collapse
0%
WDescription%
Build stability: All recent builds failed.0
Build History
x
 

Project dnsprivacy-monitoring

The Tests

All the following are tested over TLS connections.

  • TLS Does the server answer DNS queries over TLS on port 853?
  • TLS 443 Does the server answer DNS queries over TLS on port 443?
  • Strict Name Does the server pass Strict authentication using the authentication domain name only?
  • Strict SPKI Does the server pass Strict authentication using SPKI pins only (if a SPKI pins are published)?
  • Cert 0 Are there 0 days or less to certificate expiry?
  • Cert 14 Are there 14 or fewer days to certificate expiry?
  • QNAME min Is the server configured to use QNAME minimisation [RFC7816]?
  • RTT 250 Is a simple query round trip time from the probe location (in the UK) < 250ms?
  • DNSSEC Is the server doing DNSSEC validation (i.e. returning SERVFAIL for bogus domains)?
  • Keepalive Does the server support the EDNS0 Keepalive option [RFC7828]?
  • Padding Does the server add an EDNS0 Padding option to the response if one is in the query [RFC7830]?
  • TLS 1.3 Does the server support TLS 1.3 (Experimental, may give false negatives)?
  • OOOR Does the server give Out Of Order Responses (Experimental, may give false negatives)?

Results

  • GREEN indicates success
  • RED indicates failed test (this might result from non DNS related issues such server being off line, blocking from the probe location, etc.) Note that the ‘Strict mode’ tests could fail for a number of reasons including incorrect credentials, self-signed certificates for name only authentication, incompatible TLS version or Cipher suites, etc. The console log of the test may give more information.
  • GREY indicates test not run (e.g. due to lack of available transport or the lack of the SPKI pin)

Notes

Authentication information is taken from the DNS Privacy Project Test Servers page
These tests use a getdns based monitoring plugin which is currently under development. It is based on Stephane Bortzmeyer’s getdns based nagios plugin.

TLS 1.3 access is tested using a recent copy of the OpenSSL master branch, commit 3e524bf. This is using TLS 1.3 draft-23 revision.

Note that Quad9 and Cloudflare operate an anycast service so the results below are just for our local server (London).

Google Public DNS is included because we would like them to support it but they don’t :-)

Configuration MatrixTLSTLS 443Strict NameStrict SPKICert 0Cert 14QNAME minRTT 250DNSSECKeepalivePaddingTLS 1.3OOOR
dnsovertls.sinodun.comv4
Success
Success
Success
Success
Success
Success
Failed
Success
Success
Success
Success
Failed
Success
v6
Success
Success
Success
Success
Success
Success
Failed
Success
Success
Success
Success
Failed
Success
dnsovertls1.sinodun.comv4
Success
Success
Success
Success
Success
Success
Failed
Success
Success
Success
Success
Failed
Success
v6
Success
Success
Success
Success
Success
Success
Failed
Success
Success
Success
Success
Failed
Success
getdnsapi.netv4
Success
Failed
Success
Success
Success
Success
Success
Success
Success
Failed
Failed
Failed
Failed
v6
Success
Failed
Success
Success
Success
Success
Success
Success
Success
Failed
Failed
Failed
Failed
dns.quad9.netv4
Success
Failed
Success
Not configured
Success
Success
Failed
Success
Success
Failed
Failed
Failed
Failed
v6
Success
Failed
Success
Not configured
Success
Success
Failed
Success
Success
Failed
Failed
Failed
Failed
1dot1dot1dot1.cloudflare-dns.comv4
Success
Failed
Success
Not configured
Success
Success
Success
Success
Success
Failed
Success
Failed
Failed
v6
Success
Failed
Success
Not configured
Success
Success
Success
Success
Success
Failed
Success
Failed
Failed
unicast.censurfridns.dkv4
Success
Failed
Success
Success
Success
Success
Failed
Success
Success
Failed
Failed
Failed
Success
v6
Success
Failed
Success
Success
Success
Success
Failed
Success
Success
Failed
Failed
Failed
Success
dnsovertls3.sinodun.comv4
Success
Failed
Success
Success
Success
Success
Failed
Success
Success
Success
Success
Success
Success
v6
Success
Failed
Success
Success
Success
Success
Failed
Success
Success
Success
Success
Success
Success
dnsovertls2.sinodun.comv4
Success
Failed
Success
Success
Success
Success
Success
Success
Success
Failed
Success
Failed
Failed
v6
Success
Failed
Success
Success
Success
Success
Success
Success
Success
Failed
Success
Failed
Success
dns.cmrg.netv4
Success
Success
Success
Success
Success
Success
Success
Success
Success
Failed
Success
Failed
Success
v6
Success
Success
Success
Success
Success
Success
Success
Success
Success
Failed
Success
Failed
Success
dns.larsdebruin.netv4
Success
Failed
Failed
Failed
Failed
Failed
Failed
Success
Success
Failed
Failed
Failed
Failed
v6
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
dot.securedns.euv4
Success
Failed
Success
Success
Success
Success
Failed
Success
Success
Success
Success
Failed
Success
v6
Success
Failed
Success
Success
Success
Success
Failed
Success
Success
Success
Success
Failed
Success
dns-tls.bitwiseshift.netv4
Success
Success
Failed
Failed
Failed
Failed
Success
Success
Success
Failed
Failed
Failed
Failed
v6
Success
Success
Failed
Failed
Failed
Failed
Success
Success
Success
Failed
Failed
Failed
Failed
ns1.dnsprivacy.atv4
Success
Failed
Success
Success
Success
Success
Success
Success
Failed
Failed
Failed
Failed
Failed
v6
Success
Failed
Success
Success
Success
Success
Success
Success
Failed
Failed
Failed
Failed
Failed
ns2.dnsprivacy.atv4
Success
In progress
Success
Success
Success
Success
Success
Success
Failed
Failed
Failed
Failed
Failed
v6
Success
Failed
Success
Success
Success
Success
Success
Success
Failed
Failed
Failed
Failed
Failed
dns.bitgeek.inv4
Success
Failed
Failed
Failed
Failed
Failed
Failed
Failed
Success
Failed
Failed
Failed
Failed
v6
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
ns0.ldn-fai.netv4
Success
Success
Not configured
Success
Success
Success
Failed
Success
Success
Failed
Failed
Failed
Failed
v6
Success
Success
Not configured
Success
Success
Success
Failed
Success
Success
Failed
Failed
Failed
Failed
dns.neutopia.orgv4
Success
Success
Success
Success
Success
Success
Success
Success
Failed
Failed
Success
Failed
Failed
v6
Success
Success
Success
Success
Success
Success
Success
Success
Failed
Failed
Success
Failed
Success
privacydns.go6lab.siv4
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
v6
Success
Failed
Success
Success
Success
Success
Failed
Success
Success
Failed
Failed
Failed
Failed
dnsotls.lab.nic.clv4
Success
Failed
Not configured
Success
Success
Success
Success
Success
Failed
Failed
Failed
Failed
Failed
v6
Success
Failed
Not configured
Success
Success
Success
Success
Success
Failed
Failed
Failed
Failed
Failed
dns-resolver.yeti.eu.orgv4
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
v6
Success
Failed
Success
Success
Success
Success
Failed
Success
Success
Failed
Failed
Failed
Failed
tls-dns-u.odvr.dns-oarc.netv4
Success
Failed
Not configured
Success
Success
Success
Failed
Failed
Failed
Failed
Failed
Failed
Failed
v6
Success
Failed
Not configured
Success
Success
Success
Failed
Failed
Failed
Failed
Failed
Failed
Failed
publicdns.google.comv4
Failed
Failed
Failed
Failed
Failed
Failed
Failed
Failed
Failed
Failed
Failed
Failed
Failed
v6
Failed
Failed
Failed
Failed
Failed
Failed
Failed
Failed
Failed
Failed
Failed
Failed
Failed