:05 (0) h2 transport up
18:23:05 (0) Error: fdns resolver process 0 killed by seccomp - syscall 270 (pselect6)
(1) Alert: SSL3 alert write:warning:close notify
Error: resolver 0 (pid 3369) terminated, restarting it...
ip 95.217.213.94
18:23:08 (1) SSL connection opened to 95.217.213.94
18:23:08 (1) h2 transport up
Error: fdns resolver process 1 killed by seccomp - syscall 270 (pselect6)
18:23:08 (1) Error: fdns resolver process 1 killed by seccomp - syscall 270 (pselect6)

Grateful for any help

Error: fdns worker process 1 killed by seccomp - syscall 32 (dup)

After suspend to RAM and reconnecting:

(1) Suspend detected, restarting SSL connection
(1) Alert: SSL3 alert write:warning:close notify
(2) Suspend detected, restarting SSL connection
(2) Alert: SSL3 alert write:warning:close notify
(0) Suspend detected, restarting SSL connection
(0) Alert: SSL3 alert write:warning:close notify
Restarting worker process 0
Restarting worker process 1
Restarting worker process 2
349 filter entries added from /etc/fdns/trackers
24643 filter entries added from /etc/fdns/adblocker
incoming data
incoming data
incoming data
incoming data
incoming data
incoming data
***, not encrypted
Error: fdns worker process 1 killed by seccomp - syscall 32 (dup)
(1) Warning: sending requests in clear
(1) Error: fdns worker process 1 killed by seccomp - syscall 32 (dup)
incoming data
incoming data
incoming data
incoming data
Error: worker 1 (pid ***) terminated, restarting it...
(2) SSL connection opened
(0) SSL connection opened
(1) SSL connection opened

OS: Fedora 31
fdns: 138f6af

Firejail blocks bittorrent

How do you configure firejail so that it stops interfering with bittorrent clients/ports being connectable? I had to remove all my symlinks.

make fedora patches superfluous

ATM I've two patches for fedora in https://github.com/netblue30/fdns/tree/master/platform/fedora.

disable-apparmor.patch

This one removes the install command from the Makefile which installs the AA profiles. This could simply be made superfluous by a ./configure --disable-apparmor (but I lack the autotools skills 😭).

install-units-to-unitdir.patch

(on x86_64) Fedora uses /usr/lib for architecture independent stuff (e.g. internal config-files) and /usr/lib64 for architecture specific stuff (e.g. shared-objects). So libdir is /usr/lib64, but unitdir (the place where systemd-units are expected) is /usr/lib/systemd

build failures

$ ./configure && make
...
/usr/bin/ld: XXX.o:/home/user/fdns/src/fdns/fdns.h:270: multiple definition of `arg_fallback_server'; cache.o:/home/user/fdns/src/fdns/fdns.h:270: first defined here
...
$ ./configure --enable-fatal-warnings && make
...
server.c:36:2: error: missing initializer for field ‘website’ of ‘DnsServer’ {aka ‘struct dnsserver_t’} [-Werror=missing-field-initializers]
   36 |  { NULL, 0, "adguard", "94.140.14.14"}, // adblock
      |  ^
In file included from server.c:19:
fdns.h:164:8: note: ‘website’ declared here
  164 |  char *website; // website
      |        ^~~~~~~
server.c:37:2: error: missing initializer for field ‘website’ of ‘DnsServer’ {aka ‘struct dnsserver_t’} [-Werror=missing-field-initializers]
   37 |  { NULL, 0, "cleanbrowsing", "185.228.168.9"}, // security
      |  ^
In file included from server.c:19:
fdns.h:164:8: note: ‘website’ declared here
  164 |  char *website; // website
      |        ^~~~~~~
server.c:38:2: error: missing initializer for field ‘website’ of ‘DnsServer’ {aka ‘struct dnsserver_t’} [-Werror=missing-field-initializers]
   38 |  { NULL, 0, "cloudflare", "1.1.1.2"},  // security
      |  ^
In file included from server.c:19:
fdns.h:164:8: note: ‘website’ declared here
  164 |  char *website; // website
      |        ^~~~~~~
server.c:39:2: error: missing initializer for field ‘website’ of ‘DnsServer’ {aka ‘struct dnsserver_t’} [-Werror=missing-field-initializers]
   39 |  { NULL, 0, "nextdns", "45.90.28.141" }, // security
      |  ^
In file included from server.c:19:
fdns.h:164:8: note: ‘website’ declared here
  164 |  char *website; // website
      |        ^~~~~~~
server.c:40:2: error: missing initializer for field ‘website’ of ‘DnsServer’ {aka ‘struct dnsserver_t’} [-Werror=missing-field-initializers]
   40 |  { NULL, 0, "quad9", "9.9.9.9"}  // security
      |  ^
In file included from server.c:19:
fdns.h:164:8: note: ‘website’ declared here
  164 |  char *website; // website
      |        ^~~~~~~
cc1: all warnings being treated as errors

Cache not working

Hi, I'm currently testing fdns as my main DNS resolver. I made a systemd service file to start fdns at boot:

[Unit]
Description=Firejail DNS-over-HTTPS Proxy Server
Documentation=man:fdns(1)
After=network.target
Before=network-online.target nss-lookup.target
Wants=nss-lookup.target

[Service]
ExecStart=/usr/bin/fdns --proxy-addr-any --server=powerdns

[Install]
WantedBy=multi-user.target

Everything seems to work great, except caching. Using fdns --monitor I never see any changes in the cached items count. Running with --debug didn't throw any light on this behavior. For the record, the OS is Arch Linux. Manually built fdns from git and I'm assuming/expecting running dig (on the same domain) twice would count the second run as cached and show a query time close to 0 msec. Instead I only see a reduced query time, but nothing close to what I would expect:

$ dig google.com

; <<>> DiG 9.14.7 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7680
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		90	IN	A	172.217.26.46

;; Query time: 194 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Nov 16 17:10:47 CET 2019
;; MSG SIZE  rcvd: 55


$ dig google.com

; <<>> DiG 9.14.7 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7680
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		88	IN	A	172.217.26.46

;; Query time: 69 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Nov 16 17:10:47 CET 2019
;; MSG SIZE  rcvd: 55

Is something extra needed for caching to work? Or is this not implemented yet?

Failed to start Firejail DoH Proxy Server on Raspberry PI (boot)

I'm trying to set up fdns on raspberry pi 4 (ubuntu server 64) as network server. So far works great, but somehow it won't start on boot.

● fdns.service - Firejail DoH Proxy Server
     Loaded: loaded (/etc/systemd/system/fdns.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Fri 2021-07-16 20:06:45 UTC; 33s ago
       Docs: man:fdns(1)
    Process: 1666 ExecStart=/usr/bin/fdns --proxy-addr=192.168.0.110 (code=exited, status=1/FAILURE)
   Main PID: 1666 (code=exited, status=1/FAILURE)

Jul 16 20:06:45 pi systemd[1]: fdns.service: Scheduled restart job, restart counter is at 5.
Jul 16 20:06:45 pi systemd[1]: Stopped Firejail DoH Proxy Server.
Jul 16 20:06:45 pi systemd[1]: fdns.service: Start request repeated too quickly.
Jul 16 20:06:45 pi systemd[1]: fdns.service: Failed with result 'exit-code'.
Jul 16 20:06:45 pi systemd[1]: Failed to start Firejail DoH Proxy Server.

but it works just fine with "sudo systemctl start fdns"

user@pi:~$ sudo systemctl start fdns
user@pi:~$ sudo systemctl status fdns
● fdns.service - Firejail DoH Proxy Server
     Loaded: loaded (/etc/systemd/system/fdns.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2021-07-16 20:09:39 UTC; 2s ago
       Docs: man:fdns(1)
   Main PID: 1720 (fdns)
      Tasks: 2 (limit: 2101)
     CGroup: /system.slice/fdns.service
             └─1720 /usr/bin/fdns --proxy-addr=192.168.0.110

Jul 16 20:09:39 pi systemd[1]: Started Firejail DoH Proxy Server.
Jul 16 20:09:39 pi fdns[1721]: Testing server ahadns-pl
Jul 16 20:09:39 pi fdns[1721]:    Tags: adblocker, Poland, Europe
Jul 16 20:09:40 pi fdns[1721]:    SSL/TLS connection: 162.47 ms
Jul 16 20:09:41 pi fdns[1721]:    DoH query average: 27.49 ms
Jul 16 20:09:41 pi fdns[1721]:    DoH/Do53 bandwidth ratio: 5.21
Jul 16 20:09:41 pi fdns[1721]:    Keepalive: 140 to 170 seconds

I have compiled and installed fdns as recommended (btw, install fails to copy fdns.service to /etc/systemd/system/)

    $ ./configure --prefix=/usr
    $ make
    $ sudo make install-strip

and using https://github.com/netblue30/fdns/blob/master/etc/fdns.service
with following modifications:

#ExecStart=/usr/bin/fdns
ExecStart=/usr/bin/fdns --proxy-addr=192.168.0.110
# FJ: --protocol=unix,inet,inet6 (Breaks --proxy-addr, see #15)
# RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

Any ideas?

Also Firefox DoH (if activated) will bypass fdns even if started with "firejail --dns=192.168.0.110 firefox-esr".

If apps with built-in DoH can bypass fdns... Hmmm?

Always get "Error LANrx: invalid DNS section counts: 1 0 0 1, dropped" when using `dig`

I tested fdns on my Debian 10 VM. fdns builds and runs with no error, but when I test it with dig, it always fails with the error: "Error LANrx: invalid DNS section counts: 1 0 0 1, dropped"

Input:
dig @127.1.1.1 twitter.com

; <<>> DiG 9.16.8 <<>> @127.1.1.1 twitter.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Log:

~/src/fdns# fdns

Testing server fossdaily
   Tags: Australia, AsiaPacific, adblocker
   Error: server fossdaily failed

Testing server dnslify2
   Tags: AsiaPacific, Singapore
   SSL/TLS connection: 104.39 ms
   DoH query average: 20.01 ms
   DoH/Do53 bandwidth ratio: 2.04
   Keepalive: 20 to 25 seconds

Testing server commsone4
   Tags: Yekaterinburg, Russia, AsiaPacific, adblocker
   SSL/TLS connection: 149.15 ms
   DoH query average: 30.04 ms
   DoH/Do53 bandwidth ratio: 2.60
   Keepalive: 550 to 590 seconds
fdns starting
connecting to dnslify2 server
listening on 127.1.1.1
345 filter entries added from /usr/local/etc/fdns/trackers
7415 filter entries added from /usr/local/etc/fdns/fp-trackers
50788 filter entries added from /usr/local/etc/fdns/adblocker
10265 filter entries added from /usr/local/etc/fdns/coinblocker
07:27:17 (0) SSL connection opened
07:27:17 (2) SSL connection opened
07:27:17 (1) SSL connection opened
07:27:17 (0) h2 transport up
07:27:17 (1) h2 transport up
07:27:17 (2) h2 transport up
07:27:33 (2) Error LANrx: invalid DNS section counts: 1 0 0 1, dropped
07:27:38 (2) Error LANrx: invalid DNS section counts: 1 0 0 1, dropped
07:27:43 (2) Error LANrx: invalid DNS section counts: 1 0 0 1, dropped
^Csignal 2 caught, shutting down all resolvers

BTW: Can we manually specify the listen ip:port and the fallback DNS server's IP:PORT?
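The four numbers in the "invalid DNS section counts" line reported in this issue and in the earlier build-failure issue on this page are the header counts QDCOUNT ANCOUNT NSCOUNT ARCOUNT of the query fdns received on the LAN side. dig adds an EDNS0 OPT pseudo-record to the additional section by default (the dig output earlier on this page shows ADDITIONAL: 1 and an OPT PSEUDOSECTION), which matches the trailing 1 in 1 0 0 1; a query sent with `dig +noedns` has counts 1 0 0 0. The following Python example is added here and is not code from the fdns project: it builds both query shapes for a constructed name, reads the counts the way the log line prints them, and strips the OPT record, which is what a proxy that does not support EDNS could do instead of dropping the query. The transaction id and the name are constructed sample data.

```python
"""Inspect and normalize the header section counts of wire-format DNS queries.

Added example with constructed data; not code from fdns. The four numbers in
the "invalid DNS section counts" log line are QDCOUNT ANCOUNT NSCOUNT ARCOUNT
from the 12-byte DNS header. A query carrying an EDNS0 OPT pseudo-record
(dig's default) has ARCOUNT=1, i.e. "1 0 0 1"; a plain query has "1 0 0 0".
"""
import struct

OPT_TYPE = 41  # EDNS0 OPT pseudo-RR type (RFC 6891)


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int = 1, edns: bool = False, txid: int = 0x1E00) -> bytes:
    """Build a recursion-desired query; with edns=True append an OPT record as dig does."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN
    msg = header + question
    if edns:
        # OPT RR: root owner name, TYPE 41, CLASS = advertised UDP payload size,
        # TTL field = extended RCODE/version/DO flag, RDLENGTH 0 (no options)
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0)
    return msg


def section_counts(msg: bytes) -> tuple:
    """Return (QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT), the numbers the log line shows."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!HHHH", msg[4:12])


def counts_string(msg: bytes) -> str:
    return " ".join(str(n) for n in section_counts(msg))


def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a name at pos (labels, or a 2-byte compression pointer)."""
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length


def strip_edns(msg: bytes) -> bytes:
    """Drop OPT records from the additional section and fix ARCOUNT."""
    qd, an, ns, ar = section_counts(msg)
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4            # QTYPE + QCLASS
    for _ in range(an + ns):
        pos = _skip_name(msg, pos)
        (rdlen,) = struct.unpack("!H", msg[pos + 8:pos + 10])
        pos += 10 + rdlen                         # TYPE, CLASS, TTL, RDLENGTH, RDATA
    ar_start = pos
    kept, kept_count = b"", 0
    for _ in range(ar):
        start = pos
        pos = _skip_name(msg, pos)
        rtype, rdlen = struct.unpack("!HxxxxxxH", msg[pos:pos + 10])
        pos += 10 + rdlen
        if rtype != OPT_TYPE:
            kept += msg[start:pos]
            kept_count += 1
    # Header with the new ARCOUNT, the untouched question/answer/authority
    # sections, then the surviving additional records
    return msg[:10] + struct.pack("!H", kept_count) + msg[12:ar_start] + kept


if __name__ == "__main__":
    plain = build_query("twitter.com")
    with_opt = build_query("twitter.com", edns=True)
    print("plain query:", counts_string(plain))                  # 1 0 0 0
    print("EDNS query: ", counts_string(with_opt))               # 1 0 0 1
    print("after strip:", counts_string(strip_edns(with_opt)))   # 1 0 0 0
```

To check a live resolver rather than the constructed bytes, compare `dig @127.1.1.1 twitter.com` with `dig +noedns @127.1.1.1 twitter.com`: if only the second one gets an answer, the dropped queries are the ones carrying the OPT record.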

What's the best way to start fdns instances for firejail as a user?

If you want to use fdns together with firejail --dns, so that a sandbox has its own resolver, you need to get root to start fdns. That's a bit annoying if you need to enter your password, and bad to script if you use sudo. So what can be done to do this automatically?

  1. obvious: add a NOPASSWD rule to sudo. However, you would need to create new rules for every used --whitelist argument, because sudo has no support for regexps and * matches everything (including spaces). Example rule: john ALL=(ALL) NOPASSWD: /usr/bin/fdns --proxy-addr=127.70.74.[0-9]

  2. I created a heavy SUID-binary which starts fdns https://github.com/rusty-snake/fdns4users. However, that's still no good solution as you don't want more suids on your system.

Has anyone found a good solution? Polkit maybe.
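One approach not in the list above: a small root-owned wrapper that validates its arguments against fixed patterns and then execs fdns, with a NOPASSWD rule that names only the wrapper, so the sudoers wildcard problem described in option 1 never arises (the arguments are checked by the wrapper, not by sudo's glob matching). This is an added example, not code from the fdns or fdns4users projects; the 127.70.74.0-9 address range comes from the sudoers rule in the post, the --whitelist= spelling of the option and the /usr/local/sbin path are assumptions, and the domain pattern in validate_domain is mine.

```sh
#!/bin/sh
# fdns-user: privileged wrapper meant to be run through sudo with a NOPASSWD
# rule that names only this script, e.g. (example rule, adjust user and path):
#   john ALL=(root) NOPASSWD: /usr/local/sbin/fdns-user
# It accepts one proxy address from a fixed loopback range plus optional
# whitelist domains, validates each argument with a fixed pattern, and only
# then execs fdns. Added example, not fdns project code; the address range,
# the --whitelist= option name and the install path are assumptions.
set -eu

FDNS=/usr/bin/fdns

# Accept only 127.70.74.0 to 127.70.74.9 (the range from the sudoers example)
validate_proxy_addr() {
    case "$1" in
        127.70.74.[0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# A domain name: labels of [A-Za-z0-9-] separated by dots, at least two labels,
# nothing else (no spaces, shell metacharacters or option prefixes)
validate_domain() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)+$'
}

# Print the fdns argument list, one per line; fail on any invalid input so
# that nothing reaches exec
build_args() {
    addr=$1
    validate_proxy_addr "$addr" || return 1
    printf '%s\n' "--proxy-addr=$addr"
    shift
    for d in "$@"; do
        validate_domain "$d" || return 1
        printf '%s\n' "--whitelist=$d"
    done
}

main() {
    [ $# -ge 1 ] || { echo "usage: fdns-user <proxy-addr> [domain ...]" >&2; exit 2; }
    args=$(build_args "$@") || { echo "fdns-user: rejected argument" >&2; exit 1; }
    # $args is intentionally unquoted: it holds validated, whitespace-free tokens
    # shellcheck disable=SC2086
    set -- $args
    exec "$FDNS" "$@"
}

# Run main only when executed under the installed name, not when sourced
case "${0##*/}" in fdns-user) main "$@" ;; esac
```

Install it as root with mode 0755 (not SUID), point the sudoers rule at it with no trailing arguments, and start a sandbox resolver with `sudo fdns-user 127.70.74.3 example.org`. Because the rule matches only the bare path, sudo passes whatever arguments the user typed, and the wrapper's patterns are the whole policy.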

Misspelled Link

Hello,

In your guides, there's a spelling mistake in a link:

git clone https://gihub.com/netblue30/fdns

In the above link notice "gihub" instead of "github".

It's silly but drives you crazy if not spotted, and all articles/guides on the Net seem to have picked up the misspelled link.

Thank You!

Functional state of the fdns.service

After some very nice work by @rusty-snake the fdns systemd service unit got much improved hardening (see f3ec669, eb5cd4b, 285de74 and 4b3f545). To ensure we can offer support for as many distros as possible, I extensively tested fdns on both Arch Linux and Ubuntu 16.04 LTS over the last week. On the verge of 2020 the latter is indeed aging, but still officially supported and working very nicely (both as desktop and server). Specifically, testing these OSes offered an opportunity to compare older (v229) versus newer (v244) versions of systemd. Below are my findings; perhaps this needs to be discussed somewhere and this is as good a place as any.

Let's start with the unit type. As is common for daemons, Type=forking was preferred over Type=simple. After all fdns has this nice --daemonize switch, so why not use it? Although the forking type could be enhanced with additional PIDFile= and possibly also RemainAfterExit=yes stanzas (according to man systemd.service), I would like to suggest going with Type=simple nonetheless. Testing showed this to be the more reliable option on both systems. Views may differ of course, and other opinions are very welcome. Just note that if we opt for simple we'll need to drop the --daemonize in ExecStart= lines.

Another crucial part of the systemd hardening is the ProtectSystem option. As is, this is currently qualified as strict. I noticed two drawbacks in this context:

  • occasionally causes 'can not create /run/fdns' errors on Arch;
  • is unsupported on older systemd versions (like Ubuntu 16.04 LTS).
    Luckily there's a way around this. If we would instead go for something like...
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=/run

... the observed drawbacks are alleviated without losing (too) much on the hardening front IMHO. Do note that newer systemd uses ReadOnlyPaths/ReadWritePaths, but both dialects seem to be fully supported.

That's about it, ugh! @rusty-snake could perhaps come up with scores for these suggested changes, so we can have some sort of stick for measuring its impact :)

Enjoy the holidays
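A unit that applies the two suggestions above, as an added example and not the project's own etc/fdns.service: Type=simple with no --daemonize in ExecStart=, and ProtectSystem=full with a read-only root and a writable /run in place of strict. RuntimeDirectory=fdns is my addition, on the assumption that the "can not create /run/fdns" error comes from the service having to create that directory itself; with this directive systemd creates /run/fdns before ExecStart= runs and removes it on stop, and it works the same with either ProtectSystem= value (RuntimeDirectory= exists since systemd v211, ReadOnlyDirectories=/ReadWriteDirectories= since before v229). The bare /usr/bin/fdns in ExecStart= is the default from the project's unit; add --proxy-addr=/--server= as needed.

```ini
[Unit]
Description=Firejail DNS-over-HTTPS Proxy Server
Documentation=man:fdns(1)
After=network.target
Before=network-online.target nss-lookup.target
Wants=nss-lookup.target

[Service]
# simple: systemd tracks the foreground process, so no --daemonize here
Type=simple
ExecStart=/usr/bin/fdns
# systemd creates /run/fdns (owned by the service's user, removed on stop);
# assumed here to replace fdns creating the directory itself
RuntimeDirectory=fdns
# ProtectSystem=strict is rejected by systemd 229 (Ubuntu 16.04);
# full plus a read-only root and a writable /run is the portable approximation
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=/run

[Install]
WantedBy=multi-user.target
```

After editing, run `systemd-analyze verify /etc/systemd/system/fdns.service` on both the old and the new systemd version: a directive the running version does not know is reported there as an unknown lvalue rather than failing silently at start time.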

Add a way to update /etc/servers

In this regard it makes me wonder if separately releasing an updated server file is a useful feature to add to fdns - if possible.

As long as the format didn't change, it's a simple wget/curl. We could add it like sudo fdns --update-server-list.

Much better way to implement it indeed!

From: #55 (comment)


AA prevents writing to /etc/fdns:

/etc/fdns/** r,

blacklist for domain names

opposite of #35.

Examples:

$ fdns --blacklist=fonts.googleaps.com --blacklist-file=clownflare

But there are hosts files, aren't there? Yes, but they don't allow blacklists per instance (#39), only global.

Add --allow-local-doh option

From @rusty-snake in #32

The ESNI implementation of Firefox currently requires that Firefox resolves DNS itself using its own DoH implementation. See the Bugzilla ticket [1]. Some users might want this. Therefore it would be helpful to have an --allow-local-doh option.

ESNI references:
about:config: network.security.esni.enabled
https://bugzilla.mozilla.org/show_bug.cgi?id=1500289 [1]
https://www.cloudflare.com/ssl/encrypted-sni (Test)
https://en.wikipedia.org/wiki/ESNI
https://blog.cloudflare.com/esni/

fdns fails to start on Arch Linux with apparmor

The current apparmor profile doesn't take into account that on Arch Linux /etc/ssl/certs/ca-certificates.crt is a symlink to /etc/ca-certificates/extracted/tls-ca-bundle.pem. When auditd.service is enabled, this stops fdns from resolving.

$ /usr/bin/fdns --proxy-addr=127.0.0.1 --server=appliedprivacy
$ fdns --monitor=127.0.0.1
Testing server appliedprivacy
   Tags: non-profit, Austria, Europe
fdns starting
connecting to appliedprivacy server
listening on 127.0.0.1
22:14:11 (1) Error: cannot find SSL certificate /etc/ssl/certs/ca-certificates.crt
345 filter entries added from /etc/fdns/trackers
7415 filter entries added from /etc/fdns/fp-trackers
50788 filter entries added from /etc/fdns/adblocker
10265 filter entries added from /etc/fdns/coinblocker
Error: resolver 1 (pid 94234) terminated, restarting it...
22:14:11 (0) Error: cannot find SSL certificate /etc/ssl/certs/ca-certificates.crt
Error: resolver 0 (pid 94233) terminated, restarting it...
22:14:11 (2) Error: cannot find SSL certificate /etc/ssl/certs/ca-certificates.crt
345 filter entries added from /etc/fdns/trackers
7415 filter entries added from /etc/fdns/fp-trackers
50788 filter entries added from /etc/fdns/adblocker
10265 filter entries added from /etc/fdns/coinblocker
Error: resolver 2 (pid 94235) terminated, restarting it...
22:14:13 (0) Error: cannot find SSL certificate /etc/ssl/certs/ca-certificates.crt
Error: resolver 0 (pid 94237) terminated, restarting it...
22:14:13 (1) Error: cannot find SSL certificate /etc/ssl/certs/ca-certificates.crt
Error: resolver 1 (pid 94236) terminated, restarting it...
22:14:16 (2) Error: cannot find SSL certificate /etc/ssl/certs/ca-certificates.crt
345 filter entries added from /etc/fdns/trackers
7415 filter entries added from /etc/fdns/fp-trackers
50788 filter entries added from /etc/fdns/adblocker
10265 filter entries added from /etc/fdns/coinblocker
Error: resolver 2 (pid 94260) terminated, restarting it...
22:14:16 (0) Error: cannot find SSL certificate /etc/ssl/certs/ca-certificates.crt
Error: resolver 0 (pid 94261) terminated, restarting it...
22:14:18 (1) Error: cannot find SSL certificate /etc/ssl/certs/ca-certificates.crt
Error: resolver 1 (pid 94279) terminated, restarting it...
22:14:18 (2) Error: cannot find SSL certificate /etc/ssl/certs/ca-certificates.crt
345 filter entries added from /etc/fdns/trackers
7415 filter entries added from /etc/fdns/fp-trackers
50788 filter entries added from /etc/fdns/adblocker
10265 filter entries added from /etc/fdns/coinblocker
Error: resolver 2 (pid 94280) terminated, restarting it...
22:14:21 (0) Error: cannot find SSL certificate /etc/ssl/certs/ca-certificates.crt
Error: resolver 0 (pid 94286) terminated, restarting it...
22:14:21 (1) Error: cannot find SSL certificate /etc/ssl/certs/ca-certificates.crt
Error: resolver 1 (pid 94287) terminated, restarting it...
22:14:23 (2) Error: cannot find SSL certificate /etc/ssl/certs/ca-certificates.crt
345 filter entries added from /etc/fdns/trackers
7415 filter entries added from /etc/fdns/fp-trackers
50788 filter entries added from /etc/fdns/adblocker
10265 filter entries added from /etc/fdns/coinblocker
Error: resolver 2 (pid 94310) terminated, restarting it...
22:14:23 (0) Error: cannot find SSL certificate /etc/ssl/certs/ca-certificates.crt
Error: resolver 0 (pid 94311) terminated, restarting it...
22:14:26 (2) Error: cannot find SSL certificate /etc/ssl/certs/ca-certificates.crt
Error: resolver 2 (pid 94353) terminated, restarting it...
22:14:26 (1) Error: cannot find SSL certificate /etc/ssl/certs/ca-certificates.crt
345 filter entries added from /etc/fdns/trackers
7415 filter entries added from /etc/fdns/fp-trackers
50788 filter entries added from /etc/fdns/adblocker
10265 filter entries added from /etc/fdns/coinblocker
Error: resolver 1 (pid 94352) terminated, restarting it...
22:14:28 (0) Error: cannot find SSL certificate /etc/ssl/certs/ca-certificates.crt
Error: resolver 0 (pid 94385) terminated, restarting it...
22:14:28 (2) Error: cannot find SSL certificate /etc/ssl/certs/ca-certificates.crt
Error: resolver 2 (pid 94386) terminated, restarting it...
22:14:31 (1) Error: cannot find SSL certificate /etc/ssl/certs/ca-certificates.crt
345 filter entries added from /etc/fdns/trackers
7415 filter entries added from /etc/fdns/fp-trackers
50788 filter entries added from /etc/fdns/adblocker
10265 filter entries added from /etc/fdns/coinblocker
Error: resolver 1 (pid 94409) terminated, restarting it...
22:14:31 (0) Error: cannot find SSL certificate /etc/ssl/certs/ca-certificates.crt

I'm testing a fix that also enables users to create site-specific additions and overrides for 'usr.bin.fdns' in /etc/apparmor.d/local/usr.bin.fdns. Will report on that asap.

libseccomp error

Hi.

On my Mac:
git clone https://github.com/netblue30/fdns
cd fdns
./configure --prefix=/usr
it shows:
...
checking for main in -lseccomp... no
configure: error: *** libseccomp not installed ***
yudeMacBook-Air:fdns brite$ brew install libseccomp
Updating Homebrew...
^C
Error: No available formula with the name "libseccomp"
==> Searching for a previously deleted formula (in the last month)...
Warning: homebrew/core is shallow clone. To get complete history run:
git -C "$(brew --repo homebrew/core)" fetch --unshallow

Error: No previously deleted formula found.
==> Searching for similarly named formulae...
Error: No similarly named formulae found.
==> Searching taps...
==> Searching taps on GitHub...
Error: No formulae found in taps.
yudeMacBook-Air:fdns brite$

how to install libseccomp on mac?

Regression with 'speed-up, strict DNS parsing on lan packets' commit

Hi, I played around some more today with fdns built from git master. I'm seeing loads of consecutive errors with 4f5798b:

(0) Error: rx local invalid header
(0) Error: PACKET DROPPED

Although DNS resolution is working, something seems to be off (the keep-alive is affected?). You can see logs from both fdns with and without the offending commit. For good measure I added a log of fdns with the --debug flag for the latest git master code too. HTH.

Regards

Add a --pid-file options like dnsmasq for example

Add a --pid-file option like dnsmasq has, for example. Presumably it's better to treat the argument as a filename in /run/fdns rather than a path, because of the systemd/apparmor sandbox.

Why?

In #51 there was a discussion on how to start different fdns instances with block/whitelists for firejail sandboxes. However, stopping those instances is difficult, because you cannot kill processes belonging to another user, and allowing unprivileged users to kill arbitrary processes is a security hole. But a polkit rule that allows a user to start pkill with a path to a pid-file should be safe.

Polkit rule:

polkit.addRule(function(action, subject) {
    const USER = "john";
    const PROGRAM = "/usr/bin/pkill";

    const RE = new RegExp(`^${PROGRAM} -F /run/fdns/[A-Za-z0-9._-]+-[0-9]+$`);

    // Debugging: uncomment to see the final RegExp
    //polkit.log(RE.toString());

    if (action.id === "org.freedesktop.policykit.exec" &&
        action.lookup("program") === PROGRAM &&
        RE.test(action.lookup("command_line")) &&
        subject.user === USER && subject.local && subject.active) {
        return polkit.Result.YES;
    }
});

So at the end you could have a script that looks like this:

#!/bin/bash

PROGRAM="openshot-qt"
FIREJAIL_ARGS=()
PROXY_ADDR="127.70.74.68"
ALLOWED_DOMAINS=()
BLOCKED_DOMAINS=(google-analytics.com)
# TODO: unique logfile
FDNS_LOG_FILE="$HOME/fdns-log.txt"

whitelist=()
for domain in "${ALLOWED_DOMAINS[@]}"; do
        whitelist+=("--whitelist=$domain")
done

blocklist=()
for domain in "${BLOCKED_DOMAINS[@]}"; do
        blocklist+=("--blocklist=$domain")
done

echo -e "\n\n===> fdns --proxy-addr=$PROXY_ADDR ${whitelist[*]} ${blocklist[*]} <===\n" >> "$FDNS_LOG_FILE"
# the pid-file is a bare name under /run/fdns so the polkit rule above can match it
pkexec fdns --pid-file="$PROGRAM-$$" "--proxy-addr=$PROXY_ADDR" "${whitelist[@]}" "${blocklist[@]}" >> "$FDNS_LOG_FILE" &

sleep 10s

firejail --dns="$PROXY_ADDR" "${FIREJAIL_ARGS[@]}" "$PROGRAM"

pkexec pkill -F "/run/fdns/$PROGRAM-$$"
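The confinement argument above (a bare filename under /run/fdns rather than a path), worked through as an added example that is not fdns's own code: a hypothetical pidfile_path() accepts only a basename of the shape the polkit RegExp expects, <name>-<digits> over [A-Za-z0-9._-], and resolves it inside /run/fdns, so the --pid-file argument can never name a file outside that directory; pidfile_write() then creates the file exclusively and without following symlinks. PIDFILE_DIR and the 64-character bound are assumptions.

```c
/* Added example (not fdns's own code): confine a user-supplied --pid-file
 * name to /run/fdns.  The accepted shape, <name>-<digits> built from
 * [A-Za-z0-9._-], mirrors the RegExp in the polkit rule above, so a name
 * that passes here is exactly one the rule would let "pkill -F" act on. */
#define _GNU_SOURCE
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PIDFILE_DIR "/run/fdns"   /* assumption: the directory the sandbox allows */
#define PIDFILE_NAME_MAX 64       /* assumption: length bound for the basename */

/* Return 1 if name is an acceptable pid-file basename, else 0.
 * Only [A-Za-z0-9._-] is allowed (so no '/' can ever appear), the name
 * must end in "-<digits>" (the "$PROGRAM-$$" convention), and "." / ".."
 * can never match because they lack that suffix. */
int pidfile_name_ok(const char *name)
{
    if (name == NULL)
        return 0;
    size_t len = strlen(name);
    if (len == 0 || len > PIDFILE_NAME_MAX)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    const char *dash = strrchr(name, '-');
    if (dash == NULL || dash == name || dash[1] == '\0')
        return 0;
    for (const char *p = dash + 1; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))
            return 0;
    return 1;
}

/* Build "/run/fdns/<name>" into out.  Returns 0 on success, -1 if the name
 * was rejected or the buffer is too small.  Because the name cannot contain
 * a separator, the result is always a direct child of PIDFILE_DIR. */
int pidfile_path(const char *name, char *out, size_t outlen)
{
    if (!pidfile_name_ok(name))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", PIDFILE_DIR, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Create the pid file exclusively (O_EXCL) and without following symlinks
 * (O_NOFOLLOW), so a stale file or a link at that path is never reused or
 * followed.  Returns 0 on success, -1 with errno set on failure. */
int pidfile_write(const char *path, pid_t pid)
{
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0)
        return -1;
    if (write(fd, buf, (size_t)n) != n) {
        int saved = errno;
        close(fd);
        unlink(path);
        errno = saved;
        return -1;
    }
    if (close(fd) < 0) {
        unlink(path);
        return -1;
    }
    return 0;
}

/* Stand-alone demo: ./a.out openshot-qt-4242 */
int main(int argc, char **argv)
{
    char path[256];
    const char *name = argc > 1 ? argv[1] : "openshot-qt-4242";
    if (pidfile_path(name, path, sizeof path) < 0) {
        fprintf(stderr, "rejected pid-file name: %s\n", name);
        return 1;
    }
    printf("pid file would be %s\n", path);
    if (pidfile_write(path, getpid()) < 0)
        perror(path);  /* expected on a box without /run/fdns */
    return 0;
}
```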

can't login DNS error for outlook.live.com

1: using apt update on Mint 19.3 will not work after fdns is loaded
2: outlook.live.com (Microsoft Outlook mail) DNS error
3: GitHub git command will not work after fdns is loaded

You can imagine how I bypassed the verification code when the recovery email would not log in, just so that I can log in to GitHub for this issue.

Using developer fdns version 0.9.65 I had to add 1.1.1.1 as fallback; this works for apt update but not outlook.live.com.

fdns and network sandbox - how to get them work together ?

Hello,

I use fdns on antiX Linux 21 with runit as an init process, and connman as a connection manager. The standard "sudo fdns --daemonize" then "firejail dns=127.1.1.1 palemoon" works well, and "fdns --monitor" lets you see the name resolution working.

However on MX Linux 21, I cannot get this working. I added "--nodnsproxy" to the connmand options. "sudo fdns" shows this kind of output:

fdns starting
connecting to ffmuc2 server
listening on 127.1.1.1
470 filter entries added from /etc/fdns/trackers
8940 filter entries added from /etc/fdns/fp-trackers
10158 filter entries added from /etc/fdns/coinblocker
60945 filter entries added from /etc/fdns/adblocker
(0) Alert: SSL3 alert write:warning:close notify
(1) Alert: SSL3 alert write:warning:close notify
ip 5.1.66.255
09:38:49 (0) SSL connection opened to 5.1.66.255
ip 5.1.66.255
09:38:49 (1) SSL connection opened to 5.1.66.255
09:38:50 (0) h2 transport up
09:38:50 (1) h2 transport up
09:38:51 (0) keepalive 142
incoming data
(1) Alert: SSL3 alert write:warning:close notify
09:39:55 (1) SSL connection closed

"fdns -monitor"

127.1.1.1 ffmuc2 ENCRYPTED (DoH 0.00 ms, 170 s)
requests 0, drop 0, cache 0, fwd 0, fallback 0

(1) SSL connection opened to 5.1.66.255
(1) h2 transport up
(0) SSL connection opened to 5.1.66.255
(0) h2 transport up
(1) SSL connection closed
(0) SSL connection closed
(1) SSL connection opened to 5.1.66.255
(1) h2 transport up
(0) SSL connection opened to 5.1.66.255
(0) h2 transport up

And palemoon or librewolf don't want to connect to anything. What should I check or change?

[Q] Default for AAAA queries

manpage:

--allow-all-queries
Allow all DNS query types; by default only A and AAA are allowed.

--ipv6
Allow AAAA requests.

So what is the default for AAAA queries?

build from git master broken

With 3d616de I'm seeing ld errors and the build fails on Arch Linux.

$ pacman -Q gcc libseccomp openssl
gcc 11.1.0-1
libseccomp 2.5.1-2
openssl 1.1.1.k-1
build log:

checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for a BSD-compatible install... /usr/bin/install -c
checking for ranlib... ranlib
checking whether C compiler accepts -mindirect-branch=thunk... no
checking whether C compiler accepts -mretpoline... no
checking whether C compiler accepts -fstack-clash-protection... yes
checking whether C compiler accepts -fstack-protector-strong... yes
checking for main in -lpthread... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking pthread.h usability... yes
checking pthread.h presence... yes
checking for pthread.h... yes
checking for pkg-config... pkg-config
checking whether compiling and linking against OpenSSL works... yes
OpenSSL library found
checking for main in -lseccomp... yes
checking seccomp.h usability... yes
checking seccomp.h presence... yes
checking for seccomp.h... yes
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/common.mk
config.status: creating src/fdns/Makefile
config.status: creating src/nxdomain/Makefile
config.status: creating test/src/fdnstress/Makefile

Configuration options:
prefix: /usr
sysconfdir: /etc
systemd directory: /usr/lib/systemd/system
Spectre compiler patch: no
apparmor: -DHAVE_APPARMOR
seccomp: -DHAVE_SECCOMP
EXTRA_LDFLAGS:
EXTRA_CFLAGS: -fstack-clash-protection -fstack-protector-strong
fatal warnings:
Gcov instrumentation:

make -C src/fdns
make -C test/src/fdnstress
make[1]: Entering directory '/build/fdns-git/src/fdns/src/fdns'
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -ggdb -O2 -DVERSION='"0.9.67"' -DHAVE_SECCOMP -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -fstack-clash-protection -fstack-protector-strong -c cache.c -o cache.o
make[1]: Entering directory '/build/fdns-git/src/fdns/test/src/fdnstress'
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -ggdb -O2 -DVERSION='"0.9.67"' -DHAVE_SECCOMP -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -fstack-clash-protection -fstack-protector-strong -c main.c -o main.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -ggdb -O2 -DVERSION='"0.9.67"' -DHAVE_SECCOMP -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -fstack-clash-protection -fstack-protector-strong -c dns.c -o dns.o
gcc -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -pie -Wl,-z,relro -Wl,-z,now -lpthread -lseccomp -o fdnstress main.o -lanl
make[1]: Leaving directory '/build/fdns-git/src/fdns/test/src/fdnstress'
make -C src/nxdomain
make[1]: Entering directory '/build/fdns-git/src/fdns/src/nxdomain'
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -ggdb -O2 -DVERSION='"0.9.67"' -DHAVE_SECCOMP -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -fstack-clash-protection -fstack-protector-strong -c nxdomain.c -o nxdomain.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -ggdb -O2 -DVERSION='"0.9.67"' -DHAVE_SECCOMP -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -fstack-clash-protection -fstack-protector-strong -c dnsdb.c -o dnsdb.o
gcc -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -pie -Wl,-z,relro -Wl,-z,now -lpthread -lseccomp -o nxdomain nxdomain.o
make[1]: Leaving directory '/build/fdns-git/src/fdns/src/nxdomain'
./mkman.sh 0.9.67 src/man/fdns.txt fdns.1
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -ggdb -O2 -DVERSION='"0.9.67"' -DHAVE_SECCOMP -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -fstack-clash-protection -fstack-protector-strong -c dot.c -o dot.o
./mkman.sh 0.9.67 src/man/nxdomain.txt nxdomain.1
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -ggdb -O2 -DVERSION='"0.9.67"' -DHAVE_SECCOMP -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -fstack-clash-protection -fstack-protector-strong -c filter.c -o filter.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -ggdb -O2 -DVERSION='"0.9.67"' -DHAVE_SECCOMP -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -fstack-clash-protection -fstack-protector-strong -c forwarder.c -o forwarder.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -ggdb -O2 -DVERSION='"0.9.67"' -DHAVE_SECCOMP -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -fstack-clash-protection -fstack-protector-strong -c frontend.c -o frontend.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -ggdb -O2 -DVERSION='"0.9.67"' -DHAVE_SECCOMP -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -fstack-clash-protection -fstack-protector-strong -c h11.c -o h11.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -ggdb -O2 -DVERSION='"0.9.67"' -DHAVE_SECCOMP -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -fstack-clash-protection -fstack-protector-strong -c h2.c -o h2.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -ggdb -O2 -DVERSION='"0.9.67"' -DHAVE_SECCOMP -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -fstack-clash-protection -fstack-protector-strong -c hpack_static.c -o hpack_static.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -ggdb -O2 -DVERSION='"0.9.67"' -DHAVE_SECCOMP -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -fstack-clash-protection -fstack-protector-strong -c huffman.c -o huffman.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -ggdb -O2 -DVERSION='"0.9.67"' -DHAVE_SECCOMP -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -fstack-clash-protection -fstack-protector-strong -c lint.c -o lint.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -ggdb -O2 -DVERSION='"0.9.67"' -DHAVE_SECCOMP -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -fstack-clash-protection -fstack-protector-strong -c log.c -o log.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -ggdb -O2 -DVERSION='"0.9.67"' -DHAVE_SECCOMP -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -fstack-clash-protection -fstack-protector-strong -c main.c -o main.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -ggdb -O2 -DVERSION='"0.9.67"' -DHAVE_SECCOMP -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -fstack-clash-protection -fstack-protector-strong -c net.c -o net.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -ggdb -O2 -DVERSION='"0.9.67"' -DHAVE_SECCOMP -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -fstack-clash-protection -fstack-protector-strong -c procs.c -o procs.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -ggdb -O2 -DVERSION='"0.9.67"' -DHAVE_SECCOMP -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -fstack-clash-protection -fstack-protector-strong -c resolver.c -o resolver.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -ggdb -O2 -DVERSION='"0.9.67"' -DHAVE_SECCOMP -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -fstack-clash-protection -fstack-protector-strong -c security.c -o security.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -ggdb -O2 -DVERSION='"0.9.67"' -DHAVE_SECCOMP -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -fstack-clash-protection -fstack-protector-strong -c server.c -o server.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -ggdb -O2 -DVERSION='"0.9.67"' -DHAVE_SECCOMP -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -fstack-clash-protection -fstack-protector-strong -c shmem.c -o shmem.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -ggdb -O2 -DVERSION='"0.9.67"' -DHAVE_SECCOMP -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -fstack-clash-protection -fstack-protector-strong -c ssl.c -o ssl.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -ggdb -O2 -DVERSION='"0.9.67"' -DHAVE_SECCOMP -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -fstack-clash-protection -fstack-protector-strong -c timetrace.c -o timetrace.o
gcc -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -ggdb -O2 -DVERSION='"0.9.67"' -DHAVE_SECCOMP -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/fdns"' -DLIBDIR='"/usr/lib"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -fstack-clash-protection -fstack-protector-strong -c whitelist.c -o whitelist.o
gcc -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -pie -Wl,-z,relro -Wl,-z,now -lpthread -lseccomp -o fdns cache.o dns.o dnsdb.o dot.o filter.o forwarder.o frontend.o h11.o h2.o hpack_static.o huffman.o lint.o log.o main.o net.o procs.o resolver.o security.o server.o shmem.o ssl.o timetrace.o whitelist.o -lssl -lcrypto -lrt
/usr/bin/ld: security.o: in function `trap_handler_resolver':
/build/fdns-git/src/fdns/src/fdns/security.c:89: undefined reference to `seccomp_syscall_resolve_num_arch'
/usr/bin/ld: security.o: in function `seccomp_resolver':
/build/fdns-git/src/fdns/src/fdns/security.c:131: undefined reference to `seccomp_arch_native'
/usr/bin/ld: /build/fdns-git/src/fdns/src/fdns/security.c:132: undefined reference to `seccomp_init'
/usr/bin/ld: /build/fdns-git/src/fdns/src/fdns/security.c:145: undefined reference to `seccomp_syscall_resolve_name'
/usr/bin/ld: /build/fdns-git/src/fdns/src/fdns/security.c:145: undefined reference to `seccomp_rule_add'
/usr/bin/ld: /build/fdns-git/src/fdns/src/fdns/security.c:150: undefined reference to `seccomp_load'
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:9: fdns] Error 1
make[1]: Leaving directory '/build/fdns-git/src/fdns/src/fdns'
make: *** [Makefile:23: src/fdns] Error 2
==> ERROR: A failure occurred in build().
Aborting...


fdns too many in-addr.arpa (PTR), dropped

Hello, I use fdns version 0.9.67 built yesterday (2-3-2022) on Linux Mint Cinnamon 19.3.
Since a few days ago I am receiving many more dropped reverse lookups, I believe they are.
Please forgive my GitHub non-protocol if I do not post the info needed.

Needless to say, is this normal? 2 minutes after I get on the internet from a fresh boot I get this:
127.1.1.1 ahadns-westus-dot ENCRYPTED (DoT 34.85 ms, 25 s)
requests 1942, drop 1883, cache 7, fwd 0, fallback 0

26.114.82.140.in-addr.arpa (PTR), dropped
65.217.250.142.in-addr.arpa (PTR), dropped
2x 208.219.67.45.in-addr.arpa (PTR), dropped
154.110.199.185.in-addr.arpa (PTR), dropped
110.33.251.142.in-addr.arpa (PTR), dropped
78.33.251.142.in-addr.arpa (PTR), dropped
206.69.250.142.in-addr.arpa (PTR), dropped
133.108.199.185.in-addr.arpa (PTR), dropped
26.114.82.140.in-addr.arpa (PTR), dropped
65.217.250.142.in-addr.arpa (PTR), dropped
2x 208.219.67.45.in-addr.arpa (PTR), dropped
154.110.199.185.in-addr.arpa (PTR), dropped
110.33.251.142.in-addr.arpa (PTR), dropped
78.33.251.142.in-addr.arpa (PTR), dropped
206.69.250.142.in-addr.arpa (PTR), dropped
133.108.199.185.in-addr.arpa (PTR), dropped
26.114.82.140.in-addr.arpa (PTR), dropped
65.217.250.142.in-addr.arpa (PTR), dropped
2x 208.219.67.45.in-addr.arpa (PTR), dropped
154.110.199.185.in-addr.arpa (PTR), dropped
110.33.251.142.in-addr.arpa (PTR), dropped
78.33.251.142.in-addr.arpa (PTR), dropped
206.69.250.142.in-addr.arpa (PTR), dropped
133.108.199.185.in-addr.arpa (PTR), dropped
26.114.82.140.in-addr.arpa (PTR), dropped
65.217.250.142.in-addr.arpa (PTR), dropped
2x 208.219.67.45.in-addr.arpa (PTR), dropped
154.110.199.185.in-addr.arpa (PTR), dropped
110.33.251.142.in-addr.arpa (PTR), dropped
78.33.251.142.in-addr.arpa (PTR), dropped
206.69.250.142.in-addr.arpa (PTR), dropped
133.108.199.185.in-addr.arpa (PTR), dropped
26.114.82.140.in-addr.arpa (PTR), dropped
65.217.250.142.in-addr.arpa (PTR), dropped
2x 208.219.67.45.in-addr.arpa (PTR), dropped
154.110.199.185.in-addr.arpa (PTR), dropped
154.110.199.185.in-addr.arpa (PTR), dropped
112.255.30.192.in-addr.arpa (PTR), dropped
133.108.199.185.in-addr.arpa (PTR), dropped
26.114.82.140.in-addr.arpa (PTR), dropped
2x 208.219.67.45.in-addr.arpa (PTR), dropped
154.110.199.185.in-addr.arpa (PTR), dropped
112.255.30.192.in-addr.arpa (PTR), dropped
133.108.199.185.in-addr.arpa (PTR), dropped
26.114.82.140.in-addr.arpa (PTR), dropped
2x 208.219.67.45.in-addr.arpa (PTR), dropped
112.255.30.192.in-addr.arpa (PTR), dropped
133.108.199.185.in-addr.arpa (PTR), dropped
26.114.82.140.in-addr.arpa (PTR), dropped
2x 208.219.67.45.in-addr.arpa (PTR), dropped
112.255.30.192.in-addr.arpa (PTR), dropped
133.108.199.185.in-addr.arpa (PTR), dropped
26.114.82.140.in-addr.arpa (PTR), dropped
2x 208.219.67.45.in-addr.arpa (PTR), dropped
112.255.30.192.in-addr.arpa (PTR), dropped
26.114.82.140.in-addr.arpa (PTR), dropped
2x 208.219.67.45.in-addr.arpa (PTR), dropped
112.255.30.192.in-addr.arpa (PTR), dropped
26.114.82.140.in-addr.arpa (PTR), dropped
2x 208.219.67.45.in-addr.arpa (PTR), dropped
112.255.30.192.in-addr.arpa (PTR), dropped
26.114.82.140.in-addr.arpa (PTR), dropped
2x 208.219.67.45.in-addr.arpa (PTR), dropped
112.255.30.192.in-addr.arpa (PTR), dropped
26.114.82.140.in-addr.arpa (PTR), dropped
2x 208.219.67.45.in-addr.arpa (PTR), dropped
112.255.30.192.in-addr.arpa (PTR), dropped
26.114.82.140.in-addr.arpa (PTR), dropped
2x 208.219.67.45.in-addr.arpa (PTR), dropped
44x 196.62.29.193.in-addr.arpa (PTR), dropped
Is this normal behavior? Or am I somehow targeted and flooded with these lookups?
Thank you, developers.

queries are logged in the journal

After 3a54e19 all resolved hostnames are logged in the journal. This has two drawbacks:

  • spamming of the journal
  • privacy unfriendly

We should stop this by default.

Solution

  1. fdns is quiet by default, unless --verbose is specified.
    Normal fdns output would be the following (everything except the per-query lines like "github.com, encrypted" and so on):
	SSL connection opened in 240.98 ms
	DoH response average 30.05 ms
fdns starting
connecting to adguard server
listening on 127.1.1.1
369 filter entries added from /etc/fdns/trackers
5606 filter entries added from /etc/fdns/fp-trackers
24057 filter entries added from /etc/fdns/adblocker
12612 filter entries added from /etc/fdns/coinblocker
(2) SSL connection opened
(0) SSL connection opened
(1) SSL connection opened
  2. --quiet/--silent: fdns has its normal output unless this option is given, then it outputs nothing.
  3. --nolog: fdns has full output by default, but with this option it drops the output of queries.

strange auto logout | session kick = back in login screen [ubuntu bionic]

Within a virtual machine I often (like 10-30% of the time) get kicked out of the login session of Ubuntu Bionic and I'm back at the login screen. This appeared most of the time when there was an issue with the internet connection.

It never reaches the point of "SSL connection opened" or the filters before being kicked,

so it doesn't reach the point of
fdns starting
connecting to adguard server
listening on 127.1.1.1

A few more providers would be nice; all in all a nice project.

stats don't get cleared after shutting down the systemd service

Fdns stats in /dev/shm/fdns-stats stay lingering on the system after stopping the systemd service. I suspect this also affects users who don't use the systemd unit. This has two side-effects that I find confusing:

  • when fdns --monitor is running, stopping the fdns systemd service doesn't terminate fdns --monitor output (nor is there any indication the service is in fact dead);
  • when the fdns systemd service is stopped, it is still possible to run fdns --monitor, which happily reports all the earlier stats.

Perhaps this could be improved upon. For now I added an ExecPostStop command to clean it up, but that's not a full alternative. IMHO this should be done by fdns itself.

Side-note: I realize the decision to put the stats into /dev/shm probably has to do with the original plan to integrate fdns into firejail, but rkhunter and the likes frown upon finding files in /dev/shm. Perhaps a small note is welcome that informs the user of what's going on exactly...

Add support for libssl 3?

I am using Ubuntu 22.04, which has replaced libssl1.1 with libssl3. Have you considered adding support for libssl3?

fdns --proxies: Segmentation fault (core dumped) if /run/fdns is not present

STR:

  • If any fdns instances are running: stop them and delete /run/fdns (and maybe /dev/shm/fdns-* too).
  • Run fdns --proxies
  • See
pid fb,
Segmentation fault (core dumped)
  • Create /run/fdns (sudo mkdir /run/fdns)
  • Run fdns --proxies again
  • See blank line -- no segfault
$ fdns --version
fdns version 0.9.64
$ grep PRETTY_NAME /etc/os-release
PRETTY_NAME="Fedora 32 (Workstation Edition)"

fdns resolver processes getting killed by seccomp - syscall 230 (clock_nanosleep)

Issue noticed today on Arch with fdns from git master. I guess this is due to the recently upgraded openssl package.

Testing server appliedprivacy
	SSL connection opened in 165.52 ms
	DoH response average 29.41 ms
fdns starting
connecting to appliedprivacy server
	non-profit, Austria, Europe
listening on all available interfaces
342 filter entries added from /etc/fdns/trackers
5277 filter entries added from /etc/fdns/fp-trackers
51399 filter entries added from /etc/fdns/adblocker
12604 filter entries added from /etc/fdns/coinblocker
90 filter entries added from /etc/fdns/doh
1577 filter entries added from /etc/fdns/hosts
(0) SSL connection opened
(2) SSL connection opened
(1) SSL connection opened
Error: fdns resolver process 1 killed by seccomp - syscall 230 (clock_nanosleep)
zx2c4.com, encrypted
(1) Error: fdns resolver process 1 killed by seccomp - syscall 230 (clock_nanosleep)
Error: resolver 1 (pid 365882) terminated, restarting it...
(1) SSL connection opened
Error: fdns resolver process 1 killed by seccomp - syscall 230 (clock_nanosleep)
zx2c4.com, encrypted
(1) Error: fdns resolver process 1 killed by seccomp - syscall 230 (clock_nanosleep)
Error: fdns resolver process 2 killed by seccomp - syscall 230 (clock_nanosleep)
zx2c4.com, encrypted
(2) Error: fdns resolver process 2 killed by seccomp - syscall 230 (clock_nanosleep)
Error: resolver 1 (pid 366801) terminated, restarting it...
Error: resolver 2 (pid 365883) terminated, restarting it...
(1) SSL connection opened
(2) SSL connection opened
Error: fdns resolver process 1 killed by seccomp - syscall 230 (clock_nanosleep)
zx2c4.com, encrypted
(1) Error: fdns resolver process 1 killed by seccomp - syscall 230 (clock_nanosleep)
Error: resolver 1 (pid 366840) terminated, restarting it...
(1) SSL connection opened
signal 15 caught, shutting down all resolvers
tag index 1

I'll make a PR to add clock_nanosleep to etc/resolvers.seccomp.

whitelist for domain names

A whitelist of allowed domain names would be very nice for use with single firejail sandboxes.

Example:

$ sudo fdns --proxy-addr=127.1.2.3 --wh-dn=mozilla.org --wh-dn=gmail.com
$ firejail --dns=127.1.2.3 thunderbird

Maybe it is better to put the whitelist in a file.
