v2.0.0-alpha3

[mosajjal]

sniproxy v2 now has an official alpha release! there are a lot of changes since v1 and even since a few commits ago in v2. native DoH support is here!

Test and provide feedback. I'm sure this release is buggy af

[prooshani]

Ok, lets see what's going on here...
Soon I will update you with my results.

[mosajjal]

so in summary, looks like everything is working as expected except for DoQ upstream?
setting DoH server is a client behavior. I think you can either set it to https://my.domain.com/dns-query or my.domain.com.

DoH returns real IP rather than sniproxy's IP.

oh yeah you're right. DoH's upstream should go back to sniproxy's own DNS. this is a bug.

[mosajjal]

this log is shown when an override ACL is hit. sniproxy's internal DoH server is implemented as a localhost TCP connection on a random port (in your case on port 34211), this shows that ACL is working and redirecting your DoH message to DoH. This log needs will probably be in debug level in v2 rather than info.

as for your other issue, I'd be keen to see how you get on with debugging. I'll do some real world testing against v2 as well when I get the chance.

this is fixed in the latest commit. log is debug

[mosajjal]

so in summary, looks like everything is working as expected except for DoQ upstream?
setting DoH server is a client behavior. I think you can either set it to https://my.domain.com/dns-query or my.domain.com.

DoH returns real IP rather than sniproxy's IP.

oh yeah you're right. DoH's upstream should go back to sniproxy's own DNS. this is a bug.

this should also be fixed in the latest commit.

[mosajjal]

This is bizarre! I can resolve any query on DNS client, dig from any server or client, nslookup it and etc. I don't know what is the issue with the router DNS!? Maybe double-NAT or any other ISP level restriction. For your reference, I have 5 DNS server on different locations to test different DNS servers and different scenarios to both make my DNS queries more secure and also defeat geo-blocking restrictions. Yesterday, I have tried a nice combination of sniproxy as a upstream for dnsproxy ( by AdGuard )... I let the sniproxy v2 (not this latest version with DoH) to resolve just udp queries on port 54. At the other part, for dnsproxy, just forwarded all DNS queries upstreamed to sniproxy on port 54 and activated TCP, TLS, HTTPS and Quic on their standard ports on it (DNSPROXY). And the result was very ok! I mean, I could resolve all protocols without issue tested by DNS clients. However, the router based tests failed and I had not enough time to find the issue and today you just introduced DoH version of sniproxy v2 so I let that alone for now. I may have some small misconfigs due to numerous scenarios I have tested recently. I am so confused now and need to think about it more deeply.

this screams "midbox" and MITM of DNS in ISP level. they don't do it on any other port other than 53 so it makes sense that the issue went away when you switched ports. they also don't do it on TCP either so you might benefit from trying that out.

[prooshani]

This is bizarre! I can resolve any query on DNS client, dig from any server or client, nslookup it and etc. I don't know what is the issue with the router DNS!? Maybe double-NAT or any other ISP level restriction. For your reference, I have 5 DNS server on different locations to test different DNS servers and different scenarios to both make my DNS queries more secure and also defeat geo-blocking restrictions. Yesterday, I have tried a nice combination of sniproxy as a upstream for dnsproxy ( by AdGuard )... I let the sniproxy v2 (not this latest version with DoH) to resolve just udp queries on port 54. At the other part, for dnsproxy, just forwarded all DNS queries upstreamed to sniproxy on port 54 and activated TCP, TLS, HTTPS and Quic on their standard ports on it (DNSPROXY). And the result was very ok! I mean, I could resolve all protocols without issue tested by DNS clients. However, the router based tests failed and I had not enough time to find the issue and today you just introduced DoH version of sniproxy v2 so I let that alone for now. I may have some small misconfigs due to numerous scenarios I have tested recently. I am so confused now and need to think about it more deeply.

this screams "midbox" and MITM of DNS in ISP level. they don't do it on any other port other than 53 so it makes sense that the issue went away when you switched ports. they also don't do it on TCP either so you might benefit from trying that out.

Unfortunately it seems like that this is not the issue!
My router besides standard UDP DNS accepts DoT only and believe me, it still not working with SNIProxy.
I can set other premium DNS resolvers, like AdGuard or ControlD on UDP and they work well.
If the MITM or MidBox was the issue they couldn't work as well.

I could able to setup other DNS servers (Technitium to be exact) which was working well with DoT only and even I was able to open censored websites, like twitter, youtube and etc., without any VPN connection while all IP location services was located me in IR.
Netflix was loaded with Iran location, Twitter was loading Trends for Iran, youtube was showing my location and suggestion for Iran...

I think I lost my path to what I was looking for and now I am just running blindly to find my way out of this.
Anyway, I am keen to test sniproxy at any level and will not look into it as an absolute resolution for my issues for now.
I believe one day sniproxy wil be the solution for me and many others.

[mosajjal]

if your router works for ~60 seconds and stops working, but dig etc work fine, it could potentially be due to TCP keep-alive for the upstream DNS connection. I've fixed it a couple of times and I haven't seen the issue for a long time but couldn't hurt to rule that one out too. run sniproxy in debug log and see if there's any EOF or use of closed pipe errors popping up.

[prooshani]

I will test that.

[prooshani]

DoH stopped working with this recent commit.

SNI proxy log:

level=ERROR msg="Finished parsing the Extension block without finding an SN block" service=https
level=WARN msg="dns: bad rdata" service=https

DNS Client log:
Error! The SSL connection could not be established, see inner exception. Received an unexpected EOF or 0 bytes from the transport stream.

If I choose DNS Upstream rather than https type, tcp or udp for example, the output logs are:

SNI Proxy log:
invalid DNS type "" in upstream ""
DNS Client Log:
Error! Response status code does not indicate success: 503 (Service Unavailable).

[mosajjal]

made some changes in DoQ, DoH and ACLs. it should be more stable now. check plese :)

[holygrolli]

thanks for you work @mosajjal
I try to run my setup with v2.0.0-alpha3 but I am kind of lost with the setup.

First: the very basic setup seems to work! I query sniproxy on port 53 for netflix.com and get successfull level=INFO msg="returned sniproxy address for domain" service=dns fqdn=netflix.com.
I can also curl it and get a log level=INFO msg="establishing connection" service=https remote=54.170.196.176:443 source=xx.xx.xx.xx:61663 host=netflix.com.

Here are my issues:

1. I set log_level: debug and get no debug logs, for example no info about connecting through my configured socks5 (but it works, see above)
2. I provided a domain list containing only two domains. But I always get the ip of sniproxy returned no matter what domain I configured

see here my config:

general:
  # Upsteam DNS URI. examples: Upstream DNS URI. examples: udp://1.1.1.1:53, tcp://1.1.1.1:53, tcp-tls://1.1.1.1:853, https://dns.google/dns-query
  upstream_dns: udp://8.8.8.8:53
  # Use a SOCKS proxy for upstream HTTP/HTTPS traffic. Example: socks5://admin:
  upstream_socks5: socks5://100.80.14.76:1080
  # DNS Port to listen on. Should remain 53 in most cases
  bind_dns_over_udp: "0.0.0.0:53"
  # enable DNS over TCP. empty disables it. example: "127.0.0.1:53"
  bind_dns_over_tcp:
  # enable DNS over TLS. empty disables it. example: "127.0.0.1:853"
  bind_dns_over_tls:
  # enable DNS over QUIC. empty disables it. example: "127.0.0.1:8853"
  bind_dns_over_quic:
  # Path to the certificate for DoH, DoT and DoQ. eg: /tmp/mycert.pem
  tls_cert:
  # Path to the certificate key for DoH, DoT and DoQ. eg: /tmp/mycert.key
  tls_key:
  # HTTP Port to listen on. Should remain 80 in most cases
  bind_http: "0.0.0.0:80"
  # HTTPS Port to listen on. Should remain 443 in most cases
  bind_https: "0.0.0.0:443"
  # Enable prometheus endpoint on IP:PORT. example: 127.0.0.1:8080. Always exposes /metrics and only supports HTTP
  bind_prometheus:
  # Interface used for outbound TLS connections. uses OS prefered one if empty
  interface:
  # Public IPv4 of the server, reply address of DNS A queries
  public_ipv4:
  # Public IPv6 of the server, reply address of DNS AAAA queries
  public_ipv6:
  # log level for the application. choices: debug, info, warn, error
  log_level: debug

acl:
  geoip:
    enabled: false
    priority: 10
    # strictly blocked countries
    blocked:
    # allowed countries
    allowed:
    # Path to the MMDB file. eg: /tmp/Country.mmdb, https://raw.githubusercontent.com/Loyalsoldier/geoip/release/Country.mmdb
    path:
    # Interval to re-fetch the MMDB file
    refresh_interval: 24h0m0s
  # domain filtering
  domain:
    enabled: true # false means ALL domains will be allowed to go through the proxy
    # priority of the domain filter. lower priority means it's checked first. if multiple filters have the same priority, they're checked in random order
    priority: 20
    # Path to the domain list. eg: /tmp/domainlist.csv. Look at the example file for the format.
    path: /root/sniproxy/domains.csv
    # Interval to re-fetch the domain list
    refresh_interval: 0h2m0s
  # IP/CIDR filtering
  cidr:
    enabled: false
    # priority of the cidr filter. lower priority means it's checked first. if multiple filters have the same priority, they're checked in random order
    priority: 30
    # Path to the CIDR list. eg: /tmp/cidr.csv. Look at the example file for the format.
    path:
    # Interval to re-fetch the domain list
    refresh_interval: 1h0m0s
  # FQDN override. This ACL is used to override the destination IP to not be the one resolved by the upstream DNS or the proxy itself, rather a custom IP and port
  # if the destination is HTTP, it uses tls_cert and tls_key certificate to terminate the original connection.
  override:
    enabled: false
    # priority of the override filter. lower priority means it's checked first. if multiple filters have the same priority, they're checked in random order
    priority: 40

the domain.csv only contains two entries:

netflix.com.,suffix
netflix.de,suffix

any ideas?

[mosajjal]

that's for checking @holygrolli!

both issues acknowledged. in the latest commit (which is not a release yet) the DNS issue is fixed. as for the logging, I'm thinking of changing the logging platform back to a more standard one that doesn't have so many issues. planning to release 2.0.0-beta1 this week. both issues should be fixed by then.

[mosajjal]

let's close this and continue over at #45. please make sure you're using the latest version!