Show HN: I built a DNS resolver from scratch in Rust – no DNS libraries

(github.com)

115 points by rdme5 days ago

24 comments

rdme5 days ago
Since I needed it to be my primary DNS, I also added: recursive resolution from root nameservers, DNSSEC chain-of-trust validation, ad blocking (385K+ domains), and LAN service discovery.I wrote about the DNSSEC implementation here: <a href="https://numa.rs/blog/posts/dnssec-from-scratch.html" rel="nofollow">https://numa.rs/blog/posts/dnssec-from-scratch.html</a> It's now my daily system DNS. Single binary (~8MB), macOS/Linux/Windows.`sudo numa install`
- pyprism5 days ago
 Very interesting project! I have a couple of questions. With all the default blocked domains loaded, what is the average memory usage? Currently, I am using Pi-hole on a low memory single board computer. Is it possible to use this instead of Pi-hole? If so, I’d like to use it for all of my devices."
 - rdme5 days ago
 With 390K blocked domains: ~31MB total process footprint. Breakdown: - Blocklist: 23.4MB (390K domains) - Cache: 3.8MB (4.4K entries) - Query log, SRTT, runtime: ~4MBIt binds to 0.0.0.0:53 by default, so just point your devices' DNS to the board's IP
- onel4 days ago
 Romanian project. Instant upvote. Great work
- rdme5 days ago
 Thanks! If you hit any issues during setup, feel free to open an issue — happy to help debug. The dashboard at localhost:5380 shows what's happening in real time.
 - siruwastaken5 days ago
 Why are you replying to your own coment?
 - happytoexplain5 days ago
 I think it's a bot? There's an identical version of this comment in another reply, except it cuts off half way through a sentence.
 - rdme5 days ago
 I hit reply on the wrong post and you can't delete comments or at least I don't see how it can be done
 dgb235 days ago
 Above the comments I've written on HN I see:5 minutes ago | parent | next | edit | delete
 hxugufjfjf5 days ago
 That only lasts for a few minutes until it’s locked and you can no longer delete after that.
 eqvinox5 days ago
 It lasts 2 full hours, at least for edit. Delete stops working when someone replies afaik.
 - rdme5 days ago
 because I clicked reply on the wrong one and you can't delete it...
 - nalekberov4 days ago
 Of course I can’t prove it, but i am guessing some kind of “AI” is doing that. Humans rarely use emdashes.
 - BrandoElFollito4 days ago
 [flagged]
 dang4 days ago
 Please don't break the site guidelines, regardless of how wrong someone is or you feel they are.You're right about em dashes of course (<a href="https://news.ycombinator.com/item?id=47154752">https://news.ycombinator.com/item?id=47154752</a>) but being right on a point does not make it ok to attack another user or violate the rules of the site.<a href="https://news.ycombinator.com/newsguidelines.html">https://news.ycombinator.com/newsguidelines.html</a>
 nalekberov4 days ago
 [flagged]
 dang4 days ago
 Please don't respond to a bad comment by breaking the site guidelines yourself. That only makes things worse.<a href="https://news.ycombinator.com/newsguidelines.html">https://news.ycombinator.com/newsguidelines.html</a>
 BrandoElFollito4 days ago
 [flagged]
voxadam5 days ago
It's neither here nor there but can I ask about the name? I only ask because when I see "numa" in relation to computing I immediately think "Non-Uniform Memory Access".Very cool project by the way. I wonder how this would run on an OpenWRT device.I see in your install.sh that you support Linux and Darwin/MacOS, do you think there would be any major hurdles in supporting FreeBSD?
- rdme5 days ago
 also in romanian nume = name(dns) and I also get the easter egg of that well known Romanian song numa numa :) <a href="https://www.youtube.com/watch?v=YnopHCL1Jk8" rel="nofollow">https://www.youtube.com/watch?v=YnopHCL1Jk8</a>On OpenWRT — it's musl-based Linux so the binary should run the arm one would need a crosscompile Free BSD can be done (pr's welcome?)
- camdv5 days ago
 On the web site, it's named after the second King of Rome
dwedge5 days ago
I have a couple of projects that once a month need to run a few million dns lookups as quickly as possible. I'm tempted to try this just to see how it performs and if it breaks.
- rdme5 days ago
  let me know if you do it!
kevin0615 days ago
The interface looks vibecoded. I have no problem with people vibecoding things. In fact, I have zero frontend skills, so I rely on AI to be able to make easy-to-use interfaces. However, I feel like this should be clearly and prominently displayed in the project page.Furthermore it is a little off-putting to see a vibecoded UI because I have very little confidence that the rest of the backend code is not vibecoded. I know I am possibly being unfair, but this is how it looks to me. If the developer tells me they didn't use AI at all, I would believe it.
- rdme5 days ago
 It definitely is and you can see it in the git commits. The DNS wire protocol parser was the original learning project I wrote to understand the spec. Later features (recursive resolver, DNSSEC validation, the dashboard) were built with the help of AI
 - kevin0615 days ago
 That's fair, thanks for letting me know!
- andoando5 days ago
 I dont get this criticism at all, would you prefer someone write a shittier UI? And since when were people writing amazing bug free software before hand where not being vibe coded meant you could trust its good software?I guess to be fair, beforehand no body would be attempting this kind of thing and releasing it unless they knew what they were doing
 - kevin0615 days ago
 I literally said I'm fine with using LLMs for the frontend, but I think this should be disclosed clearly.
 - bitpush5 days ago
 I don't think having conditions to certain things qualify as "I'm fine with it""I'm fine with people eating meat, as long as they declare so when we go out" like why? Why does it matter?
 - xg154 days ago
 Both GP's and your example in effect mean "I'm fine with other people doing this, but I don't want to have anything to do with it, or at least be able to decide case-by-case."Which is a valid stance IMO.In the OP, a vibecoded UI when the whole project emphasizes "I did this myself, from scratch" is a bit awkward.Does "I did this myself" mean they read all the relevant specs and then wrote the code - or did they just write the prompts themselves?Edit: OP already answered and confirmed that they in fact did write the code themselves.
- dev_l1x_be5 days ago
 Given the state of webdev it is not a surprise. LLMs are my rubber gloves when working with web technologies.
p2hari5 days ago
Nice idea. To test I ran a simple nextjs on port 3000. Added the service via the dashboard. However, when I visit the url, (using chrome latest version), <a href="https://{mygivenname}.numa/" rel="nofollow">https://{mygivenname}.numa/</a> I hit a DNS resolution fail error. If I do not use a trailing '/' then it is going to google search for {mygivenname}.numa and shows me some search results. Should I open an issue?
- rdme5 days ago
 Is it possible you didn't start it as root ( sudo numa install)? Does dig {mygivenname}.numa @127.0.0.1 return 127.0.0.1 ? What OS are you on? Maybe you report it as an issue?
 - p2hari5 days ago
 Thanks for quick response. It started to work. I think it must be some caching issue. But it needs a trailing '/' . Maybe will raise the issue for this. Cool.
 - arcaen5 days ago
 I believe that is actually browser specific behavior. I sometimes use a fake TLD for stuff hosted at home, and both chrome and firefox resort to search if I don't include a trailing '/'. My assumption is the browser does a quick match against known TLDs and if it doesn't match then it resorts to search.
 - rdme5 days ago
 exactly, I'll add a pr soon that tells the os (and browsers) that is'a a valid domain
conradludgate5 days ago
What's the reason you're not using hickory? Or was that the LLMs choice? Genuinely curious
- rdme5 days ago
  This was started as a learning project, went from the start to the lowest level then I've just added features I wanted one by one, it just made the most sense
fanf24 days ago
The first thing I look at in new DNS code is whether it’s vulnerable to DNS name compression loops. This code passes the test! However it’s vulnerable to dots embedded in labels: it doesn’t escape bytes properly when converting from wire format to text.
- rdme1 day ago
 Thanks for pointing this out! I’ve created <a href="https://github.com/razvandimescu/numa/issues/36" rel="nofollow">https://github.com/razvandimescu/numa/issues/36</a>
- BobbyTables23 days ago
 How does one handle dots embedded in a label ? Isn’t that not valid?
6r175 days ago
Same hack here ; I have no DSN running by default - much more handy than having to set up nginx as it has no opinion on the targeted infrastructure. And the bonus point is that you can see every sneaky request that happens when you browse ; so another side-project connected to this is to make an inventory and policy filter
- rdme5 days ago
  Yes sir! The query log is at GET /querylog (or on the dashboard) shows every request with domain, type, path (forwarded/recursive/cached/blocked) and latency
bahador5 days ago
feature request: libnuma so i can use it programmatically with configuration. also, multiple user defined blocklists.
- rdme5 days ago
 Multiple blocklists already work -<a href="https://github.com/razvandimescu/numa/blob/main/numa.toml#L44" rel="nofollow">https://github.com/razvandimescu/numa/blob/main/numa.toml#L4...</a> The pieces are already there for libnuma, it could be done, would you share what use case you have in mind?
BugsBunnyCodes5 days ago
I have a project that requires DNS lookups and block ads. I am going to try this for it.
- rdme5 days ago
  let me know how it goes
dev_l1x_be5 days ago
How is to compare to AdGuard? If it gets those features I would be switching over.
- rdme5 days ago
 Numa can do recursive resolution from root nameservers + DNSSEC, .numa local domains with auto HTTPS for dev, and LAN service discovery. What features would you be interested in?
 - dwedge5 days ago
 What about split horizon dns so I can locally resolve home servers instead of going to tailscale
 - rdme5 days ago
 Split DNS already works — Numa auto-detects Tailscale forwarding rules from the system config. Queries matching .<ts.net> go to Tailscale’s DNS, everything else goes through NumaIf you want to skip Tailscale entirely for home servers, Numa’s LAN discovery auto-finds machines running Numa on the same network. Or add static records in numa.toml for machines that don’t run it.
 - dev_l1x_be1 day ago
 Just normal ad filtering.
rbluethl5 days ago
Cool idea, every developer running apps in dev on their machine knows this pain for sure. I'll give it a spin and let you know how it goes!
- rdme5 days ago
 Thanks! If you hit any issues during setup, feel free to open an issue — happy to help debug. The dashboard at localhost:5380 (or at <a href="https://numa.numa" rel="nofollow">https://numa.numa</a>)
Asuka-wx5 days ago
Nice work. What made you choose this license?
lyfeninja5 days ago
I think I need to give this a go. Cool project.
- rdme5 days ago
  Thanks! Let me know how it goes.
_kidlike5 days ago
very interesting. how does the blocklist work? can one manage the lists? like StevenBlack or others.
- rdme5 days ago
 Yes, it is configurable as a list <a href="https://github.com/razvandimescu/numa/blob/main/numa.toml#L44" rel="nofollow">https://github.com/razvandimescu/numa/blob/main/numa.toml#L4...</a>There's also a per-domain allowlist and you can pause/unpause blocking from the dashboard or API.Here's how the resolution pipeline looks like: <a href="https://numa.rs/blog/posts/dns-from-scratch.html#the-resolution-pipeline" rel="nofollow">https://numa.rs/blog/posts/dns-from-scratch.html#the-resolut...</a>
bulanel5 days ago
nice
voltagex_5 days ago
Great idea, pity about the slop.
goodpoint5 days ago
we need a [slop] flag in the headlines
derodero244 days ago
[flagged]
derodero244 days ago
[flagged]
derodero244 days ago
[flagged]
arafeq5 days ago
[flagged]
- rdme5 days ago
 Actually, if you point a container's DNS at the host (dns: [host.docker.internal] in compose), it works for resolution + ad blocking for the reverse however, I've added it on the radar, thanks!
 - Kaliboy5 days ago
 How does auto-TLS work? It makes a self signed certificate automatically?
 - rdme5 days ago
 Yes — numa install generates a local CA and stores it in the system trust store. When you register a .numa service, it generates a per-service TLS cert signed by that CA
- dgb235 days ago
 I don't want to hijack the thread, because that's a cool project.Still, if you're looking for something that "just works" and is widely used, have a look at caddy.
EdoardoIaga5 days ago
[flagged]