
DNS registration

Mingye Chen edited this page Aug 12, 2022 · 2 revisions

Conjure registration can be done via DNS requests. DNS gives a covert but low-throughput channel, which is enough for registration: one small message is sent and one is received.

The design of the DNS registration messages is adapted from dnstt, with the reliability layers removed, since only one message needs to be sent and one received at a time. The client encrypts the registration message to the server's public key, encodes it, and prepends the encoded payload as subdomain labels of a domain name for which the server is the authoritative DNS nameserver. It then sends a DNS request for that name, normally through a DNS recursive resolver. The server reads the message out of the queried name and sends an encrypted response back to the client in a TXT record answer.

Sending messages and receiving a response via DNS

Client side

Start with a message encrypted via the noise library with the server's public key (shown here as the placeholder bytes): ENCRYPTED MSG BYTES

Base32-encode it (standard alphabet, no padding, so the result is valid in a hostname): IVHEGUSZKBKEKRBAJVJUOICCLFKEKUY

Prepend it as a subdomain of the registration domain: IVHEGUSZKBKEKRBAJVJUOICCLFKEKUY.r.refraction.network

Then send a DNS TXT query for that name, which carries the encrypted message, either directly to the authoritative nameserver or via a third-party recursive resolver (such as 1.1.1.1).

Server side

The server side decodes the message from the queried name and returns the encrypted response as the TXT record in its DNS answer.
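The following Go program is an added illustration of the client and server steps above; it is not Conjure's code. It assumes the Noise encryption step has already run (the constructed placeholder ENCRYPTED MSG BYTES from the walkthrough stands in for the ciphertext), assumes the zone r.refraction.network, and the function names BuildQueryName, ExtractPayload, MaxPayloadBytes and SplitTXT are its own. It goes a little beyond the walkthrough by enforcing the RFC 1035 limits any implementation of this scheme has to respect: 63 octets per label, 253 characters per name, and 255 octets per string inside a TXT record.

```go
package main

import (
	"encoding/base32"
	"errors"
	"fmt"
	"strings"
)

// Added illustration, not Conjure's own code. The Noise encryption step is
// assumed to have already run: `ciphertext` is whatever the client produced
// with the server's public key. Only the DNS encapsulation is shown.

const (
	maxLabelLen = 63  // RFC 1035: a label is at most 63 octets
	maxNameLen  = 253 // RFC 1035: 255 octets on the wire, 253 in text form without the trailing dot
	maxTXTChunk = 255 // RFC 1035: each <character-string> in TXT RDATA is at most 255 octets
)

// DNS names are case-insensitive, so the encoding must survive case folding:
// standard base32 (A-Z, 2-7) does, base64 would not. No padding, because "="
// is not a valid hostname character.
var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// BuildQueryName is the client side: encode the ciphertext and prepend it as
// subdomain labels of zone, e.g. "<base32>.r.refraction.network".
func BuildQueryName(ciphertext []byte, zone string) (string, error) {
	if len(ciphertext) == 0 {
		return "", errors.New("empty registration message")
	}
	encoded := b32.EncodeToString(ciphertext)
	var labels []string
	for len(encoded) > maxLabelLen { // split into labels of at most 63 octets
		labels = append(labels, encoded[:maxLabelLen])
		encoded = encoded[maxLabelLen:]
	}
	labels = append(labels, encoded, zone)
	name := strings.Join(labels, ".")
	if len(name) > maxNameLen {
		return "", fmt.Errorf("payload does not fit in one query name: %d > %d bytes", len(name), maxNameLen)
	}
	return name, nil
}

// MaxPayloadBytes reports how many ciphertext bytes fit under zone in a single
// query, which bounds the size of a registration message sent this way.
func MaxPayloadBytes(zone string) int {
	n := 0
	for {
		if _, err := BuildQueryName(make([]byte, n+1), zone); err != nil {
			return n
		}
		n++
	}
}

// ExtractPayload is the server side: strip the zone, join the labels, fold
// case (a recursive resolver may change it, e.g. 0x20 randomisation) and decode.
func ExtractPayload(qname, zone string) ([]byte, error) {
	qname = strings.TrimSuffix(qname, ".")
	suffix := "." + zone
	if len(qname) <= len(suffix) || !strings.EqualFold(qname[len(qname)-len(suffix):], suffix) {
		return nil, errors.New("query name is not under the registration zone")
	}
	encoded := strings.ReplaceAll(qname[:len(qname)-len(suffix)], ".", "")
	return b32.DecodeString(strings.ToUpper(encoded))
}

// SplitTXT prepares the server's response: TXT RDATA is a sequence of
// <character-string>s of at most 255 octets each, so a longer encrypted
// response has to be split into several strings that the client re-joins.
func SplitTXT(resp []byte) [][]byte {
	var chunks [][]byte
	for len(resp) > maxTXTChunk {
		chunks = append(chunks, resp[:maxTXTChunk])
		resp = resp[maxTXTChunk:]
	}
	return append(chunks, resp)
}

func main() {
	const zone = "r.refraction.network"
	ciphertext := []byte("ENCRYPTED MSG BYTES") // constructed stand-in for the Noise output
	name, err := BuildQueryName(ciphertext, zone)
	if err != nil {
		panic(err)
	}
	fmt.Println("query:", name)
	got, err := ExtractPayload(strings.ToLower(name), zone) // as a resolver might fold it
	if err != nil {
		panic(err)
	}
	fmt.Printf("server recovered: %q\n", got)
	fmt.Println("max ciphertext bytes per query:", MaxPayloadBytes(zone))
}
```

Run as `go run main.go`. MaxPayloadBytes makes the size budget concrete: under a 20-character zone only a few hundred bytes of ciphertext fit in one query name, which is why the request side carries just the registration message and why the response side, bounded by TXT string size and the 512-byte UDP DNS message limit, cannot carry a full ClientConf.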

Registration request and response message format

Request format

The registration request is sent in the same C2SWrapper format as the HTTP API registrar. The only difference is that the client must specify its own IPv4 address in the registration_address field. This is because, unlike the HTTP API, the DNS registration server has no way to know where the request came from: the query may have been relayed by a third-party recursive resolver, so the source address of the packet is the resolver's, not the client's.

Response format

The response is sent in the DnsResponse protobuf format.

Field                                 Usage
DnsResponse.success                   whether the registration request was successful
DnsResponse.clientconf_outdated       whether the ClientConf of the client is outdated
DnsResponse.bidirectional_response    the bidirectional registration response, in the same format as the HTTP API

Unlike the HTTP API, the DNS registration server does not include an updated ClientConf when the client's version is old, because of the message size limit of DNS TXT record responses; the client is only told, via clientconf_outdated, that it should fetch a newer one elsewhere.

DNS registrar in the cli client

To use the DNS registrar in the cli client, specify the -registrar dns flag for the unidirectional registrar or -registrar bddns for the bidirectional one.

DNS registrar configuration

The configuration for the DNS registrar is stored in the DnsRegConf protobuf format and read from the assets when the client is initialized. A set of default configuration values is initialized at startup. These options will be configurable and set via the ClientConf file.