DNS Privacy Reference Material

DNS Privacy Project > DNS Privacy Reference Material

Relevant Internet Drafts and RFCs

DPRIVE

The DNS PRIVate Exchange (DPRIVE) Working Group develops mechanisms to provide confidentiality to DNS transactions in order to address concerns surrounding pervasive monitoring (RFC 7258).

Also see the DPRIVE document website


draft-ietf-dprive-dnsoquic	DNS over Dedicated QUIC connections	This document describes the use of QUIC to provide transport privacy for DNS (DoQ).
draft-ietf-dprive-unauth-to-authoritative	Recursive to Authoritative DNS with Unauthenticated Encryption	This document describes a use case and a method for a DNS recursive resolver to use unauthenticated encryption when communicating with authoritative servers.
RFC9103	DNS Zone Transfer over TLS	This document specifies the use of TLS, rather than cleartext, to prevent zone content collection via passive monitoring of zone transfers: XFR over TLS (XoT).
RFC9076	DNS Privacy Considerations	This document describes the privacy issues associated with the use of the DNS by Internet users. It is intended to be an analysis of the present situation and does not prescribe solutions.
RFC8932	Recommendations for DNS Privacy Service Operators	Describes Best Current Practices for operators of DoT and DoH servers in terms of protocol, service and privacy policy considerations.
RFC8310	Usage Profiles for DNS over TLS and DNS over DTLS	This document describes how a DNS client can use a domain name to authenticate a DNS server that uses Transport Layer Security (TLS) and Datagram TLS (DTLS). Additionally, it defines (D)TLS profiles for DNS clients and servers implementing DNS-over-TLS and DNS-over- DTLS
RFC7858	Specification for DNS over TLS	This document describes the use of TLS to provide privacy for DNS.
RFC8467	Padding Policy for EDNS(0)	Specifies the preferred algorithm for padding with the option defined in RFC7830
R FC7830	The EDNS(0) Padding Option	This document specifies the EDNS(0) 'Padding' option, which allows DNS clients and servers to pad request and response messages by a variable number of octets.

ADD

The Adaptive DNS Discovery focusses on discovery and selection of DNS resolvers by DNS clients in a variety of networking environments, including public networks, private networks, and VPNs, supporting both encrypted and unencrypted resolvers.

ADD is still developing work but has adopted the following drafts


Discovery of Designated Resolvers
DHCP and Router Advertisement Options for the Discovery of Network-designated Resolvers (DNR)

DOH

DOH has been concluded but worked to standardize encodings for DNS queries and responses that are suitable for use in HTTPS.


RFC8484	DNS Queries over HTTPS (DoH)	Document describing the protocol aspects of running DNS over HTTPS.

DNSOP

The DNS Operations Working Group will develop guidelines for the operation of DNS software and services and for the administration of DNS zones.


RFC7766	DNS Transport over TCP - Implementation Requirements	This document specifies the requirement for support of TCP as a transport protocol for DNS implementations and provides guidelines towards DNS-over-TCP performance on par with that of DNS-over-UDP.
RFC9156	DNS Query Name Minimisation to Improve Privacy	This document describes a technique called "QNAME minimisation" to improve DNS privacy, where the DNS resolver no longer always sends the full original QNAME and original QTYPE to the upstream name server.
RFC7828	The edns-tcp-keepalive EDNS0 Option	This document defines an EDNS0 option ("edns-tcp-keepalive") that allows DNS clients and servers to signal their respective readiness to conduct multiple DNS transactions over individual TCP sessions.

Other


RFC5246	The Transport Layer Security (TLS) Protocol
RFC7525	Recommendations for Secure Use of TLS and DTLS
RFC7413	TCP Fastopen
RFC8094 - Experimental	Specification for DNS over Datagram Transport Layer Security (DTLS)

Selection of Presentations

Also see the DNS Privacy Workshop pages!

OARC 29
- Where will encrypted DNS transports push DNS operators?- Slides, Video
RIPE 77
- It’s DNS Jim, But Not as We Know It - Slides, Video
- DNS Privacy measurements (Benchmarking DoT) - Slides, Video
ICANN DNS Symposium 2018
- ‘Where’s my DNS?’ (video)
RIPE 76
- Measurements on DNS Privacy (DNS-over-TCP and TLS benchmarking)
- BCOP WG - DNS Privacy PCP
- Dude, where’s my DNS? (subtitle ‘DNS-over-HTTPS is coming!’)
FOSDEM 2018
- Willem Toorop on Stub resolvers
OARC 27
- DNS Privacy clients. You tube video.
JCSA 2017
- Hands on with getdns
IETF 99 EDU Privacy Tutorial
- DNS Privacy Tutorial (Sara Dickinson, Daniel Kahn Gillmor)
RIPE 72
- DNS Privacy Public Resolver discussion (Sara Dickinson)
IETF 94:
- DNS-over-TLS draft update (D. Wessels, S. Dickinson)
IETF 93:
- Update on 5966bis and EDNS0 keepalive (Sara Dickinson)
DNS-OARC Fall workshop 2015:
- Using TLS for DNS Privacy in practice (Sara Dickinson)
IETF 91:
- DNS over TCP and TLS - draft-hzhwm-dprive-start-tls-for-dns-00 (John Heidermann, Sara Dickinson)
- A short video is demonstrating TCP connection re-use, pipelining, TCP Fast Open and DNS-over-TLS: DNS-over-TLS demo video
IETF 89:
- T-DNS: Connection-Oriented DNS to Improve Privacy and Security (Duane Wessels)
DNS-OARC Spring workshop 2014:
- T-DNS: Connection-Oriented DNS to Improve Privacy and Security (John Heidemann)
- getdns-api implementation (Willen Toorop)

Technical reports

T-DNS: Connection-Oriented DNS to Improve Privacy and Security http://www.isi.edu/publications/trpublic/files/tr-693.pdf
http://googlecode.blogspot.co.uk/2012/01/lets-make-tcp-faster.html