🍩 DNS to DNS-over-HTTPS (DoH) proxy server


Dohnut is a DNS to DNS-over-HTTPS (DoH) proxy server. Dohnut improves the performance, security, and privacy of your DNS traffic.

Dohnut works with any open standard (RFC 8484) compliant DoH provider, including the Commons Host DoH service and many others.

Dohnut overview diagram


High Performance - Auto-select the fastest DoH resolver. Continuously adapts to network and service conditions by monitoring the round-trip time of the DoH connection using HTTP/2 PING frames.

High Availability - Allows using multiple DoH resolvers at once to provide automatic failover in case a service is unavailable.

Zero Overhead - Network traffic does not go through Dohnut so there is no performance penalty. Only the DNS queries (very little bandwidth) are proxied.

Lightweight - Multi-threaded architecture for fast performance on low-power devices like single board computers. Designed for Raspberry Pi and Odroid but compatible with anything that can run Node.js.

Full Encryption - DoH encrypts all DNS queries inside a secure HTTP/2 connection. This protects DNS lookups against snooping at your local network router or ISP.

Connection Sharding - Spread queries across multiple DoH resolvers for improved privacy. This reduces the amount of information a single DoH service can collect.

Query Spoofing - Mask your DNS queries using fake DNS queries. Uses several randomisation techniques and samples from a public list of the top 1 million domains.

User Agent Spoofing - Avoid tracking at the HTTP level using fake browser identifiers. Randomly chosen from a public list of real-world browser data.


Dohnut is lightweight and cross-platform. Dohnut can operate standalone or with other DNS tools like Pi-hole.

Dohnut can be used in several ways:

This example launches Dohnut on your local machine to accept DNS connections and proxy them to the Commons Host DNS over HTTPS (DoH) service. See the command line interface reference for more options.

$ sudo npx dohnut --listen --doh

Started listening on (udp4)

Verify by running a DNS lookup against Dohnut. The query is proxied to the DoH service.

$ dig @localhost

; <<>> DiG 9.10.6 <<>> @localhost
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24758
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;			IN	A


;; Query time: 4 msec
;; MSG SIZE  rcvd: 53
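
What proxying one query involves at the message level, as an added example (not Dohnut's own code): the client's UDP query is re-encoded as an RFC 8484 GET or POST request with the DNS ID set to 0, as RFC 8484 section 4.1 recommends for HTTP cache friendliness, and the client's ID is restored on the reply. The resolver URL `https://doh.example/dns-query` and all function names are assumptions made for illustration.

```javascript
// Added example, not Dohnut's code. Names and the resolver URL are assumptions.

// Build a minimal DNS query in RFC 1035 wire format: header plus one question.
function buildQuery (id, name, qtype = 1) {
  const header = Buffer.alloc(12)
  header.writeUInt16BE(id, 0) // transaction ID chosen by the stub resolver
  header.writeUInt16BE(0x0100, 2) // flags: RD (recursion desired)
  header.writeUInt16BE(1, 4) // QDCOUNT = 1
  const labels = name.split('.').filter(Boolean).map((label) => {
    const bytes = Buffer.from(label, 'ascii')
    if (bytes.length > 63) throw new RangeError('label exceeds 63 octets')
    return Buffer.concat([Buffer.from([bytes.length]), bytes])
  })
  const tail = Buffer.alloc(5) // root label 0x00, then QTYPE and QCLASS
  tail.writeUInt16BE(qtype, 1)
  tail.writeUInt16BE(1, 3) // QCLASS = IN
  return Buffer.concat([header, ...labels, tail])
}

// RFC 8484 GET requests carry the message as base64url without padding.
const toBase64Url = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')

// Describe the HTTPS request a proxy would send for one UDP query.
function toDohRequest (udpQuery, resolverUrl, method = 'POST') {
  if (udpQuery.length < 12) throw new RangeError('truncated DNS header')
  const clientId = udpQuery.readUInt16BE(0) // remembered for the reply
  const message = Buffer.from(udpQuery) // copy, the caller's buffer is untouched
  message.writeUInt16BE(0, 0) // DNS ID 0 on the wire to the DoH resolver
  const headers = { accept: 'application/dns-message' }
  if (method === 'GET') {
    const url = new URL(resolverUrl)
    url.searchParams.set('dns', toBase64Url(message))
    return { clientId, method, url: url.href, headers, body: null }
  }
  headers['content-type'] = 'application/dns-message'
  return { clientId, method, url: resolverUrl, headers, body: message }
}

// Put the client's transaction ID back before relaying the answer over UDP.
function toUdpResponse (dohBody, clientId) {
  const reply = Buffer.from(dohBody)
  reply.writeUInt16BE(clientId, 0)
  return reply
}
```

The GET form of a query for `www.example.com` produced this way matches the sample request in RFC 8484 section 4.1.1.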


Made by Kenny Shen and Sebastiaan Deckers for 🐑 Commons Host.
