A standard URL format for sharing DNS-tunneled proxy configurations across clients and apps.
The dnst:// scheme encodes everything a client needs to connect through a DNS tunnel — the transport (DNSTT, VayDNS, Slipstream, MasterDNS, ...), the backend service behind it (SOCKS, SSH, Shadowsocks, ...), and any transport- or backend-specific parameters — in a single shareable link.
The goal of this repo is to define a single source of truth that all DNS-tunneling clients and management tools can implement, replacing the fragmented per-project formats in use today.
Version 1.0 of this spec was designed around the following transports and backends:
Transports
Backends
- SOCKS5
- SSH (password or private key)
- Shadowsocks — used with Slipstream via SIP003, or with DNSTT via the Mygod/dnstt fork which adds a server-side SIP003 wrapper
- Custom — arbitrary TCP service forwarding (e.g. VLESS, VMESS, or any other protocol)
The format is intentionally extensible — new transports and backends can be added without changing the URL grammar. See §7 of SPEC.md for guidance.
IP-level DNS tunnels like iodine are intentionally not covered in v1.0. These create a TUN interface and expose raw L3 packets rather than a userspace TCP stream, so the "transport + backend" model this spec is built around does not apply to them. A future version may add an optional no-backend mode if there is demand.
- SPEC.md — the formal specification: URL grammar, parameter table, encoding rules, and the equivalent base64-JSON form
- EXAMPLES.md — concrete example URLs for each transport and backend combination
Stable — v1.0. See net2share/vaydns#49 for the conversation that led to this spec.
- DNSTM — DNS tunnel manager (planned)
- DNSTC — DNS tunnel client (planned)
- Hiddify — multi-protocol proxy client (planned)
- SlipNet — Android proxy client (planned)
- SlipGate — Linux server tunnel manager (planned)
If you're implementing dnst:// in your project, open a PR to add it here.