{"id":13439734,"url":"https://github.com/cofyc/dnscrypt-wrapper","last_synced_at":"2025-04-04T22:09:10.299Z","repository":{"id":5567420,"uuid":"6772864","full_name":"cofyc/dnscrypt-wrapper","owner":"cofyc","description":"This is dnscrypt wrapper (server-side dnscrypt proxy), which helps to add dnscrypt support to any name resolver.","archived":false,"fork":false,"pushed_at":"2022-01-22T22:30:07.000Z","size":2220,"stargazers_count":531,"open_issues_count":12,"forks_count":74,"subscribers_count":44,"default_branch":"master","last_synced_at":"2024-10-29T20:55:25.573Z","etag":null,"topics":["c","dns","dnscrypt","dnscrypt-proxy","dnscrypt-wrapper"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cofyc.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2012-11-20T05:55:08.000Z","updated_at":"2024-10-16T16:12:46.000Z","dependencies_parsed_at":"2022-07-07T03:02:50.799Z","dependency_job_id":null,"html_url":"https://github.com/cofyc/dnscrypt-wrapper","commit_stats":null,"previous_names":[],"tags_count":25,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cofyc%2Fdnscrypt-wrapper","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cofyc%2Fdnscrypt-wrapper/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cofyc%2Fdnscrypt-wrapper/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cofyc%2Fdnscrypt-wrapper/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cofyc","download_url":"https://codeload.
github.com/cofyc/dnscrypt-wrapper/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247256115,"owners_count":20909240,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["c","dns","dnscrypt","dnscrypt-proxy","dnscrypt-wrapper"],"created_at":"2024-07-31T03:01:16.636Z","updated_at":"2025-04-04T22:09:10.279Z","avatar_url":"https://github.com/cofyc.png","language":"C","readme":"# Name\n\ndnscrypt-wrapper - A server-side dnscrypt proxy.\n\n[![Build Status](https://travis-ci.org/cofyc/dnscrypt-wrapper.png?branch=master)](https://travis-ci.org/cofyc/dnscrypt-wrapper)\n\n## Table of Contents\n\n* [Description](#description)\n* [Installation](#installation)\n* [Usage](#usage)\n  * [Quick start](#quick-start)\n  * [Running unauthenticated DNS and the dnscrypt service on the same port](#running-unauthenticated-dns-and-the-dnscrypt-service-on-the-same-port)\n  * [Key rotation](#key-rotation)\n* [Blocking](#blocking)\n* [Chinese](#chinese)\n* [See also](#see-also)\n\n## Description\n\nThis is dnscrypt-wrapper, a server-side DNSCrypt proxy: it adds DNSCrypt\nsupport in front of any existing name resolver.\n\nThis software is derived from\n[dnscrypt-proxy](https://github.com/jedisct1/dnscrypt-proxy).\n\n## Installation\n\nInstall [libsodium](https://github.com/jedisct1/libsodium) and [libevent](http://libevent.org/) 2.1.1+ first.\n\nOn Linux:\n\n    $ ldconfig # if you installed libsodium from source\n    $ git clone https://github.com/cofyc/dnscrypt-wrapper.git\n    $ cd dnscrypt-wrapper\n    $ make configure\n    $ ./configure\n    $ make install\n\nOn 
FreeBSD:\n\n    $ pkg install dnscrypt-wrapper\n\nOn OpenBSD:\n\n    $ pkg_add -r gmake autoconf\n    $ pkg_add -r libevent\n    $ git clone https://github.com/cofyc/dnscrypt-wrapper.git\n    $ cd dnscrypt-wrapper\n    $ gmake LDFLAGS='-L/usr/local/lib/' CFLAGS=-I/usr/local/include/\n\nOn macOS:\n\n    $ brew install dnscrypt-wrapper\n\nIn Docker:\n\n    See https://github.com/jedisct1/dnscrypt-server-docker.\n\n## Usage\n\n### Quick Start\n\n1) Generate the provider key pair:\n\n```sh\n$ dnscrypt-wrapper --gen-provider-keypair \\\n  --provider-name=2.dnscrypt-cert.\u003cyourdomain\u003e --ext-address=\u003cexternal server ip\u003e\n```\n\nIf your server does not keep logs, add `--nolog`; if it supports DNSSEC,\nadd `--dnssec`.\n\nThis will create two files in the current directory: `public.key` and\n`secret.key`.\n\nThis is a long-term key pair that is never supposed to change unless the\nsecret key is compromised: clients pin the provider public key, so a new\nprovider key means every client has to be reconfigured. Make sure that\n`secret.key` is securely stored and backed up. It is only needed to sign\ncertificates (step 2) and does not have to be present on the serving host.\n\nIt will also print the stamp for dnscrypt-proxy version 2.x.\n\nIf you forgot to save your provider public key:\n\n```sh\n$ dnscrypt-wrapper --show-provider-publickey --provider-publickey-file \u003cyour-publickey-file\u003e\n```\n\nThis will print it out.\n\n2) Generate a time-limited secret key, which will be used to encrypt\nand authenticate DNS queries. 
Also generate a certificate for it:\n\n```sh\n$ dnscrypt-wrapper --gen-crypt-keypair --crypt-secretkey-file=1.key\n$ dnscrypt-wrapper --gen-cert-file --crypt-secretkey-file=1.key --provider-cert-file=1.cert \\\n                   --provider-publickey-file=public.key --provider-secretkey-file=secret.key\n```\n\nIn this example, the time-limited secret key will be saved as `1.key`\nand its related certificate as `1.cert` in the current directory.\n\nTime-limited secret keys and certificates can be updated at any time\nwithout requiring clients to update their configuration.\n\nNOTE: By default, the certificate (and thus the time-limited key) expires\nafter 1 day (24 hours) for safety. You can change this by adding\n`--cert-file-expire-days=\u003cyour-expected-expiration-days\u003e`, but it is\nbetter to keep keys short-lived and replace them with the\n[key rotation](#key-rotation) procedure below.\n\n3) Run the program with a given key, a provider name and the most recent certificate:\n\n```sh\n$ dnscrypt-wrapper --resolver-address=8.8.8.8:53 --listen-address=0.0.0.0:443 \\\n                   --provider-name=2.dnscrypt-cert.\u003cyourdomain\u003e \\\n                   --crypt-secretkey-file=1.key --provider-cert-file=1.cert\n```\n\nThe provider name can be anything; it does not have to be within an existing\ndomain name. However, it has to start with `2.dnscrypt-cert.`, e.g.\n`2.dnscrypt-cert.example.com`.\n\nWhen the service is started with the `--provider-cert-file` switch, the\nproxy will automatically serve the certificate as a TXT record when a\nquery for the provider name is received.\n\nAs an alternative, the TXT record can be served by a name server for\nan actual DNS zone you are authoritative for. 
In that scenario, the\n`--provider-cert-file` option is not required, and instructions for\nUnbound and TinyDNS are displayed by the program when generating a\nprovider certificate.\n\nYou can get the instructions again later by running:\n\n```sh\n$ dnscrypt-wrapper --show-provider-publickey-dns-records \\\n                   --provider-cert-file \u003cpath/to/your/provider_cert_file\u003e\n```\n\n4) Run dnscrypt-proxy to check that it works:\n\n```sh\n$ dnscrypt-proxy --local-address=127.0.0.1:55 --resolver-address=127.0.0.1:443 \\\n                 --provider-name=2.dnscrypt-cert.\u003cyourdomain\u003e \\\n                 --provider-key=\u003cprovider_public_key\u003e\n$ dig -p 55 google.com @127.0.0.1\n```\n\n`\u003cprovider_public_key\u003e` is the provider public key generated by `dnscrypt-wrapper --gen-provider-keypair`, which looks like `4298:5F65:C295:DFAE:2BFB:20AD:5C47:F565:78EB:2404:EF83:198C:85DB:68F1:3E33:E952`. The flags above are those of dnscrypt-proxy 1.x; dnscrypt-proxy 2.x is configured through its configuration file, using the stamp printed in step 1.\n\nOptionally, add the `-d/--daemonize` flag to run as a daemon.\n\nRun `dnscrypt-wrapper -h` to view command line options.\n\n### Running unauthenticated DNS and the dnscrypt service on the same port\n\nBy default, and with the exception of the records used for the\ncertificates, only queries using the DNSCrypt protocol will be\naccepted.\n\nIf you want to run a service only accessible using DNSCrypt, this is\nwhat you want.\n\nIf you want to run a service accessible both with and without\nDNSCrypt, what you usually want is to keep the standard DNS port for\nthe unauthenticated DNS service (53), and use a different port for\nDNSCrypt. You do not have to change anything for this either.\n\nHowever, if you want to run both on the same port, maybe because only\nport 53 is reachable on your server, you can add the `-U`\n(`--unauthenticated`) switch to the command-line. 
This is not\nrecommended: the same port then also answers plaintext queries that\nare neither encrypted nor authenticated.\n\n### Key rotation\n\nTime-limited keys are bound to expire.\n\n`dnscrypt-proxy` can check whether the current key for a given server is\ngoing to expire soon:\n\n```sh\n$ dnscrypt-proxy --resolver-address=127.0.0.1:443 \\\n                 --provider-name=2.dnscrypt-cert.\u003cyourdomain\u003e \\\n                 --provider-key=\u003cprovider_public_key\u003e \\\n                 --test=10080\n```\n\nThe `--test` option takes a \"grace margin\", always specified in minutes\n(10080 minutes is 7 days).\n\nThe command exits immediately after verifying the certificate validity.\n\nThe exit code is `0` if a valid certificate can be used, `2` if no valid\ncertificate can be used, `3` if a timeout occurred, and `4` if a currently\nvalid certificate is going to expire before the margin. With the 1-day\ncertificates from the quick start, a 7-day margin will always yield exit\ncode `4` while a valid certificate exists; choose a margin shorter than the\ncertificate lifetime.\n\nThis can be used in a cron tab to trigger an alert before a key is\ngoing to expire.\n\nIn order to switch to a fresh key:\n\nFirst, create a new time-limited key (do not change the provider key!) and\nits certificate:\n\n```sh\n$ dnscrypt-wrapper --gen-crypt-keypair --crypt-secretkey-file=2.key\n$ dnscrypt-wrapper --gen-cert-file --crypt-secretkey-file=2.key --provider-cert-file=2.cert \\\n                   --provider-publickey-file=public.key --provider-secretkey-file=secret.key \\\n                   --cert-file-expire-days=1\n```\n\nSecond, serve the new certificate to clients but still accept the old\nkey until all clients have loaded the new certificate:\n\n```sh\n$ dnscrypt-wrapper --resolver-address=8.8.8.8:53 --listen-address=0.0.0.0:443 \\\n                   --provider-name=2.dnscrypt-cert.\u003cyourdomain\u003e \\\n                   --crypt-secretkey-file=1.key,2.key --provider-cert-file=1.cert,2.cert\n```\n\nNote that both `1.key` and `2.key` have to be specified, in order to\naccept both the previous and the current key.\n\nThird, clients automatically check for new certificates every hour. 
So,\nafter one hour, the old key can be dropped by leaving only the new one\nin the configuration:\n\n```sh\n$ dnscrypt-wrapper --resolver-address=8.8.8.8:53 --listen-address=0.0.0.0:443 \\\n                   --provider-name=2.dnscrypt-cert.\u003cyourdomain\u003e \\\n                   --crypt-secretkey-file=2.key --provider-cert-file=2.cert\n```\n\nPlease note that on Linux systems (kernel \u003e= 3.9, which added\n`SO_REUSEPORT`), multiple instances of `dnscrypt-wrapper` can listen on\nthe same port at the same time. Therefore, in order to switch to a new\nconfiguration, one can start a new daemon without killing the previous\ninstance, and only kill the previous instance after the new one has\nstarted.\n\nThis also allows upgrades with zero downtime.\n\n## Blocking\n\nFor servers willing to block specific domain names (ads, malware), the\n`--blacklist-file` parameter can be added. That blacklist file accepts\npatterns such as:\n\n- `example.com`: blocks `example.com` as well as `www.example.com`\n- `*.example.com`: identical, just more explicit\n- `*example*`: blocks the `example` substring no matter where it appears\n- `ads.*`: blocks the `ads.` prefix\n\nPrefix and suffix lookups are fast and can scale to very large lists.\n\n## Chinese\n\n- Building dnscrypt-wrapper on CentOS/Debian/Ubuntu: http://03k.org/centos-make-dnscrypt-wrapper.html\n- How to use dnscrypt-wrapper: http://03k.org/dnscrypt-wrapper-usage.html\n\nNote: these third-party documents may lag behind the latest version; README.md is authoritative.\n\n## See also\n\n- https://dnscrypt.info/\n- https://github.com/jedisct1/dnscrypt-proxy\n- https://github.com/cofyc/dnscrypt-wrapper\n","funding_links":[],"categories":["C","Reconnaissance\u0026\u0026Information gathering\u0026\u0026Subdomain discovery and enumeration\u0026\u0026OSINT","C (61)","c","Tools","Tools"],"sub_categories":["DNS","DNS"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcofyc%2Fdnscrypt-wrapper","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcofyc%2Fdnscrypt-wrapper","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcofyc%2Fdnscrypt-wrapper/lists"}
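The blocklist patterns described in the README's Blocking section, as an added worked example that is not part of the project's code: a small Python matcher that sorts each pattern kind (bare suffix, `*.suffix`, `*substring*`, `prefix.*`) into the lookup structure its shape calls for and answers which pattern, if any, blocks a queried name. The matching semantics (suffix patterns match only on label boundaries, names are compared case-insensitively and without a trailing dot, `#` lines are comments) are this example's assumptions about the documented behaviour and are not verified against the C implementation; the sample list is constructed here.

```python
"""Blocklist matcher modelled on the pattern kinds documented for
dnscrypt-wrapper's --blacklist-file. Added example, not the project's code.
Assumptions (not verified against the C implementation): suffix patterns
match on label boundaries only, comparisons are case-insensitive and ignore
a trailing dot, and '#' starts a comment."""

from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

# Constructed sample list; not taken from the project.
SAMPLE_BLOCKLIST = """\
# ad / tracker domains (constructed example)
example.com
*.example.org
*tracker*
ads.*
"""


def normalize(name: str) -> str:
    """Lower-case a query name and drop a trailing dot: 'WWW.Example.COM.' -> 'www.example.com'."""
    return name.strip().lower().rstrip(".")


@dataclass
class Blocklist:
    suffixes: Set[str] = field(default_factory=set)    # example.com and *.example.com
    prefixes: Set[str] = field(default_factory=set)    # ads.* -> "ads."
    substrings: Set[str] = field(default_factory=set)  # *example* -> "example"

    @classmethod
    def parse(cls, text: str) -> "Blocklist":
        """Sort each pattern line into the lookup set its shape calls for."""
        bl = cls()
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip().lower()   # assumption: '#' starts a comment
            if not line:
                continue
            if line.startswith("*") and line.endswith("*"):
                sub = line.strip("*")
                if sub:                                    # a bare '*' would block everything
                    bl.substrings.add(sub)
            elif line.startswith("*."):
                bl.suffixes.add(line[2:].rstrip("."))      # identical to the bare suffix form
            elif line.endswith(".*"):
                bl.prefixes.add(line[:-1])                 # keep the dot: "ads."
            else:
                bl.suffixes.add(line.rstrip("."))
        return bl

    def matches(self, name: str) -> Optional[str]:
        """Return the pattern that blocks `name`, or None if the name is allowed.

        Suffix lookup walks the label boundaries, so 'example.com' blocks
        'www.example.com' but not 'notexample.com'; each step is one set
        probe, which is what keeps suffix lookups cheap on large lists.
        """
        n = normalize(name)
        labels = n.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.suffixes:
                return candidate
        for prefix in self.prefixes:
            if n.startswith(prefix):
                return prefix + "*"
        for sub in self.substrings:
            if sub in n:
                return "*" + sub + "*"
        return None


def classify(names: Iterable[str], text: str = SAMPLE_BLOCKLIST) -> Dict[str, Optional[str]]:
    """Map each query name to the pattern that blocks it (None when allowed)."""
    bl = Blocklist.parse(text)
    return {name: bl.matches(name) for name in names}


if __name__ == "__main__":
    queries = ["www.example.com.", "notexample.com", "cdn.Example.ORG",
               "my-tracker.net", "ads.example.net", "badads.net"]
    for name, hit in classify(queries).items():
        print(f"{name:20} {'BLOCK ' + hit if hit else 'allow'}")
```

`matches` returns the pattern rather than a bare boolean so that a server can log which list entry caused a block; suffix patterns are checked first, so a name that also contains a blocked substring is reported under the more specific suffix entry.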