Runbound has not undergone an external human security audit. See THREAT_MODEL.md for the threat model and planned hardening.
Only the latest released version receives security fixes — there is no LTS.
| Version | Supported |
|---|---|
| 0.9.x | ✅ |
Please report privately via GitHub Private Vulnerability Reporting: https://github.com/redlemonbe/Runbound/security/advisories/new
Do not open a public issue for security problems. Reports are handled on a best-effort basis.
Runbound is distributed under AGPL-3.0 with no warranty (see
LICENSE, sections 15–16): under the open-source license there is no legal or contractual obligation to fix or disclose within a fixed timeframe. Commercial-license customers receive firm, contractual SLAs (e.g. critical fixes within 48 h — see COMMERCIAL_LICENSE.md).
- Transport (DoT / DoH / DoQ, master↔slave sync, WebUI): TLS via rustls 0.23 — TLS 1.2 and 1.3 only (no SSLv3 / TLS 1.0 / 1.1).
- WebUI password hashing: argon2id (m=19456, t=2, p=1).
- Sync relay authentication: HMAC-SHA256 with anti-replay (timestamp ±30 s) and TOFU certificate-fingerprint pinning.
- Audit log: optional HMAC-SHA256 hash-chained, tamper-evident.
- WebUI ↔ API: HTTP-only session cookies + CSRF tokens on mutating requests.
- DNSSEC signing: in-house ECDSA P-256 signer on
ring(RFC 6605 / 4034 / 5155 / 9276), served wire-native on the default path. - TSIG (RFC 8945): HMAC on
ring, with constant-time key-name lookup (subtle::ConstantTimeEq).
- DNS amplification:
ANYqueries are refused (REFUSED) to mitigate amplification; per-source-IP query rate limiting (rate-limit, with configurable v4/v6 prefix bucketing). - DNS rebinding:
private-addressCIDRs are stripped from upstream answers. - Cache poisoning: the forward path validates the upstream response transaction-ID and question before accepting it.
- Reduced attack surface (present): DNS is served by the in-house wire codec
(
serve_wire), and recursion + DNSSEC validation (RRSIG verification, DS/DNSKEY chain-of-trust, NSEC/NSEC3 denial) are entirely in-house (dns::recursor_wire,dns::dnssec_*), on by default. There is norecursorCargo feature.hickory-protois a dev-dependency, used for differential oracle tests. - Access control:
access-controlACLs; the REST API binds to localhost only (the WebUI server proxies/api/*internally). The WebUI itself binds127.0.0.1by default (ui-bind); network exposure requires an explicitui-bind: 0.0.0.0. For TCP/DoT/DoH the real client IP is carried to the handler via a PROXY v2 header soaxfr-allowand split-horizon evaluate the true source. - systemd: the shipped unit runs as a non-root
runbounduser with a least-privilegeCapabilityBoundingSet/AmbientCapabilitiesofCAP_NET_BIND_SERVICEonly,NoNewPrivileges=yes,ProtectSystem=strict,PrivateTmp=yes. The XDP fast path and the firewall-manage feature needCAP_NET_RAW/CAP_NET_ADMIN/CAP_BPF/CAP_PERFMON— an explicit, commented opt-in. - Bot/scanner defense: honeypot trap routes with configurable banning.
- Supply chain: release binaries are signed with minisign and ship a
CycloneDX SBOM plus
SHA256SUMS; reproducible-build and signature-verification steps are in docs/BUILD.md.cargo audit/cargo denyare configured (deny.toml/audit.toml) and available viamake audit/make deny, but are not yet wired into the GitHub Actions CI workflow.
- No external human security audit yet.
- Strict Response Rate Limiting (RFC 5358) is not implemented (ANY-block + per-IP query limiting only).
- The REST API default transport is a bearer token over localhost HTTP; an
owner-only Unix socket (mode 0600,
api-socket) is available as a hardened alternative (localhost mTLS is on the roadmap).