## 1. Overview & Architecture (Go 1.22+)

DNSScienced is a modern, enterprise-grade DNS server platform written in Go. It provides both authoritative and recursive DNS services with deep integration into the DNSScience.io intelligence platform.

- Native DoT, DoH, and DoQ transport support
- Built-in DNSScience.io threat intelligence integration
- Web3 name resolution (ENS, SNS, Unstoppable Domains)
- Modern YAML-like zone file format
- Plugin architecture (Go + Lua/Starlark)
- Multi-layer DDoS protection

### Architecture Overview
## 2. Quick Start

### Installation

```bash
# Clone the repository
git clone https://github.com/dnsscience/dnsscienced.git
cd dnsscienced

# Build all binaries
make build

# Install to system
sudo make install

# Or using Go directly
go install github.com/dnsscience/dnsscienced/cmd/...@latest
```

### Start Recursive Resolver

```bash
# Start with default configuration
sudo dnsscience-cached -c /etc/dnsscienced/cached.conf

# Test it
dig @127.0.0.1 example.com
```

### Start Authoritative Server

```bash
# Start authoritative server
sudo dnsscience-authd -c /etc/dnsscienced/authd.conf

# Test zone
dig @127.0.0.1 example.com SOA
```

### Docker Deployment

```bash
# Run recursive resolver
docker run -d --name dns-cached \
  -p 53:53/udp -p 53:53/tcp \
  -p 853:853/tcp \
  -v /etc/dnsscienced:/etc/dnsscienced \
  dnsscience/dnsscienced:cached

# Run authoritative server
docker run -d --name dns-authd \
  -p 5353:53/udp -p 5353:53/tcp \
  -v /var/lib/dnsscienced/zones:/zones \
  dnsscience/dnsscienced:authd
```
## 3. dnsscience_cached Recursive Resolver

A full-featured recursive DNS resolver with caching, DNSSEC validation, and threat protection.

### Query Engine

- Iterative resolution from root
- Query name minimization (RFC 7816)
- 0x20 encoding for cache poisoning resistance
- Parallel queries to nameservers
- TCP connection reuse & pipelining
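The 0x20 encoding item above, and the cache-poisoning line in the Attack Detection list in section 8, worked as an added Go example that is not code from the DNSScienced project: the resolver randomizes the case of each letter in the outgoing qname and then accepts a reply only if the echoed question name matches byte for byte, so a forged reply that guessed the transaction ID and source port but not the casing is discarded. All function names here are the example's own.

```go
package main

import (
	"crypto/rand"
	"fmt"
)

// apply0x20 is the deterministic core of 0x20 encoding: bit 0 of mask[i%len(mask)]
// picks the case of letter i; non-letters ('.', '-', digits) are left untouched.
func apply0x20(qname string, mask []byte) string {
	out := []byte(qname)
	for i, c := range out {
		if l := c | 0x20; l < 'a' || l > 'z' {
			continue // not an ASCII letter
		}
		if len(mask) > 0 && mask[i%len(mask)]&1 == 1 {
			out[i] = c &^ 0x20 // uppercase
		} else {
			out[i] = c | 0x20 // lowercase
		}
	}
	return string(out)
}

// randomize0x20 draws a fresh random mask for each outgoing query.
func randomize0x20(qname string) (string, error) {
	mask := make([]byte, len(qname))
	if _, err := rand.Read(mask); err != nil {
		return "", err
	}
	return apply0x20(qname, mask), nil
}

// letterBits is the entropy 0x20 adds on top of the 16-bit TXID and source port.
func letterBits(qname string) int {
	n := 0
	for _, c := range []byte(qname) {
		if l := c | 0x20; l >= 'a' && l <= 'z' {
			n++
		}
	}
	return n
}

// responseMatches is the resolver-side check: byte-for-byte, not case-insensitive.
func responseMatches(sent, echoed string) bool { return sent == echoed }

func main() {
	sent, _ := randomize0x20("example.com")
	fmt.Printf("sending %q with %d bits of casing entropy\n", sent, letterBits(sent))
}
```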
### Cache Layer

- In-memory or Redis backend
- Serve Stale (RFC 8767)
- Proactive prefetching
- Negative caching (RFC 2308)
- Aggressive NSEC (RFC 8198)

### DNSSEC Validation

- Full chain of trust from root
- Algorithm agility (RFC 8624)
- Trust anchor auto-update (RFC 5011)
- Negative trust anchors
- Extended DNS Errors (RFC 8914)

### Response Policy (RPZ)

- Multiple RPZ zones
- DNSScience.io threat feeds
- Custom blocklists/allowlists
- Response rewriting
- Real-time updates

### Modern Transport Support

| Protocol | Port | RFC | Description |
|---|---|---|---|
| UDP/TCP | 53 | RFC 1035 | Traditional DNS |
| DoT | 853 | RFC 7858 | DNS over TLS |
| DoH | 443 | RFC 8484 | DNS over HTTPS |
| DoQ | 853/UDP | RFC 9250 | DNS over QUIC |
## 4. dnsscience_authd Authoritative Server

Enterprise-grade authoritative DNS server with multi-format zone support and automated DNSSEC.

### Zone Management

- Native .dnszone format
- BIND zone file compatibility
- djbdns format support
- JSON/YAML zones
- Hot reload (SIGHUP)

### Zone Transfers

- AXFR primary & secondary
- IXFR incremental transfers
- NOTIFY protocol
- TSIG authentication
- Catalog zones (RFC 9432)

### DNSSEC Signing

- Online signing
- Offline signing
- Automatic key rollover
- HSM support (PKCS#11)
- Cloud KMS integration

### Dynamic Updates

- RFC 2136 updates
- GSS-TSIG (Kerberos)
- Update policies
- Journal/WAL
- API-driven updates
## 5. Configuration

### Main Configuration (`/etc/dnsscienced/dnsscienced.conf`)

```
# DNSScienced Global Configuration
global {
  user = "dnsscienced"
  group = "dnsscienced"
  directory = "/var/lib/dnsscienced"
  pid-file = "/run/dnsscienced/dnsscienced.pid"
}

logging {
  channel default {
    file = "/var/log/dnsscienced/default.log"
    severity = info
    format = json
  }
  channel queries {
    file = "/var/log/dnsscienced/queries.log"
    severity = info
    print-time = yes
    print-queries = yes
  }
}

statistics {
  enabled = yes
  prometheus {
    listen = "127.0.0.1:9153"
    path = "/metrics"
  }
}

# DNSScience.io Cloud Integration
dnsscience-cloud {
  enabled = yes
  api-key = "${DNSSCIENCE_API_KEY}"
  threat-feeds = yes
  telemetry = yes
}
```
### Recursive Resolver (`/etc/dnsscienced/cached.conf`)

```
# dnsscience_cached Configuration
server {
  listen = ["0.0.0.0:53", "[::]:53"]
  listen-tls = ["0.0.0.0:853"]
  listen-https = ["0.0.0.0:443"]
  tls-certificate = "/etc/dnsscienced/tls/server.crt"
  tls-key = "/etc/dnsscienced/tls/server.key"
}

cache {
  backend = "memory"   # or "redis"
  size = "512MB"
  min-ttl = 60
  max-ttl = 86400
  serve-stale = yes
  stale-ttl = 86400
  prefetch = yes
  prefetch-threshold = 0.75
}

dnssec {
  validation = yes
  trust-anchor-file = "/etc/dnsscienced/root.key"
  auto-trust-anchor-update = yes
}

rpz {
  zone "dnsscience-threat" {
    url = "https://rpz.dnsscience.io/threat.rpz"
    refresh = 3600
  }
  zone "custom-blocklist" {
    file = "/etc/dnsscienced/rpz/custom.rpz"
  }
}

rate-limiting {
  queries-per-second = 100
  slip = 2
  window = 15
}
```
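The `rate-limiting` block above, worked as an added Go example that is not the project's code. How the keys are read here is an assumption rather than DNSScienced's documented semantics: a source prefix gets `queries-per-second` times `window` responses per window of `window` seconds, and beyond that every `slip`-th limited response is sent truncated (TC=1) instead of dropped, so a genuine client retries over TCP while a spoofed source gets nothing worth amplifying; the /24 and /56 grouping is likewise assumed. This also illustrates the RRL and TC bit forcing items of the DDoS section.

```go
package main

import (
	"net"
	"time"
)

// Action is what to do with a response. Truncate means an empty reply with
// TC=1: it cannot amplify, and a genuine client simply retries over TCP.
type Action string
const Send, Drop, Truncate Action = "send", "drop", "truncate"

type bucket struct {
	start          time.Time // start of the current window
	count, limited int       // responses seen in it, and how many were limited
}

// RRL is a simplified response rate limiter keyed by source prefix. Reading the
// cached.conf keys as "qps*window responses per window seconds, then every
// slip-th response truncated and the rest dropped" is this example's assumption.
type RRL struct {
	qps, slip, window int
	buckets           map[string]*bucket
}

func NewRRL(qps, slip, window int) *RRL { return &RRL{qps, slip, window, map[string]*bucket{}} }

// prefixKey groups clients into /24 (IPv4) or /56 (IPv6), so spoofed sources
// that differ only in the low bits share one bucket.
func prefixKey(ip net.IP) string {
	if v4 := ip.To4(); v4 != nil {
		return v4.Mask(net.CIDRMask(24, 32)).String() + "/24"
	}
	return ip.Mask(net.CIDRMask(56, 128)).String() + "/56"
}

// Decide charges one response at time t against src's prefix.
func (r *RRL) Decide(src net.IP, t time.Time) Action {
	key := prefixKey(src)
	b, ok := r.buckets[key]
	if !ok || t.Sub(b.start) >= time.Duration(r.window)*time.Second {
		b = &bucket{start: t} // first sight, or the previous window has expired
		r.buckets[key] = b
	}
	if b.count++; b.count <= r.qps*r.window {
		return Send
	}
	if b.limited++; r.slip > 0 && b.limited%r.slip == 0 {
		return Truncate // TC bit forcing: a tiny reply with nothing to amplify
	}
	return Drop
}
```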
## 6. Zone File Format

DNSScienced introduces a modern, YAML-like zone file format that's easier to read and maintain than traditional BIND format.

### Native Format (`.dnszone`)

```yaml
# example.com.dnszone - Native DNSScienced Zone Format
zone: example.com
serial: auto        # Auto-increment on changes
ttl: 3600           # Default TTL
refresh: 7200
retry: 1800
expire: 1209600
minimum: 3600

# Primary nameserver
primary-ns: ns1.example.com
admin-email: admin@example.com

# Nameservers
nameservers:
  - ns1.example.com
  - ns2.example.com

# MX records with priority
mx:
  - priority: 10
    host: mail1.example.com
  - priority: 20
    host: mail2.example.com

# DNS records
records:
  # Apex records (@)
  "@":
    A: 192.0.2.1
    AAAA: 2001:db8::1
    TXT:
      - "v=spf1 mx -all"
      - "google-site-verification=xxx"
    CAA:
      - flags: 0
        tag: issue
        value: "letsencrypt.org"

  # Subdomains
  www:
    CNAME: "@"
  mail1:
    A: 192.0.2.10
  mail2:
    A: 192.0.2.11

  # Wildcard
  "*":
    A: 192.0.2.1

  # Service binding (SVCB) records
  _https._tcp:
    SVCB:
      priority: 1
      target: "."
      alpn: ["h2", "h3"]

  # TLSA for DANE
  _443._tcp.www:
    TLSA:
      usage: 3
      selector: 1
      matching: 1
      data: "abc123..."
```
### Format Conversion

```bash
# Convert BIND zone to DNSScienced format
dnsscience-convert bind2dnszone example.com.zone -o example.com.dnszone

# Convert DNSScienced to BIND (for migration)
dnsscience-convert dnszone2bind example.com.dnszone -o example.com.zone

# Validate zone file
dnsscience-checkzone example.com example.com.dnszone
```
## 7. DNSSEC Implementation

### Supported Algorithms

| Algorithm | ID | Status | Recommendation |
|---|---|---|---|
| RSASHA256 | 8 | MUST | Legacy compatibility |
| RSASHA512 | 10 | MUST | Legacy compatibility |
| ECDSAP256SHA256 | 13 | MUST | Recommended |
| ECDSAP384SHA384 | 14 | MAY | High security |
| ED25519 | 15 | RECOMMENDED | Best performance |
| ED448 | 16 | MAY | Highest security |

### Key Generation

```bash
# Generate KSK (Key Signing Key)
dnsscience-keygen -a ED25519 -f KSK example.com

# Generate ZSK (Zone Signing Key)
dnsscience-keygen -a ED25519 example.com

# Sign zone
dnsscience-signzone -o example.com.signed example.com.dnszone
```

Automated signing in `authd.conf`:

```
dnssec {
  auto-sign = yes
  algorithm = ED25519
  ksk-lifetime = 365d
  zsk-lifetime = 30d
  key-directory = "/var/lib/dnsscienced/keys"
}
```
## 8. DDoS Mitigation Architecture

Multi-layer defense against DNS-based attacks:

### Layer 1: Network/Transport

- SYN cookies for TCP
- UDP source validation
- Connection limits per IP
- BPF/XDP packet filtering

### Layer 2: DNS Protocol

- DNS Cookies (RFC 7873)
- Response Rate Limiting (RRL)
- TC bit forcing
- Minimal responses

### Layer 3: Application

- Per-client query quotas
- NXDOMAIN rate limiting
- Random subdomain detection
- Zone transfer restrictions

### Layer 4: Intelligence

- ML-based anomaly detection
- DNSScience.io threat feeds
- Reputation scoring
- Real-time blocklisting

### Attack Detection

- Amplification attacks: minimal responses, rate limiting
- Query floods: per-source rate limiting, DNS cookies
- Random subdomain (water torture): pattern detection, NXDOMAIN limits
- Cache poisoning: 0x20 encoding, source port randomization
- Reflection attacks: source validation, RRL
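The random subdomain (water torture) item above, as an added detection example that is not code from the project: it scans a constructed query-log sample and flags zone apexes whose NXDOMAIN answers are mostly for distinct names, which is what separates a flood of random labels from one misspelled name asked repeatedly. The `<time> <client> <qname> <qtype> <rcode>` line layout, the field positions and the last-two-labels apex approximation are assumptions, not DNSScienced's real log format.

```go
package main

import (
	"bufio"
	"sort"
	"strings"
)

// Constructed query-log sample, not DNSScienced's real layout: <time> <client>
// <qname> <qtype> <rcode>. Random labels under victim.example mimic a
// water-torture flood; the repeated typo under example.com does not.
const sampleLog = `12:00:01 203.0.113.9 x7q9kd2p.victim.example A NXDOMAIN
12:00:01 198.51.100.4 zt4lm0wq.victim.example A NXDOMAIN
12:00:01 203.0.113.9 q8bn3vrh.victim.example AAAA NXDOMAIN
12:00:02 192.0.2.77 h2k9yy1e.victim.example A NXDOMAIN
12:00:02 192.0.2.10 www.example.com A NOERROR
12:00:03 192.0.2.10 wwww.example.com A NXDOMAIN
12:00:04 192.0.2.11 wwww.example.com A NXDOMAIN
12:00:05 192.0.2.12 wwww.example.com A NXDOMAIN`

// detectWaterTorture returns the zone apexes (approximated as the last two
// labels) with at least minNX NXDOMAIN answers of which at least the fraction
// minDistinct were for distinct names; a repeated typo has a low fraction.
func detectWaterTorture(log string, minNX int, minDistinct float64) []string {
	nx, distinct := map[string]int{}, map[string]int{} // per apex
	seen := map[string]bool{}                          // qnames already counted
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 5 || f[4] != "NXDOMAIN" {
			continue
		}
		qname := strings.ToLower(strings.TrimSuffix(f[2], "."))
		labels := strings.Split(qname, ".")
		apex := qname
		if len(labels) > 2 {
			apex = strings.Join(labels[len(labels)-2:], ".")
		}
		if nx[apex]++; !seen[qname] {
			seen[qname], distinct[apex] = true, distinct[apex]+1
		}
	}
	var hits []string
	for apex, n := range nx {
		if n >= minNX && float64(distinct[apex])/float64(n) >= minDistinct {
			hits = append(hits, apex)
		}
	}
	sort.Strings(hits)
	return hits
}
```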
## 9. Web3 DNS Integration (Blockchain)

Native resolution of blockchain-based domain names through plugin modules.

| Service | TLDs | Blockchain | Status |
|---|---|---|---|
| ENS (Ethereum Name Service) | .eth | Ethereum L1 + L2s | Supported |
| SNS (Solana Name Service) | .sol | Solana | Supported |
| Unstoppable Domains | .crypto, .x, .wallet, .nft, .blockchain, .888, .dao | Polygon | Supported |
| Freename | .fn | Polygon | Supported |
| ITZ | .itz | Multiple | Supported |

### Configuration

```
# Enable Web3 resolution in cached.conf
plugins {
  web3 {
    enabled = yes
    ens {
      enabled = yes
      rpc-url = "https://eth.llamarpc.com"
      cache-ttl = 300
    }
    sns {
      enabled = yes
      rpc-url = "https://api.mainnet-beta.solana.com"
    }
    unstoppable {
      enabled = yes
      api-key = "${UD_API_KEY}"
    }
  }
}
```

### Resolution Example

```bash
# Resolve ENS domain
dig @localhost vitalik.eth A

# Resolve Unstoppable domain
dig @localhost brad.crypto A

# Resolve Solana domain
dig @localhost bonfida.sol A
```
## 10. Plugin System

Extend DNSScienced with custom functionality using Go plugins or interpreted scripts.

### Plugin Types

| Type | Format | Performance | Use Case |
|---|---|---|---|
| Native Go | .so files | Highest | Production, performance-critical |
| Lua | .lua scripts | Good | Quick customization, hot reload |
| Starlark | .star scripts | Good | Sandboxed, config-like |

### Hook Points

```go
// Available hook points for plugins
type PluginHooks interface {
	// Query processing
	PreQuery(ctx *QueryContext) (*QueryContext, error)
	PostResponse(ctx *ResponseContext) (*ResponseContext, error)

	// Zone events
	OnZoneLoad(zone *Zone) error
	OnZoneUpdate(zone *Zone, changes []Change) error

	// Cache events
	OnCacheHit(key string, record *Record) error
	OnCacheMiss(key string) error
	OnCacheEvict(key string, record *Record) error

	// Lifecycle
	OnStart(server *Server) error
	OnStop(server *Server) error
	OnReload(server *Server) error
}
```

### Built-in Modules

- DNS Intelligence Platform (DIP): AI/ML threat detection
- GeoIP Routing: geographic load balancing
- Blocklist Plugin: domain filtering
- Web3 Modules: blockchain name resolution
## 11. CLI Utilities

### dnsscience-checkzone

Validate zone files before deployment:

```bash
dnsscience-checkzone example.com /path/to/zone.dnszone
dnsscience-checkzone --strict example.com /path/to/zone.dnszone
```

### dnsscience-convert

Convert between zone file formats:

```bash
# BIND to DNSScienced
dnsscience-convert bind2dnszone input.zone -o output.dnszone

# DNSScienced to BIND
dnsscience-convert dnszone2bind input.dnszone -o output.zone

# BIND config to NSD
dnsscience-convert named2nsd named.conf -o nsd.conf
```

### dnsscience-keygen

Generate DNSSEC keys:

```bash
# Generate KSK
dnsscience-keygen -a ED25519 -f KSK example.com

# Generate ZSK
dnsscience-keygen -a ECDSAP256SHA256 example.com
```

### dnsscience-signzone

Sign zones with DNSSEC:

```bash
dnsscience-signzone -o example.com.signed \
  -k /keys/Kexample.com.+015+12345.key \
  example.com.dnszone
```

### dnsscience-dig

Enhanced dig replacement with DNSSEC and DoH support:

```bash
# Standard query
dnsscience-dig example.com A

# With DNSSEC validation
dnsscience-dig +dnssec example.com A

# DNS over HTTPS
dnsscience-dig +https @cloudflare-dns.com example.com A

# DNS over TLS
dnsscience-dig +tls @1.1.1.1 example.com A
```

### dnsscience-ctl

Runtime control (similar to rndc):

```bash
# Reload configuration
dnsscience-ctl reload

# Flush cache
dnsscience-ctl flush

# Show statistics
dnsscience-ctl stats

# Zone operations
dnsscience-ctl zone reload example.com
dnsscience-ctl zone freeze example.com
dnsscience-ctl zone thaw example.com
```
## 12. RFC Compliance Matrix

### Core DNS (P0 - MUST)

| RFC | Title |
|---|---|
| RFC 1034 | Domain Names - Concepts and Facilities |
| RFC 1035 | Domain Names - Implementation |
| RFC 2181 | Clarifications to the DNS Specification |
| RFC 2308 | Negative Caching of DNS Queries |
| RFC 3597 | Handling Unknown DNS RR Types |
| RFC 6891 | EDNS(0) Extensions |
| RFC 7766 | DNS Transport over TCP |
| RFC 8020 | NXDOMAIN: There Really Is Nothing Underneath |

### DNSSEC (P0/P1)

| RFC | Title |
|---|---|
| RFC 4033/4034/4035 | DNSSEC Introduction & Protocol |
| RFC 5155 | NSEC3 Hashed Authenticated Denial |
| RFC 6781 | DNSSEC Operational Practices |
| RFC 8624 | Algorithm Implementation Requirements |
| RFC 9276 | NSEC3 Guidance |

### Modern Transports (P1/P2)

| RFC | Title |
|---|---|
| RFC 7858 | DNS over TLS (DoT) |
| RFC 8484 | DNS over HTTPS (DoH) |
| RFC 9250 | DNS over QUIC (DoQ) |
| RFC 7873 | DNS Cookies |
| RFC 8767 | Serving Stale Data |

### Privacy & Security (P1)

| RFC | Title |
|---|---|
| RFC 7816 | DNS Query Name Minimisation |
| RFC 8198 | Aggressive NSEC/NSEC3 Caching |
| RFC 8914 | Extended DNS Errors (EDE) |
| RFC 9156 | Query Name Minimisation Improvements |