A Cloudflare Worker that optimizes CDN routing by intelligently handling EDNS Client Subnet (ECS). It dual-resolves DNS queries using both the client's actual IP and an alternative IP (e.g., VPN exit IP) to select the best response, ensuring optimal performance and content availability.
- Smart Routing: Prioritizes local CDN nodes by checking if the resolved IP matches the client's country.
- VPN Optimization: Falls back to an alternative IP resolution if the local lookup fails to match the country, ensuring access through VPNs.
- Privacy First: Encrypts DNS queries via HTTPS, protecting against eavesdropping.
- D1 Database: Uses Cloudflare D1 for efficient Geolocation lookups.
Before deploying, ensure you have:
- A Cloudflare account.
- A MaxMind account (for the GeoIP database).
- A GitHub account.
This project uses GitHub Actions for automated deployment and initialization. You do not need to install any tools locally.
Fork this repository to your own GitHub account.
Go to your forked repository's Settings > Secrets and variables > Actions, and add the following Repository secrets:
| Secret Name | Description |
|---|---|
| `CLOUDFLARE_API_TOKEN` | Your Cloudflare API Token (Permissions: Worker Scripts: Edit, D1: Edit). Get it here. |
| `CLOUDFLARE_ACCOUNT_ID` | Your Cloudflare Account ID. Found in the URL of your Cloudflare Dashboard. |
| `MAXMIND_ACCOUNT_ID` | Your MaxMind Account ID. |
| `MAXMIND_LICENSE_KEY` | Your MaxMind License Key. |
| `UPSTREAM_ENDPOINT` | (Optional) Custom upstream DoH server (Default: `https://dns.google/dns-query`). |
The deployment workflow runs automatically:
- Enable Workflows: Go to the Actions tab in your repository and enable workflows if asked.
- Trigger Deployment: The workflow runs automatically on every push to the `main` branch. You can also manually trigger it from the Actions tab by selecting the "Deploy" workflow and clicking Run workflow.
- Automatic Setup: The workflow will automatically download the GeoIP database, create the D1 database (`doh-country-db`), import the data, and deploy the worker.
The worker is configured primarily through the GitHub Secrets defined above.
The DoH endpoint accepts requests in the following format:
```
https://<your-worker-domain>/client-ip/<IP>/client-country/<COUNTRY_CODE>/alternative-ip/<ALT_IP>/dns-query
```
| Parameter | Description | Required | Source Priority |
|---|---|---|---|
| `client-ip` | The client's real IP address. | No | URL Path > `CF-Connecting-IP` header |
| `client-country` | The 2-letter ISO country code of the client. | No | URL Path > `CF-IPCountry` header |
| `alternative-ip` | The IP address to use for the secondary resolution (e.g., VPN exit). | Yes | URL Path |
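The path values are caller-supplied, so they should be validated before they feed an ECS option or a D1 lookup. The following is an added example, not the project's own code: it resolves the three parameters with the source priority from the table and rejects malformed values. The function names, the acceptance of parameters in any order, and the exact validation rules are assumptions.

```javascript
// Added example; parseDohRequest and isIp are hypothetical names, not the project's code.
const OCTET = "(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";
const IPV4 = new RegExp(`^${OCTET}(\\.${OCTET}){3}$`);
const KEYS = new Set(["client-ip", "client-country", "alternative-ip"]);

function isIp(s) {
  if (IPV4.test(s)) return true;
  // IPv6: restrict the alphabet first, then let the URL parser validate the literal.
  if (!/^[0-9a-fA-F:.]+$/.test(s) || !s.includes(":")) return false;
  try { new URL(`http://[${s}]/`); return true; } catch { return false; }
}

// headers: anything with .get(name), e.g. request.headers in a Worker.
function parseDohRequest(url, headers) {
  const parts = new URL(url).pathname.split("/").filter(Boolean);
  if (parts.pop() !== "dns-query" || parts.length % 2 !== 0) {
    return { ok: false, error: "path must be key/value pairs ending in /dns-query" };
  }
  const fromPath = {};
  for (let i = 0; i < parts.length; i += 2) {
    if (!KEYS.has(parts[i])) return { ok: false, error: `unknown parameter ${parts[i]}` };
    fromPath[parts[i]] = parts[i + 1];
  }
  // Source priority from the table: URL path first, then the Cloudflare header.
  const clientIp = fromPath["client-ip"] ?? headers.get("CF-Connecting-IP");
  const country = String(
    fromPath["client-country"] ?? headers.get("CF-IPCountry") ?? ""
  ).toUpperCase();
  const altIp = fromPath["alternative-ip"]; // required, URL path only
  if (!altIp || !isIp(altIp)) return { ok: false, error: "alternative-ip missing or invalid" };
  if (!clientIp || !isIp(clientIp)) return { ok: false, error: "client-ip missing or invalid" };
  if (!/^[A-Z]{2}$/.test(country)) return { ok: false, error: "client-country missing or invalid" };
  return { ok: true, clientIp, country, altIp };
}
```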
```
curl "https://doh.subdomain.workers.dev/client-ip/223.5.5.5/client-country/CN/alternative-ip/8.8.8.8/dns-query?dns=<BASE64_DNS_QUERY>"
```

Contributions are welcome! Please feel free to open issues or submit pull requests.