
Selection of relevant internet drafts


DNS privacy considerations (draft-bortzmeyer-dnsop-dns-privacy)

The dns-privacy draft is an analysis of the problem rather than a mechanism; it was published as RFC 7626 (listed below). The summary that follows is the abstract of the earlier in-band "upgrade" proposal for DNS-over-TLS: This document describes a technique for upgrading a DNS TCP connection to use Transport Layer Security (TLS) over standard ports. Encryption provided by DNS-over-TLS eliminates opportunities for eavesdropping of DNS queries in the network. The proposed mechanism is backwards compatible with clients and servers that are not aware of DNS-over-TLS. Note that the protection is for the path between client and resolver only: the resolver still sees every query in the clear. The in-band upgrade on port 53 was later superseded by RFC 7858, which runs TLS on its own dedicated port (853).


Relevant Internet Drafts and RFCs


RFC 7626: DNS Privacy Considerations

This document describes the privacy issues associated with the use of the DNS by Internet users. It is intended to be an analysis of the present situation and does not prescribe solutions.

RFC 7858: Specification for DNS over TLS

This document describes the use of TLS to provide privacy for DNS.

RFC 7830: The EDNS(0) Padding Option

This document specifies the EDNS(0) 'Padding' option, which allows DNS clients and servers to pad request and response messages by a variable number of octets. Padding matters even with TLS: without it, the ciphertext length of a query leaks the length of the name being looked up.

draft-ietf-dprive-dtls-and-tls-profiles: Authentication and (D)TLS Profile for DNS-over-TLS and DNS-over-DTLS

This document describes how a DNS client can use a domain name to authenticate a DNS server that uses Transport Layer Security (TLS) and Datagram TLS (DTLS). Additionally, it defines (D)TLS profiles for DNS clients and servers implementing DNS-over-TLS and DNS-over-DTLS.


draft-ietf-dprive-dnsodtls: Specification for DNS over Datagram Transport Layer Security (DTLS)

draft-ietf-dprive-eval: Evaluation of Privacy for DNS Private Exchange

This document describes methods for measuring the performance of DNS privacy mechanisms; in particular it provides methods for measuring effectiveness in the face of pervasive monitoring as defined in RFC 7258.


RFC 7766: DNS Transport over TCP - Implementation Requirements

This document specifies the requirement for support of TCP as a transport protocol for DNS implementations and provides guidelines towards DNS-over-TCP performance on par with that of DNS-over-UDP.

RFC 7816: DNS Query Name Minimisation to Improve Privacy

RFC 7828: The edns-tcp-keepalive EDNS0 Option

This document defines an EDNS0 option ("edns-tcp-keepalive") that allows DNS clients and servers to signal their respective readiness to conduct multiple DNS transactions over individual TCP sessions.




RFC 5246: The Transport Layer Security (TLS) Protocol


RFC 7525: Recommendations for Secure Use of TLS and DTLS

RFC 7525 lists TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 among its recommended cipher suites. The suggestion for DNS-over-TLS is to use that suite with the EC Brainpool P-256 curve (brainpoolP256r1, RFC 7027) and to fall back to the commonly used NIST P-256 curve (secp256r1, RFC 4492). Note: OpenSSL calls secp256r1 "prime256v1", and brainpoolP256r1 is only available from OpenSSL 1.0.2 onwards (first shipped in 1.0.2-beta1). When configuring a client, pin the minimum protocol version as well as the suite: a cipher-suite list alone does not stop a downgrade to an older TLS version.


RFC 7413: TCP Fast Open

Selection of Presentations

A short video is available demonstrating TCP connection re-use, pipelining, TCP Fast Open and DNS-over-TLS: DNS-over-TLS demo video

Example code

getdns API
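The following Python script is an added example, not code from this page or from the getdns project. It puts the wire-level pieces listed above into working code: RFC 7766 two-octet length framing, with a stream splitter and an ID-based matcher so that pipelined responses arriving out of order (the connection re-use and pipelining shown in the demo video) are paired with the right query and unsolicited or malformed messages are dropped; an RFC 7830 Padding option that rounds each query up to a fixed block size; and a TLS 1.2+ connection to port 853 (RFC 7858) that is authenticated against a server name (as in the dtls-and-tls-profiles draft) and restricted to the cipher suite noted under RFC 7525. The 128-octet block size, the 4096-octet advertised payload size, and the resolver host and name passed to query_over_tls are assumptions, not values from the page; the responses used in the tests are constructed (QR bit set, no answer records).

```python
"""DNS-over-TLS building blocks (added example, not getdns project code):
RFC 7766 framing/pipelining, RFC 7830 padding, RFC 7858 port 853 over TLS 1.2+."""
import socket
import ssl
import struct

DNS_OVER_TLS_PORT = 853      # RFC 7858
EDNS_OPTION_PADDING = 12     # RFC 7830 option code
OPT_UDP_PAYLOAD_SIZE = 4096  # carried in the OPT RR's CLASS field (assumed value)


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, qid: int, pad_block: int = 128) -> bytes:
    """Recursive query with an OPT RR whose Padding option rounds the message
    up to a multiple of pad_block octets (block size is assumed local policy)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)     # RD=1, QD=1, AR=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt_fixed = b"\x00" + struct.pack("!HHI", 41, OPT_UDP_PAYLOAD_SIZE, 0)
    unpadded = len(header) + len(question) + len(opt_fixed) + 2 + 4  # + RDLENGTH + option hdr
    pad_len = (-unpadded) % pad_block
    rdata = struct.pack("!HH", EDNS_OPTION_PADDING, pad_len) + b"\x00" * pad_len
    return header + question + opt_fixed + struct.pack("!H", len(rdata)) + rdata


def frame_tcp(msg: bytes) -> bytes:
    """Prefix a message with its two-octet length (RFC 7766)."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def split_tcp_stream(buf: bytes):
    """Split a stream of length-prefixed messages; returns (messages, leftover)
    so a recv() that ends mid-message is resumed rather than mis-parsed."""
    msgs = []
    while len(buf) >= 2:
        (n,) = struct.unpack("!H", buf[:2])
        if len(buf) < 2 + n:
            break
        msgs.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return msgs, buf


def message_id(msg: bytes) -> int:
    return struct.unpack("!H", msg[:2])[0]


def question_length(msg: bytes) -> int:
    """Octets of the single, uncompressed question section at offset 12."""
    i = 12
    while msg[i] != 0:
        i += msg[i] + 1
    return i + 1 + 4 - 12


def match_responses(queries, responses):
    """Pair pipelined responses with queries by ID in any arrival order (RFC 7766).
    Drops messages with QR clear, an unknown ID, or a mismatching question."""
    pending = {message_id(q): q for q in queries}
    matched = {}
    for r in responses:
        rid = message_id(r)
        q = pending.get(rid)
        if q is None or not (r[2] & 0x80):
            continue
        qlen = question_length(q)
        if r[12:12 + qlen] != q[12:12 + qlen]:
            continue
        matched[rid] = r
        del pending[rid]
    return matched, sorted(pending)


def tls_context(cafile=None) -> ssl.SSLContext:
    """TLS 1.2+ context limited to the suite noted under RFC 7525 (TLS 1.2 name)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE-RSA-AES128-GCM-SHA256")
    return ctx


def query_over_tls(server_host, queries, server_name=None, timeout=5.0):
    """Pipeline all queries on one TLS connection to port 853; server_name is
    the name the resolver certificate is checked against (caller-supplied)."""
    ctx = tls_context()
    with socket.create_connection((server_host, DNS_OVER_TLS_PORT), timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name or server_host) as tls:
            tls.sendall(b"".join(frame_tcp(q) for q in queries))
            buf, responses = b"", []
            while len(responses) < len(queries):
                chunk = tls.recv(4096)
                if not chunk:
                    break
                buf += chunk
                done, buf = split_tcp_stream(buf)
                responses.extend(done)
    return match_responses(queries, responses)
```

Offline, build_query("example.com", 1, 0x1234) yields exactly 128 octets, 84 of them padding; against a live resolver, query_over_tls(host, [q1, q2], server_name=name) returns the matched responses keyed by ID together with the IDs that never got an answer.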

Technical reports


  • T-DNS: Connection-Oriented DNS to Improve Privacy and Security  (http://www.
