authorMartin Polden <mpolden@mpolden.no>2020-05-09 12:32:38 +0200
committerMartin Polden <mpolden@mpolden.no>2020-05-09 12:34:13 +0200
commit63ba16fd5306f23af085eb0dd96838800cc2d976 (patch)
tree35dd7ccea857c7c6d5dd2a062bfb4811ab27f9d6
parenta0499585a5b66d2a7eb2d1c3b8b7a9346307e9fa (diff)
Support TLS server name configuration
-rw-r--r--config_test.go4
-rw-r--r--dns/dnsutil/dnsutil.go10
-rw-r--r--zdnsrc21
3 files changed, 32 insertions, 3 deletions
diff --git a/config_test.go b/config_test.go
index 2e5b909..32738d8 100644
--- a/config_test.go
+++ b/config_test.go
@@ -15,7 +15,7 @@ protocol = "udp"
cache_size = 2048
resolvers = [
"192.0.2.1:53",
- "192.0.2.2:53",
+ "192.0.2.2:53=example.com",
]
hijack_mode = "zero" # or: empty, hosts
hosts_refresh_interval = "48h"
@@ -75,7 +75,7 @@ hijack = false
{"DNS.Listen", conf.DNS.Listen, "0.0.0.0:53"},
{"DNS.Protocol", conf.DNS.Protocol, "udp"},
{"DNS.Resolvers[0]", conf.DNS.Resolvers[0], "192.0.2.1:53"},
- {"DNS.Resolvers[1]", conf.DNS.Resolvers[1], "192.0.2.2:53"},
+ {"DNS.Resolvers[1]", conf.DNS.Resolvers[1], "192.0.2.2:53=example.com"},
{"DNS.HijackMode", conf.DNS.HijackMode, "zero"},
{"DNS.Database", conf.DNS.Database, "/tmp/log.db"},
{"DNS.LogMode", conf.DNS.LogModeString, "all"},
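Review bot: This hunk only asserts that the raw `"192.0.2.2:53=example.com"` string survives config parsing; nothing in the commit exercises the new `=` handling in dnsutil.NewClient (address stripped, ServerName set), so a regression there would go unnoticed. A test in package dnsutil that builds a client from `"192.0.2.2:853=example.com"` with Network `"tcp-tls"` and checks that the stored address is `"192.0.2.2:853"` would cover the new path; the exact fields to inspect depend on the unexported `client` struct, which is outside this hunk.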
diff --git a/dns/dnsutil/dnsutil.go b/dns/dnsutil/dnsutil.go
index 3b989c9..085e03e 100644
--- a/dns/dnsutil/dnsutil.go
+++ b/dns/dnsutil/dnsutil.go
@@ -1,7 +1,9 @@
package dnsutil
import (
+ "crypto/tls"
"fmt"
+ "strings"
"sync"
"time"
@@ -79,7 +81,13 @@ func NewClient(addr string, config Config) Client {
if config.Network == "https" {
r = http.NewClient(config.Timeout)
} else {
- r = &dns.Client{Net: config.Network, Timeout: config.Timeout}
+ var tlsConfig *tls.Config
+ parts := strings.SplitN(addr, "=", 2)
+ if len(parts) == 2 {
+ addr = parts[0]
+ tlsConfig = &tls.Config{ServerName: parts[1]}
+ }
+ r = &dns.Client{Net: config.Network, Timeout: config.Timeout, TLSConfig: tlsConfig}
}
return &client{resolver: r, address: addr}
}
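Review bot: The server name taken from `parts[1]` is used unchecked: an entry such as `"192.0.2.2:853="` yields `&tls.Config{ServerName: ""}`, which presumably either falls back to the dialled host or fails the handshake rather than surfacing as a configuration error, and a name given with `tcp`/`udp` is stripped from the address and then silently ignored since TLSConfig is only consulted for TLS networks. NewClient returns only `Client`, so the natural place to reject an empty or ineffective name is the config-loading layer, where a malformed resolver entry can produce an error; short of that, `if len(parts) == 2 && parts[1] != "" && config.Network == "tcp-tls" {` keeps an unusable name from reaching the TLS config, at the cost of an unstripped `=name` then failing loudly at dial time. A comment above the split would help readers who do not have zdnsrc open, e.g. `// "addr=name" pins the TLS server name used for certificate verification (needed when the certificate only carries an FQDN SAN).` The `https` branch bypasses this parsing entirely, which is probably intended but worth stating in the same comment.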
diff --git a/zdnsrc b/zdnsrc
index 5e0b97e..0c5e4ce 100644
--- a/zdnsrc
+++ b/zdnsrc
@@ -1,3 +1,5 @@
+# -*- mode: conf-toml -*-
+
# Each commented option contains the default value.
[dns]
@@ -31,6 +33,17 @@
# Upstream DNS servers to use when answering queries.
#
+# Each entry has the following format:
+#
+# addr:port[=tls-name]
+#
+# The tls-name part is optional. Some DNS servers only have FQDNs in their
+# certificate SAN field. This causes certificate validation to fail when
+# connecting using an IP address.
+#
+# When tls-name is set it's used to verify the hostname of the returned
+# certificate. This only makes sense in combination with the tcp-tls protocol.
+#
# The default is Cloudflare DNS servers, which support DNS-over-TLS.
# https://www.cloudflare.com/learning/dns/what-is-1.1.1.1/
#
@@ -44,6 +57,14 @@
# resolvers = [
# "https://cloudflare-dns.com/dns-query",
# ]
+#
+# Or using a specific TLS server name, for example with a UncensoredDNS servers
+# (https://blog.uncensoreddns.org):
+#
+# resolvers = [
+# "89.233.43.71:853=unicast.censurfridns.dk",
+# "91.239.100.100:853=anycast.censurfridns.dk",
+# ]
# Configure how to answer hijacked DNS requests.
#