DoHzel Proxy

Advanced DNS Protection System by DoHzel

Introduction

DoHzel Proxy is a product of Hafnova SA designed to secure a network (personal or corporate) through DNS. It can be easily installed on various systems such as Linux, macOS, or Windows.

DoHzel Proxy leverages threat intelligence data from Hafnova's ThreadDB, which includes millions of entries for domains known for conducting digital crimes.

Its operation is straightforward. Once installed, you'll need to enroll your installation for the proxy to be recognized, which requires no account. The installation, at this stage, is anonymous. However, you can still manage what you want to block and change the blocking mode.

If you wish to delve deeper into managing your equipment, you can enroll it in a Hafnova Profile, allowing centralized management of multiple installations, groups, and permissions. You will need to create an account on Hafnova's management app for this purpose.

Download

Installation

Initialization

First, download the application. For example, on Linux (you must be root):

cd /root
wget https://download.hafnova.com/dohzel-proxy/dohzel-proxy.linux-x64-latest.bin
chmod +x dohzel-proxy.linux-x64-latest.bin

If you are on Linux, it is recommended to install DoHzel Proxy as a systemd service

./dohzel-proxy.linux-x64-latest.bin service

Then, you need to initialize the local configuration files of DoHzel Proxy

./dohzel-proxy.linux-x64-latest.bin init

Finally, you will need to enroll your devices to receive security updates from ThreadDB

./dohzel-proxy.linux-x64-latest.bin enroll

State Verification

At any time, you can check the status of your installation with the "status" command

./dohzel-proxy.linux-x64-latest.bin status

Note that this command returns, among other things, a "Rebound URL" address where you can connect to manage the advanced settings of your devices.

Server Launch

If you have installed DoHzel Proxy as a service, you can start the server via the systemd command

systemctl start dohzel-proxy.service

Otherwise, you can launch the DoHzel Proxy server in standalone mode using the command

dohzel-proxy server

Operation Modes

DoHzel Proxy has 3 operation modes:

You will use these modes according to your needs.

After installation, you can change mode at any time via the command (no restart required).

dohzel-proxy mode DNS2eDOH

Conditional Forwarding

DoHzel Proxy offers a particularly important and powerful feature that allows an administrator to redirect DNS traffic from a domain to a specific DNS server. The system accepts both domains and regex.

This feature was introduced in version 2.1.0. You can get help by entering the following command:

dohzel-proxy forwarding --help

You can check the status of conditional forwarding in DoHzel Proxy at any time using the following command:

dohzel-proxy forwarding list
---------------------------------------------------------------
| ID     | Priority | Type   | Rule       | Destination       |
| 71DE4D | 1        | domain | domain.lo  | (dns) 10.10.2.4   |
| 438770 | 2        | regex  | hafnova    | (dns) 10.10.2.4   |
| 29859E | 4        | domain | google.com | (dns) 10.10.9.40  |
---------------------------------------------------------------

NOTE: If no rule matches the query, the default operating mode is applied. By default, the query is sent over DoH to the Hafnova infrastructure. Additionally, it is not necessary to restart the server for changes to take effect; they are applied immediately.

Create a Conditional Entry

If you need to redirect a local domain to your preferred DNS server, for example for an Active Directory, you can adapt the example below:

dohzel-proxy forwarding create domain mydomain.local 10.10.2.4 -p 4

The -p (or --priority) option gives a priority of 4 to the rule, with conditions being executed in ascending order. The smallest number has the highest priority.

In some cases, it may be necessary to create a condition based on a regex rather than a domain. For example, if I want to create a rule that redirects all domains containing google in the query:

dohzel-proxy forwarding create regex google 10.10.2.3 -p 2

NOTE: With or without conditional forwarding, DoHzel Proxy will check the domain before rerouting it. This prevents bypass techniques from being established in the DNS security architecture.
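
A regex rule such as "google" matches every query name that contains the string, so it is worth checking which names a rule set actually captures before relying on it. The following is an added example, not Hafnova code: a small Python model of the priority evaluation described above. It assumes that domain rules also cover subdomains, that regex rules are unanchored searches, and that the anchored pattern shown is accepted by the product; rule IDs and query names are constructed.

```python
import re

# Constructed rule table, shaped like `dohzel-proxy forwarding list` rows:
# (id, priority, type, rule, destination). IDs are placeholders.
RULES = [
    ("RULE-A", 4, "domain", "mydomain.local", "10.10.2.4"),
    ("RULE-B", 2, "regex", "google", "10.10.2.3"),
]
# Same table with the regex anchored to google.com and its subdomains.
TIGHT = [RULES[0], ("RULE-B", 2, "regex", r"(^|\.)google\.com$", "10.10.2.3")]

DEFAULT = "default-mode"  # no rule matched: default operating mode applies


def matches(rule_type, rule, qname):
    if rule_type == "domain":
        # Assumption: a domain rule covers the name and its subdomains.
        return qname == rule or qname.endswith("." + rule)
    # Assumption: regex rules are unanchored searches ("containing").
    return re.search(rule, qname) is not None


def resolve(rules, qname):
    """Return (rule id, destination) of the first match, lowest priority number first."""
    qname = qname.rstrip(".").lower()
    for rule_id, _prio, rule_type, rule, dest in sorted(rules, key=lambda r: r[1]):
        if matches(rule_type, rule, qname):
            return rule_id, dest
    return None, DEFAULT


def overbroad(loose, tight, samples):
    """Names the loose table forwards somewhere the tight table does not."""
    return [n for n in samples if resolve(loose, n) != resolve(tight, n)]


# Constructed query names for the audit.
SAMPLES = [
    "www.google.com",
    "google-login.unrelated.example",
    "google.mydomain.local",
    "dc1.mydomain.local",
    "example.org",
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:32} loose={resolve(RULES, name)} tight={resolve(TIGHT, name)}")
    print("over-broad matches:", overbroad(RULES, TIGHT, SAMPLES))
```

In this model the loose rule also takes "google.mydomain.local" away from the Active Directory rule, because priority 2 is evaluated before priority 4.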

Modify an Entry

Currently, it is possible to modify the priority of a rule. For example, if I want to change the priority of a rule via its ID:

dohzel-proxy forwarding change 71DE4D -p 100

In the example above, the rule 71DE4D will have its priority changed to 100.

Remove an Entry

You can delete a rule at any time using its ID:

dohzel-proxy forwarding remove 71DE4D