Skip to content

anonvector/dnstt

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

223 Commits
dns
dns
 
 
dnstt-client
dnstt-client
 
 
dnstt-server
dnstt-server
 
 
man
man
 
 
noise
noise
 
 
turbotunnel
turbotunnel
 
 
.gitignore
.gitignore
 
 
CHANGELOG
CHANGELOG
 
 
COPYING
COPYING
 
 
README.md
README.md
 
 
TODO
TODO
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation

DNSTT (SlipNet Fork)

A hardened fork of dnstt — a userspace DNS tunnel with DoH, DoT, and UDP support.

This fork is maintained by SlipNet and includes significant modifications for production use in censorship-resistant networking.

Changes from upstream

Based on tladesignz/dnstt (itself a fork of David Fifield's original).

Key modifications in this fork:

  • Server hardening — session/stream limits, client eviction, removed PT dependency
  • Extracted server core into a reusable library with pluggable hooks
  • TXT-only mode — removed A-record/AAAA anti-filter mode for simplicity
  • Configurable query rate and retry settings for mobile optimization
  • Battery optimization — reduced DoH senders from 32 to 12
  • Graceful shutdown — suppressed closed-connection errors during teardown
  • Fixed sendLoop retrying forever on closed transport

License

This fork is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0).

The original dnstt code by David Fifield is public domain (CC0). The upstream fork by tladesignz is also CC0. This fork relicenses the combined work under AGPL-3.0 to ensure that modifications to this code — including use over a network — remain open source.

See COPYING for the full license text.

Overview

dnstt is a DNS tunnel with these features:

  • Works over DNS over HTTPS (DoH) and DNS over TLS (DoT) as well as plaintext UDP DNS.
  • Embeds a sequencing and session protocol (KCP/smux), which means that the client does not have to wait for a response before sending more data, and any lost packets are automatically retransmitted.
  • Encrypts the contents of the tunnel and authenticates the server by public key.

dnstt is an application-layer tunnel that runs in userspace. It doesn't provide a TUN/TAP interface; it only hooks up a local TCP port with a remote TCP port (like netcat or ssh -L) by way of a DNS resolver.

.------.  |            .---------.             .------.
|tunnel|  |            | public  |             |tunnel|
|client|<---DoH/DoT--->|recursive|<--UDP DNS-->|server|
'------'  |c           |resolver |             '------'
   |      |e           '---------'                |
.------.  |n                                   .------.
|local |  |s                                   |remote|
| app  |  |o                                   | app  |
'------'  |r                                   '------'

Usage

Refer to the original dnstt documentation for general setup instructions (DNS zone, server/client configuration, proxy setup).

Encryption

The tunnel uses Noise_NK_25519_ChaChaPoly_BLAKE2s for end-to-end encryption between client and server, independent of the DoH/DoT transport layer.

application data
smux
Noise
KCP
DNS messages
DoH / DoT / UDP DNS

About

No description, website, or topics provided.

Resources

Readme

License

AGPL-3.0 license
Activity

Stars

4 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors 2

Languages