runbound 0.3.2

RFC-compliant DNS resolver — drop-in Unbound with REST API, ACME auto-TLS, HMAC audit log, and master/slave HA
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138

[package]
name = "runbound"
version = "0.3.2"
edition = "2021"
authors = ["redlemonbe <https://github.com/redlemonbe>"]
license = "PolyForm-Noncommercial-1.0.0"
description = "RFC-compliant DNS resolver — drop-in Unbound with REST API, ACME auto-TLS, HMAC audit log, and master/slave HA"
readme = "README.md"
repository = "https://github.com/redlemonbe/Runbound"
homepage = "https://github.com/redlemonbe/Runbound"
keywords = ["dns", "unbound", "resolver", "dnssec", "acme"]
categories = ["network-programming", "command-line-utilities"]

[dependencies]
# Async runtime
tokio = { version = "1", features = ["full"] }

# DNS engine — DoT / DoH / DoQ / DNSSEC
hickory-server   = { version = "0.24", features = [
    "dnssec-ring",
    "dns-over-rustls",
    "dns-over-https-rustls",
    "dns-over-quic",
] }
hickory-resolver = { version = "0.24", features = [
    "dnssec-ring",
    "tokio-runtime",
    "dns-over-rustls",
    "dns-over-https-rustls",
] }
hickory-proto    = { version = "0.24", features = [
    "dnssec-ring",
    "dns-over-rustls",
    "dns-over-https-rustls",
    "dns-over-quic",
] }

# TLS certificate loading — must match hickory-server 0.24's rustls 0.21
rustls           = { version = "0.21", features = ["dangerous_configuration"] }
rustls-pemfile   = "1"

# REST API
axum       = { version = "0.7", features = ["json"] }
axum-extra = { version = "0.9", features = ["typed-header"] }
tower      = { version = "0.5", features = ["limit"] }
tower-http = { version = "0.6", features = ["limit", "trace"] }

# Serialization
serde       = { version = "1", features = ["derive"] }
serde_json  = "1"
toml        = "0.8"
serde_with  = "3"

# Error handling
thiserror = "2"
anyhow    = "1"

# Logging
tracing            = "0.1"
tracing-subscriber = { version = "0.3", features = ["json", "env-filter"] }
tracing-appender   = "0.2"

# Utils
uuid            = { version = "1", features = ["v4", "serde"] }
sha2            = "0.10"
hmac            = "0.12"
getrandom       = "0.3"
hex             = "0.4"
subtle          = "2"
tempfile        = "3"
regex           = "1"
humantime       = "2"
humantime-serde = "1"

# HTTP client (feeds fetch + ACME HTTP-01 bridge)
reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }

# ACME (Let's Encrypt) — ring backend only; HTTP done via reqwest bridge
instant-acme = { version = "0.8", default-features = false, features = ["ring"] }

# Zero-copy byte buffers — used in ACME HttpClient bridge
bytes = "1"

# HTTP types shared across hyper / axum / instant-acme
http = "1"

# Stream utilities — SSE streaming for /stats/stream endpoint
futures-util = "0.3"

# Async trait (required by RequestHandler impl)
async-trait = "0.1"

# Jemalloc (Linux only)
tikv-jemallocator = "0.6"

# Concurrent HashMap — replaces Mutex<HashMap> in rate limiter (lock-free reads)
dashmap = "6"

# Fast non-cryptographic hasher — RandomState seeded by OS CSPRNG at startup,
# HashDoS resistant (v0.8+). Used for rate-limiter DashMaps (IpAddr keys).
# Zone-lookup HashMaps keep SipHash: DNS name keys come from untrusted network.
ahash = "0.8"

# Raw socket control — SO_REUSEPORT per-CPU UDP socket binding
socket2 = { version = "0.6", features = ["all"] }

# Low-level OS syscalls used by AF_XDP implementation
libc = "0.2"

# Lock-free atomic Arc swap — read path for LocalZoneSet with zero contention
arc-swap = "1"

# Self-signed TLS certificate generation (--gen-cert)
rcgen = "0.13"

# Slave/master sync: HTTPS server (TLS termination) + HTTPS client (cert pinning)
tokio-rustls   = "0.24"
hyper          = { version = "1", features = ["http1"] }
hyper-util     = { version = "0.1", features = ["tokio", "server-auto"] }
http-body-util = "0.1"

[dev-dependencies]

[features]
# Kernel-bypass DNS fast path via AF_XDP / eBPF.
# Requires: clang + libbpf-dev at build time (apt install clang libbpf-dev).
# No runtime C libraries needed — aya is pure Rust.
xdp = ["dep:aya"]

[dependencies.aya]
version  = "0.13"
optional = true

[profile.release]
opt-level     = 3
lto           = true
strip         = true
codegen-units = 1