The Bunker

Zero-Trust DNS Security Platform with Kernel-Level Integrity Enforcement

A unified security platform written in 100% type-safe Rust, spanning kernel drivers to desktop UI, with FIPS 202 compliant SHA3-512 cryptographic integrity and formal state-machine security transitions.

---

Why This Matters

Most DNS firewalls operate entirely in user space, adding latency and leaving a gap between the network stack and the security decision. The Bunker closes that gap by placing a WFP (Windows Filtering Platform) kernel driver directly in the packet path, backed by a formally verified state machine and hardware-anchored cryptographic integrity.

Property	The Bunker	Typical DNS Firewall
Memory Safety	100% type-safe Rust (no_std kernel, std user)	C/C++ with manual allocation
Kernel Integrity	Direct WFP callout integration, zero user-space wrappers	User-space proxy with elevated privileges
Cryptographic Hash	SHA3-512 (FIPS 202), NIST CAVP validated, constant-time	SHA-256 or MD5, timing-vulnerable comparison
Post-Quantum Readiness	Keccak sponge construction (1600-bit state)	Merkle-Damgard constructions only
Side-Channel Resistance	Branch-free hex encoding, ct_hash_eq() for all comparisons	Standard == with early-exit
IPC Overhead	Zero-copy shared-memory ring buffer (virtio-style)	Named pipes or IOCTL marshalling
Compliance	ISO 27001, BSI Grundschutz, GDPR Art. 32	Varies

For researchers: The sha3-kernel-hasher crate is independently publishable and includes full NIST CAVP test vectors, RustCrypto cross-validation, and academic Harvard-style documentation. We welcome academic feedback on our constant-time implementation.

---

📽️ Project Walkthrough

[Watch: Zero-Trust DNS Security Platform & Kernel-Level Integrity Enforcement] A 6-minute walkthrough of the Bunker Manifesto and technical architecture.

---

---

Overview

The Bunker is an enterprise-grade unified security platform providing kernel-level DNS protection, ransomware defense, MITM detection, and traffic obfuscation. The entire stack compiles as a single Cargo workspace of 9 crates with zero errors and zero warnings.

Key Capabilities

• SHA3-512 SIMD Hashing -- FIPS 202 compliant, AVX2/AVX-512 accelerated, dual-mode (std + no_std)
• WFP Kernel Driver -- Real-time DNS interception via Windows Filtering Platform
• Ransomware Defense -- DGA detection, canary monitoring, Shannon entropy analysis
• MITM Detection -- Certificate pinning, TLS fingerprinting, rogue AP detection
• Poor Man's VPN -- Zero-cost traffic obfuscation (DNSCrypt, DoH, ECH, ODoH)
• Formal State Machine -- Booting -> Secured -> FilteringActive with #[must_use] enforcement
• TPM 2.0 Hardware Anchor -- Non-exportable keys, PCR-sealed storage (Rule 1)
• Privacy-First Audit -- HMAC-SHA256 blind indexing, 30-day hard purge (Art. 32 GDPR)
• Zero-Copy IPC -- Lock-free shared-memory ring buffers between kernel and user mode

Architecture

                        +--------------------------+
                        |     Web UI (Tauri)       |
                        |   Dashboard / Config     |
                        +------------+-------------+
                                     |
                        +------------v-------------+
                        |   User-Mode Service      |
                        |  +-------+ +----------+  |
                        |  | Rule  | | Blocklist|  |
                        |  | Engine| | Manager  |  |
                        |  +-------+ +----------+  |
                        |  +-------+ +----------+  |
                        |  | MITM  | | Ransomware|  |
                        |  | Detect| | Defense   |  |
                        |  +-------+ +----------+  |
                        |  +-------+ +----------+  |
                        |  | Poor  | | Hagezi   |  |
                        |  |Man VPN| | Updater  |  |
                        |  +-------+ +----------+  |
                        +------------+-------------+
                                     | Shared Memory (Zero-Copy)
                        +------------v-------------+
                        |   WFP Kernel Driver      |
                        |  SHA3-512 | WFP Callouts |
                        |  TPM 2.0  | State Machine|
                        +--------------------------+
                                     |
                        +------------v-------------+
                        | Windows Filtering Platform|
                        |   Network Stack (NDIS)   |
                        +--------------------------+

Workspace Structure (9 Crates)

project-2-the-bunker/
+-- kernel-driver/           WFP kernel driver with SHA3-512 + formal state machine
+-- user-mode-service/       Tokio async service: API, blocklist, Hagezi updater
+-- web-ui/                  Tauri desktop app with system tray
+-- rule-engine/             DNS filtering and wildcard matching
+-- shared-types/            IPC message types shared across kernel/user boundary
+-- mitm-detection/          Certificate validation, TLS fingerprinting
+-- ransomware-defense/      DGA detection, canary files, behavioral monitor
+-- poor-man-vpn/            DNSCrypt, DoH, ECH, ODoH traffic obfuscation
+-- sha3-kernel-hasher/      Standalone SHA3-512 crate (AVX2/AVX-512, dual-mode)
+-- docs/                    Compliance and audit documentation
|   +-- ISO_27001_COMPLIANCE.md / _EN.md
|   +-- BSI_COMPLIANCE.md / _EN.md
|   +-- GDPR_COMPLIANCE.md / _EN.md
|   +-- SECURITY_AUDIT.md / _EN.md
|   +-- DOKUMENTATION.md / _EN.md
|   +-- BUILD_TROUBLESHOOTING.md
+-- Cargo.toml               Workspace root (resolver = "2")

Quick Start

Prerequisites

• Windows 10/11 (x64)
• Rust 1.73+ (stable)
• Visual Studio 2022 with C++ Build Tools
• Windows Driver Kit (WDK) 10 (optional, for kernel-mode builds)

Build

# Full workspace check (all 9 crates, ~10s)
cargo check --release

# Build user-mode components
cargo build --release -p project-2-the-bunker-user-service

# Build kernel driver (requires WDK)
cargo build --release -p project-2-the-bunker-kernel-driver --features kernel-mode

# Run SHA3 benchmarks
cargo bench -p sha3-kernel-hasher

Driver Installation (Test-Signed)

signtool sign /v /s myCertificateStore /t http://timestamp.digicert.com /a bunker-dns-driver.sys
sc create BunkerDNS type= kernel binPath= C:\bunker-dns\bunker-dns-driver.sys
sc start BunkerDNS

Security Features

Kernel Layer

• WFP Callouts - Inspect/pass/drop only; heavy logic offloaded to user mode
• SHA3-512 Golden Image - Every process validated before execution (Rule 4)
• Formal State Machine - SecurityStatus enum with #[must_use] (Rule 3)
• Zero-Overhead IPC - Shared-memory ring buffers, no context-switch (Rule 5)

User-Mode Layer

• Rule Engine - Wildcard matching, Aho-Corasick blocklists, Hagezi integration
• Ransomware Defense - Shannon entropy, DGA probability, canary domain monitoring
• MITM Detection - x509 validation, CT log verification, certificate pinning
• Poor Man's VPN - DNSCrypt 2.0, DNS-over-HTTPS, Encrypted Client Hello, ODoH

Compliance

• ISO/IEC 27001:2022 - Information security management
• BSI IT-Grundschutz - German federal security standard
• GDPR / DSGVO - Privacy by design, blind indexing, hard purge
• Common Criteria - Formal security target evaluation

See docs/ for full compliance documentation.

Performance

Metric	Value	Notes
SHA3-512 (AVX-512)	~2.5 GB/s	SIMD-accelerated Keccak
SHA3-512 (AVX2)	~1.2 GB/s	Fallback SIMD path
SHA3-512 (Software)	~200 MB/s	Pure Rust, no intrinsics
Kernel DNS latency	< 1 ms	WFP inspect + pass/drop
Memory footprint	< 50 MB	All engines combined
CPU overhead	< 2%	Under full DNS load

Run cargo bench -p sha3-kernel-hasher for live results on your hardware.

Configuration

{
  "hashing": {
    "strategy": "dual_hash",
    "sha3_512_priority": "high",
    "cache_ttl_seconds": 300,
    "zero_copy_enabled": true
  },
  "behavioral_ai": {
    "dns_beaconing_enabled": true,
    "entropy_analysis_enabled": true,
    "auto_quarantine_on_anomaly": true,
    "min_confidence_threshold": 0.7
  },
  "poor_man_vpn": {
    "dns_crypt": true,
    "doh": true,
    "ech": true,
    "odoh": false
  }
}

REST API

GET  /api/status              System health and engine status
GET  /api/hal/cpu_features    SIMD capability detection
GET  /api/hashing/stats       SHA3-512 throughput metrics
GET  /api/behavioral/anomalies  DGA and beaconing alerts
GET  /api/virustotal/results  Hybrid threat intelligence
POST /api/rules               Update filtering rules

Contributing

1. Fork the repository
2. Create a feature branch (git checkout -b feature/my-feature)
3. Commit changes (git commit -m 'Add my feature')
4. Push to branch (git push origin feature/my-feature)
5. Open a Pull Request

License

Dual-licensed under MIT or Apache-2.0 at your option.

Security

We take security seriously. If you discover a vulnerability, please follow our responsible disclosure policy.

Rule	Principle	Summary
1	Hardware-Anchor	TPM 2.0 non-exportable keys, PCR-sealed storage
2	Trojan-Proof Supply Chain	cargo-audit + cargo-geiger; kernel = core/alloc only
3	State-Machine Security	Formal enum transitions; errors force HardLockdown
4	Golden Image Integrity	SHA3-512 per-process validation; deviation revokes network
5	Zero-Overhead IPC	Kernel: inspect/pass/drop; heavy logic via lock-free queue
6	Privacy-First Audit	HMAC-SHA256 blind indexing; 30-day hard purge (GDPR Art. 32)

Benchmarking

Run the comprehensive benchmark suite to generate a Markdown-ready comparison table of SHA3-512 vs Windows CNG SHA-512 across cache-resident, memory-bound, and I/O-bound payloads:

.\sha3-kernel-hasher\scripts\benchmark_suite.ps1
.\sha3-kernel-hasher\scripts\benchmark_suite.ps1 -MaxSizeMB 1024 -Iterations 5

Or run the Criterion micro-benchmarks:

cargo bench -p sha3-kernel-hasher

Troubleshooting

See docs/BUILD_TROUBLESHOOTING.md for common build issues and their solutions.

---

📬 Contact & Verification

🔐 PGP Public Key

Project Maintainer: Sebastian Friedrich Nestler
Email: [email protected]
PGP Key ID: 0x17A9F2E5

-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: Benutzer-ID:	Sebastian Friedrich Nestler <[email protected]>
Comment: Gültig seit:	08.02.2026 03:58
Comment: Gültig bis:	08.02.2029 12:00
Comment: Typ:	521-bit ECDSA (geheimer Schlüssel verfügbar)
Comment: Verwendung:	Signieren, Verschlüsselung, Benutzerkennungen beglaubigen
Comment: Fingerabdruck:	E799967FCCC36C6986AB39423B52B58B17A9F2E5


mJMEaYf75xMFK4EEACMEIwQAVRZXQwDQrkf57DEvGgAMG3Q0229ZWMbEpTT0KPec
DHg1CR1JzYqaTgpzjfZy90552kZgUoP45e59lTqmgH9gFs8AlrgqDOVHe1clcRNX
E4JWLCvCysHpLR0Qflip+11e9d5faOpTMu+kISDyQDavLCELfpjFN3VlOER39+AW
rBpvYCm0O1NlYmFzdGlhbiBGcmllZHJpY2ggTmVzdGxlciA8c2ViYXN0aWFuLm5l
c3RsZXJAdHV0YW5vdGEuZGU+iNwEExMKAEEWIQTnmZZ/zMNsaYarOUI7UrWLF6ny
5QUCaYf75wIbAwUJBaVcyQULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRA7
UrWLF6ny5US7AgkB5BpDvVoz2HrPirFu39m8Nb0iVjfyoq6AKPDAQ1+eeZsykWof
u4rTqKGKedaAVmvLKASino0XSCL502ePEtuG/AMCBRNx+xmVGaICzBxq9r8j68PU
lUmPokXj7OjTZmGLaafI2i9z5+isbWeg1SStlmRxbDXViJtTRhPym+17OYINWPaR
uJcEaYf75xIFK4EEACMEIwQBik1UHyy9KKUPenQd6jh4XHkcloPl998w4XIIOmDO
WQkEHOmxS5LUce7LqS0vV1iKFchK9mxYJADoH9OUeR4NZokA/P9dRIY7kJwbxEey
XE9keCzeINbTfKkat/weGgykR883EygOa8eLb5gAtBI4c2wk1S2R3+D0bayYVf5q
NKaWQtoDAQoJiMEEGBMKACYWIQTnmZZ/zMNsaYarOUI7UrWLF6ny5QUCaYf75wIb
DAUJBaVcyQAKCRA7UrWLF6ny5RYmAgiFXPTefCogFvIwgeiCgr3EQeNJjupxN4ol
VG1AEA3S/67o3/g+YNkkBQuE/FzYZHzgmthhHv8p46PWTBv7kaltBAIJAfKo44fO
6LH3X8U0RTMtG6zPPji59mcp6Dd8hHbXWuRBizBCieejz/sLOfkZA7wYw4C5jRxa
ECMoJD5+5FT5pk+0
=/GfA
-----END PGP PUBLIC KEY BLOCK-----

📧 Secure Communication

• Email: [email protected] (PGP encrypted preferred)
• PGP Fingerprint: E799 967F CCC3 6C69 86AB 3942 3B52 B58B 17A9 F2E5
• Key Server: Available on major keyservers

🔒 Security Verification

All releases, commits, and communications related to The Bunker project are signed with the above PGP key. Verify signatures before trusting any software or communications.

---

The Bunker -- Zero-Trust DNS Security Platform with Kernel-Level Integrity Enforcement

Built with Rust. Validated by NIST. Designed for audit.

Contact: [email protected] | PGP: 0x17A9F2E5