Unified IPv6 DNS Security
djbdnscurve6 is a fork of djbdns combining
- IPv6 capabilites based on fehQlibs allowing the use of compactified IPv6 and LLU addresses,
- a CurveDNS secured query/response for dnscache based on NaCl with an adopted Methew Dempsky patch,
- including improvements for CNAME caching, and
- allowing a qualification of DNS Name Servers.
- rbldns supporting IPv6 addresses.
- tinydns using compactified IPv6 addresses within the tinydns-data data file.
- Finally, installation is done according to the slashpackage convention.
The decrypting djbdnscurve6 stub resolver can be used as standard lib for other programs.
While DJBDNS is the unsurpassed DNS content and cache server implementation written by Daniel Bernstein, it lacks IPv6 features. Using Felix von Leitner's IPv6 add-on, I have included Matthew Dempsky's DNSCurve patch utilizing Bernstein's approach to provided a full solution.
In order to achieve DNS message encryption on the server side, you need to install Harm von Tilborg's CurveDNS server along-side with Daniel Bernstein's, Tanja Lange's, and Peter Schwabe's NaCl library.
Architecture of djbdnscurve6
DNS applies a client/server architecture with three different components:
- The DNS stub resolver as part of the application/Operating system.
- The DNS Forwarder or Cache server accessible on the same host or remotely; in particular at the edge of the Intranet -- typically accessing services from the Internet.
- Some DNS Name Server -- or Content Server -- hosted inherent or outsourced to other companies.
djbdnscurve6 provides applications and a library to cope with all of those circumstances. In particular, to separate the 'Intranet' from the 'Internet' regarding name resolution (split horizon).
CurveDNS enabled DNS Cache server/full resolver
This is sketch of the dnscache solution:
- Common support for IPv4 and IPv6.
- EDNS0 enabled (thanks Peter Conrad).
- Support for IPv6 LLU addresses (sending and receiving).
- Reverse IPv6 Anycast capabilities (automatic binding to new IPv6 addresses and interfaces) - Software Defined Networking (SDN) enabled.
- Dual-stack operation: Serving IPv4 and IPv6 networks with the same DNS daemon instance.
CurveDNS enabled DNS content server
To benefit from encrypted DNS messages, the DNS content server has to be CurveDNS aware. Harm van Tilborg, Jeroen Schreeder, and Lieuwe Jan Koning provide a generic solution not depending on a particular Name Server implementation while providing a
For the forthcoming releases of djbdnscurve6, I plan to integrated this capability natively into tinydns as well.
Sources & Downloads
Please be aware, that though trying to provide an abstraction layer, djbdnscurve6 is quite complex and attention should be given to each step.
Prior of installing djbdnscurve6 you need to meet the following requirements and verified to have them installed successfully:
- Daemontools: Required for user separation and memory restrictions.
- NaCl Library: Required for cryptographic operations.
- fehQlibs: Required; since djbdnscurve6 includes only application programs (+ stub resolver).
If you plan to setup an own CurveDNS Name Service use:
- CurveDNS (recommended)
You need to generate a qualified Curve25519 public key and use this as AName for your Name Server, provide this for delegation, and publish it.
|Version & Download||Description||Verification||Code|
|djbdnscurve6-34||The second public release of djbdnscurve6 providing IPv4/IPv6 dual-stack servers.|| MD5: f40dd8aebf44286c8592ca5435da481d
Installation and Setup
- Un-tar the djbnscurve6-XY under /package and verify the creation of ./net/djbdnscurve6-XY (it is a slashpackage registered software).
- Edit the conf- files to your needs; in particular conf-nacl needs customisation.
- For setting up the individual services, follow DJB's instructions available via djbdns.
- There are some skeleton installation routines available called conf-tinydns ... for convenience only.
For some more details read the attached INSTALL document coming with the SW.
- Error: Implementation does not conform to reqs, e.g. something is missing.
- Bug: Coding mistake in source file(s).
- Flaw: Wrong/missing description in man-file or any attached documentation.
- RfC: Request for Change: Feature request.
|[20190227#1]||Bug/Error||dnscache does not log IP of rejected client connections for UDP/TCP||fixed in v34|
- djbdnscurve6-35 is scheduled to support CurveDNS natively for tinydns.
- djbdnscurve6-3z shall be multicast enabled.
Though djbdnscurve6 tries to be compatible with former versions, it is different in many ways from djbdns and you need to get accustomed to it. Thus, please read the following documents regarding the servers:
|axfrdns||axfrdns-conf||AXFR DNS zone transfer server; requires tcpserver or sslsever|
|axfr-get||AXFR DNS zone transfer client; requires tcpclient or sslclient|
|DNS cache server and iterative resolver (supporting UDP, TCP, and EDNS0)|
|rbldns||rbldns-conf||Relay Black (and white) List server for IPv4 and IPv6|
|UDP based DNS content server|
|walldns||walldns-conf||UDP based reverse DNS wall server|
The DNS lookup clients and diagnostic tools are kept API-compliant w.r.t. djbdns 1.05; thus we have:
|Recursive lookup clients||Diagnostic tools|
Other Points of Interest
- dq by Jan Mojzis
- djbdns-1.06 (obsolete ?)
- DNSCurve: Usable security for DNS (included)
- dnscache Log File Format (included)
- dnscache tweaking (more or less included)
- TinyDNS Format (not relevant here)
- MaraDNS (perhaps)
- Peter Conrad's tinydnssec
- IPvFuture (?)
- Henning Brauer's Live With djbdns (mostly applicable)
- tinydns w/o Daemontools (if you need it)