runbound 0.4.14

A DNS server. Just for fun.
# Crate identity and registry metadata for the runbound binary.
# NOTE(review): no `rust-version` key is set, so the minimum supported
# toolchain is not declared in this manifest.
[package]
name = "runbound"
version = "0.4.14"
edition = "2021"
authors = ["redlemonbe <https://github.com/redlemonbe>"]
license = "AGPL-3.0-or-later"
description = "A DNS server. Just for fun."
readme = "README.md"
repository = "https://github.com/redlemonbe/Runbound"
homepage = "https://github.com/redlemonbe/Runbound"
keywords = ["dns", "unbound", "resolver", "dnssec", "acme"]
categories = ["network-programming", "command-line-utilities"]

[dependencies]
# Async runtime
# "full" enables tokio's whole feature set (net, fs, process, signal, time, …)
# rather than only the groups the server uses.
# NOTE(review): narrowing the list would shrink the compiled surface — confirm
# which groups are actually needed before changing it.
tokio = { version = "1", features = ["full"] }

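# DNS engine — DoT / DoH / DoQ / DNSSEC
# 0.26.1 fixes RUSTSEC-2026-0119 (O(n²) compression), RUSTSEC-2026-0037 (quinn DoS),
# RUSTSEC-2025-0009 (ring AES panic), RUSTSEC-2026-0104/0098/0099 (rustls-webpki).
# The requirement is written as "0.26.1", not "0.26": a bare "0.26" also accepts
# 0.26.0, so a stale Cargo.lock or a minimal-versions resolution could still
# select the release that predates those fixes. All three hickory crates carry
# the same floor so they resolve to one consistent release.
hickory-server   = { version = "0.26.1", features = [
    "dnssec-ring",
    "tls-ring",
    "https-ring",
    "quic-ring",
] }
hickory-resolver = { version = "0.26.1", features = [
    "dnssec-ring",
    "tokio",
    "tls-ring",
    "https-ring",
] }
hickory-proto    = { version = "0.26.1", features = [
    "dnssec-ring",
] }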

# TLS — rustls 0.23 (TLS 1.3 default, rustls-webpki CVEs fixed)
# The "tls12" feature compiles TLS 1.2 support in alongside TLS 1.3.
# NOTE(review): if listeners are meant to be TLS 1.3-only, that has to be
# enforced where the server/client configs are built — not visible here.
# rustls-webpki is a transitive dependency: "CVEs fixed" holds only for the
# version recorded in Cargo.lock, so `cargo audit` against the lockfile is the
# check that backs this comment.
# NOTE(review): default features stay on, which in rustls 0.23 includes the
# aws-lc-rs provider, while the rest of this manifest selects ring backends.
# With both compiled in, rustls needs a process-wide crypto provider installed
# explicitly — confirm startup code does this.
rustls         = { version = "0.23", features = ["tls12"] }
rustls-pemfile = "2"

# REST API
# The "limit" features provide concurrency / rate limiting layers (tower) and
# request-body size limiting (tower-http).
# NOTE(review): presumably there to bound API requests — confirm the layers are
# actually applied to the router; enabling the feature alone limits nothing.
axum       = { version = "0.7", features = ["json"] }
axum-extra = { version = "0.9", features = ["typed-header"] }
tower      = { version = "0.5", features = ["limit"] }
tower-http = { version = "0.6", features = ["limit", "trace"] }

# Serialization
serde       = { version = "1", features = ["derive"] }
serde_json  = "1"
toml        = "0.8"
serde_with  = "3"

# Error handling
thiserror = "2"
anyhow    = "1"

# Logging
# tracing-subscriber: JSON output plus env-var driven filtering (env-filter).
tracing            = "0.1"
tracing-subscriber = { version = "0.3", features = ["json", "env-filter"] }
tracing-appender   = "0.2"

# Utils
# sha2 + hmac supply keyed hashing, subtle supplies constant-time comparison,
# getrandom reads the OS random source.
# NOTE(review): presumably the API / sync authentication path — secrets and MACs
# should be compared through subtle rather than `==`; confirm in the callers.
uuid            = { version = "1", features = ["v4", "serde"] }
sha2            = "0.10"
hmac            = "0.12"
getrandom       = "0.3"
hex             = "0.4"
subtle          = "2"
tempfile        = "3"
regex           = "1"
humantime       = "2"
humantime-serde = "1"

# HTTP client (feeds fetch + ACME HTTP-01 bridge)
# default-features = false drops reqwest's native-tls default; "rustls-tls"
# selects rustls with the bundled webpki root set, so trust anchors change only
# when the dependency is updated.
# NOTE(review): reqwest applies no request timeout unless one is configured —
# confirm the feed fetcher sets a timeout and bounds the response size, since
# feed content comes from remote hosts.
reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }

# ACME (Let's Encrypt) — ring backend only; HTTP done via reqwest bridge
instant-acme = { version = "0.8", default-features = false, features = ["ring"] }

# HSM (Hardware Security Module) key storage via PKCS#11
# cryptoki provides the Rust binding; the actual PKCS#11 .so is loaded
# dynamically at runtime (dlopen) — no compile-time dependency on the HSM.
# Because the module is dlopen'ed, its path is a code-loading input: the library
# at that path runs inside the server process.
# NOTE(review): confirm the path comes only from administrator-owned
# configuration and is not settable through the REST API.
cryptoki = "0.6"

# Secure memory zeroing — used for HSM-loaded key material (Zeroizing<T>)
zeroize = "1"

# Zero-copy byte buffers — used in ACME HttpClient bridge
bytes = "1"

# HTTP types shared across hyper / axum / instant-acme
http = "1"

# Stream utilities — SSE streaming for /stats/stream endpoint
futures-util = "0.3"

# Async trait (required by RequestHandler impl)
async-trait = "0.1"

# Jemalloc (Linux only)
# NOTE(review): the crate is declared unconditionally here, so it is built for
# every target. If Linux-only is the intent, the declaration would belong in a
# `[target.'cfg(target_os = "linux")'.dependencies]` table — confirm against how
# the global allocator is gated in the source before moving it.
tikv-jemallocator = "0.6"

# Concurrent HashMap — replaces Mutex<HashMap> in rate limiter (lock-free reads)
dashmap = "6"

# Fast non-cryptographic hasher — RandomState seeded by OS CSPRNG at startup,
# HashDoS resistant (v0.8+). Used for rate-limiter DashMaps (IpAddr keys).
# Zone-lookup HashMaps keep SipHash: DNS name keys come from untrusted network.
ahash = "0.8"

# Raw socket control — SO_REUSEPORT per-CPU UDP socket binding
socket2 = { version = "0.6", features = ["all"] }

# Low-level OS syscalls used by AF_XDP implementation
libc = "0.2"

# Lock-free atomic Arc swap — read path for LocalZoneSet with zero contention
arc-swap = "1"

# Self-signed TLS certificate generation (--gen-cert)
rcgen = "0.13"

# Slave/master sync: HTTPS server (TLS termination) + HTTPS client (cert pinning)
# hyper is built with HTTP/1 only ("http1"); no HTTP/2 feature is enabled here.
# NOTE(review): pinning replaces CA validation for the sync channel, so the
# pinned certificate's rotation and storage procedure should be documented —
# not visible in this manifest.
tokio-rustls   = "0.26"
hyper          = { version = "1", features = ["http1"] }
hyper-util     = { version = "0.1", features = ["tokio", "server-auto"] }
http-body-util = "0.1"

# No test-only dependencies are declared.
[dev-dependencies]

[features]
# Kernel-bypass DNS fast path via AF_XDP / eBPF.
# Requires: clang + libbpf-dev at build time (apt install clang libbpf-dev).
# No runtime C libraries needed — aya is pure Rust.
# Opt-in: there is no `default` feature list, so aya is compiled only when the
# crate is built with `--features xdp`.
# NOTE(review): loading and attaching XDP programs needs elevated privileges at
# runtime (typically CAP_NET_ADMIN / CAP_BPF on Linux) — the deployment notes
# should say which capabilities to grant instead of running as root.
xdp = ["dep:aya"]

# Optional dependency behind the `xdp` feature (`dep:aya` above).
[dependencies.aya]
version  = "0.13"
optional = true

# Release profile: maximum optimisation, whole-program LTO, a single codegen
# unit, and a stripped binary.
# strip = true removes symbols, so backtraces from production crashes carry no
# function names; keeping an unstripped build of each release aside helps
# incident analysis.
# NOTE(review): `overflow-checks` is left at the release default (off), so
# integer overflow wraps silently. For a server parsing untrusted DNS packets,
# `overflow-checks = true` is worth evaluating — it turns a wrap into a panic,
# so confirm how panics are handled first.
[profile.release]
opt-level     = 3
lto           = true
strip         = true
codegen-units = 1