1. Download and Save GbDns.exe (~105kb) and GbDns.msi (301kb) to the same folder on your machine.
2. Run the installer by double-clicking GbDns.msi.
3. Set your DNS server address to 127.0.0.1 [ Control Panel / Network Connections / <any connection> / Properties / Internet Protocol (TCP/IP) ]
Some background on why current resolvers are insecure:
Amit Klein - Windows DNS Stub Resolver Cache Poisoning
IETF draft on forgery resilience
Microsoft article on NAT de-randomization
An Illustrated Guide to the Kaminsky DNS Vulnerability
An attack might be possible in five hours with the patch
Security (Config.ConfidenceMin) is set to 50 bits by default. You may change this value by re-compiling the source files. There is a trade-off between performance and security: a higher number of bits requires more requests to authoritative DNS servers.
GbDns cannot stop all "man-in-the-middle" attacks, where an attacker intercepts packets and impersonates the real server(s). This is not something GbDns tries to address: if an attacker can do this, the application needs to be secured at a higher level (for example by HTTPS or signed email) in any case.
As with any program, flaws in the software may give rise to security vulnerabilities. It is hoped that keeping the program as simple as possible reduces the likelihood of such flaws.
RFC 1034 Domain Names - Concepts and Facilities
RFC 1035 Domain Names - Implementation and Specification
RFC 2308 Negative Caching of DNS Queries (DNS NCACHE)
RFC 3597 Handling of Unknown DNS Resource Record (RR) Types
RFC 3596 / 3513 IP Version 6 (AAAA)
RFC 3833 Threat Analysis of the Domain Name System (DNS)
Use of Bit 0x20 in DNS Labels to Improve Transaction Identity
DNSSEC: Intro, RRs, Protocol, NSEC3, SHA-256, Ext Hex, Clarifications
This project was provoked by the problems noted by Dan Kaminsky in July 2008.
It provides a secure recursive caching DNS server that works behind a NAT firewall which undoes source port randomization.
No other DNS server currently provides this functionality (as of April 2009).
Basic authoritative functionality is also provided.
GbDns defeats spoofing by sending each query two (or more) times and checking that the responses agree. It also responds to spoofing attempts by dynamically increasing the security level.
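The following is an added example, not GbDns's own code, modelling the two points above (Config.ConfidenceMin and the duplicate-query check) together. The model is an assumption of this example, not a statement of GbDns's exact formula: an off-path spoofer must guess every unpredictable field of a query (the 16-bit transaction ID, the source port unless a NAT has rewritten it, and the 0x20 case bits of the name), so each agreeing copy of a query adds that many bits to a confidence score, copies are sent until the score reaches ConfidenceMin, and a disagreement raises ConfidenceMin for later queries. The `escalation_bits` step, the `make_authority` stand-in for an authoritative server, and the addresses used are all constructed for the example.

```python
"""Model of duplicate-query spoof resistance with a confidence threshold.

Constructed example: not GbDns's code. See the lead-in for the assumed model.
"""
import math
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

TXID_BITS = 16   # the DNS message ID is a 16-bit field
PORT_BITS = 16   # approximate entropy of a randomised ephemeral port


def case_bits(qname: str) -> int:
    """Unpredictable bits from 0x20 case randomisation: one per letter."""
    return sum(1 for ch in qname if ch.isalpha())


def bits_per_query(qname: str, port_randomised: bool, use_0x20: bool) -> int:
    """Bits an off-path attacker must guess for one copy of the query."""
    bits = TXID_BITS
    if port_randomised:          # no extra bits behind a de-randomising NAT
        bits += PORT_BITS
    if use_0x20:
        bits += case_bits(qname)
    return bits


def queries_needed(confidence_min: int, qname: str,
                   port_randomised: bool, use_0x20: bool) -> int:
    """Copies needed so the summed bits reach confidence_min (at least one)."""
    per_query = bits_per_query(qname, port_randomised, use_0x20)
    return max(1, math.ceil(confidence_min / per_query))


@dataclass
class Resolver:
    confidence_min: int = 50        # Config.ConfidenceMin default on the page
    port_randomised: bool = False   # False: a NAT rewrites our source port
    use_0x20: bool = True
    max_rounds: int = 5
    escalation_bits: int = 16       # assumption: how much a spoof raises the bar

    def resolve(self, qname: str, send: Callable[[str], str]) -> Tuple[str, int]:
        """Return (answer, copies_sent). `send` models one query to the
        authority and returns the rdata it answered with."""
        for _ in range(self.max_rounds):
            copies = queries_needed(self.confidence_min, qname,
                                    self.port_randomised, self.use_0x20)
            answers = [send(qname) for _ in range(copies)]
            if len(set(answers)) == 1:      # all copies agree: accept
                return answers[0], copies
            # Copies disagree, so at least one was forged: raise the
            # security level before retrying, as the page describes.
            self.confidence_min += self.escalation_bits
        raise RuntimeError("no agreeing answers for %s" % qname)


def make_authority(real: str, forged: Optional[str] = None,
                   forged_at: Tuple[int, ...] = ()) -> Callable[[str], str]:
    """Constructed authority: answers `forged` on the 0-based call numbers in
    forged_at, standing in for an injected spoofed response, else `real`."""
    calls = {"n": 0}

    def send(_qname: str) -> str:
        i = calls["n"]
        calls["n"] += 1
        return forged if (forged is not None and i in forged_at) else real
    return send


if __name__ == "__main__":
    q = "www.example.com"
    print(queries_needed(50, q, port_randomised=True, use_0x20=False))   # 2
    print(queries_needed(50, q, port_randomised=False, use_0x20=False))  # 4
    r = Resolver()
    print(r.resolve(q, make_authority("192.0.2.1", "198.51.100.9", (1,))))
```

The two `queries_needed` calls show the cost the page warns about: with a randomised source port, 32 bits per copy reach the 50-bit threshold in two queries, while behind a de-randomising NAT the transaction ID alone needs four copies (or two once 0x20 case bits are counted). In the `Resolver` run a single forged reply in the first pair causes a disagreement, the threshold rises to 66 bits, and the next round sends three copies before the answer is accepted. A real implementation would compare whole RRsets rather than strings and would need a policy for legitimately differing answers (round-robin authorities), which this model does not attempt.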
A full description is given in this Internet Draft submitted to the IETF.
The source files are:
These source files should be built using Microsoft .NET Version 2 (or higher - not tested).
Authoritative support is basic. Dynamic update and zone transfers from primary to secondary servers are not supported. Instead, changes to Dns/Zones.dns must be made by other means.
Recursive service is restricted to local IP addresses (127.x.x.x; 10.x.x.x; 192.168.x.x; or link-local/site-local for IPv6), as is normally appropriate except for an ISP. This is specified by the IsLocal function in DnsCache.cs.
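An added example, not the IsLocal code from DnsCache.cs, of the recursion access check described above and of how it combines with the basic authoritative service. The address ranges are the ones the page lists (127.x.x.x, 10.x.x.x, 192.168.x.x, IPv6 link-local and site-local); 172.16.0.0/12 is deliberately absent because the page does not list it. Treating IPv6 loopback (::1) and IPv4-mapped IPv6 clients as local, and the `classify_query` decision order, are additions of this example.

```python
"""Recursion access control modelled on the IsLocal rule quoted on this page.

Constructed example, not the project's code. Ranges follow the page's list;
::1 and IPv4-mapped handling are additions of this example.
"""
import ipaddress

LOCAL_V4 = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_local(addr: str) -> bool:
    """True if a recursive query from `addr` should be served."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False                        # unparsable address: deny
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                 # dual-stack socket, IPv4 client
    if isinstance(ip, ipaddress.IPv4Address):
        return any(ip in net for net in LOCAL_V4)
    # IPv6: link-local (fe80::/10), site-local (fec0::/10) and, as an
    # addition of this example, loopback ::1
    return ip.is_link_local or ip.is_site_local or ip.is_loopback


def classify_query(client: str, recursion_desired: bool, zone_hosted: bool) -> str:
    """Decide how the server handles a query.

    'authoritative': the name is in a zone this server hosts (served to
    anyone); 'recursive': a local client asked for recursion; 'refused':
    everything else (a real server would answer with RCODE REFUSED and the
    RA flag clear).
    """
    if zone_hosted:
        return "authoritative"
    if recursion_desired and is_local(client):
        return "recursive"
    return "refused"


if __name__ == "__main__":
    for client in ("127.0.0.1", "10.2.3.4", "172.16.0.1", "fe80::1", "2001:db8::1"):
        print(client, classify_query(client, recursion_desired=True, zone_hosted=False))
```

Refusing recursion to non-local clients is what keeps a resolver from becoming an open resolver; the authoritative check comes first so that hosted zones remain answerable from anywhere, which matches the page's combination of a local-only recursive cache with basic authoritative service.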
IPv6 support is new.
DNSSEC support is in development (see Change log).
QRP Client: Root servers may be configured using Dns/Rootservers.dns (NS, A, AAAA, TPORT and QRPK records).
QRP Server: The private/public key pair is stored in Dns/QRP.txt. Alternate key pairs may be stored in Dns/QRPAlt.txt (for use during public key rollover).
I started running the service on my own machine on 30 July 2008. The program has been running on my home machines and as a cache resolver/authority server for the company for which I work (~30 users) since October 2008.
I'm now looking for a small number of people to test the program further.
Please send any comments to george.barwood@blueyonder.co.uk.
Especially if you are planning to use the program, have used the program without problems, or have had a problem.
I undertake to keep your email address confidential, and will only use it for individual correspondence or to notify you if there is a significant problem or a new GbDns release (please state if you do not want this type of notice).