{"id":49191582,"url":"https://github.com/abihf/doqxy","last_synced_at":"2026-04-23T07:02:23.487Z","repository":{"id":331610164,"uuid":"1131125813","full_name":"abihf/doqxy","owner":"abihf","description":"Dns over Quic Proxy","archived":false,"fork":false,"pushed_at":"2026-04-11T14:31:19.000Z","size":151,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-11T16:24:44.035Z","etag":null,"topics":["dns","dns-over-quic","dns-proxy","quic"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/abihf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-09T14:12:11.000Z","updated_at":"2026-04-11T14:31:18.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/abihf/doqxy","commit_stats":null,"previous_names":["abihf/quicdns","abihf/doqxy"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/abihf/doqxy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abihf%2Fdoqxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abihf%2Fdoqxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abihf%2Fdoqxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abihf%2Fdoqxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/abihf","download_url":"https://codeload.github.com/abihf/doqxy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abihf%2Fdoqxy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32169657,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-23T02:19:40.750Z","status":"ssl_error","status_checked_at":"2026-04-23T02:17:55.737Z","response_time":53,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dns","dns-over-quic","dns-proxy","quic"],"created_at":"2026-04-23T07:02:22.604Z","updated_at":"2026-04-23T07:02:23.466Z","avatar_url":"https://github.com/abihf.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# doqxy\n\nA high-performance DNS proxy with DNS-over-QUIC (DoQ) support, written in Rust.\n\n## Features\n\n- **DNS-over-QUIC (DoQ)**: Forwards DNS queries over QUIC (RFC 9250) for improved privacy and performance\n- **In-Memory Caching**: Built-in cache with configurable TTL to reduce latency and upstream load\n- **Connection Management**: Single persistent QUIC connection with multiplexed streams for optimal performance\n- **Zero-Copy Mode**: Minimal parsing overhead when debug mode is disabled\n- **Systemd Integration**: Production-ready systemd service with security hardening\n- **Environment Configuration**: Flexible configuration via environment variables\n\n## Architecture\n\n- Single QUIC connection with auto-reconnect capability\n- Multiple bidirectional streams for concurrent queries\n- Moka-based async cache (10,000 entries, 5-minute TTL by default)\n- Cache key based on DNS question section for efficient deduplication\n- SERVFAIL responses on upstream errors\n\n## Requirements\n\n- Rust 2024 edition or later\n- Linux with systemd (for service deployment)\n- CAP_NET_BIND_SERVICE capability (to bind to port 53 without root)\n\n## Installation\n\nSee [INSTALL.md](INSTALL.md) for detailed installation instructions.\n\nQuick install:\n```bash\nmake build\nsudo make install\nsudo systemctl enable --now doqxy.service\n```\n\n## Configuration\n\nConfiguration is done via environment variables:\n\n| Variable | Default | Description |\n|----------|---------|-------------|\n| `UPSTREAM_SERVER` | `dns.adguard-dns.com` | DNS-over-QUIC server hostname |\n| `UPSTREAM_PORT` | `853` | DNS-over-QUIC server port |\n| `UPSTREAM_IP` | _(resolved)_ | Upstream server IP (avoids DNS resolution at startup) |\n| `BIND_ADDR` | `127.0.0.53:53` | Local address to bind the DNS proxy |\n| `DEBUG` | `0` | Enable debug logging and DNS message parsing (`1` to enable) |\n\n### Example Configuration\n\nEdit the systemd service:\n```bash\nsudo systemctl edit doqxy.service\n```\n\nAdd custom environment variables:\n```ini\n[Service]\nEnvironment=\"UPSTREAM_SERVER=dns.adguard-dns.com\"\nEnvironment=\"UPSTREAM_PORT=853\"\nEnvironment=\"UPSTREAM_IP=94.140.14.14\"\nEnvironment=\"BIND_ADDR=127.0.0.10:53\"\nEnvironment=\"DEBUG=0\"\n```\n\n## Usage\n\n### Running as a Service\n\n```bash\n# Start the service\nsudo systemctl start doqxy.service\n\n# Check status\nsystemctl status doqxy.service\n\n# View logs\njournalctl -u doqxy -f\n\n# Stop the service\nsudo systemctl stop doqxy.service\n```\n\n### Testing\n\n```bash\n# Test with dig\ndig @127.0.0.53 example.com\n\n# Test with nslookup\nnslookup example.com 127.0.0.53\n\n# Test with systemd-resolve\nsystemd-resolve --status\n```\n\n### Running Manually\n\n```bash\n# Set environment variables\nexport UPSTREAM_SERVER=dns.adguard-dns.com\nexport UPSTREAM_PORT=853\nexport UPSTREAM_IP=94.140.14.14\nexport BIND_ADDR=127.0.0.10:53\nexport DEBUG=1\n\n# Run the proxy\ncargo run --release\n```\n\n## System Configuration\n\n### Disable NetworkManager DNS Management\n\nIf you want to use doqxy as your system DNS resolver, you need to prevent NetworkManager from managing `/etc/resolv.conf`:\n\n1. Create NetworkManager configuration:\n```bash\nsudo mkdir -p /etc/NetworkManager/conf.d\nsudo tee /etc/NetworkManager/conf.d/dns.conf \u003e /dev/null \u003c\u003c 'EOF'\n[main]\ndns=none\nsystemd-resolved=false\nEOF\n```\n\n2. Restart NetworkManager:\n```bash\nsudo systemctl restart NetworkManager\n```\n\n### Configure System DNS\n\n1. Make `/etc/resolv.conf` writable (if it's a symlink):\n```bash\nsudo rm /etc/resolv.conf\n```\n\n2. Create new `/etc/resolv.conf`:\n```bash\nsudo tee /etc/resolv.conf \u003e /dev/null \u003c\u003c 'EOF'\nnameserver 127.0.0.53\noptions edns0 trust-ad\nEOF\n```\n\n3. Protect from modification:\n```bash\nsudo chattr +i /etc/resolv.conf\n```\n\n4. To revert protection (if needed):\n```bash\nsudo chattr -i /etc/resolv.conf\n```\n\n**Note**: Make sure doqxy is running and bound to the address specified in `/etc/resolv.conf` before making these changes.\n\n## Security\n\nThe systemd service includes several security hardening features:\n\n- **DynamicUser**: Runs as a temporary system user\n- **CAP_NET_BIND_SERVICE**: Minimal capabilities (only bind to privileged ports)\n- **ProtectSystem**: File system protection\n- **ProtectHome**: Home directory isolation\n- **PrivateTmp**: Private /tmp and /var/tmp\n- **NoNewPrivileges**: Prevents privilege escalation\n- **RestrictAddressFamilies**: Limited to AF_INET and AF_INET6\n\n## Performance\n\n- Native CPU optimizations enabled by default (`RUSTFLAGS=\"-C target-cpu=native\"`)\n- Zero-copy forwarding in non-debug mode\n- Efficient caching reduces upstream queries\n- Single QUIC connection minimizes connection overhead\n- Async I/O with Tokio for high concurrency\n\n## Dependencies\n\n- [quinn](https://github.com/quinn-rs/quinn) - QUIC implementation\n- [rustls](https://github.com/rustls/rustls) - TLS library\n- [hickory-proto](https://github.com/hickory-dns/hickory-dns) - DNS protocol library\n- [moka](https://github.com/moka-rs/moka) - Fast concurrent cache\n- [tokio](https://tokio.rs/) - Async runtime\n\n## License\n\nLicensed under the MIT License. See [LICENSE](LICENSE) for details.\n\n## Contributing\n\nContributions are welcome! Please feel free to submit issues or pull requests.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fabihf%2Fdoqxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fabihf%2Fdoqxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fabihf%2Fdoqxy/lists"}