jDnsProxy
Simple, fast and lightweight DNS proxy and cache. It listens on TCP or UDP ports and relays each request to one or more upstream DNS-over-TCP, DNS-over-TLS, or DNS-over-HTTPS servers, optionally through an HTTP or SOCKS proxy (such as Tor), and optionally with pinned public keys so that an upstream is authenticated by its known key rather than by whatever the system CA store happens to trust. Responses are cached with their TTLs respected, and the cache also implements proper Serve-Stale behaviour, answering from an expired entry while the upstream cannot be reached.
Records are handled generically, so any current or future DNS record type should work, and full DNSSEC support is available as long as the upstream resolvers provide it.
The sample/default configuration is in jdnsproxy.properties; each option is documented in the comments there.
Build/run like so:
mvn clean package
java -jar jDnsProxy/target/jDnsProxy.jar ./jdnsproxy.properties
# or with xmpp:// listener+resolver support:
java -cp jDnsProxy/target/jDnsProxy.jar:xmpp-dox/target/xmpp-dox.jar com.moparisthebest.dns.DnsProxy xmpp-dox/jdnsproxy.xmpp.resolver.properties
Implemented specs:
- RFC-1035: DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION
- RFC-7858: Specification for DNS over Transport Layer Security (TLS)
- RFC-8484: DNS Queries over HTTPS (DoH)
- Draft: Serving Stale Data to Improve DNS Resiliency
- RFC-6891: Extension Mechanisms for DNS (EDNS(0))
- DNS EDNS0 Option Codes (OPT)
- RFC-3225: Indicating Resolver Support of DNSSEC
- XEP-0418: DNS Queries over XMPP (DoX)
Use these for quick testing (they assume the proxy is listening on 127.0.0.1 port 5353; the first two force TCP, the +dnssec variants set the DO bit and ask for DNSSEC records, and +tries=1 +retry=0 makes a failure show up immediately instead of being retried):
dig -p5353 @127.0.0.1 debian.org +tries=1 +retry=0 +tcp
dig -p5353 @127.0.0.1 debian.org +tries=1 +retry=0 +tcp +dnssec
dig -p5353 @127.0.0.1 debian.org +tries=1 +retry=0
dig -p5353 @127.0.0.1 debian.org +tries=1 +retry=0 +dnssec
Use this to extract an upstream's TLS public key in pinning format (base64 of the SHA-256 of the DER-encoded SubjectPublicKeyInfo, the same format as RFC-7469 HPKP pins). It pins only the key in the leaf certificate the server presents today, so also keep a pin for a backup or intermediate key, otherwise connections will fail when the upstream rotates its key:
openssl s_client -connect 'dns.google.com:443' 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey | openssl asn1parse -noout -inform pem -out /dev/stdout | openssl dgst -sha256 -binary | openssl base64
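The following is an added example, not part of jDnsProxy itself, showing the same pin computation done offline and used as a check: it generates a constructed self-signed certificate (so nothing on the network is needed), computes its pin both with the asn1parse trick from the one-liner above and with the equivalent `openssl pkey -outform der`, and checks a PEM chain against a set of allowed pins the way a pinning TLS client does (any certificate in the chain matching any pin is accepted). The function names, the temporary directory layout and the CN=example.test certificate are assumptions of this example; the pin strings it prints are what you would put into jdnsproxy.properties in the format documented there.

```shell
#!/usr/bin/env bash
# Added example (not jDnsProxy's own code): SPKI pin computation and checking
# with plain openssl. Pin format: base64(SHA-256(DER SubjectPublicKeyInfo)).
set -eu

# Pin of the first certificate in a PEM file, via openssl pkey (PEM -> DER).
spki_pin() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 -binary \
    | openssl base64
}

# Same pin, via the asn1parse trick used in the README one-liner; asn1parse
# with -out just re-emits the PEM-decoded DER, so both functions must agree.
spki_pin_asn1() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl asn1parse -noout -inform pem -out /dev/stdout \
    | openssl dgst -sha256 -binary \
    | openssl base64
}

# check_pins CHAIN.pem PIN [PIN...]: succeed if any certificate in the chain
# has a public key whose pin is in the allowed set, fail otherwise.
check_pins() {
  chain="$1"; shift
  tmp=$(mktemp -d)
  # Split the PEM bundle into one file per certificate (cert1.pem, cert2.pem, ...).
  awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (dir "/cert" n ".pem")}' "$chain"
  for f in "$tmp"/cert*.pem; do
    [ -e "$f" ] || continue
    pin=$(spki_pin "$f")
    for allowed in "$@"; do
      if [ "$pin" = "$allowed" ]; then rm -rf "$tmp"; return 0; fi
    done
  done
  rm -rf "$tmp"
  return 1
}

# Constructed test material: a throwaway self-signed EC P-256 certificate.
# make_test_cert DIR NAME writes DIR/NAME.key and DIR/NAME.pem with CN=NAME.
make_test_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.pem" -subj "/CN=$2" -days 1 2>/dev/null
}

# Stand-alone demo: generate a cert, print its pin, verify it against itself.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir" example.test
demo_pin=$(spki_pin "$demo_dir/example.test.pem")
echo "pin for CN=example.test: $demo_pin"
if check_pins "$demo_dir/example.test.pem" "$demo_pin"; then
  echo "pin check: ok"
else
  echo "pin check: MISMATCH"
fi
rm -rf "$demo_dir"
```

For a live upstream, replace the constructed certificate with the chain that `openssl s_client -showcerts` prints (all BEGIN/END blocks, not just the first), so that a pin on an intermediate key can also be matched.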
License
MIT License, refer to LICENSE.txt