qdm12 · Jul 11, 2023
diff --git a/‎.github/labels.yml
+1-1 b/‎.github/labels.yml
+1-1
diff --git a/‎Dockerfile
+2-6 b/‎Dockerfile
+2-6
diff --git a/‎README.md
-1 b/‎README.md
-1
diff --git a/‎cmd/gluetun/main.go
+2-16 b/‎cmd/gluetun/main.go
+2-16
diff --git a/‎go.mod
+14-4 b/‎go.mod
+14-4
diff --git a/‎go.sum
+373-68 b/‎go.sum
+373-68
diff --git a/‎internal/configuration/settings/dnsblacklist.go
+11-9 b/‎internal/configuration/settings/dnsblacklist.go
+11-9
diff --git a/‎internal/configuration/settings/settings_test.go
+2-9 b/‎internal/configuration/settings/settings_test.go
+2-9
diff --git a/‎internal/configuration/settings/unbound.go
+16-128 b/‎internal/configuration/settings/unbound.go
+16-128
diff --git a/‎internal/configuration/settings/unbound_test.go
+4-15 b/‎internal/configuration/settings/unbound_test.go
+4-15
diff --git a/‎internal/configuration/sources/env/unbound.go
-15 b/‎internal/configuration/sources/env/unbound.go
-15
diff --git a/‎internal/constants/colors.go
-4 b/‎internal/constants/colors.go
-4
diff --git a/‎internal/dns/interfaces.go
-15 b/‎internal/dns/interfaces.go
-15
diff --git a/‎internal/dns/logger.go
+5-1 b/‎internal/dns/logger.go
+5-1
diff --git a/‎internal/dns/logs.go
-75 b/‎internal/dns/logs.go
-75
diff --git a/‎internal/dns/logs_test.go
-48 b/‎internal/dns/logs_test.go
-48
diff --git a/‎internal/dns/loop.go
+9-7 b/‎internal/dns/loop.go
+9-7
diff --git a/‎internal/dns/plaintext.go
+23-24 b/‎internal/dns/plaintext.go
+23-24
diff --git a/‎internal/dns/run.go
+13-18 b/‎internal/dns/run.go
+13-18
diff --git a/‎internal/dns/settings.go
+33 b/‎internal/dns/settings.go
+33
diff --git a/‎internal/dns/setup.go
+29-33 b/‎internal/dns/setup.go
+29-33
diff --git a/‎internal/dns/ticker.go
+1-1 b/‎internal/dns/ticker.go
+1-1
diff --git a/‎internal/dns/update.go
+24-20 b/‎internal/dns/update.go
+24-20
@@ -104,7 +104,7 @@
 - name: "Wireguard"
   color: "ffc7ea"
   description: ""
-- name: "Unbound (DNS over TLS)"
+- name: "DNS"
   color: "ffc7ea"
   description: ""
 - name: "Firewall"
 
@@ -151,9 +151,6 @@ ENV VPN_SERVICE_PROVIDER=pia \
     DOT=on \
     DOT_PROVIDERS=cloudflare \
     DOT_PRIVATE_ADDRESS=127.0.0.1/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,::1/128,fc00::/7,fe80::/10,::ffff:7f00:1/104,::ffff:a00:0/104,::ffff:a9fe:0/112,::ffff:ac10:0/108,::ffff:c0a8:0/112 \
-    DOT_VERBOSITY=1 \
-    DOT_VERBOSITY_DETAILS=0 \
-    DOT_VALIDATION_LOGLEVEL=0 \
     DOT_CACHING=on \
     DOT_IPV6=off \
     BLOCK_MALICIOUS=on \
@@ -207,12 +204,11 @@ RUN apk add --no-cache --update -l wget && \
     apk add --no-cache --update -X "https://dl-cdn.alpinelinux.org/alpine/v3.17/main" openvpn\~2.5 && \
     mv /usr/sbin/openvpn /usr/sbin/openvpn2.5 && \
     apk del openvpn && \
-    apk add --no-cache --update openvpn ca-certificates iptables ip6tables unbound tzdata && \
+    apk add --no-cache --update openvpn ca-certificates iptables ip6tables tzdata && \
     mv /usr/sbin/openvpn /usr/sbin/openvpn2.6 && \
     # Fix vulnerability issue
     apk add --no-cache --update busybox && \
-    rm -rf /var/cache/apk/* /etc/unbound/* /usr/sbin/unbound-* /etc/openvpn/*.sh /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so && \
+    rm -rf /var/cache/apk/* /etc/openvpn/*.sh /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so && \
     deluser openvpn && \
-    deluser unbound && \
     mkdir /gluetun
 COPY --from=build /tmp/gobuild/entrypoint /gluetun-entrypoint
@@ -75,7 +75,6 @@ Lightweight swiss-knife-like VPN client to multiple VPN service providers
 - Compatible with amd64, i686 (32 bit), **ARM** 64 bit, ARM 32 bit v6 and v7, and even ppc64le 🎆
 - [Custom VPN server side port forwarding for Private Internet Access](https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/private-internet-access.md#vpn-server-port-forwarding)
 - Possibility of split horizon DNS by selecting multiple DNS over TLS providers
-- Unbound subprogram drops root privileges once launched
 - Can work as a Kubernetes sidecar container, thanks @rorph
 
 ## Setup
 
@@ -13,7 +13,6 @@ import (
 	_ "time/tzdata"
 
 	_ "github.com/breml/rootcerts"
-	"github.com/qdm12/dns/pkg/unbound"
 	"github.com/qdm12/gluetun/internal/alpine"
 	"github.com/qdm12/gluetun/internal/cli"
 	"github.com/qdm12/gluetun/internal/configuration/settings"
@@ -51,7 +50,6 @@ import (
 	"github.com/qdm12/goshutdown/order"
 	"github.com/qdm12/gosplash"
 	"github.com/qdm12/log"
-	"github.com/qdm12/updated/pkg/dnscrypto"
 )
 
 //nolint:gochecknoglobals
@@ -257,16 +255,11 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
 	ovpnConf := openvpn.New(
 		logger.New(log.SetComponent("openvpn configurator")),
 		cmder, puid, pgid)
-	dnsCrypto := dnscrypto.New(httpClient, "", "")
-	const cacertsPath = "/etc/ssl/certs/ca-certificates.crt"
-	dnsConf := unbound.NewConfigurator(nil, cmder, dnsCrypto,
-		"/etc/unbound", "/usr/sbin/unbound", cacertsPath)
 
 	err = printVersions(ctx, logger, []printVersionElement{
 		{name: "Alpine", getVersion: alpineConf.Version},
 		{name: "OpenVPN 2.5", getVersion: ovpnConf.Version25},
 		{name: "OpenVPN 2.6", getVersion: ovpnConf.Version26},
-		{name: "Unbound", getVersion: dnsConf.Version},
 		{name: "IPtables", getVersion: func(ctx context.Context) (version string, err error) {
 			return firewall.Version(ctx, cmder)
 		}},
@@ -296,15 +289,8 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
 	if nonRootUsername != defaultUsername {
 		logger.Info("using existing username " + nonRootUsername + " corresponding to user id " + fmt.Sprint(puid))
 	}
-	// set it for Unbound
-	// TODO remove this when migrating to qdm12/dns v2
-	allSettings.DNS.DoT.Unbound.Username = nonRootUsername
 	allSettings.VPN.OpenVPN.ProcessUser = nonRootUsername
 
-	if err := os.Chown("/etc/unbound", puid, pgid); err != nil {
-		return err
-	}
-
 	if err := routingConf.Setup(); err != nil {
 		if strings.Contains(err.Error(), "operation not permitted") {
 			logger.Warn("💡 Tip: Are you passing NET_ADMIN capability to gluetun?")
@@ -382,10 +368,10 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
 	go portForwardLooper.Run(portForwardCtx, portForwardDone)
 
 	unboundLogger := logger.New(log.SetComponent("dns over tls"))
-	unboundLooper := dns.NewLoop(dnsConf, allSettings.DNS, httpClient,
+	unboundLooper := dns.NewLoop(allSettings.DNS, httpClient,
 		unboundLogger)
 	dnsHandler, dnsCtx, dnsDone := goshutdown.NewGoRoutineHandler(
-		"unbound", goroutine.OptionTimeout(defaultShutdownTimeout))
+		"dns", goroutine.OptionTimeout(defaultShutdownTimeout))
 	// wait for unboundLooper.Restart or its ticker launched with RunRestartTicker
 	go unboundLooper.Run(dnsCtx, dnsDone)
 	otherGroupHandler.Add(dnsHandler)
 
@@ -6,16 +6,15 @@ require (
 	github.com/breml/rootcerts v0.2.11
 	github.com/fatih/color v1.15.0
 	github.com/golang/mock v1.6.0
-	github.com/qdm12/dns v1.11.0
-	github.com/qdm12/golibs v0.0.0-20210822203818-5c568b0777b6
+	github.com/qdm12/dns/v2 v2.0.0-rc3
+	github.com/qdm12/golibs v0.0.0-20210915134941-19815c6f95fe
 	github.com/qdm12/gosettings v0.4.0-rc1
 	github.com/qdm12/goshutdown v0.3.0
 	github.com/qdm12/gosplash v0.1.0
 	github.com/qdm12/gotree v0.2.0
 	github.com/qdm12/govalid v0.2.0-rc1
 	github.com/qdm12/log v0.1.0
 	github.com/qdm12/ss-server v0.5.0-rc1
-	github.com/qdm12/updated v0.0.0-20210603204757-205acfe6937e
 	github.com/stretchr/testify v1.8.4
 	github.com/vishvananda/netlink v1.2.1-beta.2
 	github.com/youmark/pkcs8 v0.0.0-20201027041543-1326539a0a0a
@@ -28,24 +27,35 @@ require (
 )
 
 require (
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.1.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/golang/protobuf v1.4.3 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/josharian/native v1.0.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.17 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
 	github.com/mdlayher/genetlink v1.2.0 // indirect
 	github.com/mdlayher/netlink v1.6.2 // indirect
 	github.com/mdlayher/socket v0.2.3 // indirect
-	github.com/miekg/dns v1.1.40 // indirect
+	github.com/miekg/dns v1.1.54 // indirect
 	github.com/mr-tron/base58 v1.2.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/prometheus/client_golang v1.10.0 // indirect
+	github.com/prometheus/client_model v0.2.0 // indirect
+	github.com/prometheus/common v0.18.0 // indirect
+	github.com/prometheus/procfs v0.6.0 // indirect
 	github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3 // indirect
 	github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae // indirect
 	go4.org/intern v0.0.0-20211027215823-ae77deb06f29 // indirect
 	go4.org/unsafe/assume-no-moving-gc v0.0.0-20230221090011-e4bae7ad2296 // indirect
 	golang.org/x/crypto v0.11.0 // indirect
 	golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 // indirect
+	golang.org/x/mod v0.8.0 // indirect
 	golang.org/x/sync v0.1.0 // indirect
+	golang.org/x/tools v0.6.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
+	google.golang.org/protobuf v1.23.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
@@ -3,10 +3,11 @@ package settings
 import (
 	"errors"
 	"fmt"
+	"net/http"
 	"net/netip"
 	"regexp"
 
-	"github.com/qdm12/dns/pkg/blacklist"
+	"github.com/qdm12/dns/v2/pkg/blockbuilder"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gotree"
 )
@@ -83,16 +84,17 @@ func (b *DNSBlacklist) overrideWith(other DNSBlacklist) {
 	b.AddBlockedIPPrefixes = gosettings.OverrideWithSlice(b.AddBlockedIPPrefixes, other.AddBlockedIPPrefixes)
 }
 
-func (b DNSBlacklist) ToBlacklistFormat() (settings blacklist.BuilderSettings, err error) {
-	return blacklist.BuilderSettings{
-		BlockMalicious:       *b.BlockMalicious,
-		BlockAds:             *b.BlockAds,
-		BlockSurveillance:    *b.BlockSurveillance,
+func (b DNSBlacklist) ToBlockBuilderSettings(client *http.Client) (
+	settings blockbuilder.Settings) {
+	return blockbuilder.Settings{
+		BlockMalicious:       b.BlockMalicious,
+		BlockAds:             b.BlockAds,
+		BlockSurveillance:    b.BlockSurveillance,
 		AllowedHosts:         b.AllowedHosts,
 		AddBlockedHosts:      b.AddBlockedHosts,
-		AddBlockedIPs:        netipAddressesToNetaddrIPs(b.AddBlockedIPs),
-		AddBlockedIPPrefixes: netipPrefixesToNetaddrIPPrefixes(b.AddBlockedIPPrefixes),
-	}, nil
+		AddBlockedIPs:        b.AddBlockedIPs,
+		AddBlockedIPPrefixes: b.AddBlockedIPPrefixes,
+	}
 }
 
 func (b DNSBlacklist) String() string {
 
@@ -43,18 +43,11 @@ func Test_Settings_String(t *testing.T) {
 |   └── DNS over TLS settings:
 |       ├── Enabled: yes
 |       ├── Update period: every 24h0m0s
-|       ├── Unbound settings:
+|       ├── DNS over TLS settings:
 |       |   ├── Authoritative servers:
 |       |   |   └── Cloudflare
 |       |   ├── Caching: yes
-|       |   ├── IPv6: no
-|       |   ├── Verbosity level: 1
-|       |   ├── Verbosity details level: 0
-|       |   ├── Validation log level: 0
-|       |   ├── System user: root
-|       |   └── Allowed networks:
-|       |       ├── 0.0.0.0/0
-|       |       └── ::/0
+|       |   └── IPv6: no
 |       └── DNS filtering settings:
 |           ├── Block malicious: yes
 |           ├── Block ads: no
 
@@ -2,62 +2,28 @@ package settings
 
 import (
 	"errors"
-	"fmt"
 	"net/netip"
 
-	"github.com/qdm12/dns/pkg/provider"
-	"github.com/qdm12/dns/pkg/unbound"
+	"github.com/qdm12/dns/v2/pkg/provider"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gotree"
 )
 
 // Unbound is settings for the Unbound program.
 type Unbound struct {
-	Providers             []string       `json:"providers"`
-	Caching               *bool          `json:"caching"`
-	IPv6                  *bool          `json:"ipv6"`
-	VerbosityLevel        *uint8         `json:"verbosity_level"`
-	VerbosityDetailsLevel *uint8         `json:"verbosity_details_level"`
-	ValidationLogLevel    *uint8         `json:"validation_log_level"`
-	Username              string         `json:"username"`
-	Allowed               []netip.Prefix `json:"allowed"`
+	Providers []string `json:"providers"`
+	Caching   *bool    `json:"caching"`
+	IPv6      *bool    `json:"ipv6"`
 }
 
 func (u *Unbound) setDefaults() {
-	if len(u.Providers) == 0 {
-		u.Providers = []string{
-			provider.Cloudflare().String(),
-		}
-	}
-
+	u.Providers = gosettings.DefaultSlice(u.Providers, []string{
+		provider.Cloudflare().Name,
+	})
 	u.Caching = gosettings.DefaultPointer(u.Caching, true)
 	u.IPv6 = gosettings.DefaultPointer(u.IPv6, false)
-
-	const defaultVerbosityLevel = 1
-	u.VerbosityLevel = gosettings.DefaultPointer(u.VerbosityLevel, defaultVerbosityLevel)
-
-	const defaultVerbosityDetailsLevel = 0
-	u.VerbosityDetailsLevel = gosettings.DefaultPointer(u.VerbosityDetailsLevel, defaultVerbosityDetailsLevel)
-
-	const defaultValidationLogLevel = 0
-	u.ValidationLogLevel = gosettings.DefaultPointer(u.ValidationLogLevel, defaultValidationLogLevel)
-
-	if u.Allowed == nil {
-		u.Allowed = []netip.Prefix{
-			netip.PrefixFrom(netip.AddrFrom4([4]byte{}), 0),
-			netip.PrefixFrom(netip.AddrFrom16([16]byte{}), 0),
-		}
-	}
-
-	u.Username = gosettings.DefaultString(u.Username, "root")
 }
 
-var (
-	ErrUnboundVerbosityLevelNotValid        = errors.New("Unbound verbosity level is not valid")
-	ErrUnboundVerbosityDetailsLevelNotValid = errors.New("Unbound verbosity details level is not valid")
-	ErrUnboundValidationLogLevelNotValid    = errors.New("Unbound validation log level is not valid")
-)
-
 func (u Unbound) validate() (err error) {
 	for _, s := range u.Providers {
 		_, err := provider.Parse(s)
@@ -66,120 +32,51 @@ func (u Unbound) validate() (err error) {
 		}
 	}
 
-	const maxVerbosityLevel = 5
-	if *u.VerbosityLevel > maxVerbosityLevel {
-		return fmt.Errorf("%w: %d must be between 0 and %d",
-			ErrUnboundVerbosityLevelNotValid,
-			*u.VerbosityLevel,
-			maxVerbosityLevel)
-	}
-
-	const maxVerbosityDetailsLevel = 4
-	if *u.VerbosityDetailsLevel > maxVerbosityDetailsLevel {
-		return fmt.Errorf("%w: %d must be between 0 and %d",
-			ErrUnboundVerbosityDetailsLevelNotValid,
-			*u.VerbosityDetailsLevel,
-			maxVerbosityDetailsLevel)
-	}
-
-	const maxValidationLogLevel = 2
-	if *u.ValidationLogLevel > maxValidationLogLevel {
-		return fmt.Errorf("%w: %d must be between 0 and %d",
-			ErrUnboundValidationLogLevelNotValid,
-			*u.ValidationLogLevel, maxValidationLogLevel)
-	}
-
 	return nil
 }
 
 func (u Unbound) copy() (copied Unbound) {
 	return Unbound{
-		Providers:             gosettings.CopySlice(u.Providers),
-		Caching:               gosettings.CopyPointer(u.Caching),
-		IPv6:                  gosettings.CopyPointer(u.IPv6),
-		VerbosityLevel:        gosettings.CopyPointer(u.VerbosityLevel),
-		VerbosityDetailsLevel: gosettings.CopyPointer(u.VerbosityDetailsLevel),
-		ValidationLogLevel:    gosettings.CopyPointer(u.ValidationLogLevel),
-		Username:              u.Username,
-		Allowed:               gosettings.CopySlice(u.Allowed),
+		Providers: gosettings.CopySlice(u.Providers),
+		Caching:   gosettings.CopyPointer(u.Caching),
+		IPv6:      gosettings.CopyPointer(u.IPv6),
 	}
 }
 
 func (u *Unbound) mergeWith(other Unbound) {
 	u.Providers = gosettings.MergeWithSlice(u.Providers, other.Providers)
 	u.Caching = gosettings.MergeWithPointer(u.Caching, other.Caching)
 	u.IPv6 = gosettings.MergeWithPointer(u.IPv6, other.IPv6)
-	u.VerbosityLevel = gosettings.MergeWithPointer(u.VerbosityLevel, other.VerbosityLevel)
-	u.VerbosityDetailsLevel = gosettings.MergeWithPointer(u.VerbosityDetailsLevel, other.VerbosityDetailsLevel)
-	u.ValidationLogLevel = gosettings.MergeWithPointer(u.ValidationLogLevel, other.ValidationLogLevel)
-	u.Username = gosettings.MergeWithString(u.Username, other.Username)
-	u.Allowed = gosettings.MergeWithSlice(u.Allowed, other.Allowed)
 }
 
 func (u *Unbound) overrideWith(other Unbound) {
 	u.Providers = gosettings.OverrideWithSlice(u.Providers, other.Providers)
 	u.Caching = gosettings.OverrideWithPointer(u.Caching, other.Caching)
 	u.IPv6 = gosettings.OverrideWithPointer(u.IPv6, other.IPv6)
-	u.VerbosityLevel = gosettings.OverrideWithPointer(u.VerbosityLevel, other.VerbosityLevel)
-	u.VerbosityDetailsLevel = gosettings.OverrideWithPointer(u.VerbosityDetailsLevel, other.VerbosityDetailsLevel)
-	u.ValidationLogLevel = gosettings.OverrideWithPointer(u.ValidationLogLevel, other.ValidationLogLevel)
-	u.Username = gosettings.OverrideWithString(u.Username, other.Username)
-	u.Allowed = gosettings.OverrideWithSlice(u.Allowed, other.Allowed)
-}
-
-func (u Unbound) ToUnboundFormat() (settings unbound.Settings, err error) {
-	providers := make([]provider.Provider, len(u.Providers))
-	for i := range providers {
-		providers[i], err = provider.Parse(u.Providers[i])
-		if err != nil {
-			return settings, err
-		}
-	}
-
-	const port = 53
-
-	return unbound.Settings{
-		ListeningPort:         port,
-		IPv4:                  true,
-		Providers:             providers,
-		Caching:               *u.Caching,
-		IPv6:                  *u.IPv6,
-		VerbosityLevel:        *u.VerbosityLevel,
-		VerbosityDetailsLevel: *u.VerbosityDetailsLevel,
-		ValidationLogLevel:    *u.ValidationLogLevel,
-		AccessControl: unbound.AccessControlSettings{
-			Allowed: netipPrefixesToNetaddrIPPrefixes(u.Allowed),
-		},
-		Username: u.Username,
-	}, nil
 }
 
 var (
 	ErrConvertingNetip = errors.New("converting net.IP to netip.Addr failed")
 )
 
-func (u Unbound) GetFirstPlaintextIPv4() (ipv4 netip.Addr, err error) {
+func (u Unbound) GetFirstPlaintextIPv4() (ipv4 netip.Addr) {
 	s := u.Providers[0]
 	provider, err := provider.Parse(s)
 	if err != nil {
-		return ipv4, err
+		// Settings should be validated before calling this function,
+		// so an error happening here is a programming error.
+		panic(err)
 	}
 
-	ip := provider.DNS().IPv4[0]
-	ipv4, ok := netip.AddrFromSlice(ip)
-	if !ok {
-		return ipv4, fmt.Errorf("%w: for ip %s (%#v)",
-			ErrConvertingNetip, ip, ip)
-	}
-	return ipv4.Unmap(), nil
+	return provider.DNS.IPv4[0]
 }
 
 func (u Unbound) String() string {
 	return u.toLinesNode().String()
 }
 
 func (u Unbound) toLinesNode() (node *gotree.Node) {
-	node = gotree.New("Unbound settings:")
+	node = gotree.New("DNS over TLS settings:")
 
 	authServers := node.Appendf("Authoritative servers:")
 	for _, provider := range u.Providers {
@@ -188,15 +85,6 @@ func (u Unbound) toLinesNode() (node *gotree.Node) {
 
 	node.Appendf("Caching: %s", gosettings.BoolToYesNo(u.Caching))
 	node.Appendf("IPv6: %s", gosettings.BoolToYesNo(u.IPv6))
-	node.Appendf("Verbosity level: %d", *u.VerbosityLevel)
-	node.Appendf("Verbosity details level: %d", *u.VerbosityDetailsLevel)
-	node.Appendf("Validation log level: %d", *u.ValidationLogLevel)
-	node.Appendf("System user: %s", u.Username)
-
-	allowedNetworks := node.Appendf("Allowed networks:")
-	for _, network := range u.Allowed {
-		allowedNetworks.Appendf(network.String())
-	}
 
 	return node
 }
@@ -2,7 +2,6 @@ package settings
 
 import (
 	"encoding/json"
-	"net/netip"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -13,25 +12,15 @@ func Test_Unbound_JSON(t *testing.T) {
 	t.Parallel()
 
 	settings := Unbound{
-		Providers:             []string{"cloudflare"},
-		Caching:               boolPtr(true),
-		IPv6:                  boolPtr(false),
-		VerbosityLevel:        uint8Ptr(1),
-		VerbosityDetailsLevel: nil,
-		ValidationLogLevel:    uint8Ptr(0),
-		Username:              "user",
-		Allowed: []netip.Prefix{
-			netip.PrefixFrom(netip.AddrFrom4([4]byte{}), 0),
-			netip.PrefixFrom(netip.AddrFrom16([16]byte{}), 0),
-		},
+		Providers: []string{"cloudflare"},
+		Caching:   boolPtr(true),
+		IPv6:      boolPtr(false),
 	}
 
 	b, err := json.Marshal(settings)
 	require.NoError(t, err)
 
-	const expected = `{"providers":["cloudflare"],"caching":true,"ipv6":false,` +
-		`"verbosity_level":1,"verbosity_details_level":null,"validation_log_level":0,` +
-		`"username":"user","allowed":["0.0.0.0/0","::/0"]}`
+	const expected = `{"providers":["cloudflare"],"caching":true,"ipv6":false}`
 
 	assert.Equal(t, expected, string(b))
 
 
@@ -17,20 +17,5 @@ func (s *Source) readUnbound() (unbound settings.Unbound, err error) {
 		return unbound, err
 	}
 
-	unbound.VerbosityLevel, err = s.env.Uint8Ptr("DOT_VERBOSITY")
-	if err != nil {
-		return unbound, err
-	}
-
-	unbound.VerbosityDetailsLevel, err = s.env.Uint8Ptr("DOT_VERBOSITY_DETAILS")
-	if err != nil {
-		return unbound, err
-	}
-
-	unbound.ValidationLogLevel, err = s.env.Uint8Ptr("DOT_VALIDATION_LOGLEVEL")
-	if err != nil {
-		return unbound, err
-	}
-
 	return unbound, nil
 }
@@ -2,10 +2,6 @@ package constants
 
 import "github.com/fatih/color"
 
-func ColorUnbound() *color.Color {
-	return color.New(color.FgCyan)
-}
-
 func ColorOpenvpn() *color.Color {
 	return color.New(color.FgHiMagenta)
 }
@@ -3,6 +3,10 @@ package dns
 type Logger interface {
 	Debug(s string)
 	Info(s string)
-	Warn(s string)
+	Warner
 	Error(s string)
 }
+
+type Warner interface {
+	Warn(s string)
+}
@@ -5,7 +5,8 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/qdm12/dns/pkg/blacklist"
+	"github.com/qdm12/dns/v2/pkg/dot"
+	"github.com/qdm12/dns/v2/pkg/filter/mapfilter"
 	"github.com/qdm12/gluetun/internal/configuration/settings"
 	"github.com/qdm12/gluetun/internal/constants"
 	"github.com/qdm12/gluetun/internal/dns/state"
@@ -16,9 +17,9 @@ import (
 type Loop struct {
 	statusManager *loopstate.State
 	state         *state.State
-	conf          Configurator
+	server        *dot.Server
+	filter        *mapfilter.Filter
 	resolvConf    string
-	blockBuilder  blacklist.Builder
 	client        *http.Client
 	logger        Logger
 	userTrigger   bool
@@ -34,23 +35,24 @@ type Loop struct {
 
 const defaultBackoffTime = 10 * time.Second
 
-func NewLoop(conf Configurator, settings settings.DNS,
+func NewLoop(settings settings.DNS,
 	client *http.Client, logger Logger) *Loop {
 	start := make(chan struct{})
 	running := make(chan models.LoopStatus)
 	stop := make(chan struct{})
 	stopped := make(chan struct{})
 	updateTicker := make(chan struct{})
-
 	statusManager := loopstate.New(constants.Stopped, start, running, stop, stopped)
 	state := state.New(statusManager, settings, updateTicker)
 
+	filter := mapfilter.New(mapfilter.Settings{})
+
 	return &Loop{
 		statusManager: statusManager,
 		state:         state,
-		conf:          conf,
+		server:        nil,
+		filter:        filter,
 		resolvConf:    "/etc/resolv.conf",
-		blockBuilder:  blacklist.NewBuilder(client),
 		client:        client,
 		logger:        logger,
 		userTrigger:   true,
 
@@ -2,44 +2,43 @@ package dns
 
 import (
 	"net/netip"
+	"time"
 
-	"github.com/qdm12/dns/pkg/nameserver"
+	"github.com/qdm12/dns/v2/pkg/nameserver"
 )
 
 func (l *Loop) useUnencryptedDNS(fallback bool) {
 	settings := l.GetSettings()
 
 	// Try with user provided plaintext ip address
-	// if it's not 127.0.0.1 (default for DoT)
-	targetIP := settings.ServerAddress
-	if targetIP.Compare(netip.AddrFrom4([4]byte{127, 0, 0, 1})) != 0 {
-		if fallback {
-			l.logger.Info("falling back on plaintext DNS at address " + targetIP.String())
-		} else {
-			l.logger.Info("using plaintext DNS at address " + targetIP.String())
-		}
-		nameserver.UseDNSInternally(targetIP.AsSlice())
-		err := nameserver.UseDNSSystemWide(l.resolvConf, targetIP.AsSlice(), *settings.KeepNameserver)
-		if err != nil {
-			l.logger.Error(err.Error())
-		}
-		return
-	}
-
-	// Use first plaintext DNS IPv4 address
-	targetIP, err := settings.DoT.Unbound.GetFirstPlaintextIPv4()
-	if err != nil {
-		// Unbound should always have a default provider
-		panic(err)
+	// if it's not 127.0.0.1 (default for DoT), otherwise
+	// use the first DoT provider ipv4 address found.
+	var targetIP netip.Addr
+	if settings.ServerAddress.Compare(netip.AddrFrom4([4]byte{127, 0, 0, 1})) != 0 {
+		targetIP = settings.ServerAddress
+	} else {
+		targetIP = settings.DoT.Unbound.GetFirstPlaintextIPv4()
 	}
 
 	if fallback {
 		l.logger.Info("falling back on plaintext DNS at address " + targetIP.String())
 	} else {
 		l.logger.Info("using plaintext DNS at address " + targetIP.String())
 	}
-	nameserver.UseDNSInternally(targetIP.AsSlice())
-	err = nameserver.UseDNSSystemWide(l.resolvConf, targetIP.AsSlice(), *settings.KeepNameserver)
+
+	const dialTimeout = 3 * time.Second
+	settingsInternalDNS := nameserver.SettingsInternalDNS{
+		IP:      targetIP,
+		Timeout: dialTimeout,
+	}
+	nameserver.UseDNSInternally(settingsInternalDNS)
+
+	settingsSystemWide := nameserver.SettingsSystemDNS{
+		IP:             targetIP,
+		ResolvPath:     l.resolvConf,
+		KeepNameserver: *settings.KeepNameserver,
+	}
+	err := nameserver.UseDNSSystemWide(settingsSystemWide)
 	if err != nil {
 		l.logger.Error(err.Error())
 	}
 
@@ -23,13 +23,11 @@ func (l *Loop) Run(ctx context.Context, done chan<- struct{}) {
 	for ctx.Err() == nil {
 		// Upper scope variables for Unbound only
 		// Their values are to be used if DOT=off
-		waitError := make(chan error)
-		unboundCancel := func() { waitError <- nil }
-		closeStreams := func() {}
+		var runError <-chan error
 
 		for *l.GetSettings().DoT.Enabled {
 			var err error
-			unboundCancel, waitError, closeStreams, err = l.setupUnbound(ctx)
+			runError, err = l.setupUnbound(ctx)
 			if err == nil {
 				l.backoffTime = defaultBackoffTime
 				l.logger.Info("ready")
@@ -43,7 +41,7 @@ func (l *Loop) Run(ctx context.Context, done chan<- struct{}) {
 				return
 			}
 
-			if !errors.Is(err, errUpdateFiles) {
+			if !errors.Is(err, errUpdateBlockLists) {
 				const fallback = true
 				l.useUnencryptedDNS(fallback)
 			}
@@ -61,30 +59,27 @@ func (l *Loop) Run(ctx context.Context, done chan<- struct{}) {
 		for stayHere {
 			select {
 			case <-ctx.Done():
-				unboundCancel()
-				<-waitError
-				close(waitError)
-				closeStreams()
+				stopErr := l.server.Stop()
+				if stopErr != nil {
+					l.logger.Error("stopping DoT server: " + stopErr.Error())
+				}
+				// TODO revert OS and Go nameserver when exiting
 				return
 			case <-l.stop:
 				l.userTrigger = true
 				l.logger.Info("stopping")
 				const fallback = false
 				l.useUnencryptedDNS(fallback)
-				unboundCancel()
-				<-waitError
-				// do not close waitError or the waitError
-				// select case will trigger
-				closeStreams()
+				err := l.server.Stop()
+				if err != nil {
+					l.logger.Error("stopping DoT server: " + err.Error())
+				}
 				l.stopped <- struct{}{}
 			case <-l.start:
 				l.userTrigger = true
 				l.logger.Info("starting")
 				stayHere = false
-			case err := <-waitError: // unexpected error
-				closeStreams()
-
-				unboundCancel()
+			case err := <-runError: // unexpected error
 				l.statusManager.SetStatus(constants.Crashed)
 				const fallback = true
 				l.useUnencryptedDNS(fallback)
 
@@ -3,6 +3,11 @@ package dns
 import (
 	"context"
 
+	"github.com/qdm12/dns/v2/pkg/cache"
+	"github.com/qdm12/dns/v2/pkg/cache/lru"
+	"github.com/qdm12/dns/v2/pkg/dot"
+	"github.com/qdm12/dns/v2/pkg/filter/mapfilter"
+	"github.com/qdm12/dns/v2/pkg/provider"
 	"github.com/qdm12/gluetun/internal/configuration/settings"
 )
 
@@ -12,3 +17,31 @@ func (l *Loop) SetSettings(ctx context.Context, settings settings.DNS) (
 	outcome string) {
 	return l.state.SetSettings(ctx, settings)
 }
+
+func buildDoTSettings(settings settings.DNS,
+	filter *mapfilter.Filter, warner Warner) (
+	dotSettings dot.ServerSettings) {
+	var cache cache.Interface
+	if *settings.DoT.Unbound.Caching {
+		cache = lru.New(lru.Settings{})
+	}
+	providers := make([]provider.Provider, len(settings.DoT.Unbound.Providers))
+	for i := range settings.DoT.Unbound.Providers {
+		var err error
+		providers[i], err = provider.Parse(settings.DoT.Unbound.Providers[i])
+		if err != nil {
+			panic(err) // this should already been checked
+		}
+	}
+
+	return dot.ServerSettings{
+		Resolver: dot.ResolverSettings{
+			DoTProviders: settings.DoT.Unbound.Providers,
+			DNSProviders: settings.DoT.Unbound.Providers,
+			IPv6:         *settings.DoT.Unbound.IPv6,
+			Warner:       warner,
+		},
+		Filter: filter,
+		Cache:  cache,
+	}
+}
@@ -4,59 +4,55 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"net"
 
-	"github.com/qdm12/dns/pkg/check"
-	"github.com/qdm12/dns/pkg/nameserver"
+	"github.com/qdm12/dns/v2/pkg/check"
+	"github.com/qdm12/dns/v2/pkg/dot"
+	"github.com/qdm12/dns/v2/pkg/nameserver"
 )
 
-var errUpdateFiles = errors.New("cannot update files")
+var errUpdateBlockLists = errors.New("cannot update filter block lists")
 
-// Returning cancel == nil signals we want to re-run setupUnbound
-// Returning err == errUpdateFiles signals we should not fall back
-// on the plaintext DNS as DOT is still up and running.
-func (l *Loop) setupUnbound(ctx context.Context) (
-	cancel context.CancelFunc, waitError chan error, closeStreams func(), err error) {
+func (l *Loop) setupUnbound(ctx context.Context) (runError <-chan error, err error) {
 	err = l.updateFiles(ctx)
 	if err != nil {
-		return nil, nil, nil,
-			fmt.Errorf("%w: %s", errUpdateFiles, err)
+		return nil, fmt.Errorf("%w: %w", errUpdateBlockLists, err)
 	}
 
 	settings := l.GetSettings()
 
-	unboundCtx, cancel := context.WithCancel(context.Background())
-	stdoutLines, stderrLines, waitError, err := l.conf.Start(unboundCtx,
-		*settings.DoT.Unbound.VerbosityDetailsLevel)
+	dotSettings := buildDoTSettings(settings, l.filter, l.logger)
+	server, err := dot.NewServer(dotSettings)
 	if err != nil {
-		cancel()
-		return nil, nil, nil, err
+		return nil, fmt.Errorf("creating DoT server: %w", err)
 	}
 
-	linesCollectionCtx, linesCollectionCancel := context.WithCancel(context.Background())
-	lineCollectionDone := make(chan struct{})
-	go l.collectLines(linesCollectionCtx, lineCollectionDone,
-		stdoutLines, stderrLines)
-	closeStreams = func() {
-		linesCollectionCancel()
-		<-lineCollectionDone
+	runError, err = server.Start()
+	if err != nil {
+		return nil, fmt.Errorf("starting server: %w", err)
 	}
+	l.server = server
 
 	// use Unbound
-	nameserver.UseDNSInternally(settings.ServerAddress.AsSlice())
-	err = nameserver.UseDNSSystemWide(l.resolvConf, settings.ServerAddress.AsSlice(),
-		*settings.KeepNameserver)
+	nameserver.UseDNSInternally(nameserver.SettingsInternalDNS{
+		IP: settings.ServerAddress,
+	})
+	err = nameserver.UseDNSSystemWide(nameserver.SettingsSystemDNS{
+		IP:             settings.ServerAddress,
+		ResolvPath:     l.resolvConf,
+		KeepNameserver: *settings.KeepNameserver,
+	})
 	if err != nil {
 		l.logger.Error(err.Error())
 	}
 
-	if err := check.WaitForDNS(ctx, net.DefaultResolver); err != nil {
-		cancel()
-		<-waitError
-		close(waitError)
-		closeStreams()
-		return nil, nil, nil, err
+	err = check.WaitForDNS(ctx, check.Settings{})
+	if err != nil {
+		stopErr := l.server.Stop()
+		if stopErr != nil {
+			l.logger.Error("stopping DoT server: " + stopErr.Error())
+		}
+		return nil, err
 	}
 
-	return cancel, waitError, closeStreams, nil
+	return runError, nil
 }
@@ -34,7 +34,7 @@ func (l *Loop) RunRestartTicker(ctx context.Context, done chan<- struct{}) {
 				if err := l.updateFiles(ctx); err != nil {
 					l.statusManager.SetStatus(constants.Crashed)
 					l.logger.Error(err.Error())
-					l.logger.Warn("skipping Unbound restart due to failed files update")
+					l.logger.Warn("skipping DNS server restart due to failed files update")
 					continue
 				}
 			}
 
@@ -1,35 +1,39 @@
 package dns
 
-import "context"
+import (
+	"context"
+	"fmt"
+
+	"github.com/qdm12/dns/v2/pkg/blockbuilder"
+	"github.com/qdm12/dns/v2/pkg/filter/update"
+)
 
 func (l *Loop) updateFiles(ctx context.Context) (err error) {
-	l.logger.Info("downloading DNS over TLS cryptographic files")
-	if err := l.conf.SetupFiles(ctx); err != nil {
-		return err
-	}
 	settings := l.GetSettings()
 
-	unboundSettings, err := settings.DoT.Unbound.ToUnboundFormat()
-	if err != nil {
-		return err
+	l.logger.Info("downloading hostnames and IP block lists")
+	blacklistSettings := settings.DoT.Blacklist.ToBlockBuilderSettings(l.client)
+
+	blockBuilder := blockbuilder.New(blacklistSettings)
+	result := blockBuilder.BuildAll(ctx)
+	for _, resultErr := range result.Errors {
+		if err != nil {
+			err = fmt.Errorf("%w, %w", err, resultErr)
+			continue
+		}
+		err = resultErr
 	}
 
-	l.logger.Info("downloading hostnames and IP block lists")
-	blacklistSettings, err := settings.DoT.Blacklist.ToBlacklistFormat()
 	if err != nil {
 		return err
 	}
 
-	blockedHostnames, blockedIPs, blockedIPPrefixes, errs :=
-		l.blockBuilder.All(ctx, blacklistSettings)
-	for _, err := range errs {
-		l.logger.Warn(err.Error())
+	updateSettings := update.Settings{
+		IPs:        result.BlockedIPs,
+		IPPrefixes: result.BlockedIPPrefixes,
 	}
+	updateSettings.BlockHostnames(result.BlockedHostnames)
+	l.filter.Update(updateSettings)
 
-	// TODO change to BlockHostnames() when migrating to qdm12/dns v2
-	unboundSettings.Blacklist.FqdnHostnames = blockedHostnames
-	unboundSettings.Blacklist.IPs = blockedIPs
-	unboundSettings.Blacklist.IPPrefixes = blockedIPPrefixes
-
-	return l.conf.MakeUnboundConf(unboundSettings)
+	return nil
 }
Original file line number	Diff line number	Diff line change
`@@ -2,10 +2,6 @@ package constants`
`2`	`2`
`3`	`3`	`import "github.com/fatih/color"`
`4`	`4`
`5`		`-func ColorUnbound() *color.Color {`
`6`		`- return color.New(color.FgCyan)`
`7`		`-}`
`8`		`-`
`9`	`5`	`func ColorOpenvpn() *color.Color {`
`10`	`6`	`return color.New(color.FgHiMagenta)`
`11`	`7`	`}`
Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ func (l *Loop) RunRestartTicker(ctx context.Context, done chan<- struct{}) {`
`34`	`34`	`if err := l.updateFiles(ctx); err != nil {`
`35`	`35`	`l.statusManager.SetStatus(constants.Crashed)`
`36`	`36`	`l.logger.Error(err.Error())`
`37`		`- l.logger.Warn("skipping Unbound restart due to failed files update")`
	`37`	`+ l.logger.Warn("skipping DNS server restart due to failed files update")`
`38`	`38`	`continue`
`39`	`39`	`}`
`40`	`40`	`}`