Add https-dns-proxy package, remove initial redirect to 5353 when started

2025-02-12 10:31:51 +00:00 · 2020-04-10 15:10:38 +02:00 · 2020-04-10 15:10:38 +02:00 · 6c730f1463
commit 6c730f1463
parent 02317e2caf
4 changed files with 337 additions and 0 deletions
--- a/https-dns-proxy/Makefile
+++ b/https-dns-proxy/Makefile
@ -0,0 +1,36 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=https-dns-proxy
+PKG_VERSION:=2019-12-03
+PKG_RELEASE=5
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/aarond10/https_dns_proxy
+PKG_SOURCE_DATE:=2019-12-03
+PKG_SOURCE_VERSION:=2adeafb67cbe8d67148219c48334856ae4f3bd75
+PKG_MIRROR_HASH:=58088baa092cd9634652d65f9b5650db88d2e102cb370710654db7b15f2f0e42
+PKG_MAINTAINER:=Stan Grishin <stangri@melmac.net>
+PKG_LICENSE:=MIT
+PKG_LICENSE_FILES:=LICENSE
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/cmake.mk
+
+CMAKE_OPTIONS += -DCLANG_TIDY_EXE=
+
+define Package/https-dns-proxy
+	SECTION:=net
+	CATEGORY:=Network
+	TITLE:=DNS Over HTTPS Proxy
+	DEPENDS:=+libcares +libcurl +libev +ca-bundle
+	CONFLICTS:=https_dns_proxy
+endef
+
+define Package/https-dns-proxy/install
+	$(INSTALL_DIR) $(1)/usr/sbin $(1)/etc/init.d ${1}/etc/config
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/https_dns_proxy $(1)/usr/sbin/https-dns-proxy
+	$(INSTALL_BIN) ./files/https-dns-proxy.init $(1)/etc/init.d/https-dns-proxy
+	$(INSTALL_CONF) ./files/https-dns-proxy.config $(1)/etc/config/https-dns-proxy
+endef
+
+$(eval $(call BuildPackage,https-dns-proxy))
--- a/https-dns-proxy/files/README.md
+++ b/https-dns-proxy/files/README.md
@ -0,0 +1,95 @@
+# DNS Over HTTPS Proxy (https-dns-proxy)
+
+A lean RFC8484-compatible (no JSON API support) DNS-over-HTTPS (DoH) proxy service which supports DoH servers ran by AdGuard, CleanBrowsing, Cloudflare, Google, ODVR (nic.cz) and Quad9. Please see the [README](https://github.com/stangri/openwrt_packages/blob/master/https-dns-proxy/files/README.md) for further information. Based on [@aarond10](https://github.com/aarond10)'s [https-dns-proxy](https://github.com/aarond10/https_dns_proxy).
+
+## Features
+
+- [RFC8484](https://tools.ietf.org/html/rfc8484)-compatible DoH Proxy.
+- Compact size.
+- Web UI (```luci-app-https-dns-proxy```) available.
+- (By default) automatically updates DNSMASQ settings to use DoH proxy when it's started and reverts to old DNSMASQ resolvers when DoH proxy is stopped.
+
+## Screenshots (luci-app-https-dns-proxy)
+
+![screenshot](https://raw.githubusercontent.com/stangri/openwrt_packages/master/screenshots/https-dns-proxy/screenshot01.png "https-dns-proxy screenshot")
+
+## Requirements
+
+This proxy requires the following packages to be installed on your router: ```libc```, ```libcares```, ```libcurl```, ```libev```, ```ca-bundle```. They will be automatically installed when you're installing ```https-dns-proxy```.
+
+## Unmet Dependencies
+
+If you are running a development (trunk/snapshot) build of OpenWrt/LEDE Project on your router and your build is outdated (meaning that packages of the same revision/commit hash are no longer available and when you try to satisfy the [requirements](#requirements) you get errors), please flash either current LEDE release image or current development/snapshot image.
+
+## How To Install
+
+Install ```https-dns-proxy``` and ```luci-app-https-dns-proxy``` packages from Web UI or run the following in the command line:
+
+```sh
+opkg update; opkg install https-dns-proxy luci-app-https-dns-proxy;
+```
+
+## Default Settings
+
+Default configuration has service enabled and starts the service with Google and Cloudflare DoH servers. In most configurations, you will keep the default ```DNSMASQ``` service installed to handle requests from devices in your local network and point ```DNSMASQ``` to use ```https-dns-proxy``` for name resolution.
+
+By default, the service will intelligently override existing ```DNSMASQ``` servers settings on start to use the DoH servers and restores original ```DNSMASQ``` servers on stop. See the [Configuration Settings](#configuration-settings) section below for more information and how to disable this behavior.
+
+## Configuration Settings
+
+Configuration contains the (named) "main" config section where you can configure which ```DNSMASQ``` settings the service will automatically affect and the typed (unnamed) https-dns-proxy instance settings. The original config file is included below:
+
+```text
+config main 'config'
+  option update_dnsmasq_config '*'
+
+config https-dns-proxy
+  option bootstrap_dns '8.8.8.8,8.8.4.4'
+  option resolver_url 'https://dns.google/dns-query'
+  option listen_addr '127.0.0.1'
+  option listen_port '5053'
+  option user 'nobody'
+  option group 'nogroup'
+
+config https-dns-proxy
+  option bootstrap_dns '1.1.1.1,1.0.0.1'
+  option resolver_url 'https://cloudflare-dns.com/dns-query'
+  option listen_addr '127.0.0.1'
+  option listen_port '5054'
+  option user 'nobody'
+  option group 'nogroup'
+```
+
+The ```update_dnsmasq_config``` option can be set to dash (set to ```'-'``` to not change ```DNSMASQ``` server settings on start/stop), can be set to ```'*'``` to affect all ```DNSMASQ``` instance server settings or have a space-separated list of ```DNSMASQ``` instances to affect (like ```'0 4 5'```). If this option is omitted, the default setting is ```'*'```.
+
+Starting with ```https-dns-proxy``` version ```2019-12-03-3``` and higher, when the service is set to update the DNSMASQ servers setting on start/stop, it does not override entries which contain either ```#``` or ```/```, so the entries like listed below will be kept in use:
+
+```test
+  list server '/onion/127.0.0.1#65453'
+  list server '/openwrt.org/8.8.8.8'
+  list server '/pool.ntp.org/8.8.8.8'
+  list server '127.0.0.1#15353'
+  list server '127.0.0.1#55353'
+  list server '127.0.0.1#65353'
+```
+
+The https-dns-proxy instance settings are:
+
+|Parameter|Type|Default|Description|
+| --- | --- | --- | --- |
+|bootstrap_dns|IP Address||The non-encrypted DNS servers to be used to resolve the DoH server name on start.|
+|edns_subnet|Subnet||EDNS Subnet address can be supplied to supported DoH servers to provide local resolution results.|
+|listen_addr|IP Address|127.0.0.1|The local IP address to listen to requests.|
+|listen_port|port|5053 and up|If this setting is omitted, the service will start the first https-dns-proxy instance on port 5053, second on 5054 and so on.|
+|logfile|Full filepath||Full filepath to the file to log the instance events to.|
+|resolver_url|URL||The https URL to the RFC8484-compatible resolver.|
+|proxy_server|URL||Local proxy server to use when accessing resolvers.|
+|user|String|nobody|Local user to run instance under.|
+|group|String|nogroup|Local group to run instance under.|
+|use_http1|Boolean|0|If set to 1, use HTTP/1 on installations with broken/outdated ```curl``` package. Included for posterity reasons, you will most likely not ever need it on OpenWrt.|
+|verbosity|Integer|0|logging verbosity level. fatal = 0, error = 1, warning = 2, info = 3, debug = 4|
+|use_ipv6_resolvers_only|Boolean|0|If set to 1, Forces IPv6 DNS resolvers instead of IPv4|
+
+## Thanks
+
+This OpenWrt package wouldn't have been possible without [@aarond10](https://github.com/aarond10)'s [https-dns-proxy](https://github.com/aarond10/https_dns_proxy) and his active participation in the OpenWrt package itself. Special thanks to [@jow-](https://github.com/jow-) for general package/luci guidance.
--- a/https-dns-proxy/files/https-dns-proxy.config
+++ b/https-dns-proxy/files/https-dns-proxy.config
@ -0,0 +1,18 @@
+config main 'config'
+	option update_dnsmasq_config '*'
+
+config https-dns-proxy
+	option bootstrap_dns '8.8.8.8,8.8.4.4'
+	option resolver_url 'https://dns.google/dns-query'
+	option listen_addr '127.0.0.1'
+	option listen_port '5053'
+	option user 'nobody'
+	option group 'nogroup'
+
+config https-dns-proxy
+	option bootstrap_dns '1.1.1.1,1.0.0.1'
+	option resolver_url 'https://cloudflare-dns.com/dns-query'
+	option listen_addr '127.0.0.1'
+	option listen_port '5054'
+	option user 'nobody'
+	option group 'nogroup'
--- a/https-dns-proxy/files/https-dns-proxy.init
+++ b/https-dns-proxy/files/https-dns-proxy.init
@ -0,0 +1,188 @@
+#!/bin/sh /etc/rc.common
+# Copyright 2019 Stan Grishin (stangri@melmac.net)
+# shellcheck disable=SC2039
+
+export START=80
+export USE_PROCD=1
+
+dnsmasqConfig=''
+
+PROG=/usr/sbin/https-dns-proxy
+
+xappend() { param="$param $1"; }
+
+append_bool() {
+	local section="$1"
+	local option="$2"
+	local value="$3"
+	local default="$4"
+	local _loctmp
+	[ -z "$default" ] && default="0"
+	config_get_bool _loctmp "$section" "$option" "$default"
+	[ "$_loctmp" != "0" ] && xappend "$value"
+}
+
+append_parm() {
+	local section="$1"
+	local option="$2"
+	local switch="$3"
+	local default="$4"
+	local _loctmp
+	config_get _loctmp "$section" "$option" "$default"
+	[ -z "$_loctmp" ] && return 0
+	xappend "$switch $_loctmp"
+}
+
+start_instance() {
+	local cfg="$1" param listen_addr listen_port i
+
+	append_parm "$cfg" 'listen_addr' '-a' '127.0.0.1'
+	append_parm "$cfg" 'listen_port' '-p' "$p"
+	append_parm "$cfg" 'bootstrap_dns' '-b'
+	append_parm "$cfg" 'resolver_url' '-r'
+	append_parm "$cfg" 'user' '-u' 'nobody'
+	append_parm "$cfg" 'group' '-g' 'nogroup'
+	append_parm "$cfg" 'edns_subnet' '-e'
+	append_parm "$cfg" 'proxy_server' '-t'
+	append_parm "$cfg" 'logfile' '-l'
+	append_bool "$cfg" 'use_http1' '-x'
+	config_get_bool ipv6_resolvers_only "$cfg" 'use_ipv6_resolvers_only' '0'
+	config_get verbosity "$cfg" 'verbosity' "0"
+
+# shellcheck disable=SC2086,SC2154
+	for i in $(seq 1 $verbosity); do
+		xappend "-v"
+	done
+# shellcheck disable=SC2154
+	if [ "$ipv6_resolvers_only" = 0 ]; then
+		xappend "-4"
+	fi
+
+	procd_open_instance
+# shellcheck disable=SC2086
+	procd_set_param command ${PROG} ${param}
+	procd_set_param stderr 1
+	procd_set_param stdout 1
+	procd_set_param respawn
+	procd_close_instance
+
+	config_get listen_addr "$cfg" 'listen_addr' '127.0.0.1'
+	config_get listen_port "$cfg" 'listen_port' "$p"
+
+	if [ "$dnsmasqConfig" = "*" ]; then
+		config_load 'dhcp'
+		config_foreach dnsmasq_add_doh_server 'dnsmasq' "${listen_addr}" "${listen_port}"
+	elif [ -n "$dnsmasqConfig" ]; then
+		for i in $dnsmasqConfig; do
+			dnsmasq_add_doh_server "@dnsmasq[${i}]" "${listen_addr}" "${listen_port}"
+		done
+	fi
+	p="$((p+1))"
+}
+
+service_triggers() {
+	procd_add_reload_trigger 'https-dns-proxy'
+}
+
+start_service() {
+	local p=5053
+	config_load 'https-dns-proxy'
+	config_get dnsmasqConfig	'config' 'update_dnsmasq_config' '*'
+	dhcp_backup 'create'
+	config_load 'https-dns-proxy'
+	config_foreach start_instance 'https-dns-proxy'
+	if [ "$p" != "5053" ] && [ "$dnsmasqConfig" = "*" ]; then
+		uci -q del_list "dhcp.@dnsmasq[0].server=127.0.0.1#5353"
+	fi
+	if [ -n "$(uci -q changes dhcp)" ]; then
+		uci -q commit dhcp
+		[ -x /etc/init.d/dnsmasq ] && /etc/init.d/dnsmasq restart >/dev/null 2>&1
+	fi
+}
+
+stop_service() {
+	config_load 'https-dns-proxy'
+	config_get dnsmasqConfig	'config' 'update_dnsmasq_config' '*'
+	dhcp_backup 'restore'
+	if [ -n "$(uci -q changes dhcp)" ]; then
+		uci -q commit dhcp
+		[ -x /etc/init.d/dnsmasq ] && /etc/init.d/dnsmasq restart >/dev/null 2>&1
+	fi
+}
+
+service_triggers() {
+		procd_add_reload_trigger 'https-dns-proxy'
+}
+
+dnsmasq_add_doh_server() {
+	local cfg="$1" address="$2" port="$3"
+	case $address in
+		0.0.0.0|::ffff:0.0.0.0) address='127.0.0.1';;
+		::) address='::1';;
+	esac
+	uci -q del_list "dhcp.${cfg}.server=${address}#${port}"
+	uci -q add_list "dhcp.${cfg}.server=${address}#${port}"
+}
+
+dnsmasq_create_server_backup() {
+	local cfg="$1"
+	local i
+	uci -q get "dhcp.${cfg}" >/dev/null || return 0
+	if ! uci -q get "dhcp.${cfg}.doh_backup_noresolv" >/dev/null; then
+		if [ -z "$(uci -q get "dhcp.${cfg}.noresolv")" ]; then
+			uci -q set "dhcp.${cfg}.noresolv=1"
+			uci -q set "dhcp.${cfg}.doh_backup_noresolv=-1"
+		elif [ "$(uci -q get "dhcp.${cfg}.noresolv")" != "1" ]; then
+			uci -q set "dhcp.${cfg}.noresolv=1"
+			uci -q set "dhcp.${cfg}.doh_backup_noresolv=0"
+		fi
+	fi
+	if ! uci -q get "dhcp.${cfg}.doh_backup_server" >/dev/null; then
+		for i in $(uci -q get "dhcp.${cfg}.server"); do
+			uci -q add_list "dhcp.${cfg}.doh_backup_server=$i"
+			if [ "$i" = "${i//127.0.0.1}" ] && [ "$i" = "$(echo "$i" | tr -d /)" ]; then
+				uci -q del_list "dhcp.${cfg}.server=$i"
+			fi
+		done
+	fi
+}
+
+dnsmasq_restore_server_backup() {
+	local cfg="$1"
+	local i
+	uci -q get "dhcp.${cfg}" >/dev/null || return 0
+	if uci -q get "dhcp.${cfg}.doh_backup_noresolv" >/dev/null; then
+		if [ "$(uci -q get "dhcp.${cfg}.doh_backup_noresolv")" = "0" ]; then
+			uci -q set "dhcp.${cfg}.noresolv=0"
+		else 
+			uci -q del "dhcp.${cfg}.noresolv"
+		fi
+		uci -q del "dhcp.${cfg}.doh_backup_noresolv"
+	fi
+	if uci -q get "dhcp.${cfg}.doh_backup_server" >/dev/null; then
+		uci -q del "dhcp.${cfg}.server"
+		for i in $(uci -q get "dhcp.${cfg}.doh_backup_server"); do
+			uci -q add_list "dhcp.${cfg}.server=$i"
+		done
+	uci -q del "dhcp.${cfg}.doh_backup_server"
+	fi
+}
+
+dhcp_backup() {
+	local i
+	config_load 'dhcp'
+	case "$1" in
+		create)
+			if [ "$dnsmasqConfig" = "*" ]; then
+				config_foreach dnsmasq_create_server_backup 'dnsmasq'
+			elif [ -n "$dnsmasqConfig" ]; then
+				for i in $dnsmasqConfig; do
+					dnsmasq_create_server_backup "@dnsmasq[${i}]"
+				done
+			fi
+			;;
+		restore)
+			config_foreach dnsmasq_restore_server_backup 'dnsmasq'
+			;;
+	esac
+}