“Broken” DNS proxy – for simulating DNS issues

Some DNS software, such as Unbound, ISC BIND and FreeIPA, relies on the DNSSEC support of a remote DNS resolver when using it as a forwarder. Some tools are intended to detect and assess the level of DNSSEC support of such a remote resolver. Many issues can arise. Some of them are specified in the IETF draft (http://www.ietf.org/id/draft-ietf-dnsop-dnssec-roadblock-avoidance-00.txt); others are based on real-life issues and errors in specific DNS resolver implementations (e.g. the wildcard NSEC issue in old versions of BIND).

There is no simple way to simulate such DNS-related issues for testing purposes.

Purpose of this project is to:

  • Do research on possible problems a DNS resolver can have when using DNSSEC
  • Do research on existing projects with the same focus as “Broken” DNS Proxy and compare them
  • Implement a simple, extensible and easy-to-use DNS proxy for simulating such issues
  • Implement modules simulating various DNS-related issues
  • Implement tests for implemented functionality
  • Create configurations for the proxy that simulate various issues using implemented modules
  • Implement scripts for automatically setting up a working DNS server (BIND) which the proxy can use as its “backend”
  • Document the usage of the tool
  • Document how to add a new module for simulating DNS issues
  • Package the proxy as an RPM package for Fedora and EPEL
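As an added illustration of what one such simulation module does (example code written for this description, not code from the broken-dns-proxy project), the Python below rewrites a raw DNS response the way a DNSSEC-unaware forwarder would: it drops every RRSIG record and clears the AD bit, one of the roadblocks the IETF draft describes. The sample response, the helper names and the assumption that compression pointers only target the question section are all constructed for this example.

```python
import struct

RRSIG = 46
AD_FLAG = 0x20   # "authentic data" bit lives in header byte 3 (RFC 4035)

def skip_name(msg, off):
    """Return the offset just past the domain name that starts at off."""
    while True:
        length = msg[off]
        if length == 0:                 # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def rr_bounds(msg, off):
    """Return (end_offset, rtype) of the resource record that starts at off."""
    name_end = skip_name(msg, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[name_end:name_end + 10])
    return name_end + 10 + rdlen, rtype

def ad_set(msg):
    """True if the response claims validated (AD) data."""
    return bool(msg[3] & AD_FLAG)

def strip_dnssec(response):
    """Simulate a DNSSEC-unaware forwarder: drop every RRSIG and clear AD.
    Assumption: compression pointers in kept records target only the question
    section (true for the constructed sample), so dropping records keeps them valid."""
    qd, an, ns, ar = struct.unpack("!HHHH", response[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(response, off) + 4      # skip qtype and qclass
    body, counts = response[12:off], []
    for section_count in (an, ns, ar):
        kept = 0
        for _ in range(section_count):
            end, rtype = rr_bounds(response, off)
            if rtype != RRSIG:
                body += response[off:end]
                kept += 1
            off = end
        counts.append(kept)
    flags = bytes([response[2], response[3] & ~AD_FLAG & 0xFF])
    return response[:2] + flags + struct.pack("!HHHH", qd, *counts) + body

def build_sample():
    """Constructed signed reply: example.com A + RRSIG, AD bit set."""
    qname = b"\x07example\x03com\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 0)  # QR RD RA AD
    question = qname + struct.pack("!HH", 1, 1)                 # A, IN
    ptr = b"\xC0\x0C"                                           # -> qname at 12
    a_rr = ptr + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    sig_rdata = b"\x00" * 18 + qname + b"\x00" * 16            # placeholder fields
    rrsig_rr = ptr + struct.pack("!HHIH", RRSIG, 1, 300, len(sig_rdata)) + sig_rdata
    return header + question + a_rr + rrsig_rr
```

A validating resolver fed the rewritten reply sees no signatures and no AD bit, which is exactly the condition a probing tool has to detect before trusting such a forwarder.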

An existing Proof of Concept implementation (written in Python) of the proxy server should be taken as the base for the project:
https://github.com/thozza/broken-dns-proxy

The goal is to improve the existing implementation and add the remaining pieces.

It is possible to extend the topic to implementing a test suite for the Dnssec-trigger project (http://www.nlnetlabs.nl/projects/dnssec-trigger/) and improving the DNS server probing functionality in Dnssec-trigger.

Tomas Hozza

Team: Platform Engineering
Location: Brno