From 8602a697cc46b4dcfbe58f5cab999b5f137a3237 Mon Sep 17 00:00:00 2001 
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com>
Date: Wed, 19 Jun 2019 17:31:43 +0200
Subject: [PATCH] dnscrypt-proxy as a dns adblocker (#1480)
* Move DNS adblocking to dnscrypt-proxy
* Update docs
* remove unneeded variable dnscrypt_proxy_version
* Update to the latest dnscrypt-proxy version
* install.sh fix
* spelling
---
 config.cfg | 1 +
 docs/cloud-do.md | 2 +-
 docs/deploy-from-ansible.md | 4 +-
 ...-from-script-or-cloud-init-to-localhost.md | 2 +-
 input.yml | 14 +-
 install.sh | 7 +-
 playbooks/cloud-post.yml | 2 +-
 playbooks/cloud-pre.yml | 2 +-
 roles/dns/defaults/main.yml | 10 +
 .../50-dnscrypt-proxy-unattended-upgrades | 0
 .../files/apparmor.profile.dnscrypt-proxy | 0
 .../{dns_encryption => dns}/handlers/main.yml | 0
 roles/dns/tasks/dns_adblocking.yml | 20 +
 .../{dns_encryption => dns}/tasks/freebsd.yml | 0
 roles/{dns_encryption => dns}/tasks/main.yml | 8 +-
 .../{dns_encryption => dns}/tasks/ubuntu.yml | 1 -
 .../templates/adblock.sh.j2 | 26 +-
 .../templates/dnscrypt-proxy.toml.j2 | 104 ++-
 .../templates/ip-blacklist.txt.j2 | 0
 roles/dns_adblocking/handlers/main.yml | 9 -
 roles/dns_adblocking/tasks/freebsd.yml | 12 -
 roles/dns_adblocking/tasks/main.yml | 47 --
 roles/dns_adblocking/tasks/ubuntu.yml | 33 -
 .../templates/100-CustomLimitations.conf.j2 | 5 -
 .../dns_adblocking/templates/dnsmasq.conf.j2 | 678 ------------------
 .../templates/usr.sbin.dnsmasq.j2 | 28 -
 roles/dns_encryption/defaults/main.yml | 13 -
 roles/strongswan/defaults/main.yml | 2 +-
 roles/strongswan/templates/ipsec.conf.j2 | 2 +-
 roles/wireguard/defaults/main.yml | 2 +-
 server.yml | 15 +-
 tests/cloud-init.sh | 2 +-
 tests/local-deploy.sh | 2 +-
 33 files changed, 170 insertions(+), 883 deletions(-)
 create mode 100644 roles/dns/defaults/main.yml
 rename roles/{dns_encryption => dns}/files/50-dnscrypt-proxy-unattended-upgrades (100%)
 rename roles/{dns_encryption => dns}/files/apparmor.profile.dnscrypt-proxy (100%)
 rename roles/{dns_encryption => dns}/handlers/main.yml (100%)
 create 
mode 100644 roles/dns/tasks/dns_adblocking.yml
 rename roles/{dns_encryption => dns}/tasks/freebsd.yml (100%)
 rename roles/{dns_encryption => dns}/tasks/main.yml (88%)
 rename roles/{dns_encryption => dns}/tasks/ubuntu.yml (95%)
 rename roles/{dns_adblocking => dns}/templates/adblock.sh.j2 (54%)
 rename roles/{dns_encryption => dns}/templates/dnscrypt-proxy.toml.j2 (78%)
 rename roles/{dns_encryption => dns}/templates/ip-blacklist.txt.j2 (100%)
 delete mode 100644 roles/dns_adblocking/handlers/main.yml
 delete mode 100644 roles/dns_adblocking/tasks/freebsd.yml
 delete mode 100644 roles/dns_adblocking/tasks/main.yml
 delete mode 100644 roles/dns_adblocking/tasks/ubuntu.yml
 delete mode 100644 roles/dns_adblocking/templates/100-CustomLimitations.conf.j2
 delete mode 100644 roles/dns_adblocking/templates/dnsmasq.conf.j2
 delete mode 100644 roles/dns_adblocking/templates/usr.sbin.dnsmasq.j2
 delete mode 100644 roles/dns_encryption/defaults/main.yml
diff --git a/config.cfg b/config.cfg
index 2b440b4..d7f345e 100644
--- a/config.cfg
+++ b/config.cfg
@@ -62,6 +62,7 @@ adblock_lists:
 # Enable DNS encryption.
 # If 'false', 'dns_servers' should be specified below.
+# DNS encryption can not be disabled if DNS adblocking is enabled
 dns_encryption: true
 # DNS servers which will be used if 'dns_encryption' is 'true'. Multiple
diff --git a/docs/cloud-do.md b/docs/cloud-do.md
index 3c6a0a5..ced8d69 100644
--- a/docs/cloud-do.md
+++ b/docs/cloud-do.md
@@ -84,7 +84,7 @@ ansible-playbook main.yml -e "provider=digitalocean
 server_name=algo
 ondemand_cellular=true
 ondemand_wifi=true
- local_dns=false
+ dns_adblocking=false
 ssh_tunneling=false
 windows=false
 store_cakey=true
diff --git a/docs/deploy-from-ansible.md b/docs/deploy-from-ansible.md
index 8429430..ee52dec 100644
--- a/docs/deploy-from-ansible.md
+++ b/docs/deploy-from-ansible.md
@@ -15,7 +15,7 @@ ansible-playbook main.yml -e "provider=digitalocean
 server_name=algo
 ondemand_cellular=false
 ondemand_wifi=false
- local_dns=true
+ dns_adblocking=true
 ssh_tunneling=true
 windows=false
 store_cakey=true
@@ -32,7 +32,7 @@ See below for more information about variables and roles.
 - `ondemand_cellular` (Optional) VPN On Demand when connected to cellular networks with IPsec. Default: false
 - `ondemand_wifi` - (Optional. See `ondemand_wifi_exclude`) VPN On Demand when connected to WiFi networks with IPsec. Default: false
 - `ondemand_wifi_exclude` (Required if `ondemand_wifi` set) - WiFi networks to exclude from using the VPN. Comma-separated values
-- `local_dns` - (Optional) Enable a DNS resolver. Default: false
+- `dns_adblocking` - (Optional) Enable a DNS resolver. Default: false
 - `ssh_tunneling` - (Optional) Enable SSH tunneling for each user. Default: false
 - `windows` - (Optional) Enables compatible ciphers and key exchange to support Windows clients, less secure. Default: false
 - `store_cakey` - (Optional) Whether or not keep the CA key (required to add users in the future, but less secure). Default: false
diff --git a/docs/deploy-from-script-or-cloud-init-to-localhost.md b/docs/deploy-from-script-or-cloud-init-to-localhost.md
index 2e4308a..3a6472a 100644
--- a/docs/deploy-from-script-or-cloud-init-to-localhost.md
+++ b/docs/deploy-from-script-or-cloud-init-to-localhost.md
@@ -20,7 +20,7 @@ The command will prepare the environment and install AlgoVPN with the default pa
 `ONDEMAND_WIFI_EXCLUDE` - List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand". Comma-separated list.
 `WINDOWS` - To support Windows 10 or Linux Desktop clients. Default: false.
 `STORE_CAKEY` - To retain the CA key. (required to add users in the future, but less secure). Default: false.
-`LOCAL_DNS` - To install an ad blocking DNS resolver. Default: false.
+`DNS_ADBLOCKING` - To install an ad blocking DNS resolver. Default: false.
 `SSH_TUNNELING` - Enable SSH tunneling for each user. Default: false.
 `ENDPOINT` - The public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate). It will be gathered automatically for DigitalOcean, AWS, GCE, Azure or Vultr if the `METHOD` is cloud. Otherwise you need to define this variable according to your public IP address.
 `USERS` - list of VPN users. Comma-separated list. Default: user1.
diff --git a/input.yml b/input.yml
index 659977a..763b2cd 100644
--- a/input.yml
+++ b/input.yml
@@ -7,7 +7,7 @@
 server_name: algo
 ondemand_cellular: false
 ondemand_wifi: false
- local_dns: false
+ dns_adblocking: false
 ssh_tunneling: false
 windows: false
 store_cakey: false
@@ -99,10 +99,10 @@
 - name: DNS adblocking prompt
 pause:
 prompt: |
- Do you want to install an ad blocking DNS resolver on this VPN server?
+ Do you want to enable DNS ad blocking on this VPN server?
 [y/N]
- register: _local_dns
- when: local_dns is undefined
+ register: _dns_adblocking
+ when: dns_adblocking is undefined
 - name: SSH tunneling prompt
 pause:
@@ -133,9 +133,9 @@
 {%- elif _ondemand_wifi_exclude.user_input is defined and _ondemand_wifi_exclude.user_input|length > 0 -%}
 {{ _ondemand_wifi_exclude.user_input | b64encode }}
 {%- else %}{{ '_null' | b64encode }}{% endif %}
- algo_local_dns: >-
- {% if local_dns is defined %}{{ local_dns | bool }}
- {%- elif _local_dns.user_input is defined %}{{ booleans_map[_local_dns.user_input] | default(defaults['local_dns']) }}
+ algo_dns_adblocking: >-
+ {% if dns_adblocking is defined %}{{ dns_adblocking | bool }}
+ {%- elif _dns_adblocking.user_input is defined %}{{ booleans_map[_dns_adblocking.user_input] | default(defaults['dns_adblocking']) }}
 {%- else %}false{% endif %}
 algo_ssh_tunneling: >-
 {% if ssh_tunneling is defined %}{{ ssh_tunneling | bool }}
diff --git a/install.sh b/install.sh
index 5c7cf50..ff3e343 100644
--- a/install.sh
+++ b/install.sh
@@ -8,7 +8,7 @@ ONDEMAND_WIFI="${3:-${ONDEMAND_WIFI:-false}}"
 ONDEMAND_WIFI_EXCLUDE="${4:-${ONDEMAND_WIFI_EXCLUDE:-_null}}"
 WINDOWS="${5:-${WINDOWS:-false}}"
 STORE_CAKEY="${6:-${STORE_CAKEY:-false}}"
-LOCAL_DNS="${7:-${LOCAL_DNS:-false}}"
+DNS_ADBLOCKING="${7:-${DNS_ADBLOCKING:-false}}"
 SSH_TUNNELING="${8:-${SSH_TUNNELING:-false}}"
 ENDPOINT="${9:-${ENDPOINT:-localhost}}"
 USERS="${10:-${USERS:-user1}}"
@@ -20,6 +20,7 @@ ANSIBLE_EXTRA_ARGS="${14:-${ANSIBLE_EXTRA_ARGS}}"
 cd /opt/
 installRequirements() {
+ export DEBIAN_FRONTEND=noninteractive
 apt-get update
 apt-get install \
 software-properties-common \
@@ -38,7 +39,7 @@ installRequirements() {
 getAlgo() {
 [ ! -d "algo" ] && git clone "https://github.com/${REPO_SLUG}" -b "${REPO_BRANCH}" algo
 cd algo
-
+
 python -m virtualenv --python="$(command -v python2)" .venv
 # shellcheck source=/dev/null
 . .venv/bin/activate
@@ -92,7 +93,7 @@ deployAlgo() {
 -e "ondemand_wifi_exclude=${ONDEMAND_WIFI_EXCLUDE}" \
 -e "windows=${WINDOWS}" \
 -e "store_cakey=${STORE_CAKEY}" \
- -e "local_dns=${LOCAL_DNS}" \
+ -e "dns_adblocking=${DNS_ADBLOCKING}" \
 -e "ssh_tunneling=${SSH_TUNNELING}" \
 -e "endpoint=$ENDPOINT" \
 -e "users=$(echo "$USERS" | jq -Rc 'split(",")')" \
diff --git a/playbooks/cloud-post.yml b/playbooks/cloud-post.yml
index 0ada114..95eacfe 100644
--- a/playbooks/cloud-post.yml
+++ b/playbooks/cloud-post.yml
@@ -15,7 +15,7 @@
 algo_ondemand_cellular: "{{ algo_ondemand_cellular }}"
 algo_ondemand_wifi: "{{ algo_ondemand_wifi }}"
 algo_ondemand_wifi_exclude: "{{ algo_ondemand_wifi_exclude }}"
- algo_local_dns: "{{ algo_local_dns }}"
+ algo_dns_adblocking: "{{ algo_dns_adblocking }}"
 algo_ssh_tunneling: "{{ algo_ssh_tunneling }}"
 algo_windows: "{{ algo_windows }}"
 algo_store_cakey: "{{ algo_store_cakey }}"
diff --git a/playbooks/cloud-pre.yml b/playbooks/cloud-pre.yml
index 710702c..1a5c87b 100644
--- a/playbooks/cloud-pre.yml
+++ b/playbooks/cloud-pre.yml
@@ -10,7 +10,7 @@
 'algo_ondemand_wifi_exclude "{{ algo_ondemand_wifi_exclude }}"' \
 'algo_windows "{{ algo_windows }}"' \
 {% endif %}
- 'algo_local_dns "{{ algo_local_dns }}"' \
+ 'algo_dns_adblocking "{{ algo_dns_adblocking }}"' \
 'algo_ssh_tunneling "{{ algo_ssh_tunneling }}"' \
 'wireguard_enabled "{{ wireguard_enabled }}"' \
 'dns_encryption "{{ dns_encryption }}"' \
diff --git a/roles/dns/defaults/main.yml b/roles/dns/defaults/main.yml
new file mode 100644
index 0000000..cdfa1c9
--- /dev/null
+++ b/roles/dns/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+algo_dns_adblocking: false
+apparmor_enabled: true
+dns_encryption: true
+ipv6_support: false
+dnscrypt_servers:
+ ipv4:
+ - cloudflare
+ ipv6:
+ - cloudflare-ipv6
diff --git a/roles/dns_encryption/files/50-dnscrypt-proxy-unattended-upgrades b/roles/dns/files/50-dnscrypt-proxy-unattended-upgrades
similarity index 100%
rename from roles/dns_encryption/files/50-dnscrypt-proxy-unattended-upgrades
rename to roles/dns/files/50-dnscrypt-proxy-unattended-upgrades
diff --git a/roles/dns_encryption/files/apparmor.profile.dnscrypt-proxy b/roles/dns/files/apparmor.profile.dnscrypt-proxy
similarity index 100%
rename from roles/dns_encryption/files/apparmor.profile.dnscrypt-proxy
rename to roles/dns/files/apparmor.profile.dnscrypt-proxy
diff --git a/roles/dns_encryption/handlers/main.yml b/roles/dns/handlers/main.yml
similarity index 100%
rename from roles/dns_encryption/handlers/main.yml
rename to roles/dns/handlers/main.yml
diff --git a/roles/dns/tasks/dns_adblocking.yml b/roles/dns/tasks/dns_adblocking.yml
new file mode 100644
index 0000000..5ef9024
--- /dev/null
+++ b/roles/dns/tasks/dns_adblocking.yml
@@ -0,0 +1,20 @@
+---
+- name: Adblock script created
+ template:
+ src: adblock.sh.j2
+ dest: /usr/local/sbin/adblock.sh
+ owner: root
+ group: "{{ root_group|default('root') }}"
+ mode: 0755
+
+- name: Adblock script added to cron
+ cron:
+ name: Adblock hosts update
+ minute: "{{ range(0, 60) | random }}"
+ hour: "{{ range(0, 24) | random }}"
+ job: /usr/local/sbin/adblock.sh
+ user: root
+
+- name: Update adblock hosts
+ command: /usr/local/sbin/adblock.sh
+ changed_when: false
diff --git a/roles/dns_encryption/tasks/freebsd.yml b/roles/dns/tasks/freebsd.yml
similarity index 100%
rename from roles/dns_encryption/tasks/freebsd.yml
rename to roles/dns/tasks/freebsd.yml
diff --git a/roles/dns_encryption/tasks/main.yml b/roles/dns/tasks/main.yml
similarity index 88%
rename from roles/dns_encryption/tasks/main.yml
rename to roles/dns/tasks/main.yml
index 5740703..6f1169e 100644
--- a/roles/dns_encryption/tasks/main.yml
+++ b/roles/dns/tasks/main.yml
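Review bot: The `random` filter on the `minute:` and `hour:` lines of the cron task is re-evaluated on every playbook run, so the crontab entry is rewritten each time and the task never converges to an unchanged state. Seeding the filter keeps the schedule stable per host: `minute: "{{ range(0, 60) | random(seed=inventory_hostname) }}"` and `hour: "{{ range(0, 24) | random(seed=inventory_hostname) }}"`. The last task runs the script with `changed_when: false` and no failure handling; since the script ends in an unconditional `exit 0` (see the adblock.sh.j2 hunk in this commit), a failed list download at deploy time does not surface here, so a `failed_when` on the script's output or a non-zero exit from the script itself would be needed to catch it.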
@@ -21,10 +21,14 @@
 notify:
 - restart dnscrypt-proxy
+- name: Include DNS adblocking tasks
+ import_tasks: dns_adblocking.yml
+ when: algo_dns_adblocking
+
+- meta: flush_handlers
+
 - name: dnscrypt-proxy enabled and started
 service:
 name: dnscrypt-proxy
 state: started
 enabled: true
-
-- meta: flush_handlers
diff --git a/roles/dns_encryption/tasks/ubuntu.yml b/roles/dns/tasks/ubuntu.yml
similarity index 95%
rename from roles/dns_encryption/tasks/ubuntu.yml
rename to roles/dns/tasks/ubuntu.yml
index 198da88..1691e81 100644
--- a/roles/dns_encryption/tasks/ubuntu.yml
+++ b/roles/dns/tasks/ubuntu.yml
@@ -4,7 +4,6 @@
 state: present
 codename: "{{ ansible_distribution_release }}"
 repo: ppa:shevchuk/dnscrypt-proxy
- when: ansible_distribution_version is version_compare('19.04', '<')
 register: result
 until: result is succeeded
 retries: 10
diff --git a/roles/dns_adblocking/templates/adblock.sh.j2 b/roles/dns/templates/adblock.sh.j2
similarity index 54%
rename from roles/dns_adblocking/templates/adblock.sh.j2
rename to roles/dns/templates/adblock.sh.j2
index 08af362..cc74f98 100644
--- a/roles/dns_adblocking/templates/adblock.sh.j2
+++ b/roles/dns/templates/adblock.sh.j2
@@ -3,13 +3,13 @@
 TEMP="$(mktemp)"
 TEMP_SORTED="$(mktemp)"
-DNSMASQ_WHITELIST="/var/lib/dnsmasq/white.list"
-DNSMASQ_BLACKLIST="/var/lib/dnsmasq/black.list"
-DNSMASQ_BLOCKHOSTS="{{ config_prefix|default('/') }}etc/dnsmasq.d/block.hosts.conf"
+WHITELIST="/etc/dnscrypt-proxy/white.list"
+BLACKLIST="/etc/dnscrypt-proxy/black.list"
+BLOCKHOSTS="{{ config_prefix|default('/') }}etc/dnscrypt-proxy/blacklist.txt"
 BLOCKLIST_URLS="{% for url in adblock_lists %}{{ url }} {% endfor %}"
 #Delete the old block.hosts to make room for the updates
-rm -f $DNSMASQ_BLOCKHOSTS
+rm -f $BLOCKHOSTS
 echo 'Downloading hosts lists...'
 #Download and process the files needed to make the lists (enable/add more, if you want)
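Review bot: The adblocking import is placed before `meta: flush_handlers` and before the "dnscrypt-proxy enabled and started" task, while the imported script ends with `systemctl restart dnscrypt-proxy.service` (see adblock.sh.j2 in this commit), so on a first deploy the daemon is restarted by the script and then again by the pending handler. Importing the tasks after the service task, or replacing the script's own restart with a handler notification, would give a single restart with the final configuration. If the ordering is deliberate, a comment on the import line would make that visible: `# adblock.sh restarts dnscrypt-proxy itself; runs before the handler flush on purpose`.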
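Review bot: Removing the `when:` guard means `ppa:shevchuk/dnscrypt-proxy` is now added on every Ubuntu release, including the ones whose own archive ships dnscrypt-proxy, so the package is sourced from a third-party PPA in all cases. That extends the trust placed in the PPA's signing key and maintainer to every deployment; if that is the intended trade-off for tracking current upstream, a comment on the task would record the decision, e.g. `# PPA is used on all releases so the packaged dnscrypt-proxy tracks upstream`. The enclosing task starts before this hunk.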
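Review bot: `WHITELIST` and `BLACKLIST` are hard-coded under `/etc/dnscrypt-proxy/` while `BLOCKHOSTS` on the next line honours `config_prefix`, so on a prefixed install the script writes the blocklist to one directory and reads the white/black lists from another. Prefixing all three the same way avoids that: `WHITELIST="{{ config_prefix|default('/') }}etc/dnscrypt-proxy/white.list"` and `BLACKLIST="{{ config_prefix|default('/') }}etc/dnscrypt-proxy/black.list"`. `rm -f $BLOCKHOSTS` is unquoted and is also redundant, because the later hunk overwrites the file with `>` unconditionally; the real consequence is that a failed download still ends with an empty blocklist being installed and the service restarted, so writing `rm -f -- "$BLOCKHOSTS"` and only replacing the file once the new list is non-empty would be safer.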
@@ -18,28 +18,28 @@ for url in $BLOCKLIST_URLS; do
 done
 #Add black list, if non-empty
-if [ -s "$DNSMASQ_BLACKLIST" ]
+if [ -s "$BLACKLIST" ]
 then
 echo 'Adding blacklist...'
- cat $DNSMASQ_BLACKLIST >> "$TEMP"
+ cat $BLACKLIST >> "$TEMP"
 fi
 #Sort the download/black lists
-awk '/^[^#]/ { print "local=/" $1 "/" }' "$TEMP" | sort -u > "$TEMP_SORTED"
+awk '/^[^#]/ { print $1 }' "$TEMP" | sort -u > "$TEMP_SORTED"
 #Filter (if applicable)
-if [ -s "$DNSMASQ_WHITELIST" ]
+if [ -s "$WHITELIST" ]
 then
 #Filter the blacklist, suppressing whitelist matches
 # This is relatively slow =-(
 echo 'Filtering white list...'
- grep -v -E "^[[:space:]]*$" $DNSMASQ_WHITELIST | awk '/^[^#]/ {sub(/\r$/,"");print $1}' | grep -vf - "$TEMP_SORTED" > $DNSMASQ_BLOCKHOSTS
+ grep -v -E "^[[:space:]]*$" $WHITELIST | awk '/^[^#]/ {sub(/\r$/,"");print $1}' | grep -vf - "$TEMP_SORTED" > $BLOCKHOSTS
 else
- cat "$TEMP_SORTED" > $DNSMASQ_BLOCKHOSTS
+ cat "$TEMP_SORTED" > $BLOCKHOSTS
 fi
-echo 'Restarting dnsmasq service...'
-#Restart the dnsmasq service
-systemctl restart dnsmasq.service
+echo 'Restarting dns service...'
+#Restart the dns service
+systemctl restart dnscrypt-proxy.service
 exit 0
diff --git a/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 b/roles/dns/templates/dnscrypt-proxy.toml.j2
similarity index 78%
rename from roles/dns_encryption/templates/dnscrypt-proxy.toml.j2
rename to roles/dns/templates/dnscrypt-proxy.toml.j2
index a084a9d..5fa8839 100644
--- a/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2
+++ b/roles/dns/templates/dnscrypt-proxy.toml.j2
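Review bot: `systemctl restart dnscrypt-proxy.service` is hard-coded although the role still carries FreeBSD tasks (tasks/freebsd.yml is renamed into it by this commit and the toml template branches on `ansible_distribution == "FreeBSD"`), where systemctl does not exist, and the failure is masked because the script ends with `exit 0` regardless of what happened. Guarding the restart with `command -v systemctl` and exiting with the restart's own status instead of the unconditional `exit 0` would make a broken cron run visible. Separately, `grep -vf - "$TEMP_SORTED"` treats every whitelist entry as an unanchored basic regex, so a whitelist line `example.com` also un-blocks `notexample.com` and `example.com.evil`; `grep -vxFf -` would limit the suppression to exact names, which is presumably what a whitelist is meant to do.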
@@ -37,7 +37,10 @@
 ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
 ## Note: When using systemd socket activation, choose an empty set (i.e. [] ).
-listen_addresses = ['{{ local_service_ip }}:{{ listen_port }}'{% if ipv6_support %}, '[{{ local_service_ipv6 }}]:{{ listen_port }}'{% endif %}]
+listen_addresses = [
+ '{{ local_service_ip }}:53'{% if ipv6_support %},
+ '[{{ local_service_ipv6 }}]:53'{% endif %}
+ ]
 ## Maximum number of simultaneous client connections to accept
@@ -45,6 +48,14 @@ listen_addresses = ['{{ local_service_ip }}:{{ listen_port }}'{% if ipv6_suppor
 max_clients = 250
+## Switch to a different system user after listening sockets have been created.
+## Note (1): this feature is currently unsupported on Windows.
+## Note (2): this feature is not compatible with systemd socket activation.
+## Note (3): when using -pidfile, the PID file directory must be writable by the new user
+
+# user_name = 'nobody'
+
+
 ## Require servers (from static + remote sources) to satisfy specific properties
 # Use servers reachable over IPv4
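Review bot: `user_name` arrives only as the commented-out example `# user_name = 'nobody'`, so the daemon, which the previous hunk now binds directly to port 53 on `listen_addresses`, keeps whatever identity the service unit starts it with. Unless the packaged unit already drops privileges (not visible in this diff), enabling `user_name` with an unprivileged account is the option this hunk documents for shedding root after the sockets are bound; Note (2) in the same hunk says it is incompatible with systemd socket activation, so check how the packaged unit launches the proxy before turning it on. A one-line comment such as `# left unset: the service unit is expected to drop privileges — verify` would record whichever way that check comes out.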
@@ -71,13 +82,32 @@ require_nolog = true
 # Server must not enforce its own blacklist (for parental control, ads blocking...)
 require_nofilter = true
+# Server names to avoid even if they match all criteria
+disabled_server_names = []
-## Always use TCP to connect to upstream servers
+## Always use TCP to connect to upstream servers.
+## This can be useful if you need to route everything through Tor.
+## Otherwise, leave this to `false`, as it doesn't improve security
+## (dnscrypt-proxy will always encrypt everything even using UDP), and can
+## only increase latency.
 force_tcp = false
+## SOCKS proxy
+## Uncomment the following line to route all TCP connections to a local Tor node
+## Tor doesn't support UDP, so set `force_tcp` to `true` as well.
+
+# proxy = "socks5://127.0.0.1:9050"
+
+
+## HTTP/HTTPS proxy
+## Only for DoH servers
+
+# http_proxy = "http://127.0.0.1:8888"
+
+
 ## How long a DNS query will wait for a response, in milliseconds
 timeout = 2500
@@ -88,10 +118,22 @@ timeout = 2500
 keepalive = 30
-## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random'
+## Use the REFUSED return code for blocked responses
+## Setting this to `false` means that some responses will be lies.
+## Unfortunately, `false` appears to be required for Android 8+
+
+refused_code_in_responses = false
+
+
+## Load-balancing strategy: 'p2' (default), 'ph', 'first' or 'random'
 lb_strategy = 'p2'
+## Set to `true` to constantly try to estimate the latency of all the resolvers
+## and adjust the load-balancing parameters accordingly, or to `false` to disable.
+
+# lb_estimator = true
 ## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)
@@ -130,6 +172,8 @@ tls_disable_session_tickets = true
 ## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 ## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
 ## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+## 4865 = TLS_AES_128_GCM_SHA256
+## 4867 = TLS_CHACHA20_POLY1305_SHA256
 ##
 ## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
 ## the following suite improves performance.
@@ -138,7 +182,7 @@ tls_disable_session_tickets = true
 ## Keep tls_cipher_suite empty if you have issues fetching sources or
 ## connecting to some DoH servers. Google and Cloudflare are fine with it.
-# tls_cipher_suite = [49195]
+# tls_cipher_suite = [52392, 49199]
 ## Fallback resolver
@@ -158,12 +202,40 @@ tls_disable_session_tickets = true
 fallback_resolver = '{% if ansible_distribution == "FreeBSD" %}{{ ansible_dns.nameservers.0 }}:53{% else %}127.0.0.53:53{% endif %}'
-## Never try to use the system DNS settings; unconditionally use the
-## fallback resolver.
+## Never let dnscrypt-proxy try to use the system DNS settings;
+## unconditionally use the fallback resolver.
 ignore_system_dns = true
+## Maximum time (in seconds) to wait for network connectivity before
+## initializing the proxy.
+## Useful if the proxy is automatically started at boot, and network
+## connectivity is not guaranteed to be immediately available.
+## Use 0 to not test for connectivity at all (not recommended),
+## and -1 to wait as much as possible.
+
+netprobe_timeout = 60
+
+## Address and port to try initializing a connection to, just to check
+## if the network is up. It can be any address and any port, even if
+## there is nothing answering these on the other side. Just don't use
+## a local address, as the goal is to check for Internet connectivity.
+## On Windows, a datagram with a single, nul byte will be sent, only
+## when the system starts.
+## On other operating systems, the connection will be initialized
+## but nothing will be sent at all.
+
+netprobe_address = "1.1.1.1:53"
+
+
+## Offline mode - Do not use any remote encrypted servers.
+## The proxy will remain fully functional to respond to queries that
+## plugins can handle directly (forwarding, cloaking, ...)
+
+# offline_mode = false
+
+
 ## Automatic log files rotation
 # Maximum log files size in MB
@@ -183,8 +255,9 @@ log_files_max_backups = 1
 ## Immediately respond to IPv6-related queries with an empty response
 ## This makes things faster when there is no IPv6 connectivity, but can
-## also cause reliability issues with some stub resolvers. In
-## particular, enabling this on macOS is not recommended.
+## also cause reliability issues with some stub resolvers.
+## Do not enable if you added a validating resolver such as dnsmasq in front
+## of the proxy.
 block_ipv6 = false
@@ -319,7 +392,7 @@ cache_neg_max_ttl = 600
 ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)
- # blacklist_file = 'blacklist.txt'
+ {{ "blacklist_file = 'blacklist.txt'" if algo_dns_adblocking else "" }}
 ## Optional path to a file logging blocked queries
@@ -452,9 +525,16 @@ cache_neg_max_ttl = 600
 urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
 cache_file = '/tmp/public-resolvers.md'
 minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
- refresh_delay = 72
 prefix = ''
+ ## Quad9 over DNSCrypt - https://quad9.net/
+
+ # [sources.quad9-resolvers]
+ # urls = ["https://www.quad9.net/quad9-resolvers.md"]
+ # minisign_key = "RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN"
+ # cache_file = "quad9-resolvers.md"
+ # prefix = "quad9-"
+
 ## Another example source, with resolvers censoring some websites not appropriate for children
 ## This is a subset of the `public-resolvers` list, so enabling both is useless
@@ -470,5 +550,5 @@ cache_neg_max_ttl = 600
 [static]
- # [static.'google']
- # stamp = 'sdns://AgUAAAAAAAAAAAAOZG5zLmdvb2dsZS5jb20NL2V4cGVyaW1lbnRhbA'
+ # [static.'myserver']
+ # stamp = 'sdns:AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'
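Review bot: `blacklist_file = 'blacklist.txt'` is emitted as a relative path, and the comment just above it says relative paths resolve against the executable's directory, while adblock.sh.j2 in this commit writes the list to `{{ config_prefix|default('/') }}etc/dnscrypt-proxy/blacklist.txt`. If the daemon does not resolve that relative name into `/etc/dnscrypt-proxy` (this depends on how the packaged service is launched, which is not visible here), the blocklist is silently never loaded and ad blocking becomes a no-op with no error from the play. An absolute path removes the ambiguity: `{% if algo_dns_adblocking %}blacklist_file = '{{ config_prefix|default('/') }}etc/dnscrypt-proxy/blacklist.txt'{% endif %}`.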
diff --git a/roles/dns_encryption/templates/ip-blacklist.txt.j2 b/roles/dns/templates/ip-blacklist.txt.j2
similarity index 100%
rename from roles/dns_encryption/templates/ip-blacklist.txt.j2
rename to roles/dns/templates/ip-blacklist.txt.j2
diff --git a/roles/dns_adblocking/handlers/main.yml b/roles/dns_adblocking/handlers/main.yml
deleted file mode 100644
index 85cbe32..0000000
--- a/roles/dns_adblocking/handlers/main.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-- name: restart dnsmasq
- service: name=dnsmasq state=restarted
-
-- name: restart apparmor
- service: name=apparmor state=restarted
-
-- name: daemon-reload
- systemd:
- daemon_reload: true
diff --git a/roles/dns_adblocking/tasks/freebsd.yml b/roles/dns_adblocking/tasks/freebsd.yml
deleted file mode 100644
index 1b73921..0000000
--- a/roles/dns_adblocking/tasks/freebsd.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-
-- name: FreeBSD / HardenedBSD | Enable dnsmasq
- lineinfile: dest=/etc/rc.conf regexp=^dnsmasq_enable= line='dnsmasq_enable="YES"'
-
-- name: The dnsmasq additional directories created
- file:
- dest: "{{ item }}"
- state: directory
- mode: '0755'
- with_items:
- - "{{ config_prefix|default('/') }}etc/dnsmasq.d"
diff --git a/roles/dns_adblocking/tasks/main.yml b/roles/dns_adblocking/tasks/main.yml
deleted file mode 100644
index 49cfa16..0000000
--- a/roles/dns_adblocking/tasks/main.yml
+++ /dev/null
@@ -1,47 +0,0 @@
----
-- name: Dnsmasq installed
- package: name=dnsmasq
-
-- name: The dnsmasq directory created
- file: dest=/var/lib/dnsmasq state=directory mode=0755 owner=dnsmasq group=nogroup
-
-- include_tasks: ubuntu.yml
- when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
-
-- include_tasks: freebsd.yml
- when: ansible_distribution == 'FreeBSD'
-
-- name: Dnsmasq configured
- template:
- src: dnsmasq.conf.j2
- dest: "{{ config_prefix|default('/') }}etc/dnsmasq.conf"
- notify:
- - restart dnsmasq
-
-- name: Adblock script created
- template:
- src: adblock.sh.j2
- dest: /usr/local/sbin/adblock.sh
- owner: root
- group: "{{ root_group|default('root') }}"
- mode: 0755
-
-- name: Adblock script added to cron
- cron:
- name: Adblock hosts update
- minute: "{{ range(0, 60) | random }}"
- hour: "{{ range(0, 24) | random }}"
- job: /usr/local/sbin/adblock.sh
- user: root
-
-- name: Update adblock hosts
- command: /usr/local/sbin/adblock.sh
- changed_when: false
-
-- meta: flush_handlers
-
-- name: Dnsmasq enabled and started
- service:
- name: dnsmasq
- state: started
- enabled: yes
diff --git a/roles/dns_adblocking/tasks/ubuntu.yml b/roles/dns_adblocking/tasks/ubuntu.yml
deleted file mode 100644
index 33b62f2..0000000
--- a/roles/dns_adblocking/tasks/ubuntu.yml
+++ /dev/null
@@ -1,33 +0,0 @@
----
-
-- name: Ubuntu | Dnsmasq profile for apparmor configured
- template:
- src: usr.sbin.dnsmasq.j2
- dest: /etc/apparmor.d/usr.sbin.dnsmasq
- owner: root
- group: root
- mode: 0600
- when: apparmor_enabled|default(false)|bool
- notify:
- - restart dnsmasq
-
-- name: Ubuntu | Enforce the dnsmasq AppArmor policy
- command: aa-enforce usr.sbin.dnsmasq
- when: apparmor_enabled|default(false)|bool
- tags: ['apparmor']
-
-- name: Ubuntu | Ensure that the dnsmasq service directory exist
- file:
- path: /etc/systemd/system/dnsmasq.service.d/
- state: directory
- mode: 0755
- owner: root
- group: root
-
-- name: Ubuntu | Setup the cgroup limitations for the ipsec daemon
- template:
- src: 100-CustomLimitations.conf.j2
- dest: /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf
- notify:
- - daemon-reload
- - restart dnsmasq
diff --git a/roles/dns_adblocking/templates/100-CustomLimitations.conf.j2 b/roles/dns_adblocking/templates/100-CustomLimitations.conf.j2
deleted file mode 100644
index 30e5359..0000000
--- a/roles/dns_adblocking/templates/100-CustomLimitations.conf.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-[Service]
-MemoryHigh=128M
-MemoryMax=192M
-CPUAccounting=true
-CPUQuota=20%
diff --git a/roles/dns_adblocking/templates/dnsmasq.conf.j2 b/roles/dns_adblocking/templates/dnsmasq.conf.j2
deleted file mode 100644
index f06c24b..0000000
--- a/roles/dns_adblocking/templates/dnsmasq.conf.j2
+++ /dev/null
@@ -1,678 +0,0 @@ -# Configuration file for dnsmasq. -# -# Format is one option per line, legal options are the same -# as the long options legal on the command line. See -# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details. - -# Listen on this specific port instead of the standard DNS port -# (53). Setting this to zero completely disables DNS function, -# leaving only DHCP and/or TFTP. -#port=5353 - -# The following two options make you a better netizen, since they -# tell dnsmasq to filter out queries which the public DNS cannot -# answer, and which load the servers (especially the root servers) -# unnecessarily. If you have a dial-on-demand link they also stop -# these requests from bringing up the link unnecessarily. - -# Never forward plain names (without a dot or domain part) -#domain-needed -# Never forward addresses in the non-routed address spaces. -#bogus-priv - -# Uncomment these to enable DNSSEC validation and caching: -# (Requires dnsmasq to be built with DNSSEC option.) -#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf -#dnssec - -# Replies which are not DNSSEC signed may be legitimate, because the domain -# is unsigned, or may be forgeries. Setting this option tells dnsmasq to -# check that an unsigned reply is OK, by finding a secure proof that a DS -# record somewhere between the root and the domain does not exist. -# The cost of setting this is that even queries in unsigned domains will need -# one or more extra DNS queries to verify. -#dnssec-check-unsigned - -# Uncomment this to filter useless windows-originated DNS requests -# which can trigger dial-on-demand links needlessly. -# Note that (amongst other things) this blocks all SRV requests, -# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk. -# This option only affects forwarding, SRV records originating for -# dnsmasq (via srv-host= lines) are not suppressed by it. 
-#filterwin2k - -# Change this line if you want dns to get its upstream servers from -# somewhere other that /etc/resolv.conf -#resolv-file= - -# By default, dnsmasq will send queries to any of the upstream -# servers it knows about and tries to favour servers to are known -# to be up. Uncommenting this forces dnsmasq to try each query -# with each server strictly in the order they appear in -# /etc/resolv.conf -#strict-order - -# If you don't want dnsmasq to read /etc/resolv.conf or any other -# file, getting its servers from this file instead (see below), then -# uncomment this. -no-resolv - -# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv -# files for changes and re-read them then uncomment this. -#no-poll - -# Add other name servers here, with domain specs if they are for -# non-public domains. -#server=/localnet/192.168.0.1 - -# Example of routing PTR queries to nameservers: this will send all -# address->name queries for 192.168.3/24 to nameserver 10.1.2.3 -#server=/3.168.192.in-addr.arpa/10.1.2.3 - -# Add local-only domains here, queries in these domains are answered -# from /etc/hosts or DHCP only. -#local=/localnet/ - -# Add domains which you want to force to an IP address here. -# The example below send any host in double-click.net to a local -# web-server. -#address=/double-click.net/127.0.0.1 - -# --address (and --server) work with IPv6 addresses too. 
-#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83 - -# Add the IPs of all queries to yahoo.com, google.com, and their -# subdomains to the vpn and search ipsets: -#ipset=/yahoo.com/google.com/vpn,search - -# You can control how dnsmasq talks to a server: this forces -# queries to 10.1.2.3 to be routed via eth1 -# server=10.1.2.3@eth1 -{% if dns_encryption %} -server={{ local_service_ip }}#5353 -{% if ipv6_support -%} -server={{ local_service_ipv6 }}#5353 -{% endif %} -{% else %} -{% for host in dns_servers.ipv4 %} -server={{ host }} -{% endfor %} -stop-dns-rebind -{% endif %} - -# and this sets the source (ie local) address used to talk to -# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that -# IP on the machine, obviously). -# server=10.1.2.3@192.168.1.1#55 - -# If you want dnsmasq to change uid and gid to something other -# than the default, edit the following lines. -user=dnsmasq -group=nogroup - -# If you want dnsmasq to listen for DHCP and DNS requests only on -# specified interfaces (and the loopback) give the name of the -# interface (eg eth0) here. -# Repeat the line for more than one interface. -#interface=lo -# Or you can specify which interface _not_ to listen on -#except-interface= -# Or which to listen on by address (remember to include 127.0.0.1 if -# you use this.) -listen-address=127.0.0.1,::1,{{ local_service_ipv6 }},{{ local_service_ip }} -# If you want dnsmasq to provide only DNS service on an interface, -# configure it as shown above, and then use the following line to -# disable DHCP and TFTP on it. -#no-dhcp-interface= - -# On systems which support it, dnsmasq binds the wildcard address, -# even when it is listening on only some interfaces. It then discards -# requests that it shouldn't reply to. This has the advantage of -# working even when interfaces come and go and change address. If you -# want dnsmasq to really bind only the interfaces it is listening on, -# uncomment this option. 
About the only time you may need this is when -# running another nameserver on the same machine. -bind-interfaces - -# If you don't want dnsmasq to read /etc/hosts, uncomment the -# following line. -#no-hosts -# or if you want it to read another file, as well as /etc/hosts, use -# this. -# addn-hosts=/var/lib/dnsmasq/block.hosts - -# Set this (and domain: see below) if you want to have a domain -# automatically added to simple names in a hosts-file. -#expand-hosts - -# Set the domain for dnsmasq. this is optional, but if it is set, it -# does the following things. -# 1) Allows DHCP hosts to have fully qualified domain names, as long -# as the domain part matches this setting. -# 2) Sets the "domain" DHCP option thereby potentially setting the -# domain of all systems configured by DHCP -# 3) Provides the domain part for "expand-hosts" -#domain=thekelleys.org.uk - -# Set a different domain for a particular subnet -#domain=wireless.thekelleys.org.uk,192.168.2.0/24 - -# Same idea, but range rather then subnet -#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200 - -# Uncomment this to enable the integrated DHCP server, you need -# to supply the range of addresses available for lease and optionally -# a lease time. If you have more than one network, you will need to -# repeat this for each network on which you want to supply DHCP -# service. -#dhcp-range=192.168.0.50,192.168.0.150,12h - -# This is an example of a DHCP range where the netmask is given. This -# is needed for networks we reach the dnsmasq DHCP server via a relay -# agent. If you don't know what a DHCP relay agent is, you probably -# don't need to worry about this. -#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h - -# This is an example of a DHCP range which sets a tag, so that -# some DHCP options may be set only for this network. -#dhcp-range=set:red,192.168.0.50,192.168.0.150 - -# Use this DHCP range only when the tag "green" is set. 
-#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h - -# Specify a subnet which can't be used for dynamic address allocation, -# is available for hosts with matching --dhcp-host lines. Note that -# dhcp-host declarations will be ignored unless there is a dhcp-range -# of some type for the subnet in question. -# In this case the netmask is implied (it comes from the network -# configuration on the machine running dnsmasq) it is possible to give -# an explicit netmask instead. -#dhcp-range=192.168.0.0,static - -# Enable DHCPv6. Note that the prefix-length does not need to be specified -# and defaults to 64 if missing/ -#dhcp-range=1234::2, 1234::500, 64, 12h - -# Do Router Advertisements, BUT NOT DHCP for this subnet. -#dhcp-range=1234::, ra-only - -# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and -# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack -# hosts. Use the DHCPv4 lease to derive the name, network segment and -# MAC address and assume that the host will also have an -# IPv6 address calculated using the SLAAC algorithm. -#dhcp-range=1234::, ra-names - -# Do Router Advertisements, BUT NOT DHCP for this subnet. -# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.) -#dhcp-range=1234::, ra-only, 48h - -# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA -# so that clients can use SLAAC addresses as well as DHCP ones. -#dhcp-range=1234::2, 1234::500, slaac - -# Do Router Advertisements and stateless DHCP for this subnet. Clients will -# not get addresses from DHCP, but they will get other configuration information. -# They will use SLAAC for addresses. -#dhcp-range=1234::, ra-stateless - -# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses -# from DHCPv4 leases. 
-#dhcp-range=1234::, ra-stateless, ra-names - -# Do router advertisements for all subnets where we're doing DHCPv6 -# Unless overridden by ra-stateless, ra-names, et al, the router -# advertisements will have the M and O bits set, so that the clients -# get addresses and configuration from DHCPv6, and the A bit reset, so the -# clients don't use SLAAC addresses. -#enable-ra - -# Supply parameters for specified hosts using DHCP. There are lots -# of valid alternatives, so we will give examples of each. Note that -# IP addresses DO NOT have to be in the range given above, they just -# need to be on the same network. The order of the parameters in these -# do not matter, it's permissible to give name, address and MAC in any -# order. - -# Always allocate the host with Ethernet address 11:22:33:44:55:66 -# The IP address 192.168.0.60 -#dhcp-host=11:22:33:44:55:66,192.168.0.60 - -# Always set the name of the host with hardware address -# 11:22:33:44:55:66 to be "fred" -#dhcp-host=11:22:33:44:55:66,fred - -# Always give the host with Ethernet address 11:22:33:44:55:66 -# the name fred and IP address 192.168.0.60 and lease time 45 minutes -#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m - -# Give a host with Ethernet address 11:22:33:44:55:66 or -# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume -# that these two Ethernet interfaces will never be in use at the same -# time, and give the IP address to the second, even if it is already -# in use by the first. Useful for laptops with wired and wireless -# addresses. 
-#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60 - -# Give the machine which says its name is "bert" IP address -# 192.168.0.70 and an infinite lease -#dhcp-host=bert,192.168.0.70,infinite - -# Always give the host with client identifier 01:02:02:04 -# the IP address 192.168.0.60 -#dhcp-host=id:01:02:02:04,192.168.0.60 - -# Always give the Infiniband interface with hardware address -# 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the -# ip address 192.168.0.61. The client id is derived from the prefix -# ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of -# hex digits of the hardware address. -#dhcp-host=id:ff:00:00:00:00:00:02:00:00:02:c9:00:f4:52:14:03:00:28:05:81,192.168.0.61 - -# Always give the host with client identifier "marjorie" -# the IP address 192.168.0.60 -#dhcp-host=id:marjorie,192.168.0.60 - -# Enable the address given for "judge" in /etc/hosts -# to be given to a machine presenting the name "judge" when -# it asks for a DHCP lease. -#dhcp-host=judge - -# Never offer DHCP service to a machine whose Ethernet -# address is 11:22:33:44:55:66 -#dhcp-host=11:22:33:44:55:66,ignore - -# Ignore any client-id presented by the machine with Ethernet -# address 11:22:33:44:55:66. This is useful to prevent a machine -# being treated differently when running under different OS's or -# between PXE boot and OS boot. -#dhcp-host=11:22:33:44:55:66,id:* - -# Send extra options which are tagged as "red" to -# the machine with Ethernet address 11:22:33:44:55:66 -#dhcp-host=11:22:33:44:55:66,set:red - -# Send extra options which are tagged as "red" to -# any machine with Ethernet address starting 11:22:33: -#dhcp-host=11:22:33:*:*:*,set:red - -# Give a fixed IPv6 address and name to client with -# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2 -# Note the MAC addresses CANNOT be used to identify DHCPv6 clients. -# Note also the they [] around the IPv6 address are obligatory. 
-#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5] - -# Ignore any clients which are not specified in dhcp-host lines -# or /etc/ethers. Equivalent to ISC "deny unknown-clients". -# This relies on the special "known" tag which is set when -# a host is matched. -#dhcp-ignore=tag:!known - -# Send extra options which are tagged as "red" to any machine whose -# DHCP vendorclass string includes the substring "Linux" -#dhcp-vendorclass=set:red,Linux - -# Send extra options which are tagged as "red" to any machine one -# of whose DHCP userclass strings includes the substring "accounts" -#dhcp-userclass=set:red,accounts - -# Send extra options which are tagged as "red" to any machine whose -# MAC address matches the pattern. -#dhcp-mac=set:red,00:60:8C:*:*:* - -# If this line is uncommented, dnsmasq will read /etc/ethers and act -# on the ethernet-address/IP pairs found there just as if they had -# been given as --dhcp-host options. Useful if you keep -# MAC-address/host mappings there for other purposes. -#read-ethers - -# Send options to hosts which ask for a DHCP lease. -# See RFC 2132 for details of available options. -# Common options can be given to dnsmasq by name: -# run "dnsmasq --help dhcp" to get a list. -# Note that all the common settings, such as netmask and -# broadcast address, DNS server and default route, are given -# sane defaults by dnsmasq. You very likely will not need -# any dhcp-options. If you use Windows clients and Samba, there -# are some options which are recommended, they are detailed at the -# end of this section. - -# Override the default route supplied by dnsmasq, which assumes the -# router is the same machine as the one running dnsmasq. -#dhcp-option=3,1.2.3.4 - -# Do the same thing, but using the option name -#dhcp-option=option:router,1.2.3.4 - -# Override the default route supplied by dnsmasq and send no default -# route at all. 
Note that this only works for the options sent by -# default (1, 3, 6, 12, 28) the same line will send a zero-length option -# for all other option numbers. -#dhcp-option=3 - -# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5 -#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5 - -# Send DHCPv6 option. Note [] around IPv6 addresses. -#dhcp-option=option6:dns-server,[1234::77],[1234::88] - -# Send DHCPv6 option for nameservers as the machine running -# dnsmasq and another. -#dhcp-option=option6:dns-server,[::],[1234::88] - -# Ask client to poll for option changes every six hours. (RFC4242) -#dhcp-option=option6:information-refresh-time,6h - -# Set option 58 client renewal time (T1). Defaults to half of the -# lease time if not specified. (RFC2132) -#dhcp-option=option:T1:1m - -# Set option 59 rebinding time (T2). Defaults to 7/8 of the -# lease time if not specified. (RFC2132) -#dhcp-option=option:T2:2m - -# Set the NTP time server address to be the same machine as -# is running dnsmasq -#dhcp-option=42,0.0.0.0 - -# Set the NIS domain name to "welly" -#dhcp-option=40,welly - -# Set the default time-to-live to 50 -#dhcp-option=23,50 - -# Set the "all subnets are local" flag -#dhcp-option=27,1 - -# Send the etherboot magic flag and then etherboot options (a string). -#dhcp-option=128,e4:45:74:68:00:00 -#dhcp-option=129,NIC=eepro100 - -# Specify an option which will only be sent to the "red" network -# (see dhcp-range for the declaration of the "red" network) -# Note that the tag: part must precede the option: part. -#dhcp-option = tag:red, option:ntp-server, 192.168.1.1 - -# The following DHCP options set up dnsmasq in the same way as is specified -# for the ISC dhcpcd in -# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt -# adapted for a typical dnsmasq installation where the host running -# dnsmasq is also the host running samba. -# you may want to uncomment some or all of them if you use -# Windows clients and Samba. 
-#dhcp-option=19,0 # option ip-forwarding off -#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s) -#dhcp-option=45,0.0.0.0 # netbios datagram distribution server -#dhcp-option=46,8 # netbios node type - -# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave. -#dhcp-option=252,"\n" - -# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client -# probably doesn't support this...... -#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com - -# Send RFC-3442 classless static routes (note the netmask encoding) -#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8 - -# Send vendor-class specific options encapsulated in DHCP option 43. -# The meaning of the options is defined by the vendor-class so -# options are sent only when the client supplied vendor class -# matches the class given here. (A substring match is OK, so "MSFT" -# matches "MSFT" and "MSFT 5.0"). This example sets the -# mtftp address to 0.0.0.0 for PXEClients. -#dhcp-option=vendor:PXEClient,1,0.0.0.0 - -# Send microsoft-specific option to tell windows to release the DHCP lease -# when it shuts down. Note the "i" flag, to tell dnsmasq to send the -# value as a four-byte integer - that's what microsoft wants. See -# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true -#dhcp-option=vendor:MSFT,2,1i - -# Send the Encapsulated-vendor-class ID needed by some configurations of -# Etherboot to allow is to recognise the DHCP server. -#dhcp-option=vendor:Etherboot,60,"Etherboot" - -# Send options to PXELinux. Note that we need to send the options even -# though they don't appear in the parameter request list, so we need -# to use dhcp-option-force here. -# See http://syslinux.zytor.com/pxe.php#special for details. 
-# Magic number - needed before anything else is recognised -#dhcp-option-force=208,f1:00:74:7e -# Configuration file name -#dhcp-option-force=209,configs/common -# Path prefix -#dhcp-option-force=210,/tftpboot/pxelinux/files/ -# Reboot time. (Note 'i' to send 32-bit value) -#dhcp-option-force=211,30i - -# Set the boot filename for netboot/PXE. You will only need -# this is you want to boot machines over the network and you will need -# a TFTP server; either dnsmasq's built in TFTP server or an -# external one. (See below for how to enable the TFTP server.) -#dhcp-boot=pxelinux.0 - -# The same as above, but use custom tftp-server instead machine running dnsmasq -#dhcp-boot=pxelinux,server.name,192.168.1.100 - -# Boot for Etherboot gPXE. The idea is to send two different -# filenames, the first loads gPXE, and the second tells gPXE what to -# load. The dhcp-match sets the gpxe tag for requests from gPXE. -#dhcp-match=set:gpxe,175 # gPXE sends a 175 option. -#dhcp-boot=tag:!gpxe,undionly.kpxe -#dhcp-boot=mybootimage - -# Encapsulated options for Etherboot gPXE. All the options are -# encapsulated within option 175 -#dhcp-option=encap:175, 1, 5b # priority code -#dhcp-option=encap:175, 176, 1b # no-proxydhcp -#dhcp-option=encap:175, 177, string # bus-id -#dhcp-option=encap:175, 189, 1b # BIOS drive code -#dhcp-option=encap:175, 190, user # iSCSI username -#dhcp-option=encap:175, 191, pass # iSCSI password - -# Test for the architecture of a netboot client. PXE clients are -# supposed to send their architecture as option 93. (See RFC 4578) -#dhcp-match=peecees, option:client-arch, 0 #x86-32 -#dhcp-match=itanics, option:client-arch, 2 #IA64 -#dhcp-match=hammers, option:client-arch, 6 #x86-64 -#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64 - -# Do real PXE, rather than just booting a single file, this is an -# alternative to dhcp-boot. -#pxe-prompt="What system shall I netboot?" 
-# or with timeout before first available action is taken: -#pxe-prompt="Press F8 for menu.", 60 - -# Available boot services. for PXE. -#pxe-service=x86PC, "Boot from local disk" - -# Loads /pxelinux.0 from dnsmasq TFTP server. -#pxe-service=x86PC, "Install Linux", pxelinux - -# Loads /pxelinux.0 from TFTP server at 1.2.3.4. -# Beware this fails on old PXE ROMS. -#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4 - -# Use bootserver on network, found my multicast or broadcast. -#pxe-service=x86PC, "Install windows from RIS server", 1 - -# Use bootserver at a known IP address. -#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4 - -# If you have multicast-FTP available, -# information for that can be passed in a similar way using options 1 -# to 5. See page 19 of -# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf - - -# Enable dnsmasq's built-in TFTP server -#enable-tftp - -# Set the root directory for files available via FTP. -#tftp-root=/var/ftpd - -# Do not abort if the tftp-root is unavailable -#tftp-no-fail - -# Make the TFTP server more secure: with this set, only files owned by -# the user dnsmasq is running as will be send over the net. -#tftp-secure - -# This option stops dnsmasq from negotiating a larger blocksize for TFTP -# transfers. It will slow things down, but may rescue some broken TFTP -# clients. -#tftp-no-blocksize - -# Set the boot file name only when the "red" tag is set. -#dhcp-boot=tag:red,pxelinux.red-net - -# An example of dhcp-boot with an external TFTP server: the name and IP -# address of the server are given after the filename. -# Can fail with old PXE ROMS. Overridden by --pxe-service. 
-#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3 - -# If there are multiple external tftp servers having a same name -# (using /etc/hosts) then that name can be specified as the -# tftp_servername (the third option to dhcp-boot) and in that -# case dnsmasq resolves this name and returns the resultant IP -# addresses in round robin fashion. This facility can be used to -# load balance the tftp load among a set of servers. -#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name - -# Set the limit on DHCP leases, the default is 150 -#dhcp-lease-max=150 - -# The DHCP server needs somewhere on disk to keep its lease database. -# This defaults to a sane location, but if you want to change it, use -# the line below. -#dhcp-leasefile=/var/lib/misc/dnsmasq.leases - -# Set the DHCP server to authoritative mode. In this mode it will barge in -# and take over the lease for any client which broadcasts on the network, -# whether it has a record of the lease or not. This avoids long timeouts -# when a machine wakes up on a new network. DO NOT enable this if there's -# the slightest chance that you might end up accidentally configuring a DHCP -# server for your campus/company accidentally. The ISC server uses -# the same option, and this URL provides more information: -# http://www.isc.org/files/auth.html -#dhcp-authoritative - -# Run an executable when a DHCP lease is created or destroyed. -# The arguments sent to the script are "add" or "del", -# then the MAC address, the IP address and finally the hostname -# if there is one. -#dhcp-script=/bin/echo - -# Set the cachesize here. -#cache-size=150 - -# If you want to disable negative caching, uncomment this. -#no-negcache - -# Normally responses which come from /etc/hosts and the DHCP lease -# file have Time-To-Live set as zero, which conventionally means -# do not cache further. If you are happy to trade lower load on the -# server for potentially stale date, you can set a time-to-live (in -# seconds) here. 
-#local-ttl= - -# If you want dnsmasq to detect attempts by Verisign to send queries -# to unregistered .com and .net hosts to its sitefinder service and -# have dnsmasq instead return the correct NXDOMAIN response, uncomment -# this line. You can add similar lines to do the same for other -# registries which have implemented wildcard A records. -#bogus-nxdomain=64.94.110.11 - -# If you want to fix up DNS results from upstream servers, use the -# alias option. This only works for IPv4. -# This alias makes a result of 1.2.3.4 appear as 5.6.7.8 -#alias=1.2.3.4,5.6.7.8 -# and this maps 1.2.3.x to 5.6.7.x -#alias=1.2.3.0,5.6.7.0,255.255.255.0 -# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40 -#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 - -# Change these lines if you want dnsmasq to serve MX records. - -# Return an MX record named "maildomain.com" with target -# servermachine.com and preference 50 -#mx-host=maildomain.com,servermachine.com,50 - -# Set the default target for MX records created using the localmx option. -#mx-target=servermachine.com - -# Return an MX record pointing to the mx-target for all local -# machines. -#localmx - -# Return an MX record pointing to itself for all local machines. -#selfmx - -# Change the following lines if you want dnsmasq to serve SRV -# records. These are useful if you want to serve ldap requests for -# Active Directory and other windows-originated DNS requests. -# See RFC 2782. -# You may add multiple srv-host lines. -# The fields are ,,,, -# If the domain part if missing from the name (so that is just has the -# service and protocol sections) then the domain given by the domain= -# config option is used. (Note that expand-hosts does not need to be -# set for this to work.) 
- -# A SRV record sending LDAP for the example.com domain to -# ldapserver.example.com port 389 -#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389 - -# A SRV record sending LDAP for the example.com domain to -# ldapserver.example.com port 389 (using domain=) -#domain=example.com -#srv-host=_ldap._tcp,ldapserver.example.com,389 - -# Two SRV records for LDAP, each with different priorities -#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1 -#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2 - -# A SRV record indicating that there is no LDAP server for the domain -# example.com -#srv-host=_ldap._tcp.example.com - -# The following line shows how to make dnsmasq serve an arbitrary PTR -# record. This is useful for DNS-SD. (Note that the -# domain-name expansion done for SRV records _does_not -# occur for PTR records.) -#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services" - -# Change the following lines to enable dnsmasq to serve TXT records. -# These are used for things like SPF and zeroconf. (Note that the -# domain-name expansion done for SRV records _does_not -# occur for TXT records.) - -#Example SPF. -#txt-record=example.com,"v=spf1 a -all" - -#Example zeroconf -#txt-record=_http._tcp.example.com,name=value,paper=A4 - -# Provide an alias for a "local" DNS name. Note that this _only_ works -# for targets which are names from DHCP or /etc/hosts. Give host -# "bert" another name, bertrand -#cname=bertrand,bert - -# For debugging purposes, log each DNS query as it passes through -# dnsmasq. -#log-queries - -# Log lots of extra information about DHCP transactions. -#log-dhcp - -# Include another lot of configuration options. 
-#conf-file=/etc/dnsmasq.more.conf
-conf-dir={{ config_prefix|default('/') }}etc/dnsmasq.d/,*.conf
-
-# Include all the files in a directory except those ending in .bak
-#conf-dir=/etc/dnsmasq.d,.bak
-
-# Include all files in a directory which end in .conf
-# conf-dir=/etc/dnsmasq.d/,*.conf
-#
diff --git a/roles/dns_adblocking/templates/usr.sbin.dnsmasq.j2 b/roles/dns_adblocking/templates/usr.sbin.dnsmasq.j2
deleted file mode 100644
index 25a5637..0000000
--- a/roles/dns_adblocking/templates/usr.sbin.dnsmasq.j2
+++ /dev/null
@@ -1,28 +0,0 @@
-#include
-
-/usr/sbin/dnsmasq {
- #include
- #include
-
- capability net_bind_service,
- capability setgid,
- capability setuid,
- capability dac_override,
- network inet raw,
-
- /etc/dnsmasq.conf r,
- /etc/dnsmasq.d/ r,
- /etc/dnsmasq.d/* r,
- /var/lib/dnsmasq/ r,
- /var/lib/dnsmasq/block.hosts r,
- /etc/dnsmasq.d-available/ r,
- /etc/dnsmasq.d-available/* r,
-
- /usr/sbin/dnsmasq mr,
-
- /{,var/}run/*dnsmasq*.pid w,
- /{,var/}run/dnsmasq-forwarders.conf r,
- /{,var/}run/dnsmasq/ r,
- /{,var/}run/dnsmasq/* rw,
-
-}
diff --git a/roles/dns_encryption/defaults/main.yml b/roles/dns_encryption/defaults/main.yml
deleted file mode 100644
index 1869e6a..0000000
--- a/roles/dns_encryption/defaults/main.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-algo_local_dns: false
-listen_port: "{% if algo_local_dns %}5353{% else %}53{% endif %}"
-# the version used if the latest unavailable (in case of Github API rate limited)
-dnscrypt_proxy_version: 2.0.10
-apparmor_enabled: true
-dns_encryption: true
-ipv6_support: false
-dnscrypt_servers:
- ipv4:
- - cloudflare
- ipv6:
- - cloudflare-ipv6
diff --git a/roles/strongswan/defaults/main.yml b/roles/strongswan/defaults/main.yml
index de25120..962899c 100644
--- a/roles/strongswan/defaults/main.yml
+++ b/roles/strongswan/defaults/main.yml
@@ -9,7 +9,7 @@ algo_ondemand_wifi: false
 algo_ondemand_wifi_exclude: '_null'
 algo_windows: false
 algo_store_cakey: false
-algo_local_dns: false
+algo_dns_adblocking: false
 ipv6_support: false
 dns_encryption: true
 domain: false
diff --git a/roles/strongswan/templates/ipsec.conf.j2 b/roles/strongswan/templates/ipsec.conf.j2
index 3f0a402..02c5190 100644
--- a/roles/strongswan/templates/ipsec.conf.j2
+++ b/roles/strongswan/templates/ipsec.conf.j2
@@ -30,7 +30,7 @@ conn %default
 right=%any
 rightauth=pubkey
 rightsourceip={{ strongswan_network }},{{ strongswan_network_ipv6 }}
-{% if algo_local_dns or dns_encryption %}
+{% if algo_dns_adblocking or dns_encryption %}
 rightdns={{ local_service_ip }}{{ ',' + local_service_ipv6 if ipv6_support else '' }}
 {% else %}
 rightdns={% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}
diff --git a/roles/wireguard/defaults/main.yml b/roles/wireguard/defaults/main.yml
index 2774d04..190ab61 100644
--- a/roles/wireguard/defaults/main.yml
+++ b/roles/wireguard/defaults/main.yml
@@ -5,7 +5,7 @@ wireguard_pki_path: "{{ wireguard_config_path }}/.pki/"
 wireguard_interface: wg0
 keys_clean_all: false
 wireguard_dns_servers: >-
- {% if local_dns|default(false)|bool or dns_encryption|default(false)|bool %}
+ {% if algo_dns_adblocking|default(false)|bool or dns_encryption|default(false)|bool %}
 {{ local_service_ip }}{{ ', ' + local_service_ipv6 if ipv6_support else '' }}
 {% else %}
 {% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}
diff --git a/server.yml b/server.yml
index 5c9b183..9a0d395 100644
--- a/server.yml
+++ b/server.yml
@@ -12,14 +12,11 @@
 tags: common
 - import_role:
- name: dns_encryption
- when: dns_encryption
- tags: dns_encryption
-
- - import_role:
- name: dns_adblocking
- when: algo_local_dns
- tags: dns_adblocking
+ name: dns
+ when:
+ - algo_dns_adblocking or
+ dns_encryption
+ tags: dns
 - import_role:
 name: wireguard
@@ -51,7 +48,7 @@
 algo_ondemand_cellular: {{ algo_ondemand_cellular }}
 algo_ondemand_wifi: {{ algo_ondemand_wifi }}
 algo_ondemand_wifi_exclude: {{ algo_ondemand_wifi_exclude }}
-algo_local_dns: {{ algo_local_dns }}
+algo_dns_adblocking: {{ algo_dns_adblocking }}
 algo_ssh_tunneling: {{ algo_ssh_tunneling }}
 algo_windows: {{ algo_windows }}
 algo_store_cakey: {{ algo_store_cakey }}
diff --git a/tests/cloud-init.sh b/tests/cloud-init.sh
index e6d3209..19d3030 100755
--- a/tests/cloud-init.sh
+++ b/tests/cloud-init.sh
@@ -6,7 +6,7 @@ export ONDEMAND_WIFI=true
 export ONDEMAND_WIFI_EXCLUDE=test1,test2
 export WINDOWS=true
 export STORE_CAKEY=true
-export LOCAL_DNS=true
+export DNS_ADBLOCKING=true
 export SSH_TUNNELING=true
 export ENDPOINT=10.0.8.100
 export USERS=desktop,user1,user2
diff --git a/tests/local-deploy.sh b/tests/local-deploy.sh
index 7699469..f452fe4 100755
--- a/tests/local-deploy.sh
+++ b/tests/local-deploy.sh
@@ -2,7 +2,7 @@ set -ex
-DEPLOY_ARGS="provider=local server=10.0.8.100 ssh_user=ubuntu endpoint=10.0.8.100 apparmor_enabled=false ondemand_cellular=true ondemand_wifi=true ondemand_wifi_exclude=test local_dns=true ssh_tunneling=true windows=true store_cakey=true install_headers=false tests=true local_service_ip=172.16.0.1"
+DEPLOY_ARGS="provider=local server=10.0.8.100 ssh_user=ubuntu endpoint=10.0.8.100 apparmor_enabled=false ondemand_cellular=true ondemand_wifi=true ondemand_wifi_exclude=test dns_adblocking=true ssh_tunneling=true windows=true store_cakey=true install_headers=false tests=true local_service_ip=172.16.0.1"
 if [ "${DEPLOY}" == "docker" ]
 then
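Review bot: The new `when:` on the `dns` role import in server.yml tests the bare names `algo_dns_adblocking` and `dns_encryption`, while the wireguard defaults hunk in the same commit guards the very same variables with `|default(false)|bool`; if either name is not defined for this play (for example a caller passing its own extra-vars), the bare form fails with an undefined-variable error rather than skipping the role. Collapsing the folded list item to one line, `when: algo_dns_adblocking|default(false)|bool or dns_encryption|default(false)|bool`, makes it consistent with the wireguard guard and avoids a two-line plain scalar that is easy to misread as two separate conditions. Since adblocking is now implemented inside dnscrypt-proxy, it would also help to state in the role what happens when `algo_dns_adblocking` is true but `dns_encryption` is false; presumably the role installs dnscrypt-proxy in that case too, but that is not visible in this diff.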