Simple fast and lightweight DNS proxy and cache, implementing DNS-over-TLS, DNS-over-HTTPS, and Serve-Stale

Simple, fast, and lightweight DNS proxy and cache that listens on TCP or UDP ports and relays requests to various upstream DNS-over-TCP, DNS-over-TLS, or DNS-over-HTTPS servers, optionally over HTTP or SOCKS proxies (like Tor), and optionally pinning public keys for complete TLS security. It implements a simple response cache that respects TTLs and also implements proper Serve-Stale functionality.

This should support any current and future DNS record generically, and it provides full DNSSEC support if the upstream resolvers do.

Sample/default configuration is in and should be documented clearly there.

Build/run like so:

mvn clean package
java -jar target/jDnsProxy.jar ./

Implemented specs:

Use these for quick testing:

dig -p5353 @ +tries=1 +retry=0 +tcp
dig -p5353 @ +tries=1 +retry=0 +tcp +dnssec

dig -p5353 @ +tries=1 +retry=0
dig -p5353 @ +tries=1 +retry=0 +dnssec

And use this to extract TLS public keys in pinning format:

openssl s_client -connect '' 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey | openssl asn1parse -noout -inform pem -out /dev/stdout | openssl dgst -sha256 -binary | openssl base64
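
The pin printed by the command above is the base64-encoded SHA-256 digest of the certificate's DER SubjectPublicKeyInfo, so it follows the key rather than the certificate. The script below is an added example, not part of jDnsProxy: it computes the same pin offline from a PEM file and shows that a renewal with the same key keeps the pin while a key rotation changes it. The function names, file names and the `pin-demo.example` subject are assumptions, the certificates are constructed test material, and `openssl pkey -pubin -outform DER` stands in for the `asn1parse` step as the PEM-to-DER conversion.

```sh
#!/bin/sh
# Added example: SPKI pin = base64(SHA-256(DER SubjectPublicKeyInfo)).

# Print the pin for the PEM certificate file given as $1.
spki_pin() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary |
        openssl base64
}

# Return 0 if the certificate in $1 carries the expected pin $2.
pin_matches() {
    [ "$(spki_pin "$1")" = "$2" ]
}

# Constructed test material in directory $1: two certificates issued from
# the same key (a renewal) and one issued from a fresh key (a rotation).
make_demo_certs() {
    d=$1
    subj="/CN=pin-demo.example"   # hypothetical subject, not a real server
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/old.key" &&
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/new.key" &&
    openssl req -x509 -new -key "$d/old.key" -subj "$subj" -days 30 -out "$d/issued.pem" &&
    openssl req -x509 -new -key "$d/old.key" -subj "$subj" -days 90 -out "$d/renewed.pem" &&
    openssl req -x509 -new -key "$d/new.key" -subj "$subj" -days 90 -out "$d/rotated.pem"
}

# Pin the first certificate, then check the renewed and rotated ones.
demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_certs "$tmp" || { rm -rf "$tmp"; return 1; }
    pin=$(spki_pin "$tmp/issued.pem")
    echo "configured pin: $pin"
    for c in renewed rotated; do
        if pin_matches "$tmp/$c.pem" "$pin"; then
            echo "$c.pem: pin matches"
        else
            echo "$c.pem: pin mismatch, a pinned connection would be refused"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Before an upstream server rotates its key, compute the pin of the new certificate this way and update the configured pin, otherwise the proxy's pinned connection to that upstream stops validating.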


MIT License, refer to LICENSE.txt