2018-01-31 01:25:55 -05:00
jDnsProxy
---------
Simple fast and lightweight DNS proxy and cache that listens on TCP or UDP ports and relays the request
2018-03-16 20:08:33 -04:00
to various upstream [DNS-over-TCP ](https://tools.ietf.org/html/rfc1035 ), [DNS-over-TLS ](https://tools.ietf.org/html/rfc7858 ),
or [DNS-over-HTTPS ](https://tools.ietf.org/html/draft-hoffman-dns-over-https ) servers, optionally over http or socks
2018-01-31 01:25:55 -05:00
proxies (like tor), and optionally pinning public keys for complete TLS security. Implements a simple
2018-03-16 20:08:33 -04:00
response cache respecting TTLs but also implementing proper [Serve-Stale ](https://tools.ietf.org/html/draft-ietf-dnsop-serve-stale ) functionality.
2018-01-31 01:25:55 -05:00
This should support any current and future DNS record generically, as well as providing full DNSSEC support if upstream
resolvers do.
2018-03-16 20:08:33 -04:00
Sample/default configuration is in [jdnsproxy.properties ](https://github.com/moparisthebest/jDnsProxy/blob/master/jdnsproxy.properties ) and should be documented clearly there.
2018-01-31 01:25:55 -05:00
Build/run like so:
```
mvn clean package
java -jar target/jDnsProxy.jar ./jdnsproxy.properties
```
Implemented specs:
* [RFC-1035: DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION ](https://tools.ietf.org/html/rfc1035 )
2018-03-16 20:08:33 -04:00
* [RFC-7858: Specification for DNS over Transport Layer Security (TLS) ](https://tools.ietf.org/html/rfc7858 )
2018-01-31 01:25:55 -05:00
* [Draft: DNS Queries over HTTPS ](https://tools.ietf.org/html/draft-hoffman-dns-over-https )
2018-03-16 20:08:33 -04:00
* [Draft: Serving Stale Data to Improve DNS Resiliency ](https://tools.ietf.org/html/draft-ietf-dnsop-serve-stale )
2018-01-31 01:25:55 -05:00
* [RFC-6891: Extension Mechanisms for DNS (EDNS(0)) ](https://tools.ietf.org/html/rfc6891 )
* [DNS EDNS0 Option Codes (OPT) ](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-11 )
* [RFC-3225: Indicating Resolver Support of DNSSEC ](https://tools.ietf.org/html/rfc3225 )
Use these for quick testing:
```
dig -p5353 @127 .0.0.1 debian.org +tries=1 +retry=0 +tcp
dig -p5353 @127 .0.0.1 debian.org +tries=1 +retry=0 +tcp +dnssec
dig -p5353 @127 .0.0.1 debian.org +tries=1 +retry=0
dig -p5353 @127 .0.0.1 debian.org +tries=1 +retry=0 +dnssec
```
And use this to extract TLS public keys in pinning format:
```
openssl s_client -connect 'dns.google.com:443' 2>& 1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey | openssl asn1parse -noout -inform pem -out /dev/stdout | openssl dgst -sha256 -binary | openssl base64
```
License
-------
2018-03-22 22:28:34 -04:00
MIT License, refer to LICENSE.txt