TIMEOUT Resource Record

DNS Authoritative server lease lifetimes

Tim Wattenberg and I recently published a new internet-draft: DNS TIMEOUT Resource Record that provides a mechanism for authoritative DNS servers to save a lifetime for other resource records in the same zone.

Lifetimes are sometimes associated with records based on the source of the record. DHCP based address assignments have a lease lifetime as well as DHCPv6 prefix delegation. Service Discovery DNS UPDATE registrations use an EDNS(0) Lease Lifetime Option to attach a lifetime to the services being registered.

If you have other uses for TIMEOUT resource records, let me know!

more ...

Writing DNS Applications

What's the best programming language for DNS?

Everytime I get ready to start a new project, I struggle with what language to write it in. Lately, I've been writing a lot of prototype DNS features. The development environment is becoming more and more important to me. In the past, I've used the standard vim/gcc/gdb/ctags/id-utils tools. This still works but after having experimented with other languages, I realize this is outdated. After using Xcode on macOS for iPhone/iPad development, I've come to really appreciate Xcode for the speed of the edit/compile/debug cycle. But available libraries and language features in C are still a problem and Objective-C isn't portable.

I've tried some interpreted languages like python and ruby but they don't seem to be suited for high performance, scalable network server software and debugging them is not easy.

After using Xcode and the LLVM based tools, I really love the speed of LLVM based solutions and all of the advantages they bring like the static analyzer and optimizations that can be made at compile time with memory efficiency, strict typing, and debugging. Therefore, I decided to only look at LLVM based solutions. Sorry Golang. Sorry Node.js.

Also, I'm starting to like features introduced in many of the functional programming languages like promises or futures, async/await, and observables (see here).

Based on this criteria, I've found two possibilities:

  1. Swift
  2. Rust

So next, I started looking for DNS libraries so I didn't have to re-invent the wheel. I had recently contributed quite a bit to the Node.js dns-packet javascript library and redoing all of the low-level work so I could get to the work I really wanted to do isn't an attractive option.

There's a scattering of Swift DNS code around but nothing low level or comprehensive. But Rust has what seems to be a very exciting option:


This work is broken down into a bunch of smaller Rust Crates, see here.

So if you're a DNS Rust developer and you want to collaborate, let me know!

I am going to see how much I can integrate Rust into Xcode 10.0 and would love some help.


This dns-parser crate seems pretty good so far. When programming custom DNS applications, I find it simpler to work with.

Update 2

The answer is NLnetLabs. What was the question? Oh yeah, what is the best DNS library I've found so far for Rust? domain and the crate is here: crate.

more ...


Well-known DNS Server Reputation Service

While preparing for a talk I gave at IETF 102 in Montréal, I had an idea about establishing a reputation service for sharing trust about well-known public DNS servers. Sort of a wisdom-of-the-crowds attempt for clients and operating systems to bootstrap trust when learning about new public DNS servers. Trust is local and trust doesn't scale as Leif Johansson and Lucy Lynch once told me. So this is an attempt at conveying trust or more likely conveying the lack of trust.

The talk related to DHCP, which wasn't well received, but it's not clear how well the reputation service part was received. HTTPS has a form of a reputation service for identifying compromised certificates called Online Certificate Status Protocol (OCSP).

While public DNS servers also have certificates that could benefit from OCSP, the DNS reputation service I was proposing was more about the anwers returned by the DNS resolvers. Ideally, DNSSEC would be more widespread and the answers returned by a resolver could all be validated by the client. But clients don't normally do DNSSEC validation. They trust the resolvers to do it for them when asked. So, are resolvers returning the correct results? We hope so but how do you catch them if they aren't.

Imagine if you attach to a network that is a bad actor. The network operator gives you DNS resolvers to use over DHCP but they intend to log your DNS traffic and sell access to it. The only ones who know about this are the buyer and the seller and neither have an interest in letting you know.

Now, what if they return invalid results? You are trusting your resolver to give you accurate results. The only way you can be sure though is to do DNSSEC validation at the client.

So imagine if there was a registry, say at dnsprivacy.org, where users could report a public DNS server. The service could list their security practices, audit logs, third-party verification, etc to allow users to decide which DNS servers they trust. If a bad actor is found to be abusing its resolver data, others would immediately know.

If this is something you would like to see happen, contact me!


Marek Vavruša made a great point on the DNSOP mailing list here. The network operator should be involved in this reputation service by pushing the list of its servers that it considers trustworthy. Then the clients can evaluate these servers.

more ...


Configuring Private DNS via DHCP

At IETF 102 in Montréal, I presented some slides on DHCPv6 Private DNS Discovery at the DRIU BOF.

The talk was based on an Internet Draft that Willem Toorop and I worked on: DHCPv6 Options for private DNS Discovery. It provided a means to include an Authenticated Domain Name (ADN) for a nameserver to be used with DNS over TLS (DoT) or DNS over HTTPS (DoH).

To say that the talk was received poorly is an understatment...

Ted Lemon made a good argument that DHCP should only be used for boostrapping initial network parameters and not for full fledged configuration of all network parameters.

There was enough consensus that we feel that moving forward with this work would go against the wishes of the IETF community.

There still is a need for configuring the ADN in a trusted campus environment but a different proposal will need to be invented for this use case.

Overall, it was a good excercise and I hope that by documenting this here, it will discourage others from going down this path in the future.


Ted Lemon's talk can be found here in the IETF Proceedings on YouTube at 33:18.

more ...


Node.js DNS Packet library

Recently, I've been contributing to the node.js library dns-packet. This library takes a JSON description of DNS fields and encodes them into raw DNS packets. On the receiving side, it also decodes raw DNS packets and returns a JSON representation.

It's a handy package that I am using for another future project to be announced soon I hope.

more ...

iPhone/iPad TLS DNS Proxy

As Sarah Dickinson recently mentioned at DNS-OARC 27 in San Jose, CA, https://indico.dns-oarc.net/event/27/session/4/contribution/20, there is a work in progress for a TLS DNS Proxy for the Apple iPhone/iPad running iOS 11 and above. This uses the new DNS Proxy Network Extension and, when enabled, all DNS requests will be sent to a resolver over TLS.

I expect this new DNS Network Extension to be available for macOS in a future release as well.

Check back here in a bit to see the status and sign up for beta testing.


After receiving the following message on the Console, it appears that the only way to use the new DNS Proxy Network Extension in iOS 11 is through Mobile Device Management (MDM) Tools as a supervised device. This makes it impossible to install for the average user through the App Store.

Therefore, I am suspending this effort until this extension is more useful to a wider audience.

Oct  5 17:29:26 iPhone nehelper(NetworkExtension)[99] <Error>: -[NEHelperConfigurationManager:562  Warning: allowing creation/modification of a DNS proxy configuration on non-supervised device because the requesting app (DNS-TLS) is a development version. This will not be allowed for the production version of DNS-TLS


An Apple representative confirmed this is currently only for supervised devices but he seems to indicate they are considering opening this up to all devices but with no assurances or timeline:

I’ve just confirmed that, as things currently stand, NEDNSProxyProvider is limited to supervised devices.  We have a bug on file (r. 34843801) requesting that this restriction be lifted.  I suspect that this will happen but, as per usual, I can’t make any specific promises about that, or about the timeline for this change.  It certainly wouldn’t hurt for each of you to file your own bug describing your use case, how this restriction is affecting you, and what workarounds you’ve resorted to.


I posted the sample code on github here:


more ...

DNS Delegating Server

Requirements of the delegating server

The hybrid proxy is an authoritative DNS server for one or more subdomains. Each of these subdomains MUST be delegated to the hybrid proxy by the parent zone.


Subdomains are delegated to another server by defining NS records in the delegating server. The following records create three subdomains and delegate those subdomains to the listed servers.

floor1.example.com. IN      NS      server1.example.com.
floor2.exmaple.com. IN      NS      server2.example.com.
floor3.example.com. IN      NS      server3.example.com.

Browse Records

Service Discovery clients will query known search domains to see if they are browseable for services. Initially, they will query for b.dns-sd.udp.example.com. If the domain is browseable, it will have PTR records for one or more browseable domains. This could include a PTR record for the domain and also for subdomains. For a client to search a hybrid proxy for discoverable services, PTR records for the subdomain of each IP subnet represented by the hybrid proxy must be listed in the delegating server.

b._dns-sd._udp IN      PTR     @                   ;apex is browseable
b._dns-sd._udp IN      PTR     floor1.example.com. ;delegated to discovery proxy
b._dns-sd._udp IN      PTR     floor2.example.com.
b._dns-sd._udp IN      PTR     floor3.example.com.

The client will then query each of the subdomains listed to see if they are browseable, for example, b.dns-sd.udp.floor1.example.com. The hybrid proxy should answer this query with its hostname.

more ...