Consulting djbware Publications

walldns

Purpose

walldns statelessly handles iterative PTR and A/AAAA queries for your domain, responding with a generic answer and thus not disclosing information about your IP address space. Any PTR query is answered with an IPv4 or IPv6 name from the domain in-addr.arpa or ip6.arpa, respectively. walldns therefore needs a delegation for your reverse zone from your superior name server. It supports DNSCurve-encrypted queries and responses in the 'streamline' as well as in the 'txt' format. walldns, however, does not support DNSSEC. walldns can bind simultaneously to IPv4 and IPv6 network addresses and supports 'reverse IPv6-anycasting'.

Programs

System Setup

It is preferable to install D.J. Bernstein's daemontools or Bruce Guenter's daemontools-encore. A further alternative is Gerrit Pape's runit, though in principle systemd and any of its derivatives, or the s6 toolbox for managing Unix services, will do.

Given either of the first two, walldns-conf can be used to set up walldns.

walldns runs chrooted under a particular user, typically walldns, and its service directory is usually located at /etc/walldns.

The run script for walldns looks like:

#!/bin/sh
exec 2>&1
exec envdir ./env sh -c '
  exec envuidgid walldns /usr/local/bin/walldns
'

Here, envdir is used to read walldns's ./env directory and populate the required environment variables.

walldns logs to STDOUT, which should be managed by multilog under a dedicated system user with log rotation.

A run script for multilog can be very generic:

#!/bin/sh
exec setuidgid daemon multilog t s1677721 /var/log/walldns

Note that walldns itself writes condensed log lines without a timestamp; multilog adds one when it appends the line to the current log file. It is therefore advisable to restrict the log file size.

Service Configuration

walldns can run in two different security modes:

The main walldns settings are provided in the directory ./env. Here one defines, in particular, the following files:

Content Configuration

Although walldns comes with a ./root/ directory, which is created automatically by walldns-conf, walldns does not require any particular DNS content to be configured: all DNS responses are generated automatically from the query.
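As an added illustration (not walldns's own code), the following Python models the rule described under Purpose and here: every answer is synthesised from the query name alone, so the server holds no address plan that could leak. It assumes the djbdns walldns convention that a PTR query for a name under in-addr.arpa or ip6.arpa is answered with that same name, and that A/AAAA queries for such a name are answered with the address the name encodes; wall_answer and _reverse_to_address are hypothetical helper names.

```python
import ipaddress

# Constructed model of walldns-style synthesised answers. Nothing here is
# read from configuration: the reply is a pure function of the query.


def _reverse_to_address(qname):
    """Map a name under in-addr.arpa / ip6.arpa back to the address it encodes.

    Returns an ipaddress object, or None if the name is not a well-formed
    reverse name (wrong label count, non-numeric octet, non-hex nibble).
    """
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        octets = labels[:4][::-1]          # 4.3.2.1.in-addr.arpa -> 1.2.3.4
        try:
            return ipaddress.IPv4Address(".".join(octets))
        except ValueError:
            return None
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        nibbles = labels[:32][::-1]        # 32 reversed hex nibbles
        if any(len(n) != 1 or n not in "0123456789abcdef" for n in nibbles):
            return None
        return ipaddress.IPv6Address(int("".join(nibbles), 16))
    return None


def wall_answer(qname, qtype):
    """Synthesise the generic answer for (qname, qtype) from the query alone.

    PTR  -> the query name itself (a name inside in-addr.arpa / ip6.arpa)
    A    -> the IPv4 address encoded in an in-addr.arpa name
    AAAA -> the IPv6 address encoded in an ip6.arpa name
    Anything else -> None (no answer; there is no configured content)
    """
    addr = _reverse_to_address(qname)
    if addr is None:
        return None
    name = qname.rstrip(".").lower() + "."
    if qtype == "PTR":
        return name
    if qtype == "A" and addr.version == 4:
        return str(addr)
    if qtype == "AAAA" and addr.version == 6:
        return str(addr)
    return None
```

Because the synthesised PTR target is itself a reverse name, a resolver learns nothing beyond the address it already queried for.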