# secure_dns
secure_dns is a secure, decentralized DNS-over-QUIC (DoQ) implementation tailored for zero-trust mesh networks. It enforces strict mutual TLS (mTLS) authentication for all peer connections, frames DNS traffic over stream-oriented QUIC transport using a 2-byte length prefix (compliant with stream-based DNS standards), and integrates with a cryptographic data verification engine to protect against domain spoofing and malicious ingress.
## Features
- DNS-over-QUIC (DoQ): Replaces traditional untrusted UDP communication with robust, stream-oriented QUIC connections.
- Strict Mutual TLS (mTLS): Enforces peer identity verification via X.509 client certificates, ensuring only pre-authorized nodes can query or inject zone records.
- Decentralized Swarm Mesh Resolution: Coordinates local zone file resolution with network-wide peer broadcasts using a custom peer routing layer.
- Cryptographic Data Lineage Verification: Leverages a secure data validation engine to audit the authenticity and configuration validity of resource records.
- Authoritative Persistence Layer: Plugs into atomic, fast, local memory-page persistence for quick lookups and secure transactions.
## Architecture & Transport Framing
Unlike UDP-based DNS alternatives, secure_dns relies on reliable, ordered stream byte delivery via quic-go. Because a QUIC stream is a continuous byte sequence with no built-in message boundaries, every DNS message written to a stream is prefixed with a 2-byte big-endian length field so the receiver can tell where one query ends and the next begins.
When a query is received, the node evaluates the peer's certificate, establishes the streaming context, parses the structural DNS labels sequentially, and checks local tables. If an entry is missing or expired, it falls back to a network broadcast to find the record within the trusted swarm mesh.
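As an added example, not code from the secure_dns project, the following Go implements the length-prefix framing described above over any `io.Reader`/`io.Writer` pair, which is what a quic-go stream provides. The function names (`WriteFramed`, `ReadFramed`, `ReadAllFrames`) and the minimal query bytes are this example's own; the query is constructed, not a captured packet. It handles the cases a stream receiver has to get right: bytes arriving in small pieces, a stream that ends mid-frame, a zero-length prefix, and a payload too large for 16 bits.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// MaxDNSMessage is the largest payload a 2-byte length prefix can describe.
const MaxDNSMessage = 65535

var (
	ErrEmptyMessage = errors.New("zero-length DNS message")
	ErrTooLarge     = errors.New("DNS message exceeds 65535 bytes")
)

// WriteFramed prepends a 2-byte big-endian length to msg and writes prefix and
// body in a single Write call, so one frame is never split across two writes.
func WriteFramed(w io.Writer, msg []byte) error {
	if len(msg) == 0 {
		return ErrEmptyMessage
	}
	if len(msg) > MaxDNSMessage {
		return ErrTooLarge
	}
	frame := make([]byte, 2+len(msg))
	binary.BigEndian.PutUint16(frame, uint16(len(msg)))
	copy(frame[2:], msg)
	_, err := w.Write(frame)
	return err
}

// ReadFramed reads exactly one length-prefixed message. io.ReadFull is used for
// both header and body, so a peer that delivers bytes in small pieces is handled,
// and a stream that ends mid-frame is reported as io.ErrUnexpectedEOF instead of
// being accepted as a truncated message. A clean io.EOF before any header byte
// means "no more frames" and is passed through unchanged.
func ReadFramed(r io.Reader) ([]byte, error) {
	var hdr [2]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := int(binary.BigEndian.Uint16(hdr[:]))
	if n == 0 {
		return nil, ErrEmptyMessage
	}
	msg := make([]byte, n)
	if _, err := io.ReadFull(r, msg); err != nil {
		if errors.Is(err, io.EOF) {
			err = io.ErrUnexpectedEOF // header promised n bytes, body never arrived
		}
		return nil, err
	}
	return msg, nil
}

// ReadAllFrames drains a stream carrying back-to-back frames and returns each
// message separately; only an EOF landing exactly on a frame boundary is a
// normal end of stream.
func ReadAllFrames(r io.Reader) ([][]byte, error) {
	var out [][]byte
	for {
		msg, err := ReadFramed(r)
		if errors.Is(err, io.EOF) {
			return out, nil
		}
		if err != nil {
			return out, err
		}
		out = append(out, msg)
	}
}

// constructedQuery builds a minimal DNS query (ID 0x1234, RD set, one question
// for "example.mesh", type A, class IN). Constructed for this example.
func constructedQuery() []byte {
	q := []byte{0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
	for _, label := range []string{"example", "mesh"} {
		q = append(q, byte(len(label)))
		q = append(q, label...)
	}
	q = append(q, 0x00)       // root label terminates the name
	q = append(q, 0x00, 0x01) // QTYPE A
	q = append(q, 0x00, 0x01) // QCLASS IN
	return q
}

func main() {
	var stream bytes.Buffer // stands in for a QUIC stream
	q := constructedQuery()
	for i := 0; i < 2; i++ {
		if err := WriteFramed(&stream, q); err != nil {
			panic(err)
		}
	}
	frames, err := ReadAllFrames(&stream)
	fmt.Printf("read %d frames of %d bytes each, err=%v\n", len(frames), len(frames[0]), err)
}
```

The important defensive detail is the body read: a plain `r.Read(msg)` can return fewer bytes than the header announced, and a receiver that then parses the partial buffer as a DNS message is parsing attacker-influenced garbage. `io.ReadFull` either fills the buffer or fails, so the length field is honoured exactly.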
## Prerequisites
Ensure your environment includes a recent version of quic-go, one whose API hands connections to your handlers as the concrete pointer type `*quic.Conn`.

```sh
go get github.com/quic-go/quic-go
```
## General Application Server Integration
To integrate secure_dns into a modular application server architecture or framework, instantiate the coordinator during your platform's startup lifecycle once the database and network layers are operational.
### Implementation Template
```go
package main

import (
	"crypto/tls"
	"log"

	"github.com/0TrustCloud/secure_dns"
)

// Placeholders: replace YourDatabaseType, YourRouterType and YourCryptoEngineType
// with the storage, routing and verification components your platform already has.
type ApplicationServer struct {
	DB        *YourDatabaseType
	Router    *YourRouterType
	Engine    *YourCryptoEngineType
	PublicKey []byte
}

func (s *ApplicationServer) StartDNSWorker(bindAddr string, tlsConf *tls.Config) {
	// 1. Initialize the SecureDNS instance with your platform's core dependencies
	sdns := secure_dns.NewSecureDNS(s.Router, s.Engine, s.PublicKey, s.DB)

	// 2. Ensure the TLS configuration enforces strict peer verification.
	//    RequireAndVerifyClientCert validates the peer chain against tlsConf.ClientCAs,
	//    so that pool must already contain the mesh CA when tlsConf is passed in.
	tlsConf.ClientAuth = tls.RequireAndVerifyClientCert
	tlsConf.NextProtos = []string{"doq"}

	// 3. Spin up the listener loop inside a background execution routine
	go func() {
		log.Printf("[DNS Core] Launching mTLS DNS-over-QUIC loop on %s...", bindAddr)
		if err := sdns.ServeWireProtocol(bindAddr, tlsConf); err != nil {
			log.Printf("[DNS Core] Listener closed or exited: %v", err)
		}
	}()
}
```
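Step 2 of the template sets `ClientAuth` but leaves building the rest of the `tls.Config` to the caller. As an added example, not code from secure_dns, here is a complete, stand-alone construction of that configuration in the style the test suite is described as using: an ephemeral in-memory CA, peer certificates cross-signed by it at runtime, and a `VerifyPeerCertificate` hook that adds an identity check on top of chain validation. The `issue`, `serverTLSConfig` and `verifyPeer` functions, the node names and the allow-list map are this example's own assumptions; a deployment would load its CA from the operator's PKI and take authorization from whatever source it already trusts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key and a certificate for name. With parent == nil the
// result is a self-signed CA; otherwise it is a mesh-node leaf signed by parent.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour), // short-lived: constructed for this example
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	} else { // mesh node: it both queries and answers, so it carries both EKUs
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// serverTLSConfig admits only peers whose chain ends at meshCA and whose
// certificate name is on the allow list. The allow list is a hypothetical
// stand-in for a deployment's real authorization source.
func serverTLSConfig(own *x509.Certificate, ownKey *ecdsa.PrivateKey, meshCA *x509.Certificate, allowed map[string]bool) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(meshCA)
	return &tls.Config{
		MinVersion:   tls.VersionTLS13, // QUIC only runs over TLS 1.3
		Certificates: []tls.Certificate{{Certificate: [][]byte{own.Raw}, PrivateKey: ownKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no cert, or a foreign CA: handshake fails
		ClientCAs:    pool,
		NextProtos:   []string{"doq"},
		// Called only after chain validation against ClientCAs succeeded, so
		// verifiedChains is populated; this adds the "is this node authorized" check.
		VerifyPeerCertificate: func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
			if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0 {
				return errors.New("no verified chain")
			}
			if name := verifiedChains[0][0].Subject.CommonName; !allowed[name] {
				return fmt.Errorf("peer %q is not an authorized mesh node", name)
			}
			return nil
		},
	}
}

// verifyPeer applies the config's checks to a presented certificate without a
// live handshake: chain validation against ClientCAs, then the identity hook.
func verifyPeer(conf *tls.Config, peer *x509.Certificate) error {
	chains, err := peer.Verify(x509.VerifyOptions{
		Roots:     conf.ClientCAs,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return err
	}
	return conf.VerifyPeerCertificate([][]byte{peer.Raw}, chains)
}

func main() {
	ca, caKey, err := issue("mesh-ca", nil, nil)
	if err != nil { panic(err) }
	own, ownKey, _ := issue("resolver.mesh", ca, caKey)
	conf := serverTLSConfig(own, ownKey, ca, map[string]bool{"node-alpha.mesh": true})
	alpha, _, _ := issue("node-alpha.mesh", ca, caKey)
	beta, _, _ := issue("node-beta.mesh", ca, caKey)
	fmt.Println("node-alpha:", verifyPeer(conf, alpha)) // nil: signed by mesh CA and listed
	fmt.Println("node-beta: ", verifyPeer(conf, beta))  // error: valid chain but not authorized
}
```

The two layers are deliberately separate: `ClientCAs` plus `RequireAndVerifyClientCert` answers "was this certificate issued by our CA", while `VerifyPeerCertificate` answers "is this particular node allowed to talk to us". A certificate from an unrelated CA never reaches the hook, and a perfectly valid certificate for an unlisted node is still refused. Pass the resulting `*tls.Config` to `StartDNSWorker`; the template's step 2 then re-asserts the same `ClientAuth` and `NextProtos` values.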
## Managing Domain Zone Modifications
You can manage authoritative domain bindings programmatically by executing zone registration commands through your application handlers or administrative API endpoints:

```go
// Bind an authoritative A record to the underlying database page
// (sdns is the instance created by NewSecureDNS in the template above)
err := sdns.RegisterDomain("node-alpha.mesh", "A", "10.0.0.5", 3600)
if err != nil {
	log.Printf("Failed to bind domain authority: %v", err)
}
```
## Running Tests
The test suite validates connection streams, mTLS handshake constraints, and proper packet framing by generating ephemeral in-memory Certificate Authorities and cross-signing connection endpoints at runtime.
To execute the unit tests, use:

```sh
go test -v ./...
```