DNSCurve: Usable security for DNS
How to install a DNSCurve cacheThis page explains how to add DNSCurve protection to your incoming DNS data. There is a separate page explaining the benefits of this protection.
DNSCurve cache software is, at the time of this writing (June 2009), undergoing development and testing. This page summarizes what you will have to do once the software is officially released.
To protect DNS data entering your computer, simply upgrade your DNS cache (a "recursive server" such as dnscache or PowerDNS Recursor or BIND or MaraDNS or Nominum CNS or Unbound) to a DNS cache that supports DNSCurve.
No extra cache configuration is required. The DNS cache will figure out for itself when a server supports DNSCurve.
No extra firewall configuration is required (if you have your cache behind a firewall). DNSCurve requests and responses are, from a firewall's perspective, normal DNS packets.
Network bandwidth remains essentially unchanged. DNSCurve puts some extra information into packets to DNSCurve servers but does not use extra packets.
If your computer was relying on an ISP's DNS cache instead of running its own DNS cache, simply install a DNS cache that supports DNSCurve. This has several side benefits beyond the DNSCurve protection:
Another way to improve performance is to download daily copies of the root zone (for example, http://www.internic.net/domain/ has a GPG-signed copy), and serve those copies through your own local DNSCurve-protected servers. The root zone is small and changes slowly. This also reduces the load on the root servers and noticeably reduces the frequency of big DNS lookup delays for users. Third parties can also operate DNSCurve-protected copies of the root as a public service.
VersionThis is version 2009.06.22 of the in-install.html web page.