forked from xuanhan863/dnscrypt-proxy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathTECHNOTES
147 lines (103 loc) · 5.03 KB
/
TECHNOTES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
Implementation details
======================
Cryptographic library
---------------------
- We didn't reinvent the wheel.
- The crypto code is provided by NaCl: http://nacl.cr.yp.to/
- Why NaCl? Unbloated, blazing fast, and less error-prone that other libraries.
See http://cr.yp.to/highspeed/coolnacl-20111201.pdf
- Faster, but CPU-specific implementations have been removed, though,
so that portable packages can be built. CPU-specific implementations are
used server-side.
- crypto_box_curve25519xsalsa20poly1305_*() for signing/encrypting
queries and replies, crypto_sign_ed25519_*() for signing certificates
(+ crypto_stream_xsalsa20_*() server-side, mainly for random padding).
See the NaCl documentation for details.
PRNG
----
- Uses arc4random() that any sane (= providing strlcpy()/strlcat()) C
library already implements.
- Not the latest, not the fastest, not the safest, but widespread and good
enough for our needs.
- However, OpenBSD happens to be the only operating system able to
reseed it with a system call (= safe in an empty chroot environment).
- alt_arc4random.c (actually imported from pure-ftpd) is OpenBSD's
arc4random() using a descriptor we open before the chroot() call.
Event-notification library
--------------------------
- Uses NodeJS' libuv, which wraps libev and native Windows functions, and
provides nice cross-platform wrappers for common functions. Unbound's
boilerplate is also excellent, but it hasn't been packaged as a
standalone library yet.
- Because it is totally awesome for writing software that has to
eventually work on Windows.
- Bundled with dnscrypt, for now, because it's still a moving target.
- It currently uses static per-OS config.h definitions, which makes
compilation faster, but breaks on operating systems with older libc, like
Openwall Linux. The bundled version has minor local changes in order
to support Openwall Linux.
Certificates
------------
The following information has to be provided to the proxy:
- The provider name (defaults to 2.dnscrypt-cert.opendns.com.)
- The provider public key (defaults to the current one for OpenDNS).
- The resolver IP address (defaults to 208.67.222.222).
At startup and every 60 minute, the proxy directly connects to the specified
resolver IP address and issues a TXT query for the provider name. The
first component of the provider name indicates the latest protocol version,
or the version range, supported by the client.
One or more TXT records are returned, each containing a signed certificate.
The provider public key is only used to verify a certificate, never for
authenticating/encrypting queries.
Certificates have the following header:
- 4 byte magic header DNSC
- 2 byte major version
- 2 byte minor version
Followed by signed content (the signature adds 512 bits to the payload):
- server 256-bit public key
- 8 byte magic header to use for queries using this specific key
- 4 byte serial number
- 4 + 4 byte validity period (two timestamps)
The proxy drops invalid certificates for the current date, and picks the one
with the highest serial number.
More than one certificate may be returned when keys rollovers or
function changes are performed.
Resolvers are never signing certificates themselves, they are just providing
pre-signed certificates.
Queries
-------
Queries and replies are basically using djb's dnscurve protocol:
http://www.dnscurve.org/
The proxy always generates a new, in-memory only key pair at startup.
Random padding is added to queries and replies, using a 64 byte block size.
Encrypted queries are prefixed with the following header structure:
- 8 byte magic header (provided by the chosen certificate)
- A 256 bit client public key
- A 96 bit client nonce (64 bit monotically increasing timestamp +
32 random bits)
- A 128 bit Poly1305-AES MAC
Replies are prefixed with the following header structure:
- 8 byte static magic header r6fnvWJ8
- A 192 bit nonce: the 96 bit client-supplied nonce + a 96 bit server
nonce extension.
- A 128 bit Poly1305-AES MAC.
The proxy immediately discards replies to queries made more than 10
second ago and replies that don't match the client-supplied nonce.
Miscellaneous
-------------
If you need extra monitoring/profiling, the proxy provides a bunch of
DTrace probes on OSX, as the dnscrypt-proxy provider.
See src/dnscrypt-proxy/probes_dnscrypt_proxy.d
The proxy doesn't cache replies. Neither does it perform any DNSSec
validation yet.
This is better handled by a separate process or by linking libunbound.
The proxy does alter queries, though, in order to:
- immediately reply with a "reply truncated" message to a UDP query when
the --tcp-port switch has been turned on.
- add an empty OPT section in order to advertise a payload size unless
an EDNS section was already present or unless --payload-size with a
< 512 bytes size has been specified.
OSX Lion, OpenBSD/amd64 and Dragonfly BSD/amd64 are the primary
development platforms, but the code has been designed to be as
portable as possible, and patches to support other operating systems
and architectures are more than welcome.