A DNS-protocol proxy for DNS-over-HTTPS providers, such as Google and Cloudflare
output of secure-operator --help:
A DNS-protocol proxy for Google's DNS-over-HTTPS service.
Usage:
secure-operator [options]
Options:
-auto-edns-subnet
By default, we use an EDNS subnet of 0.0.0.0/0 which does not reveal your
IP address or subnet to authoratative DNS servers. If privacy of your IP
address is not a concern and you want to take advantage of an authoratative
server determining the best DNS results for you, set this flag. This flag
specifies that Google should choose what subnet to send; if you'd like to
specify your own subnet, use the -edns-subnet option.
-cloudflare
Use Cloudflare defaults. When set, the following options will be used
unless explicitly overridden:
dns-servers: 1.0.0.1,1.1.1.1
params: ct=application/dns-json
endpoint: https://cloudflare-dns.com/dns-query
-dns-servers string
DNS Servers used to look up the endpoint; system default is used if absent.
Ignored if "endpoint-ips" is set. Comma separated, e.g. "8.8.8.8,8.8.4.4:53".
The port section is optional, and 53 will be used by default.
-edns-subnet string
Specify a subnet to be sent in the edns0-client-subnet option; by default
we specify that this option should not be used, for privacy. If
-auto-edns-subnet is used, the value specified here is ignored.
(default "0.0.0.0/0")
-endpoint string
DNS-over-HTTPS endpoint url (default "https://dns.google.com/resolve")
-endpoint-ips string
IPs of the DNS-over-HTTPS endpoint; if provided, endpoint lookup is
skipped, and the host value in "endpoint" is sent as the Host header. Comma
separated with no spaces; e.g. "74.125.28.139,74.125.28.102". One server is
randomly chosen for each request, failed requests are not retried.
-google
Use Google defaults. When set, the following options will be used unless
explicitly overridden:
dns-servers: 8.8.8.8,8.8.4.4
endpoint: https://dns.google.com/resolve
-header value
Additional headers to be sent with http requests, as Key=Value; specify
multiple as:
-header Key-1=Value-1-1 -header Key-1=Value1-2 -header Key-2=Value-2
-level string
Log level, one of: debug, info, warn, error, fatal, panic (default "info")
-listen [host]:port
listen address, as [host]:port (default ":53")
-no-pad
Disable padding of Google DNS-over-HTTPS requests to identical length
-param value
Additional query parameters to be sent with http requests, as key=value;
specify multiple as:
-param key1=value1-1 -param key1=value1-2 -param key2=value2
-quad9
Use Quad9 defaults. When set, the following options will be used
unless explicitly overriden:
dns-servers: 9.9.9.9, 149.112.112.112
params: ct=application/dns-json
endpoint : https://dns.quad9.net/dns-query
-tcp
Listen on TCP (default true)
-udp
Listen on UDP (default true)
This version is code identical to v4.0.0
output of secure-operator --help:
A DNS-protocol proxy for Google's DNS-over-HTTPS service.
Usage:
secure-operator [options]
Options:
-auto-edns-subnet
By default, we use an EDNS subnet of 0.0.0.0/0 which does not reveal your
IP address or subnet to authoratative DNS servers. If privacy of your IP
address is not a concern and you want to take advantage of an authoratative
server determining the best DNS results for you, set this flag. This flag
specifies that Google should choose what subnet to send; if you'd like to
specify your own subnet, use the -edns-subnet option.
-cloudflare
Use Cloudflare defaults. When set, the following options will be used
unless explicitly overridden:
dns-servers: 1.0.0.1,1.1.1.1
params: ct=application/dns-json
endpoint: https://cloudflare-dns.com/dns-query
-dns-servers string
DNS Servers used to look up the endpoint; system default is used if absent.
Ignored if "endpoint-ips" is set. Comma separated, e.g. "8.8.8.8,8.8.4.4:53".
The port section is optional, and 53 will be used by default.
-edns-subnet string
Specify a subnet to be sent in the edns0-client-subnet option; by default
we specify that this option should not be used, for privacy. If
-auto-edns-subnet is used, the value specified here is ignored.
(default "0.0.0.0/0")
-endpoint string
DNS-over-HTTPS endpoint url (default "https://dns.google.com/resolve")
-endpoint-ips string
IPs of the DNS-over-HTTPS endpoint; if provided, endpoint lookup is
skipped, and the host value in "endpoint" is sent as the Host header. Comma
separated with no spaces; e.g. "74.125.28.139,74.125.28.102". One server is
randomly chosen for each request, failed requests are not retried.
-google
Use Google defaults. When set, the following options will be used unless
explicitly overridden:
dns-servers: 8.8.8.8,8.8.4.4
endpoint: https://dns.google.com/resolve
-header value
Additional headers to be sent with http requests, as Key=Value; specify
multiple as:
-header Key-1=Value-1-1 -header Key-1=Value1-2 -header Key-2=Value-2
-level string
Log level, one of: debug, info, warn, error, fatal, panic (default "info")
-listen [host]:port
listen address, as [host]:port (default ":53")
-no-pad
Disable padding of Google DNS-over-HTTPS requests to identical length
-param value
Additional query parameters to be sent with http requests, as key=value;
specify multiple as:
-param key1=value1-1 -param key1=value1-2 -param key2=value2
-tcp
Listen on TCP (default true)
-udp
Listen on UDP (default true)
Use -google or -cloudflare at the command line to get sane defaults for those providers (#27). This involves some API changes when instantiating the SimpleDNSClient, which now allows an options struct to be passed.
output of secure-operator --help:
A DNS-protocol proxy for Google's DNS-over-HTTPS service.
Usage:
secure-operator [options]
Options:
-auto-edns-subnet
By default, we use an EDNS subnet of 0.0.0.0/0 which does not reveal your
IP address or subnet to authoratative DNS servers. If privacy of your IP
address is not a concern and you want to take advantage of an authoratative
server determining the best DNS results for you, set this flag. This flag
specifies that Google should choose what subnet to send; if you'd like to
specify your own subnet, use the -edns-subnet option.
-cloudflare
Use Cloudflare defaults. When set, the following options will be used
unless explicitly overridden:
dns-servers: 1.0.0.1,1.1.1.1
params: ct=application/dns-json
endpoint: https://cloudflare-dns.com/dns-query
-dns-servers string
DNS Servers used to look up the endpoint; system default is used if absent.
Ignored if "endpoint-ips" is set. Comma separated, e.g. "8.8.8.8,8.8.4.4:53".
The port section is optional, and 53 will be used by default.
-edns-subnet string
Specify a subnet to be sent in the edns0-client-subnet option; by default
we specify that this option should not be used, for privacy. If
-auto-edns-subnet is used, the value specified here is ignored.
(default "0.0.0.0/0")
-endpoint string
DNS-over-HTTPS endpoint url (default "https://dns.google.com/resolve")
-endpoint-ips string
IPs of the DNS-over-HTTPS endpoint; if provided, endpoint lookup is
skipped, and the host value in "endpoint" is sent as the Host header. Comma
separated with no spaces; e.g. "74.125.28.139,74.125.28.102". One server is
randomly chosen for each request, failed requests are not retried.
-google
Use Google defaults. When set, the following options will be used unless
explicitly overridden:
dns-servers: 8.8.8.8,8.8.4.4
endpoint: https://dns.google.com/resolve
-header value
Additional headers to be sent with http requests, as Key=Value; specify
multiple as:
-header Key-1=Value-1-1 -header Key-1=Value1-2 -header Key-2=Value-2
-level string
Log level, one of: debug, info, warn, error, fatal, panic (default "info")
-listen [host]:port
listen address, as [host]:port (default ":53")
-no-pad
Disable padding of Google DNS-over-HTTPS requests to identical length
-param value
Additional query parameters to be sent with http requests, as key=value;
specify multiple as:
-param key1=value1-1 -param key1=value1-2 -param key2=value2
-tcp
Listen on TCP (default true)
-udp
Listen on UDP (default true)
Warning: prior to this release, secureoperator always sent 0.0.0.0/0 upstream, which Google interprets as "send no value to authoritative servers for EDNS". In this release, it's possible to enable EDNS, which may reveal your IP address (or a portion of it) to authoritative DNS servers.
The default of both the binary release and the secureoperator library is to use the old behavior (sending 0.0.0.0/0); however, future versions of the library will default to letting Google decide the behavior. This will be changed at version 4. The behavior of the binary release will not change.
If you use secureoperator as a library, it's recommended that you begin specifying your preferred EDNS settings now, so that you're prepared for when the default changes in the future. To specify the current behavior:
// Keep the privacy-preserving behavior explicit: send the 0.0.0.0/0 sentinel
// rather than letting Google choose a client subnet.
provider, err := secop.NewGDNSProvider(*endpoint, &secop.GDNSOptions{
	UseEDNSsubnetOption: true,
	EDNSSubnet:          secop.GoogleEDNSSentinelValue,
})
if err != nil {
	log.Fatal(err)
}
For the version 3 release, UseEDNSsubnetOption: true is required to be specified, otherwise the EDNSSubnet value will be ignored. This is because the zero value of EDNSSubnet (a blank string) means "allow Google to specify EDNS". In version 4, UseEDNSsubnetOption will be removed and that behavior will become the default in the library.
Please open an issue if you have any questions about this behavior or change.
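The EDNS subnet and request-padding behavior described above, as an added Go example that is not the secureoperator project's own code: it builds a JSON-API lookup URL with the privacy-preserving 0.0.0.0/0 default, an explicit or provider-chosen subnet, extra params such as ct=application/dns-json, and requests padded to one fixed length so that their size does not leak the queried name. QueryOptions, BuildQueryURL and the fixed-total-length padding scheme are this example's own assumptions; edns_client_subnet and random_padding are Google's documented JSON API parameter names.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"net/url"
)

// Padded queries are all brought to this many bytes so that request size does
// not leak which name was looked up (the behaviour that -no-pad switches off).
const paddedQueryLength = 256
// Subnet that tells Google to send no client subnet upstream (the default).
const ednsPrivacySentinel = "0.0.0.0/0"

// QueryOptions is a hypothetical type mirroring the flags described above.
type QueryOptions struct {
	AutoEDNSSubnet bool              // -auto-edns-subnet: provider picks a subnet
	EDNSSubnet     string            // -edns-subnet; "" keeps the privacy default
	Pad            bool              // false is what -no-pad selects
	Params         map[string]string // -param, e.g. ct=application/dns-json
}

// BuildQueryURL assembles a JSON-API lookup URL for an endpoint without a query
// string of its own. edns_client_subnet and random_padding are Google's parameter
// names; padding the whole URL to one fixed length is this example's own scheme.
func BuildQueryURL(endpoint, name, qtype string, o QueryOptions) (string, error) {
	q := url.Values{"name": {name}, "type": {qtype}}
	switch {
	case o.AutoEDNSSubnet: // omitted: provider chooses and may reveal the client IP
	case o.EDNSSubnet == "":
		q.Set("edns_client_subnet", ednsPrivacySentinel)
	default:
		q.Set("edns_client_subnet", o.EDNSSubnet)
	}
	for k, v := range o.Params {
		q.Set(k, v)
	}
	if !o.Pad {
		return endpoint + "?" + q.Encode(), nil
	}
	// A query that is already longer than the target cannot be hidden: refuse it.
	need := paddedQueryLength - len(endpoint+"?"+q.Encode()) - len("&random_padding=")
	if need < 0 {
		return "", fmt.Errorf("query for %q cannot be padded to %d bytes", name, paddedQueryLength)
	}
	buf := make([]byte, need)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.~"
	for i := range buf { // unreserved characters, which Encode never escapes
		buf[i] = alphabet[int(buf[i])%len(alphabet)]
	}
	q.Set("random_padding", string(buf))
	return endpoint + "?" + q.Encode(), nil
}
```

Two lookups for names of different lengths come out as URLs of identical size, while a name too long to fit under the target is rejected instead of being sent unpadded.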
output of secure-operator --help:
A DNS-protocol proxy for Google's DNS-over-HTTPS service.
Usage:
secure-operator [options]
Options:
-auto-edns-subnet
By default, we use an EDNS subnet of 0.0.0.0/0 which does not reveal your
IP address or subnet to authoratative DNS servers. If privacy of your IP
address is not a concern and you want to take advantage of an authoratative
server determining the best DNS results for you, set this flag. This flag
specifies that Google should choose what subnet to send; if you'd like to
specify your own subnet, use the -edns-subnet option.
-dns-servers string
DNS Servers used to look up the endpoint; system default is used if absent.
Ignored if "endpoint-ips" is set. Comma separated, e.g. "8.8.8.8,8.8.4.4:53".
The port section is optional, and 53 will be used by default.
-edns-subnet string
Specify a subnet to be sent in the edns0-client-subnet option; by default
we specify that this option should not be used, for privacy. If
-auto-edns-subnet is used, the value specified here is ignored.
(default "0.0.0.0/0")
-endpoint string
Google DNS-over-HTTPS endpoint url (default "https://dns.google.com/resolve")
-endpoint-ips string
IPs of the Google DNS-over-HTTPS endpoint; if provided, endpoint lookup is
skipped, and the host value in "endpoint" is sent as the Host header. Comma
separated with no spaces; e.g. "74.125.28.139,74.125.28.102". One server is
randomly chosen for each request, failed requests are not retried.
-level string
Log level, one of: debug, info, warn, error, fatal, panic (default "info")
-listen [host]:port
listen address, as [host]:port (default ":53")
-no-pad
Disable padding of Google DNS-over-HTTPS requests to identical length
-tcp
Listen on TCP (default true)
-udp
Listen on UDP (default true)
Download the correct binary below for your platform, or install via docker pull fardog/secureoperator:v3.0.0
dep lockfile formats
output of secure-operator --help:
A DNS-protocol proxy for Google's DNS-over-HTTPS service.
Usage:
secure-operator [options]
Options:
-dns-servers string
DNS Servers used to look up the endpoint; system default is used if absent.
Ignored if "endpoint-ips" is set. Comma separated, e.g. "8.8.8.8,8.8.4.4:53".
The port section is optional, and 53 will be used by default.
-endpoint string
Google DNS-over-HTTPS endpoint url (default "https://dns.google.com/resolve")
-endpoint-ips string
IPs of the Google DNS-over-HTTPS endpoint; if provided, endpoint lookup is
skipped, and the host value in "endpoint" is sent as the Host header. Comma
separated with no spaces; e.g. "74.125.28.139,74.125.28.102". One server is
randomly chosen for each request, failed requests are not retried.
-level string
Log level, one of: debug, info, warn, error, fatal, panic (default "info")
-listen [host]:port
listen address, as [host]:port (default ":53")
-no-pad
Disable padding of Google DNS-over-HTTPS requests to identical length
-tcp
Listen on TCP (default true)
-udp
Listen on UDP (default true)
Download the correct binary below for your platform, or install via docker pull fardog/secureoperator:v2.2.1
dns.RR generation from DNSRR
godep
output of secure-operator --help:
A DNS-protocol proxy for Google's DNS-over-HTTPS service.
Usage:
secure-operator [options]
Options:
-dns-servers string
DNS Servers used to look up the endpoint; system default is used if absent.
Ignored if "endpoint-ips" is set. Comma separated, e.g. "8.8.8.8,8.8.4.4:53".
The port section is optional, and 53 will be used by default.
-endpoint string
Google DNS-over-HTTPS endpoint url (default "https://dns.google.com/resolve")
-endpoint-ips string
IPs of the Google DNS-over-HTTPS endpoint; if provided, endpoint lookup is
skipped, and the host value in "endpoint" is sent as the Host header. Comma
separated with no spaces; e.g. "74.125.28.139,74.125.28.102". One server is
randomly chosen for each request, failed requests are not retried.
-level string
Log level, one of: debug, info, warn, error, fatal, panic (default "info")
-listen [host]:port
listen address, as [host]:port (default ":53")
-no-pad
Disable padding of Google DNS-over-HTTPS requests to identical length
-tcp
Listen on TCP (default true)
-udp
Listen on UDP (default true)
Download the correct binary below for your platform, or install via docker pull fardog/secureoperator:v2.2.0
output of secure-operator --help:
A DNS-protocol proxy for Google's DNS-over-HTTPS service.
Usage:
secure-operator [options]
Options:
-dns-servers string
DNS Servers used to look up the endpoint; system default is used if absent.
Ignored if "endpoint-ips" is set. Comma separated, e.g. "8.8.8.8,8.8.4.4:53".
The port section is optional, and 53 will be used by default.
-endpoint string
Google DNS-over-HTTPS endpoint url (default "https://dns.google.com/resolve")
-endpoint-ips string
IPs of the Google DNS-over-HTTPS endpoint; if provided, endpoint lookup is
skipped, and the host value in "endpoint" is sent as the Host header. Comma
separated with no spaces; e.g. "74.125.28.139,74.125.28.102". One server is
randomly chosen for each request, failed requests are not retried.
-level string
Log level, one of: debug, info, warn, error, fatal, panic (default "info")
-listen [host]:port
listen address, as [host]:port (default ":53")
-no-pad
Disable padding of Google DNS-over-HTTPS requests to identical length
-tcp
Listen on TCP (default true)
-udp
Listen on UDP (default true)
Download the correct binary below for your platform, or install via docker pull fardog/secureoperator:v2.1.0
output of secure-operator --help:
A DNS-protocol proxy for Google's DNS-over-HTTPS service.
Usage:
secure-operator [options]
Options:
-dns-servers string
DNS Servers used to look up the endpoint; system default is used if absent.
Ignored if "endpoint-ips" is set. Comma separated, e.g. "8.8.8.8,8.8.4.4:53".
The port section is optional, and 53 will be used by default.
-endpoint string
Google DNS-over-HTTPS endpoint url (default "https://dns.google.com/resolve")
-endpoint-ips string
IPs of the Google DNS-over-HTTPS endpoint; if provided, endpoint lookup is
skipped, and the host value in "endpoint" is sent as the Host header. Comma
separated with no spaces; e.g. "74.125.28.139,74.125.28.102". One server is
randomly chosen for each request, failed requests are not retried.
-level string
Log level, one of: debug, info, warn, error, fatal, panic (default "info")
-listen [host]:port
listen address, as [host]:port (default ":53")
-no-pad
Disable padding of Google DNS-over-HTTPS requests to identical length
-tcp
Listen on TCP (default true)
-udp
Listen on UDP (default true)
Download the correct binary below for your platform, or install via docker pull fardog/secureoperator:v2.0.1
output of secure-operator --help:
A DNS-protocol proxy for Google's DNS-over-HTTPS service.
Usage:
secure-operator [options]
Options:
-dns-servers string
DNS Servers used to look up the endpoint; system default is used if absent.
Ignored if "endpoint-ips" is set. Comma separated, e.g. "8.8.8.8,8.8.4.4:53".
The port section is optional, and 53 will be used by default.
-endpoint string
Google DNS-over-HTTPS endpoint url (default "https://dns.google.com/resolve")
-endpoint-ips string
IPs of the Google DNS-over-HTTPS endpoint; if provided, endpoint lookup is
skipped, and the host value in "endpoint" is sent as the Host header. Comma
separated with no spaces; e.g. "74.125.28.139,74.125.28.102". One server is
randomly chosen for each request, failed requests are not retried.
-level string
Log level, one of: debug, info, warn, error, fatal, panic (default "info")
-listen [host]:port
listen address, as [host]:port (default ":53")
-no-pad
Disable padding of Google DNS-over-HTTPS requests to identical length
-tcp
Listen on TCP (default true)
-udp
Listen on UDP (default true)
Download the correct binary below for your platform, or install via docker pull fardog/secureoperator:v2.0.0
output of secure-operator --help:
-endpoint string
Google DNS-over-HTTPS endpoint url (default "https://dns.google.com/resolve")
-level string
Log level, one of: debug, info, warn, error, fatal, panic (default "info")
-listen [host]:port
listen address, as [host]:port (default ":53")
-pad
Pad Google DNS-over-HTTPS requests to identical length (default true)
-tcp
Listen on TCP (default true)
-udp
Listen on UDP (default true)
Download the correct binary below for your platform, or install via docker pull fardog/secureoperator:v1.1.1