This repo is a forked version of `encrypted-dns-server`. From the original version, it has been modified to employ a PoC implementation of μODNS, a multiple-relay-based anonymization protocol for DNS queries.

μODNS has been designed to protect user privacy in DNS even if one or more relays collude with one or more resolvers, a threat that existing DNS anonymization protocols cannot address. For detailed information on μODNS, please refer to our concept paper below:

Jun Kurihara and Takeshi Kubo, "Mutualized oblivious DNS (μODNS): Hiding a tree in the wild forest," Apr. 2021. https://arxiv.org/abs/2104.13785

The client proxy translating Do53 (traditional DNS) to PoC μODNS is available at https://github.com/junkurihara/dnscrypt-proxy-modns. Publicly available relays for PoC μODNS are listed at https://github.com/junkurihara/experimental-resolvers; these relays have been deployed with the code in this repo.
NOTE: At this time this solution should be considered suitable for research and experimentation.
The PoC implementation of μODNS has been implemented by extending the Anonymized DNSCrypt protocol of DNSCrypt v2. The original `encrypted-dns-server` provides two functions: translating DNSCrypt v2 messages to Do53 messages for upstream resolvers, and relaying Anonymized DNSCrypt query messages to upstream `encrypted-dns-server` instances. In addition to these functions, `encrypted-dns-server-modns` provides a function to relay PoC μODNS query messages to relays or upstream resolvers. Thus, in the configuration file, our `encrypted-dns-server-modns` only adds the following option in the `[anonymized_dns]` section of `encrypted-dns.toml` for PoC μODNS:
```toml
#####################################################
### For privacy enhanced anonymized DNS (mu-ODNS) ###
#####################################################
# Maximum allowed relays after this server (default = 2).
# If it is n, then n subsequent hops except for the final destination (DNS server) are allowed.
# If it is 0, the next node after this server must be the target DNSCrypt v2 resolver.
max_subsequent_relays = 2
```
Please refer to the example file `example-encrypted-dns.toml`.

The option `max_subsequent_relays` exists simply to avoid the overload that an incredibly large number of relays would cause. Our implementation also has loop avoidance for relaying.
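To make the semantics of `max_subsequent_relays` and of loop avoidance concrete, here is an added illustrative Rust model; it is not code from this repo or from `encrypted-dns-server`. A relay validates the remaining route of a query before forwarding it: at most `max_subsequent_relays` relays may follow this server, the final hop must be the target resolver, and no relay (this server included) may appear twice. The names `Hop`, `RouteError`, `validate_route` and `addr`, and the representation of the route as a plain list of hops, are assumptions of this example; the PoC's real message format is not shown here.

```rust
use std::collections::HashSet;
use std::net::SocketAddr;

/// One hop that a relayed query still has to traverse after this server.
/// Constructed model of the route semantics, not the PoC wire format.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum Hop {
    Relay(SocketAddr),
    Resolver(SocketAddr),
}

#[derive(Debug, PartialEq, Eq)]
pub enum RouteError {
    /// No hops at all: there is nowhere to forward the query.
    EmptyRoute,
    /// The final destination must be the target DNSCrypt v2 resolver,
    /// and a resolver may appear only in that final position.
    ResolverNotLast,
    /// More subsequent relays than `max_subsequent_relays` permits.
    TooManyRelays { allowed: usize, requested: usize },
    /// A relay (this server included) appears more than once in the route.
    Loop(SocketAddr),
}

/// Check the remaining route of a query against the configured
/// `max_subsequent_relays` and reject routes that would loop.
///
/// With `max_subsequent_relays = n`, up to `n` relays may follow this server
/// before the final resolver; with `n = 0` the next hop must be the resolver.
pub fn validate_route(
    route: &[Hop],
    max_subsequent_relays: usize,
    self_addr: SocketAddr,
) -> Result<(), RouteError> {
    let (last, relays) = route.split_last().ok_or(RouteError::EmptyRoute)?;

    // The final destination must be a resolver, and no resolver may sit mid-route.
    if !matches!(last, Hop::Resolver(_)) || relays.iter().any(|h| matches!(h, Hop::Resolver(_))) {
        return Err(RouteError::ResolverNotLast);
    }

    // Hop budget: everything before the resolver counts as a subsequent relay.
    if relays.len() > max_subsequent_relays {
        return Err(RouteError::TooManyRelays {
            allowed: max_subsequent_relays,
            requested: relays.len(),
        });
    }

    // Loop avoidance: this server and every subsequent relay must be distinct.
    let mut seen = HashSet::new();
    seen.insert(self_addr);
    for hop in relays {
        if let Hop::Relay(a) = hop {
            if !seen.insert(*a) {
                return Err(RouteError::Loop(*a));
            }
        }
    }
    Ok(())
}

/// Helper for building socket addresses from literals (constructed values).
pub fn addr(s: &str) -> SocketAddr {
    s.parse().expect("valid socket address")
}

fn main() {
    let me = addr("10.0.0.1:443");
    let route = [
        Hop::Relay(addr("10.0.0.2:443")),
        Hop::Relay(addr("10.0.0.3:443")),
        Hop::Resolver(addr("10.0.0.9:443")),
    ];
    println!("{:?}", validate_route(&route, 2, me)); // Ok(())
    println!("{:?}", validate_route(&route, 1, me)); // Err(TooManyRelays { allowed: 1, requested: 2 })
}
```

The check is done before forwarding, so a relay that receives an over-long or looping route drops the query instead of passing the problem downstream; the hop budget bounds the work any one query can cause, and the duplicate check stops a route from revisiting a relay regardless of the budget.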
If you want to see debug messages, please run with the environment variable `RUST_LOG=debug` as:

```sh
$ cargo build
$ RUST_LOG=debug target/debug/encrypted-dns-modns --config=encrypted-dns.toml
```
We are also planning to publish a Docker image and Dockerfile of `encrypted-dns-server-modns`.
We only modified the following parts from the original repo of `encrypted-dns-server`:

- modified several `.rs` files in `src/`
- modified the example configuration file `example-encrypted-dns.toml`
NOTE: This repo continuously tracks and reflects changes in the original repo of `encrypted-dns-server`. At this point, GitHub Actions (under `.github/`) do not work in this forked repo since their settings have not been modified for the forked version yet. (We are planning to do that.)
Below is the original README.md.
An easy to install, high-performance, zero maintenance proxy to run an encrypted DNS server.
The proxy supports the following protocols:
- DNSCrypt v2
- Anonymized DNSCrypt
- DNS-over-HTTP (DoH) forwarding
All of these can be served simultaneously, on the same port (usually port 443). The proxy automatically detects what protocol is being used by each client.
Debian packages, archives for Linux and Windows can be downloaded here.
Nothing else has to be installed. The server doesn't require any external dependencies.
In the Debian package, the example configuration file can be found in `/usr/share/doc/encrypted-dns/`.
The proxy requires rust >= 1.0.39 or rust-nightly.
Rust can be installed with:

```sh
curl -sSf https://sh.rustup.rs | bash -s -- -y --default-toolchain nightly
source $HOME/.cargo/env
```

Once Rust is installed, the proxy can be compiled and installed as follows:

```sh
cargo install encrypted-dns
strip ~/.cargo/bin/encrypted-dns
```

The executable file will be copied to `~/.cargo/bin/encrypted-dns` by default.
`dnscrypt-server-docker` is the most popular way to deploy an encrypted DNS server. This Docker image includes a caching DNS resolver, the encrypted DNS proxy, and scripts to automatically configure everything.
The proxy requires a recursive DNS resolver, such as Knot, PowerDNS or Unbound.
That resolver can run locally and only respond to `127.0.0.1`. External resolvers such as Quad9 or Cloudflare DNS can also be used, but this may be less reliable due to rate limits.
In order to support DoH in addition to DNSCrypt, a DoH proxy must be running as well. rust-doh is the recommended DoH proxy server. DoH support is optional, as it is currently far more complicated to set up than DNSCrypt due to certificate management.
Make a copy of the `example-encrypted-dns.toml` configuration file named `encrypted-dns.toml`.

Then, review the `encrypted-dns.toml` file. This is where all the parameters can be configured, including the IP addresses to listen to.

You should probably at least change the `listen_addrs` and `provider_name` settings.
Start the proxy. It will automatically create a new provider key pair if there isn't any.
The DNS stamps are printed. They can be used directly with `dnscrypt-proxy`.
There is nothing else to do. Certificates are automatically generated and rotated.
If you are currently running an encrypted DNS server using `dnscrypt-wrapper`, moving to the new proxy is simple:

- Double check that the provider name in `encrypted-dns.toml` matches the one you previously configured. If you forgot it, it can be recovered from its DNS stamp.
- Run `encrypted-dns --import-from-dnscrypt-wrapper secret.key`, with `secret.key` being the file with the `dnscrypt-wrapper` provider secret key.
Done. Your server is now running the new proxy.
The proxy includes a key cache, as well as a DNS cache to significantly reduce the load on upstream servers.
In addition, if a server is slow or unresponsive, expired cached queries will be returned, ensuring that popular domain names always keep being served.
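As an added illustration of the serve-stale behaviour just described (a constructed example, not the proxy's own cache code), the following Rust model returns a fresh cache entry when one exists, otherwise asks upstream, and falls back to an expired entry only when upstream fails. `ResponseCache`, `Source` and the `upstream` closure are assumptions of this example, and the answer bytes are constructed placeholders rather than real DNS messages.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// A cached answer with its expiry instant. Constructed model for
/// illustration; the proxy's real cache is not this code.
#[derive(Debug, Clone)]
pub struct CachedAnswer {
    pub answer: Vec<u8>,
    pub expires_at: Instant,
}

#[derive(Default)]
pub struct ResponseCache {
    entries: HashMap<String, CachedAnswer>,
}

/// Where a returned answer came from.
#[derive(Debug, PartialEq, Eq)]
pub enum Source {
    FreshCache,
    Upstream,
    StaleCache,
}

impl ResponseCache {
    pub fn new() -> Self {
        Self::default()
    }

    /// Store an answer under `qname`, expiring `ttl` after `now`.
    pub fn insert(&mut self, qname: &str, answer: Vec<u8>, ttl: Duration, now: Instant) {
        self.entries.insert(qname.to_string(), CachedAnswer { answer, expires_at: now + ttl });
    }

    /// Unexpired entry only.
    pub fn get_fresh(&self, qname: &str, now: Instant) -> Option<Vec<u8>> {
        self.entries
            .get(qname)
            .filter(|e| e.expires_at > now)
            .map(|e| e.answer.clone())
    }

    /// Any entry, expired or not; used only as a last-resort fallback.
    pub fn get_stale(&self, qname: &str) -> Option<Vec<u8>> {
        self.entries.get(qname).map(|e| e.answer.clone())
    }

    /// Resolve `qname`: fresh cache first, then upstream, then an expired
    /// entry if upstream failed. `upstream` returns the answer and its TTL,
    /// or `None` when the upstream server is slow or unresponsive.
    pub fn resolve<F>(&mut self, qname: &str, now: Instant, upstream: F) -> Option<(Source, Vec<u8>)>
    where
        F: FnOnce(&str) -> Option<(Vec<u8>, Duration)>,
    {
        if let Some(answer) = self.get_fresh(qname, now) {
            return Some((Source::FreshCache, answer));
        }
        match upstream(qname) {
            Some((answer, ttl)) => {
                // Refresh the cache so the entry can be served stale later if needed.
                self.insert(qname, answer.clone(), ttl, now);
                Some((Source::Upstream, answer))
            }
            None => self.get_stale(qname).map(|answer| (Source::StaleCache, answer)),
        }
    }
}

fn main() {
    let t0 = Instant::now();
    let mut cache = ResponseCache::new();
    let ttl = Duration::from_secs(60);
    // Constructed placeholder answer; a real entry would hold a DNS message.
    let first = cache.resolve("example.com", t0, |_| Some((b"constructed-answer".to_vec(), ttl)));
    println!("{:?}", first.map(|(s, _)| s)); // Some(Upstream)
    // Two minutes later the entry has expired and upstream is unresponsive.
    let later = cache.resolve("example.com", t0 + Duration::from_secs(120), |_| None);
    println!("{:?}", later.map(|(s, _)| s)); // Some(StaleCache)
}
```

Expired entries are never preferred over a live upstream answer; they are only returned once upstream has failed, which is what keeps popular names resolvable during an outage without serving stale data in normal operation.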
The proxy creates and updates a file named `encrypted-dns.state` by default. That file contains the provider secret key, as well as certificates and encryption keys.
Do not delete the file, unless you want to change parameters (such as the provider name), and keep it secret, or the keys will be lost.
Putting it in a directory that is only readable by the super-user is not a bad idea.
Domains can be filtered directly by the proxy, see the `[filtering]` section of the configuration file.

Access control can be enabled in the `[access_control]` section and configured with the `query_meta` configuration value of `dnscrypt-proxy`.
Prometheus metrics can optionally be enabled in order to monitor performance, cache efficiency, and more.
Enabling Anonymized DNSCrypt allows the server to be used as an encrypted DNS relay.