README ¶
Intro: What's pique or repique
It's not DNS...
There's no way it was DNS...
It was DNS.
-- SSBroski
Repique is an advanced DNS stub which can run on different OS such as Windows, Linux, OpenWRT.
Repique is unique in the world because:
- All DNS queries forwarded by repique are encrypted and secured as following top consumable standard.
- The forwarding regulation of repique are extremely dynamic and flexible for self-hosted multiple listeners and upstreams.
- The configuration of clockes, caches and patterns of repique can be ad hoc reloaded on Windows anytime unlimited.
- The size(6MiB) of repique's binary file are much smaller than the rest of existing go program which has supported 3+ encryption protocols.
- Repique is the only public golang program leveraging nested socks5/tcp/udp and http(s) proxy.
- Main program is called "Repique" while its repository name is "Pique", which just creates foo-bar towards golang.
- There is an additional awesome standalone GUI tooling in combination with repique, check it.
pique /piːk/
repique /ʁə.pik/
The words "pique" and "repique" are of Spanish origin
Although it often scores poorly, it is usually advantageous to declare it to prevent the opponent from scoring pique or repique, despite the tactical disadvantage of giving information to the opponent
Overview
Why use pique or repique
Repique acts out an unifiable key point of Internet of Things - DNS Privacy and Confidence.
Be an advancer of IoT, repique embraces aspects of Freedom, Privacy and Security.
Nowadays people like using their preferred DNS services to maximize the interests of personal IoT and business network.
An illuminated perspective of new DNS infrastucture is representing as multiple upstreams, multiple encryption protocols and multiple interventions.
There are so many open source applications of DNS client/server that people usually can't distinguish difference between each other.
They often confuse a DNS stub with a DNS server running locally. Even the authors of building DNS toolset, they are misleading the fundamental functionality and features of client/server.
For example:
cache.c
in dnsmasq by Simon Kelley uses 2K-LOCs(source lines of code) to maintain different type of DNS queries while others pseudo 'server' applications only delegate its functionality to vendors or create a rough one.network.c
in dnsmasq uses 2K-LOCs to coordinate sfd of socket and interfaces while others pseudo 'server' applications only delegate its functionality to vendors or create a rough one.- ACCESS-CONTROL, MEMORY-CONTROL, THREADS-CONTROL,CACHE-CONTROL, SOCKET OPTION in unbound by NLnetLabs are more detailed than others pseudo 'server' applications.
Now, everybody knows the story in year 2020.
DNSpooq: Cache Poisoning and RCE in Popular DNS Forwarder (
rfc1035.c 2K-LOCs
) DNSpooqdemonstrates
that DNS implementations are still insecure, even today, 13 years after the last major attack was described.
CVE | Impact |
---|---|
CVE-2020-25684 | DNS Cache Poisoning |
CVE-2020-25685 | DNS Cache Poisoning |
CVE-2020-25686 | DNS Cache Poisoning |
CVE-2020-25681 | Remote Code Execution, Denial of Service |
CVE-2020-25682 | Remote Code Execution, Denial of Service |
CVE-2020-25683 | Remote Code Execution, Denial of Service |
CVE-2020-25687 | Remote Code Execution, Denial of Service |
In a bit of irony, in order for a device to be affected by the four buffer overflow vulnerabilities, the DNSSEC feature must be enabled. Devices with DNSSEC disabled would NOT be affected by the buffer overflow flaws. However, JSOF notes it is important to enable DNSSEC as it is used to prevent cache poisoning attacks.
DNS is an Internet-critical protocol whose security greatly affect the security of Internet users. In this paper, JSOF presented 7 vulnerabilities affecting the popular DNS forwarder dnsmasq. These issues put networking and other devices at a risk of compromise and affect millions of Internet users which can suffer from the cache poisoning attack and RCE presented. This highlights the importance of DNS security in general and the security of DNS forwarders in particular. It also highlights the need to expedite the deployment of DNS security measures such as DNSSEC, DNS transport security and DNS cookies.
It sights a lack of creativity of DNS toolset mostly and these senseless users are used to pseudo newcome and speaking yogurt.
The fact is repique never aims at being a DNS server application so that it never performs overhead design or pseudo implementation.
However repique did most DNS stub never did, a powerful, dynamic and flexible program with interoperability to strong encryption protocols and routines to synthetic data.
Illustration of sending TLS1.3 Client Hello to IBM's server by repique
You may find out the difference of TLS 1.3 golang implementation inside above snapshot. It's ture.
Repique demonstrates the ability to mod golang std-library and build together, meanwhile it won't be shipped with the release.
For more information, see GITHUB gist:
- Golang - Secure Windows CryptoAPI calling when verifying certificate
- Golang - stdlib RNG migration for Windows
- Others such as bypassing INTEL's AES-NI won't be presented on gist because it just takes 5 minutes after saw issues like
how to disable aes-ni usage
, thus everybody can get this done without gist.
Repique can share cache and patterns between multiple listeners or on the contrary, isolate them as independence.
Repique can create nested groups for upstreams as well as tags for extra definition of upstreams.
Repique can use regular expressions to dispatch queries to groups, tags and listeners.
Repique has less explicit fingerprints and interaction behaviors than the rest of applications.
Repique enforces TLS to fix on version 1.3 and therefore bypasses https 1.1.
Repique uses same ordered cipher suites no matter of what hardware features running on and has discarded TLS_AES_128_GCM_SHA256
from v1.3 suites.
Repique uses compatible upstreams definitions with dnscrypt-proxy and compatible routines with Acrylic DNS.
Repique is the only alternative golang implementation conform to dnscrypt protocol.
Repique goes beyond other stubs by implementing preload functions and various cache procedures.(See example)
Who use pique or repique
- People who take care of 'DNS Privacy'.
- People who desire an inclusive DNS stub.
- People who start prioritizing digital freedom, privacy and security across convenience and cost.
- People who accept/cognize possible sophisticated analysis on encryption protocols as well inner/outer states by public servers, non-agreement front/back-end of services and mid hops.
- People who understand the first principle of Zero Trust.
- People who practise Zero Trust security with open source contributions and vendors.
- People who have a background in computer science and normal IQ able to produce exact regular expressions for repique
- People who study golang or cryptoanalysis.
- People who can foresee the future form of IoT evolvement.
Comparison between repique and dnscrypt-proxy
Since repique started from dnscrypt-proxy R2, introducing an overall changes to advantages is necessary to specify:
- Rewritten crypto functions
- Rewritten all protocols baseline
- Improved debug info so as to achieve principal stage of module based iteration methodology
- Improved flows and data handling
- Improved general design of common CLI program
- Strict & Small & Smart
Finally, comparing both release size on Windows(with go1.15;zipped):
-
dnscrypt-proxy-win64-2.0.45.zip 2.86 MB
-
repique_windows_amd64.zip 1.85 MB
⭕ ⭕ ⭕ ⭕ ⭕ ⭕ ⭕ ⭕ ⭕ ⭕ ⭕ ⭕ ⭕
Comparison between repique and dnsmasq/pihole-FTL
Pihole-FTL is an enhanced(it's called coupling) dnsmasq copy with database, lua scripting, DHCP-discover and signals/regex support.
Pihole-FTL is a fat variation of dnsmasq even has a set of Telnet API.
Pihole-FTL/dnsmasq is a regular DNS server comparing to repique.
Pihole-FTL/dnsmasq doesn't support encryption protocols.
It is always recommended to use repique combining with a DNS server if hosting on a capable device.
Comparison between repique and pihole-MassDNS
Repique can run on different OS while MassDNS is designed to run on Linux.
Comparison between repique and djb'dns
Repique and djbdns share some common legends: both of them are reaction-propelled DNS project.
Djbdns was started because of black hole inside BIND DNS.
Repique was started because of dissentient vendoring, privacy and size of dnscrypt-proxy.
Repique is a modern DNS stub while djbdns is an old fashion DNS server after all.
Comparison between repique and NLnet Labs' stubby
Just like other NLnet Labs' project, stubby has external dependencies on OpenSSL, libunbound, libidn2.
Repique has internal dependencies on Google's golang std libs.
Repique and stubby use different cryptographic primitives.
There is no complex routines or strict/flexible TLS when using stubby.
Comparison between repique and CoreDNS
CoreDNS is a DNS server that chains plugins
Repique is a DNS stub that discarded plugins
If using CoreDNS as a forwarder, applicable size is coredns_1.8.1_windows_amd64.tgz
12.4 MB (extracted coredns.exe
41.0 MB)
Comparison between repique and Acrylic DNS
Acrylic is a DNS stub built with Delphi 7.
Repique is built with golang fresh version.
Repique can build with consistency on any machine and check its fidelity.
Acrylic doesn't support encryption protocols and complex routines.
Comparison between repique and dnsdist(PowerDNS)
PowerDNS is similar to dnsmasq nevertheless its cryptographic primitives take from OpenSSL and dnsmasq uses Nettle.
PowerDNS has Built-in Webserver and HTTP API that repique never wants to implement.
PowerDNS doesn't support encryption protocols and complex routines.
Comparison between repique and AdGuardHome
If using AdGuardHome as a forwarder, applicable size is AdGuardHome_windows_amd64.zip
8.31 MB
AdGuard comes with a beautiful dashboard and ad-block features.
There is no complex routines or strict TLS when using AdGuardHome.
It is easy to compare memory usage of both; the conclusion is clear: only repique can run on limited hardware e.g. a mips soc with small mem.
Comparison between repique and m13253-dns-over-https/routedns/the others DNS applications
There is no complex routines or strict TLS when using others implementation.
There is no dnscrypt protocol support when using others implementation.
Getting Started
Recommend Setup Scenarios:
- Work with DNS client:
running on the supported OS; using the default DNS client by OS; configurate repique as the first upstream resolver. - Work with DNS server:
running on the supported OS; using any DNS server preferred; configurate forwarding rule to repique.
Releases
Check out Releases Page
Installation
Download the latest release with golang 1.15 for AMD64 on Windows or Linux
Notice:
Releases for OpenWRT won't be included in this repository @github.
AMD64 Linux is considered an exception.
Usage
X-Copy deployment
There is no additional service or setup to run repique.
You are free to run it as service by searching existing mature methodology from the Internet
.
Command Line Interface Options:
flags | description |
---|---|
–check=true | check the configuration file and exit |
-version | print current version and exit |
–config=[path] | Path to the configuration file (default repique.toml in current folder when omitted or not specified) |
Configurations
Only three configuration files compose the configurations for a common scenario(shared routine) usage.
- Single
.md
file for upstreams definitions; SEE >>>>> HOW TO - Single
.toml
file for program parameters; SEE >>>>> EXAMPLE - Single
any
named file for routine; SEE >>>>> EXAMPLE
.md.minisig
is automatically generated by the great GUI TOOL
Illustration of program files on Windows
Versioning
Repique has dual version association.
Primary releases shipped with binaries are versioned like this:
_______________________|--number 2 : V2 (previous R2) | ________________|--sequencing number from 1 | | ________|--X : fixed X mark | | | Ver. + MAJOR.MINOR.SUBRELEASE
Secondary tag releases with git and github are versioned like this:
________________________|--number 1 : for golang semantic versioning | _________________|--sequencing number from 1 | | _________|--counter numbers of minor update | | | v + MAJOR.MINOR.SUBRELEASE
MINOR versions of the twinned version are always matched for a single release.
Server Name Indication 📔
👻 rfc3546 👻 draft-ietf-tls-rfc4366-bis-12 👻 rfc6066
'BCI/RSA Security/Transactionware/Vodafone/Stellar Switches/Huawei USA'
Repique's wonderful adventure without SNI
Autobiography
⏬⏬⏬ old snapshot when middle ages
Directories ¶
Path | Synopsis |
---|---|
behaviors
Package pidfile provides structure and helper functions to create and remove PID file.
|
Package pidfile provides structure and helper functions to create and remove PID file. |
unclassified
Package secretbox encrypts and authenticates small messages.
|
Package secretbox encrypts and authenticates small messages. |