Update readme

Dockerfile

@@ -1,35 +1,41 @@
 FROM ubuntu:latest as smartdns-builder
 LABEL previous-stage=smartdns-builder
-COPY . /smartdns/
+
+# prepare builder
+ARG OPENSSL_VER=1.1.1f
 RUN apt update && \
-    apt install -y perl wget make musl-tools musl-dev && \
-    OPENSSL_VER=1.1.1f && \
-    mkdir /build -p && \
+    apt install -y perl curl make musl-tools musl-dev && \
     ln -s /usr/include/linux /usr/include/$(uname -m)-linux-musl && \
     ln -s /usr/include/asm-generic /usr/include/$(uname -m)-linux-musl && \
     ln -s /usr/include/$(uname -m)-linux-gnu/asm /usr/include/$(uname -m)-linux-musl && \
-    cd /build && \
-    wget http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_${OPENSSL_VER}.orig.tar.gz && \
-    tar xf openssl_${OPENSSL_VER}.orig.tar.gz && \
-    cd openssl-${OPENSSL_VER} && \
+    \
+    mkdir -p /build/openssl && \
+    cd /build/openssl && \
+    curl -sSL http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_${OPENSSL_VER}.orig.tar.gz | tar --strip-components=1 -zxv && \
+    \
     export CC=musl-gcc && \
     if [ "$(uname -m)" = "aarch64" ]; then \
         ./config --prefix=/opt/build no-tests -mno-outline-atomics ; \
     else \ 
-        ./config --prefix=/opt/build no-tests; \
+        ./config --prefix=/opt/build no-tests ; \
     fi && \
     make all -j8 && make install_sw && \
-    cd /smartdns && \
+    cd / && rm -rf /build
+
+# do make
+COPY . /build/smartdns/
+RUN cd /build/smartdns && \
+    export CC=musl-gcc && \
     export CFLAGS="-I /opt/build/include" && \
     export LDFLAGS="-L /opt/build/lib" && \
     sh ./package/build-pkg.sh --platform linux --arch `dpkg --print-architecture` --static && \
-    mkdir /release -p && \
-    cd /smartdns/package && tar xf *.tar.gz && \
-    cp /smartdns/package/smartdns/etc /release/ -a && \
-    cp /smartdns/package/smartdns/usr /release/ -a && \
-    chmod +x /release/etc/init.d/smartdns && \
-    mkdir /release/var/log/ /release/var/run/ -p && \
-    rm -fr /build /smartdns
+    \
+    ( cd package && tar -xvf *.tar.gz && chmod a+x smartdns/etc/init.d/smartdns ) && \
+    \
+    mkdir -p /release/var/log /release/var/run && \
+    cp package/smartdns/etc /release/ -a && \
+    cp package/smartdns/usr /release/ -a && \
+    cd / && rm -rf /build
 
 FROM busybox:latest
 COPY --from=smartdns-builder /release/ /

ReadMe.md

@@ -548,6 +548,8 @@ rtt min/avg/max/mdev = 5.954/6.133/6.313/0.195 ms
 
 ## 配置文件说明
 
+配置建议：**smartdns默认已设置为最优模式，适合大部分场景的DNS查询体验改善，一般情况只需要增加上游服务器地址即可，无需做其他配置修改；如有其他配置修改，请务必了解其用途，避免修改后起到反作用。**
+
 | 键名 | 功能说明 | 默认值 | 可用值/要求 | 举例 |
 | :--- | :--- | :--- | :--- | :--- |
 | server-name | DNS 服务器名称 | 操作系统主机名 / smartdns | 符合主机名规格的字符串 | server-name smartdns |
@@ -576,6 +578,7 @@ rtt min/avg/max/mdev = 5.954/6.133/6.313/0.195 ms
 | server-tls | 上游 TLS DNS | 无 | 可重复。<br>[ip][:port]：服务器 IP:端口（可选)<br>[-spki-pin [sha256-pin]]：TLS 合法性校验 SPKI 值，base64 编码的 sha256 SPKI pin 值<br>[-host-name]：TLS SNI 名称<br>[-tls-host-verify]：TLS 证书主机名校验<br> [-no-check-certificate]：跳过证书校验<br>[-blacklist-ip]：配置 IP 过滤结果<br>[-whitelist-ip]：仅接受参数中配置的 IP 范围<br>[-group [group] ...]：DNS 服务器所属组，比如 office 和 foreign，和 nameserver 配套使用<br>[-exclude-default-group]：将 DNS 服务器从默认组中排除 | server-tls 8.8.8.8:853 |
 | server-https | 上游 HTTPS DNS | 无 | 可重复。<br>https://[host][:port]/path：服务器 IP:端口（可选）<br>[-spki-pin [sha256-pin]]：TLS 合法性校验 SPKI 值，base64 编码的 sha256 SPKI pin 值<br>[-host-name]：TLS SNI 名称<br>[-http-host]：http 协议头主机名<br>[-tls-host-verify]：TLS 证书主机名校验<br> [-no-check-certificate]：跳过证书校验<br>[-blacklist-ip]：配置 IP 过滤结果<br>[-whitelist-ip]：仅接受参数中配置的 IP 范围。<br>[-group [group] ...]：DNS 服务器所属组，比如 office 和 foreign，和 nameserver 配套使用<br>[-exclude-default-group]：将 DNS 服务器从默认组中排除 | server-https https://cloudflare-dns.com/dns-query |
 | speed-check-mode | 测速模式选择 | 无 | [ping\|tcp:[80]\|none] | speed-check-mode ping,tcp:80,tcp:443 |
+| response-mode | 首次查询响应模式 | first-ping |模式：[fisrt-ping\|fastest-ip\|first-response]<br> [first-ping]: 最快ping响应地址模式，DNS上游最快查询时延+ping时延最短，查询等待与链接体验最佳;<br>[fastest-ip]: 最快IP地址模式，查询到的所有IP地址中ping最短的IP。需等待IP测速; <br>[first-response]: 最快响应的DNS结果，DNS查询等待时间最短，返回的IP地址可能不是最快。| response-mode first-ping |
 | address | 指定域名 IP 地址 | 无 | address /domain/[ip\|-\|-4\|-6\|#\|#4\|#6] <br>- 表示忽略 <br># 表示返回 SOA <br>4 表示 IPv4 <br>6 表示 IPv6 | address /www.example.com/1.2.3.4 |
 | nameserver | 指定域名使用 server 组解析 | 无 | nameserver /domain/[group\|-], group 为组名，- 表示忽略此规则，配套 server 中的 -group 参数使用 | nameserver /www.example.com/office |
 | ipset | 域名 ipset | 无 | ipset /domain/[ipset\|-\|#[4\|6]:[ipset\|-][,#[4\|6]:[ipset\|-]]]，-表示忽略 | ipset /www.example.com/#4:dns4,#6:- |
@@ -594,6 +597,7 @@ rtt min/avg/max/mdev = 5.954/6.133/6.313/0.195 ms
 | serve-expired-reply-ttl | 回应的过期缓存 TTL | 5 | 秒，0 表示停用超时，大于 0 表示指定的超时的秒数 | serve-expired-reply-ttl 30 |
 | dualstack-ip-selection | 双栈 IP 优选 | yes | [yes\|no] | dualstack-ip-selection yes |
 | dualstack-ip-selection-threshold | 双栈 IP 优选阈值 | 15ms | 单位为毫秒（ms） | dualstack-ip-selection-threshold [0-1000] |
+| user | 进程运行用户 | root | user [username] | user nobody |
 | ca-file | 证书文件 | /etc/ssl/certs/ca-certificates.crt | 合法路径字符串 | ca-file /etc/ssl/certs/ca-certificates.crt |
 | ca-path | 证书文件路径 | /etc/ssl/certs | 合法路径字符串 | ca-path /etc/ssl/certs |
 

ReadMe_en.md

@@ -514,6 +514,7 @@ Note: Merlin firmware is derived from ASUS firmware and can theoretically be use
 |server-tls|Upstream TLS DNS server|None|Repeatable <br>`[ip][:port]`: Server IP, port optional. <br>`[-spki-pin [sha256-pin]]`: TLS verify SPKI value, a base64 encoded SHA256 hash<br>`[-host-name]`:TLS Server name. <br>`[-tls-host-verify]`: TLS cert hostname to verify. <br>`-no-check-certificate:`: No check certificate. <br>`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br>`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted. <br>`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br>`[-exclude-default-group]`: Exclude DNS servers from the default group| server-tls 8.8.8.8:853
 |server-https|Upstream HTTPS DNS server|None|Repeatable <br>`https://[host][:port]/path`: Server IP, port optional. <br>`[-spki-pin [sha256-pin]]`: TLS verify SPKI value, a base64 encoded SHA256 hash<br>`[-host-name]`:TLS Server name<br>`[-http-host]`：http header host. <br>`[-tls-host-verify]`: TLS cert hostname to verify. <br>`-no-check-certificate:`: No check certificate. <br>`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br>`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted. <br>`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br>`[-exclude-default-group]`: Exclude DNS servers from the default group| server-https https://cloudflare-dns.com/dns-query
 |speed-check-mode|Speed ​​mode|None|[ping\|tcp:[80]\|none]|speed-check-mode ping,tcp:80,tcp:443
+|response-mode|First query response mode|first-ping|Mode: [fisrt-ping\|fastest-ip\|first-response]<br> [first-ping]: The fastest dns + ping response mode, DNS query delay + ping delay is the shortest;<br>[fastest-ip]: The fastest IP address mode, return the fastest ip address, may take some time to test speed. <br>[first-response]: The fastest response DNS result mode, the DNS query waiting time is the shortest. | response-mode first-ping |
 |address|Domain IP address|None|address /domain/[ip\|-\|-4\|-6\|#\|#4\|#6], `-` for ignore, `#` for return SOA, `4` for IPV4, `6` for IPV6| address /www.example.com/1.2.3.4
 |nameserver|To query domain with specific server group|None|nameserver /domain/[group\|-], `group` is the group name, `-` means ignore this rule, use the `-group` parameter in the related server|nameserver /www.example.com/office
 |ipset|Domain IPSet|None|ipset /domain/[ipset\|-\|#[4\|6]:[ipset\|-][,#[4\|6]:[ipset\|-]]], `-` for ignore|ipset /www.example.com/#4:dns4,#6:-
@@ -532,6 +533,7 @@ Note: Merlin firmware is derived from ASUS firmware and can theoretically be use
 |serve-expired-reply-ttl|TTL value to use when replying with expired data|5|second，0：disable，> 0  seconds after expiration|serve-expired-reply-ttl 30
 |dualstack-ip-selection|Dualstack ip selection|yes|[yes\|no]|dualstack-ip-selection yes
 |dualstack-ip-selection-threshold|Dualstack ip select threadhold|15ms|millisecond|dualstack-ip-selection-threshold [0-1000]
+|user|run as user|root|user [username]|user nobody
 |ca-file|certificate file|/etc/ssl/certs/ca-certificates.crt|path|ca-file /etc/ssl/certs/ca-certificates.crt
 |ca-path|certificates path|/etc/ssl/certs|path|ca-path /etc/ssl/certs
 

src/fast_ping.c

@@ -673,6 +673,12 @@ static int _fast_ping_create_icmp_sock(FAST_PING_TYPE type)
 			}
 		}
 		if (fd < 0) {
+			if (errno == EACCES || errno == EAFNOSUPPORT) {
+				if (bool_print_log == 0) {
+					goto errout;
+				}
+				bool_print_log = 0;
+			}
 			tlog(TLOG_ERROR, "create icmp socket failed, %s\n", strerror(errno));
 			goto errout;
 		}
@@ -689,6 +695,12 @@ static int _fast_ping_create_icmp_sock(FAST_PING_TYPE type)
 		}
 
 		if (fd < 0) {
+			if (errno == EACCES || errno == EAFNOSUPPORT) {
+				if (bool_print_log == 0) {
+					goto errout;
+				}
+				bool_print_log = 0;
+			}
 			tlog(TLOG_ERROR, "create icmp socket failed, %s\n", strerror(errno));
 			goto errout;
 		}

src/smartdns.c

@@ -132,7 +132,7 @@ static void _help(void)
 		"Start smartdns server.\n"
 		"  -f            run forground.\n"
 		"  -c [conf]     config file.\n"
-		"  -p [pid]      pid file path\n"
+		"  -p [pid]      pid file path, '-' means don't create pid file.\n"
 		"  -S            ignore segment fault signal.\n"
 		"  -x            verbose screen.\n"
 		"  -v            dispaly version.\n"
@@ -571,7 +571,7 @@ int main(int argc, char *argv[])
 		_reg_signal();
 	}
 
-	if (create_pid_file(pid_file) != 0) {
+	if (strncmp(pid_file, "-", 2) != 0 && create_pid_file(pid_file) != 0) {
 		goto errout;
 	}