Forem: Aviv Cohen The latest articles on Forem by Aviv Cohen (@colocohen). https://forem.com/colocohen https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3484740%2F70818aa6-e431-41c5-8eed-c812ac483913.jpeg Forem: Aviv Cohen https://forem.com/colocohen en Building Your Own Load Balancer in Node.js Aviv Cohen Wed, 17 Sep 2025 18:57:20 +0000 https://forem.com/colocohen/building-your-own-load-balancer-in-nodejs-on4 https://forem.com/colocohen/building-your-own-load-balancer-in-nodejs-on4 <h2> Why you need a load balancer </h2> <p>Imagine your website suddenly becomes popular. Hundreds or thousands of users are visiting at the same time.<br><br> If all of them land on one server, that server will slow down, maybe even crash.</p> <p>The natural solution is to run more than one server — maybe two, three, or ten — and spread the traffic between them.<br><br> The missing piece is a <strong>“traffic director”</strong> that decides who goes where. That’s what a <strong>load balancer</strong> is: it makes sure no single server carries all the weight.</p> <h2> Different approaches to load balancing </h2> <p>There are several ways to share traffic. Each approach works differently and comes with its own pros and cons:</p> <h3> 1) Reverse Proxy </h3> <p><strong>How it works:</strong> All traffic first goes through one main server — the reverse proxy. It accepts every request and forwards it to another backend server. This can be done at the transport layer or the application layer.</p> <p><strong>Example:</strong> A network load balancer forwarding TCP packets to different machines; or Nginx acting as a reverse proxy for HTTP requests.</p> <ul> <li>✅ <strong>Pros:</strong> <ul> <li>Simple to configure.</li> <li>Works with any application.</li> <li>Easy to add features like TLS termination, WebSockets, or header manipulation.</li> </ul> </li> <li>⚠️ <strong>Cons:</strong> <ul> <li>Everything passes through one “gatekeeper.”</li> <li>If that proxy server gets overloaded or is physically far from the user, performance suffers.</li> <li>It can become a single point of failure.</li> </ul> </li> </ul> <h3> 2) Redirector Server </h3> <p><strong>How it works:</strong> Instead of proxying every request forever, the main server can redirect the client to a more specific server or subdomain. For example, the proxy receives the first request, decides that this user should go to eu.example.com, and responds with a redirect. From then on, the client talks directly to that server.</p> <p><strong>Example:</strong> A Node.js server that checks the client’s IP location, then replies: “302 Redirect → us1.example.com” or “eu2.example.com.”</p> <ul> <li>✅ <strong>Pros:</strong> <ul> <li>After the first step, traffic no longer flows through the main proxy — reducing load on it.</li> </ul> </li> <li>⚠️ <strong>Cons:</strong> <ul> <li>Users still depend on that central server for the first connection.</li> <li>If it’s busy or goes down, new sessions can’t be routed correctly.</li> </ul> </li> </ul> <h3> 3) Anycast / IP‑level routing (used by Cloudflare, Google, etc.) </h3> <p><strong>How it works:</strong> The same IP address is announced from multiple geographic locations using BGP. Internet routing automatically directs users to the nearest announcement.</p> <p><strong>Example:</strong> 1.2.3.4 is announced from Amsterdam and New York; BGP delivers client traffic to the closest point.</p> <ul> <li>✅ <strong>Pros:</strong> <ul> <li>Very fast.</li> <li>Automatic.</li> <li>Resilient.</li> </ul> </li> <li>⚠️ <strong>Cons:</strong> <ul> <li>Requires BGP announcements and AS management.</li> <li>Only available to large providers.</li> <li>Not realistic for small companies or developers.</li> </ul> </li> </ul> <h3> 4) DNS-based Routing </h3> <p><strong>How it works:</strong> Your authoritative DNS server returns different IP answers depending on the query (by looking at client subnet via ECS, resolver IP, or other decision inputs). This effectively routes clients to different data centers before any TCP connection happens.</p> <p><strong>Example:</strong> For example.com, US users get 192.0.2.10, EU users get 198.51.100.20.</p> <ul> <li>✅ <strong>Pros:</strong> <ul> <li>Lightweight.</li> <li>Scalable.</li> <li>Avoids a single choke point.</li> </ul> </li> <li>⚠️ <strong>Cons:</strong> <ul> <li>Changes are not instant.</li> <li>Some delay because of caching and resolver behavior.</li> </ul> </li> </ul> <h2> The Best Approach: DNS‑based routing </h2> <p>The most practical way to balance traffic without expensive hardware or complex BGP setups is to <strong>use DNS itself</strong>.<br><br> Every connection on the internet starts with a DNS lookup — so if you control the DNS answers, you control where users connect.</p> <p>Think of DNS as a <strong>super‑lightweight version of HTTP</strong>:</p> <ul> <li>The client asks: <em>“What’s the IP of example.com?”</em> </li> <li>Your authoritative server replies: <em>“Connect to 203.0.113.10.”</em> </li> </ul> <p>One tiny request, one tiny response — no heavy proxy in the middle. </p> <p>By taking advantage of this mechanism, you can decide on the fly:</p> <ul> <li>🌍 Which server is closest to the user (geo-routing).</li> <li>❤️ Which servers are healthy and ready (health-aware routing).</li> <li>⚖️ How to split traffic between servers (weighted or canary testing).</li> </ul> <p>This makes DNS a traffic director built into the internet itself — fast, lightweight, and surprisingly flexible.</p> <p>Most traditional DNS software only gives static answers from a zone file. But if you want dynamic answers — logic that changes per user, per query, per moment — that’s where Node.js shines. With a few lines of JavaScript you can program the authoritative server itself and take full control.</p> <h2> Implementing a DNS‑Based Load Balancer with Node.js </h2> <p>To actually build a DNS‑based load balancer, you need a library that can act as an authoritative DNS server. And in the Node.js ecosystem there’s one library that really makes this possible: <a href="https://www.npmjs.com/package/dnssec-server" rel="noopener noreferrer"><strong>dnssec-server</strong></a>.</p> <p>Unlike traditional DNS software, which mostly relies on static zone files, <code>dnssec-server</code> lets you generate answers programmatically — with the same simplicity as Node’s built‑in HTTP module. That means your application can decide, in real time, what IPs to return. It’s the only Node.js library that brings this level of dynamic control and DNSSEC support out of the box.</p> <p>Here’s how it works at a high level:</p> <ol> <li>📩 A DNS query arrives (for example, <code>example.com</code> type A). </li> <li>⚙️ Your handler function runs, where you can inspect the query, check GeoIP, consult a health map, or apply custom logic. </li> <li>📤 You return one or more answers (<code>A</code> for IPv4, <code>AAAA</code> for IPv6), each with its own TTL. </li> </ol> <p>Let’s see it in practice.</p> <h3> Example 1 — Geo‑based answer (A/AAAA), annotated </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Import the library and GeoIP helper</span> <span class="kd">const</span> <span class="nx">dns_server</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">dnssec-server</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">geoip</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">geoip-lite</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// 🌍 Region → IP mapping for both IPv4 (A) and IPv6 (AAAA)</span> <span class="kd">const</span> <span class="nx">EDGES</span> <span class="o">=</span> <span class="p">{</span> <span class="na">us</span><span class="p">:</span> <span class="p">{</span> <span class="na">A</span><span class="p">:</span> <span class="dl">'</span><span class="s1">192.0.2.10</span><span class="dl">'</span><span class="p">,</span> <span class="na">AAAA</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2001:db8:10::10</span><span class="dl">'</span> <span class="p">},</span> <span class="na">eu</span><span class="p">:</span> <span class="p">{</span> <span class="na">A</span><span class="p">:</span> <span class="dl">'</span><span class="s1">198.51.100.20</span><span class="dl">'</span><span class="p">,</span> <span class="na">AAAA</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2001:db8:20::20</span><span class="dl">'</span> <span class="p">}</span> <span class="p">};</span> <span class="c1">// 🔍 Simple region picker by country code</span> <span class="kd">function</span> <span class="nf">pickRegion</span><span class="p">(</span><span class="nx">ip</span><span class="p">){</span> <span class="kd">const</span> <span class="nx">looked</span> <span class="o">=</span> <span class="nx">geoip</span><span class="p">.</span><span class="nf">lookup</span><span class="p">(</span><span class="nx">ip</span><span class="p">)</span> <span class="o">||</span> <span class="p">{};</span> <span class="kd">const</span> <span class="nx">cc</span> <span class="o">=</span> <span class="nx">looked</span><span class="p">.</span><span class="nx">country</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">US</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">EU</span> <span class="o">=</span> <span class="p">{</span> <span class="na">DE</span><span class="p">:</span><span class="mi">1</span><span class="p">,</span> <span class="na">FR</span><span class="p">:</span><span class="mi">1</span><span class="p">,</span> <span class="na">NL</span><span class="p">:</span><span class="mi">1</span><span class="p">,</span> <span class="na">IT</span><span class="p">:</span><span class="mi">1</span><span class="p">,</span> <span class="na">ES</span><span class="p">:</span><span class="mi">1</span><span class="p">,</span> <span class="na">PL</span><span class="p">:</span><span class="mi">1</span><span class="p">,</span> <span class="na">SE</span><span class="p">:</span><span class="mi">1</span> <span class="p">};</span> <span class="k">return</span> <span class="nx">EU</span><span class="p">[</span><span class="nx">cc</span><span class="p">]</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">eu</span><span class="dl">'</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">us</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// 🚀 Create the DNS server</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="nx">dns_server</span><span class="p">.</span><span class="nf">createServer</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Only handle queries for our domain</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">name</span> <span class="o">==</span> <span class="dl">'</span><span class="s1">example.com.</span><span class="dl">'</span><span class="p">){</span> <span class="kd">const</span> <span class="nx">region</span> <span class="o">=</span> <span class="nf">pickRegion</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">remoteAddress</span><span class="p">);</span> <span class="c1">// 📡 Add IPv4 answer if requested</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">A</span><span class="dl">'</span> <span class="o">||</span> <span class="nx">req</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">ANY</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nx">answers</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">A</span><span class="dl">'</span><span class="p">,</span> <span class="na">ttl</span><span class="p">:</span> <span class="mi">30</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">address</span><span class="p">:</span> <span class="nx">EDGES</span><span class="p">[</span><span class="nx">region</span><span class="p">].</span><span class="nx">A</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// 📡 Add IPv6 answer if requested</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">AAAA</span><span class="dl">'</span> <span class="o">||</span> <span class="nx">req</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">ANY</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nx">answers</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AAAA</span><span class="dl">'</span><span class="p">,</span> <span class="na">ttl</span><span class="p">:</span> <span class="mi">30</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">address</span><span class="p">:</span> <span class="nx">EDGES</span><span class="p">[</span><span class="nx">region</span><span class="p">].</span><span class="nx">AAAA</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">();</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>Each query for <code>example.com</code> is checked against the user’s IP. We decide if the user is closer to <code>us</code> or <code>eu</code>, then send back both A (IPv4) and AAAA (IPv6) records with a 30s TTL.</p> <h3> Example 2 — Health‑aware answer (skip unhealthy regions), annotated </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Import the library</span> <span class="kd">const</span> <span class="nx">dns_server</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">dnssec-server</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// 🩺 Track health of each region (updated by background checks)</span> <span class="kd">let</span> <span class="nx">health</span> <span class="o">=</span> <span class="p">{</span> <span class="na">us</span><span class="p">:</span><span class="kc">true</span><span class="p">,</span> <span class="na">eu</span><span class="p">:</span><span class="kc">true</span> <span class="p">};</span> <span class="c1">// 🌍 Region → IP mapping</span> <span class="kd">const</span> <span class="nx">EDGES</span> <span class="o">=</span> <span class="p">{</span> <span class="na">us</span><span class="p">:</span> <span class="p">{</span> <span class="na">A</span><span class="p">:</span> <span class="dl">'</span><span class="s1">192.0.2.10</span><span class="dl">'</span><span class="p">,</span> <span class="na">AAAA</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2001:db8:10::10</span><span class="dl">'</span> <span class="p">},</span> <span class="na">eu</span><span class="p">:</span> <span class="p">{</span> <span class="na">A</span><span class="p">:</span> <span class="dl">'</span><span class="s1">198.51.100.20</span><span class="dl">'</span><span class="p">,</span> <span class="na">AAAA</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2001:db8:20::20</span><span class="dl">'</span> <span class="p">}</span> <span class="p">};</span> <span class="c1">// ⚙️ Function to choose the best healthy region</span> <span class="kd">function</span> <span class="nf">bestRegion</span><span class="p">(){</span> <span class="k">if </span><span class="p">(</span><span class="nx">health</span><span class="p">.</span><span class="nx">eu</span><span class="p">)</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">eu</span><span class="dl">'</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">health</span><span class="p">.</span><span class="nx">us</span><span class="p">)</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">us</span><span class="dl">'</span><span class="p">;</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">us</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// fallback</span> <span class="p">}</span> <span class="c1">// 🚀 Create the DNS server</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="nx">dns_server</span><span class="p">.</span><span class="nf">createServer</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Only handle queries for our domain</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">name</span> <span class="o">==</span> <span class="dl">'</span><span class="s1">example.com.</span><span class="dl">'</span><span class="p">){</span> <span class="kd">const</span> <span class="nx">region</span> <span class="o">=</span> <span class="nf">bestRegion</span><span class="p">();</span> <span class="c1">// 📡 Add IPv4 answer if requested</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">A</span><span class="dl">'</span> <span class="o">||</span> <span class="nx">req</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">ANY</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">req</span><span class="p">.</span><span class="nx">answers</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">A</span><span class="dl">'</span><span class="p">,</span> <span class="na">ttl</span><span class="p">:</span> <span class="mi">30</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">address</span><span class="p">:</span> <span class="nx">EDGES</span><span class="p">[</span><span class="nx">region</span><span class="p">].</span><span class="nx">A</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// 📡 Add IPv6 answer if requested</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">AAAA</span><span class="dl">'</span> <span class="o">||</span> <span class="nx">req</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">ANY</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nx">answers</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AAAA</span><span class="dl">'</span><span class="p">,</span> <span class="na">ttl</span><span class="p">:</span> <span class="mi">30</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">address</span><span class="p">:</span> <span class="nx">EDGES</span><span class="p">[</span><span class="nx">region</span><span class="p">].</span><span class="nx">AAAA</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">();</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>We maintain a small health map that tells us which regions are alive. If EU is healthy we send users there, otherwise they go to US. The logic is simple, but powerful enough to keep traffic flowing smoothly.</p> <h2> Pointing your Domain to Your Node.js Server </h2> <p>The DNS server that answers is not necessarily the same server that hosts your site files. In many cases, you may be using DNS services from your domain registrar (e.g. Namecheap, GoDaddy), a cloud provider (e.g. AWS Route 53, Cloudflare DNS), or traditional DNS software like <strong>BIND</strong> running on a separate server.</p> <p>If you haven’t explicitly set up your own authoritative DNS server, then by default your DNS is being served by one of those services.</p> <p>Here is how to set your domain’s NS (Name Server) records to point to your machine:</p> <p>Everyone who has ever configured a domain has seen something like this:</p> <ul> <li> <code>ns1.example.com</code> → points to IP of your Node.js DNS server. </li> <li> <code>ns2.example.com</code> → secondary server for redundancy.</li> </ul> <p>For example, in Namecheap’s dashboard you would:</p> <ol> <li>Go to <strong>Domain List</strong>. </li> <li>Select your domain, click <strong>Manage</strong>. </li> <li>Under <strong>Nameservers</strong>, choose <strong>Custom DNS</strong>. </li> <li>Enter <code>ns1.example.com</code> and <code>ns2.example.com</code> and IP address for each of them. </li> </ol> <p>Once saved and propagated, queries for your domain will start hitting your Node.js server. From there you have full programmatic control over the answers you return, and that means your DNS layer becomes part of your application logic — agile and reactive, adapting to your needs without relying on third‑party services.</p> <h2> Join the discussion </h2> <p>💬 Have questions? Ideas for improvements? Or maybe you’ve tried building your own DNS‑based load balancer and want to share your experience?<br><br> Feel free to leave a comment or start a discussion — your feedback helps improve the tools and guides for everyone.</p> webdev devops dns kubernetes Enable DNSSEC Support in Your Node.js Application Aviv Cohen Thu, 11 Sep 2025 04:37:12 +0000 https://forem.com/colocohen/enable-dnssec-support-in-your-nodejs-application-b4j https://forem.com/colocohen/enable-dnssec-support-in-your-nodejs-application-b4j <h2> The Internet Relies on DNS – and That’s Where the Problem Begins </h2> <p>Every visit to a website, every time an app communicates with a server – it all starts with a simple but critical step: <strong>translating a domain name into an IP address</strong>. The DNS system is the phone book of the Internet. Without DNS, we’d be stuck typing long IP numbers instead of easy-to-remember names like <code>example.com</code>.</p> <p>But DNS was born in a different era. In the 1980s, the Internet was still a small academic network. Nobody imagined it would become a global infrastructure supporting banks, governments, e-commerce, and billions of users. As a result, <strong>DNS was designed without cryptographic security</strong>. In simple terms: when you get an answer from DNS – who guarantees it’s really correct?</p> <p>Here lies the problem: an attacker can intercept your query or inject a fake answer, tricking you into visiting a malicious site. This isn’t theoretical – such attacks, known as <strong>DNS Spoofing</strong> or <strong>Cache Poisoning</strong>, have happened many times. A user thinks they are visiting <code>bank.com</code>, but in reality ends up on a fraudulent server.</p> <h2> “But I Have SSL – Isn’t That Enough?” </h2> <p>This is a common misconception. For years the world has moved to HTTPS with SSL/TLS certificates. Shouldn’t that guarantee security?</p> <p>The truth is more nuanced:</p> <ul> <li> <strong>SSL/TLS</strong> protects communication between the user and the server – but only <em>after</em> the user has reached the correct server.</li> <li> <strong>DNSSEC</strong> protects the step before that – ensuring the user even gets to the right server in the first place.</li> </ul> <p>In other words:</p> <ul> <li>DNSSEC makes sure the phone book isn’t lying.</li> <li>TLS ensures the conversation with the right number is encrypted.</li> </ul> <p>In reality, there have been cases where Certificate Authorities (CAs) were compromised, issuing fraudulent certificates. If the user reached the wrong server in the first place, TLS couldn’t save them. That’s where DNSSEC comes in – preventing that initial deception.</p> <h2> The Challenges and Developments in DNSSEC </h2> <p>Although DNSSEC has existed for two decades, adoption is still limited. There are several reasons: existing tools are complex and require deep expertise (like BIND or PowerDNS), awareness among developers is low, support from some TLDs and registrars is incomplete, and business pressure is often lacking – even major sites and banks sometimes don’t implement DNSSEC.</p> <p>That said, the tide is shifting. Services like <strong>Google Public DNS</strong> and <strong>Cloudflare 1.1.1.1</strong> validate DNSSEC by default. Governments around the world are beginning to require public-sector domains to be signed. Organizations like <strong>ICANN</strong> and the IETF continue to push new policies and standards. Research shows steady growth in the number of signed domains, though not yet at a sufficient pace.</p> <p>The importance of DNSSEC in 2025 is clear: threats are increasing – from attacks on databases, to widespread use of insecure public WiFi, to society’s total dependence on the Internet. DNSSEC has gone from a “nice-to-have” to a critical layer of defense. It doesn’t replace SSL – it <strong>complements it</strong>. SSL secures communication with the server, while DNSSEC ensures the user actually reached the right server. Together, they complete the trust chain.</p> <h2> Business and Reputational Benefits of DNSSEC </h2> <p>Beyond the technical advantages, DNSSEC also has reputational and business value:</p> <ul> <li>✅ <strong>Message to customers</strong>: A DNSSEC-signed site signals seriousness and responsibility.</li> <li>✅ <strong>Competitive advantage</strong>: Few sites adopt it, so those who do stand out.</li> <li>✅ <strong>Potential SEO impact</strong>: In the past, Google gradually removed non-SSL sites from search results. It’s possible the same could happen with DNSSEC in the future. The more security measures your site implements, the more you signal – both to people and to algorithms – that you’re authoritative and trustworthy.</li> <li>✅ <strong>Regulatory readiness</strong>: Many governments are beginning to mandate DNSSEC for public institutions. Businesses that adopt it early will be prepared.</li> </ul> <h2> A New Open-Source Library for DNSSEC in Node.js </h2> <p>When I looked for a way to run DNSSEC in a Node.js project, I found no simple tools. Existing libraries like <code>dns-packet</code> can only parse DNS messages – not sign them. Serious solutions exist in other languages, but they require heavy installations.</p> <p>And this is no small issue: Node.js has become a critical foundation for countless Internet services, applications, and websites. When managing a large app with dozens of services, it’s far more convenient and efficient to keep everything inside Node.js – rather than adding external servers just for DNSSEC. The lack of a native Node.js solution is one reason adoption has been so slow.</p> <p>By the way, since this library runs directly on Node.js, you can also manage complementary DevOps services in the same codebase you already use to build and maintain your systems. This centralizes management and reduces reliance on external tools that require extra learning and maintenance – something most developers don’t have the time or attention for.</p> <p>A new open-source project called <a href="https://github.com/colocohen/dnssec-server" rel="noopener noreferrer">dnssec-server</a> was released to fill this gap:</p> <ul> <li>📦 An open-source Node.js library with a simple API.</li> <li>🔐 Real-time signing of every DNS record.</li> <li>⚡ Lightweight and fast – run it as a script without external daemons.</li> <li>🌍 Supports multiple domains and dynamic zones.</li> <li>🛠 Designed for developers – run locally, test, and integrate into your projects.</li> </ul> <h2> Dynamic DNS Responses with Node.js </h2> <p>An important point is that this library isn’t just about DNSSEC. It also allows you to generate <strong>dynamic responses</strong> based on the incoming query. In traditional setups, most DNS servers behave like static HTML websites: they always return the same answer for the same record. With <strong>dnssec-server</strong>, you can behave more like a dynamic PHP site – adjusting responses on the fly depending on context, logic, or external data sources.</p> <p>This opens the door to advanced use cases: geo‑based answers, load balancing logic, conditional records, or even integrating with other Node.js services in real time – all with DNSSEC signing included.</p> <h2> Basic Usage Example </h2> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">fs</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">tls</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">tls</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">DNSServer</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">dnssec-server</span><span class="dl">'</span><span class="p">);</span> <span class="nx">DNSServer</span><span class="p">.</span><span class="nf">createServer</span><span class="p">({</span> <span class="na">tls</span><span class="p">:</span> <span class="p">{</span> <span class="c1">// enable DNS over TLS (DoT) on port 853 by default</span> <span class="na">SNICallback</span><span class="p">:</span> <span class="nf">function </span><span class="p">(</span><span class="nx">servername</span><span class="p">,</span> <span class="nx">cb</span><span class="p">)</span> <span class="p">{</span> <span class="nf">cb</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="nx">tls</span><span class="p">.</span><span class="nf">createSecureContext</span><span class="p">({</span> <span class="na">key</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">key.pem</span><span class="dl">'</span><span class="p">),</span> <span class="na">cert</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">cert.pem</span><span class="dl">'</span><span class="p">)</span> <span class="p">}));</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="nf">function </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`[</span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">transport</span><span class="p">}</span><span class="s2">] from </span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">remoteAddress</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">remotePort</span><span class="p">}</span><span class="s2"> q=</span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="s2"> </span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">type</span><span class="p">}</span><span class="s2"> </span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="kd">class</span><span class="p">}</span><span class="s2"> DO=</span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">flag_do</span><span class="p">}</span><span class="s2"> ECS=</span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">ecsAddress</span><span class="o">||</span><span class="dl">'</span><span class="s1">-</span><span class="dl">'</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">ecsSourcePrefixLength</span><span class="o">||</span><span class="dl">'</span><span class="s1">-</span><span class="dl">'</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">name</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">example.com.</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">A</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nx">answers</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">example.com.</span><span class="dl">'</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">A</span><span class="dl">'</span><span class="p">,</span> <span class="na">class</span><span class="p">:</span> <span class="dl">'</span><span class="s1">IN</span><span class="dl">'</span><span class="p">,</span> <span class="na">ttl</span><span class="p">:</span> <span class="mi">300</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">address</span><span class="p">:</span> <span class="dl">'</span><span class="s1">200.10.10.1</span><span class="dl">'</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">();</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nx">header</span><span class="p">.</span><span class="nx">rcode</span> <span class="o">=</span> <span class="mi">3</span><span class="p">;</span> <span class="c1">// NXDOMAIN</span> <span class="nx">res</span><span class="p">.</span><span class="nx">authority</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">example.com.</span><span class="dl">'</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SOA</span><span class="dl">'</span><span class="p">,</span> <span class="na">class</span><span class="p">:</span> <span class="dl">'</span><span class="s1">IN</span><span class="dl">'</span><span class="p">,</span> <span class="na">ttl</span><span class="p">:</span> <span class="mi">300</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">mname</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ns1.example.com.</span><span class="dl">'</span><span class="p">,</span> <span class="na">rname</span><span class="p">:</span> <span class="dl">'</span><span class="s1">hostmaster.example.com.</span><span class="dl">'</span><span class="p">,</span> <span class="na">serial</span><span class="p">:</span> <span class="mi">2025081001</span><span class="p">,</span> <span class="na">refresh</span><span class="p">:</span> <span class="mi">3600</span><span class="p">,</span> <span class="na">retry</span><span class="p">:</span> <span class="mi">600</span><span class="p">,</span> <span class="na">expire</span><span class="p">:</span> <span class="mi">604800</span><span class="p">,</span> <span class="na">minimum</span><span class="p">:</span> <span class="mi">300</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">();</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>Check with a DNS client (depending on transport):</p> <ul> <li>Classic UDP/TCP on port 53: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> dig @127.0.0.1 example.com +dnssec </code></pre> </div> <ul> <li>DNS over TLS (DoT) on port 853 (e.g., with <code>kdig</code>): </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kdig +tls @127.0.0.1 <span class="nt">-p</span> 853 example.com A +dnssec </code></pre> </div> <p>You’ll get a response with an RRSIG signature when DNSSEC is enabled, proving the data is authentic and hasn’t been altered.</p> <h3> Feels Like Handling HTTP Requests </h3> <p>Notice how similar this is to returning responses for HTTP requests:</p> <ul> <li> <code>req</code> carries details about the incoming DNS query (name, type, class, transport, EDNS flags).</li> <li> <code>res</code> is your response builder: you push answers/authority/additional sections and call <code>res.send()</code>.</li> <li>You can plug in your own logic, read from databases/APIs, implement georouting or A/B switching, and emit different records dynamically — with DNSSEC signing layered on top.</li> <li>DoT via <code>tls</code> + <code>SNICallback</code> mirrors the familiar TLS setup developers already use in web servers.</li> </ul> <p>This programming model lowers the barrier for Node.js teams: the same patterns you use for HTTP services apply to DNS — in code you control, alongside the rest of your stack.</p> <h2> Conclusion </h2> <p>The Internet can’t keep relying on unsigned DNS. More and more organizations – including global DNS providers and governments – are pushing DNSSEC adoption. Yet most websites, even those handling sensitive financial data, still don’t use it.</p> <p>The lack of easy Node.js tools has been a major barrier. <strong>dnssec-server</strong> was built to address this gap and let developers integrate DNSSEC naturally into the Node.js systems they already manage.</p> <p>🔗 <a href="https://github.com/colocohen/dnssec-server" rel="noopener noreferrer">GitHub – dnssec-server</a></p> node security webdev programming