Zero-infrastructure private networking over DNS.
Trantor is a "zero-infrastructure" private networking system that connects clients to servers in a way that is completely invisible to outside observers. Unlike traditional VPNs, Trantor does not rely on a centralized coordination server; it repurposes the DNS protocol as an encrypted, asynchronous control plane.
Trantor connects clients to servers invisibly. No coordination server, no open ports, no identifiable traffic. It hides connection metadata inside encrypted DNS TXT records that only passphrase holders can read.
Trantor secures up to three aspects of a connection, depending on the server configuration:
1. IP Address (always protected). The server's IP is encrypted in DNS records. Only passphrase holders can discover it. This applies even for plain HTTP services.
2. TLS Certificate (if the service uses HTTPS). Client and server independently forge identical TLS certificates from shared parameters. No certificate authority needed. Only passphrase holders can establish a TLS connection.
3. Domain Name (if the server supports ECH). The SNI field in TLS handshakes normally leaks the domain name in cleartext. Trantor integrates Encrypted Client Hello (RFC 9849) to encrypt it. The client daemon serves the ECH configuration locally, so the browser encrypts the SNI without querying any external server.
Trantor repurposes the global DNS as an encrypted control plane. A server publishes its IP address, TLS certificate, and ECH configuration as encrypted TXT records. A client with the right passphrase queries the DNS, decrypts the records, forges an identical TLS certificate locally, and connects directly to the server over standard HTTPS.
```
Client                        DNS                           Server
  |                            |                              |
  | 1. TXT query (hashed)      |                              |
  | ─────────────────────────> |                              |
  |                            |                              |
  | 2. Encrypted record        |                              |
  | <───────────────────────── |                              |
  |                            |                              |
  | 3. Decrypt -> IP + cert    |                              |
  |    + ECH config            |                              |
  |                            |                              |
  | 4. TLS handshake           |                              |
  |    (SNI encrypted via ECH) |                              |
  | ──────────────────────────────────────────────────────────> |
  |                            |                              |
  | 5. Secure connection       |                              |
  | <────────────────────────────────────────────────────────── |
```
| | Trantor | Tor | Tailscale / ZeroTier | WireGuard |
|---|---|---|---|---|
| Infrastructure | Existing DNS | Relay nodes | Coordination server | Static point-to-point |
| Stealth | Invisible (DNS noise) | Identifiable (public guard nodes) | Visible (to controller) | Identifiable (port scan / DPI) |
| Resilience | High (distributed global DNS) | High (thousands of nodes) | Low (central controller) | High (point-to-point) |
| Attack surface | Low (no port, no identifiable server) | Large (known nodes, malicious exits, traffic correlation) | Medium (controller = compromise point) | Low (exposed UDP port) |
| Performance | Direct (min. latency) | Triple hop (slow) | Direct (STUN/ICE) | Direct (fast) |
| Complexity | Low (no server to run) | High | Medium | Low |
Blocking Trantor would require blocking DNS TXT queries altogether, which would break email delivery, domain validation, and other core internet services.
Secure discovery. Server IP addresses are encrypted in DNS records. Only passphrase holders can resolve them.
Deterministic TLS. Client and server independently forge identical TLS certificates from shared parameters. No certificate authority needed.
SNI protection. Encrypted Client Hello hides the domain name during TLS handshakes. The ECH configuration is served locally by the client daemon, never published in public DNS.
Access management. Create any number of passphrases. Assign them to individuals or groups. Revoke any passphrase without affecting the others.
Multi-platform. Runs as a system daemon with a tray GUI on Linux, Windows, and macOS. Runs as a VPN-based app on iOS and Android.
Zero infrastructure. No server to deploy, no account to create, no coordinator to maintain. Just DNS.
The full technical specification is available in this repository (docs/trantor-spec-en.md, with a French version in docs/trantor-spec-fr.md; the client implementation is described in docs/trantor-client-spec.md).
Trantor is under active development. The installation instructions below describe the intended workflow for future releases.
Server:

```bash
# Download the latest release
curl -L https://github.com/digicreon/trantor/releases/latest/download/trantor-server-linux-amd64 -o trantor-server
chmod +x trantor-server
sudo mv trantor-server /usr/local/bin/
# Initialize configuration
sudo trantor-server init --domain titi.tutu.com --provider cloudflare
```

Client (Linux / macOS):
```bash
curl -L https://github.com/digicreon/trantor/releases/latest/download/trantor-client-linux-amd64 -o trantor-client
chmod +x trantor-client
sudo mv trantor-client /usr/local/bin/
# Start the daemon
sudo trantor-client start
```

Windows:
```powershell
# Download and install
Invoke-WebRequest -Uri "https://github.com/digicreon/trantor/releases/latest/download/trantor-client-windows-amd64.exe" -OutFile "trantor-client.exe"
# Install and start the service
.\trantor-client.exe start
```

The desktop GUI (trantor-gui) is packaged with the installer. It runs as a system tray icon and provides a visual interface for managing domains and passphrases.
iOS / Android: Mobile apps will be available on the App Store and Google Play.
Server side: Initialize Trantor, create a passphrase, and let the server publish its encrypted records to DNS.

```bash
# Initialize
sudo trantor-server init --domain titi.tutu.com --provider cloudflare
# Create a passphrase for a user or group
sudo trantor-server passphrase add --domain titi.tutu.com --name "team-alpha"
# Output: Passphrase generated: correct-horse-battery-staple
# Publish to DNS
sudo trantor-server publish --domain titi.tutu.com
```

Client side: Add the domain via the GUI (click the tray icon, then "+ Add Domain") or edit the configuration file and reload:

```bash
# Edit the config file, then reload the daemon
sudo trantor-client reload
```

Open https://titi.tutu.com in your browser. The connection is established through Trantor.
Trantor uses a two-tier system. Users receive a passphrase. Behind the scenes, the server maintains a master passphrase (256-bit random, never shared with users) that encrypts the actual connection data.
Each user passphrase has its own DNS record containing the master passphrase (encrypted). Revoking a passphrase regenerates the master passphrase, updates all remaining passphrase records, and deletes the revoked one. Existing users notice nothing. The revoked user loses access immediately.
```bash
# Revoke a passphrase
sudo trantor-server passphrase revoke --domain titi.tutu.com --name "team-alpha"
```

Trantor's security relies on:
- AES-256-GCM for record encryption.
- Argon2id (64 MB) for key derivation, protecting against brute-force attacks on passphrases.
- ECDSA P-256 for TLS certificate key pairs.
- HPKE X25519 for ECH key pairs (SNI encryption).
- DNSSEC (recommended) to prevent DNS MITM attacks.
- DoH/DoT (recommended) to hide DNS query content from local network observers.
The passphrase is the single point of trust. Choose strong passphrases and distribute them through secure channels.
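The two-tier passphrase model described above, as an added Go illustration that is not the project's own code: a per-user record wraps the master key under a key derived from that user's passphrase, the connection data is sealed under the master key with AES-256-GCM, and revocation rotates the master key so a cached old record no longer opens the current payload. Assumptions: the function names are hypothetical, the domain name serves as the KDF salt, and iterated SHA-256 stands in for Argon2id, which is outside the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Stand-in KDF (assumption): iterated SHA-256 over domain||passphrase in place of Trantor's Argon2id.
func deriveKey(domain, passphrase string) []byte {
	k := sha256.Sum256([]byte(domain + "\x00" + passphrase))
	for i := 0; i < 10000; i++ { k = sha256.Sum256(k[:]) }
	return k[:] // 32 bytes: an AES-256 key
}
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // keys here are always 32 bytes
	g, _ := cipher.NewGCM(block)
	return g
}
// seal/open: AES-256-GCM, with a fresh 12-byte nonce prepended to the ciphertext.
func seal(key, pt []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return aead(key).Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 { return nil, errors.New("record missing or too short") }
	return aead(key).Open(nil, ct[:12], ct[12:], nil)
}
// Publish (server side) wraps a fresh 256-bit master key for every user (name -> passphrase)
// and seals the connection data under that master key. Revocation is dropping the user and
// publishing again: the rotated master key makes a cached old record useless against the new payload.
func Publish(domain, conn string, users map[string]string) (map[string][]byte, []byte) {
	master := make([]byte, 32)
	rand.Read(master)
	records := map[string][]byte{}
	for name, pass := range users {
		records[name] = seal(deriveKey(domain, pass), master)
	}
	return records, seal(master, []byte(conn))
}
// Resolve (client side): passphrase -> user key -> master key -> connection data.
func Resolve(domain, name, passphrase string, records map[string][]byte, payload []byte) (string, error) {
	master, err := open(deriveKey(domain, passphrase), records[name])
	if err != nil { return "", err }
	pt, err := open(master, payload)
	return string(pt), err
}
```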
```
trantor/
├── cmd/
│   ├── trantor-server/         # Server binary
│   ├── trantor-client/         # Client binary (daemon + reload + status)
│   └── trantor-gui/            # Desktop Fyne GUI (tray app)
├── internal/
│   ├── crypto/                 # Argon2id, AES-GCM, certificate forging
│   ├── dns/                    # DNS TXT record read/write via Lexicon
│   ├── resolver/               # Local DNS resolver (A/AAAA + HTTPS type 65)
│   ├── ech/                    # HPKE key generation, ECHConfigList, HTTPS record synthesis
│   └── trust/                  # OS trust store management
├── platform/                   # Per-OS DNS interception, trust store, reload signaling
├── mobile/
│   ├── ios/                    # Xcode project (Fyne + Swift Network Extension)
│   └── android/                # Gradle project (Fyne + Kotlin VpnService)
├── docs/
│   ├── trantor-spec-en.md      # Technical specification (English)
│   ├── trantor-spec-fr.md      # Technical specification (French)
│   └── trantor-client-spec.md  # Client implementation specification
├── go.mod
├── go.sum
├── CLAUDE.md
├── LICENSE
└── README.md
```
Contributions are welcome. Please read the technical specification before submitting changes to ensure alignment with the protocol design.
Trantor is a Digicreon project.