DnsSafeguard is a fast and secure DNS client written in Rust, designed to intercept DNS queries on a UDP socket and securely transmit them to a DNS server using DNS over HTTPS/TLS/QUIC (DoH/DoT/DoQ). By leveraging TLS ClientHello fragmentation and UDP noise, it bypasses Great Firewall (GFW) censorship of encrypted DNS.

- Secure Communication: Uses Rustls for encrypted (TLS) communication with DNS servers.
- UDP Socket: Captures DNS queries on a UDP socket for efficient handling.
- DoH Protocol: Transmits DNS queries using DoH, supporting HTTP/1.1, HTTP/2 and HTTP/3 for enhanced privacy.
- DoT Protocol: Transmits DNS queries using DoT with both blocking and non-blocking algorithms.
- DoQ Protocol: Transmits DNS queries using DoQ, providing highly secure and efficient communication without head-of-line blocking.
- Rules: Create rules for groups of domains and keywords to control DNS queries effectively.
- Censorship Bypass: Implements TLS ClientHello fragmentation with four methods to evade GFW TLS censorship.
- Customizable UDP Noise: Implements four types of UDP noise to bypass QUIC blocking.
- IPv6 Support
- HTTP/3 Support
- HTTP/2 Support
- HTTP/2 TLS Fragmentation
- HTTP/1.1 Multi-Connection
- DNS over TLS (DoT) with Blocking & Non-Blocking Support
- UDP Noise Implementation
- Advanced Rules Management
- DNS over QUIC (DoQ) Support
- Local HTTP/1.1 and HTTP/2 DoH Server (POST + GET)
To build the project, execute the following command in the project directory: `cargo build --release`
Windows

1. Download the Latest Release:
   - Visit the releases page and download the latest version of the DNS client.
   - Extract the downloaded archive to a folder of your choice.
2. Configure the `config.json` File:
   - Locate the `config.json` file in the extracted folder.
   - Open it using a text editor.
   - Modify the necessary settings based on the instructions in the "Configuration File" section.
3. Run the DNS Client:
   - Execute the DNS client application (e.g., `DnsSafeguard.exe`).
   - You should see log messages indicating that the client is attempting to establish a connection.
4. Verify Connection Establishment:
   - Keep an eye on the logs. When you see the message "Connection established", the DNS client has successfully connected to the DNS server.
5. Set Up Windows DNS:
   - Go to your Windows network settings.
   - Configure the DNS server address to match the IP address specified in the `UDP Socket Addresses` section of the `config.json` file.

Linux

Exact same steps as Windows except for step 5: open the `/etc/resolv.conf` file and configure the DNS server address to match the IP address specified in the `UDP Socket Addresses` section of the `config.json` file. For example, if the `UDP Socket Addresses` value is `127.0.0.1`, then the content of `/etc/resolv.conf` must be `nameserver 127.0.0.1`.
Configuration File

The `config.json` file is a crucial part of the DnsSafeguard application. It contains the settings that control the behavior of the DNS client.

`h1` and `dot` are extremely cost-effective and operate on a single thread. All protocols establish a single connection, except for `h1_multi`, which supports multiple connections. `h3` and `doq` are built on the QUIC protocol and can be configured using the `Quic` section of the configuration file.
The configuration file is structured in JSON format and includes the following settings:

- `Protocol`: Specifies the protocol used for DNS queries.
  - `h1`: Single HTTP/1.1 connection.
  - `h1_multi`: Multiple HTTP/1.1 connections.
  - `h2`: HTTP/2 connection.
  - `h3`: HTTP/3 connection.
  - `dot`: DoT connection (DNS over TLS).
  - `dot_nonblocking`: DoT non-blocking connection (DNS over TLS).
  - `doq`: DoQ connection (DNS over QUIC).
- `Server Name`: The domain name of the DNS server.
- `Disable Domain SNI`: When enabled, the server name is not sent as SNI, which can be a good alternative to the fragmenting method. Some public DNS servers, like Google, support this. Supported protocols: H1, H2, DoT, DoT_nonblocking and H1_multi.
- `Socket Addresses`: The IP address and port for the DNS server connection.
- `UDP Socket Addresses`: Local UDP address and port on which DNS queries are received.
- `Custom Http Path`: Specifies a custom HTTP path for HTTP-based protocols such as H1, H2 and H3. Use `null` for the default, which is the standard DoH path.
  - Examples: `/jsd3n5nb4/dns-query`, `/user/d618995a10e74acec7ed454ac6e39d6eb/dns-query`.
  - Warning: a custom path must end with `/dns-query`.
- `Fragmenting`: The fragmentation method to use during the TLS handshake. It has 4 valid values: `linear`, `random`, `single` and `jump`. See the fragmenting page for details.
- `Noise`: UDP noise settings.
  - `ntype`: Noise type. Variants include `dns`, `str`, `lsd` and `rand`.
  - `content`: Domain for the `dns` ntype; text for the `str` ntype.
  - `packet_length`: Specifies the length of each noise packet in bytes for the `rand` ntype.
  - `packets`: Indicates the total number of UDP noise packets to send for the `rand` ntype.
  - `sleep`: Defines the sleep time (in milliseconds) after each UDP noise packet is sent.
  - `continues`: Enables continuous noise sending.
- `IPv6`: Contains IPv6-specific settings, similar to the IPv4 configuration.
- `Quic`: Configuration for the QUIC protocol.
  - `congestion_controller`: The congestion control algorithm; options are `bbr`, `cubic` and `newreno`.
  - `keep_alive_interval`: The keep-alive interval for the connection, in seconds.
  - `datagram_receive_buffer_size`: Size of the receive buffer for datagrams.
  - `datagram_send_buffer_size`: Size of the send buffer for datagrams.
  - `connecting_timeout_sec`: Specifies the maximum connection timeout duration in seconds.
- `Connection`: Connection settings.
  - `h1_multi_connections`: Number of connections for the `h1_multi` protocol.
  - `reconnect_sleep`: Duration to sleep before reconnecting (in seconds).
  - `max_reconnect`: Maximum reconnect attempts before sleeping for a longer duration.
  - `max_reconnect_sleep`: Duration to sleep when the maximum number of reconnect attempts is reached.
- `DoH Server`: Local DNS over HTTPS (HTTP/2) server for browsers.
  - `Listen Address`: The IP address and port of the local DoH server (e.g., `127.0.0.1:443`).
  - `ALPN`: Sets the HTTP version to serve. Supported variants are `h2` and `http/1.1`.
  - `Certificate`: Path to the certificate file (e.g., `/path/to/certificate.crt`).
  - `Key`: Path to the key file (e.g., `/path/to/key.key`).
  - `log_errors`: Enables logging of DoH server errors.
- `Rules`: Block or bypass DNS queries containing specified domains or keywords. Value can be `null`.
  - `options`: List of domains or keywords.
  - `target`: Either `block` or a DNS server providing the plaintext UDP protocol (e.g., `1.1.1.1:53`).
Warning

Only TLS 1.3 is supported, for better performance.

This project is licensed under the Apache 2.0 License - see the LICENSE file for details.