DNS over TLS

From Wikipedia, the free encyclopedia

DNS over TLS (DoT) is a protocol that allows DNS queries, i.e. above all queries for the resolution of host names into IP addresses and vice versa, to be transmitted in encrypted form via the Transport Layer Security protocol. It is a standard proposed by the Internet Engineering Task Force, RFC 7858.

Protocol

With DNS over TLS, DNS requests and responses are transmitted over a TLS-secured connection that is established between the client, such as the web browser, and the DNS provider's server. TLS (Transport Layer Security, more widely known by the name of its predecessor, Secure Sockets Layer, SSL) is an encryption protocol for secure data transmission on the Internet. The port standardized by the IETF for establishing DNS over TLS connections is 853.

Security

Here the DNS query is secured by the Transport Layer Security (TLS) encryption protocol and, in contrast to unsecured DNS, is protected against eavesdropping and against manipulation by a man-in-the-middle attack. This is intended to protect users' privacy from eavesdroppers and to prevent manipulated DNS information from being injected. It is also intended to make denial-of-service attacks more difficult.
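The two sections above describe what a DoT client actually does: it opens a TLS session to port 853, verifies the resolver's certificate so that a man-in-the-middle cannot answer in the resolver's place, and sends ordinary DNS messages inside that session. The following minimal client is an added example written for this article, not code from the article or from any resolver project; the resolver defaults (1.1.1.1, one.one.one.one) are taken from the table of public servers below, and the wire-format helpers are kept separate so they can be exercised on a constructed response without network access.

```python
import socket, ssl, struct

# Added example, not from the article: a minimal DoT client. RFC 7858 reuses the
# DNS-over-TCP framing (2-byte length prefix) inside a TLS session on port 853.
DOT_PORT = 853

def build_query(name, qtype=1, txid=0x1234):
    """12-byte header with RD=1 plus one question (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def frame(msg):
    """Length-prefix a DNS message, as required on TCP and therefore on DoT."""
    return struct.pack("!H", len(msg)) + msg

def _skip_name(msg, pos):
    """Advance past a domain name; a compression pointer (0xC0) ends it."""
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += msg[pos] + 1
    return pos + 1

def parse_a_records(msg, expect_txid=None):
    """IPv4 addresses from the answer section; CNAME and other RRs are skipped."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expect_txid is not None and txid != expect_txid:
        raise ValueError("transaction id mismatch")
    pos, addrs = 12, []
    for _ in range(qd):                  # skip the echoed question(s)
        pos = _skip_name(msg, pos) + 4
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs

def dot_query(name, host="one.one.one.one", ip="1.1.1.1"):
    """Resolve over DoT; create_default_context() verifies chain and SNI name."""
    ctx = ssl.create_default_context()   # without this, a MITM could impersonate
    with socket.create_connection((ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame(build_query(name)))
            f = tls.makefile("rb")       # read(n) blocks until n bytes arrive
            (length,) = struct.unpack("!H", f.read(2))
            return parse_a_records(f.read(length), expect_txid=0x1234)
```

Calling dot_query("example.com") returns the A records the resolver sends back; the same parser also handles answers that begin with a CNAME chain, because non-A records are skipped by their rdlength.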

Implementations

On the client side, DNS over TLS has been supported natively by Android since Android P (Pie), without additional programs; Android Pie lets the user explicitly enter the preferred DoT server in the settings. The Windows operating system has no built-in support for DoT, so a local DNS resolver must be used there: it accepts the client's DNS requests internally on localhost and then forwards them to the corresponding public servers. On the server side, DoT is supported by various programs: dnsdist from PowerDNS supports it in the current version 1.3.0, Name Server Daemon (NSD) has supported DoT since version 4.2, BIND can be used with DNS over TLS in combination with the stunnel tool, and Technitium DNS Server has announced DNS over TLS support since version 1.3.

Public DNS servers

DNS over TLS is now freely available from a number of public DNS providers, including:

Columns: provider; server IP addresses; host name (DoT address); content blocking; properties.

Provider: Clean Browsing
  Server IP addresses: IPv4 185.228.168.168, 185.228.168.169; IPv6 2a0d:2a00:1::, 2a0d:2a00:2::
  Host names (DoT address): adult-filter-dns.cleanbrowsing.org, family-filter-dns.cleanbrowsing.org, security-filter-dns.cleanbrowsing.org
  Content blocking: selectable:
    • Security filter (malware, phishing, ...)
    • Adult filter (blocks explicit content, but not mixed content such as Reddit)
    • Family filter (in addition to the security and adult filters, also blocks mixed content such as Reddit, as well as VPN and proxy services)
  Properties: Port 853, DNSSEC validation

Provider: Cloudflare
  Server IP addresses: IPv4 1.1.1.1, 1.0.0.1; IPv6 2606:4700:4700::1111, 2606:4700:4700::1001
  Host names (DoT address): one.one.one.one, 1dot1dot1dot1.cloudflare-dns.com
  Content blocking: No
  Properties: Port 853, DNSSEC validation

Provider: Digitalcourage
  Server IP addresses: IPv4 46.182.19.48; IPv6 2a02:2970:1002::18
  Host name (DoT address): dns2.digitalcourage.de
  Content blocking: No
  Properties: Port 853, DNSSEC validation

Provider: Digitale Gesellschaft (Switzerland)
  Server IP addresses: IPv4 185.95.218.42, 185.95.218.43; IPv6 2a05:fc84::42, 2a05:fc84::43
  Host name (DoT address): dns.digitale-gesellschaft.ch
  Content blocking: No
  Properties: Port 853, DNSSEC validation

Provider: Google Public DNS
  Server IP addresses: IPv4 8.8.8.8, 8.8.4.4; IPv6 2001:4860:4860::8888, 2001:4860:4860::8844
  Host name (DoT address): dns.google
  Content blocking: No
  Properties: Port 853, DNSSEC validation

Provider: Quad9
  Server IP addresses: IPv4 9.9.9.9, 149.112.112.112; IPv6 2620:fe::fe, 2620:fe::9
  Host name (DoT address): dns.quad9.net
  Content blocking: Malicious domains
  Properties: Port 853, DNSSEC validation

Differences from other protocols

By default, DNS requests and responses are transmitted unencrypted using the UDP protocol.

There are currently three main options for implementing encryption:

With DNS over TLS, ordinary DNS requests are sent through a TLS tunnel, whereas with DNS over HTTPS an HTTPS connection is established over which the communication takes place. This means that, if the DNS provider also serves a website on port 443, an eavesdropper cannot tell whether DNS requests are being made or web content is being retrieved, unlike with DNS over TLS. DNS over TLS, however, is much faster. Thirdly, there is DNSCrypt, in which requests and responses are encrypted and transmitted directly over UDP or TCP.

Literature

  • Mark E. Jeftovic: Managing Mission-Critical Domains and DNS. p. 303 (limited preview in Google Book Search)
  • Michael Dooley, Timothy Rooney: DNS Security Management. p. 168 (limited preview in Google Book Search)

Web links

  • DNS Privacy Project: dnsprivacy.org
  • Duane Wessels, John Heidemann, Liang Zhu, Allison Mankin, Paul Hoffman: RFC 7858: Specification for DNS over Transport Layer Security (TLS). May 2016, with errata (updated by RFC 8310; English).
