Bloodhound
Download Bloodhound!

About Bloodhound

Bloodhound is a modified and re-branded version of the Mozilla Firefox browser that supports local DNSSEC validation and the DANE protocol.

DNSSEC Validation in Bloodhound

For a general description of the features made available in Bloodhound and for screenshots describing these features, please see this wiki page.

Bloodhound adds local DNSSEC validation support. This means that the DNSSEC validation status of every name looked up while loading a web page is determined within the browser itself, rather than on a validating recursive name server elsewhere on the network. This gives more assurance that DNSSEC responses were not tampered with between the point where they were validated and the point where they were used. Local validation is especially useful for protocols such as DANE, where DNSSEC-validated data serves as a trust-anchor bootstrapping mechanism within other protocols.

DNSSEC support is enabled using the DNSSEC-Tools dnsval validating library, which is available from the DNSSEC-Tools download page and also via the update channels for certain OS platforms.

Since DNSSEC adds overhead in the form of additional lookups that must be performed to validate DNS responses, Bloodhound uses the asynchronous lookup capability in dnsval to speed up this operation. With this feature Bloodhound is able to perform a number of lookup operations in parallel without needing to spawn additional threads.

By default, Bloodhound will use a pre-configured validation policy, but you may override it by defining your own validator configuration in /usr/local/opt/etc/dnssec-tools/dnsval.conf. For instance, the in-built validator configuration file does not have DLV enabled, so you could enable DLV configuration in your custom validator configuration file as described here.

By default, Bloodhound will look at the /etc/resolv.conf file for recursive name server information. If the name servers in /etc/resolv.conf are not DNSSEC-capable, Bloodhound will try to work around the problem by performing iterative queries from the root to fetch the right set of data. However, depending on the specific failure and how broken the environment is, this fallback technique may or may not work. You can define a new resolv.conf file in /usr/local/opt/etc/dnssec-tools/resolv.conf to have Bloodhound use a different recursive name server if necessary. If you define an "empty" resolv.conf file (size = 0) in /usr/local/opt/etc/dnssec-tools/resolv.conf, Bloodhound will use the iterative lookup process for all query resolutions, caching results internally where necessary.

The DNSSEC enhancements that have been implemented in Bloodhound have been submitted to Mozilla for further consideration. See Bugzilla entries 685524, 748232 and 589538 for further details.

DNSSEC-Status Extension

The DNSSEC-Status extension for Bloodhound (also available from the download page) will listen for DNSSEC-related events generated by Bloodhound and will provide appropriate messages to the user when it detects validation errors. For further information please see this wiki page.

DANE Support in Bloodhound

The DANE implementation originally started out as an extension to Matt McCutchen's patch but has changed significantly since then.
DANE support in Bloodhound is enabled through the DNSSEC-Tools dnsval package, specifically the libval and libsres libraries. DANE support is still under development and should be considered experimental for now.

For a list of DANE test sites please see this page from the Deploy360 effort. Note that the DANE TLSA record for some of these websites can only be validated using DLV, so ensure that DLV is enabled in your validator configuration file as described here.
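The decision logic behind the DANE and local-validation sections above, as an added illustration in Python (not Bloodhound's or dnsval's own code): it parses TLSA RDATA in its wire format, matches a record against a presented certificate using the selector and matching type, and, following RFC 7671, only trusts TLSA data when the local validator reports the RRset as secure, treating a bogus RRset as a hard failure and an insecure one as "no DANE, fall back to PKIX". The certificate and SPKI bytes are constructed placeholders, and SPKI extraction from the certificate is assumed to be done by the caller.

```python
import hashlib
import struct

# TLSA matching types (RFC 6698, section 2.1.3)
MATCHING_FULL = 0
MATCHING_SHA256 = 1
MATCHING_SHA512 = 2

def parse_tlsa(rdata: bytes) -> dict:
    """Split TLSA RDATA wire format: usage(1) selector(1) matching(1) data(n)."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    return {"usage": usage, "selector": selector, "mtype": mtype, "data": rdata[3:]}

def tlsa_matches(record: dict, cert_der: bytes, spki_der: bytes) -> bool:
    """Check one TLSA record against the end-entity certificate.
    selector 0 = full certificate, 1 = SubjectPublicKeyInfo (spki_der is
    assumed to have been extracted from cert_der by the caller).
    Certificate usage (PKIX-TA/PKIX-EE/DANE-TA/DANE-EE) is not evaluated here."""
    if record["selector"] == 0:
        subject = cert_der
    elif record["selector"] == 1:
        subject = spki_der
    else:
        return False  # unknown selector: record is unusable
    if record["mtype"] == MATCHING_FULL:
        return subject == record["data"]
    if record["mtype"] == MATCHING_SHA256:
        return hashlib.sha256(subject).digest() == record["data"]
    if record["mtype"] == MATCHING_SHA512:
        return hashlib.sha512(subject).digest() == record["data"]
    return False  # unknown matching type: record is unusable

def dane_decision(tlsa_rrset, dnssec_status, cert_der, spki_der) -> str:
    """Map the local validator's status plus TLSA matching to an outcome.
    dnssec_status is one of "secure", "insecure", "bogus" (assumed labels)."""
    if dnssec_status == "bogus":
        return "reject"        # validation failed: do not connect
    if dnssec_status != "secure":
        return "no-dane"       # unsigned zone: TLSA data must be ignored
    if any(tlsa_matches(parse_tlsa(r), cert_der, spki_der) for r in tlsa_rrset):
        return "dane-accept"
    return "dane-reject"       # secure TLSA data, but nothing matched

# Constructed sample data (not real DER): a fake certificate and fake SPKI.
SAMPLE_CERT = b"\x30\x82\x01\x00" + b"fake-cert-body"
SAMPLE_SPKI = b"\x30\x59" + b"fake-spki-body"
# Usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256)
SAMPLE_TLSA = bytes([3, 1, 1]) + hashlib.sha256(SAMPLE_SPKI).digest()
```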

Additional Links

Sponsors

This work was funded in part by the U.S. Department of Homeland Security/Science & Technology (S&T).

Copyright and Disclaimers

Please read the COPYING file distributed with the dnssec-tools package for copyright and general disclaimer information.

Bloodhound is an experimental piece of software. It is being provided to the community in order to encourage further discussion on the need for DNSSEC validation within applications, demonstrate innovative ways to use DNSSEC (such as within the DANE protocol), and ways to communicate DNSSEC related errors to the user.

Bloodhound is a re-branded and patched version of the Mozilla Firefox browser. That is, it contains changes to the Firefox code-base that result in new code paths, and consequently increases the potential for new bugs. While we will try to make periodic updates to Bloodhound available, it is important to note that the version of Bloodhound made available on our website may not always be in sync with the latest patched version of Firefox. Please visit the Mozilla website if you are looking for the latest version of Firefox.

Contact Us

Please use the DNSSEC-Tools users mailing list to send us general comments, and please submit all bugs to our bug database.

You may also send feedback to: feedback AT dnssec DASH tools DOT org