A Python implementation of a DNS stub resolver over TLS.
What does this do:
This implements a DNS stub resolver. It listens on TCP port 53 and resolves requests through an upstream DNS server over TLS (DNS over TLS, port 853). Each client query is read as a length-prefixed DNS/TCP message, forwarded to the upstream over a verified TLS connection, and the reply is relayed back to the client.
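As an added example (not the project's own dnsproxy.py), the pieces such a stub resolver needs in Python: building a query, the 2-byte length framing DNS uses over TCP and TLS, a bounded-hop name parser, forwarding over a verified TLS connection, and a per-connection proxy routine that checks the reply id before relaying it. The upstream address, port and TLS hostname for 1.1.1.1 are assumptions; the offline check uses a constructed reply that mirrors the dig output shown below. Only the listener under __main__ touches the network.

```python
import socket
import ssl
import struct

# Added example, not the project's code. Upstream host/port/hostname are assumptions.

def build_query(name, qtype=1, txid=0x1234):
    """RFC 1035 query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def tcp_frame(msg):
    """DNS over TCP/TLS prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf

def tcp_unframe(sock):
    (n,) = struct.unpack("!H", read_exact(sock, 2))
    return read_exact(sock, n)

def parse_name(msg, pos, hops=0):
    """Decode a possibly compressed name; the hop bound stops pointer loops."""
    labels = []
    while True:
        ln = msg[pos]
        if (ln & 0xC0) == 0xC0:                      # compression pointer
            if hops > 16:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            tail, _ = parse_name(msg, ptr, hops + 1)
            return ".".join(labels + [tail.rstrip(".")]).rstrip(".") + ".", pos + 2
        pos += 1
        if ln == 0:
            return ".".join(labels) + ".", pos
        labels.append(msg[pos:pos + ln].decode("ascii"))
        pos += ln

def parse_a_records(msg):
    """Return (txid, rcode, [(owner, ttl, ipv4), ...]); non-A answers are skipped."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        _, pos = parse_name(msg, pos)
        pos += 4                                     # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        owner, pos = parse_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append((owner, ttl, socket.inet_ntoa(msg[pos:pos + 4])))
        pos += rdlen
    return txid, flags & 0x000F, addrs

def resolve_over_tls(query, upstream="1.1.1.1", port=853, server_hostname="one.one.one.one"):
    """Forward one query over a fresh TLS connection with CA and hostname validation."""
    ctx = ssl.create_default_context()
    with socket.create_connection((upstream, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(tcp_frame(query))
            return tcp_unframe(tls)

def proxy_connection(client, forward=resolve_over_tls):
    """Serve one client connection; the reply id must match the query id."""
    query = tcp_unframe(client)
    reply = forward(query)
    if reply[:2] != query[:2]:
        raise ValueError("upstream reply id does not match query id")
    client.sendall(tcp_frame(reply))
    return reply

def constructed_response(txid=0x1234):
    """Constructed reply mirroring the dig output on this page (4 A records, TTL 1800)."""
    question = build_query("shyamsundar.org", txid=txid)[12:]
    rrs = b""
    for ip in ("185.199.109.153", "185.199.110.153", "185.199.111.153", "185.199.108.153"):
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 1800, 4) + socket.inet_aton(ip)
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 4, 0, 0) + question + rrs

def offline_roundtrip():
    """Drive proxy_connection over a socketpair with the constructed upstream reply."""
    a, b = socket.socketpair()
    with a, b:
        a.sendall(tcp_frame(build_query("shyamsundar.org")))
        proxy_connection(b, forward=lambda q: constructed_response(struct.unpack("!H", q[:2])[0]))
        return parse_a_records(tcp_unframe(a))

if __name__ == "__main__":
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 5353))                   # 53 needs root; 5353 for a local test
    srv.listen(16)
    while True:
        conn, _ = srv.accept()
        with conn:
            proxy_connection(conn)
```

The listener handles one connection at a time, which is enough to show the flow but not to serve real load; that limitation is the one the improvement list below raises about connections and open files.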
Implementation notes:
Running:
$ docker run -d -p 5353:53 shyam/dnsproxy:latest
74c80fa535b29e6562ffc76dd112f221c43322150f2bd59f75fb2ac83d36a180
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
74c80fa535b2 shyam/dnsproxy:latest "python dnsproxy.py" 8 seconds ago Up 7 seconds 0.0.0.0:5353->53/tcp festive_pike
$ docker logs festive_pike
[dnsproxy] tcp://127.0.0.1:53 -> tcp+tls://1.1.1.1:853
$ dig @localhost -p 5353 +tcp shyamsundar.org
; <<>> DiG 9.11.3-1ubuntu1.2-Ubuntu <<>> @localhost -p 5353 +tcp shyamsundar.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23048
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
; PAD: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ ... snip ... ]
;; QUESTION SECTION:
;shyamsundar.org. IN A
;; ANSWER SECTION:
shyamsundar.org. 1800 IN A 185.199.109.153
shyamsundar.org. 1800 IN A 185.199.110.153
shyamsundar.org. 1800 IN A 185.199.111.153
shyamsundar.org. 1800 IN A 185.199.108.153
;; Query time: 78 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Wed Oct 03 15:06:44 CEST 2018
;; MSG SIZE rcvd: 468
Applications:
Security Concerns and other areas of improvement:
Implement proper validation of SSL/TLS certificates including SPKI Pinning.
Reduce latency by having long lived / persistent connections with upstream.
TCP resolution can easily take up a lot of connections/open files. It has to be monitored and additional instances have to be set up so that this doesn't become a bottleneck.
Refactor the application to be more modular and add test coverage.
Ability to handle multiple upstream resolvers.
Ability to handle custom rules, as coredns and dnsmasq do.
Ability to handle UDP based DNS resolution.
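As an added example (not the project's code) of the first item in the list, certificate validation plus SPKI pinning: Python's default TLS context already validates the chain and the hostname, and the pin check hashes the DER SubjectPublicKeyInfo of the upstream's leaf certificate and compares it with an operator-supplied pin set. The DER walker below is a minimal stdlib-only one; the pin set and the 1.1.1.1 hostname are placeholders and assumptions, and the offline check runs against a constructed, unsigned certificate skeleton rather than a real one.

```python
import base64
import hashlib
import socket
import ssl

# Added example, not the project's code. Pins and the DoT hostname are assumptions.

def der_tlv(tag, body):
    """Encode one DER TLV with short or long definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_read(buf, pos):
    """Return (tag, value_start, value_end) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Walk Certificate -> tbsCertificate and return the SubjectPublicKeyInfo TLV."""
    tag, pos, _ = der_read(cert_der, 0)            # Certificate SEQUENCE
    assert tag == 0x30
    tag, pos, _ = der_read(cert_der, pos)          # tbsCertificate SEQUENCE
    assert tag == 0x30
    tag, _, end = der_read(cert_der, pos)
    if tag == 0xA0:                                # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                             # serial, signature, issuer, validity, subject
        _, _, pos = der_read(cert_der, pos)
    tag, _, end = der_read(cert_der, pos)
    assert tag == 0x30
    return cert_der[pos:end]

def pin_of_spki(spki_der):
    """pin-sha256 as used by HPKP: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def cert_pin(cert_der):
    return pin_of_spki(extract_spki(cert_der))

def check_pin(cert_der, pins):
    """True when the leaf certificate's SPKI pin is in the allowed set."""
    return cert_pin(cert_der) in set(pins)

def connect_pinned(host, port, pins, server_hostname):
    """TLS connect with CA + hostname validation, then an SPKI pin check on the leaf."""
    ctx = ssl.create_default_context()
    sock = socket.create_connection((host, port), timeout=5)
    tls = ctx.wrap_socket(sock, server_hostname=server_hostname)
    try:
        if not check_pin(tls.getpeercert(binary_form=True), pins):
            raise ssl.SSLCertVerificationError("SPKI pin mismatch for %s" % server_hostname)
    except Exception:
        tls.close()
        raise
    return tls

def constructed_fake_cert():
    """Constructed, unsigned X.509 skeleton for offline checks; returns (cert, spki)."""
    rsa_oid = der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))        # rsaEncryption
    sha256_rsa = der_tlv(0x06, bytes.fromhex("2a864886f70d01010b"))     # sha256WithRSAEncryption
    spki = der_tlv(0x30, der_tlv(0x30, rsa_oid + der_tlv(0x05, b"")) +
                   der_tlv(0x03, b"\x00" + b"\x42" * 270))              # long-form length
    tbs = der_tlv(0x30,
        der_tlv(0xA0, der_tlv(0x02, b"\x02")) +                         # version v3
        der_tlv(0x02, b"\x01") +                                        # serial
        der_tlv(0x30, sha256_rsa + der_tlv(0x05, b"")) +                # signature algorithm
        der_tlv(0x30, b"") +                                            # issuer (empty Name)
        der_tlv(0x30, der_tlv(0x17, b"180101000000Z") + der_tlv(0x17, b"190101000000Z")) +
        der_tlv(0x30, b"") +                                            # subject (empty Name)
        spki)
    cert = der_tlv(0x30, tbs + der_tlv(0x30, sha256_rsa + der_tlv(0x05, b"")) +
                   der_tlv(0x03, b"\x00" * 17))                         # placeholder signature
    return cert, spki

if __name__ == "__main__":
    PINS = {"<pin-sha256 of the upstream leaf SPKI, obtained out of band>"}   # placeholder
    tls = connect_pinned("1.1.1.1", 853, PINS, server_hostname="one.one.one.one")
    tls.close()
```

Pinning the SPKI rather than the whole certificate survives routine renewals that keep the key; keep at least one backup pin for a key that is not yet deployed, otherwise an upstream key rotation turns the resolver into an outage.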