OSTIF is proud to share the results of our security audit of Hickory DNS. Hickory DNS is an open source, Rust-based DNS client, server, and resolver. With the help of X41 D-Sec and Prossimo, this project can continue to provide users with a safe and secure DNS server and client.

Audit Process:

X41 D-Sec performed a greybox pentest of the Hickory DNS source code in early fall of 2024. The project's 70,000 lines of Rust code were audited using manual review and semgrep tooling. In particular, the audit focused on the resolver library and its upstream servers and downstream cache, the clients, and DNS cryptographic signatures.

Audit Results:

  • 4 Findings with Security Impact
    • 2 Medium, 2 Low Severity
    • 7 Unranked findings
  • Recommendations for future security efforts

Audits function not only as a way to identify vulnerabilities and weaknesses in the project but also as a form of documentation to help maintainers and users plan for future releases and work. This engagement happened shortly after new code was added, and since more code is expected to be introduced, it is recommended that the project undergo further security work as more code is added and the project ages.

Thank you to the individuals and groups that made this engagement possible:

  • Hickory DNS maintainers and community
  • X41 D-Sec: Eric Sesterhenn, Markus Vervier, JM, and Robert Femmer
  • Prossimo

You can read the Audit Report HERE

You can read more on the Hickory DNS blog HERE

Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact [email protected].