Encrypted-DNS operates as a DNS server that forward DNS queries over UDP, TCP, TLS or HTTPS, thus preventing your device from DNS cache poisoning and censorship. It could also cache DNS records to accelerate further queries, block specific client, and ignore particular domain names.
-
Install Python 3.7.
-
Install package via
pip.
$ python3 -m pip install encrypted-dns
- Generate and edit config file.
$ sudo encrypted-dns
$ vim ~/.config/encrypted_dns/config.json
- Run Encrypted-DNS Resolver.
$ sudo encrypted-dns
- Test DNS Query.
Linux or MacOS:
$ dig @127.0.0.1 www.google.com
Windows:
$ nslookup www.google.com 127.0.0.1
- Change DNS Address to
127.0.0.1.
Encrypted-DNS will generate a JSON file within its directory.
The following JSON object is a typical Upstream DNS server.
Encrypted-DNS supports three protocols: udp, tcp, tls, and https.
You may specify the ip address of DNS-over-HTTPS or DNS-over-TLS server to avoid DNS cache poisoning.
"upstream_dns": [
{
"protocol": "https",
"address": "cloudflare-dns.com",
"ip": "1.0.0.1",
"port": 443,
"weight": 0,
"enable_http_proxy": False,
"proxy_host": "localhost",
"proxy_port": 8001
},
{
"protocol": "tls",
"address": "dns.google",
"ip": "8.8.4.4",
"port": 853,
"weight": 100
},
{
"protocol": "udp",
"address": "9.9.9.9",
"port": 53,
"weight": 0
},
{
"protocol": "tcp",
"address": "8.8.4.4",
"port": 53,
"weight": 0
}
}
If you add multiple upstream servers, each DNS query will be forwarded to a server based on random selection or weighted random selection.
Encrypted-DNS will send a UDP DNS query to the bootstrap DNS server to retrieve the ip address of DNS-over-HTTPS or DNS-over-TLS server unless you specify it.
"bootstrap_dns_address": {
"address": "1.0.0.1",
"port": 53
}
You may set the ip addresses of the clients which you want to ignore DNS queries sent by them.
"client_blacklist": [
"1.0.0.1",
"172.100.100.100"
]
You may specify a list of domain names which you don"t want to be forward to upstream DNS servers.
Queries will be sent to the bootstrap DNS server.
"dns_bypass": [
"captive.apple.com",
"connectivitycheck.gstatic.com",
"detectportal.firefox.com",
"msftconnecttest.com",
"nmcheck.gnome.org",
"pool.ntp.org",
"time.apple.com",
"time.asia.apple.com",
"time.euro.apple.com",
"time.nist.gov",
"time.windows.com"
]
If you set dns_bypass_china to true, all the queries related to domain names in China will be redirected to the bootstrap address, which could be set to a public DNS server located in China.
"dns_bypass_china": true
If you set enable_cache to true, responses will be cached based on the TTL.
"enable_cache": true
Manually set A or CNAME record for specific domain name.
"hosts": {
"www.instagram.com": "31.13.82.174",
"www.bbc.co.uk": "212.58.244.69"
}
Enable SafeSearch Mode for Google, Bing, and Youtube to filter harmful content.
"force_safe_search": true
Block common advertisement domain names.
"block_ads": true