!!! Overview
[{$pagename}] are the [Privacy Considerations] associated with the use of the [Domain Name System] ([DNS]).

[RFC 7626] describes the [Privacy Considerations] associated with the use of the [DNS] by [Internet] users. Some of the issues in simple terms:
* Almost every activity on the [Internet] starts with a DNS query (and often several). A key function of the [DNS] is to map [human]-readable names (e.g. the [DNS Domain] example.com) to the [IP Addresses|IP Address] that computers need in order to connect to each other.
* Those queries can reveal not only which [websites] an individual visits but also [metadata] about other services, such as the domains of email contacts or chat services.
* Whilst the [data] in the [DNS] is public, the individual transactions made by an [End-User] should not be public.
* [DNS] queries are sent in [Cleartext] (over [UDP] or [TCP]), which means passive [eavesdroppers] can observe all the DNS lookups performed.
* The [Domain Name System] is a globally distributed system that crosses international boundaries and often uses servers in many different countries in order to provide resilience.
* It is well known that the NSA used the MORECOWBELL and QUANTUMDNS tools to perform covert monitoring, mass surveillance and hijacking of [Domain Name System] traffic.
* Some [Service Providers] ([Internet Service Providers]) [log|Logging] DNS queries at the resolver and share this information with [third-parties|Third-party] in ways not known or obvious to end users.
* Some [ISPs] embed user information (e.g. a [UserId] or [MAC Address]) within [DNS] queries that go to the [ISPs] resolver in order to provide [services] such as parental filtering. This allows for [fingerprinting] of individual users.
* Some resolvers add client subnet information (EDNS Client Subnet, [RFC 7871]) to the queries they send to authoritative servers so that [CDNs] can geo-locate end users. This allows queries to be correlated with particular subnets.
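To make the cleartext and client-subnet points concrete, the following added example (not code from this page or from dnsprivacy.org) builds a DNS query in wire format, shows what a passive on-path observer can extract from it (the queried name and type, and the client subnet carried in an EDNS Client Subnet option), and then frames the same bytes for the [DNS over TLS] and [DNS over HTTPS] transports described under Possible Solutions below. The domain names, the 203.0.113.0/24 subnet and the dns.example.net URL are constructed placeholders; send_dot() only contacts a real resolver if you call it with one. Requires Python 3.8 or later.

```python
"""Added example, not code from the original page or from dnsprivacy.org: what an
on-path observer reads from a cleartext DNS query (the question plus any EDNS
Client Subnet option), and how the same bytes are framed for DNS over TLS
(RFC 7858) and DNS over HTTPS (RFC 8484). All sample values are constructed;
nothing is sent unless send_dot() is called with a resolver of your own."""
import base64
import ipaddress
import socket
import ssl
import struct


def build_query(qname, qtype=1, client_subnet=None, txid=0x1234):
    """Wire-format query. With client_subnet (e.g. "203.0.113.0/24") an EDNS(0)
    OPT record carrying an ECS option (RFC 7871) is appended, as a resolver does
    when forwarding to a CDN's authoritative server."""
    arcount = 0 if client_subnet is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD=1
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)                           # class IN
    if client_subnet is None:
        return header + question
    net = ipaddress.ip_network(client_subnet)
    family, prefix = (1 if net.version == 4 else 2), net.prefixlen
    addr = net.network_address.packed[:(prefix + 7) // 8]     # only prefix bytes
    ecs = struct.pack("!HBB", family, prefix, 0) + addr       # scope prefix = 0
    rdata = struct.pack("!HH", 8, len(ecs)) + ecs             # option code 8 = ECS
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(rdata)) + rdata
    return header + question + opt

def read_name(msg, off):
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels = []
    while (n := msg[off]) != 0:
        off += 1
        if n & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            tail, _ = read_name(msg, ((n & 0x3F) << 8) | msg[off])
            return ".".join(filter(None, labels + [tail])), off + 1
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off + 1

def observe(msg):
    """What a passive eavesdropper learns from one cleartext query."""
    txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    seen, off = {"txid": txid, "questions": [], "client_subnet": None}, 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        seen["questions"].append((name, qtype))
        off += 4
    for _ in range(an + ns + ar):
        _name, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype != 41:                      # ECS lives only in the OPT pseudo-RR
            continue
        o = 0
        while o + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[o:o + 4])
            body, o = rdata[o + 4:o + 4 + olen], o + 4 + olen
            if code == 8:
                family, src, _scope = struct.unpack("!HBB", body[:4])
                raw = body[4:].ljust(4 if family == 1 else 16, b"\x00")
                seen["client_subnet"] = f"{ipaddress.ip_address(raw)}/{src}"
    return seen

def dot_frame(query):
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(query)) + query

def doh_get_url(query, base_url):
    """DoH GET form: base64url without padding, with the ID zeroed so equal
    questions give equal, cacheable URLs (RFC 8484 section 4.1)."""
    dns = base64.urlsafe_b64encode(b"\x00\x00" + query[2:]).rstrip(b"=").decode()
    return f"{base_url}?dns={dns}"

def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket (TLS records may split them)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def send_dot(query, host, port=853):
    """Send one query to a DoT resolver with certificate chain and hostname
    validation (the strict profile of RFC 8310) and return the raw response."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(dot_frame(query))
        (length,) = struct.unpack("!H", recv_exact(tls, 2))
        return recv_exact(tls, length)
```

Running observe() on build_query("mail.example.com", 15, "203.0.113.0/24") returns the MX question and the subnet 203.0.113.0/24, which is exactly what an eavesdropper between the stub and the resolver, or between the resolver and the authoritative server, gets for free. dot_frame() and doh_get_url() show that the encrypted transports change only the framing, not the message: the resolver at the far end still sees every question, so DoT and DoH address the on-path observer but not the resolver-logging issue above. send_dot() uses the default SSL context on purpose: an "opportunistic" DoT client that skips certificate validation can be silently downgraded by the same on-path attacker the encryption is meant to stop.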
* Some [VPNs] still leak your [DNS] queries by sending them unencrypted to your [ISP]. Use the tool from anonymyster.com to check whether this is happening with your VPN.

!! Possible Solutions for [{$pagename}]

! [DNS over TLS] (DoT)
[RFC 7858] specified [DNS over TLS] as a Standards Track protocol in May [2016|Year 2016]. There is active work in this area. There are now multiple [implementations] (including Stubby, a local DNS Privacy stub resolver) and a number of experimental servers deployed.

! [DNS over DTLS]
[RFC 8094] specified [DNS over DTLS] as an Experimental Standard in Feb [2017|Year 2017]. To our knowledge there are no implementations of DNS-over-DTLS planned or in progress. One issue with DNS-over-DTLS is that it must still truncate DNS responses if the response size is too large (just as UDP does), so it cannot be a standalone solution for privacy without a fallback mechanism (such as DNS-over-TLS) also being available.

! [DNS over HTTPS] (DoH)
The [IETF] created a new DoH working group in Sept [2017|Year 2017] to look at how DNS messages could be sent over an existing HTTP/2 connection. As of Sept [2018|Year 2018] the draft https://datatracker.ietf.org/doc/draft-ietf-doh-dns-over-https/ was in the RFC Editor queue (it was published as [RFC 8484] in October 2018) and there are several experimental implementations and deployments. Note that with DoH it is possible to intermingle DNS and HTTP traffic on the same connection, which makes blocking of encrypted DNS harder. It should be noted that this draft addresses almost purely [protocol] issues; a follow-up document on [discovery|Discoverability] and operational usage is expected.

! [DNSCrypt]
[DNSCrypt] is a method of authenticating communications between a DNS client and a DNS resolver that has been around since 2011.
* [DNSCrypt] prevents DNS spoofing.
* [DNSCrypt] uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered with (the messages are still sent over UDP).
* As a side effect [DNSCrypt] provides increased privacy because the [DNS] [message] content is [encrypted].
* [DNSCrypt] is an open specification but it has not been standardized by the IETF. There are multiple [implementations] and a set of DNSCrypt servers available.
* [OpenDNS] offers [DNSCrypt].

Also check out the in-depth comparison from Tenta.

! [DNS over HTTPS] (proxied)
There are implementations available (e.g. from BII) of proxies that will [tunnel] [DNS over HTTPS]. [Google] offers a proprietary DNS-over-HTTPS service using a JSON format for DNS queries. A new working group, DNS-over-HTTPS (DoH), was formed by the IETF in Sept 2017.

! [DNS over QUIC]
A draft was submitted in April [2017|Year 2017] to the [IETF] [QUIC] Working Group on [DNS over QUIC].

! [DNSCurve]
[DNSCurve] was developed in 2010 with encrypting the resolver-to-authoritative communications in mind. It was not standardized by the IETF.

!! [DNS Queries over HTTPS]
[DNS Queries over HTTPS] is an [Implementation] by [Mozilla].

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [DNS Privacy - The Problem|https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+-+The+Problem|target='_blank'] - based on information obtained 2018-09-15
* [#2] - [DNS Over HTTPS|https://datatracker.ietf.org/doc/charter-ietf-doh/|target='_blank'] - based on information obtained 2019-09-09