DNS over HTTPS [mirror]

dnss

dnss is a daemon for using DNS over HTTPS.

It can act as a proxy, receiving DNS requests and resolving them using DNS-over-HTTPS (DoH). This can be useful to improve DNS security and privacy on laptops and small/home networks.

It can also act as a DoH server, in case you want end-to-end control.


Features

  • Supports the DNS Queries over HTTPS (DoH) standard (RFC 8484).
  • Local cache (optional).
  • HTTP(s) proxy support, autodetected from the environment.
  • Monitoring HTTP server, with exported variables and tracing to help debugging.
  • Separate resolution for specific domains, useful for home networks with local DNS servers.

Install

Debian/Ubuntu

The dnss package installs the daemon configured in proxy mode and ready to use, using Google's public resolvers (and easily changed via configuration).

sudo apt install dnss

Manual install

To download and build the binary:

go install blitiri.com.ar/go/dnss

And if you want to configure the daemon to be automatically run by systemd:

# Copy the binary to a system-wide location.
sudo cp "$GOPATH/bin/dnss" /usr/local/bin/

# Set it up in systemd.
sudo cp "$GOPATH"/src/blitiri.com.ar/go/dnss/etc/systemd/dns-to-https/* \
	/etc/systemd/system/

sudo systemctl enable dnss

Examples

DNS server (proxy mode)

Listens on port 53 for DNS queries, resolves them using the given HTTPS URL.

# Use the default HTTPS URL (currently, dns.google):
dnss -enable_dns_to_https

# Use Cloudflare's 1.1.1.1:
dnss -enable_dns_to_https -https_upstream="https://1.1.1.1/dns-query"

# Use Google's dns.google:
dnss -enable_dns_to_https -https_upstream="https://dns.google/dns-query"

HTTPS server

Receives DNS over HTTPS requests, resolves them using the machine's configured DNS servers, and returns the replies. You will need to have certificates for the domains you want to serve.

Supports both DoH and JSON modes automatically, and the endpoints are /dns-query and /resolve.

# Serve DNS over HTTPS requests, take certificates from letsencrypt.
DOMAIN=yourdomain.com
dnss -enable_https_to_dns \
  -https_key=/etc/letsencrypt/live/$DOMAIN/privkey.pem \
  -https_cert=/etc/letsencrypt/live/$DOMAIN/fullchain.pem
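The exchange behind both modes above is a single RFC 8484 POST of a wire-format DNS message to a /dns-query endpoint. The following is an added example (not dnss's own code) of a minimal DoH client in Go that builds such a query and validates the reply before trusting it; the function names BuildQuery, Rcode and DoHPost are this example's own, the upstream URL is the README's default, and the 5 s timeout is an assumption.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"strings"
	"time"
)

const dnsMessage = "application/dns-message" // RFC 8484 media type for wire-format DNS
// BuildQuery encodes a minimal RFC 1035 wire-format A query with RD set. DoH carries
// exactly these bytes; RFC 8484 recommends ID 0 so HTTP caches can reuse identical replies.
func BuildQuery(id uint16, name string) []byte {
	buf := make([]byte, 12)
	binary.BigEndian.PutUint16(buf[0:], id)
	binary.BigEndian.PutUint16(buf[2:], 0x0100) // flags: RD (recursion desired)
	binary.BigEndian.PutUint16(buf[4:], 1)      // QDCOUNT = 1
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		buf = append(buf, byte(len(label)))
		buf = append(buf, label...)
	}
	return append(buf, 0, 0, 1, 0, 1) // root label, QTYPE=A, QCLASS=IN
}

// Rcode reads the response code of a validated reply: 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN.
func Rcode(msg []byte) int { return int(msg[3] & 0x0f) }

// DoHPost performs one RFC 8484 exchange and validates the reply before trusting it:
// HTTP 200 with the dns-message media type, QR bit set, and our transaction ID echoed.
func DoHPost(client *http.Client, url string, query []byte) ([]byte, error) {
	resp, err := client.Post(url, dnsMessage, bytes.NewReader(query))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if ct := resp.Header.Get("Content-Type"); resp.StatusCode != http.StatusOK || ct != dnsMessage {
		return nil, fmt.Errorf("bad upstream reply: HTTP %d, Content-Type %q", resp.StatusCode, ct)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 65535)) // a DNS message is at most 64 KiB
	if err != nil {
		return nil, err
	}
	if len(body) < 12 || body[2]&0x80 == 0 || !bytes.Equal(body[:2], query[:2]) {
		return nil, errors.New("reply is not a response to this query")
	}
	return body, nil
}

func main() { // stand-alone run against the README's default upstream (needs network access)
	reply, err := DoHPost(&http.Client{Timeout: 5 * time.Second}, "https://dns.google/dns-query", BuildQuery(0, "dns.google"))
	if err != nil {
		log.Fatal("DoH query failed: ", err)
	}
	fmt.Printf("reply: %d bytes, rcode %d\n", len(reply), Rcode(reply))
}
```

A reply that fails the media-type or QR/ID checks (for instance an HTML page from a captive portal) is rejected rather than parsed as DNS.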

Comments
  • Work with default(google) but not with others

    Hi there, nice project! I found this today and I think it's an awesome project! But I tried to use it and I can't get it working with a custom DoH upstream.

    This works fine:

    sudo dnss -enable_dns_to_https

    This works fine too (by IP, but that's wrong):

    sudo dnss -enable_dns_to_https -https_upstream "https://1.1.1.1/dns-query"

    But this does not:

    sudo dnss -enable_dns_to_https -https_upstream "https://cloudflare-dns.com/dns-query"

    And this does not work either:

    sudo dnss -enable_dns_to_https \
    -fallback_upstream 1.1.1.1:53 \
    -fallback_domains cloudflare-dns.com \
    -https_upstream "https://cloudflare-dns.com/dns-query"
    

    Of course it doesn't work with Quad9 and my own DoH.

    Another good idea: add helpful info to the readme. To get it working you should disable and stop the original resolver, which uses port 53. This is what happens if you don't:

    sudo systemctl disable systemd-resolved.service
    sudo systemctl stop systemd-resolved
    sudo systemctl restart dnss
    

    I hope you can help. Cheers!

  • dnss appears to be using the system resolver instead of the fallback flags.

    Hi,

    I tried configuring dnss to use unbound on localhost as the fallback_upstream, but I'm getting SERVFAIL some of the time. Not always, just some of the time. From the logs, I think dnss might be trying to use the system resolver (systemd-resolved) instead of unbound to look up fallback_domains.

    I'm on Debian stable, using dnss 0.0~git20180721.0.2de63ab0-1+b11, so apologies if this is something that's been fixed already. I looked at the git history and didn't see anything that looked relevant though.

    dnss command, from ps:

    /usr/bin/dnss --dns_listen_addr=systemd --enable_cache=false --enable_dns_to_https --fallback_domains=dns.google. --fallback_upstream=[::1]:14653 --force_mode=DoH --https_upstream=https://dns.google/dns-query
    

    Relevant ports, from ss:

    udp   UNCONN 0      0                                 [::1]:25953                                                      [::]:*                                    users:(("dnss",pid=384,fd=5),("systemd",pid=1,fd=57))                          
    tcp   LISTEN 0      128                               [::1]:25953                                                      [::]:*                                    users:(("dnss",pid=384,fd=3),("systemd",pid=1,fd=58)) 
    udp   UNCONN 0      0                                 [::1]:14653                                                      [::]:*                                    users:(("unbound",pid=440,fd=3))                                               
    tcp   LISTEN 0      128                               [::1]:14653                                                      [::]:*                                    users:(("unbound",pid=440,fd=4))
    

    unbound is correctly resolving dns.google.:

    # dig dns.google @::1 -p 14653
    
    ; <<>> DiG 9.11.5-P4-5.1+deb10u3-Debian <<>> dns.google @::1 -p 14653
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1118
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;dns.google.                    IN      A
    
    ;; ANSWER SECTION:
    dns.google.             744     IN      A       8.8.8.8
    dns.google.             744     IN      A       8.8.4.4
    
    ;; Query time: 0 msec
    ;; SERVER: ::1#14653(::1)
    ;; WHEN: Mon Mar 01 23:31:20 EST 2021
    ;; MSG SIZE  rcvd: 71
    

    But dnss is returning SERVFAIL:

    # dig google.com @::1 -p 25953
    
    ; <<>> DiG 9.11.5-P4-5.1+deb10u3-Debian <<>> google.com @::1 -p 25953
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4451
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available
    
    ;; QUESTION SECTION:
    ;google.com.                    IN      A
    
    ;; Query time: 4001 msec
    ;; SERVER: ::1#25953(::1)
    ;; WHEN: Mon Mar 01 23:31:35 EST 2021
    ;; MSG SIZE  rcvd: 28
    

    System logs, starting when I queried dnss for google.com:

    Mar 01 23:33:51 sakaar dnss[786]: _ server.go:134      resolver query error: POST failed: Post https://dns.google/dns-query: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)                                                                                                                                                         
    Mar 01 23:33:51 sakaar dnss[786]: _ server.go:134      resolver query error: POST failed: Post https://dns.google/dns-query: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)                                                                                                                                                         
    Mar 01 23:33:51 sakaar systemd-resolved[843]: DNSSEC validation failed for question . IN SOA: no-signature
    Mar 01 23:33:51 sakaar systemd-resolved[843]: DNSSEC validation failed for question google IN DS: no-signature
    Mar 01 23:33:51 sakaar systemd-resolved[843]: DNSSEC validation failed for question google IN SOA: no-signature
    Mar 01 23:33:51 sakaar systemd-resolved[843]: DNSSEC validation failed for question google IN DNSKEY: no-signature
    Mar 01 23:33:51 sakaar systemd-resolved[843]: DNSSEC validation failed for question dns.google IN DS: no-signature
    Mar 01 23:33:51 sakaar systemd-resolved[843]: DNSSEC validation failed for question dns.google IN DNSKEY: no-signature
    Mar 01 23:33:51 sakaar systemd-resolved[843]: DNSSEC validation failed for question dns.google IN AAAA: no-signature
    Mar 01 23:33:51 sakaar systemd-resolved[843]: DNSSEC validation failed for question dns.google IN A: no-signature
    Mar 01 23:33:54 sakaar dnss[786]: _ server.go:134      resolver query error: POST failed: Post https://dns.google/dns-query: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)                                                                                                                                                         
    Mar 01 23:33:55 sakaar dnss[786]: _ server.go:134      resolver query error: POST failed: Post https://dns.google/dns-query: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)                                                                                                                                                         
    Mar 01 23:33:55 sakaar dnss[786]: _ server.go:134      resolver query error: POST failed: Post https://dns.google/dns-query: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)                                                                                                                                                         
    Mar 01 23:33:56 sakaar dnss[786]: _ server.go:134      resolver query error: POST failed: Post https://dns.google/dns-query: dial tcp: lookup dns.google: Temporary failure in name resolution
    Mar 01 23:33:56 sakaar dnss[786]: _ server.go:134      resolver query error: POST failed: Post https://dns.google/dns-query: dial tcp: lookup dns.google: Temporary failure in name resolution
    Mar 01 23:34:00 sakaar dnss[786]: _ server.go:134      resolver query error: POST failed: Post https://dns.google/dns-query: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)                                                                                                                                                         
    Mar 01 23:34:00 sakaar dnss[786]: _ server.go:134      resolver query error: POST failed: Post https://dns.google/dns-query: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)                                                                                                                                                         
    Mar 01 23:34:04 sakaar dnss[786]: _ server.go:134      resolver query error: POST failed: Post https://dns.google/dns-query: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
    Mar 01 23:34:04 sakaar dnss[786]: _ server.go:134      resolver query error: POST failed: Post https://dns.google/dns-query: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
    Mar 01 23:34:05 sakaar dnss[786]: _ server.go:134      resolver query error: POST failed: Post https://dns.google/dns-query: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
    Mar 01 23:34:06 sakaar dnss[786]: _ server.go:134      resolver query error: POST failed: Post https://dns.google/dns-query: dial tcp: lookup dns.google: Temporary failure in name resolution
    Mar 01 23:34:06 sakaar dnss[786]: _ server.go:134      resolver query error: POST failed: Post https://dns.google/dns-query: dial tcp: lookup dns.google: Temporary failure in name resolution
    

    The fact that systemd-resolved appears to be trying to look up dns.google makes me think that somehow dnss is using the local resolver via getaddrinfo() or similar, instead of querying the fallback_upstream, but I'm just guessing. Any ideas how this could happen?

  • Is the flag -testing__insecure_http just for testing?

    Thanks for dnss, very useful!

    I use the flag -testing__insecure_http because dnss sits behind encrypted Apache, so I do not need dnss to use encryption.

    Is the flag -testing__insecure_http ok to use in this scenario, i.e. not just for "testing"?

  • Cannot change HTTPS Upstream

    Hi, great software! Just installed dnss from Debian Buster's repo, works well so far!

    The only thing which I can't get to work is changing the HTTPS upstream: even when I enter CloudFlare's address, it seems like the Google service is still used. Care to check if there is a bug?

    Version: 0.0~git20180721.0.2de63ab0-1+b11

    dnss 1649 0.0 0.1 778316 13504 ? Ssl 13:15 0:00 /usr/bin/dnss --dns_listen_addr=systemd --monitoring_listen_addr=127.0.0.1:9981 -enable_dns_to_https -https_upstream=https://1.1.1.1/dns-query

    I use https://www.dnsleaktest.com to check which DNS resolvers had been hit.

  • what does "server.go:63 HTTPS exiting: open : no such file or directory" mean?

    Hi.

    [root@vps ~]# dnss -enable_https_to_dns -dns_upstream 8.8.8.8:53 -https_server_addr 127.0.0.1:2367
    _ server.go:56 HTTPS listening on 127.0.0.1:2367
    ☠ server.go:63 HTTPS exiting: open : no such file or directory
    [root@vps ~]#

    Thank you.

  • Custom listening port?

    Hi! I find this app pretty damn awesome. I don't really want to mess with cloudflared, so I used dnss, but the problem is I wanted to use it with Pi-hole, which eats up port :53, so I can't launch dnss on this port without breaking things. I can build my own version, but it would be awesome to be able to control the listening port via command-line args. What do you think?

  • Error happens when apt install

    It says "dnss.socket: Failed to create listening socket ([::]:53): Address already in use", but it should not use the network during installation, and should not fail just because another DNS server is running.

  • Is it possible to use multiple --https_upstream clauses?

    At the moment I am testing with

    --https_upstream="https://1.1.1.1/dns-query"

    but is it possible to add multiple DoH sources? E.g. in case 1.1.1.1 is down, use the next one: --https_upstream="https://9.9.9.9/dns-query"

  • Structured query logging

    Hello, I'm currently testing dnss in a lab environment and I can't enable proper logging of all DNS requests. I found in the source code that, apparently, "-v=3" should enable more logging but it does not work. Having proper logging is essential for me. Any tip?
