mirror of
https://github.com/DNSCrypt/dnscrypt-proxy.git
synced 2025-04-04 21:57:44 +03:00
dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols.
https://dnscrypt.info
anonymizedanonymized-dnsdnsdns-over-httpsdnscryptdnscrypt-proxydnscrypt-proxy2dohoblivious-dns-over-httpsoblivious-dohodohproxy
2d1dd7eaab
This works over DNSCrypt and DoH, but requires a specifically configured server. Instead of sending the actual DNS queries, the SH-T system works as follows: Step 1: the client query is evaluated through Argon2id, a military-grade, memory-hard, CPU-hard stretching function. This makes it very expensive for an attacker to find the original query, even using GPUs and ASICs. For post-quantum resistance, we use it to generate a 1024-bit key. Step 2: in case the Argon2id algorithm has a vulnerability, or, since this is a popular function used for hashing passwords and for cryptocurrencices, and people may have built rainbow tables already, we use a hash function over the result of the previous function. This immediately defeats rainbow tables. Step 3: the output of the hash function is truncated to 64-bit. Due to a property of this operation known as collision-misresistance, and even if the previous steps fail due to a nation-state actor, it is impossible for a server operator to prove what exact query was originally sent by a client. This feature is experimental. |
||
|---|---|---|
| dnscrypt-proxy | ||
| utils/generate-domains-blacklists | ||
| vendor | ||
| windows | ||
| .gitignore | ||
| .travis.yml | ||
| ChangeLog | ||
| dnscrypt-logo.svg | ||
| go.mod | ||
| go.sum | ||
| LICENSE | ||
| logo.png | ||
| logo.svg | ||
| README.md | ||
Overview
A flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2 and DNS-over-HTTPS.
- dnscrypt-proxy documentation – This project's documentation (Wiki)
- DNSCrypt project home page
- DNS-over-HTTPS and DNSCrypt resolvers
- Server and client implementations
- DNS stamps
- FAQ
Download the latest release
Available as source code and pre-built binaries for most operating systems and architectures (see below).
Features
- DNS traffic encryption and authentication. Supports DNS-over-HTTPS (DoH) using TLS 1.3, and DNSCrypt.
- DNS query monitoring, with separate log files for regular and suspicious queries
- Filtering: block ads, malware, and other unwanted content. Compatible with all DNS services
- Time-based filtering, with a flexible weekly schedule
- Transparent redirection of specific domains to specific resolvers
- DNS caching, to reduce latency and improve privacy
- Local IPv6 blocking to reduce latency on IPv4-only networks
- Load balancing: pick a set of resolvers, dnscrypt-proxy will automatically measure and keep track of their speed, and balance the traffic across the fastest available ones.
- Cloaking: like a
HOSTSfile on steroids, that can return preconfigured addresses for specific names, or resolve and return the IP address of other names. This can be used for local development as well as to enforce safe search results on Google, Yahoo and Bing. - Automatic background updates of resolvers lists
- Can force outgoing connections to use TCP
- Supports SOCKS proxies
- Compatible with DNSSEC
Pre-built binaries
Up-to-date, pre-built binaries are available for:
- Android/arm
- Android/arm64
- Android/x86
- Android/x86_64
- Dragonfly BSD
- FreeBSD/arm
- FreeBSD/x86
- FreeBSD/x86_64
- Linux/arm
- Linux/arm64
- Linux/mips
- Linux/mipsle
- Linux/mips64
- Linux/mips64le
- Linux/x86
- Linux/x86_64
- MacOS X
- NetBSD/x86
- NetBSD/x86_64
- OpenBSD/x86
- OpenBSD/x86_64
- Windows
- Windows 64 bit
How to use these files, as well as how to verify their signatures, are documented in the installation instructions.