DNS Analysis and Privacy Tools

digit

Digit is a client-side DNS tool that performs DNS queries over different transports: UDP, TCP and TLS. It tracks the current specification for DNS over TLS, draft-ietf-dprive-dns-over-tls-09, using direct TLS on port 853 by default, with TCP, STARTTLS and other transports available as options. The tool was built primarily to measure client-side latency of DNS over TCP and TLS, as described in the paper Connection-Oriented DNS to Improve Privacy and Security. It is experimental and not suitable for production use. With some modifications it can serve as a stub resolver that supports multiple transports. The README in the package gives detailed instructions on how to use this software.

tdns-client-proxy

Tdns-client-proxy is a client-side DNS proxy that accepts UDP DNS queries from a local application and forwards them to a remote recursive DNS server over TCP (with STARTTLS) or direct TLS. It forwards the responses from the remote recursive server back to the local application over UDP. Paired with tdns-server-proxy, it provides T-DNS's features, such as privacy, query pipelining and out-of-order responses. It tracks the current specification for DNS over TLS, draft-ietf-dprive-dns-over-tls-09, using direct TLS on port 853 by default, with TCP and STARTTLS as options. A man page (README.man in the package) describes how to use this proxy.

tdns-server-proxy

Tdns-server-proxy is a server-side DNS proxy that accepts connection-oriented (TCP/TLS) DNS queries from a client and forwards them to a recursive DNS server over UDP. Ideally, the recursive DNS server runs on the same host as this proxy. It forwards the responses from the recursive server back to the client over TCP/TLS. Paired with tdns-client-proxy, it provides T-DNS's features, such as query pipelining and out-of-order responses. It tracks the current specification for DNS over TLS, draft-ietf-dprive-dns-over-tls-09, using direct TLS on port 853 by default, with TCP and STARTTLS as options. A man page (README.man in the package) describes how to use this proxy.
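The two proxies above rely on the same connection-oriented mechanics: DNS messages on a stream transport are framed by a two-byte length prefix, several queries can be pipelined on one connection before any response arrives, and responses may come back in a different order, so the client side must match them to queries by transaction ID rather than by position. The following is an added example written for this page, not code from the T-DNS project or from either proxy. It builds real DNS wire-format queries and responses, uses a local socket pair in place of a TCP or TLS connection (a real client proxy would wrap the stream with ssl.SSLContext.wrap_socket for port 853), and uses a toy in-process "recursive server" with a constructed three-name zone that deliberately answers in reverse order. The zone contents, names and transaction IDs are all constructed for the example.

```python
import socket
import struct
import threading

# Constructed toy zone standing in for a recursive resolver's answers.
TOY_ZONE = {"a.example.": "192.0.2.1", "b.example.": "192.0.2.2", "c.example.": "192.0.2.3"}


def encode_name(name):
    """Encode a dotted name as DNS labels terminated by a zero-length label."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode() for p in parts) + b"\x00"


def parse_qname(msg, pos=12):
    """Decode the question name starting at pos; return (name, position after it)."""
    labels = []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode())
        pos += n + 1
    return ".".join(labels) + ".", pos + 1


def build_query(txid, name):
    """Standard A/IN query: header (RD=1, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(query):
    """Answer a query from TOY_ZONE, echoing its ID and question (QR=1, RD=1, RA=1)."""
    (txid,) = struct.unpack("!H", query[:2])
    name, end = parse_qname(query)
    question = query[12:end + 4]  # name + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # Answer owner name is a compression pointer (0xC00C) back to the question at offset 12.
    rdata = bytes(int(o) for o in TOY_ZONE[name].split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, len(rdata)) + rdata
    return header + question + answer


def parse_answer(msg):
    """Return (txid, IPv4 string) from a single-answer A response."""
    txid = struct.unpack("!H", msg[:2])[0]
    _, pos = parse_qname(msg)       # skip question name
    pos += 4                        # skip QTYPE/QCLASS
    if msg[pos] & 0xC0 == 0xC0:     # compression pointer as owner name
        pos += 2
    _, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
    pos += 10
    return txid, ".".join(str(b) for b in msg[pos:pos + rdlen])


def frame(msg):
    """DNS-over-TCP/TLS framing: two-byte big-endian length prefix (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def read_frame(sock):
    """Read one length-prefixed message; None on a closed connection."""
    hdr = recv_exact(sock, 2)
    if hdr is None:
        return None
    return recv_exact(sock, struct.unpack("!H", hdr)[0])


def toy_server(sock, nqueries):
    """Stand-in for the server side: reads all pipelined queries, answers in reverse order."""
    queries = [read_frame(sock) for _ in range(nqueries)]
    for q in reversed(queries):
        sock.sendall(frame(build_response(q)))
    sock.close()


def pipelined_lookup(names):
    """Send all queries on one stream before reading any response; match by transaction ID.

    Returns (name -> address, names in the order their responses arrived).
    """
    client, server = socket.socketpair()  # stands in for a TCP/TLS connection
    t = threading.Thread(target=toy_server, args=(server, len(names)))
    t.start()
    pending = {}
    for i, name in enumerate(names):
        txid = 0x1000 + i            # sequential for a deterministic example; use random IDs in practice
        pending[txid] = name
        client.sendall(frame(build_query(txid, name)))
    results, arrival_order = {}, []
    while pending:
        txid, ip = parse_answer(read_frame(client))
        name = pending.pop(txid)     # out-of-order is fine: the ID, not the position, identifies the query
        results[name] = ip
        arrival_order.append(name)
    client.close()
    t.join()
    return results, arrival_order


if __name__ == "__main__":
    print(pipelined_lookup(["a.example.", "b.example.", "c.example."]))
```

A client proxy that multiplexes queries from several local applications over one upstream connection has one more job not shown here: two applications can pick the same 16-bit ID, so the proxy must rewrite IDs to be unique on the shared connection and map them back before replying over UDP.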

T-DNS support for unbound patch

This patch includes all the changes we made to unbound to support TLS negotiation and concurrent processing of queries from a TCP connection. It adds TLS negotiation to the current unbound implementation, so a separate port for DNS-over-TLS is not needed. A full explanation of TLS negotiation over DNS is given in draft-hzhwm-start-tls-for-dns. The patch also adds support for concurrent processing of queries from the same TCP connection. We see some intermittent problems with this patch: sometimes responses are not sent back to the client, or are delayed for a long time.

  • unbound_changes_20140227.patch

Related work

In addition to our implementations, please see Sinodun's work on T-DNS, including their sample implementations for getDNS and Unbound, with plans for NSD and bind. (As of 2014-11-23.)