DNS Privacy Project > Implementation Status

Implementation status (Stub to Recursive)

This page now contains information specific to Stub to Recursive Implementation Status.

For all information relating to encrypting Recursive to Authoritative communications (ADoT/Q) see ADoX Status and Deployment .

For all information relating to encrypted Zone Transfer (XoT/XoQ) see Encrypted Zone Transfer.

DoT Implementation Status

This table lists the best understanding of the current status of DNS-over-TLS related features in the latest stable releases of a selection of standalone open source DNS software.

Also see DNS Privacy Clients for a full list of OS, mobile apps, routers and browsers that support DoT.

If there are errors or glaring omission please email sara@sinodun.com

Also see guides on how to use NGINX and other proxies to provide DNS-over-TLS, also see here.

This works with a couple of provisos:

(1) Be aware that a client will think it is talking to a DNS-over-TLS server and so may keep connections open when idle even when not using EDNS0 Keepalive (as allowed by RFC7858 ). The nameserver will see only TCP connections which were historically used just for one-shot TCP and may not be robust to many long-lived connections.

(2) Therefore this will work much better if the nameserver has robust TCP capabilities (as described in Sections 6.2.2 and 10 of RFC7766), and would be required for production level service. Any server that fully implements EDNS0 Keepalive (RFC7828) should meet this criteria.

See the DNS Privacy Reference Material page for more details on the individual features.

Clients/Forwarders

Mode	Stub						Caching forwarder/proxy
Software	ldns (drill)	digit	getdns (Stubby)	BIND (dig)	Knot (kdig)	Go DNS	Unbound	BIND	Knot Res	dndist
Send ECS with SOURCE PREFIX-LENGTH value of 0			Y	Y	Y
TCP fast open (a)	P	Y	Y	Y	Y		Y	Y		Y
Connection reuse (Q/R, Q/R, Q/R)	P	Y	Y	Y		Y	Y	Y	Y	Y
Pipelining of queries(Q,Q,Q,R,R,R)	n/a	Y	Y	Y	n/a	Y	Y	Y	Y	Y
Process OOOR (Q1,Q2,R2,R1)	n/a	Y	Y	Y	n/a	W	Y	Y	Y
EDNS0 Keepalive (b)			Y	Y				(c)
TLS encryption (Port 853)	P	Y	Y	Y	Y	Y	Y	Y	Y
TLS authentication			Y		Y		Y	Y	Y
EDNS0 Padding		Y	Y	Y	Y		Y	Y
TLS DNSSEC Chain Extension (e)

Servers

Mode	Load Balancer	Recursive						Auth
Software	dnsdist	Unbound	BIND	Knot Res	PowerDNS Recursive	CoreDNS(e)	Tenta(e)	NSD	BIND	Knot Auth	PowerDNS Auth
QNAME minimisation	n/a	Y	Y	Y	Y						Y
TCP fast open(a)	Y	Y	Y	Y	Y			Y	Y	Y
Process Pipelined queries	Y	Y	Y	Y	Y			Y	Y	Y
Provide OOOR	(d)	Y	Y	Y	Y			n/a	n/a	n/a
EDNS0 Keepalive(b)		Y	Y	Y					Y
TLS encryption (Port 853)	Y	Y	Y	Y		Y	Y	Y
Provide TLS auth credentials	Y	Y	Y	Y		Y	Y
EDNS0 Padding (basic)		Y	Y	Y	(f)				Y
TLS DNSSEC Chain Extension(e)

KEY:

Y - indicates latest release already supports this functionality
P - indicates that a patch is available in our git repo. See here for details: DNS-over-TLS patches
W - indicates work in progress, or availabe in next release

(a) not yet available on Windows
(b) Implies robust TCP connection management (see RFC7828 and RFC7766)
(c) Can be added to queries but the response is currently ignored.
(d) Supports OOOR but could be limited by the nameserver or configuration used for recursion.
(e) RFC9102 Note this draft was published via the Independent Stream.
(f) This option adds padding to clear text queries to support running behind a DoT/DoH proxy such as dnsdist

Note pipelining/OOOP are not applicable (n/a) for some synchronous applications.

Other implementation work

TrustDNS is a RUST implementation of a DNS client/server that supports DNS-over-TLS.
Technitium DNS Server is an open source project which supports DoT, DoH and now DoQ. It also has support for both XFR-over-TLS and XFR-over-QUIC. There is also DNSSEC signing and validation support for all encrypted DNS protocols. Source code is on Github).

DoH Implementation status

We do not maintain an extensive list of DoH implementations here, instead see the list of implementations maintained on the curl github site:
(1) Browsers and Clients.
(2) Tools including various proxies (client and server) e.g dnscrypt-proxy, Facebooks experimental DoH proxy

We do maintain a list of some DoH clients (includes web browsers)

DoH in Open Source resolvers

The following resolvers can receive queries over DoH (server side support).

Mode	Recursive
Software	Unbound	BIND	Knot Res
DoH support	Y	Y	Y

DoH in Open Source proxies/load balancers

dnsdist can act as both a client and server for proxying DoH queries (as it can for DoT).

DoQ Implementation status

DoQ implementations are still in the early stages, the list below is an overview of the current status.

Stub

AdGuard clients support DoQ

Resolvers (downstream clients)

dnsdist supports DNS-over-QUIC for incoming queries since 1.9.0.
Unbound supports DoQ from v1.22.0
AdGuard resolvers support DoQ

Libraries/tools

A matrix of the interoperability of various QUIC libraries is available here: https://interop.seemann.io

dnsdist supports DNS-over-QUIC for incoming queries since 1.9.0.
AdGuard launched a DoQ recursive resolver service in December 2020. They have released a suite of open source tools that support DoQ:
1. AdGuard C++ DNS libraries A DNS proxy library that supports all existing DNS protocols including DNS-over-TLS, DNS-over-HTTPS, DNSCrypt and DNS-over-QUIC (experimental).
2. DNS Proxy A simple DNS proxy server that supports all existing DNS protocols including DNS-over-TLS, DNS-over-HTTPS, DNSCrypt, and DNS-over-QUIC. Moreover, it can work as a DNS-over-HTTPS, DNS-over-TLS or DNS-over-QUIC server.
3. CoreDNS fork for AdGuard DNS Includes DNS-over-QUIC server-side support.
4. dnslookup Simple command line utility to make DNS lookups. Supports all known DNS protocols: plain DNS, DoH, DoT, DoQ, DNSCrypt.
Quicdoq Quicdoq is a simple open source implementation of DoQ. It is written in C, based on Picoquic.
Flamethrower is an open source DNS performance and functional testing utility written in C++ that has an experimental implementation of DoQ.
aioquic is an implementation of QUIC in Python. It includes example client and server for DoQ.
doq-proxy is a lightweight Go implementaion of a simple client and server side proxy.
Technitium DNS Server is an open source project which supports DoT, DoH and now DoQ. It also has support for both XFR-over-TLS and XFR-over-QUIC.

Note that as of March 2022 there is early, experimental support for QUIC as a base transport protocol (i.e. without HTTP/3) in both nginx and HAProxy but that during work at the IETF 113 Hackathon neither could be configured to be useable for DoQ.