Date: 2024-10-25
Title: Meet DNSvizor: run your own DHCP and DNS MirageOS unikernel
Description: The NGI-funded DNSvizor provides core network services on your network; DNS resolution and DHCP.
Tags: OCaml, MirageOS, DNSvizor
Author: Hannes Mehnert (hannes@mehnert.org, https://hannes.robur.coop)

TL;DR: We got NGI0 Entrust (via NLnet) funding for developing DNSvizor - a DNS resolver and DHCP server. Please help us by sharing your dnsmasq configuration with us, so we can prioritize the configuration options to support.

Introduction

The dynamic host configuration protocol (DHCP) is fundamental in today's Internet and local networks. It usually runs on your router (or as a dedicated independent service) and automatically configures computers that join your network (for example wireless laptops, smartphones) with an IP address, routing information, a DNS resolver, etc. No manual configuration is needed once your friend's smartphone has the password of your wireless network \o/

The domain name system (DNS) is responsible for translating domain names (such as "robur.coop", "nlnet.nl") to IP addresses (such as 193.30.40.138 or 2a0f:7cc7:7cc7:7c40::138), which computers use to talk to each other. Humans can remember domain names instead of memorizing IP addresses. Computers then use DNS to translate these domain names to the IP addresses they communicate with. DNS is a hierarchical, distributed, fault-tolerant service.

These two protocols are fundamental to today's Internet: without them it would be much harder for humans to use it.

DNSvizor

We at robur got funding (from NGI0 Entrust via NLnet) to continue our work on DNSvizor - a MirageOS unikernel that provides DNS resolution and DHCP service for a network. This is fully implemented in OCaml.

We already deployed such a unikernel at our MirageOS retreats, to test our DHCP implementation and our DNS resolver - and found and fixed issues on-site. At the retreats we have a very limited Internet uplink, thus caching DNS queries and answers is great for reducing the load on the uplink.

Thanks to the funding we received, we'll be able to work on improving the performance, but also to finish our DNSSEC implementation, provide DNS-over-TLS and DNS-over-HTTPS services, and also a web interface. DNSvizor will use the existing dnsmasq configuration syntax, and provide lots of features from dnsmasq, and also provide features such as block lists from pi-hole.

We are at a point where the basic unikernel (our MVP) - providing DNS and DHCP services - is ready, and we provide reproducible binary builds. Phew. This means that the first step is done. The --dhcp-range from dnsmasq is already being parsed.

We are now curious about concrete uses of dnsmasq and the configurations you use. If you're interested in DNSvizor, please open an issue at our repository with your dnsmasq configuration. This will help us decide which parts of the configuration to prioritize.

Usages of DNSvizor

We have several use cases for DNSvizor:

  • at your home router to provide DNS resolution and DHCP service, filtering ads,
  • in the datacenter auto-configuring your machine park,
  • when running your unikernel swarm to auto-configure them.

The first one is where pi-hole fits in as well, and where dnsmasq is used quite a lot. The second one is also a domain where dnsmasq is used. The third one comes from our experience that lots of people struggle with deploying MirageOS unikernels since they have to manually do IP configuration etc. We ourselves also pass additional information to the unikernels, such as syslog host, monitoring sink, X.509 certificates or host names, do some DNS provisioning, ...

With DNSvizor we will leverage the common configuration options of all unikernels (reducing the need for boot arguments), and also go a bit further and make deployment seamless (including adding hostnames to DNS, forwarding from our reverse TLS proxy, etc.).

Conclusion

DNSvizor provides DNS resolution and DHCP service for your network, and already exists :). Please report issues you encounter and questions you may have. Also, if you use dnsmasq, please show us your configuration.

If you're interested in MirageOS and using it in your domain, don't hesitate to reach out to us (via email: team@robur.coop) - we're keen to deploy MirageOS and find more domains where it is useful. If you can spare a dime, we're a registered non-profit in Germany - and can provide tax-deductible receipts in Europe.