gloryhole

What problem does it solve?

It provides fast, controllable DNS resolution with ad-blocking and fine-grained policy, without relying on untrusted upstreams for recursive behavior.

Core Features & Use Cases

• Policy-driven DNS handling: Uses an expr-based engine to decide BLOCK / ALLOW / REDIRECT / FORWARD actions, including domain and IP/CIDR matchers.
• Local authoritative records + CNAME resolution: Serves authoritative records and resolves CNAME chains locally for your internal hostnames.
• Pi-hole-style blocklists with safe updates: Downloads blocklists, applies them via lock-free atomic swaps, and overrides TTL behavior for blocked answers.
• Conditional forwarding with resilient round-robin: Evaluates priority-sorted conditional forwarding rules and forwards to upstreams using a round-robin strategy with circuit breaking and upstream health tracking.
• Embedded Unbound recursion topology: Bundles Unbound recursor in the same runtime (supervised child on loopback) to provide DNSSEC-validated recursion for DoT/DoH use cases.
• Built-in observability and audit trail: Exposes Prometheus metrics, uses OpenTelemetry meter patterns, and logs queries into SQLite asynchronously.

Quick Start

Configure your forwarder/policy/blocklist rules in ~/gloryhole/AGENTS.md, then run the glory-hole binary deployed under ~/gloryhole/ for your chosen home or public DoT/DoH profile.