doh-client
doh-client is a DNS over HTTPS client, which opens a local UDP (DNS) port and forwards all DNS queries to a remote
HTTP/2.0 server. By default, the client will connect to the Cloudflare DNS service. It uses Tokio
for all asynchronous IO operations and Rustls to connect to the HTTPS server.
Getting Started
doh-client is written in Rust. To build it you need the Rust compiler and build system cargo.
Build
$ cargo build
or to build it as a release build
$ cargo build --release
Run
To run the binary, you need one option (see Options)
$ ./doh-client --cafile /path/to/the/ca/file.pem
For example, if you use Arch Linux then the following command uses the system cert store:
# ./doh-client --cafile /etc/ca-certificates/extracted/tls-ca-bundle.pem
Linux (systemd)
To run the doh-client as daemon and without root under Linux with systemd as init system. The following example
will connect to the Cloudflare DNS service.
- Build the binary see Build.
- Copy the binary to
/usr/local/binasroot:# cp target/release/doh-client /usr/local/bin/ - Copy the config files to
/etc/systemd/system/asroot:
If the location of the binary is different from above then change the path in# cp doh-client.service doh-client.socket /etc/systemd/systemdoh-client.serviceunderExecStart. In the config filedoh-client.servicethe path of the CA file is set to/etc/ca-certificates/extracted/tls-ca-bundle.pem, adjust the path before going further (The path should be correct if you use Arch Linux). - Reload
systemdmanager configuration:# systemctl daemon-reload - Enable the
doh-clientas a daemon:# systemctl enable doh-client - Reboot the system or start the daemon manually:
# systemctl start doh-client - Adjust the
/etc/resolv.confby add the following line:nameserver 127.0.0.1
Mac OS (launchd)
To run the doh-client as daemon and without root under Mac OS with launchd as init system. The following example
will connect to the Cloudflare DNS service.
- Build the binary see Build.
- Copy the binary to
/usr/local/binasroot:# cp target/release/doh-client /usr/local/bin/ - Copy the
launchdconfig files to/Library/LaunchDaemons/asroot:
If the location of the binary is different from above then change the path in# cp com.doh-client.daemon.plist /Library/LaunchDaemonscom.doh-client.daemon.plistunderProgramArguments. In the config filecom.doh-client.daemon.plistthe path of the CA file is set to/usr/local/share/doh-client/DigiCert_Global_Root_CA.pem, download the pem file under the following link. Before copy the pem file to/usr/local/share/doh-client/, make the directorydoh-clientwithmkdir. - Load and start the config file as follow:
# launchctl load -w /Library/LaunchDaemons/com.doh-client.daemon.plist - Adjust the
/etc/resolv.confby add the following line:nameserver 127.0.0.1
Options
doh-client has one required option, --cafile which sets the path to a pem file, which contains the trusted CA
certificates.
$ ./doh-client --help
DNS over HTTPS client 1.1.2
link.ted@mailbox.org
Open a local UDP (DNS) port and forward DNS queries to a remote HTTP/2.0 server.
By default, the client will connect to the Cloudflare DNS service.
USAGE:
doh-client [FLAGS] [OPTIONS] --cafile <FILE>
FLAGS:
-h, --help Prints help information
--listen-activation Use file descriptor 3 under Unix as UDP socket or launch_activate_socket() under Mac OS
-v Sets the level of verbosity
-V, --version Prints version information
OPTIONS:
-c, --cafile <FILE> The path to the pem file, which contains the trusted CA certificates
-d, --domain <Domain> The domain name of the remote server [default: cloudflare-dns.com]
-l, --listen-addr <Addr> Listen address [default: 127.0.0.1:53]
-p, --path <STRING> The path of the URI [default: dns-query]
-r, --remote-addr <Addr> Remote address [default: 1.1.1.1:443]
--retries <UNSIGNED INT> The number of retries to connect to the remote server [default: 3]
--timeout <UNSIGNED LONG> The time in seconds after that the connection would be closed if no response is
received from the server [default: 2]