Pure Rust DNS Tunnel

The Antidote to
Internet Censorship

Tunnel your internet through DNS queries. Invisible to network observers. One binary. Zero dependencies.

Download v2.4.0 View Source
Architecture

How It Works

Your traffic is encrypted, multiplexed, and encoded into ordinary DNS queries that pass through any network.

Application Browser / curl / any app
SOCKS5 (127.0.0.1:1080)
Client Nooshdaroo client
Multiplexing smux v2 (stream multiplexing)
Encryption Noise_NK (authenticated encryption)
Reliability KCP (reliable transport)
Carrier DNS queries (base32 in QNAME)
Recursive DNS resolver
Server Nooshdaroo server (authoritative DNS)
TCP connect
Destination The open internet
Capabilities

Built for Hostile Networks

Every feature designed around one goal: keep you connected when everything else is blocked.

Noise Protocol Encryption

Noise_NK_25519_ChaChaPoly_BLAKE2s. Forward secrecy on every session. Server identity verified via pre-shared public key. No certificates, no PKI.

Chrome DNS Fingerprinting

Cover traffic mimics Chrome's DNS behavior: AD=1 flag, EDNS0 1452, A+AAAA+HTTPS query triplets, and burst timing patterns that blend with real browser traffic.

DNS Flux

Deterministic time-based domain selection spreads traffic across multiple tunnel domains. Rotating targets make static blocking unreliable.

OTA Config Updates

Push new domains, resolvers, and settings via encrypted DNS TXT records. Clients adapt to infrastructure changes without needing an app update.

Wire Compatible

Drop-in replacement for Go dnstt. Use a Nooshdaroo client with a Go server, or vice versa. Same Noise handshake, same KCP framing, same DNS encoding.

Tiny Binary

~1.4 MB client, ~3.6 MB server. Pure Rust with zero runtime dependencies. Cross-platform: Linux, macOS (signed), Windows.

Resolver Scanner

Auto-detects your ISP and scans local networks for working DNS resolvers. Built-in databases: 1,920 Iran CIDRs + 11,256 Russia CIDRs. --scan-iran / --scan-russia

Get Started

Downloads

Pre-built binaries for every major platform. No installers, no runtimes. Just the binary.

Client
🐧
Linux x86_64
~1.4 MB · static musl
🐧
Linux ARM64
~1.2 MB · Raspberry Pi, ARM servers
macOS Universal
~3.1 MB · Apple Silicon + Intel · Signed
macOS ARM64
~1.4 MB · Apple Silicon · Signed
macOS Intel
~1.7 MB · Intel · Signed
🪟
Windows x86_64
~1.2 MB · Windows 10+
Server
🖧
Server — Linux x86_64
~3.6 MB · Authoritative DNS server
Verification
🔒
SHA256SUMS
Verify download integrity
📦
Build from source
cargo build --release
Documentation

Quick Start

Connect in three commands. Or self-host your own server.

1
Download & run
# Linux:
curl -LO https://nooshdaroo.net/dist/nooshdaroo-linux-x86_64 && chmod +x nooshdaroo-linux-x86_64

# macOS:
curl -LO https://nooshdaroo.net/dist/nooshdaroo-macos-universal && chmod +x nooshdaroo-macos-universal

# Windows (PowerShell):
Invoke-WebRequest https://nooshdaroo.net/dist/nooshdaroo-windows-x86_64.exe -OutFile nooshdaroo.exe
2
Connect — zero arguments needed
# 10 tunnel domains and 8 resolvers are built in:
./nooshdaroo-linux-x86_64

# If global resolvers are blocked (Iran, Russia, China):
./nooshdaroo-linux-x86_64 --scan-iran
./nooshdaroo-linux-x86_64 --scan-russia
3
Use the SOCKS5 proxy
# The tunnel is now running on 127.0.0.1:1080
curl --proxy socks5h://127.0.0.1:1080 https://icanhazip.com

# Or configure your browser:
# Firefox: Settings → Network → SOCKS Host: 127.0.0.1, Port: 1080
# Chrome:  chrome --proxy-server="socks5://127.0.0.1:1080"

Self-host your own server

# Generate keypair:
./nooshdaroo-server --gen-key

# Set up DNS (at your registrar):
# t.example.com.  NS  ns.example.com.
# ns.example.com. A   <your-server-ip>

# Start the server:
./nooshdaroo-server --udp 0.0.0.0:53 --privkey <hex> t.example.com socks5

# Connect a client:
./nooshdaroo --domain t.example.com --pubkey <pubkey> --resolver 8.8.8.8