Pledge for integrating a DNSSEC-validating DNS proxy into IPFire to secure the DNS system. Modifications to dnsmasq are necessary.


IPFire currently uses dnsmasq as a forwarding DNS proxy. That means that when a DNS query arrives from the local network, it is forwarded to an upstream DNS server and the response is cached by dnsmasq. If the same host or another host asks for the same name again, the reply is served from the local cache.

That cache can be poisoned and DNS responses can be forged, so that users are hijacked and data fraud becomes possible. The technique that prevents this is called DNSSEC:

It is a set of extensions to DNS which provide DNS clients (resolvers) with origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

We would like to enable IPFire to validate DNS responses so that the local networks are protected against fraud and those attacks on the DNS system. However, this requires some modifications to dnsmasq so that it can read the DHCP leases file. We therefore ask for your support to make this happen.
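As an added illustration (not IPFire's shipped configuration and not part of this pledge), the following shows what the difference between a plain forwarding proxy and a validating one looks like in dnsmasq's own configuration syntax, using the DNSSEC options that later dnsmasq releases provide. The upstream resolver address is a constructed placeholder; the trust anchor is the publicly published DS record of the root zone key-signing key (key tag 20326).

```conf
# Added example, not IPFire's configuration. Two alternative dnsmasq.conf
# fragments: A is the forwarding-only setup described above, B adds DNSSEC
# validation. Use one or the other, not both.

# ---- A: forwarding proxy with a cache, no validation -------------------
# Every upstream answer is cached and handed to LAN clients as-is. A forged
# or poisoned answer is cached too and then served to every host that asks.
no-resolv
server=192.0.2.53          # constructed placeholder for the upstream resolver
cache-size=10000
dhcp-leasefile=/var/lib/misc/dnsmasq.leases   # assumed path, adjust to the system

# ---- B: same proxy, answers validated before they enter the cache -------
no-resolv
server=192.0.2.53          # constructed placeholder for the upstream resolver
cache-size=10000
dhcp-leasefile=/var/lib/misc/dnsmasq.leases   # assumed path, adjust to the system

# Validate the RRSIG chain of every signed answer received from upstream.
dnssec

# Root of the chain of trust: DS record of the root zone KSK
# (key tag 20326, algorithm 8 = RSASHA256, digest type 2 = SHA-256).
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B1D7C65D08458E880409BBC683457104237C7F8EC8D

# Demand NSEC/NSEC3 proof that an unsigned zone really is unsigned, so an
# answer whose signatures were stripped is rejected instead of accepted.
dnssec-check-unsigned

# Validation depends on the signature validity window, so the proxy must have
# a correct clock; a box whose time is wrong will fail every signed lookup.
```

To check that variant B actually validates, query the proxy for a name in a signed zone with `dig @127.0.0.1 <name> +dnssec` and look for the `ad` (authenticated data) flag in the response header; a name whose signatures are deliberately broken (public test zones such as dnssec-failed.org exist for this) should come back as SERVFAIL rather than an answer. Failed validations are logged by dnsmasq when `log-queries` is enabled, which is the signal a defender would watch for tampering upstream.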

This is a short video that explains how DNSSEC works.


Launched: April 29, 2014 at 12:00 am • This funding runs until the goal is reached.