{"id":16908705,"url":"https://github.com/micolous/dns-over-https-proxy","last_synced_at":"2026-04-27T00:31:45.908Z","repository":{"id":139103118,"uuid":"113040480","full_name":"micolous/dns-over-https-proxy","owner":"micolous","description":"DNS proxy to route requests Google Public DNS HTTPS API","archived":false,"fork":false,"pushed_at":"2018-02-09T23:26:49.000Z","size":25,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-07-02T01:36:29.923Z","etag":null,"topics":["apache2-license","dns-server","google-dns","privacy","rust"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/micolous.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-12-04T12:37:00.000Z","updated_at":"2018-02-04T07:50:36.000Z","dependencies_parsed_at":null,"dependency_job_id":"256e8fa8-91ad-4c96-aada-1ed0749d6912","html_url":"https://github.com/micolous/dns-over-https-proxy","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/micolous/dns-over-https-proxy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/micolous%2Fdns-over-https-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/micolous%2Fdns-over-https-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/micolous%2Fdns-over-https-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositorie
s/micolous%2Fdns-over-https-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/micolous","download_url":"https://codeload.github.com/micolous/dns-over-https-proxy/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/micolous%2Fdns-over-https-proxy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32318417,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-26T23:26:28.701Z","status":"ssl_error","status_checked_at":"2026-04-26T23:26:25.802Z","response_time":129,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apache2-license","dns-server","google-dns","privacy","rust"],"created_at":"2024-10-13T18:52:34.782Z","updated_at":"2026-04-27T00:31:45.892Z","avatar_url":"https://github.com/micolous.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# dns-over-https-proxy\n\nThis is a simple DNS server that proxies requests to [Google Public DNS](https://developers.google.com/speed/public-dns/docs/dns-over-https).  This was an exercise to help me learn Rust.\n\nIt is not yet complete.  It currently supports a limited number of record types.  
It also doesn't handle parallel incoming requests properly.\n\nIt is intended for use on either a single machine, or behind a better (ideally caching) DNS server like [BIND](https://www.isc.org/downloads/bind/), in order to reduce clear-text DNS being transmitted over the internet.  This relies on the premise that you [trust Google with all of your DNS traffic](https://developers.google.com/speed/public-dns/privacy).\n\n\u003e **Note**: This is not an official Google product. Please don't bug them about this. :)\n\n## Building it\n\n[Install the current version of Rust](https://www.rustup.rs) and dependencies:\n\n```\nsudo apt install build-essential curl libssl-dev pkg-config\ncurl https://sh.rustup.rs -sSf | sh\n. ~/.cargo/env\n```\n\nThen:\n\n```\ncargo build --release\n```\n\nYou'll get a binary in `target/release/dns-over-https-proxy`.\n\n## Running it\n\nBy default, it listens on `127.0.0.1:35353` (UDP). This can be changed by specifying a different host/port as a command-line option, for example:\n\n```\ndns-over-https-proxy 0.0.0.0:53\n```\n\nIPv6 is also supported:\n\n```\ndns-over-https-proxy '[::1]:35353'\n```\n\nDebug mode (environment variable): `RUST_LOG=dns_over_https_proxy=debug`.  Note that this debug mode will dump all received DNS queries and responses to stderr.\n\n## Running with systemd\n\nThere is a unit file included with this repository, in `dns-over-https-proxy.service`.  
Once the binary is built, you can set things up (as root):\n\n```\ninstall -o0 -g0 target/release/dns-over-https-proxy /usr/local/sbin/\ninstall -m644 -o0 -g0 dns-over-https-proxy.service /etc/systemd/system/\nsystemctl daemon-reload\nsystemctl enable dns-over-https-proxy.service\nsystemctl start dns-over-https-proxy.service\n```\n\nThere also exists an alternative target which can be used to start up multiple instances of the program on different ports, in order to allow a DNS server to load balance between processes (`dns-over-https-proxy@.service`):\n\n```\ninstall -o0 -g0 target/release/dns-over-https-proxy /usr/local/sbin/\ninstall -m644 -o0 -g0 dns-over-https-proxy@.service /etc/systemd/system/\nsystemctl daemon-reload\n\n# Start instances on 127.0.0.1 port 1230, 1231, 1232 \u0026 1233\nfor p in 1230 1231 1232 1233; do\n\tsystemctl enable dns-over-https-proxy@127.0.0.1\\:$p\n\tsystemctl start dns-over-https-proxy@127.0.0.1\\:$p\ndone\n```\n\n## Running in Docker\n\nMany distributions don't ship with new enough versions of Rust, and it is very fast-moving.  For convenience, a Docker container is offered.\n\n```\ndocker build -t dns-over-https-proxy .\ndocker run -d -p 127.0.0.1:35353:35353/udp --rm --name dns-over-https-proxy dns-over-https-proxy\n```\n\nThis will build and start a Docker container, with DNS available on `localhost:35353`.\n\n## Using the DNS server with dig\n\n```\ndig -p 35353 developers.google.com @127.0.0.1\n```\n\n## Using with BIND\n\nThe primary goal of this project is to act as a forwarder for BIND. 
However, there is a Catch-22 on the DNS server:\n\n* This program connects to `dns.google.com`, and needs to know the IP address of it.\n\n* The system resolver contacts BIND to look up the name.\n\n* BIND needs an upstream resolver in order to resolve `dns.google.com`, and contacts this program.\n\n* ...and repeat.\n\n### Breaking the loop with BIND\n\nBIND has configuration options that allow us to break the loop, at the expense of leaking DNS queries for `dns.google.com`. While an attacker (or your ISP) could intercept your requests to 8.8.8.8, `reqwest` (when used with a functional OpenSSL implementation, and reliable certificate chain) will fail in the event that your traffic has been redirected.\n\nThis configuration uses Google Public DNS via the DNS protocol (unencrypted), and then forwards everything else to this program.\n\n```\n// In local view / global zone config\n\nzone \"dns.google.com.\" {\n\ttype forward;\n\tforwarders {\n\t\t8.8.8.8;\n\t\t8.8.4.4;\n\t\t2001:4860:4860::8888;\n\t\t2001:4860:4860::8844;\n\t};\n};\n\n// In named.conf.options\noptions {\n\tforwarders {\n\t\t127.0.0.1 port 35353;\n\n\t\t// Additional forwarders can be added here.\n\t};\n\n\t// The default behaviour will leak DNS queries to upstream servers in the\n\t// event of errors. 
This will return SERVFAIL on the proxy being unavailable.\n\tforward only;\n};\n```\n\n### Breaking the loop with the system resolver\n\nThe system resolver can also break this loop in two different ways:\n\n* Use a DNS server other than `localhost`.\n\n* Hard code IP addresses for `dns.google.com` in `/etc/hosts`, e.g.:\n\n```\n216.239.32.27 dns.google.com\n```\n\n## Supported record types\n\nPer [RFC 1035](https://www.ietf.org/rfc/rfc1035.txt) unless otherwise stated:\n\n* A\n* AAAA (RFC 3596)\n* CNAME\n* MX\n* NS\n* PTR\n* SOA\n* SRV (RFC 2782)\n* TXT\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmicolous%2Fdns-over-https-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmicolous%2Fdns-over-https-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmicolous%2Fdns-over-https-proxy/lists"}