hickory-dns/hickory-dnsPublic

NotificationsYou must be signed in to change notification settings
Fork484
Star4.4k

A Rust based DNS client, server, and resolver

License

Apache-2.0, MIT licenses found

Licenses found

4.4k stars 484 forks Branches Tags Activity

Star

Notifications

You must be signed in to change notification settings

Branches Tags

Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 3,998 Commits
.cargo		.cargo
.github		.github
audit		audit
bin		bin
conformance		conformance
crates		crates
fuzz		fuzz
scripts		scripts
tests		tests
util		util
.codecov.yml		.codecov.yml
.gitignore		.gitignore
.markdownlint.json		.markdownlint.json
.rustfmt.toml		.rustfmt.toml
ARCHITECTURE.md		ARCHITECTURE.md
CHANGELOG.md		CHANGELOG.md
CODE_OF_CONDUCT.md		CODE_OF_CONDUCT.md
CONTRIBUTING.md		CONTRIBUTING.md
Cargo.lock		Cargo.lock
Cargo.toml		Cargo.toml
Kjqmt7v.csr		Kjqmt7v.csr
LICENSE-APACHE		LICENSE-APACHE
LICENSE-MIT		LICENSE-MIT
OLD-CHANGELOG.md		OLD-CHANGELOG.md
README.md		README.md
SECURITY.md		SECURITY.md
copyright.txt		copyright.txt
justfile		justfile
logo.png		logo.png

Repository files navigation

Hickory DNS

A Rust based DNS client, server, and resolver, built to be safe and secure from theground up.

This repo consists of multiple crates:

Library	Description
Hickory DNS	Provides the`hickory-dns` binary for running a DNS server.
Proto	Low-level DNS library, including message encoding/decoding and DNS transports.
Client	Used for sending`query`,`update`, and`notify` messages directly to a DNS server.
Server	Used to build DNS servers. The`hickory-dns` binary makes use of this library.
Resolver	Utilizes the client library to perform DNS resolution. Can be used in place of the standard OS resolution facilities.
Recursor	Performs recursive DNS resolution, looking up records from their authoritative name servers.

NOTICE This project was rebranded from Trust-DNS to Hickory DNS and has been moved to thehttps://github.com/hickory-dns/hickory-dns organization and repo.

Goals

Build a safe and secure DNS server and client with modern features.
No panics, all code is guarded
Use only safe Rust, and avoid all panics with proper Error handling
Use only stable Rust
Protect against DDOS attacks (to a degree)
Support options for Global Load Balancing functions
Make it dead simple to operate

Status

DNSSEC status

The current root key is bundled into the system, and used by default. This givesvalidation of DNSKEY and DS records back to the root. NSEC and NSEC3 areimplemented.

Zones will be automatically resigned on any record updates via dynamic DNS. To enable DNSSEC, enable thednssec-ring feature.

RFCs implemented

RFC 8499: No more master/slave, in honor ofJuneteenth

Basic operations

RFC 1035: Base DNS spec (see the Resolver for caching)
RFC 2308: Negative Caching of DNS Queries (see the Resolver)
RFC 2782: Service location
RFC 3596: IPv6
RFC 6891: Extension Mechanisms for DNS
RFC 6761: Special-Use Domain Names (resolver)
RFC 6762: mDNS Multicast DNS (experimental feature:mdns)
RFC 6763: DNS-SD Service Discovery (experimental feature:mdns)
RFC ANAME: Address-specific DNS aliases (ANAME)

Update operations

RFC 2136: Dynamic Update
RFC 7477: Child-to-Parent Synchronization in DNS

Secure DNS operations

RFC 2931: SIG(0)
RFC 3007: Secure Dynamic Update
RFC 4034: DNSSEC Resource Records
RFC 4035: Protocol Modifications for DNSSEC
RFC 4509: SHA-256 in DNSSEC Delegation Signer
RFC 5155: DNSSEC Hashed Authenticated Denial of Existence
RFC 5702: SHA-2 Algorithms with RSA in DNSKEY and RRSIG for DNSSEC
RFC 6844: DNS Certification Authority Authorization (CAA) Resource Record
RFC 6698: The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA
RFC 6840: Clarifications and Implementation Notes for DNSSEC
RFC 6844: DNS Certification Authority Authorization Resource Record
RFC 6944: DNSKEY Algorithm Implementation Status
RFC 6975: Signaling Cryptographic Algorithm Understanding
RFC 7858: DNS over TLS (feature:dns-over-rustls,dns-over-native-tls, ordns-over-openssl)
RFC DoH: DNS over HTTPS, DoH (feature:dns-over-https-rustls)

RFCs in progress or not yet implemented

Basic operations

RFC 2317: Classless IN-ADDR.ARPA delegation

Update operations

RFC 1995: Incremental Zone Transfer
RFC 1996: Notify secondaries of update
Update Leases: Dynamic DNS Update Leases
Long-Lived Queries: Notify with bells

Secure DNS operations

DNSCrypt: Trusted DNS queries
S/MIME: Domain Names For S/MIME

Minimum Rust Version

The current minimum rustc version for this project is1.70

Testing

Hickory DNS usesjust for build workflow management. While runningcargo test at the project root will work, this is not exhaustive. Installjust withcargo install just. A few of thejust recipes requirecargo-workspaces to be installed, a plugin to optimize the workflow around cargo workspaces. Install the plugin withcargo install cargo-workspaces.

Default tests
These are good for running on local systems. They will create sockets forlocal tests, but will not attempt to access remote systems. Tests can alsobe run from the crate directory, i.e.client orserver andcargo test

just default

Default feature tests
Hickory DNS has many features, to quickly test with them or without, there are three targets supported,default,no-default-features,all-features:

just all-features

Individual feature tests
Hickory DNS has many features, each individual feature can be testedindependently. See individual crates for all their features, here is a notnecessarily up to date list:dns-over-rustls,dns-over-https-rustls,dns-over-native-tls,dns-over-openssl,dns-dnssec-openssl,dns-dnssec-openssl,dns-dnssec-ring,mdns. Each feature can be testedwith itself as the task target forjust:

just dns-over-https-rustls

Benchmarks
Waiting on benchmarks to stabilize in mainline Rust.

Building

Production build, from thehickory-dns base dir, to get all features, just pass the--all-features flag.

cargo build --release -p hickory-dns

Using the hickory-resolver CLI

Available in0.20

cargo install --bin resolve hickory-util

Or from source, in the hickory-dns directory

cargo install --bin resolve --path util

example:

$ resolve www.example.com.Queryingfor www.example.com. A from udp:8.8.8.8:53, tcp:8.8.8.8:53, udp:8.8.4.4:53, tcp:8.8.4.4:53, udp:[2001:4860:4860::8888]:53, tcp:[2001:4860:4860::8888]:53, udp:[2001:4860:4860::8844]:53, tcp:[2001:4860:4860::8844]:53Successfor query name: www.example.com. type: A class: IN        www.example.com. 21063 IN A 93.184.215.14

FAQ

Why are you building another DNS server?
```
Because of all the security advisories out there for BIND.
```
Using Rust semantics it should be possible to develop a high performance andsafe DNS Server that is more resilient to attacks.
What is the MSRV (minimum stable Rust version) policy?
```
Hickory DNS will work to support backward compatibility with three Rust versions.
```
For example, if1.50 is the current release, then the MSRV will be1.47. Theversion is only increased as necessary, so it's possible that the MSRV is olderthan this policy states. Additionally, the MSRV is only supported for theno-default-featuresbuild due to it being an intractable issue of trying to enforce this policy on dependencies.

Community

For live discussions beyond this repository, please see thisDiscord.

License

Licensed under either of

Apache License, Version 2.0, (LICENSE-APACHE orhttps://www.apache.org/licenses/LICENSE-2.0)
MIT license (LICENSE-MIT orhttps://opensource.org/licenses/MIT)

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionallysubmitted for inclusion in the work by you, as defined in the Apache-2.0license, shall be dual licensed as above, without any additional terms orconditions.