Advanced DNS Protection System by DoHzel
DoHzel Proxy is a product of Hafnova SA designed to secure a network (personal or corporate) at the DNS layer. It installs easily on Linux, macOS, or Windows.
DoHzel Proxy leverages threat intelligence data from Hafnova's ThreadDB, which includes millions of entries of domains known for conducting digital crimes.
Its operation is straightforward. Once installed, you enroll your installation so that the proxy is recognized; this requires no account, so at this stage the installation is anonymous. You can nevertheless manage what you want to block and change the blocking mode.
For more advanced management of your devices, you can enroll them in a Hafnova Profile, which allows centralized management of multiple installations, groups, and permissions. This requires creating an account on Hafnova's management app.
First, download the application, for example on Linux (you must be root):
cd /root
wget https://download.hafnova.com/dohzel-proxy/dohzel-proxy.linux-x64-latest.bin
chmod +x dohzel-proxy.linux-x64-latest.bin
If you are on Linux, it is recommended to install DoHzel Proxy as a systemd service:
./dohzel-proxy.linux-x64-latest.bin service
Then initialize the local configuration files of DoHzel Proxy:
./dohzel-proxy.linux-x64-latest.bin init
Finally, enroll your device so that it receives security updates from ThreadDB:
./dohzel-proxy.linux-x64-latest.bin enroll
At any time, you can check the status of your installation with the "status" command:
./dohzel-proxy.linux-x64-latest.bin status
Note that this command returns, among other things, a "Rebound URL" address where you can connect to manage the advanced settings of your devices.
If you have installed DoHzel Proxy as a service, you can start the server with systemd:
systemctl start dohzel-proxy.service
Otherwise, you can launch the DoHzel Proxy server in standalone mode with the command:
dohzel-proxy server
DoHzel Proxy has three operation modes, and you choose one according to your needs.
After installation, you can change the mode at any time with the following command; no restart is required:
dohzel-proxy mode DNS2eDOH
DoHzel Proxy offers a particularly important and powerful feature, conditional forwarding, that allows an administrator to redirect the DNS traffic of a domain to a specific DNS server. A rule can match either a domain or a regular expression.
Conditional forwarding was introduced in version 2.1.0. You can get help with the following command:
dohzel-proxy forwarding --help
You can check the status of conditional forwarding in DoHzel Proxy at any time using the following command:
dohzel-proxy forwarding list
---------------------------------------------------------------
| ID     | Priority | Type   | Rule       | Destination       |
| 71DE4D | 1        | domain | domain.lo  | (dns) 10.10.2.4   |
| 438770 | 2        | regex  | hafnova    | (dns) 10.10.2.4   |
| 29859E | 4        | domain | google.com | (dns) 10.10.9.40  |
---------------------------------------------------------------
NOTE: If no rule matches, the default operating mode applies: by default, the query is sent over DoH to the Hafnova infrastructure. Changes to forwarding rules take effect immediately; the server does not need to be restarted.
If you need to redirect a local domain to your preferred DNS server, for example for an Active Directory domain, adapt the example below:
dohzel-proxy forwarding create domain mydomain.local 10.10.2.4 -p 4
The -p (or --priority) option gives the rule a priority of 4. Rules are evaluated in ascending order of priority: the smallest number has the highest priority.
In some cases, it may be necessary to create a condition based on a regex rather than a domain. For example, to redirect every query whose name contains google:
dohzel-proxy forwarding create regex google 10.10.2.3 -p 2
NOTE: With or without conditional forwarding, DoHzel Proxy checks the queried domain against its threat intelligence before forwarding it. A forwarding rule therefore cannot be used to bypass the DNS security checks.
You can also modify the priority of an existing rule by its ID. For example:
dohzel-proxy forwarding change 71DE4D -p 100
In the example above, the rule 71DE4D will have its priority changed to 100.
You can delete a rule at any time using its ID:
dohzel-proxy forwarding remove 71DE4D
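To make the rule-evaluation semantics described above concrete (ascending priority, first match wins, default DoH fallback, and the threat check that runs before any forwarding), here is an added simulation in Python. It is example code written for this page, not DoHzel Proxy's own implementation, and it makes several assumptions the documentation does not state: a "domain" rule is taken to cover the domain and its subdomains, a "regex" rule is matched with Python's re.search (the text says "containing"), rules with equal priority are evaluated in listing order, the rule ID A1B2C3 for the google regex rule is hypothetical, and the blocklist standing in for ThreadDB is a constructed set. The sample table is the one shown above with the regex rule from the "google" example added at priority 2.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the format of `dohzel-proxy forwarding list` (not
# captured from a live system). The google regex rule is the one created
# with `forwarding create regex google 10.10.2.3 -p 2`; its ID is hypothetical.
FORWARDING_LIST = """\
---------------------------------------------------------------
| ID     | Priority | Type   | Rule       | Destination       |
| 71DE4D | 1        | domain | domain.lo  | (dns) 10.10.2.4   |
| 438770 | 2        | regex  | hafnova    | (dns) 10.10.2.4   |
| A1B2C3 | 2        | regex  | google     | (dns) 10.10.2.3   |
| 29859E | 4        | domain | google.com | (dns) 10.10.9.40  |
---------------------------------------------------------------
"""

# Default when no rule matches: DoH to the Hafnova infrastructure.
DEFAULT_DESTINATION = "(doh) hafnova"

# Constructed stand-in for the ThreadDB lookup; the real database is remote.
BLOCKED = {"totallyevilgoogle.test"}


@dataclass
class Rule:
    rule_id: str
    priority: int
    kind: str
    pattern: str
    destination: str

    def matches(self, qname: str) -> bool:
        name = qname.rstrip(".").lower()
        if self.kind == "domain":
            # Assumption: a domain rule covers the domain and its subdomains.
            d = self.pattern.lower()
            return name == d or name.endswith("." + d)
        if self.kind == "regex":
            # "Containing" the pattern: an unanchored search.
            return re.search(self.pattern, name) is not None
        raise ValueError(f"unknown rule type {self.kind!r}")


def parse_forwarding_list(text: str) -> list[Rule]:
    """Parse the pipe-delimited table printed by `forwarding list`."""
    rules: list[Rule] = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # dashed border lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0] == "ID":
            continue  # header row
        rid, prio, kind, pattern, dest = cells
        rules.append(Rule(rid, int(prio), kind, pattern, dest))
    return rules


def resolve_destination(qname: str, rules: list[Rule]) -> tuple[str | None, str]:
    """First matching rule in ascending priority order (sorted() is stable,
    so equal priorities keep listing order); otherwise the default."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(qname):
            return rule.rule_id, rule.destination
    return None, DEFAULT_DESTINATION


def route_query(qname: str, rules: list[Rule], blocked=BLOCKED) -> str:
    """Threat check first, forwarding second: a blocked name is refused even
    when a forwarding rule would otherwise send it to a local resolver."""
    if qname.rstrip(".").lower() in blocked:
        return "blocked"
    return resolve_destination(qname, rules)[1]


def change_priority(rules: list[Rule], rule_id: str, new_priority: int) -> list[Rule]:
    """Equivalent of `forwarding change <ID> -p <N>` on the in-memory table."""
    for rule in rules:
        if rule.rule_id == rule_id:
            rule.priority = new_priority
            return rules
    raise KeyError(rule_id)


if __name__ == "__main__":
    table = parse_forwarding_list(FORWARDING_LIST)
    for q in ("host.domain.lo", "www.google.com", "www.hafnova.com",
              "example.org", "totallyevilgoogle.test"):
        print(f"{q:24} -> {route_query(q, table)}")
    # Demote the google regex rule: the domain rule at priority 4 now wins.
    change_priority(table, "A1B2C3", 100)
    print(f"{'www.google.com':24} -> {route_query('www.google.com', table)} (after change)")
```

The www.google.com case is the one worth noticing: it matches both the regex rule (priority 2) and the domain rule (priority 4), so the regex rule's destination 10.10.2.3 wins until its priority is raised to 100, after which the query goes to 10.10.9.40. Whether the real proxy matches subdomains for a "domain" rule, and how it orders rules of equal priority, should be confirmed against `forwarding list` on your own installation.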