DoHzel Proxy

Advanced DNS Protection System by DoHzel

Introduction

DoHzel Proxy is a product of Hafnova SA designed to secure a network (personal or corporate) through DNS. It can be easily installed on various systems such as Linux, MacOS, or Windows.

DoHzel Proxy leverages threat intelligence data from Hafnova's ThreadDB, which includes millions of entries of domains known for conducting digital crimes.

Its operation is straightforward. Once installed, you'll need to enroll your installation for the proxy to be recognized, which requires no account. The installation, at this stage, is anonymous. However, you can still manage what you want to block and change the blocking mode.

If you wish to delve deeper into managing your equipment, you can enroll it in a Hafnova Profile, allowing centralized management of multiple installations, groups, and permissions. You will need to create an account on Hafnova's management app for this purpose.

Download

• Linux Version [x64, arm64]
• MacOS Version [Apple Silicon, Intel]
• Windows Version [x64, arm64]

Installation

Initialization

First, download the application, for example on Linux (you must be root)

cd /root
wget https://download.hafnova.com/dohzel-proxy/dohzel-proxy.linux-x64-latest.bin
chmod +x dohzel-proxy.linux-x64-latest.bin

If you are on Linux, it is recommended to install DoHzel Proxy as a systemd service

./dohzel-proxy.linux-x64-latest.bin service

Then, you need to initialize the local configuration files of DoHzel Proxy

./dohzel-proxy.linux-x64-latest.bin init

Finally, you will need to enroll your devices to receive security updates from ThreadDB

./dohzel-proxy.linux-x64-latest.bin enroll

State Verification

At any time, you can check the status of your installation with the "status" command

./dohzel-proxy.linux-x64-latest.bin status

Note that this command returns, among other things, a "Rebound URL" address where you can connect to manage the advanced settings of your devices.

Server Launch

If you have installed DoHzel Proxy as a service, you can start the server via the systemd command

systemctl start dohzel-proxy.service

Otherwise, you can launch the DoHzel Proxy server in standalone mode using the command

dohzel-proxy server

Operation Modes

DoHzel Proxy has 3 operation modes:

• DNS2eDOH: This is the default mode where requests are filtered and resolved by Hafnova. Requests are encrypted using TLS + DOH. This approach is recommended in most cases and is the default behavior of the software.
• DNS2iDOH: Unlike DNS2eDOH mode, requests are not resolved by Hafnova but by your preferred DOH server. For example, you can use Quad9's DOH (or your own) as a resolver while retaining DoHzel filtering.
• DNS2DNS: Similar to DNS2iDOH mode, requests are filtered, but the DOH protocol is not used; instead, the DNS protocol is used to send recursive DNS requests. Thus, you lose DOH encryption but gain a simpler way to integrate DoHzel Proxy into your infrastructure, especially when you have your own DNS servers.

You will use these modes according to your needs.

After installation, you can change mode at any time via the command (no restart required).

dohzel-proxy mode DNS2eDOH

Conditional Forwarding

DoHzel Proxy offers a particularly important and powerful feature that allows an administrator to redirect DNS traffic from a domain to a specific DNS server. The system accepts both domains and regex.

Introduced in version 2.1.0, you can get help by entering the following command:

dohzel-proxy forwarding --help

You can check the status of conditional forwarding in DoHzel Proxy at any time using the following command:

dohzel-proxy forwarding list
---------------------------------------------------------------
| ID     | Priority | Type   | Rule       | Destination       |
| 71DE4D | 1        | domain | domain.lo  | (dns) 10.10.2.4   |
| 438770 | 2        | regex  | hafnova    | (dns) 10.10.2.4   |
| 29859E | 4        | domain | google.com | (dns) 10.10.9.40  |
---------------------------------------------------------------

• The ID column is a random identifier generated when the rule is created.
• The Priority defines the order in which the rule will be executed.
• The Type column indicates whether a domain or a regex is used for rule detection. For domains, all subdomains will also be detected.
• The Rule column specifies the rule (domain or regex).
• The Destination column defines which DNS server the DNS query will be routed to if the rule is detected.

NOTE: If none of the rules are found, the default operating mode will be applied. By default, the query will be transmitted in DoH on the Hafnova infrastructure. Additionally, it is not necessary to restart the server to see the applied changes; they are applied immediately.

Create a Conditional Entry

If you need to redirect a local domain to your preferred DNS server, for example for an Active Directory, you can adapt the example below:

dohzel-proxy forwarding create domain mydomain.local 10.10.2.4 -p 4

The -p (or --priority) option gives a priority of 4 to the rule, with conditions being executed in ascending order. The smallest number has the highest priority.

In some cases, it may be necessary to create a condition based on a regex rather than a domain. For example, if I want to create a rule that redirects all domains containing google in the query:

dohzel-proxy forwarding create regex google 10.10.2.3 -p 2

NOTE: With or without conditional forwarding, DoHzel Proxy will check the domain before rerouting it. This prevents bypass techniques from being established in the DNS security architecture.

Modify an Entry

Currently, it is possible to modify the priority of a rule. For example, if I want to change the priority of a rule via its ID:

dohzel-proxy forwarding change 71DE4D -p 100

In the example above, the rule 71DE4D will have its priority changed to 100.

Remove an Entry

You can delete a rule at any time using its ID:

dohzel-proxy forwarding remove 71DE4D