[dns-operations] DNS-over-TLS in public resolvers

John Todd jtodd at loligo.com
Thu Mar 2 23:18:10 UTC 2017

On 28 Feb 2017, at 11:35, Stephane Bortzmeyer wrote:

> It seems to me that DNS-over-TLS (RFC 7858) is specially important for
> public DNS resolvers since the first kilometer is long for them. I may
> not care that my DNS requests travel in clear ten meters from my
> office to the corporation's LAN resolver, but it is more a concern if
> I use a remote resolver (Google Public DNS is 14 hops and 4 ASes away
> from my current location, and I'm in California!)
> It is not just a matter of encrypting the data, it's also an
> authentication issue (Google Public DNS was already impersonated
> <http://bgpmon.net/turkey-hijacking-ip-addresses-for-popular-global-dns-providers/>)
> So, which public resolvers have DNS-over-TLS? Cisco OpenDNS uses the
> non-standard DNScrypt and, for the others (Google, Verisign,
> Yandex...), I find nothing. Isn't it time to push them to add this
> feature?

I think as interesting a question would be to ask what the mid- to 
long-term level of interest is by vendors in getting support embedded 
into stub resolvers. I am aware of the “stubby” project 
but would like to hear if there is any traction with larger 
implementations of stub library authors (MS, Apple, Google, etc.) This 
is a chicken/egg problem, though it also seems like the protocol is 
still in its infancy so perhaps that’s the wrong analogy.  
SOHO/residential multi-purpose edge devices that provide DNS relay/proxy 
service would be an interesting place for this, if there isn’t 
traction in the end devices.

As noted, there has been DNSCrypt support for years in some open 
resolvers, as well as support for that protocol overlay in OSS resolver 
software. Even with that, DNSCrypt hasn’t widely caught on (possibly 
due to politics?) so what makes DNS-over-TLS a more likely solution to 
be implemented as a built-in default or at least a selectable choice in 
off-the-shelf equipment? I am asking because I don’t know enough of 
the history and would like to understand what to spend energy on 
implementing in our resolvers. It is abundantly clear to me that 
last-mile encryption is highly-desirable, and I am surprised that no 
encryption support exists today at any scale in the universe of end user 


More information about the dns-operations mailing list