# doh-client

`doh-client` is a DNS over HTTPS client: it opens a local UDP (DNS) port and forwards all DNS queries to a remote HTTP/2.0 server. By default, the client connects to the Cloudflare DNS service. It uses Tokio for all asynchronous IO operations and Rustls to connect to the HTTPS server.
## Getting Started

`doh-client` is written in Rust. To build it you need the Rust compiler and its build system, `cargo`.

### Build

```
$ cargo build
```

or, for a release build:

```
$ cargo build --release
```

### Run

To run the binary you need one option (see Options):

```
$ ./doh-client --cafile /path/to/the/ca/file.pem
```

For example, on Arch Linux the following command uses the system cert store:

```
# ./doh-client --cafile /etc/ca-certificates/extracted/tls-ca-bundle.pem
```
### Linux (systemd)

The following steps run `doh-client` as a daemon, without root, under Linux with `systemd` as the init system. The resulting setup connects to the Cloudflare DNS service.

- Build the binary (see Build).
- Copy the binary to `/usr/local/bin` as root:

  ```
  # cp target/release/doh-client /usr/local/bin/
  ```

- Copy the config files to `/etc/systemd/system/` as root:

  ```
  # cp doh-client.service doh-client.socket /etc/systemd/system
  ```

  If the location of the binary differs from the one above, change the path in `doh-client.service` under `ExecStart`. In the config file `doh-client.service` the path of the CA file is set to `/etc/ca-certificates/extracted/tls-ca-bundle.pem`; adjust the path before going further (it should already be correct on Arch Linux).
- Reload the `systemd` manager configuration:

  ```
  # systemctl daemon-reload
  ```

- Enable `doh-client` as a daemon:

  ```
  # systemctl enable doh-client
  ```

- Reboot the system or start the daemon manually:

  ```
  # systemctl start doh-client
  ```

- Adjust `/etc/resolv.conf` by adding the following line:

  ```
  nameserver 127.0.0.1
  ```
### Mac OS (launchd)

The following steps run `doh-client` as a daemon, without root, under Mac OS with `launchd` as the init system. The resulting setup connects to the Cloudflare DNS service.

- Build the binary (see Build).
- Copy the binary to `/usr/local/bin` as root:

  ```
  # cp target/release/doh-client /usr/local/bin/
  ```

- Copy the `launchd` config file to `/Library/LaunchDaemons/` as root:

  ```
  # cp com.doh-client.daemon.plist /Library/LaunchDaemons
  ```

  If the location of the binary differs from the one above, change the path in `com.doh-client.daemon.plist` under `ProgramArguments`. In the config file `com.doh-client.daemon.plist` the path of the CA file is set to `/usr/local/share/doh-client/DigiCert_Global_Root_CA.pem`; download the DigiCert Global Root CA pem file. Before copying the pem file to `/usr/local/share/doh-client/`, create the `doh-client` directory with `mkdir`.
- Load and start the config file as follows:

  ```
  # launchctl load -w /Library/LaunchDaemons/com.doh-client.daemon.plist
  ```

- Adjust `/etc/resolv.conf` by adding the following line:

  ```
  nameserver 127.0.0.1
  ```
## Options

`doh-client` has one required option, `--cafile`, which sets the path to a pem file containing the trusted CA certificates.

```
$ ./doh-client --help
DNS over HTTPS client 1.1.2
link.ted@mailbox.org
Open a local UDP (DNS) port and forward DNS queries to a remote HTTP/2.0 server.
By default, the client will connect to the Cloudflare DNS service.

USAGE:
    doh-client [FLAGS] [OPTIONS] --cafile <FILE>

FLAGS:
    -h, --help                 Prints help information
        --listen-activation    Use file descriptor 3 under Unix as UDP socket or launch_activate_socket() under Mac OS
    -v                         Sets the level of verbosity
    -V, --version              Prints version information

OPTIONS:
    -c, --cafile <FILE>              The path to the pem file, which contains the trusted CA certificates
    -d, --domain <Domain>            The domain name of the remote server [default: cloudflare-dns.com]
    -l, --listen-addr <Addr>         Listen address [default: 127.0.0.1:53]
    -p, --path <STRING>              The path of the URI [default: dns-query]
    -r, --remote-addr <Addr>         Remote address [default: 1.1.1.1:443]
        --retries <UNSIGNED INT>     The number of retries to connect to the remote server [default: 3]
        --timeout <UNSIGNED LONG>    The time in seconds after that the connection would be closed if no response is
                                     received from the server [default: 2]
```
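To make concrete what the client forwards to `https://<domain>/<path>` with the defaults above, here is an added Python sketch (example code, not part of doh-client) of the RFC 8484 exchange: the wire-format DNS query that becomes the POST body, the headers that go with it, and a parser for the reply body that refuses a reply whose transaction id does not match the query. It assumes the POST variant of RFC 8484 (doh-client may use GET instead); the reply is constructed inline, so nothing is sent over the network.

```python
# Added example (not doh-client's own code): the RFC 8484 framing a DoH client speaks.
# A wire-format DNS query is the body of a POST to https://<domain>/<path> with
# content-type application/dns-message; the reply body is parsed back as a DNS message.
# Standard library only; SAMPLE_REPLY below is constructed, so no network is touched.
import struct
DOH_DOMAIN, DOH_PATH = "cloudflare-dns.com", "dns-query"   # the page's defaults

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Wire-format query; RFC 8484 recommends txid 0 so HTTP caches can match bodies."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def doh_post(query: bytes, domain: str = DOH_DOMAIN, path: str = DOH_PATH):
    """URL, headers and body of the DoH POST that the client sends over TLS + HTTP/2."""
    headers = {"content-type": "application/dns-message", "accept": "application/dns-message",
               "content-length": str(len(query))}
    return f"https://{domain}/{path}", headers, query

def _read_name(msg: bytes, off: int) -> tuple:
    labels, end = [], None                          # end: offset just past a pointer
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer (2 bytes)
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (end or off)
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def parse_response(msg: bytes, query: bytes) -> list:
    """(name, ttl, ipv4) per A answer; reject a reply that does not belong to the query."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("reply does not match query")
    off = 12
    for _ in range(qd):                             # skip the echoed question section
        off = _read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(map(str, msg[off:off + 4]))))
        off += rdlen
    return answers

# Constructed reply to build_query("example.com"): txid 0, QR set, one A answer whose
# name is a pointer to the question (0xC00C), TTL 300, address 192.0.2.1 (TEST-NET-1).
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + build_query("example.com")[12:]
                + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

The same id check is what lets a forwarder listening on `127.0.0.1:53` hand each reply back to the UDP client that asked for it, and why a reply arriving after `--timeout` seconds is simply dropped.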