DnsSafeguard is a fast and secure DNS client written in Rust. It is designed to intercept DNS queries over a UDP socket and securely transmit them to a DNS server using DNS over HTTPS/TLS (DoH/DoT) protocols. Additionally, it employs TLS client hello fragmentation to bypass Great Firewall (GFW) censorship.
Special thanks to the developers of Rustls for providing an excellent TLS framework.
- Secure Communication: Uses Rustls to encrypt all communication (TLS) with DNS servers.
- UDP Socket: Captures DNS queries on a local UDP socket.
- DoH Protocol: Transmits DNS queries using DoH, supporting all HTTP versions (HTTP/1.1, HTTP/2, HTTP/3) for enhanced privacy.
- DoT Protocol: Transmits DNS queries using DoT, with both blocking and non-blocking implementations.
- Censorship Bypass: Implements TLS client hello fragmentation with three possible methods to evade GFW censorship.
- IPv6 Support
- HTTP/3
- HTTP/2
- HTTP/2 TLS Fragmenting
- HTTP/1.1 Multi-Connection
- DNS over TLS (DoT) (Blocking & Non-Blocking)
To build the project, run the following command in the project directory: `cargo build --release`
- Windows
  - Download the latest release: visit the releases page, download the latest version of the DNS client, and extract the downloaded archive to a folder of your choice.
  - Configure the config.json file: locate config.json in the extracted folder, open it in a text editor, and modify the necessary settings based on the instructions in the "Configuration File" section.
  - Run the DNS client: execute the DNS client application (e.g., DnsSafeguard.exe). You should see log messages indicating that the client is attempting to establish a connection.
  - Verify connection establishment: keep an eye on the logs. When you see the message "Connection established", the DNS client has successfully connected to the DNS server.
  - Set up Windows DNS: go to your Windows network settings and set the DNS server address to the IP address specified in config.json under the UDP Socket Addresses setting.
Configuration File
The config.json file is a crucial part of the DnsSafeguard application. It contains the settings that control the behavior of the DNS client.
The configuration file is written in JSON and includes the following settings:
- Protocol: Specifies the protocol used for DNS queries. Valid values:
  - h1: Single HTTP/1.1 connection.
  - h1 multi: Multiple HTTP/1.1 connections.
  - h2: HTTP/2 connection.
  - h3: HTTP/3 connection (does not support fragmenting).
  - dot: DoT connection (DNS over TLS).
  - dot nonblocking: DoT non-blocking connection (DNS over TLS).
- Server Name: The domain name of the DNS server.
- Socket Addresses: The IP address and port for the DNS server connection.
- UDP Socket Addresses: The local UDP address and port on which DNS queries are received.
- Fragmenting: The fragmentation method to use during the TLS handshake; the valid values are linear, random, single and jump.
- IPv6: Contains IPv6-specific settings, mirroring the IPv4 configuration.
- Quic: Configuration for the QUIC protocol:
  - congestion_controller: The congestion control algorithm; options are bbr, cubic and newreno.
  - keep_alive_interval: The interval in seconds at which the connection is kept alive; default is 5.
  - datagram_receive_buffer_size: Size of the receive buffer for datagrams; default is 16777216.
  - datagram_send_buffer_size: Size of the send buffer for datagrams; default is 8388608.
- Connections: Number of connections for h1 multi.
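The dot and dot nonblocking modes above forward queries captured on the UDP socket over a TLS stream, which requires the RFC 7858 length-prefix framing that raw UDP does not have. The following is an added example, not DnsSafeguard's own code: it wraps a UDP query for a DoT stream and reassembles replies from a stream whose reads may return a partial frame or several frames at once, the case a non-blocking implementation has to handle. The sample query bytes are constructed for the example.

```rust
// Added example (not DnsSafeguard's own code): RFC 7858 DNS-over-TLS framing.
// A DoT stream prefixes each DNS message with a 2-byte big-endian length, so a
// query taken from the UDP socket must be wrapped before it is written to the
// TLS connection, and replies must be reassembled because a TCP/TLS read may
// return a partial frame or several frames at once.

/// Wrap a raw DNS message (as received on the UDP socket) for a DoT stream.
pub fn frame_dot(msg: &[u8]) -> Vec<u8> {
    assert!(msg.len() <= u16::MAX as usize, "DNS message too large for DoT");
    let mut out = Vec::with_capacity(msg.len() + 2);
    out.extend_from_slice(&(msg.len() as u16).to_be_bytes());
    out.extend_from_slice(msg);
    out
}

/// Accumulates bytes read from the TLS stream and yields complete DNS messages.
#[derive(Default)]
pub struct DotDeframer {
    buf: Vec<u8>,
}

impl DotDeframer {
    /// Feed whatever the last read returned: a partial frame, one, or several.
    pub fn push(&mut self, chunk: &[u8]) {
        self.buf.extend_from_slice(chunk);
    }

    /// Pop the next complete message, or None when more bytes are needed.
    pub fn next_message(&mut self) -> Option<Vec<u8>> {
        if self.buf.len() < 2 {
            return None;
        }
        let len = u16::from_be_bytes([self.buf[0], self.buf[1]]) as usize;
        if self.buf.len() < 2 + len {
            return None; // frame not fully received yet
        }
        let msg = self.buf[2..2 + len].to_vec();
        self.buf.drain(..2 + len); // keep any bytes of the following frame
        Some(msg)
    }
}

/// Constructed sample: a 19-byte DNS query for "a." (type A, class IN), id 0x1234.
pub fn sample_query() -> Vec<u8> {
    let mut q = vec![0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00];
    q.extend_from_slice(&[0x01, b'a', 0x00, 0x00, 0x01, 0x00, 0x01]); // QNAME, QTYPE, QCLASS
    q
}
```

Feeding the deframer a 5-byte partial read yields nothing; feeding the rest plus a second whole frame in one push yields both messages in order.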
Warning: Only TLS 1.3 is supported, for better performance.
- Brotli certificate compression
- TLS client hello fragmenting
This project is licensed under the Apache-2.0 License - see the LICENSE file for details.