Project author: shyam

Project description:
A Python implementation of a DNS stub resolver over TLS.
Language: Python
Project address: git://github.com/shyam/dnsproxy.git
Created: 2018-10-03T14:36:39Z
Project community: https://github.com/shyam/dnsproxy

License:



dnsproxy

What does this do:

This implements a DNS stub resolver (more precisely, a forwarding proxy). It listens on TCP port 53 and forwards each query to an upstream DNS server over TLS (DNS over TLS, RFC 7858, port 853), returning the upstream's response to the client.

Implementation notes:

  • It is a TCP to TCP+TLS forwarder written in Python: client bytes on port 53 are copied into a TLS session to the upstream and back. The DNS messages themselves are not parsed.
  • The proxying is done with the maproxy library, which is built on the Tornado asynchronous networking framework (originally developed at FriendFeed). Tornado's non-blocking I/O lets a single process serve many concurrent client connections.
  • A Docker image is published on Docker Hub as shyam/dnsproxy (see the run example below).

Running:

    $ docker run -d -p 5353:53 shyam/dnsproxy:latest
    74c80fa535b29e6562ffc76dd112f221c43322150f2bd59f75fb2ac83d36a180
    $ docker ps
    CONTAINER ID   IMAGE                   COMMAND               CREATED         STATUS         PORTS                    NAMES
    74c80fa535b2   shyam/dnsproxy:latest   "python dnsproxy.py"  8 seconds ago   Up 7 seconds   0.0.0.0:5353->53/tcp     festive_pike
    $ docker logs festive_pike
    [dnsproxy] tcp://127.0.0.1:53 -> tcp+tls://1.1.1.1:853
    $ dig @localhost -p 5353 +tcp shyamsundar.org

    ; <<>> DiG 9.11.3-1ubuntu1.2-Ubuntu <<>> @localhost -p 5353 +tcp shyamsundar.org
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23048
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1452
    ; PAD: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ ... snip ... ]
    ;; QUESTION SECTION:
    ;shyamsundar.org.               IN      A

    ;; ANSWER SECTION:
    shyamsundar.org.        1800    IN      A       185.199.109.153
    shyamsundar.org.        1800    IN      A       185.199.110.153
    shyamsundar.org.        1800    IN      A       185.199.111.153
    shyamsundar.org.        1800    IN      A       185.199.108.153

    ;; Query time: 78 msec
    ;; SERVER: 127.0.0.1#5353(127.0.0.1)
    ;; WHEN: Wed Oct 03 15:06:44 CEST 2018
    ;; MSG SIZE  rcvd: 468

Applications:

  • In a microservices environment, service discovery is one of the most common pain points. When an organisation handles sensitive data such as financial or medical records, it needs a way to ensure that even the DNS resolution underlying service discovery is resistant to eavesdropping and tampering. A DNS stub proxy lets existing services keep using plain DNS on port 53 while the hop to the upstream resolver is protected by TLS. Note that the proxy only protects that upstream hop: the client-to-proxy leg is still cleartext, so the proxy should run on the same host (or the same trusted network segment) as the services that use it.

Security Concerns and other areas of improvement:

  • Implement proper validation of SSL/TLS certificates, including SPKI pinning.

    • Without certificate validation, TLS provides confidentiality against a passive observer only: an on-path attacker can present any certificate and impersonate the upstream resolver, which defeats the purpose of the proxy. Hostname verification against a trusted CA store closes that gap; pinning the upstream's SubjectPublicKeyInfo hash additionally limits the damage if a CA is compromised (keep a backup pin so key rotation does not break resolution).
  • Reduce latency by having long lived / persistent connections with upstream.

  • TCP resolution can easily consume a large number of connections and file descriptors. This has to be monitored, and additional instances have to be set up so that it does not become a bottleneck.

    • Caching of DNS responses (honouring record TTLs) would also help here, as it makes no sense to contact the upstream for every query.
  • Refactor the application to be more modular and add test coverage.

  • Ability to handle multiple upstream resolvers.

    • Will help in redundancy in case an upstream resolver goes offline.
  • Ability to handle custom rules.

    • There will always be cases where queries need to be rewritten, similar to the query rewriting capabilities of coredns and dnsmasq.
  • Ability to handle UDP-based DNS resolution.

    • Most stub clients send queries over UDP first and only fall back to TCP when a response is truncated, which is why the dig example above needs +tcp. UDP listeners would let unmodified clients use the proxy.