
sdns - Lightweight, fast recursive dns server with dnssec support

 5 years ago
source link: https://www.tuicool.com/articles/hit/r2QB3eu

SDNS

:dizzy: Lightweight, fast recursive dns server with dnssec support

Based on kenshinx/godns , looterz/grimd


Installation

go get github.com/semihalev/sdns

or

download

or run with Docker image

docker run -d --name sdns -p 53:53 -p 53:53/udp -p 853:853 -p 8053:8053 -p 8080:8080 sdns

  • Port 53 DNS server
  • Port 853 DNS-over-TLS server
  • Port 8053 DNS-over-HTTPS server
  • Port 8080 HTTP API

Building

$ go build

Testing

$ make test

Flags

Flag      Desc
config    Location of the config file; if it is not found it will be generated

Configs

Key              Desc
version          Config version
blocklists       List of remote blocklists
blocklistdir     List of locations to recursively read blocklists from (warning: every file found is assumed to be a hosts file or domain list)
loglevel         What kind of information should be logged; log verbosity level: crit, error, warn, info, debug
bind             Address to bind to for the DNS server. Default :53
bindtls          Address to bind to for the DNS-over-TLS server. Default :853
binddoh          Address to bind to for the DNS-over-HTTPS server. Default :8053
tlscertificate   TLS certificate file path
tlsprivatekey    TLS private key file path
outboundips      Outbound IP addresses; if you set multiple, sdns can use a random outbound IP address
rootservers      DNS root servers
root6servers     DNS root IPv6 servers
rootkeys         DNS root keys for DNSSEC
fallbackservers  Fallback server IP addresses
api              Address to bind to for the HTTP API server; disabled if left blank
nullroute        IPv4 address to forward blocked queries to
nullroutev6      IPv6 address to forward blocked queries to
accesslist       Which clients are allowed to make queries
timeout          Query timeout for DNS lookups, as a duration. Default: 5s
connecttimeout   Connect timeout for DNS lookups, as a duration. Default: 2s
expire           Default cache TTL in seconds. Default: 600
cachesize        Cache size (total records in cache). Default: 256000
maxdepth         Maximum recursion depth for nameservers. Default: 30
ratelimit        Query-based rate limit per second; 0 to disable. Default: 30
blocklist        Manual blocklist entries
whitelist        Manual whitelist entries

Server Configuration Checklist

  • Increase the file descriptor limit on your server
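
A small audit of the security-relevant keys from the Configs table above (accesslist, ratelimit, api, and the TLS settings behind bindtls/binddoh), written as an added Go example that is not part of sdns itself; the Config struct and its field names are assumptions that mirror the table keys, and accesslist entries are assumed to be CIDR strings.

```go
package main

import (
	"fmt"
	"net"
)

// Config mirrors the security-relevant keys from the sdns config table.
// Hypothetical struct for this example, not sdns' own config type.
type Config struct {
	Bind, BindTLS, BindDOH, API   string
	TLSCertificate, TLSPrivateKey string
	AccessList                    []string // assumed CIDR notation
	RateLimit                     int
}

// Audit returns one finding per weak setting; an empty slice means the
// configuration passed every check.
func Audit(c Config) []string {
	var findings []string
	if len(c.AccessList) == 0 {
		findings = append(findings, "accesslist is empty: no client is allowed to query")
	}
	for _, cidr := range c.AccessList {
		_, ipnet, err := net.ParseCIDR(cidr)
		if err != nil {
			findings = append(findings, "accesslist entry is not a CIDR: "+cidr)
			continue
		}
		// A zero-length prefix admits every address: an open resolver.
		if ones, _ := ipnet.Mask.Size(); ones == 0 {
			findings = append(findings, "accesslist entry "+cidr+" allows every client (open resolver)")
		}
	}
	if c.RateLimit == 0 {
		findings = append(findings, "ratelimit is 0: query rate limiting is disabled")
	}
	if (c.BindTLS != "" || c.BindDOH != "") && (c.TLSCertificate == "" || c.TLSPrivateKey == "") {
		findings = append(findings, "DoT/DoH is bound but tlscertificate or tlsprivatekey is not set")
	}
	// The HTTP API should only be reachable from loopback unless deliberately exposed.
	if c.API != "" {
		host, _, err := net.SplitHostPort(c.API)
		if err != nil || host == "" || !net.ParseIP(host).IsLoopback() {
			findings = append(findings, "api "+c.API+" is reachable beyond loopback")
		}
	}
	return findings
}

func main() {
	weak := Config{Bind: ":53", API: ":8080", AccessList: []string{"0.0.0.0/0"}}
	hardened := Config{Bind: ":53", API: "127.0.0.1:8080", AccessList: []string{"10.0.0.0/8"}, RateLimit: 30}
	for _, f := range Audit(weak) {
		fmt.Println("weak:", f)
	}
	fmt.Println("hardened findings:", len(Audit(hardened))) // prints "hardened findings: 0"
}
```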

Features

  • Linux/BSD/Darwin/Windows supported
  • DNS RFC compatibility
  • DNS lookups within listed servers
  • DNS caching
  • DNSSEC validation
  • DNS over TLS support
  • DNS over HTTPS support
  • RTT priority within listed servers
  • Basic IPv6 support (client<->server)
  • Query based ratelimit
  • Access list
  • Black-hole internet advertisements and malware servers
  • HTTP API support
  • Outbound IP selection

TODO

  • More tests
  • Find a better way to look up NS addresses
  • DNS over TLS support
  • DNS over HTTPS support
  • Full DNSSEC support
  • RTT optimization
  • Access list
  • Periodic priming queries as described in RFC 8109
  • Automated updates of DNSSEC trust anchors as described in RFC 5011
  • Full IPv6 support (server<->server communication)

Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

Please make sure to update tests as appropriate.

Made With

  • miekg/dns - Alternative (more granular) approach to a DNS library

License

MIT
