- Security updates will be released as soon as possible
- All security fixes will be released as a new minor version
- Critical vulnerabilities will be addressed within 48 hours
We take security seriously. Please follow these steps to report a vulnerability:
- DO NOT create a public GitHub issue for security vulnerabilities
- Email security concerns to [[email protected]]
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Your recommendation for fixing (if any)
After reporting a vulnerability:
- Initial Response: Within 48 hours
- Status Update: Within 5 business days
- Resolution Timeline: Based on severity
  - Critical: 48 hours
  - High: 1 week
  - Medium: 2 weeks
  - Low: Next release
When using NanoDNS:
- Port Configuration
  - Avoid running on port 53 in production
  - Use non-privileged ports (>1024)
  - Restrict port access to necessary networks
- Access Control
  - Run with minimal privileges
  - Use Docker's network isolation features
  - Limit exposure to trusted networks only
- Record Configuration
  - Validate DNS records before deployment
  - Use appropriate TTL values
  - Monitor for unexpected record changes
- Monitoring
  - Monitor DNS query logs
  - Watch for unusual traffic patterns
  - Set up alerts for configuration changes
- Service Resolution
  - Service discovery is limited to the Docker network
  - External network access should be restricted
  - Use firewall rules when exposing the service
- Environment Variables
  - Environment variables may contain sensitive data
  - Secure your environment file
  - Use Docker secrets when possible
Verify the authenticity of releases:
- Docker Images

  ```bash
  # Check image digest
  docker pull ghcr.io/mguptahub/nanodns:latest
  # RepoDigests in the output is the digest to compare against the published release
  docker image inspect ghcr.io/mguptahub/nanodns:latest
  ```

- Binary Releases
  - All releases are signed
  - Verify signatures using GPG

  ```bash
  # Example verification (the signing public key must be imported first)
  gpg --verify nanodns_linux_amd64.sig nanodns_linux_amd64
  ```
- Code Submissions
  - No hardcoded credentials or secrets
  - Use environment variables for configuration
  - Follow secure coding practices:

  ```go
  // Do not expose sensitive info in logs
  log.Printf("Processing request from %s", sanitizeInput(source))

  // Use strong random number generation: crypto/rand instead of math/rand

  // Validate all user inputs
  validateDNSRecord(record)
  ```
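As an added illustration of the `sanitizeInput` and `validateDNSRecord` practices above (example code written for this page, not NanoDNS's own implementation): log sanitization strips non-printable characters so a crafted query name cannot forge extra log lines, and record validation enforces hostname label rules, IP/record-type agreement and a TTL bound. The `DNSRecord` type, the label regex and the 86400-second TTL limit are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
	"unicode"
)
// DNSRecord is a hypothetical record shape for this example, not NanoDNS's own type.
type DNSRecord struct {
	Name, Type, Value string
	TTL               int
}

// One DNS label: 1-63 chars, alphanumeric or hyphen, no leading/trailing hyphen.
var labelRe = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)

// sanitizeInput drops non-printable runes (CR, LF, escape sequences) so a
// crafted query name cannot forge extra log lines or hide text in logs.
func sanitizeInput(s string) string {
	return strings.Map(func(r rune) rune {
		if !unicode.IsPrint(r) {
			return -1
		}
		return r
	}, s)
}

// validateDNSRecord rejects malformed records; untrusted values are sanitized before they reach an error message.
func validateDNSRecord(r DNSRecord) error {
	name := strings.TrimSuffix(r.Name, ".")
	if len(name) > 253 || r.TTL < 0 || r.TTL > 86400 {
		return fmt.Errorf("name length or TTL out of range")
	}
	for _, label := range strings.Split(name, ".") {
		if !labelRe.MatchString(label) {
			return fmt.Errorf("invalid label %q", sanitizeInput(label))
		}
	}
	ip := net.ParseIP(r.Value)
	if ip == nil {
		return fmt.Errorf("invalid IP %q", sanitizeInput(r.Value))
	}
	// The address family must match the record type (A = IPv4, AAAA = IPv6).
	if (r.Type != "A" && r.Type != "AAAA") || (r.Type == "A") != (ip.To4() != nil) {
		return fmt.Errorf("type %q does not match %s", sanitizeInput(r.Type), ip)
	}
	return nil
}
```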
- Pull Request Security Checklist
  - No sensitive information in code/comments
  - Input validation for new features
  - Error handling follows security best practices
  - Dependencies are from trusted sources
  - New features don't compromise existing security
  - Tests don't expose sensitive information
- Code Review Guidelines
  - Check for potential security issues
  - Verify input validation
  - Review error handling
  - Examine logging practices
  - Validate configuration handling
- Documentation Contributions
  - Don't include real domains/IPs in examples
  - Use example.com, example.net for demonstrations
  - Avoid exposing internal infrastructure details
  - Include security warnings where appropriate
- Reporting Issues
  - Use private reporting for security issues
  - Don't share exploit details publicly
  - Follow responsible disclosure
  - Wait for fixes before discussing publicly
- Discussing Security
  - Use GitHub Security Advisories
  - Don't share vulnerability details in issues
  - Avoid posting sensitive configurations
  - Help others follow security best practices
- Testing and Feedback
  - Report suspicious behavior
  - Test security fixes when requested
  - Provide feedback on security features
  - Share security enhancement ideas safely
- Local Development

  ```bash
  # Use non-privileged ports
  export DNS_PORT=10053
  # Keep environment files secure
  chmod 600 .env
  # Use Docker's security features
  docker-compose up --build --force-recreate
  ```

- Testing Security Features

  ```bash
  # Test with restricted permissions
  sudo -u nobody ./nanodns
  # Verify network isolation
  docker network inspect nanodns_network
  ```

- Code Analysis

  ```bash
  # Run security linters
  gosec ./...
  # Check dependencies
  go mod verify
  govulncheck ./...
  ```
- Docker Compose

  ```yaml
  services:
    nanodns:
      image: ghcr.io/mguptahub/nanodns:latest
      security_opt:
        - no-new-privileges:true
      read_only: true
      environment:
        - DNS_PORT=10053
  ```

- Kubernetes

  ```yaml
  securityContext:
    runAsNonRoot: true
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
  ```
- Official Channels
  - GitHub Security Advisories
  - Security-related issues
  - Official releases
- Community Channels
  - GitHub Discussions for general security topics
  - Release announcements for security updates
  - Documentation updates
- Proposing Security Improvements
  - Create a GitHub Discussion
  - Use a security advisory if the proposal is sensitive
  - Follow the security template
  - Wait for maintainer review
- Implementing Security Features
  - Create a draft PR
  - Add tests for security features
  - Update documentation
  - Request a security review
- Review Process
  - Security-focused code review
  - Integration testing
  - Documentation review
  - Final security assessment
Contributors who help improve security can be recognized through:
- Security acknowledgments in releases
- Addition to CONTRIBUTORS.md
- Special mention in security advisories
- Community recognition badges
Currently, we do not operate a bug bounty program. However, we deeply appreciate security researchers who:
- Follow responsible disclosure
- Provide detailed reports
- Help improve NanoDNS security
We maintain a list of security researchers who have helped improve NanoDNS security. Submit a PR to be added to this list.
This security policy may be updated. Check the commit history for changes.
Last updated: 2024-10-26