[dns-operations] DNS-over-TLS in public resolvers

Willem Toorop willem at nlnetlabs.nl
Tue Feb 28 21:55:24 UTC 2017

Hear, hear!

Verisign public DNS would be a good candidate too.  They already use the
slogan: "A free DNS resolution service that respects your privacy"

-- Willem

Op 28-02-17 om 11:35 schreef Stephane Bortzmeyer:
> It seems to me that DNS-over-TLS (RFC 7858) is specially important for
> public DNS resolvers since the first kilometer is long for them. I may
> not care that my DNS requests travel in clear ten meters from my
> office to the corporation's LAN resolver, but it is more a concern if
> I use a remote resolver (Google Public DNS is 14 hops and 4 ASes away
> from my current location, and I'm in California!)
> It is not just a matter of encrypting the data, it's also an
> authentication issue (Google Public DNS was already impersonated
> <http://bgpmon.net/turkey-hijacking-ip-addresses-for-popular-global-dns-providers/>)
> So, which public resolvers have DNS-over-TLS? Cisco OpenDNS uses the
> non-standard DNScrypt and, for the others (Google, Verisign,
> Yandex...), I find nothing. Isn't it time to push them to add this
> feature?
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

More information about the dns-operations mailing list