# SDNS

💫 Lightweight, fast recursive DNS server with DNSSEC support

Based on kenshinx/godns and looterz/grimd.
## Installation

```sh
go get github.com/semihalev/sdns
```

or download, or run with the Docker image:

```sh
docker run -d --name sdns -p 53:53 -p 53:53/udp -p 853:853 -p 8053:8053 -p 8080:8080 sdns
```

- Port 53: DNS server
- Port 853: DNS-over-TLS server
- Port 8053: DNS-over-HTTPS server
- Port 8080: HTTP API
## Building

```sh
$ go build
```

## Testing

```sh
$ make test
```
## Flags

| Flag | Desc |
| --- | --- |
| config | Location of the config file; if not found it will be generated |
## Configs

| Key | Desc |
| --- | --- |
| version | Config version |
| blocklists | List of remote blocklists |
| blocklistdir | List of locations to recursively read blocklists from (warning: every file found is assumed to be a hosts file or a domain list) |
| loglevel | Log verbosity level (what kind of information is logged): crit, error, warn, info, debug |
| bind | Address to bind to for the DNS server. Default: :53 |
| bindtls | Address to bind to for the DNS-over-TLS server. Default: :853 |
| binddoh | Address to bind to for the DNS-over-HTTPS server. Default: :8053 |
| tlscertificate | TLS certificate file path |
| tlsprivatekey | TLS private key file path |
| outboundips | Outbound IP addresses; if you set multiple, sdns can use a random outbound IP address |
| rootservers | DNS root servers |
| root6servers | DNS root IPv6 servers |
| rootkeys | DNS root keys for DNSSEC |
| fallbackservers | Fallback server IP addresses |
| api | Address to bind to for the HTTP API server; leave blank to disable |
| nullroute | IPv4 address to forward blocked queries to |
| nullroutev6 | IPv6 address to forward blocked queries to |
| accesslist | Which clients are allowed to make queries |
| timeout | Query timeout for DNS lookups, as a duration. Default: 5s |
| connecttimeout | Connect timeout for DNS lookups, as a duration. Default: 2s |
| hostsfile | Enables serving zone data from a hosts file; leave blank to disable |
| expire | Default cache TTL in seconds. Default: 600 |
| cachesize | Cache size (total records in cache). Default: 256000 |
| maxdepth | Maximum recursion depth for nameservers. Default: 30 |
| ratelimit | Query-based rate limit per second, 0 to disable. Default: 0 |
| blocklist | Manual blocklist entries |
| whitelist | Manual whitelist entries |
## Server Configuration Checklist

- Increase the file descriptor limit on your server

## Features
- Linux/BSD/Darwin/Windows supported
- DNS RFC compatibility
- DNS lookups within listed servers
- DNS caching
- DNSSEC validation
- DNS over TLS support
- DNS over HTTPS support
- Middleware Support
- RTT priority within listed servers
- Basic IPv6 support (client<->server)
- Query based ratelimit
- Access list
- Prometheus basic query metrics
- Black-hole internet advertisements and malware servers
- HTTP API support
- Outbound IP selection
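Two of the features above, the access list and the query-based rate limit, are what keep a recursive resolver from being abused as an open resolver or amplification source. The Go program below is an added illustration of how those two checks combine on the request path; it is not sdns's own code. The Gate type, the "allow"/"refused"/"dropped" verdicts, accounting per client address within a one-second window, and the injectable clock are all assumptions made for the example (the README only says the limit is "query based").

```go
package main

import (
	"fmt"
	"net"
	"sync"
	"time"
)

// Gate is a hypothetical stand-in for the checks behind the accesslist and
// ratelimit config keys: refuse clients outside the access list, and drop
// queries from a client that exceeds the per-second limit (0 disables it).
type Gate struct {
	mu       sync.Mutex
	allowed  []*net.IPNet
	limit    int
	now      func() time.Time // injectable clock so behaviour is testable offline
	counters map[string]*window
}

// window counts queries from one client within one wall-clock second.
type window struct {
	second time.Time
	count  int
}

// NewGate accepts CIDR ranges or plain addresses ("10.0.0.0/8", "127.0.0.1", "::1").
func NewGate(accesslist []string, ratelimit int) (*Gate, error) {
	g := &Gate{limit: ratelimit, now: time.Now, counters: map[string]*window{}}
	for _, entry := range accesslist {
		if ip := net.ParseIP(entry); ip != nil { // plain address: treat as a host route
			if ip.To4() != nil {
				entry += "/32"
			} else {
				entry += "/128"
			}
		}
		_, network, err := net.ParseCIDR(entry)
		if err != nil {
			return nil, fmt.Errorf("accesslist entry %q: %w", entry, err)
		}
		g.allowed = append(g.allowed, network)
	}
	return g, nil
}

// Allowed reports whether the source address matches any access-list entry.
func (g *Gate) Allowed(ip net.IP) bool {
	for _, n := range g.allowed {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Check returns "allow", "refused" (source not on the access list) or
// "dropped" (source already sent ratelimit queries in the current second).
func (g *Gate) Check(ip net.IP) string {
	if !g.Allowed(ip) {
		return "refused"
	}
	if g.limit <= 0 {
		return "allow"
	}
	g.mu.Lock()
	defer g.mu.Unlock()
	second := g.now().Truncate(time.Second)
	key := ip.String()
	w := g.counters[key]
	if w == nil || !w.second.Equal(second) {
		w = &window{second: second} // new second: reset this client's counter
		g.counters[key] = w
	}
	w.count++
	if w.count > g.limit {
		return "dropped"
	}
	return "allow"
}

func main() {
	g, err := NewGate([]string{"127.0.0.1", "10.0.0.0/8", "::1"}, 2)
	if err != nil {
		panic(err)
	}
	for _, src := range []string{"192.0.2.1", "10.1.2.3", "10.1.2.3", "10.1.2.3", "::1"} {
		fmt.Printf("%-10s %s\n", src, g.Check(net.ParseIP(src)))
	}
}
```

The access-list check runs before any accounting, so off-list clients cost no state; a production limiter would also evict idle entries from `counters`, which this example omits for brevity.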
## TODO
- More tests
- Find a better way to look up NS addresses
- DNS over TLS support
- DNS over HTTPS support
- Full DNSSEC support
- RTT optimization
- Access list
- Periodic priming queries as described in RFC 8109
- Automated updates of DNSSEC trust anchors as described in RFC 5011
- Full IPv6 support (server<->server communication)
## Contributing
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.
Please make sure to update tests as appropriate.
## Made With
- miekg/dns - Alternative (more granular) approach to a DNS library
## License
MIT