
Show HN: Golang DNS server, including DNSSEC and DNS-over-TLS - tenta
https://github.com/tenta-browser/tenta-dns
======
hsivonen
Apart from the difference in programming language, how does this compare to
[https://github.com/bluejekyll/trust-dns](https://github.com/bluejekyll/trust-dns)?

~~~
tenta
This appears to be in the same universe (DNS with TLS in a shiny new
language).

It looks like Tenta DNS currently supports more features around scaling and
production use, while Trust DNS includes a client component.

~~~
bluejekyll
> DNS with TLS in a shiny new language

My goals with TRust-DNS are a little more than just shiny new language. I
really want to leverage Rust's safety guarantees, especially in regards
building high performance implementations for core tools like this. I believe
that with Rust we can produce more hardened software and deliver at a faster
pace than other more traditional low level languages.

I haven't yet had a chance to really optimize the library. In my measurements
for example, BIND responds to queries in 100 micro-seconds, whereas TRust-DNS
is now down to 250 (on my local system, YMMV). There are a couple of
low-hanging fruit things that I hope to get to soon, that should bring that
down significantly.

------
kanwisher
I like your octocat-gopher logo, very cool. Looks like an interesting project
also. How does it compare to the Cloudflare DNS server in Go? (I guess being
open source is the most important). They did some interesting optimizations of
TLS with assembly.

~~~
dullgiulio
AFAIK they both use the same miekg/dns library. I am not sure the assembly
optimizations have been merged into the library itself.

~~~
iangudger
If you want something faster than github.com/miekg/dns, there is
golang.org/x/net/dns. I am the author, but I promise it is a lot faster. It is
about an order of magnitude faster in my benchmarks.

~~~
lmb
Where does that order of magnitude come from? Certainly sounds interesting.

------
wiradikusuma
See also: [https://coredns.io/](https://coredns.io/) (also Go)

~~~
zaarn
CoreDNS has some fun issues at times. The documentation around it is rather
sparse and the last time I tried it, CoreDNS refused to reply with authoritative
responses to any query and also refused to properly resolve any recursive
queries (delivering intermediate! results).

------
dbrgn
If we're already at it comparing different implementations, how's your story
versus Knot ([https://www.knot-dns.cz/](https://www.knot-dns.cz/))? Probably a
different focus: Knot is authoritative-only, while your implementation mostly
seems to focus on the recursive resolver, correct? Are there any reasons to
use Tenta DNS over Knot as authoritative nameserver with DNSSEC support?

~~~
tenta
Knot DNS is authoritative only. Our main focus has been recursive support and
full security support. We haven't used knot dns, but it has an excellent
reputation. At the moment, knot dns is more suitable for authoritative hosting
(our authoritative features are still very minimal). Although in certain
circumstances, like dns leak testing, we have built in support for that.

~~~
scurvy
I'll put on my djb hat here: I'd avoid combining authoritative and recursive
resolving servers in the same process. That is, unless you want to end up like
BIND.

~~~
tenta
You can certainly make two configs, an authoritative-only and a recursive-only,
and just run two copies. However, while we cannot strictly control how
goroutines are allocated, each module (recursor, resolver, nsnitch) runs as
its own little kingdom and primarily communicates with shared plumbing
(geoip, for instance) through channels.

------
sleepybrett
What's the value prop over Linux Foundation backed CoreDNS?

~~~
bogomipz
BGP integration and nSnitch, both are nice adds.

~~~
tenta
Thanks! Also vs CoreDNS, we support actually running as a recursive or
authoritative resolver. CoreDNS is appropriate (excellent, in fact) for
running for service discovery, but not suitable for running as a public
resolver.

------
roguecoder
Is it common in Golang to not write tests?

~~~
tptacek
Certainly it's common to write _fewer_ tests than Python or Ruby projects,
where you need tests to verify basic type and existence assertions.

~~~
pvg
This is starting to change, perhaps not in Ruby but JS and Python now have
commonly-used pre-compile typecheckers with typesystems fancier than your
typical typed C-descendant language, annotation stubs for the standard or
popular libraries, etc. I wouldn't be surprised that if in a couple of years,
the default for a new Javascript project would be more typechecked than Go,
strange as it is to say.

~~~
fulafel
I know only of Flow for JS, but are there signs that it's commonly used, or
are there other JS typecheckers with a more optimistic trajectory?

It looks to me more like compile-to-JS languages are winning this race. Which
is good, as it enables things like ClojureScript and Elm. Also many of us
think the lack of static types is the least of the problems in JS.

~~~
pvg
Flow and TypeScript are used a fair bit and both have adoption in big
organizations that make big, commonly used tools. I don't think any of the
compile-to-JS languages have ever really got quite that far and I'm somewhat
skeptical they will.

~~~
fulafel
Ah. I guess due to the superset-of-JS property you might kinda sorta see it as
annotated JS, though it has its own syntax and has to go through a compiler to
produce runnable JS.

edit: Seems the TS tools also have JS linting functionality, where you put
JSDoc annotations in comments and use the new --checkJs option; I guess you
may have meant this too.

------
pozibrothers
I've tried using the DNS listed in the page and they were very slow resolving
new names (I'm in Spain).

DNS Benchmark
([https://www.grc.com/dns/benchmark.htm](https://www.grc.com/dns/benchmark.htm))
shows these results:
[https://ghostbin.com/paste/rr65w](https://ghostbin.com/paste/rr65w)

Are they normal? Or are they slow because the servers are located in the US?

~~~
tenta
Servers are located in Amsterdam, Miami, Seattle and Singapore. Since the
resolvers are new, there's a lot of global cache to fill up.

In addition, if you'd be willing to share, visit
[https://nstoro.com/api/v1/geolookup](https://nstoro.com/api/v1/geolookup) and
shoot us the results to hello@tenta.com. That API will pull your IP and the
physical location of the box you connected to. If that location isn't
Amsterdam, then we'll need to take a look at our routing.

~~~
pozibrothers
I've just tested the nameservers again and ICANN ones seem to be a lot faster
than before. OpenNIC ones are down for me right now.

------
nik736
How does it compare to PowerDNS?

~~~
tenta
PowerDNS provides the standard by which other DNS resolvers are judged. It's
an amazing, stable product. Our biggest features compared to PowerDNS are that
we provide DNS-over-TLS, we're written in memory safe golang (which is also
highly concurrent, although so is PowerDNS), and we support BGP natively,
making "internet wide" deployments a breeze.

All of these things could be done with PowerDNS, but it would also require a
number of other programs "helping" in order to get TLS and BGP, and the
configuration would be a mess. With TentaDNS it's all in one convenient, easy
to run place, with a single set of config, running multiple (even 10s or
hundreds) of resolver configs all in one place.

That having been said, our Authoritative support (e.g. being the main
nameserver for a domain) still lacks a lot of features, while our recursive
support (e.g. being the resolver you use for your browser) is top notch.

~~~
nik736
For me the authoritative support would be relevant. Can you please elaborate
on what important thing is missing?

What's a recommended way of using your product in a redundant way? PowerDNS
for example has multiple backends, what I am missing is a bind style backend
that is based on JSON files and is able to reload on the fly, so that I don't
have to deal with a SQL database. Is this something that could be achieved
with Tenta?

~~~
Habbie
Hello, PowerDNS developer here! Not trying to steal Tenta's thunder here, but
you should know that the PowerDNS GeoIP backend can be used without a GeoIP
database, in which case it might better be called the 'YAML backend'.

Additionally, if you file a feature request for JSON support in the
bindbackend, we might consider it!

------
ploggingdev
You mentioned that the hosted recursive resolver is free to use along with API
access in exchange for a backlink, and I checked out the parent project which
is Tenta browser and it's currently in beta for Android, so how do you make
money? Do you sell any upgrades/support to businesses?

~~~
tenta
Tenta browser's business model is the opposite of most browsers. We don't care
about ads. It's simply based on protecting data. We have a built-in VPN that's
always free to use in-browser only, but if you want to expand VPN coverage to
other apps then we charge a monthly subscription.

------
a012
I did a test on tenta.com but couldn't get any result:
[https://imgur.com/a/iK8Yh](https://imgur.com/a/iK8Yh)

~~~
tenta
Can you let me know which browser you're using? Also I'm assuming you're
running the test site with our DNS settings or another DNS? Also do you have a
VPN running?

~~~
a012
I'm using Firefox DE, and yes I'm on VPN and using DNS.WATCH server.

~~~
tenta
Ah, in some cases VPN providers push DNS options too, in which case your
system DNS will be overridden. Can you check whether that's the case?

------
kim0
I know DNS over TLS is basically the same, but any plans to integrate dnscrypt
too?

~~~
tenta
Not currently, no. First of all, there are sort of two parts to "DNSCrypt": the
typical DNSCrypt, which is Client<->Recursor, and DNSCurve, which is
Recursor<->Authority. The implementation is complex, and not well supported. I
know that a number of people in the OpenNIC community to support DNSCrypt.

We've decided to go with TLS instead of DNSCrypt, since it's a well understood
(and now RFC-standardized) protocol. While we're the first to support this
publicly, we expect others to follow soon, which, combined with DNSSEC, will
provide true security for DNS.
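The DNS-over-TLS transport discussed above, as an added Go example that is not Tenta DNS code and not part of this thread: it builds a wire-format query, applies the two-octet length framing that RFC 7858 shares with DNS over TCP, sends it over a certificate-verified TLS connection to port 853, and validates the reply header (transaction ID, QR bit, RCODE) before trusting the answer. The server name, query name and transaction ID are placeholders the caller supplies; only the network-free helpers are exercised offline.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"errors"
	"io"
	"strings"
)

// BuildQuery encodes a minimal RFC 1035 query: QNAME=name, QTYPE=A, QCLASS=IN, RD=1.
func BuildQuery(id uint16, name string) []byte {
	msg := []byte{byte(id >> 8), byte(id), 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0} // header, QDCOUNT=1
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		msg = append(append(msg, byte(len(label))), label...)
	}
	return append(msg, 0, 0, 1, 0, 1) // root label, QTYPE=A, QCLASS=IN
}
// Frame prepends the two-octet length that DNS over TCP and DNS over TLS (RFC 7858) both use.
func Frame(msg []byte) []byte { return append([]byte{byte(len(msg) >> 8), byte(len(msg))}, msg...) }
// ReadFramed reads exactly one length-prefixed message from a stream (short reads are errors).
func ReadFramed(r io.Reader) ([]byte, error) {
	var hdr [2]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	msg := make([]byte, binary.BigEndian.Uint16(hdr[:]))
	_, err := io.ReadFull(r, msg)
	return msg, err
}
// CheckResponse requires a matching ID, QR=1 and RCODE=NOERROR, then returns ANCOUNT.
func CheckResponse(queryID uint16, resp []byte) (int, error) {
	if len(resp) < 12 || binary.BigEndian.Uint16(resp) != queryID ||
		binary.BigEndian.Uint16(resp[2:])&0x800F != 0x8000 {
		return 0, errors.New("short reply, transaction ID mismatch, or not a NOERROR response")
	}
	return int(binary.BigEndian.Uint16(resp[6:])), nil
}
// QueryOverTLS sends one query to server:853, verifying the certificate against server's name (needs network).
func QueryOverTLS(server, name string, id uint16) ([]byte, error) {
	conn, err := tls.Dial("tcp", server+":853", &tls.Config{ServerName: server})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	if _, err = conn.Write(Frame(BuildQuery(id, name))); err != nil {
		return nil, err
	}
	return ReadFramed(conn)
}
```

A real client would pick the transaction ID from crypto/rand and pass the reply through CheckResponse before parsing the answer section.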

------
GuyPostington
How does this stack up against Unbound?

~~~
tenta
Largely the same as vs PowerDNS. We've designed this to be an all-in-one for
running a performant and secure server with BGP. However, we use the excellent
miekg/dns library for the DNS wire protocol, which is related to (sponsored
by) NLnet Labs, which also produces Unbound.

