DNS Privacy Project

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 25 Next »

Relevant Internet Drafts and RFCs

  • RFC7626 - DNS Privacy Considerations


  • Specification for DNS over TLS (draft-ietf-dprive-dns-over-tls)

    This document describes a technique for upgrading a DNS TCP connection to use Transport Layer Security (TLS) over standard ports. Encryption provided by DNS-over-TLS eliminates opportunities for eavesdropping of DNS queries in the network. The proposed mechanism is backwards compatible with clients and servers that are not aware of DNS-over-TLS.

  • Authentication and (D)TLS Profile for DNS-over-TLS and DNS-over-DTLS - (draft-ietf-dprive-dtls-and-tls-profiles)

    This document describes how a DNS client can use a domain name to authenticate a DNS server that uses Transport Layer Security (TLS) and Datagram TLS (DTLS). Additionally, it defines (D)TLS profiles for DNS clients and servers implementing DNS-over-TLS and DNS-over- DTL

  • DNS Transport over TCP - Implementation Requirements (draft-ietf-dnsop-5966bis)

    Update of RFC5966 including performance improvements. 

  • The edns-tcp-keepalive EDNS0 Option (draft-ietf-dnsop-edns-tcp-keepalive)

    DNS messages between clients and servers may be received over either UDP or TCP. UDP transport involves keeping less state on a busy server, but can cause truncation and retries over TCP. Additionally, UDP can be exploited for reflection attacks. Using TCP would reduce retransmits and amplification. However, clients are currently limited in their use of the TCP transport as RFC 5966 suggests closing idle TCP sessions "in the order of seconds", making use of TCP only suitable for individual queries generated as a fallback protocol for truncated UDP answers. This document defines an EDNS0 option ("edns-tcp-keepalive") that allows DNS clients and servers to signal their respective readiness to conduct multiple DNS transactions over individual TCP sessions. This signalling facilitates a better balance of UDP and TCP transport between individual clients and servers, reducing the impact of problems associated with UDP transport and allowing the state associated with TCP transport to be managed effectively with minimal impact on the DNS transaction time.

  • The Transport Layer Security (TLS) Protocol (RFC5246)


  • RFC7525 - Recommendations for Secure Use of TLS and DTLS

    Suggests use of cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 with EC Brainpool P-256, brainpoolp256r1 [RFC7027]), and fall back to the commonly used NIST P-256 (secp256r1) curve [RFC4492]. Note: OpenSSL calls secp256r1 prime256v1 and you need OpenSSL 1.0.2-beta1 to get brainpoolp256r1

  • RFC7301 - Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension
  • RFC7413 - TCP Fastopen

Technical reports


A short video is available demonstrating TCP connection re-use, pipelining, TCP Fast Open and DNS-over-TLS: DNS-over-TLS demo video

getdns API

Example code

  • No labels