On 2017/11/08 16:53, Vinícius Zavam wrote: > " -R, --resolver-name=<name>: name of the resolver to use, from the > list of available resolvers (see -L). Or random for a random > resolver accessible over IPv4, that doesn't log and supports > DNSSEC "
> Index: net/dnscrypt-proxy/Makefile > =================================================================== > RCS file: /cvs/ports/net/dnscrypt-proxy/Makefile,v > retrieving revision 1.31 > diff -u -a -r1.31 Makefile > --- net/dnscrypt-proxy/Makefile 2 Aug 2017 09:32:40 -0000 1.31 > +++ net/dnscrypt-proxy/Makefile 8 Nov 2017 16:39:28 -0000 
> @@ -4,14 +4,15 @@ > COMMENT-plugins= example plugins for dnscrypt-proxy > > V= 1.9.5 > +REVISION-main= 1 start with 0 > + > DISTNAME= dnscrypt-proxy-${V} > PKGNAME-main= dnscrypt-proxy-${V} > PKGNAME-plugins= dnscrypt-proxy-plugins-${V} > > CATEGORIES= net > > -MASTER_SITES= https://download.dnscrypt.org/dnscrypt-proxy/ \ > - https://download.dnscrypt.org/dnscrypt-proxy/old/ > +MASTER_SITES= https://download.dnscrypt.org/dnscrypt-proxy/ don't remove this, it's harmless for now, and keeps the port working in the future if 1.9.5 moves to old/. > -DNSCrypt does _not_ cache queries, so the recommended way to use it is > -as a forwarder for a DNS cache like Unbound. The following unbound.conf > -example may be used as a guideline: > +DNSCrypt does _not_ cache queries, so the recommended way to use it is to > forward > +queries and combine it with any DNS caching software like Unbound. > +The following unbound.conf example may be used as a guideline: original line-wrapping flows better. > server: > - interface: 127.0.0.1 > - interface: 192.168.1.1 # additional addresses to listen on > - access-control: 192.168.1.0/24 allow # who's allowed to make queries > + interface: 127.0.0.1 > + # interface: 192.168.1.1 # additional addresses to > listen on > + # access-control: 192.168.1.0/24 allow # who's allowed to make queries > do-not-query-localhost: no > - hide-identity: yes > - hide-version: yes > + hide-identity: yes > + hide-version: yes > > forward-zone: > name: "." > - forward-addr: 127.0.0.1@40 > - #forward-addr: 127.0.0.1@41 # example failover server, see below > + forward-addr: 127.0.0.1@5301 > + # forward-addr: 127.0.0.1@5302 # example failover server, > see below needless shuffling of whitespace. is there a particular reason to change ports? > A list of resolvers providing DNSCrypt service is available at > ${TRUEPREFIX}/share/dnscrypt-proxy/dnscrypt-resolvers.csv. 
> -Choose one (there is no default) and configure it, for example: > +This package picks a random resolver from its resolvers list. A random > resolver > +supposedly doesn't keep logs, and supports DNSSEC, says the manpage. > + > +If you want to configure ${FULLPKGNAME} with a custom resolver, here is an > example: > > rcctl enable dnscrypt_proxy > -rcctl set dnscrypt_proxy flags -E -m1 -R dnscrypt.eu-nl -a 127.0.0.1:40 > +rcctl set dnscrypt_proxy flags -E -m1 -R random -a 127.0.0.1:5301 the old one was an example of using a custom resolver - the new one is an example of using a random resolver. > rcctl start dnscrypt_proxy > > The dnscrypt-proxy utility does not support failover resolvers; as described > @@ -43,7 +46,8 @@ > > ln -s dnscrypt_proxy /etc/rc.d/dnscrypt_proxy2 > rcctl enable dnscrypt_proxy2 > -rcctl set dnscrypt_proxy2 flags -E -m1 -R dnscrypt.eu-dk -a 127.0.0.1:41 > +rcctl set dnscrypt_proxy2 flags -E -m1 -R random -a 127.0.0.1:5302 > rcctl start dnscrypt_proxy2 > > For more information, see https://dnscrypt.org/ > + needless whitespace at eol. > Index: net/dnscrypt-proxy/pkg/dnscrypt_proxy.rc > =================================================================== > RCS file: /cvs/ports/net/dnscrypt-proxy/pkg/dnscrypt_proxy.rc,v > retrieving revision 1.3 > diff -u -a -r1.3 dnscrypt_proxy.rc > --- net/dnscrypt-proxy/pkg/dnscrypt_proxy.rc 4 Feb 2016 14:29:25 -0000 > 1.3 > +++ net/dnscrypt-proxy/pkg/dnscrypt_proxy.rc 8 Nov 2017 16:39:28 -0000 
> @@ -4,6 +4,10 @@ > > daemon="${TRUEPREFIX}/sbin/dnscrypt-proxy -d --user=_dnscrypt-proxy" > > +# defaults to use a random resolver; > +# supposedly doesn't keep logs, and supports DNSSEC. > +daemon_flags="-R random" > + > . /etc/rc.d/rc.subr > > rc_reload=NO I don't think we should do this. Better if it's a conscious decision as whoever you're resolving from is in a very trusted position. The only change along these lines that I'd consider is adding a mention of "-R random" in the README as an alternative to selecting a specific resolver..
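Review bot: In the net/dnscrypt-proxy/Makefile hunk (@@ -4,14 +4,15 @@), the MASTER_SITES change drops the "https://download.dnscrypt.org/dnscrypt-proxy/old/" entry, which is unrelated to the resolver change in the rest of the patch and removes the only alternate fetch location listed. Keep both MASTER_SITES lines so that the REVISION-main addition is the only Makefile change.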
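Review bot: In the README hunk that rewrites the unbound.conf example and the first rcctl example, the listener moves from 127.0.0.1:40 to 127.0.0.1:5301 (and from 41 to 5302 for the failover), which takes it out of the reserved range below 1024 that only root can bind. On a multi-user host an unprivileged local process could then occupy 5301 whenever dnscrypt-proxy is not running, and Unbound's "forward-addr: 127.0.0.1@5301" would forward queries to it. Keep ports 40 and 41 unless there is a stated reason to move, and if they do move, change forward-addr and the -a flags together so the two examples stay consistent.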
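Review bot: In the README hunk at @@ -43,7 +46,8 @@, the dnscrypt_proxy2 failover instance is switched to "-R random" as well, so nothing in the example keeps the primary and the failover from ending up on the same resolver, which undercuts the failover setup the surrounding text describes. Keep a named resolver for at least the second instance (the original used dnscrypt.eu-dk), and drop the blank line added after "For more information, see https://dnscrypt.org/".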
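Review bot: In the pkg/dnscrypt_proxy.rc hunk, setting daemon_flags="-R random" makes the resolver choice implicit for anyone who only runs "rcctl enable dnscrypt_proxy", while the README text this patch replaces said "Choose one (there is no default)". The added comment itself hedges with "supposedly doesn't keep logs", so the no-logging property is not something a package default can promise. Leave daemon_flags unset here and document "-R random" in the README as an opt-in alternative to naming a resolver.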