DNS

A collection of 40 posts

DNS

Somebody Told Me

Proxying client information to your favorite resolver and more.

Research

Journeying into XDP: XDPerimenting with DNS telemetry

By Luuk Hendriks The XDP programs we’ve so far described in this series have been actively modifying DNS packets to perform functions such as response rate limiting (RRL), cookies and padding. This time, we’ll look into a passive BPF-program which enables us to plot graphs of DNS metrics

Newsletter

🛠 A confidence building toolbox

Nobody likes pushing the "Go" button to deploy and just hope things will be okay. 🤞 In this newsletter we'll cover some of the recent additions to our software aimed at giving you more operational confidence... 💬 In this issue: * Zone Verification in NSD. Prevent zones with errors in the DNSSEC signed

DNS

Zone verification, the feature formerly known as CreDNS, formerly known as dnSƧexy

NLnet Labs is pleased to announce version 4.6.0 of NSD. This release integrates and revives zone verification, a feature previously shipped in a separate product called CreDNS, which had its last release (0.2.10) in June 2012.

DNS

Extended DNS Error support for Unbound

Unbound 1.16.0 adds support for Extended DNS Errors (EDEs) as codified in RFC 8914. While EDE was already supported in NSD since version 4.3.6 released in April of 2021, as with most things in a resolver, EDE support took more time to implement. As a short

Research

Journeying into XDP: Fully-fledged DNS service augmentation

By Willem Toorop In our previous post on using eXpress Data Path (XDP) for DNS, we discussed how a new XDP rate-limiting queries feature can augment a DNS service running in user space (with common DNS software) to deal with denial of service (DoS) attacks. Journeying into XDP: Part 0Network

DNS

Supporting DNSSEC Key Signing Ceremonies

Over the past decade, uptake of DNSSEC has grown significantly. The vast majority of top-level domains (TLDs) is now DNSSEC-signed. While key signing ceremonies are now deployed in many places in the DNSSEC community, what is lacking is a common approach, especially related to tooling.

DNS

SAD DNS and NLnet Labs DNS software

Update 18 November 2021: we are aware of the follow-up paper published by the researchers. The text below remains accurate for Unbound users. Please note that Unbound 1.13.2 and newer has IPv6 PMTU disabled  for UDP. During the ACM CCS conference 2020, held November 9-13, researchers from UC

Research

Journeying into XDP Part 1: Augmenting DNS

How can eXpress Data Path (XDP) augment existing DNS software? We share our experiences of implementing Response Rate Limiting in XDP.

DNS

DNS-over-HTTPS in Unbound

A major step forward in end user privacy.

DNS

Some Country for Old Men

An Unbound Story of Serving Expired Records.

Research

Journeying into XDP: Part 0

Network programming using XDP has been on our radar for a while now. As tooling around this technology has vastly improved, we decided that it was time to finally get our hands dirty and see what this technology is all about.

Research

Adapting Radix Trees

NLnet Labs continuously strives to push the performance of its products. Over the course of the past year we researched improvements to main-memory databases for our authorative nameserver, NSD.

DNS

Tuning NSD for even better performance

NLnet Labs is pleased to announce version 4.3.0 of NSD. This release contains, among bug fixes, features to tune NSD for even better performance. Most notably, processor affinity.

DNS

Response Policy Zones in Unbound

We are incredibly happy to introduce Unbound 1.10. This release features RPZ, a mechanism that makes it possible to define your local policies in a standardized way, and load your policies from external sources.

Research

Measuring the impact of DNS Flag Day

DNS Flag Day 2019 stimulated a lot of awareness, and as a result, the Internet got a little better.

Dev

Hackathon @ Africa Internet Summit 2019

The main objectives of the NLnet Labs foundation are the development of Open Source Software and Open Standards; this combination creates…

Research

The Ongoing Story of OpenINTEL: Measuring the DNS for Research, Policy and Protocol Improvements

Measuring the DNS for Research, Policy and Protocol Improvements.

DNS

Sunrise DNS over TLS, sunset DNSSEC?

Is DNSSEC still needed when you get your DNS over TLS?

DNS

Aggressive use of the DNSSEC-Validated cache in Unbound

One of the new features in Unbound 1.7.0 is the aggressive use of the DNSSEC-Validated cache, resulting in decreased load on name servers.

DNS

The peculiar case of NSEC processing using expanded wildcard records

Unbound, Google public DNS, PowerDNS and Dnsmasq contained a flaw that made it possible to downgrade secure connections.

DNS

Bringing DNS Security and Privacy to the End User

How the getdns API project helps to achieve the goal of DNSSEC validation and DANE authentication at the end-points.

DNS

Privacy: Using DNS-over-TLS with the new Quad9 DNS Service

Install and configure Stubby to communicate securely with the Quad9 DNS service using DNS-over-TLS.

Dev

Testdriving the CrypTech Alpha Board

Experiences with the open source hardware cryptographic engine.

DNS

Client based filtering in Unbound

Using ‘tags’ introduced in Unbound 1.5.10 and ‘views’ in Unbound 1.6.0 to let DNS answers depend on the address of the client.