How to install a DNSCurve forwarder
This page explains how to add DNSCurve protection to outgoing DNS data
published by your DNS server:
an "authoritative DNS server" such as tinydns
or PowerDNS Server or BIND or NSD or MaraDNS or Nominum ANS.
There is a
explaining the benefits of this protection.
You could upgrade your DNS server
to a DNS server that supports DNSCurve.
However, you can instead install a DNSCurve forwarder
without changing your DNS server.
A full-fledged DNSCurve forwarder named
has been released by Harm van Tilborg
with the support of Jeroen Scheerder and Lieuwe Jan Koning at ON2IT Security.
There are five main steps in setting up a DNSCurve forwarder:
DNSCurve caches will now start encrypting and authenticating packets to your forwarder.
You don't need to change any other DNS data.
You don't need to change your procedures for updating DNS data.
- Install the forwarder on a new IP address.
If you install the forwarder on the same computer as your existing DNS server
then you need to put it on a different IP address from the existing DNS server.
- Configure the forwarder to forward to your existing DNS server's IP address.
- Add, in your DNS data, a special DNSCurve server name for the forwarder.
The name is specific to this forwarder
and is automatically generated during installation of the forwarder.
- Add the same DNSCurve server name in your parent DNS data.
- After a week, remove the old non-DNSCurve server names.
let's say you're the nytimes.com DNS administrator,
with a DNS server on IP address 220.127.116.11.
Here is how you would add support for DNSCurve:
- Install the DNSCurve forwarder on a new IP address, for example 18.104.22.168.
- Configure the DNSCurve forwarder to forward to IP address 22.214.171.124.
(in tinydns format)
nytimes.com. IN NS uz5xgm1kx1zj8xsh51zp315k0rw7dcsgyxqh2sl7g8tjg25ltcvhyw.nytimes.com.
uz5xgm1kx1zj8xsh51zp315k0rw7dcsgyxqh2sl7g8tjg25ltcvhyw.nytimes.com. IN A 126.96.36.199
(in BIND format).
is a special name generated by this DNSCurve forwarder.
- Log in to the .com registrar
and provide the same
- After a week, remove the old non-DNSCurve server name.
This is version 2010.12.24 of the out-install.html web page.