DNS Privacy Project > Implementation Status

Implemenation status

DoT Implementation Status

This table lists the best understanding of the current status of DNS-over-TLS related features in the latest stable releases of a selection of standalone open source DNS software.

Also see DNS Privacy Clients for a full list of OS, mobile apps, routers and browsers that support DoT.

If there are errors or glaring omission please email sara@sinodun.com

Also see guides on how to use NGINX and other proxies to provide DNS-over-TLS, also see here.

This works with a couple of provisos:

(1) Be aware that a client will think it is talking to a DNS-over-TLS server and so may keep connections open when idle even when not using EDNS0 Keepalive (as allowed by RFC7858 ). The nameserver will see only TCP connections which were historically used just for one-shot TCP and may not be robust to many long-lived connections.

(2) Therefore this will work much better if the nameserver has robust TCP capabilities (as described in Sections 6.2.2 and 10 of RFC7766), and would be required for production level service. Any server that fully implements EDNS0 Keepalive (RFC7828) should meet this criteria.

See the DNS Privacy Reference Material page for more details on the individual features.

Clients/Forwarders

Mode	Stub						Caching forwarder/proxy
Software	ldns (drill)	digit	getdns (Stubby)	BIND (dig)	Knot (kdig)	Go DNS	Unbound	BIND	Knot Res	dndist
Send ECS with SOURCE PREFIX-LENGTH value of 0			Y	Y	Y
TCP fast open (a)	P	Y	Y	Y	Y		Y	Y		Y
Connection reuse (Q/R, Q/R, Q/R)	P	Y	Y	Y		Y	Y	Y	Y	Y
Pipelining of queries(Q,Q,Q,R,R,R)	n/a	Y	Y	Y	n/a	Y	Y	Y	Y	Y
Process OOOR (Q1,Q2,R2,R1)	n/a	Y	Y	Y	n/a	W	Y	Y	Y
EDNS0 Keepalive (b)			Y	Y				(c)
TLS encryption (Port 853)	P	Y	Y	Y	Y	Y	Y	Y	Y
TLS authentication			Y		Y		Y	Y	Y
EDNS0 Padding		Y	Y	Y	Y		Y	Y
TLS DNSSEC Chain Extension (e)

Servers

Mode	Load Balancer	Recursive						Auth
Software	dnsdist	Unbound	BIND	Knot Res	PowerDNS Recursive	CoreDNS(e)	Tenta(e)	NSD	BIND	Knot Auth	PowerDNS Auth
QNAME minimisation	n/a	Y	Y	Y	Y						Y
TCP fast open(a)	Y	Y	Y	Y	Y			Y	Y	Y
Process Pipelined queries	Y	Y	Y	Y	Y			Y	Y	Y
Provide OOOR	(d)	Y	Y	Y	Y			n/a	n/a	n/a
EDNS0 Keepalive(b)		Y	Y	Y					Y
TLS encryption (Port 853)	Y	Y	Y	Y		Y	Y	Y
Provide TLS auth credentials	Y	Y	Y	Y		Y	Y
EDNS0 Padding (basic)		Y	Y	Y	(f)				Y
TLS DNSSEC Chain Extension(e)

KEY:

Y - indicates latest release already supports this functionality
P - indicates that a patch is available in our git repo. See here for details: DNS-over-TLS patches
W - indicates work in progress, or availabe in next release

(a) not yet available on Windows
(b) Implies robust TCP connection management (see RFC7828 and RFC7766)
(c) Can be added to queries but the response is currently ignored.
(d) Supports OOOR but could be limited by the nameserver or configuration used for recursion.
(e) RFC9102 Note this draft was published via the Independent Stream.
(f) This option adds padding to clear text queries to support running behind a DoT/DoH proxy such as dnsdist

Note pipelining/OOOP are not applicable (n/a) for some synchronous applications.

Other implementation work

TrustDNS is a RUST implementation of a DNS client/server that supports DNS-over-TLS.
Technitium DNS Server is an open source project which supports DoT, DoH and now DoQ. It also has support for both XFR-over-TLS and XFR-over-QUIC. There is also DNSSEC signing and validation support for all encrypted DNS protocols. Source code is on Github).

DoH Implementation status

See the list of implementations maintained on the curl github site:
(1) Browsers and Clients.
(2) Tools including various proxies (client and server) e.g dnscrypt-proxy, Facebooks experimental DoH proxy

We also maintain a list of some DoH clients (includes web browsers)
And below is the state of DoH implementation is well know open-source DNS recursive resolvers/load-balancers

Mode	Load Balancer	Recursive
Software	dnsdist	Unbound	BIND	Knot Res
DoH support	Y	Y	Y	Y

DoQ Implementation status

DoQ implementations are still in the early stages, the list below is an overview of the current status.

Stub

AdGuard clients support DoQ

Resolvers (downstream clients)

dnsdist supports DNS-over-QUIC for incoming queries since 1.9.0.
Unbound has an open pull request for DoQ downstream support
AdGuard resolvers support DoQ

Libraries/tools

A matrix of the interoperability of various QUIC libraries is available here: https://interop.seemann.io

dnsdist supports DNS-over-QUIC for incoming queries since 1.9.0.
AdGuard launched a DoQ recursive resolver service in December 2020. They have released a suite of open source tools that support DoQ:
1. AdGuard C++ DNS libraries A DNS proxy library that supports all existing DNS protocols including DNS-over-TLS, DNS-over-HTTPS, DNSCrypt and DNS-over-QUIC (experimental).
2. DNS Proxy A simple DNS proxy server that supports all existing DNS protocols including DNS-over-TLS, DNS-over-HTTPS, DNSCrypt, and DNS-over-QUIC. Moreover, it can work as a DNS-over-HTTPS, DNS-over-TLS or DNS-over-QUIC server.
3. CoreDNS fork for AdGuard DNS Includes DNS-over-QUIC server-side support.
4. dnslookup Simple command line utility to make DNS lookups. Supports all known DNS protocols: plain DNS, DoH, DoT, DoQ, DNSCrypt.
Quicdoq Quicdoq is a simple open source implementation of DoQ. It is written in C, based on Picoquic.
Flamethrower is an open source DNS performance and functional testing utility written in C++ that has an experimental implementation of DoQ.
aioquic is an implementation of QUIC in Python. It includes example client and server for DoQ.
doq-proxy is a lightweight Go implementaion of a simple client and server side proxy.
Technitium DNS Server is an open source project which supports DoT, DoH and now DoQ. It also has support for both XFR-over-TLS and XFR-over-QUIC.

Note that as of March 2022 there is early, experimental support for QUIC as a base transport protocol (i.e. without HTTP/3) in both nginx and HAProxy but that during work at the IETF 113 Hackathon neither could be configured to be useable for DoQ.

Recursive to Authoritative DoT/DoQ

Authoritatives

BIND supports DoT in Authoritative mode
Knot Authoritative 3.3.0 includes DNS-over-QUIC and XFR-over-QUIC
deSEC announced on the DPRIVE mailing list that they have support for DoT and DoQ on our authoritative anycast deployments.

Recursive (upstream queries)

Unilateral Probing Implementation status

RFC 9539 - Unilateral Opportunistic Deployment of Encrypted Recursive-to-Authoritative DNS is now published

There are some experimental implementation of this draft, a brief summary is given below.

PowerDNS 4.7.0 supports an experimental version of this “The implementation does not follow the existing draft to the letter, but was strongly inspired by it.” More here.
Google Public DNS have said they are looking at an experimental version although nothing is official.
NLnet Labs reported work to implement this in Unbound at the IETF 116 hackathon (March 2023)

XFR/XoT Implementation status

This table is a work in progress - please notify us it updates/corrections are needed

This table reflects some of the current behaviour on implementations and also some features proposed in RFC9103. It is noted that some name servers will behave differently when starting up and first loading zones to steady state behaviour.

Feature	BIND		NSD		Knot Auth		PowerDNS
Features applicable to Secondary	Sec	Pri	Sec	Pri	Sec	Pri	Sec	Pri
TCP: Typically performs AXFRs for different zones in parallel to the same primary using separate connections (in steady state)	Y		Y		Y		Y
TCP: Typically performs IXFRs in parallel to AXFRs to the same primary using separate connections (in steady state)	Y		Y		Y		Y
TCP: Connection re-use for XFRs to same primary is possible			(a)
TCP: When re-using connections, will pipeline all XFR requests			Y
Handle empty AXFR responses	NT	NT	NT	NT	NT	NT	NT	NT
Supports XoT	9.18	9.18	v4.3.7
Feature applicable to Primary
Handle pipelined XFR requests on one connection for different zones		Y		Y(b)		Y		Y
Always sends AXFR responses for different zones serially on the same connection (not intermingled)		Y		Y		Y		Y
Sends all AXFR/IXFR responses serially on the same connection		(d)		(b)
Handle sequential XFR requests on one connection for the same zone		Y		(c)		Y		Y

Default size of XFR response		~20kB		16kB		16kB		4-8kB
Explicit configuration limit on num of concurrent XFRs		Y		(e)		(e)		(e)
Supports XoT	9.18	9.18

KEY:

Y - indicates latest release supports this functionality
NT - not tested yet, or cannot be tested.

(a) Current release will re-use connections if the max outgoing TPC connections is hit. This PR provides a configuration option to make that behaviour the default.
(b) NSD does not support IXFR as a primary
(c) Because NSD requires a reload to update a zone, an old version of the zone will currently be sent on a TCP connection opened before the reload. A fix/workaournd is proposed.
(d) e.g. If BIND receives an IXFR request whilst sending a large AXFR response, it will send the IXFR response immediately intermingled with the AXFR response.
(e) Whilst there is no limit explicitly for XFRs, the primary has a configuration option to limit the total number of incoming TCP connections
(defaults for relevant limits are: BIND - 25, NSD - 100, Knot - one half of the file descriptor limit for the server process, - PowerDNS 20
(g) See this issue for progress. Support was added in development release 9.17.10

Other implementation work

Technitium DNS Server is an open source project which supports DoT, DoH and now DoQ. It also has support for both XFR-over-TLS and XFR-over-QUIC.