A comprehensive DNS server solution similar to AdGuard, designed for ISPs and end-users with advanced filtering, monitoring, and multi-tenant capabilities.
NEW: Now with rate limiting and webhook integration! See Rate Limiting Guide and Webhook Integration.
- Recursive DNS resolver with IPv4 and IPv6 support
- DNS-over-HTTPS (DoH) support (RFC 8484)
- DNS-over-TLS (DoT) support (RFC 7858)
- Intelligent DNS response caching
- Blacklist/whitelist domain filtering
- Automatic blocklist updates from trusted sources
- Support for exact match, wildcard, and regex filtering
- Custom rules per ISP/customer
- Whitelist overrides for trusted domains
- Multiple category support (ads, trackers, malware, adult content)
- Complete DNS query logging
- Suspicious activity detection (DNS tunneling, malware C2)
- Prometheus metrics export
- Grafana dashboard integration
- Live query statistics and visualizations
- Modern React-based web dashboard
- Real-time charts with ApexCharts
- Role-based access control (super_admin, isp_admin, customer)
- RESTful API with FastAPI
- Complete API documentation
- Dark mode support
- Multi-tenant architecture
- ISP-specific configurations and blocklists
- API key management for ISP integration
- Isolated dashboards per ISP
- Subscription tier support
- JWT-based authentication
- TLS encryption for DoH/DoT
- Password hashing with bcrypt
- Database connection pooling
- Docker containerization
- Health check endpoints
- Rate limiting middleware (NEW)
- Webhook signature verification (NEW)
- Webhook support for real-time events (NEW)
- Rate limiting with configurable thresholds (NEW)
- Event-driven architecture
- Complete REST API
- Prometheus metrics integration
- Docker & Docker Compose
- Python 3.11+
- Node.js 18+
- PostgreSQL 15+
- Redis 7+
- Clone the repository:
git clone https://github.com/i4edubd/DNS-for-ISP.git
cd DNS-for-ISP
- Configure SSL certificates (for DoH/DoT):
# For testing with self-signed certificates (default)
echo "SSL_SELF_SIGNED=true" >> backend/.env
# For production, use valid certificates
# SSL_SELF_SIGNED=false
# SSL_CERT_FILE=/path/to/cert.pem
# SSL_KEY_FILE=/path/to/key.pem
- Start all services:
cd docker
docker-compose up -d
- Access the services:
- Frontend Dashboard: http://localhost:3000
- Backend API: http://localhost:8000
- API Documentation: http://localhost:8000/docs
- DNS Server: UDP/TCP port 53
- DoH Endpoint: https://localhost:443/dns-query
- DoT Server: TLS port 853
- Prometheus: http://localhost:9090
- Grafana: http://localhost:3001 (admin/admin)
- Install dependencies:
cd backend
pip install -r requirements.txt
- Configure environment:
cp .env.example .env
# Edit .env with your settings
- Initialize database:
# Database will be auto-initialized on first run
- Run the server:
python -m uvicorn app.main:app --host 0.0.0.0 --port 8000

- Install dependencies:
cd frontend
npm install
- Configure API URL:
# Create .env file
echo "REACT_APP_API_URL=http://localhost:8000" > .env
- Run development server:
npm start

curl -X POST http://localhost:8000/api/auth/register \
-H "Content-Type: application/json" \
-d '{
"email": "user@example.com",
"username": "newuser",
"password": "securepassword",
"full_name": "New User"
}'

Note: Registration creates a customer role by default. Admin users must be created by super admins through privileged flows.
curl -X POST http://localhost:8000/api/auth/login \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "username=admin&password=securepassword"

curl -X POST http://localhost:8000/api/dns/query \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"domain": "example.com",
"query_type": "A"
}'

# URLs with a query string are quoted so the shell does not treat "?" as a glob
curl "http://localhost:8000/api/dns/queries?limit=100" \
-H "Authorization: Bearer YOUR_TOKEN"

curl "http://localhost:8000/api/dns/stats?hours=24" \
-H "Authorization: Bearer YOUR_TOKEN"

curl -X POST http://localhost:8000/api/blocklist/add \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"domain": "malicious-site.com",
"rule_type": "exact",
"category": "malware"
}'

curl -X POST http://localhost:8000/api/blocklist/update \
-H "Authorization: Bearer YOUR_TOKEN"

curl -X POST http://localhost:8000/api/isp/create \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "My ISP",
"domain": "myisp.com",
"subscription_tier": "premium"
}'

curl -X POST http://localhost:8000/api/webhooks/register \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"url": "https://your-server.com/webhook",
"events": ["dns.blocked", "alert.suspicious_activity"],
"secret": "your-webhook-secret"
}'

curl http://localhost:8000/api/webhooks/list \
-H "Authorization: Bearer YOUR_TOKEN"

See Webhook Integration Guide for complete documentation.
Rate limiting is automatically enabled with default settings:
- 100 requests per 60 seconds per IP
- Configurable via environment variables
See Rate Limiting Guide for details.
The server now supports encrypted DNS protocols:
# Query using curl (POST method)
curl -H 'Content-Type: application/dns-message' \
--data-binary @query.bin \
https://localhost:443/dns-query
# Configure in browsers
# Firefox/Chrome: Settings → DNS over HTTPS → https://localhost:443/dns-query

# Query using kdig
kdig -d @localhost +tls example.com
# Configure systemd-resolved
echo "[Resolve]
DNS=your-server-address
DNSOverTLS=yes" | sudo tee -a /etc/systemd/resolved.conf
sudo systemctl restart systemd-resolved

See DoH/DoT Guide for complete documentation.
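The DoH curl call above posts a file named query.bin without showing how to create it. The following is an added example, not part of the project's code: it builds that RFC 1035 wire-format query, derives the base64url value for the RFC 8484 GET form, and decodes a response header. All function names are illustrative.

```python
import base64
import struct

# Record type codes from RFC 1035 / RFC 3596.
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28}


def encode_name(domain: str) -> bytes:
    """Encode a name as length-prefixed labels ending in the zero-length root label."""
    out = bytearray()
    for label in domain.rstrip(".").split("."):
        raw = label.encode("ascii")  # IDNs must already be in punycode form
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"label length out of range: {label!r}")
        out += bytes([len(raw)]) + raw
    out.append(0)
    if len(out) > 255:
        raise ValueError("encoded name exceeds 255 bytes")
    return bytes(out)


def build_query(domain: str, qtype: str = "A") -> bytes:
    """Return one wire-format question with RD set and message ID 0."""
    # RFC 8484 section 4.1 recommends ID 0 so identical queries cache identically.
    header = struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(domain) + struct.pack("!2H", QTYPES[qtype.upper()], 1)


def doh_get_param(query: bytes) -> str:
    """base64url without padding, as used by the GET form (?dns=...)."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def parse_header(message: bytes) -> dict:
    """Decode the fixed 12-byte header of a DNS response."""
    if len(message) < 12:
        raise ValueError("truncated DNS message")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", message[:12])
    return {"id": msg_id, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": an}


if __name__ == "__main__":
    query = build_query("example.com", "A")
    with open("query.bin", "wb") as fh:
        fh.write(query)
    print(f"wrote {len(query)} bytes to query.bin")
    print("GET form: /dns-query?dns=" + doh_get_param(query))
```

Running the script writes query.bin in the current directory; pass the body returned by curl (for example via --output) to parse_header to read the response code and answer count.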
┌─────────────────┐
│ React Frontend  │
│   (Port 3000)   │
└────────┬────────┘
         │
         ▼
┌─────────────────┐      ┌──────────────┐
│    FastAPI      │◄────►│  PostgreSQL  │
│    Backend      │      │   Database   │
│  (Port 8000)    │      └──────────────┘
└────────┬────────┘
         │               ┌──────────────┐
         ├──────────────►│    Redis     │
         │               │    Cache     │
         │               └──────────────┘
         │
         ▼
┌─────────────────┐      ┌──────────────┐
│   Prometheus    │◄────►│   Grafana    │
│    Metrics      │      │  Dashboard   │
└─────────────────┘      └──────────────┘
Create a .env file in the backend directory:
# Application
APP_NAME="DNS Server for ISP"
DEBUG=false
# Server
HOST=0.0.0.0
PORT=8000
# DNS
DNS_HOST=0.0.0.0
DNS_PORT=53
DNS_CACHE_TTL=3600
DNS_UPSTREAM_SERVERS=["8.8.8.8", "8.8.4.4", "1.1.1.1"]
# DoH/DoT
DOH_ENABLED=true
DOH_PORT=443
DOT_ENABLED=true
DOT_PORT=853
# SSL/TLS Configuration for DoH/DoT
SSL_CERT_FILE=/etc/ssl/certs/dns_cert.pem
SSL_KEY_FILE=/etc/ssl/private/dns_key.pem
SSL_SELF_SIGNED=true # Use false in production with valid certs
# Database
DATABASE_URL=postgresql+asyncpg://dns_user:dns_pass@localhost:5432/dns_db
# Redis
REDIS_HOST=localhost
REDIS_PORT=6379
REDIS_DB=0
# Security
SECRET_KEY=your-secret-key-change-in-production
ALGORITHM=HS256
ACCESS_TOKEN_EXPIRE_MINUTES=30
# CORS
CORS_ORIGINS=["http://localhost:3000"]
# Monitoring
PROMETHEUS_ENABLED=true

The system exposes the following metrics:
- dns_queries_total: Total DNS queries
- dns_blocked_queries_total: Total blocked queries
- dns_response_time_seconds: DNS response time histogram
- dns_cache_hits_total: Cache hit counter
- dns_cache_misses_total: Cache miss counter
Access Grafana at http://localhost:3001 with:
- Username: admin
- Password: admin
Import the provided dashboard from config/grafana/dashboards/
- Change Default Credentials: Update all default passwords
- Use Strong Secret Keys: Generate secure SECRET_KEY
- Enable HTTPS: Use TLS certificates for production
- Regular Updates: Keep blocklists updated
- Monitor Logs: Check for suspicious activity
- Backup Database: Regular PostgreSQL backups
- Limit API Access: Use firewall rules
- Rate Limiting: Implement rate limits for API endpoints
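An added example, not part of the project: a pre-deployment check that flags the development defaults shown in the backend .env sample above. The function names and the 32-character minimum for SECRET_KEY are assumptions of this example, and SAMPLE_ENV is constructed from the values on this page.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: development values copied from the .env shown above.
SAMPLE_ENV = """\
DEBUG=false
SSL_SELF_SIGNED=true # Use false in production with valid certs
DATABASE_URL=postgresql+asyncpg://dns_user:dns_pass@localhost:5432/dns_db
SECRET_KEY=your-secret-key-change-in-production
ACCESS_TOKEN_EXPIRE_MINUTES=30
CORS_ORIGINS=["http://localhost:3000"]
"""


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines, dropping comments and surrounding quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.split(" #", 1)[0].strip().strip("\"'")
        env[key.strip()] = value
    return env


def audit(env: dict) -> list:
    """Return findings for settings that are unsafe outside development."""
    findings = []
    key = env.get("SECRET_KEY", "")
    if len(key) < 32 or "change" in key.lower():  # 32 is this example's threshold
        findings.append("SECRET_KEY is a placeholder or shorter than 32 characters")
    if env.get("DEBUG", "false").lower() == "true":
        findings.append("DEBUG is enabled")
    if env.get("SSL_SELF_SIGNED", "").lower() == "true":
        findings.append("SSL_SELF_SIGNED=true: DoH/DoT clients cannot validate the server")
    password = urlsplit(env.get("DATABASE_URL", "")).password or ""
    if password in ("", "dns_pass"):
        findings.append("DATABASE_URL uses the sample password or none at all")
    origins = json.loads(env.get("CORS_ORIGINS", "[]"))
    if any(o == "*" or o.startswith("http://") for o in origins):
        findings.append("CORS_ORIGINS allows a wildcard or plain-HTTP origin")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_env(SAMPLE_ENV)):
        print("FAIL:", finding)
```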
- super_admin: Full system access, manage all ISPs
- isp_admin: Manage their ISP's settings and users
- customer: View their ISP's dashboard and queries
# Apply Kubernetes manifests
kubectl apply -f k8s/

- Change all default passwords
- Generate secure SECRET_KEY
- Configure TLS certificates
- Set up database backups
- Configure monitoring alerts
- Set up log aggregation
- Configure firewall rules
- Enable rate limiting
- Set up CDN for frontend
- Configure DNS load balancing
cd backend
pytest tests/ -v

cd frontend
npm test

- Fork the repository
- Create a feature branch
- Commit your changes
- Push to the branch
- Create a Pull Request
This project is licensed under the MIT License.
- Built with FastAPI, React, and PostgreSQL
- Blocklists from StevenBlack and AdAway
- Charts powered by ApexCharts
- Monitoring with Prometheus and Grafana
For support, email: support@example.com
- Rate limiting middleware
- Webhook integration system
- Grafana dashboard configuration
- Comprehensive documentation
- WebSocket real-time updates
- Mobile application
- Machine learning-based threat detection
- IPv6 full support
- DNSSEC validation
- Custom DNS response manipulation
- Advanced analytics and reporting
- Billing integration (Stripe/PayPal)
- Multi-language support
- Kubernetes operator