sdns - 轻量级,快速的dns递归服务器
sdns - 轻量级,快速的dns递归服务器
Go 网络编程
共622Star
详细介绍
🚀
Privacy important, fast, recursive dns resolver server with dnssec support
Installation
go get github.com/semihalev/sdns
or
or run with Docker image or alternative from Docker hub
docker run -d --name sdns -p 53:53 -p 53:53/udp -p 853:853 -p 8053:8053 -p 8080:8080 sdns
- Port 53 DNS server
- Port 853 DNS-over-TLS server
- Port 8053 DNS-over-HTTPS server
- Port 8080 HTTP API
Building
$ go build
Testing
$ make test
Flags
Flag | Desc |
---|---|
config | Location of the config file, if config file not found, a config will generate |
v | Show version information |
Debug Environment
$ export SDNS_DEBUGNS=true && export SDNS_PPROF=true && ./sdns
SDNS_DEBUGNS enviroment useful when you want to check authoritive servers RTT times. Usage: send HINFO query for zones.
Example Output:
$ dig chaos hinfo example.com
; <<>> DiG 9.17.1 <<>> chaos hinfo example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29636
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f27dbb995df5ac79e4fa37c07d131b5bd03aa1c5f802047a7c02fb228a886cb281ecc319323dea81 (good)
;; QUESTION SECTION:
;example.com. CH HINFO
;; AUTHORITY SECTION:
example.com. 0 CH HINFO "Host" "IPv4:199.43.135.53:53 rtt:142ms health:[GOOD]"
example.com. 0 CH HINFO "Host" "IPv4:199.43.133.53:53 rtt:145ms health:[GOOD]"
example.com. 0 CH HINFO "Host" "IPv6:[2001:500:8f::53]:53 rtt:147ms health:[GOOD]"
example.com. 0 CH HINFO "Host" "IPv6:[2001:500:8d::53]:53 rtt:148ms health:[GOOD]"
Configuration (v1.0.1)
Key | Desc |
---|---|
version | Config version |
blocklists | List of remote blocklists address list. All lists will be download to blocklist folder. |
blocklistdir | List of locations to recursively read blocklists from (warning, every file found is assumed to be a hosts-file or domain list) |
loglevel | What kind of information should be logged, Log verbosity level crit,error,warn,info,debug |
accesslog | The location of access log file, left blank for disabled. SDNS uses Common Log Format by default. |
bind | Address to bind to for the DNS server. Default :53 |
bindtls | Address to bind to for the DNS-over-TLS server. Default :853 |
binddoh | Address to bind to for the DNS-over-HTTPS server. Default :8053 |
tlscertificate | TLS certificate file path |
tlsprivatekey | TLS private key file path |
outboundips | Outbound ipv4 addresses, if you set multiple, sdns can use random outbound ipv4 address by request based |
outboundip6s | Outbound ipv6 addresses, if you set multiple, sdns can use random outbound ipv6 address by request based |
rootservers | DNS Root IPv4 servers |
root6servers | DNS Root IPv6 servers |
rootkeys | Trusted anchors for DNSSEC |
fallbackservers | Failover resolver ipv4 or ipv6 addresses with port, left blank for disabled: Example: "8.8.8.8:53" |
api | Address to bind to for the http API server, left blank for disabled |
nullroute | IPv4 address to forward blocked queries to |
nullroutev6 | IPv6 address to forward blocked queries to |
accesslist | Which clients allowed to make queries |
timeout | Network timeout for each dns lookups in duration Default: 2s |
hostsfile | Enables serving zone data from a hosts file, left blank for disabled |
expire | Default error cache TTL for in seconds Default: 600 |
cachesize | Cache size (total records in cache) Default: 256000 |
maxdepth | Maximum iteration depth for a query Default: 30 |
ratelimit | Query based ratelimit per second, 0 for disabled. Default: 0 |
clientratelimit | Client ip address based ratelimit per minute, 0 for disable. if client support edns cookie no limit. Default: 0 |
blocklist | Manual blocklist entries |
whitelist | Manual whitelist entries |
cookiesecret | DNS cookie secret (RFC 7873), if no cookiesecret set, it will be generate automatically |
nsid | DNS server identifier (RFC 5001), it's useful while operating multiple sdns. left blank for disabled |
chaos | Enable to answer version.server, version.bind, hostname.bind and id.server chaos txt queries. |
qname_min_level | Qname minimize level.If higher, it can be more complex and impact the response performance. If set 0, qname min will be disable |
emptyzones | Empty zones return answer for RFC 1918 zones. Please see http://as112.net/ for details. |
Server Configuration Checklist
- Increase file descriptor on your server
Features
- Linux/BSD/Darwin/Windows supported
- DNS RFC compatibility
- DNS lookups within listed ipv4 and ipv6 auth servers
- DNS caching
- DNSSEC validation
- DNS over TLS support (DoT)
- DNS over HTTPS support (DoH)
- Outbound IP selection
- Middleware Support, you can add, your own middleware
- RTT priority within listed servers
- Failover forwarders while returning failured responses
- EDNS Cookie Support (client<->server)
- EDNS NSID Support
- Full IPv6 support (client<->server, server<->server)
- Query based ratelimit
- IP based ratelimit
- Access list
- Access log
- Prometheus basic query metrics
- Black-hole for malware responses
- HTTP API support
- Cache Purge API and query support
- Answer chaos txt queries for version.bind and hostname.bind
- Empty zones support described at RFC 1918
TODO
- More tests
- Try lookup NS address better way
- DNS over TLS support
- DNS over HTTPS support
- Full DNSSEC support
- RTT optimization
- Access list
- Periodic priming queries described at RFC 8109
- Full IPv6 support (server<->server communication)
- Query name minimization to improve privacy described at RFC 7816
- DNAME Redirection in the DNS described at RFC 6672
- Automated Updates DNSSEC Trust Anchors described at RFC 5011
- DNS64 DNS Extensions for NAT from IPv6 Clients to IPv4 Servers described at RFC 6147
Performance
These benchmarks were run on a server with Intel Xeon E5-2609 v4 cpu and 32GB memory on localhost. DNS-OARC dnsperf (https://www.dns-oarc.net/tools/dnsperf) tool used with 50.000 sample query data.
Resolver | RESPONSE | NOERROR | SERVFAIL | NXDOMAIN | RUN TIME | QPS |
---|---|---|---|---|---|---|
SDNS | %99,88 | %73,60 | %1,36 | %25,04 | 101s480ms | 492/s |
PowerDNS | %99,59 | %72,76 | %1,40 | %25,84 | 123s930ms | 402/s |
Bind | %99,40 | %72,98 | %1,09 | %25,94 | 115s150ms | 431/s |
Unbound | %99,14 | %73,19 | %0,90 | %25,90 | 178s80ms | 278/s |
Who Used
CubeDNS public open resolver project using sdns on multi location. The project supported both UDP and TCP also DoT and DoH.
Proto | Servers |
---|---|
IPv4 | 195.244.44.44, 195.244.44.45 |
IPv6 | 2a0a:be80::cbe:4444, 2a0a:be80::cbe:4445 |
DoH | https://cubedns.com/dns-query |
Contributing
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.
Please make sure to update tests as appropriate.
♥️
Made With
- miekg/dns - Alternative (more granular) approach to a DNS library
Inspired by
License
-
0 Star
-
523 Star
-
2415 Star
-
40 Star
-
0 Star
-
1937 Star
-
0 Star
-
1329 Star
-
0 Star
-
0 Star