Add support for client IP address encryption

Author: jedisct1

dnscrypt-proxy/common.go

@@ -190,6 +190,15 @@ func ExtractClientIPStr(pluginsState *PluginsState) (string, bool) {
 	}
 }
 
+// ExtractClientIPStrEncrypted extracts and optionally encrypts client IP string
+func ExtractClientIPStrEncrypted(pluginsState *PluginsState, ipCryptConfig *IPCryptConfig) (string, bool) {
+	ipStr, ok := ExtractClientIPStr(pluginsState)
+	if !ok || ipCryptConfig == nil {
+		return ipStr, ok
+	}
+	return ipCryptConfig.EncryptIPString(ipStr), ok
+}
+
 // FormatLogLine formats a log line based on the specified format (tsv or ltsv)
 func FormatLogLine(format, clientIP, qName, reason string, additionalFields ...string) (string, error) {
 	if format == "tsv" {

dnscrypt-proxy/config.go

@@ -105,6 +105,7 @@ type Config struct {
 	DoHClientX509AuthLegacy  DoHClientX509AuthConfig     `toml:"tls_client_auth"`
 	DNS64                    DNS64Config                 `toml:"dns64"`
 	EDNSClientSubnet         []string                    `toml:"edns_client_subnet"`
+	IPEncryption             IPEncryptionConfig          `toml:"ip_encryption"`
 }
 
 func newConfig() Config {
@@ -291,6 +292,11 @@ type DNS64Config struct {
 	Resolvers []string `toml:"resolver"`
 }
 
+type IPEncryptionConfig struct {
+	Key       string `toml:"key"`
+	Algorithm string `toml:"algorithm"`
+}
+
 type CaptivePortalsConfig struct {
 	MapFile string `toml:"map_file"`
 }
@@ -443,6 +449,11 @@ func ConfigLoad(proxy *Proxy, flags *ConfigFlags) error {
 	// Configure DNS64
 	configureDNS64(proxy, &config)
 
+	// Configure IP encryption
+	if err := configureIPEncryption(proxy, &config); err != nil {
+		return err
+	}
+
 	// Configure source restrictions
 	configureSourceRestrictions(proxy, flags, &config)
 
@@ -538,6 +549,19 @@ func configureDNS64(proxy *Proxy, config *Config) {
 	proxy.dns64Resolvers = config.DNS64.Resolvers
 }
 
+// configureIPEncryption - Helper function for IP encryption
+func configureIPEncryption(proxy *Proxy, config *Config) error {
+	ipCryptConfig, err := NewIPCryptConfig(
+		config.IPEncryption.Key,
+		config.IPEncryption.Algorithm,
+	)
+	if err != nil {
+		return fmt.Errorf("IP encryption configuration error: %w", err)
+	}
+	proxy.ipCryptConfig = ipCryptConfig
+	return nil
+}
+
 func (config *Config) printRegisteredServers(proxy *Proxy, jsonOutput bool, includeRelays bool) error {
 	var summary []ServerSummary
 	if includeRelays {

dnscrypt-proxy/example-dnscrypt-proxy.toml

@@ -949,6 +949,36 @@ skip_incompatible = false
 # resolver = ['[2606:4700:4700::64]:53', '[2001:4860:4860::64]:53']
 
 
+###############################################################################
+#                           IP Encryption                                      #
+###############################################################################
+
+[ip_encryption]
+
+## Encrypt client IP addresses in plugin logs using IPCrypt
+## This provides privacy for client IP addresses while maintaining
+## the ability to distinguish between different clients in logs
+
+## Encryption algorithm (default: "none")
+## - "none": No encryption (default)
+## - "ipcrypt-deterministic": Deterministic encryption (same IP always encrypts to same value) - requires 16-byte key
+## - "ipcrypt-nd": Non-deterministic encryption with 8-byte tweak - requires 16-byte key
+## - "ipcrypt-ndx": Non-deterministic encryption with 16-byte tweak (extended) - requires 32-byte key
+
+algorithm = "none"
+
+## Encryption key in hexadecimal format (required if algorithm is not "none")
+## Key size depends on algorithm:
+## - ipcrypt-deterministic: 32 hex chars (16 bytes) - Generate with: openssl rand -hex 16
+## - ipcrypt-nd: 32 hex chars (16 bytes) - Generate with: openssl rand -hex 16
+## - ipcrypt-ndx: 64 hex chars (32 bytes) - Generate with: openssl rand -hex 32
+## Example for deterministic/nd: key = "1234567890abcdef1234567890abcdef"
+## Example for ndx: key = "1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef"
+## IMPORTANT: Keep this key secret and store it securely
+
+# key = ""
+
+
 ###############################################################################
 #                            Monitoring UI                                     #
 ###############################################################################

dnscrypt-proxy/plugin_allow_ip.go

@@ -15,6 +15,7 @@ type PluginAllowedIP struct {
 	allowedIPs      map[string]interface{}
 	logger          io.Writer
 	format          string
+	ipCryptConfig   *IPCryptConfig
 
 	// Hot-reloading support
 	rwLock          sync.RWMutex
@@ -50,6 +51,7 @@ func (plugin *PluginAllowedIP) Init(proxy *Proxy) error {
 	}
 
 	plugin.logger, plugin.format = InitializePluginLogger(proxy.allowedIPLogFile, proxy.allowedIPFormat, proxy.logMaxSize, proxy.logMaxAge, proxy.logMaxBackups)
+	plugin.ipCryptConfig = proxy.ipCryptConfig
 
 	return nil
 }
@@ -169,7 +171,7 @@ func (plugin *PluginAllowedIP) Eval(pluginsState *PluginsState, msg *dns.Msg) er
 		pluginsState.sessionData["whitelisted"] = true
 		if plugin.logger != nil {
 			qName := pluginsState.qName
-			clientIPStr, ok := ExtractClientIPStr(pluginsState)
+			clientIPStr, ok := ExtractClientIPStrEncrypted(pluginsState, plugin.ipCryptConfig)
 			if !ok {
 				// Ignore internal flow.
 				return nil

dnscrypt-proxy/plugin_allow_name.go

@@ -14,6 +14,7 @@ type PluginAllowName struct {
 	patternMatcher  *PatternMatcher
 	logger          io.Writer
 	format          string
+	ipCryptConfig   *IPCryptConfig
 
 	// Hot-reloading support
 	rwLock         sync.RWMutex
@@ -47,6 +48,7 @@ func (plugin *PluginAllowName) Init(proxy *Proxy) error {
 	}
 
 	plugin.logger, plugin.format = InitializePluginLogger(proxy.allowNameLogFile, proxy.allowNameFormat, proxy.logMaxSize, proxy.logMaxAge, proxy.logMaxBackups)
+	plugin.ipCryptConfig = proxy.ipCryptConfig
 
 	return nil
 }
@@ -153,7 +155,7 @@ func (plugin *PluginAllowName) Eval(pluginsState *PluginsState, msg *dns.Msg) er
 	if allowList {
 		pluginsState.sessionData["whitelisted"] = true
 		if plugin.logger != nil {
-			clientIPStr, ok := ExtractClientIPStr(pluginsState)
+			clientIPStr, ok := ExtractClientIPStrEncrypted(pluginsState, plugin.ipCryptConfig)
 			if !ok {
 				// Ignore internal flow.
 				return nil

dnscrypt-proxy/plugin_block_ip.go

@@ -15,6 +15,7 @@ type PluginBlockIP struct {
 	blockedIPs      map[string]interface{}
 	logger          io.Writer
 	format          string
+	ipCryptConfig   *IPCryptConfig
 
 	// Hot-reloading support
 	rwLock          sync.RWMutex
@@ -50,6 +51,7 @@ func (plugin *PluginBlockIP) Init(proxy *Proxy) error {
 	}
 
 	plugin.logger, plugin.format = InitializePluginLogger(proxy.blockIPLogFile, proxy.blockIPFormat, proxy.logMaxSize, proxy.logMaxAge, proxy.logMaxBackups)
+	plugin.ipCryptConfig = proxy.ipCryptConfig
 
 	return nil
 }
@@ -174,7 +176,7 @@ func (plugin *PluginBlockIP) Eval(pluginsState *PluginsState, msg *dns.Msg) erro
 		pluginsState.returnCode = PluginsReturnCodeReject
 		if plugin.logger != nil {
 			qName := pluginsState.qName
-			clientIPStr, ok := ExtractClientIPStr(pluginsState)
+			clientIPStr, ok := ExtractClientIPStrEncrypted(pluginsState, plugin.ipCryptConfig)
 			if !ok {
 				// Ignore internal flow.
 				return nil

dnscrypt-proxy/plugin_block_name.go

@@ -14,6 +14,7 @@ type BlockedNames struct {
 	patternMatcher  *PatternMatcher
 	logger          io.Writer
 	format          string
+	ipCryptConfig   *IPCryptConfig
 }
 
 const aliasesLimit = 8
@@ -44,7 +45,7 @@ func (blockedNames *BlockedNames) check(pluginsState *PluginsState, qName string
 	pluginsState.action = PluginsActionReject
 	pluginsState.returnCode = PluginsReturnCodeReject
 	if blockedNames.logger != nil {
-		clientIPStr, ok := ExtractClientIPStr(pluginsState)
+		clientIPStr, ok := ExtractClientIPStrEncrypted(pluginsState, blockedNames.ipCryptConfig)
 		if !ok {
 			// Ignore internal flow.
 			return false, nil
@@ -86,6 +87,7 @@ func (plugin *PluginBlockName) Init(proxy *Proxy) error {
 	xBlockedNames := BlockedNames{
 		allWeeklyRanges: proxy.allWeeklyRanges,
 		patternMatcher:  NewPatternMatcher(),
+		ipCryptConfig:   proxy.ipCryptConfig,
 	}
 
 	if err := plugin.loadRules(lines, &xBlockedNames); err != nil {

dnscrypt-proxy/plugin_nx_log.go

@@ -4,16 +4,16 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"net"
 	"time"
 
 	"github.com/jedisct1/dlog"
 	"github.com/miekg/dns"
 )
 
 type PluginNxLog struct {
-	logger io.Writer
-	format string
+	logger        io.Writer
+	format        string
+	ipCryptConfig *IPCryptConfig
 }
 
 func (plugin *PluginNxLog) Name() string {
@@ -27,6 +27,7 @@ func (plugin *PluginNxLog) Description() string {
 func (plugin *PluginNxLog) Init(proxy *Proxy) error {
 	plugin.logger = Logger(proxy.logMaxSize, proxy.logMaxAge, proxy.logMaxBackups, proxy.nxLogFile)
 	plugin.format = proxy.nxLogFormat
+	plugin.ipCryptConfig = proxy.ipCryptConfig
 
 	return nil
 }
@@ -43,13 +44,8 @@ func (plugin *PluginNxLog) Eval(pluginsState *PluginsState, msg *dns.Msg) error
 	if msg.Rcode != dns.RcodeNameError {
 		return nil
 	}
-	var clientIPStr string
-	switch pluginsState.clientProto {
-	case "udp":
-		clientIPStr = (*pluginsState.clientAddr).(*net.UDPAddr).IP.String()
-	case "tcp", "local_doh":
-		clientIPStr = (*pluginsState.clientAddr).(*net.TCPAddr).IP.String()
-	default:
+	clientIPStr, ok := ExtractClientIPStrEncrypted(pluginsState, plugin.ipCryptConfig)
+	if !ok {
 		// Ignore internal flow.
 		return nil
 	}

dnscrypt-proxy/plugin_query_log.go

@@ -4,7 +4,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"net"
 	"strings"
 	"time"
 
@@ -16,6 +15,7 @@ type PluginQueryLog struct {
 	logger        io.Writer
 	format        string
 	ignoredQtypes []string
+	ipCryptConfig *IPCryptConfig
 }
 
 func (plugin *PluginQueryLog) Name() string {
@@ -30,6 +30,7 @@ func (plugin *PluginQueryLog) Init(proxy *Proxy) error {
 	plugin.logger = Logger(proxy.logMaxSize, proxy.logMaxAge, proxy.logMaxBackups, proxy.queryLogFile)
 	plugin.format = proxy.queryLogFormat
 	plugin.ignoredQtypes = proxy.queryLogIgnoredQtypes
+	plugin.ipCryptConfig = proxy.ipCryptConfig
 
 	return nil
 }
@@ -43,13 +44,8 @@ func (plugin *PluginQueryLog) Reload() error {
 }
 
 func (plugin *PluginQueryLog) Eval(pluginsState *PluginsState, msg *dns.Msg) error {
-	var clientIPStr string
-	switch pluginsState.clientProto {
-	case "udp":
-		clientIPStr = (*pluginsState.clientAddr).(*net.UDPAddr).IP.String()
-	case "tcp", "local_doh":
-		clientIPStr = (*pluginsState.clientAddr).(*net.TCPAddr).IP.String()
-	default:
+	clientIPStr, ok := ExtractClientIPStrEncrypted(pluginsState, plugin.ipCryptConfig)
+	if !ok {
 		// Ignore internal flow.
 		return nil
 	}

dnscrypt-proxy/proxy.go

@@ -106,6 +106,7 @@ type Proxy struct {
 	SourceDoH                     bool
 	SourceODoH                    bool
 	listenersMu                   sync.Mutex
+	ipCryptConfig                 *IPCryptConfig
 }
 
 func (proxy *Proxy) registerUDPListener(conn *net.UDPConn) {