How does SDNS compare to Unbound for performance?

SDNS benchmarks show 712 QPS with 136ms latency, significantly higher than Unbound's 338 QPS and 237ms latency, making it better for high-load environments, though Unbound has a larger user base.

How to set up SDNS for Kubernetes DNS?

Enable the Kubernetes middleware in the config with 'enabled = true' and set the cluster domain; optionally activate 'killer mode' for extreme performance, which supports service and pod resolution with real-time API sync.

Does SDNS support DNS-over-HTTPS (DoH)?

Yes, SDNS fully supports DoH on the default port 8053, along with DoT and DoQ, providing encrypted transport options that automatically reload TLS certificates for seamless integration with ACME clients like Let's Encrypt.

What are the main privacy features in SDNS?

Key privacy features include QNAME minimization to reduce data exposure to authoritative servers and support for encrypted protocols (DoT, DoH, DoQ) to secure queries against interception and tampering.

How to monitor SDNS cache performance?

SDNS exports Prometheus metrics including cache hits, misses, and hit rates via the '/metrics' endpoint; configure the 'api' setting and use queries like 'dns_cache_hit_rate' for real-time insights.

SDNS or BIND for security?

SDNS offers built-in features like Reflex attack detection and automatic DNSSEC validation, while BIND has a longer security history but may require more manual configuration; SDNS is better for modern, automated setups.

sdns

MITGov1.6.5

A high-performance, recursive DNS resolver server with DNSSEC support, focused on preserving privacy.

Visit Website

What is sdns?

SDNS is a high-performance, recursive DNS resolver server designed with a strong emphasis on privacy and security. It provides full DNSSEC validation and supports modern encrypted DNS transport protocols like DNS-over-TLS (DoT), DNS-over-HTTPS (DoH), and DNS-over-QUIC (DoQ). The server is built for performance with an extensible middleware architecture and comprehensive caching mechanisms.

Target Audience

System administrators, DevOps engineers, and infrastructure teams who need a secure, high-performance DNS resolver for private networks, data centers, or Kubernetes clusters. It is also suitable for privacy-conscious users seeking an alternative to public DNS resolvers.

Value Proposition

Developers choose SDNS for its superior performance, with benchmarked higher throughput and lower latency compared to alternatives like BIND and Unbound, combined with strong privacy features like QNAME minimization and encrypted transports. Its extensible middleware architecture, including specialized Kubernetes integration with a high-performance 'killer mode,' offers unique flexibility for modern infrastructure.

Overview

A high-performance, recursive DNS resolver server with DNSSEC support, focused on preserving privacy.

Use Cases

Best For

Related Projects

Community-curated · Updated weekly · 100% open source

Found a gem we're missing?

Open-Awesome is built by the community, for the community. Submit a project, suggest an awesome list, or help improve the catalog on GitHub.

Submit a project Star on GitHub

GitHub

1.0k stars70 forks0 contributors

Deploying a high-performance recursive DNS resolver in data centers or private networks where low latency and high query throughput are critical.
Implementing a privacy-focused DNS resolver with DNSSEC validation and encrypted transport support (DoT, DoH, DoQ) to protect user queries.
Integrating DNS resolution within Kubernetes clusters using the built-in middleware, especially when requiring the extreme performance of 'killer mode' for service discovery.
Enhancing DNS security with features like amplification attack detection (Reflex), IP-based access control, and rate limiting to protect infrastructure.
Building an extensible DNS server platform using the middleware and external plugin architecture to add custom functionality.
Monitoring DNS server performance with comprehensive Prometheus metrics and cache statistics for operational insights.

Not Ideal For

Environments requiring DNS64 (NAT64) support for IPv6-to-IPv4 translation, as it's listed as a TODO item and not yet implemented.
Small-scale or home network setups where a simpler, GUI-based DNS resolver like Pi-hole or basic router DNS would be easier to manage.
Teams deeply entrenched in BIND or Unbound ecosystems who need extensive third-party plugins, commercial support, or well-established community resources.
Use cases demanding a web-based administration interface, as SDNS relies on CLI, config files, and an API without a built-in web UI.

Pros & Cons

Pros

Superior Performance

Benchmarks show SDNS achieves 712 QPS with 136ms average latency, outperforming BIND, Unbound, and PowerDNS in both throughput and reliability, with zero-allocation cache operations.

Privacy-Focused Design

Implements QNAME minimization and supports encrypted DNS transports (DoT, DoH, DoQ) to protect query privacy from eavesdropping, with automatic DNSSEC trust anchor updates.

Extensible Middleware Architecture

Features a flexible middleware system with built-in Kubernetes integration, including a high-performance 'killer mode,' and supports external plugins for custom functionality.

Comprehensive Security Features

Includes full DNSSEC validation, DNS amplification attack detection (Reflex), IP-based access control, and rate limiting, providing robust protection against threats.

Cons

Missing DNS64 Support

The TODO list explicitly notes DNS64 (RFC 6147) is not implemented, making SDNS unsuitable for scenarios requiring NAT64 translation from IPv6 clients to IPv4 servers.

Complex Configuration

With over 50 configuration options in the TOML file, setup can be daunting for basic deployments, requiring detailed knowledge of DNS protocols and server tuning.

Smaller Ecosystem

As a newer project compared to BIND or Unbound, SDNS has fewer third-party tools, community-contributed plugins, and extensive documentation resources available.

Open Source Alternative To

sdns is an open-source alternative to the following products:

U

Unbound

Unbound is a validating, recursive, and caching DNS resolver designed for security, performance, and standards compliance.

PowerDNS Recursor

PowerDNS Recursor is an open-source DNS recursor that resolves DNS queries for clients, featuring high performance, security features, and extensive configuration options.

B

BIND

Frequently Asked Questions

Home

Go

fasthttp

Fast HTTP package for Go. Tuned for high performance. Zero memory allocations in hot paths. Up to 10x faster than net/http

Pure Go implementation of the WebRTC API

Stars16,256

Forks1,838

Last commit18 hours ago

kcptun

Reliable UDP Transmission Optimizer based on KCP: Enhancing network efficiency in poor connectivity environments.

Stars14,404

Forks2,631

Last commit21 days ago

cloudflared

Cloudflare Tunnel client