From c4879a21f7f6fbd9642dea0ca525ced079ca568a Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Fri, 10 Jan 2025 12:10:20 +0100
Subject: [PATCH] Trim unneeded entries

These servers never supported the DNSCrypt v2 protocol, and have been a pain to maintain compatibility with. But the main issue is that in some countries, they are now lying resolvers, *except* for the certificate. That makes it difficult to reliably detect that they are lying resolvers. From a user perspective in these countries, it appears that DNS queries randomly fail, when they are hitting these servers. I tried to think of different ways to detect this, but couldn't find anything satisfactory. Maybe if they properly implement the DNSCrypt protocol some day, they will take it as an opportunity to also fix that bug, and return consistent error codes, even for the certificates.
---
 dnscrypt-proxy/config.go | 1 -
 dnscrypt-proxy/example-dnscrypt-proxy.toml | 6 +-----
 2 files changed, 1 insertion(+), 6 deletions(-)

diff --git a/dnscrypt-proxy/config.go b/dnscrypt-proxy/config.go
index 8e8ae8db..d382c40a 100644
--- a/dnscrypt-proxy/config.go
+++ b/dnscrypt-proxy/config.go
@@ -154,7 +154,6 @@ func newConfig() Config {
 BlockedQueryResponse: "hinfo",
 BrokenImplementations: BrokenImplementationsConfig{
 FragmentsBlocked: []string{
-"cisco", "cisco-ipv6", "cisco-familyshield", "cisco-familyshield-ipv6",
 "cleanbrowsing-adult", "cleanbrowsing-adult-ipv6", "cleanbrowsing-family", "cleanbrowsing-family-ipv6",
 "cleanbrowsing-security", "cleanbrowsing-security-ipv6",
 },
 },
diff --git a/dnscrypt-proxy/example-dnscrypt-proxy.toml b/dnscrypt-proxy/example-dnscrypt-proxy.toml
index d0cb6b9f..e7374c89 100644
--- a/dnscrypt-proxy/example-dnscrypt-proxy.toml
+++ b/dnscrypt-proxy/example-dnscrypt-proxy.toml
@@ -774,10 +774,6 @@ format = 'tsv'
 [broken_implementations]
-## Cisco servers currently cannot handle queries larger than 1472 bytes, and don't
-## truncate responses larger than questions as expected by the DNSCrypt protocol.
-## This prevents large responses from being received over UDP and over relays.
-##
 ## Older versions of the `dnsdist` server software had a bug with queries larger
 ## than 1500 bytes. This is fixed since `dnsdist` version 1.5.0, but
 ## some server may still run an outdated version.
@@ -785,7 +781,7 @@ format = 'tsv'
 ## The list below enables workarounds to make non-relayed usage more reliable
 ## until the servers are fixed.
-fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'cisco-sandbox', 'cleanbrowsing-adult', 'cleanbrowsing-adult-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-security', 'cleanbrowsing-security-ipv6']
+fragments_blocked = ['cleanbrowsing-adult', 'cleanbrowsing-adult-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-security', 'cleanbrowsing-security-ipv6']
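Review bot: Nothing in the remaining `[broken_implementations]` text tells a reader that the `cisco*` names were dropped on purpose, so a user who copied the previous example and still lists `cisco` in `fragments_blocked` or in `server_names` gets no cue to remove it, even though the commit message gives a stronger reason than the fragmentation bug: these servers do not implement DNSCrypt v2 and, in some countries, return forged answers while still presenting a valid certificate, which the proxy cannot distinguish from a healthy resolver. Dropping the fragmentation workaround does not by itself stop queries from reaching those servers; whether they are also gone from the resolver source lists is not visible in this patch. I would add, after `## until the servers are fixed.`, a comment such as `## The cisco/opendns entries were removed: those servers do not implement DNSCrypt v2 and in some regions return forged answers while still serving a valid certificate, so remove them from server_names as well.` How the proxy treats a `fragments_blocked` name that matches no configured server is not shown here; if such an entry is silently ignored, that is worth one more sentence in the same comment.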