encrypted-dns 0.9.18

A modern encrypted DNS server (DNSCrypt v2, Anonymized DNSCrypt, DoH)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110

# CLAUDE.md

This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.

## Commands

### Build Commands

```bash
# Build the project
cargo build

# Build with release optimizations
cargo build --release

# Install the binary
cargo install --path .

# Run the server with the default config
cargo run -- --config encrypted-dns.toml

# Run with debug logs
cargo run -- --config encrypted-dns.toml --debug

# Dry run (only prints connection information)
cargo run -- --config encrypted-dns.toml --dry-run
```

### Testing

```bash
# Run all tests
cargo test

# Run tests with specific features
cargo test --features metrics
```

### Other Useful Commands

```bash
# Import from dnscrypt-wrapper
cargo run -- --import-from-dnscrypt-wrapper path/to/secret.key

# Generate Debian package
cargo deb
```

## Architecture Overview

This project is an encrypted DNS server supporting multiple protocols:
- DNSCrypt v2
- Anonymized DNSCrypt 
- DNS-over-HTTP (DoH) forwarding

The server is built in Rust and operates as a proxy, requiring a recursive DNS resolver like Knot, PowerDNS, or Unbound.

### Core Components

1. **Configuration (`config.rs`)**: Handles parsing of the TOML configuration file, which defines server behavior including listening addresses, upstream resolvers, caching, and protocol support.

2. **State Management**: The server maintains state in a file (default: `encrypted-dns.state`) which contains:
   - Provider keys for DNSCrypt
   - Certificates and encryption parameters

3. **Protocol Handling**:
   - `dnscrypt.rs` & `dnscrypt_certs.rs`: Implementation of the DNSCrypt v2 protocol
   - `anonymized_dns.rs`: Implementation of Anonymized DNSCrypt

4. **Cache System (`cache.rs`)**: 
   - DNS query caching to reduce upstream load
   - Certificate caching for relays

5. **Filtering (`blacklist.rs`)**:
   - Domain blacklisting
   - Handling of undelegated TLDs

6. **Metrics (`metrics.rs`, `varz.rs`)**:
   - Optional Prometheus metrics for monitoring server performance

7. **Resolver (`resolver.rs`)**:
   - Handles query resolution either from cache or via upstream resolver

8. **Networking**:
   - TCP and UDP socket handling for client connections
   - TLS proxy support for forwarding DoH requests

### Data Flow

1. Client sends encrypted query to the server
2. Server decrypts the query using DNSCrypt protocol
3. If query is in cache and not expired, return cached response
4. Otherwise, forward query to upstream DNS resolver
5. Cache the response
6. Encrypt the response using DNSCrypt
7. Send the encrypted response back to the client

## Project Configuration

The primary configuration is through a TOML file (example provided in `example-encrypted-dns.toml`). Key configuration sections include:

- Global settings (listen addresses, upstream DNS server, cache settings)
- DNSCrypt settings
- TLS settings
- Filtering
- Metrics
- Anonymized DNS
- Access control

The server can be run as a daemon with appropriate privilege dropping on Unix systems.