A DNS client in Go that supports Google DNS over HTTPS

dingo

A DNS client (stub resolver) implemented in Go for Google DNS-over-HTTPS. It encrypts all DNS traffic between your machine and the recursive resolver. It also supports OpenResolve by OpenDNS.

The ultimate goal of the project is to provide a secure, caching DNS client that communicates with recursive DNS resolvers over encrypted channels only. For now, it resolves DNS queries over HTTP/2 in independent threads. Plans for the future include better caching and support for QUIC.

Quick start

Download a pre-built binary for your platform from the latest release (or build your own binaries).

Run dingo as root on port 53. For example, on Linux:

$ sudo ./dingo-linux-amd64 -port=53

Update your DNS configuration. On Linux, edit your /etc/resolv.conf as root (remember to make a backup first), e.g.:

$ sudo sh -c "echo nameserver 127.0.0.1 > /etc/resolv.conf"

Tuning dingo

You will probably want to change the default Google DNS-over-HTTPS server IP address, using the -gdns:server option. First, resolve dns.google.com to an IP address, which should give you the server closest to you:

$ host dns.google.com
dns.google.com has address 216.58.209.174
dns.google.com has IPv6 address 2a00:1450:401b:800::200e

Next, pass it to dingo. If you prefer IPv6, enclose the address in brackets, e.g.:

$ sudo ./dingo-linux-amd64 -port=53 -gdns:server=[2a00:1450:401b:800::200e]

To see all options, run dingo -h:

Usage of dingo-linux-amd64:
  -bind string
    	IP address to bind to (default "127.0.0.1")
  -dbg int
    	debugging level (default 2)
  -gdns:auto
    	Google DNS: try to lookup the closest IPv4 server
  -gdns:edns string
    	Google DNS: EDNS client subnet (set 0.0.0.0/0 to disable)
  -gdns:host string
    	Google DNS: HTTP 'Host' header (real FQDN, encrypted in TLS) (default "dns.google.com")
  -gdns:nopad
    	Google DNS: disable random padding
  -gdns:server string
    	Google DNS: server address (default "216.58.195.78")
  -gdns:sni string
    	Google DNS: SNI string to send (should match server certificate) (default "www.google.com")
  -gdns:workers int
    	Google DNS: number of independent workers (default 10)
  -h1
    	use HTTPS/1.1 transport
  -odns:host string
    	OpenDNS: HTTP 'Host' header (real FQDN, encrypted in TLS) (default "api.openresolve.com")
  -odns:server string
    	OpenDNS: web server address (default "67.215.70.81")
  -odns:sni string
    	OpenDNS: TLS SNI string to send (unencrypted, must validate as server cert) (default "www.openresolve.com")
  -odns:workers int
    	OpenDNS: number of independent workers
  -port int
    	listen on port number (default 32000)

Finally, you will need to make dingo start in the background each time you boot your machine. On Linux, you might want to use GNU Screen, which can start processes in the background. For example, you might add the following line to your /etc/rc.local:

screen -dmS dingo /path/to/bin/dingo -port=53 -gdns:server=[2a00:1450:401b:800::200e]

Author

Pawel Foremski, [email protected]

Find me on: LinkedIn, Twitter

Comments
  • compile error...

    go version: go1.9beta2 linux/amd64; quic-go: latest commit 3157e2d

    Error log:

    $ go get -u github.com/pforemski/dingo
    github.com/pforemski/dingo
    ../src/github.com/pforemski/dingo/https.go:39:15: undefined: h2quic.QuicRoundTripper

  • OpenDNS error: "http2: could not negotiate protocol mutually"

    Hi Pawel,

    Lately OpenDNS seems to give an error (latest version of code):

    $ ./dingo -port=53 -odns:workers=10 -gdns:workers=0
    2017/01/05 14:29:40 starting 10 OpenDNS client(s) querying server 67.215.70.81
    2017/01/05 14:29:40 dingo ver. 0.13 listening on 127.0.0.1 UDP port 53
    2017/01/05 14:29:43 resolving index.hu./A
    2017/01/05 14:29:43 http.Do(): Get https://67.215.70.81/A/index.hu.: http2: could not negotiate protocol mutually

    Google works all right.

    Also, thanks for the great software, keep up the good work!

  • HTTP/2 support

    Go supports H/2 natively, but only if we don't touch the defaults, which isn't the case: dingo spoofs the SNI string in TLS handshakes, which is why Go selects the HTTP/1.1 transport instead of HTTP/2.
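The Tuning section above (the -gdns:server, -gdns:sni and -gdns:host options) and this comment together describe how dingo reaches the resolver: dial an operator-chosen IP, present a separate SNI in the TLS handshake, and carry the real FQDN only in the Host header inside the encrypted channel. The following Go program is an added example, not dingo's own code, that builds such a client against Google's JSON DoH API (https://dns.google.com/resolve, including its random_padding parameter) and shows the one setting this comment turns on: once a custom TLS config is installed, Go's http.Transport negotiates HTTP/2 only if ForceAttemptHTTP2 is set (available since Go 1.13); without it the client silently falls back to HTTP/1.1. The struct and function names, and the TEST-NET addresses, are assumptions made for this example.

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/tls"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"os"
	"time"
)

// Answer is one record of the Google JSON DoH reply (struct written for this
// example; the field names follow the public JSON API).
type Answer struct {
	Name string `json:"name"`
	Type int    `json:"type"`
	TTL  int    `json:"TTL"`
	Data string `json:"data"`
}

// Response holds the parts of the reply we use. Status is the DNS RCODE:
// 0 is NOERROR, 3 is NXDOMAIN.
type Response struct {
	Status int      `json:"Status"`
	Answer []Answer `json:"Answer"`
}

// NewDoHTransport always dials serverIP (the role of -gdns:server) and
// presents sni in the ClientHello (the role of -gdns:sni). Go also verifies
// the server certificate against ServerName, so a wrong SNI fails closed.
// A custom TLSClientConfig disables Go's automatic HTTP/2, hence
// ForceAttemptHTTP2 is set explicitly.
func NewDoHTransport(serverIP, sni string) *http.Transport {
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	return &http.Transport{
		DialContext: func(ctx context.Context, network, _ string) (net.Conn, error) {
			// Ignore the address derived from the URL; connect to the chosen IP.
			return dialer.DialContext(ctx, network, net.JoinHostPort(serverIP, "443"))
		},
		TLSClientConfig: &tls.Config{
			ServerName: sni,              // sent in clear as SNI, used for verification
			MinVersion: tls.VersionTLS12, // refuse legacy TLS versions
		},
		ForceAttemptHTTP2: true,
	}
}

// RandomPadding returns up to maxBytes random bytes as hex so the encrypted
// request length varies between queries (-gdns:nopad turns this off).
func RandomPadding(maxBytes int) string {
	var n [1]byte
	if _, err := rand.Read(n[:]); err != nil {
		return ""
	}
	buf := make([]byte, int(n[0])%(maxBytes+1))
	if _, err := rand.Read(buf); err != nil {
		return ""
	}
	return hex.EncodeToString(buf)
}

// BuildQueryURL assembles the JSON API URL. host becomes the HTTP Host header,
// which travels inside TLS (the role of -gdns:host); the TCP destination is
// decided by NewDoHTransport, not by this host name.
func BuildQueryURL(host, name, qtype, padding string) string {
	q := url.Values{}
	q.Set("name", name)
	q.Set("type", qtype)
	if padding != "" {
		q.Set("random_padding", padding)
	}
	u := url.URL{Scheme: "https", Host: host, Path: "/resolve", RawQuery: q.Encode()}
	return u.String()
}

// ParseResponse decodes a reply and rejects anything but NOERROR.
func ParseResponse(body []byte) (*Response, error) {
	var r Response
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, fmt.Errorf("decode: %w", err)
	}
	if r.Status != 0 {
		return nil, fmt.Errorf("resolver returned RCODE %d", r.Status)
	}
	return &r, nil
}

// Resolve performs one query over the given client and reports the
// negotiated protocol in its error message when the server refuses.
func Resolve(client *http.Client, host, name, qtype string) (*Response, error) {
	req, err := http.NewRequest(http.MethodGet, BuildQueryURL(host, name, qtype, RandomPadding(64)), nil)
	if err != nil {
		return nil, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("HTTP %d over %s", resp.StatusCode, resp.Proto)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<16)) // cap reply size
	if err != nil {
		return nil, err
	}
	return ParseResponse(body)
}

func main() {
	// Defaults taken from the option list above; needs network access.
	client := &http.Client{Transport: NewDoHTransport("216.58.195.78", "www.google.com"), Timeout: 10 * time.Second}
	r, err := Resolve(client, "dns.google.com", "example.com.", "A")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, a := range r.Answer {
		fmt.Printf("%s TTL=%d %s\n", a.Name, a.TTL, a.Data)
	}
}
```

To confirm HTTP/2 is actually in use, inspect resp.Proto (it reads "HTTP/2.0") in Resolve; dropping ForceAttemptHTTP2 from the transport reproduces the HTTP/1.1 fallback the comment describes.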

  • Why does nslookup not receive dingo's response?

    I know it may not be a problem of dingo. I downloaded dingo and tried to use it. On my terminal, I get many outputs like these:

    2021/12/15 00:52:03 resolving cn.archive.ubuntu.com./AAAA
    2021/12/15 00:52:03 resolving cn.archive.ubuntu.com./A
    2021/12/15 00:52:04 resolving security.ubuntu.com./AAAA
    2021/12/15 00:52:04 resolving security.ubuntu.com./A
    2021/12/15 00:52:04 resolving dl.google.com./A
    2021/12/15 00:52:04 resolving dl.google.com./AAAA
    2021/12/15 00:52:08 resolving _http._tcp.cn.archive.ubuntu.com./SRV

    It seems dingo works. But my nslookup only gives:

    ;; connection timed out; no servers could be reached

    What configuration do I miss, or what's wrong with my Ubuntu 21? It's weird to me, since it seems that none of dingo's users get this error when I search for an answer on the web.

    I have no idea how this works, so maybe I searched the wrong place using the wrong keywords.

    I hope someone here can help me. Thanks a lot.

  • Support for specifying multiple servers

    Hello,

    First of all, let me thank you for your great work with dingo, I'm currently finding it quite useful!

    I was wondering if you had any plans of adding multiple server support for dingo. Something along the lines of what dnsmasq does, but simpler. The idea would be allowing the user to specify multiple servers, and one strategy for which one to use: Query all of them and return the fastest response, random/round robin, or fallback on error.

    I can probably work on a PR implementing this if you find it interesting.
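The three strategies named in this request (query all upstreams and keep the fastest reply, rotate round-robin, or fall back on error) are the core of any multi-upstream resolver. The following Go program is an added example, not dingo's code or the requested PR, that implements each strategy over a generic upstream type; the Resolver type, the Static and Failing stand-in upstreams, and the TEST-NET addresses are constructed for this example. The racing strategy cancels the losing queries through the context so they do not keep connections busy.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync/atomic"
	"time"
)

// Resolver is one upstream: given a name it returns addresses or an error.
// Hypothetical type written for this example.
type Resolver func(ctx context.Context, name string) ([]string, error)

type answer struct {
	addrs []string
	err   error
}

// RaceFastest queries every upstream at once and returns the first successful
// reply; the remaining queries are cancelled. It fails only when all fail.
func RaceFastest(ctx context.Context, name string, ups ...Resolver) ([]string, error) {
	if len(ups) == 0 {
		return nil, errors.New("no upstreams configured")
	}
	ctx, cancel := context.WithCancel(ctx)
	defer cancel()                    // stops the losers once a winner is chosen
	ch := make(chan answer, len(ups)) // buffered: losers never block on send
	for _, up := range ups {
		go func(r Resolver) {
			addrs, err := r(ctx, name)
			ch <- answer{addrs, err}
		}(up)
	}
	var lastErr error
	for range ups {
		a := <-ch
		if a.err == nil {
			return a.addrs, nil
		}
		lastErr = a.err
	}
	return nil, fmt.Errorf("all %d upstreams failed: %w", len(ups), lastErr)
}

// Fallback tries upstreams in order and moves on only when one errors.
func Fallback(ctx context.Context, name string, ups ...Resolver) ([]string, error) {
	if len(ups) == 0 {
		return nil, errors.New("no upstreams configured")
	}
	var lastErr error
	for _, up := range ups {
		addrs, err := up(ctx, name)
		if err == nil {
			return addrs, nil
		}
		lastErr = err
	}
	return nil, fmt.Errorf("all %d upstreams failed: %w", len(ups), lastErr)
}

// RoundRobin rotates the starting upstream on each call and falls back along
// the rest of the ring on error. next is updated atomically for concurrent use.
type RoundRobin struct {
	ups  []Resolver
	next uint64
}

func NewRoundRobin(ups ...Resolver) *RoundRobin { return &RoundRobin{ups: ups} }

func (rr *RoundRobin) Resolve(ctx context.Context, name string) ([]string, error) {
	n := len(rr.ups)
	if n == 0 {
		return nil, errors.New("no upstreams configured")
	}
	start := int((atomic.AddUint64(&rr.next, 1) - 1) % uint64(n))
	ordered := make([]Resolver, 0, n)
	for i := 0; i < n; i++ {
		ordered = append(ordered, rr.ups[(start+i)%n])
	}
	return Fallback(ctx, name, ordered...)
}

// Static and Failing are constructed stand-ins for real upstreams so the
// strategies run offline. Static answers addr after delayMS milliseconds
// unless cancelled first, which is how a losing racer exits early.
func Static(addr string, delayMS int) Resolver {
	return func(ctx context.Context, name string) ([]string, error) {
		select {
		case <-time.After(time.Duration(delayMS) * time.Millisecond):
			return []string{addr}, nil
		case <-ctx.Done():
			return nil, ctx.Err()
		}
	}
}

func Failing(msg string) Resolver {
	return func(context.Context, string) ([]string, error) { return nil, errors.New(msg) }
}

func main() {
	ctx := context.Background()
	slow, fast := Static("192.0.2.1", 300), Static("192.0.2.2", 5)
	addrs, err := RaceFastest(ctx, "example.com.", slow, fast)
	fmt.Println("fastest:", addrs, err)
	addrs, err = Fallback(ctx, "example.com.", Failing("upstream down"), fast)
	fmt.Println("fallback:", addrs, err)
}
```

Racing trades bandwidth for latency and sends every query to every upstream, so it also widens the set of parties that see your lookups; round-robin or fallback keeps each query with one provider, which matters when the upstreams are operated by different organizations.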

  • Cloudflare DNS support

    This also changes the default server to Cloudflare, by decreasing the worker count on gdns to 0. That might not be optimal for consistency reasons. Someone could also combine the common parts of cfdns and gdns to use the same / inherited structures.
    I have very little experience with Go (this is the first Go project I ever touched) and just needed this to work on my router as a static binary, so I'm not the best person to do that.

    PS: Thank you for your work. I have been using dingo for over a year with Google and I'm very happy with it. :)
    PPS: I'm not so happy with Google. I just happened to notice today that their server failed to resolve some domains and I had to switch to another. I do hope Cloudflare fares better.

  • RRSIG support

    Running dig @127.0.0.1 -p 8853 rrsig debian.org pointed at dingo gives this log:

    $ dingo-linux-amd64 -port 8853
    2017/09/24 03:38:07 starting 10 Google Public DNS client(s) querying server 216.58.195.78
    2017/09/24 03:38:07 dingo ver. 0.13 listening on 127.0.0.1 UDP port 8853
    2017/09/24 03:38:11 resolving debian.org./RRSIG
    2017/09/24 03:38:11 Pack() failed: dns: nil rr

    and does not return any data; check what should be returned by running dig @8.8.8.8 rrsig debian.org.

    secureoperator has the same bug here

    https://github.com/chenhw2/google-https-dns seems to work for RRSIG
