author | Martin Polden <mpolden@mpolden.no> | 2020-05-09 12:32:38 +0200 |
---|---|---|
committer | Martin Polden <mpolden@mpolden.no> | 2020-05-09 12:34:13 +0200 |
commit | 63ba16fd5306f23af085eb0dd96838800cc2d976 (patch) | |
tree | 35dd7ccea857c7c6d5dd2a062bfb4811ab27f9d6 | |
parent | a0499585a5b66d2a7eb2d1c3b8b7a9346307e9fa (diff) |
Support TLS server name configuration
-rw-r--r-- | config_test.go | 4 | ||||
-rw-r--r-- | dns/dnsutil/dnsutil.go | 10 | ||||
-rw-r--r-- | zdnsrc | 21 |
3 files changed, 32 insertions, 3 deletions
diff --git a/config_test.go b/config_test.go
index 2e5b909..32738d8 100644
--- a/config_test.go
+++ b/config_test.go
@@ -15,7 +15,7 @@ protocol = "udp"
 cache_size = 2048
 resolvers = [
 "192.0.2.1:53",
- "192.0.2.2:53",
+ "192.0.2.2:53=example.com",
 ]
 hijack_mode = "zero" # or: empty, hosts
 hosts_refresh_interval = "48h"
@@ -75,7 +75,7 @@ hijack = false
 {"DNS.Listen", conf.DNS.Listen, "0.0.0.0:53"},
 {"DNS.Protocol", conf.DNS.Protocol, "udp"},
 {"DNS.Resolvers[0]", conf.DNS.Resolvers[0], "192.0.2.1:53"},
- {"DNS.Resolvers[1]", conf.DNS.Resolvers[1], "192.0.2.2:53"},
+ {"DNS.Resolvers[1]", conf.DNS.Resolvers[1], "192.0.2.2:53=example.com"},
 {"DNS.HijackMode", conf.DNS.HijackMode, "zero"},
 {"DNS.Database", conf.DNS.Database, "/tmp/log.db"},
 {"DNS.LogMode", conf.DNS.LogModeString, "all"},
diff --git a/dns/dnsutil/dnsutil.go b/dns/dnsutil/dnsutil.go
index 3b989c9..085e03e 100644
--- a/dns/dnsutil/dnsutil.go
+++ b/dns/dnsutil/dnsutil.go
@@ -1,7 +1,9 @@ package dnsutil import ( + "crypto/tls" "fmt" + "strings" "sync" "time"
@@ -79,7 +81,13 @@ func NewClient(addr string, config Config) Client {
 if config.Network == "https" {
 r = http.NewClient(config.Timeout)
 } else {
- r = &dns.Client{Net: config.Network, Timeout: config.Timeout}
+ var tlsConfig *tls.Config
+ parts := strings.SplitN(addr, "=", 2)
+ if len(parts) == 2 {
+ addr = parts[0]
+ tlsConfig = &tls.Config{ServerName: parts[1]}
+ }
+ r = &dns.Client{Net: config.Network, Timeout: config.Timeout, TLSConfig: tlsConfig}
 }
 return &client{resolver: r, address: addr}
 }
@@ -1,3 +1,5 @@ +# -*- mode: conf-toml -*- + # Each commented option contains the default value. [dns]
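Review bot: The `=tls-name` suffix in the NewClient hunk is parsed and stripped for every non-https network, so a resolver such as `192.0.2.2:53=example.com` under protocol "udp" is silently accepted and the server name discarded, although the zdnsrc text in this same commit says it only makes sense with tcp-tls; since NewClient returns no error, either gate the parse on the TLS network (e.g. `if len(parts) == 2 && config.Network == "tcp-tls" {`) or state in a comment that the suffix is ignored for other networks. The new tls.Config also leaves MinVersion at the Go default, and `tlsConfig = &tls.Config{ServerName: parts[1], MinVersion: tls.VersionTLS12}` would pin DNS-over-TLS upstreams to a modern version, though the nil-TLSConfig path taken when no suffix is given would then behave differently unless it is built the same way. The doc comment on NewClient should describe the `addr:port[=tls-name]` form, as the only description of it now lives in zdnsrc. NewClient starts before this hunk (its signature is only the hunk header and r is declared earlier), so the comment and the earlier declaration are outside the visible lines.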
@@ -31,6 +33,17 @@ # Upstream DNS servers to use when answering queries. # +# Each entry has the following format: +# +# addr:port[=tls-name] +# +# The tls-name part is optional. Some DNS servers only have FQDNs in their +# certificate SAN field. This causes certificate validation to fail when +# connecting using an IP address. +# +# When tls-name is set it's used to verify the hostname of the returned +# certificate. This only makes sense in combination with the tcp-tls protocol. +# # The default is Cloudflare DNS servers, which support DNS-over-TLS. # https://www.cloudflare.com/learning/dns/what-is-1.1.1.1/ # @@ -44,6 +57,14 @@ # resolvers = [ # "https://cloudflare-dns.com/dns-query", # ] +# +# Or using a specific TLS server name, for example with a UncensoredDNS servers +# (https://blog.uncensoreddns.org): +# +# resolvers = [ +# "89.233.43.71:853=unicast.censurfridns.dk", +# "91.239.100.100:853=anycast.censurfridns.dk", +# ] # Configure how to answer hijacked DNS requests. # |