Deploy360 6 April 2017

RFC 8094: DNS over DTLS published

By Kevin MeynellFormer Senior Manager, Technical and Operational Engagement

RFC 8094 – DNS over Datagram Transport Layer Security (DTLS) – was recently published as an experimental specification.

This was the result of the ongoing activity of the DNS PRIVate Exchange (dprive) Working Group at the IETF to develop mechanisms to provide confidentiality to DNS transactions and to address concerns surrounding pervasive monitoring.

DNS queries and responses are normally exchanged unencrypted on the network between a DNS client and server, and can be monitored to reveal potentially sensitive information. RFC 8094 therefore proposes to use DTLS for encrypting queries and responses between DNS clients and servers.

The DTLS protocol is based on the Transport Layer Security (TLS) protocol and is intended to provide similar security guarantees, but is more suited to datagram transport that supports low latency and loss tolerant communication but which does not require or provide reliable or in-order delivery of data.

As latency is critical for the DNS, the outlined specification aims to reduce DTLS round trips and reduce the DTLS handshake size, as well as minimise the computational load on the DNS servers. This is an experimental update to the DNS in order to evaluate implementations, interoperability and effect on the DNS infrastructure.

Further Information

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Improving Technical Security 13 March 2019

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a...