dnsproxy: add three new features

This commit adds the following features: 1. UCI support for local DNS over HTTPS/TLS/QUIC server. 2. UCI support for using private reverse DNS. 3. procd jail with CAP_NET_BIND_SERVICE, allowing dnsproxy to serve on standard ports directly. Signed-off-by: Emily H. <battery_tag708@simplelogin.com>
2024-04-30 11:03:38 +00:00 · 2024-04-30 11:03:38 +00:00 · 5df794e343
parent 490866d752
commit 5df794e343
4 changed files with 56 additions and 1 deletions
--- a/net/dnsproxy/Makefile
+++ b/net/dnsproxy/Makefile
@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=dnsproxy
 PKG_VERSION:=0.70.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/AdguardTeam/dnsproxy/tar.gz/v$(PKG_VERSION)?
@ -45,6 +45,8 @@ endef
 define Package/dnsproxy/install
 	$(call GoPackage/Package/Install/Bin,$(1))

+	$(INSTALL_DIR) $(1)/etc/capabilities/
+	$(INSTALL_DATA) $(CURDIR)/files/dnsproxy.json $(1)/etc/capabilities/dnsproxy.json
 	$(INSTALL_DIR) $(1)/etc/config/
 	$(INSTALL_CONF) $(CURDIR)/files/dnsproxy.config $(1)/etc/config/dnsproxy
 	$(INSTALL_DIR) $(1)/etc/init.d/
--- a/net/dnsproxy/files/dnsproxy.config
+++ b/net/dnsproxy/files/dnsproxy.config
@ -37,8 +37,19 @@ config dnsproxy 'edns'
 	option enabled '0'
 	option edns_addr ''

+config dnsproxy 'private_rdns'
+	option enabled '0'
+	list upstream '127.0.0.1:53'
+
 config dnsproxy 'servers'
 	list bootstrap 'tls://8.8.8.8'
 	list fallback 'tls://9.9.9.9'
 	list upstream 'tls://1.1.1.1'

+config dnsproxy 'tls'
+	option enabled '0'
+	option tls_crt ''
+	option tls_key ''
+	option https_port '8443'
+	option tls_port '853'
+	option quic_port '853'
--- a/net/dnsproxy/files/dnsproxy.init
+++ b/net/dnsproxy/files/dnsproxy.init
@ -66,6 +66,11 @@ load_config_list() {

 	is_empty "bogus_nxdomain" "ip_addr" || config_list_foreach "bogus_nxdomain" "ip_addr" "append_param '--bogus-nxdomain'"

+	is_enabled "private_rdns" "enabled" && {
+		append_param "--use-private-rdns"
+		config_list_foreach "private_rdns" "upstream" "append_param '--private-rdns-upstream'"
+	}
+
 	for i in "bootstrap" "fallback" "upstream"; do
 		is_empty "servers" "$i" || config_list_foreach "servers" "$i" "append_param '--$i'"
 	done
@ -95,6 +100,14 @@ load_config_param() {
 		append_param "--edns"
 		append_param_arg "edns" "edns_addr" "--edns-addr"
 	}
+
+	is_enabled "tls" "enabled" && {
+		append_param_arg "tls" "tls_crt" "--tls-crt"
+		append_param_arg "tls" "tls_key" "--tls-key"
+		append_param_arg "tls" "https_port" "--https-port"
+		append_param_arg "tls" "tls_port" "--tls-port"
+		append_param_arg "tls" "quic_port" "--quic-port"
+	}
 }

 start_service() {
@ -102,6 +115,11 @@ start_service() {

 	is_enabled "global" "enabled" || return 1

+	local log_file tls_crt tls_key
+	config_get log_file global log_file
+	config_get tls_crt tls tls_crt
+	config_get tls_key tls tls_key
+
 	procd_open_instance "$CONF"
 	procd_set_param command "$PROG"

@ -114,6 +132,13 @@ start_service() {
 	procd_set_param stderr 1
 	procd_set_param user dnsproxy

+	procd_add_jail dnsproxy ronly log
+	procd_set_param capabilities "/etc/capabilities/dnsproxy.json"
+	procd_add_jail_mount "/etc/ssl/certs/ca-certificates.crt"
+	[ -z "$log_file" ] || procd_add_jail_mount_rw "$log_file"
+	[ -z "$tls_crt" ] || procd_add_jail_mount "$tls_crt"
+	[ -z "$tls_key" ] || procd_add_jail_mount "$tls_key"
+
 	procd_close_instance
 }

--- a/net/dnsproxy/files/dnsproxy.json
+++ b/net/dnsproxy/files/dnsproxy.json
@ -0,0 +1,17 @@
+{
+	"bounding": [
+		"CAP_NET_BIND_SERVICE"
+	],
+	"effective": [
+		"CAP_NET_BIND_SERVICE"
+	],
+	"ambient": [
+		"CAP_NET_BIND_SERVICE"
+	],
+	"permitted": [
+		"CAP_NET_BIND_SERVICE"
+	],
+	"inheritable": [
+		"CAP_NET_BIND_SERVICE"
+	]
+}