DNS over TLS


Tags: dns tls security privacy

Recently a couple of public DNS resolvers started offering DNS over TLS, which is different from the DNS over HTTPS APIs. On my FreeBSD host I use BIND as a caching resolver. It doesn’t have native support for DNS over TLS yet, but by proxying through stunnel one can set it up easily. There are instructions for this.

Following is my stunnel configuration:

setuid = stunnel
setgid = nogroup

pid = /var/tmp/stunnel.pid

options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1

[dns-goog]
client = yes
accept = 127.0.0.1:1053
connect = 8.8.8.8:853
verifyChain = yes
CAfile = /etc/ssl/cert.pem
checkHost = dns.google

[dns-cf]
client = yes
accept = 127.0.0.1:1054
connect = 1.1.1.1:853
verifyChain = yes
CAfile = /etc/ssl/cert.pem
checkHost = dns.cloudflare-dns.com

[dns-quad9]
client = yes
accept = 127.0.0.1:1055
connect = 9.9.9.9:853
verifyChain = yes
CAfile = /etc/ssl/cert.pem
checkHost = dns.quad9.net

Following is the corresponding minimal named configuration:

options {
        listen-on    { 127.0.0.2; };
        listen-on-v6 { ::1; };
        forwarders {
                127.0.0.1 port 1053;
                127.0.0.1 port 1054;
                127.0.0.1 port 1055;
        };
        forward only;
};

server 127.0.0.1 {
        tcp-only yes;
};

After this there is no more plaintext TCP/UDP port 53 traffic. In theory this works as expected; in practice it mostly works as expected. For example, in my testing with Google Public DNS, I noticed that I get different results (for domains that answer based on the presence of the EDNS client subnet option in the query) between queries over DNS over TLS and regular DNS. So it seems to me that these public DNS over TLS resolvers are configured differently (on the provider’s end), which I don’t think there is any need for.
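To make the two moving parts above concrete, here is a small stand-alone DNS over TLS client in Python. It is an added example, not code from this post or from stunnel or BIND. It does in one place what the stunnel and named configuration do together: it opens a TLS connection to port 853, verifies the chain against a CA bundle and checks the certificate against the expected host name (the `verifyChain`/`CAfile`/`checkHost` settings), refuses anything below TLS 1.2 (the `NO_TLSv1`/`NO_TLSv1.1` options), and uses the two-byte length framing of DNS over TCP that is the reason the named config needs `tcp-only yes` for the forwarders. It can also attach an EDNS Client Subnet option, which is one way to compare the answers a resolver gives with and without ECS, as observed above. The resolver IPs and host names are the ones from the stunnel config; the response bytes embedded for the offline self-check are constructed, not captured from any resolver.

```python
"""Minimal DNS over TLS (RFC 7858) client: TLS to port 853, DNS-over-TCP framing."""
import socket
import ssl
import struct

DOT_PORT = 853  # well-known port for DNS over TLS

# Constructed sample reply (not captured from a real resolver) used for the offline check:
# id 0x1234, flags QR|RD|RA, one question, one A answer 203.0.113.10 with TTL 3600.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xcb\x00\x71\x0a"
)


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, ecs=None):
    """Build a recursive query; ecs=(ipv4, prefix_len) adds an EDNS Client Subnet option."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if ecs else 0)  # RD set
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    if ecs:
        addr, plen = ecs
        octets = socket.inet_aton(addr)[: (plen + 7) // 8]  # only the prefix bytes are sent
        option = struct.pack("!HBB", 1, plen, 0) + octets  # family 1 = IPv4, scope 0
        rdata = struct.pack("!HH", 8, len(option)) + option  # option code 8 = ECS
        # OPT pseudo-RR: root name, type 41, UDP payload 4096, ext-rcode/version/flags 0
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(rdata)) + rdata
    return msg


def frame(msg):
    """DNS over TCP (and therefore over TLS) prefixes each message with a 16-bit length."""
    return struct.pack("!H", len(msg)) + msg


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def read_framed(sock):
    """Read one length-prefixed DNS message from a TCP/TLS socket."""
    (length,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, length)


def read_name(msg, offset):
    """Decode a possibly compressed name; returns (name, offset just past it)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_response(msg):
    """Return id, rcode and the answer section; A records are rendered dotted-quad."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def query_dot(server_ip, server_name, name, cafile=None, qtype=1, ecs=None):
    """One query over TLS; chain and host name are verified like stunnel's verifyChain/checkHost."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile=None uses the system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # equivalent of NO_SSLv3/NO_TLSv1/NO_TLSv1.1
    query = build_query(name, qtype=qtype, ecs=ecs)
    with socket.create_connection((server_ip, DOT_PORT), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            tls.sendall(frame(query))
            reply = read_framed(tls)
    resp = parse_response(reply)
    if resp["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    return resp


if __name__ == "__main__":  # needs network; the resolvers are the ones from the stunnel config
    import sys
    qname = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    for ip, host in [("8.8.8.8", "dns.google"), ("1.1.1.1", "dns.cloudflare-dns.com"),
                     ("9.9.9.9", "dns.quad9.net")]:
        print(ip, query_dot(ip, host, qname))
        print(ip, "with ECS", query_dot(ip, host, qname, ecs=("203.0.113.0", 24)))
```

Running it with a name whose answers depend on client subnet shows whether a resolver honours ECS over TLS; running it with the wrong `server_name` (say `dns.google` against 1.1.1.1) fails the host name check, which is exactly the failure `checkHost` is there to produce in stunnel.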

Also, it seems that Google hasn’t formally announced DNS over TLS for their Google Public DNS service, so I guess it is still in testing or something.

In the future, I would like encrypted DNS by default between nameservers and resolvers. I guess DNSCrypt does that.