DNS over TLS

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

DNS over TLS (DoT) is a security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks.

DNS over TLS is covered by two Standards Track IETF RFCs: RFC 7858 and RFC 8310.[1][2] As of 2018, Cloudflare, Quad9, Quadrant Information Security and CleanBrowsing are providing public DNS resolver services via DNS over TLS.[3][4][5][6] In April 2018, Google announced that Android P will include support for DNS over TLS.[7] DNSDist, from PowerDNS also announced support for DNS over TLS in its latest version 1.3.0.[8] BIND users can also provide DNS over TLS by proxying it through stunnel.[9] Technitium DNS Server has announced support for DNS over TLS in its latest version 1.3.[10] Unbound supports DNS over TLS since 22 January 2018.[11][12]

DNS over TLS - Public DNS Servers[edit]

DNS over TLS server implementations are already available for free by some public DNS providers.[6] Three implementations are offering production services:

Provider IPs Blocking Domain Features
Cloudflare 1.1.1.1
1.0.0.1
2606:4700:4700::1111
2606:4700:4700::1001
No 1dot1dot1dot1.cloudflare-dns.com [13] DNS over TLS on port 853.[14] DNSSEC validation
Quad9 9.9.9.9
149.112.112.112
2620:fe::fe
2620:fe::9
Malicious domains dns.quad9.net DNS over TLS on port 853.[15] DNSSEC validation
CleanBrowsing 185.228.168.168
185.228.169.168
2a0d:2a00:1::
2a0d:2a00:2::
Adult content family-filter-dns.cleanbrowsing.org DNS over TLS on port 853.[16] DNSSEC validation
CleanBrowsing 185.228.168.9
185.228.169.9
2a0d:2a00:1::2
2a0d:2a00:2::2
Malicious domains security-filter-dns.cleanbrowsing.org DNS over TLS on port 853.[16] DNSSEC validation
Quadrant Information Security 12.159.2.159
2001:1890:140c::159
No dns-tls.qis.io DNS over TLS on port 853.[17] DNSSEC validation

See also[edit]

External links[edit]

References[edit]

  1. ^ Duane, Wessels; John, Heidemann; Liang, Zhu; Allison, Mankin; Paul, Hoffman. "Specification for DNS over Transport Layer Security (TLS)". tools.ietf.org. Retrieved 2018-04-08.
  2. ^ Tirumaleswar, Reddy; Daniel, Gillmor; Sara, Dickinson. "Usage Profiles for DNS over TLS and DNS over DTLS". tools.ietf.org. Retrieved 2018-04-09.
  3. ^ "How to keep your ISP's nose out of your browser history with encrypted DNS". Ars Technica. Retrieved 2018-04-08.
  4. ^ "DNS over TLS - Cloudflare Resolver". developers.cloudflare.com. Retrieved 2018-04-08.
  5. ^ "Quad9, a Public DNS Resolver - with Security". RIPE Labs. Retrieved 2018-04-08.
  6. ^ a b "Troubleshooting DNS over TLS".
  7. ^ "DNS over TLS support in Android P Developer Preview". Google Security Blog. April 17, 2018.
  8. ^ "DNS-over-TLS". dnsdist.org. Retrieved 25 April 2018.
  9. ^ "Bind - DNS over TLS".
  10. ^ "Configuring DNS Server For Privacy & Security". blog.technitium.com. Retrieved 2018-07-19.
  11. ^ "Unbound version 1.7.3 Changelog".
  12. ^ Aleksandersen, Daniel. "Actually secure DNS over TLS in Unbound". Ctrl blog. Retrieved 2018-08-07.
  13. ^ "Enable Private DNS with 1.1.1.1 on Android 9 Pie". The Cloudflare Blog. 2018-08-16. Retrieved 2018-11-28.
  14. ^ "CloudFlare - DNS over TLS".
  15. ^ "Quad9 - DNS over TLS".
  16. ^ a b "CleanBrowsing - DNS over TLS".
  17. ^ "Quadrant - DNS over TLS".