Homelab DNS server with multi-protocol and flexible rule support.

chaosmatrix/gnamed

gnamed

Description

Why this tool was created

  1. a more flexible DNS query filter to block unwanted domains
  2. to prevent DNS injection (forged answers from an untrusted resolver on the path) and other security issues on some networks

What it can do

  1. flexible rules and filters to block domains; equal, prefix, suffix and regexp rules are supported
  2. multiple DNS protocols: plain DNS, DNS-over-HTTPS, DNS-over-TLS and DNS-over-QUIC
  3. flexible DNS cache rules (note: overriding upstream TTLs may violate the DNS RFCs)
  4. forwarding different domains or zones to different upstream nameservers, for better answers
  5. collecting a personal DNS query log, to identify security issues and the like
  6. hijacking selected domains or query types (answering them locally instead of forwarding)
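The four rule kinds above, plus the allow-list override listed under Features, fit in a few dozen lines. The Go program below is an added example written for this page, not gnamed's own filter: the RuleKind/Rule/Filter names and the ParseListLine helper are this example's, and the two list syntaxes it handles (hosts-file lines and adblock `||domain^` lines, the "domain" and "adblock" syntaxes the startup log reports) are an assumption about the blocklists in use. It shows two details that are easy to get wrong: a suffix rule must stop at a label boundary, and a hosts-file entry names exactly one host while an adblock entry also covers subdomains.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// RuleKind selects how a pattern is compared with a query name; the kinds mirror
// the equal/prefix/suffix/regexp rules above. All names here are this example's own.
type RuleKind int

const (
	Equal RuleKind = iota
	Prefix
	Suffix
	Regexp
)

type Rule struct {
	Kind    RuleKind
	Pattern string
	re      *regexp.Regexp
}

// normalize makes "Example.COM." and "example.com" compare equal: DNS names are
// case-insensitive and the trailing dot only marks a fully qualified name.
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

func NewRule(kind RuleKind, pattern string) (Rule, error) {
	if kind != Regexp { // ".ads.example" and "ads.example" name the same suffix
		return Rule{Kind: kind, Pattern: strings.TrimPrefix(normalize(pattern), ".")}, nil
	}
	re, err := regexp.Compile(pattern) // a bad regexp must be rejected at config load, not at query time
	if err != nil {
		return Rule{}, fmt.Errorf("bad regexp rule %q: %w", pattern, err)
	}
	return Rule{Kind: kind, Pattern: pattern, re: re}, nil
}

func (r Rule) Match(name string) bool {
	switch r.Kind {
	case Equal:
		return name == r.Pattern
	case Prefix:
		return strings.HasPrefix(name, r.Pattern)
	case Suffix: // anchored on a label boundary: "ads.example" must not match "bads.example"
		return name == r.Pattern || strings.HasSuffix(name, "."+r.Pattern)
	default:
		return r.re.MatchString(name)
	}
}

// ParseListLine turns one blocklist line into a rule. Hosts-file lines
// ("0.0.0.0 bad.example") and bare domains name one host, so they become Equal
// rules; adblock "||bad.example^" also covers subdomains, so it becomes a Suffix rule.
func ParseListLine(line string) (Rule, bool) {
	if i := strings.IndexAny(line, "#!"); i >= 0 {
		line = line[:i] // "#" starts a hosts-file comment, "!" an adblock comment
	}
	line = strings.TrimSpace(line)
	if line == "" {
		return Rule{}, false
	}
	if strings.HasPrefix(line, "||") && strings.HasSuffix(line, "^") {
		r, _ := NewRule(Suffix, strings.TrimSuffix(strings.TrimPrefix(line, "||"), "^"))
		return r, true
	}
	fields := strings.Fields(line)
	r, _ := NewRule(Equal, fields[len(fields)-1])
	return r, true
}

// Filter checks allow rules first, so a whitelist entry wins over a broad block.
type Filter struct{ block, allow []Rule }

func (f *Filter) Block(r Rule) { f.block = append(f.block, r) }
func (f *Filter) Allow(r Rule) { f.allow = append(f.allow, r) }

// Check reports whether qname should be refused and which pattern decided it.
func (f *Filter) Check(qname string) (blocked bool, pattern string) {
	name := normalize(qname)
	for _, r := range f.allow {
		if r.Match(name) {
			return false, r.Pattern
		}
	}
	for _, r := range f.block {
		if r.Match(name) {
			return true, r.Pattern
		}
	}
	return false, ""
}

func main() {
	f := &Filter{}
	r, _ := ParseListLine("||ads.example^")
	f.Block(r)
	fmt.Println(f.Check("Tracker.ads.example."))
}
```

A linear scan is fine for a handful of hand-written rules, but the blocklists in the startup log hold hundreds of thousands of entries, which is why the TODO list below mentions Aho-Corasick; for plain suffix rules a map keyed by each candidate suffix of the query name (at most one lookup per label) is the usual cheap alternative.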

Install

# default all features
go build

# disable dns-over-quic
go build -tags="noquic"

# on linux, epoll events are used to detect closed connections; to disable this, build with the tag "detect_common"
go build -tags="detect_common"

# reduce binary size
go build -ldflags '-s -w'

Architecture

(architecture diagram)

Usage

Help

$ gnamed --help
Usage of gnamed:
  -config-file string
        config file (default "./configx/config.json")
  -dump-json
        dump configuration with json format, then exit
  -verbose
        verbose

Run

$ gnamed
{"level":"debug","log_type":"main","op_type":"start","time":"2023-08-18T12:26:26+08:00"}
{"level":"info","log_type":"filter","op_type":"load","filter_name":"phishing_army_blocklist_extended","syntax":"domain","stats":{"total":161411,"valid":161411,"invalid":0},"elapsed_time":148.2475,"time":"2023-08-18T12:26:26+08:00"}
{"level":"info","log_type":"filter","op_type":"load","filter_name":"oisd_big_abp","syntax":"adblock","stats":{"total":247034,"valid":247034,"invalid":0},"elapsed_time":224.4434,"time":"2023-08-18T12:26:26+08:00"}
{"level":"info","log_type":"filter","op_type":"load","elapsed_time":224.4434,"stats":{"total":2,"error":0,"success":2,"skip":0},"time":"2023-08-18T12:26:26+08:00"}
{"level":"trace","log_type":"cache","cache_mode":"skiplist","max_level":32,"probability":0.5,"time":"2023-08-18T12:26:26+08:00"}
{"level":"info","log_type":"server","address":"127.0.1.2:53","network":"tcp","protocol":"dns","time":"2023-08-18T12:26:26+08:00"}
{"level":"info","log_type":"server","address":"127.0.1.2:53","network":"udp","protocol":"dns","time":"2023-08-18T12:26:26+08:00"}
{"level":"info","log_type":"server","protocol":"dns","network":"udp","clientip":"127.0.0.1","id":3,"name":"google.com.","qtype":"A","qclass":"IN","view_name":"google.com.","query_type":"external","queries":[{"nameserver_tag":"tag_doh_cf","protocol":"https","network":"tcp","doh_msg_type":"RFC8484","id":0,"name":"google.com.","method":"POST","doh_url":"https://1.1.1.1/dns-query","status_code":200,"latancy":360.7854}],"latency_query":360.7854,"rcode":"NOERROR","cache":"update","singleflight":false,"latency":361.4834,"time":"2023-08-18T12:26:39+08:00"}
{"level":"info","log_type":"server","protocol":"dns","network":"udp","clientip":"127.0.0.1","id":5,"name":"github.com.","qtype":"A","qclass":"IN","view_name":"github.com.","query_type":"external","queries":[{"nameserver_tag":"tag_dot_cf","protocol":"tls-tcp","network":"tcp-tls","id":42485,"name":"github.com.","latency":161.8645}],"latency_query":481.7437,"rcode":"NOERROR","cache":"update","singleflight":false,"latency":481.9434,"time":"2023-08-18T12:26:42+08:00"}
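Because each query is one JSON object, the "identify security issues" use case is scriptable, and the NXDOMAIN statistics the TODO list asks for can be computed from the log today. The Go program below is an added example, not part of gnamed: it reads query lines of the shape shown above, keeps per-client counts, and flags clients whose NXDOMAIN ratio is high, the pattern left by DGA malware, internal scanners, or a broken search-domain setting. It relies only on the log_type, clientip, name, qtype and rcode fields; the sample input is constructed for the example (one listener line, the two README queries trimmed to those fields, and an invented client 192.0.2.10).

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// QueryLog holds the fields of a per-query JSON log line that the audit uses;
// encoding/json ignores the rest (queries, latency, view_name, ...).
type QueryLog struct {
	LogType  string `json:"log_type"`
	ClientIP string `json:"clientip"`
	Name     string `json:"name"`
	Qtype    string `json:"qtype"`
	Rcode    string `json:"rcode"`
}

type ClientStats struct {
	Total    int
	NXDomain int
	Names    map[string]int // distinct query names and how often each was asked
}

// Audit aggregates query lines per client IP. Listener lines are log_type
// "server" without a clientip, and filter/cache lines have another log_type;
// both are skipped, as are lines that are not valid JSON.
func Audit(logText string) map[string]*ClientStats {
	stats := map[string]*ClientStats{}
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		var q QueryLog
		if err := json.Unmarshal(sc.Bytes(), &q); err != nil || q.LogType != "server" || q.ClientIP == "" {
			continue
		}
		cs := stats[q.ClientIP]
		if cs == nil {
			cs = &ClientStats{Names: map[string]int{}}
			stats[q.ClientIP] = cs
		}
		cs.Total++
		cs.Names[strings.ToLower(q.Name)]++
		if q.Rcode == "NXDOMAIN" {
			cs.NXDomain++
		}
	}
	return stats
}

// Suspicious lists clients whose NXDOMAIN share exceeds maxRatio once they have
// sent at least minQueries queries. One typo is one NXDOMAIN; a host resolving
// a stream of never-seen names that do not exist looks like DGA malware, a
// scanner, or a broken search-domain setting, and deserves a look either way.
func Suspicious(stats map[string]*ClientStats, minQueries int, maxRatio float64) []string {
	var out []string
	for ip, cs := range stats {
		if cs.Total >= minQueries && float64(cs.NXDomain)/float64(cs.Total) > maxRatio {
			out = append(out, ip)
		}
	}
	sort.Strings(out) // map order is random; keep the report stable
	return out
}

// sampleLog is constructed for this example: one listener line and the two
// README queries, trimmed to the fields used, plus a client (192.0.2.10) that
// mostly asks for names that do not exist.
const sampleLog = `{"level":"info","log_type":"server","address":"127.0.1.2:53","network":"udp","protocol":"dns"}
{"level":"info","log_type":"server","protocol":"dns","clientip":"127.0.0.1","name":"google.com.","qtype":"A","rcode":"NOERROR"}
{"level":"info","log_type":"server","protocol":"dns","clientip":"127.0.0.1","name":"github.com.","qtype":"A","rcode":"NOERROR"}
{"level":"info","log_type":"server","protocol":"dns","clientip":"192.0.2.10","name":"kq7x2ma.example.","qtype":"A","rcode":"NXDOMAIN"}
{"level":"info","log_type":"server","protocol":"dns","clientip":"192.0.2.10","name":"p9vlw3d.example.","qtype":"A","rcode":"NXDOMAIN"}
{"level":"info","log_type":"server","protocol":"dns","clientip":"192.0.2.10","name":"z1hr8qe.example.","qtype":"A","rcode":"NXDOMAIN"}
{"level":"info","log_type":"server","protocol":"dns","clientip":"192.0.2.10","name":"m4tc6yu.example.","qtype":"A","rcode":"NXDOMAIN"}
{"level":"info","log_type":"server","protocol":"dns","clientip":"192.0.2.10","name":"github.com.","qtype":"A","rcode":"NOERROR"}
`

func main() {
	stats := Audit(sampleLog)
	for _, ip := range Suspicious(stats, 5, 0.5) {
		cs := stats[ip]
		fmt.Printf("%s: %d/%d NXDOMAIN across %d distinct names\n", ip, cs.NXDomain, cs.Total, len(cs.Names))
	}
}
```

Run it over the real log with `gnamed 2>&1 | tee gnamed.log` and a small wrapper that calls Audit on the file; the minQueries floor matters because a single client with two queries and one typo would otherwise be reported.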

Features

  • Server: dns/dns-over-tls/dns-over-quic/dns-over-https
  • Query: dns/dns-over-tls/dns-over-quic/dns-over-https (HTTP/3 supported)
  • Cache: flexible TTL values, background refresh of stale values
  • API: delete entries from the cache / reload the configuration
  • Security: public free malware/ad filter lists, flexible black and white lists
  • Warm: automatically save frequently queried domains at shutdown and reload them at startup
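The cache bullet, together with the "flexible cache rules (may violate the DNS RFCs)" item above and the TTL items in the TODO list below, describes a policy of clamping upstream TTLs, answering from cache with the TTL reduced by the entry's age, and serving an expired entry while a background refresh runs. The Go snippet below is an added example of that policy and not gnamed's cache: the Cache/Entry/Lookup names, the MinTTL/MaxTTL/StaleWindow knobs and the injectable clock are this example's choices, and the 30-second TTL on stale answers follows RFC 8767.

```go
package main

import (
	"fmt"
	"time"
)

// Key identifies a cached answer. A real cache would also key on qclass and the
// EDNS client-subnet scope; both are omitted here.
type Key struct{ Name, Qtype string }

type Entry struct {
	Rcode       string
	UpstreamTTL uint32 // TTL as the upstream sent it, kept for logging
	TTL         uint32 // TTL after clamping, the one the cache honours
	StoredAt    time.Time
}

// Cache clamps upstream TTLs into [MinTTL, MaxTTL] and keeps serving an expired
// entry for StaleWindow while a refresh is pending. Both trade RFC strictness
// for fewer upstream round trips, so keep MinTTL small (seconds to a few
// minutes): a CDN or failover address that rotated will otherwise be handed
// out long after it stopped working.
type Cache struct {
	MinTTL, MaxTTL uint32
	StaleWindow    time.Duration
	entries        map[Key]Entry
}

// StaleTTL is the TTL placed on a stale answer, the value RFC 8767 recommends,
// so clients re-ask soon and pick up the refreshed record.
const StaleTTL = 30

func NewCache(minTTL, maxTTL uint32, staleWindow time.Duration) *Cache {
	return &Cache{MinTTL: minTTL, MaxTTL: maxTTL, StaleWindow: staleWindow, entries: map[Key]Entry{}}
}

// Put stores an answer, clamping its TTL, and returns the entry as stored.
func (c *Cache) Put(k Key, rcode string, upstreamTTL uint32, now time.Time) Entry {
	ttl := upstreamTTL
	if ttl < c.MinTTL {
		ttl = c.MinTTL
	}
	if ttl > c.MaxTTL {
		ttl = c.MaxTTL
	}
	e := Entry{Rcode: rcode, UpstreamTTL: upstreamTTL, TTL: ttl, StoredAt: now}
	c.entries[k] = e
	return e
}

type Lookup struct {
	Hit       bool
	Stale     bool   // expired but inside StaleWindow: serve it and refresh in the background
	Remaining uint32 // TTL to put in the reply, reduced by the entry's age
	Rcode     string
}

func (c *Cache) Get(k Key, now time.Time) Lookup {
	e, ok := c.entries[k]
	if !ok {
		return Lookup{}
	}
	age := now.Sub(e.StoredAt)
	if age < 0 {
		age = 0 // clock stepped backwards: treat the entry as fresh rather than wrapping the arithmetic
	}
	ttl := time.Duration(e.TTL) * time.Second
	switch {
	case age < ttl:
		return Lookup{Hit: true, Remaining: e.TTL - uint32(age/time.Second), Rcode: e.Rcode}
	case age < ttl+c.StaleWindow:
		return Lookup{Hit: true, Stale: true, Remaining: StaleTTL, Rcode: e.Rcode}
	}
	delete(c.entries, k) // past the stale window: evict so the map cannot grow without bound
	return Lookup{}
}

func main() {
	c := NewCache(60, 3600, 5*time.Minute)
	now := time.Now()
	k := Key{Name: "google.com.", Qtype: "A"}
	e := c.Put(k, "NOERROR", 20, now)
	fmt.Printf("upstream TTL %d stored as %d\n", e.UpstreamTTL, e.TTL)
	for _, d := range []time.Duration{30 * time.Second, 70 * time.Second, 400 * time.Second} {
		fmt.Printf("+%v: %+v\n", d, c.Get(k, now.Add(d)))
	}
}
```

Returning the decremented TTL is what keeps a chain of caches honest: if the reply carried the full clamped TTL on every hit, a downstream resolver would extend the record's life by the age of the entry on each hop. Serving stale answers also needs a refresh trigger; Stale==true is the signal for the caller to start one without making the client wait.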

TODO-List

  • server: dns protocol support
  • server: dns-over-https protocol support
  • server: dns-over-tls protocol support
  • server: dns-over-quic protocol support
  • server: ensure singleflight for incoming queries
  • query: dns protocol support
  • query: dns-over-https protocol support
  • query: dns-over-tls protocol support
  • query: dns-over-quic protocol support
  • query: flexible view match rules, for example 'contains'
  • query: dns-over-https: auto-detect whether the server supports ALPN
  • cache: delete expired cache entries actively
  • cache: dns-over-https cache TTL should be calculated from both the HTTP cache headers and the DNS record TTL
  • reply: update the TTL when responding from cache
  • api: cache operations: delete/flush
  • api: dns query statistics: NXDOMAIN (security audit), qtype, non-NOERROR rcodes
  • api: update blacklist/whitelist
  • web: web UI to make the API easy to use
  • doc: openapi https://github.com/swaggo/swag#how-to-use-it-with-gin
  • optimization: blacklist/whitelist 'contains' rule match algorithm, Aho-Corasick or flashtext
  • optimization: singleflight for outgoing queries (dns-over-https)
  • optimization: select the lowest-RTT record (CDN domains)
  • optimization: log format and fields
  • optimization: algorithm to derive the DNS response cache TTL
  • optimization: select the upstream server based on latency
  • security: filter by IP or domain, ad or malware https://gitlab.com/malware-filter/urlhaus-filter
  • privacy: HTTP/TLS fingerprint (cipher suite order, HTTP header order)

References

NameServers

Collections
  1. https://dnsprivacy.org/public_resolvers/
  2. https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers
Info

Name        Protocol                   Reference
Cloudflare  DOH/DOT/DNS                https://developers.cloudflare.com/1.1.1.1/
Nextdns     DOH/DOT/DNS                https://my.nextdns.io/start
AdGuard     DOH/DOT/DOQ/DNS/DNSCrypt   https://adguard-dns.io/en/public-dns.html
Google      DOH/DOT/DNS                https://developers.google.com/speed/public-dns
Quad9       DOH/DOT/DNS                https://www.quad9.net/

RFC

  1. Draft-IETF - Service binding and parameter specification via the DNS (DNS SVCB and HTTPS RRs)
  2. IANA - dns-parameters
  3. ICANN - DNS-related RFCs with Community Annotations
  4. RFC1034 - DOMAIN NAMES - CONCEPTS AND FACILITIES
  5. RFC1035 - DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION
  6. RFC1912 - Common DNS Operational and Configuration Errors
  7. RFC4033 - DNS Security Introduction and Requirements
  8. RFC4074 - Common Misbehavior Against DNS Queries for IPv6 Addresses
  9. RFC5625 - DNS Proxy Implementation Guidelines
  10. RFC6147 - DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers
  11. RFC6840 - Clarifications and Implementation Notes for DNS Security (DNSSEC)
  12. RFC6891 - Extension Mechanisms for DNS (EDNS(0))
  13. RFC7766 - DNS Transport over TCP - Implementation Requirements
  14. RFC7858 - Specification for DNS over Transport Layer Security (TLS)
  15. RFC7871 - Client Subnet in DNS Queries
  16. RFC7873 - Domain Name System (DNS) Cookies
  17. RFC8085 - UDP Usage Guidelines
  18. RFC8310 - Usage Profiles for DNS over TLS and DNS over DTLS
  19. RFC8484 - DNS Queries over HTTPS (DoH)
  20. RFC8499 - DNS Terminology
  21. RFC8906 - A Common Operational Problem in DNS Servers: Failure to Communicate
  22. RFC9000 - QUIC: A UDP-Based Multiplexed and Secure Transport
  23. RFC9018 - Interoperable Domain Name System (DNS) Server Cookies
  24. RFC9114 - HTTP/3
  25. RFC9210 - DNS Transport over TCP - Operational Requirements
  26. RFC9230 - Oblivious DNS over HTTPS
  27. RFC9250 - DNS over Dedicated QUIC Connections

Paper

  1. DNS Rebinding

Others

  1. BlackHat - eu-17-Shuster-Passive-Fingerprinting-Of-HTTP2-Clients-wp.pdf
  2. Show Your HTTP2 Fingerprint - https://tls.peet.ws/api/all
  3. APNIC - are-large-dns-messages-falling-to-bits
  4. Check My DNS
  5. dnsflagday
  6. Tranco: A Research-Oriented Top Sites Ranking Hardened Against Manipulation

Data

Filter Lists
  1. https://oisd.nl
  2. https://phishing.army
  3. https://gitlab.com/malware-filter/urlhaus-filter
  4. https://github.com/badmojr/1Hosts
  5. https://github.com/hectorm/hmirror/tree/master/data
  6. https://someonewhocares.org/hosts/zero/hosts
Others
  1. public suffix list
  2. A Research-Oriented Top Sites Ranking Hardened Against Manipulation

FIXME

  1. singleflight needs a timeout: a caller should not always wait for the in-flight query's response.
