High performance DNS over HTTPS client & server

Overview

DNS-over-HTTPS

Client and server software to query DNS over HTTPS, using the Google DNS-over-HTTPS protocol and IETF DNS-over-HTTPS (RFC 8484).

Guides

Installing

From Source

  • Install Go, at least version 1.13. The newer the better.

Note for Debian/Ubuntu users: you need to set $GOROOT if the Makefile does not pick up your newly installed version of Go.

  • First create an empty directory, used for $GOPATH:
mkdir ~/gopath
export GOPATH=~/gopath
  • To build the program, type:
make
  • To install DNS-over-HTTPS as Systemd services, type:
sudo make install
  • By default, Google DNS over HTTPS is used. It should work for most users (except those in the People's Republic of China). If you need to modify the default settings, type:
sudoedit /etc/dns-over-https/doh-client.conf
  • To automatically start DNS-over-HTTPS client as a system service, type:
sudo systemctl start doh-client.service
sudo systemctl enable doh-client.service
  • Then, modify your DNS settings (usually with NetworkManager) to 127.0.0.1.

  • To test your configuration, type:

dig www.google.com
Output:
;; SERVER: 127.0.0.1#53(127.0.0.1)

Uninstall

  • To uninstall, type:
sudo make uninstall

Note: The configuration files are kept at /etc/dns-over-https. Remove them manually if you want.

Using the Docker image

docker run -d --name doh-server \
  -p 8053:8053 \
  -e UPSTREAM_DNS_SERVER="udp:8.8.8.8:53" \
  -e DOH_HTTP_PREFIX="/dns-query" \
  -e DOH_SERVER_LISTEN=":8053" \
  -e DOH_SERVER_TIMEOUT="10" \
  -e DOH_SERVER_TRIES="3" \
  -e DOH_SERVER_VERBOSE="false" \
  satishweb/doh-server

Server Configuration

The following is a typical DNS-over-HTTPS architecture:

+--------------+                                +------------------------+
| Application  |                                |  Recursive DNS Server  |
+-------+------+                                +-----------+------------+
        |                                                   |
+-------+------+                                +-----------+------------+
| Client side  |                                |      doh-server        |
| cache (nscd) |                                +-----------+------------+
+-------+------+                                            |
        |         +--------------------------+  +-----------+------------+
+-------+------+  |    HTTP cache server /   |  |   HTTP service muxer   |
|  doh-client  +--+ Content Delivery Network +--+ (Apache, Nginx, Caddy) |
+--------------+  +--------------------------+  +------------------------+

Although DNS-over-HTTPS can work alone, an HTTP service muxer is useful because it lets you host DNS-over-HTTPS alongside other HTTPS services.

HTTP/2 with at least TLS v1.3 is recommended. OCSP stapling must be enabled; otherwise the TLS client has to resolve the OCSP responder's hostname itself, and if that lookup goes through DoH the result is DNS recursion.

Configuration file

The main configuration file is doh-client.conf.

Server selectors. If several upstream servers are set, one is selected according to upstream_selector for each request. With upstream_selector = "random", a random upstream server will be chosen for each request.

# available selector: random (default) or weighted_round_robin or lvs_weighted_round_robin
upstream_selector = "random"
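
As an added illustration of what a weighted selector does (this is example code written for this page, not the selector implementation in doh-client), the following Go program implements the smooth weighted round robin scheme popularized by nginx over a list of upstreams with per-entry weights. Whether doh-client's weighted_round_robin or lvs_weighted_round_robin selector uses exactly this variant is not stated here, and the type and function names are invented for the example. It returns nil for an empty or fully disabled list instead of indexing into it, which is the guard any selector needs since rand.Intn(0) panics.

```go
package main

import (
	"fmt"
	"sync"
)

// upstream is one configured backend. Weight mirrors the `weight` key that
// doh-client.conf accepts per upstream entry; a weight of 0 disables it.
type upstream struct {
	URL     string
	Weight  int
	current int // running counter used by the smooth algorithm below
}

// wrrSelector is a weighted round robin selector in the "smooth" form used by
// nginx: each pick adds every backend's weight to its counter, chooses the
// highest counter, and subtracts the total weight from the winner. Over one
// cycle each backend is chosen exactly Weight times, with the picks spread
// out instead of bunched (weights 5,1,1 give A A B A C A A, not A A A A A B C).
type wrrSelector struct {
	mu        sync.Mutex
	upstreams []*upstream
}

func newWRRSelector(ups ...*upstream) *wrrSelector {
	return &wrrSelector{upstreams: ups}
}

// Get returns the next upstream, or nil when none is usable. Returning nil
// instead of indexing into an empty slice is the guard a random selector
// needs too: rand.Intn(0) panics.
func (s *wrrSelector) Get() *upstream {
	s.mu.Lock()
	defer s.mu.Unlock()

	var best *upstream
	total := 0
	for _, u := range s.upstreams {
		if u.Weight <= 0 {
			continue
		}
		total += u.Weight
		u.current += u.Weight
		if best == nil || u.current > best.current {
			best = u
		}
	}
	if best == nil {
		return nil
	}
	best.current -= total
	return best
}

// sequence draws n picks and returns their URLs, for inspection and testing.
func sequence(s *wrrSelector, n int) []string {
	out := make([]string, 0, n)
	for i := 0; i < n; i++ {
		u := s.Get()
		if u == nil {
			break
		}
		out = append(out, u.URL)
	}
	return out
}

func main() {
	// Constructed sample upstreams; the hostnames are placeholders.
	s := newWRRSelector(
		&upstream{URL: "https://a.example/dns-query", Weight: 5},
		&upstream{URL: "https://b.example/dns-query", Weight: 1},
		&upstream{URL: "https://c.example/dns-query", Weight: 1},
	)
	for _, url := range sequence(s, 7) {
		fmt.Println(url)
	}
}
```

The counters all return to zero after one full cycle (the sum of the weights), so the pattern repeats deterministically, which makes the distribution easy to verify against the configured weights.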

Example configuration: Apache

# TLS 1.3 needs Apache 2.4.37+ built against OpenSSL 1.1.1+; use "SSLProtocol TLSv1.2" alone on older builds.
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLHonorCipherOrder On
# The 3DES entries only serve very old clients; drop them unless you must support such clients.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS:!eNULL:!EXP:!LOW
SSLUseStapling on
SSLStaplingCache shmcb:/var/lib/apache2/stapling_cache(512000)

<VirtualHost *:443>
    ServerName MY_SERVER_NAME
    Protocols h2 http/1.1
    ProxyPass /dns-query http://[::1]:8053/dns-query
    ProxyPassReverse /dns-query http://[::1]:8053/dns-query
</VirtualHost>

(Credit: Joan Moreau)

Example configuration: Nginx

server {
  listen       443 ssl http2 default_server;
  listen       [::]:443 ssl http2 default_server;
  server_name  MY_SERVER_NAME;

  server_tokens off;

  ssl_protocols TLSv1.2 TLSv1.3;          # TLS 1.3 requires nginx >= 1.13.0
  ssl_prefer_server_ciphers on;
  ssl_dhparam /etc/nginx/dhparam.pem;     # openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096
  ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
  ssl_ecdh_curve secp384r1;               # Requires nginx >= 1.1.0
  ssl_session_timeout  10m;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;                # Requires nginx >= 1.5.9
  ssl_stapling on;                        # Requires nginx >= 1.3.7
  ssl_stapling_verify on;                 # Requires nginx >= 1.3.7
  ssl_early_data off;                     # 0-RTT, enable if desired - Requires nginx >= 1.15.4
  resolver 1.1.1.1 valid=300s;            # Replace with your local resolver
  resolver_timeout 5s;
  # HTTP Security Headers
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  add_header Strict-Transport-Security "max-age=63072000";
  ssl_certificate /path/to/your/server/certificates/fullchain.pem;
  ssl_certificate_key /path/to/your/server/certificates/privkey.pem;
  location /dns-query {
    proxy_pass       http://localhost:8053/dns-query;
    proxy_set_header Host      $host;
    proxy_set_header X-Real-IP $remote_addr;
  }
}

(Credit: Cipherli.st)

Example configuration: Caddy (v2)

my.server.name {
        # Forward every request on this host to doh-server; it only answers on its configured path.
        reverse_proxy * localhost:8053
        # Contact address for ACME certificate issuance; replace the placeholder.
        tls YOUR_EMAIL_ADDRESS
}

Example configuration: Docker Compose + Traefik + Unbound (Raspberry Pi/Linux/Mac) [linux/amd64,linux/arm64,linux/arm/v7]

version: '2.2'
networks:
  default:

services:
  proxy:
    # The official v2 Traefik docker image
    image: traefik:v2.3
    hostname: proxy
    networks:
      - default
    environment:
      TRAEFIK_ACCESSLOG: "true"
      TRAEFIK_API: "true"
      TRAEFIK_PROVIDERS_DOCKER: "true"
      TRAEFIK_API_INSECURE: "true"
      TRAEFIK_PROVIDERS_DOCKER_NETWORK: "${STACK}_default"
      # DNS provider specific environment variables for DNS Challenge using route53 (AWS)
      AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID}
      AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}
      AWS_REGION: ${AWS_REGION}
      AWS_HOSTED_ZONE_ID: ${AWS_HOSTED_ZONE_ID}
    ports:
      # The HTTP port
      - "80:80"
      # The HTTPS port
      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"
    command:
      #- "--log.level=DEBUG"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
      # Providers list:
      #  https://docs.traefik.io/https/acme/#providers
      #  https://go-acme.github.io/lego/dns/
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=route53"
      # Enable below line to use staging letsencrypt server.
      #- "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.letsencrypt.acme.email=${EMAIL}"
      - "--certificatesresolvers.letsencrypt.acme.storage=/certs/acme.json"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data/proxy/certs:/certs
  doh-server:
    image: satishweb/doh-server:latest
    hostname: doh-server
    networks:
      - default
    environment:
      # Enable below line to see more logs
      # DEBUG: "1"
      UPSTREAM_DNS_SERVER: "udp:unbound:53"
      DOH_HTTP_PREFIX: "${DOH_HTTP_PREFIX}"
      DOH_SERVER_LISTEN: ":${DOH_SERVER_LISTEN}"
      DOH_SERVER_TIMEOUT: "10"
      DOH_SERVER_TRIES: "3"
      DOH_SERVER_VERBOSE: "false"
    #volumes:
      # - ./doh-server.conf:/server/doh-server.conf
      # - ./app-config:/app-config
    depends_on:
      - unbound
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.doh-server.rule=Host(`${SUBDOMAIN}.${DOMAIN}`) && Path(`${DOH_HTTP_PREFIX}`)"
      - "traefik.http.services.doh-server.loadbalancer.server.port=${DOH_SERVER_LISTEN}"
      - "traefik.http.middlewares.mw-doh-compression.compress=true"
      - "traefik.http.routers.doh-server.tls=true"
      - "traefik.http.middlewares.mw-doh-tls.headers.sslredirect=true"
      - "traefik.http.middlewares.mw-doh-tls.headers.sslforcehost=true"
      - "traefik.http.routers.doh-server.tls.certresolver=letsencrypt"
      - "traefik.http.routers.doh-server.tls.domains[0].main=${DOMAIN}"
      - "traefik.http.routers.doh-server.tls.domains[0].sans=${SUBDOMAIN}.${DOMAIN}"
      # Protection from requests flood
      - "traefik.http.middlewares.mw-doh-ratelimit.ratelimit.average=100"
      - "traefik.http.middlewares.mw-doh-ratelimit.ratelimit.burst=50"
      - "traefik.http.middlewares.mw-doh-ratelimit.ratelimit.period=10s"
  unbound:
    image: satishweb/unbound:latest
    hostname: unbound
    networks:
      - default
    ports:
      # Disable these ports if DOH server is the only client
      - 53:53/tcp
      - 53:53/udp
    volumes:
      - ./unbound.sample.conf:/templates/unbound.sample.conf
      - ./data/unbound/custom:/etc/unbound/custom
      # Keep your custom.hosts file inside custom folder
    #environment:
    #  DEBUG: "1"

Complete Guide available at: https://github.com/satishweb/docker-doh

IPv6 support for the Docker Compose based configuration: TBA

DNSSEC

DNS-over-HTTPS is compatible with DNSSEC and requests DNSSEC signatures by default. However, signature validation is not built in. It is highly recommended that you install unbound or bind and pass the results through them so they can validate the DNS records. An instance of Pi-hole could also be used to validate DNS signatures as well as provide other capabilities.

EDNS0-Client-Subnet (GeoDNS)

DNS-over-HTTPS supports the EDNS0-Client-Subnet protocol, which submits part of the client's IP address (/24 for IPv4, /56 for IPv6 by default) to the upstream server. This is what makes GeoDNS and CDNs work, and it is the same configuration most public DNS servers use.

Keep in mind that /24 is not enough to track a single user, although it is precise enough to tell which city the user is in. If you think EDNS0-Client-Subnet is affecting your privacy, you can set no_ecs = true in /etc/dns-over-https/doh-client.conf, at the cost of slower video streaming or software download speeds.

To utilize ECS, X-Forwarded-For or X-Real-IP must be enabled on your HTTP service muxer; otherwise doh-server only ever sees the muxer's own address. If your server is backed by unbound or bind, you probably want to enable the EDNS0-Client-Subnet feature there as well.
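
To make the preceding paragraphs concrete, here is an added Go example (not code from the dns-over-https project) showing what ECS truncation means for a client address, and how a server behind a reverse proxy recovers the client address from X-Real-IP or X-Forwarded-For. The function names, the trusted-proxy parameter and the sample addresses are constructed for this example; doh-server's own header handling is not reproduced here.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ecsScope truncates a client address to the prefix length that doh-client
// forwards by default (/24 for IPv4, /56 for IPv6) and returns that length.
// Everything below the prefix is zeroed, so the upstream learns the client's
// approximate location but not its host address.
func ecsScope(ip net.IP) (net.IP, int, error) {
	if ip4 := ip.To4(); ip4 != nil {
		return ip4.Mask(net.CIDRMask(24, 32)), 24, nil
	}
	if ip16 := ip.To16(); ip16 != nil {
		return ip16.Mask(net.CIDRMask(56, 128)), 56, nil
	}
	return nil, 0, fmt.Errorf("not an IP address: %v", ip)
}

// guessClientIP models what a DoH server behind a reverse proxy must do to
// see the real client: use X-Real-IP, then the first (client-most) entry of
// X-Forwarded-For, but only when the TCP peer is the proxy itself. Honouring
// those headers from arbitrary peers would let any client pick the subnet
// that is forwarded upstream on its behalf. (Hypothetical helper, not the
// project's implementation.)
func guessClientIP(remoteAddr, xRealIP, xForwardedFor string, trustedProxy net.IP) (net.IP, error) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return nil, fmt.Errorf("bad remote address %q: %w", remoteAddr, err)
	}
	peer := net.ParseIP(host)
	if peer == nil {
		return nil, fmt.Errorf("bad peer address %q", host)
	}
	if trustedProxy == nil || !peer.Equal(trustedProxy) {
		return peer, nil // direct connection: the peer is the client
	}
	if ip := net.ParseIP(strings.TrimSpace(xRealIP)); ip != nil {
		return ip, nil
	}
	if xForwardedFor != "" {
		first := strings.TrimSpace(strings.Split(xForwardedFor, ",")[0])
		if ip := net.ParseIP(first); ip != nil {
			return ip, nil
		}
	}
	// The proxy set no usable header: all the server can report is the
	// proxy's own address, which is exactly what a misconfigured muxer yields.
	return peer, nil
}

func main() {
	proxy := net.ParseIP("127.0.0.1")
	// Constructed sample: a muxer on loopback forwarded a request and set X-Real-IP.
	client, err := guessClientIP("127.0.0.1:40022", "203.0.113.77", "", proxy)
	if err != nil {
		panic(err)
	}
	scope, bits, _ := ecsScope(client)
	fmt.Printf("client %s -> ECS %s/%d\n", client, scope, bits)
}
```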

Protocol compatibility

Google DNS-over-HTTPS Protocol

DNS-over-HTTPS uses a protocol compatible with Google DNS-over-HTTPS, except that an absolute expiry time is preferred to a relative TTL value. Refer to json-dns/response.go for a complete description of the API.

IETF DNS-over-HTTPS Protocol

DNS-over-HTTPS uses a protocol compatible with IETF DNS-over-HTTPS (RFC 8484).
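
As an added example of the RFC 8484 wire format (written for this page, not taken from the project), the Go program below builds a minimal DNS query with an EDNS0 OPT record and encodes it into the `dns=` parameter of a GET request. The function names are my own. The query it produces for www.gstatic.com with a 4 KiB UDP payload size is byte-for-byte the 59-character `dns=` value that appears in the doh-client log quoted in the issues on this page, so it also serves to decode what such a request carries.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

const (
	typeA   uint16 = 1
	typeOPT uint16 = 41 // EDNS0 pseudo-record type (RFC 6891)
	classIN uint16 = 1
)

// put16 appends v in network (big-endian) byte order.
func put16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }

// buildQuery assembles a minimal wire-format query (RFC 1035 section 4.1)
// for name/qtype plus one OPT record advertising udpSize as the EDNS0 UDP
// payload size, with the DO bit set when dnssecOK is true. The message ID is
// left at 0, as RFC 8484 section 4.1 recommends so that HTTP caches see
// identical requests for identical questions.
func buildQuery(name string, qtype, udpSize uint16, dnssecOK bool) ([]byte, error) {
	msg := make([]byte, 12, 64)
	msg[2] = 0x01 // flags: QR=0, opcode QUERY, RD=1
	msg[5] = 1    // QDCOUNT = 1
	msg[11] = 1   // ARCOUNT = 1 (the OPT record)

	// QNAME: one <length><bytes> pair per label, terminated by the root label.
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		if len(label) == 0 || len(label) > 63 {
			return nil, fmt.Errorf("invalid label %q in %q", label, name)
		}
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	msg = append(msg, 0)
	msg = put16(msg, qtype)
	msg = put16(msg, classIN)

	// OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size, then the 32-bit
	// TTL field reinterpreted as extended RCODE, EDNS version, DO bit + Z.
	msg = append(msg, 0)
	msg = put16(msg, typeOPT)
	msg = put16(msg, udpSize)
	var do byte
	if dnssecOK {
		do = 0x80
	}
	msg = append(msg, 0, 0, do, 0)
	msg = put16(msg, 0) // RDLENGTH: no EDNS options
	return msg, nil
}

// dohGetURL renders the RFC 8484 GET form: the query base64url-encoded
// without padding (section 6) in the "dns" parameter. The request must also
// carry "Accept: application/dns-message"; POST sends the raw bytes instead.
func dohGetURL(endpoint string, query []byte) string {
	return endpoint + "?dns=" + base64.RawURLEncoding.EncodeToString(query)
}

// rcode returns the 4-bit response code from a reply header (0 NOERROR,
// 2 SERVFAIL, 3 NXDOMAIN). The EDNS extended RCODE is not folded in.
func rcode(resp []byte) (int, error) {
	if len(resp) < 12 {
		return 0, fmt.Errorf("message too short: %d bytes", len(resp))
	}
	return int(resp[3] & 0x0f), nil
}

func main() {
	q, err := buildQuery("www.gstatic.com", typeA, 4096, false)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d-byte query\n%s\n", len(q), dohGetURL("https://doh.dns.sb/dns-query", q))
}
```

Because the encoding is unpadded base64url, the same query always yields the same URL, which is what lets an HTTP cache or CDN in front of doh-server serve repeated questions without touching the resolver.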

Supported features

Currently supported features are:

  • IPv4 / IPv6
  • EDNS0 large UDP packet (4 KiB by default)
  • EDNS0-Client-Subnet (/24 for IPv4, /56 for IPv6 by default)

The name of the project

This project is named "DNS-over-HTTPS" because it was written before the IETF DoH project. Although this project is compatible with IETF DoH, the project is not affiliated with IETF.

To avoid confusion, you may also call this project "m13253/DNS-over-HTTPS" or anything you like.

License

DNS-over-HTTPS is licensed under the MIT License. You are encouraged to embed DNS-over-HTTPS into your other projects, as long as the license permits.

You are also encouraged to disclose your improvements to the public, so that others may benefit from your modification, in the same way you receive benefits from this project.

Comments
  • X-Forwarded-For or X-Real-IP is not forwarding client ip to backend

    After setting the mentioned header in the webserver 'nginx', the backend still receives DNS queries from the nginx IP and not from the client IP. Even in the logs, I only see the IP of the web server and not the client. Is it bugged or am I missing something here?

    from nginx config: ... proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; ... proxy_pass http://ungound-dns;

    from DOH config: ... log_guessed_client_ip = true

    opened by mahdiadnan 32
  • Add backend weight round robin select

    add

    • interface Selector
    • selector implement RandomSelector
    • selector implement WeightRoundRobinSelector

    reason

    dns-over-https allows us to set multiple backends. However, sometimes some backends will be unavailable; we need an algorithm to reduce the probability of selecting them. The WRR algorithm is a good way.

    opened by Sherlock-Holo 19
  • Add support for DNS-over-TLS upstream resolvers

    ~~This PR adds support for DNS-over-TLS (DoT) upstream resolvers.~~

    ~~It adds a new configuration option which affects declared resolvers globally:~~

    # Only use DNS-over-TLS for upstream DNS queries
    tls_only = false
    

    A different approach, more invasive but which gives more flexibility, would be to get away from the global type booleans and instead support configuration declarations like:

    # Upstream DNS resolver
    # If multiple servers are specified, a random one will be chosen each time.
    upstream = [
        "tcp:1.1.1.1:53",
        "tcp-tls:1.0.0.1:853",
        "udp:8.8.8.8:53",
    ]
    

    Let me know if you prefer the latter instead, I could rewrite this patch.

    Edit: rewritten the patch to use above approach.

    opened by gdm85 18
  • Why does the error "no such host" appear?

    Hi. In doh-client.conf on my Mac, I enabled: [[upstream.upstream_ietf]] url = "https://doh.dns.sb/dns-query" weight = 50

    Then I ran: sudo $GOBIN/doh-client -conf ~/doh-client.conf and it printed: 2019/12/06 20:57:15 Get https://doh.dns.sb/dns-query?ct=application/dns-message&dns=AAABAAABAAAAAAABA3d3dwdnc3RhdGljA2NvbQAAAQABAAApEAAAAAAAAAA: dial tcp: lookup doh.dns.sb: no such host What is going on, and how do I fix it?

    opened by luckypoem 13
  • Provide fallback semantics for upstream server groups

    Currently, you can specify more than one upstream server in the google or ietf groups in doh-client.conf. The semantics for choosing one to query are currently random choice. It would be useful to provide an option to configure doh-client to use the upstream servers as an ordered list with fallback semantics. Something like a {google,ietf}_list_semantics = (random,fallback) configuration option would do. An additional fallback_timeout would be great as well, since it would be useful to have it set fairly low, unlike the overall timeout.

    The use case for this is that I prefer using cloudflare over google (I distrust them less with query data than google), but I've had hiccups and would like google to be used automagically when that happens.

    Ideally, this would include marking upstream servers as down when multiple queries time out in a short window, but in the absence of a full-blown solution like that, the fallback+timeout config options would suffice.

    opened by paulie-g 12
  • Uname darwin

    Hi

    I tried to install dns-over-https with the command make, and I got stuck on uname darwin. Here are my results below:

    [email protected]:~/dns-over-https-2.2.5# make
    go get -d -u -v github.com/m13253/dns-over-https/doh-client/config
    go: downloading github.com/BurntSushi/toml v0.3.1
    go: downloading github.com/BurntSushi/toml v0.4.1
    go get: upgraded github.com/BurntSushi/toml v0.3.1 => v0.4.1
    go get -d -u -v github.com/m13253/dns-over-https/json-dns
    go: downloading github.com/infobloxopen/go-trees v0.0.0-20200715205103-96a057b8dfb9
    go: downloading github.com/miekg/dns v1.1.41
    go: downloading github.com/miekg/dns v1.1.43
    go: downloading golang.org/x/net v0.0.0-20210324205630-d1beb07c2056
    go: downloading golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d
    go: downloading golang.org/x/sys v0.0.0-20210324051608-47abb6519492
    go: downloading golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069
    go get: upgraded github.com/miekg/dns v1.1.41 => v1.1.43
    go get: upgraded golang.org/x/net v0.0.0-20210324205630-d1beb07c2056 => v0.0.0-20210805182204-aaa1db679c0d
    go get: upgraded golang.org/x/sys v0.0.0-20210324051608-47abb6519492 => v0.0.0-20210806184541-e5e7981a1069
    go get -d -v ./doh-client ./doh-server
    go: downloading github.com/gorilla/handlers v1.4.0
    go: downloading golang.org/x/text v0.3.6
    cd doh-client && go build
    cd doh-server && go build
    if [ "`uname`" = "Darwin" ]; then \
    	make -C darwin-wrapper; \
    fi
    

    My VPS is Ubuntu 18.04 with the latest Go installed.

    What can I do?

    Thanks

    opened by mrsnax 10
  • Log workarounds only if verbose logging is enabled

    Hello.

    Currently dns-over-https works around some dnscrypt-proxy and old Firefox bugs/features, and each time that happens, a message is printed in the log.

    If dns-over-https is used as a public DNS resolver, that hurts logs a lot:

    $ jctl -u doh-server --grep 'DNSCrypt-Proxy detected. Patching response.' | wc -l
    67964
    

    Could you please make that printout depend on s.conf.Verbose?

    Thanks.

    opened by pfactum 10
  • Use of loopback address as upstream DNS server fails

    Hi @m13253 ,

    I have noticed that using a loopback address as the DNS upstream server does not work with the current version of doh-server (2.2.4).

    DOH-Server Config:

    072e6a06e523:/server# cat doh-server.conf
    listen = [ ":8053" ]
    local_addr = ""
    cert = ""
    key = ""
    path = "/getnsrecord"
    upstream = [ "udp:127.0.0.1:53" ]
    timeout = 10
    tries = 3
    verbose = true
    log_guessed_client_ip = false
    

    Curl Test Logs:

    072e6a06e523:/# curl -I 'http://localhost:8053/getnsrecord?name=google.com&type=A'
    HTTP/1.1 503 Service Unavailable
    Access-Control-Allow-Headers: Content-Type
    Access-Control-Allow-Methods: GET, HEAD, OPTIONS, POST
    Access-Control-Allow-Origin: *
    Access-Control-Max-Age: 3600
    Content-Type: application/json; charset=UTF-8
    Server: DNS-over-HTTPS/2.2.4 (+https://github.com/m13253/dns-over-https)
    X-Powered-By: DNS-over-HTTPS/2.2.4 (+https://github.com/m13253/dns-over-https)
    Date: Sat, 26 Dec 2020 05:41:50 GMT
    Content-Length: 114
    

    DOH-Server console logs:

    072e6a06e523:/server#  /server/doh-server -conf /server/doh-server.conf
    2020/12/26 05:41:50 DNS error from upstream udp:127.0.0.1:53: read udp 127.0.0.1:53131->127.0.0.1:53: read: connection refused
    2020/12/26 05:41:50 DNS error from upstream udp:127.0.0.1:53: read udp 127.0.0.1:55126->127.0.0.1:53: read: connection refused
    2020/12/26 05:41:50 DNS error from upstream udp:127.0.0.1:53: read udp 127.0.0.1:55747->127.0.0.1:53: read: connection refused
    127.0.0.1 - - [26/Dec/2020:05:41:50 +0000] "HEAD /getnsrecord?name=google.com&type=A HTTP/1.1" 503 114 "" "curl/7.64.0"
    

    Simple nslookup test using loopback address was successful:

    072e6a06e523:/server# nslookup google.com 127.0.0.1
    Server:    127.0.0.1
    Address 1: 127.0.0.1 localhost
    
    Name:      google.com
    Address 1: 172.217.14.78
    Address 2: 2607:f8b0:4005:807::200e
    

    Please let me know if this is expected behavior or there is something that needs to be done to allow use of loopback address as upstream DNS server in DOH configuration.

    Steps to reproduce

    1. Run docker command to launch doh-server container
    docker run -itd \
      --name doh-server \
      -e UPSTREAM_DNS_SERVER='udp:127.0.0.1:53' \
      -e DEBUG=1 \
      -e DOH_SERVER_VERBOSE=true \
      satishweb/doh-server \
    sleep 36000

    2. Start doh-server inside the container in console mode
    docker exec -it doh-server /server/doh-server -conf /server/doh-server.conf

    3. Add curl and execute curl test command
    docker exec -it doh-server apk add curl
    docker exec -it doh-server curl -I 'localhost:8053/getnsrecord?name=google.com&type=A'

    4. To open shell: docker exec -it doh-server bash
    5. Cleanup: docker rm -f doh-server
    opened by satishweb 9
  • curl 127.0.0.1:8053/dns-query returns json response status 2 comment invalid argument value and doh server doesn't seem to work

    Hello ,

    I appreciate that you have put a lot of effort into putting this together. I have been trying to set up DoH on my home network for more than 2 weeks now; going through your GitHub page, I see some hope.

    I pulled your repository and followed the steps make and then sudo make install on Ubuntu running on the arm64 architecture. Now when I try curl 127.0.0.1:8053/dns-query I get a response saying: {"Status":2,"Comment":"Invalid argument value: \"ct\" = \"\""}

    I have set this up with apache2; I already had a self-hosted domain name with SSL, so I had a cert I could use.

    So even when I tried https://selfhosted.ddns.com/dns-query I got the same JSON result.
    I think the problem is on the doh server end, to fix this JSON response.

    I used selfhosted.ddns.com/dns-query in chrome://settings > Advanced > Security > custom DNS and tried from Google Chrome by visiting 1.1.1.1/help, but I still do not get DoH.

    Any help will be greatly appreciated thank you

    opened by sanfx 8
  • new issue for random mode

    I am using this program. But I think I found a bug. It seems to be a bug related to a random query patched in version 2.0.0.

    bug log:

    172.19.0.240:54867 - - [23/Mar/2019:15:43:31 +0000] "BLUR FOR DOMAIN. IN TXT"
    panic: invalid argument to Intn
    goroutine 22 [running]:
    math/rand.(*Rand).Intn(0xc00008a180, 0x0, 0x13)
    	/usr/local/go/src/math/rand/rand.go:169 +0x9c
    math/rand.Intn(...)
    	/usr/local/go/src/math/rand/rand.go:329
    github.com/m13253/dns-over-https/doh-client/selector.(*RandomSelector).Get(0xc0000931e0, 0xc00009cc20)
    	/tmp/dns-over-https-2.0.0/doh-client/selector/randomSelector.go:45 +0x3f
    main.(*Client).handlerFunc(0xc0000955f0, 0x85b660, 0xc0000a05a0, 0xc0000fa090, 0xc00004be00)
    	/tmp/dns-over-https-2.0.0/doh-client/client.go:365 +0x322
    main.(*Client).udpHandlerFunc(...)
    	/tmp/dns-over-https-2.0.0/doh-client/client.go:443
    github.com/miekg/dns.HandlerFunc.ServeDNS(0xc000114490, 0x85b660, 0xc0000a05a0, 0xc0000fa090)
    	/go/pkg/mod/github.com/miekg/[email protected]/server.go:37 +0x44
    github.com/miekg/dns.(*Server).serveDNS(0xc000112500, 0xc000142000, 0x36, 0x1000, 0xc0000a05a0)
    	/go/pkg/mod/github.com/miekg/[email protected]/server.go:603 +0x2b8
    github.com/miekg/dns.(*Server).serveUDPPacket(0xc000112500, 0xc000028020, 0xc000142000, 0x36, 0x1000, 0xc000010010, 0xc000093280)
    	/go/pkg/mod/github.com/miekg/[email protected]/server.go:549 +0xb2
    created by github.com/miekg/dns.(*Server).serveUDP
    	/go/pkg/mod/github.com/miekg/[email protected]/server.go:479 +0x27a
    

    I will wait for a quick reply.

    opened by dalbodeule 8
  • [Feature Request] DNSOverTLS support

    Hi,

    I've been using this great app to serve doh for all my devices. It is a fantastic app.

    Is there any way we can extend this to listen to DnsOverTLS requests also? Or has anyone already forked and extended this to perform DOT also?

    opened by pawankanumalli 7
  • [RFE] upstream_selector option for doh-server

    Hey guys,

    the title says it all. At the moment a random upstream server will be chosen if we specify multiple IPs.

    What do you think about the idea of being able to change the upstream_selector for the doh-server, like it's already possible in the doh-client configuration?

    Best regards brotaxt

    help wanted 
    opened by brotaxt 1
  • Support for EDNS(0) Padding Option

    Duplicated from email thread.

    Context:
    In our study [1], we have evaluated if DNS over TLS (DoT) and DNS over HTTPS (DoH) resolvers support EDNS(0) padding to protect users’ privacy against traffic analysis. Through our measurements, we found that your resolver does not pad DNS responses, even if DNS queries are padded. This leaves your users unprotected against traffic analysis attacks. To tackle this privacy problem, it is recommended to pad DNS responses to multiples of 468 bytes. There is some guidance for resolvers specifically for padding with RFC 8467 and for privacy in general with RFC 8932.

    Explanation of the Problem:
    In general, DoT and DoH promise to improve privacy of DNS by encrypting DNS messages. While encryption is beneficial for users’ privacy, websites or mobile apps can still be identified with traffic analysis attacks solely by encrypted DNS traffic [1]. The resulting privacy leakage through message size patterns is already discussed in the standards for both protocols (see RFC 8484 and RFC 7858). As a protection, it is recommended to pad DNS messages to a uniform size. That is, resolvers should pad DNS responses to multiples of 468 bytes to protect their users against traffic analysis attacks.

    help wanted 
    opened by imbushuo 8
  • [Feature Request] Upstream failover and Upstream IP.

    I run doh-server on my server under two domains. My server is proxied by cloudflare, so I have 3 IPs for each domain, plus the servers real IP address.

    I've configured doh-client locally with the two domains, and added the six cloudflare IPs to my /etc/hosts file. Now, here is the problem. Sometimes, a cloudflare IP will become unstable with massive packet drops, causing the doh-client to timeout and return an empty response. We need the client to try again with either a different upstream or a different IP (if one exists) for the same domain.

    I suggest adding the ability to specify the upstream IP address alongside the domain, thus eliminating the need to add them to the hosts file. This should allow us to add multiple entries for the same domain. In addition, when the first query fails I'd like to see a failover to the next upstream server. A maximum_failover setting could be introduced and/or an individual upstream timeout (with the current timeout setting acting as a global timeout).

    Please note, I live in China, which has recently blocked all DNS-over-TLS. Regular DNS53 IPs get blocked for a short time if I query banned domains (youtube/facebook etc). I cannot risk using my server's real IP, and must proxy it with cloudflare, in case it gets blocked by the GFW. Currently dns-over-https is the only software I've found that actually works. But every time one of my IPs becomes unstable I have to edit the hosts file and restart services.

    I would offer a pull request myself, but I unfortunately know nothing about the GO language.

    opened by twifty 5
  • doh-server not starting when key file is only readable by root

    Hello

    In doh-server.conf you can set a cert and key file. However, when the key file is only readable by root, the service won't start:

    [[email protected] ~]# ls -l test.key
    -r-------- 1 root root 1675 21. Sep 17:52 test.key

    systemctl status doh-server
    ● doh-server.service - DNS-over-HTTPS Server
       Loaded: loaded (/usr/lib/systemd/system/doh-server.service; disabled; vendor preset: disabled)
       Active: activating (auto-restart) since Mon 2018-09-24 10:08:34 CEST; 949ms ago
         Docs: https://github.com/m13253/dns-over-https
      Process: 152070 ExecStart=/usr/local/bin/doh-server -conf /etc/dns-over-https/doh-server.conf (code=exited, status=0/SUCCESS)
     Main PID: 152070 (code=exited, status=0/SUCCESS)

    It works when permissions are set to 444. I checked the service which drops its privileges and is then using AmbientCapabilities to bind to port 443; however I don't know how to read the file as user nobody with AmbientCapabilities.

    opened by josvo 6