DNSCurve: Usable security for DNS

Why install a DNSCurve forwarder?

Do you run a DNS server that sends out DNS data? For example, do you run an "authoritative DNS server" such as tinydns or PowerDNS Server or BIND or NSD or MaraDNS or Nominum ANS to publish the IP addresses of your web server and mail server?

This page explains the benefits of adding DNSCurve protection to your outgoing DNS data.

What does DNSCurve do for me?

An increasing number of DNS clients around the Internet support DNSCurve. If you install a DNSCurve forwarder in front of your server, then the incoming DNS queries from those clients, and the DNS responses sent back to those clients from your server, will be automatically encrypted with high-speed, high-security cryptography. This has several benefits:
  • An attacker who sees your incoming DNS queries won't be able to understand them. He can still gain information from "traffic analysis" (seeing when you're receiving packets and how long the packets are) but will not be shown the packet contents.
  • An attacker who sees the outgoing DNS responses won't be able to understand them.
  • An attacker who forges an outgoing DNS response won't be able to fool DNSCurve clients. Those clients will simply discard the forgery and wait for the correct response to get through.

Version

This is version 2009.06.22 of the out-benefits.html web page.