{"id":13375865,"url":"https://github.com/adguardteam/dnsproxy","last_synced_at":"2026-05-21T18:09:46.170Z","repository":{"id":37251651,"uuid":"162436330","full_name":"AdguardTeam/dnsproxy","owner":"AdguardTeam","description":"Simple DNS proxy with DoH, DoT, DoQ and DNSCrypt support","archived":false,"fork":false,"pushed_at":"2025-05-06T14:08:10.000Z","size":17210,"stargazers_count":2660,"open_issues_count":136,"forks_count":266,"subscribers_count":61,"default_branch":"master","last_synced_at":"2025-05-06T14:34:15.169Z","etag":null,"topics":["dns","dns-over-https","dns-over-quic","dns-over-tls","dnscrypt","golang","open-source","proxy"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/AdguardTeam.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2018-12-19T12:46:18.000Z","updated_at":"2025-05-06T14:08:13.000Z","dependencies_parsed_at":"2023-10-16T23:50:36.704Z","dependency_job_id":"25039984-e210-4158-a74f-079fb8f3497e","html_url":"https://github.com/AdguardTeam/dnsproxy","commit_stats":{"total_commits":722,"total_committers":33,"mean_commits":21.87878787878788,"dds":0.6481994459833795,"last_synced_commit":"5607a43e8a805a76bc9a1b2505b6a5ac2514a7b3"},"previous_names":[],"tags_count":226,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AdguardTeam%2Fdnsproxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AdguardTeam%2Fdnsproxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AdguardTeam%2Fdnsproxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AdguardTeam%2Fdnsproxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/AdguardTeam","download_url":"https://codeload.github.com/AdguardTeam/dnsproxy/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252734791,"owners_count":21796080,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dns","dns-over-https","dns-over-quic","dns-over-tls","dnscrypt","golang","open-source","proxy"],"created_at":"2024-07-30T05:02:02.438Z","updated_at":"2026-05-04T17:02:04.632Z","avatar_url":"https://github.com/AdguardTeam.png","language":"Go","funding_links":[],"categories":["\u003ca id=\"1a9934198e37d6d06b881705b863afc8\"\u003e\u003c/a\u003e通信\u0026\u0026代理\u0026\u0026反向代理\u0026\u0026隧道","\u003ca id=\"d03d494700077f6a65092985c06bf8e8\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"56acb7c49c828d4715dce57410d490d1\"\u003e\u003c/a\u003e未分类-Proxy","\u003ca id=\"6381920f17576b07cc87a8dc619123aa\"\u003e\u003c/a\u003eDNS"],"readme":"# DNS Proxy \u003c!-- omit in toc --\u003e\n\n[![Code Coverage](https://img.shields.io/codecov/c/github/AdguardTeam/dnsproxy/master.svg)](https://codecov.io/github/AdguardTeam/dnsproxy?branch=master)\n[![Go Report Card](https://goreportcard.com/badge/github.com/AdguardTeam/dnsproxy)](https://goreportcard.com/report/AdguardTeam/dnsproxy)\n[![Go Doc](https://godoc.org/github.com/AdguardTeam/dnsproxy?status.svg)](https://godoc.org/github.com/AdguardTeam/dnsproxy)\n\nA simple DNS proxy server that supports all existing DNS protocols including\n`DNS-over-TLS`, `DNS-over-HTTPS`, `DNSCrypt`, and `DNS-over-QUIC`. Moreover,\nit can work as a `DNS-over-HTTPS`, `DNS-over-TLS` or `DNS-over-QUIC` server.\n\n- [How to install](#how-to-install)\n- [How to build](#how-to-build)\n- [Usage](#usage)\n- [Examples](#examples)\n - [Simple options](#simple-options)\n - [Encrypted upstreams](#encrypted-upstreams)\n - [Encrypted DNS server](#encrypted-dns-server)\n - [Additional features](#additional-features)\n - [DNS64 server](#dns64-server)\n - [Fastest addr + cache-min-ttl](#fastest-addr--cache-min-ttl)\n - [Specifying upstreams for domains](#specifying-upstreams-for-domains)\n - [Specifying private rDNS upstreams](#specifying-private-rdns-upstreams)\n - [EDNS Client Subnet](#edns-client-subnet)\n - [Bogus NXDomain](#bogus-nxdomain)\n - [Basic Auth for DoH](#basic-auth-for-doh)\n\n## How to install\n\nThere are several options how to install `dnsproxy`.\n\n1. Grab the binary for your device/OS from the [Releases][releases] page.\n2. Use the [official Docker image][docker].\n3. Build it yourself (see the instruction below).\n\n[releases]: https://github.com/AdguardTeam/dnsproxy/releases\n[docker]: https://hub.docker.com/r/adguard/dnsproxy\n\n## How to build\n\nYou will need Go 1.26 or later.\n\n```shell\nmake build\n```\n\n## Usage\n\n```none\nUsage of ./dnsproxy:\n --bogus-nxdomain=subnet\n Transform the responses containing at least a single IP that matches specified addresses and CIDRs into NXDOMAIN. Can be specified multiple times.\n --bootstrap/-b\n Bootstrap DNS for DoH and DoT, can be specified multiple times (default: use system-provided).\n --cache\n If specified, DNS cache is enabled.\n --cache-max-ttl=uint32\n Maximum TTL value for DNS entries, in seconds.\n --cache-min-ttl=uint32\n Minimum TTL value for DNS entries, in seconds. Capped at 3600. Artificially extending TTLs should only be done with careful consideration.\n --cache-optimistic\n If specified, optimistic DNS cache is enabled.\n --cache-size=int\n Cache size (in bytes). Default: 64k.\n --config-path=path\n YAML configuration file. Minimal working configuration in config.yaml.dist. Options passed through command line will override the ones from this file.\n --dnssec\n Defines whether the proxy should set the DO bits in the upstream requests. Default: true.\n --doh-insecure-enabled\n If specified, the DoH server will skip TLS certificate verification.\n --doh-routes\n Routes for DNS-over-HTTPS. If not specified, the default routes are registered:\n - \"GET /\", deprecated and will soon be removed,\n - \"POST /\", deprecated and will soon be removed.\n - \"GET /dns-query\",\n - \"POST /dns-query\".\n --dns64\n If specified, dnsproxy will act as a DNS64 server.\n --dns64-prefix=subnet\n Prefix used to handle DNS64. If not specified, dnsproxy uses the 'Well-Known Prefix' 64:ff9b::. Can be specified multiple times.\n --dnscrypt-config=path/-g path\n Path to a file with DNSCrypt configuration. You can generate one using https://github.com/ameshkov/dnscrypt.\n --dnscrypt-port=port/-y port\n Listening ports for DNSCrypt.\n --edns\n Use EDNS Client Subnet extension.\n --edns-addr=address\n Send EDNS Client Address.\n --fallback/-f\n Fallback resolvers to use when regular ones are unavailable, can be specified multiple times. You can also specify path to a file with the list of servers.\n --help/-h\n Print this help message and quit.\n --hosts-file-enabled\n If specified, use hosts files for resolving.\n --hosts-files=path\n List of paths to the hosts files, can be specified multiple times.\n --http3\n Enable HTTP/3 support.\n --https-port=port/-s port\n Listening ports for DNS-over-HTTPS.\n --https-server-name=name\n Set the Server header for the responses from the HTTPS server.\n --https-userinfo=name\n If set, all DoH queries are required to have this basic authentication information.\n --insecure\n Disable secure TLS certificate validation.\n --ipv6-disabled\n If specified, all AAAA requests will be replied with NoError RCode and empty answer.\n --listen=address/-l address\n Listening addresses.\n --max-go-routines=uint\n Set the maximum number of go routines. A zero value will not not set a maximum.\n --optimistic-answer-ttl\n Default TTL value for expired DNS entries in optimistic cache. Default: 30s\n --optimistic-max-age\n Period of time after which entries are removed from optimistic cache in human-readable form. Default: 12h.\n --output=path/-o path\n Path to the log file.\n --pending-requests-enabled\n If specified, the server will track duplicate queries and only send the first of them to the upstream server, propagating its result to others. Disabling it introduces a vulnerability to cache poisoning attacks.\n --port=port/-p port\n Listening ports. Zero value disables TCP and UDP listeners.\n --pprof\n If present, exposes pprof information on localhost:6060.\n --private-rdns-upstream\n Private DNS upstreams to use for reverse DNS lookups of private addresses, can be specified multiple times.\n --private-subnets=subnet\n Private subnets to use for reverse DNS lookups of private addresses.\n --quic-port=port/-q port\n Listening ports for DNS-over-QUIC.\n --ratelimit=int/-r int\n Ratelimit (requests per second).\n --ratelimit-subnet-len-ipv4=int\n Ratelimit subnet length for IPv4.\n --ratelimit-subnet-len-ipv6=int\n Ratelimit subnet length for IPv6.\n --refuse-any\n If specified, refuses ANY requests.\n --timeout=duration\n Timeout for outbound DNS queries to remote upstream servers in a human-readable form\n --tls-crt=path/-c path\n Path to a file with the certificate chain.\n --tls-key=path/-k path\n Path to a file with the private key.\n --tls-max-version=version\n Maximum TLS version, for example 1.3.\n --tls-min-version=version\n Minimum TLS version, for example 1.0.\n --tls-port=port/-t port\n Listening ports for DNS-over-TLS.\n --udp-buf-size=int\n Set the size of the UDP buffer in bytes. A value \u003c= 0 will use the system default.\n --upstream/-u\n An upstream to be used (can be specified multiple times). You can also specify path to a file with the list of servers.\n --upstream-mode=mode\n Defines the upstreams logic mode, possible values: load_balance, parallel, fastest_addr (default: load_balance).\n --use-private-rdns\n If specified, use private upstreams for reverse DNS lookups of private addresses.\n --verbose/-v\n Verbose output.\n --version\n Prints the program version.\n```\n\n## Examples\n\n### Simple options\n\nRuns a DNS proxy on `0.0.0.0:53` with a single upstream - Google DNS.\n\n```shell\n./dnsproxy -u 8.8.8.8:53\n```\n\nThe same proxy with verbose logging enabled writing it to the file `log.txt`.\n\n```shell\n./dnsproxy -u 8.8.8.8:53 -v -o log.txt\n```\n\nRuns a DNS proxy on `127.0.0.1:5353` with multiple upstreams.\n\n```shell\n./dnsproxy -l 127.0.0.1 -p 5353 -u 8.8.8.8:53 -u 1.1.1.1:53\n```\n\nListen on multiple interfaces and ports:\n\n```shell\n./dnsproxy -l 127.0.0.1 -l 192.168.1.10 -p 5353 -p 5354 -u 1.1.1.1\n```\n\nThe plain DNS upstream server may be specified in several ways:\n\n- With a plain IP address:\n\n ```shell\n ./dnsproxy -l 127.0.0.1 -u 8.8.8.8:53\n ```\n\n- With a hostname or plain IP address and the `udp://` scheme:\n\n ```shell\n ./dnsproxy -l 127.0.0.1 -u udp://dns.google -u udp://1.1.1.1\n ```\n\n- With a hostname or plain IP address and the `tcp://` scheme to force using TCP:\n\n ```shell\n ./dnsproxy -l 127.0.0.1 -u tcp://dns.google -u tcp://1.1.1.1\n ```\n\n### Encrypted upstreams\n\nDNS-over-TLS upstream:\n\n```shell\n./dnsproxy -u tls://dns.adguard.com\n```\n\nDNS-over-HTTPS upstream with specified bootstrap DNS:\n\n```shell\n./dnsproxy -u https://dns.adguard.com/dns-query -b 1.1.1.1:53\n```\n\nDNS-over-QUIC upstream:\n\n```shell\n./dnsproxy -u quic://dns.adguard.com\n```\n\nDNS-over-HTTPS upstream with enabled HTTP/3 support (chooses it if it's faster):\n\n```shell\n./dnsproxy -u https://dns.google/dns-query --http3\n```\n\nDNS-over-HTTPS upstream with forced HTTP/3 (no fallback to other protocol):\n\n```shell\n./dnsproxy -u h3://dns.google/dns-query\n```\n\nDNSCrypt upstream ([DNS Stamp](https://dnscrypt.info/stamps) of AdGuard DNS):\n\n```shell\n./dnsproxy -u sdns://AQMAAAAAAAAAETk0LjE0MC4xNC4xNDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20\n```\n\nDNS-over-HTTPS upstream ([DNS Stamp](https://dnscrypt.info/stamps) of Cloudflare DNS):\n\n```shell\n./dnsproxy -u sdns://AgcAAAAAAAAABzEuMC4wLjGgENk8mGSlIfMGXMOlIlCcKvq7AVgcrZxtjon911-ep0cg63Ul-I8NlFj4GplQGb_TTLiczclX57DvMV8Q-JdjgRgSZG5zLmNsb3VkZmxhcmUuY29tCi9kbnMtcXVlcnk\n```\n\nDNS-over-TLS upstream with two fallback servers (to be used when the main upstream is not available):\n\n```shell\n./dnsproxy -u tls://dns.adguard.com -f 8.8.8.8:53 -f 1.1.1.1:53\n```\n\n### Encrypted DNS server\n\nRuns a DNS-over-TLS proxy on `127.0.0.1:853`.\n\n```shell\n./dnsproxy -l 127.0.0.1 --tls-port=853 --tls-crt=example.crt --tls-key=example.key -u 8.8.8.8:53 -p 0\n```\n\nRuns a DNS-over-HTTPS proxy on `127.0.0.1:443`.\n\n```shell\n./dnsproxy -l 127.0.0.1 --https-port=443 --tls-crt=example.crt --tls-key=example.key -u 8.8.8.8:53 -p 0\n```\n\nRuns a DNS-over-HTTPS proxy on `127.0.0.1:443` with HTTP/3 support.\n\n```shell\n./dnsproxy -l 127.0.0.1 --https-port=443 --http3 --tls-crt=example.crt --tls-key=example.key -u 8.8.8.8:53 -p 0\n```\n\nRuns a DNS-over-QUIC proxy on `127.0.0.1:853`.\n\n```shell\n./dnsproxy -l 127.0.0.1 --quic-port=853 --tls-crt=example.crt --tls-key=example.key -u 8.8.8.8:53 -p 0\n```\n\nRuns a DNSCrypt proxy on `127.0.0.1:443`.\n\n```shell\n./dnsproxy -l 127.0.0.1 --dnscrypt-config=./dnscrypt-config.yaml --dnscrypt-port=443 --upstream=8.8.8.8:53 -p 0\n```\n\n\u003e [!TIP]\n\u003e In order to run a DNSCrypt proxy, you need to obtain DNSCrypt configuration first. You can use https://github.com/ameshkov/dnscrypt command-line tool to do that with a command like this `./dnscrypt generate --provider-name=2.dnscrypt-cert.example.org --out=dnscrypt-config.yaml`.\n\n### Additional features\n\nRuns a DNS proxy on `0.0.0.0:53` with rate limit set to `10 rps`, enabled DNS cache, and that refuses type=ANY requests.\n\n```shell\n./dnsproxy -u 8.8.8.8:53 -r 10 --cache --refuse-any\n```\n\nRuns a DNS proxy on 127.0.0.1:5353 with multiple upstreams and enable parallel queries to all configured upstream servers.\n\n```shell\n./dnsproxy -l 127.0.0.1 -p 5353 -u 8.8.8.8:53 -u 1.1.1.1:53 -u tls://dns.adguard.com --upstream-mode parallel\n```\n\nLoads upstreams list from a file.\n\n```shell\n./dnsproxy -l 127.0.0.1 -p 5353 -u ./upstreams.txt\n```\n\n### DNS64 server\n\n`dnsproxy` is capable of working as a DNS64 server.\n\n\u003e [!NOTE] What is DNS64/NAT64\n\u003e This is a mechanism of providing IPv6 access to IPv4. Using a NAT64 gateway with IPv4-IPv6 translation capability lets IPv6-only clients connect to IPv4-only services via synthetic IPv6 addresses starting with a prefix that routes them to the NAT64 gateway. DNS64 is a DNS service that returns AAAA records with these synthetic IPv6 addresses for IPv4-only destinations (with A but not AAAA records in the DNS). This lets IPv6-only clients use NAT64 gateways without any other configuration.\n\u003e See also [RFC 6147](https://datatracker.ietf.org/doc/html/rfc6147).\n\nEnables DNS64 with the default [Well-Known Prefix][wkp]:\n\n```shell\n./dnsproxy -l 127.0.0.1 -p 5353 -u 8.8.8.8 --use-private-rdns --private-rdns-upstream=127.0.0.1 --dns64\n```\n\nYou can also specify any number of custom DNS64 prefixes:\n\n```shell\n./dnsproxy -l 127.0.0.1 -p 5353 -u 8.8.8.8 --use-private-rdns --private-rdns-upstream=127.0.0.1 --dns64 --dns64-prefix=64:ffff:: --dns64-prefix=32:ffff::\n```\n\nNote that only the first specified prefix will be used for synthesis.\n\nPTR queries for addresses within the specified ranges or the [Well-Known one][wkp] could only be answered with locally appropriate data, so dnsproxy will route those to the local upstream servers. Those should be specified and enabled if DNS64 is enabled.\n\n[wkp]: https://datatracker.ietf.org/doc/html/rfc6052#section-2.1\n\n### Fastest addr + cache-min-ttl\n\nThis option would be useful to the users with problematic network connection. In this mode, `dnsproxy` would detect the fastest IP address among all that were returned, and it will return only it.\n\nAdditionally, for those with problematic network connection, it makes sense to override `cache-min-ttl`. In this case, `dnsproxy` will make sure that DNS responses are cached for at least the specified amount of time.\n\nIt makes sense to run it with multiple upstream servers only.\n\nRun a DNS proxy with two upstreams, min-TTL set to 10 minutes, fastest address detection is enabled:\n\n```shell\n./dnsproxy -u 8.8.8.8 -u 1.1.1.1 --cache --cache-min-ttl=600 --upstream-mode=fastest_addr\n```\n\n who run `dnsproxy` with multiple upstreams\n\n### Specifying upstreams for domains\n\nYou can specify upstreams that will be used for a specific domain(s). We use the dnsmasq-like syntax, decorating domains with brackets (see `--server` [description][server-description]).\n\n**Syntax:** `[/[domain1][/../domainN]/]upstreamString`\n\nWhere `upstreamString` is one or many upstreams separated by space (e.g. `1.1.1.1` or `1.1.1.1 2.2.2.2`).\n\nIf one or more domains are specified, that upstream (`upstreamString`) is used only for those domains. Usually, it is used for private nameservers. For instance, if you have a nameserver on your network which deals with `xxx.internal.local` at `192.168.0.1` then you can specify `[/internal.local/]192.168.0.1`, and dnsproxy will send all queries to that nameserver. Everything else will be sent to the default upstreams (which are mandatory!).\n\n1. An empty domain specification, `//` has the special meaning of \"unqualified names only\", which will be used to resolve names with a single label in them, or with exactly two labels in case of `DS` requests.\n1. More specific domains take precedence over less specific domains, so: `--upstream=[/host.com/]1.2.3.4 --upstream=[/www.host.com/]2.3.4.5` will send queries for `*.host.com` to `1.2.3.4`, except `*.www.host.com`, which will go to `2.3.4.5`.\n1. The special server address `#` means, \"use the common servers\", so: `--upstream=[/host.com/]1.2.3.4 --upstream=[/www.host.com/]#` will send queries for `*.host.com` to `1.2.3.4`, except `*.www.host.com` which will be forwarded as usual.\n1. The wildcard `*` has special meaning of \"any sub-domain\", so: `--upstream=[/*.host.com/]1.2.3.4` will send queries for `*.host.com` to `1.2.3.4`, but `host.com` will be forwarded to default upstreams.\n\nSends requests for `*.local` domains to `192.168.0.1:53`. Other requests are sent to `8.8.8.8:53`:\n\n```shell\n./dnsproxy \\\n -u \"8.8.8.8:53\" \\\n -u \"[/local/]192.168.0.1:53\" \\\n ;\n```\n\nSends requests for `*.host.com` to `1.1.1.1:53` except for `*.maps.host.com` which are sent to `8.8.8.8:53` (along with other requests):\n\n```shell\n./dnsproxy \\\n -u \"8.8.8.8:53\" \\\n -u \"[/host.com/]1.1.1.1:53\" \\\n -u \"[/maps.host.com/]#\" \\\n ;\n```\n\nSends requests for `*.host.com` to `1.1.1.1:53` except for `host.com` which is sent to `9.9.9.10:53`, and all other requests are sent to `8.8.8.8:53`:\n\n```shell\n./dnsproxy \\\n -u \"8.8.8.8:53\" \\\n -u \"[/host.com/]9.9.9.10:53\" \\\n -u \"[/*.host.com/]1.1.1.1:53\" \\\n ;\n```\n\nSends requests for `com` (and its subdomains) to `1.2.3.4:53`, requests for other top-level domains to `1.1.1.1:53`, and all other requests to `8.8.8.8:53`:\n\n```shell\n./dnsproxy \\\n -u \"8.8.8.8:53\" \\\n -u \"[//]1.1.1.1:53\" \\\n -u \"[/com/]1.2.3.4:53\" \\\n ;\n```\n\n### Specifying private rDNS upstreams\n\nYou can specify upstreams that will be used for reverse DNS requests of type PTR for private addresses. Same applies to the authority requests of types SOA and NS. The set of private addresses is defined by the `--private-rdns-upstream`, and the set from [RFC 6303][rfc6303] is used by default.\n\nThe additional requirement to the domains specified for upstreams is to be `in-addr.arpa`, `ip6.arpa`, or its subdomain. Addresses encoded in the domains should also be private.\n\nSends queries for `*.168.192.in-addr.arpa` to `192.168.1.2`, if requested by client from `192.168.0.0/16` subnet. Other queries answered with `NXDOMAIN`:\n\n```shell\n./dnsproxy \\\n -l \"0.0.0.0\" \\\n -u \"8.8.8.8\" \\\n --use-private-rdns \\\n --private-subnets=\"192.168.0.0/16\" \\\n --private-rdns-upstream=\"192.168.1.2\" \\\n ;\n```\n\nSends queries for `*.in-addr.arpa` to `192.168.1.2`, `*.ip6.arpa` to `fe80::1`, if requested by client within the default [RFC 6303][rfc6303] subnet set. Other queries answered with `NXDOMAIN`:\n\n```shell\n./dnsproxy\\\n -l \"0.0.0.0\"\\\n -u 8.8.8.8\\\n --use-private-rdns\\\n --private-rdns-upstream=\"192.168.1.2\"\\\n --private-rdns-upstream=\"[/ip6.arpa/]fe80::1\"\n```\n\n[rfc6303]: https://datatracker.ietf.org/doc/html/rfc6303\n[server-description]: http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html\n\n### EDNS Client Subnet\n\nTo enable support for EDNS Client Subnet extension you should run dnsproxy with `--edns` flag:\n\n```shell\n./dnsproxy -u 8.8.8.8:53 --edns\n```\n\nNow if you connect to the proxy from the Internet - it will pass through your original IP address's prefix to the upstream server. This way the upstream server may respond with IP addresses of the servers that are located near you to minimize latency.\n\nIf you want to use EDNS CS feature when you're connecting to the proxy from a local network, you need to set `--edns-addr=PUBLIC_IP` argument:\n\n```shell\n./dnsproxy -u 8.8.8.8:53 --edns --edns-addr=72.72.72.72\n```\n\nNow even if your IP address is 192.168.0.1 and it's not a public IP, the proxy will pass through 72.72.72.72 to the upstream server.\n\n### Bogus NXDomain\n\nThis option is similar to dnsmasq `bogus-nxdomain`. `dnsproxy` will transform\nresponses that contain at least a single IP address which is also specified by\nthe option into `NXDOMAIN`. Can be specified multiple times.\n\nIn the example below, we use AdGuard DNS server that returns `0.0.0.0` for\nblocked domains, and transform them to `NXDOMAIN`.\n\n```shell\n./dnsproxy -u 94.140.14.14:53 --bogus-nxdomain=0.0.0.0\n```\n\nCIDR ranges are supported as well. The following will respond with `NXDOMAIN`\ninstead of responses containing any IP from `192.168.0.0`-`192.168.255.255`:\n\n```shell\n./dnsproxy -u 192.168.0.15:53 --bogus-nxdomain=192.168.0.0/16\n```\n\n### Basic Auth for DoH\n\nBy setting the `--https-userinfo` option you can use `dnsproxy` as a DoH proxy\nwith basic authentication requirements.\n\nFor example:\n\n```shell\n./dnsproxy \\\n --https-port='443' \\\n --https-userinfo='user:p4ssw0rd' \\\n --tls-crt='…/my.crt' \\\n --tls-key='…/my.key' \\\n -u '94.140.14.14:53' \\\n ;\n```\n\nThis configuration will only allow DoH queries that contain an `Authorization` header containing the BasicAuth credentials for user `user` with password `p4ssw0rd`.\n\nAdd `-p 0` if you also want to disable plain-DNS handling and make `dnsproxy` only serve DoH with Basic Auth checking.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadguardteam%2Fdnsproxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fadguardteam%2Fdnsproxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadguardteam%2Fdnsproxy/lists"}