The End of DNS as we know it …

Carsten Strotmann, Men & Mice

Created: 2018-09-22 Sat 23:16


  • Privacy despite DNS - is that possible?
  • DNS-over-TLS
  • DNS-over-HTTPS
  • DNS-over-QUIC
  • QNAME-Minimization

Slides on

Who am I?

Carsten Strotmann

DNS(SEC)/DANE/DHCP/IPv6 Trainer/Consultant

Privacy with DNS - possible?

  • the IETF has expanded the good old DNS-Protocol with new security functions in the last few years
    • DNS-over-TLS (Transport encryption between DNS-Client and DNS-Server)
    • DNS-over-HTTPS (Hide DNS-Requests inside Web-Communication)
    • QNAME Minimization (Reduction of Metadata)
    • EDNS-Padding (hiding the payload size of DNS-Data in encrypted connections)
    • NSEC[3] "aggressive use" - fight DDoS attacks with the help of DNSSEC

DoT - DNS-over-TLS

DNS-over-TLS (1/3)


DNS-over-TLS (2/3)


DNS-over-TLS (3/3)


DNS-over-TLS Performance

  • when using TLS 1.3, performance/latency of DNS-over-TLS is good
  • once the connection is open, performance can be on par with DNS-over-UDP, due to
    • Pipelining
    • TCP fast open
    • 0-RTT resume
  • unfortunately, most current implementations are not optimized

DNS-over-TLS modes

  • DNS-over-TLS defines two usage modes
    • opportunistic - try TLS, but continue without in case TLS is not available
    • strict - only exchange data with the server over TLS, fail if TLS or authentication is not available

DNS-over-TLS Client Implementations

DNS-over-TLS Server Implementations

  • DoT Server Implementations
    • CoreDNS
    • TentaDNS
    • every DNS-Server via a reverse TLS-Proxy (stunnel, ha-proxy, nginx, relayd)
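As an added example (not from the slides), the reverse-proxy option from the last bullet: an nginx stream block that terminates TLS on port 853 and hands plain TCP DNS to a resolver on 127.0.0.1:53; the certificate paths and host name are placeholders.

```nginx
# Added example: nginx (stream module) as a DoT front end for any DNS server.
# Assumptions: nginx is built with ngx_stream_ssl_module, the resolver listens
# on 127.0.0.1:53/tcp, and the certificate matches the name strict-mode
# clients are configured to authenticate. Paths below are placeholders.
stream {
    server {
        listen      853 ssl;
        listen [::]:853 ssl;

        ssl_certificate     /etc/ssl/certs/dot.example.net.fullchain.pem;   # placeholder
        ssl_certificate_key /etc/ssl/private/dot.example.net.key;           # placeholder
        ssl_protocols       TLSv1.2 TLSv1.3;      # TLS 1.3 keeps the handshake cost low
        ssl_session_cache   shared:DoT:10m;       # session resumption for reconnecting clients
        ssl_session_timeout 1h;

        proxy_pass    127.0.0.1:53;               # the resolver only ever sees plaintext TCP DNS
        proxy_timeout 10s;                        # idle client connections are closed after 10s
    }
}
```

The resolver behind the proxy then logs every query as coming from 127.0.0.1, so per-client monitoring (see "monitor your DNS-resolver for malicious traffic" later) has to happen on the proxy or via PROXY protocol support in the resolver.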

DNS-over-TLS provider

DOH - DNS over HTTP(S)




  • HTTPS (Port 443) is already permitted in Firewalls
  • easy to use inside (JavaScript) Web-Applications
  • most programming languages have HTTP(S) APIs


  • IETF 100 - November 2017 - DNS over HTTP(S) (DoH) working group established
  • IETF 101 - March 2018 - work on DNS Queries over HTTPS finished, start of working group last call (WGLC) in April 2018
  • the RFC can be published any day now
  • implementations in C, Go, Python, Rust, Java exist
  • new implementations pop up every week

DNS-over-HTTPS and IDS/Network-Filter

  1. Operational Considerations

[…] Filtering or inspection systems that rely on unsecured transport of DNS will not function in a DNS over HTTPS environment.


DoH Client Implementations (1/2)

URL: about:networking (screenshot: Firefox 61 TRR lookups)

DoH Client Implementations (2/2)

DoH Resolver/Server

DoH Provider (Selection)

similar Developments

DoQ - DNS over QUIC

what is QUIC

  • modern TCP-replacement from Google, currently standardized in the IETF
    • based on UDP, but implements TCP-like functions
    • usually implemented in application, not OS kernels (to fight ossification)
    • contains transport encryption similar to TLS 1.3
    • 0-RTT
  • performance on par with classic DNS-over-UDP
  • QUIC Documents



DNS over QUIC comparison


  • classic DNS name resolution has been very chatty
    • more data is requested and delivered than needed by modern world DNS


Traditional DNS-Nameresolution (1/6)


Traditional DNS-Nameresolution (2/6)


Traditional DNS-Nameresolution (3/6)


Traditional DNS-Nameresolution (4/6)


Traditional DNS-Nameresolution (5/6)


Traditional DNS-Nameresolution (6/6)


DNS-Nameresolution with QNAME-Minimization

  • a DNS-Resolver with QNAME-Minimization knows the structure of DNS delegation in the Internet (Root -> TLD -> SLD …)
  • the DNS-Resolver with QNAME-Minimization only requests the bare minimum DNS-Data on each DNS level
  • Performance of DNS-Resolution with QNAME-Minimization is equal to traditional Resolution, and in some cases it is even a little faster.
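To make the difference between the two walks concrete, here is an added simulation (not from the slides) of the traditional and the RFC 7816 minimized resolution against a small constructed delegation tree; it records which QNAME every level of the hierarchy gets to see, including the case where one added label is not a delegation cut.

```python
# Added example: simulated iterative resolution with and without QNAME minimization.
# Constructed sample delegation tree: zone -> zones it delegates directly.
# "co.uk." is deliberately NOT its own zone, so a minimizing resolver gets
# NODATA for "co.uk. NS" from the uk. servers and has to add one more label.
DELEGATIONS = {
    ".": {"com.", "uk."},
    "com.": {"example.com."},
    "uk.": {"example.co.uk."},
    "example.com.": set(),
    "example.co.uk.": set(),
}


def _ancestors(name):
    """Yield 'com.', 'example.com.', 'www.example.com.' for 'www.example.com.'."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):
        yield ".".join(labels[i:]) + "."


def _child_zone(zone, name):
    """Return the zone delegated from `zone` that contains `name`, if any."""
    for child in DELEGATIONS[zone]:
        if name == child or name.endswith("." + child):
            return child
    return None


def traditional_queries(name, qtype="A"):
    """Classic resolver: the full QNAME and QTYPE go to every server on the path."""
    queries, zone = [], "."
    while True:
        queries.append((zone, name, qtype))          # (server zone, QNAME sent, QTYPE)
        zone = _child_zone(zone, name)
        if zone is None:
            return queries


def minimized_queries(name, qtype="A"):
    """RFC 7816 resolver: ask each server only for the next label (type NS) and
    send the full name with the real QTYPE only once the final label is reached."""
    queries, zone = [], "."
    for candidate in _ancestors(name):
        final = candidate == name
        queries.append((zone, candidate, qtype if final else "NS"))
        if candidate in DELEGATIONS[zone]:           # referral: move down one level
            zone = candidate                          # (NODATA means: stay, add a label)
            if final:                                 # apex name: re-ask the child zone itself
                queries.append((zone, candidate, qtype))
    return queries


def seen_by(queries, zone):
    """QNAMEs a given server learned from the walk, i.e. the metadata it could log."""
    return {q for z, q, _ in queries if z == zone}
```

Running `seen_by(minimized_queries("www.example.co.uk."), ".")` shows the root servers learning only "uk." instead of the full host name, which is exactly the metadata reduction the slide describes.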

DNS-Nameresolution with QNAME-Minimization


QNAME-Minimization Implementations

  • Unbound
  • Knot-Resolver
  • BIND 9.13 (in development)

QNAME Minimization test

A simple test from the commandline (using dig) will tell if the DNS-resolver in use does work with QNAME-Minimization

shell$ dig txt +short
"HOORAY - QNAME minimisation is enabled on your resolver :)!"

Summary and looking ahead (1/3)

Summary and looking ahead (2/3)

  • new DNS-Protocol Extensions …
    • … protect the privacy of users of DNS
    • … increase the security of DNS communication
    • … decrease the usability of DNS-IDS/Passive-DNS

Summary and looking ahead (3/3)

  • what can we do today?
    • deploy DNS-over-TLS for the resolver in your network
    • (if you know how to operate a service securely in the Internet) deploy a public DNS-over-HTTPS service
    • enable QNAME-Minimization in your DNS-resolver (if available)
    • monitor your DNS-resolver for malicious traffic
    • separate the resolving and authoritative DNS functions
    • enable DNSSEC validation
    • consider DNSSEC signing your zone

Thank you!

Questions?

Contact: or

Thanks to Men & Mice for sponsoring this talk

Presentation created with the help of Emacs 26, Org-Mode and Reveal.js

Don't forget the October 11th KSK-Roll
