Secureoperator Versions Save

Changes

• Adds Quad9 support (#30, thanks @loganaden)
• Minor README changes (#31)

Known Issues

• None

Version Info

output of secure-operator --help:

A DNS-protocol proxy for Google's DNS-over-HTTPS service.

Usage:

  secure-operator [options]

Options:

  -auto-edns-subnet
    	By default, we use an EDNS subnet of 0.0.0.0/0 which does not reveal your
    	IP address or subnet to authoratative DNS servers. If privacy of your IP
    	address is not a concern and you want to take advantage of an authoratative
    	server determining the best DNS results for you, set this flag. This flag
    	specifies that Google should choose what subnet to send; if you'd like to
    	specify your own subnet, use the -edns-subnet option.
  -cloudflare
    	Use Cloudflare defaults. When set, the following options will be used
    	unless explicitly overridden:
    		dns-servers: 1.0.0.1,1.1.1.1
    		params: ct=application/dns-json
    		endpoint: https://cloudflare-dns.com/dns-query
  -dns-servers string
    	DNS Servers used to look up the endpoint; system default is used if absent.
    	Ignored if "endpoint-ips" is set. Comma separated, e.g. "8.8.8.8,8.8.4.4:53".
    	The port section is optional, and 53 will be used by default.
  -edns-subnet string
    	Specify a subnet to be sent in the edns0-client-subnet option; by default
    	we specify that this option should not be used, for privacy. If
    	-auto-edns-subnet is used, the value specified here is ignored.
    	        (default "0.0.0.0/0")
  -endpoint string
    	DNS-over-HTTPS endpoint url (default "https://dns.google.com/resolve")
  -endpoint-ips string
    	IPs of the DNS-over-HTTPS endpoint; if provided, endpoint lookup is
    	skipped, and the host value in "endpoint" is sent as the Host header. Comma
    	separated with no spaces; e.g. "74.125.28.139,74.125.28.102". One server is
    	randomly chosen for each request, failed requests are not retried.
  -google
    	Use Google defaults. When set, the following options will be used unless
    	explicitly overridden:
    		dns-servers: 8.8.8.8,8.8.4.4
    		endpoint: https://dns.google.com/resolve
  -header value
    	Additional headers to be sent with http requests, as Key=Value; specify
    	multiple as:
    	    -header Key-1=Value-1-1 -header Key-1=Value1-2 -header Key-2=Value-2
  -level string
    	Log level, one of: debug, info, warn, error, fatal, panic (default "info")
  -listen [host]:port
    	listen address, as [host]:port (default ":53")
  -no-pad
    	Disable padding of Google DNS-over-HTTPS requests to identical length
  -param value
    	Additional query parameters to be sent with http requests, as key=value;
    	specify multiple as:
    	    -param key1=value1-1 -param key1=value1-2 -param key2=value2
  -quad9
    	Use Quad9 defaults. When set, the following options will be used
    	unless explicitly overriden:
    		dns-servers: 9.9.9.9, 149.112.112.112
    		params: ct=application/dns-json
    		endpoint : https://dns.quad9.net/dns-query
  -tcp
    	Listen on TCP (default true)
  -udp
    	Listen on UDP (default true)

Changes

• Fixes a build issue in v4.0.0 where release binaries were not automatically built by CI

This version is code identical to v4.0.0

Known Issues

• None

Version Info

output of secure-operator --help:

A DNS-protocol proxy for Google's DNS-over-HTTPS service.

Usage:

  secure-operator [options]

Options:

  -auto-edns-subnet
    	By default, we use an EDNS subnet of 0.0.0.0/0 which does not reveal your
    	IP address or subnet to authoratative DNS servers. If privacy of your IP
    	address is not a concern and you want to take advantage of an authoratative
    	server determining the best DNS results for you, set this flag. This flag
    	specifies that Google should choose what subnet to send; if you'd like to
    	specify your own subnet, use the -edns-subnet option.
  -cloudflare
    	Use Cloudflare defaults. When set, the following options will be used
    	unless explicitly overridden:
    		dns-servers: 1.0.0.1,1.1.1.1
    		params: ct=application/dns-json
    		endpoint: https://cloudflare-dns.com/dns-query
  -dns-servers string
    	DNS Servers used to look up the endpoint; system default is used if absent.
    	Ignored if "endpoint-ips" is set. Comma separated, e.g. "8.8.8.8,8.8.4.4:53".
    	The port section is optional, and 53 will be used by default.
  -edns-subnet string
    	Specify a subnet to be sent in the edns0-client-subnet option; by default
    	we specify that this option should not be used, for privacy. If
    	-auto-edns-subnet is used, the value specified here is ignored.
    	        (default "0.0.0.0/0")
  -endpoint string
    	DNS-over-HTTPS endpoint url (default "https://dns.google.com/resolve")
  -endpoint-ips string
    	IPs of the DNS-over-HTTPS endpoint; if provided, endpoint lookup is
    	skipped, and the host value in "endpoint" is sent as the Host header. Comma
    	separated with no spaces; e.g. "74.125.28.139,74.125.28.102". One server is
    	randomly chosen for each request, failed requests are not retried.
  -google
    	Use Google defaults. When set, the following options will be used unless
    	explicitly overridden:
    		dns-servers: 8.8.8.8,8.8.4.4
    		endpoint: https://dns.google.com/resolve
  -header value
    	Additional headers to be sent with http requests, as Key=Value; specify
    	multiple as:
    	    -header Key-1=Value-1-1 -header Key-1=Value1-2 -header Key-2=Value-2
  -level string
    	Log level, one of: debug, info, warn, error, fatal, panic (default "info")
  -listen [host]:port
    	listen address, as [host]:port (default ":53")
  -no-pad
    	Disable padding of Google DNS-over-HTTPS requests to identical length
  -param value
    	Additional query parameters to be sent with http requests, as key=value;
    	specify multiple as:
    	    -param key1=value1-1 -param key1=value1-2 -param key2=value2
  -tcp
    	Listen on TCP (default true)
  -udp
    	Listen on UDP (default true)

Changes

• Add provider defaults: specify -google or -cloudflare at the command line to get sane defaults for those providers (#27)
• When doing DNS lookups for the DNS-over-HTTPS host, try available DNS servers in order, then fail if none respond. Previously, one would be tried at random, and if it failed we wouldn't move on to the next. (#29)

This involves some API changes when instantiating the SimpleDNSClient, now allowing an options struct to be passed.

Known Issues

• Binaries were not built for this version due to a build misconfiguration

Version Info

output of secure-operator --help:

A DNS-protocol proxy for Google's DNS-over-HTTPS service.

Usage:

  secure-operator [options]

Options:

  -auto-edns-subnet
    	By default, we use an EDNS subnet of 0.0.0.0/0 which does not reveal your
    	IP address or subnet to authoratative DNS servers. If privacy of your IP
    	address is not a concern and you want to take advantage of an authoratative
    	server determining the best DNS results for you, set this flag. This flag
    	specifies that Google should choose what subnet to send; if you'd like to
    	specify your own subnet, use the -edns-subnet option.
  -cloudflare
    	Use Cloudflare defaults. When set, the following options will be used
    	unless explicitly overridden:
    		dns-servers: 1.0.0.1,1.1.1.1
    		params: ct=application/dns-json
    		endpoint: https://cloudflare-dns.com/dns-query
  -dns-servers string
    	DNS Servers used to look up the endpoint; system default is used if absent.
    	Ignored if "endpoint-ips" is set. Comma separated, e.g. "8.8.8.8,8.8.4.4:53".
    	The port section is optional, and 53 will be used by default.
  -edns-subnet string
    	Specify a subnet to be sent in the edns0-client-subnet option; by default
    	we specify that this option should not be used, for privacy. If
    	-auto-edns-subnet is used, the value specified here is ignored.
    	        (default "0.0.0.0/0")
  -endpoint string
    	DNS-over-HTTPS endpoint url (default "https://dns.google.com/resolve")
  -endpoint-ips string
    	IPs of the DNS-over-HTTPS endpoint; if provided, endpoint lookup is
    	skipped, and the host value in "endpoint" is sent as the Host header. Comma
    	separated with no spaces; e.g. "74.125.28.139,74.125.28.102". One server is
    	randomly chosen for each request, failed requests are not retried.
  -google
    	Use Google defaults. When set, the following options will be used unless
    	explicitly overridden:
    		dns-servers: 8.8.8.8,8.8.4.4
    		endpoint: https://dns.google.com/resolve
  -header value
    	Additional headers to be sent with http requests, as Key=Value; specify
    	multiple as:
    	    -header Key-1=Value-1-1 -header Key-1=Value1-2 -header Key-2=Value-2
  -level string
    	Log level, one of: debug, info, warn, error, fatal, panic (default "info")
  -listen [host]:port
    	listen address, as [host]:port (default ":53")
  -no-pad
    	Disable padding of Google DNS-over-HTTPS requests to identical length
  -param value
    	Additional query parameters to be sent with http requests, as key=value;
    	specify multiple as:
    	    -param key1=value1-1 -param key1=value1-2 -param key2=value2
  -tcp
    	Listen on TCP (default true)
  -udp
    	Listen on UDP (default true)

Changes

• Support sending EDNS information to upstream DNS-over-HTTPS server, or optionally specifying none and letting the server decide.
• New flags were added to the binary for optionally specifying EDNS manually, or allowing Google to decide the behavior for you. The default behavior (disable EDNS) is unchanged.

Warning: prior to this release, secureoperator always sent 0.0.0.0/0 to upstream, which Google interprets as "send no value to authoritative servers for EDNS". In this release, it's possible to enable EDNS, which may reveal your IP address (or a portion of it) to authoritative DNS servers.

The default of both the binary release and the securoperator library is to use the old behavior (sending 0.0.0.0/0) however future versions of the library will default to letting Google decide the behavior. This will be changed at version 4. The behavior of the binary release will not change.

If you use secureoperator as a library; it's recommended that you begin specifying your preferred EDNS settings now, so that you're prepared for when the default changes in the future. To specify the current behavior:

provider, err := secop.NewGDNSProvider(*endpoint, &secop.GDNSOptions{
	UseEDNSsubnetOption: true,
	EDNSSubnet:          secop.GoogleEDNSSentinelValue,
})

For the version 3 release, the UseEDNSsubnetOption: true is required to be specified, otherwise EDNSSubnet value will be ignored. This is because the zero value of EDNSSubnet (a blank string) means "allow Google to specify EDNS". In version 4, UseEDNSsubnetOption will be removed and that behavior will become default in the library.

Please open an issue if you have any questions about this behavior or change.

Known Issues

• None

Version Info

output of secure-operator --help:

A DNS-protocol proxy for Google's DNS-over-HTTPS service.

Usage:

  secure-operator [options]

Options:

  -auto-edns-subnet
    	By default, we use an EDNS subnet of 0.0.0.0/0 which does not reveal your
        IP address or subnet to authoratative DNS servers. If privacy of your IP
        address is not a concern and you want to take advantage of an authoratative
        server determining the best DNS results for you, set this flag. This flag
        specifies that Google should choose what subnet to send; if you'd like to
        specify your own subnet, use the -edns-subnet option.
  -dns-servers string
    	DNS Servers used to look up the endpoint; system default is used if absent.
        Ignored if "endpoint-ips" is set. Comma separated, e.g. "8.8.8.8,8.8.4.4:53".
        The port section is optional, and 53 will be used by default.
  -edns-subnet string
    	Specify a subnet to be sent in the edns0-client-subnet option; by default
        we specify that this option should not be used, for privacy. If
        -auto-edns-subnet is used, the value specified here is ignored.
        (default "0.0.0.0/0")
  -endpoint string
    	Google DNS-over-HTTPS endpoint url (default "https://dns.google.com/resolve")
  -endpoint-ips string
    	IPs of the Google DNS-over-HTTPS endpoint; if provided, endpoint lookup is
        skipped, and the host value in "endpoint" is sent as the Host header. Comma
        separated with no spaces; e.g. "74.125.28.139,74.125.28.102". One server is
        randomly chosen for each request, failed requests are not retried.
  -level string
    	Log level, one of: debug, info, warn, error, fatal, panic (default "info")
  -listen [host]:port
    	listen address, as [host]:port (default ":53")
  -no-pad
    	Disable padding of Google DNS-over-HTTPS requests to identical length
  -tcp
    	Listen on TCP (default true)
  -udp
    	Listen on UDP (default true)

Download the correct binary below for your platform, or install via docker pull fardog/secureoperator:v3.0.0

Changes

• Use the latest dep lockfile formats
• Ensure latest deps

Known Issues

• None

Version Info

output of secure-operator --help:

A DNS-protocol proxy for Google's DNS-over-HTTPS service.

Usage:

  secure-operator [options]

Options:

  -dns-servers string
    	DNS Servers used to look up the endpoint; system default is used if absent.
        Ignored if "endpoint-ips" is set. Comma separated, e.g. "8.8.8.8,8.8.4.4:53".
        The port section is optional, and 53 will be used by default.
  -endpoint string
    	Google DNS-over-HTTPS endpoint url (default "https://dns.google.com/resolve")
  -endpoint-ips string
    	IPs of the Google DNS-over-HTTPS endpoint; if provided, endpoint lookup is
        skipped, and the host value in "endpoint" is sent as the Host header. Comma
        separated with no spaces; e.g. "74.125.28.139,74.125.28.102". One server is
        randomly chosen for each request, failed requests are not retried.
  -level string
    	Log level, one of: debug, info, warn, error, fatal, panic (default "info")
  -listen [host]:port
    	listen address, as [host]:port (default ":53")
  -no-pad
    	Disable padding of Google DNS-over-HTTPS requests to identical length
  -tcp
    	Listen on TCP (default true)
  -udp
    	Listen on UDP (default true)

Download the correct binary below for your platform, or install via docker pull fardog/secureoperator:v2.2.1

Changes

• Support latest Go versions (1.8, 1.9)
• Drop support for deprecated Go versions (1.7)
• Add new method for returning errors from dns.RR generation from DNSRR
  • Fixes bugs where a bad record could cause responses to hang
  • Deprecate old method which swallowed error
• (Developer) Use dep to manage deps; remove godep

Known Issues

• None

Version Info

output of secure-operator --help:

A DNS-protocol proxy for Google's DNS-over-HTTPS service.

Usage:

  secure-operator [options]

Options:

  -dns-servers string
    	DNS Servers used to look up the endpoint; system default is used if absent.
        Ignored if "endpoint-ips" is set. Comma separated, e.g. "8.8.8.8,8.8.4.4:53".
        The port section is optional, and 53 will be used by default.
  -endpoint string
    	Google DNS-over-HTTPS endpoint url (default "https://dns.google.com/resolve")
  -endpoint-ips string
    	IPs of the Google DNS-over-HTTPS endpoint; if provided, endpoint lookup is
        skipped, and the host value in "endpoint" is sent as the Host header. Comma
        separated with no spaces; e.g. "74.125.28.139,74.125.28.102". One server is
        randomly chosen for each request, failed requests are not retried.
  -level string
    	Log level, one of: debug, info, warn, error, fatal, panic (default "info")
  -listen [host]:port
    	listen address, as [host]:port (default ":53")
  -no-pad
    	Disable padding of Google DNS-over-HTTPS requests to identical length
  -tcp
    	Listen on TCP (default true)
  -udp
    	Listen on UDP (default true)

Download the correct binary below for your platform, or install via docker pull fardog/secureoperator:v2.2.0

Changes

• Support all DNS record types — #9 (thanks chenhw2)

Known Issues

• None

Version Info

output of secure-operator --help:

A DNS-protocol proxy for Google's DNS-over-HTTPS service.

Usage:

  secure-operator [options]

Options:

  -dns-servers string
    	DNS Servers used to look up the endpoint; system default is used if absent.
        Ignored if "endpoint-ips" is set. Comma separated, e.g. "8.8.8.8,8.8.4.4:53".
        The port section is optional, and 53 will be used by default.
  -endpoint string
    	Google DNS-over-HTTPS endpoint url (default "https://dns.google.com/resolve")
  -endpoint-ips string
    	IPs of the Google DNS-over-HTTPS endpoint; if provided, endpoint lookup is
        skipped, and the host value in "endpoint" is sent as the Host header. Comma
        separated with no spaces; e.g. "74.125.28.139,74.125.28.102". One server is
        randomly chosen for each request, failed requests are not retried.
  -level string
    	Log level, one of: debug, info, warn, error, fatal, panic (default "info")
  -listen [host]:port
    	listen address, as [host]:port (default ":53")
  -no-pad
    	Disable padding of Google DNS-over-HTTPS requests to identical length
  -tcp
    	Listen on TCP (default true)
  -udp
    	Listen on UDP (default true)

Download the correct binary below for your platform, or install via docker pull fardog/secureoperator:v2.1.0

Changes

• Google DNS Provider fixes — #8 (thanks toffaletti)
  • reuse http.Client
  • set timeouts
  • limit connection pool size
• Seed math.rand on startup — #7 (suggestion from reddit user ar1819)

Known Issues

• None

Version Info

output of secure-operator --help:

A DNS-protocol proxy for Google's DNS-over-HTTPS service.

Usage:

  secure-operator [options]

Options:

  -dns-servers string
    	DNS Servers used to look up the endpoint; system default is used if absent.
        Ignored if "endpoint-ips" is set. Comma separated, e.g. "8.8.8.8,8.8.4.4:53".
        The port section is optional, and 53 will be used by default.
  -endpoint string
    	Google DNS-over-HTTPS endpoint url (default "https://dns.google.com/resolve")
  -endpoint-ips string
    	IPs of the Google DNS-over-HTTPS endpoint; if provided, endpoint lookup is
        skipped, and the host value in "endpoint" is sent as the Host header. Comma
        separated with no spaces; e.g. "74.125.28.139,74.125.28.102". One server is
        randomly chosen for each request, failed requests are not retried.
  -level string
    	Log level, one of: debug, info, warn, error, fatal, panic (default "info")
  -listen [host]:port
    	listen address, as [host]:port (default ":53")
  -no-pad
    	Disable padding of Google DNS-over-HTTPS requests to identical length
  -tcp
    	Listen on TCP (default true)
  -udp
    	Listen on UDP (default true)

Download the correct binary below for your platform, or install via docker pull fardog/secureoperator:v2.0.1

Changes

• Add option to specify DNS resolvers, rather than using the system resolver
• Add option to specify Google endpoint IPs
• Improved help messages

Known Issues

• None

Version Info

output of secure-operator --help:

A DNS-protocol proxy for Google's DNS-over-HTTPS service.

Usage:

  secure-operator [options]

Options:

  -dns-servers string
    	DNS Servers used to look up the endpoint; system default is used if absent.
        Ignored if "endpoint-ips" is set. Comma separated, e.g. "8.8.8.8,8.8.4.4:53".
        The port section is optional, and 53 will be used by default.
  -endpoint string
    	Google DNS-over-HTTPS endpoint url (default "https://dns.google.com/resolve")
  -endpoint-ips string
    	IPs of the Google DNS-over-HTTPS endpoint; if provided, endpoint lookup is
        skipped, and the host value in "endpoint" is sent as the Host header. Comma
        separated with no spaces; e.g. "74.125.28.139,74.125.28.102". One server is
        randomly chosen for each request, failed requests are not retried.
  -level string
    	Log level, one of: debug, info, warn, error, fatal, panic (default "info")
  -listen [host]:port
    	listen address, as [host]:port (default ":53")
  -no-pad
    	Disable padding of Google DNS-over-HTTPS requests to identical length
  -tcp
    	Listen on TCP (default true)
  -udp
    	Listen on UDP (default true)

Download the correct binary below for your platform, or install via docker pull fardog/secureoperator:v2.0.0

Changes

• Fixes a misleading help message
• Updates README with versioning/compatibility policy

Known Issues

• None

Version Info

output of secure-operator --help:

  -endpoint string
        Google DNS-over-HTTPS endpoint url (default "https://dns.google.com/resolve")
  -level string
        Log level, one of: debug, info, warn, error, fatal, panic (default "info")
  -listen [host]:port
        listen address, as [host]:port (default ":53")
  -pad
        Pad Google DNS-over-HTTPS requests to identical length (default true)
  -tcp
        Listen on TCP (default true)
  -udp
        Listen on UDP (default true)

Download the correct binary below for your platform, or install via docker pull fardog/secureoperator:v1.1.1