We have just completed our review of OpenSSL 1.1.1 with QuarksLab, and we are moving on to our next big project, Unbound DNS!


What is Unbound and Why is it Important?

One of the core functions of the Internet is domain name resolution. When you type a domain name like “ostif.org” into your browser, your computer asks a DNS resolver where ostif.org is, and the resolver returns an IP address so the browser knows where to connect to load the site. The same system is used by apps, operating systems, and every web-connected service.

The DNS is decades old and was not designed with security or privacy in mind: queries are normally sent as single unencrypted UDP packets, with no connection and no authentication of the answer. This opens DNS up to all kinds of problems, such as DNS reflection attacks (sending queries with a forged source address to many open DNS servers so that their much larger responses flood a victim, a form of Distributed Denial of Service), DNS spoofing and cache poisoning (an attacker forging answers to your DNS requests, or planting false records in a resolver's cache, so that you are sent to malicious IP addresses), and wholesale surveillance (every DNS request passes in the clear through parties on the network who can record every website you visit and every service you use).

To fix this, two standards are in wide use today, and they address different parts of the problem. DNSSEC adds digital signatures to DNS records so that a validating resolver can detect answers forged by an interloper; it authenticates the data but does not hide it. DNS over TLS encrypts the connection between a client and its resolver so that on-path observers cannot read or tamper with the queries; it protects the channel but does not, by itself, prove that the records are genuine. Used together they cover both integrity and privacy.

One of the most widely deployed open-source resolvers implementing both is Unbound, a validating, recursive, caching DNS resolver from NLNetLabs.

To help increase online privacy, Unbound supports DNS-over-TLS which allows clients to encrypt their communication. In addition, it supports various modern standards that limit the amount of data exchanged with authoritative servers. These standards not only improve privacy but also help make the DNS more robust. The most important are Query Name Minimisation, the Aggressive Use of DNSSEC-Validated Cache and support for authority zones, which can be used to load a copy of the root zone.

https://nlnetlabs.nl/projects/unbound/about
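To make the features in the quoted description concrete, here is a minimal unbound.conf that turns each of them on for a resolver serving local clients. This is an added illustration, not configuration from NLNetLabs or the Unbound distribution; the listening addresses, file paths, the DNS-over-TLS certificate files and the choice of root zone transfer sources are assumptions.

```conf
# Added example, not NLNetLabs' own configuration. Paths and addresses are assumed.
server:
    # Serve plain DNS on 53 and DNS-over-TLS on 853 to local clients
    interface: 127.0.0.1
    interface: 127.0.0.1@853
    tls-port: 853
    # Assumed locations of the server certificate and key used for DoT
    tls-service-key: "/etc/unbound/unbound_server.key"
    tls-service-pem: "/etc/unbound/unbound_server.pem"
    access-control: 127.0.0.0/8 allow

    # DNSSEC validation: root trust anchor, kept current by RFC 5011 rollover
    # (assumed path; packages differ)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Query Name Minimisation (RFC 7816): each upstream server sees only the
    # labels it needs to delegate, not the full name being looked up
    qname-minimisation: yes

    # Aggressive use of DNSSEC-validated cache (RFC 8198): answer NXDOMAIN and
    # NODATA from cached, validated NSEC/NSEC3 records instead of re-querying
    aggressive-nsec: yes

# Authority zone: keep a local copy of the root zone (RFC 7706) so queries for
# the root are answered locally; fall back to the root servers if the copy fails
auth-zone:
    name: "."
    # Transfer sources and download URL are an assumed selection
    master: b.root-servers.net
    master: f.root-servers.net
    master: k.root-servers.net
    url: "https://www.internic.net/domain/root.zone"
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
    zonefile: "/var/lib/unbound/root.zone"
```

Check the file with unbound-checkconf before restarting the daemon, then query it with dig @127.0.0.1 ostif.org +dnssec: a validated answer carries the AD flag. If Unbound is instead configured to forward everything to an upstream resolver over TLS (a forward-zone for "." with forward-tls-upstream: yes and a tls-cert-bundle to authenticate the upstream), it no longer recurses itself, so the local root zone copy is not consulted.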

Not only is it widely used by sites and services, but it is integrated into projects like Let’s Encrypt, which is increasing the security of the entire Internet by enabling widespread use of free security certificates for domain names. Let’s Encrypt’s validation infrastructure resolves the domains it checks through Unbound, so a flaw in Unbound could affect certificate issuance. Let’s Encrypt serves over 150 million domain certificates that enable HTTPS on websites around the world.

How Are We Collaborating?

OSTIF and Unbound have been discussing the project’s current security practices and potential improvements, as well as establishing secure communications with NLNetLabs for reporting issues. Now we are raising money for a full security review of Unbound, which will be conducted with X41-Dsec in Germany. After all issues are resolved we will publish the audit report for the public to review, and then Unbound will join our bug-bounty program to bring in white-hat hackers from around the world for continuous review of the code and to locate further issues.

How much do we need to raise?

We need to raise approximately $139,000 in total to cover the cost of the audit, the pool of money for the bug bounty system, and various operations costs (transaction fees on donations, etc.). The figure is based on the size of the code base, the complexity of the code, the quality of the documentation on how the software works, and the project’s current security practices, all of which influence the scope of the audit.

HOW TO GET INVOLVED!

You can donate to us through a huge number of easy options here. Recurring donations through Paypal or Patreon help us more than one-time commitments, as recurring funding allows us to better budget and plan our finances. Every little bit helps. The community effect adds up to help us cover all of our operations costs and tech expenses!

More importantly, you can help spread the word about our work. These projects only succeed because people hear about us and get involved. We have an active twitter account @ostifofficial and we are frequently on Reddit as /u/ostifofficial. Tell people about our project and that we are making the Internet a safer place for all of us.

Additionally, if you work for a company that uses open-source software like OpenVPN, OpenSSL, Unbound, Open Office, BitMessage, VeraCrypt, MariaDB, VLC Media Player, PHP, Apache, DD-WRT, or GnuPG GPA, encourage them to get involved in the effort. We have various support tiers that companies can join to help us make the Internet more secure while simultaneously improving their own security. Companies that get involved also get a direct line to our managers to help us select future projects and direct the organization through our advisory council and steering committees.

We are excited to bring Unbound onto OSTIF support! Let’s get this done!