NAME
curvedns - high-speed high-security elliptic-curve cryptography DNS server


SYNOPSIS
curvedns listening_IPs listening_port target_DNS_server_IP target_DNS_server_port


DESCRIPTION
curvedns(8) is a daemon that implements the DNSCurve protocol, acting as a forwarder in front of an authoritative DNS server. The daemon is started with four mandatory command line arguments:
listening_IPs: The IP addresses on which CurveDNS should listen. If you have more than one IP address, separate them with a comma (,). Note that both IPv4 and IPv6 addresses can be used. Valid inputs are for example: and fe80::1. If you want CurveDNS to listen on all IP addresses use (for IPv4 hosts) or :: (for IPv6 hosts).
listening_port: The port number on which CurveDNS should listen. If you want to use a port number below 1024, you must be root; nevertheless, CurveDNS drops the root privileges once it has completed all the tasks that need them.
target_DNS_server_IP: The IP address of the authoritative name server to which non-DNSCurve queries are forwarded. This can be either an IPv4 or IPv6 address.
target_DNS_server_port: The port number of the authoritative name server we are forwarding to. Usually this will be 53.


ENVIRONMENT
curvedns(8) does not use a configuration file. Instead, all remaining configuration is done through environment variables. Mandatory environment variables:
CURVEDNS_PRIVATE_KEY: the hexadecimal representation of the server's private (secret) key.
Optional environment variables:
CURVEDNS_INTERNAL_TIMEOUT: number of seconds after which the target server is considered to have timed out (default: 1.2)
CURVEDNS_UDP_TRIES: total number of tries towards the target server before the query is dropped (default: 2)
CURVEDNS_TCP_NUMBER: number of simultaneous TCP connections that are allowed (default: 25)
CURVEDNS_TCP_TIMEOUT: number of seconds before the TCP session to the client times out (default: 60.0)
CURVEDNS_SHARED_SECRETS: number of shared secrets that can be cached (default: 5000)
Depending on your query load and the number of clients, increasing the number of cached shared secrets can improve performance. It is a good idea to temporarily set the debug level (see the next option) to debug when you alter this value: at that level, curvedns logs the amount of memory it reserved for the shared secret cache during startup, so you can check that it fits within your system's physical memory.
CURVEDNS_DEBUG: the debug level controlling which events are logged (default: 2)
Available debug levels: 1 (fatal), 2 (error), 3 (warning), 4 (info), 5 (debug)
CURVEDNS_SOURCE_IP: the IP address CurveDNS uses as source address when it forwards the query to the authoritative name server (default: let the kernel decide).
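As an added example (not part of curvedns or of this manual page), the following POSIX shell wrapper checks the four mandatory command line arguments and the environment variables described above before launching the daemon, so that a malformed key or an out-of-range debug level is caught in the start script rather than at daemon startup. It assumes that the private key is 64 hexadecimal digits (a 32-byte Curve25519 secret key, the key size DNSCurve uses), that the curvedns binary is on PATH, and that the ports and counters are plain decimal integers; the key shown in the usage comment is a placeholder, not a real key.

```sh
#!/bin/sh
# Added example: wrapper that validates the curvedns(8) arguments and
# environment before starting the daemon. Not part of curvedns itself.
#
# Usage (the key is a placeholder, generate a real one with curvedns-keygen(1)):
#   CURVEDNS_PRIVATE_KEY=<64 hex digits> ./start-curvedns.sh start 127.0.0.1,::1 53 127.0.0.1 5300

# Succeed if $1 is a 64-digit hex string. Assumption: the private key is a
# 32-byte Curve25519 secret key, which is what DNSCurve uses.
is_hex_key() {
    case "$1" in
        ""|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# Succeed if $1 is a valid CURVEDNS_DEBUG level (1 fatal .. 5 debug).
is_debug_level() {
    case "$1" in
        1|2|3|4|5) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if $1 is a port number in 1..65535.
is_port() {
    case "$1" in
        ""|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Succeed if $1 is a positive integer (retry count, connection count, cache size).
is_count() {
    case "$1" in
        ""|*[!0-9]*|0) return 1 ;;
        *) return 0 ;;
    esac
}

# Validate the environment: CURVEDNS_PRIVATE_KEY is mandatory, the rest optional.
check_env() {
    is_hex_key "${CURVEDNS_PRIVATE_KEY:-}" \
        || { echo "CURVEDNS_PRIVATE_KEY must be 64 hexadecimal digits" >&2; return 1; }
    if [ -n "${CURVEDNS_DEBUG:-}" ] && ! is_debug_level "$CURVEDNS_DEBUG"; then
        echo "CURVEDNS_DEBUG must be between 1 and 5" >&2; return 1
    fi
    for v in CURVEDNS_UDP_TRIES CURVEDNS_TCP_NUMBER CURVEDNS_SHARED_SECRETS; do
        eval "val=\${$v:-}"   # variable names are fixed above, so eval is safe here
        if [ -n "$val" ] && ! is_count "$val"; then
            echo "$v must be a positive integer" >&2; return 1
        fi
    done
    return 0
}

# Print the command line for the four mandatory arguments, or fail.
# Usage: build_cmd listening_IPs listening_port target_DNS_server_IP target_DNS_server_port
build_cmd() {
    [ $# -eq 4 ] || { echo "expected 4 arguments, got $#" >&2; return 1; }
    is_port "$2" || { echo "invalid listening_port: $2" >&2; return 1; }
    is_port "$4" || { echo "invalid target_DNS_server_port: $4" >&2; return 1; }
    # Ports below 1024 need root at startup; curvedns drops privileges afterwards.
    if [ "$2" -lt 1024 ] && [ "$(id -u)" -ne 0 ]; then
        echo "warning: listening_port $2 is below 1024 and you are not root" >&2
    fi
    printf 'curvedns %s %s %s %s\n' "$1" "$2" "$3" "$4"
}

# Entry point: only runs when invoked as "start ...", so the functions above
# can also be sourced from other scripts.
if [ "${1:-}" = "start" ]; then
    shift
    check_env || exit 1
    cmd=$(build_cmd "$@") || exit 1
    echo "starting: $cmd" >&2
    exec $cmd
fi
```

The checks are deliberately conservative: the script rejects a key of the wrong length rather than letting the daemon start with a truncated secret, and it warns (rather than fails) on a privileged port, since curvedns itself handles the privilege drop after binding.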


SEE ALSO
curvedns-keygen(1)
Installation and configuration from GitHub


AUTHOR
Stephane Neveu
July 2017