
Sdns – Lightweight, fast recursive dns server with dnssec support - haritsu
https://github.com/semihalev/sdns
======
thrownhwn
Nice work. Been looking for a resolver with DoH support that’s built with Go.
Cloudflared is just too buggy and not actively maintained.

Would love to see some support for Prometheus compatible metrics.

~~~
moderation
There have been 6 releases of cloudflared in the last 2 months -
[https://github.com/cloudflare/cloudflared/releases](https://github.com/cloudflare/cloudflared/releases)

~~~
newman314
Release Notes:
[https://github.com/cloudflare/cloudflared/blob/master/RELEAS...](https://github.com/cloudflare/cloudflared/blob/master/RELEASE_NOTES)

------
gigatexal
Will this:

    docker run -d --name sdns -p 53:53 -p 53:53/udp -p 853:853 -p 8053:8053 -p 8080:8080 sdns

Give me a secure DNS box or do I have to do the TLS myself with say let’s
encrypt?

~~~
tptacek
What do you mean by "secure DNS box"? This is a DNSSEC-validating resolver,
which means it will check DNSSEC signatures, for whatever that is worth to
you. It won't encrypt your DNS traffic. It may accept DoH/DNS-TLS requests,
but won't (AFAIK) make outgoing DoH requests, so all the requests you make
will be visible from the server.

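To make the distinction above concrete, here is an added example (not code from sdns, the thread, or any project) in Go, since sdns is a Go resolver: it builds a query with the EDNS0 DO bit set, which is how a stub asks a validating resolver to return signatures and mark the answer, and then reads the AD ("authenticated data") bit out of a reply header. AD set means the resolver checked the DNSSEC chain; it says nothing about whether the packet was encrypted in transit, which is a property of the transport (DoT/DoH) rather than of DNSSEC. The replies parsed here are constructed header-only byte strings, not captures, and the query name, ID and UDP payload size are arbitrary choices.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.1.6).
const (
	flagQR  = 1 << 15 // message is a response
	flagTC  = 1 << 9  // truncated
	flagRD  = 1 << 8  // recursion desired
	flagRA  = 1 << 7  // recursion available
	flagAD  = 1 << 5  // authenticated data: resolver validated the answer
	flagCD  = 1 << 4  // checking disabled
	typeOPT = 41
	ednsDO  = 1 << 15 // DO bit, high bit of the flags half of the OPT TTL field
)

// Header is the decoded 12-byte DNS message header.
type Header struct {
	ID                     uint16
	QR, TC, RD, RA, AD, CD bool
	Rcode                  uint8
	QD, AN, NS, AR         uint16
}

// ParseHeader decodes the fixed header only; it does not walk the sections.
func ParseHeader(msg []byte) (Header, error) {
	if len(msg) < 12 {
		return Header{}, errors.New("message shorter than the 12-byte header")
	}
	f := binary.BigEndian.Uint16(msg[2:4])
	return Header{
		ID: binary.BigEndian.Uint16(msg[0:2]),
		QR: f&flagQR != 0, TC: f&flagTC != 0, RD: f&flagRD != 0,
		RA: f&flagRA != 0, AD: f&flagAD != 0, CD: f&flagCD != 0,
		Rcode: uint8(f & 0xF),
		QD:    binary.BigEndian.Uint16(msg[4:6]),
		AN:    binary.BigEndian.Uint16(msg[6:8]),
		NS:    binary.BigEndian.Uint16(msg[8:10]),
		AR:    binary.BigEndian.Uint16(msg[10:12]),
	}, nil
}

func put16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }
func put32(b []byte, v uint32) []byte { return put16(put16(b, uint16(v>>16)), uint16(v)) }

// BuildQuery encodes a recursive query for name/qtype and appends an EDNS0 OPT
// record with DO set, asking the resolver for RRSIGs and for AD if it validates.
func BuildQuery(id uint16, name string, qtype uint16) ([]byte, error) {
	msg := make([]byte, 12, 64)
	binary.BigEndian.PutUint16(msg[0:2], id)
	binary.BigEndian.PutUint16(msg[2:4], flagRD)
	binary.BigEndian.PutUint16(msg[4:6], 1)   // QDCOUNT
	binary.BigEndian.PutUint16(msg[10:12], 1) // ARCOUNT: the OPT pseudo-RR
	if trimmed := strings.TrimSuffix(name, "."); trimmed != "" {
		for _, label := range strings.Split(trimmed, ".") {
			if len(label) == 0 || len(label) > 63 {
				return nil, fmt.Errorf("bad label %q in %q", label, name)
			}
			msg = append(append(msg, byte(len(label))), label...)
		}
	}
	msg = append(msg, 0) // root label terminates QNAME
	msg = put16(put16(msg, qtype), 1) // QTYPE, QCLASS IN
	// OPT: root name, TYPE 41, CLASS = UDP payload size (1232 chosen here),
	// TTL = ext-rcode(8)|version(8)|flags(16) with DO set, RDLEN 0.
	msg = put16(put16(append(msg, 0), typeOPT), 1232)
	msg = put16(put32(msg, ednsDO), 0)
	return msg, nil
}

// ValidatedAnswer reports whether resp is a usable reply to query id whose AD
// bit is set. AD reflects signature validation by the resolver, not transport
// confidentiality: a plain-UDP reply with AD set was still sent in the clear.
func ValidatedAnswer(resp []byte, id uint16) (bool, error) {
	h, err := ParseHeader(resp)
	if err != nil {
		return false, err
	}
	switch {
	case !h.QR:
		return false, errors.New("not a response")
	case h.ID != id:
		return false, fmt.Errorf("ID mismatch: got %#x, want %#x", h.ID, id)
	case h.TC:
		return false, errors.New("truncated; retry over TCP")
	case h.Rcode != 0:
		return false, fmt.Errorf("rcode %d", h.Rcode)
	}
	return h.AD, nil
}

// SampleResponse is a constructed header-only reply for illustration,
// not a capture from sdns or any real resolver.
func SampleResponse(id uint16, validated bool) []byte {
	flags := uint16(flagQR | flagRD | flagRA)
	if validated {
		flags |= flagAD
	}
	b := make([]byte, 12)
	binary.BigEndian.PutUint16(b[0:2], id)
	binary.BigEndian.PutUint16(b[2:4], flags)
	return b
}

func main() {
	q, err := BuildQuery(0xbeef, "example.com.", 1)
	if err != nil {
		panic(err)
	}
	fmt.Printf("query: %d bytes, OPT RR with DO at the end\n", len(q))
	for _, v := range []bool{true, false} {
		ok, err := ValidatedAnswer(SampleResponse(0xbeef, v), 0xbeef)
		fmt.Printf("reply AD=%v -> validated=%v err=%v\n", v, ok, err)
	}
}
```

Pointing a real client at a resolver, the same check is what `dig +dnssec` does when it reports the `ad` flag; the point of the code is that the check is on a header bit, while whether the query left the host in plaintext is decided entirely by whether you spoke to port 53, 853 or the DoH endpoint.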
------
sliken
Can anyone compare this to unbound?

~~~
tptacek
Unbound is probably more featureful (especially when it comes to DNSSEC,
which, I mean, again, for what that's worth to you), but sdns is written in
Golang. Unbound is written in C and has had at least one memory corruption
vulnerability reported.

~~~
sliken
I'm definitely a fan of go over C. I was really happy with unbound as a local
resolver for a good long time, but then started having DNS issues that would
be cleared up by restarting unbound.

------
knodi
Love it!! Golang love!

------
PeterLGummybear
I'm all for rewriting things into safe languages, but I do like the
battle-tested nature of C things, like unbound. For example, I'm interested in
replacing my smtpd daemon with something better. I'm most tempted to go with
postfix, because it's very supported, does lots, is totally battle tested, and
has a good security track record. However, the hip kid on the block is Haraka
-- [https://haraka.github.io/](https://haraka.github.io/) . It's written by
smart people with a long history in the problem space, and it does things in a
new and modern way. I'm inclined to like it. But several things make me
hesitant:

- Will a hipster javascript thing really be as reliable? Are these new
runtimes really sufficient for totally essential things like email? What about
filesystem stuff? I'd think a battle-tested thing like postfix will be much
better off than this.

- Do I really want to deal with javascript or whatever other hipster language
for deployment? With most essential utilities, it's packaged in my distro with
minimal dependencies. With hipster stuff, it's usually a fast pace of
development, which doesn't lend itself to packaging, and uses something awful
like npm. Is this something I really want to depend on?

So I'd wonder the same thing about sdns. The "rewrite it in ${safelang}" trend
tends to produce immature and unreliably deployable software, and that makes me
worried. How does sdns fare?

~~~
sliken
Not sure I see the justification for replacing postfix (which, for simple
configurations, can be configured with just a few lines in a config file) with
haraka written in javascript.

Unbound seems generally respected, is nice and simple, written cleanly, and
does MUCH less than bind. However, it has had at least one memory corruption
bug, the kind that plagues most C/C++ applications of non-trivial complexity.
It also does seem to hang, and when I ask around, other people have seen
similar. It's no longer what I consider reliable enough to be installed on
every client. It's scary that it hangs, because if it gets that wrong there are
likely other issues as well.

I'm hopeful that SDNS is more reliable and secure. I just want a local caching
resolver that understands DNSSEC.

