pique

module
v1.1.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 17, 2021 License: LGPL-3.0

README

CodeQLrepique_release_go1.15Gitter

hash pe 1.15 hash elf 1.15

Intro: What's pique or repique

It's not DNS...
There's no way it was DNS...
It was DNS.
-- SSBroski

Repique is an advanced DNS stub which can run on different OS such as Windows, Linux, OpenWRT.

Repique is unique in the world because:

  • All DNS queries forwarded by repique are encrypted and secured as following top consumable standard.
  • The forwarding regulation of repique are extremely dynamic and flexible for self-hosted multiple listeners and upstreams.
  • The configuration of clockes, caches and patterns of repique can be ad hoc reloaded on Windows anytime unlimited.
  • The size(6MiB) of repique's binary file are much smaller than the rest of existing go program which has supported 3+ encryption protocols.
  • Repique is the only public golang program leveraging nested socks5/tcp/udp and http(s) proxy.
  • Main program is called "Repique" while its repository name is "Pique", which just creates foo-bar towards golang.
  • There is an additional awesome standalone GUI tooling in combination with repique, check it.

pique /piːk/

repique /ʁə.pik/

The words "pique" and "repique" are of Spanish origin

Although it often scores poorly, it is usually advantageous to declare it to prevent the opponent from scoring pique or repique, despite the tactical disadvantage of giving information to the opponent

repique dnscrypt-proxy-r2-legacy

Overview

Why use pique or repique

Repique acts out an unifiable key point of Internet of Things - DNS Privacy and Confidence.
Be an advancer of IoT, repique embraces aspects of Freedom, Privacy and Security.
Nowadays people like using their preferred DNS services to maximize the interests of personal IoT and business network. An illuminated perspective of new DNS infrastucture is representing as multiple upstreams, multiple encryption protocols and multiple interventions. There are so many open source applications of DNS client/server that people usually can't distinguish difference between each other. They often confuse a DNS stub with a DNS server running locally. Even the authors of building DNS toolset, they are misleading the fundamental functionality and features of client/server.
For example:

  • cache.c in dnsmasq by Simon Kelley uses 2K-LOCs(source lines of code) to maintain different type of DNS queries while others pseudo 'server' applications only delegate its functionality to vendors or create a rough one.
  • network.c in dnsmasq uses 2K-LOCs to coordinate sfd of socket and interfaces while others pseudo 'server' applications only delegate its functionality to vendors or create a rough one.
  • ACCESS-CONTROL, MEMORY-CONTROL, THREADS-CONTROL,CACHE-CONTROL, SOCKET OPTION in unbound by NLnetLabs are more detailed than others pseudo 'server' applications.

Now, everybody knows the story in year 2020.

DNSpooq: Cache Poisoning and RCE in Popular DNS Forwarder (rfc1035.c 2K-LOCs) DNSpooq demonstrates that DNS implementations are still insecure, even today, 13 years after the last major attack was described.

CVE Impact
CVE-2020-25684 DNS Cache Poisoning
CVE-2020-25685 DNS Cache Poisoning
CVE-2020-25686 DNS Cache Poisoning
CVE-2020-25681 Remote Code Execution, Denial of Service
CVE-2020-25682 Remote Code Execution, Denial of Service
CVE-2020-25683 Remote Code Execution, Denial of Service
CVE-2020-25687 Remote Code Execution, Denial of Service

In a bit of irony, in order for a device to be affected by the four buffer overflow vulnerabilities, the DNSSEC feature must be enabled. Devices with DNSSEC disabled would NOT be affected by the buffer overflow flaws. However, JSOF notes it is important to enable DNSSEC as it is used to prevent cache poisoning attacks.

DNS is an Internet-critical protocol whose security greatly affect the security of Internet users. In this paper, JSOF presented 7 vulnerabilities affecting the popular DNS forwarder dnsmasq. These issues put networking and other devices at a risk of compromise and affect millions of Internet users which can suffer from the cache poisoning attack and RCE presented. This highlights the importance of DNS security in general and the security of DNS forwarders in particular. It also highlights the need to expedite the deployment of DNS security measures such as DNSSEC, DNS transport security and DNS cookies.

It sights a lack of creativity of DNS toolset mostly and these senseless users are used to pseudo newcome and speaking yogurt.
The fact is repique never aims at being a DNS server application so that it never performs overhead design or pseudo implementation.
However repique did most DNS stub never did, a powerful, dynamic and flexible program with interoperability to strong encryption protocols and routines to synthetic data.

repique TLS1.3

Illustration of sending TLS1.3 Client Hello to IBM's server by repique

You may find out the difference of TLS 1.3 golang implementation inside above snapshot. It's ture.
Repique demonstrates the ability to mod golang std-library and build together, meanwhile it won't be shipped with the release.
For more information, see GITHUB gist:

  1. Golang - Secure Windows CryptoAPI calling when verifying certificate
  2. Golang - stdlib RNG migration for Windows
  3. Others such as bypassing INTEL's AES-NI won't be presented on gist because it just takes 5 minutes after saw issues like how to disable aes-ni usage, thus everybody can get this done without gist.

Repique can share cache and patterns between multiple listeners or on the contrary, isolate them as independence.
Repique can create nested groups for upstreams as well as tags for extra definition of upstreams.
Repique can use regular expressions to dispatch queries to groups, tags and listeners.
Repique has less explicit fingerprints and interaction behaviors than the rest of applications.
Repique enforces TLS to fix on version 1.3 and therefore bypasses https 1.1.
Repique uses same ordered cipher suites no matter of what hardware features running on and has discarded TLS_AES_128_GCM_SHA256 from v1.3 suites.
Repique uses compatible upstreams definitions with dnscrypt-proxy and compatible routines with Acrylic DNS.
Repique is the only alternative golang implementation conform to dnscrypt protocol.
Repique goes beyond other stubs by implementing preload functions and various cache procedures.(See example)

Who use pique or repique

  • People who take care of 'DNS Privacy'.
  • People who desire an inclusive DNS stub.
  • People who start prioritizing digital freedom, privacy and security across convenience and cost.
  • People who accept/cognize possible sophisticated analysis on encryption protocols as well inner/outer states by public servers, non-agreement front/back-end of services and mid hops.
  • People who understand the first principle of Zero Trust.
  • People who practise Zero Trust security with open source contributions and vendors.
  • People who have a background in computer science and normal IQ able to produce exact regular expressions for repique
  • People who study golang or cryptoanalysis.
  • People who can foresee the future form of IoT evolvement.
Comparison between repique and dnscrypt-proxy

Since repique started from dnscrypt-proxy R2, introducing an overall changes to advantages is necessary to specify:

  1. Rewritten crypto functions
  2. Rewritten all protocols baseline
  3. Improved debug info so as to achieve principal stage of module based iteration methodology
  4. Improved flows and data handling
  5. Improved general design of common CLI program
  6. Strict & Small & Smart

Finally, comparing both release size on Windows(with go1.15;zipped):

  •  dnscrypt-proxy-win64-2.0.45.zip 2.86 MB
    
  •  repique_windows_amd64.zip 1.85 MB  
    

⭕ ⭕ ⭕ ⭕ ⭕ ⭕ ⭕ ⭕ ⭕ ⭕ ⭕ ⭕ ⭕

Comparison between repique and dnsmasq/pihole-FTL

Pihole-FTL is an enhanced(it's called coupling) dnsmasq copy with database, lua scripting, DHCP-discover and signals/regex support.
Pihole-FTL is a fat variation of dnsmasq even has a set of Telnet API.
Pihole-FTL/dnsmasq is a regular DNS server comparing to repique.
Pihole-FTL/dnsmasq doesn't support encryption protocols.
It is always recommended to use repique combining with a DNS server if hosting on a capable device.

Comparison between repique and pihole-MassDNS

Repique can run on different OS while MassDNS is designed to run on Linux.

Comparison between repique and djb'dns

Repique and djbdns share some common legends: both of them are reaction-propelled DNS project.
Djbdns was started because of black hole inside BIND DNS.
Repique was started because of dissentient vendoring, privacy and size of dnscrypt-proxy.
Repique is a modern DNS stub while djbdns is an old fashion DNS server after all.

Comparison between repique and NLnet Labs' stubby

Just like other NLnet Labs' project, stubby has external dependencies on OpenSSL, libunbound, libidn2.
Repique has internal dependencies on Google's golang std libs.
Repique and stubby use different cryptographic primitives.
There is no complex routines or strict/flexible TLS when using stubby.

Comparison between repique and CoreDNS

CoreDNS is a DNS server that chains plugins

Repique is a DNS stub that discarded plugins
If using CoreDNS as a forwarder, applicable size is coredns_1.8.1_windows_amd64.tgz 12.4 MB (extracted coredns.exe 41.0 MB)

Comparison between repique and Acrylic DNS

Acrylic is a DNS stub built with Delphi 7.
Repique is built with golang fresh version.
Repique can build with consistency on any machine and check its fidelity.
Acrylic doesn't support encryption protocols and complex routines.

Comparison between repique and dnsdist(PowerDNS)

PowerDNS is similar to dnsmasq nevertheless its cryptographic primitives take from OpenSSL and dnsmasq uses Nettle.
PowerDNS has Built-in Webserver and HTTP API that repique never wants to implement.
PowerDNS doesn't support encryption protocols and complex routines.

Comparison between repique and AdGuardHome

If using AdGuardHome as a forwarder, applicable size is AdGuardHome_windows_amd64.zip 8.31 MB
AdGuard comes with a beautiful dashboard and ad-block features.
There is no complex routines or strict TLS when using AdGuardHome.
It is easy to compare memory usage of both; the conclusion is clear: only repique can run on limited hardware e.g. a mips soc with small mem.

Comparison between repique and m13253-dns-over-https/routedns/the others DNS applications

There is no complex routines or strict TLS when using others implementation.
There is no dnscrypt protocol support when using others implementation.

Getting Started

Recommend Setup Scenarios:
  • Work with DNS client:
    running on the supported OS; using the default DNS client by OS; configurate repique as the first upstream resolver.
  • Work with DNS server:
    running on the supported OS; using any DNS server preferred; configurate forwarding rule to repique.
Releases

Check out Releases Page

Installation

Download the latest release with golang 1.15 for AMD64 on Windows or Linux

Notice:
Releases for OpenWRT won't be included in this repository @github.
AMD64 Linux is considered an exception.

Usage
X-Copy deployment

There is no additional service or setup to run repique.

You are free to run it as service by searching existing mature methodology from the Internet.

Command Line Interface Options:
flags description
–check=true check the configuration file and exit
-version print current version and exit
–config=[path] Path to the configuration file (default repique.toml in current folder when omitted or not specified)
Configurations

Only three configuration files compose the configurations for a common scenario(shared routine) usage.

  1. Single .md file for upstreams definitions; SEE >>>>> HOW TO
  2. Single .toml file for program parameters; SEE >>>>> EXAMPLE
  3. Single any named file for routine; SEE >>>>> EXAMPLE

.md.minisig is automatically generated by the great GUI TOOL

repique files

Illustration of program files on Windows

Versioning

Repique has dual version association.

Primary releases shipped with binaries are versioned like this:

          _______________________|--number 2 : V2 (previous R2)
         |       ________________|--sequencing number from 1
         |      |        ________|--X : fixed X mark
         |      |       |
Ver. + MAJOR.MINOR.SUBRELEASE

Secondary tag releases with git and github are versioned like this:

       ________________________|--number 1 : for golang semantic versioning
      |       _________________|--sequencing number from 1
      |      |        _________|--counter numbers of minor update
      |      |       |
v + MAJOR.MINOR.SUBRELEASE

MINOR versions of the twinned version are always matched for a single release.

Server Name Indication 📔

👻 rfc3546 👻 draft-ietf-tls-rfc4366-bis-12 👻 rfc6066

'BCI/RSA Security/Transactionware/Vodafone/Stellar Switches/Huawei USA'
Repique's wonderful adventure without SNI

repique TLS1.3

Autobiography

discussions...

⏬⏬⏬ old snapshot when middle ages

repique dnscrypt-proxy-r2-legacy

Directories

Path Synopsis
behaviors
Package pidfile provides structure and helper functions to create and remove PID file.
Package pidfile provides structure and helper functions to create and remove PID file.
unclassified
Package secretbox encrypts and authenticates small messages.
Package secretbox encrypts and authenticates small messages.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL