DNS - The NLnet Labs Blog

DNS

A collection of 39 posts

Journeying into XDP: XDPerimenting with DNS telemetry

Journeying into XDP: XDPerimenting with DNS telemetry

By Luuk Hendriks The XDP programs we’ve so far described in this series have been actively modifying DNS packets to perform functions such as response rate limiting (RRL), cookies and padding. This time, we’ll look into a passive BPF-program which enables us to plot graphs of DNS metrics

Zone verification, the feature formerly known as CreDNS, formerly known as dnSƧexy

Zone verification, the feature formerly known as CreDNS, formerly known as dnSƧexy

NLnet Labs is pleased to announce version 4.6.0 of NSD. This release integrates and revives zone verification, a feature previously shipped in a separate product called CreDNS, which had its last release (0.2.10) in June 2012.

A little extra explanation is always helpf

Extended DNS Error support for Unbound

Unbound 1.16.0 adds support for Extended DNS Errors (EDEs) as codified in RFC 8914. While EDE was already supported in NSD since version 4.3.6 released in April of 2021, as with most things in a resolver, EDE support took more time to implement. As a short

Journeying into XDP: Fully-fledged DNS service augmentation

Journeying into XDP: Fully-fledged DNS service augmentation

By Willem Toorop In our previous post on using eXpress Data Path (XDP) for DNS, we discussed how a new XDP rate-limiting queries feature can augment a DNS service running in user space (with common DNS software) to deal with denial of service (DoS) attacks. Journeying into XDP: Part 0Network

Supporting DNSSEC Key Signing Ceremonies

Supporting DNSSEC Key Signing Ceremonies

Over the past decade, uptake of DNSSEC has grown significantly. The vast majority of top-level domains (TLDs) is now DNSSEC-signed. While key signing ceremonies are now deployed in many places in the DNSSEC community, what is lacking is a common approach, especially related to tooling.

SAD DNS and NLnet Labs DNS software

SAD DNS and NLnet Labs DNS software

Update 18 November 2021: we are aware of the follow-up paper published by the researchers. The text below remains accurate for Unbound users. Please note that Unbound 1.13.2 and newer has IPv6 PMTU disabled for UDP. During the ACM CCS conference 2020, held November 9-13, researchers from UC

Journeying into XDP Part 1: Augmenting DNS

Journeying into XDP Part 1: Augmenting DNS

How can eXpress Data Path (XDP) augment existing DNS software? We share our experiences of implementing Response Rate Limiting in XDP.

DNS-over-HTTPS in Unbound

DNS-over-HTTPS in Unbound

A major step forward in end user privacy.

Some Country for Old Men

Some Country for Old Men

An Unbound Story of Serving Expired Records.

Journeying into XDP: Part 0

Journeying into XDP: Part 0

Network programming using XDP has been on our radar for a while now. As tooling around this technology has vastly improved, we decided that it was time to finally get our hands dirty and see what this technology is all about.

Adapting Radix Trees

Adapting Radix Trees

NLnet Labs continuously strives to push the performance of its products. Over the course of the past year we researched improvements to main-memory databases for our authorative nameserver, NSD.

Tuning NSD for even better performance

Tuning NSD for even better performance

NLnet Labs is pleased to announce version 4.3.0 of NSD. This release contains, among bug fixes, features to tune NSD for even better performance. Most notably, processor affinity.

Response Policy Zones in Unbound

Response Policy Zones in Unbound

We are incredibly happy to introduce Unbound 1.10. This release features RPZ, a mechanism that makes it possible to define your local policies in a standardized way, and load your policies from external sources.

Measuring the impact of DNS Flag Day

Measuring the impact of DNS Flag Day

DNS Flag Day 2019 stimulated a lot of awareness, and as a result, the Internet got a little better.

Hackathon @ Africa Internet Summit 2019

Hackathon @ Africa Internet Summit 2019

The main objectives of the NLnet Labs foundation are the development of Open Source Software and Open Standards; this combination creates…

The Ongoing Story of OpenINTEL: Measuring the DNS for Research, Policy and Protocol Improvements

The Ongoing Story of OpenINTEL: Measuring the DNS for Research, Policy and Protocol Improvements

Measuring the DNS for Research, Policy and Protocol Improvements.

Sunrise DNS over TLS, sunset DNSSEC?

Sunrise DNS over TLS, sunset DNSSEC?

Is DNSSEC still needed when you get your DNS over TLS?

Aggressive use of the DNSSEC-Validated cache in Unbound

Aggressive use of the DNSSEC-Validated cache in Unbound

One of the new features in Unbound 1.7.0 is the aggressive use of the DNSSEC-Validated cache, resulting in decreased load on name servers.

The peculiar case of NSEC processing using expanded wildcard records

The peculiar case of NSEC processing using expanded wildcard records

Unbound, Google public DNS, PowerDNS and Dnsmasq contained a flaw that made it possible to downgrade secure connections.

Bringing DNS Security and Privacy to the End User

Bringing DNS Security and Privacy to the End User

How the getdns API project helps to achieve the goal of DNSSEC validation and DANE authentication at the end-points.

Privacy: Using DNS-over-TLS with the new Quad9 DNS Service

Privacy: Using DNS-over-TLS with the new Quad9 DNS Service

Install and configure Stubby to communicate securely with the Quad9 DNS service using DNS-over-TLS.

Testdriving the CrypTech Alpha Board

Testdriving the CrypTech Alpha Board

Experiences with the open source hardware cryptographic engine.

Client based filtering in Unbound

Client based filtering in Unbound

Using ‘tags’ introduced in Unbound 1.5.10 and ‘views’ in Unbound 1.6.0 to let DNS answers depend on the address of the client.

I Can’t Believe It’s Not DNS!

I Can’t Believe It’s Not DNS!

Experiences with “I Can’t Believe It’s Not DNS!”, an authoritative DNS server on the Espressif ESP8266, written in MicroPython.