dnscrypt-proxy 2.0.9b1 - Testers needed

[jedisct1]

A beta version is available with quite a few changes:

• Whitelists have been implemented: one a name matches a pattern in the whitelist, rules from the name-based and IP-based blacklists will be bypassed. Whitelists support the same patterns as blacklists, as well as time-based rules, so that some website can be normally blocked, but accessible on specific days or times of the day.
• Lists are now faster to load, and large lists require significantly less memory than before.
• New options have been added to disable TLS session tickets as well as use a specific cipher suite. See the example configuration file for a recommended configuration to speed up DoH servers on ARM such as Android devices and Raspberry Pi.
• The -service install command now remembers what the current directory was when the service was installed, in order to later load configuration files with relative paths.
• DoH: The "Cache-Control: max-age" header is now ignored.

This required quite a lot of internal changes. The blacklist code, in particular, has gone through many changes.

Since this is the most complicated code and also an important thing, testing is required before a new version can be released.

So, download 2.0.9b1 if you can, and try to find things that used to work okay in 2.0.8 and suddenly don't work any more.

Especially related to logging, blacklisting, time-based rules, DoH.

[Biggizen]

Thank you for implementing a whitelist!

I've tried the new version, but the service doesn't start. Its installed and present in the services list, but when I try to start it, it immediately terminates itself again with the error "1067".

[jedisct1]

@Biggizen Can you try to start it from the command-line, not as a service? Just by typing ./dnscrypt-proxy.exe?

[D1n0Bot]

Linux-arm working good.. no significant different in cpu processing with the cipher suite changes. I decided to use the better cipher for now.

No much delay in loading page or refreshing then after 15 Sec. TTL to Google DOH is 6ms.

No test whitelist as not using.

Memory usage seems slightly lower at around 11mb compared to 13mb in 2.0.8. Will do further stress test to confirm.

[CNMan]

win64 2.0.9b1

Microsoft Windows [版本 10.0.17623.1002]
(c) 2017 Microsoft Corporation。保留所有权利。

c:\ProgramFiles\DNSCrypt-Proxy>dnscrypt-proxy
panic: assignment to entry in nil map

goroutine 1 [running]:
main.(*PatternMatcher).Add(0xc0420a4410, 0xc04217602d, 0x8, 0x7676c0, 0x0, 0x6, 0x1, 0x0, 0x0)
        /home/travis/gopath/src/github.com/jedisct1/dnscrypt-proxy/dnscrypt-proxy/pattern_matcher.go:93 +0x47a
main.(*PluginBlockName).Init(0xc042156960, 0xc042140018, 0x0, 0x0)
        /home/travis/gopath/src/github.com/jedisct1/dnscrypt-proxy/dnscrypt-proxy/plugin_block_name.go:63 +0x3a8
main.InitPluginsGlobals(0xc042140268, 0xc042140018, 0x7f3b60, 0xc0420a3d28)
        /home/travis/gopath/src/github.com/jedisct1/dnscrypt-proxy/dnscrypt-proxy/plugins.go:79 +0x250
main.(*App).Start(0xc042140000, 0x823440, 0xc0420a3d10, 0x753560, 0xc042153570)
        /home/travis/gopath/src/github.com/jedisct1/dnscrypt-proxy/dnscrypt-proxy/main.go:83 +0x4f
github.com/jedisct1/dnscrypt-proxy/vendor/github.com/kardianos/service.(*windowsService).Run(0xc0420a3d10, 0x11, 0xc042087c98)
        /home/travis/gopath/src/github.com/jedisct1/dnscrypt-proxy/vendor/github.com/kardianos/service/service_windows.go:264 +0x74
main.main()
        /home/travis/gopath/src/github.com/jedisct1/dnscrypt-proxy/dnscrypt-proxy/main.go:73 +0x581

c:\ProgramFiles\DNSCrypt-Proxy>

[jedisct1]

@CNMan fixed, thanks!

[starcms]

No issues on my arm router (Linksys WRT1200AC) running openwrt/lede using blacklist generated by Adblock package

[jedisct1]

@starcms Great! If you are use cloudflare or doh-crypto-sx, did you try changing tls_cipher_suite?

[Biggizen]

@jedisct1 Executing the dnscrypt-proxy.exe doesn't start the service, no.

BTW: I'm on Win 10 x64.

[ajp2k13]

I'm running it now on my Pi 3B+ using Cloudflare and the cipher option, looks good so far.

[eroglyph]

I can confirm that using the new TLS cipher works great on my Pi. Thanks!

[jedisct1]

@Biggizen What exactly did you do? What did you see?

[VindicatorDS]

I'm using it on an WRT3200ACM with dual instances of dnscrypt-proxy (one (primary) with google and cloudflare and another (secundary) with just google). With the parameter tls_cipher_suite unset, I can connect to both google and cloudflare on the primary. With tls_cipher_suite = [52392, 49199], I can't connect to cloudflare. I'll try to collect more logs and test several suites.

Edit: Regardless of this cloudflare issue, all the rest seems OK.

tls_cipher_suite unset:

authpriv.notice sudo:     root : TTY=pts/0 ; PWD=/etc/hive/conf/dnscrypt-proxy ; USER=nobody ; COMMAND=/usr/sbin/dnscrypt-proxy-secundary -config /var/tmp/dnscrypt-proxy/secundary/dnscrypt-proxy.toml -syslog
daemon.notice dnscrypt-proxy[6617]: Source [/var/tmp/dnscrypt-proxy/secundary/public-resolvers.md] loaded
daemon.notice dnscrypt-proxy[6617]: dnscrypt-proxy 2.0.9b1
daemon.notice dnscrypt-proxy[6617]: Now listening to 127.0.0.1:5054 [UDP]
daemon.notice dnscrypt-proxy[6617]: Now listening to 127.0.0.1:5054 [TCP]
daemon.notice dnscrypt-proxy[6617]: Now listening to [::1]:5054 [UDP]
daemon.notice dnscrypt-proxy[6617]: Now listening to [::1]:5054 [TCP]
daemon.notice dnscrypt-proxy[6617]: [google] OK (DoH) - rtt: 38ms
daemon.notice dnscrypt-proxy[6617]: Server with the lowest initial latency: google (rtt: 38ms)
daemon.notice dnscrypt-proxy[6617]: dnscrypt-proxy is ready - live servers: 1
user.notice DNSoHTTPS-Dual: Starting primary...
user.notice DNSoHTTPS-Dual: enabling forwarding between daemons...
authpriv.notice sudo:     root : TTY=pts/0 ; PWD=/etc/hive/conf/dnscrypt-proxy ; USER=nobody ; COMMAND=/usr/sbin/dnscrypt-proxy -config /var/tmp/dnscrypt-proxy/primary/dnscrypt-proxy.toml -syslog
daemon.notice dnscrypt-proxy[6637]: Source [/var/tmp/dnscrypt-proxy/primary/public-resolvers.md] loaded
daemon.notice dnscrypt-proxy[6637]: dnscrypt-proxy 2.0.9b1
daemon.notice dnscrypt-proxy[6637]: Loading the set of forwarding rules from [forwarding-rules.txt]
daemon.notice dnscrypt-proxy[6637]: Now listening to 127.0.0.1:5053 [UDP]
daemon.notice dnscrypt-proxy[6637]: Now listening to 127.0.0.1:5053 [TCP]
daemon.notice dnscrypt-proxy[6637]: Now listening to [::1]:5053 [UDP]
daemon.notice dnscrypt-proxy[6637]: Now listening to [::1]:5053 [TCP]
daemon.notice dnscrypt-proxy[6637]: [cloudflare] OK (DoH) - rtt: 12ms
daemon.notice dnscrypt-proxy[6637]: [google] OK (DoH) - rtt: 40ms
daemon.notice dnscrypt-proxy[6637]: Server with the lowest initial latency: cloudflare (rtt: 12ms)
daemon.notice dnscrypt-proxy[6637]: dnscrypt-proxy is ready - live servers: 2
user.notice DNSoHTTPS-Dual: dnscrypt-proxy started successfully. Configuring dnsmasq...
daemon.info dnsmasq[6586]: exiting on receipt of SIGTERM
user.notice dnsmasq: DNS rebinding protection is active, will discard upstream RFC1918 responses!
user.notice dnsmasq: Allowing 127.0.0.0/8 responses
daemon.info dnsmasq[6763]: started, version 2.79 cachesize 1500
daemon.info dnsmasq[6763]: DNS service limited to local subnets
daemon.info dnsmasq[6763]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify
daemon.info dnsmasq[6763]: DNSSEC validation enabled
daemon.warn dnsmasq[6763]: warning: ignoring resolv-file flag because no-resolv is set
daemon.info dnsmasq[6763]: using nameserver 127.0.0.1#5053

tls_cipher_suite = [52392, 49199]

user.notice DNSoHTTPS-Dual: Starting secundary...
authpriv.notice sudo:     root : TTY=pts/0 ; PWD=/etc/hive/conf/dnscrypt-proxy ; USER=nobody ; COMMAND=/usr/sbin/dnscrypt-proxy-secundary -config /var/tmp/dnscrypt-proxy/secundary/dnscrypt-proxy.toml -syslog
daemon.notice dnscrypt-proxy[7246]: Source [/var/tmp/dnscrypt-proxy/secundary/public-resolvers.md] loaded
daemon.notice dnscrypt-proxy[7246]: dnscrypt-proxy 2.0.9b1
daemon.notice dnscrypt-proxy[7246]: Now listening to 127.0.0.1:5054 [UDP]
daemon.notice dnscrypt-proxy[7246]: Now listening to 127.0.0.1:5054 [TCP]
daemon.notice dnscrypt-proxy[7246]: Now listening to [::1]:5054 [UDP]
daemon.notice dnscrypt-proxy[7246]: Now listening to [::1]:5054 [TCP]
2018 daemon.notice dnscrypt-proxy[7246]: [google] OK (DoH) - rtt: 40ms
2018 daemon.notice dnscrypt-proxy[7246]: Server with the lowest initial latency: google (rtt: 40ms)
2018 daemon.notice dnscrypt-proxy[7246]: dnscrypt-proxy is ready - live servers: 1
user.notice DNSoHTTPS-Dual: Starting primary...
user.notice DNSoHTTPS-Dual: enabling forwarding between daemons...
authpriv.notice sudo:     root : TTY=pts/0 ; PWD=/etc/hive/conf/dnscrypt-proxy ; USER=nobody ; COMMAND=/usr/sbin/dnscrypt-proxy -config /var/tmp/dnscrypt-proxy/primary/dnscrypt-proxy.toml -syslog
daemon.notice dnscrypt-proxy[7267]: Source [/var/tmp/dnscrypt-proxy/primary/public-resolvers.md] loaded
daemon.notice dnscrypt-proxy[7267]: dnscrypt-proxy 2.0.9b1
daemon.notice dnscrypt-proxy[7267]: Loading the set of forwarding rules from [forwarding-rules.txt]
daemon.notice dnscrypt-proxy[7267]: Now listening to 127.0.0.1:5053 [UDP]
daemon.notice dnscrypt-proxy[7267]: Now listening to 127.0.0.1:5053 [TCP]
daemon.notice dnscrypt-proxy[7267]: Now listening to [::1]:5053 [UDP]
daemon.notice dnscrypt-proxy[7267]: Now listening to [::1]:5053 [TCP]
daemon.notice dnscrypt-proxy[7267]: [google] OK (DoH) - rtt: 39ms
daemon.notice dnscrypt-proxy[7267]: Server with the lowest initial latency: google (rtt: 39ms)
daemon.notice dnscrypt-proxy[7267]: dnscrypt-proxy is ready - live servers: 1
user.notice DNSoHTTPS-Dual: dnscrypt-proxy started successfully. Configuring dnsmasq...
daemon.info dnsmasq[7219]: exiting on receipt of SIGTERM
user.notice dnsmasq: DNS rebinding protection is active, will discard upstream RFC1918 responses!
user.notice dnsmasq: Allowing 127.0.0.0/8 responses
daemon.info dnsmasq[7393]: started, version 2.79 cachesize 1500
daemon.info dnsmasq[7393]: DNS service limited to local subnets
daemon.info dnsmasq[7393]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify
daemon.info dnsmasq[7393]: DNSSEC validation enabled
daemon.warn dnsmasq[7393]: warning: ignoring resolv-file flag because no-resolv is set

[jedisct1]

There are no mentions of Cloudflare here, only Google.

[jedisct1]

Oh my bad there is. Sorry, couldn't spot it in these noisy logs.

Make sure that your public-resolvers.md file is up to date. The best way is just to delete it along with the signature, and restart the server.

[VindicatorDS]

Sorry. You're right, It's my fault. Was using an old public-resolvers.md file.

All the rest seems OK. Thanks

[Biggizen]

What exactly did you do? What did you see?

1. I delete all old files in the program folder and extract the new zip-file into it, whithout modifying any file, so that there is a vanilla-2.0.9b1.

2. I run the service-install.bat (tried it with and without running the service-uninstall.bat before). Output:

Es sind keine Einträge in der Liste. [german for: There are no entries in the list.]

N:\Programme\Netz\DNSCrypt-Proxy>.\dnscrypt-proxy.exe -service install

N:\Programme\Netz\DNSCrypt-Proxy>.\dnscrypt-proxy.exe -service start
""
Thank you for using dnscrypt-proxy! Hit [RETURN] to finish

The service now is in the service list, but it doesn't start. When I try a manual start in the service list, Windows shows the following error message:

Fehler 1067: Der Prozess wurde unerwartet beendet. [german for: Error 1067: The process got terminated unexpectedly.]

When I try to start the service by executing the dnscrypt-proxy.exe - like you suggested - nothing happens.

[CNMan]

@Biggizen you need just rename example-dnscrypt-proxy.toml to dnscrypt-proxy.toml

[ginkel]

Excellent! On my Raspi3 DNS lookups through Cloudflare DoH are down to < 100 ms (max; typical: < 25 ms) from 300 ms when using the ChaCha20 ciphersuites with dnscrypt-proxy compiled for GOARM=7.

Thanks a lot!

[jedisct1]

Thread closed because a new beta was just released, with more exciting new features :)

[Biggizen]

@CNMan I had this done already, but thank you, though. My post was mistakable, because I said, that I didn't modify any file. Renaming the *.toml was indeed one - and the only one - little modification ;)

btw: beta2 works