A DNS-protocol proxy for DNS-over-HTTPS providers, such as Google and Cloudflare
Clone or download
fardog README fixes (#31)
* fix links to Quad9
* remove mentions of reverseoperator, which was never really
  worked on.
* add links to dnoxy
Latest commit 6ee86f0 Jan 1, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
cmd Add Quad9 support (#30) Nov 7, 2018
vendor update deps; use locked versions (#20) Dec 8, 2017
.gitignore adds release settings to travis Jan 29, 2017
.travis.yml fix travis release build on go 1.10 Jun 19, 2018
CODE_OF_CONDUCT.md Contributor guidelines, ideas for contributing, setup information (#23) Jan 7, 2018
CONTRIBUTING.md Contributor guidelines, ideas for contributing, setup information (#23) Jan 7, 2018
Dockerfile support provider defaults for google, cloudflare (#27) Jun 12, 2018
Gopkg.lock update deps; use locked versions (#20) Dec 8, 2017
Gopkg.toml update deps; use locked versions (#20) Dec 8, 2017
LICENSE Initial commit Jan 23, 2017
Makefile Allow specifying of DNS resolvers, endpoint IP addresses (#6) Apr 12, 2017
README.md README fixes (#31) Jan 1, 2019
dns_client.go SimpleDNSClient: Use DNS servers in order, try until one works (#29) Jun 16, 2018
dns_client_test.go SimpleDNSClient: Use DNS servers in order, try until one works (#29) Jun 16, 2018
handler.go replace DNSRR.RR with DNSRR.DNSRR; deprecate moved method (#19) Dec 8, 2017
provider.go replace DNSRR.RR with DNSRR.DNSRR; deprecate moved method (#19) Dec 8, 2017
provider_google.go SimpleDNSClient: Use DNS servers in order, try until one works (#29) Jun 16, 2018
provider_google_test.go Support optionally enabling EDNS (#22) Jan 4, 2018
provider_test.go replace DNSRR.RR with DNSRR.DNSRR; deprecate moved method (#19) Dec 8, 2017
util.go Initial commit Jan 23, 2017
util_test.go add tests, inline docs Jan 28, 2017

README.md

secureoperator

Build Status

A DNS-protocol proxy for DNS-over-HTTPS: allows you to run a server on your local network which responds to DNS queries, but requests records across the internet using HTTPS.

It's known to work with the following providers:

  • Google - Well tested and configured by default
  • Cloudflare (Beta) - May be used by passing the --cloudflare flag
  • Quad9 (Beta) - May be used by passing the `--quad9' flag

If you're interested in a more roll-your-own-DNS system, you might look at dnoxy, a sibling project to secureoperator which allows running your own DNS-over-HTTPS servers.

Installation

You may retrieve binaries from the releases page, or install using go get:

go get -u github.com/fardog/secureoperator/cmd/secure-operator

Then either run the binary you downloaded, or the built package:

secure-operator

This will start a DNS server listening on TCP and UDP at :53. For usage information, run secure-operator --help.

Note: Running a service on port 53 requires administrative privileges on most systems.

Docker

There is a Docker image available for secureoperator:

docker pull fardog/secureoperator

The latest tag will always be the build from the master branch. If you wish to use one of the stable releases, use its version tag when pulling, e.g.:

docker pull fardog/secureoperator:4  # latest of major version
docker pull fardog/secureoperator:4.0  # latest of minor version
docker pull fardog/secureoperator:4.0.1  # exact version

Version Compatibility

This package follows semver for its tagged releases. The master branch is always considered stable, but may break API compatibility. If you require API stability, either use the tagged releases or mirror on gopkg.in:

go get -u gopkg.in/fardog/secureoperator.v4

Caching

secureoperator does not perform any caching; each request to it causes a matching request to the upstream DNS-over-HTTPS server to be made. It's recommended that you place secureoperator behind a caching DNS server such as dnsmasq on your local network.

An simple example setup is described on the wiki. Please feel free to contribute additional setups if you are running secureoperator in your environment.

Security

Note that while DNS requests are made over HTTPS, this does not imply "secure"; consider the following:

  • You must trust the upstream provider with your requests; for your chosen provider, see:
  • The lookup for the HTTP endpoint must happen in some regard, although how this is handled is up to you:
    • The system DNS resolver is used to look up the endpoint (default)
    • You provide a list of DNS servers to use for the endpoint lookup
    • You provide the IP address(es) to the endpoint; and no unencrypted DNS lookup will be performed. However if the addresses change while the service is running, you will need to restart the service to provide new addresses.

Information on the usage of these options is available with secure-operator --help.

Help Wanted

secureoperator could be greatly enhanced by community contributions! The following areas could use work:

  • More thorough unit tests
  • Installable packages for your favorite Linux distributions
  • Documentation on deploying secureoperator to a local network

Known Issues

Cloudflare is not fully tested yet; it should work for common cases, however:

  • EDNS is not supported; this is an intentional choice by Cloudflare, which means any EDNS setting you provide when using Cloudflare as a provider will be silently ignored.

For a production environment, the Google provider (default) is your best option today. If you're brave, please test Cloudflare and report any issues!

Acknowledgments

This owes heavily to the following work:

License

   Copyright 2018 Nathan Wittstock

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0