README
¶
🚀 Privacy important, fast, recursive dns resolver server with dnssec support
Installation
go get github.com/semihalev/sdns
or
or run with Docker image
docker run -d --name sdns -p 53:53 -p 53:53/udp -p 853:853 -p 8053:8053 -p 8080:8080 sdns
- Port 53 DNS server
- Port 853 DNS-over-TLS server
- Port 8053 DNS-over-HTTPS server
- Port 8080 HTTP API
Building
$ go build
Testing
$ make test
Flags
| Flag | Desc |
|---|---|
| config | Location of the config file, if config file not found, a config will generate |
| v | Show version information |
Debug Environment
$ export SDNS_DEBUGNS=true && export SDNS_PPROF=true && ./sdns
SDNS_DEBUGNS enviroment useful when you want to check authoritive servers RTT times. Usage: send HINFO query for zones.
Example Output:
$ dig chaos hinfo example.com
; <<>> DiG 9.17.1 <<>> chaos hinfo example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29636
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f27dbb995df5ac79e4fa37c07d131b5bd03aa1c5f802047a7c02fb228a886cb281ecc319323dea81 (good)
;; QUESTION SECTION:
;example.com. CH HINFO
;; AUTHORITY SECTION:
example.com. 0 CH HINFO "Host" "IPv4:199.43.135.53:53 rtt:142ms health:[GOOD]"
example.com. 0 CH HINFO "Host" "IPv4:199.43.133.53:53 rtt:145ms health:[GOOD]"
example.com. 0 CH HINFO "Host" "IPv6:[2001:500:8f::53]:53 rtt:147ms health:[GOOD]"
example.com. 0 CH HINFO "Host" "IPv6:[2001:500:8d::53]:53 rtt:148ms health:[GOOD]"
Configuration (v1.0.0)
| Key | Desc |
|---|---|
| version | Config version |
| blocklists | List of remote blocklists address list. All lists will be download to blocklist folder. |
| blocklistdir | List of locations to recursively read blocklists from (warning, every file found is assumed to be a hosts-file or domain list) |
| loglevel | What kind of information should be logged, Log verbosity level crit,error,warn,info,debug |
| accesslog | The location of access log file, left blank for disabled. SDNS uses Common Log Format by default. |
| bind | Address to bind to for the DNS server. Default :53 |
| bindtls | Address to bind to for the DNS-over-TLS server. Default :853 |
| binddoh | Address to bind to for the DNS-over-HTTPS server. Default :8053 |
| tlscertificate | TLS certificate file path |
| tlsprivatekey | TLS private key file path |
| outboundips | Outbound ipv4 addresses, if you set multiple, sdns can use random outbound ipv4 address by request based |
| outboundip6s | Outbound ipv6 addresses, if you set multiple, sdns can use random outbound ipv6 address by request based |
| rootservers | DNS Root IPv4 servers |
| root6servers | DNS Root IPv6 servers |
| rootkeys | Trusted anchors for DNSSEC |
| fallbackservers | Failover resolver ipv4 or ipv6 addresses with port, left blank for disabled: Example: "8.8.8.8:53" |
| api | Address to bind to for the http API server, left blank for disabled |
| nullroute | IPv4 address to forward blocked queries to |
| nullroutev6 | IPv6 address to forward blocked queries to |
| accesslist | Which clients allowed to make queries |
| timeout | Network timeout for each dns lookups in duration Default: 2s |
| hostsfile | Enables serving zone data from a hosts file, left blank for disabled |
| expire | Default error cache TTL for in seconds Default: 600 |
| cachesize | Cache size (total records in cache) Default: 256000 |
| maxdepth | Maximum iteration depth for a query Default: 30 |
| ratelimit | Query based ratelimit per second, 0 for disabled. Default: 0 |
| clientratelimit | Client ip address based ratelimit per minute, 0 for disable. if client support edns cookie no limit. Default: 0 |
| blocklist | Manual blocklist entries |
| whitelist | Manual whitelist entries |
| cookiesecret | DNS cookie secret (RFC 7873), if no cookiesecret set, it will be generate automatically |
| nsid | DNS server identifier (RFC 5001), it's useful while operating multiple sdns. left blank for disabled |
| chaos | Enable to answer version.server, version.bind, hostname.bind and id.server chaos txt queries. |
| qname_min_level | Qname minimize level.If higher, it can be more complex and impact the response performance. If set 0, qname min will be disable |
Server Configuration Checklist
- Increase file descriptor on your server
Features
- Linux/BSD/Darwin/Windows supported
- DNS RFC compatibility
- DNS lookups within listed ipv4 and ipv6 auth servers
- DNS caching
- DNSSEC validation
- DNS over TLS support (DoT)
- DNS over HTTPS support (DoH)
- Outbound IP selection
- Middleware Support, you can add, your own middleware
- RTT priority within listed servers
- Failover forwarders while returning failured responses
- EDNS Cookie Support (client<->server)
- EDNS NSID Support
- Full IPv6 support (client<->server, server<->server)
- Query based ratelimit
- IP based ratelimit
- Access list
- Access log
- Prometheus basic query metrics
- Black-hole for malware responses
- HTTP API support
- Cache Purge API and query support
- Answer chaos txt queries for version.bind and hostname.bind
TODO
- More tests
- Try lookup NS address better way
- DNS over TLS support
- DNS over HTTPS support
- Full DNSSEC support
- RTT optimization
- Access list
- Periodic priming queries described at RFC 8109
- Full IPv6 support (server<->server communication)
- Query name minimization to improve privacy described at RFC 7816
- Automated Updates DNSSEC Trust Anchors described at RFC 5011
- DNAME Redirection in the DNS described at RFC 6672
- DNS64 DNS Extensions for NAT from IPv6 Clients to IPv4 Servers described at RFC 6147
Who Used
CubeDNS public open resolver project using sdns on multi location. The project supported both UDP and TCP also DoT and DoH.
| Proto | Servers |
|---|---|
| IPv4 | 195.244.44.44, 195.244.44.45 |
| IPv6 | 2a0a:be80::cbe:4444, 2a0a:be80::cbe:4445 |
| DoH | https://cubedns.com/dns-query |
Contributing
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.
Please make sure to update tests as appropriate.
♥ Made With
- miekg/dns - Alternative (more granular) approach to a DNS library
Inspired by
License
Documentation
¶
Overview ¶
Privacy important, fast recursive dns resolver server with dnssec support. https://semihalev.github.io/sdns/ for more information.
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.