This table lists the best understanding of the current status of DNS-over-TLS related features in the latest stable releases of a selection of commonly used open source DNS software.
If there are errors or glaring omission please email email@example.com
Client - Stub
Client - Recursive
This works with a couple of provisos:
See the DNS Privacy reference material page for more details on the individual features.
|TCP fast open(b)|
|Connection reuse (Q/R, Q/R, Q/R)|
Pipelining of queries(Q,Q,Q,R,R,R)
|Process OOOR (Q1,Q2,R2,R1)||n/a|
|TLS encryption (Port 853)|
|TCP fast open**|
Process Pipelined queries
|TLS encryption (Port 853)||(d)|
|Provide TLS auth credentials||(d)|
|TLS DNSSEC Chain Extension|
|EDNS0 Padding (basic)|
Most of the implementations above use only the STARTTLS/CH/TXT query text to negotiate the upgrade to TLS by default (the TO bit proposed in the draft in NOT used since it is not assigned by IANA, but may be available as an option in some implementations).
* (a) getdns uses libunbound in recursive mode
** available on linux only
*** Pipelining and (b) not yet available on Windows
(c) Implies robust TCP connection management (see RFC7828 and RFC7766)
(d) See this article for how to use stunnel with BIND to provide DNS-over-TLS - thanks Francis Dupont!
Note pipelining and OOOP are not applicable for synchronous applications.