DelphinusDNS Blog

(the latest about delphinusdnsd)


I've been programming DNS in C for 20 years now

November 6th, 2022

In possibly July 2002 I wrote the first header files in C for DNS programming. Back then I had intentions to write exploits; today I don't have those intentions anymore. DNS work straightened me out. To be exact, in 2002 I wanted to write reflection and amplifier tools. It's perhaps coincidental that I'm working with pf today to filter the "sl." botnet, which seemingly has 1 spoofing master (14 hops away from my DNS server) to reflect off my DNS server. Some of you may have come across the "sl." queries by looking at your logs; I know one of you has mentioned to me before that this is an attack. It is an attack, but not on us. It's more using our infrastructure to contact zombies from the master. Or so I believe.

So 20 years of DNS work, and soon the codebase of delphinusdnsd will also be 20 years old (in 2025). When you look at the first checkin of wildcarddnsd there still are similarities, but with the DNSSEC additions I have changed the concept of this DNS server software immensely. I enjoy the work, but before 2025 it's over for me with the 1.9.0 release (being the sole programmer). I want to do other things and there are some ideas on the table already. I can't do them all, so in 2024 I'll have to make a decision about what I want to focus on. Otherwise I'll likely do little projects one after the other, but somehow I won't find enjoyment in that. Go big, I think! Thanks for reading my thoughts here.


Two open constructions added this year

October 8th, 2022

A DNS server is never finished(tm). It's an ongoing effort all the time, but here are two construction sites in delphinusdnsd that rather stick out.

  1. Support for OpenWRT and WolfSSL. I started that and ran out of CPU time on my Linux computers due to not using Linux 24/7 and having to do savings. I also lost the will to continue with this; it was awkward. This is an open hanging cliff.
  2. DoT support is stalled. There are no ADoT subscribers other than Google perhaps, and it does the following over and over, making me think there is something wrong.
     (some cut for a query that went to
     (ttl=TLS, region=1, tta=NA) for "" type=SOA(6) class=1,
     answering "NOERROR" (bytes=38/120, sum=NA)
     Also I can't forward TLS code like one does descriptor passing. This is a limitation of the LibreSSL tls library, so the forwarding code and AXFR won't work with DoT. I removed the code for this in tlsloop(). AXFRs will have to have their own ports in order to do TLS and I don't know if it'll happen in 2022.
  3. I thought there was a third perhaps, but I can't think of it now.

So I went pretty nuts on my tree with these two. I'm gonna take it easier the next two months before release so that I can start with the DNS Updates code in 2023.


No mimmutable(2) in 1.7 release

October 8th, 2022

I just saw that Theo de Raadt committed mimmutable(2) support into OpenBSD 7.2-current. Unfortunately I don't run any -current systems at the moment, so it's hard for me to put support for this in and test it for the 1.7 Delphinusdnsd release, which is scheduled for after the FreeBSD release, which says December 7th on some document I saw. Too bad, but on the other hand it gives the OpenBSD code some time to be tested. It will be in Delphinusdnsd probably after the OpenBSD 7.3 release, so look for it in our -current some time after April/May, and Delphinusdnsd 1.8 in December 2023 should have the system call supported.


A possible breach on my (then) CVS tree?

October 4th, 2022

On the 27th of February 2019, I did a commit with a few dubious changes. The commit is 88e1f5170fea07586416f9ba2de5f36b99985cc7, and one dubious change looked something like this:

@@ -276,7 +279,7 @@ out:
                u_int16_t *plen;

                tmpbuf = malloc(outlen + 2);
-               if (tmpbuf == NULL) {
+               if (tmpbuf == 0) {
                        dolog(LOG_INFO, "malloc: %s\n", strerror(errno));
                plen = (u_int16_t *)tmpbuf;
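Review bot: Replacing `NULL` with `0` in the `tmpbuf` check is legal C (0 is a null pointer constant) but departs from the `NULL` idiom used for pointer comparisons elsewhere in this code; keep `if (tmpbuf == NULL) {` so a pointer test reads as one and a change like this stands out as unexplained noise in review. Separately, in the visible context nothing between `dolog(LOG_INFO, "malloc: %s\n", strerror(errno));` and `plen = (u_int16_t *)tmpbuf;` leaves the function on allocation failure; confirm that the close of that `if` block returns or otherwise exits before `plen` is used.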

As you can see, it replaced a NULL with a 0. I can't explain why I would do this. I fixed it up yesterday in commit 6b8ba22a0ecdf078798e64d13af67a48b45a9fc1. I went back to see what I did in that February 2019. It was when Delphinusdnsd was still in 1.3 and I was at that time putting TSIG code into it. I had correspondence with people from the west and from the east. I also bought a lot of Windows books back then, did online shopping. I find it very odd, though I dimly remember something with compiling Linux caused me to write out something to prevent compile errors. Perhaps it was a file that accidentally slipped in?

My systems have changed twice over since then and I don't have evidence of any breach. Though there was a rather big smtpd vuln between OpenBSD 6.4 and now. Anyhow, I can only learn from this. I need to write more concise commit log messages with every commit, detailing everything. I also need to examine every commit after committing (partially doing that already); it helps in finding bugs that slip through.


Found a bug with reply_aaaa() in reply.c

October 3rd, 2022

An AAAA reply could send two packets in UDP and (possibly) double the answer in TCP. I have a patch made, but won't commit it until later when my development workstation is back online. I had this to say about the bug:

09:37:29  almost a year with this bug
09:37:38  Oct 19th, 2021
09:38:25  d6a64d50049b4c39755a0c875a6ddd7fbd63bbbd is the offending

So it was with us for almost a year and throughout the 1.6 release. I don't think I'm going to make a backpatch unless you absolutely want me to. An email will do and I'll make a backpatch to the 1.6.x version. Other than that, the November/December release of 1.7 will have this fixed. So for now, happy holiday.


What a difference 12 years makes

September 29th, 2022

On the blog (predecessor to the delphinusdns blog) I wrote proudly that wildcarddnsd (the former name of delphinusdnsd, which is built on a fork of it) was over 10,000 lines of code. Well... that was then, and this:

echo$ wc -l *.[chy] | grep total
   59146 total

is now. Almost 60K lines, and more planned. Though I've written delphinusdnsd with a lot of copy/pasting from other functions and haven't compacted a lot of redundancy into functions of its own. Whether I do that before I "retire" will be seen. I plan on going into inactive development after version 1.9, if you don't know yet. Delphinusdnsd doesn't have programmers other than me and if I continue on with a 2.x version it will be as a team.


DoT and Padding: The benefit of using EDNS0 in this

September 29th, 2022

So over the last week I have implemented DoT on delphinusdnsd. It is still in the experimental stage. Having said that, I have implemented a padding feature using OPT code 12 (padding), which pads out DNS answers by 1024 bytes. However, the RFCs disallow sending an EDNS payload to someone who didn't request it. So my call out to recursor implementors is to make sure you are sending EDNS0 through TLS (you can give it size 0xffff, as is standard for a TCP DNS packet). My implementation of RFC 7830 uses arc4random_buf(), which is a MAY, instead of the 0-stream SHOULD. But you MUST accept it if you request it. The benefit of arc4random_buf() in this is that cryptanalysts can't find a block that is full of zeros and thus can't guess what's behind the ciphertext. I value that as a bonus.
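As an added example (not delphinusdnsd's own code), here is how an authoritative server can append the RFC 7830 Padding option (OPT code 12) described above so that a reply is padded out to a block boundary. The helper names, the 1024-byte block size and the constructed demo message are assumptions; passing arc4random_buf() (or any similar filler) as fill gives the random-fill variant the post uses, NULL gives the zero-fill SHOULD.

```c
#include <stdint.h>
#include <string.h>

#define DNS_TYPE_OPT      41  /* OPT pseudo-RR, RFC 6891 */
#define EDNS_OPT_PADDING  12  /* Padding option code, RFC 7830 */
#define OPT_FIXED_LEN     11  /* root name 1 + type 2 + class 2 + ttl 4 + rdlen 2 */
#define OPTION_HDR_LEN     4  /* option code 2 + option length 2 */

/* Padding bytes needed so that the reply, once an OPT RR carrying one
 * Padding option is appended, is a multiple of blocksize (assumed helper). */
size_t padding_len_for(size_t msglen, size_t blocksize)
{
	size_t rem = (msglen + OPT_FIXED_LEN + OPTION_HDR_LEN) % blocksize;
	return rem == 0 ? 0 : blocksize - rem;
}

/* Append an OPT RR with one Padding option to the reply in buf (length
 * msglen, capacity buflen) and bump ARCOUNT. fill() writes the padding
 * bytes: NULL zero-fills (the RFC 7830 SHOULD); delphinusdnsd uses
 * arc4random_buf() (the MAY). Returns the new length, 0 on no room. */
size_t append_padding_opt(uint8_t *buf, size_t buflen, size_t msglen,
    size_t blocksize, uint16_t udpsize, void (*fill)(uint8_t *, size_t))
{
	size_t padlen = padding_len_for(msglen, blocksize);
	size_t rdlen = OPTION_HDR_LEN + padlen;
	uint8_t *p = buf + msglen;
	if (msglen < 12 || rdlen > 0xffff || msglen + OPT_FIXED_LEN + rdlen > buflen)
		return 0;
	*p++ = 0;                                            /* owner name: root */
	*p++ = DNS_TYPE_OPT >> 8;     *p++ = DNS_TYPE_OPT & 0xff;
	*p++ = udpsize >> 8;          *p++ = udpsize & 0xff;  /* CLASS = UDP size */
	memset(p, 0, 4); p += 4;               /* TTL: ext-RCODE 0, version 0, flags 0 */
	*p++ = rdlen >> 8;            *p++ = rdlen & 0xff;
	*p++ = EDNS_OPT_PADDING >> 8; *p++ = EDNS_OPT_PADDING & 0xff;
	*p++ = padlen >> 8;           *p++ = padlen & 0xff;
	if (fill != NULL) fill(p, padlen); else memset(p, 0, padlen);
	if (++buf[11] == 0) buf[10]++;                       /* ARCOUNT++ with carry */
	return msglen + OPT_FIXED_LEN + rdlen;
}

/* Constructed demo: header + question "foo. IN A" (21 bytes) padded to 64. */
size_t demo_padded_len(void)
{
	uint8_t buf[128] = { 0x12, 0x34, 0x81, 0x80, 0, 1, 0, 0, 0, 0, 0, 0,
	    3, 'f', 'o', 'o', 0, 0, 1, 0, 1 };
	size_t n = append_padding_opt(buf, sizeof(buf), 21, 64, 0xffff, NULL);
	if (n != 64 || buf[11] != 1 || buf[23] != DNS_TYPE_OPT || buf[33] != EDNS_OPT_PADDING)
		return 0;                   /* wire layout check failed */
	return n;
}
```

With a 1024-byte block and a 21-byte reply the option carries 988 bytes of padding, which is why a recursor must advertise EDNS0 on the TLS session before the server may send this.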


Supported RR's in Delphinusdnsd (202209)

September 20th, 2022

In this article I visually showed which RRs we support compared to ones we don't support. Here is a September 2022 update:

The new RR's are in a lighter shade of green. Green is supported, red is not supported (yet). I'll likely not add any more this year...


More RR support and release in sight

September 20th, 2022

I have added KX RR (RFC 2230) and IPSECKEY RR (RFC 4025) support. These are both related to IPsec and I hope to ignite some more DNS and DNSSEC interest in the IPsec programming community. I did have someone point out to me that Free/Libre/Open S/WAN are all able to use the IPSECKEY RR. I did check in OpenBSD and there is use of a KEY RR in isakmpd, in a file called dnssec.c. Perhaps now someone can hack this up to use IPSECKEY instead of KEY. The dnssec.c code wasn't enabled though. I'm glad there is more functionality in Delphinusdnsd and it will ship with the 1.7 release, possibly in December.

We're not going to see DNS Updates this year; in fact I've been on a spree adding RRs because I need some fairly easy work until the release. I'm hoping next year will be a good year for DNS Updates, so for the 1.8 release.


SVCB and HTTPS support (not complete)

September 1st, 2022

Today I checked in the SVCB and HTTPS support. But it's broken. As long as you don't use these RR's in your delphinusdnsd zone config files it should be fine. I need some time to fix these up, maybe by next week.

