Simple DNS proxy with DoH, DoT, DoQ and DNSCrypt support
DNS Proxy is a DNS proxy tool designed to handle DNS queries securely using DoH (DNS over HTTPS), DoT (DNS over TLS), DoQ (DNS over QUIC), and DNSCrypt protocols.
Key Features:
Supports multiple secure DNS protocols, including DoH, DoT, DoQ, and DNSCrypt.
Flexible routing and configuration options for different network environments.
Performance optimization for fast and reliable DNS resolution.
Enhanced security with encrypted DNS queries to protect privacy.
Compatibility with various platforms and configurations.
Installable via winget for seamless setup.
Audience & Benefit:
Ideal for network administrators, developers, and IT professionals seeking a robust, secure, and flexible DNS proxy solution to manage DNS queries effectively while ensuring data privacy and performance.
README
DNS Proxy
A simple DNS proxy server that supports all existing DNS protocols including
DNS-over-TLS, DNS-over-HTTPS, DNSCrypt, and DNS-over-QUIC. Moreover,
it can work as a DNS-over-HTTPS, DNS-over-TLS or DNS-over-QUIC server.
Usage of ./dnsproxy:
--bogus-nxdomain=subnet
Transform the responses containing at least a single IP that matches specified addresses and CIDRs into NXDOMAIN. Can be specified multiple times.
--bootstrap/-b
Bootstrap DNS for DoH and DoT, can be specified multiple times (default: use system-provided).
--cache
If specified, DNS cache is enabled.
--cache-max-ttl=uint32
Maximum TTL value for DNS entries, in seconds.
--cache-min-ttl=uint32
Minimum TTL value for DNS entries, in seconds. Capped at 3600. Artificially extending TTLs should only be done with careful consideration.
--cache-optimistic
If specified, optimistic DNS cache is enabled.
--cache-size=int
Cache size (in bytes). Default: 64k.
--config-path=path
YAML configuration file. Minimal working configuration in config.yaml.dist. Options passed through command line will override the ones from this file.
--dns64
If specified, dnsproxy will act as a DNS64 server.
--dns64-prefix=subnet
Prefix used to handle DNS64. If not specified, dnsproxy uses the 'Well-Known Prefix' 64:ff9b::. Can be specified multiple times.
--dnscrypt-config=path/-g path
Path to a file with DNSCrypt configuration. You can generate one using https://github.com/ameshkov/dnscrypt.
--dnscrypt-port=port/-y port
Listening ports for DNSCrypt.
--edns
Use EDNS Client Subnet extension.
--edns-addr=address
Send EDNS Client Address.
--fallback/-f
Fallback resolvers to use when regular ones are unavailable, can be specified multiple times. You can also specify path to a file with the list of servers.
--help/-h
Print this help message and quit.
--hosts-file-enabled
If specified, use hosts files for resolving.
--hosts-files=path
List of paths to the hosts files, can be specified multiple times.
--http3
Enable HTTP/3 support.
--https-port=port/-s port
Listening ports for DNS-over-HTTPS.
--https-server-name=name
Set the Server header for the responses from the HTTPS server.
--https-userinfo=name
If set, all DoH queries are required to have this basic authentication information.
--insecure
Disable secure TLS certificate validation.
--ipv6-disabled
If specified, all AAAA requests will be replied with NoError RCode and empty answer.
--listen=address/-l address
Listening addresses.
--max-go-routines=uint
Set the maximum number of go routines. A zero value will not not set a maximum.
--output=path/-o path
Path to the log file.
--pending-requests-enabled
If specified, the server will track duplicate queries and only send the first of them to the upstream server, propagating its result to others. Disabling it introduces a vulnerability to cache poisoning attacks.
--port=port/-p port
Listening ports. Zero value disables TCP and UDP listeners.
--pprof
If present, exposes pprof information on localhost:6060.
--private-rdns-upstream
Private DNS upstreams to use for reverse DNS lookups of private addresses, can be specified multiple times.
--private-subnets=subnet
Private subnets to use for reverse DNS lookups of private addresses.
--quic-port=port/-q port
Listening ports for DNS-over-QUIC.
--ratelimit=int/-r int
Ratelimit (requests per second).
--ratelimit-subnet-len-ipv4=int
Ratelimit subnet length for IPv4.
--ratelimit-subnet-len-ipv6=int
Ratelimit subnet length for IPv6.
--refuse-any
If specified, refuses ANY requests.
--timeout=duration
Timeout for outbound DNS queries to remote upstream servers in a human-readable form
--tls-crt=path/-c path
Path to a file with the certificate chain.
--tls-key=path/-k path
Path to a file with the private key.
--tls-max-version=version
Maximum TLS version, for example 1.3.
--tls-min-version=version
Minimum TLS version, for example 1.0.
--tls-port=port/-t port
Listening ports for DNS-over-TLS.
--udp-buf-size=int
Set the size of the UDP buffer in bytes. A value <= 0 will use the system default.
--upstream/-u
An upstream to be used (can be specified multiple times). You can also specify path to a file with the list of servers.
--upstream-mode=mode
Defines the upstreams logic mode, possible values: load_balance, parallel, fastest_addr (default: load_balance).
--use-private-rdns
If specified, use private upstreams for reverse DNS lookups of private addresses.
--verbose/-v
Verbose output.
--version
Prints the program version.
Examples
Simple options
Runs a DNS proxy on 0.0.0.0:53 with a single upstream - Google DNS.
./dnsproxy -u 8.8.8.8:53
The same proxy with verbose logging enabled, writing the log to the file log.txt.
./dnsproxy -u 8.8.8.8:53 -v -o log.txt
Runs a DNS proxy on 127.0.0.1:5353 with multiple upstreams.
> [!TIP]
> In order to run a DNSCrypt proxy, you need to obtain a DNSCrypt configuration first. You can use the https://github.com/ameshkov/dnscrypt command-line tool to do that with a command like this: ./dnscrypt generate --provider-name=2.dnscrypt-cert.example.org --out=dnscrypt-config.yaml.
Additional features
Runs a DNS proxy on 0.0.0.0:53 with rate limit set to 10 rps, enabled DNS cache, and that refuses type=ANY requests.
> [!NOTE] What is DNS64/NAT64
> This is a mechanism of providing IPv6 access to IPv4. Using a NAT64 gateway with IPv4-IPv6 translation capability lets IPv6-only clients connect to IPv4-only services via synthetic IPv6 addresses starting with a prefix that routes them to the NAT64 gateway. DNS64 is a DNS service that returns AAAA records with these synthetic IPv6 addresses for IPv4-only destinations (with A but not AAAA records in the DNS). This lets IPv6-only clients use NAT64 gateways without any other configuration.
> See also RFC 6147.
Note that only the first specified prefix will be used for synthesis.
PTR queries for addresses within the specified ranges or the Well-Known one can only be answered with locally appropriate data, so dnsproxy will route those to the local upstream servers. Those should be specified and enabled if DNS64 is enabled.
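The synthesis and the PTR check described above, as an added Go example (not dnsproxy's own code). It assumes a /96 prefix, where the IPv4 address occupies the low 32 bits; the names Synthesize, IsDNS64PTR and WellKnown are hypothetical.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// WellKnown is the Well-Known Prefix named above, written as a /96 (assumed length).
var WellKnown = netip.MustParsePrefix("64:ff9b::/96")

// Synthesize returns the AAAA address for an IPv4-only name: prefix bits plus the IPv4 address.
func Synthesize(p netip.Prefix, ipv4 string) (netip.Addr, error) {
	v4, err := netip.ParseAddr(ipv4)
	if err != nil || !v4.Is4() || !p.Addr().Is6() || p.Bits() != 96 {
		return netip.Addr{}, fmt.Errorf("need a /96 IPv6 prefix and an IPv4 address, got %v and %q", p, ipv4)
	}
	b, a := p.Masked().Addr().As16(), v4.As4()
	copy(b[12:], a[:])
	return netip.AddrFrom16(b), nil
}

// IsDNS64PTR reports whether an ip6.arpa name encodes an address inside a DNS64 prefix.
func IsDNS64PTR(name string, prefixes ...netip.Prefix) bool {
	labels := strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".")
	if len(labels) != 34 || labels[32] != "ip6" || labels[33] != "arpa" {
		return false
	}
	var hex strings.Builder
	for i := 31; i >= 0; i-- { // nibbles are stored least significant first
		if len(labels[i]) != 1 {
			return false
		}
		hex.WriteString(labels[i])
		if i%4 == 0 && i != 0 {
			hex.WriteByte(':')
		}
	}
	addr, err := netip.ParseAddr(hex.String())
	for _, p := range prefixes {
		if err == nil && p.Contains(addr) {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println(Synthesize(WellKnown, "192.0.2.33"))
}
```

A PTR name for which IsDNS64PTR returns true is one of the queries that must go to the local upstream servers rather than a public resolver.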
Fastest addr + cache-min-ttl
This option is useful for users with a problematic network connection. In this mode, dnsproxy detects the fastest IP address among all that were returned and returns only that address.
Additionally, for those with a problematic network connection, it makes sense to override cache-min-ttl. In this case, dnsproxy will make sure that DNS responses are cached for at least the specified amount of time.
It makes sense to run it with multiple upstream servers only.
Run a DNS proxy with two upstreams, min-TTL set to 10 minutes, and fastest address detection enabled:
You can specify upstreams that will be used for specific domain(s). We use the dnsmasq-like syntax, decorating domains with brackets (see --server description).
Syntax: [/[domain1][/../domainN]/]upstreamString
Where upstreamString is one or many upstreams separated by space (e.g. 1.1.1.1 or 1.1.1.1 2.2.2.2).
If one or more domains are specified, that upstream (upstreamString) is used only for those domains. Usually, it is used for private nameservers. For instance, if you have a nameserver on your network which deals with xxx.internal.local at 192.168.0.1 then you can specify [/internal.local/]192.168.0.1, and dnsproxy will send all queries to that nameserver. Everything else will be sent to the default upstreams (which are mandatory!).
An empty domain specification, // has the special meaning of "unqualified names only", which will be used to resolve names with a single label in them, or with exactly two labels in case of DS requests.
More specific domains take precedence over less specific domains, so: --upstream=[/host.com/]1.2.3.4 --upstream=[/www.host.com/]2.3.4.5 will send queries for *.host.com to 1.2.3.4, except *.www.host.com, which will go to 2.3.4.5.
The special server address # means, "use the common servers", so: --upstream=[/host.com/]1.2.3.4 --upstream=[/www.host.com/]# will send queries for *.host.com to 1.2.3.4, except *.www.host.com which will be forwarded as usual.
The wildcard * has special meaning of "any sub-domain", so: --upstream=[/*.host.com/]1.2.3.4 will send queries for *.host.com to 1.2.3.4, but host.com will be forwarded to default upstreams.
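The precedence rules above, modelled as an added Go example (a simplified sketch, not dnsproxy's own code). Router, NewRouter and Lookup are hypothetical names, and the two-label DS case for "//" is not modelled.

```go
package main

import (
	"fmt"
	"strings"
)

// Router is a simplified model of the rules above, not dnsproxy's own code.
type Router struct {
	rules  map[string][]string // rule domain ("" for "//", "*.d" kept literally) -> upstreams
	common []string            // default upstreams
}
// NewRouter parses --upstream values of the form [/domain1/.../domainN/]upstreamString.
func NewRouter(specs ...string) (*Router, error) {
	r := &Router{rules: map[string][]string{}}
	for _, s := range specs {
		doms, ups, ok := strings.Cut(strings.TrimPrefix(s, "[/"), "/]")
		switch {
		case !strings.HasPrefix(s, "[/"):
			r.common = append(r.common, strings.Fields(s)...)
		case !ok || strings.TrimSpace(ups) == "":
			return nil, fmt.Errorf("malformed upstream spec %q", s)
		default:
			for _, d := range strings.Split(strings.ToLower(doms), "/") {
				r.rules[d] = strings.Fields(ups)
			}
		}
	}
	return r, nil
}
// Lookup walks from the full name towards the TLD, so the most specific rule wins.
func (r *Router) Lookup(name string) (ups []string) {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if !strings.Contains(name, ".") {
		ups = r.rules[""] // "//" rule: unqualified names only
	}
	for d, more := name, true; more && ups == nil; _, d, more = strings.Cut(d, ".") {
		if ups = r.rules[d]; ups == nil && d != name {
			ups = r.rules["*."+d] // "*.d" covers sub-domains of d, never d itself
		}
	}
	if ups == nil || ups[0] == "#" {
		return r.common // no rule matched, or "#" means "use the common servers"
	}
	return ups
}
func main() {
	r, err := NewRouter("8.8.8.8:53", "[/host.com/]1.2.3.4", "[/www.host.com/]#")
	fmt.Println(r.Lookup("mail.host.com"), r.Lookup("a.www.host.com"), err)
}
```

Running a planned rule set through a model like this before deployment shows which internal names would fall through to the default (public) upstreams.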
Sends requests for *.local domains to 192.168.0.1:53. Other requests are sent to 8.8.8.8:53:
You can specify upstreams that will be used for reverse DNS requests of type PTR for private addresses. Same applies to the authority requests of types SOA and NS. The set of private addresses is defined by the --private-rdns-upstream, and the set from RFC 6303 is used by default.
The additional requirement to the domains specified for upstreams is to be in-addr.arpa, ip6.arpa, or its subdomain. Addresses encoded in the domains should also be private.
Sends queries for *.168.192.in-addr.arpa to 192.168.1.2, if requested by client from 192.168.0.0/16 subnet. Other queries answered with NXDOMAIN:
Sends queries for *.in-addr.arpa to 192.168.1.2, *.ip6.arpa to fe80::1, if requested by client within the default RFC 6303 subnet set. Other queries answered with NXDOMAIN:
To enable support for EDNS Client Subnet extension you should run dnsproxy with --edns flag:
./dnsproxy -u 8.8.8.8:53 --edns
Now if you connect to the proxy from the Internet - it will pass through your original IP address's prefix to the upstream server. This way the upstream server may respond with IP addresses of the servers that are located near you to minimize latency.
If you want to use the EDNS CS feature when you're connecting to the proxy from a local network, you need to set the --edns-addr=PUBLIC_IP argument:
Now even if your IP address is 192.168.0.1 and it's not a public IP, the proxy will pass through 72.72.72.72 to the upstream server.
Bogus NXDomain
This option is similar to dnsmasq bogus-nxdomain. dnsproxy will transform
responses that contain at least a single IP address which is also specified by
the option into NXDOMAIN. Can be specified multiple times.
In the example below, we use AdGuard DNS server that returns 0.0.0.0 for
blocked domains, and transform them to NXDOMAIN.
This configuration will only allow DoH queries that contain an Authorization header containing the BasicAuth credentials for user user with password p4ssw0rd.
Add -p 0 if you also want to disable plain-DNS handling and make dnsproxy only serve DoH with Basic Auth checking.