gnamed

Description

Why create this tools

1. more flexible dns query filter to block some domains
2. prevent dns injection and other security issue under some network

What it can do

1. flexible rules or filters to block domains, rules equal/prefix/suffix/regexp were supported
2. multi dns protocol support, dns/dns-over-https/dns-over-tls/dns-over-quic were supported
3. flexible dns cache rule support (this might violated dns rfc)
4. forward different domain/zone to more than one different nameservers, to get better result
5. collect personal dns query log, to identify security issue or something
6. hijacking some domain or query type

Install

# default all features
go build

# disable dns-over-quic
go build -tags="noquic"

# on linux platform, use epoll event to detect closed connection, to disable it, use tag "detect_common"
go build -tags="detect_common"

# reduce binary size
go build -ldflags '-s -w'

Architecture

Usage

Help

$ gnamed --help
Usage of gnamed:
  -config-file string
        config file (default "./configx/config.json")
  -dump-json
        dump configuration with json format, then exit
  -verbose
        verbose

Run

$ gnamed
{"level":"debug","log_type":"main","op_type":"start","time":"2023-08-18T12:26:26+08:00"}
{"level":"info","log_type":"filter","op_type":"load","filter_name":"phishing_army_blocklist_extended","syntax":"domain","stats":{"total":161411,"valid":161411,"invalid":0},"elapsed_time":148.2475,"time":"2023-08-18T12:26:26+08:00"}
{"level":"info","log_type":"filter","op_type":"load","filter_name":"oisd_big_abp","syntax":"adblock","stats":{"total":247034,"valid":247034,"invalid":0},"elapsed_time":224.4434,"time":"2023-08-18T12:26:26+08:00"}
{"level":"info","log_type":"filter","op_type":"load","elapsed_time":224.4434,"stats":{"total":2,"error":0,"success":2,"skip":0},"time":"2023-08-18T12:26:26+08:00"}
{"level":"trace","log_type":"cache","cache_mode":"skiplist","max_level":32,"probability":0.5,"time":"2023-08-18T12:26:26+08:00"}
{"level":"info","log_type":"server","address":"127.0.1.2:53","network":"tcp","protocol":"dns","time":"2023-08-18T12:26:26+08:00"}
{"level":"info","log_type":"server","address":"127.0.1.2:53","network":"udp","protocol":"dns","time":"2023-08-18T12:26:26+08:00"}
{"level":"info","log_type":"server","protocol":"dns","network":"udp","clientip":"127.0.0.1","id":3,"name":"google.com.","qtype":"A","qclass":"IN","view_name":"google.com.","query_type":"external","queries":[{"nameserver_tag":"tag_doh_cf","protocol":"https","network":"tcp","doh_msg_type":"RFC8484","id":0,"name":"google.com.","method":"POST","doh_url":"https://1.1.1.1/dns-query","status_code":200,"latancy":360.7854}],"latency_query":360.7854,"rcode":"NOERROR","cache":"update","singleflight":false,"latency":361.4834,"time":"2023-08-18T12:26:39+08:00"}
{"level":"info","log_type":"server","protocol":"dns","network":"udp","clientip":"127.0.0.1","id":5,"name":"github.com.","qtype":"A","qclass":"IN","view_name":"github.com.","query_type":"external","queries":[{"nameserver_tag":"tag_dot_cf","protocol":"tls-tcp","network":"tcp-tls","id":42485,"name":"github.com.","latency":161.8645}],"latency_query":481.7437,"rcode":"NOERROR","cache":"update","singleflight":false,"latency":481.9434,"time":"2023-08-18T12:26:42+08:00"}

Features

• Server: dns/dns-over-tls/dns-over-quic/dns-over-http
• Query: dns/dns-over-tls/dns-over-quic/dns-over-http(3)
• Cache: flexible ttls value, background update steal values
• API: delete value from ache / reload configuration
• Security: public free malware/ad filter lists, flexible black and white list
• Warm: auto store and reload domains that used in high frequency at shutdown and startup

TODO-List

• server: dns protocol support
• server: dns-over-https protocol support
• server: dns-over-tls protocol support
• server: dns-over-quic protocol support
• server: ensure singleflight incoming query
• query: dns protocol support
• query: dns-over-https protocol support
• query: dns-over-tls protocol support
• query: dns-over-quic protocol support
• query: flexible view match rules, for example 'contains'
• query: dns-over-https support auto detect that the server supported ALPN
• cache: delete expired cache actively
• cache: dns-over-https cache ttl should be calculated base on both http cache header and dns record ttl
• reply: update ttl when response from cache
• api: cache operations: delete/flush
• api: dns query statistics: NXDOMAIN(security audit), Qtype, not NOERROR
• api: update blacklist/whitelist
• web: web ui make api easy use
• doc: openapi https://github.com/swaggo/swag#how-to-use-it-with-gin
• optimization: blacklist/whitelist contains rule match algorithm, Aho-Corasick or flashtext
• optimization: singleflight outgoing query (dns-over-https)
• optimization: select lowest rtt record (cdn domain)
• optimization: log format and fields
• optimization: algorithm to get dns response cache ttl
• optimization: select server base on latency
• security: filter by ip or domain, ad or malware https://gitlab.com/malware-filter/urlhaus-filter
• privacy: HTTP/TLS Fingerprint (cipher suit order http headers)

References

NameServers

Collections

1. https://dnsprivacy.org/public_resolvers/
2. https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers

Info

Name	Protocol	Reference
Cloudflare	DOH/DOT/DNS	https://developers.cloudflare.com/1.1.1.1/
Nextdns	DOH/DOT/DNS	https://my.nextdns.io/start
AdGuard	DOH/DOT/DOQ/DNS/DNSCrypt	https://adguard-dns.io/en/public-dns.html
Google	DOH/DOT/DNS	https://developers.google.com/speed/public-dns
Quad9	DOH/DOT/DNS	https://www.quad9.net/

RFC

1. Draft-IETF - Service binding and parameter specification via the DNS (DNS SVCB and HTTPS RRs)
2. IANA - dns-parameters
3. ICANN - DNS-related RFCs with Community Annotations
4. RFC1034 - DOMAIN NAMES - CONCEPTS AND FACILITIES
5. RFC1035 - DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION
6. RFC1912 - Common DNS Operational and Configuration Errors
7. RFC4033 - DNS Security Introduction and Requirements
8. RFC4074 - Common Misbehavior Against DNS Queries for IPv6 Addresses
9. RFC5625 - DNS Proxy Implementation Guidelines
10. RFC6147 - DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers
11. RFC6840 - Clarifications and Implementation Notes for DNS Security (DNSSEC)
12. RFC6891 - Extension Mechanisms for DNS (EDNS(0))
13. RFC7766 - DNS Transport over TCP - Implementation Requirements
14. RFC7858 - Specification for DNS over Transport Layer Security (TLS)
15. RFC7871 - Client Subnet in DNS Queries
16. RFC7873 - Domain Name System (DNS) Cookies
17. RFC8085 - UDP Usage Guidelines
18. RFC8310 - Usage Profiles for DNS over TLS and DNS over DTLS
19. RFC8484 - DNS Queries over HTTPS (DoH)
20. RFC8499 - DNS Terminology
21. RFC8906 - A Common Operational Problem in DNS Servers: Failure to Communicate
22. RFC9000 - QUIC: A UDP-Based Multiplexed and Secure Transport
23. RFC9018 - Interoperable Domain Name System (DNS) Server Cookies
24. RFC9114 - HTTP/3
25. RFC9210 - DNS Transport over TCP - Operational Requirements
26. RFC9230 - Oblivious DNS over HTTPS
27. RFC9250 - DNS over Dedicated QUIC Connections

Paper

1. DNS Rebinding

Others

1. BlackHat - eu-17-Shuster-Passive-Fingerprinting-Of-HTTP2-Clients-wp.pdf
2. Show Your HTTP2 Fingerprint - https://tls.peet.ws/api/all
3. APNIC - are-large-dns-messages-falling-to-bits
4. Check My DNS
5. dnsflagday
6. Tranco: A Research-Oriented Top Sites Ranking Hardened Against Manipulation

Data

Filter Lists

1. https://oisd.nl
2. https://phishing.army
3. https://gitlab.com/malware-filter/urlhaus-filter
4. https://github.com/badmojr/1Hosts
5. https://github.com/hectorm/hmirror/tree/master/data
6. https://someonewhocares.org/hosts/zero/hosts

Others

1. public suffix list
2. A Research-Oriented Top Sites Ranking Hardened Against Manipulation

FIXME

1. singleflight need to set timeout. not alwasy wait pre-query response.