DelphinusDNS Blog
(the latest about delphinusdnsd)||
|
Previous Page
November 6th, 2022
In possibly July 2002 I wrote the first header files in C for DNS programming.
Back then I had intention to write exploits, today I don't have those intentions
anymore. DNS work straightened me out. To be exact in 2002 I wanted to write
reflection and amplifier tools. It's perhaps coincidental that I'm working
with pf today to filter the "sl." botnet which seemingly has 1 spoofing master
,(14 hops away from my dns server),
to reflect off my DNS server. Some of you may have come across the "sl."
queries by looking at your logs, I know one of you has mentioned to me before
that this is an attack. It is an attack but not on us. It's more using our
infrastructure to contact zombies from the master. Or so I believe.
So 20 years DNS work, and soon the codebase to delphinusdnsd will also be 20
years old (in 2025). When you look at the first checkin of wildcarddnsd there
still is similarities, but with DNSSEC additions I have changed the concept
of this DNS server software immensely. I enjoy the work but before 2025 it's
over with the 1.9.0 release for me (being the sole programmer). I want to do
other things and there is some ideas on the table already. I can't do them
all so in 2024 I'll have to make a decision what I want to focus on. Otherwise
I'll likely do little projects one after the other but somehow I won't find
enjoyment with that. Go big, I think! Thanks for reading my thoughts here.
0 comments
October 8th, 2022
A DNS server is never finished(tm). It's an ongoing effort all the time, but
here are two construction sites in delphinusdnsd that stick out rather.
- Support for OpenWRT and WolfSSL. I started that and ran out of CPU time
on my Linux computers due to not using Linux 24/7 and having to do savings.
I also lost will on continuing with this, it was awkward. This is an open
hanging cliff.
- DoT support, is stalled. There is no aDoT Subscribers other than google
perhaps and it does the following over and over, making me think there is
somethign wrong.
(some cut for a query that went to sky.delphinusdns.org)
(ttl=TLS, region=1, tta=NA) for "sky.delphinusdns.org." type=SOA(6) class=1,
answering "NOERROR" (bytes=38/120, sum=NA)
Also I can't forward TLS code like one does a descriptor passing. This is a
limitation with the LibreSSL tls library, so forwarding code and AXFR won't
work with DoT. I removed the code for this in tlsloop(). AXFR's will have to
have their own ports in order to do TLS and I don't know if it'll happen in
2022.
- I thought there was a third perhaps but I can't think of it now.
So I went pretty nuts on my tree with these two. I'm gonna take it easier
the next two months before release so that I can start with the DNS Updates
code in 2023.
0 comments
October 8th, 2022
I just saw that Theo de Raadt committed mimmutable(2) support into
OpenBSD 7.2-current. Unfortunately I don't run any -current systems at the
moment so it's hard for me to put support for this in and test it for the
1.7 Delphinusdnsd release which is scheduled for after the FreeBSD release which
says December 7th on some document I saw @freebsd.org. Too bad, but on the
other hand it gives the OpenBSD code some time to be tested and it will be in
Delphinusdnsd probably after the 7.3 OpenBSD release so look for it in our
-current after April/May some time and Delphinusdnsd 1.8 in december 2023
should have the systemcall supported.
0 comments
October 4th, 2022
On the 27th of February in 2019, I did a commit with a few dubious changes.
The commit is 88e1f5170fea07586416f9ba2de5f36b99985cc7, and a dubious commit
looked something like this:
@@ -276,7 +279,7 @@ out:
u_int16_t *plen;
tmpbuf = malloc(outlen + 2);
- if (tmpbuf == NULL) {
+ if (tmpbuf == 0) {
dolog(LOG_INFO, "malloc: %s\n", strerror(errno));
}
plen = (u_int16_t *)tmpbuf;
As you can see it replaced a NULL with a 0. I can't explain why I would do
this. I fixed it up in commit 6b8ba22a0ecdf078798e64d13af67a48b45a9fc1,
yesterday. I went back to seeing what I did in that February 2019. It was
when Delphinusdnsd was in 1.3 still and I was at that time putting TSIG code
into it. I had correspondence with people from the west and from the east.
I also bought a lot of Windows books back then, did online shopping.
I find it very odd, though I dimly remember something with compiling linux
caused me to write out something to prevent compile errors. Perhaps it was
a file that accidentally slipped in?
My systems have changed twice over since then and I don't have evidence for
any breach. Though there was a rather big smtpd vuln between OpenBSD 6.4 and
now. Anyhow I can only learn from this. I need to write conciser commit log
messages with every commit detailing everything. I also need to examine every
commit after committing (partially doing that already) it helps in finding bugs
that slip through.
0 comments
October 3rd, 2022
An AAAA reply could send two packets in UDP and (possibly) double the answer
in TCP. I have a patch made but won't commit until later when my developing
workstation is back online. I had this to say about the bug:
09:37:29 almost a year with this bug
09:37:38 Oct 19th, 2021
09:38:25 d6a64d50049b4c39755a0c875a6ddd7fbd63bbbd is the offending
commit
So it was with us for almost a year and throughout the 1.6 release. I don't
think I'm going to make a backpatch unless you absolutely want me to. An email
will do and I'll make a backpatch to 1.6.x version. Other than that the
November/December release of 1.7 will have this fixed. So for now happy
holiday.
0 comments
September 29th, 2022
On the centroid.eu blog (predecessor to the delphinusdns blog) I wrote proudly
that wildcarddnsd (former name of delphinusdnsd and built on a fork of this)
was over 10,000 lines
of code. Well...that was then, and this:
echo$ wc -l *.[chy] | grep total
59146 total
is now. Almost 60K lines, and more planned. Though I've written delphinusdnsd
with a lot of copy/pasting from other functions and haven't compacted a lot of
redundancy into their own functions. Whether I do that before I "retire", will
be seen. I plan on going into in-active development after version 1.9 if you
don't know yet. Delphinusdnsd doesn't have programmers other than me and if
I continue on with a 2.x version it will be as a team.
0 comments
September 29th, 2022
So over last week I have implemented DoT on delphinusdnsd. It is still in
the experimental stage. However having said that I have implemented a
padding feature using OPT code 12 (padding), which pads out dns answers by
1024 bytes. However the RFC's disallow sending an EDNS payload to someone
who didn't request it. So my call out to recursor implementors is to make sure
you are sending EDNS0 through TLS (you can give it size 0xffff like is
standard for a TCP DNS packet). My implementation of RFC 7830 uses
arc4random_buf() which is a MAY instead of a 0-stream SHOULD. But you MUST
accept it if you request it. The benefit of arc4random_buf() in this is
that cryptanalyists can't find a block that is full of zeros and thus they
can't guess what's behind the ciphertext. I value that as a bonus.
0 comments
September 20th, 2022
In this article
I visually showed what RR's we support compared to ones we don't support.
Here is a september 2022 update:
The new RR's are in a lighter shade of green. Green is supported, red is not
supported (yet). I'll likely not add any more this year...
0 comments
September 20th, 2022
I have added KX RR (RFC 2230) and IPSECKEY RR support (RFC 4025) these are both
related to IPSEC and I hope to ignite some more DNS and DNSSEC interest in
the IPsec programming community. I did have someone point out to me that
Free/Libre/Open S/WAN's are all able to use the IPSECKEY RR. I did check in
OpenBSD and there is use of a KEY RR in isakmpd in a file called dnssec.c.
Perhaps now someone can hack this up to use IPSECKEY instead of KEY. It wasn't
enabled dnssec.c code though. I'm glad there is more functionality in
Delphinusdnsd and it will release with the 1.7 release in possibly December.
We're not going to see DNS Updates this year, in fact I've been on a spree
adding RR's because I need some fairly easy work until the release. I'm hoping
next year will be a good year for DNS Updates, so for 1.8 release.
0 comments
September 1st, 2022
Today I checked in the SVCB and HTTPS support. But it's broken. As long as
you don't use these RR's in your delphinusdnsd zone config files it should be
fine. I need some time to fix these up, maybe by next week.
0 comments
Next Page
|
Search
RSS Feed
 Click here for RSS
On this day in
Other links
Have feedback?
By clicking on the header of an article you will be
served a cookie. If you do not agree to this do not
click on the header. Thanks!
Using a text-based webbrowser?
... such as lynx? Welcome back it's working again for the time being.
Older Blog Entries
May, 2023
April, 2023
March, 2023
January, 2023
December, 2022
November, 2022
October, 2022
September, 2022
August, 2022
July, 2022
June, 2022
May, 2022
April, 2022
March, 2022
February, 2022
January, 2022
December, 2021
November, 2021
March, 2021
February, 2021
January, 2021
December, 2020
November, 2020
October, 2020
September, 2020
August, 2020
July, 2020
June, 2020
May, 2020
April, 2020
March, 2020
February, 2020
January, 2020
December, 2019
November, 2019
October, 2019
September, 2019
Powered by BCHS
|