‹ Back
Deploy360 6 April 2017

RFC 8094: DNS over DTLS published

Kevin Meynell
By Kevin MeynellSenior Manager, Technical and Operational Engagement

RFC 8094 – DNS over Datagram Transport Layer Security (DTLS) – was recently published as an experimental specification.

This was the result of the ongoing activity of the DNS PRIVate Exchange (dprive) Working Group at the IETF to develop mechanisms to provide confidentiality to DNS transactions and to address concerns surrounding pervasive monitoring.

DNS queries and responses are normally exchanged unencrypted on the network between a DNS client and server, and can be monitored to reveal potentially sensitive information. RFC 8094 therefore proposes to use DTLS for encrypting queries and responses between DNS clients and servers.

The DTLS protocol is based on the Transport Layer Security (TLS) protocol and is intended to provide similar security guarantees, but is more suited to datagram transport that supports low latency and loss tolerant communication but which does not require or provide reliable or in-order delivery of data.

As latency is critical for the DNS, the outlined specification aims to reduce DTLS round trips and reduce the DTLS handshake size, as well as minimise the computational load on the DNS servers. This is an experimental update to the DNS in order to evaluate implementations, interoperability and effect on the DNS infrastructure.

Further Information

‹ Back

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

DPRIVE experimental service debuts @ IETF 99
DPRIVE experimental service debuts @ IETF 99
Deploy36024 August 2017

DPRIVE experimental service debuts @ IETF 99

The IETF is not only a place to discuss the development of Internet protocols, but also offers a place for...

DNS Security & Privacy discussed at e-AGE18
DNS Security & Privacy discussed at e-AGE18
Deploy36024 December 2018

DNS Security & Privacy discussed at e-AGE18

The Internet Society continued its engagement with Middle East networking community by participating in the e-AGE18 Conference, where we took...

Cloudflare launches 1.1.1.1 DNS service with privacy, TLS and more
Cloudflare launches 1.1.1.1 DNS service with privacy, TLS and more
Deploy36012 April 2018

Cloudflare launches 1.1.1.1 DNS service with privacy, TLS and more

There was an important development this month with the launch of Cloudflare's new 1.1.1.1 DNS resolver service. This is a significant...

Join the conversation with Internet Society members around the world