{"id":39579449,"url":"https://github.com/shemul/dns-over-tls","last_synced_at":"2026-01-18T07:28:53.645Z","repository":{"id":65950342,"uuid":"299530543","full_name":"shemul/dns-over-tls","owner":"shemul","description":"A DNS over TLS proxy that accepts simple (conventional) DNS requests and proxy it to a DNS servers running with DNS over TLS (DoT)","archived":false,"fork":false,"pushed_at":"2020-09-30T04:10:07.000Z","size":7,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-06-20T06:23:24.251Z","etag":null,"topics":["dns","dns-over-tls","docker","golang","security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/shemul.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-09-29T06:55:32.000Z","updated_at":"2024-06-20T06:23:24.252Z","dependencies_parsed_at":"2023-02-18T01:00:59.844Z","dependency_job_id":null,"html_url":"https://github.com/shemul/dns-over-tls","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/shemul/dns-over-tls","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shemul%2Fdns-over-tls","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shemul%2Fdns-over-tls/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shemul%2Fdns-over-tls/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shemul%2Fdns-over-tls/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/shemul","download_url":"https:/
/codeload.github.com/shemul/dns-over-tls/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shemul%2Fdns-over-tls/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28533164,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-18T00:39:45.795Z","status":"online","status_checked_at":"2026-01-18T02:00:07.578Z","response_time":98,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dns","dns-over-tls","docker","golang","security"],"created_at":"2026-01-18T07:28:53.574Z","updated_at":"2026-01-18T07:28:53.635Z","avatar_url":"https://github.com/shemul.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n## Background  \n  \nOur applications don't handle DNS-over-TLS by default. There are some hacks to enable it, but for now let's assume we don't want to hack our clients first. So our task is to design and create a simple DNS to DNS-over-TLS proxy that we can use to let our applications query a DNS-over-TLS server, so that our DNS queries are secure.  \n  \n![alt text](https://i.imgur.com/rm6cQwv.jpg \"Without DoT\")  \n  \n  \n  \n## DNS over TLS Proxy (DoT)   \nSo, a DNS over TLS proxy that accepts simple (conventional) DNS requests and proxies them to a DNS server running DNS over TLS (DoT) (e.g. Cloudflare). This sidecar DNS proxy will forward our DNS queries to a DoT server.\n\n![alt text](https://i.imgur.com/gjoygas.jpg \"Title\")\n\n## Getting started\n\nThis program is written in Go and depends on the [miekg/dns](https://github.com/miekg/dns) library. The miekg/dns library is used by great projects such as CoreDNS.\n\nA Docker image is also available on [DockerHub](https://hub.docker.com/repository/docker/shemul/dns-over-tls)\n\n**UDP**\n\n    docker run -it -p 53:53/udp shemul/dns-over-tls:latest /bin/app udp\n\nTo test: `dig +short google.com @localhost`\n\n**TCP**\n\n    docker run -it -p 53:53 shemul/dns-over-tls:latest /bin/app tcp\n\nTo test: `dig +short +tcp google.com @localhost`\n\n## Implementation:\nFor simplicity I assumed there will be some configuration for this app that can come from Env or any config source. Here is my simple config for now.\n\n    conf := config.Config{\n      // Cloudflare's DNS as the upstream resolver\n      UpStreamResolverIp:   \"1.1.1.1\",\n      UpStreamResolverPort: \"853\",\n      TCPPort:              \":53\",\n      UPDPort:              \":53\",\n      UpstreamTimeout:      time.Millisecond * 3000,\n    }\n\nand\n\n    ans, rtt, err := c.Exchange(msg, fmt.Sprintf(\"%v:%v\", conf.UpStreamResolverIp, conf.UpStreamResolverPort))\n\nThis `Exchange` method performs a synchronous query to the DoT server (when the DNS client's network type is `tcp-tls`) and returns the answer from DoT.\n\n## Security Concerns:\n\nThis proxy gives us an encrypted connection to upstream DoT servers, but all the traffic up to this service, including its responses to clients, is still not secure. For example, if you host this service on a public address and your DNS client points to it over the public internet, you can be a victim of a [man in the middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack).\n\nAnother concern is when this proxy is deployed on a DHCP server: the proxy then acts as the default DNS for that DHCP server's clients, so all of our DNS queries will reach the proxy unencrypted and insecure.\n\n## Distributed environment:\n\nRun this container as a DaemonSet (so that it runs on every node) with `hostNetwork: true` in Kubernetes. Then every node uses the localhost address as its own nameserver. Kubernetes uses a DNS service that resolves cluster-internal names, and the Pods of this DNS service will talk to the proxy DaemonSet directly.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshemul%2Fdns-over-tls","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fshemul%2Fdns-over-tls","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshemul%2Fdns-over-tls/lists"}