[strenholme]

Shameless plug time:

My own MaraDNS has been extensively audited now that we’re in the age of AI-assisted security audits.

Not one single serious security bug has been found since 2023. [1]

The only bugs auditers have been finding are things like “Deadwood, when fully recursive, will take longer than usual to release resources when getting this unusual packet” [2] or “This side utility included with MaraDNS, which hasn’t been able to be compiled since 2022, has a buffer overflow, but only if one’s $HOME is over 50 characters in length” [3]

I’m actually really pleased just how secure MaraDNS is now that it’s getting real in depth security audits.

[1] https://samboy.github.io/MaraDNS/webpage/security.html

[2] https://github.com/samboy/MaraDNS/discussions/136

[3] https://github.com/samboy/MaraDNS/pull/137

[shakna]

Well, as you bundle Lua 5.1 (as Lunacy), instead of making a library and loading it, and you bundled the 2012 version, you're probably affected by CVE-2014-5461 and others. Lua hasn't been security fix free.

[strenholme]

Thank you for your concern.

I fixed CVE-2014-5461 for Lunacy back in 2021:

https://github.com/samboy/lunacy/commit/4de84e044c1219b06744...

This is discussed here:

https://samboy.github.io/MaraDNS/webpage/security.html#CVE-2...

In addition, I have done other security hardening with Lunacy compared to Lua 5.1:

https://samboy.github.io/MaraDNS/webpage/lunacy/

Now, I should probably explain why I’m using Lua 5.1 instead of the latest “official” version of Lua. Lua has an interesting history; in particular Lua 5.1 is the most popular version and the version which is most commonly used or forked against. Adobe Illustrator uses Lua 5.1, and Roblox uses a fork of Lua 5.1 called “luau”. LuaJIT is based on Lua 5.1, and other independent implementations of Lua (Moonsharp, etc.) are based on versions mostly compatible with Lua 5.1.

Lua 5.1 has a remarkably good security history, and of course I take responsibility for any security bugs in the Lua 5.1 codebase since I use the code with the relatively new coLunacyDNS server (Lua 5.1 isn’t used with the MaraDNS or Deadwood servers).

Lua 5.1 is used to convert documentation, but those scripts are run offline and the converted documents are part of the MaraDNS Git tree.

[shakna]

Yeah, I've had patches submitted to Moonscript, Fengari, and luau. Don't need to sell on why 5.1 is useful. Each version is a new lang, not just a few fixes or niceties.

I'm not convinced that vendoring, instead of embedding, is the right way.

The patch landing in 2021, instead of 2014, being one of those concerns.

(And you might want to recheck your assumption of how big 'int' will be, for rg32. C defines it in terms of minimum size, not direct size. int16_t isn't necessarily an alias.)

[strenholme]

>>>The patch landing in 2021, instead of 2014, being one of those concerns.<<<

What makes you think I was using Lua in 2014? Seriously, do you even know how to use “git log”?

I added Lua to MaraDNS in 2020:

https://github.com/samboy/MaraDNS/commit/2e154c163a465ee7ead...

I patched it on my own in 2021:

https://github.com/samboy/MaraDNS/commit/efddb3a92b9cee30f11...

>>>you might want to recheck your assumption of how big 'int' will be

uint32_t is always 32-bit:

https://en.cppreference.com/c/types/integer

And, yes, this can be easily checked with a tiny C program:

  #include <stdint.h>
  #include <stdio.h>

  int main() {
    uint32_t foo = 0xfffffffd;
    uint64_t bar = 0xfffffffd;
    uint32_t a = 0;
    for(a=0;a<20;a++) { printf("%16llx:%16llx\n",foo++,bar++); }
    return 0; 
  }

If there’s a system where uint32_t is 64 bits, that’s a bug with the compiler (which isn’t following the spec), not MaraDNS.

Are you going to make any other negative false implications about MaraDNS? Because you’re making a lot of very negative accusations without bothering to check first.

Edit: Here’s a version of the above C program which works in tcc 0.9.25:

  #include <stdint.h>
  #include <stdio.h>

  void shownum(uint64_t in) {
    int32_t a;
    for(a=60;a>=0;a-=4) {
      int n = (in >> a) & 0xf;
      if(n < 10) {printf("%c",'0'+n);}
            else {printf("%c",'a'+(n-10)); }
    }
    return;
  }

  int main() {
    uint32_t foo = 0xfffffffd;
    uint64_t bar = 0xfffffffd;
    uint32_t a = 0;
    for(a=0;a<20;a++) { 
      shownum(foo++); 
      printf(":"); 
      shownum(bar++); 
      puts(""); }
    return 0;
  }

[shakna]

> What makes you think I was using Lua in 2014? Seriously, do you even know how to use “git log”?

... It was fixed, upstream, in 2014. Thanks for not checking the number at the start of the CVE, before launching straight into attack mode.

https://www.lua.org/bugs.html#5.2.2-1

Which is the point. In 2020, when you added Lua, you added a vulnerability that had officially been fixed for six years. Because you vendored, and did not depend on any system package.

> uint32_t is always 32-bit:

Yah. Which is why I said 'int'.

As in the assumptions you made here:

https://github.com/samboy/LUAlibs/blob/master/rg32.c#L59

[strenholme]

Apologies for being confrontational; accusations of there being security holes are serious accusations in my book, and need to be backed up with solid facts. Yes, that’s how seriously I take security with the software I make available on the Internet.

That number is a 32-bit number in the C code, but it’s converted in to a 16-bit number. I used “int” to have it interface with other Lua code, but safely assume “int” can fit 16 bits, and yes I do convert the number to a 16-bit one before passing it off to other Lua code:

https://github.com/samboy/LUAlibs/blob/master/rg32.c#L77

Here, I assume lua_number can pass 32 bits:

https://github.com/samboy/LUAlibs/blob/master/rg32.c#L45

https://github.com/samboy/MaraDNS/blob/master/coLunacyDNS/lu...

https://github.com/samboy/lunacy/blob/master/src/lmathlib.c#...

But it works without issue:

  rg32.randomseed("shakna3")
  print(string.format("%x",rg32.rand32()))

One sees “b0e6725c”, i.e. a 32-bit unsigned number

Likewise:

  rg32.randomseed("shakna3")
  print(string.format("%x %x",rg32.rand16(),rg32.rand16()))

Gives us “b0e6 725c”.

Vendoring Lua 5.1 was forced; since I wanted to use Lua 5.1 (for reasons described above, e.g. LuaJIT compatibility), I had to use code which hasn’t been updated upstream since 2012.

[tosti]

I don't think you should take responsibility for bugs. Debugging is the act of removing bugs, so programming is the act of putting them in. Free software, per license, must not come with guarantees because the legal implications of any warranty whatsoever could cripple free software projects. The license of your nice DNS server includes the "as-is" wording for good reason.

That said, it is comendable that you've gone out of your way to hold up your software against very high standards. That kind of quality speaks for itself :)

[asddubs]

Why is Lua 5.1 the most popular version?

[strenholme]

Very good question. I can tell you why I chose Lua 5.1 for MaraDNS:

• Lua 5.1 is smaller than Lua 5.4

• Lua 5.1 is LuaJIT compatible; Lua 5.4/5.5 isn’t as compatible

LuaJIT is a version of Lua 5.1 which is an incredibly fast scripting language because it, in real time, compiles Lua 5.1 code in to native instructions. The only wart LuaJIT has is that its RISC-V port is incomplete, but that will undoubtedly change as RISC-V slowly gets more popular.

The other reason to stick to Lua5.1 is because Lua changes its syntax between versions; e.g. bitwise operations in Lua 5.4 are very different than how they are done in Lua5.1, to the point it’s difficult to make a polyglot library which can do bitwise operations in both Lua 5.1 and Lua 5.4. I am of the opinion Lua 5.3 should had been named Lua 6.0 for the simple reason that having native integers in Lua is a pretty significant backwards compatibility breaking change.

Since Lua (well, Lunacy) is the only tool in MaraDNS which isn’t standardized (e.g. MaraDNS uses only POSIX-comatible shell scripts, it uses “make” because that’s a standardized tool with multiple implementations, C is also a standard with multiple implementations, etc.), sticking to Lua5.1 allows me to use a version of Lua with multiple implementations and, as such, is informally standardized.

[asddubs]

appreciate the answer!

[theamk]

Unless the service accepts Lua code from the internet (and that would be a completely insane thing), the CVE-2014-5461 will not apply. And while I have not reviewed every Lua CVE, I bet most (all?) of then require a specifically crafted code, or at least highly-complex user input (such as arbitrary json)

It's important to look at the actual vulnerability at the context, and not just list any CVE which matches by version.

[strenholme]

I should explain how MaraDNS uses Lua 5.1 (actually, Lunacy, my own fork with security bugs fixed as well as security hardening—including, yes, a patch against CVE-2014-5461), so you can get an idea of its attack surface.

MaraDNS has three components:

• MaraDNS, the authoritative server, which goes back all the way to 2001

• Deadwood, the recursive server, which was started back in 2007

• coLunacyDNS, which allows a DNS server to use Lua scripting; this didn’t exist until the COVID pandemic

Neither MaraDNS nor Deadwood use Lunacy (except as a scripting engine for converting documents); only coLunacyDNS uses Lunacy. coLunacyDNS uses a sandboxed and security hardened version of Lunacy (and, yes, I would accept bugs where someone could escape that sandbox), and the Lua scripts which coLunacyDNS uses can only be controlled by a local user and there is no capability to run Lua scripts remotely.

[koolba]

> coLunacyDNS, which allows a DNS server to use Lua scripting; this didn’t exist until the COVID pandemic

Why would a DNS server use Lua scripting? Is this for dynamically responding to requests rather than doing a pure lookup?

[strenholme]

It’s useful for things like 10.1.2.3.ip4.internal style queries, or having a DNS server that always returns a given IP for any query given to it.

More discussion is on the coLunacyDNS overview page:

https://samboy.github.io/MaraDNS/coLunacyDNS/

[shakna]

Its important to maintain your dependencies, by say embedding Lua, rather than rebranding it and then claiming you have no security flaws.

If I can find a CVE that _may_ affect the stack in five minutes, what _actual_ problems lurk there?

You vendor Lua - thus, it _is_ your responsibility to review every Lua CVE. You've set yourself up as the maintainer by vendoring.

[strenholme]

You weren’t replying to me. The parent poster made a good point—a vulnerability in Lua doesn’t mean software running Lua can necessarily be exploited—but, more to the point, I do update Lunacy and make sure it’s secure, just as I still take responsibility for verified important security holes in MaraDNS.

See this, for example:

https://samboy.github.io/MaraDNS/webpage/security.html#CVE-2...

[ajross]

That seems wildly naive in the post-XSS era. We've been here before, and that kind of analysis turns out to be wrong almost every time.

"Well, sure, this component is insecure but an attacker can't reach it" is like a 50%+ positive signal for an unexpected privilege elevation bug.

[cesarb]

> It's important to look at the actual vulnerability at the context, and not just list any CVE which matches by version.

Unfortunately, that's not enough. Even if the vulnerable parts of the code are not being built, heck even if they have been completely erased from the source code, the auditors will still insist that you're vulnerable and must immediately upgrade, or else they will give your software a failing grade.

[gcr]

MaraDNS is much less popular than dnsmasq though.

I have several libraries that I've written. Not one single serious security bug in them has been found since 1991. Granted, nobody uses my libraries...

Not to diminish your team's achievement! :D But it's important to contextualize claims like this with information about what your userbase looks like

[strenholme]

A lot of security and other audits have been performed against it though; MaraDNS, after all, is notable enough to have a Wikipedia page and hundreds of GitHUB stars.

For example, when the Ghost Domain Name DNS vulnerability was discussed, MaraDNS was audited and named (MaraDNS was immune to the security bug, for the record)

https://web.archive.org/web/20120304054959/https://www.isc.o...

[andrewjf]

I don't think that's relevant. You can still find security issues in software nobody uses.

The question is a matter of impact because of how used the software is.

[VorpalWay]

Way fewer people are going to look at obscure things, so a lower percentage of issues will likely have been found. There is less fame and fotune in spending security research time on obscure software. Most small libraries won't be covered by any bug bounty programs either for example.

[andrewjf]

You don't need other people anymore to find security issues, you can do it yourself with AI.

[rhdnfjtkfmf]

Even accepting the premise, is it not immediately obvious to you that folks will be spending more money and effort aiming AI at higher-impact targets? This isn’t all-or-nothing.

[cwillu]

I remember being delighted finding maradns as an alternative to the “do everything” of dnsmasq way back when I set up a dns server, and more importantly, I haven't had to think about it since then.

[ExoticPearTree]

> Shameless plug time: My own MaraDNS has been extensively audited now that we’re in the age of AI-assisted security audits.

Out of curiosty: what is the point you’re trying to make? That there are alternatives to dnsmasq? That somehow your software is “better”?

This plug provides zero value to the dnsmasq discussion.

As others have pointed out: the more used a software is, the more scrutiny it gets and more bugs or edge cases are found.

[z3ratul163071]

good job. but it is amazing we are still writing core networking tools in vulnerable language such as c in 2026.

[strenholme]

Agreed, it made a lot more sense to write MaraDNS in C in 2001 though.

The main advantage of writing in C over Rust here in 2026 is that C has two different Lua interpreters, and there isn’t a port of Lua to Rust yet; [1] yes, there are ways to use the C version of Lua in Rust, but that’s different.

If I were to write a new server today, I could very well write it in Go, then use GopherLua for the Lua engine:

https://github.com/yuin/gopher-lua

Although, even here, the advantage of C is that I could increase performance by using LuaJIT:

https://luajit.org/luajit.html

[1] If I were to use Rust, I would consider using Rune as an embedded language as per https://rune-rs.github.io/

[kortilla]

Flagged because this discussion about dnsmasq and another dns resolver implementation that has relatively no rollout worldwide by comparison is pointless.

[binaryturtle]

That's a bit shameless, indeed.

dnsmasq has served me well for like an eternity in multiple setups for different use cases. As all software it has bugs. And once located those get fixed. Its author is also easy to communicate with.

Why should I switch over to something way less proven? I'm quite sure your software also has bugs, many still not located. Maybe because it's less popular/ less well known nobody cares to hunt for those bugs? Which means even if the numbers of found bugs is less in your software at the moment, and it may look more audited for this reason, it may actually be way less secure.

[rgkpz]

"All software has bugs" is the most meaningless statement ever. It is just used for bonding with fellow bug writers who sit at a virtual campfire and muse about inevitabilities.

Demonstrably some software has fewer bugs, and its authors are often hated, especially if they are a lone author like Bernstein. Because it must not happen!

Projects with useless churn and many bug reports are more popular because only activity matters, not quality.

[dc396]

If DJB is "hated", it isn't because he's a lone author (Linus Torvalds was once a lone author and I don't think he was hated). It's because he can be an asshole. To quote George Bernard Shaw, “The reasonable man adapts himself to the world: the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man.”

[strenholme]

DJB is a lot of things, and I have great respect for him, even though I feel he didn’t responsibly maintain Qmail/DJBdns/Publicfile. He made MaraDNS more secure because I carefully read his documentation—I got the idea to have a random source port to give MaraDNS more security from him, which means MaraDNS was unscathed when DNS spoofing was independently discovered in 2007.

The point DJB made was this: It was possible for a skilled C programmer to make a server with few security holes. Even though that’s not as relevant now, with Rust having most of the speed of C and security built in, it did make the Internet a safer place for many years. I remember using Qmail and DJBdns to make the servers at the small company I worked for at the time more secure.

[shermantanktop]

“Fellow bug writers” is everyone. People who write fewer bugs exist, and a lone few who write many fewer.

I haven’t noticed antipathy, but I have noticed skepticism. I assume people with outlier records in any field get some extra inspection.

If it becomes jealousy-fueled not-picking, those people are insecure jerks. But unusual track records are worth understanding.

[vasco]

> Demonstrably some software has fewer bugs

You literally write fewer instead of none, therefore agreeing with the sentence you claimed to say is meaningless.

[zx8080]

> "All software has bugs" is the most meaningless statement ever.

It's not! It's the foundation of all dev AI products marketing.

[zamadatix]

"All software has bugs" so "be wary of the one trying to say they haven't had any in 3 years" not so "I guess all are equal". For extremely low security bug rates either the scope is extremely narrow, the claim is dubious, or the project is a massive effort which the community talks about directly in posts rather than plugs (e.g. curl).

[strenholme]

DJB, with Qmail and DjbDNS (as well as Publicfile, which didn’t catch on in an era of CGI scripts), showed that one could have (mostly) security bug free software without the scope being “extremely narrow”, and without the claim being “dubious”.

It’s not normal for software to be so poorly written, one doubts the claim that a security bug hasn’t been found in over three years. If one thinks the claim of no security bugs of consequence in three years is dubious, feel free to do a security audit of MaraDNS (or DjbDNS, which I also will take responsibility for even though my software is, if you will, a “competitor” to DjbDNS), and report any bugs you find.

Speaking of DJB, DjbDNS has had a few security bugs over the years (but not that many), but I’m maintaining a fork of DjbDNS with all of the security bugs I know about fixed:

https://github.com/samboy/ndjbdns

I am saying all this as someone who has had significant enough issues with DJB’s software, I ended up writing my own DNS server so I didn’t have to use his server (I might not had done so if DjbDNS was public domain in 2001, but oh well).

(As a matter of etiquette, it’s a little rude to claim someone is saying something “dubious”, especially when the claim is backed up with solid evidence [multiple audits didn’t find anything of significance in the last year, as I documented above], unless you have solid evidence the claim is dubious, e.g. a significant security hole more recent than three years old)

[3ASAF]

People here don't know that MaraDNS was already popular on extremely critical security mailing lists that basically hated anything but qmail and postfix. If you introduce more bugs and blog about them, it will probably gain in popularity. :)

[fc417fc802]

> It’s not normal for software to be so poorly written, one doubts the claim that a security bug hasn’t been found in over three years.

Can you back that claim up with at least some sort of theory? Because it doesn't match my perception of the real world, nor does it match my mental model of how CVEs happen.

[strenholme]

Yes, I can.

https://samboy.github.io/MaraDNS/webpage/DNS.security.compar...

Also, my sister post: https://news.ycombinator.com/item?id=48112042

[zamadatix]

I never used Qmail, so I won't comment on it, but I will say I absolutely consider djbdns narrow in scope as well (before accounting the Unix approach, utilized perhaps even more than in MaraDNS, to break that already narrowed scope down into even more focused binaries).

I had believed (and continue to hold) DNS software containing, e.g., an authoritative DNS server which lacks native TCP or DNSSEC support falls squarely into the "narrowly scoped" bucket and would appreciate if you'd not try to decide my opinion for me on any given project in the future.

[strenholme]

The point of djbdns and qmail was this: It allowed administrators to run a local DNS server securely without needing to constantly patch the code. They were limited in scope, but were perfect for admins who valued security over features.

In an era when DNS was otherwise a monoculture, djbdns was a welcome breath of fresh air.

https://lwn.net/2001/0208/

[daneel_w]

> Why should I switch over to something way less proven?

Must they prove their software to you? They're offering an alternative, not bargaining for a deal.

[fc417fc802]

When you offer up an alternative as technically superior in some manner then yes, it is on you to demonstrate such a claim in a convincing manner. "No bugs in 3 years in this software with a much smaller audience and also look AI audits!" comes across as off topic shameless self promotion. At least if an insightful technical discussion ensued the subthread might prove worthwhile but so far it's just the usual tired shit flinging.

[strenholme]

I have far more evidence of a very good security record with MaraDNS than “No bugs in 3 years in this software with a much smaller audience and also look AI audits!”

• The software has been around for 25 years

• The software is popular enough to have been subjected to dozens of security code audits, including two audits in the post-AI era

• In those 25 years, only two remote “packet of death” bugs have been found

• Also, in those same 25 years, only one single bug report of remotely exploitable memory leaks has been found

This isn’t something which, as implied here, has a lot of security bugs only because no one has used or audited the software. This is a long term, mature code base which has only had a few serious security bugs in that timeframe.

Here is my evidence:

https://samboy.github.io/MaraDNS/webpage/security.html

If this evidence isn’t “convincing” to you, I don’t know what evidence would be “convincing”.

[fc417fc802]

For what it's worth I didn't know about maradns prior to this. Maybe it actually sees fairly wide use? Whether or not I accept your evidence would hinge on that. Regardless I think my point stands - if you don't lead with a convincing line of reasoning all that's left is an empty assertion. Unless I happen to recognize you as an authority in the field that's not going to do anything for me since by default you're some stranger on the internet that might be a dog for all I know.

To illustrate the issue with an extreme example, consider that a disused repository on github full of security holes is highly unlikely to have any CVEs regardless of age. The software has to present a worthwhile target (ie have a substantial long term userbase) before anyone will bother to look for exploits. (I guess that might change in the near future thanks to AI but I don't think we're there just yet.)

[strenholme]

“The software has to present a worthwhile target (ie have a substantial long term userbase) before anyone will bother to look for exploits”

MaraDNS is a worthwhile target; two people have been auditing it this year, in fact:

https://github.com/samboy/MaraDNS/pull/137

https://github.com/samboy/MaraDNS/security/advisories/GHSA-c...

[BrandoElFollito]

> dnsmasq has served me well for like an eternity in multiple setups for different use cases. As all software it has bugs. And once located those get fixed. Its author is also easy to communicate with.

I concur. The last part, however, is quite worrisome. Dnsmasq is ran by one person, published on their own git and I did not see any information about other maintainers.

It is a super important (and great, and useful, and everything) software and i have fears of what will happen one day.

Sure, someone can clone and push to github but it may seriously fragment the ecosystem.