Enclosed is a diff for bringing net/dnscrypt-proxy to 2.0.17. IMHO this is not a regular update as it is more like a new tool (that does the same + introduces new features) with the same name. For example, upstream has left C and switched to golang.
The update itself is interesting as it combines DNS traffic encryption and authentication, caching, filtering, et cetera. The full feature list can be found at https://github.com/jedisct1/dnscrypt-proxy

I contacted MAINTAINER, who responded with "The diff looks good to me, and it’s great that the new version makes the port much simpler." His feedback has been addressed in the diff.

By default, the daemon listens on 127.0.0.1:53 and switches to a different system user after the listening sockets have been created. /var/dnscrypt-proxy is used to store the DNS server list, which is retrieved automatically by dnscrypt-proxy. I had to employ @conflict and @pkgpath markers in PLIST to enable upgrading from the previous version.

Tested on amd64.

Adding a note to current.html is probably a good thing as the configuration has changed significantly.

I'm not sure if it is wise to update this port at this point in time. Maybe after the freeze? Other opinions? Comments?

diff --git Makefile Makefile index 8d55b9c6e98..717d573c30c 100644 --- Makefile +++ Makefile
@@ -1,76 +1,44 @@ -# $OpenBSD: Makefile,v 1.36 2018/09/04 12:46:16 espie Exp $ +# $OpenBSD$ -COMMENT-main= secure communications between a DNS client and resolver -COMMENT-plugins= example plugins for dnscrypt-proxy +COMMENT = flexible DNS proxy, with support for encrypted DNS protocols -# upstream has moved on to 2.x and old distfiles are no longer available; -# using mirrored files for now but port needs updating to the golang-based -# 2.0 version. -V= 1.9.5 -REVISION= 3 -DISTNAME= dnscrypt-proxy-${V} -PKGNAME-main= dnscrypt-proxy-${V} -PKGNAME-plugins= dnscrypt-proxy-plugins-${V} -REVISION-main= 4 +GH_ACCOUNT = jedisct1 +GH_PROJECT = dnscrypt-proxy +GH_TAGNAME = 2.0.17 -R= 20171030 -DISTFILES= ${DISTNAME}${EXTRACT_SUFX} \ - dnscrypt-resolvers.$R.csv -EXTRACT_ONLY= ${DISTNAME}${EXTRACT_SUFX} +CATEGORIES = net -CATEGORIES= net +HOMEPAGE = https://dnscrypt.info/ -MASTER_SITES= https://spacehopper.org/mirrors/ +MAINTAINER = Frank Denis <dnscr...@pureftpd.org> -HOMEPAGE= https://dnscrypt.info/ +# ISC +PERMIT_PACKAGE_CDROM = Yes -MAINTAINER= Frank Denis <dnscr...@pureftpd.org> +WANTLIB = c pthread -# BSD -PERMIT_PACKAGE_CDROM= Yes +MODULES = lang/go +MODGO_TYPE = bin +MODGO_ENV = PATH="${PORTPATH}" HOME="${PORTHOME}" -MULTI_PACKAGES= -main -plugins +FILES = example-blacklist.txt \ + example-cloaking-rules.txt \ + example-dnscrypt-proxy.toml \ + example-forwarding-rules.txt \ + example-whitelist.txt -commonWANTLIB= execinfo kvm m sodium pthread +post-patch: + ${SUBST_CMD} ${WRKDIST}/dnscrypt-proxy/example-dnscrypt-proxy.toml -WANTLIB-main= ${commonWANTLIB} c ltdl -WANTLIB-plugins= ${commonWANTLIB} crypto ldns +do-build: + cd ${WRKSRC}/dnscrypt-proxy && ${MODGO_CMD} build -commonLIB_DEPENDS= devel/libexecinfo \ - security/libsodium - -LIB_DEPENDS-main= ${commonLIB_DEPENDS} \ - devel/libtool,-ltdl -LIB_DEPENDS-plugins= ${commonLIB_DEPENDS} \ - net/ldns/libldns - -CONFIGURE_STYLE= gnu -CONFIGURE_ENV+= CPPFLAGS=-I${LOCALBASE}/include \ - LDFLAGS=-L${LOCALBASE}/lib \ - 
ac_cv_header_uuid_uuid_h=no - -CONFIGURE_ARGS+= --enable-plugins \ - --enable-plugins-root \ - --enable-pie=no -# Don't force PIE, it's broken on at least arm. OpenBSD enables it -# by default on arch where it works anyway. - -# for tests -USE_GMAKE= yes - -DOCS= README-PLUGINS.markdown \ - README.markdown \ - DNSCRYPT-V2-PROTOCOL.txt - -# there is also a config file in newer versions; it can be specified on -# the command-line, but it's incompatible with specifying other options there, -# so we can't force daemonizing, causing issues for the rc script. - -post-install: - ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/dnscrypt-proxy - cd ${WRKSRC}; ${INSTALL_DATA} ${DOCS} ${PREFIX}/share/doc/dnscrypt-proxy - ${INSTALL_DATA} ${FULLDISTDIR}/dnscrypt-resolvers.$R.csv \ - ${PREFIX}/share/dnscrypt-proxy/dnscrypt-resolvers.csv - rm -f ${PREFIX}/lib/dnscrypt-proxy/*.la +do-install: + ${INSTALL_PROGRAM} ${WRKSRC}/dnscrypt-proxy/dnscrypt-proxy ${PREFIX}/bin/ + ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/dnscrypt-proxy +.for file in ${FILES} + ${INSTALL_DATA} ${WRKSRC}/dnscrypt-proxy/${file} \ + ${PREFIX}/share/examples/dnscrypt-proxy +.endfor .include <bsd.port.mk> diff --git distinfo distinfo index 447b59244a9..3812907d989 100644 --- distinfo +++ distinfo @@ -1,4 +1,2 @@ -SHA256 (dnscrypt-proxy-1.9.5.tar.gz) = ZAIfq7fVurC69oF5bZDs0glfuBOB5vsxelMgOQJak5k= -SHA256 (dnscrypt-resolvers.20171030.csv) = n0tq1qaeNeafRJYAShytOEAWJwQMm+JJNXbWlmzsL9w= -SIZE (dnscrypt-proxy-1.9.5.tar.gz) = 1663954 -SIZE (dnscrypt-resolvers.20171030.csv) = 27283 +SHA256 (dnscrypt-proxy-2.0.17.tar.gz) = fE/8x7iwdHRiLnKPHAGbeb0tNb4HTL7dz6Sc2DxxebA= +SIZE (dnscrypt-proxy-2.0.17.tar.gz) = 3364933 diff --git patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml new file mode 100644 index 00000000000..dd9b4e1b22b --- /dev/null +++ patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml 
@@ -0,0 +1,32 @@ +$OpenBSD$ + +Index: dnscrypt-proxy/example-dnscrypt-proxy.toml +--- dnscrypt-proxy/example-dnscrypt-proxy.toml.orig ++++ dnscrypt-proxy/example-dnscrypt-proxy.toml +@@ -33,7 +33,7 @@ + ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6. + ## Note: When using systemd socket activation, choose an empty set (i.e. [] ). + +-listen_addresses = ['127.0.0.1:53', '[::1]:53'] ++listen_addresses = ['127.0.0.1:53'] + + + ## Maximum number of simultaneous client connections to accept +@@ -46,7 +46,7 @@ max_clients = 250 + ## Note (2): this feature is not compatible with systemd socket activation. + ## Note (3): when using -pidfile, the PID file directory must be writable by the new user + +-# user_name = 'nobody' ++user_name = '_dnscrypt-proxy' + + + ## Require servers (from static + remote sources) to satisfy specific properties +@@ -482,7 +482,7 @@ cache_neg_max_ttl = 600 + + [sources.'public-resolvers'] + urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'] +- cache_file = 'public-resolvers.md' ++ cache_file = '${LOCALSTATEDIR}/dnscrypt-proxy/public-resolvers.md' + minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' + refresh_delay = 72 + prefix = '' diff --git pkg/DESCR pkg/DESCR new file mode 100644 index 00000000000..b61753c6f23 --- /dev/null +++ pkg/DESCR 
@@ -0,0 +1,10 @@ +DNSCrypt-proxy provides a local service which can be used directly as your +local resolver or as a DNS forwarder, encrypting requests using the DNSCrypt +protocol and passing them to an upstream server. + +The DNSCrypt protocol is very similar to DNSCurve, but focuses on securing +communications between a client and its first-level resolver. + +While not providing end-to-end security, it protects the local network, +which is often the weakest point of the chain, against man-in-the-middle +attacks. It also provides some confidentiality to DNS queries. diff --git pkg/DESCR-main pkg/DESCR-main deleted file mode 100644 index e19cb0e1d89..00000000000 --- pkg/DESCR-main +++ /dev/null @@ -1,15 +0,0 @@ -DNSCrypt-proxy provides a local service which can be used directly as your -local resolver or as a DNS forwarder, encrypting requests using the DNSCrypt -protocol and passing them to an upstream server. - -The DNSCrypt protocol is very similar to DNSCurve, but focuses on securing -communications between a client and its first-level resolver. - -DNSCurve improves confidentiality and integrity of DNS requests using -high-speed, high-security elliptic-curve cryptography. It aims to secure -the entire chain down to authoritative servers. However, it only works -with authoritative servers that explicitly support the protocol. - -While not providing end-to-end security, it protects the local network, -which is often the weakest point of the chain, against man-in-the-middle -attacks. It also provides some confidentiality to DNS queries. diff --git pkg/DESCR-plugins pkg/DESCR-plugins deleted file mode 100644 index e766b2d4a1d..00000000000 --- pkg/DESCR-plugins +++ /dev/null 
@@ -1,17 +0,0 @@ -A collection of plugins for dnscrypt-proxy. - -- example-ldns-aaaa-blocking: This plugin returns an empty response to -AAAA queries. - -- example-ldns-blocking: This plugin returns a REFUSED response if the -query name is in a list of blacklisted names, or if at least one of -the returned IP addresses happens to be in a list of blacklisted IPs. - -- example-ldns-forward-after-nxdomain: This plugin falls back to using -the standard resolution mechanism after receiving an NXDOMAIN response. - -- example-ldns-logging: This plugin logs the client queries to the -standard output (default) or to a file. - -- example-ldns-opendns-deviceid: This plugin is only useful when using -OpenDNS with specific routers and enterprise products. diff --git pkg/PLIST pkg/PLIST new file mode 100644 index 00000000000..439189506fe --- /dev/null +++ pkg/PLIST @@ -0,0 +1,19 @@ +@comment $OpenBSD: PLIST,v$ +@conflict dnscrypt-proxy-plugins-* +@pkgpath net/dnscrypt-proxy +@pkgpath net/dnscrypt-proxy,-main +@pkgpath net/dnscrypt-proxy,-utils +@newgroup _dnscrypt-proxy:688 +@newuser _dnscrypt-proxy:688:_dnscrypt-proxy:daemon:dnscrypt-proxy user:/var/empty:/sbin/nologin +@rcscript ${RCDIR}/dnscrypt_proxy +@extraunexec rm -rf /var/dnscrypt-proxy/* +@bin bin/dnscrypt-proxy +share/doc/pkg-readmes/${PKGSTEM} +share/examples/dnscrypt-proxy/ +share/examples/dnscrypt-proxy/example-blacklist.txt +share/examples/dnscrypt-proxy/example-cloaking-rules.txt +share/examples/dnscrypt-proxy/example-dnscrypt-proxy.toml +@sample ${SYSCONFDIR}/dnscrypt-proxy.conf +share/examples/dnscrypt-proxy/example-forwarding-rules.txt +share/examples/dnscrypt-proxy/example-whitelist.txt +@sample ${LOCALSTATEDIR}/dnscrypt-proxy/ diff --git pkg/PLIST-main pkg/PLIST-main deleted file mode 100644 index bd03192851b..00000000000 --- pkg/PLIST-main +++ /dev/null 
@@ -1,23 +0,0 @@ -@comment $OpenBSD: PLIST-main,v 1.7 2018/09/04 12:46:16 espie Exp $ -@newgroup _dnscrypt-proxy:688 -@newuser _dnscrypt-proxy:688:_dnscrypt-proxy:daemon:dnscrypt-proxy user:/var/empty:/sbin/nologin -@bin bin/hostip -include/dnscrypt/ -include/dnscrypt/plugin.h -include/dnscrypt/private.h -include/dnscrypt/version.h -lib/dnscrypt-proxy/ -@man man/man8/dnscrypt-proxy.8 -@man man/man8/hostip.8 -@bin sbin/dnscrypt-proxy -share/dnscrypt-proxy/ -share/dnscrypt-proxy/dnscrypt-resolvers.csv -share/dnscrypt-proxy/minisign.pub -share/doc/dnscrypt-proxy/ -share/doc/dnscrypt-proxy/COPYING -share/doc/dnscrypt-proxy/DNSCRYPT-V2-PROTOCOL.txt -share/doc/dnscrypt-proxy/README-PLUGINS.markdown -share/doc/dnscrypt-proxy/README.markdown -share/doc/dnscrypt-proxy/dnscrypt-proxy.conf -share/doc/pkg-readmes/${PKGSTEM} -@rcscript ${RCDIR}/dnscrypt_proxy diff --git pkg/PLIST-plugins pkg/PLIST-plugins deleted file mode 100644 index b120ce6102d..00000000000 --- pkg/PLIST-plugins +++ /dev/null @@ -1,9 +0,0 @@ -@comment $OpenBSD: PLIST-plugins,v 1.3 2017/01/04 21:52:20 sthen Exp $ -lib/dnscrypt-proxy/libdcplugin_example.so -lib/dnscrypt-proxy/libdcplugin_example_cache.so -lib/dnscrypt-proxy/libdcplugin_example_ldns_aaaa_blocking.so -lib/dnscrypt-proxy/libdcplugin_example_ldns_blocking.so -lib/dnscrypt-proxy/libdcplugin_example_ldns_forwarding.so -lib/dnscrypt-proxy/libdcplugin_example_ldns_opendns_deviceid.so -lib/dnscrypt-proxy/libdcplugin_example_ldns_opendns_set_client_ip.so -lib/dnscrypt-proxy/libdcplugin_example_logging.so diff --git pkg/README pkg/README new file mode 100644 index 00000000000..706eebc809c --- /dev/null +++ pkg/README 
@@ -0,0 +1,27 @@ +$OpenBSD$ + ++----------------------------------------------------------------------- +| Running ${PKGSTEM} on OpenBSD ++----------------------------------------------------------------------- + +dnscrypt-proxy listens for DNS queries on a local address and forwards +them to a DNSCrypt resolver over an encrypted channel. + +To use this package, two things are required. + +Firstly, validate that ${SYSCONFDIR}/dnscrypt-proxy.conf fits your needs, +and start the daemon: + +# rcctl enable dnscrypt_proxy +# rcctl start dnscrypt_proxy + +Secondly, set /etc/resolv.conf to perform queries from dnscrypt-proxy: + +nameserver 127.0.0.1 +lookup file bind + +Note: If fetching your IP address dynamically, dhclient(8) will normally +update resolv.conf with network-provided DNS servers. This can be avoided +by using "ignore domain-name, domain-name-servers;" in /etc/dhclient.conf. + +For more information, see https://dnscrypt.info/ diff --git pkg/README-main pkg/README-main deleted file mode 100644 index 20742f34dc7..00000000000 --- pkg/README-main +++ /dev/null 
@@ -1,89 +0,0 @@ -$OpenBSD: README-main,v 1.10 2018/09/04 12:46:16 espie Exp $ - -+----------------------------------------------------------------------- -| Running ${PKGSTEM} on OpenBSD -+----------------------------------------------------------------------- - -Basic setup -=========== - -dnscrypt-proxy listens for DNS queries on a local address and forwards -them to a DNSCrypt resolver over an encrypted channel. - -To use this package, two things are required. - -Firstly, choose an upstream server. There is no default: the package -lets you make a conscious decision about who to trust. A list of public -servers is in ${TRUEPREFIX}/share/dnscrypt-proxy/dnscrypt-resolvers.csv. -It may be easier to read online: https://dnscrypt.org/dnscrypt-resolvers.html - -Choose one and configure it: - -# rcctl enable dnscrypt_proxy -# rcctl set dnscrypt_proxy flags -E -m1 -R __YOUR_CHOICE__ -# rcctl start dnscrypt_proxy - -Replace __YOUR_CHOICE__ with one of the names from the first column -(e.g. "cisco", "cs-nl", "dnscrypt-eu.nl"), or use the word "random" to -select a random resolver at startup (chosen from those that claim that -they use DNSSEC and do not log requests). - -Secondly, set /etc/resolv.conf to perform queries from dnscrypt-proxy: - -nameserver 127.0.0.1 -lookup file bind - -Note: If fetching your IP address dynamically, dhclient(8) will normally -update resolv.conf with network-provided DNS servers. This can be avoided -by using "ignore domain-name, domain-name-servers;" in /etc/dhclient.conf. - - -Caching -======= - -dnscrypt-proxy does not cache queries. Performance can be improved by -configuring a local caching DNS resolver to forward requests via -dnscrypt-proxy. - -In this configuration, the caching resolver should listen on port 53, -and dnscrypt-proxy should be configured to use an alternative port. 
-For example: - -# rcctl set dnscrypt_proxy flags -E -m1 -R __YOUR_CHOICE__ -a 127.0.0.1:40 -# rcctl restart dnscrypt_proxy - -And an example configuration to use this with Unbound: - -# cat /var/unbound/etc/unbound.conf -server: - interface: 127.0.0.1 - do-not-query-localhost: no - hide-identity: yes - hide-version: yes - # enable dnssec; fetches trust anchor at startup: - auto-trust-anchor-file: "/var/unbound/db/root.key" - # provide service to other local machines, if needed: - #interface: 192.168.1.1 - #access-control: 192.168.1.0/24 allow - -remote-control: - control-enable: yes - control-use-cert: no - control-interface: /var/run/unbound.sock - -forward-zone: - name: "." - forward-addr: 127.0.0.1@40 - #forward-addr: 127.0.0.1@41 # example failover server, see below - -The dnscrypt-proxy utility does not support failover resolvers; as described -in "Using DNSCrypt in combination with a DNS cache" on https://dnscrypt.org/, -you will need to run a second instance of it for DNS redundancy. This can be -handled by rcctl(8) by adding a symbolic link to the script: - -# ln -s dnscrypt_proxy /etc/rc.d/dnscrypt_proxy2 -# rcctl enable dnscrypt_proxy2 -# rcctl set dnscrypt_proxy2 flags -E -m1 -R __SECOND_CHOICE__ -a 127.0.0.1:41 -# rcctl start dnscrypt_proxy2 - -For more information, see https://dnscrypt.org/ diff --git pkg/dnscrypt_proxy.rc pkg/dnscrypt_proxy.rc index 6be59fc24b9..8fb62bae5d3 100644 --- pkg/dnscrypt_proxy.rc +++ pkg/dnscrypt_proxy.rc @@ -2,10 +2,14 @@ # # $OpenBSD: dnscrypt_proxy.rc,v 1.4 2018/01/11 19:27:05 rpe Exp $ -daemon="${TRUEPREFIX}/sbin/dnscrypt-proxy -d --user=_dnscrypt-proxy" +daemon="${TRUEPREFIX}/bin/dnscrypt-proxy" +daemon_flags="-config ${SYSCONFDIR}/dnscrypt-proxy.conf" . /etc/rc.d/rc.subr +pexp="${daemon}${daemon_flags:+ ${daemon_flags}}.*" + +rc_bg=YES rc_reload=NO rc_cmd $1
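Review bot: in the pkg/PLIST hunk, `@sample ${LOCALSTATEDIR}/dnscrypt-proxy/` carries no `@owner`/`@group` annotation and so is created root-owned, yet the patched example-dnscrypt-proxy.toml sets `user_name = '_dnscrypt-proxy'` and `cache_file = '${LOCALSTATEDIR}/dnscrypt-proxy/public-resolvers.md'`, and the cover letter says the daemon drops to that user after binding and fetches the resolver list into that directory itself. Unless the directory is chowned somewhere not shown in this diff, the list refresh will fail with a permission error; bracketing the @sample line with `@owner _dnscrypt-proxy` / `@group _dnscrypt-proxy` and a bare `@owner` / `@group` reset afterwards (plus `@mode` if 0755 is not wanted) fixes it. Two smaller points in the same hunk: `@extraunexec rm -rf /var/dnscrypt-proxy/*` hardcodes /var where the @sample line uses ${LOCALSTATEDIR}, and the old Makefile only ever had `MULTI_PACKAGES= -main -plugins`, so it is unclear what `@pkgpath net/dnscrypt-proxy,-utils` is meant to match; if no -utils subpackage ever existed it can be dropped.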
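Review bot: the new pkg/README loses the old README-main's guidance that there is no default upstream and the user should consciously decide whom to trust, while the shipped config now picks resolvers automatically from the remote list under `[sources.'public-resolvers']` (see the toml patch). One sentence in the "Firstly" paragraph saying that the default dnscrypt-proxy.conf fetches its server list from that source, and that the "Require servers ... to satisfy specific properties" section is where to narrow the choice, would preserve that guidance and doubles as the current.html note the cover letter proposes.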
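Review bot: in the pkg/dnscrypt_proxy.rc hunk, the trailing `.*` in `pexp="${daemon}${daemon_flags:+ ${daemon_flags}}.*"` departs from the rc.subr default without explanation; since the apparent reason is that the process's argument vector changes once it switches to the _dnscrypt-proxy user (as the cover letter describes), a one-line comment saying so would stop the next maintainer from "simplifying" it away. Likewise `rc_bg=YES` replaces the old `-d` flag from the removed daemon line, which is worth a short comment too.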