ResolveDB
All Use Cases

Factory Floor Config Without HTTP Stacks

Push configuration to thousands of PLCs, sensors, and edge devices using only the DNS they already have.

The Problem

Industrial environments run devices that can make DNS queries but lack full HTTP/TLS stacks - PLCs, legacy sensors, embedded controllers. Getting configuration updates to these devices traditionally requires custom protocols, VPNs, or expensive middleware. Updates need to reach devices behind NAT, through firewalls, across air-gapped networks.

The Solution

ResolveDB encodes device configuration in DNS responses using Blind Device Tokens (BDT) - cryptographically derived tokens that hide device identity while enabling lookup. Devices query using an opaque token derived from a factory secret, making enumeration attacks computationally infeasible.

Key Benefits

  • Zero information leakage - tokens are random 128-bit hashes (2^128 search space)
  • Per-device encryption - config encrypted with device-specific key via AES-256-GCM
  • Works on any device with DNS - HMAC-SHA256 is hardware-accelerated on most MCUs
  • Penetrates NAT, firewalls, air-gapped networks - standard DNS port 53

Security Pattern

bdt-Blind Device Tokens (BDT)

HMAC-derived opaque tokens that hide device identity. Weekly automatic rotation. Per-device AES-256-GCM encryption.

Try It Live

Live DNS Query
Query breakdown:
operation:getparams:bdt-a7f3b2c4e8d9f012a7f3b2c4e8d9f012resource:confignamespace:acme-factoryversion:v1

Code Examples

Terminal
# Device queries with blind token (32 hex chars)
dig TXT get.bdt-a7f3b2c4e8d9f012a7f3b2c4e8d9f012.config.acme-factory.v1.resolvedb.net +short

# Response (encrypted with device_secret):
# "v=rdb1;s=ok;t=data;e=aes;f=json;ttl=300;d=<AES-256-GCM encrypted config>"

# Firmware metadata (redirects to CDN for binary)
dig TXT get.h-abc123def456.firmware.acme-factory.v1.resolvedb.net +short
Python
import hmac
import hashlib
import time

def derive_blind_token(factory_secret: bytes, device_id: str, factory_id: str) -> str:
    """Derive BDT token for device."""
    # Derive device secret via HKDF pattern
    device_secret = hmac.new(
        factory_secret,
        device_id.encode(),
        hashlib.sha256
    ).digest()

    # Include epoch week for automatic rotation (weeks since Unix epoch)
    epoch_week = int(time.time() // (7 * 24 * 60 * 60))
    material = device_secret + factory_id.encode() + str(epoch_week).encode()

    blind_token = hashlib.sha256(material).hexdigest()[:32]
    return blind_token

# Usage
token = derive_blind_token(b"factory-secret", "SENSOR-001", "acme-factory")
query = f"get.bdt-{token}.config.acme-factory.v1.resolvedb.net"
JavaScript
import crypto from 'crypto';

function deriveBlindToken(factorySecret, deviceId, factoryId) {
  // Derive device secret
  const deviceSecret = crypto
    .createHmac('sha256', factorySecret)
    .update(deviceId)
    .digest();

  // Include epoch week for rotation
  const epochWeek = Math.floor(Date.now() / (7 * 24 * 60 * 60 * 1000));
  const material = Buffer.concat([
    deviceSecret,
    Buffer.from(factoryId),
    Buffer.from(epochWeek.toString())
  ]);

  const blindToken = crypto
    .createHash('sha256')
    .update(material)
    .digest('hex')
    .slice(0, 32);

  return blindToken;
}

// Usage
const token = deriveBlindToken('factory-secret', 'SENSOR-001', 'acme-factory');
const query = `get.bdt-${token}.config.acme-factory.v1.resolvedb.net`;
Go
package main

import (
    "crypto/hmac"
    "crypto/sha256"
    "encoding/hex"
    "fmt"
    "time"
)

func deriveBlindToken(factorySecret, deviceID, factoryID string) string {
    // Derive device secret
    h := hmac.New(sha256.New, []byte(factorySecret))
    h.Write([]byte(deviceID))
    deviceSecret := h.Sum(nil)

    // Include epoch week (weeks since Unix epoch)
    epochWeek := time.Now().Unix() / (7 * 24 * 60 * 60)

    // Compute blind token
    h2 := sha256.New()
    h2.Write(deviceSecret)
    h2.Write([]byte(factoryID))
    h2.Write([]byte(fmt.Sprintf("%d", epochWeek)))

    return hex.EncodeToString(h2.Sum(nil))[:32]
}

Comparison

FeatureResolveDBAlternative
TransportUDP/DNS (port 53)TCP/MQTT or HTTPS
Memory footprint2-5KB50-200KB
TLS requirementOptionalUsually required
Firewall traversalAlways (port 53 open)Often blocked
Device enumerationImpossible (BDT)Often possible

Frequently Asked Questions

How do I provision device tokens?

During manufacturing, derive the device_secret from factory_master_secret + device_id using HKDF. Register the token mapping with ResolveDB API. Device computes token locally using same algorithm.

How does token rotation work?

The epoch_week component in the token derivation means tokens automatically change weekly. The server accepts both current and previous week tokens for seamless rotation.

How do I deliver firmware updates?

Firmware metadata (version, hash, size) is served via DNS. The actual binary is delivered via URL redirect to a CDN. Device verifies hash before installation.

Ready to get started?

Create an account and start storing data in under a minute.

Start BuildingView More Use Cases