Update binary and add exception in iptables for fallback resolver.

2018-09-10 00:57:24 +07:00 · 2018-09-10 00:57:24 +07:00 · 16174e9c58
parent a0a7b90f53
commit 16174e9c58
6 changed files with 33 additions and 6 deletions
--- a/binary/dnscrypt-proxy-arm
+++ b/binary/dnscrypt-proxy-arm
--- a/binary/dnscrypt-proxy-arm64
+++ b/binary/dnscrypt-proxy-arm64
--- a/binary/dnscrypt-proxy-x86
+++ b/binary/dnscrypt-proxy-x86
--- a/binary/dnscrypt-proxy-x86_64
+++ b/binary/dnscrypt-proxy-x86_64
--- a/common/service.sh
+++ b/common/service.sh
@ -12,10 +12,10 @@ for i in 1 2 3 4 5 6 7 8 9 10 11 12; do
 	then
 		$MODDIR/system/xbin/dnscrypt-proxy -config $MODDIR/system/etc/dnscrypt-proxy/dnscrypt-proxy.toml &
 		sleep 15
-		iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:5354
-		iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:5354
-		ip6tables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination [::1]:5354
-		ip6tables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination [::1]:5354
+		iptables -t nat -A OUTPUT -p tcp ! -d 1.1.1.1 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
+		iptables -t nat -A OUTPUT -p udp ! -d 1.1.1.1 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
+		ip6tables -t nat -A OUTPUT -p tcp ! -d 1.1.1.1 --dport 53 -j DNAT --to-destination [::1]:5354
+		ip6tables -t nat -A OUTPUT -p udp ! -d 1.1.1.1 --dport 53 -j DNAT --to-destination [::1]:5354
 		break;
 	else
 		sleep 5
--- a/config/example-dnscrypt-proxy.toml
+++ b/config/example-dnscrypt-proxy.toml
@ -27,7 +27,7 @@
 ## The proxy will automatically pick the fastest, working servers from the list.
 ## Remove the leading # first to enable this; lines starting with # are ignored.

-# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
+# server_names = ['cloudflare', 'google']


 ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
@ -41,6 +41,18 @@ listen_addresses = ['127.0.0.1:53', '[::1]:53']
 max_clients = 250


+## Switch to a non-privileged system user after listening sockets have been created.
+## Two processes will be running.
+## The first one will keep root privileges, but is only a supervisor, that does nothing
+## except create the sockets, manage the service, and restart it if it crashes.
+## The second process is the service itself, and that one will always run as a different
+## user.
+## Note (1): this feature is currently unsupported on Windows.
+## Note (2): this feature is not compatible with systemd socket activation.
+
+# user_name = 'nobody'
+
+
 ## Require servers (from static + remote sources) to satisfy specific properties

 # Use servers reachable over IPv4
@ -77,6 +89,14 @@ require_nofilter = true
 force_tcp = false


+## HTTP / SOCKS proxy
+## Uncomment the following line to route all TCP connections to a local Tor node
+## Tor doesn't support UDP, so set `force_tcp` to `true` as well.
+
+# proxy = "socks5://127.0.0.1:9050"
+
+
+
 ## How long a DNS query will wait for a response, in milliseconds

 timeout = 2500
@ -154,7 +174,7 @@ cert_refresh_delay = 240
 ## People in China may need to use 114.114.114.114:53 here.
 ## Other popular options include 8.8.8.8 and 1.1.1.1.

-fallback_resolver = '9.9.9.9:53'
+fallback_resolver = '1.1.1.1:53'


 ## Never let dnscrypt-proxy try to use the system DNS settings;
@ -172,6 +192,13 @@ ignore_system_dns = false
 netprobe_timeout = 30


+## Offline mode - Do not use any remote encrypted servers.
+## The proxy will remain fully functional to respond to queries that
+## plugins can handle directly (forwarding, cloaking, ...)
+
+# offline_mode = false
+
+
 ## Automatic log files rotation

 # Maximum log files size in MB