dns/dnscrypt-proxy: Fix ODoH servers not working #4374

Open
wants to merge 7 commits into
base: master

@levelad levelad commented Nov 30, 2024

Adding the dnscrypt variable "odoh_servers" to make dnscrypt work with ODoH relay and target servers.

Referring to:

#3783
#3810
#4367

This is my first ever fork and pull request, so bear with me. :)

Adding dnscrypt-proxy variable "odoh_servers".
Adding dnscrypt variable "odoh_servers".
Adding dnscrypt variable "odoh_servers".
@levelad levelad changed the title Fix ODoh servers not working in dnscrypt Fix ODoH servers not working in dnscrypt Nov 30, 2024
@levelad levelad changed the title Fix ODoH servers not working in dnscrypt Fix ODoH servers not working in dnscrypt-proxy Nov 30, 2024
@fichtner
Member

BTW, so far so good. Thanks for doing this 😊

@fichtner fichtner self-assigned this Nov 30, 2024
Version update 0.1.2->0.1.3
@levelad
Author

levelad commented Nov 30, 2024

I patched my 5 commits to my local OPNsense but it still doesn't seem to work.

I conducted these tests:

  1. "Use Oblivious-DNS-over-HTTPS Servers" disabled, Server List empty, Relay List empty -> Works (expectedly)
  2. "Use Oblivious-DNS-over-HTTPS Servers" enabled, Server List empty, Relay List empty -> Works (unexpectedly)
  3. "Use Oblivious-DNS-over-HTTPS Servers" enabled, Server List filled with "odoh-crypto-sx", Relay List empty -> Doesn't work (expectedly)
  4. "Use Oblivious-DNS-over-HTTPS Servers" enabled, Server List filled with "odoh-crypto-sx", Relay List filled with "odohrelay-crypto-sx" -> Doesn't work (unexpectedly)

Something must still be missing. @ilikenwf do you have any idea?

Edit: I found the problem: the dnscrypt ODoH server and relay lists are not yet added to the dnscrypt-proxy.toml file. Trying to figure out if I can add these.

Adding ODoH target and relay servers and fixing up some URLs.
Adding note that ODoH target and relay servers are not chosen automatically.
@levelad
Author

levelad commented Nov 30, 2024

Yay, ODoH is finally working! Tested using odoh-crypto-sx and odohrelay-crypto-sx.

[2024-11-30 15:25:45] [NOTICE] dnscrypt-proxy is ready - live servers: 1	
[2024-11-30 15:25:45] [NOTICE] Server with the lowest initial latency: odoh-crypto-sx (rtt: 45ms)	
[2024-11-30 15:25:45] [NOTICE] [odoh-crypto-sx] OK (ODoH) - rtt: 45ms	
[2024-11-30 15:25:38] [NOTICE] Anonymizing queries for [odoh-crypto-sx] via [odohrelay-crypto-sx]	
[2024-11-30 15:25:32] [NOTICE] Loading the set of forwarding rules from [forwarding-rules.txt]	
[2024-11-30 15:25:32] [NOTICE] Loading the set of cloaking rules from [cloaking-rules.txt]	
[2024-11-30 15:25:32] [NOTICE] Firefox workaround initialized	
[2024-11-30 15:25:32] [NOTICE] Loading the set of allowed names from [whitelist.txt]	
[2024-11-30 15:25:32] [NOTICE] Anonymized DNS: routing everything via [odohrelay-crypto-sx]	
[2024-11-30 15:25:32] [NOTICE] Source [odoh-relays] loaded	
[2024-11-30 15:25:32] [NOTICE] Source [odoh-servers] loaded	
[2024-11-30 15:25:32] [NOTICE] Source [relays] loaded	
[2024-11-30 15:25:32] [NOTICE] Source [public-resolvers] loaded	
[2024-11-30 15:25:32] [NOTICE] Now listening to 0.0.0.0:53 [TCP]	
[2024-11-30 15:25:32] [NOTICE] Now listening to 0.0.0.0:53 [UDP]	
[2024-11-30 15:25:32] [NOTICE] Network connectivity detected	
[2024-11-30 15:25:32] [NOTICE] dnscrypt-proxy 2.1.5

I don't know why, but even if ODoH is checked and there are no target and relay servers manually entered, other servers still seem to work.

Maybe somebody else wants to test this also. I also noticed "Require DNSSEC" even works when the relay doesn't support it, so it just applies to the target server.
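
A check for the behaviour described in the comment above, as an added example that is not part of the original thread or the plugin's code: it parses dnscrypt-proxy NOTICE lines and reports any live server that is not ODoH or has no relay. The sample log is constructed from the lines quoted above, and `audit_odoh` is a hypothetical name.

```python
import re

# Constructed sample: NOTICE lines as quoted in the thread (newest first).
SAMPLE_LOG = """\
[2024-11-30 15:25:45] [NOTICE] dnscrypt-proxy is ready - live servers: 1
[2024-11-30 15:25:45] [NOTICE] [odoh-crypto-sx] OK (ODoH) - rtt: 45ms
[2024-11-30 15:25:38] [NOTICE] Anonymizing queries for [odoh-crypto-sx] via [odohrelay-crypto-sx]
[2024-11-30 15:25:32] [NOTICE] Anonymized DNS: routing everything via [odohrelay-crypto-sx]
"""

# "[name] OK (PROTO) - rtt: Nms" marks a resolver that passed the startup probe.
OK_RE = re.compile(r"\[NOTICE\] \[([^\]]+)\] OK \(([^)]+)\)")
# "Anonymizing queries for [server] via [relay]" marks a server paired with a relay.
RELAY_RE = re.compile(r"Anonymizing queries for \[([^\]]+)\] via \[([^\]]+)\]")


def audit_odoh(log_text):
    """Return a list of findings; an empty list means every live server is
    ODoH and is reached through a relay. Line order does not matter."""
    live = {}      # server name -> protocol label from the OK line
    relayed = {}   # server name -> relay name
    for line in log_text.splitlines():
        m = OK_RE.search(line)
        if m:
            live[m.group(1)] = m.group(2)
            continue
        m = RELAY_RE.search(line)
        if m:
            relayed[m.group(1)] = m.group(2)

    if not live:
        return ["no server reported OK"]
    findings = []
    for name, proto in sorted(live.items()):
        if proto != "ODoH":
            findings.append(f"{name}: live over {proto}, not ODoH")
        elif name not in relayed:
            findings.append(f"{name}: ODoH without a relay")
    return findings


if __name__ == "__main__":
    for finding in audit_odoh(SAMPLE_LOG) or ["all live servers are ODoH via a relay"]:
        print(finding)
```

Running it against the log after enabling ODoH with empty server and relay lists would show whether the servers that "still seem to work" are non-ODoH resolvers.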

@levelad
Author

levelad commented Dec 9, 2024

So what are the next steps, can this be merged now or did I miss anything?

@Monviech Monviech requested a review from fichtner December 9, 2024 19:17
@levelad levelad changed the title Fix ODoH servers not working in dnscrypt-proxy dns/dnscrypt-proxy: Fix ODoH servers not working Dec 10, 2024
@L1ghtn1ng
Contributor

Can the minisign_key not be hardcoded? Depending on what that key is used for, having it hardcoded and not unique per instance would be a security issue, so that would need to be fixed.

@L1ghtn1ng
Contributor

Just seen the docs for it, and it says to use that key, so all good on that front.
