GbDns : A recursive caching DNS server for Windows

GbDns is a DNNSEC-enabled DNS server for Windows.

A full set of recursive and authoritative functions are provided.

This project was originally provoked by the problems noted by Dan Kaminsky in July 2008.

Earlier versions used query repetition to provide a secure recursive caching DNS server behind a NAT firewall that reverses port randomization. The curent version depends more on port randomisation, but also uses a simpler method of preventing Kaminsky-type attacks.

The source files are:

• Ask.cs - Transport protocols - Sending Requests.
• Auth.cs - DNSSEC Authentication.
• Cache.cs - General Housekeeping.
• Config.cs - Configuration constants.
• Data.cs - Representation of DNS messages / data.
• DnsSec.cs - DNSSEC resource records.
• Enum.cs - Enumerated types.
• Domain.cs - Representation of a Domain.
• Listen.cs - Transport protocols - Handling requests.
• LoadAxfr.cs - Loads zones using Axfr.
• Loader.cs - Zone Loading.
• LoadText.cs - Loads zones from text file(s).
• Misc.cs - Odds and ends.
• Prime.cs - Finding large random primes.
• Proof.cs - NSEC proof.
• Query.cs - Respond to client query.
• Random.cs - Generation of random values and hashing.
• RSA.cs - RSA digital signature.
• Rx.cs - Low level DNS packet decoding.
• Service.cs - Windows Service details.
• Set.cs - Generic implementation of Sets.
• ServerPick.cs - Picks a server based on previous response time.
• SimpleQuery.cs - Simple Query to remote Server.
• Signer.cs - Zone signing.
• Tx.cs - Low level DNS packet encoding.
• Vlong.cs - Very Long Integers.
• Worker.cs - Send queries and process responses.

These source files should be built using Microsoft .NET Version 2 (or higher - not tested), or see top right to download and install the executable.

• BuildDnsService.bat is a batch file to build the executable.
• InstallDnsService.bat is a batch file to install it ( alternative to GbDns.msi )
• Changes.htm is a log of changes.
• Issues.txt is my working notes.
• Design Notes documents some of the implementation choices.
• GbDnsT.exe is the executable with tracing enabled ( Log file is C:\GbDnsLog.txt )
• GbDns.zip is a zip file containing all the files.

Options

DNSSEC : the file Dns/Anchors.dns may (optionally) be used to specify a root ( NS/A/AAA records ) and/or trust anchors (DS records). By default (if Dns/Anchors.dns does not exist) the standard public root trust anchor is used ( see Config.cs ). If root servers are not specified in Dns/Anchors.dns or Dns/Zones.dns, a priming query is used.

Dns/Anchors.dns may also be used to specify Forwarders. An example is
com. FWDA 192.168.2.1
causes all queries within .com to be sent to the IP address given. The forwarder must be a server willing to provide DNSSEC recursive service. Unfortunately most ISP servers do not yet have DNSSEC enabled, so you may not be able to use a forwarder yet.

DNSSEC Signing : to sign a zone, place a $SIGN directive on the line before the SOA is defined. If an NSEC3PARAM record is defined, NSEC3 will be used instead of NSEC. NSEC3 opt-out is disabled by default. The private keys and the DS record are stored in txt files derived from the zone name. To obtain security, the DS record needs to be installed in the parent zone, or configured as a trust anchor. The DS record(s) are saved in the file <zone>.cds.txt, and also published in the CDS RRset.

Secondary servers can load zones via AXFR by inserting a line $SLAVE [zonename] in Dns/Zones.dns.

When a DS RRset is found within a zone, the server will attempt to fetch the CDS RRset from the child and store it in the file <zone>.ds.txt. By including this file ($INCLUDE) in the parent zone, KSK rollover can be completely automated. A dummy DS RRset " DS 0 0 0 0" can be used to trigger the initial fetch. Note that this initial fetch cannot be authenticated, so a manual check should be performed. Subsequent rollovers are authenticated.

IPv6 is supported.

Restrictions

Recursive service is restricted to local IP addresses (127.x.x.x; 10.x.x.x; 192.168.x.x; or Link/Site Local for IPv6), as is normally appropriate, except for an ISP. Specified by IsLocal function in DnsCache.cs.

Dynamic update and IXFR are not yet implemented. Only the IN (internet) CLASS is supported. The EDNS NSID option is not yet supported.

Status

I started running the service on my own machine on 30 July 2008. The program has been running on my home machines and as a cache resolver/authority server for the company for which I work (~30 users) since October 2008.

Please send any comments to george.barwood@blueyonder.co.uk.

Especially if you are planning to use the program, have used the program without problems, or have had a problem.

I undertake to keep your email address confidential, and will only use it for individual correspondence or to notify you if there is significant problem / new GbDns release ( please state if you do not want this type of notice ).