- more flexible dns query filter to block some domains
- prevent dns injection and other security issue under some network
- flexible rules or filters to block domains, rules equal/prefix/suffix/regexp were supported
- multi dns protocol support, dns/dns-over-https/dns-over-tls/dns-over-quic were supported
- flexible dns cache rule support (this might violated dns rfc)
- forward different domain/zone to more than one different nameservers, to get better result
- collect personal dns query log, to identify security issue or something
- hijacking some domain or query type
# default all features
go build
# disable dns-over-quic
go build -tags="noquic"
# on linux platform, use epoll event to detect closed connection, to disable it, use tag "detect_common"
go build -tags="detect_common"
# reduce binary size
go build -ldflags '-s -w'
$ gnamed --help
Usage of gnamed:
-config-file string
config file (default "./configx/config.json")
-dump-json
dump configuration with json format, then exit
-verbose
verbose
$ gnamed
{"level":"debug","log_type":"main","op_type":"start","time":"2023-08-18T12:26:26+08:00"}
{"level":"info","log_type":"filter","op_type":"load","filter_name":"phishing_army_blocklist_extended","syntax":"domain","stats":{"total":161411,"valid":161411,"invalid":0},"elapsed_time":148.2475,"time":"2023-08-18T12:26:26+08:00"}
{"level":"info","log_type":"filter","op_type":"load","filter_name":"oisd_big_abp","syntax":"adblock","stats":{"total":247034,"valid":247034,"invalid":0},"elapsed_time":224.4434,"time":"2023-08-18T12:26:26+08:00"}
{"level":"info","log_type":"filter","op_type":"load","elapsed_time":224.4434,"stats":{"total":2,"error":0,"success":2,"skip":0},"time":"2023-08-18T12:26:26+08:00"}
{"level":"trace","log_type":"cache","cache_mode":"skiplist","max_level":32,"probability":0.5,"time":"2023-08-18T12:26:26+08:00"}
{"level":"info","log_type":"server","address":"127.0.1.2:53","network":"tcp","protocol":"dns","time":"2023-08-18T12:26:26+08:00"}
{"level":"info","log_type":"server","address":"127.0.1.2:53","network":"udp","protocol":"dns","time":"2023-08-18T12:26:26+08:00"}
{"level":"info","log_type":"server","protocol":"dns","network":"udp","clientip":"127.0.0.1","id":3,"name":"google.com.","qtype":"A","qclass":"IN","view_name":"google.com.","query_type":"external","queries":[{"nameserver_tag":"tag_doh_cf","protocol":"https","network":"tcp","doh_msg_type":"RFC8484","id":0,"name":"google.com.","method":"POST","doh_url":"https://1.1.1.1/dns-query","status_code":200,"latancy":360.7854}],"latency_query":360.7854,"rcode":"NOERROR","cache":"update","singleflight":false,"latency":361.4834,"time":"2023-08-18T12:26:39+08:00"}
{"level":"info","log_type":"server","protocol":"dns","network":"udp","clientip":"127.0.0.1","id":5,"name":"github.com.","qtype":"A","qclass":"IN","view_name":"github.com.","query_type":"external","queries":[{"nameserver_tag":"tag_dot_cf","protocol":"tls-tcp","network":"tcp-tls","id":42485,"name":"github.com.","latency":161.8645}],"latency_query":481.7437,"rcode":"NOERROR","cache":"update","singleflight":false,"latency":481.9434,"time":"2023-08-18T12:26:42+08:00"}
- Server: dns/dns-over-tls/dns-over-quic/dns-over-http
- Query: dns/dns-over-tls/dns-over-quic/dns-over-http(3)
- Cache: flexible ttls value, background update steal values
- API: delete value from ache / reload configuration
- Security: public free malware/ad filter lists, flexible black and white list
- Warm: auto store and reload domains that used in high frequency at shutdown and startup
- server: dns protocol support
- server: dns-over-https protocol support
- server: dns-over-tls protocol support
- server: dns-over-quic protocol support
- server: ensure singleflight incoming query
- query: dns protocol support
- query: dns-over-https protocol support
- query: dns-over-tls protocol support
- query: dns-over-quic protocol support
- query: flexible view match rules, for example 'contains'
- query: dns-over-https support auto detect that the server supported ALPN
- cache: delete expired cache actively
- cache: dns-over-https cache ttl should be calculated base on both http cache header and dns record ttl
- reply: update ttl when response from cache
- api: cache operations: delete/flush
- api: dns query statistics: NXDOMAIN(security audit), Qtype, not NOERROR
- api: update blacklist/whitelist
- web: web ui make api easy use
- doc: openapi https://github.com/swaggo/swag#how-to-use-it-with-gin
- optimization: blacklist/whitelist
contains
rule match algorithm, Aho-Corasick or flashtext - optimization: singleflight outgoing query (dns-over-https)
- optimization: select lowest rtt record (cdn domain)
- optimization: log format and fields
- optimization: algorithm to get dns response cache ttl
- optimization: select server base on latency
- security: filter by ip or domain, ad or malware https://gitlab.com/malware-filter/urlhaus-filter
- privacy: HTTP/TLS Fingerprint (cipher suit order http headers)
- https://dnsprivacy.org/public_resolvers/
- https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers
Name | Protocol | Reference |
---|---|---|
Cloudflare | DOH/DOT/DNS | https://developers.cloudflare.com/1.1.1.1/ |
Nextdns | DOH/DOT/DNS | https://my.nextdns.io/start |
AdGuard | DOH/DOT/DOQ/DNS/DNSCrypt | https://adguard-dns.io/en/public-dns.html |
DOH/DOT/DNS | https://developers.google.com/speed/public-dns | |
Quad9 | DOH/DOT/DNS | https://www.quad9.net/ |
- Draft-IETF - Service binding and parameter specification via the DNS (DNS SVCB and HTTPS RRs)
- IANA - dns-parameters
- ICANN - DNS-related RFCs with Community Annotations
- RFC1034 - DOMAIN NAMES - CONCEPTS AND FACILITIES
- RFC1035 - DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION
- RFC1912 - Common DNS Operational and Configuration Errors
- RFC4033 - DNS Security Introduction and Requirements
- RFC4074 - Common Misbehavior Against DNS Queries for IPv6 Addresses
- RFC5625 - DNS Proxy Implementation Guidelines
- RFC6147 - DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers
- RFC6840 - Clarifications and Implementation Notes for DNS Security (DNSSEC)
- RFC6891 - Extension Mechanisms for DNS (EDNS(0))
- RFC7766 - DNS Transport over TCP - Implementation Requirements
- RFC7858 - Specification for DNS over Transport Layer Security (TLS)
- RFC7871 - Client Subnet in DNS Queries
- RFC7873 - Domain Name System (DNS) Cookies
- RFC8085 - UDP Usage Guidelines
- RFC8310 - Usage Profiles for DNS over TLS and DNS over DTLS
- RFC8484 - DNS Queries over HTTPS (DoH)
- RFC8499 - DNS Terminology
- RFC8906 - A Common Operational Problem in DNS Servers: Failure to Communicate
- RFC9000 - QUIC: A UDP-Based Multiplexed and Secure Transport
- RFC9018 - Interoperable Domain Name System (DNS) Server Cookies
- RFC9114 - HTTP/3
- RFC9210 - DNS Transport over TCP - Operational Requirements
- RFC9230 - Oblivious DNS over HTTPS
- RFC9250 - DNS over Dedicated QUIC Connections
- BlackHat - eu-17-Shuster-Passive-Fingerprinting-Of-HTTP2-Clients-wp.pdf
- Show Your HTTP2 Fingerprint - https://tls.peet.ws/api/all
- APNIC - are-large-dns-messages-falling-to-bits
- Check My DNS
- dnsflagday
- Tranco: A Research-Oriented Top Sites Ranking Hardened Against Manipulation
- https://oisd.nl
- https://phishing.army
- https://gitlab.com/malware-filter/urlhaus-filter
- https://github.com/badmojr/1Hosts
- https://github.com/hectorm/hmirror/tree/master/data
- https://someonewhocares.org/hosts/zero/hosts
- singleflight need to set timeout. not alwasy wait pre-query response.