DNS over TLS

Last updated
DNS over TLS
AbbreviationDoT
Status Proposed Standard
Latest version RFC   7858, RFC   8310
May 2016 and March 2018
Organization IETF
Authors

DNS over TLS (DoT) is a network security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks. The well-known port number for DoT is 853.

Contents

While DNS over TLS is applicable to any DNS transaction, it was first standardized for use between stub or forwarding resolvers and recursive resolvers, in RFC   7858 in May of 2016. Subsequent IETF efforts specify the use of DoT between recursive and authoritative servers ("Authoritative DNS over TLS" or "ADoT") [1] and a related implementation between authoritative servers (Zone Transfer-over-TLS or "xfr-over-TLS"). [2]

Server software

BIND supports DoT connections as of version 9.17. [3] Earlier versions offered DoT capability by proxying through stunnel. [4] Unbound has supported DNS over TLS since 22 January 2023. [5] [6] Unwind has supported DoT since 29 January 2023. [7] [8] With Android Pie's support for DNS over TLS, some ad blockers now support using the encrypted protocol as a relatively easy way to access their services versus any of the various work-around methods typically used such as VPNs and proxy servers. [9] [10] [11] [12]

Client software

Android clients running Android Pie or newer support DNS over TLS and will use it by default if the network infrastructure, for example the ISP, supports it. [13] [14]

In April 2018, Google announced that Android Pie will include support for DNS over TLS, [15] allowing users to set a DNS server phone-wide on both Wi-Fi and mobile connections, an option that was historically only possible on rooted devices. DNSDist, from PowerDNS, also announced support for DNS over TLS in version 1.3.0. [16]

Linux and Windows users can use DNS over TLS as a client through the NLnet Labs stubby daemon or Knot Resolver. [17] Alternatively they may install getdns-utils [18] to use DoT directly with the getdns_query tool. The unbound DNS resolver by NLnet Labs also supports DNS over TLS. [19]

Apple's iOS 14 introduced OS-level support for DNS over TLS (and DNS over HTTPS). iOS does not allow manual configuration of DoT servers, and requires the use of a third-party application to make configuration changes. [20]

systemd-resolved is a Linux-only implementation that can be configured to use DNS over TLS, by editing /etc/systemd/resolved.conf and enabling the setting DNSOverTLS. [21] [22] Most major Linux distributions have systemd installed by default. [23] [ circular reference ]

Public resolvers

DNS over TLS was first implemented in a public recursive resolver by Quad9 in 2017. [24] [25] Other recursive resolver operators such as Google and Cloudflare followed suit in subsequent years, and now it is a broadly-supported feature generally available in most large recursive resolvers. [26] [27] [28] [29] [30] [31] [32] [33] [12]

Criticisms and implementation considerations

DoT can impede analysis and monitoring of DNS traffic for cybersecurity purposes. DoT has been used to bypass parental controls which operate at the (unencrypted) standard DNS level; Circle, a parental control router which relies on DNS queries to check domains against a blocklist, blocks DoT by default due to this. [34] However, there are DNS providers that offer filtering and parental controls along with support for both DoT and DoH. [35] [36] [37] [38] [39] [12] In that scenario, DNS queries are checked against block lists once they are received by the provider rather than prior to leaving the user's router.

As with any communication, encryption of DNS requests by itself does not protect privacy. It protects against third-party observers, but does not guarantee what the endpoints do with the (then decrypted) data.

DoT clients do not necessarily directly query any authoritative name servers. The client may rely on the DoT server using traditional (port 53 or 853) queries to finally reach authoritative servers. Thus, DoT does not qualify as an end-to-end encrypted protocol, only hop-to-hop encrypted and only if DNS over TLS is used consistently.

Alternatives

DNS over HTTPS (DoH) is a similar protocol standard for encrypting DNS queries, differing only in the methods used for encryption and delivery from DoT. On the basis of privacy and security, whether or not a superior protocol exists among the two is a matter of controversial debate, while others argue the merits of either depend on the specific use case. [40]

DNSCrypt is another network protocol that authenticates and encrypts DNS traffic, although it was never proposed to the Internet Engineering Task Force (IETF) with a Request for Comments (RFC).

See also

Related Research Articles

The Domain Name System (DNS) is a hierarchical and distributed name service that provides a naming system for computers, services, and other resources on the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to each of the associated entities. Most prominently, it translates readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. The Domain Name System has been an essential component of the functionality of the Internet since 1985.

A name server is a computer application that implements a network service for providing responses to queries against a directory service. It translates an often humanly meaningful, text-based identifier to a system-internal, often numeric identification or addressing component. This service is performed by the server in response to a service protocol request.

<span class="mw-page-title-main">Email client</span> Computer program used to access and manage a users email

An email client, email reader or, more formally, message user agent (MUA) or mail user agent is a computer program used to access and manage a user's email.

The Domain Name System Security Extensions (DNSSEC) are a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System (DNS) in Internet Protocol (IP) networks. The protocol provides cryptographic authentication of data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

<span class="mw-page-title-main">Secure Hypertext Transfer Protocol</span> Web encryption method similar to HTTPS

Secure Hypertext Transfer Protocol (S-HTTP) is an obsolete alternative to the HTTPS protocol for encrypting web communications carried over the Internet. It was developed by Eric Rescorla and Allan M. Schiffman at EIT in 1994 and published in 1999 as RFC 2660.

This article presents a comparison of the features, platform support, and packaging of many independent implementations of Domain Name System (DNS) name server software.

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. The extension allows a server to present one of multiple possible certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. This also allows a proxy to forward client traffic to the right server during TLS/SSL handshake. The desired hostname is not encrypted in the original SNI extension, so an eavesdropper can see which site is being requested. The SNI extension was specified in 2003 in RFC 3546

Unbound is a validating, recursive, and caching DNS resolver product from NLnet Labs. It is distributed free of charge in open-source form under the BSD license.

DNSCurve is a proposed secure protocol for the Domain Name System (DNS), designed by Daniel J. Bernstein. It encrypts and authenticates DNS packets between resolvers and authoritative servers.

Obfuscated TCP (ObsTCP) was a proposal for a transport layer protocol which implements opportunistic encryption over Transmission Control Protocol (TCP). It was designed to prevent mass wiretapping and malicious corruption of TCP traffic on the Internet, with lower implementation cost and complexity than Transport Layer Security (TLS). In August 2008, IETF rejected the proposal for a TCP option, suggesting it be done on the application layer instead. The project has been inactive since a few months later.

Google Public DNS is a Domain Name System (DNS) service offered to Internet users worldwide by Google. It functions as a recursive name server. Google Public DNS was announced on December 3, 2009, in an effort described as "making the web faster and more secure." As of 2018, it is the largest public DNS service in the world, handling over a trillion queries per day. Google Public DNS is not related to Google Cloud DNS, which is a DNS hosting service.

DNSCrypt is a network protocol that authenticates and encrypts Domain Name System (DNS) traffic between the user's computer and recursive name servers. DNSCrypt wraps unmodified DNS traffic between a client and a DNS resolver in a cryptographic construction, preventing eavesdropping and forgery by a man-in-the-middle.

In computer networking, TCP Fast Open (TFO) is an extension to speed up the opening of successive Transmission Control Protocol (TCP) connections between two endpoints. It works by using a TFO cookie, which is a cryptographic cookie stored on the client and set upon the initial connection with the server. When the client later reconnects, it sends the initial SYN packet along with the TFO cookie data to authenticate itself. If successful, the server may start sending data to the client even before the reception of the final ACK packet of the three-way handshake, thus skipping a round-trip delay and lowering the latency in the start of data transmission.

DNS-based Authentication of Named Entities (DANE) is an Internet security protocol to allow X.509 digital certificates, commonly used for Transport Layer Security (TLS), to be bound to domain names using Domain Name System Security Extensions (DNSSEC).

Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. It is the world's largest certificate authority, used by more than 300 million websites, with the goal of all websites being secure and using HTTPS. The Internet Security Research Group (ISRG), the provider of the service, is a public benefit organization. Major sponsors include the Electronic Frontier Foundation (EFF), the Mozilla Foundation, OVH, Cisco Systems, Facebook, Google Chrome, Internet Society, AWS, NGINX, and Bill and Melinda Gates Foundation. Other partners include the certificate authority IdenTrust, the University of Michigan (U-M), and the Linux Foundation.

A public recursive name server is a name server service that networked computers may use to query the Domain Name System (DNS), the decentralized Internet naming system, in place of name servers operated by the local Internet service provider (ISP) to which the devices are connected. Reasons for using these services include:

DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver. By March 2018, Google and the Mozilla Foundation had started testing versions of DNS over HTTPS. In February 2020, Firefox switched to DNS over HTTPS by default for users in the United States. In May 2020, Chrome switched to DNS over HTTPS by default.

EDNS Client Subnet (ECS) is an option in the Extension Mechanisms for DNS that allows a recursive DNS resolver to specify the subnetwork for the host or client on whose behalf it is making a DNS query. This is generally intended to help speed up the delivery of data from content delivery networks (CDNs), by allowing better use of DNS-based load balancing to select a service address near the client when the client computer is not necessarily near the recursive resolver.

<span class="mw-page-title-main">Quad9</span> Global public recursive DNS resolver based in Switzerland

Quad9 is a global public recursive DNS resolver that aims to protect users from malware and phishing. Quad9 is operated by the Quad9 Foundation, a Swiss public-benefit, not-for-profit foundation with the purpose of improving the privacy and cybersecurity of Internet users, headquartered in Zürich. Quad9 is entirely subject to Swiss privacy law, and the Swiss government extends that protection of the law to Quad9's users throughout the world, regardless of citizenship or country of residence.

1.1.1.1 is a free Domain Name System (DNS) service by the American company Cloudflare in partnership with APNIC. The service functions as a recursive name server, providing domain name resolution for any host on the Internet. The service was announced on April 1, 2018. On November 11, 2018, Cloudflare announced a mobile application of their 1.1.1.1 service for Android and iOS. On September 25, 2019, Cloudflare released WARP, an upgraded version of their original 1.1.1.1 mobile application.

References

  1. Henderson, Karl; April, Tim; Livingood, Jason (2020-02-14). "Authoritative DNS-over-TLS Operational Considerations". Ietf Datatracker. Internet Engineering Task Force. Retrieved 17 July 2021.
  2. Mankin, Allison (2019-07-08). "DNS Zone Transfer-over-TLS". Ietf Datatracker. Internet Engineering Task Force. Retrieved 17 July 2021.
  3. "4. BIND 9 Configuration Reference — BIND 9 documentation". bind9.readthedocs.io. Retrieved 2021-11-14.
  4. "Bind - DNS over TLS". Archived from the original on 2017-10-20. Retrieved 2018-05-15.
  5. "Unbound version 1.7.3 Changelog". Archived from the original on 2018-08-07. Retrieved 2018-08-07.
  6. Aleksandersen, Daniel. "Actually secure DNS over TLS in Unbound". Ctrl blog. Retrieved 2018-08-07.
  7. "openbsd-cvs mailing list archives".
  8. "openbsd-cvs mailing list archives".
  9. "blockerDNS - Block Ads and Online Trackers So You Can Browse the Web Privately on Your Android Phone Without Installing an App!". blockerdns.com. Retrieved 2019-08-14.
  10. "The official release of AdGuard DNS — a new unique approach to privacy-oriented DNS". AdGuard Blog. Retrieved 2019-08-14.
  11. "Blahdns -- Dns service support DoH, DoT, DNSCrypt". blahdns.com. Retrieved 2019-08-14.
  12. 1 2 3 "NextDNS". NextDNS. Retrieved 2023-12-16.
  13. "DNS over TLS support in Android P Developer Preview". Android Developers Blog. Retrieved 2019-12-07.
  14. Wallen, Jack (August 23, 2018). "How to enable DNS over TLS in Android Pie". TechRepublic. Retrieved 2021-03-17.
  15. "DNS over TLS support in Android P Developer Preview". Google Security Blog. April 17, 2018.
  16. "DNS-over-TLS". dnsdist.org. Retrieved 25 April 2018.
  17. "Knot Resolver".
  18. Package: getdns-utils , retrieved 2019-04-04
  19. "Unbound - About". NLnet Labs. Retrieved 2020-05-26.
  20. Cimpanu, Catalin. "Apple adds support for encrypted DNS (DoH and DoT)". ZDNet. Retrieved 2020-10-03.
  21. "resolved.conf manual page" . Retrieved 16 December 2019.
  22. "Fedora Magazine: Use DNS over TLS". 10 July 2020. Retrieved 4 September 2020.
  23. "Systemd adoption" . Retrieved 16 December 2019.
  24. Band, Alex (2017-11-20). "Privacy: Using DNS-over-TLS with the Quad9 DNS Service". Medium. Retrieved 17 July 2021. Recently the Quad9 DNS service was launched. Quad9 differentiates from similar services by focusing on security and privacy. One interesting feature is the fact that you can communicate with the service using DNS-over-TLS. This encrypts the communication between your client and the DNS server, safeguarding your privacy.
  25. Bortzmeyer, Stéphane (2017-11-21). "Quad9 is a public DNS resolver, with promises of better privacy, and a DNS-over-TLS access". RIPE Labs. Retrieved 17 July 2021. Last week, the new DNS resolver Quad9 has been announced. It is a public DNS resolver with the additional benefit that it is accessible in a secure way over TLS (RFC 7858). There are plenty of public DNS resolvers, but the link to them is not secure. This allows hijackings, as seen in Turkey, as well as third-party monitoring. The new Quad9 service on the other hand is operated by the not-for-profit Packet Clearing House (PCH), which manages large parts of the DNS infrastructure, and it allows access to the DNS over TLS. This makes it very difficult for third parties to listen in. And it makes it possible to authenticate the resolver.
  26. "Public DNS resolver Anycast DNS for All". www.dnslify.com. Archived from the original on 2020-07-24. Retrieved 2020-05-26.
  27. "Telsy TRT". Archived from the original on 2021-01-31. Retrieved 2020-05-26.
  28. "How to keep your ISP's nose out of your browser history with encrypted DNS". Ars Technica. Retrieved 2018-04-08.
  29. "DNS over TLS - Cloudflare Resolver". developers.cloudflare.com. Retrieved 2018-04-08.
  30. "Google Public DNS now supports DNS-over-TLS". Google Online Security Blog. Retrieved 2019-01-10.
  31. "Quad9, a Public DNS Resolver - with Security". RIPE Labs. 21 November 2017. Retrieved 2018-04-08.
  32. "Troubleshooting DNS over TLS". 13 May 2018.[ user-generated source ]
  33. "LibreDNS". LibreDNS. Retrieved 2019-10-20.
  34. "Managing encrypted DNS connections (DNS over TLS, DNS over HTTPS) with Circle". Circle Support Center. Archived from the original on 2020-08-03. Retrieved 2020-07-07.
  35. Gallagher, Sean (16 November 2017). "New Quad9 DNS service blocks malicious domains for everyone". Ars Technica. Retrieved 14 November 2021. The system blocks domains associated with botnets, phishing attacks, and other malicious Internet hosts.
  36. "Parental Control with DNS over TLS Support". CleanBrowsing. Retrieved 2020-08-20.
  37. "Parental Control with DNS Over HTTPS (DoH) Support". CleanBrowsing. Retrieved 2020-08-20.
  38. "Products". blockerdns.com. Retrieved 2020-08-20.
  39. "Protect your privacy with DNS-over-TLS on SafeDNS". SafeDNS. Archived from the original on 2020-09-18. Retrieved 2020-08-20.
  40. Claburn, Thomas (2020-05-20). "Google rolls out pro-privacy DNS-over-HTTPS support in Chrome 83... with a handy kill switch for corporate IT". The Register . Retrieved 2021-02-03.