Merge branch 'master' of github.com:jedisct1/rust-doh

* 'master' of github.com:jedisct1/rust-doh: Bump, just for the import fix It's just proxy_cache Add some documentation Update deps cmd argument validation and remote hostname support
2025-04-03 04:57:37 +03:00 · 2019-08-12 16:08:45 +02:00 · 2019-08-12 16:08:45 +02:00 · c65ce1210d
commit c65ce1210d
parent 10a99040e1 46cdc9168d
4 changed files with 71 additions and 9 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "doh-proxy"
-version = "0.1.18"
+version = "0.1.19"
 authors = ["Frank Denis <github@pureftpd.org>"]
 description = "A DNS-over-HTTPS (DoH) proxy"
 keywords = ["dns","https","doh","proxy"]
@ -16,12 +16,12 @@ tls = ["native-tls", "tokio-tls"]

 [dependencies]
 base64 = "0.10"
-clap = "2"
-futures = "0.1.27"
-hyper = "0.12.30"
+clap = "2.33.0"
+futures = "0.1.28"
+hyper = "0.12.33"
 jemallocator = "0"
 native-tls = { version = "0.2.3", optional = true }
-tokio = "0.1.21"
+tokio = "0.1.22"
 tokio-current-thread = "0.1.6"
 tokio-timer = "0.2.11"
 tokio-tls = { version = "0.2.1", optional = true }
--- a/README.md
+++ b/README.md
@ -70,6 +70,30 @@ In order to enable built-in HTTPS support, add the `--tls-cert-path` option to s

 Once HTTPS is enabled, HTTP connections will not be accepted.

+## Operational recommendations
+
+* DoH can easily be detected and blocked using SNI inspection. As a mitigation, DoH endpoints should preferably share the same virtual host as existing, popular websites, rather than being on dedicated virtual hosts.
+* When using DoH, DNS stamps should include a resolver IP address in order to remove a dependency on non-encrypted, non-authenticated, easy-to-block resolvers.
+* Unlike DNSCrypt where users must explicitly trust a DNS server public key, the security of DoH relies on traditional public Certificate Authorities. Additional root certificates (required by governments, security software, enterprise gateways) installed on a client immediately make DoH vulnerable to MITM. In order to prevent this, DNS stamps should include the hash of the parent certificate.
+* TLS certificates are tied to host names. But domains expire, get reassigned and switch hands all the time. If a domain originally used for a DoH service gets a new, possibly malicious owner, clients still configured to use the service will blindly keep trusting it if the CA is the same. As a mitigation, the CA should sign an intermediate certificate (the only one present in the stamp), itself used to sign the name used by the DoH server. While commercial CAs offer this, Let's Encrypt currently doesn't.
+* Make sure that the front-end supports HTTP/2 and TLS 1.3.
+
+## Example usage with Nginx
+
+In an existing `server`, a `/doh` endpoint can be exposed that way:
+
+```text
+location /doh {
+  proxy_pass http://127.0.0.1:3000;
+}
+```
+
+This example assumes that the DoH proxy is listening locally to port `3000`.
+
+HTTP caching can be added (see the `proxy_cache_path` and `proxy_cache` directives in the Nginx documentation), but be aware that a DoH server will quickly create a gigantic amount of files.
+
+Use the online [DNS stamp calculator](https://dnscrypt.info/stamps/) to compute the stamp for your server, and the `dnscrypt-proxy -show-certs` command to print the TLS certificate signatures to be added it.
+
 ## Clients

 `doh-proxy` can be used with [dnscrypt-proxy](https://github.com/jedisct1/dnscrypt-proxy)
@ -77,4 +101,4 @@ as a client.

 `doh-proxy` is currently being used by the `doh.crypto.sx` public DNS resolver.

-Other public DoH servers can be found here: [public encrypted DNS servers](https://dnscrypt.info/public-servers).
+An extensive list of public DoH servers can be found here: [public encrypted DNS servers](https://dnscrypt.info/public-servers).
--- a/src/main.rs
+++ b/src/main.rs
@ -17,6 +17,7 @@ use hyper::server::conn::Http;
 use hyper::service::Service;
 use hyper::{Body, Method, Request, Response, StatusCode};
 use std::io;
+use std::net::{SocketAddr, ToSocketAddrs};

 #[cfg(feature = "tls")]
 use native_tls::{self, Identity};
@ -25,8 +26,7 @@ use native_tls::{self, Identity};
 use std::fs::File;

 #[cfg(feature = "tls")]
-use std::io::{self, Read};
-use std::net::SocketAddr;
+use std::io::Read;

 #[cfg(feature = "tls")]
 use std::path::{Path, PathBuf};
@ -487,6 +487,8 @@ fn main() {
 }

 fn parse_opts(inner_doh: &mut InnerDoH) {
+    use crate::utils::{verify_remote_server, verify_sock_addr};
+
    let max_clients = MAX_CLIENTS.to_string();
    let timeout_sec = TIMEOUT_SEC.to_string();
    let min_ttl = MIN_TTL.to_string();
@ -501,6 +503,7 @@ fn parse_opts(inner_doh: &mut InnerDoH) {
                .long("listen-address")
                .takes_value(true)
                .default_value(LISTEN_ADDRESS)
+                .validator(verify_sock_addr)
                .help("Address to listen to"),
        )
        .arg(
@ -509,6 +512,7 @@ fn parse_opts(inner_doh: &mut InnerDoH) {
                .long("server-address")
                .takes_value(true)
                .default_value(SERVER_ADDRESS)
+                .validator(verify_remote_server)
                .help("Address to connect to"),
        )
        .arg(
@ -517,6 +521,7 @@ fn parse_opts(inner_doh: &mut InnerDoH) {
                .long("local-bind-address")
                .takes_value(true)
                .default_value(LOCAL_BIND_ADDRESS)
+                .validator(verify_sock_addr)
                .help("Address to connect from"),
        )
        .arg(
@ -599,7 +604,14 @@ fn parse_opts(inner_doh: &mut InnerDoH) {

    let matches = options.get_matches();
    inner_doh.listen_address = matches.value_of("listen_address").unwrap().parse().unwrap();
-    inner_doh.server_address = matches.value_of("server_address").unwrap().parse().unwrap();
+
+    inner_doh.server_address = matches
+        .value_of("server_address")
+        .unwrap()
+        .to_socket_addrs()
+        .unwrap()
+        .next()
+        .unwrap();
    inner_doh.local_bind_address = matches
        .value_of("local_bind_address")
        .unwrap()
--- a/src/utils.rs
+++ b/src/utils.rs
@ -1,5 +1,31 @@
+use std::net::{SocketAddr, ToSocketAddrs};
+
 pub(crate) fn padding_string(input_size: usize, block_size: usize) -> String {
    let block_size_ = block_size - 1;
    let padding_len = block_size_ - ((input_size + block_size_) & block_size_);
    String::from_utf8(vec![b'X'; padding_len]).unwrap()
 }
+
+// functions to verify the startup arguments as correct
+pub(crate) fn verify_sock_addr(arg_val: String) -> Result<(), String> {
+    match arg_val.parse::<SocketAddr>() {
+        Ok(_addr) => Ok(()),
+        Err(_) => Err(format!(
+            "Could not parse \"{}\" as a valid socket address (with port).",
+            arg_val
+        )),
+    }
+}
+
+pub(crate) fn verify_remote_server(arg_val: String) -> Result<(), String> {
+    match arg_val.to_socket_addrs() {
+        Ok(mut addr_iter) => match addr_iter.next() {
+            Some(_) => Ok(()),
+            None => Err(format!(
+                "Could not parse \"{}\" as a valid remote uri",
+                arg_val
+            )),
+        },
+        Err(err) => Err(format!("{}", err)),
+    }
+}