[dns-operations] DNS-over-TLS in public resolvers

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Feb 28 19:35:05 UTC 2017

It seems to me that DNS-over-TLS (RFC 7858) is specially important for
public DNS resolvers since the first kilometer is long for them. I may
not care that my DNS requests travel in clear ten meters from my
office to the corporation's LAN resolver, but it is more a concern if
I use a remote resolver (Google Public DNS is 14 hops and 4 ASes away
from my current location, and I'm in California!)

It is not just a matter of encrypting the data, it's also an
authentication issue (Google Public DNS was already impersonated

So, which public resolvers have DNS-over-TLS? Cisco OpenDNS uses the
non-standard DNScrypt and, for the others (Google, Verisign,
Yandex...), I find nothing. Isn't it time to push them to add this

More information about the dns-operations mailing list