dns_over_tls_proxy

command module

v0.0.0-...-7e4a4a9 Latest Latest Go to latest Published: Jan 12, 2024 License: MIT Imports: 2 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/dolfolife/dns_over_tls_proxy

Links

Open Source Insights

README ¶

DNS over TLS Proxy

Do not use this in production. This is for learning purposes

Features

Support for Both TCP and UDP: The proxy listens for DNS queries on both TCP and UDP on port 53.
DNS-over-TLS: Queries are forwarded securely using DNS-over-TLS to Cloudflare's 1.1.1.1 service.
Concurrent Handling: Multiple incoming DNS requests are handled concurrently.
Logging: Basic logging of errors and important events for troubleshooting.

Prerequisites

Go (version 1.15 or later)
Docker (if running using Docker)

Usage

Running Locally

build the proxy

go build

Run the Proxy

sudo ./dns_over_tls_proxy

Note: Root privileges are required to listen on port 53.

Test your proxy

dig @127.0.0.1 +tcp example.com.

dig @127.0.0.1 example.com.

Docker

Build the Docker image:

docker build -t dns-over-tls-proxy .

Run the container

docker run -p 53:53/udp -p 53:53/tcp --name dns-proxy-instance dns-over-tls-proxy

This command maps port 53 on both TCP and UDP from the container to port 53 on the host.

TODO

Currently, the proxy is pre-configured to use Cloudflare's 1.1.1.1 DNS-over-TLS service. You can modify the source code to change the DNS-over-TLS server or add additional configuration options. In the future this should be pass as a environment variable or some type of configuration for the DNS server that runs on TLS.

Q&A

Imagine this proxy being deployed in an infrastructure. What would be the security concerns you would raise?

There are no Rate Limiting or access control so it can be used for DNS amplification attacks
If there is a custom DNS server, ensure that the TLS connection to the DNS-over-TLS server is correctly configured.

How would you integrate that solution in a distributed, microservices-oriented and containerized architecture?

Kubernetes Service: Define a Service in Kubernetes to expose the DNS proxy. Depending on your network policies, this could be an internal service or exposed externally. As we already have a dockerfile we can maintain lightweight and secure as the image of this service pods using a Kubernetes Deployment.

With Kubernetes we can scale, load balance and monitor the proxy without adding on top of the complexity of the container.

Outside Kubernetes, it can be deployed as container in your private network (e.g. VPC in AWS).

What other improvements do you think would be interesting to add to the project?

Implement checks to validate DNS queries and responses to prevent DNS spoofing or cache poisoning attacks.
Proper error handling in the application is necessary to prevent leakage of sensitive information through error messages.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
tcp
tlsresolver
udp

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL