kittendns

command module
v0.0.6 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 1, 2024 License: Apache-2.0 Imports: 20 Imported by: 0

README

📖 DocumentationReleases 🏷️

What is this?

A toy DNS for hobbyists and worried people.

Mission Statement:

  • No fat. Fast.

Features:

  • Really easy to configure (toml syntax)
  • Rule engine to rewrite/deny queries
  • Plugins support

But also:

  • RFC2136 and LetsEncrypt compatibility, use as a DNS endpoint to obtain certificates
  • Configuration auto-update

Configuration, Documentation

Take a look at the content of the config.toml.template file. Copy it to config.toml and run.

Read the CONCISE DOCUMENTATION 📖

DNS Synchronization

There is currently no notion of primary and secondary DNS. All your DNS instances are equal. It would be fairly easy to implement IXFR/AXFR but unless it becomes a mandatory feature, this seems to go against my "no fat/easy to configure" goals. With this being said, you could use something like Syncthing to keep config.toml current.

Tell me more about the DNS repository

In the github.com/miekg/dns repository, there was a pull request allowing code using that library to retrieve additional information about the requesting socket. This includes source IP, which can be convenient in a split horizon environment. It lives in this directory (slightly adapted)

Performance testing

The tests below are performed using authoritative (local) records as my main goal is to offer a server that can survive a brutal assault serving cloud endpoints. Performing the same test against recursed hosts offers similar performance, simply because I am not querying 1M different hosts and the server efficiently* caches responses (while respecting their TTL)

These tests are run locally on a 2020 Macbook M1 Pro and jMeter is using as much CPU as it dares to, while kittendns doesn't even appear in my top output.

* dumbly

jMeter stress testing

  1. Run Wireshark to capture a DNS query. In the details window, select the Domain Name System layer, right-click, copy as a hex stream.
  2. In jMeter, paste in the "Request Data" area

The jMeter test plan is stored in KittenDNS jMeter Test Plan.jmx

Since we are testing DDoS-type scenarios, we are not going to allow any ramp-up. All clients will be hitting the servers from the beginning.

Results:

Scenario Queries/Minute Queries/Second
1M queued queries for locally resolved hosts 1.3M 21,666
1M queued queries for locally resolved, CNAME'd hosts 1.276M 21,417
1M queries, but by 100 users, no ramp-up 4.599M 76,650
1M queries, 100 users, flattening enabled 4.623M 77,050
1M queries, bump to 1,000 users 3.2M 53,333

Observations:

  • If we distribute across 1000 users rather than 100, threading starts degrading.
  • Flattening doesn't provide the expected level of improvement.

Latency is pretty good, too.

Mig testing

https://github.com/infobloxopen/dnstools/tree/master/mig

./mig -s 192.168.1.189 -n 1000000 -d domains.lst -o perf.json
python2 ../analyser/fit.py results/perf.json

Results:

Rule Engine Queries/Minute Queries/Second
Enabled 6.7M 111,677
Disabled 6.79M 113,181

Again, a somewhat unexpected result: a lightly loaded rule engine has almost no impact on the server's performance.

Todo

Cache improvements

  • If flattening is enabled, we should cache the flattened version.
  • When flattening, what about recursed and fragmented answers?

Circuit Breaker (when recursing)/Rate Limiter

Because, realistically, it is better to fail some queries if this will allow them to succeed later.

Rate Limiter: should be limiting some misbehaving clients. Problem: how do we identify a "Client?"

  • Is a client a single IP address? If it's a site DNS proxying to us, then it may be allowed higher traffic levels
  • Should we throttle a combination of source + queries?

FAQ

Q: I noticed that you are storing similar records in separate structures. For instance, there is one entry for a A (v4) record, and another entry for its AAAA (v6) counterpart. This is wasteful!

A: You are correct. However, I should not store both entries using the same key because they can both be capitalized differently. And, little known fact, capitalization in DNS can be a security feature.

Q: What's that about capitalization?

A: KittenDNS makes sure that the response to a query returns the host capitalized exactly as it was in the query. This is a protection scheme against DNS poisoning, known as the '0x20' trick.

Misc

Logo created by DesignEvo logo maker

Documentation

The Go Gopher

There is no documentation for this package.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL