#dns-server #dnssec #dns

bin+lib hickory-dns

Hickory DNS is a safe and secure DNS server with a variety of protocol features (DNSSEC, TSIG, SIG(0), DoT, DoQ, DoH). It can be operated as an authoritative DNS server, forwarding resolver, stub resolver, or a recursive resolver (experimental). Zone data can be managed in-memory, with flat files, or with an SQLite database.

19 releases

new 0.26.0 Apr 16, 2026
0.26.0-beta.2 Mar 27, 2026
0.26.0-alpha.1 Jun 3, 2025
0.25.1 Mar 18, 2025
0.1.0 May 17, 2023

#1678 in Network programming


104 downloads per month

MIT/Apache

3MB
54K SLoC

Overview

This crate provides a hickory-dns application, a safe and secure DNS server with a variety of protocol features (DNSSEC, TSIG, SIG(0), DoT, DoQ, DoH). It can be operated as an authoritative DNS server, forwarding resolver, stub resolver, or a recursive resolver (experimental). Zone data can be managed in-memory, with flat files, or with an SQLite database.

If you are writing your own Rust application, refer to the hickory-server, hickory-client, hickory-resolver and hickory-recursor library crates instead.

Features

  • Dynamic Update with SQLite journaling backend (SIG(0))
  • DNSSEC online signing (with NSEC and NSEC3)
  • Forwarding stub resolver
  • ANAME resolution, for zone mapping aliases to A and AAAA records
  • Additionals section generation for aliasing record types

Cryptography provider

Features that depend on cryptography require you to select a specific cryptography provider. See the project README for more information.

Protocol support

The following DNS protocols are optionally supported:

  • DNS over TLS (DoT)
  • DNS over HTTP/2 (DoH)
  • DNS over QUIC (DoQ)
  • DNS over HTTP/3 (DoH3)

In order to use these optional protocols you must enable a cargo feature corresponding to your desired cryptography provider:

  • DoT: tls-aws-lc-rs or tls-ring
  • DoH: https-aws-lc-rs or https-ring
  • DoQ: quic-aws-lc-rs or quic-ring
  • DoH3: h3-aws-lc-rs or h3-ring

DNSSEC

In order to use DNSSEC you must enable a cargo feature corresponding to your desired cryptography provider:

  • dnssec-aws-lc-rs
  • dnssec-ring

The current root key is bundled with Hickory DNS and used by default as the trust anchor. This allows DNSKEY and DS records to be validated along the chain back to the root. NSEC and NSEC3 are implemented.

When using dynamic DNS, zones are automatically re-signed on any record update.

Other crate features

  • sqlite (enabled by default) - support maintaining zone data in a SQLite database. Required for dynamic DNS support.
  • blocklist - support configuring allow/deny blocklists.
  • recursor - enable experimental support for recursive resolution.
  • resolver (enabled by default) - enable forwarding zones to another resolver.
  • rustls-platform-verifier (enabled by default) - use the system verifier for TLS with rustls-platform-verifier.
  • webpki-roots - use the webpki-roots crate for TLS certificate verification.
  • prometheus-metrics - enable exposing Prometheus metrics for scraping.
  • systemd - enable systemd readiness (READY=1/STOPPING=1) and watchdog notifications.
  • ascii-art (enabled by default) - print project logo at start.

Running

Warning: Hickory DNS is still under development; running it in production is not recommended.

  • Building
      cargo build --release --bin hickory-dns
  • Verify the version
      ./target/release/hickory-dns --version
  • Get help
      ./target/release/hickory-dns --help
  • Launch hickory-dns server with test config
    Note that if the -p parameter is not passed, the server will run on the default DNS ports. There are separate port options for the DoT and DoH servers; see hickory-dns --help.
      ./target/release/hickory-dns -c ./tests/test-data/test_configs/example.toml -z ./tests/test-data/test_configs/ -p 24141
  • Query the just launched server with dig
      dig @127.0.0.1 -p 24141 www.example.com
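
To see which of the DNSSEC behaviours from the DNSSEC section a running instance exhibits, the output of dig +dnssec can be classified. This is an added example, not code from the hickory-dns project: the function names and the sample responses are constructed, and it assumes a build with one of the dnssec-* features serving a signed zone or validating upstream answers.

```shell
# Added example, not hickory-dns project code; function names are hypothetical.
# Classifies dig +dnssec output read on stdin:
#   validated - header carries the AD flag (a validating resolver checked the chain)
#   signed    - answer section holds RRSIG records but AD is not set
#               (what an authoritative server doing online signing returns)
#   unsigned  - neither
dnssec_status() {
    awk '
        /^;; flags:/ {
            flags = $0
            sub(/^;; flags:/, "", flags)   # drop the label
            sub(/;.*$/, "", flags)         # drop the trailing counters
            n = split(flags, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1   # exact token, not "rd"
        }
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;; / || /^$/        { in_answer = 0 }
        in_answer && $4 == "RRSIG" { sig = 1 }
        END {
            if (ad) print "validated"
            else if (sig) print "signed"
            else print "unsigned"
        }'
}

# Constructed sample: authoritative reply to a +dnssec query (signature is a placeholder).
sample_signed() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.example.com.  86400 IN A     127.0.0.1
www.example.com.  86400 IN RRSIG A 13 3 86400 20300101000000 20250101000000 12345 example.com. c2FtcGxl
EOF
}

# Constructed sample: header of a reply from a validating resolver.
sample_validated() {
    printf '%s\n' ';; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
}

# Constructed sample: plain reply with no DNSSEC data.
sample_unsigned() {
    printf '%s\n' ';; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1' \
        '' ';; ANSWER SECTION:' 'www.example.com.  86400 IN A 127.0.0.1'
}
```

For a live check, pipe dig @127.0.0.1 -p 24141 +dnssec www.example.com into dnssec_status. Treat validated as meaningful only when the path to the resolver is trusted, since the AD flag itself is not authenticated.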

Dependencies

~24–81MB
~1.5M SLoC