DNS Privacy Project

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 12 Next »

Selection of relevant internet drafts

  • DNS privacy considerations (draft-bortzmeyer-dnsop-dns-privacy)


  • Starting TLS over DNS (draft-hzhwm-start-tls-for-dns-00)

    This document describes a technique for upgrading a DNS TCP connection to use Transport Layer Security (TLS) over standard ports. Encryption provided by DNS-over-TLS eliminates opportunities for eavesdropping of DNS queries in the network. The proposed mechanism is backwards compatible with clients and servers that are not aware of DNS-over-TLS.

  • The edns-tcp-keepalive EDNS0 Option (http://datatracker.ietf.org/doc/draft-ietf-dnsop-edns-tcp-keepalive/)

    DNS messages between clients and servers may be received over either UDP or TCP. UDP transport involves keeping less state on a busy server, but can cause truncation and retries over TCP. Additionally, UDP can be exploited for reflection attacks. Using TCP would reduce retransmits and amplification. However, clients are currently limited in their use of the TCP transport as RFC 5966 suggests closing idle TCP sessions "in the order of seconds", making use of TCP only suitable for individual queries generated as a fallback protocol for truncated UDP answers. This document defines an EDNS0 option ("edns-tcp-keepalive") that allows DNS clients and servers to signal their respective readiness to conduct multiple DNS transactions over individual TCP sessions. This signalling facilitates a better balance of UDP and TCP transport between individual clients and servers, reducing the impact of problems associated with UDP transport and allowing the state associated with TCP transport to be managed effectively with minimal impact on the DNS transaction time.

  • The Transport Layer Security (TLS) Protocol (RFC5246)

  • Recommendations for Secure Use of TLS and DTLS (draft-ietf-uta-tls-bcp-01)  

    Suggests use of cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 with EC Brainpool P-256, brainpoolp256r1 [RFC7027]), and fall back to the commonly used NIST P-256 (secp256r1) curve [RFC4492]. Note: OpenSSL calls secp256r1 prime256v1 and you need OpenSSL 1.0.2-beta1 to get brainpoolp256r1

  • Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension RFC7301
  • TCP Fastopen (draft-ietf-tcpm-fastopen-10)
    Also see TCP Fastopen from the linux kernel documentation (search for tcp_fastopen). This is an experimental track draft and AFAIK is only implemented on Linux.

Technical reports


Example code

getdns API


  • No labels