miekg/dns

DNS is the system that translates a web address like "example.com" into the numerical address a computer actually uses to connect. This Go library gives programmers a complete toolkit for working with DNS at a low level, both from the client side (looking things up) and from the server side (answering requests). It is deliberately small: the authors follow a philosophy of not providing convenience wrappers for things that are straightforward to write yourself in Go. The library supports all standard DNS record types, including the security extensions known as DNSSEC, which let DNS responses be cryptographically signed so receivers can verify they have not been tampered with. It handles key generation, signing, and validation for several common algorithms. It also supports encrypted DNS over TLS, which wraps the usual DNS traffic in an encrypted channel so the query contents cannot be read in transit. Beyond basic lookups, the library covers zone file parsing, dynamic updates, TSIG authentication (a way to sign DNS messages using a shared secret), and zone transfers, which are the mechanism servers use to replicate their data to backup servers. It tracks the DNS standards closely, with a long list of RFCs implemented covering decades of specifications. The library has been picked up by a wide range of projects, including CoreDNS (a widely used DNS server), HashiCorp Consul (a service networking tool), and many others across the DNS tooling ecosystem. It has been maintained since 2010 and remains actively used, though the authors note that a new version 2 is now available at a separate location on Codeberg and is roughly twice as fast. This repository is in maintenance mode, receiving fixes but no new features. If you need to build a DNS resolver, a custom DNS server, a security auditing tool, or anything else that speaks DNS natively, this library provides the foundation. It requires Go and installs through the standard Go module system.