jedisct1/edgedns jedisct1/edgedns

  • Stars
    star
    490
  • Rank 89,811 (Top 2 %)
  • Language
    Rust
  • License
    ISC License
  • Created almost 9 years ago
  • Updated almost 4 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
jedisct1/edgedns
github

jedisct1

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A high performance DNS cache designed for Content Delivery Networks

Build Status

EdgeDNS

A high performance DNS cache designed for Content Delivery Networks, with built-in security mechanisms to protect origins, clients and itself.

Precompiled binaries (recommended)

Installation from source

EdgeDNS requires rust-nightly. Compile and install the server with:

git clone -b 0.3.0 https://github.com/jedisct1/edgedns
cd edgedns
cargo install

Quickstart

  1. Edit a copy of the edgedns.toml configuration file
  2. Run edgedns -c /path/to/edgedns.toml

On Linux, you may use that sample systemd service to start it.

EdgeDNS can protect authoritative servers ("virtual DNS" mode), or act as a local cache for responses received from a recursive server.

EdgeDNS as a cache for authoritative servers ("virtual DNS" mode)

For this mode, set the type property in the [upstream] section to authoritative:

[upstream]
# Type of upstream servers: "resolver" or "authoritative"
type = "authoritative"

EdgeDNS will act as a "secondary DNS server" for the zones served by one or more "primary DNS servers". The external IP address edgedns is listening to can be configured as a public authoritative server for the zone.

This will reduce the load on the "primary server", mitigate common attacks, and ensure a continuity of service even if the primary server has temporary outages.

Binding as many ports as possible (udp_ports in the [network] section) is recommended in this mode of operation. This may require some adjustments to your system configuration. See below.

EdgeDNS as a local DNS cache

For this mode, set the type property in the [upstream] section to resolver:

[upstream]
# Type of upstream servers: "resolver" or "authoritative"
type = "resolver"

And configure the local host to use 127.0.0.1 as a resolver. EdgeDNS will cache responses, balance the load across the resolvers set, and improve your experience by making DNS more reliable.

Operation

EdgeDNS has two modes of operation:

  • In "virtual DNS" mode, it acts as an authoritative server, and sits between authoritative DNS servers and resolvers. It ensures that only correct queries are sent to upstream servers, balances the load across multiple upstreams, reduces the load by caching recent and frequent queries, mitigates DDoS attacks and does its best to respond to critical queries even when upstream servers are slow or unresponsive.
  • In "resolver" mode, EdgeDNS can act as a simple, non-recursive DNS cache, sitting between a recursive resolver and stub resolvers.

"virtual DNS" is the default mode, but this can be changed with the type property in the [upstream] section.

By default, the load is distributed using jump consistent hashing, ensuring that the upstream servers get a similar share, but queries for a given zone always favor the same upstream server.

As an alternative, servers can be tried sequentially, and queries are eventually sent to the first responsive server.

That behavior is controlled by the strategy property in the [upstream] section. uniform enables consistent hashing, fallback selects servers in sequence and minload uses the power-of-two-choices algorithm.

A unique feature of EdgeDNS is that it uses a fixed number of UDP sockets. Sockets designed to receive responses from upstream servers are all open at once, and are then kept open forever. Matching responses with queries is entirely done by the application instead of the kernel.

As a result, the server will not start if the maximum number of UDP ports to use is larger than the maximum number of file descriptors allowed.

Tweaking /etc/security/limits.conf or using ulimit -n might thus be required prior to starting the server.

By default, only 8 UDP ports are open. This is acceptable for a local cache ("resolver mode") sending queries to a local resolver on a trusted network. In all other scenarios, raising this number as much as possible (up to 64511) using the udp_ports property is highly recommended.

Live metrics

If the enabled property is set to true in the [webservice] section, EdgeDNS will serve live metrics that can be collected by the Prometheus time-series database.

The default URL to access these metrics is http://0.0.0.0:9090/metrics.

Note

This software is still a work in progress. More features are planned, with a focus on automatic DDoS mitigation.

Features

Reliable

EdgeDNS is written in Rust, which by design prevents common security and reliability issues while remaining extremely fast.

EdgeDNS can thus be used as a protection layer for DNS resolvers and authoritative servers.

EdgeDNS has been running flawlessly on the public scaleway-fr server since January 2016.

DNSSEC support

EdgeDNS is fully compatible with DNSSEC.

Low memory usage

In virtual DNS mode, responses are cached independently instead of performing zone transfers, in order to favor caching of hot records.

With a large number of zones, and an uneven distribution of queries across records, this leads to a very low memory usage compared to secondary servers keeping entire zones.

EDNS0 support

EdgeDNS fully supports EDNS0 both to respond to clients, and to communicate with upstream servers. This minimizes the number of queries requiring TCP and reduces latency.

Minimal truncated responses

Responses that don't fit within the maximum payload size supported by a client get a truncated response, whose content cannot be used by a resolver or stub resolver.

Instead of forwarding truncated responses sent by authoritative servers, EdgeDNS directly synthesizes the shortest possible responses.

Correct support for the dns0x20 extension

In order to improve resistance against forgery, some clients support the dns0x20 extension, which randomizes casing in DNS names. This shouldn't lead to distinct cache entries. The cache normalize names, but respect the form initially sent by clients in its responses.

Coalescing of identical queries

Multiple clients can be simultaneously waiting for the same cache entry to be filled.

Similar in-flight queries are coalesced, and the first received response is dispatched among all waiting clients.

Latency guarantee

Slow authoritative servers can have a huge impact on clients, even if this is a temporary situation.

EdgeDNS does its best to guarantee a maximum latency. If a response that needs to be refreshed doesn't get a response within a given time frame, EdgeDNS can directly respond with cached records in order to avoid breaking the latency guarantee.

Short responses to ANY queries

ANY queries are commonly used to conduct DDoS attacks.

The ANY query type has been deprecated for a while, but not answering queries with the ANY type breaks legacy software, namely Qmail.

Cloudflare handles ANY queries by synthesizing responses with HINFO records. EdgeDNS implements this proposal as well. It doesn't violate the protocol, doesn't break Qmail and mitigate abuses, while not requiring any interactions with authoritative servers.

Query validation

Only valid queries should be sent to authoritative servers. This mitigates common attacks exploiting vulnerabilities in resolvers and authoritative servers.

Negative caching

The absence of data is cached. Temporary errors such as SERVFAIL responses are also cached for a short period of time, in order to avoid hammering upstream servers.

Automatic failover

Outages of upstream servers are quickly detected, and background probes are sent to bring them back to the pool as soon as they get operational again.

Consistent hashing

In order to improve cache locality, the same questions should preferably be always sent to the same upstream servers.

Consistent hashing limits the amount of reshuffling after servers are being flagged as down or back up, and is a strategy the proxy can use in order to distribute queries amount authoritative servers.

As an alternative, EdgeDNS can send data to a primary upstream servers, and fall back to a list of backup servers in case of an outage.

Resilience against temporary outages of authoritive servers

If authoritative servers cannot be reached for a given zone, and a previous version of the response is available, EdgeDNS serves that version instead of returning a server failure.

If authoritative responses are received, but with a significant delay, EdgeDNS responds with a previous version of the response, and updates its cache as soon as the update is effectively being received.

Resilience against cache pollution

An attacker could fill the cache with entries of little relevance, or invalid entries, in order to reduce the cache efficiency, or partly disrupt the service.

In order to protect against cache pollution, EdgeDNS uses the CLOCK-Pro algorithm. This algorithm separately tracks recently used and frequently used entries.

A significant amount of new entries does not have a perceptible impact on frequently asked DNS questions.

TCP slots reuse

The number of simultaneous connections coming from the same client IP address is capped, and dynamically adjusted according to the total number of free slots.

After the cap is reached, new connections recycle older connections from the same client IP. A single client opening many TCP connections doesn't affect the general service availablity.

More Repositories

1

libsodium

A modern, portable, easy to use crypto library.
C
12,131
star
2

dsvpn

A Dead Simple VPN.
C
5,068
star
3

piknik

Copy/paste anything over the network.
Go
2,342
star
4

minisign

A dead simple tool to sign files and verify digital signatures.
C
1,856
star
5

libsodium.js

libsodium compiled to Webassembly and pure JavaScript, with convenient wrappers.
HTML
899
star
6

libhydrogen

A lightweight, secure, easy-to-use crypto library suitable for constrained environments.
C
599
star
7

pure-ftpd

Pure FTP server
C
589
star
8

libsodium-php

The PHP extension for libsodium.
C
546
star
9

swift-sodium

Safe and easy to use crypto for iOS and macOS
C
518
star
10

libpuzzle

A library to quickly find visually similar images
C
262
star
11

iptoasn-webservice

Web service to map IP addresses to AS information, using iptoasn.com
Rust
254
star
12

dnsblast

A simple and stupid load testing tool for DNS resolvers
C
233
star
13

as-wasi

An AssemblyScript API layer for WASI system calls.
TypeScript
232
star
14

rust-jwt-simple

A secure, standard-conformant, easy to use JWT implementation for Rust.
Rust
222
star
15

wasm-crypto

A WebAssembly (via AssemblyScript) set of cryptographic primitives for building authentication and key exchange protocols.
TypeScript
214
star
16

rust-bloom-filter

A fast Bloom filter implementation in Rust
Rust
187
star
17

encpipe

The dum^H^H^Hsimplest encryption tool in the world.
C
182
star
18

Pincaster

A fast persistent nosql database with a HTTP/JSON interface, not only for geographical data.
C
171
star
19

UCarp

UCARP allows a couple of hosts to share common virtual IP addresses in order to provide automatic failover. It is a portable userland implementation of the secure and patent-free Common Address Redundancy Protocol (CARP, OpenBSD's alternative to the patents-bloated VRRP).
M4
170
star
20

blacknurse

BlackNurse attack PoC
C
170
star
21

libsodium-doc

Gitbook documentation for libsodium
Shell
166
star
22

bitbar-dnscrypt-proxy-switcher

BitBar plugin to control dnscrypt-proxy usage
Shell
148
star
23

charm

A really tiny crypto library.
C
148
star
24

witx-codegen

WITX code and documentation generator for AssemblyScript, Zig, Rust and more.
Rust
134
star
25

siphash-js

A Javascript implementation of SipHash-2-4
JavaScript
122
star
26

rust-ed25519-compact

Small, wasm-friendly, zero-dependencies Ed25519 and X25519 implementation for Rust.
Rust
120
star
27

rsign2

A command-line tool to sign files and verify signatures in pure Rust.
Rust
112
star
28

go-minisign

Minisign verification library for Golang.
Go
103
star
29

rust-nats

A simple NATS client library for Rust
Rust
102
star
30

zigly

The easiest way to write services for Fastly's Compute@Edge in Zig.
Zig
84
star
31

was-not-wasm

A hostile memory allocator to make WebAssembly applications more predictable.
Rust
81
star
32

webassembly-benchmarks

Libsodium WebAssembly benchmarks results.
79
star
33

rust-minisign

A pure Rust implementation of the Minisign signature tool.
Rust
78
star
34

zig-charm

A Zig version of the Charm crypto library.
Zig
74
star
35

rust-ffmpeg-wasi

ffmpeg 7 libraries precompiled for WebAsembly/WASI, as a Rust crate.
Rust
67
star
36

openssl-wasm

OpenSSL 3 compiled for WebAssembly/WASI (up-to-date, maintained)
C
66
star
37

rust-sthash

Very fast cryptographic hashing for large messages.
Rust
65
star
38

vtun

A mirror of VTUN, with some changes
C
63
star
39

iptrap

A simple, but damn fast sinkhole
Rust
62
star
40

boringssl-wasm

BoringSSL for WebAssembly/WASI
Zig
59
star
41

libsodium-signcryption

Signcryption using libsodium.
C
59
star
42

wasmsign

A tool to add and verify digital signatures to/from WASM binaries
Rust
56
star
43

libaegis

Portable C implementations of the AEGIS family of high-performance authenticated encryption algorithms.
C
56
star
44

blobcrypt

Authenticated encryption for streams and arbitrary large files using libsodium
C
54
star
45

rust-coarsetime

Time and duration crate optimized for speed
Rust
52
star
46

zig-minisign

Minisign reimplemented in Zig.
Zig
50
star
47

rust-siphash

SipHash (2-4, 1-3 + 128 bit variant) implementations for Rust
Rust
48
star
48

6Jack

A framework for analyzing/testing/fuzzing network applications.
C
46
star
49

rust-hyperloglog

A HyperLogLog implementation in Rust.
Rust
46
star
50

libchloride

Networking layer for libsodium, based on CurveCP
C
44
star
51

rust-qptrie

A qp-trie implementation in Rust
Rust
42
star
52

minicsv

A tiny, fast, simple, single-file, BSD-licensed CSV parsing library in C.
C
39
star
53

spake2-ee

A SPAKE2+ Elligator Edition implementation for libsodium 1.0.16+
C
36
star
54

massresolver

Mass DNS resolution tool
C
36
star
55

cpace

A CPace PAKE implementation using libsodium.
C
35
star
56

aegis-X

The AEGIS-128X and AEGIS-256X high performance ciphers.
Zig
34
star
57

rust-privdrop

A simple Rust crate to drop privileges
Rust
34
star
58

PureDB

PureDB is a portable and tiny set of libraries for creating and reading constant databases.
C
33
star
59

libclang_rt.builtins-wasm32.a

The missing libclang_rt.builtins-wasm32.a file to compile to WebAssembly.
32
star
60

c-ipcrypt

ipcrypt implementation in C
C
31
star
61

rust-dnsclient

A simple and secure DNS client crate for Rust.
Rust
29
star
62

rust-xoodyak

Xoodyak, a lightweight and versatile cryptographic scheme implemented in Rust.
Rust
29
star
63

fastly-terrarium-examples

Example code you can run in Fastly Terrarium: https://www.fastlylabs.com/
C
28
star
64

libsodium-xchacha20-siv

Deterministic/nonce-reuse resistant authenticated encryption scheme using XChaCha20, implemented on libsodium.
C
28
star
65

rust-geoip

GeoIP bindings for Rust
Rust
28
star
66

rust-minisign-verify

A small Rust crate to verify Minisign signatures.
Rust
27
star
67

whatsmyresolver

A tiny DNS server that returns the client (resolver) IP
Go
26
star
68

libsodium-sys-stable

Sodiumoxide's libsodium-sys crate, but that installs stable versions of libsodium.
Rust
26
star
69

spritz

A C implementation of Spritz, a spongy RC4-like stream cipher and hash function.
C
25
star
70

metrohash-c

C version of the MetroHash function
C
25
star
71

rust-hmac-sha256

A small, self-contained SHA256 and HMAC-SHA256 implementation.
Rust
25
star
72

rust-cpace

A Rust implementation of CPace, a balanced PAKE.
Rust
25
star
73

rust-clockpro-cache

CLOCK-Pro cache replacement algorithm for Rust
Rust
24
star
74

rust-blind-rsa-signatures

RSA blind signatures in Rust
Rust
24
star
75

PHP-OAuth2-Provider

Skyrock OAuth2 server
PHP
23
star
76

rust-aegis

AEGIS high performance ciphers for Rust.
Rust
23
star
77

system-tuning-for-crypto

System tuning recommendations for running cryptographic applications
23
star
78

hashseq

A simple proof of work, mainly designed to mitigate DDoS attacks.
C
23
star
79

dnssector

A DNS library for Rust.
Rust
23
star
80

openssl-family-bench

A quick benchmark of {Open,Libre,Boring}SSL
C
23
star
81

randen-rng

A port of the Google Randen fast backtracking-resistant random generator to the C language.
C
21
star
82

Blogbench

A filesystem benchmark tool that simulates a realistic load
C
21
star
83

vue-dnsstamp

DNS Stamp calculator component for VueJS
Vue
21
star
84

supercop

Always up-to-date mirror of the SUPERCOP cryptographic benchmark.
C
21
star
85

yaifo

YAIFO [remote OpenBSD installer] for OpenBSD-current
Shell
21
star
86

ratelimit

Plug-and-play IP rate limiter in C
C
21
star
87

draft-aegis-aead

The AEGIS cipher family - Draft.
20
star
88

go-hpke-compact

A small and easy to use HPKE implementation in Go.
Go
20
star
89

ipgrep

Extract, defang, resolve names and IPs from text
Python
20
star
90

zig-rocca-s

An implementation of the ROCCA-S encryption scheme.
Zig
19
star
91

Simple-Comet-Server

HTTP long-polling server and javascript client library.
Python
19
star
92

simpira384

An AES-based 384 bit permutation.
C
18
star
93

PHP-WebDAV-extension

The PHP WebDAV extension allows easy access to remote resources with PHP through the DAV protocol.
Shell
18
star
94

nonce-extension

Make AES-GCM safe to use with random nonces, for any practical number of messages.
Rust
17
star
95

rust-sealed_box

Sealed boxes implementation for Rust/WebAssembly.
Rust
16
star
96

zig-eddsa-key-blinding

A Zig implementation of EdDSA signatures with blind keys.
Zig
16
star
97

c-blind-rsa-signatures

Blind RSA signatures for OpenSSL/BoringSSL.
C
16
star
98

aes-torture

A software AES implementation to torture code generators.
C
16
star
99

js-base64-ct

Safe Base64 encoding/decoding in pure JavaScript.
TypeScript
16
star
100

rust-aes-wasm

Fast(er) AES-based constructions for WebAssembly and Rust.
Rust
16
star