Least Authority performs Security Audit of Knot DNS and Knot Resolver on behalf of Mozilla’s “SOS” Fund

Earlier this year, Least Authority completed a security audit of Knot DNS and the Knot Resolver for the Mozilla Secure Open Source (“SOS”) Fund. The Mozilla SOS Fund provides security auditing, remediation, and verification for key open source software projects. This Fund is part of the Mozilla Open Source Support program (MOSS) which recognizes and celebrates open source projects that contribute to the health of the Internet.

We at Least Authority are strong advocates of open-source software. As we work towards designing secure systems and creating freedom-compatible technologies, we applaud Mozilla for its effort to improve the security of the open-source ecosystem.

Knot DNS is a high-performance authoritative-only DNS server which supports all key features of the modern domain name system. The Knot Resolver is a caching full resolver implementation, including both a resolver library and a daemon.

Both Knot DNS and Knot Resolver are open source and completely free to download and use. The source code is available under the GPL license.

Knot DNS and Knot Resolver Audit

The Knot DNS and Knot Resolver audit was performed by Jack Lloyd and David Stainton. Jack and David investigated a number of security issues and added recommendations that could be implemented to improve the code.

The auditors reviewed the latest releases of Knot DNS and Knot Resolver code. They examined not only the application code but also the dependency code and behavior when it was relevant to a particular line of investigation. While analyzing the dependency code, they focused on bugs in the usage of dependencies rather than in the dependencies themselves.

Findings

On the whole, the auditors found the code well structured and cleanly written. In their words, “Knot makes good use of available tools, such as fuzzers and computer sanitizers”. The report and subsequent change logs are published on the SOS wiki.

If you have any questions about these results or our security audit process, please contact us.

At Least Authority, our mission is to bring verifiable end-to-end security to everyone, which aligns with Mozilla’s core beliefs – open source software is a key part of the Internet and is essential for the online life of choice, innovation, and opportunity we seek to build. In pursuance of our mission, we run a verifiable-secure cloud backup system — S4 — with a graphical user interface — Gridsync — and provide security consulting services to free and open-source software projects.

We have extensive experience in security and cryptography, and we have performed audits for a variety of open-source privacy- or transparency-related projects including CryptoCat, GlobalLeaks, SpiderOak, Melonport, and Ooni. Least Authority was also hired by Ethereum to perform an incentive analysis on the proof-of-work puzzle, Ethash, and the gas mechanism. You can find more information about our security audits and consulting services here.