
Unified IPv6 DNS Security

Scope

djbdnscurve6 is a fork of djbdns combining

The decrypting djbdnscurve6 stub resolver can also be used as a standard library by other programs.

Heritage

While djbdns, Daniel Bernstein's DNS content and cache server implementation, is unsurpassed, it lacks IPv6 support. On top of Felix von Leitner's IPv6 add-on I have included Matthew Dempsky's DNSCurve patch, which follows Bernstein's approach, to provide a complete solution.

In order to achieve DNS message encryption on the server side, you need to install Harm van Tilborg's CurveDNS server alongside the NaCl library by Daniel Bernstein, Tanja Lange, and Peter Schwabe.

Architecture of djbdnscurve6

DNS applies a client/server architecture with three different components:

  1. The DNS stub resolver, part of the application or the operating system.
  2. The DNS forwarder or cache server, reachable on the same host or remotely; in particular at the edge of the intranet, typically resolving names of services on the Internet.
  3. One or more DNS name servers (content servers), hosted in-house or outsourced to other companies.

djbdnscurve6 provides applications and a library to cover all of these roles, and in particular to separate the intranet from the Internet with respect to name resolution (split horizon).

CurveDNS enabled DNS Cache server/full resolver

This is a sketch of the dnscache solution:

Figure 1: Concept and layout of dnscache; IP addresses are examples

Some features:

CurveDNS enabled DNS content server

To benefit from encrypted DNS messages, the DNS content server has to be CurveDNS aware. Harm van Tilborg, Jeroen Scheerder, and Lieuwe Jan Koning provide a generic solution that does not depend on a particular name server implementation, while providing a

For forthcoming releases of djbdnscurve6, I plan to integrate this capability natively into tinydns as well.

Sources & Downloads

Please be aware that, although it tries to provide an abstraction layer, djbdnscurve6 is quite complex and attention should be paid to each step.

Dependencies

Prior to installing djbdnscurve6 you need to meet the following requirements and verify that each of them has been installed successfully:

Co-dependency

If you plan to set up your own CurveDNS name service, use:

You need to generate a Curve25519 key pair, encode its public key into the host name of your name server, use that name as the target of the NS record in the delegation, and publish it together with the matching A/AAAA records. CurveDNS-aware resolvers recognise the key from that name and encrypt their queries to the server.
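The key material this step needs, as an added example that is not part of djbdnscurve6 or CurveDNS (CurveDNS ships its own key generator for production use, and this block is only meant to make the mechanism visible): an X25519 key pair generated per RFC 7748, the public key encoded into the "uz5..." host name label that DNSCurve uses to advertise a server's key, and the decoding a CurveDNS-aware cache performs on an NS target to recover that key and derive the shared secret. This covers both the "content server has to be CurveDNS aware" point above and the delegation step here. The base-32 alphabet, the uz5 prefix and the 51-digit length are taken from the DNSCurve specification; the little-endian, 5-bits-per-digit bit order is my reading of that specification and should be cross-checked against real CurveDNS names before use, and all function names and the sample host names are assumptions of this example.

```python
"""X25519 key pair plus DNSCurve-style name encoding (added example, not project code)."""
import os
from typing import Optional, Tuple

P = 2**255 - 19              # Curve25519 field prime
A24 = 121665                 # (486662 - 2) / 4, RFC 7748 section 5
BASEPOINT = 9                # u-coordinate of the X25519 base point
ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"   # DNSCurve base-32 alphabet
PREFIX = "uz5"               # DNSCurve key label prefix
DIGITS = 51                  # 51 * 5 = 255 bits, enough for a reduced u-coordinate


def _clamp(scalar: bytes) -> int:
    """RFC 7748 scalar clamping: clear low 3 bits, clear bit 255, set bit 254."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5; returns k*u as a u-coordinate."""
    k = _clamp(scalar)
    x1 = u % P
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return x2 * pow(z2, P - 2, P) % P


def shared_secret(private_key: bytes, peer_public_key: bytes) -> bytes:
    """Raw X25519 shared secret; the peer key's top bit is masked per RFC 7748."""
    u = int.from_bytes(peer_public_key, "little") & ((1 << 255) - 1)
    return x25519(private_key, u).to_bytes(32, "little")


def public_key(private_key: bytes) -> bytes:
    return x25519(private_key, BASEPOINT).to_bytes(32, "little")


def generate_keypair() -> Tuple[bytes, bytes]:
    """Fresh private key from the OS CSPRNG and its public key."""
    sk = os.urandom(32)
    return sk, public_key(sk)


def encode_name(pk: bytes) -> str:
    """32-byte public key -> 54-character DNSCurve label 'uz5' + 51 base-32 digits."""
    if len(pk) != 32:
        raise ValueError("Curve25519 public key must be 32 bytes")
    n = int.from_bytes(pk, "little")
    if n >> 255:
        raise ValueError("top bit set: not a reduced Curve25519 u-coordinate")
    # digit i carries bits 5i..5i+4 of the key, least significant first (assumed order)
    return PREFIX + "".join(ALPHABET[(n >> (5 * i)) & 31] for i in range(DIGITS))


def decode_name(label: str) -> Optional[bytes]:
    """Reverse of encode_name; None for labels that are not DNSCurve key labels.
    DNS labels are case-insensitive, so the check is done in lower case."""
    label = label.lower()
    if len(label) != len(PREFIX) + DIGITS or not label.startswith(PREFIX):
        return None
    n = 0
    for i, ch in enumerate(label[len(PREFIX):]):
        v = ALPHABET.find(ch)
        if v < 0:
            return None
        n |= v << (5 * i)
    return n.to_bytes(32, "little")


def key_from_nameserver(ns_target: str) -> Optional[bytes]:
    """What a CurveDNS-aware cache does with an NS target: inspect the first label."""
    first_label = ns_target.strip(".").split(".")[0]
    return decode_name(first_label)


if __name__ == "__main__":
    sk, pk = generate_keypair()
    # Hypothetical delegation: the uz5 label becomes the name server's host name.
    print("NS target:", encode_name(pk) + ".ns.example.net.")
```

Only the public key travels in the name; the private key stays on the content server, and the cache never needs it because each side derives the same shared secret from its own private key and the other side's published key.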

Download

Version & Download: djbdnscurve6-34
Description: The second public release of djbdnscurve6, providing IPv4/IPv6 dual-stack servers.
Verification Code: MD5: f40dd8aebf44286c8592ca5435da481d
Build: 20190315163826
Documentation: doxygen

Note that an MD5 checksum only detects accidental corruption of the download; it does not protect against a deliberately substituted archive, so obtain it from a trusted channel.

Installation and Setup

For more details read the INSTALL document that comes with the software.

Release Management & Defects

Naming conventions:

Reference      Type       Description                                                                     State
[20190227#1]   Bug/Error  dnscache does not log the IP address of rejected client connections (UDP/TCP)   fixed in v34

Forthcoming releases:

Module Documentation

Though djbdnscurve6 tries to stay compatible with former versions, it differs from djbdns in many ways and you need to get accustomed to it. Thus, please read the following documents regarding the servers:

Application   Miscellaneous                                          Description
axfrdns       axfrdns-conf                                           AXFR DNS zone transfer server; requires tcpserver or sslserver
axfr-get                                                             AXFR DNS zone transfer client; requires tcpclient or sslclient
dnscache      dnscache-conf, dnscache-log                            DNS cache server and iterative resolver (supporting UDP, TCP, and EDNS0)
rbldns        rbldns-conf                                            Realtime Black (and white) List (RBL) server for IPv4 and IPv6
tinydns       tinydns-conf, tinydns-data, tinydns-edit, tinydns-log  UDP based DNS content server
walldns       walldns-conf                                           UDP based reverse DNS wall server

The DNS lookup clients and diagnostic tools are kept API-compatible with djbdns 1.05; thus we have:

Recursive lookup clients   Diagnostic tools
dnsip                      dnsq
dnsmx                      dnsqr
dnsname                    dnstrace
dnstxt                     dnsfilter

Other Points of Interest