encrypted-dns-server
An easy to install, high-performance, zero maintenance proxy to run an encrypted DNS server.
Top Related Projects
dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols.
Network-wide ads & trackers blocking DNS server
A DNS forwarder
Unbound is a validating, recursive, and caching DNS resolver.
Quick Overview
DNSCrypt/encrypted-dns-server is an open-source proxy that turns a regular recursive resolver into an encrypted DNS server. It implements DNSCrypt v2 and Anonymized DNSCrypt itself and forwards DNS-over-HTTPS (DoH) connections to a separate DoH proxy such as rust-doh; it does not implement DNS-over-TLS. It aims to provide a secure and private DNS resolution service, protecting users from tampering and surveillance on the path between client and resolver.
Pros
- Serves DNSCrypt v2 and Anonymized DNSCrypt, and forwards DoH, all on a single port
- Highly configurable with extensive options for customization
- Lightweight and efficient, suitable for both personal and enterprise use
- Regular updates and active community support
Cons
- Requires some technical knowledge to set up and configure properly
- May introduce slight latency compared to traditional DNS servers
- Limited documentation for advanced features and troubleshooting
- Potential compatibility issues with some network configurations
Getting Started
To set up encrypted-dns-server, follow these steps:
- Download the latest release from the GitHub repository (or build it from source, see the README below).
- Copy the bundled example-encrypted-dns.toml to a file named encrypted-dns.toml in the same directory as the executable.
- Edit at least the settings below in that copy, leaving the example file's other defaults in place. The key names are those of example-encrypted-dns.toml; the addresses are placeholders:
listen_addrs = [
    # local: the socket to bind; external: the address clients connect to (advertised in the DNS stamp)
    { local = "0.0.0.0:443", external = "198.51.100.1:443" }
]
# the recursive resolver that answers the decrypted queries
upstream_addr = "127.0.0.1:53"

[dnscrypt]
provider_name = "2.dnscrypt-cert.example.com"
- Run the server:
./encrypted-dns --config encrypted-dns.toml
For more advanced configuration options, refer to the project's documentation on GitHub.
Competitor Comparisons
dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols.
Pros of dnscrypt-proxy
- Lightweight and versatile, suitable for various platforms and devices
- Supports several encrypted DNS protocols (DNSCrypt, Anonymized DNSCrypt, DNS-over-HTTPS), though not DNS-over-TLS
- Extensive filtering capabilities and customization options
Cons of dnscrypt-proxy
- It is a client-side forwarder: it cannot act as a DNSCrypt or DoH server for other clients, so a server such as encrypted-dns-server is still needed on the other end
- May have higher latency due to the additional encryption layer
- More complex setup for advanced features
Code Comparison
dnscrypt-proxy (Go), a simplified sketch of its query entry point (not verbatim repository code; the message type is github.com/miekg/dns):
func (proxy *Proxy) processIncomingQuery(clientPc *net.UDPConn, clientAddr *net.UDPAddr, packet []byte) {
	msg := new(dns.Msg)
	if err := msg.Unpack(packet); err != nil {
		return // malformed packet: drop it without a reply
	}
	// Run the plugin chain on the query and send the response to clientAddr
}
encrypted-dns-server (Rust), a similarly simplified sketch (not verbatim repository code; resolve is an illustrative helper):
fn process_client_query(&self, packet: &[u8]) -> Result<Vec<u8>, Error> {
    let query = Message::from_vec(packet)?; // parse the wire-format query
    let response = self.resolve(&query)?;   // decrypt, forward upstream, build the answer
    Ok(response.to_vec()?)
}
Both sketches parse a DNS query and hand it to the rest of the pipeline; the real difference is one of scope rather than syntax. dnscrypt-proxy is a client-side forwarder written in Go, while encrypted-dns-server is a server-side proxy written in Rust with a narrower job, which keeps its code paths short.
Network-wide ads & trackers blocking DNS server
Pros of AdGuardHome
- User-friendly web interface for easy configuration and management
- Comprehensive ad-blocking and content filtering capabilities
- Supports multiple upstream DNS providers and protocols
Cons of AdGuardHome
- Higher resource usage due to additional features
- May be overly complex for users seeking a simple encrypted DNS solution
- Potential for false positives in ad-blocking and content filtering
Code Comparison
AdGuardHome configuration (YAML):
dns:
bind_hosts:
- 0.0.0.0
upstream_dns:
- https://dns.cloudflare.com/dns-query
filters:
- enabled: true
url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
encrypted-dns-server configuration (TOML), using the key names of example-encrypted-dns.toml (addresses are placeholders):
listen_addrs = [
    { local = "[::]:443", external = "[2001:db8::1]:443" }
]
upstream_addr = "127.0.0.1:53"

[dnscrypt]
provider_name = "2.dnscrypt-cert.example.com"

[tls]
# the DoH proxy (rust-doh) that holds the TLS certificate; TLS connections are passed through to it
upstream_addr = "127.0.0.1:3000"
encrypted-dns-server focuses solely on providing encrypted DNS functionality, while AdGuardHome offers a more comprehensive suite of features including ad-blocking and content filtering. encrypted-dns-server is lighter on resources and simpler to configure for basic encrypted DNS needs, whereas AdGuardHome provides a more user-friendly interface and additional customization options at the cost of increased complexity and resource usage.
A DNS forwarder
Pros of mosdns
- Written in Go, which makes cross-platform builds and static binaries easy
- More flexible configuration options, allowing for complex DNS routing and filtering rules
- Supports various upstream DNS protocols, including DNS-over-HTTPS, DNS-over-TLS, and DNS-over-QUIC
Cons of mosdns
- Less focus on encryption and privacy compared to encrypted-dns-server
- May require more complex setup and configuration for advanced features
- Smaller community and potentially less frequent updates
Code Comparison
encrypted-dns-server (Rust), a simplified sketch of the startup path (not verbatim repository code):
pub fn run(config: Config) -> Result<(), Error> {
    let runtime = Runtime::new()?; // tokio runtime
    runtime.block_on(async move {
        // Server::new loads or creates the state file holding the provider keys (illustrative)
        let server = Server::new(config).await?;
        server.run().await
    })
}
mosdns (Go), simplified sketch:
func (s *Server) Run() error {
for _, l := range s.listeners {
go func(l net.Listener) {
if err := s.serve(l); err != nil {
s.logger.Error("server exited", zap.Error(err))
}
}(l)
}
return nil
}
Both projects implement DNS servers with different focuses. encrypted-dns-server emphasizes encryption and privacy, while mosdns offers more flexibility in DNS routing and filtering. The code snippets show the main run functions, highlighting the different languages and approaches used in each project.
Unbound is a validating, recursive, and caching DNS resolver.
Pros of unbound
- More mature and widely adopted DNS resolver with extensive documentation
- Supports a broader range of DNS-related features and protocols
- Highly configurable with numerous options for advanced users
Cons of unbound
- Less focus on encryption and privacy compared to encrypted-dns-server
- May be more complex to set up and configure for basic use cases
- Larger codebase and potentially higher resource usage
Code comparison
encrypted-dns-server (Rust), simplified sketch (not verbatim repository code):
pub fn new(config: Config) -> Result<Self, Error> {
    // Shared, lock-protected LRU cache of upstream responses (see "Built-in DNS cache" below)
    let cache = Arc::new(Mutex::new(LruCache::new(config.cache_size)));
    let state = ServerState::new(config, cache)?;
    Ok(Server { state })
}
unbound (C):
struct ub_ctx* ub_ctx_create(void) {
struct ub_ctx* ctx = (struct ub_ctx*)calloc(1, sizeof(*ctx));
if(!ctx)
return NULL;
ctx->env = (struct module_env*)calloc(1, sizeof(*ctx->env));
if(!ctx->env) {
free(ctx);
return NULL;
}
return ctx;
}
Both projects implement DNS resolvers, but encrypted-dns-server focuses on encrypted DNS protocols, while unbound offers a more comprehensive DNS solution with broader functionality. encrypted-dns-server is written in Rust, emphasizing modern language features and memory safety, while unbound is implemented in C for performance and compatibility with existing systems.
README
An easy to install, high-performance, zero maintenance proxy to run an encrypted DNS server.
Protocols
The proxy supports the following protocols:
- DNSCrypt v2
- Anonymized DNSCrypt
- DNS-over-HTTPS (DoH) forwarding
All of these can be served simultaneously, on the same port (usually port 443). The proxy automatically detects what protocol is being used by each client.
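The following is an added example, not code from encrypted-dns-server, showing how a single port can serve several protocols at once: the first bytes of a datagram or TCP stream decide whether the data is a TLS handshake to be passed through to the DoH proxy or a DNSCrypt query to decrypt locally. Field sizes follow the DNSCrypt v2 protocol specification (8-byte client magic taken from the served certificate, 32-byte client public key, 12-byte client nonce, encrypted payload ending in a 16-byte tag); the exact checks the real proxy performs may differ, and the sample query is constructed with dummy key material.

```rust
// Added example, not code from encrypted-dns-server: how a single listening
// port can be shared by DNSCrypt and DoH forwarding. The first bytes of each
// datagram or TCP stream decide where it goes. Sizes follow the DNSCrypt v2
// protocol specification (8-byte client magic, 32-byte client public key,
// 12-byte client nonce, encrypted payload ending in a 16-byte tag); the real
// proxy's checks may differ, and the sample query below is constructed.

const CLIENT_MAGIC_LEN: usize = 8;
const CLIENT_PK_LEN: usize = 32;
const CLIENT_NONCE_LEN: usize = 12;
const TAG_LEN: usize = 16;

#[derive(Debug, PartialEq)]
pub enum Protocol<'a> {
    /// TLS handshake: hand the raw connection to the DoH proxy ([tls] upstream).
    TlsForward,
    /// DNSCrypt v2 query addressed to one of our certificates; the pieces needed to decrypt it.
    DnsCrypt { client_pk: &'a [u8], nonce: &'a [u8], ciphertext: &'a [u8] },
    /// Neither: drop it.
    Unknown,
}

/// A TLS record carrying a ClientHello: content type 0x16, major version 0x03,
/// and handshake type 0x01 right after the 5-byte record header.
fn is_tls_client_hello(head: &[u8]) -> bool {
    head.len() >= 6 && head[0] == 0x16 && head[1] == 0x03 && head[5] == 0x01
}

/// Classify one UDP datagram (or one length-delimited TCP message) given the
/// client magic values of the certificates currently being served.
pub fn classify<'a>(packet: &'a [u8], known_magics: &[[u8; CLIENT_MAGIC_LEN]]) -> Protocol<'a> {
    if is_tls_client_hello(packet) {
        return Protocol::TlsForward;
    }
    if packet.len() < CLIENT_MAGIC_LEN + CLIENT_PK_LEN + CLIENT_NONCE_LEN + TAG_LEN {
        return Protocol::Unknown; // too short to be a valid DNSCrypt query
    }
    let (magic, rest) = packet.split_at(CLIENT_MAGIC_LEN);
    if !known_magics.iter().any(|m| m.as_slice() == magic) {
        return Protocol::Unknown; // not for any key we hold (or a certificate we no longer serve)
    }
    let (client_pk, rest) = rest.split_at(CLIENT_PK_LEN);
    let (nonce, ciphertext) = rest.split_at(CLIENT_NONCE_LEN);
    Protocol::DnsCrypt { client_pk, nonce, ciphertext }
}

/// TCP: TLS is recognised from the record header; anything else is a DNS-style
/// 2-byte big-endian length prefix followed by a DNSCrypt query.
pub fn classify_tcp<'a>(head: &'a [u8], known_magics: &[[u8; CLIENT_MAGIC_LEN]]) -> Protocol<'a> {
    if is_tls_client_hello(head) {
        return Protocol::TlsForward;
    }
    if head.len() < 2 {
        return Protocol::Unknown;
    }
    let len = u16::from_be_bytes([head[0], head[1]]) as usize;
    let body = &head[2..];
    match body.get(..len) {
        Some(msg) => classify(msg, known_magics),
        None => Protocol::Unknown, // message not fully received yet
    }
}

/// Constructed sample query: correct layout, dummy key material and ciphertext.
pub fn sample_query(magic: [u8; CLIENT_MAGIC_LEN]) -> Vec<u8> {
    let mut q = magic.to_vec();
    q.extend_from_slice(&[0xAA; CLIENT_PK_LEN]);
    q.extend_from_slice(&[0xBB; CLIENT_NONCE_LEN]);
    q.extend_from_slice(&[0xCC; 20]); // dummy ciphertext (real one: padded query + 16-byte tag)
    q
}

fn main() {
    let magic = [0x71, 0x83, 0x91, 0x2c, 0x7a, 0xd5, 0x3b, 0x9e];
    println!("{:?}", classify(&sample_query(magic), &[magic]));
    println!("{:?}", classify(&[0x16, 0x03, 0x01, 0x00, 0xf4, 0x01], &[magic]));
}
```

Because the TLS check runs before the length prefix is interpreted, a DNSCrypt message whose length happens to start with the bytes 0x16 0x03 would be misrouted if only two bytes were examined; checking the handshake type byte as well makes that collision far less likely, and a production demultiplexer should also enforce the specification's padding and minimum-length rules, which this sketch leaves out.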
Installation
Option 1: precompiled x86_64 binary
Debian packages, and archives for Linux and Windows, can be downloaded from the project's GitHub releases page.
Nothing else has to be installed. The server doesn't require any external dependencies.
In the Debian package, the example configuration file can be found in /usr/share/doc/encrypted-dns/.
Option 2: compilation from source code
The proxy requires Rust >= 1.39 or a nightly toolchain.
Rust can be installed with:
curl -sSf https://sh.rustup.rs | bash -s -- -y --default-toolchain nightly
source $HOME/.cargo/env
Once Rust is installed, the proxy can be compiled and installed as follows:
cargo install encrypted-dns
strip ~/.cargo/bin/encrypted-dns
The executable file will be copied to ~/.cargo/bin/encrypted-dns by default.
Option 3: Docker
dnscrypt-server-docker is the most popular way to deploy an encrypted DNS server.
This Docker image includes a caching DNS resolver, the encrypted DNS proxy, and scripts to automatically configure everything.
Setup
The proxy requires a recursive DNS resolver, such as Knot, PowerDNS or Unbound.
That resolver can run locally and only respond to 127.0.0.1. External resolvers such as Quad9 or Cloudflare DNS can also be used, but this may be less reliable due to rate limits.
In order to support DoH in addition to DNSCrypt, a DoH proxy must be running as well. rust-doh is the recommended DoH proxy server. DoH support is optional, as it is currently far more complicated to set up than DNSCrypt due to certificate management.
Make a copy of the example-encrypted-dns.toml configuration file named encrypted-dns.toml.
Then, review the encrypted-dns.toml file. This is where all the parameters can be configured, including the IP addresses to listen to.
You should probably at least change the listen_addrs and provider_name settings.
Start the proxy. It will automatically create a new provider key pair if there isn't any.
The DNS stamps are printed. They can be used directly with dnscrypt-proxy.
There is nothing else to do. Certificates are automatically generated and rotated.
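The DNS stamps printed at startup (the sdns://... strings) bundle everything a client such as dnscrypt-proxy needs: the address to connect to, the provider's public key and the provider name. As an added example, not code from encrypted-dns-server or dnscrypt-proxy, the following std-only Rust codec encodes and decodes DNSCrypt stamps according to the published DNS Stamps format; the server values in sample_stamp are made up, and the base64url and length-prefix helpers are written here because the format uses unpadded base64url over single-byte length prefixes.

```rust
// Added example, not code from encrypted-dns-server or dnscrypt-proxy: encode
// and decode the DNSCrypt flavour of DNS stamps, the "sdns://..." strings the
// proxy prints at startup, per the published DNS Stamps format (std only).
// Binary layout before unpadded base64url encoding: 0x01 | props (u64 little-
// endian) | LP(addr) | LP(provider public key) | LP(provider name), where LP is
// one length byte followed by the bytes. The sample server values are made up.

const STAMP_PREFIX: &str = "sdns://";
const PROTO_DNSCRYPT: u8 = 0x01;
pub const PROP_DNSSEC: u64 = 1; // informal property flags
pub const PROP_NO_LOGS: u64 = 2;
pub const PROP_NO_FILTERS: u64 = 4;

#[derive(Debug, Clone, PartialEq)]
pub struct DnsCryptStamp {
    pub props: u64,
    pub addr: String,          // "ip:port"; the port may be omitted when it is 443
    pub provider_pk: [u8; 32], // provider's Ed25519 public key, which signs the certificates
    pub provider_name: String, // e.g. "2.dnscrypt-cert.example.com"
}

const B64: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

pub fn b64url_encode(data: &[u8]) -> String {
    let mut out = String::new();
    for chunk in data.chunks(3) {
        let b = [chunk[0], *chunk.get(1).unwrap_or(&0), *chunk.get(2).unwrap_or(&0)];
        let n = ((b[0] as u32) << 16) | ((b[1] as u32) << 8) | (b[2] as u32);
        out.push(B64[((n >> 18) & 63) as usize] as char);
        out.push(B64[((n >> 12) & 63) as usize] as char);
        if chunk.len() > 1 { out.push(B64[((n >> 6) & 63) as usize] as char); }
        if chunk.len() > 2 { out.push(B64[(n & 63) as usize] as char); } // no '=' padding
    }
    out
}

pub fn b64url_decode(s: &str) -> Option<Vec<u8>> {
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in s.bytes() {
        acc = (acc << 6) | B64.iter().position(|&x| x == c)? as u32; // None on a bad character
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    Some(out)
}

fn push_lp(out: &mut Vec<u8>, bytes: &[u8]) -> Option<()> {
    if bytes.len() > 255 { return None; } // LP has a single length byte
    out.push(bytes.len() as u8);
    out.extend_from_slice(bytes);
    Some(())
}

pub fn encode(stamp: &DnsCryptStamp) -> Option<String> {
    let mut bin = vec![PROTO_DNSCRYPT];
    bin.extend_from_slice(&stamp.props.to_le_bytes());
    push_lp(&mut bin, stamp.addr.as_bytes())?;
    push_lp(&mut bin, &stamp.provider_pk)?;
    push_lp(&mut bin, stamp.provider_name.as_bytes())?;
    Some(format!("{}{}", STAMP_PREFIX, b64url_encode(&bin)))
}

fn read_lp<'a>(cur: &mut &'a [u8]) -> Option<&'a [u8]> {
    let (&len, rest) = cur.split_first()?;
    if rest.len() < len as usize { return None; } // truncated stamp
    let (item, rest) = rest.split_at(len as usize);
    *cur = rest;
    Some(item)
}

pub fn decode(stamp: &str) -> Option<DnsCryptStamp> {
    let bin = b64url_decode(stamp.strip_prefix(STAMP_PREFIX)?)?;
    let (&proto, rest) = bin.split_first()?;
    if proto != PROTO_DNSCRYPT || rest.len() < 8 { return None; } // DoH (0x02) etc. differ
    let props = u64::from_le_bytes(rest[..8].try_into().ok()?);
    let mut cur: &[u8] = &rest[8..];
    let addr = String::from_utf8(read_lp(&mut cur)?.to_vec()).ok()?;
    let provider_pk: [u8; 32] = read_lp(&mut cur)?.try_into().ok()?;
    let provider_name = String::from_utf8(read_lp(&mut cur)?.to_vec()).ok()?;
    Some(DnsCryptStamp { props, addr, provider_pk, provider_name })
}

/// Constructed sample: what a freshly configured server might advertise.
pub fn sample_stamp() -> DnsCryptStamp {
    DnsCryptStamp {
        props: PROP_DNSSEC | PROP_NO_LOGS | PROP_NO_FILTERS,
        addr: "198.51.100.1:443".to_string(),
        provider_pk: [0x42; 32],
        provider_name: "2.dnscrypt-cert.example.com".to_string(),
    }
}

fn main() {
    let encoded = encode(&sample_stamp()).expect("fields fit in one length byte");
    println!("{}\n{:?}", encoded, decode(&encoded));
}
```

Decoding the stamp a server printed and comparing provider_pk and provider_name with what you configured is a quick check that the state file was not replaced; the decoder rejects stamps of other types (DoH stamps begin with 0x02 and have a different layout) and truncated input, and the encoder refuses any field longer than 255 bytes.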
Migrating from dnscrypt-wrapper
If you are currently running an encrypted DNS server using dnscrypt-wrapper, moving to the new proxy is simple:
- Double check that the provider name in encrypted-dns.toml matches the one you previously configured. If you forgot it, it can be recovered from its DNS stamp.
- Run encrypted-dns --import-from-dnscrypt-wrapper secret.key, with secret.key being the file with the dnscrypt-wrapper provider secret key.
Done. Your server is now running the new proxy.
Built-in DNS cache
The proxy includes a key cache, as well as a DNS cache that significantly reduces the load on upstream servers.
In addition, if the upstream server is slow or unresponsive, expired cached responses are served anyway, so popular domain names keep resolving during an upstream outage.
State file
The proxy creates and updates a file named encrypted-dns.state by default. That file contains the provider secret key, as well as certificates and encryption keys.
Do not delete the file, unless you want to change parameters (such as the provider name), and keep it secret, or the keys will be lost.
Putting it in a directory that is only readable by the super-user is not a bad idea.
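A startup check along those lines, as an added example rather than something the proxy does itself: refuse to use the state file if anyone other than its owner can read it, and create it with mode 0600 when it is missing so that a permissive umask cannot widen it. This is Unix-only code built on the standard library; the file path is whatever the caller passes in.

```rust
// Added example, not part of encrypted-dns-server: guard the state file that
// holds the provider secret key. Refuse to use it if group/others can access
// it, and create it with mode 0600 when absent so the umask cannot loosen it.
// Unix only (std::os::unix); the path is chosen by the caller.
use std::fs::{self, OpenOptions};
use std::io;
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// Check that `path` is a regular file with no permission bits for group/others.
pub fn check_state_file_mode(path: &Path) -> io::Result<()> {
    let meta = fs::metadata(path)?; // follows symlinks; a dangling link is an error here
    if !meta.is_file() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "state file is not a regular file"));
    }
    let mode = meta.permissions().mode() & 0o777;
    if mode & 0o077 != 0 {
        return Err(io::Error::new(
            io::ErrorKind::PermissionDenied,
            format!("state file mode {:04o} is accessible to group/others; chmod 600 it", mode),
        ));
    }
    Ok(())
}

/// Create the state file with mode 0600 if it does not exist, then verify it.
/// Returns true when a new file was created (the proxy would then generate keys).
pub fn open_or_create_state_file(path: &Path) -> io::Result<bool> {
    let created = match OpenOptions::new().write(true).create_new(true).mode(0o600).open(path) {
        Ok(_) => true,
        Err(e) if e.kind() == io::ErrorKind::AlreadyExists => false,
        Err(e) => return Err(e),
    };
    check_state_file_mode(path)?;
    Ok(created)
}

fn main() -> io::Result<()> {
    let path = Path::new("encrypted-dns.state"); // the proxy's default state file name
    let created = open_or_create_state_file(path)?;
    println!("{}: {}", path.display(), if created { "created with mode 0600" } else { "exists, permissions OK" });
    Ok(())
}
```

The check deliberately looks only at mode bits, so it fails closed even when the process runs as root and could read the file regardless; pair it with the directory advice above, since a world-readable parent directory still lets others list and replace the file.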
Filtering
Domains can be filtered directly by the proxy, see the [filtering] section of the configuration file. Note: Filtering only works with the DNSCrypt protocol and does not apply to DNS-over-HTTPS (DoH) forwarding, because DoH connections are passed through to the DoH proxy still encrypted and the proxy never sees their queries.
Access control
Access control can be enabled in the [access_control] section of the configuration file. Clients present a token through the query_meta configuration value of dnscrypt-proxy, and queries that do not carry a token listed in that section are refused.
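The exchange behind that setting, as an added example reconstructed from the documented client option rather than code taken from dnscrypt-proxy or encrypted-dns-server: the client attaches its query_meta strings to each query as a TXT record in the additional section, and the server parses that section, picks out a "token:<value>" entry and compares it against its configured tokens. The "token:" key name is an assumption made for this illustration; the wire format handling follows RFC 1035 and the query is constructed inline.

```rust
// Added example, not code from dnscrypt-proxy or encrypted-dns-server: the
// access-control exchange reconstructed from the documented client setting.
// dnscrypt-proxy's query_meta strings travel as a TXT record in the additional
// section of each query; the server side here extracts them and checks a
// "token:<value>" entry against its configured tokens. The "token:" key is an
// assumption for this illustration; wire-format handling follows RFC 1035.

const TYPE_TXT: u16 = 16;
const CLASS_IN: u16 = 1;
const META_KEY: &str = "token:"; // assumed: dnscrypt-proxy query_meta = ["token:<value>"]

/// Client side: a minimal A query for `qname` plus one TXT RR at the root name
/// in the additional section carrying `metas` (what query_meta adds).
pub fn build_query_with_meta(id: u16, qname: &str, metas: &[&str]) -> Vec<u8> {
    let mut m = Vec::new();
    m.extend_from_slice(&id.to_be_bytes());
    m.extend_from_slice(&[0x01, 0x00]); // flags: RD
    m.extend_from_slice(&[0, 1, 0, 0, 0, 0, 0, 1]); // QDCOUNT=1 ANCOUNT=0 NSCOUNT=0 ARCOUNT=1
    for label in qname.trim_end_matches('.').split('.') {
        m.push(label.len() as u8);
        m.extend_from_slice(label.as_bytes());
    }
    m.push(0); // root label terminates the name
    m.extend_from_slice(&[0, 1, 0, 1]); // QTYPE A, QCLASS IN
    m.push(0); // additional RR owner name "."
    m.extend_from_slice(&TYPE_TXT.to_be_bytes());
    m.extend_from_slice(&CLASS_IN.to_be_bytes());
    m.extend_from_slice(&86400u32.to_be_bytes()); // TTL
    let mut rdata = Vec::new();
    for s in metas {
        rdata.push(s.len() as u8); // each <character-string> is length-prefixed (max 255)
        rdata.extend_from_slice(s.as_bytes());
    }
    m.extend_from_slice(&(rdata.len() as u16).to_be_bytes()); // RDLENGTH
    m.extend_from_slice(&rdata);
    m
}

fn be16(pkt: &[u8], pos: usize) -> Option<u16> {
    Some(u16::from_be_bytes([*pkt.get(pos)?, *pkt.get(pos + 1)?]))
}

/// Advance past a (possibly compressed) domain name starting at `pos`.
fn skip_name(pkt: &[u8], mut pos: usize) -> Option<usize> {
    loop {
        let len = *pkt.get(pos)? as usize;
        if len & 0xC0 == 0xC0 { return Some(pos + 2); } // compression pointer ends the name
        if len == 0 { return Some(pos + 1); }
        pos += 1 + len;
    }
}

/// Server side: every TXT string found in the additional section of a query.
/// Returns None for malformed packets (short, truncated, inconsistent counts).
pub fn query_meta(pkt: &[u8]) -> Option<Vec<String>> {
    let (qd, an, ns, ar) = (be16(pkt, 4)?, be16(pkt, 6)?, be16(pkt, 8)?, be16(pkt, 10)?);
    let mut pos = 12;
    for _ in 0..qd {
        pos = skip_name(pkt, pos)? + 4; // name + QTYPE + QCLASS
    }
    let first_additional = an as u32 + ns as u32;
    let mut out = Vec::new();
    for i in 0..first_additional + ar as u32 {
        pos = skip_name(pkt, pos)?;
        let rtype = be16(pkt, pos)?;
        let rdlen = be16(pkt, pos + 8)? as usize; // TYPE(2) CLASS(2) TTL(4) RDLENGTH(2)
        let rdata = pkt.get(pos + 10..pos + 10 + rdlen)?;
        if i >= first_additional && rtype == TYPE_TXT {
            let mut p = 0;
            while p < rdata.len() {
                let l = rdata[p] as usize;
                out.push(String::from_utf8_lossy(rdata.get(p + 1..p + 1 + l)?).into_owned());
                p += 1 + l;
            }
        }
        pos += 10 + rdlen;
    }
    Some(out)
}

/// Fixed-time comparison so a wrong token fails without leaking how much of it matched.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Server decision: accept only if some "token:<value>" meta matches a configured token;
/// queries without metadata, or that fail to parse, are denied.
pub fn is_authorized(pkt: &[u8], tokens: &[&str]) -> bool {
    match query_meta(pkt) {
        Some(metas) => metas
            .iter()
            .filter_map(|m| m.strip_prefix(META_KEY))
            .any(|t| tokens.iter().any(|allowed| ct_eq(t.as_bytes(), allowed.as_bytes()))),
        None => false,
    }
}

fn main() {
    let q = build_query_with_meta(0x1234, "example.com", &["token:s3cret"]);
    println!("metas = {:?}, authorized = {}", query_meta(&q), is_authorized(&q, &["s3cret"]));
}
```

The token only protects against unauthorised use of the resolver, not against disclosure: it is carried inside the DNSCrypt-encrypted query, so it is safe on the wire, but it is a shared static secret, and anyone with the client's configuration file can reuse it.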
Prometheus metrics
Prometheus metrics can optionally be enabled in order to monitor performance, cache efficiency, and more.
Anonymized DNSCrypt
Enabling Anonymized DNSCrypt allows the server to be used as an encrypted DNS relay.