DNS-over-TLS Implementation Status

These tables give the best current understanding of the status of DNS-over-TLS related features in the latest stable releases of a selection of standalone open source DNS software.

Also see DNS Privacy Clients for a full list of OS, mobile apps, routers and browsers that support DoT.

If there are errors or glaring omissions, please email sara@sinodun.com.

Also see the guides on how to use NGINX and other proxies to provide DNS-over-TLS.

This works with a couple of provisos:

See the DNS Privacy Reference Material page for more details on the individual features. 

Clients/Forwarders

Mode / Software
  Stub: ldns (drill), digit, getdns (Stubby), BIND (dig), Go DNS, Knot (kdig)
  Caching forwarder/proxy: Unbound, BIND, Knot Res, dnsdist

General
  Send ECS with SOURCE PREFIX-LENGTH value of 0: (tick)(tick)(tick)

TCP/TLS Features
  TCP fast open(b): (tick)(tick)(tick)(tick)
  Connection reuse (Q/R, Q/R, Q/R): (tick)(tick)(tick)(tick)(tick)(tick)(tick)(tick)
  Pipelining of queries (Q,Q,Q,R,R,R): n/a (tick)(tick)(tick)(tick)(tick)(tick)(tick)
  Process OOOR (Q1,Q2,R2,R1): n/a (tick)(tick)(tick)(tick)(tick)(tick)
  EDNS0 Keepalive(c): (tick)(tick) (f)

TLS Features
  TLS encryption (Port 853): (tick)(tick)(tick)(tick)(tick)(tick)
  TLS authentication: (tick)(tick)(tick)(tick)
  EDNS0 Padding: (tick)(tick)(tick)(tick)(tick)
  TLS DNSSEC Chain Extension(h): none

Servers

Mode / Software
  Load Balancer: dnsdist
  Recursive: Unbound, BIND, Knot Res, CoreDNS(e), Tenta(e)
  Auth: NSD, BIND, Knot Auth

General
  QNAME minimisation: n/a (tick)(tick)(tick)

TCP/TLS Features
  TCP fast open(b): (tick)(tick)(tick)(tick) / (tick)(tick)
  Process Pipelined queries: (tick)(tick)(tick)(tick) / (tick)(tick)(tick)
  Provide OOOR(g): (tick)(tick)(tick) / n/a n/a n/a
  EDNS0 Keepalive(c): (tick)(tick)(tick) / (tick)

TLS Features
  TLS encryption (Port 853): (tick)(tick)(d)(tick)(tick)(tick)
  Provide TLS auth credentials: (tick)(tick)(d)(tick)(tick)(tick)
  EDNS0 Padding (basic): (tick)(tick) / (tick)
  TLS DNSSEC Chain Extension(h): none
KEY:


(a)    getdns uses libunbound in recursive mode
(b)    not yet available on Windows
(c)    Implies robust TCP connection management (see RFC7828 and RFC7766)
(d)    See this article for how to use stunnel with BIND to provide DNS-over-TLS - thanks Francis Dupont!
(e)    Full list of supported features to be confirmed
(f)    Can be added to queries but the response is currently ignored.
(g)    Supports OOOR but could be limited by the nameserver or configuration used for recursion.
(h)    This is no longer an active draft in the TLS working group.

Note: pipelining and OOOR are not applicable to synchronous applications.

Other implementation work

DOH Implementation status

The picture for DoH implementation is moving very rapidly. Some work to date:

See the list of implementations maintained on the curl github site: 

Mode / Software
  Load Balancer: dnsdist
  Recursive: Unbound, BIND, Knot Res

DoH support: WIP; Experimental implementation released in 4.0.0