BSDCan2019 - 1.7

BSDCan 2019
The Technical BSD Conference

Florian Obser
Day Talks #1 - 17 May - 2019-05-17
Room DMS 1110
Start time 11:15
Duration 01:00
ID 1055
Event type Lecture
Track Hacking
Language used for presentation English


A privilege-separated, validating DNS recursive nameserver for every laptop

DNS is easy. You type a name into your browser's address bar, hit enter and you will be greeted by your favorite BSD conference's start page. Actually...

We will start by giving a short introduction into DNS from the perspective of a client.

We will explore:

  • where to send questions to: upstream resolvers learned from DHCP / router advertisements / static quad-x resolvers vs. doing recursion ourselves,

  • what questions to ask: qname-minimization (yes or no),

  • what to do with the answer: benefits and limitations of DNSSEC.

We will then introduce unwind(8), an always-running, validating DNS recursive nameserver answering queries on localhost. We will explain its privilege-separated design and show that it is secure to run this daemon by default. We will then show how its novel approach of observing changes in network location and actively probing the quality of the local network improves the user experience in DNS resolution. The focus will be on laptops that move through many networks, some good, some bad, some outright hostile.

We will compare unwind(8) to prior solutions and show how its design enables it to run without user intervention.

While unwind(8) is developed on OpenBSD it is intended to be portable. We will give pointers on a few OpenBSD specific features.