Unified IPv6 DNS Security
Scope
djbdnscurve6 is a fork of djbdns combining
- IPv6 capabilites based on fehQlibs allowing the use of compactified IPv6 and LLU addresses,
- a DNSCurve secured query/response for dnscache based on NaCl with an adopted Matthew Dempsky patch,
using Siphash now to defend against DNS spoofing,- allowing a qualification of DNS Name Servers.
- rbldns supporting IPv6 addresses.
- tinydns using compactified IPv6 addresses within the tinydns-data data file while supporting generic TXT (SPF), TLSA, and DKIM records.
-
All servers - including tinydns -
are now DNSCurve enabled and thus potentially provide DNS message with confidentiality and integrity.
- Installation is done according to the slashpackage convention.
-
Authoritative servers, in particular tinydns,
provide now 'split-horizion' capabilities for clients based on their IPv4/IPv6 CIDR address.
The decrypting djbdnscurve6 stub resolver can be used as standard lib for other programs.
Heritage and Directions
While djbdns is the unsurpassed DNS content and cache server implementation written by Daniel Bernstein, it lacks IPv6 features. Using Felix von Leitner's IPv6 add-on, I have included Matthew Dempsky's DNSCurve patch utilizing Bernstein's approach to provided a full solution.
Unlike DNS over TLS (DNS/TLS) DNSCurve provides an application-level message encryption:
- It uses an El-Gamal type of message exchange based on the elliptical curve encryption Curve25519.
- Authoritative name servers need to present in the DNS their 32 byte ECC public key following the preamble uz5 as hostname and delegated from the superior name server.
- DNSCurve enabled resolvers - upon recognizing this token - will automatically switch to DNS message encryption.
- DNS messages are concealed in a NaCl crypto-container using XSalsa20 with Poly1305 used for symmetrical encryption as well as for (peer-) authenticity and (message-) integrity. Each DNS message is uniquely encrypted (irrespectively of its contents) by means of a qualified Nonce, providing state-of-the-art security.
- The DNS transport container could be a either given as proprietary DNSCurve 'stream' format or as standard 'TXT' message suiteable for cases where DNS message inception is provided by Firewalls.
Components of djbdnscurve6
DNS applies a client/server architecture with three different components:
- The DNS stub resolver as part of the application/Operating system.
- The DNS Forwarder or Cache server (occassionaly called a Recurser) accessible on the same host or remotely; in particular at the edge of the Intranet -- typically accessing services from the Internet.
- Some DNS Authoritative Name Server -- or Content Server -- hosted inherent or outsourced to other companies.
djbdnscurve6 provides applications and a library to cope with all of those circumstances. In particular to separate the 'Intranet' from the 'Internet' regarding name resolution (split horizon).
The following modules can be used from djbdnscurve6:
Figure: DNS modules and libraries coming with djbdnscurve6
DNSCurve enabled DNS Cache server/full resolver
dnscache provides the DNS interface to your operating system and your applications under Unix. DNS name resolution should be reliable, fast, and confidential while working together with the DNS stub resolvers on your system.
Some features of dnscache:
- Common support for IPv4 and IPv6.
- Additionally allowing IPv6 LLU addresses for sending and receiving.
- Reverse IPv6 Anycast capabilities (automatic binding to new IPv6 addresses and interfaces) - Software Defined Networking (SDN) enabled.
- Dual-stack operation: Serving IPv4 and IPv6 networks with the same DNS instance.
- Recognition of EDNS0 messages by dnscache (thanks Peter Conrad).
-
The current version works well based on the shared library libsodium
in addition to NaCl - in particular on a RasPi.
DNSCurve enabled DNS authoritative content servers
Starting with version 3 of djbdnscurve6 DNSCurve encryption is also provided on the server side for
once the DNSCurve public/private key pair has been generated and the public key uz5 ... is provisioned to the upstream name server as 'trust anchor'.
DNS libraries and communication features
For a stub-resolver typically the fehQlibs DNS libraries (libdnsresolv) can be used; though djbdnscurve6's libdnscresolv is enabled for additional DNSCurve capabilities.
Common with Daniel Bernstein, the libdnscresolv is using a layered architecture to provide library routines for application programs thus as browsers, SMTP mail clients (such as qmail-remote) and others to be able to allow a qualified (and confidential) domain name resolution:
- DNS client library routines meant to be used in browsers and other programs that require to resolve domain names.
Note: Unlike DJB, I use here more refined DNS return codes. - Name qualification for domain names (building up their FQDN from hostnames only).
- Name resolution for hostnames to IPv4 and IPv6 addresses.
- MX resolution to identify the MX for a domain name.
- TXT resolution, in particular for SPF records.
- Domain library to parse and construct (back and forth) DNS wire format domain names with their labels.
- DNS message functions to read, parse, and setup DNS messages to be transmitted over UDP or TCP.
Note: Here, EDNS0 message formats (including DNSSec) are not (yet) supported. - DNS message transmit functions doing the actual transmissions (and reception) caring about timeouts, name server randomization, recursion and iterative queries als well as encryption and others.
Other communication features apart from DNSCurve support:
- Common binding to IPv4 and IPv6 addresses ('dualstack') with one source.
- Automatic binding to new IPv6 addresses ('reverse IPv6 Anycasting') - if requested.
- The UDP-only servers allow large DNS messages at least up to 1228 byte.
- The librarary supports local-based services (LBS) and allows applications to follow their own DNS rules; unlike to standard Unix /etc/resolv.conf base.
DNSCurve enabled reverse (forwarding) proxies
If you use other DNS content servers, you can benefit from encrypted DNS messages using Harm van Tilborg, Jeroen Schreeder, and Lieuwe Jan Koning CurveDNS reverse proxy:
- CurveDNS - A DNSCurve Forwarding Name Server
- also available at DNSCurve.io and
- CurveDNS.
The reverse proxy generates authoritative replies for the clients. Also here, you need to generate a qualified Curve25519 public key and use this as AName for your Name Server, provide this for delegation, and publish it.
Sources & Downloads
Please be aware, that though trying to provide a common abstraction layer with djbdns, djbdnscurve6 is quite complex and attention should be given to each step.
Dependencies
Prior of installing djbdnscurve6 you need to meet the following requirements and verified to have them installed successfully:
- fehQlibs: Required; since djbdnscurve6 includes only application programs (+ stub resolver).
- NaCl Library: Required for cryptographic operations - or - libsodium.
- Co-dependence: Daemontools as required for setup, user separation and memory restrictions.
Download
| Version & Download | Description | fehQlibs version | Verification |
|---|---|---|---|
| djbdnscurve6-45 | The tenth public release of djbdnscurve6 (version 3) is mainly done for convenience compatibility with current 'C' compilers. | fehQlibs-25+ | MD5: 737644acd5fbb0f93264c1fdb85df194 Build: 20241215160800 (new build) |
| djbdnscurve6-44d | The ninth public major release of djbdnscurve6 (version 3) includes some minor fixes for dnscache regarding lookup of private IP addresses and DNS names. Most important, tinydns is now empowered to provide 'split-horizon' answers for IPv4/IPv6 clients given their CIDR address (with a small but important fix now). dnscache in FORWARDONLY mode frees now unused memory. | fehQlibs-23 (!) | MD5: 01354c9949bdea31055db85d682ef930 Build: 20230917124652 |
| djbdnscurve6-43 | The six public major release of djbdnscurve6 (version 3) includes DNSCurve support for all DNS content server as well! And now with siphash for dnscache. Qualified generation and parsing of DKIM and TLSA records in TXT format with labels. | fehQlibs-20 | MD5: b5bd67967f4d2028bad28fc40d434532 Build: 20220731213000 |
| djbdnscurve6-39 | The tenth public minor release of djbdnscurve6 (version 2) comes now with partial EDNS0 query/response capability for dnscache together with better protection against DNS spoofing using Siphash. It provides better IPv4 compliance now and works well with gcc 11! | fehQlibs-18 | MD5: 6543ba7e76a76770ee69c98ffcc1ddc7 Build: 20211001094001 |
| djbdnscurve6-38 | The nineth public minor release of djbdnscurve6
comes now with |
fehQlibs-18 | MD5: e5979a25e368324480e94fa637442fd6 Build: 20210803222338 |
| djbdnscurve6-37+ | The eights public minor release of djbdnscurve6 provides small enhancements and comes with native support for TLSA/DANE records in particular for tinydns. It is compliant with fehQlibs-16 DNS qualification extensions. New build! gcc-10.2 compliant! | fehQlibs-16+ (new build!) | MD5: 2d081ff47b91b7d5e535b30f9ef2f81e Build: 20210221190552 |
| djbdnscurve6-36c | The seventh public release of djbdnscurve6 is a maintenance release to be compliant with fehQlibs-15's DNS qualification extensions and follows the enhanced DNS error return codes even here. | fehQlibs-15 | MD5: d959f1fecf480d3cba0512502cc928c4 Build: 20200731124637 |
| djbdnscurve6-36b | The six public release of djbdnscurve6 provides compatibility with fehQlibs-13 and is aligned with it s DNS lookup timeouts and following the enhanced DNS error return codes completely. | fehQlibs-13d/ fehQlibs-10(b) | MD5: b3051587c2100789b0a2800de6ed69dd Build: 20200202151144 |
| djbdnscurve6-35 | The third public release of djbdnscurve6 providing IPv4/IPv6 dual-stack servers and working seamlessly with libsodium even for NaCl unsupported platforms like the RasPi. | fehQlibs-10(b)/ fehQlibs-12x | MD5: f1a0d63158e019104fd640578c23c971 Build: 20190609152734 |
The current versions's code is documented in doxygen.
While djbdnscurve6 includes a dnscache-log.pl script to convert IPv4 addresses to their usual decimal-dotted values, an enhanced version dnscache-log.pl is available to do the very same thing with IPv6 addresses. If you have installed CPAN's 'Net::IPv6Addr' module it even displays the IPv6 address in compactified format. This version is included since djbdnscurve6-37.
Installation, Setup & Configuration
Installation
- Un-tar the djbnscurve6-XY under /package and verify the creation of ./net/djbdnscurve6-XY (it is a slashpackage registered software).
- Edit the conf- files to your needs; in particular conf-nacl needs customisation.
- There are some skeleton installation routines available called conf-tinydns ... for convenience only.
- In order to enable DNSCurve support for the servers you need to call curvedns-keygen in the DNS' service main directory generating the public and private key under ./env/.
- The public key name needs to be provisioned als trust anchor name to the upstream name server.
For some more details read the attached INSTALL document coming with the SW.
Setup
Additional information about customization and entering DNS resource data are now available:
The recommendations given by Daniel J. Bernstein for setting up the individual services for djbdns are mostly still valid though.
Updating
Since you have installed a previous version of djbdnscurve6 you should follow this path:
- After un-taring the new version, do a package/compile in the generated directory.
- Go to ./compile and call ./install.
- Proceed with package/man in the main directory and finally with
- package/upgrade.
Libsodium support
Instead of vanilla NaCl, alternative implementations can be used, as long as they provide the same cryptobox APIs. NaCl installs well on 'bare metal' servers (having access to the CPU capabilities directly) but is not really applicable for virtualized environments. Here is the recipe to accustom the installation:
- Adjust conf-nacl to point to the path of the header files and the libraries.
- Edit ./src/Makefile and replace -lnacl with -lsodium. Now carry on with installation.
systemd compatibility
djbdnscurve6 services like tinydns and dnscache depend some daemontools modules to provide the chroot environment and memory usage. In case those requirements are met, the servers run smoothlessly even under systemd even including journald.
Defects & Release Management
Naming conventions
- Error: Implementation does not conform to reqs, e.g. something is missing.
- Bug: Coding mistake in source file(s).
- Flaw: Wrong/missing description in man-file or any attached documentation.
- RfC: Request for Change: Feature request.
Known and solved defects
| Reference | Type | Description | State |
|---|---|---|---|
| [20190227#1] | Bug/Error | dnscache does not log IP of rejected client connections for UDP/TCP | fixed in v34 |
| [20190510#1] | Bug | tinydns-data missing IPv4|v6 addresses for MX records upon generation | fixed in v35 |
| [20190516#1] | Bug | dnsip may segfault at lookup | fixed in v35 |
| [20190530#1] | Bug | walldns, rbldns, and dnstrace may segfault due to wrong casting in dd6 | fixed in v35 |
| [20190608#1] | Bug | Wrong composition of inverse IPv6 name (dns_nd.c) | fixed in v35 |
| [20190608#2] | Bug/Error | dnsfilter generates no output | fixed in v35 |
| [20191129#1] | Bug | dnscache
produces high polling load in case the DNS server is not responding (introduced in v36 while only partially adopting the enhanced DNS error return codes) |
fixed in v36a |
| [20191213#1] | Bug | dnsip does not return resolved IPv6 addresses on output | fixed in v36b |
| [20201225#1] | Bug | tinydns returns a IPv6-mapped IPv4 address for NS queries in the additional section. | fixed in v37 |
| [20210801#1] | Error | Binding to IPv4 or IPv6 for UDP or TCP is solely based on IP address of remote site. EDNS0 support reworked. | fixed in v38 |
| [20211107#1] | Bug | dnscache answers a 'dnsname ::1' with 'ip4-loopback'; paste'n'copy error ;-) | Fixed in v39 |
| [20220113#1] | Error | dnscache may fail to return IP address (A/AAAA) for deeply nested CNAMEs. Removed Jonathan de Boyne Pollard's CNAME extension. | Fixed in v41 |
| [20220127#1] | Flaw | dnscache did not include siphash due to a wrong fork. | Included in v42 |
| [20221008#1] | Flaw | dnscache should not do a lookup for IP fc00:/7. | Fixed in v44 |
| [20220823#1] | Bug | dnscache does not recognize blacklisted IP client addresses correctly. | Fixed in v44 |
| [20220822#1] | Flaw | dnscache should not do a PTR lookup for .onion domain. | Fixed in v44 |
| [20220827#1] | Flaw | dnscache does not consider all forseen 16 NS for lookup. | Fixed in v44 |
| [20221005#1] | Bug | tinydns does not recognize 'split-horizon' settings. | Fixed in v44 |
| [20230331#1] | Bug | tinydns-data crashes in case of a IPv4 CIDR address for DNS 'split-horizon' settings. | Fixed in v44a |
| [20230405#1] | Flaw | dnscache provides no name resolution in case of misconfigured CurveDNS authoritative servers. | Fixed in v44b |
| [20230706#1] | Bug | tinydns-edit does not recognize IPv6 address on call for NS and MX records. | Fixed in v44c |
Versions & releases plans
- djbdnscurve6 (version 1) without DNSCurve support might be published on demand.
- djbdnscurve6 (version 2) providing DNSCurve support for
dnscache is the current major version (starting with v33).
The next minor release shall fully integrate EDNS0 support in dnscache (partially done).
- djbdnscurve6 (version 3) is scheduled to support DNSCurve natively for tinydns (done; starting with version v40).
- A TCP enhanced tinydns content server would also be not bad at all. Preforking? TLS support?
- djbdnscurve6 (version 4) shall be multicast enabled.
Tickets, Change Requests, communication
An EZMLM mailing list working together with djbdnscurve6 keeps you updated with current developments, bug fixes, and features discussed. This list also can be used to file
- Defects (bug reports) and
- Change Requests (enhancements).
To inscribe use: djbdnscurve6 mailing list
As usual, I can't guarantee a certain response level; but reasonable issues will be answered.
Module Documentation
Though djbdnscurve6 tries to be compatible with former versions, it is different in many ways from djbdns and you need to get accustomed to it. Thus, please read the following documents regarding the servers:
| Application | Miscellaneous | Description |
|---|---|---|
| axfrdns | axfrdns-conf axfr-get |
AXFR DNS zone transfer server; requires tcpserver or sslsever |
| dnscache | dnscache-conf dnscache-log |
DNS cache server and iterative resolver (supporting UDP, TCP, and EDNS0) |
| rbldns | rbldns-conf | Relay Black (and white) List server for IPv4 and IPv6 |
| tinydns | tinydns-conf tinydns-data tinydns-edit tinydns-get tinydns-log curvedns-keygen |
DNSCurve enabled UDP based DNS content server |
| walldns | walldns-conf curvedns-keygen |
DNSCurve enabled UDP based reverse DNS wall server |
The DNS lookup clients and diagnostic tools are kept API-compliant w.r.t. djbdns 1.05; thus we have:
| Recursive lookup clients | Diagnostic tools |
|---|---|
| dnsip | dnsq |
| dnsmx | dnsqr |
| dnsname | dnstrace |
| dnstxt | dnsfilter |
Other Points of Interest
- DJB's djbdns site [CurveDNS enabled (txt)]
- dq by Jan Mojzis
- djbdns-1.06 (obsolete ?)
- DNSCurve: Usable security for DNS (included) [CurveDNS enabled]
- DNSCurve.io [CurveDNS enabled]
- IANIX [CurveDNS enabled]
- dnscache Log File Format (included)
- dnscache tweaking (more or less included)
- MaraDNS (perhaps)
- Peter Conrad's tinydnssec [CurveDNS enabled]
- IPvFuture (?)
- Henning Brauer's Live With djbdns (mostly applicable)
- tinydns w/o Daemontools (if you need it)
- my djbdns Jumbo Patch
- djbdns patches
- JBP's 'Minor softwares for use with djbdns' Caution: Sharp edges!