[dns-operations] DNS-over-TLS in public resolvers

Paul Hoffman phoffman at proper.com
Tue Feb 28 21:21:16 UTC 2017

On 28 Feb 2017, at 11:35, Stephane Bortzmeyer wrote:

> It seems to me that DNS-over-TLS (RFC 7858) is especially important for
> public DNS resolvers since the first kilometer is long for them. I may
> not care that my DNS requests travel in clear ten meters from my
> office to the corporation's LAN resolver, but it is more a concern if
> I use a remote resolver (Google Public DNS is 14 hops and 4 ASes away
> from my current location, and I'm in California!).
> It is not just a matter of encrypting the data, it's also an
> authentication issue (Google Public DNS was already impersonated
> <http://bgpmon.net/turkey-hijacking-ip-addresses-for-popular-global-dns-providers/>)
> So, which public resolvers have DNS-over-TLS? Cisco OpenDNS uses the
> non-standard DNScrypt and, for the others (Google, Verisign,
> Yandex...), I find nothing. Isn't it time to push them to add this
> feature?

Another way to ask is: how can we encourage some/many of the public
resolvers to do so? Is there someone on this list from the part of
Verisign that runs or from Comodo? It could look
very forward-looking of a public resolver to do this, for example.

--Paul Hoffman
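As an added example (not code from this thread or from any of the resolvers named in it), here is a small Python client that performs the check the quoted message is asking for: it connects to a resolver on TCP port 853, verifies the certificate chain and that the certificate matches the name the operator publishes for the service (the authentication domain name of RFC 8310), sends one query framed as RFC 7858 requires, and reads the answer. The resolver address, its authentication name and the query name are placeholders to be filled in by the reader.

```python
import socket
import ssl
import struct

TXID = 0x1234  # fixed transaction id for the single query this probe sends


def build_query(qname, qtype=1, txid=TXID):
    """Minimal RFC 1035 query: header with RD set, one question of class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame(msg):
    """RFC 7858 reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def parse_rcode(resp, expected_txid=TXID):
    """Return (rcode, answer_count), refusing a reply whose id does not match."""
    txid, flags, _qdcount, ancount = struct.unpack("!HHHH", resp[:8])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: %#x" % txid)
    return flags & 0x000F, ancount


def recv_exact(sock, n):
    """Read exactly n bytes from the TLS socket, or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed after %d bytes" % len(buf))
        buf += chunk
    return buf


def probe_dot(resolver_ip, auth_name, qname="example.com"):
    """Open TLS to resolver_ip:853, verify the chain and that the certificate
    matches auth_name (the operator's published authentication domain name),
    send one query and return (rcode, answer_count). resolver_ip and
    auth_name are placeholders, not values taken from the thread."""
    ctx = ssl.create_default_context()  # CA verification and hostname check on
    with socket.create_connection((resolver_ip, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame(build_query(qname)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_rcode(recv_exact(tls, length))
```

A resolver without DNS-over-TLS will refuse the connection or fail the handshake; one that answers with a certificate for a different name, as in the hijack linked above, fails the hostname check before any query is sent.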
