DNS Server

The goal is secure, autoconfigured name services: a home user should be able to plug in a new named device and have everything "just work", including publishing an IPv6 address into the global DNS, without any configuration required.

Automatic configuration & security

Towards this goal, the router includes BIND 9 running in a chroot jail for additional security. This enables the router to support advanced name services, including zone transfers, split views, and DNSSEC. Not all of this intended functionality is complete; see the release notes for details.

DNSSEC support

DNSSEC (Domain Name System Security Extensions) is a method for adding authentication and data integrity to the existing Domain Name System (DNS) while retaining backward compatibility with systems that do not support DNSSEC.

A DNSSEC-enabled name server that provides authoritative data for a given domain responds to requests with the requested data and also a signature record (RRSIG) that cryptographically authenticates the response.

A DNSSEC-enabled name server that provides local resolution of DNS requests validates the signatures received from authoritative servers to ensure that the data received was not tampered with. If the data in the response cannot be proven to be valid and secure, the name server will reject it and return a "server failed" (SERVFAIL) message to the client.
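
The validation behaviour described above can be checked from a client. The following Python sketch is an added example, not part of CeroWrt or BIND: it builds a query with the EDNS0 DO bit set and classifies a resolver's replies by the AD flag and response code, using the CD (checking disabled) bit to tell a validation failure apart from other resolver failures. The reply bytes are constructed samples and the function names are illustrative.

```python
import struct

RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
FLAG_RD, FLAG_AD, FLAG_CD = 0x0100, 0x0020, 0x0010

def build_query(name, txid, qtype=1, checking_disabled=False):
    """Wire-format query with an EDNS0 OPT record whose DO bit requests DNSSEC records."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!2H", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP size 1232, ext-rcode 0, version 0, DO=0x8000, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!2H", msg[:4])
    return {"txid": txid, "rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD)}

def diagnose(normal, with_cd):
    """Classify replies to the same query sent without and with the CD bit."""
    n, c = parse_header(normal), parse_header(with_cd)
    if n["rcode"] == RCODE_NOERROR:
        return "secure" if n["ad"] else "insecure-or-unvalidated"
    if n["rcode"] == RCODE_SERVFAIL and c["rcode"] == RCODE_NOERROR:
        return "bogus"  # data is reachable but failed DNSSEC validation
    if n["rcode"] == RCODE_SERVFAIL:
        return "resolver-failure"  # fails even with validation disabled
    return "rcode-%d" % n["rcode"]

def sample_reply(flags):
    """Constructed sample: header-only reply with QR, RD, RA set plus the given bits."""
    return struct.pack("!6H", 0x1234, 0x8180 | flags, 0, 0, 0, 0)
```

A SERVFAIL on its own does not prove a DNSSEC problem; the second query with CD set is what separates a bogus answer from an unreachable or misconfigured upstream.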

Local DNS Addressing

The CeroWrt router is always available to its LAN interfaces as 'gw.home.lan'. This makes it easy to connect with the router without requiring you to know the IP address ranges used by the router.

mDNS Addressing

By default, CeroWrt has a multicast DNS (aka "Zeroconf" or "Bonjour" naming) reflector (the Avahi package) enabled for all the LAN interfaces. This allows you to locate devices without knowing their IP addresses.