How to deploy DNSCurve

Posted on Apr 18, 2014

I’ve recently started to support DNSCurve on my nameservers running djbdns and you might do the same on your infrastructure: deploying DNSCurve turned out to be very easy and took about 1 hour of work!

Migrating your server to DNSCurve

But let’s start with the installation. First you need to install a DNSCurve forwarder: it listens for incoming requests on your public interface, port 53, and forwards all queries to the DNS server (such as tinydns) listening on 127.0.0.1:53.

I’m using CurveDNS which fits nicely into existing djbdns/tinydns installations. Installing it is only a matter of minutes, thanks to the very good documentation.

Keep in mind that dnscurve-0.87 does not chroot() itself: this patch (sent to upstream) will make dnscurve chroot() itself if $ROOT is set. To activate the chroot, run:

$ mkdir /etc/curvedns/root
$ echo  /etc/curvedns/root > /etc/curvedns/env/ROOT
$ svc -t /service/curvedns
$ ls -l /proc/`pgrep curvedns`/root
lrwxrwxrwx 1 root root 0 2011-01-09 17:47 /proc/6620/root -> /etc/curvedns/root/

Whee, that was easy, wasn’t it? We can now modify the NS records of the server to include its public key!

Configuring the NS-Records

You should now create the A (or AAAA) record for your new nameserver, using the name that curvedns-keygen printed (remember its output?). In my case /etc/tinydns/root/data looks like this:

=uz5crn6x92t4vb4k3z68du7rmwmnnvkbdd29t79yzg9fr2s2rx5pk0.nsde1.eqmx.net:80.246.50.17

...and the SOA record is set to

.eqmx.net::uz5crn6x92t4vb4k3z68du7rmwmnnvkbdd29t79yzg9fr2s2rx5pk0.nsde1.eqmx.net

(do not forget to run make ;-) )

You must now also change or add the new NS record for your domain in the web interface of your registrar.

Testing your DNSCurve installation

Testing the glue-records

We will now check whether the TLD servers ‘publish’ the public key of our domain (e.g. eqmx.net).

Step 1: Ask the root-servers for the TLD-Servers of eqmx.net:

$ dig +short eqmx.net @a.root-servers.net
....
net.  172800  IN      NS      a.gtld-servers.net.
net.  172800  IN      NS      b.gtld-servers.net.
....

Step 2: Ask the .net servers for information about eqmx.net:

$ dig NS  eqmx.net @j.gtld-servers.net.
...
eqmx.net.               172800  IN      NS      dns1.workaround.ch.
eqmx.net.               172800  IN      NS      uz5mnv8n4dzrp95zl50jryb4wgf45my27q6pvx8f540l9sspkcwvtm.nszh1.eqmx.net.
eqmx.net.               172800  IN      NS      uz5crn6x92t4vb4k3z68du7rmwmnnvkbdd29t79yzg9fr2s2rx5pk0.nsde1.eqmx.net.
....

Great: the public key is there! (If it isn’t: Did you update the records at your registrar? And even if you did: It can take some time until your changes are active)
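The NS names above carry the server’s Curve25519 public key in their first label: ‘uz5’ followed by 51 little-endian base-32 digits (alphabet 0123456789bcdfghjklmnpqrstuvwxyz, 255 bits). The following is an added example, not code from the post or from CurveDNS/dnscurve: it decodes such a label, re-encodes it as curvedns-keygen would print it, and walks dig-style NS output to report which nameservers advertise a key so you can compare it against the one you generated. The NS lines are constructed from the dig output shown above.

```python
ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"  # DNSCurve base-32 alphabet

def decode_dnscurve_label(label: str) -> bytes:
    """Return the 32-byte public key encoded in a 'uz5' + 51-digit label.

    Digits are little-endian: value = c[0] + 32*c[1] + 32**2*c[2] + ...
    51 digits carry 255 bits, so the top bit of the last byte is always 0.
    """
    label = label.lower()
    if len(label) != 54 or not label.startswith("uz5"):
        raise ValueError("not a DNSCurve key label: %r" % label)
    value = 0
    for i, ch in enumerate(label[3:]):
        digit = ALPHABET.find(ch)
        if digit < 0:
            raise ValueError("bad base-32 digit %r in %r" % (ch, label))
        value |= digit << (5 * i)
    return value.to_bytes(32, "little")

def encode_dnscurve_label(key: bytes) -> str:
    """Inverse of decode_dnscurve_label: the label curvedns-keygen prints."""
    if len(key) != 32 or key[31] & 0x80:
        raise ValueError("key must be 32 bytes with the top bit clear")
    value = int.from_bytes(key, "little")
    return "uz5" + "".join(ALPHABET[(value >> (5 * i)) & 31] for i in range(51))

def dnscurve_keys_in_ns_records(dig_output: str) -> dict:
    """Map each NS hostname in dig-style output to its key, or None if plain."""
    result = {}
    for line in dig_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[3] != "NS":
            continue  # skip comments, blank lines and non-NS records
        host = fields[4].rstrip(".")
        try:
            result[host] = decode_dnscurve_label(host.split(".")[0])
        except ValueError:
            result[host] = None  # ordinary nameserver, no DNSCurve key
    return result

# Constructed sample input: the NS answer for eqmx.net shown in the post.
SAMPLE_NS = """\
eqmx.net.  172800  IN  NS  dns1.workaround.ch.
eqmx.net.  172800  IN  NS  uz5mnv8n4dzrp95zl50jryb4wgf45my27q6pvx8f540l9sspkcwvtm.nszh1.eqmx.net.
eqmx.net.  172800  IN  NS  uz5crn6x92t4vb4k3z68du7rmwmnnvkbdd29t79yzg9fr2s2rx5pk0.nsde1.eqmx.net.
"""

for host, key in dnscurve_keys_in_ns_records(SAMPLE_NS).items():
    print(host, "->", key.hex() if key else "no DNSCurve key")
```

Compare the printed hex with the key your own curvedns-keygen produced; a mismatch means the registrar still publishes stale glue.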

Query the DNSCurve server

Chances are that there is no DNSCurve-aware client installed on your host, so we will use a simple DNSCurve-aware client written in Python (no installation needed).

Step 1: Grab a copy of Matthew Dempsky’s dnscurve repository at github:

$ cd /tmp
$ git clone https://github.com/mdempsky/dnscurve.git
$ cd dnscurve/tools
$ ln -s ../slownacl .   # link to a python-nacl implementation

Step 2: Run dnsq.py:

$ python dnsq.py a www.eqmx.net 80.246.50.17 uz5crn6x92t4vb4k3z68du7rmwmnnvkbdd29t79yzg9fr2s2rx5pk0
...output...

dnsq.py will print out some dig-like output if everything is OK. It will hang if you supply the wrong public key.

Patching dnscache to do DNSCurve queries

Matthew Dempsky has also written a patch for dnscache; you can grab a copy at this location.