DNS over TLS
|Latest version||RFC 7858, RFC 8310|
May 2016 and March 2018
|Domain Name System|
DNS over TLS (DoT) is a network security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks.
While DNS-over-TLS is applicable to any DNS transaction, it was first standardized for use between stub or forwarding resolvers and recursive resolvers, in RFC 7858 in May of 2016. Subsequent IETF efforts specify the use of DoT between recursive and authoritative servers ("Authoritative DNS-over-TLS" or "ADoT") and a related implementation between authoritative servers (Zone Transfer-over-TLS or "xfr-over-TLS").
BIND supports DoT connections as of version 9.17. Earlier versions offered DoT capability by proxying through stunnel. Unbound has supported DNS over TLS since 22 January 2018. Unwind has supported DoT since 29 January 2019. With Android Pie's support for DNS over TLS, some ad blockers now support using the encrypted protocol as a relatively easy way to access their services versus any of the various work-around methods typically used such as VPNs and proxy servers. Simple DNS Plus, a resolving and authoritative DNS server for Windows, added support for DoT in version 9.0 released 28 September 2021.
In April 2018, Google announced that Android Pie will include support for DNS over TLS, allowing users to set a DNS server phone-wide on both Wi-Fi and mobile connections, an option that was historically only possible on rooted devices. DNSDist, from PowerDNS, also announced support for DNS over TLS in version 1.3.0.
Linux and Windows users can use DNS over TLS as a client through the NLnet Labs stubby daemon or Knot Resolver. Alternatively they may install getdns-utils to use DoT directly with the getdns_query tool. The unbound DNS resolver by NLnet Labs also supports DNS over TLS.
Apple's iOS 14 introduced OS-level support for DNS over TLS (and DNS over HTTPS). iOS does not allow manual configuration of DoT servers, and requires the use of a third-party application to make configuration changes.
systemd-resolved is a Linux-only implementation that can be configured to use DNS over TLS, by editing
/etc/systemd/resolved.conf and enabling the setting
DNSOverTLS. Most major Linux distributions have systemd installed by default.[circular reference]
Nebulo is an open source DNS changer application for Android which supports both DoT and DoH.
DNS-over-TLS was first implemented in a public recursive resolver by Quad9 in 2017. Other recursive resolver operators such as Google and Cloudflare followed suit in subsequent years, and now it is a broadly-supported feature generally available in most large recursive resolvers.
Criticisms and implementation considerations
DoT can impede analysis and monitoring of DNS traffic for cybersecurity purposes. DoT has been used to bypass parental controls which operate at the (unencrypted) standard DNS level; Circle, a parental control router which relies on DNS queries to check domains against a blocklist, blocks DoT by default due to this. However, there are DNS providers that offer filtering and parental controls along with support for both DoT and DoH. In that scenario, DNS queries are checked against block lists once they are received by the provider rather than prior to leaving the user's router.
Encryption by itself does not protect privacy. It only protects against third-party observers. It does not guarantee what the endpoints do with the (then decrypted) data.
DoT clients do not necessarily directly query any authoritative name servers. The client may rely on the DoT server using traditional (port 53 or 853) queries to finally reach authoritative servers. Thus, DoT does not qualify as an end-to-end encrypted protocol, only hop-to-hop encrypted and only if DNS over TLS is used consistently.
- Henderson, Karl; April, Tim; Livingood, Jason (2020-02-14). "Authoritative DNS-over-TLS Operational Considerations". Internet Engineering Task Force. Retrieved 17 July 2021.
- Mankin, Allison (2019-07-08). "DNS Zone Transfer-over-TLS". Internet Engineering Task Force. Retrieved 17 July 2021.
- "4. BIND 9 Configuration Reference — BIND 9 documentation". bind9.readthedocs.io. Retrieved 2021-11-14.
- "Bind - DNS over TLS".
- "Unbound version 1.7.3 Changelog".
- Aleksandersen, Daniel. "Actually secure DNS over TLS in Unbound". Ctrl blog. Retrieved 2018-08-07.
- "openbsd-cvs mailing list archives".
- "openbsd-cvs mailing list archives".
- "blockerDNS - Block Ads and Online Trackers So You Can Browse the Web Privately on Your Android Phone Without Installing an App!". blockerdns.com. Retrieved 2019-08-14.
- "The official release of AdGuard DNS — a new unique approach to privacy-oriented DNS". AdGuard Blog. Retrieved 2019-08-14.
- "Blahdns -- Dns service support DoH, DoT, DNSCrypt". blahdns.com. Retrieved 2019-08-14.
- "DNS over TLS support in Android P Developer Preview". Android Developers Blog. Retrieved 2019-12-07.
- August 23, Jack Wallen in Security on; 2018; Pst, 10:46 Am. "How to enable DNS over TLS in Android Pie". TechRepublic. Retrieved 2021-03-17.CS1 maint: numeric names: authors list (link)
- "DNS over TLS support in Android P Developer Preview". Google Security Blog. April 17, 2018.
- "DNS-over-TLS". dnsdist.org. Retrieved 25 April 2018.
- "Knot Resolver".
- Package: getdns-utils, retrieved 2019-04-04
- "Unbound - About". NLnet Labs. Retrieved 2020-05-26.
- Cimpanu, Catalin. "Apple adds support for encrypted DNS (DoH and DoT)". ZDNet. Retrieved 2020-10-03.
- "resolved.conf manual page". Retrieved 16 December 2019.
- "Fedora Magazine: Use DNS over TLS". 10 July 2020. Retrieved 4 September 2020.
- "Systemd adoption". Retrieved 16 December 2019.
- "personalDNSfilter - a personal open source dns filter for stopping ads and more". zenz-solutions.de. Retrieved 2020-05-26.
- "Nebulo - DNS Changer for DNS over HTTPS/TLS - Apps on Google Play". play.google.com. Retrieved 2020-05-26.
- Band, Alex (2017-11-20). "Privacy: Using DNS-over-TLS with the Quad9 DNS Service". Medium. Retrieved 17 July 2021.
Recently the Quad9 DNS service was launched. Quad9 differentiates from similar services by focusing on security and privacy. One interesting feature is the fact that you can communicate with the service using DNS-over-TLS. This encrypts the communication between your client and the DNS server, safeguarding your privacy.
- Bortzmeyer, Stéphane (2017-11-21). "Quad9 is a public DNS resolver, with promises of better privacy, and a DNS-over-TLS access". RIPE Labs. Retrieved 17 July 2021.
Last week, the new DNS resolver Quad9 has been announced. It is a public DNS resolver with the additional benefit that it is accessible in a secure way over TLS (RFC 7858). There are plenty of public DNS resolvers, but the link to them is not secure. This allows hijackings, as seen in Turkey, as well as third-party monitoring. The new Quad9 service on the other hand is operated by the not-for-profit Packet Clearing House (PCH), which manages large parts of the DNS infrastructure, and it allows access to the DNS over TLS. This makes it very difficult for third parties to listen in. And it makes it possible to authenticate the resolver.
- "Public DNS resolver Anycast DNS for All". www.dnslify.com. Retrieved 2020-05-26.
- "Telsy TRT". Retrieved 2020-05-26.
- "How to keep your ISP's nose out of your browser history with encrypted DNS". Ars Technica. Retrieved 2018-04-08.
- "DNS over TLS - Cloudflare Resolver". developers.cloudflare.com. Retrieved 2018-04-08.
- "Google Public DNS now supports DNS-over-TLS". Google Online Security Blog. Retrieved 2019-01-10.
- "Quad9, a Public DNS Resolver - with Security". RIPE Labs. Retrieved 2018-04-08.
- "Troubleshooting DNS over TLS". 13 May 2018.[user-generated source]
- "LibreDNS". LibreDNS. Retrieved 2019-10-20.
- "Managing encrypted DNS connections (DNS over TLS, DNS over HTTPS) with Circle". Circle Support Center. Retrieved 2020-07-07.
- Gallagher, Sean (16 November 2017). "New Quad9 DNS service blocks malicious domains for everyone". Ars Technica. Retrieved 14 November 2021.
The system blocks domains associated with botnets, phishing attacks, and other malicious Internet hosts.
- Inc, CleanBrowsing. "Parental Control with DNS over TLS Support". CleanBrowsing. Retrieved 2020-08-20.
- Inc, CleanBrowsing. "Parental Control with DNS Over HTTPS (DoH) Support". CleanBrowsing. Retrieved 2020-08-20.
- blockerDNS. "blockerDNS - Products". blockerdns.com. Retrieved 2020-08-20.
- "Protect your privacy with DNS-over-TLS on SafeDNS". SafeDNS. Retrieved 2020-08-20.