The DNS PRIVate Exchange (DPRIVE) Working Group develops mechanisms to provide confidentiality to DNS transactions in order to address concerns surrounding pervasive monitoring (RFC 7258).
| Document | Title | Summary |
|---|---|---|
| draft-ietf-dprive-unilateral-probing (since published as RFC 9539) | Unilateral Opportunistic Deployment of Encrypted Recursive-to-Authoritative DNS | Steps that DNS servers (recursive resolvers and authoritative servers) can take unilaterally, without any coordination with other peers, to defend DNS query privacy against a passive network monitor. The protection is opportunistic: the authoritative server is not authenticated, so this defends against passive monitoring, not an active attacker. |
| RFC 9250 | DNS over Dedicated QUIC Connections | The use of QUIC to provide transport privacy for DNS (DoQ), on UDP port 853 with the ALPN token "doq". |
| RFC 9103 | DNS Zone Transfer over TLS | The use of TLS, rather than cleartext, for zone transfers (XFR over TLS, XoT), to prevent zone content collection via passive monitoring. |
| RFC 9076 | DNS Privacy Considerations | The privacy issues associated with the use of the DNS by Internet users. It is an analysis of the present situation and does not prescribe solutions; it obsoletes RFC 7626. |
| RFC 8310 | Usage Profiles for DNS over TLS and DNS over DTLS | How a DNS client can use a domain name (the authentication domain name, ADN) to authenticate a DNS server that uses Transport Layer Security (TLS) or Datagram TLS (DTLS), and the Strict and Opportunistic (D)TLS profiles for clients and servers implementing DNS-over-TLS and DNS-over-DTLS. |
| RFC 7858 | Specification for DNS over TLS | The use of TLS to provide privacy for DNS (DoT), over TCP port 853. |
| RFC 8467 | Padding Policy for EDNS(0) | The recommended strategy for using the padding option defined in RFC 7830: block-length padding, with queries padded to a multiple of 128 octets and responses to a multiple of 468 octets. |
| RFC 7830 | The EDNS(0) Padding Option | The EDNS(0) "Padding" option, which allows DNS clients and servers to pad request and response messages by a variable number of octets, so that message sizes reveal less about the names being queried. |
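The following is an added example for this page, not code from the RFCs above or from the DNS Privacy Project: it builds a query carrying an RFC 7830 Padding option sized according to the RFC 8467 block policy, frames it with the two-octet length prefix that RFC 7766 specifies and DoT reuses, and parses the OPT RR back out. The `dot_exchange` function shows the RFC 8310 Strict profile (certificate validated against the resolver's authentication domain name); its `adn` and `ip` arguments are placeholders supplied by the caller and it is not invoked here, so everything below runs offline.

```python
"""EDNS(0) padding (RFC 7830) with the RFC 8467 block-length policy, plus the
two-octet TCP framing (RFC 7766) that DNS over TLS (RFC 7858) reuses.
Added example for this page, not code from the IETF documents; stdlib only."""
import socket
import ssl
import struct

OPT_PADDING = 12      # RFC 7830 EDNS(0) option code for "Padding"
QUERY_BLOCK = 128     # RFC 8467 section 4.1: pad queries to a multiple of 128 octets
RESPONSE_BLOCK = 468  # RFC 8467 section 4.1: pad responses to a multiple of 468 octets
TYPE_A, TYPE_OPT = 1, 41


def encode_name(name):
    """RFC 1035 wire format for a domain name (no compression)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def padding_needed(length, block):
    """Octets to add so that a message of `length` ends on a `block` boundary."""
    return (-length) % block


def build_padded_query(qname, qtype=TYPE_A, qid=0x1234, block=QUERY_BLOCK, udp_size=1232):
    """Query with RD=1, one question and one OPT RR whose Padding option is sized
    so the whole message is a multiple of `block` (RFC 8467 applied to RFC 7830)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR fixed part: NAME=root, TYPE=41, CLASS=UDP payload size, TTL=ext-RCODE/version/flags
    opt_fixed = b"\x00" + struct.pack("!HHI", TYPE_OPT, udp_size, 0)
    # The 2-octet RDLENGTH and the 4-octet option header are part of the unpadded length
    unpadded = len(header) + len(question) + len(opt_fixed) + 2 + 4
    pad = padding_needed(unpadded, block)
    rdata = struct.pack("!HH", OPT_PADDING, pad) + b"\x00" * pad  # RFC 7830: pad with 0x00
    return header + question + opt_fixed + struct.pack("!H", len(rdata)) + rdata


def tcp_frame(msg):
    """RFC 7766 / RFC 1035 section 4.2.2: two-octet big-endian length prefix on TCP, DoT and XoT."""
    return struct.pack("!H", len(msg)) + msg


def opt_options(msg):
    """Return {option_code: option_data} from the OPT RR of a one-question message."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    if (qd, an, ns, ar) != (1, 0, 0, 1):
        raise ValueError("expected exactly one question and one additional record")
    pos = 12
    while msg[pos]:                      # skip the question name label by label
        pos += 1 + msg[pos]
    pos += 1 + 4                         # root label, QTYPE, QCLASS
    if msg[pos] != 0 or struct.unpack("!H", msg[pos + 1:pos + 3])[0] != TYPE_OPT:
        raise ValueError("additional record is not an OPT RR")
    rdlen = struct.unpack("!H", msg[pos + 9:pos + 11])[0]
    pos, end, opts = pos + 11, pos + 11 + rdlen, {}
    while pos < end:
        code, ln = struct.unpack("!HH", msg[pos:pos + 4])
        opts[code] = msg[pos + 4:pos + 4 + ln]
        pos += 4 + ln
    return opts


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DoT server closed the connection")
        buf += chunk
    return buf


def dot_exchange(msg, adn, ip, port=853, timeout=5.0):
    """Send one framed query over DNS-over-TLS and return the unframed reply.
    `adn` is the resolver's authentication domain name (RFC 8310 Strict profile):
    the certificate chain and name are validated, so a wrong `ip` fails closed.
    Placeholder arguments; not called in this example."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=adn) as tls:
            tls.sendall(tcp_frame(msg))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return recv_exact(tls, length)
```

A query for `example.com` comes out at exactly 128 octets and a query for a 127-octet name at 256, so an observer of the TLS record sizes cannot distinguish short names from each other; pass `block=RESPONSE_BLOCK` to size a response the same way. The padding option header is counted before the pad is computed, which is why `unpadded` adds 4 to the OPT fixed part.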
The Adaptive DNS Discovery (ADD) Working Group focuses on the discovery and selection of DNS resolvers by DNS clients in a variety of networking environments, including public networks, private networks, and VPNs, supporting both encrypted and unencrypted resolvers.
ADD is still developing its work but has adopted the following drafts (both since published as RFCs):
| Document | Title | Summary |
|---|---|---|
| RFC 9462 | Discovery of Designated Resolvers | Discovery of Designated Resolvers (DDR), a mechanism for DNS clients to use DNS records (an SVCB query for `_dns.resolver.arpa`) to discover a resolver's encrypted DNS configuration. Because the answer arrives over unencrypted DNS, the client verifies a designation by checking that the designated resolver's TLS certificate covers the IP address of the unencrypted resolver. |
| RFC 9463 | DHCP and Router Advertisement Options for the Discovery of Network-designated Resolvers (DNR) | New DHCP and IPv6 Router Advertisement options to discover encrypted DNS resolvers (e.g., DNS-over-HTTPS, DNS-over-TLS, DNS-over-QUIC), carrying the resolver's authentication domain name and its service parameters. |
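As an added example (not code from the drafts or from any resolver or client implementation), the block below decodes the SVCB records a DDR client receives for `_dns.resolver.arpa`, using the RFC 9460 wire format, rejects the malformed encodings that specification says a client must treat as errors, turns the usable ALPNs into endpoints to try in priority order, and performs the certificate check that stops a forged SVCB answer from redirecting the client. The records, names and addresses are constructed from documentation values; `designation_verified` expects the dictionary shape that Python's `ssl` module returns for a peer certificate.

```python
"""Decode the SVCB records (RFC 9460 wire format) a DDR client (RFC 9462) receives
for `_dns.resolver.arpa` and turn them into encrypted-resolver candidates.
Added example for this page; SAMPLE_RDATAS is constructed (RFC 2606 / RFC 5737 values)."""
import struct

ALPN, PORT, IPV4HINT, DOHPATH = 1, 3, 4, 7   # SvcParamKeys (RFC 9460 section 14.3.2)
DEFAULT_PORT = {"dot": 853, "doq": 853, "h2": 443, "h3": 443}


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def decode_name(buf, pos):
    """Uncompressed wire name -> (text, next offset). SVCB TargetName is never compressed."""
    labels = []
    while True:
        n = buf[pos]
        pos += 1
        if n == 0:
            break
        if n >= 0xC0:
            raise ValueError("compression pointer not allowed in SVCB TargetName")
        labels.append(buf[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels) or ".", pos


def decode_param(key, val):
    if key == ALPN:                 # sequence of length-prefixed ALPN ids
        ids, p = [], 0
        while p < len(val):
            ids.append(val[p + 1:p + 1 + val[p]].decode("ascii"))
            p += 1 + val[p]
        return ids
    if key == PORT:
        return struct.unpack("!H", val)[0]
    if key == IPV4HINT:
        return [".".join(str(b) for b in val[i:i + 4]) for i in range(0, len(val), 4)]
    if key == DOHPATH:              # RFC 9461: relative URI template such as "/dns-query{?dns}"
        return val.decode("utf-8")
    return val


def parse_svcb_rdata(rdata):
    """-> (SvcPriority, TargetName, {key: value}). Keys must be strictly increasing and
    values complete (RFC 9460 section 2.2); anything else is rejected, not guessed at."""
    (prio,) = struct.unpack("!H", rdata[:2])
    target, pos = decode_name(rdata, 2)
    params, last = {}, -1
    while pos < len(rdata):
        key, ln = struct.unpack("!HH", rdata[pos:pos + 4])
        if key <= last:
            raise ValueError("SvcParamKeys must be in strictly increasing order")
        val = rdata[pos + 4:pos + 4 + ln]
        if len(val) != ln:
            raise ValueError("truncated SvcParamValue")
        params[key], last, pos = decode_param(key, val), key, pos + 4 + ln
    return prio, target, params


def designated_resolvers(rdatas):
    """(priority, protocol, endpoint) for every usable designation, lowest priority first.
    AliasMode records (SvcPriority 0) are skipped in this example."""
    out = []
    for prio, target, p in (parse_svcb_rdata(r) for r in rdatas):
        if prio == 0:
            continue
        for proto in p.get(ALPN, []):
            if proto not in DEFAULT_PORT:
                continue                                    # ALPN we do not speak
            port = p.get(PORT, DEFAULT_PORT[proto])
            if proto in ("h2", "h3"):
                if DOHPATH not in p:                        # DoH without a dohpath is unusable
                    continue
                out.append((prio, proto, "https://%s:%d%s" % (target, port, p[DOHPATH])))
            else:
                out.append((prio, proto, "%s://%s:%d" % (proto, target, port)))
    return sorted(out, key=lambda c: c[0])


def designation_verified(peer_cert, unencrypted_ip):
    """RFC 9462 section 4.2: the SVCB answer came over unencrypted DNS and may be forged,
    so the designated resolver's certificate must list the unencrypted resolver's IP
    in subjectAltName. `peer_cert` has the shape of ssl.SSLSocket.getpeercert()."""
    return ("IP Address", unencrypted_ip) in peer_cert.get("subjectAltName", ())


def svcb_rdata(priority, target, params):
    """Builder used only for the constructed sample (emits keys in increasing order)."""
    body = b"".join(struct.pack("!HH", k, len(v)) + v for k, v in sorted(params.items()))
    return struct.pack("!H", priority) + encode_name(target) + body


def alpn_value(*ids):
    return b"".join(bytes([len(i)]) + i.encode("ascii") for i in ids)


# Constructed answer section for `_dns.resolver.arpa IN SVCB` (documentation names/addresses)
SAMPLE_RDATAS = [
    svcb_rdata(2, "doq.example.net", {ALPN: alpn_value("doq"), PORT: struct.pack("!H", 8853)}),
    svcb_rdata(1, "dns.example.net", {ALPN: alpn_value("h2", "dot"),
                                      IPV4HINT: bytes([192, 0, 2, 1]),
                                      DOHPATH: b"/dns-query{?dns}"}),
]
```

With the sample records, `designated_resolvers(SAMPLE_RDATAS)` yields the DoH and DoT endpoints on `dns.example.net` first (priority 1) and the DoQ endpoint on port 8853 last. The certificate check is the part that matters for an attacker on the path: without it, anyone who can answer the unencrypted `_dns.resolver.arpa` query could name their own server as the "encrypted" resolver.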
The DNS over HTTPS (DOH) Working Group has concluded; it standardized encodings for DNS queries and responses that are suitable for use in HTTPS.
| Document | Title | Summary |
|---|---|---|
| RFC 8484 | DNS Queries over HTTPS (DoH) | The protocol aspects of running DNS over HTTPS: wire-format DNS messages carried in a GET request (base64url-encoded in the `dns` query parameter) or in a POST body, using the `application/dns-message` media type. |
The DNS Operations (DNSOP) Working Group develops guidelines for the operation of DNS software and services and for the administration of DNS zones.
| Document | Title | Summary |
|---|---|---|
| RFC 9210 | DNS Transport over TCP - Operational Requirements | Makes it a Best Current Practice that operators permit DNS messages to be carried over TCP on the Internet (that is, do not filter TCP port 53); the operational counterpart of RFC 7766. |
| RFC 8806 | Running a Root Server Local to a Resolver | How to start and maintain a local copy of the root zone on a recursive resolver in a way that does not cause problems for other users of the DNS, at the cost of some added operational fragility for the operator. It obsoletes RFC 7706. |
| RFC 7766 | DNS Transport over TCP - Implementation Requirements | Requires DNS implementations to support TCP as a transport protocol and gives guidelines for DNS-over-TCP performance on par with DNS-over-UDP. DoT and XoT reuse its two-octet length framing. |
| RFC 9156 | DNS Query Name Minimisation to Improve Privacy | "QNAME minimisation": the resolver no longer always sends the full original QNAME and original QTYPE to upstream name servers, so each authoritative server sees only as much of the name as it needs to give a referral. It obsoletes RFC 7816. |
| RFC 7828 | The edns-tcp-keepalive EDNS0 Option | An EDNS0 option ("edns-tcp-keepalive") that allows DNS clients and servers to signal their readiness to conduct multiple DNS transactions over a single TCP session, and lets the server say how long it will keep an idle session open. |
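The example below is added for this page and is not code from RFC 9156 or from any resolver. It simulates the upstream queries a QNAME-minimising resolver sends for a name, next to the classic iteration that sends the full name everywhere, so the difference in what each authoritative server sees can be checked directly. The `ZONES` map is a constructed stand-in for the delegation tree (including a name that is an empty non-terminal rather than a zone cut), and no network traffic is sent.

```python
"""Which names each authoritative server gets to see: a QNAME-minimising resolver
(RFC 9156) beside a classic one. Added example; ZONES is a constructed delegation tree."""

# Constructed delegation tree: zone apex -> the server authoritative for it.
# b.example.com. is deliberately NOT a zone cut (an empty non-terminal inside example.com.).
ZONES = {
    ".": "a.root-servers.net",
    "com.": "a.gtld-servers.net",
    "example.com.": "ns1.example.com",
}


def normalise(name):
    return name.rstrip(".").lower() + "."


def classic_queries(qname, qtype="A"):
    """Pre-minimisation iteration: the full QNAME and QTYPE go to every server on the
    referral chain from the root down to the zone that holds the name."""
    qname = normalise(qname)
    labels = qname.rstrip(".").split(".")
    suffixes = ("." if i == len(labels) else ".".join(labels[i:]) + "."
                for i in range(len(labels), -1, -1))
    return [(ZONES[z], qname, qtype) for z in suffixes if z in ZONES]


def minimised_queries(qname, qtype="A", probe_qtype="A"):
    """RFC 9156 iteration: add one label at a time and ask the closest known server
    about that prefix only; the full name with the real QTYPE is sent only once the
    zone that contains it is known. `probe_qtype` is the type used for the
    intermediate probes: RFC 7816 specified NS, and RFC 9156 no longer mandates it,
    partly because some authoritative servers mishandle NS queries for names that
    are not zone apexes."""
    qname = normalise(qname)
    labels = qname.rstrip(".").split(".")
    sent, zone = [], "."
    for i in range(len(labels) - 1, -1, -1):
        name = ".".join(labels[i:]) + "."
        server = ZONES[zone]
        if name == qname:                       # last step: the real question
            sent.append((server, name, qtype))
            break
        sent.append((server, name, probe_qtype))
        if name in ZONES:                       # reply was a referral: move one zone down
            zone = name
        # otherwise NOERROR/NODATA (empty non-terminal): keep asking the same server
    return sent


def names_seen_by(server, queries):
    """Distinct QNAMEs a given server observed in a query sequence."""
    return sorted({name for srv, name, _ in queries if srv == server})
```

For `www.example.com` the root server sees only `com.` and the .com server only `example.com.` in the minimised run, whereas the classic run shows the full name to both; for `a.b.example.com` the probe for `b.example.com.` is answered by `ns1.example.com` with no referral, so the resolver stays on that server and adds the next label, which is the empty-non-terminal case the RFC has to handle.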
| Document | Title | Note |
|---|---|---|
| RFC 5246 | The Transport Layer Security (TLS) Protocol Version 1.2 | Obsoleted by RFC 8446 (TLS 1.3), which DoT, DoH and DoQ deployments should prefer. |
| RFC 7525 | Recommendations for Secure Use of TLS and DTLS | Obsoleted by RFC 9325. |
| RFC 8094 (Experimental) | Specification for DNS over Datagram Transport Layer Security (DTLS) | Experimental; DNS over DTLS has seen little deployment compared with DoT, DoH and DoQ. |
Also see the DNS Privacy Workshop pages!
T-DNS: Connection-Oriented DNS to Improve Privacy and Security http://www.isi.edu/publications/trpublic/files/tr-693.pdf