DNS Privacy
This table lists the best understanding of the current status of DNS-over-TLS related features in the latest stable releases of a selection of open source DNS software.
If there are errors or glaring omissions, please email sara@sinodun.com
Guides on how to use NGINX and other proxies to provide DNS-over-TLS are coming soon (also see here). This works with a couple of provisos:
See the DNS-over-TLS reference material page for more details on the individual features.
| Mode | Stub | | | | | | Recursive resolver | | |
|---|---|---|---|---|---|---|---|---|---|
| Software | (drill) | digit | BIND (dig) | Go DNS | Knot (kdig) | getdns(a) | Unbound | BIND | Knot Res |
| TCP/TLS Features | | | | | | | | | |
| TCP fast open(b) | P | | | | | | | | |
| Connection reuse (Q/R, Q/R, Q/R) | | | | | | | | | |
| Pipelining of queries (Q,Q,Q,R,R,R) | n/a | | | | | | | | |
| Process OOOR (Q1,Q2,R2,R1) | n/a | | | | | | | | |
| EDNS0 Keepalive(c) | | | | | | | | | |
| TLS Features | | | | | | | | | |
| TLS encryption (Port 853) | | | | | | | | | |
| TLS authentication | | | | | | | | | |
| EDNS0 Padding | | | | | | | | | |
| Mode | Recursive | | Auth | | |
|---|---|---|---|---|---|
| Software | BIND | Knot Res | NSD | BIND | Knot Auth |
| TCP/TLS Features | | | | | |
| TCP fast open(b) | | | | | |
| Process pipelined queries | | | | | |
| Provide OOOR | WIP | n/a | n/a | n/a | |
| EDNS0 Keepalive(c) | WIP | | | | |
| TLS Features | | | | | |
| TLS encryption (Port 853) | (d) | WIP | | | |
| Provide TLS auth credentials | (d) | WIP | | | |
| EDNS0 Padding | WIP | | | | |
KEY:
(a) getdns uses libunbound in recursive mode
(b) not yet available on Windows
(c) Implies robust TCP connection management (see RFC7828 and RFC7766)
(d) See this article for how to use stunnel with BIND to provide DNS-over-TLS - thanks Francis Dupont!
Note: pipelining and OOOR (out-of-order responses) are not applicable to synchronous applications, which send one query and wait for its reply before sending the next.
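The pipelining (Q,Q,Q,R,R,R) and OOOR (Q1,Q2,R2,R1) behaviour the tables track, shown as an added Python example that is not code from the DNS Privacy Project or from any of the listed implementations: queries are framed with the 2-octet length prefix used on TCP and TLS (RFC 7766), written back-to-back, and each reply is matched to its query by message ID and question section rather than by arrival order. The names, message IDs and the sample exchange are constructed for the example.

```python
import struct

def encode_name(name):
    # wire-format a name as length-prefixed labels ending in a zero octet
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
def build_query(msg_id, qname, qtype=1):
    # minimal query: header with RD set, one question (class IN), no EDNS0
    return struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)
def make_response(query):
    # constructed reply: same ID and question, QR/RD/RA flags set, no answer records
    return query[:2] + b"\x81\x80" + query[4:]
def frame(msg):
    # RFC 7766 TCP/TLS framing: each DNS message is preceded by a 2-octet length field
    return struct.pack("!H", len(msg)) + msg
def pipeline(queries):
    # Q,Q,Q: write every frame on the one connection without waiting for any reply
    return b"".join(frame(q) for q in queries)

def read_frames(stream):
    # split a received byte stream into whole messages; an incomplete tail is returned as-is
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        n = struct.unpack("!H", stream[pos:pos + 2])[0]
        if pos + 2 + n > len(stream):
            break
        msgs.append(stream[pos + 2:pos + 2 + n])
        pos += 2 + n
    return msgs, stream[pos:]

def match_responses(sent, stream):
    # OOOR: pair each reply with its query by message ID plus question section, not by arrival order
    pending = {struct.unpack("!H", q[:2])[0]: q for q in sent}
    matched = {}
    for r in read_frames(stream)[0]:
        rid = struct.unpack("!H", r[:2])[0]
        q = pending.get(rid)
        if q is None or r[12:len(q)] != q[12:]:
            continue  # unknown ID or question mismatch: drop it rather than accept it as the reply
        matched[rid] = r
        del pending[rid]
    return matched, pending

def demo():
    # constructed exchange: three pipelined queries; replies arrive as R2, R3, a stray frame reusing ID 1, then R1
    qs = [build_query(i, n) for i, n in ((1, "example.com"), (2, "example.net"), (3, "example.org"))]
    rs = [make_response(q) for q in qs]
    stray = make_response(build_query(1, "mismatch.example"))
    wire_in = b"".join(frame(r) for r in (rs[1], rs[2], stray, rs[0]))
    return (pipeline(qs), *match_responses(qs, wire_in))
```

`demo()` returns the bytes a pipelining stub would write, the replies matched to queries 1, 2 and 3, and an empty pending set; the stray frame with a colliding ID is discarded because its question does not match.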