Archives
/
encrypted-dns-server
mirror of https://github.com/jedisct1/encrypted-dns-server
2
0
Fork 0
Code Issues Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
dependabot/cargo/libsodium-sys-stable-1.20.7
dependabot/cargo/serde-1.0.201
dependabot/cargo/anyhow-1.0.83
master
sieve-cache
slab
tracing-locks
cart
packet-size
solofilter
ttl
0.9.15
0.9.14
0.9.13
0.9.12
0.9.11
0.9.10
0.9.9
0.9.8
0.9.7
0.9.6
0.9.5
0.9.4
0.9.3
0.9.2
0.9.1
0.9.0
0.3.23
0.3.22
0.3.21
0.3.20
0.3.17
0.3.14
0.3.12
0.3.11
0.3.10
0.3.8
0.3.7
0.3.6
0.3.5
0.3.3
0.3.2
0.3.1
0.3.0
0.2.10
0.2.9
0.2.8
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a04d6e1d23'
${ noResults }
encrypted-dns-server/README.md

69 lines
2.9 KiB
Markdown
Raw Normal View History Unescape Escape

up
5 years ago
# Encrypted DNS Server
up
5 years ago
Update the documentation
5 years ago
An easy to install, zero maintenance proxy to run an encrypted DNS server.
Written in Rust.
## Protocols
The proxy aims at supporting the following protocols:
up
5 years ago
WIP
5 years ago
- [DNSCrypt v2](https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/DNSCRYPT-V2-PROTOCOL.txt)
Update the documentation
5 years ago
- [Anonymized DNSCrypt](https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/ANONYMIZED-DNSCRYPT.txt) (WIP)
up
5 years ago
- DNS-over-HTTP (DoH)
WIP
5 years ago
Update the documentation
5 years ago
All of these can be served simultaneously, on the same port (usually port 443). The proxy automatically detects what protocol is being used by each client.
## Installation
The proxy uses recent features of the Rust compiler, and currently requires rust-nightly.
Rust can installed with:
```sh
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
```
Once rust is installed, the proxy can be compiled and installed with the following command, to be run in the source directory:
```sh
cargo install --path .
```
## Setup
The proxy requires a recursive DNS resolver, such as Knot, PowerDNS or Unbound.
That resolver can run locally and only respond to `127.0.0.1`. External resolvers such as Quad9 or Cloudflare DNS can also be used, but this may be less reliable due to rate limits.
In order to support DoH in addition to DNSCrypt, a DoH proxy must be running as well. [rust-doh](https://github.com/jedisct1/rust-doh) is the recommended DoH proxy server. DoH support is optional, as it is currently way more complicated to setup than DNSCrypt due to certificate management.
Review the `encrypted-dns.toml` configuration file. This is where all the parameters can be configured, including the IP addresses to listen to. You should probably at least change the `provider_name` setting.
Start the proxy. It will automatically create a new provider key pair if there isn't any.
The DNS stamps are printed. They can be used directly with `dnscrypt-proxy`.
There is nothing else to do. Certificates are automatically generated and rotated.
## Migrating from dnscrypt-wrapper
If you are currently running an encrypted DNS server using `dnscrypt-wrapper`, moving to the new proxy is simple:
- Double check that the provider name in `encrypted-dns.toml` matches the one you previously configured. If you forgot it, it can be recovered [from its DNS stamp](https://dnscrypt.info/stamps/).
- Run `dnscrypt-dns --import-from-dnscrypt-wrapper secret.key`, with `secret.key` being the file with the `dnscrypt-wrapper` provider secret key.
Done. Your server is now running the new proxy.
## State file
The proxy creates and updates a file named `encrypted-dns.state` by default. That file contains the provider secret key, as well as certificates and encryption keys.
WIP
5 years ago
Update the documentation
5 years ago
Do not delete the file, unless you want to change parameters (such as the provider name), and keep it secret, or the keys will be lost.
WIP
5 years ago
Update the documentation
5 years ago
Putting it in a directory that is only readable by the super-user is not a bad idea.
up
5 years ago
## WIP
This is still a work in progress.