Info

This site is mainly focussed on following the development and deployment of DNS-over-TLS (DOT) and DNS-over-HTTPS (DOH) as the leading solutions for DNS Privacy, because DOT is the only such protocol currently standardized by the IETF and DOH is expected to become a standard shortly (as of May 2018).

Some history and background on the other alternatives is outlined below, and we intend to follow those solutions as they evolve.

...

One issue with DNS-over-DTLS is that, being a datagram transport, it must still truncate DNS responses that are too large for a single datagram (just as plain UDP does), so it cannot be a standalone privacy solution without a fallback mechanism (such as DNS-over-TLS) also being available.
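To make the truncation point concrete, here is an added example, written for this page and not code from the site or from any DNS-over-DTLS implementation. It builds a DNS response too large for a single 512-byte datagram, truncates it the way a datagram transport must (dropping whole answer records and setting the TC bit), and shows the 2-byte length-prefixed framing that a stream transport such as DNS-over-TLS uses to carry the full message. The query name, the address list and the 512-byte limit are constructed assumptions; the same logic applies to plain UDP.

```python
"""Datagram truncation versus stream fallback for a large DNS response.

Added example for this page, not code from the site or from any DNS-over-DTLS
implementation. Standard library only; the query name, the address list and
the datagram limit below are constructed assumptions.
"""
import struct

QNAME = "many-addresses.example"                          # constructed sample name
ADDRESSES = ["198.51.100.%d" % i for i in range(1, 21)]   # 20 constructed A records
QTYPE_A, QCLASS_IN = 1, 1
DATAGRAM_MAX = 512   # assumed payload limit per datagram (classic DNS/UDP without EDNS(0))
TC_BIT = 0x0200      # TrunCation flag in the DNS header


def encode_name(name):
    """Wire-format a domain name as uncompressed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_response(qname, addresses, txid=0x1234):
    """Full response: header, one question, one A record (TTL 300) per address."""
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answers = b""
    for ip in addresses:
        rdata = bytes(int(octet) for octet in ip.split("."))
        answers += encode_name(qname) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, len(rdata)) + rdata
    flags = 0x8180  # QR=1, RD=1, RA=1, no error
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    return header + question + answers


def skip_name(msg, off):
    """Return the offset just past a wire-format name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:    # 2-byte compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def fit_for_datagram(msg, max_size=DATAGRAM_MAX):
    """What a datagram transport (UDP or DTLS) must do with a response that does not fit.

    Whole answer records are dropped from the end until the message fits, ANCOUNT is
    rewritten, the authority/additional sections are dropped, and TC is set so the
    client knows the answer is incomplete. Returns (message, truncated).
    """
    if len(msg) <= max_size:
        return msg, False
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    kept, end = 0, off
    for _ in range(ancount):
        rr_end = skip_name(msg, off)
        (rdlength,) = struct.unpack("!H", msg[rr_end + 8:rr_end + 10])
        rr_end += 10 + rdlength                 # TYPE, CLASS, TTL, RDLENGTH, RDATA
        if rr_end > max_size:
            break
        kept, off, end = kept + 1, rr_end, rr_end
    header = struct.pack("!HHHHHH", txid, flags | TC_BIT, qdcount, kept, 0, 0)
    return header + msg[12:end], True


def is_truncated(msg):
    """True if the TC bit is set in the header."""
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_BIT)


def answer_count(msg):
    return struct.unpack("!H", msg[6:8])[0]


def frame_for_stream(msg):
    """Framing used by DNS over TCP and DNS-over-TLS: 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def read_framed(stream):
    """Pull one length-prefixed message back out of a byte stream."""
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]


def resolve(full_response, datagram_max=DATAGRAM_MAX):
    """Client view of the exchange: datagram first, stream fallback on TC.

    Returns (answers_received, transport). A datagram-only deployment would stop
    at the truncated answer; the fallback is what the page says DNS-over-DTLS needs.
    """
    datagram, _ = fit_for_datagram(full_response, datagram_max)
    if not is_truncated(datagram):
        return answer_count(datagram), "datagram"
    streamed = read_framed(frame_for_stream(full_response))   # retry over DNS-over-TLS/TCP
    return answer_count(streamed), "stream"


if __name__ == "__main__":
    full = build_response(QNAME, ADDRESSES)
    datagram, truncated = fit_for_datagram(full)
    print(len(full), "bytes full;", len(datagram), "bytes in the datagram, TC =", truncated)
    print(resolve(full))
```

With 20 A records the full response is 800 bytes; the datagram path can carry only 12 of them in 496 bytes and must set TC, so the client only gets the complete answer once it re-asks over the stream transport. A DTLS deployment without that fallback would silently lose the remaining records.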

DNS-over-HTTPS (proxied)

There are implementations available (e.g. from BII) of proxies that will tunnel DNS-over-HTTPS.

Google offers a proprietary DNS-over-HTTPS service using a JSON format for DNS queries.

A new IETF working group, DNS-over-HTTPS (DOH), was formed in Sept 2017; see the DOH section below.

DNS-over-QUIC

A draft on DNS-over-QUIC was submitted to the IETF QUIC Working Group in April 2017.

DNS-over-HTTPS (DOH)

The IETF created a new DOH working group in Sept 2017 to look at how DNS messages could be sent over an existing HTTP/2 connection. The work is still at an early stage, but one advantage of this approach is that DNS and HTTP traffic can be intermingled on the same connection, which makes blocking of encrypted DNS harder. As of May 2018 the draft https://datatracker.ietf.org/doc/draft-ietf-doh-dns-over-https/ is in WGLC and there are several experimental implementations and deployments. Note that this draft addresses almost purely protocol issues; a follow-up document on discovery and operational usage is expected.

DNSCrypt

Note

As of December 2017 the status of DNSCrypt was uncertain. See the new website

DNSCrypt is a method of authenticating communications between a DNS client and a DNS resolver that has been around since 2011:

  • It prevents DNS spoofing. 
  • It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered with (the messages are still sent over UDP). 
  • As a side effect it provides increased privacy because the DNS message content is encrypted.  
  • It is an open specification but it has not been standardized by the IETF. 
  • There are multiple implementations and a set of DNSCrypt servers available.
  • OpenDNS offers DNSCrypt.

Also check out an in-depth comparison from Tenta.


DNSCurve

DNSCurve was developed in 2010 with encryption of resolver-to-authoritative communications in mind. It has not been standardized by the IETF.
