CurveDNS - A DNSCurve Forwarding Name Server


What exactly is CurveDNS?

CurveDNS is the first publicly released forwarding implementation of the DNSCurve protocol. This brings us to a new question: what is DNSCurve? Parts of a master's thesis have been written to answer this question, but of course there is a short answer. The protocol's official website gives a pretty good impression in only one sentence: 'DNSCurve uses high-speed high-security elliptic-curve cryptography to drastically improve every dimension of DNS security'.

What is so special about this implementation is that any authoritative DNS name server can act as a DNSCurve-capable one, without changing anything in your current DNS environment. The only thing a DNS data manager (that is probably you) has to do is install CurveDNS on a machine, generate a keypair, and update the NS records that pointed at your authoritative name server so that they point to the machine running CurveDNS. Indeed, it is that easy to become fully protected against almost any of the currently known DNS flaws, such as active and passive cache poisoning.

Features of CurveDNS

CurveDNS supports:

  • Forwarding of regular (non-protected) DNS packets;
  • Unboxing of DNSCurve queries and forwarding them as regular DNS packets;
  • Boxing of regular DNS responses into DNSCurve responses;
  • Both DNSCurve's streamlined and TXT formats;
  • Caching of shared secrets;
  • Both UDP and TCP;
  • Both IPv4 and IPv6.
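The first thing a forwarder has to do with every inbound packet is decide which of the three cases above it is in: a streamlined DNSCurve query (unbox it), a TXT-format DNSCurve query (unbox it), or a plain DNS packet (forward it untouched). The example below, added here and not CurveDNS's own code, shows that classification, the DNSCurve base32 codec, and how a server or client public key (the keypair generated when deploying CurveDNS) is carried in a 54-character `uz5` label such as the one placed in the NS record. The magic strings, alphabet and label prefixes follow the public DNSCurve specification; the key, the packets and the helper names (`classify`, `build_dns_query`, `SAMPLE_PK`) are constructed for this example.

```python
"""Added example (not CurveDNS's own code): classify an inbound packet the way a
DNSCurve forwarder must, before deciding whether to unbox it or forward it as-is.

Magic strings, the base32 alphabet and the uz5/x1a label prefixes follow the public
DNSCurve specification; the key and packets below are constructed for this example.
"""
import struct

STREAMLINED_QUERY_MAGIC = b"Q6fnvWj8"        # streamlined responses start with b"R6fnvWJ8"
KEY_LABEL_PREFIX, TXT_LABEL_PREFIX = "uz5", "x1a"
PK_LEN, NONCE_LEN, BOX_TAG_LEN = 32, 12, 16   # crypto_box adds a 16-byte authenticator
QTYPE_TXT = 16

# DNSCurve base32: 5 bits per character, least-significant bits of the data first.
B32_ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"
B32_VALUE = {c: i for i, c in enumerate(B32_ALPHABET)}


def b32_encode(data: bytes) -> str:
    value = int.from_bytes(data, "little")
    nchars = (len(data) * 8 + 4) // 5
    return "".join(B32_ALPHABET[(value >> (5 * i)) & 31] for i in range(nchars))


def b32_decode(text: str, nbytes: int) -> bytes:
    """Decode to exactly nbytes. Unused high bits must be zero; at most one high bit
    may be missing, which is what lets 51 characters carry a 255-bit Curve25519 key."""
    if not (nbytes * 8 - 1 <= len(text) * 5 < nbytes * 8 + 5):
        raise ValueError("base32 length does not match the expected size")
    value = 0
    for i, ch in enumerate(text):
        if ch not in B32_VALUE:
            raise ValueError(f"invalid DNSCurve base32 character {ch!r}")
        value |= B32_VALUE[ch] << (5 * i)
    try:
        return value.to_bytes(nbytes, "little")
    except OverflowError:
        raise ValueError("non-zero padding bits") from None


def encode_key_label(pk: bytes) -> str:
    """'uz5' + 51 characters. A Curve25519 public key never has its top bit set, so
    the 52nd character b32_encode would emit is always '0' and is dropped."""
    if len(pk) != PK_LEN or pk[-1] & 0x80:
        raise ValueError("not a 32-byte Curve25519 public key")
    return KEY_LABEL_PREFIX + b32_encode(pk)[:51]


def decode_key_label(label: str) -> bytes:
    label = label.lower()
    if len(label) != 54 or not label.startswith(KEY_LABEL_PREFIX):
        raise ValueError("not a DNSCurve key label")
    return b32_decode(label[3:], PK_LEN)


def parse_question(pkt: bytes):
    """Return (labels, qtype) of the single question in a plain DNS packet."""
    if len(pkt) < 12:
        raise ValueError("short DNS header")
    if struct.unpack("!H", pkt[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated question name")
        n = pkt[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0 or pos + n > len(pkt):
            raise ValueError("bad label (compression pointer or truncated)")
        labels.append(pkt[pos:pos + n].decode("ascii"))
        pos += n
    if pos + 4 > len(pkt):
        raise ValueError("truncated question")
    return labels, struct.unpack("!H", pkt[pos:pos + 2])[0]


def parse_streamlined_query(pkt: bytes):
    """Return (client_pk, client_nonce, box) for a streamlined query, else None."""
    if not pkt.startswith(STREAMLINED_QUERY_MAGIC):
        return None
    body = pkt[len(STREAMLINED_QUERY_MAGIC):]
    if len(body) < PK_LEN + NONCE_LEN + BOX_TAG_LEN:
        raise ValueError("truncated streamlined query")
    return body[:PK_LEN], body[PK_LEN:PK_LEN + NONCE_LEN], body[PK_LEN + NONCE_LEN:]


def classify(pkt: bytes) -> str:
    """'streamlined' and 'txt' must be unboxed; 'dns' is forwarded unchanged."""
    if parse_streamlined_query(pkt) is not None:
        return "streamlined"
    labels, qtype = parse_question(pkt)
    if (qtype == QTYPE_TXT and labels and labels[0].lower().startswith(TXT_LABEL_PREFIX)
            and any(l.lower().startswith(KEY_LABEL_PREFIX) and len(l) == 54 for l in labels[1:])):
        return "txt"
    return "dns"


def build_dns_query(labels, qtype: int, txid: int = 0x1234) -> bytes:
    """Constructed plain DNS query (one question, RD set) used for the samples."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


# Constructed samples: a fake client key, its label, and one packet of each kind.
SAMPLE_PK = bytes(range(32))                  # top bit of the last byte clear, like a real key
SAMPLE_KEY_LABEL = encode_key_label(SAMPLE_PK)
PLAIN_QUERY = build_dns_query(["www", "example", "com"], 1)
TXT_QUERY = build_dns_query(["x1a" + b32_encode(b"\xab" * 22), SAMPLE_KEY_LABEL, "example", "com"], QTYPE_TXT)
STREAMLINED_QUERY = STREAMLINED_QUERY_MAGIC + SAMPLE_PK + b"\x00" * NONCE_LEN + b"\xcd" * 40

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN_QUERY), ("txt", TXT_QUERY), ("streamlined", STREAMLINED_QUERY)]:
        print(name, "->", classify(pkt))
    print("key label round-trips:", decode_key_label(SAMPLE_KEY_LABEL) == SAMPLE_PK)
```

Two checks matter for a forwarder: a streamlined packet is rejected unless it is long enough to hold the 32-byte key, the 12-byte nonce and at least the 16-byte authenticator, and a key label is rejected unless it is exactly 54 characters and its unused padding bits are zero. Both are cheap to perform before any Curve25519 work, which is the point of caching shared secrets per client key in the first place.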

So what about DNSSEC?

You're right, DNSSEC was designed to do exactly the same thing. So why should you use DNSCurve instead of DNSSEC? The short answer: because it is better in many ways. The longer answer requires some more knowledge about the things DNSSEC does not do that well. One of the most important 'flaws' of DNSSEC is so-called amplification. This means that a DNSSEC-capable authoritative name server can be used as an 'amplification target'. For example, sending a 31-byte query to a certain DNSSEC-capable host (i.e. an authoritative name server) can result in a 3,974-byte response. In this way, the response traffic grows by a factor of around 128, which means an attacker with a 1 Mbit/s connection can theoretically generate a UDP flood of 128 Mbit/s.

Nevertheless, CurveDNS is able to forward DNSSEC packets too. This means that if you put CurveDNS in front of a DNSSEC-capable authoritative name server, your DNS data becomes both DNSSEC- and DNSCurve-capable.

What is ON2IT?

ON2IT is a Dutch company that delivers managed computer security services to a wide variety of customers. They support CurveDNS by giving a student the opportunity to design, build, and analyze a DNSCurve implementation to complete his master's study, which is exactly the implementation you are looking at.


CurveDNS is delivered in one format only: the source distribution. Having downloaded the source, you will have to compile the software yourself. If you are not familiar with this process, the INSTALL file answers many questions about it.

CurveDNS includes a copy of the NaCl library. This library implements the cryptographic primitives that CurveDNS needs and uses. It is included to make the entire compile process easier and more straightforward. (There are, however, preliminary plans to use libsodium for this in future releases.)

Stable release

Old releases




CurveDNS is a collaboration of several people, each with their own part in CurveDNS' development and release process.



And as always, we could not have done this alone. Along the way several people have helped us in different ways. We would therefore like to thank the developers of gdnsd, which was and is a huge inspiration for our forwarding name server. Furthermore, we would like to thank Matthew Dempsky, Adam Langley, and Daniel Bernstein for their support on DNSCurve-specific questions.