[dns-operations] OARC DNS Privacy Resolver Testbed

Keith Mitchell keith at dns-oarc.net
Wed Aug 3 17:33:58 UTC 2016

OARC is pleased to offer open DNS Privacy resolvers that anyone can use
to experiment with secured DNS over TLS services (see RFC 7858 [1]).
These listen for DNS queries over TLS on TCP port 853.

Detailed information about this testbed service is available at:


Two instances are available - one uses the ISI ANT T-DNS [2] server
proxy, with a back-end hooked into OARC's existing BIND-based ODVR [3]
server to provide packet capture as well as some modicum of logging. The
second server uses Unbound [4] as the front-end, which then forwards
queries to the Unbound-based version of the ODVR service.

Please note this service is *experimental*, and makes *no* guarantees of
availability, data privacy, RFC compliance/interoperability, or
suitability for live, production use. We do however aim to contribute to
the understanding of operating these services, seeking to improve their
deployment towards these aims. Feedback as to how well or whether they
actually work would be appreciated.

The IP addresses for the DNS Privacy name-servers are:

Instance	Name				IP addresses

T-DNS		tls-dns.odvr.dns-oarc.net
						No current IPv6 support

Unbound		tls-dns-u.odvr.dns-oarc.net

In line with OARC's mission, query data from these DNS Privacy and our
other testbed name-servers is collected and made available for
non-commercial, public benefit research purposes. Users of the service
should be aware this may include personally identifiable information.

If your DNS query data is sensitive, you should probably *not* be
trusting it to an experimental 3rd-party research testbed. Depending on
experience gathered from operating these testbeds, user uptake/demand
and/or Member feedback, OARC may or may not in future decide to add
anonymization of data gathered on these servers, or offer a choice for
this on different server(s). Note that it may also be necessary to limit
access to these open resolvers in the event of abuse.

If you are interested in analyzing data from any of OARC's testbed
tools, information about becoming an OARC member is available at
<https://www.dns-oarc.net/oarc/agreements>, or please contact us at
<admin at dns-oarc.net> if you have any questions/feedback about this service.

Keith Mitchell


[1]	https://datatracker.ietf.org/doc/rfc7858/
[2]	https://ant.isi.edu/software/tdns/tdns-server-proxy/index.html
[3]	https://www.dns-oarc.net/oarc/services/odvr
[4]	http://www.unbound.net/

More information about the dns-operations mailing list