Member: Kei HIBINO, Kazu YAMAMOTO

  1. Background: The environment surrounding DNS is constantly changing, and a unique DNS full resolver that can be used to verify DNS protocols is desired.
  2. Purpose: Implement IIJ’s unique DNS full resolver.

Summary

We are developing a DNS full resolver, called bowline, in Haskell. bowline supports DNS over UDP, TCP, TLS, QUIC, HTTP/2 and HTTP/3.

Results

Progress

Progress in 2024FY4Q

  • Enhancement of bowline operational features: In response to operational requests, we implemented keepalive for monitors, added NSID/id.server/version.server functionality, added Negative Trust Anchor functionality, and implemented DNSSEC validation result counters with additions to metrics.
  • Stabilization of bowline: We improved communication stability by fixing buffer management issues in TCP53 Virtual Circuit servers. We also stabilized the service to continue even during reload failures by parsing configuration files in advance. Furthermore, we resolved conflicts between reload functionality and user switching by separating processes requiring root privileges and adopting a method to restore root privileges only when necessary.

Progress in 2024FY3Q

  • Improved availability of bowline: In iterative searches, fallbacks are now performed for all NSs, increasing the number of cases where a problem can be resolved. In addition, the number of queries in an iterative search is limited to prevent attacks on authoritative servers.
  • Issue Fixes: Fixed the following issues found during testing: Response error code translation, NSEC/NSEC3 record caching, and response AD flag support.

Progress in 2024FY2Q

  • Improvement of bowline communication stability: Stable communication with resolvers is now possible even in environments where intermediate NATs frequently change ports.
  • Improvement of bowline operational features: Provided enhanced metrics information.
  • Stability improvements of bowline: Improved determinism of client-facing session state by using STM (Software Transactional Memory) transactions for clearer resource management. Randomized tests also improve the robustness of the STM transactions used for session state management.
  • dug release and introduction article: Wrote an IIJ engineer blog post introducing dug. In conjunction with that, made several dug releases.

Progress in 2024FY1Q

  • bowline improvements: Resolved issues found during evaluation and addressed new requests such as CheckDisabled flag and cache deletion.
  • dug improvements: dug now supports session resumption and 0-RTT for TLS, QUIC, HTTP/2, and HTTP/3. Information such as the QUIC and TLS handshake mode is now displayed at the end of the output. Enhanced NSEC/NSEC3 verification information output.

Progress in 2023FY4Q

  • Pipeline testing: By incorporating the DNS over TLS/QUIC/H2/H3 pipeline function into the dug command, it is now possible to test the pipeline function of the full resolver bowline.
  • Local zone data support: Local zones, root hints, and trust anchors can now be defined by interpreting zone data.
  • Vulnerability countermeasures: By limiting the input size and number of verifications, it is now possible to reduce the amount of calculation required for KeyTrap attacks.
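The countermeasure in the last item, as an added example that is not bowline's code: a DNSSEC validation loop that bounds both the number of DNSKEYs tried per RRSIG (input size) and the total number of signature checks per RRset (work), so that many keys sharing one key tag cannot turn validation into an unbounded amount of computation. The budgets, record types and the stand-in verifier are assumptions for illustration; bowline's actual limits are not stated on the page.

```python
# Added example (not bowline's code): bounding DNSSEC validation work per RRset.
# Budgets below are assumed for illustration, not values taken from bowline.
from dataclasses import dataclass
from typing import Callable, Sequence

MAX_KEYS_PER_SIG = 4      # assumed input-size bound: DNSKEYs tried per RRSIG
MAX_VERIFY_ATTEMPTS = 8   # assumed work bound: signature checks per RRset


@dataclass(frozen=True)
class DnsKey:
    key_tag: int
    key_id: str           # constructed stand-in for the public key material


@dataclass(frozen=True)
class RrSig:
    key_tag: int
    signer_id: str        # constructed: which key actually produced this RRSIG


def validate_rrset(rrsigs: Sequence[RrSig], dnskeys: Sequence[DnsKey],
                   verify: Callable[[RrSig, DnsKey], bool]) -> tuple[str, int]:
    """Return (status, attempts); status is 'secure' or 'bogus'.

    Every signature check costs CPU, so the loop stops at MAX_VERIFY_ATTEMPTS
    and reports 'bogus' instead of trying every key with a colliding tag.
    """
    attempts = 0
    for sig in rrsigs:
        # Input-size bound: only the first few keys with a matching tag are tried.
        candidates = [k for k in dnskeys if k.key_tag == sig.key_tag][:MAX_KEYS_PER_SIG]
        for key in candidates:
            if attempts >= MAX_VERIFY_ATTEMPTS:
                return "bogus", attempts   # work bound hit: give up, do not spin
            attempts += 1
            if verify(sig, key):
                return "secure", attempts
    return "bogus", attempts


def fake_verify(sig: RrSig, key: DnsKey) -> bool:
    """Constructed stand-in for real cryptographic signature verification."""
    return sig.signer_id == key.key_id


def demo() -> tuple[tuple[str, int], tuple[str, int]]:
    # Constructed data: 100 DNSKEYs sharing one key tag, all RRSIGs naming that tag.
    keys = [DnsKey(12345, f"k{i}") for i in range(100)]
    honest = validate_rrset([RrSig(12345, "k1")], keys, fake_verify)
    hostile = validate_rrset([RrSig(12345, "nowhere")] * 50, keys, fake_verify)
    return honest, hostile
```

In `demo()` the honest RRset validates after 2 checks, while the colliding-tag RRset is declared bogus after 8 checks; without the two bounds the same input would cost 50 x 100 = 5000 signature checks.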

Progress in 2023FY3Q

  • Improved safety of the lower-level TLS, HTTP/2, and QUIC libraries
  • Improved response performance by relaxing conditions for the nested iterative search cache and the negative cache

Progress in 2023FY2Q

  • Functional enhancements for test operation of cache server
    • Transport layer expansion (TLS, QUIC, HTTP2, HTTP3)
    • Implementation of logging function using DNSTAP
    • Implementation of Web API for server management
    • Supports Prometheus for monitoring
    • Incorporating DNSSEC validation functionality for negative responses (NSEC/NSEC3)
  • Fixed iterative search and DNSSEC issues
    • Fixed to avoid issuing unnecessary DS queries
    • Fixed RR set normalization issue (TTL restoration, canonical order)

Progress in 2023FY1Q

  • Incorporating DNSSEC validation functionality into full resolver implementations under development
    • Encryption key signature (DS) verification function for delegation information during iterative searches
    • Result record signature (RRSIG) verification function
    • Fallback function for parent-child zone coexistence case (“.” and “arpa.” etc.)
    • Log output of verification results (success, failure, no verification)
  • Enhancements aimed at demos
    • Select a transport (QUIC, TLS, H2, H3) from SVCB and use it for name resolution
    • Visualization of full resolver operation (iterative search)
    • Display DNSSEC results in color
    • Used in Open House
