BSDCan2019 - 1.8
BSDCan 2019
The Technical BSD Conference
| Speakers |
|---|
| Florian Obser |

| Schedule | |
|---|---|
| Day | Talks #1 - 17 May - 2019-05-17 |
| Room | DMS 1110 |
| Start time | 11:15 |
| Duration | 01:00 |

| Info | |
|---|---|
| ID | 1055 |
| Event type | Lecture |
| Track | Hacking |
| Language used for presentation | English |
unwind(8)
A privilege-separated, validating DNS recursive nameserver for every laptop
DNS is easy. You type bsdcan.org in your browser's address bar, hit enter and you will be greeted by your favorite BSD conference's start page. Actually...
We will start by giving a short introduction to DNS from the perspective of a client.
We will explore:
- where to send questions to: upstream resolvers learned from DHCP / router advertisements / static quad-x resolvers vs. doing recursion ourselves,
- what questions to ask: qname-minimization (yes or no),
- what to do with the answer: benefits and limitations of DNSSEC.
We will then introduce unwind(8), an always-running, validating DNS recursive nameserver that answers queries on localhost (127.0.0.1). We will explain its privilege-separated design and show that it is secure to run this daemon by default. We will then show how its novel approach of observing changes in network location and actively probing the quality of the local network improves the user experience in DNS resolution. The focus will be on laptops that move through many networks, some good, some bad, some outright hostile.
We will compare unwind(8) to prior solutions and show how its design enables it to run without user intervention.
While unwind(8) is developed on OpenBSD, it is intended to be portable. We will give pointers on a few OpenBSD-specific features.