netblue30 / fdns

Firejail DNS-over-HTTPS Proxy Server


Add a way to update /etc/servers

rusty-snake opened this issue · comments

In this regard it makes me wonder if separately releasing an updated server file is a useful feature to add to fdns - if possible.

As long as the format didn't change, it's a simple wget/curl. We could add it like sudo fdns --update-server-list.

Much better way to implement it indeed!

From: #55 (comment)


AA prevents writing to /etc/fdns:

/etc/fdns/** r,

The guys at dnscrypt (https://github.com/DNSCrypt/dnscrypt-resolvers/tree/master/v3) are running something based on public/private key for their lists. Probably they keep the list on github and the private key is embedded in the program. I'll look into it.

They use minisign and reference a cache file / minisign key in their configuration file tying things together. Quite nice actually.
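How a minisign-style signed list update could look end to end, as an added example that is neither fdns code nor dnscrypt-proxy's: the list maintainer signs the server file offline with an Ed25519 key whose public half is embedded in the program, and the client fetches the file plus a detached signature, checks the algorithm tag and key id, verifies the signature over a Blake2b-512 prehash of the file (minisign's "ED" mode; the untrusted/trusted comment lines and global signature of real .minisig files are left out here), and only then swaps the file into place. Everything below is assumed: the function names (keypair, sign, verify, publish_list, verify_list, fetch_and_install), the 8-byte key id, the seed, and the sample list content. The Ed25519 arithmetic follows the public-domain reference implementation so the example runs with the standard library alone; it is slow and not constant-time, which is fine for verifying on the client but not for a production signer.

```python
import hashlib
import os

# Ed25519 after the public-domain reference implementation: slow and not
# constant-time, which is acceptable for a verifier but not for a production signer.
Q = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
D = -121665 * pow(121666, Q - 2, Q) % Q
I = pow(2, (Q - 1) // 4, Q)

def _xrecover(y):  # the even square root x of x^2 = (y^2 - 1) / (d*y^2 + 1)
    xx = (y * y - 1) * pow(D * y * y + 1, Q - 2, Q)
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q:
        x = x * I % Q
    return Q - x if x & 1 else x

def _add(P, R):  # affine twisted-Edwards point addition
    (x1, y1), (x2, y2) = P, R
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + t, Q - 2, Q) % Q,
            (y1 * y2 + x1 * x2) * pow(1 - t, Q - 2, Q) % Q)

def _mul(P, e):  # scalar multiplication by double-and-add
    R = (0, 1)
    for bit in bin(e)[2:]:
        R = _add(R, R)
        if bit == "1":
            R = _add(R, P)
    return R

def _encode(P):  # 32 bytes: y little-endian with the parity of x in the top bit
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")

def _decode(s):
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = _xrecover(y)
    if (x & 1) != (s[31] >> 7):
        x = Q - x
    if (-x * x + y * y - 1 - D * x * x * y * y) % Q:
        raise ValueError("point not on curve")
    return x, y

BY = 4 * pow(5, Q - 2, Q) % Q
BASE = (_xrecover(BY), BY)

def keypair(seed):  # 32 secret bytes -> (clamped scalar, nonce prefix, public key)
    h = hashlib.sha512(seed).digest()
    a = (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)
    return a, h[32:], _encode(_mul(BASE, a))

def sign(seed, msg):
    a, prefix, pk = keypair(seed)
    r = int.from_bytes(hashlib.sha512(prefix + msg).digest(), "little") % L
    R = _encode(_mul(BASE, r))
    k = int.from_bytes(hashlib.sha512(R + pk + msg).digest(), "little")
    return R + ((r + k * a) % L).to_bytes(32, "little")

def verify(pk, msg, sig):
    if len(sig) != 64:
        return False
    try:
        R, A = _decode(sig[:32]), _decode(pk)
    except ValueError:
        return False
    S = int.from_bytes(sig[32:], "little")
    k = int.from_bytes(hashlib.sha512(sig[:32] + pk + msg).digest(), "little")
    return S < L and _mul(BASE, S) == _add(R, _mul(A, k))

# minisign-style framing (assumed here; comment lines and global signature left out):
# b"ED" = Ed25519 over a Blake2b-512 prehash, then an 8-byte key id, then the signature.
def _prehash(data):
    return hashlib.blake2b(data, digest_size=64).digest()

def publish_list(seed, key_id, server_list):  # maintainer side, run offline
    return b"ED" + key_id + sign(seed, _prehash(server_list))

def verify_list(pk, key_id, server_list, blob):  # client side
    return (len(blob) == 74 and blob[:2] == b"ED" and blob[2:10] == key_id
            and verify(pk, _prehash(server_list), blob[10:]))

def fetch_and_install(fetch, pk, key_id, dest):
    """fetch() stands in for the two HTTPS downloads; dest changes only on success."""
    server_list, blob = fetch()
    if not verify_list(pk, key_id, server_list, blob):
        return False
    tmp = dest + ".tmp"
    with open(tmp, "wb") as f:
        f.write(server_list)
    os.replace(tmp, dest)  # atomic: the old list stays intact until the new one is whole
    return True
```

A client call would look like fetch_and_install(download, EMBEDDED_PK, EMBEDDED_KEY_ID, "/etc/fdns/servers") with download returning the two fetched byte strings; since the signature, not the transport, authenticates the list, the download can come from any mirror, but the AppArmor rule quoted above would still have to allow the write to /etc/fdns.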

The way we do it today: we start the proxy and test servers from the list at random in the geographical zone where the proxy is located (Asia-Pacific, Americas, Europe). We find two servers working, and pick the fastest one. If the first one responds in under 80 ms and it has a keepalive timer of 110 seconds or higher, we don't bother with the second one.

So far we have:

  • Europe: 99 servers
  • Americas: 40 servers
  • Asia-Pacific: 35 servers

The numbers are still going up. We can survive if for any reason half the servers are down. At any time some of them are broken, usually expired SSL certificates - it takes them a few days to come back.

I guess the model is the one from the Tor network. They have thousands of exit nodes (most exit nodes are resolving DNS locally). I don't know how they download the initial list. I assume the list is never stored on the client computer. They also have very good geolocation for the client - the package is tor-geoipdb in Debian.

So let's keep this open for now, hopefully the number of servers goes up and we just update the list from time to time.
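The selection rule described in the comment above (random order within the zone, at most two working servers measured, second probe skipped when the first is under 80 ms with a keepalive of at least 110 s), as an added example that is not fdns's own code: pick_server and make_probe are assumed names, the server names and zones are a constructed list, and probe() stands in for the real HTTPS query and timing. Returning None for a broken server models the expired-certificate case, which is what the redundancy in the list is for.

```python
import random

FAST_MS, LONG_KEEPALIVE_S = 80, 110  # thresholds quoted in the comment above

# Constructed sample list: (name, zone).  The real /etc/fdns/servers carries more fields.
SERVERS = [
    ("eu-a", "Europe"), ("eu-b", "Europe"), ("eu-c", "Europe"),
    ("am-a", "Americas"), ("am-b", "Americas"),
    ("ap-a", "Asia-Pacific"), ("ap-b", "Asia-Pacific"),
]

def pick_server(servers, zone, probe, rng=None):
    """Return (name, latency_ms) for the chosen server in zone, or None if none works.

    probe(name) -> (latency_ms, keepalive_s), or None if the server is broken
    (expired certificate, down, ...).  Servers are tried in random order; at most
    two working ones are measured, and the second probe is skipped when the first
    is fast and keeps the connection open long enough.
    """
    if rng is None:
        rng = random.Random()
    candidates = [name for name, z in servers if z == zone]
    rng.shuffle(candidates)
    working = []  # (latency_ms, name) of servers that answered
    for name in candidates:
        result = probe(name)
        if result is None:
            continue  # broken server: move on, the list is sized to survive this
        latency, keepalive = result
        working.append((latency, name))
        if len(working) == 1 and latency < FAST_MS and keepalive >= LONG_KEEPALIVE_S:
            break  # good enough, don't bother probing a second one
        if len(working) == 2:
            break
    if not working:
        return None
    latency, name = min(working)  # fastest of the working servers measured
    return name, latency

def make_probe(table):
    """Stand-in for the real HTTPS query: table maps name -> (latency, keepalive) or None.

    Returns the probe function and a list that records which servers were probed,
    so the cost of the selection can be checked as well as its result.
    """
    calls = []
    def probe(name):
        calls.append(name)
        return table.get(name)  # missing or None entries are broken servers
    return probe, calls
```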