All the following are tested over TLS connections.
- TLS Does the server answer DNS queries over TLS on port 853?
- TLS 443 Does the server answer DNS queries over TLS on port 443?
- Strict Name Does the server pass Strict authentication using the authentication domain name only?
- Strict SPKI Does the server pass Strict authentication using SPKI pins only (if a SPKI pins are published)?
- Cert 0 Are there 0 days or less to certificate expiry?
- Cert 14 Are there 14 or fewer days to certificate expiry?
- QNAME min Is the server configured to use QNAME minimisation [RFC7816]?
- RTT 250 Is a simple query round trip time from the probe location (in the UK) < 250ms?
- DNSSEC Is the server doing DNSSEC validation (i.e. returning SERVFAIL for bogus domains)?
- Keepalive Does the server support the EDNS0 Keepalive option [RFC7828]?
- Padding Does the server add an EDNS0 Padding option to the response if one is in the query [RFC7830]?
- TLS 1.3 Does the server support TLS 1.3 (Experimental, may give false negatives)?
- OOOR Does the server give Out Of Order Responses (Experimental, may give false negatives)?
- GREEN indicates success
- RED indicates failed test (this might result from non DNS related issues such server being off line, blocking from the probe location, etc.) Note that the ‘Strict mode’ tests could fail for a number of reasons including incorrect credentials, self-signed certificates for name only authentication, incompatible TLS version or Cipher suites, etc. The console log of the test may give more information.
- GREY indicates test not run (e.g. due to lack of available transport or the lack of the SPKI pin)
Authentication information is taken from the DNS Privacy Project Test Servers page
These tests use a getdns based monitoring plugin which is currently under development. It is based on Stephane Bortzmeyer’s getdns based nagios plugin.
TLS 1.3 access is tested using a recent copy of the OpenSSL
master branch, commit 3e524bf. This is using TLS 1.3
Note that Quad9 and Cloudflare operate an anycast service so the results below are just for our local server (London).
Google Public DNS is included because we would like them to support it but they don’t :-)
|Configuration Matrix||TLS||TLS 443||Strict Name||Strict SPKI||Cert 0||Cert 14||QNAME min||RTT 250||DNSSEC||Keepalive||Padding||TLS 1.3||OOOR|