DoH/DoT Proxy

Starting with v3.0.0, DNS-MNS can run a local DoH (DNS over HTTPS) or DoT (DNS over TLS) proxy alongside the existing DNSCrypt proxy.

What It Does

The proxy listens on a local address (e.g., 127.0.0.1:53) and transparently encrypts all DNS queries before forwarding them to the upstream provider. Your applications don’t need any special configuration - they just talk to the local DNS as usual.

Protocols

DoH (DNS over HTTPS)

  • Uses HTTPS (port 443) to encrypt DNS queries
  • Looks like regular web traffic, making it harder to detect or block
  • Works through most firewalls and proxies
  • Best choice when DNS traffic is being filtered

DoT (DNS over TLS)

  • Uses TLS on port 853 to encrypt DNS queries
  • Dedicated protocol with lower overhead than DoH
  • If port 853 is blocked, the proxy automatically falls back to port 443

Using the Proxy

Interactive Mode

From the main menu, select option [8] DoH/DoT Proxy:
  1. Choose the protocol: DoH or DoT
  2. Select a provider from the list (Cloudflare, Google, Quad9, etc.)
  3. Enter the listen address (default: 127.0.0.1:53)
  4. The proxy starts and runs until you stop it

Running Alongside DNSCrypt

Both DNSCrypt and DoH/DoT proxies can run simultaneously on different ports:
DNSCrypt Proxy: 127.0.0.1:53
DoH Proxy:      127.0.0.1:5353

Supported Providers

The proxy supports all 28+ DoH/DoT providers built into DNS-MNS, including:
  • International: Cloudflare, Google, Quad9, AdGuard, Mullvad, ControlD, DNS.SB
  • Regional: Shecan, Electro, RadarGame, 403Online
  • Privacy: Mullvad, NextDNS, RethinkDNS, DNS0-EU

Port Requirements

  • Port 53 requires administrator/root privileges
  • Use a higher port (e.g., 5353) if you don’t have admin access
  • Then configure your system DNS to point to 127.0.0.1:5353

Privacy Features

  • EDNS Padding (RFC 8467): All queries are padded to a multiple of 128 bytes (block-length padding), so the size of the encrypted message reveals less to traffic analysis
  • Connection Pooling: HTTP connections are reused for DoH queries, reducing latency on subsequent lookups

DPI Evasion

When starting the proxy from the interactive menu, you can enable TLS fragmentation to bypass Iran’s DPI:
  1. SNI-targeted — Split at the SNI boundary (recommended)
  2. Random (NoDPI-style) — Randomized split point and delay
See the DPI Evasion page for more details on fragmentation modes.

Troubleshooting

  • “Permission denied” error: Run DNS-MNS with sudo or use a port above 1024.
  • “Address already in use”: Another DNS service is using the port. Try a different port or stop the conflicting service.