.dockerignore

+# Ignore everything except for explicitly allowed stuff.
+*
+!build/docker

.github/workflows/build.yaml

 name: Build
 
 'env':
-  'GO_VERSION': '1.19'
+  'GO_VERSION': '1.20'
 
 'on':
   'push':

.github/workflows/docker.yml

+'name': Docker
+
+'env':
+  'GO_VERSION': '1.20'
+
+'on':
+  'push':
+    'tags':
+      - 'v*'
+    # Builds from the master branch will be pushed with the `dev` tag.
+    'branches':
+      - 'master'
+
+'jobs':
+  'docker':
+    'runs-on': 'ubuntu-latest'
+    'steps':
+      - 'name': 'Checkout'
+        'uses': 'actions/checkout@v3'
+        'with':
+          'fetch-depth': 0
+      - 'name': 'Set up Go'
+        'uses': 'actions/setup-go@v3'
+        'with':
+          'go-version': '${{ env.GO_VERSION }}'
+      - 'name': 'Set up Go modules cache'
+        'uses': 'actions/cache@v2'
+        'with':
+          'path': '~/go/pkg/mod'
+          'key': "${{ runner.os }}-go-${{ hashFiles('go.sum') }}"
+          'restore-keys': '${{ runner.os }}-go-'
+      - 'name': 'Set up QEMU'
+        'uses': 'docker/setup-qemu-action@v1'
+      - 'name': 'Set up Docker Buildx'
+        'uses': 'docker/setup-buildx-action@v1'
+      - 'name': 'Publish to Docker Hub'
+        'env':
+          'DOCKER_USER': ${{ secrets.DOCKER_USER }}
+          'DOCKER_PASSWORD': ${{ secrets.DOCKER_PASSWORD }}
+        'run': |-
+          set -e -u -x
+
+          RELEASE_VERSION="${GITHUB_REF##*/}"
+          if [[ "${RELEASE_VERSION}" != v* ]]; then RELEASE_VERSION='dev'; fi
+          echo "RELEASE_VERSION=\"${RELEASE_VERSION}\"" >> $GITHUB_ENV
+
+          docker login \
+            -u="${DOCKER_USER}" \
+            -p="${DOCKER_PASSWORD}"
+
+          make \
+            VERSION="${RELEASE_VERSION}" \
+            DOCKER_IMAGE_NAME="adguard/dnsproxy" \
+            DOCKER_OUTPUT="type=image,name=adguard/dnsproxy,push=true" \
+            VERBOSE="1" \
+            docker
+
+  'notify':
+    'needs':
+      - 'docker'
+    'if':
+      ${{ always() &&
+      (
+      github.event_name == 'push' ||
+      github.event.pull_request.head.repo.full_name == github.repository
+      )
+      }}
+    'runs-on': ubuntu-latest
+    'steps':
+      - 'name': Conclusion
+        'uses': technote-space/workflow-conclusion-action@v1
+      - 'name': Send Slack notif
+        'uses': 8398a7/action-slack@v3
+        'with':
+          'status': ${{ env.WORKFLOW_CONCLUSION }}
+          'fields': workflow, repo, message, commit, author, eventName,ref
+        'env':
+          'GITHUB_TOKEN': ${{ secrets.GITHUB_TOKEN }}
+          'SLACK_WEBHOOK_URL': ${{ secrets.SLACK_WEBHOOK_URL }}

.github/workflows/lint.yaml

@@ -20,7 +20,7 @@ jobs:
       - name: setup-go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.19.x
+          go-version: 1.20.x
 
       - uses: actions/checkout@v3
 

Makefile

@@ -12,6 +12,7 @@
 # See https://unix.stackexchange.com/q/646255/105635.
 GO.MACRO = $${GO:-go}
 GOPROXY = https://goproxy.cn|https://proxy.golang.org|direct
+COMMIT = $$( git rev-parse --short HEAD )
 DIST_DIR=build
 OUT = dnsproxy
 RACE = 0
@@ -19,6 +20,7 @@ VERBOSE = 0
 VERSION = dev
 
 ENV = env\
+	COMMIT='$(COMMIT)'\
 	DIST_DIR='$(DIST_DIR)'\
 	GO="$(GO.MACRO)"\
 	GOPROXY='$(GOPROXY)'\
@@ -39,6 +41,9 @@ test:    ; $(ENV) RACE='1' "$(SHELL)" ./scripts/make/test.sh
 release: clean
 	$(ENV) "$(SHELL)" ./scripts/make/release.sh
 
+docker: release
+	$(ENV) "$(SHELL)" ./scripts/make/build-docker.sh
+
 # A quick check to make sure that all supported operating systems can be
 # typechecked and built successfully.
 os-check:

README.md

@@ -5,10 +5,11 @@
 
 # DNS Proxy <!-- omit in toc -->
 
-A simple DNS proxy server that supports all existing DNS protocols including `DNS-over-TLS`, `DNS-over-HTTPS`, `DNSCrypt`, and `DNS-over-QUIC`. Moreover, it can work as a `DNS-over-HTTPS`, `DNS-over-TLS` or `DNS-over-QUIC` server.
-
-> Note that `DNS-over-QUIC` support is experimental, don't use it in production.
+A simple DNS proxy server that supports all existing DNS protocols including
+`DNS-over-TLS`, `DNS-over-HTTPS`, `DNSCrypt`, and `DNS-over-QUIC`. Moreover,
+it can work as a `DNS-over-HTTPS`, `DNS-over-TLS` or `DNS-over-QUIC` server.
 
+- [How to install](#how-to-install)
 - [How to build](#how-to-build)
 - [Usage](#usage)
 - [Examples](#examples)
@@ -22,6 +23,17 @@ A simple DNS proxy server that supports all existing DNS protocols including `DN
   - [EDNS Client Subnet](#edns-client-subnet)
   - [Bogus NXDomain](#bogus-nxdomain)
 
+## How to install
+
+There are several options how to install `dnsproxy`.
+
+1. Grab the binary for your device/OS from the [Releases][releases] page.
+2. Use the [official Docker image][docker].
+3. Build it yourself (see the instruction below).
+
+[releases]: https://github.com/AdguardTeam/dnsproxy/releases
+[docker]: https://hub.docker.com/r/adguard/dnsproxy
+
 ## How to build
 
 You will need Go v1.19 or later.

bamboo-specs/bamboo.yaml

@@ -4,7 +4,7 @@ plan:
     name: dnsproxy - Build and run tests
     project-key: GO
 variables:
-    dockerGo: 'golang:1.19.10'
+    dockerGo: 'golang:1.20.7'
     dockerLint: golangci/golangci-lint:v1.53
 version: 2
 

docker/Dockerfile

+# A docker file for scripts/make/build-docker.sh.
+
+FROM alpine:3.18
+
+ARG BUILD_DATE
+ARG VERSION
+ARG VCS_REF
+
+LABEL\
+	maintainer="AdGuard Team <devteam@adguard.com>" \
+	org.opencontainers.image.authors="AdGuard Team <devteam@adguard.com>" \
+	org.opencontainers.image.created=$BUILD_DATE \
+	org.opencontainers.image.description="Simple DNS proxy with DoH, DoT, DoQ and DNSCrypt support" \
+	org.opencontainers.image.documentation="https://github.com/AdguardTeam/dnsproxy" \
+	org.opencontainers.image.licenses="Apache-2.0" \
+	org.opencontainers.image.revision=$VCS_REF \
+	org.opencontainers.image.source="https://github.com/AdguardTeam/dnsproxy" \
+	org.opencontainers.image.title="dnsproxy" \
+	org.opencontainers.image.url="https://github.com/AdguardTeam/dnsproxy" \
+	org.opencontainers.image.vendor="AdGuard" \
+	org.opencontainers.image.version=$VERSION
+
+# Update certificates.
+RUN apk --no-cache add ca-certificates libcap tzdata && \
+	mkdir -p /opt/dnsproxy && chown -R nobody: /opt/dnsproxy
+
+ARG DIST_DIR
+ARG TARGETARCH
+ARG TARGETOS
+ARG TARGETVARIANT
+
+COPY --chown=nobody:nogroup\
+	./${DIST_DIR}/docker/dnsproxy_${TARGETOS}_${TARGETARCH}_${TARGETVARIANT}\
+	/opt/dnsproxy/dnsproxy
+COPY --chown=nobody:nogroup\
+    ./${DIST_DIR}/docker/config.yaml\
+    /opt/dnsproxy/config.yaml
+
+RUN setcap 'cap_net_bind_service=+eip' /opt/dnsproxy/dnsproxy
+
+# 53     : TCP, UDP : DNS
+# 80     : TCP      : HTTP
+# 443    : TCP, UDP : HTTPS, DNS-over-HTTPS (incl. HTTP/3), DNSCrypt (main)
+# 853    : TCP, UDP : DNS-over-TLS, DNS-over-QUIC
+# 5443   : TCP, UDP : DNSCrypt (alt)
+# 6060   : TCP      : HTTP (pprof)
+EXPOSE 53/tcp 53/udp \
+       80/tcp \
+       443/tcp 443/udp \
+       853/tcp 853/udp \
+       5443/tcp 5443/udp \
+       6060/tcp
+
+WORKDIR /opt/dnsproxy
+
+ENTRYPOINT ["/opt/dnsproxy/dnsproxy"]
+CMD ["--config-path=/opt/dnsproxy/config.yaml"]

docker/README.md

+# DNS Proxy
+
+A simple DNS proxy server that supports all existing DNS protocols including
+`DNS-over-TLS`, `DNS-over-HTTPS`, `DNSCrypt`, and `DNS-over-QUIC`. Moreover,
+it can work as a `DNS-over-HTTPS`, `DNS-over-TLS` or `DNS-over-QUIC` server.
+
+Learn more about dnsproxy and its full capabilities in
+its [Github repo][dnsproxy].
+
+[dnsproxy]: https://github.com/AdguardTeam/dnsproxy
+
+## Quick start
+
+### Pull the Docker image
+
+This command will pull the latest stable version:
+
+```shell
+docker pull adguard/dnsproxy
+```
+
+### Run the container
+
+Run the container with the default configuration (see `config.yaml.dist` in the
+repository) and expose DNS ports.
+
+```shell
+docker run --name dnsproxy \
+  -p 53:53/tcp -p 53:53/udp \
+  adguard/dnsproxy
+```
+
+Run the container with command-line args configuration and expose DNS ports.
+
+```shell
+docker run --name dnsproxy_google_dns \
+  -p 53:53/tcp -p 53:53/udp \
+  adguard/dnsproxy \
+  -u 8.8.8.8:53
+```
+
+Run the container with a configuration file and expose DNS ports.
+
+```shell
+docker run --name dnsproxy_google_dns \
+  -p 53:53/tcp -p 53:53/udp \
+  -v $PWD/config.yaml:/opt/dnsproxy/config.yaml \
+  adguard/dnsproxy
+```

go.mod

 module github.com/AdguardTeam/dnsproxy
 
-go 1.19
+go 1.20
 
 require (
-	github.com/AdguardTeam/golibs v0.13.4
+	github.com/AdguardTeam/golibs v0.14.0
 	github.com/ameshkov/dnscrypt/v2 v2.2.6
 	github.com/ameshkov/dnsstamps v1.0.3
 	github.com/beefsack/go-rate v0.0.0-20220214233405-116f4ca011a0
@@ -13,9 +13,9 @@ require (
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/quic-go/quic-go v0.36.1
 	github.com/stretchr/testify v1.8.4
-	golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1
-	golang.org/x/net v0.11.0
-	golang.org/x/sys v0.9.0
+	golang.org/x/exp v0.0.0-20230807204917-050eac23e9de
+	golang.org/x/net v0.12.0
+	golang.org/x/sys v0.10.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
@@ -33,9 +33,9 @@ require (
 	github.com/quic-go/qpack v0.4.0 // indirect
 	github.com/quic-go/qtls-go1-19 v0.3.2 // indirect
 	github.com/quic-go/qtls-go1-20 v0.2.2 // indirect
-	golang.org/x/crypto v0.10.0 // indirect
-	golang.org/x/mod v0.10.0 // indirect
-	golang.org/x/text v0.10.0 // indirect
+	golang.org/x/crypto v0.11.0 // indirect
+	golang.org/x/mod v0.11.0 // indirect
+	golang.org/x/text v0.11.0 // indirect
 	golang.org/x/tools v0.9.1 // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 )

go.sum

-github.com/AdguardTeam/golibs v0.13.4 h1:ACTwIR1pEENBijHcEWtiMbSh4wWQOlIHRxmUB8oBHf8=
-github.com/AdguardTeam/golibs v0.13.4/go.mod h1:wkJ6EUsN4np/9Gp7+9QeooY9E2U2WCLJYAioLCzkHsI=
+github.com/AdguardTeam/golibs v0.14.0 h1:/vfJshXBVaevMuBgzAIr+F64XdNqZL+j9F33GXJmgeQ=
+github.com/AdguardTeam/golibs v0.14.0/go.mod h1:hOtcb8dPfKcFjWTPA904hTA4dl1aWvzeebdJpE72IPk=
 github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da h1:KjTM2ks9d14ZYCvmHS9iAKVt9AyzRSqNU1qabPih5BY=
 github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da/go.mod h1:eHEWzANqSiWQsof+nXEI9bUVUyV6F53Fp89EuCh2EAA=
 github.com/aead/poly1305 v0.0.0-20180717145839-3fee0db0b635 h1:52m0LGchQBBVqJRyYYufQuIbVqRawmubW3OFGqK1ekw=
@@ -16,14 +16,12 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0=
-github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
-github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
+github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
-github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
+github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/pprof v0.0.0-20230111200839-76d1ae5aea2b h1:8htHrh2bw9c7Idkb7YNac+ZpTqLMjRpI+FWu51ltaQc=
 github.com/google/pprof v0.0.0-20230111200839-76d1ae5aea2b/go.mod h1:dDKJzRmX4S37WGHujM7tX//fmj1uioxKzKxz3lo4HJo=
@@ -37,11 +35,9 @@ github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
 github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/onsi/ginkgo/v2 v2.7.0 h1:/XxtEV3I3Eif/HobnVx9YmJgk8ENdRsuUmM+fLCFNow=
-github.com/onsi/ginkgo/v2 v2.7.0/go.mod h1:yjiuMwPokqY1XauOgju45q3sJt6VzQ/Fict1LFVcsAo=
 github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q=
 github.com/onsi/ginkgo/v2 v2.9.5/go.mod h1:tvAoo1QUJwNEU2ITftXTpR7R1RbCzoZUOs3RonqW57k=
-github.com/onsi/gomega v1.24.1 h1:KORJXNNTzJXzu4ScJWssJfJMnJ+2QJqhoQSRwNlze9E=
+github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE=
 github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -52,36 +48,31 @@ github.com/quic-go/qtls-go1-19 v0.3.2 h1:tFxjCFcTQzK+oMxG6Zcvp4Dq8dx4yD3dDiIiyc8
 github.com/quic-go/qtls-go1-19 v0.3.2/go.mod h1:ySOI96ew8lnoKPtSqx2BlI5wCpUVPT05RMAlajtnyOI=
 github.com/quic-go/qtls-go1-20 v0.2.2 h1:WLOPx6OY/hxtTxKV1Zrq20FtXtDEkeY00CGQm8GEa3E=
 github.com/quic-go/qtls-go1-20 v0.2.2/go.mod h1:JKtK6mjbAVcUTN/9jZpvLbGxvdWIKS8uT7EiStoU1SM=
-github.com/quic-go/quic-go v0.35.1 h1:b0kzj6b/cQAf05cT0CkQubHM31wiA+xH3IBkxP62poo=
-github.com/quic-go/quic-go v0.35.1/go.mod h1:+4CVgVppm0FNjpG3UcX8Joi/frKOH7/ciD5yGcwOO1g=
 github.com/quic-go/quic-go v0.36.1 h1:WsG73nVtnDy1TiACxFxhQ3TqaW+DipmqzLEtNlAwZyY=
 github.com/quic-go/quic-go v0.36.1/go.mod h1:zPetvwDlILVxt15n3hr3Gf/I3mDf7LpLKPhR4Ez0AZQ=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.10.0 h1:LKqV2xt9+kDzSTfOhx4FrkEBcMrAgHSYgzywV9zcGmM=
-golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I=
-golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 h1:k/i9J1pBpvlfR+9QsetwPyERsqu1GIbi967PQMq3Ivc=
-golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
+golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
+golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
+golang.org/x/exp v0.0.0-20230807204917-050eac23e9de h1:l5Za6utMv/HsBWWqzt4S8X17j+kt1uVETUX5UFhn2rE=
+golang.org/x/exp v0.0.0-20230807204917-050eac23e9de/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk=
-golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.11.0 h1:bUO06HqtnRcc/7l71XBe4WcqTZ+3AH1J59zWDDwLKgU=
+golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.11.0 h1:Gi2tvZIJyBtO9SDr1q9h5hEQCp/4L2RQ+ar0qjx2oNU=
-golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ=
+golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50=
+golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
+golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -90,20 +81,18 @@ golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.9.0 h1:KS/R3tvhPqvJvwcKfnBHJwwthS11LRhmM5D59eEXa0s=
-golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.10.0 h1:UpjohKhiEgNc0CSauXmwYftY1+LlaC75SJwh0SgCX58=
-golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4=
+golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo=
 golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -113,7 +102,6 @@ google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscL
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

internal/netutil/netutil.go

@@ -24,30 +24,37 @@ func SortIPAddrs(addrs []net.IPAddr, preferIPv6 bool) {
 		return
 	}
 
-	slices.SortStableFunc(addrs, func(addrA, addrB net.IPAddr) (sortsBefore bool) {
+	slices.SortStableFunc(addrs, func(addrA, addrB net.IPAddr) (res int) {
 		// Assume that len(addrs) is mostly small, so these conversions aren't
 		// as expensive as they could have been.
 		a, err := glnetutil.IPToAddrNoMapped(addrA.IP)
 		if err != nil {
-			return false
+			return 1
 		}
 
 		b, err := glnetutil.IPToAddrNoMapped(addrB.IP)
 		if err != nil {
-			return false
+			return -1
 		}
 
-		aIs4 := a.Is4()
-		bIs4 := b.Is4()
-		if aIs4 != bIs4 {
-			if aIs4 {
-				return !preferIPv6
+		aIs4, bIs4 := a.Is4(), b.Is4()
+		if aIs4 == bIs4 {
+			return a.Compare(b)
+		}
+
+		if aIs4 {
+			if preferIPv6 {
+				return 1
 			}
 
-			return preferIPv6
+			return -1
+		}
+
+		if preferIPv6 {
+			return -1
 		}
 
-		return a.Less(b)
+		return 1
 	})
 }
 
@@ -59,21 +66,30 @@ func SortNetIPAddrs(addrs []netip.Addr, preferIPv6 bool) {
 		return
 	}
 
-	slices.SortStableFunc(addrs, func(addrA, addrB netip.Addr) (sortsBefore bool) {
+	slices.SortStableFunc(addrs, func(addrA, addrB netip.Addr) (res int) {
 		if !addrA.IsValid() {
-			return false
+			return 1
 		} else if !addrB.IsValid() {
-			return true
+			return -1
 		}
 
-		if aIs4, bIs4 := addrA.Is4(), addrB.Is4(); aIs4 != bIs4 {
-			if aIs4 {
-				return !preferIPv6
+		aIs4, bIs4 := addrA.Is4(), addrB.Is4()
+		if aIs4 != bIs4 {
+			return addrA.Compare(addrB)
+		}
+
+		if aIs4 {
+			if preferIPv6 {
+				return 1
 			}
 
-			return preferIPv6
+			return -1
+		}
+
+		if preferIPv6 {
+			return -1
 		}
 
-		return addrA.Less(addrB)
+		return 1
 	})
 }

scripts/make/build-docker.sh

+#!/bin/sh
+
+verbose="${VERBOSE:-0}"
+
+if [ "$verbose" -gt '0' ]
+then
+	set -x
+	debug_flags='--debug=1'
+else
+	set +x
+	debug_flags='--debug=0'
+fi
+readonly debug_flags
+
+set -e -f -u
+
+# Require these to be set.
+commit="${COMMIT:?please set COMMIT}"
+dist_dir="${DIST_DIR:?please set DIST_DIR}"
+version="${VERSION:?please set VERSION}"
+readonly commit dist_dir version
+
+# Allow users to use sudo.
+sudo_cmd="${SUDO:-}"
+readonly sudo_cmd
+
+docker_platforms="\
+linux/386,\
+linux/amd64,\
+linux/arm/v6,\
+linux/arm/v7,\
+linux/arm64,\
+linux/ppc64le"
+readonly docker_platforms
+
+build_date="$( date -u +'%Y-%m-%dT%H:%M:%SZ' )"
+readonly build_date
+
+# Set DOCKER_IMAGE_NAME to 'adguard/dnsproxy' if you want (and are allowed)
+# to push to DockerHub.
+docker_image_name="${DOCKER_IMAGE_NAME:-dnsproxy-dev}"
+readonly docker_image_name
+
+# Set DOCKER_OUTPUT to 'type=image,name=adguard/dnsproxy,push=true' if you
+# want (and are allowed) to push to DockerHub.
+#
+# If you want to inspect the resulting image using commands like "docker image
+# ls", change type to docker and also set docker_platforms to a single platform.
+#
+# See https://github.com/docker/buildx/issues/166.
+docker_output="${DOCKER_OUTPUT:-type=image,name=${docker_image_name},push=false}"
+readonly docker_output
+
+docker_version_tag="--tag=${docker_image_name}:${version}"
+docker_channel_tag="--tag=${docker_image_name}:latest"
+
+# If version is set to 'dev' or empty, only set the version tag and avoid
+# polluting the "latest" tag.
+if [ "${version:-}" = 'dev' ] || [ "${version:-}" = '' ]
+then
+  docker_channel_tag=""
+fi
+
+readonly docker_version_tag docker_channel_tag
+
+# Copy the binaries into a new directory under new names, so that it's easier to
+# COPY them later.  DO NOT remove the trailing underscores.  See file
+# docker/Dockerfile.
+dist_docker="${dist_dir}/docker"
+readonly dist_docker
+
+mkdir -p "$dist_docker"
+cp "${dist_dir}/linux-386/dnsproxy"\
+	"${dist_docker}/dnsproxy_linux_386_"
+cp "${dist_dir}/linux-amd64/dnsproxy"\
+	"${dist_docker}/dnsproxy_linux_amd64_"
+cp "${dist_dir}/linux-arm64/dnsproxy"\
+	"${dist_docker}/dnsproxy_linux_arm64_"
+cp "${dist_dir}/linux-arm6/dnsproxy"\
+	"${dist_docker}/dnsproxy_linux_arm_v6"
+cp "${dist_dir}/linux-arm7/dnsproxy"\
+	"${dist_docker}/dnsproxy_linux_arm_v7"
+cp "${dist_dir}/linux-ppc64le/dnsproxy"\
+	"${dist_docker}/dnsproxy_linux_ppc64le_"
+
+# Prepare the default configuration for the Docker image.
+cp ./config.yaml.dist "${dist_docker}/config.yaml"
+
+# Don't use quotes with $docker_version_tag and $docker_channel_tag, because we
+# want word splitting and or an empty space if tags are empty.
+#
+# TODO(a.garipov): Once flag --tag of docker buildx build supports commas, use
+# them instead.
+$sudo_cmd docker\
+	"$debug_flags"\
+	buildx build\
+	--build-arg BUILD_DATE="$build_date"\
+	--build-arg DIST_DIR="$dist_dir"\
+	--build-arg VCS_REF="$commit"\
+	--build-arg VERSION="$version"\
+	--output "$docker_output"\
+	--platform "$docker_platforms"\
+	$docker_version_tag\
+	$docker_channel_tag\
+	-f ./docker/Dockerfile\
+	.

scripts/make/release.sh

@@ -55,16 +55,26 @@ darwin   amd64     0   0
 darwin   arm64     0   0
 freebsd  386       0   0
 freebsd  amd64     0   0
+freebsd  arm       5   0
 freebsd  arm       6   0
+freebsd  arm       7   0
 freebsd  arm64     0   0
 linux    386       0   0
 linux    amd64     0   0
+linux    arm       5   0
 linux    arm       6   0
+linux    arm       7   0
 linux    arm64     0   0
 linux    mips      0   softfloat
+linux    mips64    0   softfloat
+linux    mips64le  0   softfloat
 linux    mipsle    0   softfloat
+linux    ppc64le   0   0
+openbsd  amd64     0   0
+openbsd  arm64     0   0
 windows  386       0   0
-windows  amd64     0   0"
+windows  amd64     0   0
+windows  arm64     0   0"
 readonly platforms
 
 build() {

upstream/upstream.go

@@ -51,24 +51,6 @@ type QUICTraceFunc func(
 // Options for AddressToUpstream func.  With these options we can configure the
 // upstream properties.
 type Options struct {
-	// Bootstrap is a list of DNS servers to be used to resolve
-	// DNS-over-HTTPS/DNS-over-TLS hostnames.  Plain DNS, DNSCrypt, or
-	// DNS-over-HTTPS/DNS-over-TLS with IP addresses (not hostnames) could be
-	// used.
-	Bootstrap []string
-
-	// Timeout is the default upstream timeout.  It's also used as a timeout for
-	// bootstrap DNS requests.  Zero value disables the timeout.
-	Timeout time.Duration
-
-	// List of IP addresses of the upstream DNS server.  If not empty, bootstrap
-	// DNS servers won't be used at all.
-	ServerIPAddrs []net.IP
-
-	// HTTPVersions is a list of HTTP versions that should be supported by the
-	// DNS-over-HTTPS client.  If not set, HTTP/1.1 and HTTP/2 will be used.
-	HTTPVersions []HTTPVersion
-
 	// VerifyServerCertificate is used to set the VerifyPeerCertificate property
 	// of the *tls.Config for DNS-over-HTTPS, DNS-over-QUIC, and DNS-over-TLS.
 	VerifyServerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
@@ -86,6 +68,32 @@ type Options struct {
 	// connection and logging every packet that goes through.
 	QUICTracer QUICTraceFunc
 
+	// RootCAs is the CertPool that must be used by all upstreams.  Redefining
+	// RootCAs makes sense on iOS to overcome the 15MB memory limit of the
+	// NEPacketTunnelProvider.
+	RootCAs *x509.CertPool
+
+	// CipherSuites is a custom list of TLSv1.2 ciphers.
+	CipherSuites []uint16
+
+	// Bootstrap is a list of DNS servers to be used to resolve
+	// DNS-over-HTTPS/DNS-over-TLS hostnames.  Plain DNS, DNSCrypt, or
+	// DNS-over-HTTPS/DNS-over-TLS with IP addresses (not hostnames) could be
+	// used.
+	Bootstrap []string
+
+	// List of IP addresses of the upstream DNS server.  If not empty, bootstrap
+	// DNS servers won't be used at all.
+	ServerIPAddrs []net.IP
+
+	// HTTPVersions is a list of HTTP versions that should be supported by the
+	// DNS-over-HTTPS client.  If not set, HTTP/1.1 and HTTP/2 will be used.
+	HTTPVersions []HTTPVersion
+
+	// Timeout is the default upstream timeout.  It's also used as a timeout for
+	// bootstrap DNS requests.  Zero value disables the timeout.
+	Timeout time.Duration
+
 	// InsecureSkipVerify disables verifying the server's certificate.
 	InsecureSkipVerify bool
 
@@ -106,6 +114,9 @@ func (o *Options) Clone() (clone *Options) {
 		VerifyDNSCryptCertificate: o.VerifyDNSCryptCertificate,
 		InsecureSkipVerify:        o.InsecureSkipVerify,
 		PreferIPv6:                o.PreferIPv6,
+		QUICTracer:                o.QUICTracer,
+		RootCAs:                   o.RootCAs,
+		CipherSuites:              o.CipherSuites,
 	}
 }
 
@@ -143,16 +154,6 @@ const (
 	defaultPortDoQ = 853
 )
 
-// RootCAs is the CertPool that must be used by all upstreams.  Redefining
-// RootCAs makes sense on iOS to overcome the 15MB memory limit of the
-// NEPacketTunnelProvider.
-//
-// TODO(ameshkov): remove this and replace with an upstream option.
-var RootCAs *x509.CertPool
-
-// CipherSuites is a custom list of TLSv1.2 ciphers.
-var CipherSuites []uint16
-
 // AddressToUpstream converts addr to an Upstream using the specified options.
 // addr can be either a URL, or a plain address, either a domain name or an IP.
 //

upstream/upstream_doh.go

@@ -105,8 +105,8 @@ func newDoH(addr *url.URL, opts *Options) (u Upstream, err error) {
 		},
 		tlsConf: &tls.Config{
 			ServerName:   addr.Hostname(),
-			RootCAs:      RootCAs,
-			CipherSuites: CipherSuites,
+			RootCAs:      opts.RootCAs,
+			CipherSuites: opts.CipherSuites,
 			// Use the default capacity for the LRU cache.  It may be useful to
 			// store several caches since the user may be routed to different
 			// servers in case there's load balancing on the server-side.

upstream/upstream_dot.go

@@ -65,8 +65,8 @@ func newDoT(addr *url.URL, opts *Options) (ups Upstream, err error) {
 		getDialer: getDialer,
 		tlsConf: &tls.Config{
 			ServerName:   addr.Hostname(),
-			RootCAs:      RootCAs,
-			CipherSuites: CipherSuites,
+			RootCAs:      opts.RootCAs,
+			CipherSuites: opts.CipherSuites,
 			// Use the default capacity for the LRU cache.  It may be useful to
 			// store several caches since the user may be routed to different
 			// servers in case there's load balancing on the server-side.

upstream/upstream_quic.go

@@ -112,8 +112,8 @@ func newDoQ(addr *url.URL, opts *Options) (u Upstream, err error) {
 		},
 		tlsConf: &tls.Config{
 			ServerName:   addr.Hostname(),
-			RootCAs:      RootCAs,
-			CipherSuites: CipherSuites,
+			RootCAs:      opts.RootCAs,
+			CipherSuites: opts.CipherSuites,
 			// Use the default capacity for the LRU cache.  It may be useful to
 			// store several caches since the user may be routed to different
 			// servers in case there's load balancing on the server-side.