From b55fb4f90a6313ab1c835579f259b590212ebad0 Mon Sep 17 00:00:00 2001 
From: Jack Ivanov Date: Wed, 25 Apr 2018 19:14:02 +0300 Subject: [PATCH] DNScrypt-proxy --- .travis.yml | 2 +- config.cfg | 2 - docs/setup-roles.md | 3 +- .../dns_adblocking/templates/dnsmasq.conf.j2 | 2 +- roles/dns_encryption/defaults/main.yml | 14 +- .../files/apparmor.profile.dnscrypt-proxy | 23 + roles/dns_encryption/files/rc.dingo.sh | 40 -- .../dns_encryption/files/rc.dnscrypt-proxy.sh | 38 ++ .../dns_encryption/files/usr.local.bin.dingo | 13 - roles/dns_encryption/files/usr.sbin.unbound | 19 - roles/dns_encryption/handlers/main.yml | 9 +- roles/dns_encryption/tasks/dingo/freebsd.yml | 32 -- roles/dns_encryption/tasks/dingo/main.yml | 44 -- roles/dns_encryption/tasks/dingo/ubuntu.yml | 50 -- roles/dns_encryption/tasks/freebsd.yml | 51 ++ roles/dns_encryption/tasks/main.yml | 27 +- roles/dns_encryption/tasks/ubuntu.yml | 48 ++ roles/dns_encryption/tasks/unbound/main.yml | 27 - roles/dns_encryption/tasks/unbound/ubuntu.yml | 45 -- .../dns_encryption/templates/dingo.service.j2 | 20 - .../templates/dnscrypt-proxy.toml.j2 | 465 ++++++++++++++++++ .../dns_encryption/templates/unbound.conf.j2 | 29 -- 22 files changed, 654 insertions(+), 349 deletions(-) create mode 100644 roles/dns_encryption/files/apparmor.profile.dnscrypt-proxy delete mode 100644 roles/dns_encryption/files/rc.dingo.sh create mode 100644 roles/dns_encryption/files/rc.dnscrypt-proxy.sh delete mode 100644 roles/dns_encryption/files/usr.local.bin.dingo delete mode 100644 roles/dns_encryption/files/usr.sbin.unbound delete mode 100644 roles/dns_encryption/tasks/dingo/freebsd.yml delete mode 100644 roles/dns_encryption/tasks/dingo/main.yml delete mode 100644 roles/dns_encryption/tasks/dingo/ubuntu.yml create mode 100644 roles/dns_encryption/tasks/freebsd.yml create mode 100644 roles/dns_encryption/tasks/ubuntu.yml delete mode 100644 roles/dns_encryption/tasks/unbound/main.yml delete mode 100644 roles/dns_encryption/tasks/unbound/ubuntu.yml delete mode 100644 
roles/dns_encryption/templates/dingo.service.j2 create mode 100644 roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 delete mode 100644 roles/dns_encryption/templates/unbound.conf.j2 diff --git a/.travis.yml b/.travis.yml index 882aed691..6971d1ff8 100644 --- a/.travis.yml +++ b/.travis.yml @@ -44,7 +44,7 @@ before_install: install: - sudo tar xf $HOME/lxc/cache.tar -C / || echo "Didn't extract cache." - export LXC_ROOTFS=/var/lib/lxc/$LXC_NAME/rootfs - - 'sudo lxc-create -n $LXC_NAME -t ubuntu -- -r $LXC_RELEASE --packages python || true' + - 'sudo lxc-create -n $LXC_NAME -t ubuntu -- -r $LXC_RELEASE --mirror http://mirrors.us.kernel.org/ubuntu --packages python || true' - 'sudo lxc-start -n $LXC_NAME && until (sudo lxc-info -n $LXC_NAME | grep -q ^IP:); do printf . && sleep 1; done && sleep 2' - export LXC_IP="$(sudo lxc-info -Hin $LXC_NAME)" - sudo /bin/bash -c "printf '\n$LXC_IP test.lxc\n' >> /etc/hosts" diff --git a/config.cfg b/config.cfg index 5e06ffc89..6c38dc93f 100644 --- a/config.cfg +++ b/config.cfg @@ -33,8 +33,6 @@ adblock_lists: dns_encryption: true # Possible values: google, cloudflare -# google: DNS over HTTPS. Dingo will be used -# cloudflare: DNS over TLS. Unbound will be used dns_encryption_provider: cloudflare # DNS servers which will be used if dns_encryption disabled diff --git a/docs/setup-roles.md b/docs/setup-roles.md index 7729d329f..1523d1817 100644 --- a/docs/setup-roles.md +++ b/docs/setup-roles.md 
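Review bot: The comment `# Possible values: google, cloudflare` kept above `dns_encryption_provider` in config.cfg is now misleading: the two explanatory lines were removed, and the value is templated straight into dnscrypt-proxy's `server_names`, so it is a resolver name from the public-resolvers source rather than a choice between two backends. Suggest replacing it with `# Name of a resolver from the dnscrypt-proxy public-resolvers list (templated into server_names); the IPv6 variant is added automatically only for cloudflare`. The role default is `"*"`, which the template does not appear to special-case, so that sentinel should be documented here or handled in the template.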
@@ -21,8 +21,7 @@ * Install the [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) local resolver with a blacklist for advertising domains * Constrains dnsmasq with AppArmor and cgroups CPU and memory limitations * **DNS encryption** - * Google DNS over HTTPS: Install the [dingo](https://github.com/pforemski/dingo) dns client - * CloudFlare DNS over TLS: Install [unbound](http://www.unbound.net/) resolver + * Install [dnscrypt-proxy](https://github.com/jedisct1/dnscrypt-proxy) * Constrains dingo with AppArmor and cgroups CPU and memory limitations * **SSH Tunneling** * Adds a restricted `algo` group with no shell access and limited SSH forwarding options diff --git a/roles/dns_adblocking/templates/dnsmasq.conf.j2 b/roles/dns_adblocking/templates/dnsmasq.conf.j2 index b88a4e927..501f7568d 100644 --- a/roles/dns_adblocking/templates/dnsmasq.conf.j2 +++ b/roles/dns_adblocking/templates/dnsmasq.conf.j2 @@ -664,7 +664,7 @@ bind-interfaces # Include another lot of configuration options. #conf-file=/etc/dnsmasq.more.conf -conf-dir={{ config_prefix|default('/') }}etc/dnsmasq.d +conf-dir={{ config_prefix|default('/') }}etc/dnsmasq.d/,*.conf # Include all the files in a directory except those ending in .bak #conf-dir=/etc/dnsmasq.d,.bak diff --git a/roles/dns_encryption/defaults/main.yml b/roles/dns_encryption/defaults/main.yml index edf72c2ae..df031a903 100644 --- a/roles/dns_encryption/defaults/main.yml +++ b/roles/dns_encryption/defaults/main.yml 
@@ -1,15 +1,7 @@ --- listen_port: "{% if local_dns|d(false)|bool == true %}5353{% else %}53{% endif %}" -dingo_flags: -gdns:auto -port {{ listen_port }} -bind {{ local_service_ip }} +# the version used if the latest unavailable (in case of Github API rate limited) +dnscrypt_proxy_version: 2.0.10 apparmor_enabled: true -dingo_version_if_latest_unavailable: 0.13 dns_encryption: true -dns_encryption_provider: default -dns_encryption_servers: - cloudflare: - ipv4: - - 1.1.1.1@853 - - 1.0.0.1@853 - ipv6: - - 2606:4700:4700::1111@853 - - 2606:4700:4700::1001@853 +dns_encryption_provider: "*" diff --git a/roles/dns_encryption/files/apparmor.profile.dnscrypt-proxy b/roles/dns_encryption/files/apparmor.profile.dnscrypt-proxy new file mode 100644 index 000000000..a2e516392 --- /dev/null +++ b/roles/dns_encryption/files/apparmor.profile.dnscrypt-proxy @@ -0,0 +1,23 @@ +#include + +/usr/sbin/dnscrypt-proxy { + #include + #include + #include + + capability chown, + capability dac_override, + capability net_bind_service, + capability setgid, + capability setuid, + capability sys_resource, + + /etc/dnscrypt-proxy.toml r, + /etc/ld.so.cache r, + /usr/sbin/dnscrypt-proxy mr, + /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv r, + /usr/local/lib/{@{multiarch}/,}libldns.so* mr, + /usr/local/lib/{@{multiarch}/,}libsodium.so* mr, + /run/dnscrypt-proxy.pid rw, + /run/systemd/notify rw, +} diff --git a/roles/dns_encryption/files/rc.dingo.sh b/roles/dns_encryption/files/rc.dingo.sh deleted file mode 100644 index 0d00fea84..000000000 --- a/roles/dns_encryption/files/rc.dingo.sh +++ /dev/null 
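Review bot: The new default `dns_encryption_provider: "*"` renders as `server_names = ['*']` in dnscrypt-proxy.toml.j2, and the template's own comment says that "all registered servers" is expressed by leaving `server_names` commented out; I am not aware of `*` being treated as a wildcard by dnscrypt-proxy, so the default may select no server at all (config.cfg overrides it to `cloudflare`, which masks this). Either document the sentinel here — `# "*" means: do not pin server_names, let dnscrypt-proxy pick from all resolvers matching the require_* filters` — and wrap the `server_names` line in `{% if dns_encryption_provider != "*" %}…{% endif %}` in the template, or default to a concrete resolver name. The comment on `dnscrypt_proxy_version` also reads better as `# version used when the latest release cannot be looked up (e.g. GitHub API rate limit)`.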
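Review bot: The profile grants `/etc/dnscrypt-proxy.toml r`, but tasks/main.yml writes the configuration to `{{ config_prefix }}etc/dnscrypt-proxy/dnscrypt-proxy.toml`, so once `aa-enforce` is applied the daemon is likely denied its own config unless the PPA's unit points elsewhere; the resolver-list cache named in the config (`cache_file = 'public-resolvers.md'`) also needs a writable path and nothing here grants one. The `dnscrypt-resolvers.csv`, `libldns` and `libsodium` entries look carried over from the v1/unbound profile — the 2.x tarball used on FreeBSD is run as a standalone binary with no libraries installed, so these are presumably dead rules, as may be the `chown`/`setgid`/`setuid`/`sys_resource` capabilities copied from `usr.sbin.unbound`. Suggest `/etc/dnscrypt-proxy/ r,` and `/etc/dnscrypt-proxy/** r,` in place of the single-file rule, plus an `rw` rule for wherever the package keeps its cache, and confirming the final rule set with the profile in complain mode before enforcing it.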
@@ -1,40 +0,0 @@
-#!/bin/sh
-
-# PROVIDE: dingo
-# REQUIRE: LOGIN
-# BEFORE: securelevel
-# KEYWORD: shutdown
-
-# Add the following lines to /etc/rc.conf to enable `dingo':
-#
-# dingo_enable="YES"
-# dingo_flags=""
-#
-# See rsync(1) for rsyncd_flags
-#
-
-. /etc/rc.subr
-
-name="dingo"
-rcvar=dingo_enable
-load_rc_config "$name"
-command="/usr/local/bin/dingo"
-pidfile="/var/run/$name.pid"
-dingo_user="dingo"
-start_cmd=dingo_start
-stop_postcmd=dingo_stop
-
-: ${dingo_enable="NO"}
-: ${dingo_flags=""}
-
-dingo_start() {
- echo "Starting dingo..."
- touch ${pidfile} && chown ${dingo_user} ${pidfile}
- /usr/sbin/daemon -cS -T dingo -p ${pidfile} -u ${dingo_user} ${command} ${dingo_flags}
-}
-
-dingo_stop() {
- [ -f ${pidfile} ] && rm ${pidfile}
-}
-
-run_rc_command "$1"
diff --git a/roles/dns_encryption/files/rc.dnscrypt-proxy.sh b/roles/dns_encryption/files/rc.dnscrypt-proxy.sh
new file mode 100644
index 000000000..da35d896a
--- /dev/null
+++ b/roles/dns_encryption/files/rc.dnscrypt-proxy.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# PROVIDE: dnscrypt-proxy
+# REQUIRE: LOGIN
+# BEFORE: securelevel
+# KEYWORD: shutdown
+
+# Add the following lines to /etc/rc.conf to enable `dnscrypt-proxy':
+#
+# dnscrypt_proxy_enable="YES"
+# dnscrypt_proxy_flags=""
+#
+# See rsync(1) for rsyncd_flags
+#
+
+. /etc/rc.subr
+
+name="dnscrypt-proxy"
+rcvar=dnscrypt_proxy_enable
+load_rc_config "$name"
+pidfile="/var/run/$name.pid"
+start_cmd=dnscrypt_proxy_start
+stop_postcmd=dnscrypt_proxy_stop
+
+: ${dnscrypt_proxy_enable="NO"}
+: ${dnscrypt_proxy_flags="-config /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml"}
+
+dnscrypt_proxy_start() {
+ echo "Starting dnscrypt-proxy..."
+ touch ${pidfile}
+ /usr/sbin/daemon -cS -T dnscrypt-proxy -p ${pidfile} /usr/dnscrypt-proxy/freebsd-amd64/dnscrypt-proxy ${dnscrypt_proxy_flags}
+}
+
+dnscrypt_proxy_stop() {
+ [ -f ${pidfile} ] && rm ${pidfile}
+}
+
+run_rc_command "$1"
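Review bot: The new rc script runs the resolver as root: the removed rc.dingo.sh passed `-u ${dingo_user}` to daemon(8) and chowned the pidfile, while `dnscrypt_proxy_start` calls `/usr/sbin/daemon -cS -T dnscrypt-proxy -p ${pidfile}` with no `-u`, and tasks/freebsd.yml creates no service user. Suggest restoring a dedicated unprivileged account, e.g. `dnscrypt_proxy_user="_dnscrypt-proxy"`, `touch ${pidfile} && chown ${dnscrypt_proxy_user} ${pidfile}` and `-u ${dnscrypt_proxy_user}` on the daemon line — with the caveat that when `listen_port` is 53 the bind would need `mac_portacl` or a lowered `net.inet.ip.portrange.reservedhigh`, so that part has to be checked on a real host. The binary path `/usr/dnscrypt-proxy/freebsd-amd64/dnscrypt-proxy` is hard-coded to the release tarball layout and would be easier to keep in sync with the Ansible task as a `command=` variable; the `See rsync(1) for rsyncd_flags` comment is a leftover from the template it was copied from.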
diff --git a/roles/dns_encryption/files/usr.local.bin.dingo b/roles/dns_encryption/files/usr.local.bin.dingo deleted file mode 100644 index 6520c63ee..000000000 --- a/roles/dns_encryption/files/usr.local.bin.dingo +++ /dev/null @@ -1,13 +0,0 @@ -#include - -/usr/local/bin/dingo { - #include - #include - - capability dac_override, - capability net_bind_service, - network inet raw, - - /proc/sys/net/core/somaxconn r, - /usr/local/bin/dingo mr, -} diff --git a/roles/dns_encryption/files/usr.sbin.unbound b/roles/dns_encryption/files/usr.sbin.unbound deleted file mode 100644 index 229e32a71..000000000 --- a/roles/dns_encryption/files/usr.sbin.unbound +++ /dev/null @@ -1,19 +0,0 @@ -#include - -/usr/sbin/unbound { - #include - #include - #include - - capability chown, - capability dac_override, - capability net_bind_service, - capability setgid, - capability setuid, - capability sys_resource, - - /etc/unbound/* r, - /run/unbound.pid rw, - /usr/sbin/unbound mr, - /var/lib/unbound/* rw, -} diff --git a/roles/dns_encryption/handlers/main.yml b/roles/dns_encryption/handlers/main.yml index ccaefca42..c46912b94 100644 --- a/roles/dns_encryption/handlers/main.yml +++ b/roles/dns_encryption/handlers/main.yml @@ -3,12 +3,7 @@ systemd: daemon_reload: true -- name: restart dingo +- name: restart dnscrypt-proxy service: - name: dingo - state: restarted - -- name: restart unbound - service: - name: unbound + name: dnscrypt-proxy state: restarted diff --git a/roles/dns_encryption/tasks/dingo/freebsd.yml b/roles/dns_encryption/tasks/dingo/freebsd.yml deleted file mode 100644 index 44d65a648..000000000 --- a/roles/dns_encryption/tasks/dingo/freebsd.yml +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -- name: FreeBSD | Download the latest binary - get_url: - url: "{{ item['browser_download_url'] }}" - dest: /usr/local/bin/dingo - mode: '0755' - force: true - with_items: "{{ dingo_latest['json']['assets'] }}" - no_log: true - when: '"freebsd-amd64" in item.name' - notify: restart dingo - -- name: FreeBSD | Configure rc script - copy: - src: rc.dingo.sh - dest: /usr/local/etc/rc.d/dingo - notify: restart dingo - -- name: FreeBSD | Configure dingo arguments - lineinfile: - path: /etc/rc.conf - regexp: '^dingo_flags=.*' - line: 'dingo_flags="{{ dingo_flags }}"' - notify: restart dingo - -- name: FreeBSD | Dingo enabled and started - service: - name: dingo - state: started - enabled: true - -- meta: flush_handlers diff --git a/roles/dns_encryption/tasks/dingo/main.yml b/roles/dns_encryption/tasks/dingo/main.yml deleted file mode 100644 index e5d08fd86..000000000 --- a/roles/dns_encryption/tasks/dingo/main.yml +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -- block: - - name: Create dingo user - user: - name: dingo - comment: Dingo DNS-over-HTTPS Daemon - state: present - createhome: false - home: /nonexistent - shell: /usr/sbin/nologin - - - name: Retrive the latest binary - uri: - url: https://api.github.com/repos/pforemski/dingo/releases/latest - register: dingo_latest - ignore_errors: true - - - name: Set default dingo assets - set_fact: - dingo_latest: - json: - assets: - - name: dingo-freebsd-386 - browser_download_url: "https://github.com/pforemski/dingo/releases/download/{{ dingo_version_if_latest_unavailable }}/dingo-freebsd-386" - - name: dingo-freebsd-amd64 - browser_download_url: "https://github.com/pforemski/dingo/releases/download/{{ dingo_version_if_latest_unavailable }}/dingo-freebsd-amd64" - - name: dingo-linux-386 - browser_download_url: "https://github.com/pforemski/dingo/releases/download/{{ dingo_version_if_latest_unavailable }}/dingo-linux-386" - - name: dingo-linux-amd64 - browser_download_url: "https://github.com/pforemski/dingo/releases/download/{{ dingo_version_if_latest_unavailable }}/dingo-linux-amd64" - when: dingo_latest.failed - - - name: Include tasks for Ubuntu - include_tasks: ubuntu.yml - when: '"Ubuntu" in OS.stdout' - - - name: Include tasks for FreeBSD - include_tasks: freebsd.yml - when: '"FreeBSD" in OS.stdout' - rescue: - - debug: var=fail_hint - tags: always - - fail: - tags: always diff --git a/roles/dns_encryption/tasks/dingo/ubuntu.yml b/roles/dns_encryption/tasks/dingo/ubuntu.yml deleted file mode 100644 index d44ecdb9e..000000000 --- a/roles/dns_encryption/tasks/dingo/ubuntu.yml +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -- name: Ubuntu | Download the latest binary - get_url: - url: "{{ item['browser_download_url'] }}" - dest: /usr/local/bin/dingo - mode: '0755' - force: true - with_items: "{{ dingo_latest['json']['assets'] }}" - no_log: true - when: '"linux-amd64" in item.name' - notify: restart dingo - -- block: - - name: Ubuntu | Dingo profile for apparmor configured - copy: - src: usr.local.bin.dingo - dest: /etc/apparmor.d/usr.local.bin.dingo - owner: root - group: root - mode: 0600 - notify: restart dingo - - - name: Ubuntu | Enforce the dingo AppArmor policy - command: aa-enforce usr.local.bin.dingo - changed_when: false - tags: apparmor - when: apparmor_enabled|default(false)|bool == true - -- name: Ubuntu | Configure dingo - copy: - content: ARGS="{{ dingo_flags }}" - dest: /etc/default/dingo - notify: restart dingo - -- name: Ubuntu | Configure systemd unit - template: - src: dingo.service.j2 - dest: /etc/systemd/system/dingo.service - notify: - - daemon reload - - restart dingo - -- name: Ubuntu | Dingo enabled and started - systemd: - name: dingo - state: started - daemon_reload: true - enabled: true - -- meta: flush_handlers diff --git a/roles/dns_encryption/tasks/freebsd.yml b/roles/dns_encryption/tasks/freebsd.yml new file mode 100644 index 000000000..08e11905f --- /dev/null +++ b/roles/dns_encryption/tasks/freebsd.yml 
@@ -0,0 +1,51 @@
+---
+- name: FreeBSD | Ensure that the required directories exist
+ file:
+ path: "{{ item }}"
+ state: directory
+ with_items:
+ - "{{ config_prefix|default('/') }}etc/dnscrypt-proxy/"
+ - /usr/dnscrypt-proxy/
+
+- name: Required tools installed
+ package:
+ name: gtar
+
+- name: FreeBSD | Retrive the latest versions
+ uri:
+ url: https://api.github.com/repos/jedisct1/dnscrypt-proxy/releases/latest
+ register: dnscrypt_proxy_latest
+ ignore_errors: true
+
+- name: FreeBSD | Set default dnscrypt-proxy assets
+ set_fact:
+ dnscrypt_proxy_latest:
+ json:
+ assets:
+ - name: "dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz"
+ browser_download_url: "https://github.com/jedisct1/dnscrypt-proxy/releases/download/{{ dnscrypt_proxy_version }}/dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz"
+ when: dnscrypt_proxy_latest.failed
+
+- name: FreeBSD | Download the latest archive
+ get_url:
+ url: "{{ item['browser_download_url'] }}"
+ dest: "/tmp/dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz"
+ mode: '0755'
+ force: true
+ with_items: "{{ dnscrypt_proxy_latest['json']['assets'] }}"
+ no_log: true
+ when: '"freebsd_amd64" in item.name'
+ notify: restart dnscrypt-proxy
+
+- name: FreeBSD | Extract the latest archive
+ unarchive:
+ remote_src: true
+ src: /tmp/dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz
+ dest: /usr/dnscrypt-proxy
+
+- name: FreeBSD | Configure rc script
+ copy:
+ src: rc.dnscrypt-proxy.sh
+ dest: /usr/local/etc/rc.d/dnscrypt-proxy
+ mode: "0755"
+ notify: restart dnscrypt-proxy
diff --git a/roles/dns_encryption/tasks/main.yml b/roles/dns_encryption/tasks/main.yml
index be1c3c599..49c8d6e8f 100644
--- a/roles/dns_encryption/tasks/main.yml
+++ b/roles/dns_encryption/tasks/main.yml
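Review bot: The `get_url` task installs whatever GitHub serves for the "latest" release with no integrity check — no `checksum:` on the download and no verification of the `.minisig` that upstream, as far as I know, publishes next to each tarball — and `no_log: true` even hides which URL was fetched, so the resolver every VPN client trusts is pulled on the strength of TLS alone on every run (`force: true`). Because "latest" is unpinned a static checksum cannot be expressed; suggest either always using `dnscrypt_proxy_version` and adding `checksum: sha256:<digest of the 2.0.10 freebsd_amd64 tarball>`, or fetching `{{ item['browser_download_url'] }}.minisig` and verifying it with minisign against the upstream release key before `unarchive`. Two smaller points: the archive is saved as `dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz` even when the API returned a newer version, which is confusing when debugging, and `mode: '0755'` on a tarball is unnecessary.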
@@ -1,8 +1,23 @@
 ---
-- name: Include Dingo installation
- import_tasks: dingo/main.yml
- when: dns_encryption_provider == "google"
+- name: Include tasks for Ubuntu
+ include_tasks: ubuntu.yml
+ when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
 
-- name: Include Unbound installation
- import_tasks: unbound/main.yml
- when: dns_encryption_provider == "cloudflare"
+- name: Include tasks for FreeBSD
+ include_tasks: freebsd.yml
+ when: ansible_distribution == 'FreeBSD'
+
+- name: dnscrypt-proxy configured
+ template:
+ src: dnscrypt-proxy.toml.j2
+ dest: "{{ config_prefix|default('/') }}etc/dnscrypt-proxy/dnscrypt-proxy.toml"
+ notify:
+ - restart dnscrypt-proxy
+
+- name: dnscrypt-proxy enabled and started
+ service:
+ name: dnscrypt-proxy
+ state: started
+ enabled: true
+
+- meta: flush_handlers
diff --git a/roles/dns_encryption/tasks/ubuntu.yml b/roles/dns_encryption/tasks/ubuntu.yml
new file mode 100644
index 000000000..7705a7768
--- /dev/null
+++ b/roles/dns_encryption/tasks/ubuntu.yml
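Review bot: `include_tasks: ubuntu.yml` now also fires for `ansible_distribution == 'Debian'`, but ubuntu.yml adds a Launchpad PPA pinned to `codename: artful` and installs from it; nothing in this change establishes that artful builds are usable on Debian, so either restrict this to `'Ubuntu'` until Debian is tested or gate the PPA step on the distribution. The `block`/`rescue` with `debug: var=fail_hint` that wrapped the old dingo and unbound installs was dropped, so failures in this role no longer surface the hint the previous task files printed — presumably unintended. The template task writing dnscrypt-proxy.toml sets no `owner`/`group`/`mode`, unlike the sibling tasks that pin `0600`/`0755`; `mode: "0644"` would make the result independent of the umask on the target.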
@@ -0,0 +1,48 @@
+---
+- name: Add the repository
+ apt_repository:
+ state: present
+ codename: artful
+ repo: ppa:shevchuk/dnscrypt-proxy
+
+- name: Install dnscrypt-proxy
+ apt:
+ name: dnscrypt-proxy
+ state: latest
+ update_cache: true
+
+- block:
+ - name: Ubuntu | Unbound profile for apparmor configured
+ copy:
+ src: apparmor.profile.dnscrypt-proxy
+ dest: /etc/apparmor.d/usr.sbin.dnscrypt-proxy
+ owner: root
+ group: root
+ mode: 0600
+ notify: restart dnscrypt-proxy
+
+ - name: Ubuntu | Enforce the dnscrypt-proxy AppArmor policy
+ command: aa-enforce usr.sbin.dnscrypt-proxy
+ changed_when: false
+ tags: apparmor
+ when: apparmor_enabled|default(false)|bool == true
+
+- name: Ubuntu | Ensure that the dnscrypt-proxy service directory exist
+ file:
+ path: /etc/systemd/system/dnscrypt-proxy.service.d/
+ state: directory
+ mode: 0755
+ owner: root
+ group: root
+
+- name: Ubuntu | Setup the cgroup limitations for dnscrypt-proxy
+ copy:
+ dest: /etc/systemd/system/dnscrypt-proxy.service.d/100-CustomLimitations.conf
+ content: |
+ [Service]
+ MemoryLimit=16777216
+ CPUAccounting=true
+ CPUQuota=5%
+ notify:
+ - daemon-reload
+ - restart dnscrypt-proxy
diff --git a/roles/dns_encryption/tasks/unbound/main.yml b/roles/dns_encryption/tasks/unbound/main.yml
deleted file mode 100644
index 657b9c73c..000000000
--- a/roles/dns_encryption/tasks/unbound/main.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-- block:
- - name: Unbound installed
- package:
- name: unbound
-
- - name: Unbound configured
- template:
- src: unbound.conf.j2
- dest: "{{ config_prefix|default('/') }}etc/unbound/unbound.conf"
- notify:
- - restart unbound
-
- - name: Include tasks for Ubuntu
- include_tasks: ubuntu.yml
- when: '"Ubuntu" in OS.stdout'
-
- - name: Unbound enabled and started
- service:
- name: unbound
- state: started
- enabled: true
- rescue:
- - debug: var=fail_hint
- tags: always
- - fail:
- tags: always
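Review bot: The resolver is now installed from a personal Launchpad PPA (`repo: ppa:shevchuk/dnscrypt-proxy`, `state: latest`), which makes that maintainer's signing key a permanent root-level trust anchor for the VPN host and upgrades the package on every run, while the FreeBSD path uses the upstream release; that trade-off deserves a comment on the task (`# third-party PPA: packages are signed by the PPA owner, not by upstream`) and ideally a version pin matching `dnscrypt_proxy_version`. `codename: artful` is hard-coded, so on any other Ubuntu release apt will pull artful binaries; `{{ ansible_distribution_release }}` is the usual choice if the PPA builds for each release. The task name `Ubuntu | Unbound profile for apparmor configured` is a copy-paste leftover, and the 16 MiB `MemoryLimit` carried over from the unbound drop-in may be tight for a Go daemon running a 512-entry cache with ephemeral keys — worth confirming under load before shipping.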
diff --git a/roles/dns_encryption/tasks/unbound/ubuntu.yml b/roles/dns_encryption/tasks/unbound/ubuntu.yml deleted file mode 100644 index 119d1c40e..000000000 --- a/roles/dns_encryption/tasks/unbound/ubuntu.yml +++ /dev/null @@ -1,45 +0,0 @@ ---- -- block: - - name: Ubuntu | Unbound profile for apparmor configured - copy: - src: usr.sbin.unbound - dest: /etc/apparmor.d/usr.sbin.unbound - owner: root - group: root - mode: 0600 - notify: restart dingo - - - name: Ubuntu | Enforce the dingo AppArmor policy - command: aa-enforce usr.sbin.unbound - changed_when: false - tags: apparmor - when: apparmor_enabled|default(false)|bool == true - -- name: Ubuntu | Ensure that the dnsmasq service directory exist - file: - path: /etc/systemd/system/unbound.service.d/ - state: directory - mode: 0755 - owner: root - group: root - -- name: Ubuntu | Setup the cgroup limitations for Unbound - copy: - dest: /etc/systemd/system/unbound.service.d/100-CustomLimitations.conf - content: | - [Service] - MemoryLimit=16777216 - CPUAccounting=true - CPUQuota=5% - notify: - - daemon-reload - - restart unbound - -- name: Ubuntu | Unbound enabled and started - systemd: - name: unbound - state: started - daemon_reload: true - enabled: true - -- meta: flush_handlers diff --git a/roles/dns_encryption/templates/dingo.service.j2 b/roles/dns_encryption/templates/dingo.service.j2 deleted file mode 100644 index d2a10d6b9..000000000 --- a/roles/dns_encryption/templates/dingo.service.j2 +++ /dev/null @@ -1,20 +0,0 @@ -[Unit] -Description=Dingo DNS-over-HTTPS Daemon -Wants=network-online.target -After=network-online.target - -[Service] -Type=simple -Restart=on-failure -PIDFile=/var/run/dingo.pid -EnvironmentFile=-/etc/default/dingo -ExecStart=/usr/local/bin/dingo $ARGS -MemoryLimit=16777216 -CPUAccounting=true -CPUQuota=5% -User=dingo -Group=dingo -AmbientCapabilities=CAP_NET_BIND_SERVICE - -[Install] -WantedBy=multi-user.target 
diff --git a/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 b/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 new file mode 100644 index 000000000..5afeb2ef6 --- /dev/null +++ b/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 
@@ -0,0 +1,465 @@ + +############################################## +# # +# dnscrypt-proxy configuration # +# # +############################################## + +## This is an example configuration file. +## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml" +## +## Online documentation is available here: https://dnscrypt.info/doc + + + +################################## +# Global settings # +################################## + +## List of servers to use +## +## Servers from the "public-resolvers" source (see down below) can +## be viewed here: https://dnscrypt.info/public-servers +## +## If this line is commented, all registered servers matching the require_* filters +## will be used. +## +## The proxy will automatically pick the fastest, working servers from the list. +## Remove the leading # first to enable this; lines starting with # are ignored. + +server_names = ['{{ dns_encryption_provider }}'{% if ipv6_support|d(false)|bool == true and dns_encryption_provider == "cloudflare" %}, '{{ dns_encryption_provider }}-ipv6' {% endif %} ] + + +## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6. +## Note: When using systemd socket activation, choose an empty set (i.e. [] ). 
+ +listen_addresses = ['{{ local_service_ip }}:{{ listen_port }}'] + + +## Maximum number of simultaneous client connections to accept + +max_clients = 250 + + +## Require servers (from static + remote sources) to satisfy specific properties + +# Use servers reachable over IPv4 +ipv4_servers = true + +# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity +ipv6_servers = {{ ipv6_support|default(false) | bool | lower }} + +# Use servers implementing the DNSCrypt protocol +dnscrypt_servers = true + +# Use servers implementing the DNS-over-HTTPS protocol +doh_servers = true + + +## Require servers defined by remote sources to satisfy specific properties + +# Server must support DNS security extensions (DNSSEC) +require_dnssec = true + +# Server must not log user queries (declarative) +require_nolog = true + +# Server must not enforce its own blacklist (for parental control, ads blocking...) +require_nofilter = true + + + +## Always use TCP to connect to upstream servers + +force_tcp = false + + +## How long a DNS query will wait for a response, in milliseconds + +timeout = 2500 + + +## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds + +keepalive = 30 + + +## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random' + +lb_strategy = 'p2' + + +## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors) + +log_level = 2 + + +## log file for the application + +# log_file = 'dnscrypt-proxy.log' + + +## Use the system logger (syslog on Unix, Event Log on Windows) + +use_syslog = true + + +## Delay, in minutes, after which certificates are reloaded + +cert_refresh_delay = 240 + + +## DNSCrypt: Create a new, unique key for every single DNS query +## This may improve privacy but can also have a significant impact on CPU usage +## Only enable if you don't have a lot of network load + +dnscrypt_ephemeral_keys = true + + +## DoH: Disable TLS session tickets - increases privacy but also latency + 
+tls_disable_session_tickets = true + + +## DoH: Use a specific cipher suite instead of the server preference +## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 +## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 +## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 +## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 +## +## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...), +## the following suite improves performance. +## This may also help on Intel CPUs running 32-bit operating systems. +## +## Keep tls_cipher_suite empty if you have issues fetching sources or +## connecting to some DoH servers. Google and Cloudflare are fine with it. + +tls_cipher_suite = [49195] + + +## Fallback resolver +## This is a normal, non-encrypted DNS resolver, that will be only used +## for one-shot queries when retrieving the initial resolvers list, and +## only if the system DNS configuration doesn't work. +## No user application queries will ever be leaked through this resolver, +## and it will not be used after IP addresses of resolvers URLs have been found. +## It will never be used if lists have already been cached, and if stamps +## don't include host names without IP addresses. +## It will not be used if the configured system DNS works. +## A resolver supporting DNSSEC is recommended. This may become mandatory. +## +## People in China may need to use 114.114.114.114:53 here. +## Other popular options include 8.8.8.8 and 1.1.1.1. + +fallback_resolver = '1.1.1.1:53' + + +## Never try to use the system DNS settings; unconditionally use the +## fallback resolver. 
+ +ignore_system_dns = true + + +## Automatic log files rotation + +# Maximum log files size in MB +log_files_max_size = 10 + +# How long to keep backup files, in days +log_files_max_age = 7 + +# Maximum log files backups to keep (or 0 to keep all backups) +log_files_max_backups = 1 + + + +######################### +# Filters # +######################### + +## Immediately respond to IPv6-related queries with an empty response +## This makes things faster when there is no IPv6 connectivity, but can +## also cause reliability issues with some stub resolvers. In +## particular, enabling this on macOS is not recommended. + +block_ipv6 = false + + + +################################################################################## +# Route queries for specific domains to a dedicated set of servers # +################################################################################## + +## Example map entries (one entry per line): +## example.com 9.9.9.9 +## example.net 9.9.9.9,8.8.8.8,1.1.1.1 + +# forwarding_rules = 'forwarding-rules.txt' + + + +############################### +# Cloaking rules # +############################### + +## Cloaking returns a predefined address for a specific name. +## In addition to acting as a HOSTS file, it can also return the IP address +## of a different name. It will also do CNAME flattening. 
+## +## Example map entries (one entry per line) +## example.com 10.1.1.1 +## www.google.com forcesafesearch.google.com + +# cloaking_rules = 'cloaking-rules.txt' + + + +########################### +# DNS cache # +########################### + +## Enable a DNS cache to reduce latency and outgoing traffic + +cache = true + + +## Cache size + +cache_size = 512 + + +## Minimum TTL for cached entries + +cache_min_ttl = 600 + + +## Maximum TTL for cached entries + +cache_max_ttl = 86400 + + +## TTL for negatively cached entries + +cache_neg_ttl = 60 + + + +############################### +# Query logging # +############################### + +## Log client queries to a file + +[query_log] + + ## Path to the query log file (absolute, or relative to the same directory as the executable file) + + # file = 'query.log' + + + ## Query log format (currently supported: tsv and ltsv) + + format = 'tsv' + + + ## Do not log these query types, to reduce verbosity. Keep empty to log everything. + + # ignored_qtypes = ['DNSKEY', 'NS'] + + + +############################################ +# Suspicious queries logging # +############################################ + +## Log queries for nonexistent zones +## These queries can reveal the presence of malware, broken/obsolete applications, +## and devices signaling their presence to 3rd parties. + +[nx_log] + + ## Path to the query log file (absolute, or relative to the same directory as the executable file) + + # file = 'nx.log' + + + ## Query log format (currently supported: tsv and ltsv) + + format = 'tsv' + + + +###################################################### +# Pattern-based blocking (blacklists) # +###################################################### + +## Blacklists are made of one pattern per line. 
Example of valid patterns: +## +## example.com +## =example.com +## *sex* +## ads.* +## ads*.example.* +## ads*.example[0-9]*.com +## +## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/ +## A script to build blacklists from public feeds can be found in the +## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code. + +[blacklist] + + ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file) + + # blacklist_file = 'blacklist.txt' + + + ## Optional path to a file logging blocked queries + + # log_file = 'blocked.log' + + + ## Optional log format: tsv or ltsv (default: tsv) + + # log_format = 'tsv' + + + +########################################################### +# Pattern-based IP blocking (IP blacklists) # +########################################################### + +## IP blacklists are made of one pattern per line. Example of valid patterns: +## +## 127.* +## fe80:abcd:* +## 192.168.1.4 + +[ip_blacklist] + + ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file) + + # blacklist_file = 'ip-blacklist.txt' + + + ## Optional path to a file logging blocked queries + + # log_file = 'ip-blocked.log' + + + ## Optional log format: tsv or ltsv (default: tsv) + + # log_format = 'tsv' + + + +###################################################### +# Pattern-based whitelisting (blacklists bypass) # +###################################################### + +## Whitelists support the same patterns as blacklists +## If a name matches a whitelist entry, the corresponding session +## will bypass names and IP filters. +## +## Time-based rules are also supported to make some websites only accessible at specific times of the day. 
+ +[whitelist] + + ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the executable file) + + # whitelist_file = 'whitelist.txt' + + + ## Optional path to a file logging whitelisted queries + + # log_file = 'whitelisted.log' + + + ## Optional log format: tsv or ltsv (default: tsv) + + # log_format = 'tsv' + + + +########################################## +# Time access restrictions # +########################################## + +## One or more weekly schedules can be defined here. +## Patterns in the name-based blocklist can optionally be followed with @schedule_name +## to apply the pattern 'schedule_name' only when it matches a time range of that schedule. +## +## For example, the following rule in a blacklist file: +## *.youtube.* @time-to-sleep +## would block access to YouTube only during the days, and period of the days +## define by the 'time-to-sleep' schedule. +## +## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00 +## {after= '9:00', before='18:00'} matches 9:00-18:00 + +[schedules] + + # [schedules.'time-to-sleep'] + # mon = [{after='21:00', before='7:00'}] + # tue = [{after='21:00', before='7:00'}] + # wed = [{after='21:00', before='7:00'}] + # thu = [{after='21:00', before='7:00'}] + # fri = [{after='23:00', before='7:00'}] + # sat = [{after='23:00', before='7:00'}] + # sun = [{after='21:00', before='7:00'}] + + # [schedules.'work'] + # mon = [{after='9:00', before='18:00'}] + # tue = [{after='9:00', before='18:00'}] + # wed = [{after='9:00', before='18:00'}] + # thu = [{after='9:00', before='18:00'}] + # fri = [{after='9:00', before='17:00'}] + + + +######################### +# Servers # +######################### + +## Remote lists of available servers +## Multiple sources can be used simultaneously, but every source +## requires a dedicated cache file. +## +## Refer to the documentation for URLs of public sources. 
+## +## A prefix can be prepended to server names in order to +## avoid collisions if different sources share the same for +## different servers. In that case, names listed in `server_names` +## must include the prefixes. +## +## If the `urls` property is missing, cache files and valid signatures +## must be already present; This doesn't prevent these cache files from +## expiring after `refresh_delay` hours. + +[sources] + + ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers + + [sources.'public-resolvers'] + urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'] + cache_file = 'public-resolvers.md' + minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' + refresh_delay = 72 + prefix = '' + + ## Another example source, with resolvers censoring some websites not appropriate for children + ## This is a subset of the `public-resolvers` list, so enabling both is useless + + # [sources.'parental-control'] + # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md'] + # cache_file = 'parental-control.md' + # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' + + + +## Optional, local, static list of additional servers +## Mostly useful for testing your own servers. + +[static] + + # [static.'google'] + # stamp = 'sdns://AgUAAAAAAAAAAAAOZG5zLmdvb2dsZS5jb20NL2V4cGVyaW1lbnRhbA' diff --git a/roles/dns_encryption/templates/unbound.conf.j2 b/roles/dns_encryption/templates/unbound.conf.j2 deleted file mode 100644 index 5aac7eefd..000000000 --- a/roles/dns_encryption/templates/unbound.conf.j2 +++ /dev/null 
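Review bot: `dnscrypt_ephemeral_keys = true` sits next to the file's own warning "Only enable if you don't have a lot of network load", yet this proxy serves every client of the VPN and ubuntu.yml caps it at `CPUQuota=5%` — a fresh key exchange per query is exactly the work that quota will throttle, so `false` (or a comment justifying the privacy trade-off) seems more appropriate for a shared gateway. `server_names` interpolates `dns_encryption_provider` verbatim into a single-quoted TOML string, so a value containing `'` or a name absent from the public-resolvers source breaks the config or selects nothing; a `{% if %}` guard for the `"*"` default and a comment that the name must match an entry in that source would help. `tls_cipher_suite = [49195]` pins one ECDSA-only suite, which is fine for cloudflare but would presumably fail against a DoH resolver with an RSA certificate the user later picks — the comment above it already says to keep it empty in that case, so consider leaving it empty by default. The `fallback_resolver = '1.1.1.1:53'` / `ignore_system_dns = true` bootstrap sends cleartext DNS for the source hostnames on first start; it is bounded by the minisign check on the list, but a one-line comment stating that would save the next reader the analysis.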
@@ -1,29 +0,0 @@ -server: - access-control: 127.0.0.1/32 allow - access-control: {{ vpn_network }} allow - access-control: {{ vpn_network_ipv6 }} allow - access-control: {{ local_service_ip }}/32 allow - cache-max-ttl: 14400 - cache-min-ttl: 600 - do-tcp: yes - hide-identity: yes - hide-version: yes - interface: {{ local_service_ip }}@{{ listen_port }} - minimal-responses: yes - prefetch: yes - qname-minimisation: yes - rrset-roundrobin: yes - ssl-upstream: yes - use-caps-for-id: yes - verbosity: 1 - -forward-zone: - name: "." -{% for host in dns_encryption_servers['cloudflare']['ipv4'] %} - forward-addr: {{ host }} -{% endfor %} -{% if ipv6_support|d("") == "yes" %} -{% for host in dns_encryption_servers['cloudflare']['ipv6'] %} - forward-addr: {{ host }} -{% endfor %} -{% endif %}