SkillAgentSearch skills...

Sdns

A high-performance, recursive DNS resolver server with DNSSEC support, focused on preserving privacy.

GenerateConvertImprove

Install / Use

/learn @semihalev/Sdns
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

<p align="center"> <img src="https://github.com/semihalev/sdns/blob/main/logo.png?raw=true" width="200"> </p> <h1 align="center">SDNS :rocket:</h1> <p align="center"> A high-performance, recursive DNS resolver server with DNSSEC support, focused on preserving privacy. </p> <p align="center"> <a href="https://github.com/semihalev/sdns/actions"><img src="https://img.shields.io/github/actions/workflow/status/semihalev/sdns/go.yml?style=flat-square"></a> <a href="https://goreportcard.com/report/github.com/semihalev/sdns"><img src="https://goreportcard.com/badge/github.com/semihalev/sdns?style=flat-square"></a> <a href="http://godoc.org/github.com/semihalev/sdns"><img src="https://img.shields.io/badge/godoc-reference-blue.svg?style=flat-square"></a> <a href="https://codecov.io/gh/semihalev/sdns"><img src="https://img.shields.io/codecov/c/github/semihalev/sdns?style=flat-square"></a> <a href="https://github.com/semihalev/sdns/releases"><img src="https://img.shields.io/github/v/release/semihalev/sdns?style=flat-square"></a> <a href="https://github.com/semihalev/sdns/blob/main/LICENSE"><img src="https://img.shields.io/github/license/semihalev/sdns?style=flat-square"></a> </p>

Installation

Install SDNS using the go install command:

go install github.com/semihalev/sdns@latest

Pre-built Binaries

Download the latest release from the GitHub Releases page.

Docker

$ docker run -d --name sdns -p 53:53 -p 53:53/udp sdns

Docker Compose

Install docker-compose and run from the root directory:

$ sudo apt install docker-compose
$ docker-compose up -d

Homebrew for macOS

Install and run as a service:

$ brew install sdns
$ brew install semihalev/tap/sdns (updated every release)
$ brew services start sdns

Snapcraft

$ snap install sdns

AUR for ArchLinux

$ yay -S sdns-git

Note: Pre-built binaries, Docker packages, brew taps, and snaps are automatically created by GitHub workflows.

Building from Source

$ go build

Testing

$ make test

Flags

| Flag | Description | | ----------------- | ------------------------------------------------------------------------------ | | -c, --config PATH | Location of the config file. If it doesn't exist, a new one will be generated. Default: /sdns.conf | | -t, --test | Test configuration file and exit. Returns exit code 0 if valid, 1 if invalid | | -v, --version | Show the SDNS version | | -h, --help | Show help information and exit |

Debugging Environment

To debug your environment, execute the following command:

$ export SDNS_DEBUGNS=true && export SDNS_PPROF=true && ./sdns

The SDNS_DEBUGNS environment variable is beneficial for verifying the RTT (Round Trip Time) of authoritative servers. To use it, send an HINFO query for zones with chaos class.

Here's an example of the output you might receive:

$ dig chaos hinfo example.com

; <<>> DiG 9.17.1 <<>> chaos hinfo example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29636
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f27dbb995df5ac79e4fa37c07d131b5bd03aa1c5f802047a7c02fb228a886cb281ecc319323dea81 (good)
;; QUESTION SECTION:
;example.com.			CH	HINFO

;; AUTHORITY SECTION:
example.com.		0	CH	HINFO	"Host" "IPv4:199.43.135.53:53 rtt:142ms health:[GOOD]"
example.com.		0	CH	HINFO	"Host" "IPv4:199.43.133.53:53 rtt:145ms health:[GOOD]"
example.com.		0	CH	HINFO	"Host" "IPv6:[2001:500:8f::53]:53 rtt:147ms health:[GOOD]"
example.com.		0	CH	HINFO	"Host" "IPv6:[2001:500:8d::53]:53 rtt:148ms health:[GOOD]"

Configuration (v1.6.1)

| Key | Description | | -------------------- | ------------------------------------------------------------------------------------------------------------------- | | version | Configuration file version | | directory | Working directory for SDNS data storage. Must be writable by the SDNS process. Default: "/db" | | bind | DNS server binding address and port. Default: ":53" (0.0.0.0:53 and [::]:53) | | bindtls | DNS-over-TLS (DoT) server binding address. Default: ":853" | | binddoh | DNS-over-HTTPS (DoH) server binding address. Default: ":8053" | | binddoq | DNS-over-QUIC (DoQ) server binding address. Default: ":853" | | tlscertificate | Path to the TLS certificate file for DoT/DoH/DoQ. Automatically reloaded on changes | | tlsprivatekey | Path to the TLS private key file for DoT/DoH/DoQ. Automatically reloaded on changes | | outboundips | Outbound IPv4 addresses for DNS queries. Multiple addresses enable random source IP selection per request | | outboundip6s | Outbound IPv6 addresses for DNS queries. Multiple addresses enable random source IP selection per request | | rootservers | Root DNS servers (IPv4). These are the authoritative name servers for the DNS root zone | | root6servers | Root DNS servers (IPv6). These are the authoritative name servers for the DNS root zone | | dnssec | Enable DNSSEC validation for secure DNS responses. Options: "on" or "off". Default: "on" | | rootkeys | DNSSEC root zone trust anchors in DNSKEY format | | fallbackservers | Upstream DNS servers used when all others fail. Format: "IP:port" (e.g., "8.8.8.8:53") | | forwarderservers | Forward all queries to these DNS servers. Format: "IP:port" (e.g., "8.8.8.8:53") | | api | HTTP API server binding address for statistics and control. Leave empty to disable | | bearertoken | API bearer token for authorization. If set, Authorization header must be included in API requests | | blocklists | URLs of remote blocklists to download and use for filtering | | blocklistdir | [DEPRECATED] Blocklist directory. Now automatically created in the working directory | | loglevel | Logging verbosity level. Options: crit, error, warn, info, debug. Default: "info" | | accesslog | Path to the access log file in Common Log Format. Leave empty to disable | | nullroute | IPv4 address returned for blocked A queries. Default: "0.0.0.0" | | nullroutev6 | IPv6 address returned for blocked AAAA queries. Default: "::0" | | accesslist | IP addresses/subnets allowed to make queries. Default allows all: ["0.0.0.0/0", "::0/0"] | | querytimeout | Maximum time to wait for any DNS query to complete. Default: "10s" | | timeout | Network timeout for upstream DNS queries. Default: "2s" | | hostsfile | Path to hosts file (RFC 952/1123 format) for local resolution. Auto reloads with fs watch. (The directory of the file is being watched, not the file. Best practice is to deploy the file in an individual directory.) Leave empty to disable | | expire | Cache TTL for error responses in seconds. Default: 600 | | cachesize | Maximum number of cached DNS records. Default: 256000 | | prefetch | Prefetch threshold percentage (10-90). Refreshes popular cache entries before expiration. 0 disables | | maxdepth | Maximum recursion depth for queries. Prevents infinite loops. Default: 30 | | ratelimit | Global query rate limit per second. 0 disables. Default: 0 | | clientratelimit | Per-client rate limit per minute. 0 disables. Default: 0 | | domainmetrics | Enable per-domain query metrics collection. Default: false | | domainmetricslimit | Maximum number of domains to track in metrics. 0 = unlimited (use with caution). Default: 10000 | | blocklist | Manual domain blocklist. Domains listed here will be blocked

semihalev

View profile

View on GitHub
GitHub Stars1.0k
CategoryCustomer
Updated4d ago
Forks69
semihalev/sdns

Languages

Go

Security Score

100/100

Audited on Mar 20, 2026

No findings