Technitium DNS Server as a PDNS

[zbalkan]

Hi Shreyas,

I'd like to start by acknowledging your efforts to build such a solid product. If you have seen my discussions, issues and PRs, you have understood that I am mostly focusing on the security aspect. As a cybersecurity manager with a sysadmin background, I feel lucky to see myself to be able to see both sides of the coin.

The blocking capability is mostly for privacy, ad and tracker blocking but I am trying to repurpose it for security purposes in SMB or enterprise setups. For this purpose, I started with log exporter to be able to connect DNS server to SIEMs and XDRs. Then, I built MISP connector so that a dynamic blocklist can be built based on cyber threat intelligence.

I know that you have a roadmap, an I have mine. But since it is your product, I cannot push my roadmap or create conflicts. Therefore, I'd like to describe my vision clearly for proper communication. I'd like us to be on the same page.

Until this year, many organizations recommended usage of Protective DNS services, the most recent one was CISA's Selecting a Protective DNS Service . Some free services provide the capability to a level, while others are fully commercial.

The capability is based on the quality of CTI and that is not the job of a DNS server. However, a DNS server integrated with these capabilities is better than a cluster of tools glued together. For instance, There's a DNS-specific toll called DNS-Collector that can be considered a lightweight SIEM for DNS servers. It is fed via dnstap logs and then it correlates logs for alerts. But it is not even a bolt-on solution but something next to a DNS server.

It is my aim as a self-proclaimed plugin developer for Technitium DNS server to make Technitium DNS Server as capable as the aforementioned DNS-Collector tool, so that the logs will have not only DNS queries and responses but also correlated and aggregated alerts for third party security products to consume. Suspicious and risky actions such as consequent queries to malicious sites from single source IP, would be labeled, so that TDNS can provide actionable insights, while blocking the malicious traffic already.

TDNS is already very close to being a proper PDNS. It is very close to be used in an enterprise setup even ready for SMBs. Especially with the cluster functionality, it became better.

I am not suggesting anything, just sharing my thoughts as we don't have the chance to have a coffee and discuss these.

[ShreyasZare]

Hi Zafer,

Thanks for the compliments and the contributions you have made to the project. The cyber security aspect for this project I believe is really
useful for a lot of network out there and any feature that gets added for this will be useful for the community.

I really appreciate the things you have already built and the ones you are planning to. It would be nice to have plugin to be able to support things line dnstap, I have had dnstap support in my to-do list but other features being high in demand were prioritized. So a plugin for dnstap or something similar should be a lot useful for many such scenarios. It will be really nice if you are able to build plugins for these capabilities.

I am already planning to implement RPZ support too. I am still evaluating if it should be a plugin or if it can be built-in as a special zone. Just extending existing secondary zone for RPZ is not feasible since RPZ can contain millions of records and the zone tree data structure which was designed for concurrency and speed would take up a lot of memory to hold all these records. The RPZ support too would be useful since there are commercial feeds available that can be used directly with it.

Do let me know if you have any more suggestions. Have a good day!

[ShreyasZare]

RPZ is popular and supported by BIND since a long time so having it supported is useful to consume these feeds. And there is fair demand for this feature.

[zbalkan]

I suggest using lmdb as the database. It is used by and developed for OpenLDAP. PowerDNS also has an lmdb backend. It is considered the most performance by some users.

There's a dotnet library called Lightning.NET and I created a demo project aligning with PowerDNS lmdb backend's schema.

[ShreyasZare]

Thanks. Will check it out.

[zbalkan]

I want to try LiteDB as well. But it is less mature than lmdb. I'm fond of it as it is 100% C#. But without a proper benchmark, I would vote on lmdb.

[zbalkan]

I found Spreads.LMDB as well. It looks like it is more mature but has not been updated for a while.

[zbalkan]

Hi @ShreyasZare,

I found out that even if I set the Datagram EDNS Options in MISP Connector, when I check the logger, response.EDNS field becomes null. Therefore, for some reason, EDNS is not populated and the error information is lost. What may be the most probable reason? Where should I start looking at?

[ShreyasZare]

The DNS server will strip EDNS from response if the request does not have it. Most clients do not support EDNS and thus will have this issue.

[zbalkan]

Okay, so I need to ensure the DNS client to use EDNS. That's relieving. I don't know the RFCs as much as you do. I'll check it out and give it a try with proper tests. Thanks for the guidance.

[ShreyasZare]

You can to tests with the DNS client tool on the admin panel and see if the code works. This will make sure that the implementation is working well.

For practical scenario where clients are windows system, I don't think there is any option to enable it so that will be an issue.

[zbalkan]

Thanks for the hint. I spent over 3 hours for a problem that does not exist. I can see there's nothing wrong now.

[ShreyasZare]

You're welcome

[zbalkan]

For the PDNS part, I wrote an article on MISP usage: https://zaferbalkan.com/technitium-misp/

This is only the first part. I'll try to add more capabilities in time.

[zbalkan]

For RPZ and millions of records, we have an example here:

https://lemire.me/en/publication/authorea17255970336231063/

Its possible to try in dotnet as well. I'll create a benchmark soon.

The target architecture:

• Sieve cache in-memory
• In-memory ring buffer for cache misses
• LMDB for zones, consuming ring buffer