Versions Compared


Implementation Status

This table lists the best understanding of the current status of DNS-over-TLS related features in the latest stable releases of a selection of open source DNS software.

If there are errors or glaring omissions, please email sara@sinodun.com

Info

Also see the guides on how to use NGINX and other proxies to provide DNS-over-TLS, and see here.

This works with a couple of provisos:

  • Be aware that a client will think it is talking to a DNS-over-TLS server and so may keep connections open when idle, even when not using EDNS0 Keepalive (as allowed by RFC7858). The nameserver will see only TCP connections, which were historically used just for one-shot TCP and may not be robust to many long-lived connections.
  • Therefore this will work much better if the nameserver has robust TCP capabilities (as described in Sections 6.2.2 and 10 of RFC7766), and this would be required for a production-level service. Any server that fully implements EDNS0 Keepalive (RFC7828) should meet this criterion.

See the DNS Privacy reference material page for more details on the individual features.

Earlier version of the status table (from the older page version in this comparison):

Software and role/mode:

  • ldns - Client (Drill)
  • getdns - Client (Stub)
  • getdns - Client (Recursive*)
  • Unbound - Server
  • Unbound - Client
  • NSD - Server
  • Bind - Server
  • Bind - Client
  • POC code - Client & server
  • NOTES

Rows (entries in column order):

  • Connection reuse: (tick); implemented in upcoming 0.1.5 release by getdns team. NOTES: also works for PowerDNS, Knot and Yadifa.
  • Pipelining: N/A as only synchronous; implemented in upcoming 0.1.5 release by getdns team.
  • TCP fast open: (tick); (tick) (code in github); work in progress; work in progress; (tick). NOTES: (warning) Linux only (tested on Ubuntu).
  • Dedicated TLS: (tick); (tick)
  • T-DNS: (tick); planned for 2014; (tick); planned for 2014; (tick)
  • OOOP: N/A as only synchronous; needs testing.
  • Test scripts:
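The proviso above turns on whether the server answers with an edns-tcp-keepalive TIMEOUT (RFC7828); as an added example written for this page, not code from the DNS Privacy Project or any of the implementations listed, the following Python builds a padded query that signals keepalive support and reads the TIMEOUT a server returns. The reply it parses is a constructed sample, and the two-byte TCP length prefix used on port 853 is assumed to be added by the caller.

```python
import struct
EDNS_KEEPALIVE, EDNS_PADDING = 11, 12  # option codes from RFC7828 and RFC7830

def _opt_rr(rdata):
    # OPT RR: root name, type 41, UDP payload size 4096, ext-rcode/version/flags 0
    return b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(rdata)) + rdata

def build_query(qname, qtype=1, txid=0x1234, pad_to=468):
    """Query with an empty keepalive option (client only signals support) plus padding to a multiple of pad_to."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, one question, one additional (OPT)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)
    keepalive = struct.pack("!HH", EDNS_KEEPALIVE, 0)  # zero length in queries; only servers send a TIMEOUT
    unpadded = len(header + question + _opt_rr(keepalive))
    pad_len = (-(unpadded + 4)) % pad_to  # +4 for the padding option's own code/length header
    padding = struct.pack("!HH", EDNS_PADDING, pad_len) + b"\x00" * pad_len
    return header + question + _opt_rr(keepalive + padding)

def _skip_name(msg, off):
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer: two bytes, and it ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def keepalive_timeout(msg):
    """Server TIMEOUT in seconds (wire unit 100 ms), or None if the reply carries no keepalive option."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QNAME, QTYPE, QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        p = 0
        while rtype == 41 and p + 4 <= len(rdata):  # walk the OPT RR's option list
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            if code == EDNS_KEEPALIVE and olen == 2:
                return struct.unpack("!H", rdata[p + 4:p + 6])[0] / 10.0
            p += 4 + olen
    return None

def sample_response(query, timeout_100ms=100):
    """Constructed sample reply (not from a real server): one A answer and an OPT RR with a server TIMEOUT."""
    question = query[12:_skip_name(query, 12) + 4]
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 1)  # QR/RD/RA, qd=1, an=1, ns=0, ar=1
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])  # pointer to QNAME
    return header + question + answer + _opt_rr(struct.pack("!HHH", EDNS_KEEPALIVE, 2, timeout_100ms))
```

A None result is exactly the situation the first proviso describes: the server has made no promise about idle connections, so the client should not rely on one.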

Current version of the status tables:

Clients

Mode and software:

  • Stub: ldns (drill), digit, getdns (Stubby), BIND (dig), Go DNS, Knot (kdig)
  • Recursive resolver: getdns(a), Unbound, BIND, Knot Res

TCP/TLS features (entries in column order):

  • TCP fast open(b): (tick) (tick) P (tick)
  • Connection reuse (Q/R, Q/R, Q/R): (tick) (tick) (tick)(tick)(tick) (tick)(tick)
  • Pipelining of queries (Q,Q,Q,R,R,R): n/a (tick) (tick) (tick)(tick)(tick) (tick)(tick)
  • Process OOOR (Q1,Q2,R2,R1): n/a (tick) (tick) (tick) (tick)(tick)
  • EDNS0 Keepalive(c): (tick)

TLS features:

  • TLS encryption (Port 853): (tick)(tick) (tick)(tick)(tick)(tick)
  • TLS authentication: (tick)
  • EDNS0 Padding: (tick)(tick) (tick)

Servers

Mode and software:

  • Recursive: Unbound, BIND, Knot Res
  • Auth: NSD, BIND, Knot Auth

TCP/TLS features (entries in column order):

  • TCP fast open**: (tick)(tick)(tick) (tick)
  • Process pipelined queries: (tick)(tick)(tick)(tick)(tick)(tick)
  • Provide OOOR: WIP (tick)(tick) n/a n/a n/a
  • EDNS0 Keepalive***: WIP

TLS features:

  • TLS encryption (Port 853): (tick) (d) (tick)
  • Provide TLS auth credentials: (tick) (d) (tick)
  • TLS DNSSEC Chain Extension:
  • EDNS0 Padding (basic): (tick)

KEY:

  • Green square (tick) - indicates latest release already supports this functionality
  • Green square with (tick) indicates a patch to the latest release
  • Blue square - indicates that a patch is available in our Stash git repo: https://portal.sinodun.com/stash/projects/TDNS/repos/tdns_patches/browse, or in a public github repo. See here for details: DNS-over-TLS patches
  • Blue square indicates code implementing this functionality contributed from this project is available in the latest release of the software
  • Yellow square indicates implementation in unreleased software
  • Yellow square - indicates work in progress, or available in next release
  • P - Requires building against a patched version of libunbound

(a) getdns uses libunbound in recursive mode
(b) not yet available on Windows
(c) Implies robust TCP connection management (see RFC7828 and RFC7766)
(d) See this article for how to use stunnel with BIND to provide DNS-over-TLS - thanks Francis Dupont!

Note that pipelining and OOOP are not applicable to synchronous applications.