Make your server appear to exist in quantum superposition - simultaneously as different hardware in multiple locations!
Serious Uses:

- Honeypot obfuscation (make honeypots appear to move)
- Attack response and deception
- Privacy enhancement for public DNS records
- Security research and education

Amusing Uses:

- "Quantum Server" demonstrations
- Confuse network reconnaissance tools
- DNS record experiments

Why deprecated records? HINFO and LOC are deprecated per RFC 8482, making them perfect for experimental security techniques without affecting production services.
```
resource-record-fluctuator/
├── hinfo_loc_fluctuator_ada/   RECOMMENDED - Production Ada implementation
│   ├── src/                    Core Ada modules
│   ├── data/                   68 CPUs, 77 OSes, 52 locations
│   ├── docs/                   Detailed use cases
│   ├── Makefile                Build system
│   └── README.md               Complete documentation
│
├── hinfo_loc_fluctuator/       Reference Elixir prototype (NOT recommended)
│   └── README.md               Why Ada was chosen instead
│
├── CLAUDE.md                   Context for Claude Code sessions
├── LICENSE                     Palimpsest-MPL-1.0 License
└── README.md                   This file
```

```bash
# Navigate to Ada implementation
cd hinfo_loc_fluctuator_ada

# Build
make

# Run
./bin/hinfo_loc_fluctuator
```

Demo Credentials:
- admin / any password (full access)
- user / any password (read-only)
- operator / any password (local modifications)
See [hinfo_loc_fluctuator_ada/README.md](hinfo_loc_fluctuator_ada/README.md) for complete documentation.
Original HINFO/LOC Fluctuation:

- Type-safe HINFO (CPU + OS) and LOC (geographic) records
- Compile-time bounds checking (latitude, longitude, altitude, TTL)
- Random record generation from data pools (68 CPUs, 77 OSes, 52 locations)
- "Quantum Server" mode (simultaneous HINFO + LOC)

Security & Access Control:

- Permission system (None → Read-Only → Modify-Local → Modify-Remote → Admin)
- Session management with 30-minute timeout
- Constant-time password comparison (timing attack prevention)
- Replay attack detection
- Comprehensive audit logging

Infrastructure:

- BIND-format zone file writer
- Scheduled auto-fluctuation (Ada tasking)
- INI-style configuration files
- Thread-safe logging system
- Interactive TUI with ANSI colors

Data:

- 68 CPU types (Intel, AMD, ARM, historical, fictional)
- 77 operating systems (Linux, BSD, Windows, Unix, fictional)
- 52 geographic locations (data centers, exotic locations, fictional)

NEW: Comprehensive DNS Security Platform
The project has been massively expanded into an enterprise-grade DNS security and infrastructure management platform! See [ENTERPRISE_FEATURES.md](hinfo_loc_fluctuator_ada/docs/ENTERPRISE_FEATURES.md) for full details.
Extended DNS Records (ALL types):

- Basic: A, AAAA, PTR, NS, CNAME
- Mail: MX, SPF, DKIM, DMARC
- Security: CAA, TLSA (DANE), SSHFP, APL (CIDR access control)
- Service: SRV, NAPTR
- DNSSEC: DS, DNSKEY, NSEC, NSEC3
- IPv4/IPv6 protocol toggle (Dual-Stack, IPv4-Only, IPv6-Only)
- DNS topology: Standard, Split-Horizon, Primary-Primary, Hidden-Primary
- AXFR (zone transfer) with TSIG authentication

Firewall Integration (firewalld/iptables/nftables/pf):

- Time-based maintenance windows with IP restrictions
- Port rotation (SSH/services on schedule - maintainers calculate offline)
- Service scheduling (MX, RSS, NNTP with time windows)
- Stateful vs stateless firewall rules
- Port knocking support
- IPv4/IPv6 firewall toggle
- Emergency lockdown/recovery modes

Security Headers & Obfuscation:

- Server header obfuscation (Hidden, Obfuscated, Diagnostic modes)
- X-Powered-By hiding
- Diagnostic mode (expose real stack only to authorized IPs with secret token)
- All security headers: HSTS, CSP (with nonces), X-Frame-Options, Referrer-Policy, Permissions-Policy
- Experimental: COEP, COOP, CORP, Expect-CT, NEL
- Integration with HINFO for consistent fake stack across DNS+HTTP

Software-Defined Perimeter (Zero-Trust):

- CSA SDP architecture implementation
- Single Packet Authorization (SPA) with AES-256-GCM encryption
- Zero-trust access control (default deny all)
- Device posture validation (OS, AV, firewall, encryption, patches)
- Continuous authentication and re-verification
- Micro-segmentation for network isolation
- Session management with automatic firewall cleanup
- Trust levels: Untrusted → Device Verified → User Authenticated → Posture Valid → Full Trust

Protocol Management (Modern alternatives to SNMP):

- NETCONF (RFC 6241) - Recommended secure management
- RESTCONF (RFC 8040) - RESTful API over HTTPS
- gNMI - Modern gRPC-based management
- Prometheus/OpenMetrics for metrics export
- SNMP v1/v2c/v3 (with security warnings, disabled by default)
- TLS/mTLS for all management protocols
- Rate limiting and SDP integration

Master Configuration System:

- Deployment modes: Development, Staging, Production, Honeypot, Research
- Configuration profiles with validation
- YAML/JSON import/export
- Hot configuration reload
- Emergency configurations (lockdown, recovery, minimal-safe)
- Migration tools and compatibility checking

Key Enterprise Capabilities:

1. SSH port rotation: Port changes on schedule, maintainers calculate offline
2. Service scheduling: Accept mail/RSS/NNTP only during specific windows
3. Zero-trust SDP: All ports closed, opened only after authentication
4. Stack obfuscation: Consistent fake stack across DNS (HINFO) and HTTP headers
5. Maintainer diagnostics: Real stack info with secret token for troubleshooting

Original conversation:

> User: "I'm concerned about security since this modifies DNS infrastructure."
> Response: "You're absolutely right. Let's use Ada instead."
Ada Security Advantages:
- No buffer overflows - memory safety by design
- Compile-time bounds checking - type Latitude_Degrees is delta 0.000001 range -90.0 .. 90.0;
- Overflow checking - always enabled, even in release builds (-gnato)
- Stack checking - prevents stack overflow (-fstack-check)
- Formal verification - SPARK can mathematically prove correctness
An initial Elixir prototype exists in hinfo_loc_fluctuator/ but is NOT recommended. See [hinfo_loc_fluctuator/README.md](hinfo_loc_fluctuator/README.md) for why Ada was chosen instead.

TL;DR: DNS is critical infrastructure. Ada's compile-time safety > Elixir's runtime convenience.

See [hinfo_loc_fluctuator_ada/docs/USE_CASES.md](hinfo_loc_fluctuator_ada/docs/USE_CASES.md) for detailed scenarios:

- Honeypot Obfuscation - Make honeypots appear to physically move
- Incident Response - Confuse attackers during active response
- Security Research - Teach DNS reconnaissance countermeasures
- Privacy Enhancement - Obscure public server locations
- Testing - Simulate multi-region deployments without cost
- Demos - "Quantum Server" presentations

HINFO (Host Information) - RFC 1035:

- CPU field: Hardware/architecture
- OS field: Operating system
- Deprecated per RFC 8482 (intentional!)

LOC (Location) - RFC 1876:

- Latitude/Longitude in decimal degrees
- Altitude above WGS84 ellipsoid
- Size and precision fields
- Deprecated per RFC 8482 (intentional!)
```ada
-- Compile-time guarantee: latitude CANNOT be out of range
type Latitude_Degrees is delta 0.000001 range -90.0 .. 90.0;

-- Try to create invalid value:
Bad_Lat : Latitude_Degrees := 100.0; -- COMPILE ERROR!

-- This is impossible in Ada - compiler prevents it
-- Elixir/Python/etc. would need runtime check (can be bypassed)
```

```bash
make debug    # No optimization, debug symbols, assertions
make release  # Optimized, but safety checks STILL ENABLED
make prove    # SPARK formal verification mode
```

Security note: Overflow checking (-gnato) and stack checking (-fstack-check) are ALWAYS enabled, even in release builds. This is non-negotiable for DNS security.
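To make the LOC record fields and the range-type argument above concrete, here is an added example (written for this README, not code from the fluctuator's Ada sources) that encodes decimal-degree latitude, longitude and altitude into RFC 1876 wire RDATA and renders it back as the master-file text a BIND-format zone writer emits. The function names `encode_loc`, `encode_precision` and `to_presentation` are this example's own; the size/precision defaults (1 m, 10000 m, 10 m) are RFC 1876's, and the latitude/longitude checks are the runtime equivalent of what the Ada `Latitude_Degrees` type enforces at compile time.

```python
# Encode a DNS LOC record (RFC 1876) from decimal degrees to wire RDATA and
# BIND master-file text. Constructed example, not the fluctuator's own code.
import struct

LAT_OFFSET = 1 << 31        # 2^31 = equator / prime meridian, in ms of arc
ALT_OFFSET = 100_000 * 100  # altitude base: 100,000 m below WGS84, in cm

def encode_precision(cm: int) -> int:
    """Pack a size/precision value in cm into the base*10^exp byte form."""
    if not 0 <= cm <= 9_000_000_000:
        raise ValueError("precision out of range")
    exp = 0
    while cm >= 10 and exp < 9:
        cm //= 10  # keep the leading digit; finer detail is not representable
        exp += 1
    return (cm << 4) | exp

def encode_loc(lat, lon, alt_m=0.0, size_m=1.0, hp_m=10_000.0, vp_m=10.0):
    """Return the 16-byte LOC RDATA; ranges mirror the Ada fixed-point types."""
    if not -90.0 <= lat <= 90.0:       # Ada rejects this at compile time;
        raise ValueError("latitude out of range")   # here it is a runtime check
    if not -180.0 <= lon <= 180.0:
        raise ValueError("longitude out of range")
    alt_cm = round(alt_m * 100) + ALT_OFFSET
    if not 0 <= alt_cm <= 0xFFFFFFFF:
        raise ValueError("altitude out of range")
    return struct.pack(
        "!BBBBIII",
        0,                                      # VERSION, always 0
        encode_precision(round(size_m * 100)),
        encode_precision(round(hp_m * 100)),
        encode_precision(round(vp_m * 100)),
        LAT_OFFSET + round(lat * 3_600_000),    # north of the equator is positive
        LAT_OFFSET + round(lon * 3_600_000),    # east of Greenwich is positive
        alt_cm,
    )

def _dms(ms: int, pos: str, neg: str) -> str:
    """Thousandths of an arc-second -> 'deg min sec.sss hemisphere'."""
    hemi, ms = (pos, ms) if ms >= 0 else (neg, -ms)
    deg, rem = divmod(ms, 3_600_000)
    minute, rem = divmod(rem, 60_000)
    return f"{deg} {minute} {rem / 1000:.3f} {hemi}"

def to_presentation(rdata: bytes) -> str:
    """Render LOC RDATA as the text a BIND-format zone file writer would emit."""
    _, size, hp, vp, lat, lon, alt = struct.unpack("!BBBBIII", rdata)
    prec = lambda b: (b >> 4) * 10 ** (b & 0xF) / 100   # precision byte -> metres
    return (f"{_dms(lat - LAT_OFFSET, 'N', 'S')} {_dms(lon - LAT_OFFSET, 'E', 'W')} "
            f"{(alt - ALT_OFFSET) / 100:.2f}m {prec(size):g}m {prec(hp):g}m {prec(vp):g}m")
```

`encode_loc(51.5, -0.125, alt_m=10.0)` yields RDATA whose presentation form is `51 30 0.000 N 0 7 30.000 W 10.00m 1m 10000m 10m`, and `encode_loc(100.0, 0.0)` raises ValueError, which is exactly the case the Ada type makes unrepresentable.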
- Core DNS types and validation
- Authentication and authorization
- Randomization engine with CSV parser
- Interactive TUI
- Zone file writer
- Logging and configuration
- Scheduled fluctuation
- Comprehensive documentation
- DNS UPDATE wire format encoding
- TSIG authentication implementation
- Production password hashing

Authorized Use Only:

- Authorized penetration testing
- Your own infrastructure
- Research networks and labs
- Honeypot deployments
- Educational demonstrations

Do NOT Use For:

- Unauthorized DNS modification
- Defrauding users about service location
- Violating DNS provider ToS
- Compliance violations (GDPR, HIPAA, etc.)

Always:

- Obtain proper authorization
- Document your use
- Comply with local laws
- Consider ethical implications
Palimpsest-MPL-1.0 License - see [LICENSE](LICENSE) file.
Additional Security Disclaimer: This software modifies DNS infrastructure. Use only with proper authorization. Demo credentials and simplified crypto MUST be replaced for production use.
- RFCs 1034, 1035, 1876, 2136, 2845, 8482
- Ada community for security-focused design
- GNAT compiler team
- Users who prioritize security over convenience

```bash
$ dig quantum.example.com HINFO
quantum.example.com. 300 IN HINFO "Intel-Xeon" "Ubuntu-22.04"

# Wait 30 seconds...
$ dig quantum.example.com HINFO
quantum.example.com. 300 IN HINFO "ARM-Cortex-A72" "Alpine-Linux"

# The server exists in quantum superposition!
```

Remember: Schrödinger's server is both running AND not running until observed. Our server is both Intel AND ARM until queried!
"With great DNS power comes great type safety responsibility."
See TOPOLOGY.md for a visual architecture map and completion dashboard.