Domain Name System
==Transport protocols==
From the time of its origin in 1983 the DNS has used the [[User Datagram Protocol]] (UDP) for transport over IP. Its limitations have motivated numerous protocol developments for reliability, security, privacy, and other criteria in the following decades.

===Conventional: DNS over UDP and TCP ports 53 (Do53)===
UDP reserves port number 53 for servers listening to queries.<ref name="rfc1035" /> Such a query consists of a clear-text request sent in a single UDP packet from the client, responded to with a clear-text reply sent in a single UDP packet from the server. When the length of the answer exceeds 512 bytes and both client and server support [[Extension Mechanisms for DNS]] (EDNS), larger UDP packets may be used.<ref>{{IETF RFC|2671}}, ''Extension Mechanisms for DNS (EDNS0)'', P. Vixie (August 1999)</ref> Use of DNS over UDP is limited by, among other things, its lack of transport-layer encryption, authentication, reliable delivery, and message length.

In 1989, RFC 1123 specified optional [[Transmission Control Protocol]] (TCP) transport for DNS queries, replies and, particularly, [[DNS zone transfer|zone transfers]]. Via fragmentation of long replies, TCP allows longer responses, reliable delivery, and re-use of long-lived connections between clients and servers. For larger responses, the server refers the client to TCP transport.

===DNS over TLS (DoT)===
[[DNS over TLS]] emerged as an IETF standard for encrypted DNS in 2016, utilizing Transport Layer Security (TLS) to protect the entire connection, rather than just the DNS payload. DoT servers listen on TCP port 853. {{IETF RFC|7858}} specifies that opportunistic encryption and authenticated encryption may be supported, but does not make either server or client authentication mandatory.

===DNS over HTTPS (DoH)===
[[DNS over HTTPS]] was developed as a competing standard for DNS query transport in 2018, tunneling DNS query data over HTTPS, which transports HTTP over TLS.
DoH was promoted as a more web-friendly alternative to DNS since, like DNSCrypt, it uses TCP port 443 and thus looks similar to web traffic, though the two are easily distinguishable in practice without proper padding.<ref>{{cite web |last1=Csikor |first1=Levente |last2=Divakaran |first2=Dinil Mon |title=Privacy of DNS over HTTPS: Requiem for a Dream? |url=https://raw.githubusercontent.com/cslev/doh_ml/main/DNS_over_HTTPS_identification.pdf |publisher=National University of Singapore |date=February 2021 |quote=We investigate whether DoH traffic is distinguishable from encrypted Web traffic. To this end, we train a machine learning model to classify HTTPS traffic as either Web or DoH. With our DoH identification model in place, we show that an authoritarian ISP can identify ≈97.4% of the DoH packets correctly while only misclassifying 1 in 10,000 Web packets.}}</ref>

===DNS over QUIC (DoQ)===
RFC 9250, published in 2022 by the [[Internet Engineering Task Force]], describes DNS over [[QUIC]]. It has "privacy properties similar to DNS over TLS (DoT) [...], and latency characteristics similar to classic DNS over UDP". This method is not the same as DNS over [[HTTP/3]].<ref>{{cite IETF|last1=Huitema |first1=Christian |last2=Dickinson |first2=Sara |last3=Mankin |first3=Allison |title=DNS over Dedicated QUIC Connections |rfc=9250 |publisher=Internet Engineering Task Force |date=May 2022}}</ref>

===Oblivious DoH (ODoH) and predecessor Oblivious DNS (ODNS)===
Oblivious DNS (ODNS) was invented and implemented by researchers at [[Princeton University]] and the [[University of Chicago]] as an extension to unencrypted DNS,<ref>{{Cite journal|last1=Schmitt|first1=Paul|last2=Edmundson|first2=Anne|last3=Feamster|first3=Nick|title=Oblivious DNS: Practical Privacy for DNS Queries|url=https://petsymposium.org/2019/files/papers/issue2/popets-2019-0028.pdf |archive-url=https://web.archive.org/web/20220121210624/https://petsymposium.org/2019/files/papers/issue2/popets-2019-0028.pdf |archive-date=2022-01-21 |url-status=live|journal=Privacy Enhancing Technologies |date=2019|volume=2019 |issue=2 |pages=228–244 |doi=10.2478/popets-2019-0028 |arxiv=1806.00276 |s2cid=44126163 }}</ref> before DoH was standardized and widely deployed. Apple and Cloudflare subsequently deployed the technology in the context of DoH, as Oblivious DoH (ODoH).<ref>{{cite web |title=Oblivious DNS Deployed by Cloudflare and Apple |date=9 December 2020 |url=https://medium.com/noise-lab/oblivious-dns-deployed-by-cloudflare-and-apple-1522ccf53cab |access-date=27 July 2022}}</ref> ODoH combines ingress/egress separation (invented in ODNS) with DoH's HTTPS tunneling and TLS transport-layer encryption in a single protocol.<ref>{{cite web |last1=Pauly |first1=Tommy |title=Oblivious DNS Over HTTPS |url=https://datatracker.ietf.org/doc/draft-pauly-dprive-oblivious-doh/|publisher=IETF |date=2 September 2021}}</ref>

===DNS over Tor===
DNS may be run over [[virtual private network]]s (VPNs) and [[tunneling protocol]]s.
The privacy gains of Oblivious DNS can be garnered through the use of the preexisting [[Tor (network)|Tor]] network of ingress and egress nodes, paired with the transport-layer encryption provided by TLS.<ref>{{cite web |last1=Muffett |first1=Alec |title="No Port 53, Who Dis?" A Year of DNS over HTTPS over Tor |url=https://www.ndss-symposium.org/wp-content/uploads/dnspriv21-03-paper.pdf |archive-url=https://web.archive.org/web/20210321110839/https://www.ndss-symposium.org/wp-content/uploads/dnspriv21-03-paper.pdf |archive-date=2021-03-21 |url-status=live |publisher=Network and Distributed System Security Symposium |date=February 2021 |quote=DNS over HTTPS (DoH) obviates many but not all of the risks, and its transport protocol (i.e. HTTPS) raises concerns of privacy due to (e.g.) 'cookies.' The Tor Network exists to provide TCP circuits with some freedom from tracking, surveillance, and blocking. Thus: In combination with Tor, DoH, and the principle of "Don't Do That, Then" (DDTT) to mitigate request fingerprinting, I describe DNS over HTTPS over Tor (DoHoT).}}</ref>

===DNSCrypt===
The [[DNSCrypt]] protocol, which was developed in 2011 outside the [[Internet Engineering Task Force|IETF]] standards framework, introduced DNS encryption on the downstream side of recursive resolvers, wherein clients encrypt query payloads using servers' public keys, which are published in the DNS (rather than relying upon third-party certificate authorities) and which may in turn be protected by [[DNSSEC]] signatures.<ref>{{Cite web |last=Ulevitch |first=David |date=6 December 2011 |title=DNSCrypt – Critical, fundamental, and about time. |url=https://umbrella.cisco.com/blog/dnscrypt-critical-fundamental-and-about-time |url-status=live |archive-url=https://web.archive.org/web/20200701221715/https://umbrella.cisco.com/blog/dnscrypt-critical-fundamental-and-about-time |archive-date=1 July 2020 |website=Cisco Umbrella |language=en-US}}</ref> DNSCrypt uses either TCP port 443, the same port as [[HTTPS]] encrypted web traffic, or UDP port 443. This introduced not only privacy regarding the content of the query, but also a significant measure of firewall-traversal capability. In 2019, DNSCrypt was further extended to support an "anonymized" mode, similar to the proposed "Oblivious DNS", in which an ingress node receives a query which has been encrypted with the public key of a different server, and relays it to that server, which acts as an egress node, performing the recursive resolution.<ref name="Anonymized DNSCrypt specification">{{Cite web |title=Anonymized DNSCrypt specification |url=https://raw.githubusercontent.com/DNSCrypt/dnscrypt-protocol/master/ANONYMIZED-DNSCRYPT.txt |url-status=live |archive-url=https://web.archive.org/web/20191025094649/https://raw.githubusercontent.com/DNSCrypt/dnscrypt-protocol/master/ANONYMIZED-DNSCRYPT.txt |archive-date=25 October 2019 |website=[[GitHub]] |publisher=DNSCrypt}}</ref> Privacy of user/query pairs is created, since the ingress node does not know the content of the query, while the egress node does not know the identity of the client. DNSCrypt was first implemented in production by [[OpenDNS]] in December 2011. There are several free and open source software implementations that additionally integrate ODoH.<ref name="ODoH_(2022)">{{cite web |title=Oblivious DoH · DNSCrypt/dnscrypt-proxy Wiki |url=https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Oblivious-DoH |website=GitHub |publisher=DNSCrypt project |access-date=28 July 2022 |language=en}}</ref> It is available for a variety of operating systems, including Unix, Apple iOS, Linux, Android, and Windows.
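Both the DoH section (DoH is distinguishable from web traffic "without proper padding") and the DoHoT paper quoted in the Tor section (mitigating "request fingerprinting") point at message length as the leak that remains once query content is encrypted: ciphertext length tracks plaintext length, so the length of a query name shows through DoT, DoH and DNSCrypt alike. The following Python is an added example, not code from the article or from any implementation it names. It applies RFC 8467 block-length padding with the EDNS(0) Padding option (option code 12, RFC 7830) so that queries for names of different lengths present the same size to a passive observer of the encrypted transport. The sample query names, the transaction ID and the 128-octet block are constructed values; the padding function assumes the input message carries no OPT pseudo-RR yet and adds one, whereas a real client would extend the OPT RR it already sends.

```python
import struct

OPT_TYPE = 41          # EDNS(0) OPT pseudo-RR type
PADDING_OPTION = 12    # EDNS(0) Padding option code (RFC 7830)
BLOCK = 128            # RFC 8467 recommended block size for queries (responses use 468)


def pad_query(msg: bytes, block: int = BLOCK, udp_size: int = 1232) -> bytes:
    """Append an OPT RR whose Padding option makes len(result) a multiple of `block`.
    Assumption for this example: `msg` has no OPT RR yet, so ARCOUNT is incremented by one."""
    if len(msg) < 12:
        raise ValueError("not a DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    # OPT fixed part (1 root name + 2 type + 2 class + 4 TTL + 2 RDLENGTH) and option header (2 + 2)
    overhead = 11 + 4
    pad_len = (-(len(msg) + overhead)) % block          # octets needed to reach the next block boundary
    option = struct.pack("!HH", PADDING_OPTION, pad_len) + b"\x00" * pad_len
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, len(option)) + option
    header = struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar + 1)
    return header + msg[12:] + opt_rr


def padded_length(msg: bytes, block: int = BLOCK) -> int:
    """Length a padded message will have on the wire."""
    return len(pad_query(msg, block))


def make_query(name: str, txid: int = 0xBEEF) -> bytes:
    """Minimal RFC 1035 A/IN query with no OPT RR (constructed input for the example)."""
    labels = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)


# Constructed sample queries whose names differ markedly in length.
SAMPLE_QUERIES = [
    make_query("a.io"),
    make_query("example.com"),
    make_query("very-long-subdomain.tracking.example.org"),
]


def observable_sizes(queries, pad: bool = True) -> list:
    """Plaintext sizes an observer of the encrypted transport can infer (ciphertext = plaintext + constant)."""
    return [len(pad_query(q)) if pad else len(q) for q in queries]


if __name__ == "__main__":
    print("unpadded:", observable_sizes(SAMPLE_QUERIES, pad=False))
    print("padded:  ", observable_sizes(SAMPLE_QUERIES))
```

Without padding the three queries are 22, 29 and 58 octets, so their encrypted forms are just as distinguishable; with padding all three become 128 octets, and a query whose name pushes it past the first block simply rounds up to 256. Padding only hides length within a block, not timing or destination, which is why the DoHoT design combines it with Tor rather than relying on it alone.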