Dennis the DNS Menace

Tailored DNS responses

Dennis is a DNS server that can serve customized DNS responses on a per-user basis.

On its own, Dennis isn't very useful, but by adding a DNS recursor and an HTTP(S) proxy, Dennis can bypass geo-blocking for thousands of users.

How it works

Users are identified by their IP address, and each user can set up an unlimited number of custom DNS responses.



  • Redis instance
  • DNS recursor like PowerDNS (for test purposes you can use your ISP's or Google's DNS server)
  • HTTP proxy like Nginx (to proxy HTTPS, support for Server Name Indication, RFC 6066, is required)

Build, configure and run Dennis.

  1. Build Dennis; make sure you install the dependencies first:

     $ go build dennis.go
  2. Run Dennis with a config file:

     $ cat > dennis.conf
         bind-addr =
         redis-addr =
         dnsfwd-addr =
         portal-addr =
         logfile = /tmp/dennis.log
     $ ./dennis -config dennis.conf
     	Running on

    bind-addr: bind Dennis to this address
    redis-addr: address of the Redis instance
    dnsfwd-addr: DNS server address for forwarding requests
    portal-addr: this is the address unregistered users will get, works like a WiFi Portal

  3. Create a test user identified by IP and load it into Redis:

     $ cat > data.txt
         SET gateway:90d1ed58-399e-5ce9-93d8-28f0c86c80e0 53e48371-0bda-4f45-8d03-b0943c89c4ea
     $ cat data.txt | redis-cli --pipe

    Format gateway:<uuid5.NAMESPACE_OID:ip> <str:user_id>
    Format user:<str:user_id>:domain:<root_domain> <ip> is the IP address of your HTTP proxy 1 is the IP address of your HTTP proxy 2

  4. Test the setup and fire off some DNS queries with Dig:

     $ dig @ -p 8054
     	...    0   IN  A
     $ dig @ -p 8054
     	...    0   IN  A

Configuring Redis, Nginx and PowerDNS Recursor is out of scope for this document.
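
The gateway key format from step 3, worked through as an added example (not part of Dennis's own code): it derives the name-based UUIDv5 in the OID namespace for a client IP and prints the matching Redis SET line. It assumes the hashed name is the textual form of the IP address; the function names are hypothetical and 192.0.2.10 is a constructed documentation address.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"net"
)

// namespaceOID is the RFC 4122 OID namespace (uuid.NAMESPACE_OID in Python).
var namespaceOID = [16]byte{0x6b, 0xa7, 0xb8, 0x12, 0x9d, 0xad, 0x11, 0xd1,
	0x80, 0xb4, 0x00, 0xc0, 0x4f, 0xd4, 0x30, 0xc8}

// uuid5 returns the name-based (SHA-1) UUID of name within namespace ns.
func uuid5(ns [16]byte, name string) string {
	h := sha1.New()
	h.Write(ns[:])
	h.Write([]byte(name))
	u := h.Sum(nil)[:16]
	u[6] = (u[6] & 0x0f) | 0x50 // version 5
	u[8] = (u[8] & 0x3f) | 0x80 // RFC 4122 variant
	x := hex.EncodeToString(u)
	return x[0:8] + "-" + x[8:12] + "-" + x[12:16] + "-" + x[16:20] + "-" + x[20:32]
}

// gatewayKey builds the "gateway:<uuid5>" Redis key for a client IP.
// Assumption: the hashed name is the canonical textual IP address.
func gatewayKey(clientIP string) (string, error) {
	ip := net.ParseIP(clientIP)
	if ip == nil {
		return "", fmt.Errorf("not an IP address: %q", clientIP)
	}
	return "gateway:" + uuid5(namespaceOID, ip.String()), nil
}

func main() {
	const userID = "53e48371-0bda-4f45-8d03-b0943c89c4ea" // user_id from step 3
	key, err := gatewayKey("192.0.2.10")                  // constructed client address
	if err != nil {
		panic(err)
	}
	fmt.Printf("SET %s %s\n", key, userID)
}
```

The printed line can be appended to data.txt before piping it to redis-cli.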


Don't run Dennis on a privileged port; instead, use firewall rules to make Dennis available on TCP and UDP port 53:

Redirect TCP/UDP traffic from external:53 to internal:8054

$ iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 53 -j REDIRECT --to-port 8054
$ iptables -A PREROUTING -t nat -i eth0 -p udp --dport 53 -j REDIRECT --to-port 8054

Query Process



Dennis is licensed under the terms of the MIT license, see attached LICENSE file for more details.