GbDns : A recursive caching DNS server for Windows

Installation Instructions

1. Download and Save GbDns.exe (~120kb) and GbDns.msi (301kb) to the same folder on your machine.

2. Run the installer by double clicking GbDns.msi.

3. Set your DNS server address to 127.0.0.1 [ Control Panel / Network Connections / <any connection> / Properties / Internet Protocol (TCP/IP) ]

Background

Some information on DNS security issues :

CERT Advisory

Amit Klein - Windows DNS Stub Resolver Cache Poisoning

IETF draft on forgery resilience

Microsoft article on NAT de-randomization

Secure Channel article

An Illustrated Guide to the Kaminsky DNS Vulnerability

An attack might be possible in five hours with the patch

Cache-poisoning attack snares top Brazilian bank

Tests: dns-oarc, netalyzer, DNSSEC test (Verisign), ZoneCheck.fr, IntoDns

License Statement

The GbDns software is entirely written by myself, George Barwood, and is hereby placed in the public domain. It is free of all restrictions; you may do whatever you wish with it.

Security

GbDns cannot stop all "man in the middle" attacks on unsigned zones, where an attacker can intercept packets and impersonate the real server(s). This is not something a resolver can fix: if an attacker is in that position, the application needs to be secured at a higher level (for example by HTTPS or signed email) in any case.

You should use the dns-oarc test listed above to determine whether your NAT router is undoing (de-randomizing) the source port randomization of outgoing queries.
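The dns-oarc test works by observing several queries from the resolver and checking whether their UDP source ports are spread across a wide range or have been collapsed by a NAT into a fixed or sequential block. The following Python is an added example (not part of GbDns, not the dns-oarc test's own code) that applies the same check to a list of (query id, source port) observations; both sample lists are constructed for illustration.

```python
import math
from collections import Counter

# Constructed samples of (DNS query id, UDP source port) as seen by the far end.
# The first list shows a resolver whose ports survive the NAT unchanged.
RANDOMIZED = [(0x1A2B, 51023), (0x7F10, 33917), (0x0C44, 60211), (0x9E01, 45670),
              (0x3322, 58104), (0xB7C9, 39988), (0x5D5D, 62345), (0xE00F, 41002)]
# The second list shows the same queries after a NAT rewrote the ports into a
# sequential block starting at 1024, which is what "de-randomization" looks like.
DERANDOMIZED = [(0x1A2B, 1024), (0x7F10, 1025), (0x0C44, 1026), (0x9E01, 1027),
                (0x3322, 1028), (0xB7C9, 1029), (0x5D5D, 1030), (0xE00F, 1031)]

# Minimum port spread we accept before calling the randomization "GOOD";
# the threshold is an assumption for this example, not a dns-oarc value.
MIN_SPREAD = 1024


def entropy_bits(values):
    """Shannon entropy of the observed values, in bits."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def port_randomization_report(samples):
    """Summarise how random the source ports in `samples` look.

    Returns a dict with the number of distinct ports, the spread between the
    lowest and highest port, whether the ports increase by exactly one each
    time (a typical NAT rewrite pattern), and a GOOD/POOR verdict.
    """
    ports = [port for _, port in samples]
    distinct = len(set(ports))
    spread = max(ports) - min(ports)
    sequential = all(b - a == 1 for a, b in zip(ports, ports[1:]))
    looks_random = distinct == len(ports) and spread > MIN_SPREAD and not sequential
    return {
        "distinct": distinct,
        "spread": spread,
        "sequential": sequential,
        "port_entropy_bits": entropy_bits(ports),
        "txid_entropy_bits": entropy_bits([txid for txid, _ in samples]),
        "verdict": "GOOD" if looks_random else "POOR",
    }


if __name__ == "__main__":
    for label, samples in (("direct", RANDOMIZED), ("behind NAT", DERANDOMIZED)):
        print(label, port_randomization_report(samples))
```

With only eight observations the entropy figures cannot distinguish the two cases (eight distinct ports give 3 bits either way), which is why the verdict relies on spread and the sequential check; a real test should collect more samples before trusting the entropy estimate.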

As with any program, flaws in the software may give rise to security vulnerabilities. It is hoped that by keeping the program as simple as possible, the likelihood of such flaws is reduced.

Standards

RFC 1034 Domain Names - Concepts and Facilities.

RFC 1035 Domain Names - Implementation and Specification.

RFC 2181 Clarifications.

RFC 2308 Negative Caching of DNS Queries (DNS NCACHE)

RFC 3597 Handling of Unknown DNS Resource Record (RR) Types

RFC 3596 / 3513 IP Version 6 (AAAA)

Default Local Zones

RFC 3833 Threat Analysis of the Domain Name System (DNS)

Use of Bit 0x20 in DNS Labels to Improve Transaction Identity

AXFR Wiki

EDNS DO bit

DNSSEC: Intro, RRs, Protocol, NSEC3, RSA-SHA1, RSA-SHA+, DS-SHA256, Ext Hex, Clarifications, DNAME, Trust Anchor Update, Wildcards, DLV record, CDS record

EPP, EPP DNS mapping

DNSCurve: Website, NACL, Paper, Draft

TCP SYN Flooding

IP Opsec IP security

My notes on the DNS standard on DNSSEC

IANA DNS Parameters Registry

IETF working group

Articles/Blogs/Discussion

CircleID article

Sci.crypt

TMF UK bulletin board

GbDns on SourceForge

GbDns is a DNSSEC-enabled DNS server for Windows.

A full set of recursive and authoritative functions are provided.

This project was originally provoked by the problems noted by Dan Kaminsky in July 2008.

Earlier versions used query repetition to provide a secure recursive caching DNS server behind a NAT firewall that reverses port randomization. The current version depends more on port randomisation, but also uses a simpler method of preventing Kaminsky-type attacks.

The source files are:

These source files should be built using Microsoft .NET Version 2 (or higher, not tested), or download and install the executable as described in the Installation Instructions above.

Options

DNSSEC : the file Dns/Anchors.dns may (optionally) be used to specify a root (NS/A/AAAA records) and/or trust anchors (DS records). By default (if Dns/Anchors.dns does not exist) the standard public root trust anchor is used (see Config.cs). If root servers are not specified in Dns/Anchors.dns or Dns/Zones.dns, a priming query is used.

Dns/Anchors.dns may also be used to specify Forwarders. For example, the line

    com. FWDA 192.168.2.1

causes all queries within .com to be sent to the IP address given. The forwarder must be a server willing to provide DNSSEC recursive service. Unfortunately most ISP servers do not yet have DNSSEC enabled, so you may not be able to use a forwarder yet.

DNSSEC Signing : to sign a zone, place a $SIGN directive on the line before the SOA is defined. If an NSEC3PARAM record is defined, NSEC3 will be used instead of NSEC. NSEC3 opt-out is disabled by default. The private keys and the DS record are stored in txt files derived from the zone name. To obtain security, the DS record needs to be installed in the parent zone, or configured as a trust anchor. The DS record(s) are saved in the file <zone>.cds.txt, and also published in the CDS RRset.

Secondary servers can load zones via AXFR by inserting a line $SLAVE [zonename] in Dns/Zones.dns.

When a DS RRset is found within a zone, the server will attempt to fetch the CDS RRset from the child and store it in the file <zone>.ds.txt. By including this file ($INCLUDE) in the parent zone, KSK rollover can be completely automated. A dummy DS RRset " DS 0 0 0 0" can be used to trigger the initial fetch. Note that this initial fetch cannot be authenticated, so a manual check should be performed. Subsequent rollovers are authenticated.
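The manual check recommended above for the initial, unauthenticated CDS fetch amounts to recomputing the DS record from the child's DNSKEY and comparing it with what was fetched. The following Python is an added example (not GbDns code) that does exactly that: it builds the DNSKEY RDATA, derives the key tag (RFC 4034 Appendix B) and the SHA-256 digest over the canonical owner name plus RDATA (the DS-SHA256 method), and compares the result with a DS line. The owner name, key bytes and algorithm number used for the demonstration are constructed for this example.

```python
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lower case, each label prefixed by its length, terminated by a zero byte."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag computation from RFC 4034 Appendix B: sum of the RDATA treated
    as big-endian 16-bit words, with the carry folded back in."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              public_key: bytes, digest_type: int = 2) -> str:
    """Render the DS record for a DNSKEY using digest type 2 (SHA-256):
    digest = SHA-256(canonical owner name | DNSKEY RDATA)."""
    if digest_type != 2:
        raise ValueError("this example only implements DS digest type 2 (SHA-256)")
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(ds_line: str, owner: str, flags: int, protocol: int,
               algorithm: int, public_key: bytes) -> bool:
    """True if a fetched DS line (e.g. from <zone>.ds.txt) agrees with the
    DS recomputed from the child's DNSKEY. Comparison ignores spacing and case."""
    expected = ds_record(owner, flags, protocol, algorithm, public_key).split()
    got = ds_line.split()
    return [f.upper() for f in got] == [f.upper() for f in expected]


# Constructed demonstration key: a KSK (flags 257, protocol 3) using algorithm 8
# (RSA/SHA-256). The key bytes are a placeholder pattern, not a real public key.
DEMO_OWNER = "child.example."
DEMO_KEY = bytes(range(64))
DEMO_DS = ds_record(DEMO_OWNER, 257, 3, 8, DEMO_KEY)

if __name__ == "__main__":
    print(DEMO_DS)
    print("fetched DS matches:", ds_matches(DEMO_DS, DEMO_OWNER, 257, 3, 8, DEMO_KEY))
```

If the comparison fails after the initial fetch, the right response is to treat the fetched `<zone>.ds.txt` as untrusted and not $INCLUDE it until the discrepancy is explained; once a correct DS is in the parent, later rollovers are validated by the chain of trust as the text describes.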

IPv6 is supported.

Restrictions

Recursive service is restricted to local IP addresses (127.x.x.x; 10.x.x.x; 192.168.x.x; or link-local/site-local addresses for IPv6), as is normally appropriate except for an ISP. The check is implemented by the IsLocal function in DnsCache.cs.
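Restricting recursion to local clients is what keeps a resolver from becoming an open resolver usable for amplification. The following Python is an added example (not the IsLocal function from DnsCache.cs, which is C#) of the same policy: the prefixes are the ones listed above, plus the IPv6 loopback `::1` and IPv4-mapped IPv6 addresses, which are this example's own assumptions rather than documented GbDns behaviour.

```python
import ipaddress

# Prefixes treated as "local" for the purpose of allowing recursion.
# 127/8, 10/8 and 192.168/16 match the list in the text; ::1 is an assumption
# added here so that IPv6 clients on the same host are also accepted.
LOCAL_V4 = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16")]
LOCAL_V6 = [ipaddress.ip_network(n) for n in ("::1/128", "fe80::/10", "fec0::/10")]


def is_local(addr: str) -> bool:
    """True if `addr` falls inside one of the local prefixes.

    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d), which a dual-stack socket can
    present for IPv4 clients, are unwrapped and checked against the IPv4 list,
    so a mapped 10.x.x.x client is not accidentally refused or, worse, an
    unwrapped non-local IPv4 address is not accidentally allowed.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    networks = LOCAL_V4 if ip.version == 4 else LOCAL_V6
    return any(ip in net for net in networks)


def query_policy(client_addr: str, recursion_desired: bool) -> str:
    """Decide how to treat a query: recursive service only for local clients;
    everyone else gets authoritative-only answers, and a non-local client that
    asks for recursion is refused rather than silently downgraded."""
    if is_local(client_addr):
        return "recursive" if recursion_desired else "authoritative-only"
    return "refused" if recursion_desired else "authoritative-only"


if __name__ == "__main__":
    for client in ("127.0.0.1", "192.168.5.5", "203.0.113.7", "fe80::1", "2001:db8::1", "::ffff:10.1.2.3"):
        print(client, is_local(client), query_policy(client, True))
```

Note that RFC 1918 also reserves 172.16.0.0/12, which is not in the list above; a site using that range would need to add it to whichever check it relies on.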

Dynamic update and IXFR are not yet implemented. Only the IN (internet) CLASS is supported. The EDNS NSID option is not yet supported.

Status

I started running the service on my own machine on 30 July 2008. The program has been running on my home machines and as a cache resolver/authority server for the company for which I work (~30 users) since October 2008.

Please send any comments to george.barwood@blueyonder.co.uk.

Especially if you are planning to use the program, have used the program without problems, or have had a problem.

I undertake to keep your email address confidential, and will only use it for individual correspondence or to notify you if there is a significant problem or a new GbDns release (please state if you do not want this type of notice).