dnscrypt: multiple anonmyized relays per server

Author: ignoramous

intra/dnscrypt/crypto.go

@@ -97,7 +97,7 @@ func encrypt(
 	var paddedLength int
 	if useudp { // using udp
 		paddedLength = xdns.MaxDNSUDPSafePacketSize
-	} else if serverInfo.RelayTCPAddr != nil { // tcp, with relay
+	} else if len(serverInfo.RelayTCPAddrs) > 0 { // tcp, with relay
 		paddedLength = xdns.MaxDNSPacketSize
 	} else { // tcp, without relay
 		minQuestionSize := QueryOverhead + len(packet)

intra/dnscrypt/multiserver.go

@@ -20,6 +20,7 @@ import (
 	"encoding/binary"
 	"errors"
 	"fmt"
+	"math/rand"
 	"net"
 	"strings"
 	"sync"
@@ -81,10 +82,16 @@ var (
 	errNoConn          = errors.New("dnscrypt: no connection")
 )
 
-func udpExchange(pid string, serverInfo *serverinfo, sharedKey *[32]byte, encryptedQuery []byte, clientNonce []byte) ([]byte, error) {
+func chooseAny[t net.Addr](s []t) t {
+	return s[rand.Intn(len(s))]
+}
+
+func udpExchange(pid string, serverInfo *serverinfo, sharedKey *[32]byte, encryptedQuery []byte, clientNonce []byte) (res []byte, relay net.Addr, err error) {
 	upstreamAddr := serverInfo.UDPAddr
-	if serverInfo.RelayUDPAddr != nil {
-		upstreamAddr = serverInfo.RelayUDPAddr
+	userelay := len(serverInfo.RelayUDPAddrs) > 0
+	if userelay {
+		upstreamAddr = chooseAny(serverInfo.RelayUDPAddrs)
+		relay = upstreamAddr
 	}
 
 	pc, err := serverInfo.dialudp(pid, upstreamAddr)
@@ -93,14 +100,14 @@ func udpExchange(pid string, serverInfo *serverinfo, sharedKey *[32]byte, encryp
 			err = errNoConn
 		}
 		log.E("dnscrypt: udp: dialing %s; hasConn? %s(%t); err: %v", serverInfo, pid, pc != nil, err)
-		return nil, err
+		return
 	}
 
 	defer pc.Close()
 	if err = pc.SetDeadline(time.Now().Add(timeout8s)); err != nil {
-		return nil, err
+		return
 	}
-	if serverInfo.RelayUDPAddr != nil {
+	if userelay {
 		prepareForRelay(serverInfo.UDPAddr.IP, serverInfo.UDPAddr.Port, &encryptedQuery)
 	}
 	// TODO: use a pool
@@ -111,27 +118,31 @@ func udpExchange(pid string, serverInfo *serverinfo, sharedKey *[32]byte, encryp
 		core.Recycle(bptr)
 	}()
 	for tries := 2; tries > 0; tries-- {
-		if _, err := pc.Write(encryptedQuery); err != nil {
+		if _, err = pc.Write(encryptedQuery); err != nil {
 			log.E("dnscrypt: udp: [%s] write err; [%v]", serverInfo.Name, err)
-			return nil, err
+			return
 		}
-		length, err := pc.Read(encryptedResponse)
+		var length int
+		length, err = pc.Read(encryptedResponse)
 		if err == nil {
 			encryptedResponse = encryptedResponse[:length]
 			break
 		} else if tries <= 0 {
 			log.E("dnscrypt: udp: [%s] read err; quit [%v]", serverInfo.Name, err)
-			return nil, err
+			return
 		}
 		log.D("dnscrypt: udp: [%s] read err; retry [%v]", serverInfo.Name, err)
 	}
-	return decrypt(serverInfo, sharedKey, encryptedResponse, clientNonce)
+	res, err = decrypt(serverInfo, sharedKey, encryptedResponse, clientNonce)
+	return
 }
 
-func tcpExchange(pid string, serverInfo *serverinfo, sharedKey *[32]byte, encryptedQuery []byte, clientNonce []byte) ([]byte, error) {
+func tcpExchange(pid string, serverInfo *serverinfo, sharedKey *[32]byte, encryptedQuery []byte, clientNonce []byte) (res []byte, relay net.Addr, err error) {
 	upstreamAddr := serverInfo.TCPAddr
-	if serverInfo.RelayTCPAddr != nil {
-		upstreamAddr = serverInfo.RelayTCPAddr
+	userelay := len(serverInfo.RelayTCPAddrs) > 0
+	if userelay {
+		upstreamAddr = chooseAny(serverInfo.RelayTCPAddrs)
+		relay = upstreamAddr
 	}
 
 	pc, err := serverInfo.dialtcp(pid, upstreamAddr)
@@ -140,31 +151,32 @@ func tcpExchange(pid string, serverInfo *serverinfo, sharedKey *[32]byte, encryp
 			err = errNoConn
 		}
 		log.E("dnscrypt: tcp: dialing %s; hasConn? %s(%t); err: %v", serverInfo, pid, pc != nil, err)
-		return nil, err
+		return
 	}
 	defer pc.Close()
-	if derr := pc.SetDeadline(time.Now().Add(timeout8s)); derr != nil {
-		log.E("dnscrypt: tcp: err deadline: %v", derr)
-		return nil, derr
+	if err = pc.SetDeadline(time.Now().Add(timeout8s)); err != nil {
+		log.E("dnscrypt: tcp: err deadline: %v", err)
+		return
 	}
-	if serverInfo.RelayTCPAddr != nil {
+	if userelay {
 		prepareForRelay(serverInfo.TCPAddr.IP, serverInfo.TCPAddr.Port, &encryptedQuery)
 	}
 	encryptedQuery, err = xdns.PrefixWithSize(encryptedQuery)
 	if err != nil {
 		log.E("dnscrypt: tcp: prefix(q) %s err: %v", serverInfo, err)
-		return nil, err
+		return
 	}
-	if _, werr := pc.Write(encryptedQuery); werr != nil {
-		log.E("dnscrypt: tcp: err write: %v", serverInfo, werr)
-		return nil, werr
+	if _, err = pc.Write(encryptedQuery); err != nil {
+		log.E("dnscrypt: tcp: err write: %v", serverInfo, err)
+		return
 	}
 	encryptedResponse, err := xdns.ReadPrefixed(&pc)
 	if err != nil {
 		log.E("dnscrypt: tcp: read(enc) %s err %v", serverInfo, err)
-		return nil, err
+		return
 	}
-	return decrypt(serverInfo, sharedKey, encryptedResponse, clientNonce)
+	res, err = decrypt(serverInfo, sharedKey, encryptedResponse, clientNonce)
+	return
 }
 
 func prepareForRelay(ip net.IP, port int, eq *[]byte) {
@@ -177,7 +189,7 @@ func prepareForRelay(ip net.IP, port int, eq *[]byte) {
 	*eq = relayedQuery
 }
 
-func query(pid string, packet []byte, serverInfo *serverinfo, useudp bool) (response []byte, qerr *dnsx.QueryError) {
+func query(pid string, packet []byte, serverInfo *serverinfo, useudp bool) (response []byte, relay net.Addr, qerr *dnsx.QueryError) {
 	if len(packet) < xdns.MinDNSPacketSize {
 		qerr = dnsx.NewBadQueryError(errQueryTooShort)
 		return
@@ -235,7 +247,7 @@ func query(pid string, packet []byte, serverInfo *serverinfo, useudp bool) (resp
 		}
 
 		if useudp {
-			response, err = udpExchange(pid, serverInfo, sharedKey, encryptedQuery, clientNonce)
+			response, relay, err = udpExchange(pid, serverInfo, sharedKey, encryptedQuery, clientNonce)
 		}
 		tcpfallback := useudp && err != nil
 		if tcpfallback {
@@ -244,7 +256,7 @@ func query(pid string, packet []byte, serverInfo *serverinfo, useudp bool) (resp
 		// if udp errored out, try over tcp; or use tcp if udp is disabled
 		if tcpfallback || !useudp {
 			useudp = false // switched to tcp
-			response, err = tcpExchange(pid, serverInfo, sharedKey, encryptedQuery, clientNonce)
+			response, relay, err = tcpExchange(pid, serverInfo, sharedKey, encryptedQuery, clientNonce)
 		}
 
 		if err != nil {
@@ -291,14 +303,15 @@ func query(pid string, packet []byte, serverInfo *serverinfo, useudp bool) (resp
 // resolve resolves incoming DNS query, data
 func resolve(network string, data []byte, si *serverinfo, smm *x.DNSSummary) (response []byte, err error) {
 	var qerr *dnsx.QueryError
+	var anonrelayaddr net.Addr
 
 	before := time.Now()
 
 	proto, pid := xdns.Net2ProxyID(network)
 	useudp := proto == dnsx.NetTypeUDP
 
 	// si may be nil
-	response, qerr = query(pid, data, si, useudp)
+	response, anonrelayaddr, qerr = query(pid, data, si, useudp)
 
 	after := time.Now()
 
@@ -309,8 +322,8 @@ func resolve(network string, data []byte, si *serverinfo, smm *x.DNSSummary) (re
 	var anonrelay string
 	if si != nil {
 		resolver = si.HostName
-		if si.RelayTCPAddr != nil {
-			anonrelay = si.RelayTCPAddr.IP.String()
+		if anonrelayaddr != nil { // may be nil
+			anonrelay = anonrelayaddr.String()
 		}
 	}
 
@@ -326,7 +339,7 @@ func resolve(network string, data []byte, si *serverinfo, smm *x.DNSSummary) (re
 	smm.RCode = xdns.Rcode(ans)
 	smm.RTtl = xdns.RTtl(ans)
 	smm.Server = resolver
-	smm.RelayServer = anonrelay
+	smm.RelayServer = anonrelay // may be empty
 	smm.Status = status
 
 	noAnonRelay := len(anonrelay) <= 0
@@ -394,15 +407,15 @@ func (proxy *DcMulti) start() error {
 	curve25519.ScalarBaseMult(&proxy.proxyPublicKey, &proxy.proxySecretKey)
 
 	_, err := proxy.Refresh()
-	if len(proxy.serversInfo.registeredServers) > 0 {
+	if proxy.serversInfo.len() > 0 {
 		go func(ctx context.Context) {
 			for {
 				select {
 				case <-ctx.Done():
 					log.I("dnscrypt: cert refresh stopped")
 					return
 				default:
-					hasServers := len(proxy.serversInfo.registeredServers) > 0
+					hasServers := proxy.serversInfo.len() > 0
 					allDead := len(proxy.liveServers) == 0
 					delay := certRefreshDelay
 					if hasServers && allDead {

intra/dnscrypt/servers.go

@@ -54,8 +54,8 @@ type serverinfo struct {
 	HostName           string
 	UDPAddr            *net.UDPAddr
 	TCPAddr            *net.TCPAddr
-	RelayUDPAddr       *net.UDPAddr
-	RelayTCPAddr       *net.TCPAddr
+	RelayUDPAddrs      []*net.UDPAddr
+	RelayTCPAddrs      []*net.TCPAddr
 	status             int
 	proxies            ipn.Proxies // proxy-provider, may be nil
 	relay              ipn.Proxy   // proxy relay to use, may be nil
@@ -199,14 +199,11 @@ func fetchDNSCryptServerInfo(proxy *DcMulti, name string, stamp stamps.ServerSta
 		stamp.ServerPk = serverPk
 	}
 
-	// relayudpaddr and relaytcpaddr may be nil, even if err == nil
-	relayudpaddr, relaytcpaddr, err := route(proxy, name)
-	if err != nil {
-		return serverinfo{}, err
-	}
+	// relayudpaddrs and relaytcpaddrs may be nil, even if err == nil
+	relayudpaddrs, relaytcpaddrs := route(proxy)
 	// iff tcp relay is unset, unset udp relay too
-	if relaytcpaddr == nil {
-		relayudpaddr = nil
+	if len(relaytcpaddrs) <= 0 {
+		relayudpaddrs = nil
 	}
 	// note: relays are not used to fetch certs due to multiple issues reported by users
 	certInfo, err := fetchCurrentDNSCryptCert(proxy, &name, stamp.ServerPk, stamp.ServerAddrStr, stamp.ProviderName)
@@ -243,14 +240,14 @@ func fetchDNSCryptServerInfo(proxy *DcMulti, name string, stamp stamps.ServerSta
 		Name:               name,
 		UDPAddr:            udpaddr,
 		TCPAddr:            tcpaddr,
-		RelayTCPAddr:       relaytcpaddr,
-		RelayUDPAddr:       relayudpaddr,
+		RelayTCPAddrs:      relaytcpaddrs,
+		RelayUDPAddrs:      relayudpaddrs,
 		proxies:            px,
 		relay:              relay,
 		dialer:             dialer,
 		est:                core.NewP50Estimator(),
 	}
-	log.I("dnscrypt: (%s) setup: %s; relay? %t", name, si.HostName, relay != nil)
+	log.I("dnscrypt: (%s) setup: %s; anonrelay? %t, proxy? %t", name, si.HostName, relaytcpaddrs != nil, relay != nil)
 	return si, nil
 }
 
@@ -259,45 +256,43 @@ func fetchDoHServerInfo(proxy *DcMulti, name string, stamp stamps.ServerStamp) (
 	return serverinfo{}, errors.New("unsupported protocol")
 }
 
-func route(proxy *DcMulti, name string) (udpaddr *net.UDPAddr, tcpaddr *net.TCPAddr, err error) {
-	relayNames := proxy.routes
-	if relayNames == nil { // no err, no relays
+func route(proxy *DcMulti) (udpaddrs []*net.UDPAddr, tcpaddrs []*net.TCPAddr) {
+	relays := proxy.routes
+	if len(relays) <= 0 { // no err, no relays
 		return
 	}
 
-	var relayName string
-	if len(relayNames) > 0 {
-		candidate := rand.Intn(len(relayNames))
-		relayName = relayNames[candidate]
-	}
-	var relayCandidateStamp *stamps.ServerStamp
-	if len(relayName) == 0 {
-		err = fmt.Errorf("route declared for [%s] but no relays", name)
-		return
-	} else if relayStamp, serr := stamps.NewServerStampFromString(relayName); serr == nil {
-		relayCandidateStamp = &relayStamp
-	}
+	udpaddrs = make([]*net.UDPAddr, 0, len(relays))
+	tcpaddrs = make([]*net.TCPAddr, 0, len(relays))
+	for _, rr := range relays {
+		var rrstamp *stamps.ServerStamp
+		if len(rr) == 0 {
+			log.W("dnscrypt: route: skip empty relay")
+			continue
+		} else if relayStamp, serr := stamps.NewServerStampFromString(rr); serr == nil {
+			rrstamp = &relayStamp
+		}
 
-	if relayCandidateStamp == nil {
-		relayCandidateStamp = &stamps.ServerStamp{
-			ServerAddrStr: relayName, // may be a hostname or ip-address
-			Proto:         stamps.StampProtoTypeDNSCryptRelay,
+		if rrstamp == nil {
+			rrstamp = &stamps.ServerStamp{
+				ServerAddrStr: rr, // may be a hostname or ip-address
+				Proto:         stamps.StampProtoTypeDNSCryptRelay,
+			}
 		}
-	}
 
-	s, p := hostport(relayCandidateStamp.ServerAddrStr)
-	if relayCandidateStamp != nil && (relayCandidateStamp.Proto == stamps.StampProtoTypeDNSCrypt ||
-		relayCandidateStamp.Proto == stamps.StampProtoTypeDNSCryptRelay) {
-		var ips []netip.Addr
-		if ips, err = dialers.Resolve(s); err == nil && len(ips) > 0 {
-			ipp := netip.AddrPortFrom(ips[0], p) // TODO: randomize?
-			tcpaddr = net.TCPAddrFromAddrPort(ipp)
-			udpaddr = net.UDPAddrFromAddrPort(ipp)
+		host, port := hostport(rrstamp.ServerAddrStr)
+		if rrstamp != nil && (rrstamp.Proto == stamps.StampProtoTypeDNSCrypt ||
+			rrstamp.Proto == stamps.StampProtoTypeDNSCryptRelay) {
+			if ips, err := dialers.Resolve(host); err == nil && len(ips) > 0 {
+				ipp := netip.AddrPortFrom(ips[0], port) // TODO: randomize?
+				tcpaddrs = append(tcpaddrs, net.TCPAddrFromAddrPort(ipp))
+				udpaddrs = append(udpaddrs, net.UDPAddrFromAddrPort(ipp))
+			} else {
+				log.W("dnscrypt: route: zero ips for relay [%s] for server [%s]; err [%v]", rr, host, err)
+			}
 		} else {
-			err = fmt.Errorf("zero ips for relay [%s@%s] for server [%s]; err [%v]", relayName, s, name, err)
+			log.W("dnscrypt: route: invalid relay [%s]", rr)
 		}
-	} else {
-		err = fmt.Errorf("invalid relay [%s] for server [%s]", relayName, name)
 	}
 	return
 }
@@ -324,8 +319,8 @@ func (s *serverinfo) String() string {
 	if s.TCPAddr != nil {
 		serveraddr = s.TCPAddr.String()
 	}
-	if s.RelayTCPAddr != nil {
-		relayaddr = s.RelayTCPAddr.String()
+	if s.RelayTCPAddrs != nil {
+		relayaddr = chooseAny(s.RelayTCPAddrs).String()
 	}
 
 	return serverid + ":" + servername + "/" + serveraddr + "<=>" + relayaddr