DNSCurve: Usable security for DNS


How to install a DNSCurve cache

This page explains how to add DNSCurve protection to your incoming DNS data. There is a separate page explaining the benefits of this protection.

DNSCurve cache software is, at the time of this writing (June 2009), undergoing development and testing. This page summarizes what you will have to do once the software is officially released.

To protect DNS data entering your computer, simply upgrade your DNS cache (a "recursive server" such as dnscache or PowerDNS Recursor or BIND or MaraDNS or Nominum CNS or Unbound) to a DNS cache that supports DNSCurve.

No extra cache configuration is required. The DNS cache will figure out for itself when a server supports DNSCurve.
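How a cache can tell, as an added example that is not part of this page or of any DNSCurve implementation: the DNSCurve protocol has a server advertise its Curve25519 public key inside its own NS name, as a label "uz5" followed by 51 base-32 digits from the alphabet 0123456789bcdfghjklmnpqrstuvwxyz, packed least-significant bit first (51 digits carry the 255-bit key). A cache that receives NS records for a delegation checks the first label of each server name; if it decodes, the cache can box its queries to that server, otherwise it falls back to plain DNS. The sample key and NS names below are constructed for the example and are not real servers.

```python
"""Recognizing DNSCurve-capable name servers from their NS names (added example)."""

# DNSCurve base-32 alphabet: digits, then lowercase letters other than a e i o u.
ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"
DECODE = {c: i for i, c in enumerate(ALPHABET)}
PREFIX = "uz5"
KEY_DIGITS = 51          # 51 digits * 5 bits = 255 bits
KEY_BYTES = 32           # Curve25519 public key; its top bit is always 0


def encode_key(key: bytes) -> str:
    """Encode a 32-byte key (top bit clear) as 51 base-32 digits, LSB first."""
    if len(key) != KEY_BYTES or key[-1] & 0x80:
        raise ValueError("key must be 32 bytes with the top bit clear")
    out, acc, nbits = [], 0, 0
    for byte in key:
        acc |= byte << nbits
        nbits += 8
        while nbits >= 5:
            out.append(ALPHABET[acc & 31])
            acc >>= 5
            nbits -= 5
    # 256 bits leave one bit over: the (zero) top bit, which is simply dropped.
    return "".join(out)


def decode_key(digits: str) -> bytes:
    """Decode 51 base-32 digits back into the 32-byte key."""
    if len(digits) != KEY_DIGITS or any(c not in DECODE for c in digits):
        raise ValueError("expected 51 base-32 digits")
    out, acc, nbits = bytearray(), 0, 0
    for c in digits:
        acc |= DECODE[c] << nbits
        nbits += 5
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    # 255 bits = 31 full bytes plus the 7 low bits of the last byte.
    out.append(acc & 0xFF)
    return bytes(out)


def dnscurve_key(ns_name: str):
    """Return the server's public key if ns_name advertises one, else None."""
    label = ns_name.lower().split(".", 1)[0]
    if len(label) != len(PREFIX) + KEY_DIGITS or not label.startswith(PREFIX):
        return None
    try:
        return decode_key(label[len(PREFIX):])
    except ValueError:        # right shape, but not valid base-32: treat as plain DNS
        return None


def dnscurve_servers(ns_names):
    """Map each NS name that advertises a DNSCurve key to that key (bytes)."""
    found = {}
    for name in ns_names:
        key = dnscurve_key(name)
        if key is not None:
            found[name] = key
    return found


# Constructed sample data for the example: a made-up key and made-up NS names.
SAMPLE_KEY = bytes(range(32))
SAMPLE_NS = [
    "ns1.example.",                                     # ordinary DNS server
    PREFIX + encode_key(SAMPLE_KEY) + ".ns.example.",   # DNSCurve server
    "uz5notakey.example.",                              # uz5 prefix, wrong length
    "uz5" + "a" * 51 + ".example.",                     # 'a' is not in the alphabet
]

if __name__ == "__main__":
    for name, key in dnscurve_servers(SAMPLE_NS).items():
        print(name, key.hex())
```

Because the key travels in an ordinary NS name, no cache configuration, no new record type and no new port is needed; servers that do not publish a uz5 label are simply queried as before.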

No extra firewall configuration is required (if you have your cache behind a firewall). DNSCurve requests and responses are, from a firewall's perspective, normal DNS packets.

Network bandwidth remains essentially unchanged. DNSCurve puts some extra information into packets to DNSCurve servers but does not use extra packets.

If your computer was relying on an ISP's DNS cache instead of running its own DNS cache, simply install a DNS cache that supports DNSCurve. This has several side benefits beyond the DNSCurve protection:

  • Your web browsing will "feel" noticeably faster, since most DNS queries will be answered immediately instead of incurring network delays.
  • You will put less DNS load on the local network.
  • You will put less DNS load on DNS servers. Your computer's cache is more effective than your ISP's cache; it doesn't have to compete with other users for cache space.

Another way to improve performance is to download daily copies of the root zone (for example, http://www.internic.net/domain/ has a GPG-signed copy), and serve those copies through your own local DNSCurve-protected servers. The root zone is small and changes slowly. This also reduces the load on the root servers and noticeably reduces the frequency of big DNS lookup delays for users. Third parties can also operate DNSCurve-protected copies of the root as a public service.

Version

This is version 2009.06.22 of the in-install.html web page.