secDNS is a local DNS resolver that helps you bypass DNS spoofing (DNS cache poisoning) from your ISP while keeping latency low and configuration predictable.

• Upstream flexibility: DoT, DoH, classic DNS (TCP/UDP), and ECS-aware recursive resolution with DNSSEC validation.
• Networking options: SOCKS5 proxy support, source-IP binding, TCP fallback, and qname minimization.
• Performance: LRU cache with TTL bounds, negative caching, stale-while-revalidate, jitter, and prefetch controls.
• IPv6 ready: DNS64 synthesis, ECS handling (add/override/passthrough/strip), and dual-stack listeners.
• Integration: HTTP API listener (/resolve) plus UDP/TCP DNS listener; configurable rules route queries to named resolvers.
• Resilience: Failover (sequence) and fastest-response (concurrentNameServerList) strategies for resolver pools.

See docs/configuration.md for the overall JSON schema.

Quick start:

• Download a released binary from GitHub releases.
• Validate a config: ./secDNS -test -config config.json
• Run with a config: ./secDNS -config config.json

• Configuration - JSON schema, object layout, and examples.
• Listeners - Available listeners such as dnsServer and the HTTP API, with version notes.
• Resolvers - All upstream resolver types, capabilities, and minimum supported versions.
• Rules - Rule engines for routing queries to specific resolvers.
• Version History - Feature timeline and component availability across releases.

See docs/version_history.md.

The GNU Affero General Public License v3.0 (GNU AGPLv3)

This project relies on the following third-party project:

• miekg/dns