Knot DNS

Last updated
Knot DNS
Developer(s) CZ.NIC
Initial releaseNovember 3, 2011;13 years ago (2011-11-03)
Stable release
3.4.3 / December 6, 2024;6 days ago (2024-12-06)
Repository
Written in C
Operating system Unix-like
Type DNS server
License GNU General Public License
Website www.knot-dns.cz

Knot DNS is an open-source authoritative-only server for the Domain Name System. It was created from scratch and is actively developed by CZ.NIC, the .CZ domain registry. The purpose of this project is to supply an alternative open-source implementation of an authoritative DNS server suitable for TLD operators to increase overall security, stability and resiliency of the Domain Name System. It is implemented as a multi-threaded daemon, using a number of programming techniques and data structures to make the server very fast, [1] notably Read-copy-update [2] or a special kind of a radix tree.

Contents

Knot DNS uses a zone parser written in Ragel to achieve very fast loading of the zones at the startup. It is also able to add and remove zones on the fly by changing the configuration file and reloading the server using the 'knotc' utility.

Since version 3.0.0, Knot DNS supports a high performance XDP mode in Linux, which can improve response performance significantly. [3] [4]

Changelog

New in 1.2.0: Response Rate Limiting, Dynamic DNS, and a new remote control utility.

New in 1.3.0: new zone parser in Ragel (replaces zone compilation) and several client utilities (kdig, khost and knsupdate).

New in 1.4.0: automatic DNSSEC signing of the managed zones.

New in 1.5.0: query modules with two new modules: "Automatic forward/reverse records" and dnstap.

New in 1.6.0: persistent timers for slave zones (expire, refresh, and flush) using LMDB.

New in 2.0.0: new YAML-based configuration, and new DNSSEC implementation using GnuTLS.

New in 2.1.0: [5] dynamic configuration, PKCS #11 interface, and online DNSSEC signing.

New in 2.2.0: [6] Response Rate Limiting white listing, support for URI (RFC 7553) and CAA (RFC 6844) resource record types, interactive mode for 'knotc', new control interface for the server including simple Python bindings.

New in 2.3.0: [7] DNSSEC signing configured in server configuration, automatic NSEC3 resalting, zone operations over server control interface, TLS in kdig.

New in 2.4.0: [8] Unified LMDB based journal, new statistics module, automatic deletion of retired DNSSEC keys.

New in 2.5.0: [9] LMDB based KASP database, KSK rollover, dynamic modules, zone freeze/thaw, zone contents in journal.

New in 2.6.0: [10] On-slave DNSSEC signing, automatic DNSSEC algorithm rollover, Ed25519 algorithm support, TCP Fast Open.

New in 2.7.0: [11] Performance improvement, new module for DNS Cookies, new module for GeoIP, support for ECS.

New in 2.8.0: [12] Offline-KSK, multithreaded DNSSEC signing, extended ACL for DDNS, zone update speed-up.

New in 2.9.0: [13] Significant zone update speed-up, TCP optimizations, configuration cleanup.

New in 3.0.0: [14] High performance XDP mode for UDP under Linux, catalog zones support, continuous DNSSEC validation, kzonesign and kxdpgun utilities, DoH support in kdig, deterministic ECDSA support, on-line backup of persistent data. [15]

New in 3.1.0: [16] basic DNS over TCP using XDP, routing-aware XDP processing, ZONEMD generation and validation, SVCB/HTTPS support, zone catalog evolution, EDNS error (EDE) support, epoll/kqueue support.

New in 3.2.0: [17] full DNS over TCP using XDP (including transfers), DNS over QUIC in the XDP mode, DNSSEC multi-signer support.

New in 3.3.0: [18] full DNS over QUIC (using both XDP and operating system TCP/IP-stack), bidirectional XFR over QUIC, multi-signer operation mode.

New in 3.4.0: [19] full DNS over TLS, DDNS over QUIC and TLS, bidirectional XFR over TLS, automatic DNSSEC revalidation, refined RRL module.

See also

Related Research Articles

The Domain Name System (DNS) is a hierarchical and distributed name service that provides a naming system for computers, services, and other resources on the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to each of the associated entities. Most prominently, it translates readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. The Domain Name System has been an essential component of the functionality of the Internet since 1985.

BIND is a suite of software for interacting with the Domain Name System (DNS). Its most prominent component, named, performs both of the main DNS server roles, acting as an authoritative name server for DNS zones and as a recursive resolver in the network. As of 2015, it is the most widely used domain name server software, and is the de facto standard on Unix-like operating systems. Also contained in the suite are various administration tools such as nsupdate and dig, and a DNS resolver interface library.

Dynamic DNS (DDNS) is a method of automatically updating a name server in the Domain Name System (DNS), often in real time, with the active DDNS configuration of its configured hostnames, addresses or other information.

The DNS root zone is the top-level DNS zone in the hierarchical namespace of the Domain Name System (DNS) of the Internet.

The Domain Name System Security Extensions (DNSSEC) is a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System (DNS) in Internet Protocol (IP) networks. The protocol provides cryptographic authentication of data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

PowerDNS is a DNS server program, written in C++ and licensed under the GPL. It runs on most Unix derivatives. PowerDNS features a large number of different backends ranging from simple BIND style zonefiles to relational databases and load balancing/failover algorithms. A DNS recursor is provided as a separate program.

This article presents a comparison of the features, platform support, and packaging of many independent implementations of Domain Name System (DNS) name server software.

TSIG is a computer-networking protocol defined in RFC 2845. Primarily it enables the Domain Name System (DNS) to authenticate updates to a DNS database. It is most commonly used to update Dynamic DNS or a secondary/slave DNS server. TSIG uses shared secret keys and one-way hashing to provide a cryptographically secure means of authenticating each endpoint of a connection as being allowed to make or respond to a DNS update.

Opportunistic TLS refers to extensions in plain text communication protocols, which offer a way to upgrade a plain text connection to an encrypted connection instead of using a separate port for encrypted communication. Several protocols use a command named "STARTTLS" for this purpose. It is a form of opportunistic encryption and is primarily intended as a countermeasure to passive monitoring.

DNS management software is computer software that controls Domain Name System (DNS) server clusters. DNS data is typically deployed on multiple physical servers. The main purposes of DNS management software are:

DNSCurve is a proposed secure protocol for the Domain Name System (DNS), designed by Daniel J. Bernstein. It encrypts and authenticates DNS packets between resolvers and authoritative servers.

OpenDNSSEC is a computer program that manages the security of domain names on the Internet. The project intends to drive adoption of Domain Name System Security Extensions (DNSSEC) to further enhance Internet security.

HTTP/2 is a major revision of the HTTP network protocol used by the World Wide Web. It was derived from the earlier experimental SPDY protocol, originally developed by Google. HTTP/2 was developed by the HTTP Working Group of the Internet Engineering Task Force (IETF). HTTP/2 is the first new version of HTTP since HTTP/1.1, which was standardized in RFC 2068 in 1997. The Working Group presented HTTP/2 to the Internet Engineering Steering Group (IESG) for consideration as a Proposed Standard in December 2014, and IESG approved it to publish as Proposed Standard on February 17, 2015. The initial HTTP/2 specification was published as on May 14, 2015.

In computer networking, TCP Fast Open (TFO) is an extension to speed up the opening of successive Transmission Control Protocol (TCP) connections between two endpoints. It works by using a TFO cookie, which is a cryptographic cookie stored on the client and set upon the initial connection with the server. When the client later reconnects, it sends the initial SYN packet along with the TFO cookie data to authenticate itself. If successful, the server may start sending data to the client even before the reception of the final ACK packet of the three-way handshake, thus skipping a round-trip delay and lowering the latency in the start of data transmission.

DNS-based Authentication of Named Entities (DANE) is an Internet security protocol to allow X.509 digital certificates, commonly used for Transport Layer Security (TLS), to be bound to domain names using Domain Name System Security Extensions (DNSSEC).

QUIC is a general-purpose transport layer network protocol initially designed by Jim Roskind at Google. It was first implemented and deployed in 2012 and was publicly announced in 2013 as experimentation broadened. It was also described at an IETF meeting. The Chrome web browser, Microsoft Edge, Firefox, and Safari all support it. In Chrome, QUIC is used by more than half of all connections to Google's servers.

A public recursive name server is a name server service that networked computers may use to query the Domain Name System (DNS), the decentralized Internet naming system, in place of name servers operated by the local Internet service provider (ISP) to which the devices are connected. Reasons for using these services include:

DNS over TLS (DoT) is a network security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks. The well-known port number for DoT is 853.

<span class="mw-page-title-main">MsQuic</span> Microsoft open source library

MsQuic is a free and open source implementation of the IETF QUIC protocol written in C that is officially supported on the Microsoft Windows, Linux, and Xbox platforms. The project also provides libraries for macOS and Android, which are unsupported. It is designed to be a cross-platform general purpose QUIC library optimized for client and server applications benefitting from maximal throughput and minimal latency. By the end of 2021 the codebase had over 200,000 lines of production code, with 50,000 lines of "core" code, sharable across platforms. The source code is licensed under MIT License and available on GitHub.

References

  1. Response rate benchmark of several OSS authoritative name servers
  2. Knot DNS memory requirements
  3. Peltan, Libor (2020-02-08). "DNS response rate speedup by using XDP". Presentation at DNS OARC 32. Retrieved 2020-09-09.
  4. Knot DNS 3.0 Benchmarking
  5. Knot DNS 2.1.0
  6. Knot DNS 2.2.0
  7. Knot DNS 2.3.0
  8. Knot DNS 2.4.0
  9. Knot DNS 2.5.0
  10. Knot DNS 2.6.0
  11. Knot DNS 2.7.0
  12. Knot DNS 2.8.0
  13. Knot DNS 2.9.0
  14. Knot DNS 3.0.0
  15. Peltan, Libor (2020-09-09). "Knot DNS 3.0 News". Blog of CZ.NIC staff. Retrieved 2020-09-09.
  16. Knot DNS 3.1.0
  17. Knot DNS 3.2.0
  18. Knot DNS 3.3.0
  19. Knot DNS 3.4.0
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.