DNS Privacy Project

A number of organisations have expressed interest in running experimental DNS Privacy servers. At the moment this page just attempts to capture, in more detail than the overview here (DNS-over-TLS implementations), the different features/characteristics that a DNS Privacy server can offer.

The intention in future is to document what each service actually offers as it goes live, so that users can make informed choices about which service they might utilise.

Feature/Characteristic | Relevant RFCs/I-Ds | Notes
DNS-over-TLS on port 853 (IPv4) | RFC7858 |
DNS-over-TLS on port 853 (IPv6) | RFC7858 |
Compliance with BCP195 | RFC7525 | In particular, MUST implement TLS 1.2, SHOULD NOT negotiate TLS 1.1. Use recommended Cipher Suites.
TLS authentication via SPKI public keys provided securely via an out-of-band mechanism | | Required for Strict Privacy using SPKI pinsets
Verifiable certificate/certificate chain | | Required for Strict Privacy using CA Certs
Concurrent processing of TCP/TLS queries | RFC7766 | Improves performance by eliminating head-of-line blocking at the query level
EDNS0 Keepalive | RFC7828 | Recommended for TCP/TLS connection management
EDNS0 Client Subnet privacy option | RFC7871 | Allows end users to specify that their client subnet should not be sent to an authoritative server in the EDNS0 Client Subnet option
EDNS0 padding | RFC7830 | Obfuscates message size, reducing the effectiveness of traffic analysis
TCP Fast Open | RFC7413 | Data can be sent in the TCP SYN. For TLS the Client Hello can therefore be sent in the SYN, reducing latency.
QNAME minimisation to Auth Servers | RFC7816 | Reduces data sent to authoritative servers, improving end user privacy
De-identification of data | |
Data retention policy (if no de-identification) | |
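As an added illustration of how three of the rows above fit together on the wire (example code written for this page, not code from the DNS Privacy Project or any of the listed servers): a query carrying an empty RFC7828 keepalive option and an RFC7830 padding option sized so the whole message lands on a block boundary, then framed with the two-byte length prefix RFC7766 uses over TCP and TLS. Python standard library only; the 468-byte block size, the query names and the function names are assumptions.

```python
import struct

EDNS_KEEPALIVE = 11  # RFC 7828 option code
EDNS_PADDING = 12    # RFC 7830 option code
OPT_TYPE = 41        # RFC 6891 OPT pseudo-RR

def dns_query(qname, qtype=1, txid=0x1234, arcount=0):
    """DNS header (RD set) plus one question section entry (RFC 1035)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def opt_rr(options, udp_size=1232):
    """OPT pseudo-RR carrying (code, data) options; root name, TTL 0."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, len(rdata)) + rdata

def padded_query(qname, block=468, keepalive=True):
    """Query padded to a multiple of `block` bytes (block size is a policy choice,
    RFC 7830 leaves it open; 468 is an assumption used here, not a page value)."""
    options = [(EDNS_KEEPALIVE, b"")] if keepalive else []  # clients send an empty keepalive
    body = dns_query(qname, arcount=1)
    # Size with an empty padding option in place, then fill that option up to the boundary.
    unpadded = len(body) + len(opt_rr(options + [(EDNS_PADDING, b"")]))
    options.append((EDNS_PADDING, b"\x00" * ((-unpadded) % block)))
    return body + opt_rr(options)

def tcp_frame(msg):
    """RFC 7766 framing used on TCP and TLS (port 853): two-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def edns_options(msg):
    """Parse [(code, data_len)] back out of a one-question message whose first additional RR is OPT."""
    qdcount, arcount = msg[4] << 8 | msg[5], msg[10] << 8 | msg[11]
    pos = 12
    for _ in range(qdcount):
        while msg[pos]:
            pos += 1 + msg[pos]
        pos += 5  # root label + QTYPE + QCLASS
    if arcount != 1 or msg[pos] != 0:
        raise ValueError("expected a single OPT record at the root name")
    rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
    if rtype != OPT_TYPE:
        raise ValueError("additional record is not OPT")
    pos, end, found = pos + 11, pos + 11 + rdlen, []
    while pos < end:
        code, length = struct.unpack("!HH", msg[pos:pos + 4])
        found.append((code, length))
        pos += 4 + length
    return found
```

Whatever the name length, every query leaves the client at the same 468-byte size, which is the property the padding row relies on to blunt size-based traffic analysis.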